90002540

The Digi Connect EZ 16/32 User Guide details firmware version 24.9 updates, including modem firmware upgrades, a new EDP client in Rust, and enhanced cellular connectivity features. It also outlines new functionalities such as serial port configuration copying, configuration validation, and Modbus hardening for improved security. Additional documentation updates and upcoming features for local and remote management are also highlighted.

Uploaded by

erick valencia
Connect EZ 16/32

User Guide
Firmware version 24.9
Revision history—90002540

Revision L (November 2024)

Release of Digi Connect EZ 16/32 firmware version 24.9.

- Modem firmware updates: There's no more guesswork about the carrier you need to choose when upgrading modem firmware. Now, choose a firmware bundle based on the type of modem you have. There's no need to know and/or specify the carrier because every firmware upgrade package includes all of the carrier images supported by Digi routers. The modem firmware update is done using the modem firmware bundle ota CLI commands.
- New EDP client written in Rust: The new client connector for how devices establish their connections to Digi Remote Manager provides a faster connection, reduces data consumption, and includes Watchdog support.
- Serial port configuration copy feature: You can copy the configuration defined for one serial port to other serial ports on the same device.
- Configuration validation and automated rollback to maintain remote access to your devices: Maintain remote access to your devices that have DAL OS 24.9 firmware or newer. Any configuration changes made by a template that result in devices losing connection to Remote Manager are automatically rolled back. To see whether configuration changes were rolled back, you can view the history of a device. For more information, see the Templates user guide.
- Cellular connectivity enhancements:
  - Modem manager has been updated to version 1.22.0.
  - Modems are tracked by name instead of index.
  - Default modem signal/status update interval changed from 30s to 10s.
  - Default PDP context changed from 2 to 1.
  - PDP context ID stored & read from mm.json to ensure stability when updating from 24.6 to 24.9.
- Miscellaneous enhancements:
  - No authentication SMTP option: Send emails without encryption.
  - Download peer settings: If you are using a Digi device as a WireGuard server and you have a lot of client devices connected to it, you now have the option to download the template with all the settings and use it to configure other devices.
  - Confirmation is now required to perform a system factory erase in the CLI.
  - DefaultIP renamed to SetupIP in reporting metrics and CLI configuration.
  - Network type, band, and signal strength are now included in speed test information reported from the device to Digi Remote Manager.
- Modbus hardening: Take a look at the new Modbus hardening topic and use case about enhancing the security and reliability of Modbus communications between devices over your network.

What's coming
When accessing the device locally through the Web UI or CLI, you will be able to see more metrics in Settings > Status, such as connection status and network details. Though not much else changes in this release, the work behind the scenes is foundational. Coming soon, data streams in Digi Remote Manager will be replaced with a comprehensive view about the status of your devices. What you see in the local Web UI or CLI is what you will see in Digi Remote Manager.

Tip: For more information about this release, see the blog post called, "Announcing the Latest Digi Software Solutions for DAL OS 24.9 Firmware" on digi.com.

Additional changes
- Added documentation for the Containers feature.

Changes for AnywhereUSB 2 port feature
- Updated the AnywhereUSB Manager Windows OS install process.
- Updated Use all Hub IPv4 addresses for IPv4 IP addresses only.
- Added documentation for Configure the Include IPv6 Addrs in Autofind option.
- Updated the uninstall process from the Windows Control Panel.
- Updated Create a debug log file with the USB Debug Logging Wizard.

Revision K (August 2024)

- Added documentation for the AnywhereUSB Manager install process for Linux.
- Updated syntax for system time set CLI command.

Revision J (July 2024)

Release of Digi Connect EZ 16/32 firmware version 24.6.

- System time synchronization: You can now configure how often you want your Connect EZ 16/32 to synchronize its system time. Configure the duration of the synchronization (default is set to 1 day), as well as continue to have it synchronize at start-up and when there is a change in the default route. See System time synchronization for more information.
- New Device managed public key setting for WireGuard VPN: For server mode, enable the Connect EZ 16/32 to generate a public and private key pair for a peer. See Configure the WireGuard VPN.
- New metrics views for the Watchdog service: View metrics in the local web UI or use the new CLI command. See test failures in Digi Remote Manager. See Watchdog service.
- Isolate clients setting: Now enabled by default in the Network > SD-WAN > Wi-Fi > Access Points configuration. This prevents all clients attached via Wi-Fi from communicating with other clients on the same access point.
- Enable event log uploads setting: This setting (Monitoring > Device event logs) is now enabled by default. Uploading event logs to Digi Remote Manager now occurs automatically.
- New default trusted zones: Previously, no trusted zones were set up by default, and the service could be accessed from any zone. Now, it can be accessed via three trusted zones: Default, Edge, and IPsec. See Configure the Modbus gateway.

Revision H (April 2024)

Release of Digi Connect EZ 16/32 firmware version 24.3:

- WireGuard VPN - Configure a WireGuard VPN where your device can act as a client or as a server.
- System watchdog - Two new configuration settings:
  - Interface tests - Configure a reboot of the interfaces you configure after a specified amount of time.
  - Modem monitoring - Configure a power cycle of the modem after an initial timeout instead of that timeout being reported as a failure.
- SNMP trap and email notification for events - Configure an SNMP v2 trap and/or email notification to be sent when an event occurs.
- Configure a GRE tunnel - Configure your tunnel to use Ethernet over GRE (GRETAP setting).
- Configure cellular modem(s) - Configure your cellular modem(s) to include or exclude certain 4G bands.
- Serial disconnect - Disconnect any users connected to a serial port configured for one of these modes: Login, Remote Access, PPP Dial-in, or Modem Emulator.
- Serial port information - Display information about the serial ports on the Dashboard.

Tip: For more information about this release, see the blog post called, "Announcing the Latest Digi Software Solutions for DAL OS 24.3 Firmware" on digi.com.

Additional changes
- Added a step for device registration.
- Added information about the altpin feature. See Serial connector pinout.

Revision G (February 2024)

Added information about CORE module installation. See Create a cellular connection using the CORE module.

Updates for AnywhereUSB Plus Hub:
- Updated the User Roles description.
- Documented the Minimum TLS Version option in the Preferences dialog.
- Documented the client ID displayed on the AnywhereUSB Manager title bar.

Trademarks and copyright


Digi, Digi International, and the Digi logo are trademarks or registered trademarks in the United States
and other countries worldwide. All other trademarks mentioned in this document are the property of
their respective owners.
© 2024 Digi International Inc. All rights reserved.

Disclaimers
Information in this document is subject to change without notice and does not represent a
commitment on the part of Digi International. Digi provides this document “as is,” without warranty of
any kind, expressed or implied, including, but not limited to, the implied warranties of fitness or
merchantability for a particular purpose. Digi may make improvements and/or changes in this manual
or in the product(s) and/or the program(s) described in this manual at any time.

Warranty
To view product warranty information, go to the following website:
www.digi.com/howtobuy/terms

Customer support
Gather support information: Before contacting Digi technical support for help, gather the following
information:
- Product name and model
- Product serial number(s)
- Firmware version
- Operating system/browser (if applicable)
- Logs (from time of reported issue)
- Trace (if possible)
- Description of issue
- Steps to reproduce
Contact Digi technical support: Digi offers multiple technical support plans and service packages.
Contact us at +1 952.912.3444 or visit us at www.digi.com/support.

Feedback
To provide feedback on this document, email your comments to
techcomm@digi.com
Include the document title and part number (Digi Connect EZ 16/32 User Guide, 90002540 A) in the
subject line of your email.


Contents

What's coming 3

Digi Connect EZ 16/32 User Guide


Applicable hardware 22

Get started with Connect EZ 16/32


Before you begin: Register your Connect EZ 16/32 23
Step 1: Open the box and remove components needed for the initial install 23
Step 2: Connect the power supply 24
Step 3: Connect to site network using an Ethernet LAN 25
Step 4: Configure RealPort using the Digi Navigator 25
Step 5: Connect to the web UI and update the firmware 28
Step 6: Validate RealPort connection 29
Optional actions 29

Hardware
Connect EZ 16/32 component list 31
Included equipment for Connect EZ 16/32 31
Additional required equipment 32
Optional additional equipment 32
Optional additional cellular equipment 32
Front panel and LEDs 33
Back panel 35
Change the password on the Connect EZ 36
Create a cellular connection using the CORE module 36
Prerequisites 36
Connect to site network using an Ethernet LAN 37
Connect equipment to the Connect EZ serial port 38
Connect equipment to a serial port 38
Serial connector pinout 38
Mount the Connect EZ 16/32 on a rack 39
Power the Connect EZ 16/32 39
Power loss and Connect EZ 16/32 configuration 40
Install an additional power supply unit 40
Use the RESET button to reset your device to the factory defaults 40
Discover the IP address using the Digi Navigator 41
Discover the device's IP address: Additional methods 41

Manually configure the PC and assign an IP address to the device 41
Connect to the local Web UI on the Connect EZ 43
Device label sticker sample 44

Firmware configuration
Review Connect EZ 16/32 default settings 47
Local WebUI 47
Digi Remote Manager 47
Default interface configuration 47
Other default configuration settings 48
Change the default password for the admin user 48
Configuration methods 49
Using Digi Remote Manager 50
Access Digi Remote Manager 50
Using the local web interface 51
Review the dashboard 51
Log out of the web interface 52
Use the local REST API to configure the Connect EZ 16/32 device 52
Use the GET method to return device configuration information 52
Use the POST method to modify device configuration parameters and list arrays 54
Use the DELETE method to remove items from a list array 55
Access the terminal screen from the web UI 56
Using the command line 58
Access the command line interface 58
Log in to the command line interface 58
Exit the command line interface 59

Interfaces
Wide Area Networks (WANs) 61
Wide Area Networks (WANs) and Wireless Wide Area Networks (WWANs) 62
Configure WAN/WWAN priority and default route metrics 62
WAN/WWAN failover 65
Configure SureLink active recovery to detect WAN/WWAN failures 66
Configure the device to reboot when a failure is detected 82
Disable SureLink 95
Example: Use a ping test for WAN failover from Ethernet to cellular 104
Using Ethernet devices in a WAN 106
Using cellular modems in a Wireless WAN (WWAN) 106
Configure a Wide Area Network (WAN) 131
Configure a Wireless Wide Area Network (WWAN) 139
Show WAN and WWAN status and statistics 150
Delete a WAN or WWAN 152
Default outbound WAN/WWAN ports 153
Local Area Networks (LANs) 154
About Local Area Networks (LANs) 155
Configure a Local Area Network (LAN) 155
Configure the ETH1 port as a LAN or in a bridge 162
Change the default LAN subnet 169
Show LAN status and statistics 170
Delete a LAN 172
DHCP servers 173
Default services listening on LAN ports 190

Configure an interface to operate in passthrough mode. 191
Virtual LANs (VLANs) 197
Create a trunked VLAN route 198
Create a VLAN using switchport mode 199
Bridging 202
Configure a bridge 203
Show SureLink status and statistics 206
Show SureLink State 206
Show SureLink status for all interfaces 206
Show SureLink status for a specific interface 207
Show SureLink status for all IPsec tunnels 208
Show SureLink status for a specific IPsec tunnel 208
Show SureLink status for all OpenVPN clients 209
Show SureLink status for a specific OpenVPN client 209
Configure a TCP connection timeout 210

Serial port
Default serial port configuration 211
Serial mode options 211
View serial port information 211
Default serial port configuration 211
Baud rate options 212
Configure Login mode for a serial port 212
Configure Remote Access mode for a serial port 217
Configure Application mode for a serial port 234
Configure PPP dial-in mode for a serial port 237
Configure UDP serial mode for a serial port 244
Configure Modem emulator mode for a serial port 257
Configure Modbus mode for a serial port 260
Copy a serial port configuration 264
Configure RealPort mode using the Digi Navigator 266
Installation and configuration process 267
Digi Navigator features 267
Install the Digi Navigator 267
Configure RealPort on a Digi device from the Digi Navigator 268
Digi Navigator device discovery process 270
Services used to discover a device when connected to a network 270
Digi Navigator application features 275
Advanced RealPort configuration without using the Digi Navigator 278
Windows Operating System 279
Linux Operating System 279
Download the RealPort driver 279
Configure RealPort on your laptop 279
Configure the serial port for RealPort mode 281
Configure the RealPort service 286
Disconnect a user from a serial port 288
Show serial port status and statistics 290
Serial Status page 290
Review the serial port message log 292

Routing
IP routing 295

Configure a static route 296
Delete a static route 299
Policy-based routing 300
Configure a routing policy 301
Routing services 309
Configure routing services 309
Show the routing table 312
Dynamic DNS 313
Configure dynamic DNS 313
Virtual Router Redundancy Protocol (VRRP) 318
VRRP+ 318
Configure VRRP 318
Configure VRRP+ 321
Example: VRRP/VRRP+ configuration 329
Configure device one (master device) 329
Configure device two (backup device) 333
Show VRRP status and statistics 339

Virtual Private Networks (VPN)


IPsec 342
IPsec data protection 342
IPsec mode 342
Internet Key Exchange (IKE) settings 342
Authentication 343
Configure an IPsec tunnel 343
Configure IPsec failover 371
Configure SureLink active recovery for IPsec 374
Show IPsec status and statistics 390
Debug an IPsec configuration 391
Configure a Simple Certificate Enrollment Protocol client 392
Example: SCEP client configuration with Fortinet SCEP server 399
Show SCEP client status and information 404
OpenVPN 407
Configure an OpenVPN server 408
Configure an OpenVPN Authentication Group and User 417
Configure an OpenVPN client by using an .ovpn file 421
Configure an OpenVPN client without using an .ovpn file 424
Configure SureLink active recovery for OpenVPN 428
Show OpenVPN server status and statistics 445
Show OpenVPN client status and statistics 446
Generic Routing Encapsulation (GRE) 448
Configuring a GRE tunnel 448
Show GRE tunnels 453
Example: GRE tunnel over an IPSec tunnel 454
Dynamic Multipoint VPN (DMVPN) 469
Configure a DMVPN spoke 470
L2TP 476
Configure a PPP-over-L2TP tunnel 476
L2TP with IPsec 486
Show L2TP tunnel status 486
L2TPv3 Ethernet 488
Configure an L2TPv3 tunnel 488
Show L2TPv3 tunnel status 492
MACsec 494

Configure a MACsec tunnel 494
NEMO 496
Configure a NEMO tunnel 496
Show NEMO status 501
WireGuard VPN 502
Configure the WireGuard VPN 503

Services
Allow remote access for web administration and SSH 510
Configure the web administration service 513
Configure SSH access 522
Use SSH with key authentication 529
Generating SSH key pairs 529
Configure telnet access 532
Configure DNS 537
Show DNS server 542
Simple Network Management Protocol (SNMP) 544
SNMP Security 544
Configure Simple Network Management Protocol (SNMP) 544
Download MIBs 549
Location information 551
Configure the device to use a user-defined static location 552
Configure the device to accept location messages from external sources 554
Forward location information to a remote host 558
Configure geofencing 565
Show location information 577
Modbus gateway 578
Configure the Modbus gateway 579
Modbus hardening 592
Show Modbus gateway status and statistics 594
System time synchronization 597
Configure the system time synchronization 597
Manually set the system date and time 601
Network Time Protocol 602
Configure the device as an NTP server 602
Show status and statistics of the NTP server 607
Configure a multicast route 608
Ethernet network bonding 611
Enable service discovery (mDNS) 615
Use the iPerf service 619
Example performance test using iPerf3 622
Configure the ping responder service 623
Example performance test using iPerf3 626
Configure AnywhereUSB services 627

Applications
Develop Python applications 634
Set up the Connect EZ 16/32 for Python development 635
Create and test a Python application 635
Python modules 639
Set up the Connect EZ 16/32 to automatically run your applications 670
Configure scripts to run automatically 670

Show script information 677
Stop a script that is currently running 678
Start an interactive Python session 679
Run a Python application at the shell prompt 680
Configure scripts to run manually 681
Task one: Upload the application 682
Task two: Configure the application to run automatically 683
Start a manual script 687

User authentication
Connect EZ 16/32 user authentication 690
User authentication methods 690
Add a new authentication method 692
Delete an authentication method 694
Rearrange the position of authentication methods 695
Authentication groups 697
Change the access rights for a predefined group 699
Add an authentication group 701
Delete an authentication group 705
Local users 707
Change a local user's password 708
Configure a local user 710
Delete a local user 718
Terminal Access Controller Access-Control System Plus (TACACS+) 721
TACACS+ user configuration 722
TACACS+ server failover and fallback to local authentication 723
Configure your Connect EZ 16/32 device to use a TACACS+ server 723
Remote Authentication Dial-In User Service (RADIUS) 728
RADIUS user configuration 729
RADIUS server failover and fallback to local configuration 729
Configure your Connect EZ 16/32 device to use a RADIUS server 730
LDAP 733
LDAP user configuration 735
LDAP server failover and fallback to local configuration 736
Configure your Connect EZ 16/32 device to use an LDAP server 736
Configure serial authentication 741
Disable shell access 743
Set the idle timeout for Connect EZ 16/32 users 745
Example user configuration 747
Example 1: Administrator user with local authentication 747
Example 2: RADIUS, TACACS+, and local authentication for one user 749

Firewall
Firewall configuration 757
Create a custom firewall zone 757
Configure the firewall zone for a network interface 759
Delete a custom firewall zone 760
Port forwarding rules 762
Configure port forwarding 762
Delete a port forwarding rule 767
Packet filtering 769
Configure packet filtering 769

Enable or disable a packet filtering rule 773
Delete a packet filtering rule 774
Configure custom firewall rules 776
Configure Quality of Service options 778
Web filtering 787
Configure web filtering with Cisco Umbrella 787
Configure web filtering with manual DNS servers 790
Verify your web filtering configuration 793
Show web filter service information 795

Containers
Use Digi Remote Manager to deploy and run containers 797
Use an automation to start the container 800
Upload a new LXC container 801
Configure a container 802
Starting and stopping the container 807
Starting the container 807
Stopping the container 808
View the status of containers 808
Show status of all containers 809
Show status of a specific container 809
Schedule a script to run in the container 810
Create a custom container 812
Create the custom container file 812
Test the custom container file 813

Containers
Use Digi Remote Manager to deploy and run containers 816
Use an automation to start the container 819
Upload a new LXC container 820
Configure a container 821
Starting and stopping the container 826
Starting the container 826
Stopping the container 827
View the status of containers 827
Show status of all containers 828
Show status of a specific container 828
Schedule a script to run in the container 829
Create a custom container 831
Create the custom container file 831
Test the custom container file 832

System administration
Review device status 835
Configure system information 836
Update system firmware 838
Manage firmware updates using Digi Remote Manager 838
Certificate management for firmware images 839
Downgrading 839
Dual boot behavior 843

Update cellular module firmware 844
Update modem firmware over the air (OTA) 845
Update modem firmware by using a local firmware file 847
External storage 848
Configure external storage on an SD card 848
Configure external storage on a network server 849
Configure log location 850
Reboot your Connect EZ 16/32 device 850
Reboot your device immediately 850
Schedule reboots of your device 851
Erase device configuration and reset to factory defaults 853
Custom factory default settings 856
Locate the device by using the Find Me feature 858
Enable FIPS mode 859
Configuration files 862
Save configuration changes 862
Save configuration to a file 863
Restore the device configuration 864
Schedule system maintenance tasks 867
Disable device encryption 872
Re-enable cryptography after it has been disabled. 873
Configure the speed of your Ethernet ports 874
Watchdog service 876
Configure the Watchdog service 876
View Watchdog metrics 879

Monitoring
intelliFlow 883
Enable intelliFlow 884
Configure service types 886
Configure domain name groups 888
Use intelliFlow to display average CPU and RAM usage 891
Use intelliFlow to display top data usage information 892
Use intelliFlow to display data usage by host over time 894
Configure NetFlow Probe 895

Central management
Digi Remote Manager support 901
Certificate-based enhanced security 901
Configure your device for Digi Remote Manager support 901
Collect device health data and set the sample interval 908
Event log upload to Digi Remote Manager 911
Reach Digi Remote Manager on a private network 913
Pinhole method 913
Proxy server method 913
VPN Tunnel method 913
Log into Digi Remote Manager 913
Use Digi Remote Manager to view and manage your device 915
Add a device to Remote Manager 915
Add a device to Remote Manager using information from the label 915
Add a device to Remote Manager using your Remote Manager login credentials 916
Configure multiple Connect EZ 16/32 devices by using Digi Remote Manager configurations 917

View Digi Remote Manager connection status 918
Learn more 919

File system
The Connect EZ 16/32 local file system 921
Display directory contents 921
Create a directory 922
Display file contents 923
Copy a file or directory 923
Move or rename a file or directory 924
Delete a file or directory 925
Upload and download files 926
Upload and download files by using the WebUI 926
Upload and download files by using the Secure Copy command 927
Upload and download files using SFTP 928

Diagnostics
Perform a speedtest 931
Generate a support report 931
Support report overview 932
View system and event logs 936
View System Logs 936
View Event Logs 938
Configure syslog servers 941
Configure options for the event and system logs 943
Configure an email notification for a system event 948
Configure an SNMP trap for a system event 948
Analyze network traffic 950
Configure packet capture for the network analyzer 951
Example filters for capturing data traffic 960
Capture packets from the command line 961
Stop capturing packets 962
Show captured traffic data 963
Save captured data traffic to a file 964
Download captured data to your PC 965
Clear captured data 966
Use the ping command to troubleshoot network connections 968
Ping to check internet connection 968
Stop ping commands 968
Use the traceroute command to diagnose IP routing problems 968

AnywhereUSB 2 Plus USB ports on a Connect EZ 16/32


Get started 970
Step 1: Install the AnywhereUSB Manager 970
Service 975
Stand-alone 976
Script: Initial configuration 982
Step 2: Enable the AnywhereUSB Service 984
Step 3: Name groups and assign ports to a group 985
Step 4: Assign groups to a client ID 985

Step 5: Connect to a group of USB ports 986
Step 6: Connect to a USB device in a group 986
Manage the Hubs using the AnywhereUSB Manager 988
Launch the AnywhereUSB Manager 989
AnywhereUSB Manager overview: Status panes, menus, and icons 989
Multiple user accounts with the same client ID 997
AnywhereUSB Manager was uninstalled and then reinstalled 997
AnywhereUSB Manager created a new certificate 998
Step 1: Remove the Hub certificate 998
Step 2: Add the Hub certificate to the Manager 998
Problem: TCP port is not configured correctly 999
Problem: Hub is offline 999
Problem: Invalid Hub certificate 999
Problem: Hub has a different IP address 999
Problem: Network issue blocking access 999
Problem: Duplicate Hub 1000
Problem: Old version of AnywhereUSB Manager 1000
Problem: Incompatible Hub 1000
Problem: Client ID has not been added to the Hub 1000
Problem: Initial connection 1001
Configure the Auto-register Hub Cert feature 1002
Autofind Hubs and Include IPv6 Addrs in Autofind options 1003
Rename AnywhereUSB Hubs, groups, and USB devices 1006
Disconnect from a group or a USB device 1007
Configure the auto-connect feature for a group 1009
Manage the list of known Hubs 1010
Hide an individual Hub 1012
Hide all unauthorized Hubs 1013
Use all Hub IPv4 addresses 1014
Specify search, response, and keepalive intervals for a Hub 1014
Configure the minimum TLS version 1015
Manage Hub credentials 1015
Assign Device Address (use the same virtual port number) 1017
View the AnywhereUSB Manager system messages 1018
Restore AnywhereUSB Manager default configuration 1019
Manage USB isochronous transfers for audio and video streams 1019
Create support log file 1020
Access the online help from the AnywhereUSB Manager 1021
Always display the AnywhereUSB Manager on top 1021
Minimize the AnywhereUSB Manager when launched 1021
View AnywhereUSB Manager version and license information 1021
View latency graph 1022
Stop and start the AnywhereUSB Manager Windows service 1022
Stop and start the Linux headless AnywhereUSB Manager 1023
Power loss and Hub configuration 1023
Exit the AnywhereUSB Manager 1023
Power cycle feature 1024
Cycle the power to a USB device connected to the Hub from the AnywhereUSB Manager 1025
Cycle the power to a port on a Hub from the web UI 1025
Cycle the power to a device when it disconnects from a PC 1026
Configure and manage the AnywhereUSB Hub in the web user interface 1028
AnywhereUSB Configuration page 1028
AnywhereUSB Status page 1029
Open the web UI to manage the AnywhereUSB ports 1031
Rename a Hub and the groups in a Hub 1032

Configure and manage client IDs 1033
Automatically register or reject unknown clients 1036
Block a client ID from connecting to groups 1039
View Hub system information 1040
Configure device identity settings 1042
View current connections to the Hub 1042
Manually configure the PC and assign an IP address to a Hub 1043
Create a debug log file with the USB Debug Logging Wizard 1044
AnywhereUSB Manager reference 1046
User roles 1046
Terminology 1048
Client ID overview 1049
Install the AnywhereUSB Manager using Windows 2019 Server Core edition 1050
Uninstall the Manager from the Windows Control Panel 1051
Uninstall the AnywhereUSB Manager on a Windows OS using the original installer 1051
Uninstall the AnywhereUSB Manager using Windows 2019 Server Core edition 1054
Stop and start the Linux headless AnywhereUSB Manager 1055
Update the AnywhereUSB Manager: Linux 1055
Uninstall the AnywhereUSB Manager: Linux 1055
Connect to a group or USB device in the AnywhereUSB Manager 1056
Command line interface: AnywhereUSB Manager 1058
Create a new client ID from the CLI 1058
autoconnect clear all 1058
autoconnect clear group 1059
autoconnect group 1060
autofind 1062
connect device 1063
connect group 1064
device info 1065
device name 1066
disconnect device 1066
disconnect group 1068
exit 1069
group info 1069
group name 1070
hidden hub add 1070
hidden hub list 1071
hidden hub remove 1072
hidden hub remove all 1072
help 1073
hub info 1073
hub name 1074
known hub add 1075
known hub list 1075
known hub remove 1076
known hub remove all 1077
list 1077
list full 1078
power cycle 1079
Command line interface: Hub 1081
config service anywhereusb enable 1081
config service anywhereusb port 1081
config service anywhereusb groups 1081
config service anywhereusb clients 1083
config service anywhereusb autoreg 1084

config service anywhereusb client_block_duration 1084
powercycle port 1084
power_cycle_on_unbind 1085
use all hub addresses 1085
Troubleshooting 1087
AnywhereUSB Manager client ID is not unique 1087
No remote Hubs found 1087
Hide a group in the AnywhereUSB Manager 1088
Microsoft Windows restrictions 1088
Allow remote access to USB devices 1088
Hub connection is taking too long 1089
Red X icon next to a Hub in the AnywhereUSB Manager 1089

Command line interface


Access the command line interface 1091
Log in to the command line interface 1091
Exit the command line interface 1092
Execute a command from the web interface 1092
Display help for commands and parameters 1093
The help command 1093
The question mark (?) command 1093
Display help for individual commands 1094
Use the Tab key or the space bar to display abbreviated help 1095
Auto-complete commands and parameters 1095
Available commands 1096
Use the scp command 1097
Display status and statistics using the show command 1099
show config 1099
show system 1099
show network 1100
Device configuration using the command line interface 1100
Execute configuration commands at the root Admin CLI prompt 1100
Display help for the config command from the root Admin CLI prompt 1101
Configuration mode 1102
Enable configuration mode 1102
Enter configuration commands in configuration mode 1102
Save changes and exit configuration mode 1103
Exit configuration mode without saving changes 1103
Configuration actions 1104
Display command line help in configuration mode 1104
Move within the configuration schema 1107
Manage elements in lists 1108
The revert command 1110
Enter strings in configuration commands 1112
Example: Create a new user by using the command line 1112
Command line reference 1115
ain calibrate 1115
ain calibration-reset 1115
analyzer clear 1115
analyzer save 1115
analyzer start 1116
analyzer stop 1116
cat 1116
clear dhcp-lease ip-address 1116

clear dhcp-lease mac 1116
config system storage mount 1117
config system storage partition 1117
config system storage used percent 1117
cp 1117
dio state 1118
grep 1118
help 1118
ls 1119
mkdir 1120
modem at 1120
modem at-interactive 1120
modem firmware bundle ota check 1120
modem firmware bundle ota download 1120
modem firmware bundle ota list 1121
modem firmware bundle ota update 1121
modem firmware check 1121
modem firmware list 1121
modem firmware ota check 1122
modem firmware ota download 1122
modem firmware ota list 1122
modem firmware ota update 1122
modem firmware update 1123
modem pin change 1123
modem pin disable 1123
modem pin enable 1124
modem pin status 1124
modem pin unlock 1124
modem puk status 1124
modem puk unlock 1125
modem reset 1125
modem scan 1125
modem sim-slot 1125
modem sms send 1126
modem sms send-binary 1126
monitoring metrics upload 1126
monitoring 1127
monitoring metrics upload 1127
more 1127
mv 1127
ping 1127
poweroff 1128
reboot 1128
rm 1128
scp 1129
show ain 1129
show analyzer 1129
show arp 1129
show cloud 1130
show config 1130
show dhcp-lease 1130
show dio 1130
show dns 1130
show eth 1131
show event 1131

show hotspot 1131
show ipsec 1131
show l2tp lac 1132
show l2tp lns 1132
show l2tpeth 1132
show location 1132
show log 1132
show manufacture 1133
show modbus-gateway 1133
show modem 1133
show nemo 1133
show network 1134
show ntp 1134
show openvpn client 1134
show openvpn server 1134
show route 1135
show scep-client 1135
show scripts 1135
show serial 1135
show surelink interface 1136
show surelink ipsec 1136
show surelink openvpn 1136
show surelink state 1136
show system 1136
show version 1137
show vrrp 1137
show web-filter 1137
iperf 1137
ssh 1138
system backup 1138
system cloud register 1138
system disable-cryptography 1139
system duplicate-firmware 1139
system factory-erase 1139
system find-me 1139
system firmware ota check 1140
system firmware ota list 1140
system firmware ota update 1140
system firmware update 1140
system power ignition off_delay 1140
system restore 1141
system script start 1141
system script stop 1141
system serial clear 1141
system serial copy 1141
system serial ipport 1142
system serial restart 1142
system serial save 1143
system serial show 1143
system storage format 1143
system storage mount 1143
system storage show 1143
system storage unmount 1144
system support-report 1144
system time set 1144

system time sync 1145
system time test 1145
tail 1145
telnet 1145
traceroute 1145
vtysh 1146

Safety warnings
English 1147
Bulgarian--български 1147
Croatian--Hrvatski 1147
French--Français 1147
Greek--Ελληνικά 1147
Hungarian--Magyar 1147
Italian--Italiano 1148
Latvian--Latvietis 1148
Lithuanian--Lietuvis 1148
Polish--Polskie 1148
Portuguese--Português 1148
Slovak--Slovák 1148
Slovenian--Esloveno 1148
Spanish--Español 1149

Digi Connect EZ 16/32 regulatory and safety statements


RF exposure statement 1150
Federal Communication (FCC) Part 15 Class B 1150
Radio Frequency Interference (RFI) (FCC15.105) 1150
European Community - CE Mark Declaration of Conformity (DoC) 1151
CE and UKCA OEM labeling requirements 1151
CE labeling requirements 1151
UK Conformity Assessed (UKCA) labeling requirements 1152
RoHS compliance statement 1153
Cautionary statements for Connect EZ 16/32 1153
Residential environment warnings 1153
Product disposal instructions 1153

Digi Connect EZ 16/32 User Guide
This guide provides reference and usage information for the Connect EZ 16/32.
Digi Connect EZ is Digi’s next generation Device Server product line, providing connectivity for existing
critical assets in business, commercial, and industrial automation applications. This product line
builds on and extends the capabilities of our previous PortServer and Digi One products along with
enhanced manageability, security, intelligence, and performance, while offering seamless connectivity
for existing applications.

Applicable hardware
This user guide contains information for these Connect EZ 16/32 models. Hardware features are
shown in the table below.

Name | SKU | MEI | Serial ports | AnywhereUSB USB ports | Core module and 2 antenna ports
--- | --- | --- | --- | --- | ---
Connect EZ 16 | EZ16-A100 | | 16 | 2 | X
Connect EZ 16 MEI | EZ16-C100 | X | 16 | 2 | X
Connect EZ 32 | EZ32-A100 | | 32 | 2 | X
Connect EZ 32 MEI | EZ32-C100 | X | 32 | 2 | X

Get started with Connect EZ 16/32
This section explains what comes with each Connect EZ model, how to install the necessary software,
and how to connect the hardware.
For a list of the Connect EZ 16/32 variants, see the applicable hardware list.

Before you begin: Register your Connect EZ 16/32


Welcome to the Digi family! Register your new Connect EZ 16/32 today and start enjoying a suite of
exclusive benefits, including centralized management and 24/7 technical support. Click here to
register now!

Step 1: Open the box and remove components needed for the initial install
You will need:

Equipment: Description

Connect EZ 16 OR Connect EZ 32:
Note This image is of Connect EZ 32. The Connect EZ 16 has a blank panel covering
the top row of serial ports.

Ethernet cable: Ethernet cable/RJ45 straight-through.
Note One Ethernet cable is included in the box, but you will need two Ethernet
cables to complete the initial set up.

Loopback plug: RJ45M serial loopback plug is included for use with testing.

Welcome card: The password used to log into the web UI for the device is printed on the
back of the card.

For information about all of the Connect EZ 16/32 components, see Connect EZ 16/32 component list.
In addition to the components in the box, you will need to supply the following:

Equipment: Description

Power cord: A national mains power cord. Depending on the device variant ordered, a power
cord may be supplied. At least one power cord is required to power the device. If
your device is dual-powered, a second power cord is recommended.
For AC power supplies: Use an appropriate power cable meeting national standards
to connect to a standard outlet.
- EU/International: VDE Mark, conforming to IEC 60083, IEC 60227, or IEC
60320, with C13 to the appropriate national mains connector rated for 16A at
250V.
- USA/Canada: UR or UL Mark, conforming to UL 62, UL 817, or CSA-C22.2, with
C13 to 5-15P, or NEMA locking connector rated for 10A at 125V.

Step 2: Connect the power supply


1. Orient the device so the back of the device is facing you.

2. Connect the power cord to at least one power supply on the device.
3. Plug the other end of the power cord to a main power supply.
4. If your device is dual-powered, repeat the process for the second power supply.


Note If your device is single-powered, you can purchase and install an additional power supply unit.
See Install an additional power supply unit.

Step 3: Connect to site network using an Ethernet LAN


1. Orient the device so the front of the device is facing you.
2. Connect one end of an Ethernet cable to your site network.
3. Connect the other end of the Ethernet cable to the ETH 1 port on the Connect EZ.

Step 4: Configure RealPort using the Digi Navigator


In this step, you will download and install Digi Navigator and configure RealPort.

1. Connect one end of the second Ethernet cable to the ETH 2 port on your device and the other
end to your computer or local network.

2. Download the Digi Navigator.


a. Navigate to the Digi Navigator support page.
b. Scroll down to the Product Resources tab, and in the Drivers & Patches section, click
Digi Navigator.
c. From the list box, select the appropriate Microsoft Windows option from the list of driver
options.
d. Click the download link to download the Digi Navigator application.
3. When the download is complete, click on the downloaded .exe file. The Digi Navigator Setup
wizard displays.
4. Select which user(s) should be able to launch the Digi Navigator from this computer after it
has been installed:
- Anyone who uses this computer (all users): Any user who logs into this computer can
launch the Digi Navigator.
- Only for me. Only the user who was logged in to this computer when the Digi
Navigator was installed can launch the Digi Navigator. This is the default.

5. Click Install. The Completing Digi Navigator Setup screen displays.


6. Choose the Run Digi Navigator option to launch the Navigator when the installation is
complete.

7. Click Finish to complete the installation process. When installation is complete, the Digi
Navigator is launched.
8. The Digi Navigator discovers the Connect EZ 16/32 devices that are powered on and
connected to your network. When the process is complete, a list of the devices on your
network appears.
9. If more than one device is displayed in the list, you can verify the device you are working on by
looking at the unique serial number for the device on the back of the device's Welcome card.


10. Configure RealPort on the device.


a. Click the Configure device for RealPort button.

b. A login screen for the device's web UI displays.


c. Enter the device's default user name and password in the appropriate fields. The default
user name is admin and the default password is the unique password printed on the label
packaged with your device.
d. Click Submit. A progress message displays.
e. When RealPort configuration is complete, the Success message displays.

f. Click Close to close the message.


11. Configure RealPort on your computer. The RealPort service is installed during this process.
a. Click Configure this PC for RealPort.

b. The Select starting COM list box displays.


c. Select the COM port that should be configured for RealPort. The first available port
displays by default.
d. Click Submit. A series of progress messages displays.
e. When the configuration is complete, a message displays.

f. Click Close to close the message. Configuration is complete.

Step 5: Connect to the web UI and update the firmware


1. From the Digi Navigator, find your device.

2. Click Open. The login screen for the web UI launches.


3. Enter the user name and password for the Connect EZ 16/32 in the Username and Password
fields.
- User name: Admin
- Password: The unique password is printed on the device label and also on the label
attached to the back of the Welcome card.
4. Click Login.


5. On the main menu, click System > Administration > Firmware Update.

Click Download from server.

6. For Version:, select the most recent version of the device firmware.
7. Click Update Firmware.

Step 6: Validate RealPort connection


You can test your connection to a serial port using the loopback plug.

Note Before you begin, make sure a terminal emulator is installed on your laptop.

1. Insert the loopback plug into one of the serial ports on the Connect EZ 16/32.

2. Open your terminal emulator.


3. Select the serial port to which the loopback plug is connected. The port description includes
the name of the device, the port number on the device, and related COM port. For example:
"COM1: EZ01-E00028-Port 1 (COM1)"
4. Open the port. When the connection has been made, the serial port LED is solid green.
5. Type data (such as "Hello" or "test") into the terminal emulator. The yellow serial port LED
flashes as you type.
- When the loopback plug is inserted, the data will echo back to you.
- If you remove the loopback plug, the data will not echo back to you.
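
The loopback check in Step 6 can also be scripted, which helps when validating many ports. The following is an added example, not part of the Digi guide or Digi software: it writes a payload to a port and classifies what comes back. It assumes the third-party pyserial package for real COM ports; the port name, the 9600 baud rate and the FakeLoopbackPort class (a constructed stand-in so the code runs without hardware) are assumptions of this example.

```python
"""Loopback echo check for a RealPort-mapped serial port (added example)."""
import os
import time


class FakeLoopbackPort:
    """Constructed stand-in for a serial port; echoes writes when the plug is in."""

    def __init__(self, plug_inserted=True, chunk=4):
        self.plug_inserted = plug_inserted
        self._chunk = chunk
        self._buffer = bytearray()

    def write(self, data):
        # With the loopback plug inserted, transmitted bytes arrive on receive.
        if self.plug_inserted:
            self._buffer.extend(data)
        return len(data)

    def read(self, size=1):
        # Hand data back in small chunks, as a real UART often does.
        n = min(size, self._chunk, len(self._buffer))
        out = bytes(self._buffer[:n])
        del self._buffer[:n]
        return out


def loopback_check(port, payload=None, timeout=2.0):
    """Write payload and collect the echo until it is complete or time runs out.

    Returns "echo-ok", "no-echo", "partial-echo" or "corrupted-echo".
    """
    if payload is None:
        # Random data, so stale bytes left in a buffer cannot pass as an echo.
        payload = os.urandom(32)
    port.write(payload)
    received = bytearray()
    deadline = time.monotonic() + timeout
    while len(received) < len(payload) and time.monotonic() < deadline:
        chunk = port.read(len(payload) - len(received))
        if chunk:
            received.extend(chunk)
        else:
            time.sleep(0.01)
    if not received:
        return "no-echo"          # plug removed, wrong port, or port not open
    if bytes(received) == payload:
        return "echo-ok"
    if payload.startswith(bytes(received)):
        return "partial-echo"     # echo started but did not finish in time
    return "corrupted-echo"       # bytes came back but do not match


def check_com_port(name, baudrate=9600):
    """Run the check on a real port such as "COM1" (assumed name and baud rate)."""
    import serial  # pyserial; imported here so the module loads without it

    with serial.Serial(name, baudrate=baudrate, timeout=0.2) as port:
        port.reset_input_buffer()
        return loopback_check(port)


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        print(sys.argv[1], check_com_port(sys.argv[1]))
    else:
        print("plug inserted:", loopback_check(FakeLoopbackPort(True)))
        print("plug removed: ", loopback_check(FakeLoopbackPort(False), timeout=0.2))
```

Run it with a COM port name as the only argument to test real hardware; with no argument it exercises the constructed fake port.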

Optional actions
The actions below are optional set-up items.


Action: Description

Power supply: If desired, you can order an additional power supply unit and install it. This
unit enables you to have two power supplies for one device.
- EZPS-AC: Connect EZ 16/32 power supply kit, port-side intake. The thumb
screws used to connect the items to the Connect EZ are red.
See Install an additional power supply unit.

Cellular connection: If you want to use a cellular connection to the Connect EZ 16/32, you can
connect the Digi CORE module and cellular antennas to the Connect EZ hardware.
See Create a cellular connection using the CORE module.

Mount the device: You can mount the device on a rack.
See Mount the Connect EZ 16/32 on a rack.

Connect to Digi Remote Manager: Connect to Digi Remote Manager to remotely manage a large
number of devices.
See Central management.

AnywhereUSB ports: Your Connect EZ 16/32 includes two USB ports, which act as an AnywhereUSB 2
Plus Hub. The USB ports can only be used in conjunction with the
AnywhereUSB Manager, which must be installed separately.
See AnywhereUSB 2 Plus USB ports on a Connect EZ 16/32.

Hardware

Connect EZ 16/32 component list


Verify that you have the following included equipment.

Included equipment for Connect EZ 16/32


These components are included in the box.

Equipment: Description

Connect EZ 16, Connect EZ 32:
Note This image is of Connect EZ 32. The Connect EZ 16 has a blank panel covering
the top row of serial ports.
For detailed information about the panels, see:
- Front panel and LEDs
- Back panel

Ethernet cable: Ethernet cable/RJ45 straight-through.
Connect to a site network using an Ethernet cable. See Connect to site network
using an Ethernet LAN.

Console Adapter: RJ45F to DB9F RS232 Serial adapter.
Connect the console adapter to a straight-through RJ45 cable, and then connect
that cable to the Console port on the front of the device.

Mounting bracket: The Connect EZ 16/32 ships with rack mount ears pre-attached.
For mounting instructions, see Mount the Connect EZ 16/32 on a rack.

Loopback cable: RJ45M serial loopback cable is included for use with testing.

Device label sticker: A label sticker that includes information about the device is attached
to the Welcome card. You should retain this label sticker and card with your hardware
records. For more information about the label, see Device label sticker sample.
Note This label includes the unique default password for the device. This unique
password will be needed if the device is factory reset and you want to access the
web UI on the device.

Additional required equipment

Equipment: Description

Power cord: A national mains power cord. Depending on the device variant ordered, a power
cord may be supplied. At least one is required to power the device. If your device is
dual-powered, a second power cord is recommended.
For AC power supplies: Use an appropriate power cable meeting national standards
to connect to a standard outlet.
- EU/International: VDE Mark, conforming to IEC 60083, IEC 60227, or IEC
60320, with C13 to the appropriate national mains connector rated for 16A at
250V.
- USA/Canada: UR or UL Mark, conforming to UL 62, UL 817, or CSA-C22.2, with
C13 to 5-15P, or NEMA locking connector rated for 10A at 125V.
For information about connecting the power supply, see Power the Connect EZ
16/32.

Optional additional equipment

Equipment: Description

Power supply unit: Each Connect EZ 16/32 has one power supply installed by default. You can
order a dual-powered device with two power supplies installed by default, or you can
purchase a second power supply unit and install it.
- EZPS-AC: Connect EZ 16/32 power supply unit, port-side intake. The thumb
screws used to connect the items to the Connect EZ are red.
See Install an additional power supply unit.

Optional additional cellular equipment


These items are only needed if you are using a CORE module to connect to a cellular network.
For more information, see Create a cellular connection using the CORE module.

Equipment: Description

CORE module:
Note A SIM card is also required.

SIM card: An activated SIM card provided by your cellular network operator. You can insert
up to two SIM cards in the CORE module. See Create a cellular connection using
the CORE module.
The CORE module supports the standard mini-SIM cards (2FF).

LTE Antenna (2): Up to two LTE antennas can be attached. See Create a cellular connection
using the CORE module.

Front panel and LEDs

Item - Name: Description

1 - Micro-SD: Insert an SD card.

2 - Console: Connect the RJ45F to DB9F RS232 console adapter to the Console port.

3 - USB 3.0 1, USB 3.0 2: The two USB ports act as an AnywhereUSB 2 Plus Hub. The USB ports
can only be used in conjunction with the AnywhereUSB Manager, which must be installed
separately.
You can use the Manager to connect to and monitor the devices connected
to the USB ports. You can configure the AnywhereUSB service and
Manager from the Connect EZ 16/32 web UI.
See AnywhereUSB 2 Plus USB ports on a Connect EZ 16/32.

4 - SFP+ 1, SFP+ 2: Connect an SFP+ transceiver module for fiber connection, such as Finisar
Network FTLX8574D3BCL SFP+.
Note This is available on all models except for the Connect EZ 8 model
(EZ08-A100).
Note Connect EZ 16/32 can support both a copper port and an SFP+
port at the same time. If an SFP+ port is enabled, the SFP+ port LED will
illuminate if an SFP+ transceiver is installed, regardless of whether the
optical/fiber cable is connected end-to-end.

5 - ETH 1: Use the ETH 1 port to connect the device to your local network using an
Ethernet cable. See Connect to site network using an Ethernet LAN.
The ETH 1 LED shows the status of the connection.
- Yellow (right): There is activity on the port.
- Green (left): The port is in use.

5 - ETH 2: Use the ETH 2 port to connect to a second Ethernet port. This is useful
for redundancy or if you have more than one network.
The ETH 2 LED shows the status of the connection.
- Yellow (right): There is activity on the port.
- Green (left): The port is in use.

6 - Serial ports 1-16 OR 1-32: Use the serial ports to connect devices and equipment to the
Connect EZ 16/32. See Connect equipment to the Connect EZ serial port.
The serial port LED shows the status of the connection.
- Yellow (right): The port is in use. The LED may be solid or blink,
depending on the traffic speed.
- Green (left): A device is connected to the port.

7 - Fan1 LED: The LED shows the status of Fan1 that is included with PSU1, which is on
the right side of the back of the device.
- Solid green: The fan is running within normal range of use.
- Solid red: The fan slows down or the device is overheating.

7 - Fan2 LED: The LED shows the status of Fan2 that is included with PSU2, which is on
the left side of the back of the device.
- Solid green: The fan is running within normal range of use.
- Solid red: The fan slows down or the device is overheating.

7 - Sys. Fan LED: The LED shows the status of Sys. Fan, which is the fan on the back of the
device that is not associated with a PSU (power supply unit).
- Solid green: The fan is running within normal range of use.
- Solid red: The fan slows down or the device is overheating.

8 - PSU1 LED: The LED shows the status of power supply and fan unit on the left. This
power supply and fan unit is factory-installed.
- Solid blue: The device is powered on.
- Solid red: The device is not powered or the supply has failed.

8 - PSU2 LED: The LED shows the status of power supply and fan unit on the right. This
power supply and fan unit is optional.
- Solid blue: The device is powered on.
- Solid red: The device is not powered or the supply has failed.

8 - User LED: LED used for the Find Me feature. When this feature is activated, the LED
blinks orange and then green.

9 - WWAN Signal LED: Shows the strength of the WWAN signal.

9 - WWAN Service LED: Shows the status of the WWAN service.

Back panel

Item - Name: Description

1 - PSU2: A location for an optional second power supply for devices that are
dual-powered.
Your device may have a second power supply installed from the factory, but if
not you can purchase a second power supply unit and install it.
See Install an additional power supply unit.
The second power supply allows for additional power for the device.
See Power the Connect EZ 16/32.

2 - WWAN1, WWAN2: Attach cellular antennas if the CORE module is used to complete a cellular
connection. The antenna mounts are covered with a black button that can be
removed.
See Create a cellular connection using the CORE module.

3 - Core Module: Insert a Digi Core Modem to complete a cellular connection.
Use these thumb screws to remove the CORE module plate so that you can
insert the CORE module.
See Create a cellular connection using the CORE module.

4 - Reset: Press the Reset button to reset the device to the factory default settings. See
Use the RESET button to reset your device to the factory defaults.

5 - System Fan: Provides air flow for the device.

6 - PSU1: The power supply for a device.
See Power the Connect EZ 16/32.


Change the password on the Connect EZ


The unique, factory-assigned password for the default admin user account is printed on the bottom
label of the device and on the loose label included in the package. For ease of use, you may want to
change the password from the default.
If you erase the device configuration or reset the device to factory defaults, the password for the
admin user will revert to the original, factory-assigned default password.

1. Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
2. On the menu, click System > Device Configuration. The Configuration window appears.

3. Click Authentication > Users > Admin.


4. For Password, enter the new password. The password must be at least eight characters long
and must contain at least one uppercase letter, one lowercase letter, one number, and one
special character.

5. Click Apply to save the configuration and apply the change.

For more detailed information about this process, see Change the default password for the admin
user.

Create a cellular connection using the CORE module


This section explains how to connect the Digi CORE® module and cellular antennas to the Connect EZ
hardware.

Note As an alternative, you can also use an Ethernet LAN connection. See Connect to site network
using an Ethernet LAN.

Prerequisites
- Activated SIM card from your cellular network provider.
- Digi CORE module. This is purchased separately.
To connect the hardware and connect to the cellular network:


1. Make sure that your device is powered down before removing or installing the module.
CORE modules are not hot-swappable.
2. Insert your activated SIM card into the CORE module. The notched end of SIM card should be
inserted first, with the gold metal contacts facing down. You will hear a click once the SIM is
completely inserted.

Note If one SIM card is being used, insert the SIM card into the SIM 1 slot.

3. Insert the CORE module into the device.


a. Orient the device so the front of the device is facing you.
b. Unscrew the CORE module slot cover from the back of the device.
c. Insert the CORE module into the slot. Make sure the pin holes on the back of the module
match the location of the pins in the slot.
d. Push the module into the slot.
e. Push the white handle down until you hear it click.
f. Optionally, you can screw one of the CORE module cover screws into the center of the
handle.
g. Place the CORE module cover over the end of the device. Make sure that the antenna
labels are oriented correctly.
h. Push the cover in place.
4. Attach both of the cellular antennas. While gripping the metal connector section with your
thumb and forefinger, tighten until secure. Do not tighten the antenna by holding any part of
the plastic antenna housing.
5. Plug the power supply cord into at least one of the power supplies on the back of the device.
6. Plug the power supply unit into an AC power outlet to power up the Connect EZ.

Connect to site network using an Ethernet LAN


This section explains how to connect to a site network using an Ethernet cable.

1. Connect one end of an Ethernet cable to your site network.


2. Connect the other end of the Ethernet cable to either the ETH 1 or the ETH 2 port on the
Connect EZ. By default a DHCP request will be sent to the local Ethernet network.

Note If you do not have a DHCP server on your network, you can connect locally over 192.168.210.1.
See Using the local web interface.

Connect equipment to the Connect EZ serial port
After your device is connected and powered up, you can connect equipment to the device using the
serial ports.
The serial port on the Connect EZ provides console access to connected critical equipment through a
connected Ethernet LAN. Connect your network device to the Connect EZ serial port. For pinout
information, see Serial connector pinout.
You must use a cable with an RJ45 (10 pin) connector to connect to a serial port on the Connect EZ.
Consult the user guide for the device you are connecting to the Connect EZ to determine the
connector type, cable type, and pinout positions for your specific device.
The serial port is enabled by default. The network devices connected to the serial port may be
accessed using RealPort, Digi Remote Manager, the local web user interface, TCP, telnet, or SSH
connections. TCP, telnet and SSH connections to serial ports are disabled by default and must be
enabled by a device-specific configuration.

Connect equipment to a serial port


You can connect equipment to a serial port on the Connect EZ 16/32, and access it using a terminal
emulator program, such as Tera Term or Putty.

Note Before you begin, make sure a terminal emulator is installed on your laptop and you have a
serial cable.

1. Connect one end of a serial cable to a serial port on the Connect EZ 16/32.

2. Connect the other end of the serial cable to your equipment.


3. Verify the connection between the Connect EZ 16/32 and the equipment.
a. Open your terminal emulator.
b. Press Enter.
c. When the connection has been made, the serial port LED is solid green.

Serial connector pinout


The Connect EZ has an RJ45 (10 pin) serial connector. The table below contains the pinout
information.
If you enable Altpin in EIA-232 mode, the DCD and DSR signals are swapped. This allows use of DCD
with 8-wire cables. Altpin has no impact on 422 or 485 mode.


Digi RJ45 10-pin (all Connect EZ models) | Digi RJ45 8-pin (all Connect EZ models) | EIA-232 Signals (DTE) (all Connect EZ models) | EIA-422/485 Full-duplex (MEI models only) | EIA-485 Half-duplex (MEI models only)
--- | --- | --- | --- | ---
1 | | RI | TxD- | TxD-
2 | 1 | DSR (DCD*) | RxD- | RxD-
3 | 2 | RTS | RTS+ | N/A
4 | 3 | GND | GND | GND
5 | 4 | TxD | TxD+ | TxD+
6 | 5 | RxD | RxD+ | RxD+
7 | 6 | SG | SG | SG
8 | 7 | CTS | CTS+ | N/A
9 | 8 | DTR | RTS- | N/A
10 | | DCD (DSR*) | CTS- | N/A

*When Altpin is enabled

Mount the Connect EZ 16/32 on a rack


The Connect EZ 16/32 can be mounted on a rack using the pre-attached ears. Refer to your rack
installation guide to determine the type of screws required by your rack for secure installation.

1. Place the device on the rack and line up the oval holes on the pre-attached ear with your rack.
2. Using the screws recommended by your rack installation guide, attach the device to the rack.
Carefully tighten the screws so that the device is firmly attached to your mounting rack.

Power the Connect EZ 16/32


Each device is single-powered by default. If the Connect EZ 16/32 is dual-powered, you can use two
power cords to power the device.

1. Orient the device so the back of the device is facing you.

2. Connect the power cord to at least one power supply. The power supply on the right is
available by default.
3. Plug the other end of the power cord to a main power supply.
4. If your device is dual-powered, repeat the process for the second power supply.


Power loss and Connect EZ 16/32 configuration


The Connect EZ 16/32 retains its configuration if power is lost and then power is restored when the
device is plugged into a main power supply, or if the device is commanded to restart automatically or
interactively.

Install an additional power supply unit


If you have a single-powered device, you can purchase and install a second power supply unit.
The following part can be purchased: EZ-PSIK: Connect EZ 16/32 power supply kit, port-side intake.
You will need a screwdriver to complete the installation.
To install a power supply:

1. Orient the device so the back of the device is facing you.


2. Using a screwdriver, remove the plate on the left side of the device.

3. Orient the power supply unit so that the exhaust is on the left and the power point is on the
right.
4. Insert the unit into the slot on the left side of the device.
5. Turn the red thumb screws to securely attach the unit to the device case.

Use the RESET button to reset your device to the factory defaults

You can reset the Connect EZ to the factory default settings. Resetting the device to factory defaults
performs the following actions:
- Clears all configuration settings.
- All firmware updates are deleted.
- Deletes all user files.
- Regenerates SSH keys.
- Clears event and system log files.
- Creates a new event in the event log, indicating a factory reset.

Note While the settings are reset, the device's firmware version remains the same.

1. Make sure that the Connect EZ has been powered on for at least 30 seconds.
2. Locate the RESET button on the back of the device.
3. Using a pinhole tool, press and hold the RESET button. The RESET button has the following
modes:


n Configuration reset:
l Press and release the RESET button for 10 seconds.
l The device reboots automatically and resets to factory defaults. This does not
remove any automatically generated certificates and keys.
n Full device reset:
l After the device reboots from the first button press, immediately press and release
the RESET button for 10 seconds again.
l The device reboots again and resets to factory defaults, and also removes
generated certificates and keys.

Discover the IP address using the Digi Navigator


You can use the Digi Navigator to quickly discover the IP address for the Connect EZ 16/32.

1. To ensure that your computer and device are connected to each other and your local network,
make the following connections:
n Connect the device to your computer with an Ethernet cable.
n Connect the device to your local network with an Ethernet cable.
n Connect your computer to your local network with an Ethernet cable.
2. Download and install the Digi Navigator.
3. Launch the Digi Navigator.
4. The tool discovers the Connect EZ 16/32 devices that are powered on and connected to your
network. When the process is complete, a list of the devices appears.
n Connected to a network: By default, the HTTPS service is enabled and used to find an
IP address for the Connect EZ 16/32. Other services can be enabled if needed from the
Filters section. See Services used to discover a device when connected to a network.
n Connected directly to a device or on a network with no DHCP server: In either of
these situations, a Setup IP address is assigned to the device. You can specify the filters
used to assign an IP address. See Use the autodiscovery protocol to discover a device
and Assign a generic IP address to the device.
5. Expand a device to display the IP address.

Discover the device's IP address: Additional methods


The IP address is used to log in to the Web UI for the device. If you do not have access to the Digi
Navigator, you can use either of these methods to discover the IP address.
n Manually configure the PC and assign an IP address to the device
n Connect to the local Web UI on the Connect EZ

Manually configure the PC and assign an IP address to the device


You can manually assign an IP address to the device.


Prerequisites
n An Ethernet cable must be connected to the device and your network.
n A power supply must be connected to the device and the device powered on.
n Determine the IP address that you want to assign to the device.
To configure your laptop and assign an IP address:

1. On your PC, navigate to the Ethernet network settings dialog.


2. Click the Internet Protocol Version 4 (TCP/IPv4) parameter.

3. Click Properties. The Internet Protocol Version 4 (TCP/IPv4) Properties dialog appears.
4. Select Use the following IP address.

Note IMPORTANT: Make note of the current IP address entries for IP address, Subnet mask,
and Default gateway. You will need this information to complete the final step of the process.

5. Configure with the following details:


n IP address for PC: 192.168.210.2
n Subnet: 255.255.255.0
n Gateway: 192.168.210.1


6. Click OK.
7. Open a browser window.
8. Enter the default gateway IP address: 192.168.210.1
9. Log into the device using the default user name and password. The default user name is admin
and the default password is the unique password printed on the label packaged with your
device. For more detailed instructions, see Connect to the local Web UI on the Connect EZ.
10. Update the IP address for the device.
11. On your PC, revert the IP address information to the original entries.
a. Return to the Internet Protocol Version 4 (TCP/IPv4) Properties dialog.
b. Enter the original IP address entries for IP address, Subnet mask, and Default gateway.
c. Click OK.

Connect to the local Web UI on the Connect EZ


Once you are connected to the local Web UI, you can configure your device.

Note You can also use the Digi Navigator to access the web UI and configure the device. See Access
the web UI from the Digi Navigator.

1. Make sure that an Ethernet cable is connected to the Connect EZ 16/32's ETH 1 port and to a
laptop or PC.
2. Open a browser and enter the IP address for the device.
3. Log into the device using the default user name and password. The default user name is admin
and the default password is the unique password printed on the label packaged with your
device.
4. After logging in, the local web admin dashboard is displayed.
The dashboard shows the current state of the device.


Dashboard area | Description
Network activity | Summarizes network statistics: the total number of bytes sent and received over all configured bridges and Ethernet devices.
Digi Remote Manager | Displays the device connection status for Digi Remote Manager, the amount of time the connection has been up, and the Digi Remote Manager device ID. See Using Digi Remote Manager.
Device | Displays the Connect EZ 16/32 device's status, statistics, and identifying information.
Network Interfaces | Displays the status of the network interfaces configured on the device.

For more information, see Using the local web interface.

Device label sticker sample


A device label sticker that includes information about the device is included in the box. You should
retain this label sticker with your hardware records.

Item | Description
1 QR code | Scan the QR code to display a semicolon-separated list of:
ProductName;DeviceID;Password;SerialNumber;SKUPartNumber SKUPartRevision
Note Note the space between SKUPartNumber and SKUPartRevision.
Example: Connect EZ 02;00000000-00000000-112233FF-FF445566;PW1234567890;EZ02-123456;EZ02-C000 B
2 Label part number | Label part number and revision level.
3 Product name | Product name, such as Connect EZ Mini, Connect EZ 2, or Connect EZ 8.
4 Device part number (SKU) and revision | Device part number (SKU number) and revision. For example, EZ02-C000 A
5 Password | The unique default password for the device. This unique default password will be needed if the device is factory reset and you want to access the web UI on the device.
6 MAC address | The MAC address for the device.
7 Serial number | The unique serial number assigned to the device. The SN is needed when submitting a Digi support ticket.
8 Device kit part number and revision level | The part number and revision level of the device kit.
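
The QR payload format described in item 1, as an added example that is not part of the Digi guide: a parser that splits the five semicolon-separated fields and separates the SKU part number from its revision. Because the payload carries the factory default password (the one the device returns to after a factory reset), the hypothetical `inventory_view` helper returns every field except the password so the rest can go into ordinary hardware records. It assumes no field contains a semicolon.

```python
from dataclasses import dataclass, asdict

# The example payload printed in the label table (sample values from the guide).
EXAMPLE_PAYLOAD = (
    "Connect EZ 02;00000000-00000000-112233FF-FF445566;"
    "PW1234567890;EZ02-123456;EZ02-C000 B"
)


@dataclass(frozen=True)
class LabelRecord:
    product_name: str
    device_id: str
    password: str
    serial_number: str
    sku_part_number: str
    sku_part_revision: str

    def inventory_view(self) -> dict:
        """Return the fields for an asset record, leaving the password out."""
        record = asdict(self)
        del record["password"]
        return record


def parse_label(payload: str) -> LabelRecord:
    """Parse ProductName;DeviceID;Password;SerialNumber;SKUPartNumber SKUPartRevision."""
    fields = payload.strip().split(";")
    if len(fields) != 5:
        raise ValueError(f"expected 5 semicolon-separated fields, got {len(fields)}")
    if any(not field.strip() for field in fields):
        raise ValueError("empty field in label payload")

    product, device_id, password, serial, sku = fields

    # The last field holds two values separated by a space, not a semicolon.
    part_number, separator, revision = sku.strip().rpartition(" ")
    if not separator or not part_number.strip():
        raise ValueError("SKU field must be 'SKUPartNumber SKUPartRevision'")

    return LabelRecord(
        product_name=product.strip(),   # product names may contain spaces
        device_id=device_id.strip(),
        password=password,              # kept exactly as scanned
        serial_number=serial.strip(),
        sku_part_number=part_number.strip(),
        sku_part_revision=revision,
    )


if __name__ == "__main__":
    print(parse_label(EXAMPLE_PAYLOAD).inventory_view())
```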



Firmware configuration
This chapter contains the following topics:

Review Connect EZ 16/32 default settings
Change the default password for the admin user
Configuration methods
Using Digi Remote Manager
Access Digi Remote Manager
Using the local web interface
Use the local REST API to configure the Connect EZ 16/32 device
Access the terminal screen from the web UI
Using the command line


Review Connect EZ 16/32 default settings


You can review the default settings for your Connect EZ 16/32 device by using the local WebUI or Digi
Remote Manager:

Local WebUI
1. Log into the Connect EZ 16/32 WebUI as a user with Admin access.
2. On the menu, click System > Device Configuration.

Digi Remote Manager


1. If you have not already done so, connect to your Digi Remote Manager account.
2. Click Device Management to display a list of your devices.
3. Locate and select your device as described in Use Digi Remote Manager to view and manage
your device.
4. Click Configure.
The following tables list important factory default settings for the Connect EZ 16/32.

Default interface configuration

Interface type | Preconfigured interfaces | Devices | Default configuration
Wide Area Networks (WANs) | Modem | WWAN1 cellular modem | Firewall zone: External; WAN priority: Metric=3; SIM failover after 5 attempts
Ethernet Network | ETH1 | Ethernet: ETH1 | Firewall zone: Edge; DHCP client enabled
Ethernet Network | ETH2 | Ethernet: ETH2 | Firewall zone: Edge; DHCP client enabled
Ethernet Network | Loopback | Ethernet: Loopback | Firewall zone: Loopback; IP address: 127.0.0.1/8
Ethernet Network | Setup IP | Ethernet: ETH1 | Firewall zone: Setup; IP address 192.168.210.1/24
Ethernet Network | Setup Link-local IP | Ethernet: ETH1 | Firewall zone: Setup; IP address 169.254.100.100/16


Other default configuration settings

Feature | Configuration
Central management |
n Digi Remote Manager enabled as the central management service.
Security policies |
n Packet filtering allows all outbound traffic.
n SSH and web administration:
l Enabled for local administration
l Firewall zone: Setup
Monitoring |
n Device health metrics uploaded to Digi Remote Manager at 60 minute interval.
n SNMP: Disabled

Change the default password for the admin user


The unique, factory-assigned password for the default admin user account is printed on the bottom
label of the device and on the loose label included in the package.
If you erase the device configuration or reset the device to factory defaults, the password for the
admin user will revert to the original, factory-assigned default password.
To change the default password for the admin user:

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Authentication > Users > admin.


4. Enter a new password for the admin user. The password must be at least eight characters long
and must contain at least one uppercase letter, one lowercase letter, one number, and one
special character.

5. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Set a new password for the admin user. The password must be at least eight characters long
and must contain at least one uppercase letter, one lowercase letter, one number, and one
special character.

(config)> auth user admin password new-password


(config)>

4. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

5. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Configuration methods
There are two primary methods for configuring your Connect EZ 16/32 device:
n Web interface.
The web interface can be accessed in two ways:


l Central management using the Digi Remote Manager, a cloud-based device management
and data enablement platform that allows you to connect any device to any application,
anywhere. With the Remote Manager, you can configure your Connect EZ 16/32 device and
use the configuration as a basis for a Remote Manager configuration which can be applied
to other similar devices. See Central management for more information about using the
Remote Manager to manage and configure your Connect EZ 16/32 device.
l The local web interface. See Using the local web interface for more information about
using the local web interface to manage and configure your Connect EZ 16/32 device.

Note Changes made to the device's configuration by using the local web interface will not
be automatically reflected in Digi Remote Manager. You must manually refresh Remote
Manager for the changes to be displayed.

Web-based instructions in this guide are applicable to both the Remote Manager and the local
web interface.
n Command line.
A robust command line allows you to perform all configuration and management tasks from
within a command shell. Both the Remote Manager and the local web interface also have the
option to open a terminal emulator for executing commands on your Connect EZ 16/32 device.
See Using the command line for more information about using the command line to manage
and configure your Connect EZ 16/32 device.
In this guide, task topics show how to perform tasks:

Web
Shows how to perform a task by using the local web interface.
Command line
Shows how to perform a task by using the command line interface.

Using Digi Remote Manager


By default, your Connect EZ 16/32 device is configured to use Digi Remote Manager as its central
management server. Devices must be registered with Remote Manager using one of the following
options:
n As part of the getting started process. See the for information.
n If you have not registered the device already, you can do so using the Device ID, MAC address,
IMEI, or your Remote Manager login credentials. See Add a device to Remote Manager.
For information about configuring central management for your Connect EZ 16/32 device, see Central
management.

Access Digi Remote Manager


To access Digi Remote Manager:

1. If you have not already done so, go to https://myaccount.digi.com/ to sign up for a Digi
Remote Manager account.
2. Check your email for Digi Remote Manager login instructions.


3. Go to remotemanager.digi.com.
4. Enter your user name and password. The Digi Remote Manager Dashboard appears.

Using the local web interface


To connect to the Connect EZ 16/32 local Web UI:

1. Use an Ethernet cable to connect the Connect EZ 16/32's ETH2 port to a laptop or PC.
2. Open a browser and go to 192.168.2.1.
3. Log into the device using a configured user name and password.
The default user name is admin and the default password is the unique password printed on
the label packaged with your device.

Review the dashboard


After logging in, the local web admin dashboard is displayed.
The dashboard shows the current state of the device.

Dashboard area | Description
Network activity |
n Summarizes network statistics: the total number of bytes sent and received over all configured bridges and Ethernet devices.
n Displays the status of the network interfaces configured on the device.
n Provides information about the signal strength and technology of the cellular modem(s).
Digi Remote Manager | Displays the device connection status for Digi Remote Manager, the amount of time the connection has been up, and the Digi Remote Manager device ID. See Using Digi Remote Manager. The links in this section enable you to do the following:
n Launch Digi Remote Manager: Click Go To Digi Remote Manager to open the Digi Remote Manager login page.
n Add a device to Remote Manager: Click Register device in new account to add a device to Remote Manager using your Remote Manager login credentials.
Device | Displays the Connect EZ 16/32 device's status, statistics, and identifying information.
AnywhereUSB Service | Displays information about the AnywhereUSB service that is used with the AnywhereUSB USB ports. Click Show Details to navigate to the AnywhereUSB Status page for more detailed information about the USB ports.
Serial Ports | Displays information about the serial ports on the Connect EZ 16/32. Each serial port is identified by port name or number, followed by the serial port mode configured for the port. The icons next to the port name or number show the serial port status:
n Empty circle: Port is not connected.
n Green circle: Active connection on the port.
n Red X: No signal, which is an error state where the port is not available.
n Down arrow: One of the control signals is not active. This icon may display for ports configured in Remote Access serial port mode and that have a signal monitor enabled (CTS or DCD) in the Monitoring Settings section.
You can click the icons at the top of the section to access other pages:
n Blue "i": Click to access the Serial Status page.
n Blue wrench: Click to access the Serial Configuration page.
Services | Displays an option for the Watchdog service if it has been enabled.

Log out of the web interface


n On the main menu, click your user name. Click Log out.

Use the local REST API to configure the Connect EZ 16/32 device
Your Connect EZ 16/32 device includes a REST API that can be used to return information about the
device's configuration and to make modifications to the configuration. You can view the REST API
specification from your web browser by opening the URL:
https://ip-address/cgi-bin/config.cgi
For example:
https://192.168.210.1/cgi-bin/config.cgi

Use the GET method to return device configuration information


To return device configuration, issue the GET method. For example, using curl:

$ curl -k -u admin https://ip-address/cgi-bin/config.cgi/value/path -X GET

where:
n ip-address is the IP address of the Connect EZ 16/32 device.
n path is the path location in the configuration for the information being returned.

To determine allowed values for path from the Admin CLI:


1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access
selection menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. At the config prompt, type ? (question mark):

(config)> ?
auth Authentication
cloud Central management
firewall Firewall
monitoring Monitoring
network Network
serial Serial
service Services
system System
vpn VPN

(config)>

The allowed values for path are listed in the first (left) column.
4. Determine further allowed path location values by using the ? (question mark) with
the path name:

(config)> service ?

Services

Additional Configuration
-------------------------------------------------------------------------------
dns DNS
iperf IPerf
location Location
mdns Service Discovery (mDNS)
modbus_gateway Modbus Gateway
multicast Multicast
ntp NTP
ping Ping responder
snmp SNMP
ssh SSH
telnet Telnet
web_admin Web administration

(config)> service

For example, to use curl to return the ssh configuration:


$ curl -k -u admin https://192.168.210.1/cgi-bin/config.cgi/value/service/ssh -X GET
Enter host password for user 'admin':
{
    "ok": true,
    "result": {
        "type": "object",
        "path": "service.ssh",
        "collapsed": {
            "acl.zone.0": "internal",
            "acl.zone.1": "edge",
            "acl.zone.2": "ipsec",
            "acl.zone.3": "setup",
            "enable": "true",
            "key": "",
            "mdns.enable": "true",
            "mdns.name": "",
            "mdns.type": "_ssh._tcp.",
            "port": "22",
            "protocol.0": "tcp"
        }
    }
}
$

You can also use the GET method to return the configuration parameters associated with an item:

$ curl -k -u admin https://192.168.210.1/cgi-bin/config.cgi/keys/service/ssh -X GET
Enter host password for user 'admin':
{ "ok": true, "result": [ "acl", "custom", "enable", "key", "mdns", "port",
"protocol" ] }
$

Use the POST method to modify device configuration parameters and list arrays

Use the POST method to modify device configuration parameters


To modify configuration parameters, use the POST method with the path and value parameters.

$ curl -k -u admin "https://ip-address/cgi-bin/config.cgi/value?path=path&value=new_value" -X POST

where:


n path is the path to the configuration parameter, in dot notation (for example,
service.ssh.enable).
n new_value is the new value for the parameter.
For example, to disable the ssh service using curl:

$ curl -k -u admin "https://192.168.210.1/cgi-bin/config.cgi/value?path=service.ssh.enable&value=false" -X POST
Enter host password for user 'admin':
{ "ok": true }
$

Use the POST method to add items to a list array


To add items to a list array, use the POST method with the path and append parameters. For
example, to add the external firewall zone to the ssh service:

$ curl -k -u admin "https://192.168.210.1/cgi-bin/config.cgi/value?path=service.ssh.acl.zone&append=true&value=external" -X POST
Enter host password for user 'admin':
{ "ok": true, "result": "service.ssh.acl.zone.4" }
$

Use the POST method to add objects to a list array


Objects in an array that require one or more underlying values can be set using the collapsed URI
parameter. We recommend including the -g option as well, to instruct curl to turn off globbing. The
following example adds a new static route for the WAN interface for the 1.2.4.0/24 destination
network:

$ curl -g -k -u admin "https://192.168.210.1/cgi-bin/config.cgi/value?path=network.route.static&append=true&collapsed[dst]=1.2.4.0/24&collapsed[interface]=/network/interface/wan" -X POST
Enter host password for user 'admin':
{ "ok": true, "result": "network.route.static.1" }
$

Use the DELETE method to remove items from a list array


To remove items from a list array, use the DELETE method. For example, using curl:

$ curl -k -u admin "https://192.168.210.1/cgi-bin/config.cgi/value?path=path" -X DELETE

where path is the path to the list item, including the list number, in dot notation (for example,
service.ssh.acl.zone.4).
For example, to remove the external firewall zone from the ssh service:

1. Use the GET method to determine the SSH service's list number for the external zone:

$ curl -k -u admin "https://192.168.210.1/cgi-bin/config.cgi/value?path=service/ssh/acl/zone" -X GET
{
    "ok": true,
    "result": {
        "type": "array",
        "path": "service.ssh.acl.zone",
        "collapsed": {
            "0": "internal",
            "1": "edge",
            "2": "ipsec",
            "3": "setup",
            "4": "external"
        }
    }
}
$

2. Use the DELETE method to remove the external zone (list item 4).

$ curl -k -u admin https://192.168.210.1/cgi-bin/config.cgi/value?path=service.ssh.acl.zone.4 -X DELETE
Enter host password for user 'admin':
{ "ok": true }
$
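
The GET-then-DELETE procedure above, as an added example that is not part of the Digi guide: it reads a saved config.cgi response, lists every ACL zone outside an allow-list, and builds the matching DELETE commands. The function names, the allow-list, and the optional `ca_cert` argument are assumptions; `ca_cert` swaps the page's `-k` (no certificate verification) for curl's `--cacert` and assumes the device certificate or its issuing CA has been exported to that file and matches the address you connect to.

```python
import json
from urllib.parse import quote

# Constructed sample: the service.ssh response shape shown above, after the
# "external" zone was appended as list item 4.
SAMPLE_OBJECT_RESPONSE = json.dumps({
    "ok": True,
    "result": {
        "type": "object",
        "path": "service.ssh",
        "collapsed": {
            "acl.zone.0": "internal", "acl.zone.1": "edge",
            "acl.zone.2": "ipsec", "acl.zone.3": "setup",
            "acl.zone.4": "external",
            "enable": "true", "port": "22", "protocol.0": "tcp",
        },
    },
})


def acl_zone_paths(response_text):
    """Map full dotted config path -> zone name for each ACL zone entry.

    Accepts both response shapes shown on this page: an object rooted at the
    service ("acl.zone.N" keys) and an array rooted at the zone list ("N" keys).
    """
    doc = json.loads(response_text)
    if doc.get("ok") is not True:
        raise ValueError("device did not return ok: true")
    result = doc["result"]
    zones = {}
    for key, value in result["collapsed"].items():
        full = f"{result['path']}.{key}"
        head, _, index = full.rpartition(".")
        if head.endswith(".acl.zone") and index.isdigit():
            zones[full] = value
    return zones


def zones_to_remove(zones, allowed):
    """Return paths of zones not in `allowed`, highest list index first.

    Deleting from the end means an earlier deletion cannot change the index of
    a later one if the device renumbers the list (an assumption; the guide
    does not say whether it does).
    """
    extra = [path for path, zone in zones.items() if zone not in allowed]
    return sorted(extra, key=lambda p: int(p.rsplit(".", 1)[1]), reverse=True)


def delete_command(host, path, ca_cert=None):
    """Build the curl argument list for one DELETE, in the form used above."""
    tls = ["--cacert", ca_cert] if ca_cert else ["-k"]
    url = f"https://{host}/cgi-bin/config.cgi/value?path={quote(path, safe='.')}"
    return ["curl", *tls, "-u", "admin", url, "-X", "DELETE"]


if __name__ == "__main__":
    allowed = {"internal", "edge", "ipsec", "setup"}  # hypothetical policy
    found = acl_zone_paths(SAMPLE_OBJECT_RESPONSE)
    for path in zones_to_remove(found, allowed):
        print(found[path], "->", " ".join(delete_command("192.168.210.1", path)))
```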

Access the terminal screen from the web UI


A user can log into a terminal screen and use CLI commands to access features.

Note You can also access the terminal screen from a port listed in the Serial Status page.

1. Log in to the web UI.


2. Click System > Terminal. The Terminal screen displays.
3. When prompted, enter your user name and password.
4. Enter the number of the port that you want to access.
5. Information about the port you are connected to displays, as well as commands.

Connecting to port5:
Settings: 9600, 8, 1, none, none
Type '~b.' to disconnect from port
Type '~b?' to list commands

6. Enter ~b? to display additional commands.

Command | Description
~b. | Disconnect from the port.
~bB | Send a BREAK sequence.
~bc | Clear the history buffer.
~br | Send a DTR reset sequence.
~b? | Display a list of commands.

7. Enter ~b. to disconnect from the port.


Using the command line


The Digi Connect EZ 16/32 device provides a command-line interface that you can use to configure the
device, display status and statistics, update firmware, and manage device files.
See Command line interface for detailed instructions on using the command line interface and see
Command line reference for information on available commands.

Access the command line interface


You can access the Connect EZ 16/32 command line interface using an SSH connection, a telnet
connection, or a serial connection. You can use open-source terminal software, such as PuTTY or
TeraTerm, to access the device through one of these mechanisms.
You can also access the command line interface in the WebUI by using the Terminal, or the Digi
Remote Manager by using the Console.
To access the command line, your device must be configured to allow access, and you must log in as
a user who has been configured for the appropriate access.
For further information about configuring access to these services, see:
n Serial: Serial port
n WebUI: Configure the web administration service
n SSH: Configure SSH access
n Telnet: Configure telnet access

Log in to the command line interface

Command line
1. Connect to the Connect EZ 16/32 device by using a serial connection, SSH or telnet, or the
Terminal in the WebUI or the Console in the Digi Remote Manager. See Access the command
line interface for more information.
n For serial connections, the default configuration is:
l 115200 baud rate
l 8 data bits
l no parity
l 1 stop bit
l no flow control
n For SSH and telnet connections, the Setup IP address of the device is 192.168.2.1 on
the .
2. At the login prompt, enter the username and password of a user with Admin access:

login: admin
Password: **********

The default username is admin. The default unique password for your device is printed on the
device label.
3. Depending on the device configuration, you may be presented with another menu, for
example:


Access selection menu:

a: Admin CLI
q: Quit

Select access or quit [admin] :

Type a or admin to access the Connect EZ 16/32 command line.


You will now be connected to the Admin CLI:

Connecting now...
Press Tab to autocomplete commands
Press '?' for a list of commands and details
Type 'help' for details on navigating the CLI
Type 'exit' to disconnect from the Admin CLI

>

See Command line interface for detailed instructions on using the command line interface.

Exit the command line interface

Command line
1. At the command prompt, type exit.

> exit

2. Depending on the device configuration, you may be presented with another menu, for
example:

Access selection menu:

a: Admin CLI
q: Quit

Select access or quit [admin] :

Type q or quit to exit.



Interfaces
Connect EZ devices have several physical communications interfaces. These interfaces can be bridged
in a Local Area Network (LAN) or assigned to a Wide Area Network (WAN).
This chapter contains the following topics:

Wide Area Networks (WANs)
Local Area Networks (LANs)
Virtual LANs (VLANs)
Bridging
Show SureLink status and statistics
Configure a TCP connection timeout


Wide Area Networks (WANs)


The Connect EZ 16/32 device is preconfigured with one Wide Area Network (WAN), named ETH1, and
one Wireless Wide Area Network (WWAN), named Modem.

You can modify configuration settings for the existing WAN and WWANs, and you can create new WANs
and WWANs.
This section contains the following topics:

Wide Area Networks (WANs) and Wireless Wide Area Networks (WWANs)
Configure WAN/WWAN priority and default route metrics
WAN/WWAN failover
Configure SureLink active recovery to detect WAN/WWAN failures
Configure the device to reboot when a failure is detected
Disable SureLink
Example: Use a ping test for WAN failover from Ethernet to cellular
Using Ethernet devices in a WAN
Using cellular modems in a Wireless WAN (WWAN)
Configure a Wide Area Network (WAN)
Configure a Wireless Wide Area Network (WWAN)
Show WAN and WWAN status and statistics
Delete a WAN or WWAN
Default outbound WAN/WWAN ports


Wide Area Networks (WANs) and Wireless Wide Area Networks (WWANs)
A Wide Area Network (WAN) provides connectivity to the internet or a remote network. A WAN
configuration consists of the following:
n A physical device, such as an Ethernet device or a cellular modem.
n Several networking parameters for the WAN, such as firewall configuration and IPv4 and IPv6
support.
n Several parameters controlling failover.

Configure WAN/WWAN priority and default route metrics


The Connect EZ 16/32 device is preconfigured with one Wide Area Network (WAN), named ETH1, and
one Wireless Wide Area Network (WWAN), named Modem. You can also create additional WANs and
WWANs.
When a WAN is initialized, the Connect EZ 16/32 device automatically adds a Setup IP route for the
WAN. The priority of the WAN is based on the metric of the default route, as configured in the WAN's
IPv4 and IPv6 metric settings.

Assigning priority to WANs


By default, the Connect EZ 16/32 device's WAN (ETH1) is configured with the lowest metric (1), and is
therefore the highest priority WAN. By default, the Wireless WAN (Modem) is configured with a metric
of 3, which means it has a lower priority than ETH1. You can assign priority to WANs based on the
behavior you want to implement for primary and backup WAN interfaces. For example, if you want a
cellular connection to be your primary WAN, with an Ethernet interface as backup, configure the
metric of the WWAN to be lower than the metric of the WAN.

Example: Configure cellular connection as the primary WAN, and the Ethernet
connection as backup

Required configuration items


n Configured WAN and WWAN interfaces. This example uses the preconfigured ETH1 and Modem
interfaces.
n The metric for each WAN.

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.


d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Set the metrics for Modem:
a. Click Network > Interfaces > Modem > IPv4.
b. For Metric, type 1.
c. Click IPv6.
d. For Metric, type 1.

4. Set the metrics for ETH1:


a. Click Network > Interfaces > ETH1 > IPv4.
b. For Metric, type 2.
c. Click IPv6.
d. For Metric, type 2.


5. Click Apply to save the configuration and apply the change.


The Connect EZ 16/32 device is now configured to use the cellular modem WWAN, Modem, as its
highest priority WAN, and its Ethernet WAN, ETH1, as its secondary WAN.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Set the metrics for Modem:


a. Set the IPv4 metric for Modem to 1. For example:

(config)> network interface modem ipv4 metric 1


(config)>

b. Set the IPv6 metric for Modem to 1:

(config)> network interface modem ipv6 metric 1


(config)>

4. Set the metrics for ETH1:


a. Set the IPv4 metric for ETH1 to 2:

(config)> network interface eth1 ipv4 metric 2


(config)>

b. Set the IPv6 metric for ETH1 to 2:

(config)> network interface eth1 ipv6 metric 2


(config)>

5. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

6. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
The Connect EZ 16/32 device is now configured to use the cellular modem WWAN, Modem, as its
highest priority WAN, and its Ethernet WAN, ETH1, as its secondary WAN.

WAN/WWAN failover
If a connection to a WAN interface is lost for any reason, the Connect EZ 16/32 device will immediately
fail over to the next WAN or WWAN interface, based on WAN priority. See Configure WAN/WWAN
priority and default route metrics for more information about WAN priority.

Active vs. passive failure detection


There are two ways to detect WAN or WWAN failure: active detection and passive detection.
n Active detection uses Digi SureLink™ technology to send probe tests to a target host or to test
the status of the interface. The WAN/WWAN is considered to be down if there are no responses
for a configured amount of time. See Configure SureLink active recovery to detect WAN/WWAN
failures for more information about active failure detection.
n Passive detection involves detecting the WAN going down by monitoring its link status by some
means other than active detection. For example, if an Ethernet cable is disconnected or the
state of a cellular interface changes from on to off, the WAN is down.

Default Digi SureLink configuration


SureLink is enabled by default for IPv4 on all WAN and WWAN interfaces, and is configured to perform
two tests on these interfaces:
n Interface connectivity.
n DNS query to the DNS servers for the interface's network connection.
DNS servers are typically received as part of the interface's DHCP client connection, although
you can manually configure the DNS servers that will be used by SureLink.

Note If your device is operating on a private APN or on a wired network with firewall restrictions,
ensure that the DNS servers on your private network allow DNS lookups for
https://remotemanager.digi.com; otherwise, the SureLink DNS query test will fail and the
Connect EZ 16/32 device will determine that the interface is down.

By default, these tests will be performed every 15 minutes, with a response timeout of 15 seconds. If
the tests fail three consecutive times, the device will reset the network interface to attempt to recover
the connection.


Configure SureLink active recovery to detect WAN/WWAN failures


Problems can occur beyond the immediate WAN/WWAN connection that prevent some IP traffic from
reaching its destination. Normally this kind of problem does not cause the Connect EZ 16/32 device to
detect that the WAN has failed, because the connection continues to work while the core problem
exists somewhere else in the network.
Using Digi SureLink, you can configure the Connect EZ 16/32 device to regularly probe connections
through the WAN to determine if the WAN has failed, and to perform recovery actions, such as
changing the interface metric to use a new default gateway.

Required configuration items


n Enable SureLink.
By default, SureLink is enabled for the preconfigured WAN (ETH1) and WWAN (Modem). The
default configuration tests the DNS servers configured for the interface.
When SureLink is configured for Wireless WANs, SureLink tests are only run if the cellular
modem is connected and has an IP address. Use the SIM failover options to configure the
Connect EZ 16/32 device to automatically recover the modem in the event that it cannot
obtain an IP address. See Configure a Wireless Wide Area Network (WWAN) for details about
SIM failover.
n The type of tests to be performed:
l Ping test: Uses ICMP to determine connectivity. The default behavior is to ping the
interface gateway, which means that an initial traceroute is sent to the hostname or IP
address configured in the SureLink advanced settings, and then the first hop in that route
is used for the ping test.
l DNS test: Performs a DNS query to the named DNS server.
l HTTP test: Uses HTTP(s) GET requests to determine connectivity to the configured web
server.
l Test DNS servers configured for this interface: Tests communication with DNS servers
that are either provided by DHCP, or statically configured for this interface.
l Test the interface status: Tests the current status of the interface. The test fails if the
interface is down. Failing this test implies that all other tests fail.
l Custom test: Tests the interface with custom commands.
l TCP connection test: Tests that the interface can reach a destination port on the
configured host.
l Test another interface's status: Tests the status of another interface.
n The actions to take to recover connectivity in the event of failed tests:
l Change default gateway: Increases the interface's metric to change the default gateway.
This recovery action is enabled by default for the preconfigured WAN and WWAN interfaces.
l Restart interface: This recovery action is enabled by default for the preconfigured WAN and
WWAN interfaces.
l Reset modem: This recovery action is enabled by default for the preconfigured WWAN
interface.
l Switch to alternate SIM: Switches to an alternate SIM. This recovery action is enabled by
default for the preconfigured WWAN interface.
l Reboot device.

l Execute custom Recovery commands.


l Powercycle the modem. This recovery action is enabled by default for the preconfigured
WWAN interface.
l Two options also apply to every type of action:
o SureLink test failures: The number of failures for this recovery action to perform,
before moving to the next recovery action.
o Override wait interval before performing the next recovery action: The time to wait
before the next test is run. If set to the default value of 0s, the Test interval is used.

Additional configuration items


n The Test interval between connectivity tests.
n If more than one test is configured, determine whether the interface should fail over based on
the failure of one of the tests, or all of the tests.
n The number of tests that must pass before the interface is considered to be working and its
default route and DNS servers are reinstated.
n The amount of time that the device should wait for a response from an individual test before
considering it to have failed.
n Advanced configuration items:
l Delayed Start: The amount of time to wait while the device is starting before SureLink
testing begins. This setting is bypassed when the interface is determined to be up.
l Backoff interval: The time to add to the test interval when restarting the list of actions.
l Test interface gateway by pinging: Used by the Interface gateway Ping test as the
endpoint for traceroute to use to determine the interface gateway.

Order of precedence for SureLink actions


SureLink recovery actions are performed in the order that they are configured. As a result, if you
include the Reboot Device with other SureLink recovery actions, it should be the last action in the
recovery action list. Otherwise, the device will reboot and all recovery actions listed after the Reboot
Device action will be ignored.
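
The ordering rule above, the number{w|d|h|m|s} duration format used by the SureLink settings, and the defaults stated in this guide can be checked against a planned configuration before it is applied. The following Python sketch is an added example, not Digi code: the plan dictionary layout and function names are hypothetical, it accepts only the single-unit duration form shown in this guide, and its timeline assumes each action becomes due after its own count of further failed tests, with response timeouts ignored.

```python
import re

# Seconds per unit for the number{w|d|h|m|s} format described in this guide.
UNIT_SECONDS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}
# Recovery action values taken from the guide's command-line procedure.
WWAN_ONLY = {"reset_modem", "switch_sim", "modem_power_cycle"}
ALL_ACTIONS = WWAN_ONLY | {"update_routing_table", "restart_interface",
                           "reboot_device", "custom_action"}
BACKOFF_CAP = 15 * 60  # the guide caps the Backoff interval at 15 minutes


def parse_duration(text):
    """Convert a single-unit duration such as '10m' or '600s' to seconds."""
    match = re.fullmatch(r"(\d+)([wdhms])", text.strip())
    if match is None:
        raise ValueError(f"not in number{{w|d|h|m|s}} form: {text!r}")
    return int(match.group(1)) * UNIT_SECONDS[match.group(2)]


def audit(plan):
    """Return (findings, timeline) for a planned SureLink recovery chain.

    timeline is a list of (action, seconds) giving the modelled time, counted
    from the last passing test, at which each action becomes due. This is an
    assumed model of the documented settings, not measured device behaviour.
    """
    findings = []
    interval = parse_duration(plan.get("interval", "15m"))  # guide default
    backoff = parse_duration(plan.get("backoff", "300s"))   # guide default
    if backoff > BACKOFF_CAP:
        findings.append("backoff interval exceeds the 15 minute cap")

    timeline = []
    elapsed = 0
    wait = interval
    reached_reboot = False
    for position, action in enumerate(plan["actions"]):
        kind = action["type"]
        if kind not in ALL_ACTIONS:
            findings.append(f"action {position}: unknown type {kind!r}")
            continue
        if kind in WWAN_ONLY and plan["kind"] != "wwan":
            findings.append(
                f"action {position}: {kind} is available for WWAN interfaces only")
        if reached_reboot:
            # Anything listed after the reboot action never runs.
            findings.append(
                f"action {position}: {kind} follows reboot_device and will be ignored")
            continue
        # Default of 3 failures per action is the guide's stated default.
        elapsed += action.get("test_failures", 3) * wait
        timeline.append((kind, elapsed))
        # A non-zero override replaces the test interval before the next test.
        override = parse_duration(action.get("override_interval", "0s"))
        wait = override if override > 0 else interval
        reached_reboot = kind == "reboot_device"
    return findings, timeline


# Constructed sample plans (hypothetical layout, not exported device config).
DEFAULT_PLAN = {
    "kind": "wan",
    "actions": [{"type": "update_routing_table"}, {"type": "restart_interface"}],
}
BAD_PLAN = {
    "kind": "wan",
    "backoff": "20m",
    "actions": [
        {"type": "restart_interface", "test_failures": 2, "override_interval": "5m"},
        {"type": "reboot_device"},
        {"type": "switch_sim"},
    ],
}

if __name__ == "__main__":
    for name, plan in (("default", DEFAULT_PLAN), ("bad", BAD_PLAN)):
        findings, timeline = audit(plan)
        print(name)
        for kind, seconds in timeline:
            print(f"  {kind} due after {seconds // 60} min of failed tests")
        for finding in findings:
            print(f"  FINDING: {finding}")
```

With the default 15 minute interval and three failures per action, the model puts the first recovery action 45 minutes after the last passing test, which is worth weighing against the availability the attached serial devices need.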

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Network > Interfaces.
4. Create a new WAN or WWAN or select an existing one:
n To create a new WAN or WWAN, see Configure a Wide Area Network (WAN) or Configure
a Wireless Wide Area Network (WWAN).
n To edit an existing WAN or WWAN, click to expand the appropriate WAN or WWAN.
5. After creating or selecting the WAN or WWAN, click SureLink.

By default, SureLink is enabled for the preconfigured WAN (ETH1) and WWAN (Modem). The
default configuration tests the DNS servers configured for the interface.
When SureLink is configured for Wireless WANs, SureLink tests are only run if the cellular
modem is connected and has an IP address. Use the SIM failover options to configure the
Connect EZ 16/32 device to automatically recover the modem in the event that it cannot
obtain an IP address. See Configure a Wireless Wide Area Network (WWAN) for details about
SIM failover.
6. (Optional) Change the Test interval between connectivity tests.
Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the
format number{w|d|h|m|s}.
For example, to set Interval to ten minutes, enter 10m or 600s.
The default is 15 minutes.
7. (Optional) If more than one test target is configured, for Success condition, select either:
n One test passes: Only one test needs to pass for SureLink to consider an interface to be
up.
n All test pass: All tests need to pass for SureLink to consider the interface to be up.
8. (Optional) For Pass threshold, type or select the number of times that the test must pass after
failure, before the interface is determined to be working and is reinstated.
9. (Optional) For Response timeout, type the amount of time that the device should wait for a
response to a test before considering it to have failed.
Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the
format number{w|d|h|m|s}.
For example, to set Response timeout to ten minutes, enter 10m or 600s.
The default is 15 seconds.
10. Click to expand Tests.
By default, Test DNS servers configured for this interface is automatically configured and
enabled. This tests communication with DNS servers that are either provided by DHCP, or
statically configured for this interface.
a. Click .

New tests are enabled by default. To disable, click to toggle off Enable.
b. Type a Label for the test.
c. Click to toggle on IPv6 if the test should apply to IPv6 rather than IPv4.
d. Select the Test type.
Available test types:
n Ping test: Uses ICMP to determine connectivity.
If Ping test is selected, complete the following:
l Ping target: The type of target for the ping, one of:
o Hostname or IP address of an external server.
o Ping host: hostname or IP address of the server.
o The Interface gateway. If Interface gateway is selected, an initial
traceroute is sent to the hostname or IP address configured in the SureLink
advanced settings, and then the first hop in that route is used for the ping
test.
o The Interface address.
o The Interface DNS server.
l Ping payload size: The number of bytes to send as part of the ping payload.
n DNS test: Performs a DNS query to the named DNS server.
If DNS test is selected, complete the following:
l DNS server: The IP address of the DNS server.
n HTTP test: Uses HTTP(s) GET requests to determine connectivity to the configured
web server.
If HTTP test is selected, complete the following:
l Web server: The URL of the web server.
n Test DNS servers configured for this interface: Tests communication with DNS
servers that are either provided by DHCP, or statically configured for this interface.
n Test the interface status: Tests the current status of the interface. The test fails if
the interface is down. Failing this test implies that all other tests fail.
If Test the interface status is selected, complete the following:


l Down time: The amount of time that the interface is down before the test can
be considered to have failed.
Allowed values are any number of weeks, days, hours, minutes, or seconds, and
take the format number{w|d|h|m|s}.
For example, to set Down time to ten minutes, enter 10m or 600s.
l Initial connection time: The amount of time to wait for the interface to
connect for the first time before the test is considered to have failed.
Allowed values are any number of weeks, days, hours, minutes, or seconds, and
take the format number{w|d|h|m|s}.
For example, to set Initial connection time to ten minutes, enter 10m or 600s.
n Custom test: Tests the interface with custom commands.
If Custom test is selected, complete the following:
l The Commands to run to test.
n TCP connection test: Tests that the interface can reach a destination port on the
configured host.
If TCP connection test is selected, complete the following:
l TCP connect host: The hostname or IP address of the host to create a
TCP connection to.
l TCP connect port: The TCP port to create a TCP connection to.
n Test another interface's status: Tests the status of another interface.
If Test another interface's status is selected, complete the following:
l Test interface: The interface to test.
l IP version: The type of IP connection, one of:
o Any: Either the IPv4 or IPv6 connection must be up.
o Both: Both the IPv4 and IPv6 connections must be up.
o IPv4: The IPv4 connection must be up.
o IPv6: The IPv6 connection must be up.
l Expected status: The status required for the test to pass.
o Up: The test will pass only if the referenced interface is up and passing its
own SureLink tests (if applicable).
o Down: The test will pass only if the referenced interface is down or failing its
own SureLink tests (if applicable).
e. Repeat for each additional test.
11. Add recovery actions:
a. Click to expand Recovery actions.
By default, there are two preconfigured recovery actions:
n Update routing: Uses the Change default gateway action, which increases the
interface's metric by 100 to change the default gateway.
n Restart interface.


b. Click .

New recovery actions are enabled by default. To disable, click to toggle off Enable.
c. Type a Label for the recovery action.
d. For Recovery type, select Reboot device.
e. For Recovery type, select the type of recovery action. If multiple recovery actions are
configured, they are performed in the order that they are listed.
n Change default gateway: Increases the interface's metric to change the default
gateway.
If Change default gateway is selected, complete the following:
l SureLink test failures: The number of failures for this recovery action to
perform, before moving to the next recovery action.
l Increase metric to change active default gateway: Increase the interface's
metric by this amount. This should be set to a number large enough to change
the routing table to use another default gateway. The default is 100.
l Override wait interval before performing the next recovery action: The
time to wait before the next test is run. If set to the default value of 0s, the Test
interval is used.
n Restart interface.
If Restart interface is selected, complete the following:
l SureLink test failures: The number of failures for this recovery action to
perform, before moving to the next recovery action.
l Override wait interval before performing the next recovery action: The
time to wait before the next test is run. If set to the default value of 0s, the Test
interval is used.
n Reset modem: This recovery action is available for WWAN interfaces only.
If Reset modem is selected, complete the following:
l SureLink test failures: The number of failures for this recovery action to
perform, before moving to the next recovery action.
l Override wait interval before performing the next recovery action: The
time to wait before the next test is run. If set to the default value of 0s, the Test
interval is used.
n Switch to alternate SIM: Switches to an alternate SIM. This recovery action is
available for WWAN interfaces only.
If Switch to alternate SIM is selected, complete the following:
l SureLink test failures: The number of failures for this recovery action to
perform, before moving to the next recovery action.
l Override wait interval before performing the next recovery action: The
time to wait before the next test is run. If set to the default value of 0s, the Test
interval is used.

n Reboot device.
If Reboot device is selected, complete the following:
l SureLink test failures: The number of failures for this recovery action to
perform, before moving to the next recovery action.
l Override wait interval before performing the next recovery action: The
time to wait before the next test is run. If set to the default value of 0s, the Test
interval is used.
n Execute custom Recovery commands.
If Recovery commands is selected, complete the following:
l SureLink test failures: The number of failures for this recovery action to
perform, before moving to the next recovery action.
l The Commands to run to recover connectivity.
l Override wait interval before performing the next recovery action: The
time to wait before the next test is run. If set to the default value of 0s, the Test
interval is used.
n Powercycle the modem. This recovery action is available for WWAN interfaces
only.
If Powercycle the modem is selected, complete the following:
l SureLink test failures: The number of failures for this recovery action to
perform, before moving to the next recovery action.
l Override wait interval before performing the next recovery action: The
time to wait before the next test is run. If set to the default value of 0s, the Test
interval is used.
f. Repeat for each additional recovery action.
12. (Optional) Configure advanced SureLink parameters:
a. Click to expand Advanced settings.
b. For Delayed Start, type the amount of time to wait while the device is starting before
SureLink testing begins. This setting is bypassed when the interface is determined to be
up.
Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the
format number{w|d|h|m|s}.
For example, to set Delayed start to ten minutes, enter 10m or 600s.
The default is 300 seconds.
c. For Backoff interval, type the time to add to the test interval when restarting the list of
actions. This option is capped at 15 minutes.
Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the
format number{w|d|h|m|s}.
For example, to set Backoff interval to ten minutes, enter 10m or 600s.
The default is 300 seconds.
d. Test interface gateway by pinging is used by the Interface gateway Ping test as the
endpoint for traceroute to use to determine the interface gateway. The default is 8.8.8.8,
and should only be changed if this IP address is not accessible due to networking issues.


13. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Create a new WAN or WWAN, or edit an existing one:


n To create a new WAN or WWAN, see Configure a Wide Area Network (WAN) or Configure
a Wireless Wide Area Network (WWAN).
n To edit an existing WAN or WWAN, change to the WAN or WWAN's node in the
configuration schema. For example, for a WAN or WWAN named my_wan, change to the
my_wan node in the configuration schema:

(config)> network interface my_wan


(config network interface my_wan)>

4. Enable SureLink.
By default, SureLink is enabled for the preconfigured WAN (eth1) and WWAN (modemwwan2).
The default configuration tests the DNS servers configured for the interface.
When SureLink is configured for Wireless WANs, SureLink tests are only run if the cellular
modem is connected and has an IP address. Use the SIM failover options to configure the
Connect EZ 16/32 device to automatically recover the modem in the event that it cannot
obtain an IP address. See Configure a Wireless Wide Area Network (WWAN) for details about
SIM failover.

(config network interface my_wan)> surelink enable true


(config network interface my_wan)>

5. By default, the Test DNS servers configured for this interface test is automatically
configured and enabled. This tests communication with DNS servers that are either provided
by DHCP, or statically configured for this interface.
To add additional tests:
a. Add a test:

(config network interface my_wan)> add surelink tests end


(config network interface my_wan surelink tests 1)>

b. New tests are enabled by default. To disable:

(config network interface my_wan surelink tests 1)> enable false


(config network interface my_wan surelink tests 1)>

c. Create a label for the test:

(config network interface my_wan surelink tests 1)> label string


(config network interface my_wan surelink tests 1)>

d. If the test should apply to IPv6 rather than IPv4, enable IPv6:

(config network interface my_wan surelink tests 1)> ipv6 true


(config network interface my_wan surelink tests 1)>

e. Set the test type:

(config network interface my_wan surelink tests 1)> test value


(config network interface my_wan surelink tests 1)>

where value is one of:


n ping: Uses ICMP to determine connectivity.
If ping is selected, complete the following:
l Set the ping_method:

(config network interface my_wan surelink tests 1)> ping_method value
(config network interface my_wan surelink tests 1)>

where value is one of:


o hostname: The hostname or IP address of an external server.
o Set ping_host to the hostname or IP address of the server:

(config network interface my_wan surelink tests 1)> ping_host hostname/IP_address
(config network interface my_wan surelink tests 1)>

o interface_gateway. If set, an initial traceroute is sent to the hostname or IP
address configured in the SureLink advanced settings, and then the first hop
in that route is used for the ping test.
o interface_address.
o interface_dns: The interface's DNS server.
l Set the number of bytes to send as part of the ping payload:

(config network interface my_wan surelink tests 1)> ping_size int
(config network interface my_wan surelink tests 1)>

n dns: Performs a DNS query to the named DNS server.


If dns is set, set the IPv4 or IPv6 address of the DNS server:

(config network interface my_wan surelink tests 1)> dns_server IP_address
(config network interface my_wan surelink tests 1)>

n http: Uses HTTP(s) GET requests to determine connectivity to the configured web
server.
If http is set, set the URL of the web server.

(config network interface my_wan surelink tests 1)> http url


(config network interface my_wan surelink tests 1)>

n dns_configured: Tests communication with DNS servers that are either provided
by DHCP, or statically configured for this interface.
n interface_up: Tests the current status of the interface. The test fails if the interface
is down. Failing this test implies that all other tests fail.
If interface_up is set, complete the following:
l Set the amount of time that the interface is down before the test can be
considered to have failed.

(config network interface my_wan surelink tests 1)> interface_down_time value
(config network interface my_wan surelink tests 1)>

where value is any number of weeks, days, hours, minutes, or seconds, and
takes the format number{w|d|h|m|s}.
For example, to set interface_down_time to ten minutes, enter either 10m or
600s:

(config network interface my_wan surelink tests 1)> interface_down_time 600s
(config)>

l Set the amount of time to wait for the interface to connect for the first time
before the test is considered to have failed.

(config network interface my_wan surelink tests 1)> interface_timeout value
(config network interface my_wan surelink tests 1)>

where value is any number of weeks, days, hours, minutes, or seconds, and
takes the format number{w|d|h|m|s}.
For example, to set interface_timeout to ten minutes, enter either 10m or
600s:

(config network interface my_wan surelink tests 1)> interface_timeout 600s
(config)>

n custom_test: Tests the interface with custom commands.


If custom_test is set, set the commands to run to perform the test:

(config network interface my_wan surelink tests 1)> custom_test_commands "string"
(config network interface my_wan surelink tests 1)>

n tcp_connection: Tests that the interface can reach a destination port on the
configured host.
If tcp_connection is selected, complete the following:
l Set the hostname or IP address of the host to create a TCP connection to:

(config network interface my_wan surelink tests 1)> tcp_host hostname/IP_address
(config network interface my_wan surelink tests 1)>

l Set the TCP port to create a TCP connection to.

(config network interface my_wan surelink tests 1)> tcp_port port
(config network interface my_wan surelink tests 1)>

n other: Tests the status of another interface.


If other is selected, complete the following:
l Set the interface to test.
i. Use the ? to determine available interfaces:
ii. Set the interface. For example:

(config network interface my_wan surelink tests 1)> other_interface /network/interface/eth1
(config network interface my_wan surelink tests 1)>

l Set the type of IP connection:

(config network interface my_wan surelink tests 1)> other_ip_version value
(config network interface my_wan surelink tests 1)>

where value is one of:


o any: Either the IPv4 or IPv6 connection must be up.
o both: Both the IPv4 and IPv6 connections must be up.
o ipv4: The IPv4 connection must be up.
o ipv6: The IPv6 connection must be up.
l The status required for the test to pass.

(config network interface my_wan surelink tests 1)> other_status value
(config network interface my_wan surelink tests 1)>

where value is one of:

o up: The test will pass only if the referenced interface is up and passing its
own SureLink tests (if applicable).
o down: The test will pass only if the referenced interface is down or failing its
own SureLink tests (if applicable).
f. Repeat for each additional test.
6. Add recovery actions:
a. Type ... to return to the root of the configuration:

(config network interface my_wan surelink tests 1)> ...


(config)>

b. Add a recovery action:

(config)> add network interface my_wan surelink actions end


(config network interface my_wan surelink actions 0)>

c. New actions are enabled by default. To disable:

(config network interface my_wan surelink actions 0)> enable false


(config network interface my_wan surelink actions 0)>

d. Create a label for the action:

(config network interface my_wan surelink actions 0)> label string


(config network interface my_wan surelink actions 0)>

e. Set the type of recovery action. If multiple recovery actions are configured, they are
performed in the order that they are listed. The command varies depending on whether
the interface is a WAN or WWAN:
n WAN interfaces:

(config network interface my_wan surelink actions 0)> action value
(config network interface my_wan surelink actions 0)>

n WWAN interfaces:

(config network interface my_wan surelink actions 0)> modem_action value
(config network interface my_wan surelink actions 0)>

where value is one of:


n update_routing_table: Increases the interface's metric to change the default
gateway.
If update_routing_table is selected, complete the following:
l Set the number of failures for this recovery action to perform, before moving to
the next recovery action:

(config network interface my_wan surelink actions 0)> test_failures int
(config network interface my_wan surelink actions 0)>

The default is 3.
l Set the amount that the interface's metric should be increased. This should be
set to a number large enough to change the routing table to use another
default gateway.

(config network interface my_wan surelink actions 0)> metric_adjustment_modem int
(config network interface my_wan surelink actions 0)>

The default is 100.


l Set the time to wait before the next test is run. If set to the default value of 0s,
the test interval is used.

(config network interface my_wan surelink actions 0)> override_interval int
(config network interface my_wan surelink actions 0)>

n restart_interface.
If restart_interface is selected, complete the following:
l Set the number of failures for this recovery action to perform, before moving to
the next recovery action:

(config network interface my_wan surelink actions 0)> test_failures int
(config network interface my_wan surelink actions 0)>

The default is 3.
l Set the time to wait before the next test is run. If set to the default value of 0s,
the test interval is used.

(config network interface my_wan surelink actions 0)> override_interval int
(config network interface my_wan surelink actions 0)>

n reset_modem: This recovery action is available for WWAN interfaces only.


If reset_modem is selected, complete the following:
l Set the number of failures for this recovery action to perform, before moving to
the next recovery action:

(config network interface my_wan surelink actions 0)> test_failures int
(config network interface my_wan surelink actions 0)>

The default is 3.

l Set the time to wait before the next test is run. If set to the default value of 0s,
the test interval is used.

(config network interface my_wan surelink actions 0)> override_interval int
(config network interface my_wan surelink actions 0)>

n switch_sim: Switches to an alternate SIM. This recovery action is available for
WWAN interfaces only.
If switch_sim is selected, complete the following:
l Set the number of failures for this recovery action to perform, before moving to
the next recovery action:

(config network interface my_wan surelink actions 0)> test_failures int
(config network interface my_wan surelink actions 0)>

The default is 3.
l Set the time to wait before the next test is run. If set to the default value of 0s,
the test interval is used.

(config network interface my_wan surelink actions 0)> override_interval int
(config network interface my_wan surelink actions 0)>

n modem_power_cycle: This recovery action is available for WWAN interfaces only.


If modem_power_cycle is selected, complete the following:
l Set the number of failures for this recovery action to perform, before moving to
the next recovery action:

(config network interface my_wan surelink actions 0)> test_failures int
(config network interface my_wan surelink actions 0)>

The default is 3.
l Set the time to wait before the next test is run. If set to the default value of 0s,
the test interval is used.

(config network interface my_wan surelink actions 0)> override_interval int
(config network interface my_wan surelink actions 0)>

n reboot_device.
If reboot_device is selected, complete the following:
l Set the number of failures for this recovery action to perform, before moving to
the next recovery action:

Digi Connect EZ 16/32 User Guide 79


Interfaces Wide Area Networks (WANs)

(config network interface my_wan surelink actions 0)> test_failures int
(config network interface my_wan surelink actions 0)>

The default is 3.
l Set the time to wait before the next test is run. If set to the default value of 0s,
the test interval is used.

(config network interface my_wan surelink actions 0)> override_interval int
(config network interface my_wan surelink actions 0)>

n custom_action: Execute custom recovery commands.


If custom_action is selected, complete the following:
l Set the number of failures for this recovery action to perform, before moving to
the next recovery action:

(config network interface my_wan surelink actions 0)> test_failures int
(config network interface my_wan surelink actions 0)>

The default is 3.
l Set the commands to run to attempt to recover connectivity.

(config network interface my_wan surelink actions 0)> custom_action_commands_modem "string"
(config network interface my_wan surelink actions 0)>

l Set the time to wait before the next test is run. If set to the default value of 0s,
the test interval is used.

(config network interface my_wan surelink actions 0)> override_interval int
(config network interface my_wan surelink actions 0)>

f. Repeat for each additional recovery action.


7. Optional SureLink configuration parameters:
a. Type ... to return to the root of the configuration:

(config network interface my_wan surelink actions 0)> ...


(config)>

b. Set the test interval between connectivity tests:

(config)> network interface my_wan surelink interval value


(config)>

where value is any number of weeks, days, hours, minutes, or seconds, and takes the
format number{w|d|h|m|s}.
For example, to set interval to ten minutes, enter either 10m or 600s:


(config)> network interface my_wan surelink interval 600s


(config)>

The default is 15m.


c. If more than one test target is configured, set the success condition:

(config)> network interface my_wan surelink success_condition value


(config)>

where value is either:


n one: Only one test needs to pass for SureLink to consider an interface to be up.
n all: All tests need to pass for SureLink to consider the interface to be up.
d. Set the number of times that the test must pass after failure, before the interface is
determined to be working and is reinstated.

(config)> network interface my_wan surelink pass_threshold int


(config)>

The default is 1.
e. Set the amount of time that the device should wait for a response to a test failure before
considering it to have failed:

(config)> network interface my_wan surelink timeout value


(config)>

where value is any number of weeks, days, hours, minutes, or seconds, and takes the
format number{w|d|h|m|s}.
For example, to set timeout to ten minutes, enter either 10m or 600s:

(config)> network interface my_wan surelink timeout 600s


(config)>

The default is 15s.


f. Set the amount of time to wait while the device is starting before SureLink testing begins.
This setting is bypassed when the interface is determined to be up.

(config)> network interface my_wan surelink advanced delayed_start value
(config)>

where value is any number of weeks, days, hours, minutes, or seconds, and takes the
format number{w|d|h|m|s}.
For example, to set delayed_start to ten minutes, enter either 10m or 600s:

(config)> network interface my_wan surelink advanced delayed_start 600s
(config)>

The default is 300s.


g. Set the time to add to the test interval when restarting the list of actions. This option is
capped at 15 minutes.

(config)> network interface my_wan surelink advanced backoff_interval value
(config)>

where value is any number of weeks, days, hours, minutes, or seconds, and takes the
format number{w|d|h|m|s}.
For example, to set backoff_interval to ten minutes, enter either 10m or 600s:

(config)> network interface my_wan surelink advanced backoff_interval 600s
(config)>

The default is 300 seconds.


h. The interface_gateway parameter is used by the Interface gateway Ping test as the
endpoint for traceroute to use to determine the interface gateway. The default is 8.8.8.8,
and should only be changed if this IP address is not accessible due to networking issues.
To set to an alternate host:

(config)> network interface my_wan surelink advanced interface_gateway hostname/IP_address
(config)>

8. Save the configuration and apply the change.

(config network interface my_wan ipv4 surelink)> save


Configuration saved.
>

9. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Configure the device to reboot when a failure is detected


Using SureLink, you can configure the Connect EZ 16/32 device to reboot when it has determined that
an interface has failed.

Required configuration items


n Enable SureLink.
By default, SureLink is enabled for the preconfigured WAN (ETH1) and WWAN (Modem). The
default configuration tests the DNS servers configured for the interface.
When SureLink is configured for Wireless WANs, SureLink tests are only run if the cellular
modem is connected and has an IP address. Use the SIM failover options to configure the
Connect EZ 16/32 device to automatically recover the modem in the event that it cannot
obtain an IP address. See Configure a Wireless Wide Area Network (WWAN) for details about
SIM failover.
n Enable device reboot upon interface failure.


n The type of tests to be performed:


l Ping test: Uses ICMP to determine connectivity. The default behavior is to ping the
interface gateway, which means that an initial traceroute is sent to the hostname or IP
address configured in the SureLink advanced settings, and then the first hop in that route
is used for the ping test.
l DNS test: Performs a DNS query to the named DNS server.
l HTTP test: Uses HTTP(s) GET requests to determine connectivity to the configured web
server.
l Test DNS servers configured for this interface: Tests communication with DNS servers
that are either provided by DHCP, or statically configured for this interface.
l Test the interface status: Tests the current status of the interface. The test fails if the
interface is down. Failing this test infers that all other tests fail.
l Custom test: Tests the interface with custom commands.
l TCP connection test: Tests that the interface can reach a destination port on the
configured host.
l Test another interface's status: Tests the status of another interface.

Additional configuration items


n See Configure SureLink active recovery to detect WAN/WWAN failures for optional SureLink
configuration parameters.
To configure the Connect EZ 16/32 device to reboot when an interface has failed:

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Network > Interfaces.


4. Create a new interface or select an existing one:


n To create a new interface, see Configure a Local Area Network (LAN), Configure a Wide
Area Network (WAN), or Configure a Wireless Wide Area Network (WWAN).
n To edit an existing interface, click to expand the appropriate interface.
5. After creating or selecting the interface, click SureLink.

By default, SureLink is enabled for the preconfigured WAN (ETH1) and WWAN (Modem). The
default configuration tests the DNS servers configured for the interface.
When SureLink is configured for Wireless WANs, SureLink tests are only run if the cellular
modem is connected and has an IP address. Use the SIM failover options to configure the
Connect EZ 16/32 device to automatically recover the modem in the event that it cannot
obtain an IP address. See Configure a Wireless Wide Area Network (WWAN) for details about
SIM failover.
6. (Optional) Change the Test interval between connectivity tests.
Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the
format number{w|d|h|m|s}.
For example, to set Interval to ten minutes, enter 10m or 600s.
The default is 15 minutes.
7. (Optional) If more than one test target is configured, for Success condition, select either:
n One test passes: Only one test needs to pass for SureLink to consider an interface to be
up.
n All test pass: All tests need to pass for SureLink to consider the interface to be up.
8. (Optional) For Pass threshold, type or select the number of times that the test must pass after
failure, before the interface is determined to be working and is reinstated.
9. (Optional) For Response timeout, type the amount of time that the device should wait for a
response to a test failure before considering it to have failed.
Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the
format number{w|d|h|m|s}.
For example, to set Response timeout to ten minutes, enter 10m or 600s.
The default is 15 seconds.
10. Click to expand Tests.
By default, Test DNS servers configured for this interface is automatically configured and
enabled. This tests communication with DNS servers that are either provided by DHCP, or
statically configured for this interface.


a. Click .

New tests are enabled by default. To disable, click to toggle off Enable.
b. Type a Label for the test.
c. Click to toggle on IPv6 if the test should apply to IPv6 rather than IPv4.
d. Select the Test type.
Available test types:
n Ping test: Uses ICMP to determine connectivity.
If Ping test is selected, complete the following:
l Ping target: The type of target for the ping, one of:
o Hostname or IP address of an external server.
o Ping host: hostname or IP address of the server.
o The Interface gateway. If Interface gateway is selected, an initial
traceroute is sent to the hostname or IP address configured in the SureLink
advanced settings, and then the first hop in that route is used for the ping
test.
o The Interface address.
o The Interface DNS server.
l Ping payload size: The number of bytes to send as part of the ping payload.
n DNS test: Performs a DNS query to the named DNS server.
If DNS test is selected, complete the following:
l DNS server: The IP address of the DNS server.
n HTTP test: Uses HTTP(s) GET requests to determine connectivity to the configured
web server.
If HTTP test is selected, complete the following:
l Web server: The URL of the web server.
n Test DNS servers configured for this interface: Tests communication with DNS
servers that are either provided by DHCP, or statically configured for this interface.
n Test the interface status: Tests the current status of the interface. The test fails if
the interface is down. Failing this test infers that all other tests fail.
If Test the interface status is selected, complete the following:
l Down time: The amount of time that the interface is down before the test can
be considered to have failed.
Allowed values are any number of weeks, days, hours, minutes, or seconds, and
take the format number{w|d|h|m|s}.
For example, to set Down time to ten minutes, enter 10m or 600s.
l Initial connection time: The amount of time to wait for the interface to
connect for the first time before the test is considered to have failed.


Allowed values are any number of weeks, days, hours, minutes, or seconds, and
take the format number{w|d|h|m|s}.
For example, to set Initial connection time to ten minutes, enter 10m or 600s.
n Custom test: Tests the interface with custom commands.
If Custom test is selected, complete the following:
l The Commands to run to test.
n TCP connection test: Tests that the interface can reach a destination port on the
configured host.
If TCP connection test is selected, complete the following:
l TCP connect host: The hostname or IP address of the host to create a
TCP connection to.
l TCP connect port: The TCP port to create a TCP connection to.
n Test another interface's status: Tests the status of another interface.
If Test another interface's status is selected, complete the following:
l Test interface: The interface to test.
l IP version: The type of IP connection, one of:
o Any: Either the IPv4 or IPv6 connection must be up.
o Both: Both the IPv4 and IPv6 connections must be up.
o IPv4: The IPv4 connection must be up.
o IPv6: The IPv6 connection must be up.
l Expected status: The status required for the test to pass.
o Up: The test will pass only if the referenced interface is up and passing its
own SureLink tests (if applicable).
o Down: The test will pass only if the referenced interface is down or failing its
own SureLink tests (if applicable).
e. Repeat for each additional test.
11. Add recovery actions:
a. Click to expand Recovery actions.
By default, there are two preconfigured recovery actions:
n Update routing: Uses the Change default gateway action, which increases the
interface's metric by 100 to change the default gateway.
n Restart interface.
b. Click .

New recovery actions are enabled by default. To disable, click to toggle off Enable.
c. Type a Label for the recovery action.
d. For Recovery type, select Reboot device.


e. For Recovery type, select the type of recovery action. If multiple recovery actions are
configured, they are performed in the order that they are listed.
n Change default gateway: Increases the interface's metric to change the default
gateway.
If Change default gateway is selected, complete the following:
l SureLink test failures: The number of failures for this recovery action to
perform, before moving to the next recovery action.
l Increase metric to change active default gateway: Increase the interface's
metric by this amount. This should be set to a number large enough to change
the routing table to use another default gateway. The default is 100.
l Override wait interval before performing the next recovery action: The
time to wait before the next test is run. If set to the default value of 0s, the Test
interval is used.
n Restart interface.
If Restart interface is selected, complete the following:
l SureLink test failures: The number of failures for this recovery action to
perform, before moving to the next recovery action.
l Override wait interval before performing the next recovery action: The
time to wait before the next test is run. If set to the default value of 0s, the Test
interval is used.
n Reset modem: This recovery action is available for WWAN interfaces only.
If Reset modem is selected, complete the following:
l SureLink test failures: The number of failures for this recovery action to
perform, before moving to the next recovery action.
l Override wait interval before performing the next recovery action: The
time to wait before the next test is run. If set to the default value of 0s, the Test
interval is used.
n Switch to alternate SIM: Switches to an alternate SIM. This recovery action is
available for WWAN interfaces only.
If Switch to alternate SIM is selected, complete the following:
l SureLink test failures: The number of failures for this recovery action to
perform, before moving to the next recovery action.
l Override wait interval before performing the next recovery action: The
time to wait before the next test is run. If set to the default value of 0s, the Test
interval is used.
n Reboot device.
If Reboot device is selected, complete the following:
l SureLink test failures: The number of failures for this recovery action to
perform, before moving to the next recovery action.
l Override wait interval before performing the next recovery action: The
time to wait before the next test is run. If set to the default value of 0s, the Test
interval is used.


n Execute custom Recovery commands.


If Recovery commands is selected, complete the following:
l SureLink test failures: The number of failures for this recovery action to
perform, before moving to the next recovery action.
l The Commands to run to recover connectivity.
l Override wait interval before performing the next recovery action: The
time to wait before the next test is run. If set to the default value of 0s, the Test
interval is used.
n Powercycle the modem. This recovery action is available for WWAN interfaces
only.
If Powercycle the modem is selected, complete the following:
l SureLink test failures: The number of failures for this recovery action to
perform, before moving to the next recovery action.
l Override wait interval before performing the next recovery action: The
time to wait before the next test is run. If set to the default value of 0s, the Test
interval is used.
f. Repeat for each additional recovery action.
12. (Optional) Configure advanced SureLink parameters:
a. Click to expand Advanced settings.
b. For Delayed Start, type the amount of time to wait while the device is starting before
SureLink testing begins. This setting is bypassed when the interface is determined to be
up.
Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the
format number{w|d|h|m|s}.
For example, to set Delayed start to ten minutes, enter 10m or 600s.
The default is 300 seconds.
c. For Backoff interval, type the time to add to the test interval when restarting the list of
actions. This option is capped at 15 minutes.
Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the
format number{w|d|h|m|s}.
For example, to set Backoff interval to ten minutes, enter 10m or 600s.
The default is 300 seconds.
d. Test interface gateway by pinging is used by the Interface gateway Ping test as the
endpoint for traceroute to use to determine the interface gateway. The default is 8.8.8.8,
and should only be changed if this IP address is not accessible due to networking issues.
13. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.


2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Create a new interface, or edit an existing one:


n To create a new interface, see Configure a Local Area Network (LAN), Configure a Wide
Area Network (WAN), or Configure a Wireless Wide Area Network (WWAN).
n To edit an existing interface, change to the interface's node in the configuration
schema. For example, for an interface named my_wan, change to the my_wan node in
the configuration schema:

(config)> network interface my_wan


(config network interface my_wan)>

4. Enable SureLink.
By default, SureLink is enabled for the preconfigured WAN (eth1) and WWAN (modemwwan2).
The default configuration tests the DNS servers configured for the interface.
When SureLink is configured for Wireless WANs, SureLink tests are only run if the cellular
modem is connected and has an IP address. Use the SIM failover options to configure the
Connect EZ 16/32 device to automatically recover the modem in the event that it cannot
obtain an IP address. See Configure a Wireless Wide Area Network (WWAN) for details about
SIM failover.

(config network interface my_wan)> surelink enable true


(config network interface my_wan)>

5. By default, the Test DNS servers configured for this interface test is automatically
configured and enabled. This tests communication with DNS servers that are either provided
by DHCP, or statically configured for this interface.
To add additional tests:
a. Add a test:

(config network interface my_wan)> add surelink tests end


(config network interface my_wan surelink tests 1)>

b. New tests are enabled by default. To disable:

(config network interface my_wan surelink tests 1)> enable false


(config network interface my_wan surelink tests 1)>

c. Create a label for the test:

(config network interface my_wan surelink tests 1)> label string


(config network interface my_wan surelink tests 1)>


d. If the test should apply to IPv6 rather than IPv4, enable IPv6:

(config network interface my_wan surelink tests 1)> ipv6 true


(config network interface my_wan surelink tests 1)>

e. Set the test type:

(config network interface my_wan surelink tests 1)> test value


(config network interface my_wan surelink tests 1)>

where value is one of:


n ping: Uses ICMP to determine connectivity.
If ping is selected, complete the following:
l Set the ping_method:

(config network interface my_wan surelink tests 1)> ping_method value
(config network interface my_wan surelink tests 1)>

where value is one of:


o hostname: The hostname or IP address of an external server.
o Set ping_host to the hostname or IP address of the server:

(config network interface my_wan surelink tests 1)> ping_host hostname/IP_address
(config network interface my_wan surelink tests 1)>

o interface_gateway. If set, an initial traceroute is sent to the hostname or IP
address configured in the SureLink advanced settings, and then the first hop
in that route is used for the ping test.
o interface_address.
o interface_dns: The interface's DNS server.
l Set the number of bytes to send as part of the ping payload:

(config network interface my_wan surelink tests 1)> ping_size int
(config network interface my_wan surelink tests 1)>

n dns: Performs a DNS query to the named DNS server.


If dns is set, set the IPv4 or IPv6 address of the DNS server:

(config network interface my_wan surelink tests 1)> dns_server IP_address
(config network interface my_wan surelink tests 1)>

n http: Uses HTTP(s) GET requests to determine connectivity to the configured web
server.
If http is set, set the URL of the web server.


(config network interface my_wan surelink tests 1)> http url


(config network interface my_wan surelink tests 1)>

n dns_configured: Tests communication with DNS servers that are either provided
by DHCP, or statically configured for this interface.
n interface_up: Tests the current status of the interface. The test fails if the interface
is down. Failing this test infers that all other tests fail.
If interface_up is set, complete the following:
l Set the amount of time that the interface is down before the test can be
considered to have failed.

(config network interface my_wan surelink tests 1)> interface_down_time value
(config network interface my_wan surelink tests 1)>

where value is any number of weeks, days, hours, minutes, or seconds, and
takes the format number{w|d|h|m|s}.
For example, to set interface_down_time to ten minutes, enter either 10m or
600s:

(config network interface my_wan surelink tests 1)> interface_down_time 600s
(config)>

l Set the amount of time to wait for the interface to connect for the first time
before the test is considered to have failed.

(config network interface my_wan surelink tests 1)> interface_timeout value
(config network interface my_wan surelink tests 1)>

where value is any number of weeks, days, hours, minutes, or seconds, and
takes the format number{w|d|h|m|s}.
For example, to set interface_timeout to ten minutes, enter either 10m or
600s:

(config network interface my_wan surelink tests 1)> interface_timeout 600s
(config)>

n custom_test: Tests the interface with custom commands.


If custom_test is set, set the commands to run to perform the test:

(config network interface my_wan surelink tests 1)> custom_test_commands "string"
(config network interface my_wan surelink tests 1)>


n tcp_connection: Tests that the interface can reach a destination port on the
configured host.
If tcp_connection is selected, complete the following:
l Set the hostname or IP address of the host to create a TCP connection to:

(config network interface my_wan surelink tests 1)> tcp_host hostname/IP_address
(config network interface my_wan surelink tests 1)>

l Set the TCP port to create a TCP connection to.

(config network interface my_wan surelink tests 1)> tcp_port port
(config network interface my_wan surelink tests 1)>

n other: Tests the status of another interface.


If other is selected, complete the following:
l Set the interface to test.
i. Use the ? to determine available interfaces:
ii. Set the interface. For example:

(config network interface my_wan surelink tests 1)> other_interface /network/interface/eth1
(config network interface my_wan surelink tests 1)>

l Set the type of IP connection:

(config network interface my_wan surelink tests 1)> other_ip_version value
(config network interface my_wan surelink tests 1)>

where value is one of:


o any: Either the IPv4 or IPv6 connection must be up.
o both: Both the IPv4 and IPv6 connections must be up.
o ipv4: The IPv4 connection must be up.
o ipv6: The IPv6 connection must be up.
l The status required for the test to pass.

(config network interface my_wan surelink tests 1)> other_status value
(config network interface my_wan surelink tests 1)>

where value is one of:


o up: The test will pass only if the referenced interface is up and passing its
own SureLink tests (if applicable).
o down: The test will pass only if the referenced interface is down or failing its
own SureLink tests (if applicable).
f. Repeat for each additional test.


6. Add recovery actions:


a. Type ... to return to the root of the configuration:

(config network interface my_wan surelink tests 1)> ...


(config)>

b. Add a recovery action:

(config)> add network interface my_wan surelink actions end


(config network interface my_wan surelink actions 0)>

c. New actions are enabled by default. To disable:

(config network interface my_wan surelink actions 0)> enable false


(config network interface my_wan surelink actions 0)>

d. Create a label for the action:

(config network interface my_wan surelink actions 0)> label string


(config network interface my_wan surelink actions 0)>

e. Set the type of recovery action to reboot_device:

(config network interface my_wan surelink actions 0)> action reboot_device
(config network interface my_wan surelink actions 0)>

n Set the number of failures for this recovery action to perform, before moving to the
next recovery action:

(config network interface my_wan surelink actions 0)> test_failures int
(config network interface my_wan surelink actions 0)>

The default is 3.
n Set the time to wait before the next test is run. If set to the default value of 0s, the
test interval is used.

(config network interface my_wan surelink actions 0)> override_interval int
(config network interface my_wan surelink actions 0)>

7. Optional SureLink configuration parameters:


a. Type ... to return to the root of the configuration:

(config network interface my_wan surelink actions 0)> ...


(config)>

b. Set the test interval between connectivity tests:

(config)> network interface my_wan surelink interval value


(config)>


where value is any number of weeks, days, hours, minutes, or seconds, and takes the
format number{w|d|h|m|s}.
For example, to set interval to ten minutes, enter either 10m or 600s:

(config)> network interface my_wan surelink interval 600s


(config)>

The default is 15m.


c. If more than one test target is configured, set the success condition:

(config)> network interface my_wan surelink success_condition value


(config)>

where value is either:


n one: Only one test needs to pass for SureLink to consider an interface to be up.
n all: All tests need to pass for SureLink to consider the interface to be up.
d. Set the number of times that the test must pass after failure, before the interface is
determined to be working and is reinstated.

(config)> network interface my_wan surelink pass_threshold int


(config)>

The default is 1.
e. Set the amount of time that the device should wait for a response to a test failure before
considering it to have failed:

(config)> network interface my_wan surelink timeout value


(config)>

where value is any number of weeks, days, hours, minutes, or seconds, and takes the
format number{w|d|h|m|s}.
For example, to set timeout to ten minutes, enter either 10m or 600s:

(config)> network interface my_wan surelink timeout 600s


(config)>

The default is 15s.


f. Set the amount of time to wait while the device is starting before SureLink testing begins.
This setting is bypassed when the interface is determined to be up.

(config)> network interface my_wan surelink advanced delayed_start value
(config)>

where value is any number of weeks, days, hours, minutes, or seconds, and takes the
format number{w|d|h|m|s}.
For example, to set delayed_start to ten minutes, enter either 10m or 600s:


(config)> network interface my_wan surelink advanced delayed_start 600s
(config)>

The default is 300s.


g. Set the time to add to the test interval when restarting the list of actions. This option is
capped at 15 minutes.

(config)> network interface my_wan surelink advanced backoff_interval value
(config)>

where value is any number of weeks, days, hours, minutes, or seconds, and takes the
format number{w|d|h|m|s}.
For example, to set backoff_interval to ten minutes, enter either 10m or 600s:

(config)> network interface my_wan surelink advanced backoff_interval 600s
(config)>

The default is 300 seconds.


h. The interface_gateway parameter is used by the Interface gateway Ping test as the
endpoint for traceroute to use to determine the interface gateway. The default is 8.8.8.8,
and should only be changed if this IP address is not accessible due to networking issues.
To set to an alternate host:

(config)> network interface my_wan surelink advanced interface_gateway hostname/IP_address
(config)>

8. Save the configuration and apply the change.

(config network interface my_wan ipv4 surelink)> save


Configuration saved.
>

9. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
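
The command-line procedure above, condensed into an added example that is not part of the Digi guide: a Python helper that checks values against the number{w|d|h|m|s} format and builds the Admin CLI lines for a reboot_device recovery action. The function names, the label reboot_on_failure, the restriction on name characters, single-unit-only parsing, and passing override_interval in duration form (based on its stated default of 0s) are assumptions of this example.

```python
import re

# Seconds per unit in the guide's duration format: number{w|d|h|m|s}
UNIT_SECONDS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}
DURATION_RE = re.compile(r"(\d+)([wdhms])")
NAME_RE = re.compile(r"[A-Za-z0-9_]+")
BACKOFF_CAP_S = 15 * 60  # the guide says backoff_interval is capped at 15 minutes


def parse_duration(value):
    """Convert one duration such as '10m' or '600s' to seconds."""
    match = DURATION_RE.fullmatch(value.strip())
    if match is None:
        raise ValueError(f"{value!r} is not in number{{w|d|h|m|s}} format")
    return int(match.group(1)) * UNIT_SECONDS[match.group(2)]


def effective_wait(override_interval, interval):
    """Wait before the next test: an override of 0s means the test interval is used."""
    override_s = parse_duration(override_interval)
    return override_s if override_s > 0 else parse_duration(interval)


def effective_backoff(backoff_interval):
    """Backoff added when the action list restarts, limited to the 15-minute cap."""
    return min(parse_duration(backoff_interval), BACKOFF_CAP_S)


def reboot_action_commands(interface, label, test_failures=3,
                           override_interval="0s", interval="15m"):
    """Build the Admin CLI lines that add a reboot_device recovery action."""
    # Assumption of this example: names are limited to a conservative character
    # set so a value can never carry extra text into a generated command line.
    for name in (interface, label):
        if NAME_RE.fullmatch(name) is None:
            raise ValueError(f"unsupported characters in {name!r}")
    if not isinstance(test_failures, int) or test_failures < 1:
        raise ValueError("test_failures must be a positive integer")
    parse_duration(override_interval)  # raises ValueError on a malformed value
    parse_duration(interval)
    return [
        "config",
        f"add network interface {interface} surelink actions end",
        f"label {label}",
        "action reboot_device",
        f"test_failures {test_failures}",
        f"override_interval {override_interval}",
        "...",  # return to the root of the configuration
        f"network interface {interface} surelink interval {interval}",
        "save",
    ]


if __name__ == "__main__":
    for line in reboot_action_commands("my_wan", "reboot_on_failure", interval="10m"):
        print(line)
    print("wait before next test:", effective_wait("0s", "10m"), "seconds")
```

Review the generated lines before pasting them into the Admin CLI; a reboot_device action tied to a test whose target is unreachable for reasons unrelated to the WAN will reboot the device repeatedly.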

Disable SureLink
If your device uses a private APN with no Internet access or has a restricted WAN connection that
doesn't allow DNS resolution, you can disable SureLink connectivity tests. You can also reconfigure
SureLink to disable the DNS test and use one or more other tests.

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.


2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Network > Interfaces.
4. Select the appropriate WAN or WWAN on which SureLink should be disabled.
5. After selecting the WAN or WWAN, click SureLink.

6. Toggle off Enable to disable SureLink.


7. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Change to the WAN or WWAN's node in the configuration schema. For example, to disable
SureLink for the Modem interface:


(config)> network interface modem
(config network interface modem)>

4. Disable SureLink:

(config network interface modem)> surelink enable false
(config network interface modem)>

5. Save the configuration and apply the change.

(config network interface modem)> save
Configuration saved.
>

6. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Disable the default DNS test


Alternatively, you can disable the default DNS test for devices that use a private APN with no Internet
access, or that have restricted wired WAN connections that do not allow DNS resolution, and
configure an alternate test.

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Network > Interfaces.
4. Select the appropriate WAN or WWAN on which the default DNS test should be disabled.


5. After selecting the WAN or WWAN, click SureLink.

6. Click to expand Tests.


7. Click to expand the default DNS configured test.
8. Click to toggle off Enable.
9. Click the add icon to add a new test.

10. Type a Label for the test.


11. Click to toggle on IPv6 if the test should apply to IPv6 rather than IPv4.
12. Select the Test type.
Available test types:
- Ping test: Uses ICMP to determine connectivity.
  If Ping test is selected, complete the following:
  - Ping target: The type of target for the ping, one of:
    - Hostname or IP address of an external server.
    - Ping host: hostname or IP address of the server.
    - The Interface gateway. If Interface gateway is selected, an initial traceroute is
      sent to the hostname or IP address configured in the SureLink advanced settings,
      and then the first hop in that route is used for the ping test.
    - The Interface address.
    - The Interface DNS server.
  - Ping payload size: The number of bytes to send as part of the ping payload.
- DNS test: Performs a DNS query to the named DNS server.
  If DNS test is selected, complete the following:
  - DNS server: The IP address of the DNS server.


- HTTP test: Uses HTTP(s) GET requests to determine connectivity to the configured web
  server.
  If HTTP test is selected, complete the following:
  - Web server: The URL of the web server.
- Test DNS servers configured for this interface: Tests communication with DNS
  servers that are either provided by DHCP, or statically configured for this interface.
- Test the interface status: Tests the current status of the interface. The test fails if the
  interface is down. Failing this test implies that all other tests fail.
  If Test the interface status is selected, complete the following:
  - Down time: The amount of time that the interface is down before the test can be
    considered to have failed.
    Allowed values are any number of weeks, days, hours, minutes, or seconds, and
    take the format number{w|d|h|m|s}.
    For example, to set Down time to ten minutes, enter 10m or 600s.
  - Initial connection time: The amount of time to wait for the interface to connect for
    the first time before the test is considered to have failed.
    Allowed values are any number of weeks, days, hours, minutes, or seconds, and
    take the format number{w|d|h|m|s}.
    For example, to set Initial connection time to ten minutes, enter 10m or 600s.
- Custom test: Tests the interface with custom commands.
  If Custom test is selected, complete the following:
  - The Commands to run to test.
- TCP connection test: Tests that the interface can reach a destination port on the
  configured host.
  If TCP connection test is selected, complete the following:
  - TCP connect host: The hostname or IP address of the host to create a
    TCP connection to.
  - TCP connect port: The TCP port to create a TCP connection to.
- Test another interface's status: Tests the status of another interface.
  If Test another interface's status is selected, complete the following:
  - Test interface: The interface to test.
  - IP version: The type of IP connection, one of:
    - Any: Either the IPv4 or IPv6 connection must be up.
    - Both: Both the IPv4 and IPv6 connections must be up.
    - IPv4: The IPv4 connection must be up.
    - IPv6: The IPv6 connection must be up.
  - Expected status: The status required for the test to pass.
    - Up: The test will pass only if the referenced interface is up and passing its own
      SureLink tests (if applicable).


    - Down: The test will pass only if the referenced interface is down or failing its own
      SureLink tests (if applicable).
13. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Change to the WAN or WWAN's node in the configuration schema. For example, to disable the
default DNS test for an interface named my_wan:

(config)> network interface my_wan
(config network interface my_wan)>

4. Disable the default DNS test:

(config network interface my_wan)> surelink tests 0 enable false
(config network interface my_wan)>

5. Add a new test:

a. Add a test:

(config network interface my_wan)> add surelink tests end
(config network interface my_wan surelink tests 1)>

b. Create a label for the test:

(config network interface my_wan surelink tests 1)> label string
(config network interface my_wan surelink tests 1)>

c. If the test should apply to IPv6 rather than IPv4, enable IPv6:

(config network interface my_wan surelink tests 1)> ipv6 true
(config network interface my_wan surelink tests 1)>

d. Set the test type:

(config network interface my_wan surelink tests 1)> test value
(config network interface my_wan surelink tests 1)>

where value is one of:


- ping: Uses ICMP to determine connectivity.
  If ping is selected, complete the following:


  - Set the ping_method:

(config network interface my_wan surelink tests 1)> ping_method value
(config network interface my_wan surelink tests 1)>

where value is one of:

    - hostname: The hostname or IP address of an external server.
    - Set ping_host to the hostname or IP address of the server:

(config network interface my_wan surelink tests 1)> ping_host hostname/IP_address
(config network interface my_wan surelink tests 1)>

    - interface_gateway. If set, an initial traceroute is sent to the hostname or IP
      address configured in the SureLink advanced settings, and then the first hop
      in that route is used for the ping test.
    - interface_address.
    - interface_dns: The interface's DNS server.
  - Set the number of bytes to send as part of the ping payload:

(config network interface my_wan surelink tests 1)> ping_size int
(config network interface my_wan surelink tests 1)>

- dns: Performs a DNS query to the named DNS server.
  If dns is set, set the IPv4 or IPv6 address of the DNS server:

(config network interface my_wan surelink tests 1)> dns_server IP_address
(config network interface my_wan surelink tests 1)>

- http: Uses HTTP(s) GET requests to determine connectivity to the configured web
  server.
  If http is set, set the URL of the web server.

(config network interface my_wan surelink tests 1)> http url
(config network interface my_wan surelink tests 1)>

- dns_configured: Tests communication with DNS servers that are either provided
  by DHCP, or statically configured for this interface.
- interface_up: Tests the current status of the interface. The test fails if the interface
  is down. Failing this test implies that all other tests fail.
  If interface_up is set, complete the following:
  - Set the amount of time that the interface is down before the test can be
    considered to have failed.


(config network interface my_wan surelink tests 1)> interface_down_time value
(config network interface my_wan surelink tests 1)>

where value is any number of weeks, days, hours, minutes, or seconds, and
takes the format number{w|d|h|m|s}.
For example, to set interface_down_time to ten minutes, enter either 10m or
600s:

(config network interface my_wan surelink tests 1)> interface_down_time 600s
(config network interface my_wan surelink tests 1)>

  - Set the amount of time to wait for the interface to connect for the first time
    before the test is considered to have failed.

(config network interface my_wan surelink tests 1)> interface_timeout value
(config network interface my_wan surelink tests 1)>

where value is any number of weeks, days, hours, minutes, or seconds, and
takes the format number{w|d|h|m|s}.
For example, to set interface_timeout to ten minutes, enter either 10m or
600s:

(config network interface my_wan surelink tests 1)> interface_timeout 600s
(config network interface my_wan surelink tests 1)>

- custom_test: Tests the interface with custom commands.
  If custom_test is set, set the commands to run to perform the test:

(config network interface my_wan surelink tests 1)> custom_test_commands "string"
(config network interface my_wan surelink tests 1)>

- tcp_connection: Tests that the interface can reach a destination port on the
  configured host.
  If tcp_connection is selected, complete the following:
  - Set the hostname or IP address of the host to create a TCP connection to:

(config network interface my_wan surelink tests 1)> tcp_host hostname/IP_address
(config network interface my_wan surelink tests 1)>


  - Set the TCP port to create a TCP connection to.

(config network interface my_wan surelink tests 1)> tcp_port port
(config network interface my_wan surelink tests 1)>

- other: Tests the status of another interface.
  If other is selected, complete the following:
  - Set the interface to test.
    i. Use the ? to determine available interfaces:
    ii. Set the interface. For example:

(config network interface my_wan surelink tests 1)> other_interface /network/interface/eth1
(config network interface my_wan surelink tests 1)>

  - Set the type of IP connection:

(config network interface my_wan surelink tests 1)> other_ip_version value
(config network interface my_wan surelink tests 1)>

where value is one of:

    - any: Either the IPv4 or IPv6 connection must be up.
    - both: Both the IPv4 and IPv6 connections must be up.
    - ipv4: The IPv4 connection must be up.
    - ipv6: The IPv6 connection must be up.
  - Set the status required for the test to pass:

(config network interface my_wan surelink tests 1)> other_status value
(config network interface my_wan surelink tests 1)>

where value is one of:

    - up: The test will pass only if the referenced interface is up and passing its
      own SureLink tests (if applicable).
    - down: The test will pass only if the referenced interface is down or failing its
      own SureLink tests (if applicable).
6. Save the configuration and apply the change.

(config network interface my_wan ipv4 surelink)> save
Configuration saved.
>

7. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.


Example: Use a ping test for WAN failover from Ethernet to cellular
In this example configuration, the ETH1 interface serves as the primary WAN, while the cellular
Modem interface serves as the backup WAN.
SureLink is used on the ETH1 interface to send a probe packet of
size 256 bytes to the IP host 43.66.93.111 every 10 seconds. If there are three consecutive failed
responses, the default Update Routing recovery action will increase the metric for the ETH1 interface
by 100, which will cause the Connect EZ 16/32 device to start using the Modem interface as the
default route. The device continues to regularly test the connection to ETH1, and when tests on ETH1
succeed, the device falls back to that interface.
To configure this WAN failover from the ETH1 interface to the Modem interface:

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Configure active recovery on ETH1:
a. Click Network > Interface > ETH1 > SureLink.

b. For Test interval, type 10s.


c. Click to expand Tests.


d. Disable the default DNS test:
i. Click to expand the default DNS configured test.
ii. Click to toggle off Enable.
e. Click the add icon to add a new test.

f. For Test type, select Ping test.


g. For Ping host, type 43.66.93.111.
h. For Ping payload size, type 256.

4. Repeat the above step for Modem to enable SureLink on that interface.
5. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Configure SureLink on ETH1:


a. Set the interval to ten seconds:

(config)> network interface eth1 surelink interval 10s
(config)>

b. Disable the default DNS test:

(config)> network interface eth1 surelink tests 0 enable false
(config)>


c. Add a test:

(config)> add network interface eth1 surelink tests end
(config network interface eth1 surelink tests 1)>

d. Set the probe type to ping:

(config network interface eth1 surelink tests 1)> test ping
(config network interface eth1 surelink tests 1)>

e. Set the packet size to 256 bytes:

(config network interface eth1 surelink tests 1)> ping_size 256
(config network interface eth1 surelink tests 1)>

f. Set the host to ping:

(config network interface eth1 surelink tests 1)> ping_host 43.66.93.111
(config network interface eth1 surelink tests 1)>

4. Repeat the above step for the cellular Modem (modem) interface to enable SureLink on that
interface. Note that this will cause the interface to send a ping every 10 seconds, which will
incur data costs.
5. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

6. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
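
The command-line failover procedure above, rendered from parameters, as an added example that is not part of the Digi guide: each value is checked against the number{w|d|h|m|s} duration format or a hostname/IP pattern before the Admin CLI lines are emitted, so a malformed value cannot become an extra command. The class and function names are assumptions, the commands are the ones shown in this guide, and rejecting a backoff_interval above the 15 minute cap is this example's choice.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Seconds per unit in the guide's number{w|d|h|m|s} duration format.
UNIT_SECONDS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}
BACKOFF_CAP_SECONDS = 15 * 60  # the guide caps backoff_interval at 15 minutes

_DURATION = re.compile(r"([0-9]+)([wdhms])")
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")
_INTERFACE = re.compile(r"[a-z0-9_]+")  # assumption: names such as eth1, my_wan


def parse_duration(text: str) -> int:
    """Convert a number{w|d|h|m|s} value to seconds; reject anything else."""
    match = _DURATION.fullmatch(text)
    if match is None:
        raise ValueError(f"not a number{{w|d|h|m|s}} value: {text!r}")
    return int(match.group(1)) * UNIT_SECONDS[match.group(2)]


def validate_host(value: str) -> str:
    """Accept an IPv4/IPv6 literal or a hostname and refuse everything else.

    Whitespace and control characters never pass, so one value cannot carry a
    second CLI command into the rendered session.
    """
    try:
        ipaddress.ip_address(value)
        return value
    except ValueError:
        pass
    if len(value) > 253 or _HOSTNAME.fullmatch(value) is None:
        raise ValueError(f"not a hostname or IP address: {value!r}")
    return value


@dataclass(frozen=True)
class PingFailoverTest:
    interface: str                       # WAN to monitor, e.g. "eth1"
    interval: str                        # SureLink test interval, e.g. "10s"
    ping_host: str                       # probe target
    ping_size: int                       # ping payload size in bytes
    backoff_interval: str | None = None  # optional SureLink advanced setting


def render_commands(cfg: PingFailoverTest) -> list[str]:
    """Return the Admin CLI lines, in order, for one ping-based SureLink test."""
    if _INTERFACE.fullmatch(cfg.interface) is None:
        raise ValueError(f"unexpected interface name: {cfg.interface!r}")
    parse_duration(cfg.interval)  # raises if the interval is malformed
    if not isinstance(cfg.ping_size, int) or cfg.ping_size <= 0:
        raise ValueError("ping_size must be a positive integer")
    host = validate_host(cfg.ping_host)

    base = f"network interface {cfg.interface} surelink"
    commands = ["config", f"{base} interval {cfg.interval}"]
    if cfg.backoff_interval is not None:
        if parse_duration(cfg.backoff_interval) > BACKOFF_CAP_SECONDS:
            raise ValueError("backoff_interval exceeds the 15 minute cap")
        commands.append(f"{base} advanced backoff_interval {cfg.backoff_interval}")
    commands += [
        f"{base} tests 0 enable false",  # disable the default DNS test
        f"add {base} tests end",         # prompt moves into the new test node
        "test ping",                     # the next lines are relative to that node
        f"ping_size {cfg.ping_size}",
        f"ping_host {host}",
        "save",
    ]
    return commands


if __name__ == "__main__":
    # Constructed input: the values of the guide's ETH1 failover example.
    example = PingFailoverTest("eth1", "10s", "43.66.93.111", 256, "10m")
    print("\n".join(render_commands(example)))
```

The relative commands after the add line rely on the prompt change the guide shows, where adding a test moves the session into the new test's node.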

Using Ethernet devices in a WAN


The Connect EZ 16/32 device has two Ethernet devices, named ETH1 and ETH2. You can use these
Ethernet interfaces as a WAN when connecting to the Internet, through a device such as a cable
modem.
By default, the ETH1 Ethernet device is configured as a WAN, named ETH1, with both DHCP and NAT
enabled and using the External firewall zone. This means you should be able to connect to the
Internet by connecting the ETH1 Ethernet port to another device that already has an internet
connection.
The ETH2 device is configured as a LAN interface, named ETH2, which uses the Internal firewall zone.

Using cellular modems in a Wireless WAN (WWAN)


The Connect EZ 16/32 supports one cellular modem, named Modem, which is included in a
preconfigured Wireless WAN, also named Modem.
The cellular modem can have only one active SIM slot at any one time. For example, Modem can have
either SIM1 or SIM2 up at one time.
Typically, you configure SIM1 of the cellular modem as the primary cellular interface, and SIM2 as the
backup cellular interface. In this way, if the Connect EZ 16/32 device cannot connect to the network
using SIM1, it automatically fails over to SIM2. Connect EZ 16/32 devices automatically use the correct
cellular module firmware for each carrier when switching SIMs.

Configure cellular modem


Configuring the Connect EZ 16/32's cellular modem involves configuring the following items:

Required configuration items


- Enable the cellular modem.
  The cellular modem is enabled by default.
- Determine the SIM slot that will be used when connecting to the cellular network.
- Configure the maximum number of interfaces that can use the modem.
- Enable carrier switching, which allows the modem to automatically match the carrier for the
  active SIM.
  Carrier switching is enabled by default.
- Configure the access technology.
- Determine which cellular antennas to use.

Additional configuration items


- If Active SIM slot is set to Any, by default the device uses the SIM slot that was last used or
  was operational. As an alternative, you can specify a preferred SIM slot.
  In the event of a failover to a non-preferred SIM, or if manual SIM switching is used to switch to
  a non-preferred SIM, the modem will attempt to reconnect to the SIM in the preferred SIM slot.
To configure the modem:

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.


The Configuration window is displayed.


3. For single-cellular models, click Network > Modems > WWAN cellular modem or Modem.
4. Click Network > Modems > Modem.
5. Modem configurations are enabled by default. Click to toggle Enable to off to disable.
6. The Active SIM slot selection is used to determine which SIM slot the modem will attempt to
connect with. For Active SIM slot, select one of the following options:
- Any: Use the SIM slot that was last used or was last operational. The default is Any.
- SIM1: Only use SIM slot 1 with the modem.
- SIM2: Only use SIM slot 2 with the modem.
7. If you set the Active SIM slot to Any, the Preferred SIM slot option displays. Options for
Preferred SIM slot are:
- None: The modem attempts to connect to the SIM in the SIM slot that was last used or
  was last operational. None is the default.
- SIM slot: Select the SIM slot that should be considered the preferred slot for this
  modem. If a preferred SIM is configured, the Preferred SIM slot check schedule
  displays in the configuration settings. In the event of a SIM failover, or if manual SIM
  switching is used to switch SIM slots, the modem attempts to reconnect to the
  preferred SIM at the interval or schedule configured in the Preferred SIM slot check
  schedule settings. If a Preferred SIM slot is selected, you can choose the type of
  schedule:
  - On boot - Runs task when device starts.
  - Interval - Runs task once per hour.
  - Set time - Runs task at a set time.
  - During system maintenance window - Runs task only during the period of time
    designated for system maintenance.
  - Manual - Task is not performed automatically.
  - After - Task runs for a fixed time interval on a different SIM and then goes back to
    the preferred SIM.
8. For Maximum number of interfaces, type the number of interfaces that can be configured to
use this modem. This is used when using dual-APN SIMs. The default is 1.
9. For Signal strength query interval, type or select the amount of time the system waits before
polling the modem for signal information.
Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the
format number{w|d|h|m|s}.
For example, to set Signal strength query interval to ten minutes, enter 10m or 600s.
The default is 10s.
10. Enable Carrier switching to allow the modem to automatically match the carrier for the active
SIM. Carrier switching is enabled by default.
11. For Access technology, select the type of cellular technology that this modem should use to
access the cellular network, or select All technologies to configure the modem to use the best
available technology. The default is All technologies.
12. For Antennas, select whether the modem should use the main antenna, the auxiliary antenna,
or both the main and auxiliary antennas.


Note For 4G bands, specify the frequency bands you want to include or exclude. By default, all
bands are used. To only use certain bands, separate each band in the list with a space (for
example, B1 B3 B5). To exclude certain bands, separate each band in the list with a space and
precede each band with an exclamation point (for example, !B1 !B5).

CAUTION! Make sure to confirm with your service provider that the bands you want
to include or exclude are accurate. Connection issues may occur if a service provider
changed any of the frequency bands they use for their network and you have set
limitations on the bands to which the Connect EZ 16/32 can connect.

13. (Optional) For 4G bands, specify the 4G bands.

14. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Modem configurations are enabled by default. To disable:

(config)> network modem modem enable false
(config)>

4. Set the SIM slot that should be used by the modem:

(config)> network modem modem sim_slot value
(config)>

where value is one of the following:

- any: Uses either SIM slot.
- 1: Uses the first SIM slot.
- 2: Uses the second SIM slot.
The default is any.
5. If sim_slot is set to any, set the SIM slot that should be considered the preferred slot for this
modem:

(config)> network modem modem sim_slot_preference value
(config)>

where value is one of the following:


- none: Does not consider either SIM slot to be the preferred slot.
- 1: Configures the first SIM slot as the preferred SIM slot.
- 2: Configures the second SIM slot as the preferred SIM slot.
In the event of a failover to a non-preferred SIM, or if manual SIM switching is used to switch to
a non-preferred SIM, the modem will attempt to reconnect to the SIM in the preferred SIM slot.
The default is none.
6. To set the preferred SIM slot check schedule:

(config)> network modem modem sim_slot_preference_value

where value is one of the following:

- 1: SIM slot 1.
- 2: SIM slot 2.

(config)> ...run-time when value

where value is one of the following:

- after
- boot
- interval
- maintenance_window
- manual
- set_time
The default is set_time.
7. Set the amount of time the system waits before polling the modem for signal information:

(config)> network modem modem query_interval value
(config)>

where value is any number of weeks, days, hours, minutes, or seconds, and takes the format
number{w|d|h|m|s}.
For example, to set query_interval to ten minutes, enter either 10m or 600s:

(config)> network modem modem query_interval 600s
(config)>

The default is 10s.

8. Set the maximum number of interfaces. This is used when using dual-APN SIMs. The default is
1.

(config)> network modem modem max_intfs int
(config)>

9. Carrier switching allows the modem to automatically match the carrier for the active SIM.
Carrier switching is enabled by default. To disable:


(config)> network modem modem carrier_switch false
(config)>

10. Set the type of cellular technology that this modem should use to access the cellular network:

(config)> network modem modem access_tech value
(config)>

Available options for value vary depending on the modem type. To determine available
options:

(config)> network modem modem access_tech ?

Access technology: The cellular network technology that the modem may
use.
Format:
2G
3G
4G
4GM
4GT
all
Default value: all
Current value: all

(config)>

The default is all, which uses the best available technology.


11. Set whether the modem should use the main antenna, the auxiliary antenna, or both the main
and auxiliary antennas:

(config)> network modem modem antenna value
(config)>

where value is one of the following:

- main
- aux
- both
12. (Optional) To specify the 4G bands you want to include or exclude:

(config)> network modem modem 4g_bands
(config)>

13. Save the configuration and apply the change.

(config)> save
Configuration saved.
>


14. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Cellular modem APNs


The Connect EZ 16/32 device uses a preconfigured list of Access Point Names (APNs) when attempting
to connect to a cellular carrier for the first time. You can find the serviceproviders-local.txt
and serviceproviders.txt files in the filesystem of the Connect EZ 16/32. The order of the APNs
for a specific carrier in these text files corresponds to the order in which the Connect EZ 16/32 will try
those APNs until it makes a successful connection. After the device has successfully connected, it will
remember the correct APN. As a result, it is not necessary to configure APNs. However, you can
configure the system to use a specified APN if you choose to do so.

Configure cellular modem APNs


To configure the APN:

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Network > Interfaces > Modem > APN list > APN.

4. For APN, type the Access Point Name (APN) to be used when connecting to the cellular carrier.
5. (Optional) IP version:
For IP version, select one of the following:
- Automatic: Requests both IPv4 and IPv6 addresses.
- IPv4: Requests only an IPv4 address.
- IPv6: Requests only an IPv6 address.
The default is Automatic.
6. (Optional) For PDP context index, type the number for the index of the SIM card that the APN
is programmed into or type 0 to have the index set automatically.
7. (Optional) For Authentication method, select one of the following:
- None: No authentication is required.
- Automatic: The device will attempt to connect using CHAP first, and then PAP.
- CHAP: Uses the Challenge Handshake Authentication Profile (CHAP) to authenticate.
- PAP: Uses the Password Authentication Profile (PAP) to authenticate.
If Automatic, CHAP, or PAP is selected, enter the Username and Password required to
authenticate.
The default is None.
8. Lightweight M2M support is enabled by default. Disable if you are using an AT&T SIM that
does not support AT&T lightweight M2M.
9. (Optional) For APN selection, select whether you want to configure the device to use the
preconfigured APNs, custom APNs, or both.
10. To add additional APNs, for Add APN, click the add icon and repeat the preceding instructions.
11. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.


2. At the command line, type config to enter configuration mode:

> config
(config)>

3. At the config prompt, type:

(config)> network interface modem modem apn 0 apn value
(config)>

where value is the APN for the SIM card.

4. (Optional) To add additional APNs:
a. Use the add command to add a new APN entry. For example:

(config)> add network interface modem modem apn end
(config network interface modem modem apn 1)>

b. Set the value of the APN:

(config network interface modem modem apn 1)> apn value
(config network interface modem modem apn 1)>

where value is the APN for the SIM card.

5. (Optional) Set the IP version:

(config)> network interface modem modem apn 0 ip_version version
(config)>

where version is one of the following:

- auto: Requests both IPv4 and IPv6 addresses.
- ipv4: Requests only an IPv4 address.
- ipv6: Requests only an IPv6 address.
The default is auto.
6. (Optional) Set the PDP context index:

(config network interface modem modem apn 0)> cid value
(config network interface modem modem apn 0)>

where value is the index number of the SIM that the APN is programmed into. 0 means the
index will be automatically set.
7. (Optional) Set the authentication method:

(config)> network interface modem modem apn 0 auth method
(config)>

where method is one of the following:

- none: No authentication is required.
- auto: The device will attempt to connect using CHAP first, and then PAP.
- chap: Uses the Challenge Handshake Authentication Profile (CHAP) to authenticate.
- pap: Uses the Password Authentication Profile (PAP) to authenticate.


If auto, chap, or pap is selected, enter the Username and Password required to authenticate:

(config)> network interface modem modem apn 0 username name


(config)> network interface modem modem apn 0 password pwd
(config)>

The default is none.


8. Disable Lightweight M2M support if you are using an AT&T SIM that does not support AT&T
lightweight M2M:

(config)> network interface modem modem apn 0 attm2mglobal false


(config)>

9. (Optional) To configure the device to use either the preconfigured APNs, custom APNs, or both:

(config)> network interface modem modem apn_selection value


(config)>

Where value is one of the following:


- apn_list_only
- both_lists
- built-in-list-only
10. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

11. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Configure dual APNs


Some cellular carriers offer a dual APN feature that allows a SIM card to be provisioned with two
separate APNs that can be used simultaneously. For example, Verizon offers this service as its Split
Data Routing feature. This feature provides two separate networking paths through a single cellular
modem and SIM card, and allows for configurations such as:
- Segregating public and private traffic, including policy-based routes to ensure that your
  internal network traffic always goes through the private connection.
- Separation of untrusted Internet traffic from trusted internal network traffic.
- Secure connection to internal customer network without using a VPN.
- Separate billing structures for public and private traffic.
- Site-to-site networking, without the overhead of tunneling for each device.

In the following example configuration, all traffic on LAN1 is routed through the public APN to the
internet, and all traffic on LAN2 is routed through the private APN to the customer's data center.

To accomplish this, we will create separate WWAN interfaces that use the same modem but use
different APNs, and then use routing roles to forward traffic to the appropriate WWAN interface.


Note Dual-APN connections with the Telit LE910-NAv2 module when using a Verizon SIM are not
supported. Using an AT&T SIM with the Telit LE910-NAv2 module is supported. The Telit LE910-NAv2
module is used in the 1002-CM04 CORE modem.

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Increase the maximum number of interfaces allowed for the modem:
a. Click Network > Modems > Modem.
b. For Maximum number of interfaces, type 2.

4. Create the WWAN interfaces:


In this example, we will create two interfaces named WWAN_Public and WWAN_Private.


a. Click Network > Interfaces.


b. For Add Interface, type WWAN_Public and click .

c. For Interface type, select Modem.


d. For Zone, select External.
e. For Device, select Modem.
f. (Optional) For APN selection, select whether you want to configure the device to use the
preconfigured APNs, custom APNs, or both.
g. For Add Interface, type WWAN_Private and click .

h. For Interface type, select Modem.


i. For Zone, select External.
j. For Device, select Modem.
This should be the same modem selected for the WWAN_Public WWAN.
k. For APN selection, select whether you want to configure the device to use the
preconfigured APNs, custom APNs, or both.
5. Create the routing policies. For example, to route all traffic from LAN1 through the public APN,
and LAN2 through the private APN:
a. Click Network > Routes > Policy-based routing.
b. Click the + icon to add a new route policy.

c. For Label, enter Route through public APN.


d. For Interface, select Interface: WWAN_Public.
e. Configure the source address:
i. Click to expand Source address.
ii. For Type, select Interface.
iii. For Interface, select LAN1.


f. Configure the destination address:


i. Click to expand Destination address.
ii. For Type, select Interface.
iii. For Interface, select Interface: WWAN_Public.

g. Click the + icon to add another route policy.


h. For Label, enter Route through private APN.
i. For Interface, select Interface: WWAN_Private.
j. Configure the source address:
i. Click to expand Source address.
ii. For Type, select Interface.
iii. For Interface, select LAN2.
k. Configure the destination address:
i. Click to expand Destination address.
ii. For Type, select Interface.
iii. For Interface, select Interface: WWAN_Private.

6. Click Apply to save the configuration and apply the change.

Command line


1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Set the maximum number of interfaces for the modem:

(config)> network modem modem max_intfs 2


(config)>

4. Create the WWAN interfaces:


a. Create the WWANPublic interface:

(config)> add network interface WWANPublic


(config network interface WWANPublic)>

b. Set the interface type to modem:

(config network interface WWANPublic)> type modem


(config network interface WWANPublic)>

c. Set the modem device:

(config network interface WWANPublic)> modem device modem


(config network interface WWANPublic)>

d. Configure whether you want the device to use the preconfigured APNs, custom APNs, or
both. For more information, see Cellular modem APNs.

(config network interface WWANPublic)> modem apn public_apn


(config network interface WWANPublic)>

e. Use two periods (..) to move back one level in the configuration:

(config network interface WWANPublic)> ..


(config network interface)>

f. Create the WWANPrivate interface:

(config network interface)> add WWANPrivate


(config network interface WWANPrivate)>

g. Set the interface type to modem:

(config network interface WWANPrivate)> type modem


(config network interface WWANPrivate)>

h. Set the modem device:


(config network interface WWANPrivate)> modem device modem


(config network interface WWANPrivate)>

i. Enable APN list only:

(config network interface WWANPrivate)> modem apn_selection apn_list_only
(config network interface WWANPrivate)>

j. Set the private APN:

(config network interface WWANPrivate)> modem apn private_apn
(config network interface WWANPrivate)>

5. Create the routing policies. For example, to route all traffic from LAN1 through the public APN,
and LAN2 through the private APN:
a. Add a new routing policy:

(config)> add network route policy end


(config network route policy 0)>

b. Set the label that will be used to identify this route policy:

(config network route policy 0)> label "Route through public apn"
(config network route policy 0)>

c. Set the interface:

(config network route policy 0)> interface /network/interface/WWANPublic
(config network route policy 0)>

d. Configure the source address:


i. Set the source type to interface:

(config network route policy 0)> src type interface


(config network route policy 0)>

ii. Set the interface to LAN1:

(config network route policy 0)> src interface LAN1


(config network route policy 0)>

e. Configure the destination address:


i. Set the type to interface:

(config network route policy 0)> dst type interface


(config network route policy 0)>


ii. Set the interface to WWANPublic:

(config network route policy 0)> dst interface /network/interface/WWANPublic
(config network route policy 0)>

f. Use two periods (..) to move back one level in the configuration:

(config network route policy 0)> ..
(config network route policy)>

g. Add a new routing policy:

(config network route policy)> add end


(config network route policy 1)>

h. Set the label that will be used to identify this route policy:

(config network route policy 1)> label "Route through private apn"
(config network route policy 1)>

i. Set the interface:

(config network route policy 1)> interface /network/interface/WWANPrivate
(config network route policy 1)>

j. Configure the source address:


i. Set the source type to interface:

(config network route policy 1)> src type interface


(config network route policy 1)>

ii. Set the interface to LAN2:

(config network route policy 1)> src interface LAN2


(config network route policy 1)>

k. Configure the destination address:


i. Set the type to interface:

(config network route policy 1)> dst type interface


(config network route policy 1)>

ii. Set the interface to WWANPrivate:

(config network route policy 1)> dst interface /network/interface/WWANPrivate
(config network route policy 1)>


6. Save the configuration and apply the change.

(config network route policy 1)> save


Configuration saved.
>

7. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Configure manual carrier selection


By default, your Connect EZ 16/32 automatically selects the most appropriate cellular carrier based on
the SIM that is in use and the status of available carriers in your area.
Alternatively, you can configure the device to manually select the carrier, based on the Network
PLMN ID. You can also configure the device to use manual carrier selection and fall back to automatic
carrier selection if connecting to the manually-configured carrier fails.
You can also use the modem scan command at the command line to scan for available carriers
and determine their PLMN ID.

Required configuration items


- Select Manual or Manual/Automatic carrier selection mode.
- The Network PLMN ID.

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Network > Interfaces > Modem.


4. For Carrier selection mode, select one of the following:


- Automatic—The device automatically selects the carrier based on your SIM and cellular
  network status.
- Manual—The device will only connect to the carrier identified in the Network PLMN ID.
  If the carrier is not available, no cellular connection will be established.
- Manual/Automatic—The device will attempt to connect to the carrier identified in the
  Network PLMN ID. If the carrier is not available, the device will fall back to using
  automatic carrier selection.
5. If Manual or Manual/Automatic is selected for Carrier selection mode, enter the Network
PLMN ID.

Note You can use the modem scan command at the Admin CLI to scan for available carriers
and determine their PLMN ID. See Scan for available cellular carriers for details.

6. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. At the config prompt, type:

(config)> network interface modem modem operator_mode value


(config)>

where value is one of:


- automatic—The device automatically selects the carrier based on your SIM and cellular
  network status.
- manual—The device will only connect to the carrier identified in the Network PLMN ID.
  If the carrier is not available, no cellular connection will be established.
- manual_automatic—The device will attempt to connect to the carrier identified in the
  Network PLMN ID. If the carrier is not available, the device will fall back to using
  automatic carrier selection.
4. If carrier selection mode is set to manual or manual_automatic, set the network PLMN ID:

(config)> network interface modem modem operator plmn_ID


(config)>

Note You can use the modem scan command at the Admin CLI to scan for available carriers
and determine their PLMN ID. See Scan for available cellular carriers for details.

5. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

6. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Scan for available cellular carriers


You can scan for available carriers and determine their network PLMN ID by using the modem scan
command at the Admin CLI.

Note For devices using Unitac modems (such as devices with the 1002-CM45 core module), carrier
scanning will not work if the modem has an active cellular connection.

Web
Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
1. From the main menu, click Status > Modems.
2. Scroll to the Connection Status section and click SCAN.

The Carrier Scan window opens.


3. (Optional) Change the Timeout for the carrier scan. The default is 300 seconds.
4. When the Carrier Scan window opens, the results of the most recent previous scan are
displayed. If there is no previous scan available, or to refresh the list, click SCAN.
5. The current carrier is highlighted in green. To switch to a different carrier:
a. Highlight the appropriate carrier and click SELECT.
The Carrier selection dialog opens.

b. For Carrier selection mode, select one of the following:


- Manual/Automatic: The device will use automatic carrier selection if this carrier is
  not available.
- Manual: Does not allow the device to use automatic carrier selection if this carrier
  is not available.

Note If Manual is selected, your modem must support the Network technology or
the modem will lose cellular connectivity. If you are using a cellular connection to
perform this procedure, you may lose your connection and the device will no longer
be accessible.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the Admin CLI prompt, type:

> modem scan

Issuing network scan, this may take some time...

Status     Carrier   PLMN ID  Technology
---------  --------  -------  ----------
Available  T-Mobile  310260   4G
Available  T-Mobile  310260   3G
Available  AT&T      310410   4G
Available  Verizon   311480   4G
Available  311 490   311490   4G
Available  313 100   313100   4G

>
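A pre-change check for manual carrier selection, added here as an example (not Digi code): it parses modem scan output and confirms the PLMN ID you intend to pin is available on a technology the modem supports, since Manual mode with an unavailable carrier leaves the device without a cellular connection. The sample text is constructed from the output above; modem_technologies and the function names are assumptions.

```python
import re

# Constructed sample, laid out like the `modem scan` output shown above.
SAMPLE_SCAN = """\
Issuing network scan, this may take some time...

Status     Carrier   PLMN ID  Technology
---------  --------  -------  ----------
Available  T-Mobile  310260   4G
Available  T-Mobile  310260   3G
Available  AT&T      310410   4G
Available  Verizon   311480   4G
Available  311 490   311490   4G
Available  313 100   313100   4G
"""

# A PLMN ID is the 3-digit MCC followed by a 2- or 3-digit MNC.
PLMN_RE = re.compile(r"\d{5,6}")


def parse_scan(text):
    """Parse `modem scan` output into a list of row dicts.

    The Carrier column can contain spaces ("311 490"), so columns are taken
    from both ends: first token = Status, last = Technology, second to last =
    PLMN ID, and whatever is left in the middle is the carrier name.
    Assumes Status is a single word, as in the sample.
    """
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not PLMN_RE.fullmatch(fields[-2]):
            continue  # banner, header, separator or prompt line
        rows.append({
            "status": fields[0],
            "carrier": " ".join(fields[1:-2]),
            "plmn": fields[-2],
            "technology": fields[-1],
        })
    return rows


def check_manual_selection(scan_text, plmn, modem_technologies):
    """Check whether pinning the modem to `plmn` is safe.

    Returns (ok, reason, commands). `commands` are the config-mode lines
    from the procedure above, filled in only when the check passes.
    `modem_technologies` is what the operator knows the modem supports
    (hypothetical input, for example {"4G"}).
    """
    if not PLMN_RE.fullmatch(plmn):
        return False, "PLMN ID must be 5 or 6 digits", []
    seen = [r for r in parse_scan(scan_text)
            if r["plmn"] == plmn and r["status"] == "Available"]
    if not seen:
        return False, "PLMN %s not available in the scan" % plmn, []
    usable = sorted({r["technology"] for r in seen} & set(modem_technologies))
    if not usable:
        return False, "carrier seen, but not on a technology the modem supports", []
    commands = [
        "network interface modem modem operator_mode manual",
        "network interface modem modem operator %s" % plmn,
    ]
    return True, "available on " + ", ".join(usable), commands


if __name__ == "__main__":
    print(check_manual_selection(SAMPLE_SCAN, "310410", {"4G"}))
```

When the check fails, manual_automatic keeps the fallback to automatic selection described in the carrier selection procedure.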

Show cellular status and statistics


You can view a summary status for all cellular modems, or view detailed status and statistics for a
specific modem.

Web
Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
1. On the menu, click Status.
2. Under Connections, click Modems.
The modem status window is displayed.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. Use the show modem command:
- To view a status summary for the modem:

> show modem

Modem  SIM            Status     APN        Signal Strength
-----  -------------  ---------  ---------  --------------------
modem  1 (ready)      connected  1234       Good (-84 dBm)

>

- To view detailed status and statistics, use the show modem name name command:

> show modem name modem

modem: [Telit] LM940
------------------------------------------------------------------------------
IMEI : 781154796325698
Model : LM940
FW Version : 24.01.541_ATT
Revision : 24.01.541

Status
------
State : connected
Signal Strength : Good (-85 dBm)
Bars : 2/5
Access Mode : 4G
Network Technology (CNTI): LTE
Band : B2
Temperature : 34C

wwan1 Interface
---------------
APN : 1234
IPv4 surelink : passing
IPv4 address : 189.232.229.47
IPv4 gateway : 189.232.229.1
IPv4 MTU : 1500
IPv4 DNS server(s) : 245.144.162.207, 245.144.162.208

IPv6 surelink : passing


IPv6 address : 11f6:4680:0d67:59d2:552b:3429:81a8:f1ea
IPv6 gateway : ff50:d95d:7e98:abe8:3030:9138:4f25:f51b
IPv6 MTU : 1500

TX bytes : 127941
RX bytes : 61026
Uptime : 10 hrs, 56 mins (39360s)

SIM
---
SIM Slot : 1
SIM Status : ready
IMSI : 61582122197895
ICCID : 26587628655003992180
SIM Provider : AT&T

4G
--
RSRQ : Good (-11.0 dB)
RSRP : Good (-93.0 dBm)
RSSI : Excellent (-64.0 dBm)
SNR : Good (6.4 dB)

>

Unlock a SIM card


A SIM card can be locked if a user tries to set an invalid PIN for the SIM card too many times. In
addition, some cellular carriers require a SIM PIN to be added before the SIM card can be used. If the
SIM card is locked, the Connect EZ device cannot make a cellular connection.

Command line


To unlock a SIM card:

1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the Admin CLI prompt, use the modem puk unlock command to set a new PIN for the SIM
card:

> modem puk unlock puk_code new_pin modem_name


>

For example, to unlock a SIM card in the modem named modem with PUK code 12345678,
and set the new SIM PIN to 1234:

> modem puk unlock 12345678 1234 modem


>

3. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Note If the SIM remains in a locked state after using the unlock command, contact your cellular
carrier.

Signal strength for cellular connections


See Show cellular status and statistics for procedures to view this information.

Signal strength for 4G connections


For 4G connections, the RSRP value determines signal strength.
- Excellent: > -90 dBm
- Good: -90 dBm to -105 dBm
- Fair: -106 dBm to -115 dBm
- Poor: -116 dBm to -120 dBm
- No service: < -120 dBm

Signal strength for 3G and 2G connections


For 3G and 2G cellular connections, the current RSSI value determines signal strength.
- Excellent: > -70 dBm
- Good: -70 dBm to -85 dBm
- Fair: -86 dBm to -100 dBm
- Poor: < -100 dBm to -109 dBm
- No service: -110 dBm

Tips for improving cellular signal strength


If the signal strength LEDs or the signal quality for your device indicate Poor or No service, try the
following things to improve signal strength:


- Move the Connect EZ 16/32 device to another location.
- Try connecting a different set of antennas, if available.
- Purchase a Digi Antenna Extender Kit:
  - Antenna Extender Kit, 1m

AT command access
To run AT commands from the Connect EZ 16/32 command line:

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the Admin CLI prompt, type modem at-interactive and press Enter. Type n if you do not
want exclusive access. This allows you to send AT commands to the device while still allowing
the device to connect, disconnect, and/or reconnect to the cellular network.
3. At the Admin CLI prompt, use the modem at-interactive command to begin an interactive AT
command session:

> modem at-interactive

Do you want exclusive access to the modem? (y/n) [y]:

4. Type n if you do not want exclusive access. This allows you to send AT commands to the
device while still allowing the device to connect, disconnect, and/or reconnect to the cellular
network.
The following is an example interactive AT command session:

> modem at-interactive

Do you want exclusive access to the modem? (y/n) [y]: n


Starting terminal access to modem AT commands.
Note that the modem is still in operation.

To quit enter '~.' ('~~.' if using an ssh client) and press ENTER

Connected
ati
Manufacturer: Sierra Wireless, Incorporated
Model: MC7455
Revision: SWI9X30C_02.24.03.00 r6978 CARMD-EV-FRMWR2 2017/03/02 13:36:45
MEID: 35907206045169
IMEI: 359072060451693
IMEI SV: 9
FSN: LQ650551070110


+GCAP: +CGSM
OK

5. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.


Configure a Wide Area Network (WAN)


Configuring a Wide Area Network (WAN) involves configuring the following items:

Required configuration items


- A name for the interface.

  Note If the interface name is more than eight characters, the name will be truncated in the
  underlying network interface to the first six characters followed by three digits, incrementing
  from 000. This affects any custom scripts or firewall rules that may be trying to adjust the
  interface or routing table entries.

- The interface type: Ethernet.
- The firewall zone: External.
- The network device or bridge that is used by the WAN.
- Configure the WAN as a DHCP client.
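The truncation rule in the note above, applied as an audit of the interface names that firewall rules or scripts refer to. This is an added example, not Digi code: the underlying interface names and rule labels are constructed, short names are assumed to appear unchanged, and because the page does not say how the three-digit suffix is assigned when names collide, the code reports ambiguity rather than guessing.

```python
import re

MAX_NAME_LEN = 8   # longer configured names are truncated (per the note above)
PREFIX_LEN = 6     # the truncated name keeps the first six characters...
SUFFIX_DIGITS = 3  # ...followed by three digits


def truncated_pattern(config_name):
    """Regex for the underlying name of a truncated interface, else None."""
    if len(config_name) <= MAX_NAME_LEN:
        return None
    return re.compile(re.escape(config_name[:PREFIX_LEN]) + r"\d{%d}" % SUFFIX_DIGITS)


def owners_of(kernel_name, config_names):
    """Configured interfaces that could be behind an underlying name."""
    owners = []
    for name in config_names:
        pattern = truncated_pattern(name)
        if name == kernel_name or (pattern and pattern.fullmatch(kernel_name)):
            owners.append(name)
    return sorted(owners)


def audit_references(config_names, kernel_names, references):
    """Classify each interface name used by a firewall rule or script.

    references: {rule label: interface name written in the rule}
    Returns {rule label: (status, related names)} where status is
      ok         - name exists on the system and maps to at most one configured interface
      truncated  - configured name is too long; the listed underlying name is the match
      ambiguous  - several configured names share the six-character prefix
      missing    - name not found on the system and not explained by truncation
    """
    report = {}
    for label, ref in references.items():
        if ref in kernel_names:
            owners = owners_of(ref, config_names)
            report[label] = ("ambiguous" if len(owners) > 1 else "ok", owners)
        elif ref in config_names and len(ref) > MAX_NAME_LEN:
            pattern = truncated_pattern(ref)
            candidates = sorted(k for k in kernel_names if pattern.fullmatch(k))
            sharing = [c for c in config_names
                       if len(c) > MAX_NAME_LEN and c[:PREFIX_LEN] == ref[:PREFIX_LEN]]
            report[label] = ("ambiguous" if len(sharing) > 1 else "truncated", candidates)
        else:
            report[label] = ("missing", [])
    return report


# Constructed data: the two interface names from the dual-APN Web procedure,
# and hypothetical underlying names following the six-characters-plus-digits rule.
CONFIGURED = ["LAN1", "WWAN_Public", "WWAN_Private"]
UNDERLYING = ["LAN1", "WWAN_P000", "WWAN_P001"]
RULES = {
    "allow-datacenter": "WWAN_Private",
    "masquerade-out": "WWAN_P000",
    "mgmt-ssh": "LAN1",
    "legacy": "wan_backup",
}

if __name__ == "__main__":
    for label, (status, names) in audit_references(CONFIGURED, UNDERLYING, RULES).items():
        print("%-18s %-10s %s" % (label, status, ", ".join(names)))
```

WWAN_Public and WWAN_Private share the prefix WWAN_P, so a rule written against either underlying name cannot be tied to the public or private path by name alone; names that differ within the first six characters, or stay within eight characters, avoid this.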

Additional configuration items


- Active recovery configuration. See Configure SureLink active recovery to detect WAN/WWAN
  failures for further information.
- Additional IPv4 configuration:
  - The type, which controls how the modem in the Digi device obtains an IP address
    from the cellular network.
  - The metric for IPv4 routes associated with the WAN.
  - The relative weight for IPv4 routes associated with the WAN.
  - The IPv4 management priority of the WAN. The active interface with the highest
    management priority will have its address reported as the preferred contact address for
    central management and direct device access.
  - The IPv4 Maximum Transmission Unit (MTU) of the WAN.
  - When to use DNS: always, never, or only when this interface is the primary default route.
  - When to use DNS servers for this interface.
  - Whether to include the Connect EZ 16/32 device's hostname in DHCP requests.
- IPv6 configuration:
  - The type, which controls how the modem in the Digi device obtains an IP address
    from the cellular network.
  - The metric for IPv6 routes associated with the WAN.
  - The relative weight for IPv6 routes associated with the WAN.
  - The IPv6 management priority of the WAN. The active interface with the highest
    management priority will have its address reported as the preferred contact address for
    central management and direct device access.
  - The IPv6 Maximum Transmission Unit (MTU) of the WAN.
  - When to use DNS: always, never, or only when this interface is the primary default route.
  - When to use DNS servers for this interface.
  - Whether to include the Connect EZ 16/32 device's hostname in DHCP requests.
- MAC address denylist and allowlist.

To create a new WAN or edit an existing WAN:

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Network > Interfaces.
4. Create the WAN or select an existing WAN:
- To create a new WAN, for Add interface, type a name for the WAN and click .
- To edit an existing WAN, click to expand the WAN.


The Interface configuration window is displayed.


New WANs are enabled by default. To disable, toggle off Enable.


5. For Interface type, leave at the default setting of Ethernet.
6. For Zone, select External.
7. For Device, select an Ethernet device or a bridge. See Bridging for more information about
bridging.
8. (Optional) Click to expand 802.1x to configure 802.1x port based network access control.
The Connect EZ 16/32 can function as an 802.1x authenticator; it does not function as an
802.1x supplicant.
a. Click to expand Authentication.
b. Click Enable server to enable the 802.1x authenticator on the Connect EZ 16/32 device.
c. Set the Reauth period.
9. Configure IPv4 settings:
a. Click to expand IPv4.
IPv4 support is enabled by default.
b. For Type, select DHCP address.
c. Optional IPv4 configuration items:
i. Set the Metric.
See Configure WAN/WWAN priority and default route metrics for further information
about metrics.
ii. For Weight, type the relative weight for default routes associated with this interface.
For multiple active interfaces with the same metric, Weight is used to load balance
traffic to the interfaces.
iii. Set the Management priority. This determines which interface will have priority for
central management activity. The interface with the highest number will be used.
iv. Set the MTU.
v. For Use DNS, select one of the following:
   - Always: DNS will always be used for this WAN; when multiple interfaces have
     the same DNS server, the interface with the lowest metric will be used for DNS
     requests.
   - When primary default route: Only use the DNS servers provided for this
     interface when the interface is the primary route.
   - Never: Never use DNS servers for this interface.
vi. Enable DHCP Hostname to instruct the Connect EZ 16/32 device to include the
device's system name with DHCP requests as the Client FQDN option. The DHCP
server can then be configured to register the device's hostname and IP address with
an associated DNS server.
   - See RFC 4702 for further information about DHCP server support for the Client
     FQDN option.
   - See Configure system information for information about setting the Connect
     EZ 16/32 device's system name.
d. Enable Force link to keep the network interface active even when the device link is down.
10. (Optional) Configure IPv6 settings:


a. Click to expand IPv6.


b. Enable IPv6 support.
c. For Type, select DHCPv6 address.
d. For Prefix length, type the minimum length of the prefix to assign to this LAN. If the
minimum length is not available, then a longer prefix will be used.
e. For Prefix ID, type the identifier used to extend the prefix to the assigned length. Leave
blank to use a random identifier.
f. Set the Metric.
See Configure WAN/WWAN priority and default route metrics for further information about
metrics.
g. For Weight, type the relative weight for default routes associated with this interface. For
multiple active interfaces with the same metric, Weight is used to load balance traffic to
the interfaces.
h. Set the Management priority. This determines which interface will have priority for
central management activity. The interface with the highest number will be used.
i. Set the MTU.
j. For Use DNS:
   - Always: DNS will always be used for this WAN; when multiple interfaces have the
     same DNS server, the interface with the lowest metric will be used for DNS
     requests.
   - When primary default route: Only use the DNS servers provided for this interface
     when the interface is the primary route.
   - Never: Never use DNS servers for this interface.
k. Enable DHCP Hostname to instruct the Connect EZ 16/32 device to include the device's
system name with DHCP requests as the Client FQDN option. The DHCP server can then be
configured to register the device's hostname and IP address with an associated DNS
server.
   - See RFC 4702 for further information about DHCP server support for the Client
     FQDN option.
   - See Configure system information for information about setting the Connect EZ
     16/32 device's system name.
11. (Optional) Click to expand MAC address denylist.
Incoming packets will be dropped from any device whose MAC address is included in the
MAC address denylist.
a. Click to expand MAC address denylist.
b. For Add MAC address, click .
c. Type the MAC address.
12. (Optional) Click to expand MAC address allowlist.
If allowlist entries are specified, incoming packets will only be accepted from the listed MAC
addresses.


a. Click to expand MAC address allowlist.


b. For Add MAC address, click .
c. Type the MAC address.
1. See Configure SureLink active recovery to detect WAN/WWAN failures for information about
configuring SureLink.
13. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Create a new WAN or edit an existing one:


- To create a new WAN named my_wan:

(config)> add network interface my_wan


(config network interface my_wan)>

- To edit an existing WAN named my_wan, change to the my_wan node in the
  configuration schema:

(config)> network interface my_wan


(config network interface my_wan)>

4. Set the appropriate firewall zone:

(config network interface my_wan)> zone zone


(config network interface my_wan)>

See Firewall configuration for further information.


5. Select an Ethernet device or a bridge. See Bridging for more information about bridging.
a. Enter device ? to view available devices and the proper syntax.

(config network interface my_wan)> device ?

Current value:

(config network interface my_wan)> device

b. Set the device for the WAN:

(config network interface my_wan)> device device


(config network interface my_wan)>


6. Configure IPv4 settings:


- IPv4 support is enabled by default. To disable:

(config network interface my_wan)> ipv4 enable false


(config network interface my_wan)>

n Configure the WAN to be a DHCP client:

(config network interface my_wan)> ipv4 type dhcp


(config network interface my_wan)>

a. Optional IPv4 configuration items:


i. Set the IP metric:

(config network interface my_wan)> ipv4 metric num


(config network interface my_wan)>

See Configure WAN/WWAN priority and default route metrics for further information
about metrics.
ii. Set the relative weight for default routes associated with this interface. For multiple
active interfaces with the same metric, the weight is used to load balance traffic to
the interfaces.

(config network interface my_wan)> ipv4 weight num


(config network interface my_wan)>

iii. Set the management priority. This determines which interface will have priority for
central management activity. The interface with the highest number will be used.

(config network interface my_wan)> ipv4 mgmt num


(config network interface my_wan)>

iv. Set the MTU:

(config network interface my_wan)> ipv4 mtu num


(config network interface my_wan)>

v. Configure how to use DNS:

(config network interface my_wan)> ipv4 use_dns value


(config network interface my_wan)>

where value is one of:


n always: DNS will always be used for this WAN; when multiple interfaces have
the same DNS server, the interface with the lowest metric will be used for DNS
requests.
n primary: Only use the DNS servers provided for this interface when the
interface is the primary route.
n never: Never use DNS servers for this interface.


vi. Enable DHCP Hostname to instruct the Connect EZ 16/32 device to include the
device's system name with DHCP requests as the Client FQDN option. The DHCP
server can then be configured to register the device's hostname and IP address with
an associated DNS server.

(config network interface my_wan)> ipv4 dhcp_hostname true


(config network interface my_wan)>

n See RFC4702 for further information about DHCP server support for the Client
FQDN option.
n See Configure system information for information about setting the Connect
EZ 16/32 device's system name.
7. (Optional) Configure IPv6 settings:
a. Enable IPv6 support:

(config network interface my_wan)> ipv6 enable true


(config network interface my_wan)>

b. Set the IPv6 type to DHCP:

(config network interface my_wan)> ipv6 type dhcpv6


(config network interface my_wan)>

c. Generally, the default settings for IPv6 support are sufficient. You can view the default IPv6
settings by using the question mark (?):

(config network interface my_wan)> ipv6 ?

IPv6

Parameters          Current Value
-------------------------------------------------------------------------------
dhcp_hostname       false              DHCP Hostname
enable              true               Enable
metric              0                  Metric
mgmt                0                  Management priority
mtu                 1500               MTU
type                dhcpv6             Type
use_dns             always             Use DNS
weight              10                 Weight

Additional Configuration
-------------------------------------------------------------------------------
connection_monitor                     Active recovery

(config network interface my_wan)>

d. Modify any of the remaining default settings as appropriate. For example, to change the
metric:


(config network interface my_wan)> ipv6 metric 1


(config network interface my_wan)>

If the minimum length is not available, then a longer prefix will be used.

See Configure WAN/WWAN priority and default route metrics for further information about
metrics.
8. (Optional) To configure 802.1x port based network access control:

Note The Connect EZ 16/32 can function as an 802.1x authenticator; it does not function as an
802.1x supplicant.

a. Enable the 802.1x authenticator on the Connect EZ 16/32 device:

(config network interface my_wan)> 802_1x authentication enable true


(config network interface my_wan)>

b. Set the frequency period for reauthorization:

(config network interface my_wan)> 802_1x authentication reauth_period value
(config network interface my_wan)>

where value is an integer between 0 and 86400. The default is 3600.


9. (Optional) Configure the MAC address denylist.
Incoming packets will be dropped from any devices whose MAC addresses are included in the
MAC address denylist.
a. Add a MAC address to the denylist:

(config network interface my_wan)> add mac_denylist end mac_address


(config network interface my_wan)>

where mac_address is a hyphen-separated MAC address, for example, 32-A6-84-2E-81-58.


b. Repeat for each additional MAC address.
10. (Optional) Configure the MAC address allowlist.
If allowlist entries are specified, incoming packets will only be accepted from the listed MAC
addresses.
a. Add a MAC address to the allowlist:

(config network interface my_wan)> add mac_allowlist end mac_address


(config network interface my_wan)>

where mac_address is a hyphen-separated MAC address, for example, 32-A6-84-2E-81-58.


b. Repeat for each additional MAC address.
11. See Configure SureLink active recovery to detect WAN/WWAN failures for information about
configuring SureLink for active recovery.


12. Save the configuration and apply the change.

(config network interface my_wan)> save


Configuration saved.
>

13. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
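
The MAC denylist and allowlist steps above take hyphen-separated addresses, while inventories usually hold them in mixed notations. The following Python helper is an added example, not Digi code: it normalizes addresses, refuses an entry that appears in both lists, and checks that a non-empty allowlist still admits the peers you name before it emits the add mac_denylist / add mac_allowlist lines. The function names, the must_reach parameter and the sample addresses are assumptions of this example.

```python
import re

_SEPARATORS = re.compile(r"[-:.\s]")
_HEX12 = re.compile(r"[0-9A-F]{12}")


def normalize_mac(raw):
    """Return raw as a hyphen-separated MAC (the form the CLI step shows,
    e.g. 32-A6-84-2E-81-58) or raise ValueError."""
    digits = _SEPARATORS.sub("", raw).upper()
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    if int(digits[:2], 16) & 0x01:
        # Group (multicast/broadcast) addresses are never a frame's source,
        # so such an entry in a source-MAC filter can only be a mistake.
        raise ValueError(f"group address cannot be a source MAC: {raw!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def _normalized_unique(macs):
    """Normalize every entry and drop duplicates, keeping first-seen order."""
    seen, ordered = set(), []
    for raw in macs:
        mac = normalize_mac(raw)
        if mac not in seen:
            seen.add(mac)
            ordered.append(mac)
    return ordered


def would_accept(source_mac, denylist, allowlist):
    """Model the two rules the guide states: denylisted sources are dropped,
    and a non-empty allowlist admits only the sources it lists."""
    mac = normalize_mac(source_mac)
    deny = set(_normalized_unique(denylist))
    allow = set(_normalized_unique(allowlist))
    if mac in deny:
        # The guide does not say which list wins on overlap; the builder
        # below refuses overlapping lists, so that case never reaches a device.
        return False
    return not allow or mac in allow


def build_mac_filter_commands(denylist=(), allowlist=(), must_reach=()):
    """Return the CLI lines to type at the interface's config prompt.

    must_reach (an assumption of this example) names peers that must stay
    reachable, such as the upstream gateway; the build fails if the lists
    would drop their frames.
    """
    deny = _normalized_unique(denylist)
    allow = _normalized_unique(allowlist)
    overlap = sorted(set(deny) & set(allow))
    if overlap:
        raise ValueError("MAC in both lists: " + ", ".join(overlap))
    blocked = [m for m in _normalized_unique(must_reach)
               if not would_accept(m, deny, allow)]
    if blocked:
        raise ValueError("lists would drop required peer(s): " + ", ".join(blocked))
    return ([f"add mac_denylist end {m}" for m in deny]
            + [f"add mac_allowlist end {m}" for m in allow])


# Constructed sample data (locally administered addresses, not real devices).
SAMPLE_GATEWAY = "02:00:5e:10:00:01"
SAMPLE_ALLOW = ["02:00:5e:10:00:01", "0200.5e10.0002", "02-00-5E-10-00-01"]
SAMPLE_DENY = ["32-a6-84-2e-81-58"]

if __name__ == "__main__":
    for line in build_mac_filter_commands(SAMPLE_DENY, SAMPLE_ALLOW,
                                          must_reach=[SAMPLE_GATEWAY]):
        print("(config network interface my_wan)> " + line)
```
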

Configure a Wireless Wide Area Network (WWAN)


Configuring a Wireless Wide Area Network (WWAN) involves configuring the following items:

Required configuration items


n The interface type: Modem.
n The firewall zone: External.
n The cellular modem that is used by the WWAN.

Additional configuration items


n SIM selection for this WWAN.
n The SIM PIN.
n The SIM phone number for SMS connections.
n Enable or disable roaming.
n SIM failover configuration.
n APN configuration.
n The custom gateway/netmask.
n IPv4 configuration:
l The type, which controls how the modem in the Digi device obtains an IP address
from the cellular network.
l The metric for IPv4 routes associated with the WAN.
l The relative weight for IPv4 routes associated with the WAN.
l The IPv4 management priority of the WAN. The active interface with the highest
management priority will have its address reported as the preferred contact address for
central management and direct device access.
l The IPv4 Maximum Transmission Unit (MTU) of the WAN.
l When to use DNS: always, never, or only when this interface is the primary default route.
l SureLink active recovery configuration. See Configure SureLink active recovery to detect
WAN/WWAN failures for further information.
n IPv6 configuration:
l The type, which controls how the modem in the Digi device obtains an IP address
from the cellular network.
l The metric for IPv6 routes associated with the WAN.
l The relative weight for IPv6 routes associated with the WAN.


l The IPv6 management priority of the WAN. The active interface with the highest
management priority will have its address reported as the preferred contact address for
central management and direct device access.
l The IPv6 Maximum Transmission Unit (MTU) of the WAN.
l When to use DNS: always, never, or only when this interface is the primary default route.
l SureLink active recovery configuration. See Configure SureLink active recovery to detect
WAN/WWAN failures for further information.

 Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Network > Interfaces.
4. Create the WWAN or select an existing WWAN:
n To create a new WWAN:
a. For Add interface, type a name for the WWAN and click .


b. For Interface type, select Modem.

New WWANs are enabled by default. To disable, toggle off Enable.


n To edit an existing WWAN, click to expand the WWAN.
5. For Zone, select External.
6. For Device, select the cellular modem.
7. For Match SIM by, select a SIM matching criterion to determine when this WWAN should be
used:
n If SIM slot is selected, for Match SIM slot, select which SIM slot must be active for
this WWAN to be used.
n If Carrier is selected, for Match SIM carrier, select which cellular carrier must be
active for this WWAN to be used.
n If PLMN identifier is selected, for Match PLMN identifier, type the PLMN ID that must
be active for this WWAN to be used.
n If IMSI is selected, for Match IMSI, type the International Mobile Subscriber Identity
(IMSI) that must be active for this WWAN to be used.
n If ICCID is selected, for Match ICCID, type the unique SIM card ICCID that must be
active for this WWAN to be used.
8. Type the PIN for the SIM. Leave blank if no PIN is required.
9. Type the Phone number for the SIM, for SMS connections.
Normally, this should be left blank. It is only necessary to complete this field if the SIM does
not have a phone number or if the phone number is incorrect.
10. Roaming is enabled by default. Click to disable.
11. For Carrier selection mode, select one of the following:
n Automatic: The cellular carrier is selected automatically by the device.
n Manual: The cellular carrier must be manually configured. If the configured network is
not available, no cellular connection will be established.
n Manual/Automatic: The carrier is manually configured. If the configured network is not
available, automatic carrier selection is used.
If Manual or Manual/Automatic is selected:


a. For Network PLMN ID, type the PLMN ID for the cellular network.
b. For Network technology, select the technology that should be used. The default is All
technologies, which means that the best available technology will be used.

Note If Manual is configured for Carrier selection mode and a specific network
technology is selected for the Network technology, your modem must support the
selected technology or no cellular connection will be established. If you are using a cellular
connection to perform this procedure, you may lose your connection and the device will
no longer be accessible.

12. SIM failover is enabled by default, which means that the modem will automatically fail over
from the active SIM to the next available SIM when the active SIM fails to connect. If enabled:
a. For Connection attempts before SIM failover, type the number of times that the device
should attempt to connect to the active SIM before failing over to the next available SIM.
b. For SIM failover alternative, configure how SIM failover will function if automatic SIM
switching is unavailable:
n None: The device will perform no alternative action if automatic SIM switching is
unavailable.
n Reset modem: The device will reset the modem if automatic SIM switching is
unavailable.
n Reboot device: The device will reboot if automatic SIM switching is unavailable.
13. For APN Selection, select whether you want to configure the Connect EZ 16/32 to use the
preconfigured APNs, custom APNs, or both. See Cellular modem APNs for information and
instructions for setting an APN.
14. (Optional) To configure the IP address of a custom gateway or a custom netmask:
a. Click Custom gateway to expand.
b. Click Enable.
c. For Gateway/Netmask, enter the IP address and netmask of the custom gateway. To
override only the gateway netmask, but not the gateway IP address, use all zeros for the IP
address. For example, 0.0.0.0/32 will use the network-provided gateway, but with a /32
netmask.
15. Optional IPv4 configuration items:
a. Click IPv4 to expand.
b. IPv4 support is Enabled by default. Click to disable.
c. Set the Type.
n Static IP address - Digi device obtains the static IP address from the cellular network.
n DHCP address - Digi device obtains IP address through a DHCP server on the cellular
network.
d. Set the Metric.
See Configure WAN/WWAN priority and default route metrics for further information about
metrics.
e. For Weight, type the relative weight for default routes associated with this interface. For
multiple active interfaces with the same metric, Weight is used to load balance traffic to
the interfaces.
f. Set the Management priority. This determines which interface will have priority for
central management activity. The interface with the highest number will be used.
g. Set the MTU.
h. For Use DNS:
n Always: DNS will always be used for this WWAN; when multiple interfaces have the
same DNS server, the interface with the lowest metric will be used for DNS
requests.
n When primary default route: Only use the DNS servers provided for this WWAN
when the WWAN is the primary route.
n Never: Never use DNS servers for this WWAN.
The default setting is When primary default route.
16. Optional IPv6 configuration items:
a. Click IPv6 to expand.
b. IPv6 support is Enabled by default. Click to disable.
c. Set the Type.
n Static IP address - Digi device obtains the static IP address from the cellular network.
n DHCP address - Digi device obtains IP address through a DHCP server on the cellular
network.
d. Set the Metric.
See Configure WAN/WWAN priority and default route metrics for further information about
metrics.
e. For Weight, type the relative weight for default routes associated with this interface. For
multiple active interfaces with the same metric, Weight is used to load balance traffic to
the interfaces.
f. Set the Management priority. This determines which interface will have priority for
central management activity. The interface with the highest number will be used.
g. Set the MTU.
h. For Use DNS:
n Always: DNS will always be used for this WWAN; when multiple interfaces have the
same DNS server, the interface with the lowest metric will be used for DNS
requests.
n When primary default route: Only use the DNS servers provided for this WWAN
when the WWAN is the primary route.
n Never: Never use DNS servers for this WWAN.
The default setting is When primary default route.
1. See Configure SureLink active recovery to detect WAN/WWAN failures for information about
configuring SureLink.
17. Click Apply to save the configuration and apply the change.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.


Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Create a new WWAN or edit an existing one:


n To create a new WWAN named my_wwan:

(config)> add network interface my_wwan


(config network interface my_wwan)>

n To edit an existing WWAN named my_wwan, change to the my_wwan node in the
configuration schema:

(config)> network interface my_wwan


(config network interface my_wwan)>

4. Set the appropriate firewall zone:

(config network interface my_wwan)> zone zone


(config network interface my_wwan)>

See Firewall configuration for further information.


5. Select a cellular modem:
a. Enter modem device ? to view available modems and the proper syntax.

(config network interface my_wwan)> modem device ?

Device: The modem used by this network interface.


Format:
modem
Current value:

(config network interface my_wwan)> device

b. Set the device:

(config network interface my_wwan)> modem device modem


(config network interface my_wwan)>

6. Set the SIM matching criteria to determine when this WWAN should be used:

(config network interface my_wwan)> modem match value


(config network interface my_wwan)>

Where value is one of:


n any
n carrier
Set the cellular carrier that must be active for this WWAN to be used:


a. Use ? to determine available carriers:

(config network interface my_wwan)> modem carrier ?

Match SIM carrier: The SIM carrier match criteria. This


interface is applied when the SIM card is
provisioned from the carrier.
Format:
AT&T
Rogers
Sprint
T-Mobile
Telstra
Verizon
Vodafone
other
Default value: AT&T
Current value: AT&T

(config network interface my_wwan)>

b. Set the carrier:

(config network interface my_wwan)> modem carrier value


(config network interface my_wwan)>

n iccid
Set the unique SIM card ICCID that must be active for this WWAN to be used:

(config network interface my_wwan)> modem iccid ICCID


(config network interface my_wwan)>

n imsi
Set the International Mobile Subscriber Identity (IMSI) that must be active for this
WWAN to be used:

(config network interface my_wwan)> modem imsi IMSI


(config network interface my_wwan)>

n plmn_id
Set the PLMN ID that must be active for this WWAN to be used:

(config network interface my_wwan)> modem plmn_id PLMN_ID


(config network interface my_wwan)>

n sim_slot
Set which SIM slot must be active for this WWAN to be used:

(config network interface my_wwan)> modem sim_slot value


(config network interface my_wwan)>

where value is either 1 or 2.


7. Set the PIN for the SIM. Leave blank if no PIN is required.

(config network interface my_wwan)> modem pin value


(config network interface my_wwan)>

8. Set the phone number for the SIM, for SMS connections:

(config network interface my_wwan)> modem phone num


(config network interface my_wwan)>

Normally, this should be left blank. It is only necessary to complete this field if the SIM does
not have a phone number or if the phone number is incorrect.
9. Roaming is enabled by default. To disable:

(config network interface my_wwan)> modem roaming false


(config network interface my_wwan)>

10. Set the carrier selection mode:

(config network interface my_wwan)> modem operator_mode value


(config network interface my_wwan)>

where value is one of:


n automatic: The cellular carrier is selected automatically by the device.
n manual: The cellular carrier must be manually configured. If the configured network is
not available, no cellular connection will be established.
n manual_automatic: The carrier is manually configured. If the configured network is not
available, automatic carrier selection is used.
If manual or manual_automatic is set:
a. Set the Network PLMN ID:

(config network interface my_wwan)> modem operator PLMN_ID


(config network interface my_wwan)>

b. Set the cellular network technology:

(config network interface my_wwan)> modem operator_technology value


(config network interface my_wwan)>

where value is one of:


n all: The best available technology will be used.
n 2G: Only 2G technology will be used.
n 3G: Only 3G technology will be used.
n 4G: Only 4G technology will be used.
n NR5G-NSA: Only 5G non-standalone technology will be used.
n NR5G-SA: Only 5G standalone technology will be used.
The default is all.


Note If manual is configured for the carrier selection mode and a specific network
technology is selected for the cellular network technology, your modem must support the
selected technology or no cellular connection will be established. If you are using a cellular
connection to perform this procedure, you may lose your connection and the device will
no longer be accessible.

11. SIM failover is enabled by default, which means that the modem will automatically fail over
from the active SIM to the next available SIM when the active SIM fails to connect. To disable:

(config network interface my_wwan)> modem sim_failover false


(config network interface my_wwan)>

If enabled:
a. Set the number of times that the device should attempt to connect to the active SIM
before failing over to the next available SIM:

(config network interface my_wwan)> modem sim_failover_retries num


(config network interface my_wwan)>

The default setting is 5.


b. Configure how SIM failover will function if automatic SIM switching is unavailable:

(config network interface my_wwan)> modem sim_failover_alt value


(config network interface my_wwan)>

where value is one of:


n none: The device will perform no alternative action if automatic SIM switching is
unavailable.
n reset: The device will reset the modem if automatic SIM switching is unavailable.
n reboot: The device will reboot if automatic SIM switching is unavailable.
12. (Optional) To configure the device to use either the preconfigured APNs, custom APNs, or both:

(config)> network interface modem modem apn_selection value


(config)>

Where value is one of the following:


n apn_list_only
n both_lists
n built-in-list-only
13. (Optional) To configure the IP address of a custom gateway or a custom netmask:
a. Enable the custom gateway:

(config network interface my_wwan)> modem custom_gw enable true


(config network interface my_wwan)>


b. Set the IP address and netmask of the custom gateway:

(config network interface my_wwan)> modem custom_gw gateway ip_address/netmask
(config network interface my_wwan)> modem custom_gw

To override only the gateway netmask, but not the gateway IP address, use all zeros for
the IP address. For example, 0.0.0.0/32 will use the network-provided gateway, but with a
/32 netmask.
14. Optional IPv4 configuration items:
a. IPv4 support is enabled by default. To disable:

(config network interface my_wwan)> ipv4 enable false


(config network interface my_wwan)>

b. Set the type, which determines how the modem in the device obtains an IP address from
the cellular network.

(config network interface my_wwan)> ipv4 modem_type value


(config network interface my_wwan)>

Where value is one of:


n static: Digi device obtains the static IP address from the cellular network.
n dhcp: Digi device obtains IP address via a DHCP server on the cellular network.
c. Set the metric:

(config network interface my_wwan)> ipv4 metric num


(config network interface my_wwan)>

See Configure WAN/WWAN priority and default route metrics for further information about
metrics.
d. Set the relative weight for default routes associated with this interface. For multiple active
interfaces with the same metric, the weight is used to load balance traffic to the interfaces.

(config network interface my_wwan)> ipv4 weight num


(config network interface my_wwan)>

e. Set the management priority. This determines which interface will have priority for central
management activity. The interface with the highest number will be used.

(config network interface my_wwan)> ipv4 mgmt num


(config network interface my_wwan)>

f. Set the MTU:

(config network interface my_wwan)> ipv4 mtu num


(config network interface my_wwan)>


g. Configure when the WWAN's DNS servers will be used:

(config network interface my_wwan)> ipv4 dns value


(config network interface my_wwan)>

Where value is one of:


n always: DNS will always be used for this WWAN; when multiple interfaces have the
same DNS server, the interface with the lowest metric will be used for DNS
requests.
n never: Never use DNS servers for this WWAN.
n primary: Only use the DNS servers provided for this WWAN when the WWAN is the
primary route.
The default setting is primary.
15. Optional IPv6 configuration items:
a. IPv6 support is enabled by default. To disable:

(config network interface my_wwan)> ipv6 enable false


(config network interface my_wwan)>

b. Set the type, which determines how the modem in the device obtains an IP address from
the cellular network.

(config network interface my_wwan)> ipv4 modem_type value


(config network interface my_wwan)>

Where value is one of:


n static: Digi device obtains the static IP address from the cellular network.
n dhcp: Digi device obtains IP address via a DHCP server on the cellular network.
c. Set the metric:

(config network interface my_wwan)> ipv6 metric num


(config network interface my_wwan)>

See Configure WAN/WWAN priority and default route metrics for further information about
metrics.
d. Set the relative weight for default routes associated with this interface. For multiple active
interfaces with the same metric, the weight is used to load balance traffic to the interfaces.

(config network interface my_wwan)> ipv6 weight num


(config network interface my_wwan)>

e. Set the management priority. This determines which interface will have priority for central
management activity. The interface with the highest number will be used.

(config network interface my_wwan)> ipv6 mgmt num


(config network interface my_wwan)>


f. Set the MTU:

(config network interface my_wwan)> ipv6 mtu num


(config network interface my_wwan)>

g. Configure when the WWAN's DNS servers will be used:

(config network interface my_wwan)> ipv4 dns value


(config network interface my_wwan)>

Where value is one of:


n always: DNS will always be used for this WWAN; when multiple interfaces have the
same DNS server, the interface with the lowest metric will be used for DNS
requests.
n never: Never use DNS servers for this WWAN.
n primary: Only use the DNS servers provided for this WWAN when the WWAN is the
primary route.
The default setting is primary.
16. See Configure SureLink active recovery to detect WAN/WWAN failures for information about
configuring active recovery.
17. Save the configuration and apply the change.

(config network interface my_wwan)> save


Configuration saved.
>

18. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Show WAN and WWAN status and statistics

 Web
Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
1. From the menu, click Status.
2. Under Networking, click Interfaces.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.


2. Enter the show network command at the Admin CLI prompt:

> show network

Interface         Proto  Status   Address
----------------  -----  -------  -------------------------------
setupip           IPv4   up       192.168.210.1/24
setuplinklocalip  IPv4   up       169.254.100.100/16
eth1              IPv4   up       10.10.10.10/24
eth1              IPv6   up       fe00:2404::240:f4ff:fe80:120/64
eth2              IPv4   up       192.168.2.1/24
eth2              IPv6   up       fd00:2704::1/48
loopback          IPv4   up       127.0.0.1/8
modem             IPv4   up       10.200.1.101/30
modem             IPv6   down

>

3. Additional information can be displayed by using the show network verbose command:

> show network verbose

Interface         Proto  Status   Type    Zone      Device    Metric  Weight
----------------  -----  -------  ------  --------  --------  ------  ------
setupip           IPv4   up       static  setup     eth2      10      10
setuplinklocalip  IPv4   up       static  setup     eth2      0       10
eth1              IPv4   up       dhcp    external  eth1      1       10
eth1              IPv6   up       dhcp    external  eth1      1       10
eth2              IPv4   up       static  internal  eth2      5       10
eth2              IPv6   up       static  internal  eth2      5       10
loopback          IPv4   up       static  loopback  loopback  0       10
modem             IPv4   up       modem   external  wwan1     3       10
modem             IPv6   down     modem   external  wwan1     3       10

>

4. Enter show network interface name at the Admin CLI prompt to display additional
information about a specific WAN. For example, to display information about ETH1, enter show
network interface eth1:

> show network interface eth1

wan1 Interface Status


---------------------
Device : eth1
Zone : external

IPv4 Status : up
IPv4 Type : dhcp


IPv4 Address(es) : 10.10.10.10/24


IPv4 Gateway : 10.10.10.1
IPv4 MTU : 1500
IPv4 Metric : 1
IPv4 Weight : 10
IPv4 DNS Server(s) : 10.10.10.2, 10.10.10.3

IPv6 Status : up
IPv6 Type : dhcpv6
IPv6 Address(es) : fe00:2404::240:f4ff:fe80:120/64
IPv6 Gateway : ff80::234:f3ff:ff0e:4320
IPv6 MTU : 1500
IPv6 Metric : 1
IPv6 Weight : 10
IPv6 DNS Server(s) : fd00:244::1, fe80::234:f3f4:fe0e:4320

>

5. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Delete a WAN or WWAN


Follow this procedure to delete any WANs and WWANs that have been added to the system. You
cannot delete the preconfigured WAN, ETH1, or the preconfigured WWAN, Modem.

 Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Network > Interfaces.


4. Click the menu icon (...) next to the name of the WAN or WWAN to be deleted and select
Delete.

5. Click Apply to save the configuration and apply the change.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Use the del command to delete the WAN or WWAN. For example, to delete a WWAN named
my_wwan:

(config)> del network interface my_wwan

4. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

5. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Default outbound WAN/WWAN ports


The following table lists the default outbound network communications for Connect EZ 16/32
WAN/WWAN interfaces:

Description                                                        TCP/UDP  Port number
Digi Remote Manager connection to edp12.devicecloud.com.           TCP      3199
NTP date/time sync to time.devicecloud.com.                        UDP      123
DNS resolution using WAN-provided DNS servers.                     UDP      53
HTTPS for modem firmware downloads from firmware.devicecloud.com.  TCP      443
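
The default outbound table gives a baseline for what a device with default settings sends out of its WAN/WWAN interfaces. As an added example (not part of the Digi guide), this Python check audits flow records against that baseline and flags DNS sent to a resolver other than the WAN-provided ones. The key=value log format and the sample records are constructed, and any services you enable beyond the defaults must be added to the table.

```python
import ipaddress

# Default outbound traffic from the guide's table: (protocol, port) -> purpose.
DEFAULT_OUTBOUND = {
    ("tcp", 3199): "Digi Remote Manager (edp12.devicecloud.com)",
    ("udp", 123): "NTP (time.devicecloud.com)",
    ("udp", 53): "DNS via WAN-provided servers",
    ("tcp", 443): "modem firmware download (firmware.devicecloud.com)",
}


def parse_flow(line):
    """Parse one 'key=value' flow record (constructed format for this example).
    Returns a dict, or None when a field is missing or malformed."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    try:
        return {
            "src": ipaddress.ip_address(fields["src"]),
            "dst": ipaddress.ip_address(fields["dst"]),
            "proto": fields["proto"].lower(),
            "dport": int(fields["dport"]),
        }
    except (KeyError, ValueError):
        return None


def audit_flows(lines, device_ip, wan_dns_servers):
    """Return (line_number, reason) for every record that departs from the
    documented defaults. Records whose source is not the device's WAN address
    are out of scope and skipped; unparseable records are reported, not hidden."""
    device = ipaddress.ip_address(device_ip)
    resolvers = {ipaddress.ip_address(s) for s in wan_dns_servers}
    findings = []
    for lineno, line in enumerate(lines, 1):
        flow = parse_flow(line)
        if flow is None:
            findings.append((lineno, "unparseable record"))
            continue
        if flow["src"] != device:
            continue
        key = (flow["proto"], flow["dport"])
        if key not in DEFAULT_OUTBOUND:
            findings.append(
                (lineno, f"{flow['proto']}/{flow['dport']} to {flow['dst']} "
                         "is not a documented default"))
        elif key == ("udp", 53) and flow["dst"] not in resolvers:
            # The table expects DNS to go to the WAN-provided servers only.
            findings.append(
                (lineno, f"DNS query to {flow['dst']}, not a WAN-provided server"))
    return findings


# Constructed sample records. The device address and DNS servers reuse the
# eth1 values from the guide's "show network interface eth1" sample output;
# the destinations are documentation-range addresses.
SAMPLE_FLOWS = [
    "2024-11-05T10:00:01Z src=10.10.10.10 dst=203.0.113.10 proto=tcp dport=3199",
    "2024-11-05T10:00:02Z src=10.10.10.10 dst=203.0.113.20 proto=udp dport=123",
    "2024-11-05T10:00:03Z src=10.10.10.10 dst=10.10.10.2 proto=udp dport=53",
    "2024-11-05T10:00:04Z src=10.10.10.10 dst=198.51.100.53 proto=udp dport=53",
    "2024-11-05T10:00:05Z src=10.10.10.10 dst=198.51.100.7 proto=tcp dport=23",
    "2024-11-05T10:00:06Z src=10.10.10.10 dst=203.0.113.30 proto=TCP dport=443",
    "2024-11-05T10:00:07Z src=192.168.2.50 dst=198.51.100.9 proto=tcp dport=8080",
    "2024-11-05T10:00:08Z src=10.10.10.10 dst=203.0.113.10 proto=tcp dport=notaport",
]

if __name__ == "__main__":
    for lineno, reason in audit_flows(SAMPLE_FLOWS, "10.10.10.10",
                                      ["10.10.10.2", "10.10.10.3"]):
        print(f"record {lineno}: {reason}")
```
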


Local Area Networks (LANs)


The Connect EZ 16/32 device is preconfigured with the following Local Area Networks (LANs):
You can modify configuration settings for ETH2, and you can create new LANs.
This section contains the following topics:

About Local Area Networks (LANs)
Configure a Local Area Network (LAN)
Configure the ETH1 port as a LAN or in a bridge
Change the default LAN subnet
Show LAN status and statistics
Delete a LAN
DHCP servers
Default services listening on LAN ports
Configure an interface to operate in passthrough mode.


About Local Area Networks (LANs)


A Local Area Network (LAN) connects network devices together in a logical Layer-2 network.
The following diagram shows a LAN connected to the ETH2 Ethernet device. Once the LAN is
configured and enabled, the devices connected to the network interfaces can communicate with each
other, as demonstrated by the ping commands.

Configure a Local Area Network (LAN)


Configuring a Local Area Network (LAN) involves configuring the following items:

Required configuration items


- A name for the interface.

Note If the interface name is more than eight characters, the name will be truncated in the
underlying network interface to the first six characters followed by three digits, incrementing
from 000. This affects any custom scripts or firewall rules that may be trying to adjust the
interface or routing table entries.

- The interface type: either Ethernet, IP Passthrough, or PPPoE.
- The firewall zone: Internal.
- The network device or bridge that is used by the LAN.
- The IPv4 address and subnet mask for the LAN. While it is not strictly necessary for a LAN to
  have an IP address, if you want to send traffic from other networks to the LAN, you must
  configure an IP address.

Additional configuration items


- Additional IPv4 configuration:
  - The type, which controls how the modem in the Digi device obtains an IP address
    from the cellular network.
  - The metric for IPv4 routes associated with the LAN.
  - The relative weight for IPv4 routes associated with the LAN.
  - The IPv4 management priority of the LAN. The active interface with the highest
    management priority will have its address reported as the preferred contact address for
    central management and direct device access.
  - The IPv4 Maximum Transmission Unit (MTU) of the LAN.
  - When to use DNS: always, never, or only when this interface is the primary default route.
  - IPv4 DHCP server configuration. See DHCP servers for more information.
- IPv6 configuration:
  - The type, which controls how the modem in the Digi device obtains an IP address
    from the cellular network.
  - The metric for IPv6 routes associated with the LAN.
  - The relative weight for IPv6 routes associated with the LAN.
  - The IPv6 management priority of the LAN. The active interface with the highest
    management priority will have its address reported as the preferred contact address for
    central management and direct device access.
  - The IPv6 Maximum Transmission Unit (MTU) of the LAN.
  - When to use DNS: always, never, or only when this interface is the primary default route.
  - The IPv6 prefix length and ID.
  - IPv6 DHCP server configuration. See DHCP servers for more information.
- MAC address denylist and allowlist.
To create a new LAN or edit an existing LAN:

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Network > Interfaces.
4. Create the LAN or select an existing LAN:
- To create a new LAN, for Add interface, type a name for the LAN and click .
- To edit an existing LAN, click to expand the LAN.


The Interface configuration window is displayed.


New LANs are enabled by default. To disable, toggle off Enable.


5. For Interface type, leave at the default setting of Ethernet.
6. For Zone, select the appropriate firewall zone. See Firewall configuration for further
information.
7. For Device, select an Ethernet device or a bridge. See Bridging for more information about
bridging.
8. (Optional) Click to expand 802.1x to configure 802.1x port based network access control.
The Connect EZ 16/32 can function as an 802.1x authenticator; it does not function as an
802.1x supplicant.
a. Click to expand Authentication.
b. Click Enable server to enable the 802.1x authenticator on the Connect EZ 16/32 device.
c. Set the Reauth period.
9. Configure IPv4 settings:
a. Click to expand IPv4.
IPv4 support is enabled by default.
b. For Type, select Static IP address.
c. For Address, type the IP address and subnet of the LAN interface. Use the format IPv4_
address/netmask, for example, 192.168.2.1/24.
d. Optional IPv4 configuration items:
i. Set the Metric.
ii. For Weight, type the relative weight for default routes associated with this interface.
For multiple active interfaces with the same metric, Weight is used to load balance
traffic to the interfaces.
iii. Set the Management priority. This determines which interface will have priority for
central management activity. The interface with the highest number will be used.
iv. Set the MTU.
e. Enable the DHCP server:
i. Click to expand DHCP server.
ii. Click Enable.
See DHCP servers for information about configuring the DHCP server.
f. Enable Force link to keep the network interface active even when the device link is down.
10. See Configure DHCP relay for information about configuring DHCP relay.
11. (Optional) Configure IPv6 settings:


a. Click to expand IPv6.


b. Enable IPv6 support.
c. For Type, select IPv6 prefix delegation.
d. For Prefix length, type the minimum length of the prefix to assign to this LAN. If the
minimum length is not available, then a longer prefix will be used.
e. For Prefix ID, type the identifier used to extend the prefix to the assigned length. Leave
blank to use a random identifier.
f. Set the Metric.
g. For Weight, type the relative weight for default routes associated with this interface. For
multiple active interfaces with the same metric, Weight is used to load balance traffic to
the interfaces.
h. Set the Management priority. This determines which interface will have priority for
central management activity. The interface with the highest number will be used.
i. Set the MTU.
12. (Optional) Click to expand MAC address denylist.
Incoming packets will be dropped from any devices whose MAC address is included in the
MAC address denylist.
a. Click to expand MAC address denylist.
b. For Add MAC address, click .
c. Type the MAC address.
13. (Optional) Click to expand MAC address allowlist.
If allowlist entries are specified, incoming packets will only be accepted from the listed MAC
addresses.
a. Click to expand MAC address allowlist.
b. For Add MAC address, click .
c. Type the MAC address.
14. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Create a new LAN or edit an existing one:


- To create a new LAN named my_lan:

(config)> add network interface my_lan
(config network interface my_lan)>

- To edit an existing LAN named my_lan, change to the my_lan node in the configuration
  schema:

(config)> network interface my_lan
(config network interface my_lan)>

4. Set the appropriate firewall zone:

(config network interface my_lan)> zone zone


(config network interface my_lan)>

See Firewall configuration for further information.


5. Select an Ethernet device or a bridge. See Bridging for more information about bridging.
a. Enter device ? to view available devices and the proper syntax.

(config network interface my_lan)> device ?

Current value:

(config network interface my_lan)> device

b. Set the device for the LAN:

(config network interface my_lan)> device device


(config network interface my_lan)>

6. Configure IPv4 settings:


- IPv4 support is enabled by default. To disable:

(config network interface my_lan)> ipv4 enable false
(config network interface my_lan)>

- The LAN is configured by default to use a static IP address for its IPv4 configuration. To
  configure the LAN to be a DHCP client, rather than using a static IP address:

(config network interface my_lan)> ipv4 type dhcp
(config network interface my_lan)>

These instructions assume that the LAN will use a static IP address for its IPv4
configuration.
a. Set the IPv4 address and subnet of the LAN interface. Use the format IPv4_
address/netmask, for example, 192.168.2.1/24.

(config network interface my_lan)> ipv4 address ip_address/netmask


(config network interface my_lan)>

b. Optional IPv4 configuration items:


i. Set the IP metric:

(config network interface my_lan)> ipv4 metric num


(config network interface my_lan)>


ii. Set the relative weight for default routes associated with this interface. For multiple
active interfaces with the same metric, the weight is used to load balance traffic to
the interfaces.

(config network interface my_lan)> ipv4 weight num


(config network interface my_lan)>

iii. Set the management priority. This determines which interface will have priority for
central management activity. The interface with the highest number will be used.

(config network interface my_lan)> ipv4 mgmt num


(config network interface my_lan)>

iv. Set the MTU:

(config network interface my_lan)> ipv4 mtu num


(config network interface my_lan)>

c. Enable the DHCP server:

(config network interface my_lan)> ipv4 dhcp_server enable true

See DHCP servers for information about configuring the DHCP server.
7. (Optional) Configure IPv6 settings:
a. Enable IPv6 support:

(config network interface my_lan)> ipv6 enable true


(config network interface my_lan)>

b. Set the IPv6 type to DHCP:

(config network interface my_lan)> ipv6 type dhcpv6


(config network interface my_lan)>

c. Generally, the default settings for IPv6 support are sufficient. You can view the default IPv6
settings by using the question mark (?):

(config network interface my_lan)> ipv6 ?

IPv6

Parameters       Current Value
-------------------------------------------------------------------------------
enable           true                Enable
metric           0                   Metric
mgmt             0                   Management priority
mtu              1500                MTU
prefix_id        1                   Prefix ID
prefix_length    48                  Prefix length
type             prefix_delegation   Type
weight           10                  Weight

Additional Configuration
-------------------------------------------------------------------------------
connection_monitor   Active recovery
dhcpv6_server        DHCPv6 server

(config network interface my_lan)>

View default settings for the IPv6 DHCP server:

(config network interface my_lan)> ipv6 dhcpv6_server ?

DHCPv6 server: The DHCPv6 server settings for this network interface.

Parameters       Current Value
-------------------------------------------------------------------------------
enable           true                Enable

(config network interface my_lan)>

d. Modify any of the remaining default settings as appropriate. For example, to change the
minimum length of the prefix:

(config network interface my_lan)> ipv6 prefix_length 60


(config network interface my_lan)>

If the minimum length is not available, then a longer prefix will be used.

See Configure WAN/WWAN priority and default route metrics for further information about
metrics.
8. (Optional) To configure 802.1x port based network access control:

Note The Connect EZ 16/32 can function as an 802.1x authenticator; it does not function as an
802.1x supplicant.

a. Enable the 802.1x authenticator on the Connect EZ 16/32 device:

(config network interface my_lan)> 802_1x authentication enable true


(config network interface my_lan)>

b. Set the frequency period for reauthorization:

(config network interface my_lan)> 802_1x authentication reauth_period value
(config network interface my_lan)>

where value is an integer between 0 and 86400. The default is 3600.


9. (Optional) Configure the MAC address denylist.
Incoming packets will be dropped from any devices whose MAC address is included in the
MAC address denylist.
a. Add a MAC address to the denylist:

(config network interface my_lan)> add mac_denylist end mac_address
(config network interface my_lan)>

where mac_address is a hyphen-separated MAC address, for example, 32-A6-84-2E-81-58.


b. Repeat for each additional MAC address.
10. (Optional) Configure the MAC address allowlist.
If allowlist entries are specified, incoming packets will only be accepted from the listed MAC
addresses.
a. Add a MAC address to the allowlist:

(config network interface my_lan)> add mac_allowlist end mac_address
(config network interface my_lan)>

where mac_address is a hyphen-separated MAC address, for example, 32-A6-84-2E-81-58.


b. Repeat for each additional MAC address.
11. Save the configuration and apply the change.

(config network interface my_lan)> save


Configuration saved.
>

12. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
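
The following is an added example, not part of the Digi guide: a Python helper that validates the values the command-line procedure above asks for and returns the matching Admin CLI lines, using only commands shown in that procedure. The interface name plant_floor_lan, the device path /network/device/eth2 (written in the path form the bridge procedure in this guide uses) and the MAC addresses are constructed for illustration.

```python
import ipaddress
import re

# Six hex octets, separated consistently by "-" or ":" or not at all.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([-:]?)(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")


def normalize_mac(mac):
    """Return a unicast MAC in the hyphen-separated form shown in the guide."""
    mac = mac.strip()
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = re.sub(r"[-:]", "", mac).upper()
    if int(digits[:2], 16) & 1:
        # Group (multicast/broadcast) bit set: never a valid source address,
        # so an allowlist or denylist entry for it would match no real host.
        raise ValueError(f"not a unicast MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def check_lan_address(address):
    """Validate IPv4_address/netmask and return it as an IPv4Interface."""
    if "/" not in address:
        raise ValueError("use the format IPv4_address/netmask")
    iface = ipaddress.ip_interface(address)
    if iface.version != 4:
        raise ValueError("expected an IPv4 address")
    net = iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{iface.ip} is the network or broadcast address of {net}")
    return iface


def lan_commands(name, zone, device, address, allow_macs=(), reauth_period=None):
    """Return (commands, warnings) for creating one LAN from the Admin CLI."""
    if not name or any(ch.isspace() for ch in name):
        raise ValueError("interface name must be non-empty and contain no whitespace")
    warnings = []
    if len(name) > 8:
        # Truncation rule from the note under "Required configuration items".
        warnings.append(
            f"name {name!r} is longer than eight characters: the underlying "
            f"interface becomes {name[:6]!r} plus three digits, so scripts and "
            "firewall rules must not assume the configured name"
        )
    iface = check_lan_address(address)
    if not iface.ip.is_private:
        warnings.append(f"{iface.ip} is not a private address")
    cmds = ["config", f"add network interface {name}", f"zone {zone}",
            f"device {device}", f"ipv4 address {iface.with_prefixlen}"]
    if reauth_period is not None:
        if not 0 <= int(reauth_period) <= 86400:
            raise ValueError("reauth_period must be between 0 and 86400")
        cmds += ["802_1x authentication enable true",
                 f"802_1x authentication reauth_period {int(reauth_period)}"]
    seen = []
    for mac in allow_macs:
        norm = normalize_mac(mac)
        if norm not in seen:  # the same host entered in two notations
            seen.append(norm)
            cmds.append(f"add mac_allowlist end {norm}")
    cmds.append("save")
    return cmds, warnings


if __name__ == "__main__":
    commands, notes = lan_commands(
        "plant_floor_lan", "internal", "/network/device/eth2", "192.168.3.1/24",
        allow_macs=["32:a6:84:2e:81:58", "32-A6-84-2E-81-58"], reauth_period=3600)
    print("\n".join(commands))
    for note in notes:
        print("WARNING:", note)
```

Review the returned lines before pasting them into a console session; the helper checks syntax and ranges only and does not contact the device.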

Configure the ETH1 port as a LAN or in a bridge


By default, the ETH1 Ethernet port on your Connect EZ 16/32 is configured to function as a WAN port,
which means that it:
- Uses the External firewall zone.
- Receives its IPv4 address from an upstream DHCP server.
- Has SureLink enabled to test the quality of its internet connection.
Alternatively, you can configure the ETH1 port to function as a LAN port, or you can create a bridge
that includes the ETH1 and ETH2 ports.

Configure the ETH1 Ethernet port as a LAN


This procedure reconfigures the ETH1 port to serve as a port for a LAN, which will result in the device
having two separate LANs: the default ETH2 LAN, and the LAN created in this procedure. To utilize
both LANs, you will need to have a device connected to the ETH1 port, and a separate device
connected to the ETH2 port, and these devices will be on separate LANs.
If instead, you want the ETH1 port to be bridged with the ETH2 port, see Create a bridge that includes
the ETH1 port.

To configure the ETH1 Ethernet port as a LAN:


Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Network > Interfaces > ETH1.
4. For Zone, select Internal.

5. Configure IPv4 settings:


a. Click to expand IPv4.
b. For Type, select Static IP address.
c. For Address, type the IPv4 address and netmask, using the format IPv4_address/netmask,
for example, 192.168.3.1/24.


d. Enable the DHCP server:


i. Click to expand DHCP server.
ii. Click to toggle on Enable.
e. Disable SureLink:
i. Click to expand SureLink.
ii. Click to toggle off Enable.
6. (Optional) Configure IPv6 settings:
a. Click to expand IPv6.
b. For Type, select IPv6 prefix delegation.
7. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Set the zone to internal:

(config)> network interface eth1 zone internal


(config)>

4. Configure IPv4 settings:


a. Set the type to static:

(config)> network interface eth1 ipv4 type static


(config)>

b. Set the IPv4 address and netmask, using the format IPv4_address/netmask, for
example:

(config)> network interface eth1 ipv4 address 192.168.3.1/24


(config)>

c. Enable the DHCP server:

(config)> network interface eth1 ipv4 dhcp_server enable true


(config)>

d. Disable SureLink:

(config)> network interface eth1 ipv4 surelink enable false


(config)>


5. (Optional) Configure IPv6:


a. Set the type to prefix_delegation:

(config)> network interface eth1 ipv6 type prefix_delegation


(config)>

6. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

7. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Create a bridge that includes the ETH1 port


This procedure will bridge the ETH1 port with the ETH2 port, which will configure the two Ethernet
ports to function as a hub.
To bridge the Connect EZ 16/32 device's ETH1 Ethernet port with the ETH2 port:

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Create the bridge and add devices:


a. Click Network > Bridges.
b. For Add Bridge, type a name for the bridge and click .

c. Click to expand Devices.


d. Click Add Device .

e. For Device, select Device: ETH1.


f. Click Add Device  again and select the Device: ETH2.
4. Create a LAN interface for the bridge:
a. Click Network > Interfaces.
b. For Add Interface, type a name for the interface and click .

c. For Zone, select Internal.


d. For Device, select the new bridge.

e. Click to expand IPv4.


f. For Address, type the IPv4 address and netmask, using the format IPv4_address/netmask,
for example, 192.168.3.1/24.


g. Enable the DHCP server:


i. Click to expand DHCP server.
ii. Click to toggle on Enable.
5. Disable the ETH1 interface:
a. Click Network > Interfaces > ETH1.
b. Click to toggle off Enable.
6. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Create the bridge and add devices:


a. Create the bridge:

(config)> add network bridge bridge_name


(config network bridge bridge_name)>

where bridge_name is the name of the new bridge. For example, to create a bridge named
LAN_bridge:

(config)> add network bridge LAN_bridge


(config network bridge LAN_bridge)>

b. Add the eth1 device:

(config network bridge LAN_bridge)> add device end /network/device/eth1
(config network bridge LAN_bridge)>

c. Add the eth2 device:

(config network bridge LAN_bridge)> add device end /network/device/eth2
(config network bridge LAN_bridge)>

4. Create a LAN interface for the bridge:


a. Type ... to return to the root of the configuration:

(config network bridge LAN_bridge)> ...


(config)>

b. Create the interface:

(config)> add network interface interface_name
(config network interface interface_name)>

where interface_name is the name of the new interface. For example, to create an interface
named LAN_bridge_interface:

(config)> add network interface LAN_bridge_interface


(config network interface LAN_bridge_interface)>

c. Set the zone to internal:

(config network interface LAN_bridge_interface)> zone internal


(config network interface LAN_bridge_interface)>

d. Set the device to the new bridge:

(config network interface LAN_bridge_interface)> device /network/bridge/LAN_bridge
(config network interface LAN_bridge_interface)>

e. Set the IPv4 address and netmask for the interface, using the format IPv4_
address/netmask, for example, 192.168.3.1/24:

(config network interface LAN_bridge_interface)> ipv4 address 192.168.3.1/24
(config network interface LAN_bridge_interface)>

f. Enable the DHCP server:

(config network interface LAN_bridge_interface)> ipv4 dhcp_server enable true
(config network interface LAN_bridge_interface)>

5. Disable the eth1 interface:

(config)> network interface eth1 enable false


(config)>


6. Save the configuration and apply the change.

(config network interface LAN_bridge_interface)> save


Configuration saved.
>

7. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Change the default LAN subnet


You can change the Connect EZ 16/32 default LAN subnet—192.168.2.1/24—to any range of private IPs.
The local DHCP server range will also change to the range of the LAN subnet.
To change the LAN subnet:

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Network > Interfaces > LAN > IPv4.
4. For Address, change the IP address to an alternate private IP. You must also specify the subnet
mask. It must have the syntax of IPv4_address/netmask.
5. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.


Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. At the config prompt, set the IP address to an alternate private IP:

(config)> network interface lan ipv4 address IPv4_address/netmask


(config)>

4. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

5. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Show LAN status and statistics

Web
Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
1. From the menu, click Status.
2. Under Networking, click Interfaces.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. Enter the show network command at the Admin CLI prompt:

> show network

Interface        Proto Status  Address
---------------- ----- ------- -------------------------------
setupip          IPv4  up      192.168.210.1/24
setuplinklocalip IPv4  up      169.254.100.100/16
eth1             IPv4  up      10.10.10.10/24
eth1             IPv6  up      fe00:2404::240:f4ff:fe80:120/64
eth2             IPv4  up      192.168.2.1/24
eth2             IPv6  up      fd00:2704::1/48
loopback         IPv4  up      127.0.0.1/8
modem            IPv4  up      10.200.1.101/30
modem            IPv6  down

>

3. Additional information can be displayed by using the show network verbose command:

> show network verbose

Interface        Proto Status  Type   Zone     Device   Metric Weight
---------------- ----- ------- ------ -------- -------- ------ ------
setupip          IPv4  up      static setup    eth2     10     10
setuplinklocalip IPv4  up      static setup    eth2     0      10
eth1             IPv4  up      dhcp   external eth1     1      10
eth1             IPv6  up      dhcp   external eth1     1      10
eth2             IPv4  up      static internal eth2     5      10
eth2             IPv6  up      static internal eth2     5      10
loopback         IPv4  up      static loopback loopback 0      10
modem            IPv4  up      modem  external wwan1    3      10
modem            IPv6  down    modem  external wwan1    3      10

>

4. Enter show network interface name at the Admin CLI prompt to display additional
information about a specific LAN. For example, to display information about ETH2, enter show
network interface eth2:

> show network interface eth2

lan1 Interface Status
---------------------
Device             : eth2
Zone               : internal

IPv4 Status        : up
IPv4 Type          : static
IPv4 Address(es)   : 192.168.2.1/24
IPv4 Gateway       :
IPv4 MTU           : 1500
IPv4 Metric        : 5
IPv4 Weight        : 10
IPv4 DNS Server(s) :

IPv6 Status        : up
IPv6 Type          : prefix
IPv6 Address(es)   : fd00:2704::1/48
IPv6 Gateway       :
IPv6 MTU           : 1500
IPv6 Metric        : 5
IPv6 Weight        : 10
IPv6 DNS Server(s) :

>

5. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
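
The following is an added example, not part of the Digi guide: a Python check that parses saved show network verbose output and reports any interface whose firewall zone, IPv4 type or IPv4 status differs from what the LAN procedures in this section set. The sample text is constructed from the guide's example output, edited so that eth1 has a static address but is still in the external zone; the expected-policy dictionary is an assumption about one site's intent.

```python
FIELDS = ("interface", "proto", "status", "type", "zone", "device", "metric", "weight")

# Constructed sample: eth1 was given a static address, but its zone was
# never changed from external to internal.
SAMPLE = """\
> show network verbose

Interface        Proto Status  Type   Zone     Device   Metric Weight
---------------- ----- ------- ------ -------- -------- ------ ------
setupip          IPv4  up      static setup    eth2     10     10
setuplinklocalip IPv4  up      static setup    eth2     0      10
eth1             IPv4  up      static external eth1     1      10
eth1             IPv6  up      dhcp   external eth1     1      10
eth2             IPv4  up      static internal eth2     5      10
eth2             IPv6  up      static internal eth2     5      10
loopback         IPv4  up      static loopback loopback 0      10
modem            IPv4  up      modem  external wwan1    3      10
modem            IPv6  down    modem  external wwan1    3      10

>
"""


def parse_show_network_verbose(text):
    """Return one dict per data row; header, rule and prompt lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[1] not in ("IPv4", "IPv6"):
            continue
        if not (parts[6].isdigit() and parts[7].isdigit()):
            continue
        row = dict(zip(FIELDS, parts))
        row["metric"], row["weight"] = int(parts[6]), int(parts[7])
        rows.append(row)
    return rows


def audit_lans(rows, expected):
    """expected maps interface name -> (zone, IPv4 type). Return findings."""
    findings, seen = [], set()
    for row in rows:
        want = expected.get(row["interface"])
        if want is None:
            continue
        seen.add(row["interface"])
        zone, ipv4_type = want
        where = f"{row['interface']}/{row['proto']}"
        if row["zone"] != zone:
            findings.append(f"{where}: zone is {row['zone']}, expected {zone}")
        if row["proto"] == "IPv4":
            if row["type"] != ipv4_type:
                findings.append(f"{where}: type is {row['type']}, expected {ipv4_type}")
            if row["status"] != "up":
                findings.append(f"{where}: status is {row['status']}")
    for name in sorted(set(expected) - seen):
        findings.append(f"{name}: not present in the output")
    return findings


if __name__ == "__main__":
    policy = {"eth1": ("internal", "static"), "eth2": ("internal", "static")}
    for finding in audit_lans(parse_show_network_verbose(SAMPLE), policy):
        print(finding)
```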

Delete a LAN
Follow this procedure to delete any LANs that have been added to the system. You cannot delete the
preconfigured LAN, LAN1.

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Network > Interfaces.
4. Click the menu icon (...) next to the name of the LAN to be deleted and select Delete.

5. Click Apply to save the configuration and apply the change.


Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Use the del command to delete the LAN. For example, to delete a LAN named my_lan:

(config)> del network interface my_lan

4. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

5. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

DHCP servers
You can enable DHCP on your Connect EZ 16/32 device to assign IP addresses to clients, using either:
- The DHCP server for the device's local network, which assigns IP addresses to clients on the
  device's local network. Addresses are assigned from a specified pool of IP addresses. For a
  local network, the device uses the DHCP server that has the IP address pool in the same
  IP subnet as the local network.
  When a host receives an IP configuration, the configuration is valid for a particular amount of
  time, known as the lease time. After this lease time expires, the configuration must be
  renewed. The host renews the lease time automatically.
- A DHCP relay server, which forwards DHCP requests from clients to a DHCP server that is
  running on a separate device.

Configure a DHCP server

Note These instructions assume you are configuring the device to use its local DHCP server. For
instructions about configuring the device to use a DHCP relay server, see Configure DHCP relay.

Required configuration items


- Enable the DHCP server.

Additional configuration items

- The lease address pool: the range of IP addresses issued by the DHCP server to clients.
- Lease time: The length, in minutes, of the leases issued by the DHCP server.
- The Maximum Transmission Units (MTU).
- The domain name suffix appended to host names.
- The IP gateway address given to clients.
- The IP addresses of the preferred and alternate Domain Name Server (DNS), NTP servers, and
  WINS servers that are given to clients.
- The TFTP server name.
- The filepath and name of the bootfile on the TFTP server.
- Custom DHCP options. See Configure DHCP options for information about custom DHCP
  options.
- Static leases. See Map static IP addresses to hosts for information about static leases.

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Network > Interfaces.
4. Click to expand an existing LAN, or create a new LAN. See Configure a Local Area Network
(LAN).
5. Click to expand IPv4 > DHCP server.
6. Enable the DHCP server.
7. (Optional) For Lease time, type the amount of time that a DHCP lease is valid.
Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the
format number{w|d|h|m|s}.


For example, to set Lease time to ten minutes, enter 10m or 600s.
The default is 12 hours.
- By default, DHCP leases are persistent across reboots. You can disable persistent leases:
a. Click Network > Advanced.
b. Click to toggle off DHCP persistent leases.
8. (Optional) For Lease range start and Lease range end, type the lowest and highest IP address
that the DHCP server will assign to a client. This value represents the low order byte of the
address (the final triplet in an IPv4 address, for example, 192.168.2.xxx). The remainder of the
IP address will be based on the LAN's static IP address as defined in the Address field.
Allowed values are between 1 and 254, and the default is 100 for Lease range start and 250
for Lease range end.
- Sequential DHCP address allocation:
By default, DHCP addresses are assigned pseudo-randomly, using a hash of the client's
MAC address to determine the IP address that gets assigned. You can configure the
device to use sequential IP addresses instead:
a. Click Network > Advanced.
b. Click to enable Sequential DHCP address allocation.
Because sequential mode does not use a hash based on the client's MAC address, when a
DHCP lease expires, the client is not likely to get the same IP address assigned to it.
Therefore, sequential DHCP address allocation generally should not be used.
9. Optional DHCP server settings:
a. Click to expand Advanced settings.
b. For Gateway, select either:
• None: No gateway is broadcast by the DHCP server. Client destinations must be
resolvable without a gateway.
• Automatic: Broadcasts the Connect EZ 16/32 device's gateway.
• Custom: Allows you to identify the IP address of a Custom gateway to be
broadcast.
The default is Automatic.
c. For MTU, select either:
• None: An MTU of length 0 is broadcast. This is not recommended.
• Automatic: No MTU is broadcast and clients will determine their own MTU.
• Custom: Allows you to identify a Custom MTU to be broadcast.
The default is Automatic.
d. For Domain name suffix, type the domain name that should be appended to host names.
e. For Primary and Secondary DNS, Primary and Secondary NTP server, and Primary and
Secondary WINS server, select either:
• None: No server is broadcast.
• Automatic: Broadcasts the Connect EZ 16/32 device's server.
• Custom: Allows you to identify the IP address of the server.
f. Enable BOOTP dynamic allocation to automatically assign an IP address to a device on
the server.


CAUTION! The IP address assigned to the device is leased forever and becomes
permanently unavailable for other hosts to use.

g. For Bootfile name, type the relative path and file name of the bootfile on the TFTP server.
h. For TFTP server name, type the IP address or host name of the TFTP server.
i. Enable
10. See Configure DHCP options for information about Custom DHCP options.
11. See Map static IP addresses to hosts for information about Static leases.
12. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Enable the DHCP server for an existing LAN. For example, to enable the DHCP server for a LAN
named my_lan:

(config)> network interface my_lan ipv4 dhcp_server enable true
(config)>

See Configure a Local Area Network (LAN) for information about creating a LAN.
4. (Optional) Set the amount of time that a DHCP lease is valid:

(config)> network interface my_lan ipv4 dhcp_server lease_time value
(config)>

where value is any number of weeks, days, hours, minutes, or seconds, and takes the format
number{w|d|h|m|s}.
For example, to set network interface my_lan ipv4 dhcp_server lease_time to ten minutes,
enter either 10m or 600s:

(config)> network interface my_lan ipv4 dhcp_server lease_time 600s
(config)>

• By default, DHCP leases are persistent across reboots. You can disable persistent leases:

(config)> network advanced dhcp_persistent_lease false
(config)>

5. (Optional) Set the lowest IP address that the DHCP server will assign to a client. This value
represents the low order byte of the address (the final octet in an IPv4 address, for example,
192.168.2.xxx). The remainder of the IP address will be based on the LAN's static IP address as
defined in the address parameter.

(config)> network interface my_lan ipv4 dhcp_server lease_start num
(config)>

Allowed values are between 1 and 254, and the default is 100.
6. (Optional) Set the highest IP address that the DHCP server will assign to a client:

(config)> network interface my_lan ipv4 dhcp_server lease_end num
(config)>

Allowed values are between 1 and 254, and the default is 250.
7. Sequential DHCP address allocation
By default, DHCP addresses are assigned pseudo-randomly, using a hash of the client's MAC
address to determine the IP address that gets assigned. You can configure the device to use
sequential IP addresses instead:

(config)> network advanced sequential_dhcp_allocation true
(config)>

Because sequential mode does not use a hash based on the client's MAC address, when a DHCP
lease expires, the client is not likely to get the same IP address assigned to it. Therefore,
sequential DHCP address allocation generally should not be used.
8. Optional DHCP server settings:
a. Click to expand Advanced settings.
b. Determine how the DHCP server should broadcast the gateway server:

(config)> network interface my_lan ipv4 dhcp_server advanced gateway value
(config)>

where value is one of:

• none: No gateway is broadcast by the DHCP server. Client destinations must be
resolvable without a gateway.
• auto: Broadcasts the Connect EZ 16/32 device's gateway.
• custom: Allows you to identify the IP address of a custom gateway to be broadcast:

(config)> network interface my_lan ipv4 dhcp_server advanced gateway_custom ip_address
(config)>

The default is auto.


c. Determine how the DHCP server should broadcast the MTU:

(config)> network interface my_lan ipv4 dhcp_server advanced mtu value
(config)>

where value is one of:

• none: An MTU of length 0 is broadcast. This is not recommended.
• auto: No MTU is broadcast and clients will determine their own MTU.
• custom: Allows you to identify a custom MTU to be broadcast:

(config)> network interface my_lan ipv4 dhcp_server advanced mtu_custom mtu
(config)>

The default is auto.


d. Set the domain name that should be appended to host names:

(config)> network interface my_lan ipv4 dhcp_server advanced domain_suffix name
(config)>

e. Set the IP address or host name of the primary and secondary DNS, the primary and
secondary NTP server, and the primary and secondary WINS servers:

(config)> network interface my_lan ipv4 dhcp_server advanced primary_dns value
(config)> network interface my_lan ipv4 dhcp_server advanced secondary_dns value
(config)> network interface my_lan ipv4 dhcp_server advanced primary_ntp value
(config)> network interface my_lan ipv4 dhcp_server advanced secondary_ntp value
(config)> network interface my_lan ipv4 dhcp_server advanced primary_wins value
(config)> network interface my_lan ipv4 dhcp_server advanced secondary_wins value
(config)>

where value is one of:

• none: No server is broadcast.
• auto: Broadcasts the Connect EZ 16/32 device's server.
• custom: Allows you to identify the IP address of the server. For example:

(config)> network interface my_lan ipv4 dhcp_server advanced primary_dns_custom ip_address
(config)>

The default is auto.


f. Set the IP address or host name of the TFTP server:

(config)> network interface my_lan ipv4 dhcp_server advanced nftp_server ip_address
(config)>

g. Set the relative path and file name of the bootfile on the TFTP server:

(config)> network interface my_lan ipv4 dhcp_server advanced bootfile filename
(config)>

h. Enable BOOTP dynamic allocation to automatically assign an IP address to a device on
the server:

CAUTION! The IP address assigned to the device is leased forever and becomes
permanently unavailable for other hosts to use.

(config)> network interface my_lan ipv4 dhcp_server advanced bootp_dynamic true
(config)>

9. See Configure DHCP options for information about custom DHCP options.
10. See Map static IP addresses to hosts for information about static leases.
11. Save the configuration and apply the change.

(config network interface my_lan ipv4 dhcp_server advanced static_lease 0)> save
Configuration saved.
>

12. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Map static IP addresses to hosts


You can configure the DHCP server to assign static IP addresses to specific hosts.

Required configuration items


• IP address that will be mapped to the device.
• MAC address of the device.

Additional configuration items

• A label for this instance of the static lease.

To map static IP addresses:

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:

a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Network > Interfaces.
4. Click to expand an existing LAN, or create a new LAN. See Configure a Local Area Network
(LAN).
5. Click to expand IPv4 > DHCP server > Advanced settings > Static leases.
6. For Add Static lease, click .
7. Type the MAC address of the device associated with this static lease.
8. Type the IP address for the static lease.

Note The IP address here should be outside of the DHCP server's configured lease range. See
Configure a DHCP server for further information about the lease range.

9. (Optional) For Hostname, type a label for the static lease. This does not have to be the
device's actual hostname.
10. Repeat for each additional DHCP static lease.
11. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Add a static lease to the DHCP server configuration for an existing LAN. For example, to add a
static lease to a LAN named my_lan:

(config)> add network interface my_lan ipv4 dhcp_server advanced static_lease end
(config network interface my_lan ipv4 dhcp_server advanced static_lease 0)>

See Configure a Local Area Network (LAN) for information about creating a LAN.
4. Set the MAC address of the device associated with this static lease, using the colon-separated
format:

(config network interface my_lan ipv4 dhcp_server advanced static_lease 0)> mac 00:40:D0:13:35:36
(config network interface my_lan ipv4 dhcp_server advanced static_lease 0)>

5. Set the IP address for the static lease:

(config network interface my_lan ipv4 dhcp_server advanced static_lease 0)> ip 10.01.01.10
(config network interface my_lan ipv4 dhcp_server advanced static_lease 0)>

Note The IP address here should be outside of the DHCP server's configured lease range. See
Configure a DHCP server for further information about the lease range.

6. (Optional) Set a label for this static lease:

(config network interface my_lan ipv4 dhcp_server advanced static_lease 0)> name label
(config network interface my_lan ipv4 dhcp_server advanced static_lease 0)>

7. Save the configuration and apply the change.

(config network interface my_lan ipv4 dhcp_server advanced static_lease 0)> save
Configuration saved.
>

8. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Show current static IP mapping


To view your current static IP mapping:

Web
Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
1. On the main menu, click Status.
2. Under Networking, click DHCP Leases.

Command line

1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Show the static lease configuration. For example, to show the static leases for a LAN named
my_lan:

(config)> show network interface my_lan ipv4 dhcp_server advanced static_lease
0
ip 192.168.2.10
mac BF:C3:46:24:0E:D9
no name
1
ip 192.168.2.11
mac E3:C1:1F:65:C3:0E
no name
(config)>

4. Type cancel to exit configuration mode:

(config)> cancel
>

5. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
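
The note in Map static IP addresses to hosts says a static lease address should sit outside the DHCP server's lease range. The following check is an added example, not part of the Digi guide or firmware: it parses text in the layout of the show output above and flags leases that fall inside the dynamic range, repeat an IP or MAC address, or lie outside the LAN. It assumes a /24 LAN, the sample text is constructed, and the "name printer" line is an assumed rendering of a labelled lease.

```python
import ipaddress
import re

# Constructed sample in the layout of
# "show network interface my_lan ipv4 dhcp_server advanced static_lease".
# The "name printer" line is an assumed rendering of a lease that has a label.
SAMPLE_SHOW_OUTPUT = """\
0
ip 192.168.2.10
mac BF:C3:46:24:0E:D9
no name
1
ip 192.168.2.120
mac E3:C1:1F:65:C3:0E
name printer
2
ip 192.168.2.10
mac 00:40:D0:13:35:36
no name
"""

MAC_RE = re.compile(r"^[0-9A-F]{2}(:[0-9A-F]{2}){5}$")


def parse_static_leases(text):
    """Turn the indexed show output into a list of dicts."""
    leases, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.isdigit():  # a bare number starts a new lease entry
            current = {"index": int(line), "ip": None, "mac": None, "name": None}
            leases.append(current)
        elif current is not None:
            key, _, value = line.partition(" ")
            if key in ("ip", "mac", "name"):  # "no name" leaves the label unset
                current[key] = value.strip()
    return leases


def dynamic_pool(lan_address, lease_start=100, lease_end=250):
    """First and last dynamic address: the LAN address with its low-order byte replaced."""
    if not (1 <= lease_start <= lease_end <= 254):
        raise ValueError("lease range must satisfy 1 <= start <= end <= 254")
    base = int(ipaddress.ip_interface(lan_address).ip) & 0xFFFFFF00
    return (ipaddress.IPv4Address(base | lease_start),
            ipaddress.IPv4Address(base | lease_end))


def check_static_leases(leases, lan_address, lease_start=100, lease_end=250):
    """Return (index, finding) pairs for static leases that need attention."""
    network = ipaddress.ip_interface(lan_address).network
    first, last = dynamic_pool(lan_address, lease_start, lease_end)
    findings, seen_ip, seen_mac = [], set(), set()
    for lease in leases:
        idx = lease["index"]
        mac = (lease["mac"] or "").upper()
        if not MAC_RE.match(mac):
            findings.append((idx, "bad-mac"))
        elif mac in seen_mac:
            findings.append((idx, "duplicate-mac"))
        seen_mac.add(mac)
        try:
            ip = ipaddress.IPv4Address(lease["ip"])
        except ValueError:  # missing, malformed or ambiguous address text
            findings.append((idx, "bad-ip"))
            continue
        if ip not in network:
            findings.append((idx, "outside-lan"))
        elif first <= ip <= last:  # collides with the dynamic lease range
            findings.append((idx, "in-pool"))
        if ip in seen_ip:
            findings.append((idx, "duplicate-ip"))
        seen_ip.add(ip)
    return findings


if __name__ == "__main__":
    parsed = parse_static_leases(SAMPLE_SHOW_OUTPUT)
    for idx, finding in check_static_leases(parsed, "192.168.2.1/24"):
        print(f"static_lease {idx}: {finding}")
```

Pass the LAN's own address and the configured lease_start and lease_end values so the computed range matches the device.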

Delete static IP mapping entries


To delete a static IP entry:

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.


Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Network > Interfaces.
4. Click to expand an existing LAN.
5. Click to expand IPv4 > DHCP server > Advanced settings > Static leases.
6. Click the menu icon (...) next to the name of the static lease to be deleted and select Delete.

7. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Show the static lease configuration. For example, to show the static leases for a LAN named
my_lan:

(config)> show network interface my_lan ipv4 dhcp_server advanced static_lease
0
ip 192.168.2.10
mac BF:C3:46:24:0E:D9
no name
1
ip 192.168.2.11
mac E3:C1:1F:65:C3:0E
no name
(config)>

4. Use the del index_number command to delete a static lease. For example, to delete the static
lease for the device listed in the above output with a MAC address of BF:C3:46:24:0E:D9 (index
number 0):

(config)> del network interface my_lan ipv4 dhcp_server advanced static_lease 0
(config)>

5. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

6. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Configure DHCP options


You can configure DHCP servers running on your Connect EZ device to send certain specified DHCP
options to DHCP clients. You can also set the user class, which enables you to specify which specific
DHCP clients will receive the option. You can also force the option to be sent to the clients.
DHCP options can be set on a per-LAN basis, or can be set for all LANs. A total of 32 DHCP options can
be configured.

Required configuration items


• DHCP option number.
• Value for the DHCP option.

Additional configuration items

• The data type of the value.
• Force the option to be sent to the DHCP clients.
• A label for the custom option.

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Network > Interfaces.
4. Click to expand an existing LAN, or create a new LAN. See Configure a Local Area Network
(LAN).
5. Click to expand IPv4 > DHCP server > Advanced settings > Custom DHCP option.
6. For Add Custom option, click .
Custom options are enabled by default. To disable, toggle off Enable.
7. For Option number, type the DHCP option number.
8. For Value, type the value of the DHCP option.
9. (Optional) For Label, type a label for the custom option.
10. (Optional) If Forced send is enabled, the DHCP option will always be sent to the client, even if
the client does not ask for it.
11. (Optional) For Data type, select the data type that the option uses. If the incorrect data type is
selected, the device will send the value as a string.
12. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Add a custom DHCP option to the DHCP server configuration for an existing LAN. For example,
to add a custom option to a LAN named my_lan:

(config)> add network interface my_lan ipv4 dhcp_server advanced custom_option end
(config network interface my_lan ipv4 dhcp_server advanced custom_option 0)>

See Configure a Local Area Network (LAN) for information about creating a LAN.
4. Custom options are enabled by default. To disable:

(config network interface my_lan ipv4 dhcp_server advanced custom_option 0)> enable false
(config network interface my_lan ipv4 dhcp_server advanced custom_option 0)>

5. Set the option number for the DHCP option:

(config network interface my_lan ipv4 dhcp_server advanced custom_option 0)> option 210
(config network interface my_lan ipv4 dhcp_server advanced custom_option 0)>

6. Set the value for the DHCP option:

(config network interface my_lan ipv4 dhcp_server advanced custom_option 0)> value_str value
(config network interface my_lan ipv4 dhcp_server advanced custom_option 0)>

7. (Optional) Set a label for this custom option:

(config network interface my_lan ipv4 dhcp_server advanced custom_option 0)> name label
(config network interface my_lan ipv4 dhcp_server advanced custom_option 0)>

8. (Optional) To force the DHCP option to always be sent to the client, even if the client does not
ask for it:

(config network interface my_lan ipv4 dhcp_server advanced custom_option 0)> force true
(config network interface my_lan ipv4 dhcp_server advanced custom_option 0)>

9. (Optional) Set the data type that the option uses.
If the incorrect data type is selected, the device will send the value as a string.

(config network interface my_lan ipv4 dhcp_server advanced custom_option 0)> datatype value
(config network interface my_lan ipv4 dhcp_server advanced custom_option 0)>

where value is one of:

• 1byte
• 2byte
• 4byte
• hex
• ipv4
• str
The default is str.
10. Save the configuration and apply the change.

(config network interface my_lan ipv4 dhcp_server advanced custom_option 0)> save
Configuration saved.
>

11. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
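
The data type step above notes that a value that does not match its data type is sent as a string. The following sketch is an added example, not Digi code: it builds the code/length/value bytes that RFC 2132 defines for a DHCP option under each of the listed data types, so the difference on the wire is visible before a forced option reaches every client. The fallback rule is modelled from the sentence above; decimal integer parsing and colon-separated hex input are assumptions about how values are entered.

```python
import ipaddress
import struct

DATATYPES = ("1byte", "2byte", "4byte", "hex", "ipv4", "str")
_INT_FORMATS = {"1byte": "!B", "2byte": "!H", "4byte": "!I"}  # network byte order


def encode_value(value, datatype="str"):
    """Return (payload, datatype_used); datatype_used is "str" after a fallback."""
    if datatype not in DATATYPES:
        raise ValueError(f"unknown datatype {datatype!r}")
    try:
        if datatype in _INT_FORMATS:
            return struct.pack(_INT_FORMATS[datatype], int(value, 10)), datatype
        if datatype == "hex":
            return bytes.fromhex(value.replace(":", "")), datatype
        if datatype == "ipv4":
            return ipaddress.IPv4Address(value).packed, datatype
    except (ValueError, struct.error):
        pass  # value does not fit the declared type: modelled as a string fallback
    return value.encode("ascii"), "str"


def encode_option(number, value, datatype="str"):
    """Build the code/length/value bytes for one DHCP option (RFC 2132 layout)."""
    if not 1 <= number <= 254:  # 0 is the pad option, 255 is the end marker
        raise ValueError("option number must be between 1 and 254")
    payload, _ = encode_value(value, datatype)
    if len(payload) > 255:
        raise ValueError("option payload exceeds the one-byte length field")
    return bytes([number, len(payload)]) + payload


def lint_option(number, value, datatype="str"):
    """Return warnings to resolve before the option is applied."""
    warnings = []
    payload, used = encode_value(value, datatype)
    if used != datatype:
        warnings.append(f"option {number}: {value!r} is not valid {datatype}; "
                        "it would be sent as a string")
    if not payload:
        warnings.append(f"option {number}: empty payload")
    return warnings


if __name__ == "__main__":
    # Option 26 (interface MTU in RFC 2132) expects a 2-byte integer.
    print(encode_option(26, "1500", "2byte").hex())  # 1a0205dc
    print(encode_option(26, "1500", "str").hex())    # 1a0431353030
    print(lint_option(42, "ntp.example.com", "ipv4"))
```

A client that expects two bytes for option 26 receives four ASCII characters when the type is left at str, which is why the lint result is worth checking before enabling Forced send.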

Configure DHCP relay


DHCP relay allows a router to forward DHCP requests from one LAN to a separate DHCP server,
typically connected to a different LAN.
For the Connect EZ 16/32 device, DHCP relay is configured by providing the IP address of a DHCP relay
server, rather than an IP address range. If both the DHCP relay server and an IP address range are
specified, DHCP relay is used, and the specified IP address range is ignored.
Multiple DHCP relay servers can be provided for each LAN. If multiple relay servers are provided, DHCP
requests are forwarded to all servers without waiting for a response. Clients will typically use the IP
address from the first DHCP response received.
Configuring DHCP relay involves the following items:

Required configuration items


• Disable the DHCP server, if it is enabled.
• IP address of the primary DHCP relay server, to define the relay server that will respond to
DHCP requests.

Additional configuration items

• IP address of additional DHCP relay servers.

Web

1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Network > Interfaces.
4. Click to expand an existing LAN, or create a new LAN. See Configure a Local Area Network
(LAN).
5. Disable the DHCP server, if it is enabled:
a. Click to expand IPv4 > DHCP server.
b. Click Enable to toggle off the DHCP server.
6. Click to expand DHCP relay.
7. For Add DHCP Server:, click .
8. For DHCP server address, type the IP address of the relay server.
9. Repeat for each additional DHCP relay server.
10. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Add a DHCP relay server to an existing LAN. For example, to add a server to a LAN named
my_lan:

(config)> add network interface my_lan ipv4 dhcp_relay end
(config network interface my_lan ipv4 dhcp_relay 0)>

See Configure a Local Area Network (LAN) for information about creating a LAN.
4. Set the IP address of the DHCP relay server:

(config network interface my_lan ipv4 dhcp_relay 0)> address 10.10.10.10
(config network interface my_lan ipv4 dhcp_relay 0)>

5. (Optional) Add additional DHCP relay servers:


a. Move back one step in the configuration schema by typing two periods (..):

(config network interface my_lan ipv4 dhcp_relay 0)> ..
(config network interface my_lan ipv4 dhcp_relay)>

b. Add the next server:

(config network interface my_lan ipv4 dhcp_relay)> add end
(config network interface my_lan ipv4 dhcp_relay 1)>

c. Set the IP address of the DHCP relay server:

(config network interface my_lan ipv4 dhcp_relay 1)> address 10.10.10.11
(config network interface my_lan ipv4 dhcp_relay 1)>

d. Repeat for each additional relay server.


6. Disable the DHCP server, if it is enabled:

(config network interface my_lan ipv4 dhcp_relay 1)> .. .. dhcp_server enable false
(config network interface my_lan ipv4 dhcp_relay 1)>

7. Save the configuration and apply the change.

(config network interface my_lan ipv4 dhcp_relay 1)> save
Configuration saved.
>

8. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Show DHCP server status and settings


View DHCP status to monitor which devices have been given IP configuration by the Connect EZ
device and to diagnose DHCP issues.

Web
Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
1. On the main menu, click Status.
2. Under Networking, click DHCP Leases.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. Enter the show dhcp-lease command at the Admin CLI prompt:

> show dhcp-lease

IP Address    Hostname        Expires
------------- --------------- -------
192.168.2.194 MTK-ENG-USER1
192.168.2.195 MTK-ENG-USER2

>

3. Additional information can be returned by using the show dhcp-lease verbose command:

> show dhcp-lease verbose

IP Address    Hostname Expires                  Type    Active MAC Address
------------- -------- ------------------------ ------- ------ -----------------
192.168.2.194 MTK-ENG-USER1 May 19 08:25:11 UTC 2021 Dynamic Yes ba:ba:2c:13:8c:71
192.168.2.195 MTK-ENG-USER2 May 20 11:32:12 UTC 2021 Dynamic Yes 09:eb:10:f0:bc:16

>

4. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
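
For monitoring which devices have been given an address, the verbose lease table can be compared against an inventory of expected MAC addresses. The following is an added example, not part of the Digi guide: it parses text in the column order of show dhcp-lease verbose and reports leases held by unknown MAC addresses, locally administered (often randomized or virtual) MAC addresses, and hostnames claimed by more than one MAC address. The sample rows and the inventory are constructed, and the parser assumes each lease is printed on one line with a non-empty hostname.

```python
import re

# Constructed sample rows in the column order of "show dhcp-lease verbose",
# assuming each lease is printed on a single line.
SAMPLE_VERBOSE = """\
IP Address    Hostname  Expires                  Type    Active MAC Address
------------- --------- ------------------------ ------- ------ -----------------
192.168.2.194 ENG-USER1 May 19 08:25:11 UTC 2021 Dynamic Yes    00:40:d0:13:35:36
192.168.2.195 ENG-USER2 May 20 11:32:12 UTC 2021 Dynamic Yes    00:40:d0:aa:bb:cc
192.168.2.196 ENG-USER1 May 20 12:00:00 UTC 2021 Dynamic Yes    3a:11:22:33:44:55
"""

# Constructed inventory of MAC addresses that are expected on this LAN.
KNOWN_MACS = {"00:40:D0:13:35:36", "00:40:D0:AA:BB:CC"}

ROW = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<hostname>\S+)\s+"
    r"(?P<expires>.+?)\s+"
    r"(?P<type>\S+)\s+"
    r"(?P<active>Yes|No)\s+"
    r"(?P<mac>[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s*$"
)


def parse_leases(text):
    """Return one dict per lease row; header and separator lines are skipped."""
    leases = []
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if match:
            lease = match.groupdict()
            lease["mac"] = lease["mac"].lower()
            leases.append(lease)
    return leases


def audit_leases(leases, known_macs):
    """Return (ip, finding) pairs for leases that deserve a closer look."""
    known = {mac.lower() for mac in known_macs}
    first_owner = {}  # hostname -> first MAC address seen using it
    findings = []
    for lease in leases:
        ip, mac = lease["ip"], lease["mac"]
        host = lease["hostname"].lower()
        if mac not in known:
            findings.append((ip, "unknown-mac"))
        # Bit 0x02 of the first octet marks a locally administered address.
        if int(mac[:2], 16) & 0x02:
            findings.append((ip, "locally-administered-mac"))
        if first_owner.setdefault(host, mac) != mac:
            findings.append((ip, "hostname-reuse"))
    return findings


if __name__ == "__main__":
    for ip, finding in audit_leases(parse_leases(SAMPLE_VERBOSE), KNOWN_MACS):
        print(f"{ip}: {finding}")
```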

Default services listening on LAN ports


The following table lists the default services listening on the specified ports on the Connect EZ 16/32
LAN interfaces:

Description   TCP/UDP   Port numbers
DNS server    UDP       53
DHCP server   UDP       67 and 68
SSH server    TCP       22
Web UI        TCP       443 (also listens on port 80, then redirects to port 443)

Configure an interface to operate in passthrough mode.


You can configure interfaces on your Connect EZ 16/32 device to operate in passthrough mode, which
means that the device passes the IP address assigned to it on a WAN or cellular modem interface, to a
client connected to a LAN interface.

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Network > Interfaces.
4. Create the interface or select an existing interface:
• To create a new interface, for Add interface, type a name for the interface and click .
• To edit an existing interface, click to expand the interface.

The Interface configuration window is displayed.

New Interfaces are enabled by default. To disable, toggle off Enable.


5. For Interface type, select IP Passthrough.
6. For Zone, select Internal.
7. For Device, select an Ethernet device or a Wi-Fi access point.
8. Add one or more interfaces that will be the source of the passed-through IP address:
a. Click to expand Source interfaces.
b. Click to add a source interface.
c. Select the appropriate Interface.
d. Repeat for additional interfaces.
9. (Optional) Packet filtering is disabled by default. Toggle on to enable.
If packet filtering is disabled, traffic is allowed in both directions and it is the responsibility of
the external device to provide its own firewall.
10. (Optional) Allow all addresses is disabled by default. Toggle on to enable.
When enabled, this option allows forwarding between the source interface and devices
connected to this interface, which allows connected devices to forward and receive packets
without network address translation (NAT). This should normally be disabled unless it is
required for modem passthrough, because some cellular carriers will disconnect modems that send
packets that are not from the carrier-assigned IP address.
11. Ancillary addressing is enabled by default, which provides an IPv4 address to the connected
device when the source address is not available.
a. For Ancillary address/netmask, type the IPv4 address and netmask to provide to the
connected device when the source address is not available.
b. For Ancillary gateway, type the IPv4 address of the network gateway to be used by the
connected device when the source address is not available.
c. Ancillary DNS redirect is enabled by default, which resolves all DNS requests to
the connected device and redirects HTTP traffic to the device's web administration page.
12. For Server type, select the type of server to use to pass the IP address through to the client.
13. If PPPoE server is selected for Server type:
a. Click to expand PPPoE server.
b. For Service name, type the name of service to offer to the client.
c. For Access concentrator name, type the name of the access concentrator to report to the
client. If no name is provided, the host name is used.
d. For Authentication method, select the authentication method used to connect to the
remote peer.
If an authentication method is selected, type the Username and Password required to
authenticate the remote peer.
e. (Optional) Click to expand Custom PPP configuration.
f. Custom PPP configuration is disabled by default. Click to toggle on Enable.
g. Enable Override to override the default configuration and use only the custom
configuration file.
h. For Configuration file, type or paste configuration data using the format of a pppd
options file.
14. (Optional) Click to expand 802.1x to configure 802.1x port based network access control.
The Connect EZ 16/32 can function as an 802.1x authenticator; it does not function as an
802.1x supplicant.
a. Click to expand Authentication.
b. Click Enable server to enable the 802.1x authenticator on the Connect EZ 16/32 device.
c. Set the Reauth period.
15. Configure IPv4 settings:
a. Click to expand IPv4.
IPv4 support is enabled by default.
b. Set the Metric.
c. For Weight, type the relative weight for default routes associated with this interface. For
multiple active interfaces with the same metric, Weight is used to load balance traffic to
the interfaces.
d. Set the Management priority. This determines which interface will have priority for
central management activity. The interface with the highest number will be used.
e. Set the MTU.
f. For Use DNS, select one of the following:
• Always: DNS will always be used for this WAN; when multiple interfaces have the
same DNS server, the interface with the lowest metric will be used for DNS
requests.
• When primary default route: Only use the DNS servers provided for this interface
when the interface is the primary route.
• Never: Never use DNS servers for this interface.
g. See Configure SureLink active recovery to detect WAN/WWAN failures for information
about configuring SureLink for active recovery.
16. (Optional) Configure IPv6 settings:
a. Click to expand IPv6.
b. Enable IPv6 support.
c. Set the Metric.
d. For Weight, type the relative weight for default routes associated with this interface. For
multiple active interfaces with the same metric, Weight is used to load balance traffic to
the interfaces.
e. Set the Management priority. This determines which interface will have priority for
central management activity. The interface with the highest number will be used.

f. Set the MTU.
g. For Use DNS, select one of the following:
• Always: DNS will always be used for this WAN; when multiple interfaces have the
same DNS server, the interface with the lowest metric will be used for DNS
requests.
• When primary default route: Only use the DNS servers provided for this interface
when the interface is the primary route.
• Never: Never use DNS servers for this interface.
h. See Configure SureLink active recovery to detect WAN/WWAN failures for information
about configuring SureLink for active recovery.
17. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Create a new interface or edit an existing one:


• To create a new interface named ip_passthrough_interface:

(config)> add network interface ip_passthrough_interface
(config network interface ip_passthrough_interface)>

• To edit an existing interface named ip_passthrough_interface, change to the IP-passthrough-interface node in the configuration schema:

(config)> network interface ip_passthrough_interface
(config network interface ip_passthrough_interface)>

4. Set the interface type to passthrough:

(config network interface ip_passthrough_interface)> type passthrough


(config network interface ip_passthrough_interface)>

5. Set the firewall zone to internal:

(config network interface ip_passthrough_interface)> zone internal


(config network interface ip_passthrough_interface)>

6. Select an Ethernet device or a Wi-Fi access point for this interface:


a. Enter device ? to view available devices and the proper syntax.

(config network interface ip_passthrough_interface)> device ?

Current value:

(config network interface ip_passthrough_interface)> device

b. Set the device for the interface:

(config network interface ip_passthrough_interface)> device device
(config network interface ip_passthrough_interface)>

7. Set passthrough options


8. Configure IPv4 settings:
• IPv4 support is enabled by default. To disable:

(config network interface ip_passthrough_interface)> ipv4 enable false
(config network interface ip_passthrough_interface)>

a. Set the IP metric:

(config network interface ip_passthrough_interface)> ipv4 metric num


(config network interface ip_passthrough_interface)>

b. Set the relative weight for default routes associated with this interface. For multiple active
interfaces with the same metric, the weight is used to load balance traffic to the interfaces.

(config network interface ip_passthrough_interface)> ipv4 weight num


(config network interface ip_passthrough_interface)>

c. Set the management priority. This determines which interface will have priority for central
management activity. The interface with the highest number will be used.

(config network interface ip_passthrough_interface)> ipv4 mgmt num


(config network interface ip_passthrough_interface)>

d. Set the MTU:

(config network interface ip_passthrough_interface)> ipv4 mtu num


(config network interface ip_passthrough_interface)>

e. Configure how to use DNS:

(config network interface ip_passthrough_interface)> ipv4 use_dns value
(config network interface ip_passthrough_interface)>

where value is one of:

• always: DNS will always be used for this WAN; when multiple interfaces have the same DNS server, the interface with the lowest metric will be used for DNS requests.
• primary: Only use the DNS servers provided for this interface when the interface is the primary route.
• never: Never use DNS servers for this interface.
f. See Configure SureLink active recovery to detect WAN/WWAN failures for information
about configuring SureLink for active recovery.
9. (Optional) Configure IPv6 settings:
a. Enable IPv6 support:

(config network interface ip_passthrough_interface)> ipv6 enable true


(config network interface ip_passthrough_interface)>

b. Generally, the default settings for IPv6 support are sufficient. You can view the default IPv6
settings by using the question mark (?):

(config network interface ip_passthrough_interface)> ipv6 ?

IPv6

Parameters    Current Value
-------------------------------------------------------------------------------
enable        true           Enable
metric        0              Metric
mgmt          0              Management priority
mtu           1500           MTU
use_dns       always         Use DNS
weight        10             Weight

(config network interface ip_passthrough_interface)>

c. Modify any of the remaining default settings as appropriate.


10. (Optional) To configure 802.1x port based network access control:

Note The Connect EZ 16/32 can function as an 802.1x authenticator; it does not function as an
802.1x supplicant.

a. Enable the 802.1x authenticator on the Connect EZ 16/32 device:

(config network interface ip_passthrough_interface)> 802_1x authentication enable true
(config network interface ip_passthrough_interface)>

b. Set the frequency period for reauthorization:

(config network interface ip_passthrough_interface)> 802_1x authentication reauth_period value
(config network interface ip_passthrough_interface)>

where value is an integer between 0 and 86400. The default is 3600.


11. Save the configuration and apply the change.

(config network interface ip_passthrough_interface)> save


Configuration saved.
>

12. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Virtual LANs (VLANs)


Virtual LANs (VLANs) allow splitting a single physical LAN into separate Virtual LANs. Each device on a
VLAN can only access other devices on the same VLAN and each device is unaware of any other VLAN,
which isolates networks from one another, even though they run over the same physical network.
Your Connect EZ 16/32 device supports two VLAN modes:
• Trunking: Supports multiple VLANs per Ethernet port, which enables you to extend your VLAN across multiple switches through your entire network.
• Switchport: Each Ethernet port can have one or more VLAN IDs associated with it. Any untagged packets that come into a network interface are automatically tagged with the primary VLAN ID for that switchport. This allows devices on the network that aren't configured with a VLAN to act as if they are directly connected to the VLAN.
This section contains the following topics:

Create a trunked VLAN route
Create a VLAN using switchport mode
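The switchport behavior described above can be modeled on raw Ethernet frames, where the VLAN ID is carried in the 12-bit field of the 802.1Q tag. The following is an added example, not code from the Digi guide or firmware; the function names and the sample frame are constructed, and dropping tagged frames whose VLAN ID is not associated with the port is an assumption of the model.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

# Constructed sample: untagged broadcast IPv4 frame from a made-up host.
UNTAGGED = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"payload"


def parse_vlan(frame):
    """Return (vlan_id, priority) for a tagged frame, or None if untagged."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    # Low 12 bits hold the VLAN ID, top 3 bits hold the priority.
    return tci & 0x0FFF, tci >> 13


def tag_frame(frame, vlan_id, priority=0):
    """Insert an 802.1Q tag between the source MAC and the EtherType."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    if not 1 <= vlan_id <= 4095:  # range this guide gives for the VLAN ID
        raise ValueError("VLAN ID out of range")
    if not 0 <= priority <= 7:
        raise ValueError("priority out of range")
    tci = (priority << 13) | vlan_id
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def switchport_ingress(frame, primary_vid, port_vids):
    """Model one switchport receiving a frame.

    Untagged frames are tagged with the port's primary VLAN ID, as the
    guide describes. Tagged frames are forwarded unchanged only if their
    VLAN ID is associated with the port; dropping the rest (returning
    None) is an assumption of this model, not documented device behavior.
    """
    tag = parse_vlan(frame)
    if tag is None:
        return tag_frame(frame, primary_vid)
    vlan_id, _priority = tag
    return frame if vlan_id in port_vids else None


if __name__ == "__main__":
    port_vids = {10, 20}  # hypothetical VLAN IDs configured on the port
    for label, frame in [
        ("untagged", UNTAGGED),
        ("tagged 20", tag_frame(UNTAGGED, 20)),
        ("tagged 30", tag_frame(UNTAGGED, 30)),
    ]:
        out = switchport_ingress(frame, 10, port_vids)
        print(label, "->", "dropped" if out is None else parse_vlan(out))
```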


Create a trunked VLAN route


Required configuration items
• Device to be assigned to the VLAN.
• The VLAN ID. The TCP header uses the VLAN ID to identify the destination VLAN for the packet.
To create a VLAN:

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Network > Virtual LAN.
4. Type a name for the VLAN and click .
5. Select the Device.
6. Type or select a unique numeric ID for the VLAN ID.
7. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>


3. Add the VLAN:

(config)> add network vlan name


(config)>

4. Set the device to be used by the VLAN:


a. View a list of available devices:

(config network vlan vlan1)> device ?

Device: The Ethernet device to use for this virtual LAN


Format:
/network/device/eth1
/network/device/eth2
/network/device/loopback
/network/vlan/vlan1
/network/bridge/lan
Current value:

(config network vlan vlan1)>

b. Add the device:

(config network vlan vlan1)> device /network/device/


(config network vlan vlan1)>

5. Set the VLAN ID:

(config network vlan vlan1)> id value

where value is an integer between 1 and 4095.


6. Save the configuration and apply the change.

(config network vlan vlan1)> save


Configuration saved.
>

7. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Create a VLAN using switchport mode


Required configuration items
• Device to be assigned to the VLAN.
• The VLAN ID. The TCP header uses the VLAN ID to identify the destination VLAN for the packet.
To create a VLAN using switchport mode:

Web

1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Network > Bridges.
4. For Add Bridge, type a name for the bridge and click .
5. Bridges are enabled by default. To disable, toggle off Enable.
6. For Bridge type, select Switchport.
7. (Optional) Enable Spanning Tree Protocol (STP).
STP is used when using multiple LANs on the same device, to prevent bridge loops and other
routing conflicts.
a. Click STP.
b. Click Enable.
c. For Forwarding delay, enter the number of seconds that the device will spend in each of
the listening and learning states before the bridge begins forwarding data. The default is 2
seconds.
8. For Port, type a name for the VLAN port and click . Generally, numbers are used for VLAN
ports.
9. Select the Device that the port uses.
10. Configure Vlan IDs:
a. Click to expand Vlan IDs.
b. Click the add icon for Add Vlan ID.
c. Type or select a unique numeric Vlan ID.
d. Click the add icon for Add Vlan ID again to add additional VLAN IDs.
11. Click Apply to save the configuration and apply the change.

Command line

1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Add the VLAN:

(config)> add network vlan name


(config)>

4. Set the device to be used by the VLAN:


a. View a list of available devices:

(config network vlan vlan1)> device ?

Device: The Ethernet device to use for this virtual LAN


Format:
/network/device/eth1
/network/device/eth2
/network/device/loopback
/network/vlan/vlan1
/network/bridge/lan
Current value:

(config network vlan vlan1)>

b. Add the device:

(config network vlan vlan1)> device /network/device/


(config network vlan vlan1)>

5. Set the VLAN ID:

(config network vlan vlan1)> id value

where value is an integer between 1 and 4095.


6. Save the configuration and apply the change.

(config network vlan vlan1)> save


Configuration saved.
>

7. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.


Bridging
Bridging is a mechanism to create a single network consisting of multiple devices, such as Ethernet
devices and wireless access points. You can also use bridging to create a Virtual LAN switchport
bridge. See Create a VLAN using switchport mode for more information about switchport bridging for
VLANs.
This section contains the following topics:

Configure a bridge


Configure a bridge
Required configuration items
• A name for the bridge.
Bridges are enabled by default.
• Devices to be included in the bridge.

Additional configuration items

• Enable Spanning Tree Protocol (STP).
To create a bridge:

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Network > Bridges.
4. For Add Bridge, type a name for the bridge and click .
5. Bridges are enabled by default. To disable, toggle off Enable.
6. For Bridge type, select Standard.
See Create a VLAN using switchport mode for information about switchport bridging.
7. (Optional) Enable Spanning Tree Protocol (STP).
STP is used when using multiple LANs on the same device, to prevent bridge loops and other
routing conflicts.
a. Click STP.
b. Click Enable.


c. For Forwarding delay, enter the number of seconds that the device will spend in each of
the listening and learning states before the bridge begins forwarding data. The default is 2
seconds.
8. (Optional) Enable Rapid Spanning Tree Protocol (RSTP) for faster response to topology
changes on the network.
a. Click RSTP to enable.
b. For Hello Time, enter the number of seconds between bridge protocol data units (BPDUs) sent
on a port. The default is 2 seconds.
c. For Max Age, enter the maximum number of seconds before a bridge port saves its BPDU
configuration. The default is 20 seconds.
d. For Priority, enter the system priority. The default priority number is 8.
e. (Optional) For Custom mstpd options, enter the extra configuration options to pass to
the mstpd daemon.
9. Add devices to the bridge:
a. Click to expand Devices.
b. For Add device, click .
c. Select the Device.
d. Repeat to add additional devices.

Note The MAC address of the bridge is taken from the first available device in the list.

10. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Create the bridge:

(config)> add network bridge my_bridge


(config network bridge my_bridge)>

4. Bridges are enabled by default.


• To disable:

(config network bridge my_bridge)> enable false
(config network bridge my_bridge)>

• To enable if it has been disabled:

(config network bridge my_bridge)> enable true
(config network bridge my_bridge)>

5. Set the bridge mode to standard:

(config network bridge my_bridge)> mode standard


(config network bridge my_bridge)>

6. Add devices to the bridge:


a. Determine available devices:

(config network bridge my_bridge)> .. .. interface lan device ?

Default value: /network/lan


Current value: /network/lan

(config network bridge my_bridge)>

b. Add the appropriate device.

Note The MAC address of the bridge is taken from the first available device in the list.

7. (Optional) Enable Spanning Tree Protocol (STP).


STP is used when using multiple LANs on the same device, to prevent bridge loops and other
routing conflicts.
a. Enable STP:

(config network bridge my_bridge)> stp enable true

b. Set the number of seconds that the device will spend in each of the listening and learning
states before the bridge begins forwarding data:

(config network bridge my_bridge)> stp forward_delay num


(config)>

The default is 2 seconds.


8. (Optional) Enable Rapid Spanning Tree Protocol (RSTP) for faster response to topology
changes on the network.

(config network bridge my_bridge)> rstp enable true

9. Save the configuration and apply the change.

(config)> save
Configuration saved.
>


10. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Show SureLink status and statistics


You can show SureLink status for all interfaces, or for an individual interface. You can also show
SureLink status for IPsec tunnels and OpenVPN clients.
SureLink status is only available from the Admin CLI.

Command line

Show SureLink State


To show the current state of SureLink for the Connect EZ 16/32 device, use the show surelink state
command:

1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the Admin CLI prompt, type:

> show surelink state

Test on network.interface.eth1.ipv6 with condition: one


dns_configured (n);

network.interface.eth1.ipv6; -> update_routing_table


ACTION ATTEMPTS STATUS
restart_interface 00/01 [FAILED]
update_routing_table 00/01

Test on network.interface.modem.ipv4 with condition: all


dns_configured (n);

network.interface.modem.ipv4; -> restart_interface


ACTION ATTEMPTS STATUS
update_routing_table 00/03 [ BUSY ]
restart_interface 00/03
reset_modem 00/03
switch_sim 00/03
modem_power_cycle 00/03
restart_interface 00/03

>

Show SureLink status for all interfaces


To show the SureLink status of all interfaces, use the show surelink interface all command:

1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the Admin CLI prompt, type:

> show surelink interface all

Interface  Test                           Proto  Last Response  Status
---------  -----------------------------  -----  -------------  -------
eth1       Interface is up                IPv4   32 seconds     Passing
eth1       Interface's DNS servers (DNS)  IPv4   28 seconds     Passing
eth2       Interface is up                IPv4   21 seconds     Passing
eth2       Interface's DNS servers (DNS)  IPv4   20 seconds     Passing
modem      Interface is up                IPv4   115 seconds    Passing
modem      Interface's DNS servers (DNS)  IPv4   114 seconds    Passing

>

3. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Show SureLink status for a specific interface


To show the SureLink status of a specific interface, use the show surelink interface name name
command:

1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. Use the show surelink interface name name command to show the SureLink status of a specific
interface, for example:

> show surelink interface name eth1

wan1 Surelink Status
--------------------
IPv4 Status : Passing
IPv6 Status : Failed

Test                           Proto  Last Response  Status
-----------------------------  -----  -------------  ------
Interface's DNS servers (DNS)  IPv6   15 seconds     Failed

>

3. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.


Show SureLink status for all IPsec tunnels


To show the SureLink status of all IPsec tunnels, use the show surelink ipsec all command:

1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the Admin CLI prompt, type:

> show surelink ipsec all

IPsec   Test                  Last Response  Status
------  --------------------  -------------  ------------------
test    194.43.79.74 (Ping)   29 seconds     Passed
test    194.43.79.75 (Ping)   5 seconds      Passed
test1   194.43.79.74 (Ping)   21 seconds     Failed
test2   194.43.79.75 (Ping)   21 seconds     Waiting for result

>

3. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Show SureLink status for a specific IPsec tunnel


To show the SureLink status of a specific IPsec tunnel, use the show surelink ipsec tunnel name
command:

1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.

2. Use the show surelink ipsec tunnel name command to show the SureLink status of a specific
tunnel, for example:

> show surelink ipsec tunnel test

IPsec   Test                  Last Response  Status
------  --------------------  -------------  ------------------
test    194.43.79.74 (Ping)   29 seconds     Passed
test    194.43.79.75 (Ping)   5 seconds      Passed

>

3. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.


Show SureLink status for all OpenVPN clients


To show the SureLink status of all OpenVPN clients, use the show surelink openvpn client all command:

1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the Admin CLI prompt, type:

> show surelink openvpn all

OpenVPN Client  Test                  Last Response  Status
--------------  --------------------  -------------  ------------------
test_client1    194.43.79.74 (Ping)   29 seconds     Passed
test_client1    194.43.79.75 (Ping)   5 seconds      Passed
test_client2    194.43.79.74 (Ping)   21 seconds     Failed
test_client2    194.43.79.75 (Ping)   21 seconds     Waiting for result

>

3. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Show SureLink status for a specific OpenVPN client


To show the SureLink status of a specific OpenVPN client, use the show surelink openvpn client name
command:

1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.

2. Use the show surelink openvpn client name command to show the SureLink status of a specific
OpenVPN client, for example:

> show surelink openvpn client test_client1

OpenVPN Client  Test                  Last Response  Status
--------------  --------------------  -------------  ------------------
test_client1    194.43.79.74 (Ping)   29 seconds     Passed
test_client1    194.43.79.75 (Ping)   5 seconds      Passed

>

3. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
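Because SureLink status is only available from the Admin CLI, monitoring it means parsing captured command output. The following is an added example, not part of the Digi guide or any Digi tooling: it parses the interface, IPsec and OpenVPN status tables shown above and reduces them to one verdict per interface, tunnel or client. The sample text is constructed from rows in this guide's example output, and the function names are hypothetical.

```python
import re

# Constructed samples assembled from example rows shown in this guide.
INTERFACE_OUTPUT = """\
Interface Test Proto Last Response Status
--------- ----------------------------- ----- ------------- -------
eth1 Interface is up IPv4 32 seconds Passing
eth1 Interface's DNS servers (DNS) IPv6 15 seconds Failed
modem Interface is up IPv4 115 seconds Passing
>
"""
IPSEC_OUTPUT = """\
IPsec Test Last Response Status
------ -------------------- ------------- ------------------
test 194.43.79.74 (Ping) 29 seconds Passed
test 194.43.79.75 (Ping) 5 seconds Passed
test1 194.43.79.74 (Ping) 21 seconds Failed
test2 194.43.79.75 (Ping) 21 seconds Waiting for result
"""

# name, free-text test description, optional protocol column (interface
# table only), seconds since the last response, free-text status.
ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<test>.+?)\s+(?:(?P<proto>IPv[46])\s+)?"
    r"(?P<age>\d+)\s+seconds\s+(?P<status>\S.*)$"
)
OK_STATES = {"Passing", "Passed"}
SEVERITY = {"ok": 0, "pending": 1, "failed": 2}


def parse_surelink(text):
    """Return one dict per data row; headers, rules and prompts are skipped."""
    rows = []
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if match:
            row = match.groupdict()
            row["age"] = int(row["age"])
            rows.append(row)
    return rows


def verdict(status):
    """Map a status string to ok / pending / failed."""
    if status in OK_STATES:
        return "ok"
    if status == "Failed":
        return "failed"
    # "Waiting for result" and any unrecognized state are not treated as healthy.
    return "pending"


def summarize(rows):
    """Collapse per-test rows to the worst verdict per interface, tunnel or client."""
    worst = {}
    for row in rows:
        current = verdict(row["status"])
        if SEVERITY[current] >= SEVERITY[worst.get(row["name"], "ok")]:
            worst[row["name"]] = current
    return worst


def stale(rows, max_age):
    """Rows whose last response is older than max_age seconds."""
    return [row for row in rows if row["age"] > max_age]


if __name__ == "__main__":
    for sample in (INTERFACE_OUTPUT, IPSEC_OUTPUT):
        rows = parse_surelink(sample)
        print(summarize(rows), [r["name"] for r in stale(rows, 60)])
```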


Configure a TCP connection timeout


You can configure the number of times an unacknowledged TCP data packet will be retransmitted
before the connection is considered lost.
This feature is useful as it allows a backup system to control the serial port if the primary system goes
offline, or for the primary system to be able to recover regardless of whether there has been a
network disruption.
A low number of retries will end a "stale" connection more quickly than a larger number. The default is
15 retries.
Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Set the TCP retry attempts value:
a. Click Network > Advanced.
b. For TCP retries2, enter the number of times an unacknowledged TCP data packet will be
transmitted before the connection is considered lost.
Minimum: 0
Maximum: 255
Default: 15
4. Click Apply to save the configuration and apply the change.
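To choose a retry count for a given failover window, it helps to translate retries into seconds. The following is an added example, not from the Digi guide: it assumes the TCP retries2 setting behaves like the Linux tcp_retries2 parameter of the same name, where the retransmission timeout doubles after each attempt from a 200 ms floor up to a 120 second cap. The function names are hypothetical, and real links with higher round-trip times start from a larger initial timeout.

```python
RTO_MIN = 0.2      # seconds; Linux TCP_RTO_MIN, assumed to apply to this device
RTO_MAX = 120.0    # seconds; Linux TCP_RTO_MAX, assumed to apply to this device
MAX_RETRIES = 255  # upper bound this guide gives for TCP retries2


def detection_time(retries, initial_rto=RTO_MIN):
    """Estimate seconds until an unacknowledged connection is declared lost.

    The first transmission waits initial_rto, and each retransmission
    waits twice as long as the previous one, capped at RTO_MAX. The
    result is a best-case figure: initial_rto grows with the measured
    round-trip time, so high-latency links take longer.
    """
    if not 0 <= retries <= MAX_RETRIES:
        raise ValueError("retries must be between 0 and 255")
    if initial_rto <= 0:
        raise ValueError("initial_rto must be positive")
    total = 0.0
    rto = min(initial_rto, RTO_MAX)
    for _ in range(retries + 1):
        total += rto
        rto = min(rto * 2, RTO_MAX)
    return total


def retries_for_budget(budget_seconds, initial_rto=RTO_MIN):
    """Largest retries value whose detection time fits within the budget.

    Returns None when even 0 retries would exceed the budget.
    """
    best = None
    for retries in range(MAX_RETRIES + 1):
        if detection_time(retries, initial_rto) > budget_seconds:
            break
        best = retries
    return best


if __name__ == "__main__":
    for retries in (3, 5, 8, 15):
        print(f"retries={retries:>2}: about {detection_time(retries):.1f} s")
    # A backup system that must take over the serial port within one minute:
    print("60 s budget on a low-latency LAN:", retries_for_budget(60))
    print("60 s budget with a 1 s initial timeout:", retries_for_budget(60, 1.0))
```

Under these assumptions the default of 15 retries corresponds to roughly 15 minutes before a dead peer is detected, which is why a lower value suits serial port failover.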



Serial port
Connect EZ 16/32 devices have access to different features, depending on the serial port mode
selection.

Default serial port configuration


You can review the default serial port configuration for your device.

Serial mode options


You can choose a serial mode option for each serial port, depending on the feature that you want to
use.
• Login: Allows the port to be used to log into the CLI.
• Remote Access: Provides socket level access to ports.
• Application: Provides access to the serial device from Python applications.
• PPP dial-in: Allows the device to answer Point-to-Point Protocol (PPP) connections over serial ports.
• RealPort: Used in conjunction with the Digi RealPort driver.
• UDP serial: Provides access to the serial port using UDP.
• Modem emulator: Allows the device to act as a dial-up modem emulator for handling incoming AT dial-ins.
• Modbus: Allows the device to function as a Modbus protocol gateway.

View serial port information


• Show serial port status and statistics
• Review the serial port message log

Default serial port configuration


The Connect EZ 16/32 default serial port configuration is:
• Enabled: enabled
• Serial mode: Remote access
• Label: None
• Baud rate: 9600
• Data bits: 8
• Parity: None
• Stop bits: 1
• Flow control: None
• Escape sequence: None
• History size: 0
• Exclusive access: disabled
• Idle timeout: 0 m

Baud rate options


The baud rate options are: 50, 75, 110, 134, 150, 200, 300, 600, 1200, 2400, 4800, 9600, 19200, 38400,
57600, 115200, 230400
• Default baud rate: 9600
• Minimum baud rate: 50
• Maximum baud rate: 230400

Configure Login mode for a serial port


Login mode allows the user to log into the device through the serial port.
To change the configuration to match the serial configuration of the device to which you want to
connect:
Web
1. Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
2. On the menu, click System. Under Configuration, click Serial Configuration.

The Serial Configuration page is displayed.

Note You can also configure the serial port by using Device Configuration > Serial. Changes
made by using either Device Configuration or Serial Configuration will be reflected in both.

3. Click the name of the port that you want to configure.

The serial port is enabled by default. To disable, toggle off Enable.


4. For Mode, select Login.


5. Enable Altpin to use the Altpin feature. Altpin is disabled by default. If you enable Altpin in
EIA-232 mode, the DCD and DSR signals are swapped. This allows use of DCD with 8-wire
cables. Altpin has no impact on 422 or 485 mode. For more information, see Serial connector
pinout.
6. (Optional) For Label, enter a label that will be used when referring to this port.
7. For Signalling, select the electrical signaling interface type used on this serial port:
• RS-232
  ◦ Enable RTS Toggle if you want to enable RTS toggling during transmission on this serial port. If enabled, this setting overrides RTS/CTS flow control.
  ◦ For RTS Pre-delay, enter the amount of time RTS is asserted before starting data transmission. The time is measured in milliseconds. The default is 0ms.
  ◦ For RTS Post-delay, enter the amount of time RTS is deasserted before completing data transmission. The time is measured in milliseconds. The default is 0ms.
• RS-422
  ◦ Enable Termination if you want to enable electrical termination on this serial port.
• RS-485
  ◦ Enable Termination if you want to enable electrical termination on this serial port.
  ◦ Enable Full Duplex if you want to enable full duplex communication on this serial port.
The default is RS-232.
8. Expand Serial Settings.
The entries in the following fields must match the information for the power controller. Refer
to your power controller manual for the correct entries.
a. Baud rate: For Baud rate, select the baud rate used by the device to which you want to
connect. The default is 9600.
• Max baud rate: 230400
• Minimum: 50
For a complete list, see Baud rate options.
b. Data bits: For Data bits, select the number of data bits used by the device to which you
want to connect. The default is 8.
c. Parity: For Parity, select the type of parity used by the device to which you want to
connect. The default is None.
d. Stop bits: For Stop bits, select the number of stop bits used by the device to which you
want to connect. The default is 1.
e. Flow control: For Flow control, select the type of flow control used by the device to
which you want to connect. The default is None.
9. Expand Logging Settings to configure logging for this serial port.
a. To enable logging, click to toggle on Enable.
b. In the Log file name field, enter a descriptive name for the log file.
c. For Log file size, type the size of the log file. When the log file reaches the size limit, the
current file is saved and a new file is created. The default is 65536 bytes.

d. From the Type of data to log list box, specify the type of data that should be saved.
• Received
• Transmitted
• Both
• Both with arrows. This is the default.
e. If you want to log the time at which data was received or transmitted, click the
Timestamps toggle to Enable.
f. If you want to log the data as hexadecimal values, click the Hexadecimal toggle to
Enable.

Note You can review the message log in the Serial Port Log page. See Review the serial
port message log.

10. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. The serial port is enabled by default. To disable:

(config)> serial port1 enable false


(config)>

4. Set the mode:

(config)> serial port1 mode login


(config)>

5. Enable Altpin to use the Altpin feature. Altpin is disabled by default. If you enable Altpin in
EIA-232 mode, the DCD and DSR signals are swapped. This allows use of DCD with 8-wire
cables. Altpin has no impact on 422 or 485 mode. For more information, see Serial connector
pinout.

(config)> serial port1 altpin true


(config)>

6. Set the signaling interface type used on this serial port:

- rs-232
  - Enable rts_toggle if you want to enable RTS toggling during transmission on this
    serial port. If enabled, this setting overrides RTS/CTS flow control:

(config)> serial port1 rts_toggle true
(config)>

  - For rts_pre_delay, enter the amount of time RTS is asserted before starting data
    transmission. The time is measured in milliseconds. The default is 0ms:

(config)> serial port1 rts_pre_delay value
(config)>

  - For rts_post_delay, enter the amount of time RTS is deasserted before completing
    data transmission. The time is measured in milliseconds. The default is 0ms:

(config)> serial port1 rts_post_delay value
(config)>

- rs-422
  - Enable Termination if you want to enable electrical termination on this serial port.
- rs-485
  - Enable termination if you want to enable electrical termination on this serial port:

(config)> serial port1 termination true
(config)>

  - Enable full_duplex if you want to enable full duplex communication on this serial
    port:

(config)> serial port1 full_duplex true
(config)>

The default is rs-232.


7. (Optional) Set a label that will be used when referring to this port.

(config)> serial port1 label label
(config)>

8. Set the baud rate used by the device to which you want to connect:

(config)> serial port1 baudrate rate


(config)>

where rate is the desired baud rate:


- Default baud rate: 9600
- Max baud rate: 230400
- Minimum baud rate: 50
For a complete list, see Baud rate options.
9. Set the number of data bits used by the device to which you want to connect:

(config)> serial port1 databits bits


(config)>


10. Set the type of parity used by the device to which you want to connect:

(config)> serial port1 parity parity


(config)>

Allowed values are:


- even
- odd
- none
The default is none.
11. Set the stop bits used by the device to which you want to connect:

(config)> serial port1 stopbits bits


(config)>

12. Set the type of flow control used by the device to which you want to connect:

(config)> serial port1 flow value


(config)>

where value is one of:


- none
- rts/cts
- xon/xoff
13. Configure serial port logging:
a. Enable serial port logging:

(config)>serial port1 logging enable true


(config)>

b. Set the file name:

(config)>serial port1 logging filename string


(config)>

c. Set the maximum allowed log size for the serial port log when starting the log:

(config)>serial port1 logging size value


(config)>

where value is the size of the log file in bytes. The default is 65536.
d. Specify the data type:

(config)>serial port1 logging type value


(config)>

where value is one of:


- received
- transmitted
- both
- arrows. This is the default.
e. Log the time at which data was received or transmitted:

(config)> serial port1 logging timestamp true
(config)>

f. Log data as hexadecimal values:

(config)> serial port1 logging hex true


(config)>

14. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

15. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Configure Remote Access mode for a serial port


Remote Access mode allows for remote access to another device that is connected to the serial port.
To change the configuration to match the serial configuration of the device to which you want to
connect:

Web
1. Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
2. On the menu, click System. Under Configuration, click Serial Configuration.

The Serial Configuration page is displayed.

Note You can also configure the serial port by using Device Configuration > Serial. Changes
made by using either Device Configuration or Serial Configuration will be reflected in both.


3. Click the name of the port that you want to configure.

The serial port is enabled by default. To disable, toggle off Enable.


4. For Serial mode, select Remote access (TCP).
5. Enable Altpin to use the Altpin feature. Altpin is disabled by default. If you enable Altpin in
EIA-232 mode, the DCD and DSR signals are swapped. This allows use of DCD with 8-wire
cables. Altpin has no impact on 422 or 485 mode. For more information, see Serial connector
pinout.
6. (Optional) For Label, enter a label that will be used when referring to this port.
7. For Signalling, select the electrical signaling interface type used on this serial port:
- RS-232
  - Enable RTS Toggle if you want to enable RTS toggling during transmission on this
    serial port. If enabled, this setting overrides RTS/CTS flow control.
  - For RTS Pre-delay, enter the amount of time RTS is asserted before starting data
    transmission. The time is measured in milliseconds. The default is 0ms.
  - For RTS Post-delay, enter the amount of time RTS is deasserted before completing
    data transmission. The time is measured in milliseconds. The default is 0ms.
- RS-422
  - Enable Termination if you want to enable electrical termination on this serial port.
- RS-485
  - Enable Termination if you want to enable electrical termination on this serial port.
  - Enable Full Duplex if you want to enable full duplex communication on this serial
    port.
The default is RS-232.
8. Expand Serial Settings.
The entries in the following fields must match the information for the power controller. Refer
to your power controller manual for the correct entries.
a. Baud rate: For Baud rate, select the baud rate used by the device to which you want to
connect. The default is 9600.
- Max baud rate: 230400
- Minimum: 50
For a complete list, see Baud rate options.
b. Data bits: For Data bits, select the number of data bits used by the device to which you
want to connect. The default is 8.


c. Parity: For Parity, select the type of parity used by the device to which you want to
connect. The default is None.
d. Stop bits: For Stop bits, select the number of stop bits used by the device to which you
want to connect. The default is 1.
e. Flow control: For Flow control, select the type of flow control used by the device to
which you want to connect. The default is None.
9. Click to expand Data Framing.
a. Click Enable to enable the data framing feature.
b. For Maximum Frame Count, enter the maximum size of the packet. The default is 1024.
c. For Idle Time, enter the length of time the device should wait before sending the packet.
d. For End Pattern, enter the end pattern. The packet is sent when this pattern is received
from the serial port.
e. Click Strip End Pattern if you want to remove the end pattern from the packet before it is
sent.
10. Expand Service Settings.
All service settings are disabled by default. Click available options to toggle them to enabled,
and set the IP ports as appropriate.

Note If the Telnet service is enabled for the serial port, note that the Telnet Login option,
when enabled, prompts the user to enter Telnet login credentials when accessing the serial
port via Telnet. The Telnet Login option is enabled by default. To disable this option, navigate
to System > Device Configuration > Authentication > Serial and disable Telnet Login.

For each type of service, you can also configure the access control.
To do this, you need to go to Device Configuration:
a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


b. Access the configuration for the appropriate type of service:
i. Click to expand Serial.
ii. Click to expand the appropriate serial port.
iii. Click to expand the appropriate type of service.
iv. Click to expand Access Control List.


For example, to set the Access Control List for the SSH connection for serial port 1, click to
expand Serial > Port 1 > SSH connection > Access Control List:

- To limit access to specified IPv4 addresses and networks:
  i. Click IPv4 Addresses.
  ii. For Add Address, click the add icon.
  iii. For Address, enter the IPv4 address or network that can access the device's
  service-type. Allowed values are:
    - A single IP address or host name.
    - A network designation in CIDR notation, for example, 192.168.1.0/24.
    - any: No limit to IPv4 addresses that can access the service-type.
  iv. Click the add icon again to list additional IP addresses or networks.
- To limit access to specified IPv6 addresses and networks:
  i. Click IPv6 Addresses.
  ii. For Add Address, click the add icon.
  iii. For Address, enter the IPv6 address or network that can access the device's
  service-type. Allowed values are:
    - A single IP address or host name.
    - A network designation in CIDR notation, for example, 2001:db8::/48.
    - any: No limit to IPv6 addresses that can access the service-type.
  iv. Click the add icon again to list additional IP addresses or networks.
- To limit access to hosts connected through a specified interface on the device:
  i. Click Interfaces.
  ii. For Add Interface, click the add icon.
  iii. For Interface, select the appropriate interface from the dropdown.
  iv. Click the add icon again to allow access through additional interfaces.
- To limit access based on firewall zones:
  i. Click Zones. By default, there are three firewall zones already configured:
  Internal, Edge, and IPsec.
  ii. For Add Zone, click the add icon.
  iii. For Zone, select the appropriate firewall zone from the dropdown.
  See Firewall configuration for information about firewall zones.
  iv. Click the add icon again to allow access through additional firewall zones.
11. Expand Autoconnect Settings. The autoconnect feature is used to initiate a connection to a
remote server to directly access the serial port.
a. Click Enable to enable the autoconnect feature.
b. For Connection Trigger, select the option that describes the type of event that should
trigger the connection.
If you select the Data received matches a string option, additional fields display.
a. In the Data Match String field, enter the received data string that should trigger the
connection. The syntax is: backslash escaped string
b. The Flush String option determines whether the match string data sent from the
remote server is discarded.
- Enable: Discard the match string data. This is the default.
- Disable: Do not discard the match string data.
c. For Outbound Connection Type, select the option that describes the method used to
initiate the connection.
d. For Destination, enter the host name or IP address of the remote server. When using SSH,
this should be prefixed with the user name and followed by @, for example,
admin@192.168.1.1.
e. For IP port, enter the TCP port of the remote server (1-65535).
f. Click Enable TCP keep-alive to enable TCP keepalive on the connection.
g. Click Enable TCP nodelay to enable TCP nodelay on the connection.
h. For Socket ID string, type text to be transmitted to the remote server when the socket
connects.
12. Expand Session Settings.

a. Enable Exclusive access to limit access to the serial port to a single active session. This
option is disabled by default. When it is disabled, multiple users can connect using Telnet,
TCP, and SSH.
b. For Escape sequence, type the characters used to start an escape sequence. If no
characters are defined, the escape sequence is disabled. The default is ~b.


c. For History size, type or select the number of bytes of output from the serial port that are
written to buffer. These bytes are redisplayed when a user connects to the serial port. The
default is 4000 bytes.
d. For Idle timeout, type the amount of time to wait before disconnecting due to user
inactivity.
13. Expand Monitor Settings.
a. Enable CTS to monitor CTS (Clear to Send) changes on this port.
b. Enable DCD to monitor DCD (Data Carrier Detect) changes on this port.
14. Expand Logging Settings to configure logging for this serial port.
a. To enable logging, click to toggle on Enable.
b. In the Log file name field, enter a descriptive name for the log file.
c. For Log file size, type the size of the log file. When the log file reaches the size limit, the
current file is saved and a new file is created. The default is 65536 bytes.
d. From the Type of data to log list box, specify the type of data that should be saved.
- Received
- Transmitted
- Both
- Both with arrows. This is the default.
e. If you want to log the time at which data was received or transmitted, click the
Timestamps toggle to Enable.
f. If you want to log the data as hexadecimal values, click the Hexadecimal toggle to
Enable.

Note You can review the message log in the Serial Port Log page. See Review the serial
port message log.

15. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Serial ports are enabled by default. To disable:

(config)> serial port_number enable false


(config)>

Command line examples in this section will use port1 for the serial port. However, any port
number can be used.


4. Set the mode:

(config)> serial port1 mode remoteaccess


(config)>

5. Enable Altpin to use the Altpin feature. Altpin is disabled by default. If you enable Altpin in
EIA-232 mode, the DCD and DSR signals are swapped. This allows use of DCD with 8-wire
cables. Altpin has no impact on 422 or 485 mode. For more information, see Serial connector
pinout.

(config)> serial port1 altpin true


(config)>

6. Set the signaling interface type used on this serial port:

- rs-232
  - Enable rts_toggle if you want to enable RTS toggling during transmission on this
    serial port. If enabled, this setting overrides RTS/CTS flow control:

(config)> serial port1 rts_toggle true
(config)>

  - For rts_pre_delay, enter the amount of time RTS is asserted before starting data
    transmission. The time is measured in milliseconds. The default is 0ms:

(config)> serial port1 rts_pre_delay value
(config)>

  - For rts_post_delay, enter the amount of time RTS is deasserted before completing
    data transmission. The time is measured in milliseconds. The default is 0ms:

(config)> serial port1 rts_post_delay value
(config)>

- rs-422
  - Enable Termination if you want to enable electrical termination on this serial port.
- rs-485
  - Enable termination if you want to enable electrical termination on this serial port:

(config)> serial port1 termination true
(config)>

  - Enable full_duplex if you want to enable full duplex communication on this serial
    port:

(config)> serial port1 full_duplex true
(config)>

The default is rs-232.


7. (Optional) Set a label that will be used when referring to this port.

(config)>serial port1 label label


(config)>

8. Set the baud rate used by the device to which you want to connect:

(config)> serial port1 baudrate rate


(config)>

where rate is the desired baud rate:


- Default baud rate: 9600
- Max baud rate: 230400
- Minimum baud rate: 50
For a complete list, see Baud rate options.
9. Set the number of data bits used by the device to which you want to connect:

(config)> serial port1 databits bits


(config)>

10. Set the type of parity used by the device to which you want to connect:

(config)> serial port1 parity parity


(config)>

Allowed values are:


- even
- odd
- none
The default is none.
11. Set the stop bits used by the device to which you want to connect:

(config)> serial port1 stopbits bits


(config)>

12. Set the type of flow control used by the device to which you want to connect:

(config)> serial port1 flow value


(config)>

where value is one of:


- none
- rts/cts
- xon/xoff
13. Configure the session settings.


a. Set the characters used to start an escape sequence:

(config)> serial port1 escape string
(config)>

If no characters are defined, the escape sequence is disabled. The default is ~b.
b. Limit access to the serial port to a single active session:

(config)> serial port1 exclusive true
(config)>

c. Set the number of bytes of output from the serial port that are written to buffer. These
bytes are redisplayed when a user connects to the serial port.

(config)> serial port1 history bytes
(config)>

The default is 4000 bytes.

d. Set the amount of time to wait before disconnecting due to user inactivity:

(config)> serial port1 idle_timeout value
(config)>

where value is any number of weeks, days, hours, minutes, or seconds, and takes the
format number{w|d|h|m|s}.
For example, to set idle_timeout to ten minutes, enter either 10m or 600s:

(config)> serial port1 idle_timeout 600s
(config)>

The default is 15m.

14. Configure monitor settings.
a. (Optional) Enable monitoring of CTS (Clear to Send) changes on this port:

(config)> serial port1 monitor cts true
(config)>

b. (Optional) Enable monitoring of DCD (Data Carrier Detect) changes on this port:

(config)> serial port1 monitor dcd true
(config)>

15. (Optional) Configure autoconnect:


a. Enable autoconnect:

(config)>serial port1 autoconnect enable true


(config)>

b. Set the option that will trigger the connection:

(config)>serial port1 autoconnect trigger value


(config)>


where value is one of:


- always
- data
- dcd
- destination
- dsr
- match
If match is selected:
i. Set the string that, when received, will trigger the connection:

(config)>serial port1 autoconnect match_string string


(config)>

ii. flush_string is enabled by default, which will discard the matched string from
data sent to the server. To disable:

(config)>serial port1 autoconnect flush_string false


(config)>

The default is always.


c. Set the option that initiates the connection:

(config)>serial port1 autoconnect conn_type value


(config)>

where value is one of:


- ssh
- tcp
- telnet
- tls
- tls_auth
The default is tls.
d. Set the host name or IP address of the destination server:

(config)>serial port1 autoconnect destination hostname/IP_address


(config)>

When using SSH, this should be prefixed with the user name and followed by @, for
example:

(config)>serial port1 autoconnect destination admin@192.168.1.1


(config)>

e. Set the TCP port of the destination server:

(config)>serial port1 autoconnect port int


(config)>


where int is any integer between 1 and 65535.


f. To enable TCP keepalive:

(config)>serial port1 autoconnect keepalive true


(config)>

g. To enable TCP nodelay:

(config)>serial port1 autoconnect nodelay true


(config)>

h. Set the text to be transmitted to the remote server when the socket connects:

(config)>serial port1 socketid string


(config)>

16. (Optional) Configure data framing:


a. Enable data framing:

(config)> serial port1 framing enable true
(config)>

b. Set the maximum size of the packet:

(config)> serial port1 framing max_count int
(config)>

The default is 1024.

c. Set the length of time the device should wait before sending the packet:

(config)> serial port1 framing idle_time value
(config)>

where value is in milliseconds (ms) or seconds (s). The maximum value is 60s.
d. Set the end pattern. The packet is sent when this pattern is received from the serial port:

(config)> serial port1 framing end_pattern backslash-escaped-string
(config)>

e. Set the strip end pattern if you want to remove the end pattern from the packet before it is
sent:

(config)> serial port1 framing strip_pattern true
(config)>

17. (Optional) Configure service settings:


a. Configure SSH settings:
i. Enable SSH:

(config)>serial port1 service ssh enable true


(config)>

ii. Set the port to be used for ssh communications:


(config)>serial port1 service ssh port int


(config)>

where int is any integer between 1 and 65535. The default is 3001.
iii. Enable TCP keep-alive messages:

(config)>serial port1 service ssh keepalive true


(config)>

iv. Enable TCP nodelay messages:

(config)>serial port1 service ssh nodelay true


(config)>

v. (Optional) Configure access control:


- To limit access to specified IPv4 addresses and networks:

(config)> add serial port1 service ssh acl address end value
(config)>

Where value can be:

  - A single IP address or host name.
  - A network designation in CIDR notation, for example, 192.168.1.0/24.
  - any: No limit to IPv4 addresses that can access the service-type.

Repeat this step to list additional IP addresses or networks.
- To limit access to specified IPv6 addresses and networks:

(config)> add serial port1 service ssh acl address6 end value
(config)>

Where value can be:

  - A single IP address or host name.
  - A network designation in CIDR notation, for example, 2001:db8::/48.
  - any: No limit to IPv6 addresses that can access the service-type.

Repeat this step to list additional IP addresses or networks.
- To limit access to hosts connected through a specified interface on the
  Connect EZ 16/32 device:

(config)> add serial port1 service ssh acl interface end value
(config)>

Where value is an interface defined on your device.

Display a list of available interfaces:

Use ... network interface ? to display interface information:

Repeat this step to list additional interfaces.
- To limit access based on firewall zones:

(config)> add serial port1 service ssh acl zone end value
(config)>

Where value is a firewall zone defined on your device, or the any keyword.

Display a list of available firewall zones:

Type ... firewall zone ? at the config prompt:

(config)> ... firewall zone ?

Zones: A list of groups of network interfaces that can be referred to by packet
filtering rules and access control lists.

Additional Configuration
-------------------------------------------------------------------------------
any
dynamic_routes
edge
external
internal
ipsec
loopback
setup

(config)>

Repeat this step to include additional firewall zones.


vi. (Optional) Enable Multicast DNS (mDNS):

(config)>serial port1 service ssh mdns enable true


(config)>

b. Configure TCP settings:


i. Enable TCP:

(config)>serial port1 service tcp enable true


(config)>

ii. Set the port to be used for TCP communications:

(config)>serial port1 service tcp port int


(config)>

where int is any integer between 1 and 65535. The default is 4001.
iii. Enable TCP keep-alive messages:


(config)>serial port1 service tcp keepalive true


(config)>

iv. Set the option that initiates the connection:

(config)>serial port1 service tcp conn_type value


(config)>

where value is one of:


- tcp
- tls
- tls_auth
The default is tls.
v. Enable TCP nodelay messages:

(config)>serial port1 service tcp nodelay true


(config)>

vi. (Optional) Configure access control:


- To limit access to specified IPv4 addresses and networks:

(config)> add serial port1 service tcp acl address end value
(config)>

Where value can be:

  - A single IP address or host name.
  - A network designation in CIDR notation, for example, 192.168.1.0/24.
  - any: No limit to IPv4 addresses that can access the service-type.

Repeat this step to list additional IP addresses or networks.
- To limit access to specified IPv6 addresses and networks:

(config)> add serial port1 service tcp acl address6 end value
(config)>

Where value can be:

  - A single IP address or host name.
  - A network designation in CIDR notation, for example, 2001:db8::/48.
  - any: No limit to IPv6 addresses that can access the service-type.

Repeat this step to list additional IP addresses or networks.
- To limit access to hosts connected through a specified interface on the
  Connect EZ 16/32 device:

(config)> add serial port1 service tcp acl interface end value
(config)>

Where value is an interface defined on your device.

Display a list of available interfaces:

Use ... network interface ? to display interface information:

Repeat this step to list additional interfaces.
- To limit access based on firewall zones:

(config)> add serial port1 service tcp acl zone end value
(config)>

Where value is a firewall zone defined on your device, or the any keyword.

Display a list of available firewall zones:

Type ... firewall zone ? at the config prompt:

(config)> ... firewall zone ?

Zones: A list of groups of network interfaces that can be referred to by packet
filtering rules and access control lists.

Additional Configuration
-------------------------------------------------------------------------------
any
dynamic_routes
edge
external
internal
ipsec
loopback
setup

(config)>

Repeat this step to include additional firewall zones.


vii. (Optional) Enable Multicast DNS (mDNS):

(config)>serial port1 service tcp mdns enable true


(config)>

c. Configure telnet settings:


i. Enable Telnet:

(config)>serial port1 service telnet enable true


(config)>

ii. Set the port to be used for Telnet communications:

(config)>serial port1 service telnet port int


(config)>

where int is any integer between 1 and 65535. The default is 3001.


iii. Enable TCP keep-alive messages:

(config)>serial port1 service telnet keepalive true


(config)>

iv. Enable TCP nodelay messages:

(config)>serial port1 service telnet nodelay true


(config)>

v. (Optional) Configure access control:


- To limit access to specified IPv4 addresses and networks:

(config)> add serial port1 service telnet acl address end value
(config)>

Where value can be:

  - A single IP address or host name.
  - A network designation in CIDR notation, for example, 192.168.1.0/24.
  - any: No limit to IPv4 addresses that can access the service-type.

Repeat this step to list additional IP addresses or networks.
- To limit access to specified IPv6 addresses and networks:

(config)> add serial port1 service telnet acl address6 end value
(config)>

Where value can be:

  - A single IP address or host name.
  - A network designation in CIDR notation, for example, 2001:db8::/48.
  - any: No limit to IPv6 addresses that can access the service-type.

Repeat this step to list additional IP addresses or networks.
- To limit access to hosts connected through a specified interface on the
  Connect EZ 16/32 device:

(config)> add serial port1 service telnet acl interface end value
(config)>

Where value is an interface defined on your device.

Display a list of available interfaces:

Use ... network interface ? to display interface information:

Repeat this step to list additional interfaces.
- To limit access based on firewall zones:

(config)> add serial port1 service telnet acl zone end value
(config)>

Where value is a firewall zone defined on your device, or the any keyword.

Display a list of available firewall zones:

Type ... firewall zone ? at the config prompt:

(config)> ... firewall zone ?

Zones: A list of groups of network interfaces that can be referred to by packet
filtering rules and access control lists.

Additional Configuration
-------------------------------------------------------------------------------
any
dynamic_routes
edge
external
internal
ipsec
loopback
setup

(config)>

Repeat this step to include additional firewall zones.


vi. (Optional) Enable Multicast DNS (mDNS):

(config)>serial port1 service telnet mdns enable true


(config)>

18. Configure serial port logging:


a. Enable serial port logging:

(config)>serial port1 logging enable true


(config)>

b. Set the file name:

(config)>serial port1 logging filename string


(config)>

c. Set the maximum allowed log size for the serial port log when starting the log:

(config)>serial port1 logging size value


(config)>

where value is the size of the log file in bytes. The default is 65536.


d. Specify the data type:

(config)>serial port1 logging type value


(config)>

where value is one of:


- received
- transmitted
- both
- arrows. This is the default.
e. Log the time at which data was received or transmitted:

(config)> serial port1 logging timestamp true
(config)>

f. Log data as hexadecimal values:

(config)> serial port1 logging hex true


(config)>

19. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

20. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
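
As an added example (not Digi's code and not part of the original guide), the following Python sketch reviews a set of Remote Access commands in the CLI syntax shown above and flags the settings that widen exposure of a serial port: the Telnet service, the tcp connection type, `any` ACL entries, shared sessions, and long idle timeouts. The sample commands, the finding names, and the 15-minute policy limit are assumptions made for the illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample input: commands in the CLI syntax used in the steps above.
SAMPLE_COMMANDS = """\
(config)> serial port1 mode remoteaccess
(config)> serial port1 idle_timeout 2h
(config)> serial port1 service telnet enable true
(config)> add serial port1 service telnet acl address end any
(config)> serial port1 service tcp enable true
(config)> serial port1 service tcp conn_type tcp
(config)> add serial port1 service tcp acl address end 192.168.1.0/24
(config)> serial port2 mode remoteaccess
(config)> serial port2 exclusive true
(config)> serial port2 idle_timeout 10m
(config)> serial port2 service ssh enable true
(config)> add serial port2 service ssh acl address end 192.168.1.0/24
(config)> add serial port2 service ssh acl zone end internal
"""

UNIT_SECONDS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}
MAX_IDLE_SECONDS = 15 * 60  # assumed policy limit, set to the documented default (15m)

PROMPT_RE = re.compile(r"^\(config\)>\s*")
ADD_ACL_RE = re.compile(r"^add serial (port\w+) service (\w+) acl (\w+) end (\S+)$")
SET_RE = re.compile(r"^serial (port\w+) (.+) (\S+)$")


def parse_duration(text):
    """Convert number{w|d|h|m|s} (for example 10m or 600s) to seconds, else None."""
    m = re.fullmatch(r"(\d+)([wdhms])", text)
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)] if m else None


def parse_commands(text):
    """Collect per-port settings and ACL entries from config-mode command lines."""
    ports = defaultdict(lambda: {"settings": {}, "acl": defaultdict(list)})
    for raw in text.splitlines():
        line = PROMPT_RE.sub("", raw.strip())
        m = ADD_ACL_RE.match(line)
        if m:
            port, service, kind, value = m.groups()
            ports[port]["acl"][service].append((kind, value))
            continue
        m = SET_RE.match(line)
        if m:
            port, path, value = m.groups()
            ports[port]["settings"][path] = value
    return ports


def is_unrestricted(value):
    """True for the any keyword or a network that covers every address."""
    if value == "any":
        return True
    try:
        return ipaddress.ip_network(value, strict=False).prefixlen == 0
    except ValueError:
        return False  # host name, interface, or zone name


def audit(text):
    """Return (port, finding) pairs for ports set to remoteaccess mode."""
    findings = []
    for port, cfg in sorted(parse_commands(text).items()):
        s = cfg["settings"]
        if s.get("mode") != "remoteaccess":
            continue
        enabled = [svc for svc in ("ssh", "tcp", "telnet")
                   if s.get(f"service {svc} enable") == "true"]
        if not enabled:
            continue
        if "telnet" in enabled:  # Telnet carries logins and data unencrypted
            findings.append((port, "telnet-cleartext"))
        # The documented default conn_type for the TCP service is tls.
        if "tcp" in enabled and s.get("service tcp conn_type", "tls") == "tcp":
            findings.append((port, "tcp-unencrypted"))
        for svc in enabled:  # only ACL entries present in the input are judged
            if any(is_unrestricted(v) for _, v in cfg["acl"][svc]):
                findings.append((port, f"{svc}-acl-any"))
        if s.get("exclusive", "false") != "true":  # disabled by default
            findings.append((port, "shared-session"))
        idle = parse_duration(s.get("idle_timeout", "15m"))
        if idle is None:
            findings.append((port, "idle-timeout-unparsed"))
        elif idle > MAX_IDLE_SECONDS:
            findings.append((port, "idle-timeout-long"))
    return findings


if __name__ == "__main__":
    for port, finding in audit(SAMPLE_COMMANDS):
        print(f"{port}: {finding}")
```

The script evaluates only the commands it is given, so a port with no ACL lines in the input is not reported either way; the effective ACL on the device still has to be checked there.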

Configure Application mode for a serial port


Application mode provides access to the serial device from Python applications.
To change the configuration to match the serial configuration of the device to which you want to
connect:
Web
1. Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
2. On the menu, click System. Under Configuration, click Serial Configuration.

The Serial Configuration page is displayed.

Note You can also configure the serial port by using Device Configuration > Serial. Changes
made by using either Device Configuration or Serial Configuration will be reflected in both.


3. Click the name of the port that you want to configure.

The serial port is enabled by default. To disable, toggle off Enable.


4. For Mode, select Application. The default is Login.
5. Enable Altpin to use the Altpin feature. Altpin is disabled by default. If you enable Altpin in
EIA-232 mode, the DCD and DSR signals are swapped. This allows use of DCD with 8-wire
cables. Altpin has no impact on 422 or 485 mode. For more information, see Serial connector
pinout.
6. (Optional) For Label, enter a label that will be used when referring to this port.
7. For Signalling, select the electrical signaling interface type used on this serial port:
n RS-232
l Enable RTS Toggle if you want to enable RTS toggling during transmission on this
serial port. If enabled, this setting overrides RTS\CTS flow control.
l For RTS Pre-delay, enter the amount of time RTS is asserted before starting data
transmission. The time is measured in milliseconds. The default is 0ms.
l For RTS Post-delay, enter the amount of time RTS is deasserted before completing
data transmission. The time is measured in milliseconds. The default is 0ms.
n RS-422
l Enable Termination if you want to enable electrical termination on this serial port.
n RS-485
l Enable Termination if you want to enable electrical termination on this serial port.
l Enable Full Duplex if you want to enable full duplex communication on this serial
port.
The default is RS-232.
8. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>


3. The serial port is enabled by default. To disable:

(config)> serial port1 enable false


(config)>

4. Set the mode:

(config)> serial port1 mode application


(config)>

5. Enable Altpin to use the Altpin feature. Altpin is disabled by default. If you enable Altpin in
EIA-232 mode, the DCD and DSR signals are swapped. This allows use of DCD with 8-wire
cables. Altpin has no impact on 422 or 485 mode. For more information, see Serial connector
pinout.

(config)> serial port1 altpin true


(config)>

6. Set the signaling interface type used on this serial port:

- rs-232
  - Enable rts_toggle if you want to enable RTS toggling during transmission on this
    serial port. If enabled, this setting overrides RTS/CTS flow control:

(config)> serial port1 rts_toggle true
(config)>

  - For rts_pre_delay, enter the amount of time RTS is asserted before starting data
    transmission. The time is measured in milliseconds. The default is 0ms:

(config)> serial port1 rts_pre_delay value
(config)>

  - For rts_post_delay, enter the amount of time RTS is deasserted before completing
    data transmission. The time is measured in milliseconds. The default is 0ms:

(config)> serial port1 rts_post_delay value
(config)>

- rs-422
  - Enable Termination if you want to enable electrical termination on this serial port.
- rs-485
  - Enable termination if you want to enable electrical termination on this serial port:

(config)> serial port1 termination true
(config)>

  - Enable full_duplex if you want to enable full duplex communication on this serial
    port:

(config)> serial port1 full_duplex true
(config)>

The default is rs-232.

7. (Optional) Set a label that will be used when referring to this port.

(config)> serial port1 label label
(config)>

8. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

9. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Configure PPP dial-in mode for a serial port


PPP dial-in allows the device to answer Point-to-Point Protocol (PPP) connections over serial ports.
To change the configuration to match the serial configuration of the device to which you want to
connect:
Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click to expand the name of the port that you want to configure, for example, Port 1.
The serial port is enabled by default. To disable, toggle off Enable.


4. For Mode, select PPP-Dial-in. The default is Login.

5. (Optional) For Label, enter a label that will be used when referring to this port.
6. For Baud rate, select the baud rate used by the device to which you want to connect. The
default is 9600.
- Max baud rate: 230400
- Minimum: 50
For a complete list, see Baud rate options.
7. For Flow control, select the type of flow control used by the device to which you want to
connect. The default is None.
8. Enable Altpin to use the Altpin feature. Altpin is disabled by default. If you enable Altpin in
EIA-232 mode, the DCD and DSR signals are swapped. This allows use of DCD with 8-wire
cables. Altpin has no impact on 422 or 485 mode. For more information, see Serial connector
pinout.
9. For Idle timeout, type the amount of time that the active session can be idle before the
session is disconnected.
Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the
format number{w|d|h|m|s}.
For example, to set Idle timeout to ten minutes, enter 10m or 600s.
10. Click to expand PPP dial-in.
11. For Local IP address, type the IP address assigned to this interface.
12. For Remote IP address, type the IP address assigned to the remote peer.
13. For Metric, set the priority of routes associated with this interface. If there are multiple active
routes that match a destination, then the route with the lowest metric will be used.
14. For Default route, toggle to control whether a default route gets added for the PPP interface.
This feature is disabled by default.
15. For Zone, select the firewall zone for this interface. This can be used by packet filtering rules
and access control lists to restrict network traffic on this interface.
16. For Authentication method, select the method used to authenticate the remote peer. Allowed
values are:
- None: No authentication is required.
- Automatic: Attempt to authenticate using CHAP first, and then PAP.
- CHAP: Use Challenge Handshake Authentication Protocol (CHAP) to authenticate.
- PAP: Use Password Authentication Protocol (PAP) to authenticate.
If Automatic, CHAP, or PAP is selected, type the Username and Password used to
authenticate the remote peer.
17. (Optional) Configure the serial port to use a custom PPP configuration file:
a. Click to expand Custom PPP configuration.
b. Click Enable to enable the use of a custom PPP configuration file.
c. Click Override to override the default PPP configuration and only use the custom
configuration file.
If Override is not enabled, the custom PPP configuration file is used in addition to the
default configuration.
d. For Configuration file, paste or type the configuration data in the format of a pppd
options file. Because the options are passed directly to the pppd command line, they
should all be entered on a single line. For example:

debug lcp-echo-interval 10 lcp-echo-failure 2

18. (Optional) Configure a script that will be run to prepare the link before PPP negotiations are
started:
a. Click to expand Connect script.
b. Click Enable to enable the use of a connection script.
c. For Connect script filename, type the name of the script. Scripts are located in the
/etc/config/serial directory. An example script, windows_dun.sh is provided.
Example windows_dun.sh file:

#!/bin/sh

# Example connect script for connecting from a PC using a Windows dial-up
# networking connection with built-in standard 33600 bps modem driver and phone
# number 123.

# The shell's 'read' builtin breaks on newline, so translate incoming carriage-
# return to newline, and outgoing newline to carriage-return-newline.
stty icrnl onlcr opost

# Read input from the serial port, one line at a time.
while read -r line; do
    case "$line" in
        ATDT123)
            echo "CONNECT" # instruct the peer to start PPP
            exit 0 # start up the local PPP session
            ;;
        AT*)
            echo "OK" # passively accept any other AT command
            ;;
    esac
done

19. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. The serial port is enabled by default. To disable:

(config)> serial port1 enable false


(config)>

4. Set the mode:

(config)> serial port1 mode ppp_dialin


(config)>

5. (Optional) Set a label that will be used when referring to this port.

(config)> serial port1 label label


(config)>

6. Set the baud rate used by the device to which you want to connect:

(config)> serial port1 baudrate rate


(config)>

where rate is the desired baud rate:
- Default baud rate: 9600
- Max baud rate: 230400
- Minimum baud rate: 50
For a complete list, see Baud rate options.
7. Set the type of flow control used by the device to which you want to connect:

(config)> serial port1 flow value


(config)>

where value is one of:
- none
- rts/cts
- xon/xoff


8. Set the amount of time that the active session can be idle before the session is disconnected:

(config)> serial port1 idle_timeout value


(config)>

where value is any number of weeks, days, hours, minutes, or seconds, and takes the format
number{w|d|h|m|s}.
For example, to set idle_timeout to ten minutes, enter either 10m or 600s:

(config)> serial port1 idle_timeout 600s


(config)>

9. Enable Altpin to use the Altpin feature. Altpin is disabled by default. If you enable Altpin in
EIA-232 mode, the DCD and DSR signals are swapped. This allows use of DCD with 8-wire
cables. Altpin has no impact on 422 or 485 mode. For more information, see Serial connector
pinout.

(config)> serial port1 altpin true


(config)>

10. Set the local IP address assigned to this interface:

(config)> serial port1 ppp_dialin local_address IPv4_address


(config)>

11. Set the IP address assigned to the remote peer:

(config)> serial port1 ppp_dialin remote_address IPv4_address


(config)>

12. Adding a default route for the PPP interface is disabled by default. To enable:

(config)> serial port1 ppp_dialin default_route true
(config)>

13. Set the authentication method used to authenticate the remote peer:

(config)> serial port1 ppp_dialin auth value


(config)>

where value is one of:
- none: No authentication is required.
- auto: Attempt to authenticate using CHAP first, and then PAP.
- chap: Use Challenge Handshake Authentication Protocol (CHAP) to authenticate.
- pap: Use Password Authentication Protocol (PAP) to authenticate.
The default is none.
If auto, chap, or pap is set, set the username and password used to authenticate the remote
peer:


(config)> serial port1 ppp_dialin username username


(config)> serial port1 ppp_dialin password password
(config)>

14. Set the priority of routes associated with this interface. If there are multiple active routes that
match a destination, then the route with the lowest metric will be used.

(config)> serial port1 ppp_dialin metric int


(config)>

The default is 10.


15. Set the firewall zone for this interface. This can be used by packet filtering rules and access
control lists to restrict network traffic on this interface.
a. Use the ? to determine available zones:

(config)> serial port1 ppp_dialin zone ?

Zone: The firewall zone assigned to this interface. This can be used by packet
filtering rules and access control lists to restrict network traffic on this
interface.
Format:
  any
  dynamic_routes
  edge
  external
  internal
  ipsec
  loopback
  setup
Default value: internal
Current value: internal

(config)>

b. Set the zone:

(config)> serial port1 ppp_dialin zone zone


(config)>

16. (Optional) Configure the serial port to use a custom PPP configuration file:
a. Enable the use of a custom PPP configuration file:

(config)> serial port1 ppp_dialin custom enable true


(config)>

b. Enable override to override the default PPP configuration and only use the custom
configuration file:


(config)> serial port1 ppp_dialin custom override true


(config)>

If override is not enabled, the custom PPP configuration file is used in addition to the
default configuration.
c. Paste or type the configuration data in the format of a pppd options file:

(config)> serial port1 ppp_dialin custom config_file data


(config)>

where data are one or more pppd command line options. Because the options are passed
directly to the pppd command line, they should all be entered on a single line. For
example:

(config)> serial port1 ppp_dialin custom config_file "debug lcp-echo-interval 10 lcp-echo-failure 2"
(config)>

17. (Optional) Configure a script that will be run to prepare the link before PPP negotiations are
started:
a. Enable the use of a connection script.

(config)> serial port1 ppp_dialin connect enable true


(config)>

b. Set the name of the script:

(config)> serial port1 ppp_dialin connect script filename


(config)>

Scripts are located in the /etc/config/serial directory. An example script, windows_dun.sh,
is provided.
Example windows_dun.sh file:

#!/bin/sh

# Example connect script for connecting from a PC using a Windows dial-up
# networking connection with built-in standard 33600 bps modem driver and phone
# number 123.

# The shell's 'read' builtin breaks on newline, so translate incoming carriage-
# return to newline, and outgoing newline to carriage-return-newline.
stty icrnl onlcr opost

# Read input from the serial port, one line at a time.
while read -r line; do
    case "$line" in
        ATDT123)
            echo "CONNECT" # instruct the peer to start PPP
            exit 0 # start up the local PPP session
            ;;
        AT*)
            echo "OK" # passively accept any other AT command
            ;;
    esac
done

18. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

19. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
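
The authentication method and idle timeout set above decide which peers can bring up a PPP session on the serial line and how long an idle session stays open. The following added example (not part of the Digi guide or firmware) audits a CLI transcript built only from the commands shown in this section; the sample session, the function names, and the one-hour idle policy are assumptions.

```python
import re
import shlex

# Constructed sample session; every command form is taken from this section.
SAMPLE_SESSION = """\
(config)> serial port1 mode ppp_dialin
(config)> serial port1 idle_timeout 10m
(config)> serial port1 ppp_dialin auth pap
(config)> serial port1 ppp_dialin username fielduser
(config)> serial port2 mode ppp_dialin
(config)> serial port2 ppp_dialin auth chap
(config)> serial port2 ppp_dialin username fielduser
(config)> serial port2 ppp_dialin password example-only
(config)> serial port2 idle_timeout 1h
(config)> serial port3 mode ppp_dialin
"""

UNIT_SECONDS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_duration(text):
    """Convert the guide's number{w|d|h|m|s} format to seconds."""
    match = re.fullmatch(r"(\d+)([wdhms])", text)
    if not match:
        raise ValueError(f"not in number{{w|d|h|m|s}} format: {text!r}")
    return int(match.group(1)) * UNIT_SECONDS[match.group(2)]


def parse_session(session):
    """Collect 'serial <port> <setting...> <value>' lines per port."""
    ports = {}
    for line in session.splitlines():
        # Drop the prompt, for example "(config)> ".
        command = re.sub(r"^\(config[^)]*\)>\s*", "", line.strip())
        words = shlex.split(command)
        if len(words) < 4 or words[0] != "serial":
            continue
        port, key, value = words[1], " ".join(words[2:-1]), words[-1]
        ports.setdefault(port, {})[key] = value
    return ports


def audit_port(settings, max_idle_seconds=3600):
    """Return findings for one ppp_dialin port.

    max_idle_seconds is a hypothetical local policy, not a device limit.
    """
    findings = []
    auth = settings.get("ppp_dialin auth", "none")  # guide: default is none
    if auth == "none":
        findings.append("auth none: the remote peer is not authenticated")
    elif auth == "pap":
        findings.append("auth pap: password crosses the link in cleartext")
    elif auth == "auto":
        findings.append("auth auto: PAP is attempted after CHAP")
    if auth != "none":
        for field in ("username", "password"):
            if f"ppp_dialin {field}" not in settings:
                findings.append(f"auth {auth} set but no {field} configured")
    idle = settings.get("idle_timeout")
    if idle is None:
        findings.append("no idle_timeout set in this session")
    elif parse_duration(idle) > max_idle_seconds:
        findings.append(f"idle_timeout {idle} exceeds {max_idle_seconds}s")
    return findings


def audit_session(session):
    """Audit every port that the transcript switches to ppp_dialin mode."""
    report = {}
    for port, settings in sorted(parse_session(session).items()):
        if settings.get("mode") == "ppp_dialin":
            report[port] = audit_port(settings)
    return report


if __name__ == "__main__":
    for port, findings in audit_session(SAMPLE_SESSION).items():
        print(port, findings or "ok")
```
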

Configure UDP serial mode for a serial port


The UDP serial mode option in the serial port configuration provides access to the serial port using
UDP.
To change the configuration to match the serial configuration of the device to which you want to
connect:

Web
1. Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
2. On the menu, click System. Under Configuration, click Serial Configuration.

The Serial Configuration page is displayed.

Note You can also configure the serial port by using Device Configuration > Serial. Changes
made by using either Device Configuration or Serial Configuration will be reflected in both.


3. Click to expand the port that you want to configure for UDP serial mode.

The serial port is enabled by default. To disable, toggle off Enable.


4. For Mode, select UDP serial.
The default is Login.
5. (Optional) For Label, enter a label that will be used when referring to this port.
6. Enable Altpin to use the Altpin feature. Altpin is disabled by default. If you enable Altpin in
EIA-232 mode, the DCD and DSR signals are swapped. This allows use of DCD with 8-wire
cables. Altpin has no impact on 422 or 485 mode. For more information, see Serial connector
pinout.
7. For Signalling, select the electrical signaling interface type used on this serial port:
- RS-232
  - Enable RTS Toggle if you want to enable RTS toggling during transmission on this
    serial port. If enabled, this setting overrides RTS/CTS flow control.
  - For RTS Pre-delay, enter the amount of time RTS is asserted before starting data
    transmission. The time is measured in milliseconds. The default is 0ms.
  - For RTS Post-delay, enter the amount of time RTS is deasserted before completing
    data transmission. The time is measured in milliseconds. The default is 0ms.
- RS-422
  - Enable Termination if you want to enable electrical termination on this serial port.
- RS-485
  - Enable Termination if you want to enable electrical termination on this serial port.
  - Enable Full Duplex if you want to enable full duplex communication on this serial
    port.
The default is RS-232.
8. Expand Serial Settings.

a. For Baud rate, select the baud rate used by the device to which you want to connect.
- Default baud rate: 9600
- Max baud rate: 230400
- Minimum: 50
For a complete list, see Baud rate options.


b. For Data bits, select the number of data bits used by the device to which you want to
connect.
c. For Parity, select the type of parity used by the device to which you want to connect.
d. For Stop bits, select the number of stop bits used by the device to which you want to
connect.
e. For Flow control, select the type of flow control used by the device to which you want to
connect.
9. Expand Data Framing Settings.

a. Click to expand Data Framing.


i. Click Enable to enable the data framing feature.
ii. For Maximum Frame Count, enter the maximum size of the packet. The default is
1024.
iii. For Idle Time, enter the length of time the device should wait before sending the
packet.
iv. For End Pattern, enter the end pattern. The packet is sent when this pattern is
received from the serial port.
v. Click Strip End Pattern if you want to remove the end pattern from the packet before
it is sent.
10. Expand UDP Serial Settings.

a. For Local port, enter the UDP port. The default is 4001 for serial port 1, 4002 for serial port
2, etc.


b. (Optional) For Socket String ID, enter a string that should be added at the beginning of
each packet.
c. For Destinations, you can configure the remote sites to which you want to send data. If
you do not specify any destinations, the Connect EZ 16/32 sends new data to the last IP
address and port from which data was received. To add a destination:
i. Click Add Destination. A destination row is added.
ii. (Optional) For Description, enter a description of the destination.
iii. For Hostname, enter the host name or IP address of the remote site to which data
should be sent.
iv. For Port, enter the port number of the remote site to which data should be sent.
You can also configure access control for the serial port.
To do this, you need to go to Device Configuration:
a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


b. Access the configuration for the appropriate type of service:
i. Click to expand Serial.
ii. Click to expand the appropriate serial port.
iii. Click to expand UDP serial.
iv. Click to expand Access Control List.


- To limit access to specified IPv4 addresses and networks:
i. Click IPv4 Addresses.
ii. For Add Address, click .
iii. For Address, enter the IPv4 address or network that can access the device's
service-type. Allowed values are:
  - A single IP address or host name.
  - A network designation in CIDR notation, for example, 192.168.1.0/24.
  - any: No limit to IPv4 addresses that can access the service-type.
iv. Click again to list additional IP addresses or networks.
- To limit access to specified IPv6 addresses and networks:
i. Click IPv6 Addresses.
ii. For Add Address, click .
iii. For Address, enter the IPv6 address or network that can access the device's
service-type. Allowed values are:
  - A single IP address or host name.
  - A network designation in CIDR notation, for example, 2001:db8::/48.
  - any: No limit to IPv6 addresses that can access the service-type.
iv. Click again to list additional IP addresses or networks.
- To limit access to hosts connected through a specified interface on the device:
i. Click Interfaces.
ii. For Add Interface, click .
iii. For Interface, select the appropriate interface from the dropdown.
iv. Click again to allow access through additional interfaces.
- To limit access based on firewall zones:
i. Click Zones. By default, there are three firewall zones already configured:
Internal, Edge, and IPsec.
ii. For Add Zone, click .
iii. For Zone, select the appropriate firewall zone from the dropdown.
See Firewall configuration for information about firewall zones.
iv. Click again to allow access through additional firewall zones.
11. Expand Logging Settings to configure logging for this serial port.
a. To enable logging, click to toggle on Enable.
b. In the Log file name field, enter a descriptive name for the log file.
c. For Log file size, type the size of the log file. When the log file reaches the size limit, the
current file is saved and a new file is created. The default is 65536 bytes.
d. From the Type of data to log list box, specify the type of data that should be saved.
- Received
- Transmitted
- Both
- Both with arrows. This is the default.
e. If you want to log the time at which data was received or transmitted, click the
Timestamps toggle to Enable.
f. If you want to log the data as hexadecimal values, click the Hexadecimal toggle to
Enable.

Note You can review the message log in the Serial Port Log page. See Review the serial
port message log.

12. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.


2. At the command line, type config to enter configuration mode:

> config
(config)>

3. The serial port is enabled by default. To disable:

(config)> serial port1 enable false


(config)>

4. Set the mode:

(config)> serial port1 mode udp


(config)>

5. Enable Altpin to use the Altpin feature. Altpin is disabled by default. If you enable Altpin in
EIA-232 mode, the DCD and DSR signals are swapped. This allows use of DCD with 8-wire
cables. Altpin has no impact on 422 or 485 mode. For more information, see Serial connector
pinout.

(config)> serial port1 altpin true


(config)>

6. Set the signaling interface type used on this serial port:

- rs-232
  - Enable rts_toggle if you want to enable RTS toggling during transmission on this
    serial port. If enabled, this setting overrides RTS/CTS flow control:

(config)> serial port1 rts_toggle true
(config)>

  - For rts_pre_delay, enter the amount of time RTS is asserted before starting data
    transmission. The time is measured in milliseconds. The default is 0ms:

(config)> serial port1 rts_pre_delay value
(config)>

  - For rts_post_delay, enter the amount of time RTS is deasserted before completing
    data transmission. The time is measured in milliseconds. The default is 0ms:

(config)> serial port1 rts_post_delay value
(config)>

- rs-422
  - Enable Termination if you want to enable electrical termination on this serial port.
- rs-485
  - Enable termination if you want to enable electrical termination on this serial port:

(config)> serial port1 termination true
(config)>

  - Enable full_duplex if you want to enable full duplex communication on this serial
    port:

(config)> serial port1 full_duplex true
(config)>

The default is rs-232.


7. (Optional) Set a label that will be used when referring to this port.

(config)>serial port1 label label


(config)>

8. Set the baud rate used by the device to which you want to connect:

(config)> serial port1 baudrate rate
(config)>

where rate is the desired baud rate:
- Default baud rate: 9600
- Max baud rate: 230400
- Minimum baud rate: 50
For a complete list, see Baud rate options.
9. Set the number of data bits used by the device to which you want to connect:

(config)> serial port1 databits bits
(config)>

10. Set the type of parity used by the device to which you want to connect:

(config)> serial port1 parity parity
(config)>

Allowed values are:
- even
- odd
- none
The default is none.
11. Set the stop bits used by the device to which you want to connect:

(config)> serial port1 stopbits bits
(config)>

12. Set the type of flow control used by the device to which you want to connect:

(config)> serial port1 flow type
(config)>

Allowed values are:
- none
- rts/cts
- xon/xoff
The default is none.
13. (Optional) Configure data framing:
a. Enable data framing:

(config)> serial port1 framing enable true
(config)>

b. Set the maximum size of the packet:

(config)> serial port1 framing max_count int
(config)>

The default is 1024.

c. Set the length of time the device should wait before sending the packet:

(config)> serial port1 framing idle_time value
(config)>

where value is in milliseconds (ms) or seconds (s). The maximum value is 60s.
d. Set the end pattern. The packet is sent when this pattern is received from the serial port:

(config)> serial port1 framing end_pattern backslash-escaped-string
(config)>

e. Set the strip end pattern if you want to remove the end pattern from the packet before it is
sent:

(config)> serial port1 framing strip_pattern true
(config)>

14. Set the UDP port:

(config)> serial port1 udp port port


(config)>

The default is 4001.


15. (Optional) Enter a string that should be added at the beginning of each packet:

(config)> serial port1 udp socketid backslash-escaped-string


(config)>

16. Configure the remote sites to which you want to send data. If you do not specify any
destinations, the Connect EZ 16/32 sends new data to the last hostname and port from which
data was received. To add a destination:

i. Add a destination:

(config)> add serial port1 udp destination end
(config serial port1 udp destination 0)>

ii. (Optional) Enter a description of the destination:

(config serial port1 udp destination 0)> description string
(config serial port1 udp destination 0)>

iii. Set the host name or IP address of the remote site to which data should be sent:

(config serial port1 udp destination 0)> hostname hostname-or-IP-address
(config serial port1 udp destination 0)>

iv. Set the port number of the remote site to which data should be sent:

(config serial port1 udp destination 0)> port port
(config serial port1 udp destination 0)>

17. (Optional) Configure access control:


a. Return to the root configuration prompt by typing ...:

(config serial port1 udp destination 0)> ...


(config)>

b. Set the Access Control List:


- To limit access to specified IPv4 addresses and networks:

(config)> add serial port1 udp acl address end value
(config)>

Where value can be:
  - A single IP address or host name.
  - A network designation in CIDR notation, for example, 192.168.1.0/24.
  - any: No limit to IPv4 addresses that can access the service-type.
Repeat this step to list additional IP addresses or networks.
- To limit access to specified IPv6 addresses and networks:

(config)> add serial port1 udp acl address6 end value
(config)>

Where value can be:
  - A single IP address or host name.
  - A network designation in CIDR notation, for example, 2001:db8::/48.
  - any: No limit to IPv6 addresses that can access the service-type.
Repeat this step to list additional IP addresses or networks.
- To limit access to hosts connected through a specified interface on the Connect EZ
16/32 device:

(config)> add serial port1 udp acl interface end value
(config)>

Where value is an interface defined on your device.

Display a list of available interfaces:

Use ... network interface ? to display interface information:

Repeat this step to list additional interfaces.

- To limit access based on firewall zones:

(config)> add serial port1 udp acl zone end value
(config)>

Where value is a firewall zone defined on your device, or the any keyword.

Display a list of available firewall zones:

Type ... firewall zone ? at the config prompt:

(config)> ... firewall zone ?

Zones: A list of groups of network interfaces that can be referred to by packet
filtering rules and access control lists.

Additional Configuration
-------------------------------------------------------------------------------
any
dynamic_routes
edge
external
internal
ipsec
loopback
setup

(config)>

Repeat this step to include additional firewall zones.




18. Configure serial port logging:
a. Enable serial port logging:

(config)> serial port1 logging enable true
(config)>

b. Set the file name:

(config)> serial port1 logging filename string
(config)>

c. Set the maximum allowed log size for the serial port log when starting the log:

(config)> serial port1 logging size value
(config)>

where value is the size of the log file in bytes. The default is 65536.
d. Specify the data type:

(config)> serial port1 logging type value
(config)>

where value is one of:

- received
- transmitted
- both
- arrows. This is the default.

e. Log the time at which data was received or transmitted:

(config)> serial port1 logging timestamp true
(config)>

f. Log data as hexadecimal values:

(config)> serial port1 logging hex true
(config)>

19. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

20. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
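
The access control list step above accepts a single address or host name, a CIDR network, or any. The following Python helper is an added example, not part of the Digi guide: it reviews a planned ACL before it is typed in and emits the matching add serial port1 udp acl commands. The function names, the breadth thresholds and the sample entries are assumptions made for the illustration.

```python
import ipaddress

# Broadest prefix accepted without a finding (assumed review policy, not a device limit).
MIN_PREFIX = {4: 16, 6: 48}

# Constructed sample plan, keyed by the CLI list names used in the guide.
PLANNED_ACL = {
    "address": ["192.168.1.0/24", "10.0.0.0/8", "192.168.1.5/24", "any"],
    "address6": ["2001:db8::/48", "203.0.113.7", "scada-gw.example.net"],
}


def classify(value):
    """Return (kind, version, normalized) for one ACL value.

    kind is 'any', 'address', 'network' or 'hostname'; version is 4, 6 or None.
    Raises ValueError for a malformed network.
    """
    v = value.strip()
    if v.lower() == "any":
        return ("any", None, "any")
    try:
        ip = ipaddress.ip_address(v)
        return ("address", ip.version, str(ip))
    except ValueError:
        pass
    if "/" in v:
        # strict=True rejects entries such as 192.168.1.5/24 that have host bits set
        net = ipaddress.ip_network(v, strict=True)
        return ("network", net.version, str(net))
    return ("hostname", None, v)


def review(acl, port="port1"):
    """Return (commands, findings) for a planned UDP serial ACL.

    commands are CLI lines in the guide's syntax; findings are (value, reason)
    pairs a reviewer should look at before the configuration is saved.
    """
    commands, findings = [], []
    for key, want in (("address", 4), ("address6", 6)):
        for raw in acl.get(key, []):
            try:
                kind, version, norm = classify(raw)
            except ValueError as exc:
                findings.append((raw, f"invalid: {exc}"))
                continue
            if version is not None and version != want:
                findings.append((raw, f"IPv{version} value in the {key} list"))
                continue
            if kind == "any":
                findings.append((raw, f"no IPv{want} address limit on this service"))
            elif kind == "hostname":
                findings.append((raw, "host name: permitted address is whatever it resolves to"))
            elif kind == "network" and ipaddress.ip_network(norm).prefixlen < MIN_PREFIX[want]:
                findings.append((raw, f"network broader than /{MIN_PREFIX[want]}"))
            commands.append(f"add serial {port} udp acl {key} end {norm}")
    return commands, findings


if __name__ == "__main__":
    cmds, finds = review(PLANNED_ACL)
    for line in cmds:
        print("(config)>", line)
    for value, reason in finds:
        print("REVIEW", value, "-", reason)
```

Entries that are malformed or placed in the wrong address family produce a finding and no command; entries that are valid but broad (any, a host name, a wide network) produce both, so the reviewer decides.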


Configure Modem emulator mode for a serial port


Modem emulator mode allows the device to act as a dial-up modem emulator for handling incoming
AT dial-ins.
To change the configuration to match the serial configuration of the device to which you want to
connect:
Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click to expand the name of the port that you want to configure, for example, Port 1.
The serial port is enabled by default. To disable, toggle off Enable.
4. For Mode, select Modem emulator. The default is Login.
5. (Optional) For Label, enter a label that will be used when referring to this port.
6. For Baud rate, select the baud rate used by the device to which you want to connect. The
default is 9600.
- Max baud rate: 230400
- Minimum baud rate: 50
For a complete list, see Baud rate options.
7. For Data bits, select the number of data bits used by the device to which you want to connect.
The default is 8.
8. For Parity, select the type of parity used by the device to which you want to connect. The
default is None.
9. For Stop bits, select the number of stop bits used by the device to which you want to connect.
The default is 1.
10. For Flow control, select the type of flow control used by the device to which you want to
connect. The default is None.


11. Enable Altpin to use the Altpin feature. Altpin is disabled by default. If you enable Altpin in
EIA-232 mode, the DCD and DSR signals are swapped. This allows use of DCD with 8-wire
cables. Altpin has no impact on 422 or 485 mode. For more information, see Serial connector
pinout.
12. For Idle timeout, type the amount of time that the active session can be idle before the
session is disconnected.
Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the
format number{w|d|h|m|s}.
For example, to set Idle timeout to ten minutes, enter 10m or 600s.
13. For Escape character, type the character to use in the escape sequence. Enter this character
three times, followed by the escape delay and then an AT command to switch from data mode
to command mode. The default is the plus sign (+).
14. For Escape delay, type the delay between the escape sequence and an AT command to switch
from data mode to command mode. The default is 1s.
15. For Auto-answer rings, type the number of rings to wait before auto-answering. Enter 0 (zero)
to disable auto-answering.
16. Command echo is enabled by default. Commands sent to the port are echoed back to the
user. Select to disable this feature.
17. For Result codes, select the type of result codes that are displayed as responses to commands.
Options are:
- None: No result codes are displayed.
- Numeric: Numeric result codes are displayed.
- Verbose: Result codes are displayed in English, for example: OK, ERROR, CONNECT. This
is the default.
18. (Optional) Click to expand Phonebook and create dial strings that can be used to connect to
remote servers.
a. Click the add icon to add a phone book entry.
b. For Label, type a descriptive name for the phone book entry.
c. (Required) For Dialstring, type the string to dial to connect to the remote server.
d. (Required) For Connection destination, type the hostname or IP address of the remote
server.
e. (Required) For Connection port, type the TCP port of the remote server. Minimum is 1 and
maximum is 65535.
19. Expand TCP connection to configure TCP connection for this serial port.
a. To enable a TCP connection, click to toggle on Enable.
b. For Port, type the TCP port for this service. The default is 4001.
c. Expand Access control list to create a list of IP addresses, interfaces, and firewall zones
from which this service may be accessed.
- To limit access to specified IPv4 addresses and networks:
i. Click IPv4 Addresses.
ii. For Add Address, click the add icon.
iii. For Address, enter the IPv4 address or network that can access the device's
service-type. Allowed values are:
  - A single IP address or host name.
  - A network designation in CIDR notation, for example, 192.168.1.0/24.
  - any: No limit to IPv4 addresses that can access the service-type.
iv. Click the add icon again to list additional IP addresses or networks.
- To limit access to specified IPv6 addresses and networks:
i. Click IPv6 Addresses.
ii. For Add Address, click the add icon.
iii. For Address, enter the IPv6 address or network that can access the device's
service-type. Allowed values are:
  - A single IP address or host name.
  - A network designation in CIDR notation, for example, 2001:db8::/48.
  - any: No limit to IPv6 addresses that can access the service-type.
iv. Click the add icon again to list additional IP addresses or networks.
- To limit access to hosts connected through a specified interface on the device:
i. Click Interfaces.
ii. For Add Interface, click the add icon.
iii. For Interface, select the appropriate interface from the dropdown.
iv. Click the add icon again to allow access through additional interfaces.
- To limit access based on firewall zones:
i. Click Zones. By default, there are three firewall zones already configured:
Internal, Edge, and IPsec.
ii. For Add Zone, click the add icon.
iii. For Zone, select the appropriate firewall zone from the dropdown.
See Firewall configuration for information about firewall zones.
iv. Click the add icon again to allow access through additional firewall zones.
d. Toggle on Enable mDNS to enable Multicast DNS (mDNS) reporting for this service. This
feature is disabled by default.
20. Expand Logging Settings to configure logging for this serial port.
a. To enable logging, click to toggle on Enable.
b. In the Log file name field, enter a descriptive name for the log file.
c. For Log file size, type the size of the log file. When the log file reaches the size limit, the
current file is saved and a new file is created. The default is 65536 bytes.
d. From the Type of data to log list box, specify the type of data that should be saved.
- Received
- Transmitted
- Both
- Both with arrows. This is the default.
e. If you want to log the time at which data was received or transmitted, click the
Timestamps toggle to Enable.
f. If you want to log the data as hexadecimal values, click the Hexadecimal toggle to
Enable.

Note You can review the message log in the Serial Port Log page. See Review the serial
port message log.

21. Click Apply to save the configuration and apply the change.

Configure Modbus mode for a serial port


Modbus mode allows you to use the serial port for Modbus. See Modbus gateway.
To change the configuration to match the serial configuration of the device to which you want to
connect:
Web
1. Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
2. On the menu, click System. Under Configuration, click Serial Configuration.

The Serial Configuration page is displayed.

Note You can also configure the serial port by using Device Configuration > Serial. Changes
made by using either Device Configuration or Serial Configuration will be reflected in both.

3. Click the name of the port that you want to configure.

The serial port is enabled by default. To disable, toggle off Enable.


4. For Mode, select Modbus.
5. Enable Altpin to use the Altpin feature. Altpin is disabled by default. If you enable Altpin in
EIA-232 mode, the DCD and DSR signals are swapped. This allows use of DCD with 8-wire
cables. Altpin has no impact on 422 or 485 mode. For more information, see Serial connector
pinout.
6. (Optional) For Label, enter a label that will be used when referring to this port.
7. For Signalling, select the electrical signaling interface type used on this serial port:
- RS-232
  - Enable RTS Toggle if you want to enable RTS toggling during transmission on this
    serial port. If enabled, this setting overrides RTS/CTS flow control.
  - For RTS Pre-delay, enter the amount of time RTS is asserted before starting data
    transmission. The time is measured in milliseconds. The default is 0ms.
  - For RTS Post-delay, enter the amount of time RTS is deasserted before completing
    data transmission. The time is measured in milliseconds. The default is 0ms.
- RS-422
  - Enable Termination if you want to enable electrical termination on this serial port.
- RS-485
  - Enable Termination if you want to enable electrical termination on this serial port.
  - Enable Full Duplex if you want to enable full duplex communication on this serial
    port.
The default is RS-232.
8. Expand Serial Settings.
The entries in the following fields must match the information for the power controller. Refer
to your power controller manual for the correct entries.
a. Baud rate: For Baud rate, select the baud rate used by the device to which you want to
connect. The default is 9600.
- Max baud rate: 230400
- Minimum: 50
For a complete list, see Baud rate options.
b. Data bits: For Data bits, select the number of data bits used by the device to which you
want to connect. The default is 8.
c. Parity: For Parity, select the type of parity used by the device to which you want to
connect. The default is None.
d. Stop bits: For Stop bits, select the number of stop bits used by the device to which you
want to connect. The default is 1.
e. Flow control: For Flow control, select the type of flow control used by the device to
which you want to connect. The default is None.
9. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. The serial port is enabled by default. To disable:

(config)> serial port1 enable false


(config)>


4. Set the mode:

(config)> serial port1 mode modbus


(config)>

5. Enable Altpin to use the Altpin feature. Altpin is disabled by default. If you enable Altpin in
EIA-232 mode, the DCD and DSR signals are swapped. This allows use of DCD with 8-wire
cables. Altpin has no impact on 422 or 485 mode. For more information, see Serial connector
pinout.

(config)> serial port1 altpin true


(config)>

6. Set the signaling interface type used on this serial port:

- rs-232
  - Enable rts_toggle if you want to enable RTS toggling during transmission on this
    serial port. If enabled, this setting overrides RTS/CTS flow control:

(config)> serial port1 rts_toggle true
(config)>

  - For rts_pre_delay, enter the amount of time RTS is asserted before starting data
    transmission. The time is measured in milliseconds. The default is 0ms:

(config)> serial port1 rts_pre_delay value
(config)>

  - For rts_post_delay, enter the amount of time RTS is deasserted before completing
    data transmission. The time is measured in milliseconds. The default is 0ms:

(config)> serial port1 rts_post_delay value
(config)>

- rs-422
  - Enable Termination if you want to enable electrical termination on this serial port.
- rs-485
  - Enable termination if you want to enable electrical termination on this serial port:

(config)> serial port1 termination true
(config)>

  - Enable full_duplex if you want to enable full duplex communication on this serial
    port:

(config)> serial port1 full_duplex true
(config)>

The default is rs-232.


7. (Optional) Set a label that will be used when referring to this port.

(config)> serial port1 label label
(config)>

8. Set the baud rate used by the device to which you want to connect:

(config)> serial port1 baudrate rate


(config)>

where rate is the desired baud rate:


- Default baud rate: 9600
- Max baud rate: 230400
- Minimum baud rate: 50
For a complete list, see Baud rate options.
9. Set the number of data bits used by the device to which you want to connect:

(config)> serial port1 databits bits


(config)>

10. Set the type of parity used by the device to which you want to connect:

(config)> serial port1 parity parity


(config)>

Allowed values are:


- even
- odd
- none
The default is none.
11. Set the stop bits used by the device to which you want to connect:

(config)> serial port1 stopbits bits


(config)>

12. Set the type of flow control used by the device to which you want to connect:

(config)> serial port1 flow value


(config)>

where value is one of:


- none
- rts/cts
- xon/xoff
13. Save the configuration and apply the change.

(config)> save
Configuration saved.
>


14. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Copy a serial port configuration


You can copy the configuration defined for one serial port to other serial ports on the same device.
This feature is useful if you have several ports that have the same or a similar configuration.

Web
1. Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
2. On the menu, click System. Under Configuration, click Serial Configuration.

The Serial Configuration page is displayed.


3. Find the serial port that has the configuration that you want to copy.
4. You can drag-and-drop the selected configuration to copy it, or click the copy configuration
icon.
- Drag-and-drop: Click the copy configuration icon and drag it over a different serial
port, then drop it.
- Click: Click the copy configuration icon.

5. The Copy Configuration dialog displays.

6. Select the items you want to copy and specify the serial ports to which the configuration
should be applied.


Field: Copy Port X configuration to these ports
Description: Enter the serial port numbers to which the configuration should be
applied. You can enter a single number or a group, such as: 2-5, 10, 13-15.
If you used the drag-and-drop method, the serial port number on
which you dropped the configuration is entered in this field by default.
You can change the entry if needed.

Field: Copy these settings
Description: The setting sections available for the selected serial port mode are
selected by default. You can click the box next to an item name to
select or deselect it.
If you select a setting section that is not available for the serial mode
types, the settings are copied, but have no effect on the current serial
port mode.

Field: Set IP Port numbers to sequential values on these services
Description: Note This feature is optional.
Select a service, and then set the IP port number to a starting number
in the Base port field. When the configuration is applied to each
selected port, a sequential IP port number is applied to the defined
serial ports.
For example, serial port 1 has the TCP port set to a base port number,
and you choose to apply sequential TCP port numbers to serial ports 2,
3, and 4.
The TCP port numbers would be assigned as follows:
- Serial port 1: base port number +1
- Serial port 2: base port number +2
- Serial port 3: base port number +3
- Serial port 4: base port number +4

7. Click Copy. The configuration is copied to the specified serial ports.


8. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type a to access the Admin CLI.
2. At the command line, type system serial copy plus the parameters for the features you want
to include. More than one parameter can be specified so you can copy more settings.

system serial copy SOURCE DESTINATION [all] [autoconnect]
[autodetect] [base] [data_match] [framing] [hangup] [label]
[logging] [modem] [monitor] [ppp_dialin] [serial] [service]
[session] [udp]


where:
- SOURCE: The serial port that you want to copy from. (Required)
- DESTINATION: A list of the serial ports to which you want to copy the configuration.
Example: 1-4,8-10, or type all. (Required)
Syntax:
- all: Copy all serial port settings.
- autoconnect: Copy the autoconnect settings.
- autodetect: Copy the autodetect settings.
- base: Copy enable, mode, sharing, and signal settings.
- data_match: Copy the data matching settings.
- framing: Copy the data framing settings.
- hangup: Copy the hangup or signal loss settings.
- label: Copy the label settings.
- logging: Copy the logging settings.
- modem: Copy the modem emulator settings.
- monitor: Copy the signal change monitoring settings.
- ppp_dialin: Copy the PPP dial-in settings.
- serial: Copy the baud rate, data bits, parity, stop bits, and flow control settings.
- service: Copy SSH, TCP, and Telnet service settings.
- session: Copy escape, history, exclusive, and idle timeout settings.
- udp: Copy UDP serial settings.
3. (Optional) Set sequential IP port numbers for a service on a list of ports.

system serial ipport DESTINATION SERVICE BASE

Where:
- DESTINATION: Enter a list of serial ports to set IP port numbers. Example: 1-4,8-10, or
type all. (Required)
- SERVICE: The service type to set IP port numbers. (Required)
Where SERVICE is one of: ssh, tcp, telnet, or udp
- BASE: Set service IP port numbers to base port + serial port number. (Required)
4. Type exit to exit the Admin CLI.
Depending on your device configuration, you may be presented with an Access selection
menu. Type q to disconnect from the device.
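
The following Python sketch is an added example, not part of the Digi guide. It expands a DESTINATION list and applies the rule stated for system serial ipport (base port + serial port number), so the resulting listeners can be checked against ports already in use and against firewall or ACL rules before the command is run. The function names, the 16-port count, the base of 4000 and the in-use set are constructed for the illustration.

```python
SERVICES = ("ssh", "tcp", "telnet", "udp")  # SERVICE values listed in the guide


def parse_port_list(spec, port_count):
    """Expand a DESTINATION list such as '1-4,8-10' or 'all' into serial port numbers."""
    spec = spec.strip().lower()
    if spec == "all":
        return list(range(1, port_count + 1))
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            raise ValueError("empty item in port list")
        lo, sep, hi = part.partition("-")
        first = int(lo)                      # raises ValueError on non-numeric input
        last = int(hi) if sep else first
        if first > last:
            raise ValueError(f"descending range: {part}")
        if first < 1 or last > port_count:
            raise ValueError(f"{part} is outside 1-{port_count}")
        ports.update(range(first, last + 1))
    return sorted(ports)


def plan_ip_ports(destination, base, port_count=16, in_use=()):
    """Return (plan, conflicts).

    plan maps serial port number -> IP port (base + serial port number);
    conflicts lists the serial ports whose IP port is already in in_use.
    """
    taken = set(in_use)
    plan, conflicts = {}, []
    for n in parse_port_list(destination, port_count):
        ip_port = base + n
        if not 1 <= ip_port <= 65535:
            raise ValueError(f"serial port {n}: IP port {ip_port} is out of range")
        plan[n] = ip_port
        if ip_port in taken:
            conflicts.append(n)
    return plan, conflicts


def ipport_command(destination, service, base):
    """Build the CLI line in the guide's syntax after validating SERVICE."""
    if service not in SERVICES:
        raise ValueError(f"SERVICE must be one of {', '.join(SERVICES)}")
    return f"system serial ipport {destination} {service} {base}"


if __name__ == "__main__":
    # Constructed scenario: 16-port unit, ports 22, 443 and 4003 already have listeners.
    plan, conflicts = plan_ip_ports("1-4,8-10", 4000, port_count=16, in_use={22, 443, 4003})
    for serial_port, ip_port in plan.items():
        flag = "  <-- already in use" if serial_port in conflicts else ""
        print(f"serial port {serial_port:2d} -> TCP {ip_port}{flag}")
    if not conflicts:
        print(ipport_command("1-4,8-10", "tcp", 4000))
```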

Configure RealPort mode using the Digi Navigator


You can configure RealPort mode for the Connect EZ 16/32 using the Digi Navigator application.
When you install Digi Navigator on your computer, the RealPort application is automatically installed
as well. Each time the Digi Navigator is launched on your computer, any Digi devices that are on the
network and support device discovery are discovered by the Navigator.
For each of the devices that have been discovered, you can set all serial ports on the device to
RealPort mode, and then also enable the RealPort service. The COM ports on your laptop are also
configured. These processes ensure that RealPort is configured on the device and on your computer.


Operating system
The Digi Navigator can only be installed on a computer with a Windows OS. If you are using Linux,
you can manually install and configure RealPort without Digi Navigator. For the Linux installation
process, refer to the Get started: Install RealPort for LINUX in the RealPort Installation User's Guide.

Installation and configuration process


These steps explain how to install and configure the Digi Navigator.
Step 1: Install the Digi Navigator
Step 2: Configure RealPort on a Digi device from the Digi Navigator

Digi Navigator features


- Digi Navigator application features
- Manage the RealPort configured Digi device list
- Access the web UI from the Digi Navigator
- Filter devices for display in the Digi Navigator
- Access Digi Remote Manager from the Digi Navigator

Install the Digi Navigator


This section explains how to download and install the Digi Navigator application.

Note Microsoft Visual C++ is required for RealPort and is installed by default during the Digi Navigator
install process.

1. Navigate to the Digi Navigator support page.

Note The Digi Navigator application can also be downloaded from your device's product
support page.

2. Scroll down to the Product Resources tab, and in the Drivers & Patches section, click Digi
Navigator.
3. From the list box, select the appropriate Microsoft Windows option from the list of driver
options.
4. Click the download link to download the Digi Navigator application.
5. When the download is complete, click on the downloaded .exe file. The Digi Navigator Setup
wizard displays.
6. Select which user(s) should be able to launch the Digi Navigator from this computer after it
has been installed:
- Anyone who uses this computer (all users): Any user who logs into this computer can
launch the Digi Navigator.
- Only for me: Only the user who was logged in to this computer when the Digi
Navigator was installed can launch the Digi Navigator. This is the default.

7. Click Install. The Completing Digi Navigator Setup screen displays.


8. Choose the Run Digi Navigator option if you want to launch the Navigator when the
installation is complete.

9. Click Finish to complete the installation process.

Configure RealPort on a Digi device from the Digi Navigator


You can configure the Connect EZ 16/32 to communicate with your computer using RealPort from the
Digi Navigator. You must enable RealPort on the device and then configure your computer for
RealPort.
In this step, all serial ports on the device are set to RealPort mode and the RealPort service is enabled.
The COM ports on your laptop are also configured.


Note You can also manually configure the device for RealPort by logging into the device's web UI. See
Advanced RealPort configuration without using the Digi Navigator.

1. Download and install the Digi Navigator.


2. Make sure the Connect EZ 16/32 is powered and connected to your local network or computer with an
Ethernet cable.
3. Launch the Digi Navigator.
4. A list of the devices discovered by the Digi Navigator displays. Click on the device that you
want to configure. For information about how devices are discovered and how to add a device
to the list, see Digi Navigator device discovery process.
5. Configure RealPort on the device.
a. Click the Configure device for RealPort button. A login screen displays.
b. Enter the device's default user name and password in the appropriate fields. The default
user name is admin and the default password is the unique password printed on the label
packaged with your device.
c. Click Submit. A progress message displays.
d. When RealPort configuration is complete, the Success message displays.

e. Click Close to close the message.


6. Configure RealPort on your computer. The RealPort service is installed during this process.
a. Click Configure this PC for RealPort.
b. From the Select starting COM list box, select the COM port that should be configured for
RealPort. The first available COM port is selected by default. The number of COM ports
configured matches the number of serial ports on the device.
c. Click Submit. A series of progress messages displays.
d. When the configuration is complete, a message displays.

e. Determine your final step:


- Close: Click Close to close the message. Configuration is complete.
- Open Device Manager: Click Open Device Manager if you want to do further
configuration to the COM ports. The Windows Properties dialog displays.

Optional activities
- Verify the RealPort configuration: If desired, you can verify the RealPort configuration. See
Configure the serial port for RealPort mode and Configure the RealPort service.
- Review the COM ports that are configured for RealPort: After RealPort configuration is
complete, you can open the Windows Properties dialog for the COM ports on your computer
that are configured for RealPort from within the Digi Navigator.

1. Launch the Digi Navigator if it is not currently open. A list of devices that have RealPort
enabled and configured displays in the RealPort Devices section at the bottom of the
application screen.

2. Click Open Device Manager to open the Windows Properties dialog and display the
COM ports on your computer that are configured for RealPort. For more information,
see Manage the RealPort configured Digi device list.

Digi Navigator device discovery process


When the Digi Navigator is installed or launched, it discovers Digi devices that are on your local
network and that also support device discovery. A list of the discovered Digi devices is displayed by
default in the Digi Navigator.
If a Digi device is not on the same network as your computer or the device is undiscoverable, the
device is not displayed in the Digi Navigator. You can add the device using that device's IP address,
and after it has been added, it also displays in the Digi Navigator.
The sections below describe different scenarios for discovering devices.

Device supports Digi Navigator discovery


When the Digi Navigator is launched, all discoverable devices are displayed in the application screen.
These include devices that are on the same network as your computer and the network has a
DHCP server, or devices that have a static IP address.
The Digi Navigator uses the HTTPS service by default to discover devices on your network. Other
services can be used. See Services used to discover a device when connected to a network.

Device cannot be discovered by Digi Navigator


If a device is not on the same network as your computer or the device is undiscoverable, you can
manually add the device using that device's IP address. See Specify the IP address to discover a Digi
device.

Device supports Digi Navigator discovery, but a DHCP server is not on the network
If the device is directly connected to a computer or connected to a network with no DHCP server,
there are two options available to connect to the device:
- 192.168.210.1: A setup address that is available in the OS. See Assign a generic IP address to
the device.
- 169.254.100.100: An auto-IP address available in the OS. See Use the autodiscovery protocol
to discover a device.

Note If you use either of these IP addresses to connect to the device for initial config, you should then
set a unique IP address for the device that is appropriate for the network on which it will be deployed.

Services used to discover a device when connected to a network


To discover the IP address for a Digi device connected to your network, the Digi Navigator uses the
HTTPS service by default. Other services can be used, if needed.


1. Make sure Digi Navigator is installed and the Connect EZ 16/32 is powered and connected to
your local network or computer with an Ethernet cable.
2. Launch the Digi Navigator.
3. Click Filters from the green toolbar to expand the toolbar and display the filter options.

4. In the Services Filters section, click the enable button to enable the services that you want to
use to find an IP address.
5. Click Filters at the bottom of the expanded toolbar to minimize the toolbar and hide the
filters.

Use the autodiscovery protocol to discover a device


If a Digi device is directly connected to a computer or connected to a network with no DHCP server,
you can assign an IP address to the Digi device so that the device is automatically discovered.

1. Make sure Digi Navigator is installed and the Connect EZ 16/32 is powered and connected to
your local network or computer with an Ethernet cable.
2. Launch the Digi Navigator.
3. Click Filters from the green toolbar to expand the toolbar and display the filter options.

4. In the Setup IP Filters section, click the enable button for the 169.254.100.100 option.
5. Click Filters at the bottom of the expanded toolbar to minimize the toolbar and hide the
filters.


6. Log into the device and set a unique IP address for the device that is appropriate for the
network on which it will be deployed. See Define a static IP address.

Assign a generic IP address to the device


If the Connect EZ device is directly connected to a computer or connected to a network with no DHCP
server, you can assign a generic IP address to the device. Using this IP address requires you to set this
IP address on your computer as well as on the device.
Step 1: Assign a generic IP address to the device

1. Make sure Digi Navigator is installed and the Connect EZ 16/32 is powered and connected to
your local network or computer with an Ethernet cable.
2. Launch the Digi Navigator.
3. Click Filters from the green toolbar to expand the toolbar and display the filter options.

4. In the Setup IP Filters section, click the enable button for the 192.168.210.1 option.
5. Click Filters at the bottom of the expanded toolbar to minimize the toolbar and hide the
filters.
Step 2: Assign the IP address to your computer
You must also manually assign this IP address to your computer to ensure a connection. Both your
computer and device must be connected to a private network that does not have a DHCP server.

1. Use an Ethernet cable to connect the device and your computer. Both your computer and
device must be connected to your private network.
2. On your PC, navigate to the Ethernet network settings dialog.
3. Click the Internet Protocol Version 4 (TCP/IPv4) parameter.


4. Click Properties. The Internet Protocol Version 4 (TCP/IPv4) Properties dialog appears.
5. Select Use the following IP address.

Note IMPORTANT: Make note of the current IP address entries for IP address, Subnet mask,
and Default gateway. You will need this information to complete the final step of the process.

6. Configure with the following details:


- IP address for PC: 192.168.210.2
- Subnet: 255.255.255.0
- Gateway: 192.168.210.1


7. Click OK.
8. Open a browser window.
9. Enter the default gateway IP address to access the device: 192.168.210.1. The device's login
screen displays.
10. Log into the device using the default user name and password. The default user name is admin
and the default password is printed on the bottom label of the device and on the loose label
included in the package. If the defaults do not work, they may have been changed. Confirm this
information with your system administrator.
11. Update the IP address for the device.
12. On your PC, revert the IP address information to the original entries.
a. Return to the Internet Protocol Version 4 (TCP/IPv4) Properties dialog.
b. Enter the original IP address entries for IP address, Subnet mask, and Default gateway.
c. Click OK.

Specify the IP address to discover a Digi device


If a Digi device is not on the same network as your computer or the device is undiscoverable, you can
manually add the device using that device's IP address.
To add a device, you will need the device's IP address, and the user name and password for the
device.

1. Make sure Digi Navigator is installed and the Connect EZ 16/32 is powered and connected to
your local network or computer with an Ethernet cable.
2. Launch the Digi Navigator.
3. Expand the Specify a device section.
4. In the IP Address field, enter the IP address or host name for the device.


5. Press Enter. A dialog displays.


6. Enter the user name and password for the device in the User name and Password fields.
7. Click Submit.
8. The device you just added displays at the bottom of the Digi Navigator screen. You can click
Refresh to update the screen until the device appears.

Digi Navigator application features


All features of the Digi Navigator are available from the main application screen.

Item  Description

1  Filters: Click Filters to display the types of filters that can be applied to Digi
   devices, services, and IP types.
   - Device Filters: A list of the Digi device types displays. All types are disabled by
     default, and when all are disabled, all types are displayed. To filter the devices by
     a certain type, click the bar to display only the selected types. See Filter devices
     for display in the Digi Navigator.
   - Services Filters: A list of the services that can be used to discover Digi devices.
     The HTTPS option is selected by default. Click the enable button to enable the
     services that you want to use. See Services used to discover a device when connected
     to a network.
   - Setup IP Filters: These specific IP addresses can be used to discover a Digi device
     that is directly connected to a computer or connected to a network with no DHCP
     server.
     - 192.168.210.1: A set up address that is available in the OS. See Assign a generic
       IP address to the device.
     - 169.254.100.100: An auto-IP address available in the OS. See Use the autodiscovery
       protocol to discover a device.

2  Digi Remote Manager: Click Digi Remote Manager to launch Digi Remote Manager. See
   Access Digi Remote Manager from the Digi Navigator.

3  Specify a device: Expand the Specify a device section to enter the IP address of a Digi
   device. See Specify the IP address to discover a Digi device.

4  List of discovered devices: A list of the Digi devices discovered by the Digi Navigator
   displays. Expand a device to view additional information. See Digi Navigator device
   discovery process.

5  Open: Click Open to access the web UI for the Digi device. See Access the web UI from
   the Digi Navigator.

6  Configure device for Realport: Click Configure device for Realport to configure the Digi
   device to use RealPort. See Configure RealPort on a Digi device from the Digi Navigator.

7  Configure this PC for RealPort: Click Configure this PC for RealPort to configure your
   computer to use RealPort. See Configure RealPort on a Digi device from the Digi
   Navigator.

8  RealPort Devices: Click RealPort Devices at the bottom of the screen to display a list of
   Digi devices that are configured to use RealPort. See Configure RealPort on a Digi device
   from the Digi Navigator.

9  Refresh: Click Refresh to update the list of the Digi devices that have RealPort enabled
   and configured.

10 Open Device Manager: Click Open Device Manager to open the Windows Properties dialog on
   your computer to access the configured COM ports. The number of COM ports configured for
   RealPort matches the number of serial ports on the device.

Manage the RealPort configured Digi device list


After you have enabled and configured RealPort on at least one Digi device, a list of configured
devices displays at the bottom of the Digi Navigator. You can refresh the list and easily access the
COM port configuration on your computer.


- Refresh: Click Refresh to update the list of Connect EZ 16/32 devices that have RealPort
  enabled and configured.
- Open Device Manager: Click Open Device Manager to open the Windows Properties dialog
  on your computer to access the configured COM ports. The number of COM ports configured
  for RealPort matches the number of serial ports on the device.

Access the web UI from the Digi Navigator


You can access the web user interface for a Digi device from the Digi Navigator.

1. Make sure Digi Navigator is installed and the Connect EZ 16/32 is powered and connected to
your local network or computer with an Ethernet cable.
2. Launch the Digi Navigator.
3. From the list of devices shown in the Digi Navigator, expand the device you want to access.

4. Click Open next to the IP address you want to use. The login screen for the web UI launches.
a. Enter the user name and password for the Connect EZ 16/32 in the Username and
Password fields.
b. Click Login.

Filter devices for display in the Digi Navigator


You can use the Digi Navigator filters to determine the types of Digi devices you want to display. Only
the devices that are powered on and are discoverable are included.

1. Make sure Digi Navigator is installed and the Connect EZ 16/32 is powered and connected to
your local network or computer with an Ethernet cable.
2. Launch the Digi Navigator.
3. Click Filters from the green toolbar to expand the toolbar and display the filter options.


4. In the Device Filters section, a list of the Digi device types displays. All types are disabled by
default, and when all are disabled, all types are displayed.
5. To filter the types that are displayed, click the enable slider for the types you want to display.
Only the enabled types will display, and all other types remain disabled and do not display.
6. Click Filters at the bottom of the expanded toolbar to minimize the toolbar and hide the
filters.

Access Digi Remote Manager from the Digi Navigator


You can access Digi Remote Manager from the Digi Navigator. Within the Remote Manager, you can
configure and monitor your Digi devices.
For information about using Digi Remote Manager, refer to the Digi Remote Manager User Guide.

1. Make sure Digi Navigator is installed.


2. Launch the Digi Navigator.
3. Click the Digi Remote Manager link in the toolbar.

4. The Digi Remote Manager login screen launches.


a. Enter your Remote Manager user name and password.
b. Click Login.

Advanced RealPort configuration without using the Digi Navigator

You can configure the Connect EZ 16/32 to communicate with your computer using RealPort.


Windows Operating System


This method can be used if your computer has a Windows OS installed and you choose not to use the
Digi Navigator to discover devices and configure RealPort.
To complete the RealPort configuration process for Windows:
Step 1: Download the RealPort driver
Step 2: Configure RealPort on your laptop
Step 3: Configure the serial port for RealPort mode
Step 4: Configure the RealPort service

Linux Operating System


To complete the RealPort configuration process for Linux OS:
Step 1: Download the RealPort driver
Step 2: To complete the RealPort configuration process, refer to the Get started: Install RealPort for
LINUX section in the RealPort Installation User's Guide.

Download the RealPort driver


The first step is to download the RealPort application and save it to a location that you can easily
access.

1. Navigate to https://hub.digi.com/support/products/realport/.
2. Scroll down to the Product Resources tab, and in the Drivers & Patches section, click
RealPort Driver.
3. From the list box, select the appropriate Microsoft Windows option from the list of driver
options. The associated RealPort for Windows option displays.
4. Click the download link.
5. When the download is complete, navigate to your download folder. The application is in a .zip
file.
6. You can leave the .zip file in the download folder, or copy the .zip file and paste it to a location
that you can easily access.

Configure RealPort on your laptop


RealPort must be installed on your laptop and then configured for the IP address of each
device that should be allowed a RealPort connection.
You will run the RealPort Wizard for each device that you want to configure. RealPort is installed on
your laptop the first time that you run the wizard. The installation step is skipped each subsequent
time that you run the wizard.
Before you begin
- Download RealPort onto your laptop, and make note of the download location. See Download
  the RealPort driver.
- Have the IP address of the device that you want to configure.
Step 1: Implement RealPort


1. Navigate to the downloaded RealPort .zip file.


2. Open the .zip file.
3. Click on setup.exe to launch the RealPort wizard. The Welcome to the Digi RealPort Setup
Wizard screen displays.
4. If this is not the first time you have run the wizard, select the Add a New Device option. If this
is the first time running the wizard, no options are available on the screen.
5. Click Next. The Select Device screen displays.
a. From the list of device options, select the Device not listed option.
6. Click Next. The Describe the Device screen displays.
a. In the Device Model Name field, enter a descriptive name for the device.
b. In the Network Settings section, select the IP option and enter the IP address in the
associated field.
c. In the COM Port Settings section, from the No. Ports list box, select the number of
physical serial ports that you want to configure. You can specify from 1 to the maximum
number of ports available on the device.
d. In the Device Features section, select both the Encryption and Authentication options.
7. Click Finish to complete the process and close the wizard.

Note If this is the first time that you have run the RealPort wizard, RealPort is installed on your
laptop. If it is not the first time or if RealPort is already installed, it is not installed again.

Step 2: Configure a RealPort connection on your laptop for your device

1. Follow the standard Windows process to access the Device Manager from your computer's
operating system.
2. Select Multi-port Serial Adapters.
3. Right-click on your device. Click the Properties menu option. The Properties dialog appears.
4. Click the Advanced tab.
5. Click Properties. The Advanced Properties dialog appears.
6. Click the Security tab.


7. Select the Encrypt Network Traffic check box to enable encrypted network traffic. When you
select this option, the TCP Port for Encrypted Traffic field becomes available.
8. The TCP Port for Encrypted Traffic field has a default value of 1027. The entry must match
the device's TCP port setting.
9. (Optional) If you want to use authentication, configure the feature.
a. From the Authentication Method list box, select the Shared Secret - SHA256 option.
b. Enter the authentication password in the Shared Secret field.
10. Click Apply.
11. Click OK to close the Advanced Properties dialog.
12. Click OK to close the Properties window.

Configure the serial port for RealPort mode


RealPort mode allows you to use RealPort.
To change the configuration to match the serial configuration of the device to which you want to
connect:
Web


Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
1. On the menu, click System. Under Configuration, click Serial Configuration.

The Serial Configuration page is displayed.

Note You can also configure the serial port by using Device Configuration > Serial. Changes
made by using either Device Configuration or Serial Configuration will be reflected in both.

2. Click the name of the port that you want to configure.

The serial port is enabled by default. To disable, toggle off Enable.


3. For Mode, select RealPort.
4. Select an option from the Sharing Mode list box to determine which user(s) can change the
port settings, and whether users can receive data from the port.
- None: Only the user that opened the port can change the port settings. All other users
  are rejected. No other users can receive data from the port. This is the default.
- Primary: Only the user that opened the port can change the port settings. All other
  users that try to open the port receive all of the data read to the port.
- Peer: Any user that tries to open the port can change the port settings. All users that try
  to open the port receive all of the data read to the port.
5. (Optional) For Label, enter a label that will be used when referring to this port.
6. Enable Altpin to use the Altpin feature. Altpin is disabled by default. If you enable Altpin in
EIA-232 mode, the DCD and DSR signals are swapped. This allows use of DCD with 8-wire
cables. Altpin has no impact on 422 or 485 mode. For more information, see Serial connector
pinout.
7. For Signalling, select the electrical signaling interface type used on this serial port:
- RS-232
  - Enable RTS Toggle if you want to enable RTS toggling during transmission on this
    serial port. If enabled, this setting overrides RTS/CTS flow control.
  - For RTS Pre-delay, enter the amount of time RTS is asserted before starting data
    transmission. The time is measured in milliseconds. The default is 0ms.
  - For RTS Post-delay, enter the amount of time RTS is deasserted before completing
    data transmission. The time is measured in milliseconds. The default is 0ms.


- RS-422
  - Enable Termination if you want to enable electrical termination on this serial port.
- RS-485
  - Enable Termination if you want to enable electrical termination on this serial port.
  - Enable Full Duplex if you want to enable full duplex communication on this serial
    port.
The default is RS-232.
8. Expand Logging Settings to configure logging for this serial port.
a. To enable logging, click to toggle on Enable.
b. In the Log file name field, enter a descriptive name for the log file.
c. For Log file size, type the size of the log file. When the log file reaches the size limit, the
current file is saved and a new file is created. The default is 65536 bytes.
d. From the Type of data to log list box, specify the type of data that should be saved.
- Received
- Transmitted
- Both
- Both with arrows. This is the default.
e. If you want to log the time at which data was received or transmitted, click the
Timestamps toggle to Enable.
f. If you want to log the data as hexadecimal values, click the Hexadecimal toggle to
Enable.

Note You can review the message log in the Serial Port Log page. See Review the serial
port message log.

9. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. The serial port is enabled by default. To disable:

(config)> serial port1 enable false


(config)>


4. Set the mode:

(config)> serial port1 mode realport


(config)>

5. Set the sharing mode:

(config)> serial port1 sharing value


(config)>

where value is one of:


- none: Only the user that opened the port can change the port settings. All other users
  are rejected. No other users can receive data from the port. This is the default.
- peer: Any user that tries to open the port can change the port settings. All users that try
  to open the port receive all of the data read to the port.
- primary: Only the user that opened the port can change the port settings. All other
  users that try to open the port receive all of the data read to the port.
6. Set the signal mode:

(config)> serial port1 signal mode value


(config)>

where value is one of:


Set the signaling interface type used on this serial port:
- rs-232
  - Enable rts_toggle if you want to enable RTS toggling during transmission on this
    serial port. If enabled, this setting overrides RTS/CTS flow control:

(config)> serial port1 rts_toggle true
(config)>

  - For rts_pre_delay, enter the amount of time RTS is asserted before starting data
    transmission. The time is measured in milliseconds. The default is 0ms:

(config)> serial port1 rts_pre_delay value
(config)>

  - For rts_post_delay, enter the amount of time RTS is deasserted before completing
    data transmission. The time is measured in milliseconds. The default is 0ms:

(config)> serial port1 rts_post_delay value
(config)>

- rs-422
  - Enable Termination if you want to enable electrical termination on this serial port.


- rs-485
  - Enable termination if you want to enable electrical termination on this serial port:

(config)> serial port1 termination true
(config)>

  - Enable full_duplex if you want to enable full duplex communication on this serial
    port:

(config)> serial port1 full_duplex true


(config)>

The default is rs-232.


7. Set a label that will be used when referring to this port.

(config)> serial port1 label label


(config)>

8. (Optional) Set a label that will be used when referring to this port.

(config)> serial port1 label label


(config)>

9. Configure serial port logging:


a. Enable serial port logging:

(config)> serial port1 logging enable true
(config)>

b. Set the file name:

(config)> serial port1 logging filename string
(config)>

c. Set the maximum allowed log size for the serial port log when starting the log:

(config)> serial port1 logging size value
(config)>

where value is the size of the log file in bytes. The default is 65536.
d. Specify the data type:

(config)> serial port1 logging type value
(config)>

where value is one of:

- received
- transmitted
- both
- arrows. This is the default.
e. Log the time at which data was received or transmitted:

(config)> serial port1 logging timestamp true
(config)>

f. Log data as hexadecimal values:

(config)> serial port1 logging hex true
(config)>

10. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

11. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Configure the RealPort service


After you have configured RealPort mode on the Connect EZ 16/32, you must enable and configure the
RealPort service. When this step is complete, all of the serial ports on the Connect EZ 16/32 are
configured to use the RealPort service.
Web
1. Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
2. On the menu, click System > Configuration > Device Configuration.
3. Expand Services.
4. Expand RealPort.
5. Click Enable to enable the RealPort service.
6. For RealPort Server Port, enter 1027. This is the default.
7. For Minimum TLS version, select the minimum TLS version that the RealPort service will
accept. The default is TLS version 1.0.
8. Enable Encryption to enable encryption of data. This is enabled by default.
9. (Optional) Configure the authentication method the RealPort server uses to authenticate
clients.
a. From the Authentication Method list box, select the Shared Secret - SHA256 option.
b. For Shared Secret, enter the authentication password to ensure secure communication.
Leave this field blank to disable authentication.
10. Enable Exclusive Mode to ensure that any connection from an IP address is closed when
opening a new connection from the same IP address. This is disabled by default.
11. Enable RealPort Keepalive to send RealPort keepalive packets. This is enabled by default.
12. Enable TCP Port Keepalive to send TCP keepalive packets. This is disabled by default.
13. Enable Device Initiated connections so users can remotely connect to serial devices as if they
had a native COM/TTY port on their PC. This is disabled by default.
14. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. RealPort is enabled by default. To disable:

(config)> service realport enable false


(config)>

4. Set the RealPort server port.

(config)> service realport port value


(config)>

where value is the port you want to use for the RealPort service. The default is 1027.
5. Set the minimum TLS version that the RealPort service will accept:

(config)> service realport minimum_tls_version value


(config)>

where value is one of:


- TLS-1_0. This is the default.
- TLS-1_1
- TLS-1_2
- TLS-1_3
6. Data encryption is enabled by default. To disable:

(config)> service realport encryption false


(config)>

7. (Optional) Configure authentication.

(config)> service realport auth value


(config)>

where value is one of:


- none: Do not use authentication. This is the default.
- shared_secret_sha256: You must also define the authentication password to ensure
  secure communication. Leave this field blank to disable authentication.

(config)> service realport auth shared_secret_sha256 value
(config)>

where value is the authentication password.


8. Exclusive mode is disabled by default. This mode ensures that any connection from an
IP address is closed when opening a new connection from the same IP address. To enable:

(config)> service realport exclusive true
(config)>

9. Use RealPort keepalive to send RealPort keepalive packets. This is enabled by default. To
disable:

(config)> service realport realport_keepalive false


(config)>

10. TCP port keepalive to send TCP keepalive packets is disabled by default. To enable:

(config)> service realport tcp_keepalive true


(config)>

11. Device initiated connections allow users to remotely connect to serial devices as if they had a
native COM/TTY port on their PC. This is disabled by default. To enable:

(config)> service realport device_initiated_enable true


(config)>

12. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

13. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
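
The audit below is an added example, not code from this guide or from Digi: it folds service realport commands over the defaults documented above and reports settings weaker than an assumed baseline (minimum TLS 1.2, encryption on, shared-secret authentication with a non-empty secret). The baseline, the function names, the reading of the two auth commands and the sample command lists are assumptions constructed for illustration.

```python
import re

# Defaults as stated in the RealPort service section of this guide
# ("enable" follows the command-line procedure's statement).
DOCUMENTED_DEFAULTS = {
    "enable": "true",
    "port": "1027",
    "minimum_tls_version": "TLS-1_0",
    "encryption": "true",
    "auth": "none",
    "exclusive": "false",
    "realport_keepalive": "true",
    "tcp_keepalive": "false",
    "device_initiated_enable": "false",
}
TLS_ORDER = ["TLS-1_0", "TLS-1_1", "TLS-1_2", "TLS-1_3"]

# Assumed site baseline for this example; not a value taken from the guide.
BASELINE_MIN_TLS = "TLS-1_2"

# Accepts a command with or without the "(config)>" prompt in front of it.
_CMD = re.compile(r"^(?:\(config\)>\s*)?service\s+realport\s+(\S+)(?:\s+(\S.*))?$")


def parse_realport(lines):
    """Fold 'service realport ...' commands over the documented defaults."""
    settings = dict(DOCUMENTED_DEFAULTS)
    settings["secret_set"] = False  # the secret itself is never stored
    for raw in lines:
        match = _CMD.match(raw.strip())
        if not match:
            continue  # prompts, 'save', commands for other subsystems
        key, value = match.group(1), match.group(2) or ""
        if key == "auth":
            parts = value.split(None, 1)
            if not parts:
                continue
            settings["auth"] = parts[0]
            if parts[0] == "none":
                settings["secret_set"] = False
            elif len(parts) == 2:
                settings["secret_set"] = True  # method followed by a secret
        elif key in DOCUMENTED_DEFAULTS:
            settings[key] = value
    return settings


def audit(settings):
    """Return findings for settings weaker than the assumed baseline."""
    findings = []
    if settings["enable"] == "false":
        return findings  # service is off, nothing to assess
    tls = settings["minimum_tls_version"]
    if tls not in TLS_ORDER:
        findings.append(f"minimum_tls_version: unrecognised value {tls!r}")
    elif TLS_ORDER.index(tls) < TLS_ORDER.index(BASELINE_MIN_TLS):
        findings.append(f"minimum_tls_version: {tls} is below {BASELINE_MIN_TLS}")
    if settings["encryption"] != "true":
        findings.append("encryption: disabled, serial data is sent unencrypted")
    if settings["auth"] != "shared_secret_sha256":
        findings.append("auth: clients are not authenticated")
    elif not settings["secret_set"]:
        # The guide states that a blank secret disables authentication.
        findings.append("auth: method selected but no secret set")
    return findings


# Constructed sample inputs (not captured from a device).
UNCHANGED = []
HARDENED = [
    "(config)> service realport minimum_tls_version TLS-1_2",
    "(config)> service realport auth shared_secret_sha256",
    "(config)> service realport auth shared_secret_sha256 EXAMPLE-SECRET",
    "(config)> save",
]
METHOD_ONLY = [
    "service realport minimum_tls_version TLS-1_3",
    "service realport auth shared_secret_sha256",
]

if __name__ == "__main__":
    for name, lines in [("unchanged", UNCHANGED), ("hardened", HARDENED),
                        ("method only", METHOD_ONLY)]:
        print(name, audit(parse_realport(lines)) or "ok")
```

The Windows RealPort driver must be set to the same port, encryption and shared secret, as described in Configure RealPort on your laptop.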

Disconnect a user from a serial port


From the Serial Status page, you can disconnect any users connected to a serial port configured for
one of these modes: Login, Remote Access, PPP Dial-in, or Modem Emulator.
Web
1. Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
2. On the menu, click Status > Connections > Serial. The Serial Status page displays.
3. Find the port for which you want to disconnect one or more users. Verify that the port is
configured for one of the following modes: Login, Remote Access, PPP Dial-in, or Modem
Emulator.
4. Click the down arrow next to the user name in the Users column to display a pop-up box.
5. A list of the users currently connected to the port displays in the pop-up box. Information about
each user's connection displays. If more than one user is connected, a check box displays for
each user.
- User: The user's log in name or a connection type, such as Telnet, TCP, or SSH.
- Remote IP: The user's IP address.


- Connected: The length of time that the user has been connected to the port. The time
  is measured in seconds.
- Idle: The length of time that connection has been idle. The time is measured in
  seconds.
6. Determine the user(s) that you want to disconnect.
- If only one user is listed, that user will be selected for the disconnect by default.
- If more than one user is connected to the port, by default the check box for each user is
  selected. Click on a check box to deselect a user. Click All to deselect or select all of
  the users.
7. Click Disconnect. The single user or set of selected users are disconnected from the serial port.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. (Optional) Review the users currently connected to the port.

> show serial port
>

Where port is the port number you want to review, such as "port2"; a string, such as "console";
or the name of a user-configured serial port, such as USB.
3. (Optional) Review information about the disconnect command.

> system serial disconnect ?


>

4. Disconnect a specific user from a port.

> system serial disconnect port remoteip STRING user STRING


>

Where port is the port number you want to review, such as "port2"; a string, such as "console";
or the name of a user-configured serial port, such as USB.
Enter one or both of the following:
- remoteip STRING: The remote IP address to disconnect.
- user STRING: The user name of the user that you want to disconnect.
5. Disconnect all users from a port.

> system serial disconnect port
>

Where port is the port number you want to review, such as "port2"; a string, such as "console";
or the name of a user-configured serial port, such as USB.
6. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented
with an Access selection menu. Type quit to disconnect from the device.


Show serial port status and statistics


To show the status and statistics for the serial port:
Web
1. Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
2. On the main menu, click Status > Connections > Serial. The Serial Status page displays. See
Serial Status page for information about the features in this page.
Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. Use the show serial command:

> show serial

Label     Port   Enable  Mode   Baudrate
--------  -----  ------  -----  --------
Serial 1  port1  true    login  9600
>

3. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Serial Status page


The Serial Status page contains status information about all of the serial ports available on the
device.
To navigate to the Serial Status page, log into the device's web UI and click Status > Connections >
Serial.

Item Description
 Click the  (configuration) icon in the upper right corner of the page to access the
configuration Serial Configuration page. See Serial port for more information.
icon
Search ports Use the Search ports field to limit the list of ports displayed on the page.

Ports per Select the number of Ports per page that you want to display. Click the
page appropriate number or click ALL to display all ports. You can also click Next or
Back to display the next or previous set of ports.

Note The number ports you can display is determined by the number of ports
available on the device.

Digi Connect EZ 16/32 User Guide 290


Serial port Show serial port status and statistics

Item Description
Status Displays the connection status.
n CONNECTED: A telnet, terminal, SSH, or TCP session is active.
n DISABLED: The port is not enabled.
n NO SIGNAL: CTS or DCD is not active on the port.
Port A list of the ports on the device.
The port number and name displays as a link when the port is configured for
remote access. You can click the port number or name to connect to the port in
the terminal page.

1. Click the link to connect to the port in the terminal page.


2. In the terminal screen, enter ~b? to display additional commands. See
Access the terminal screen from the web UI for more information about the
commands.
While you are connected to the terminal, the port status displays in the Status
column as CONNECTED, and the name of the user logged into the device displays
in the User column.
Console port
The console port on the Serial Status screen corresponds to the console port on
the device. You can use this console port to log in to the Connect EZ when a
network isn't available. See Log into the Connect EZ from the Console port.
Label A description for the port.
You can change this from the Serial Configuration page. Click the 
(configuration) icon in the upper right corner of the page to access that page.
The port number and name displays as a link when the port is configured for
remote access. You can click the port number or name to connect to the port in
the terminal page. See the description for Port (above) for more information.
Log If configured, you can open the Serial Port Log page for that port. Options are:
- Green Log button: The serial port mode selected for the port supports
serial port logging, and logging is enabled. Click the Log button to open the
Serial Port Log page for that port. See Review the serial port message log
for information about that page.
- Gray Log button: The serial port mode selected for the port supports serial
port logging, but logging is not enabled.
- No button: The serial port mode selected for the port does not support
serial port logging.
User When the port is connected to a Telnet, terminal, SSH, or TCP connection, the
name of the user logged into the device displays.
See the description for Port (above) for more information.
If a serial port is configured for one of these modes: Login, Remote Access, PPP
Dial-in, or Modem Emulator, you can disconnect one or more users from the serial
port using the Disconnect feature. See Disconnect a user from a serial port.

TX/RX Bytes Displays the total number of bytes that have been transmitted and received.

Signals Indicates the types of communication that the device is ready to send.
DCD: Carrier Detected
CTS: Clear to Send
DTR: Data Terminal Ready
RTS: Ready to Send

Review the serial port message log


Serial port messages can be reviewed from the Serial Port Log page.
A serial port message log is created and saved when serial port logging has been enabled and
configured for one of the following serial port modes: Login, Remote Access, RealPort, or UDP Serial.
You can view the log file from the Log column in the Serial Status page.

Web
1. Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
2. On the main menu, click Status.
3. Under Connections, click Serial. The Serial Status page displays.
4. If a green Log button is displayed, the serial port mode selected for the port supports serial
port logging, and logging is enabled. Click the Log button to open the Serial Port Log page for
that port. The Serial port log window displays.

Note If the Log button is gray, the serial port mode selected for the port supports serial port
logging, but logging is not enabled. If there is no Log button, the serial port mode selected for
the port does not support serial port logging.

5. Review the messages in the window.


- Click Refresh to refresh the log display.
- Click Download to download the serial port log to your local device. The log file is
saved to the /opt/serial directory. Because this is being saved to the device's memory,
you should use serial logging for diagnostic purposes, rather than having it permanently
enabled.
- Click Restart to clear and restart the serial port log.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.


2. To show the serial port's contents and logging status:

> system serial show port-number


Logging is active on port-number
>

3. To save the log to your local device:

> system serial save port-number path


>

If a relative path is provided, /etc/config/serial will be used as the root directory for the path
and file. (Required)
The log file is saved to the /opt/serial directory. Because this is being saved to the device's
memory, you should use serial logging for diagnostic purposes, rather than having it
permanently enabled.
4. To clear and restart the log:

> system serial clear port-number


>

5. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.



Routing
This chapter contains the following topics:

IP routing
Show the routing table
Dynamic DNS
Virtual Router Redundancy Protocol (VRRP)


IP routing
The Connect EZ 16/32 device uses IP routes to decide where to send a packet it receives for a remote
network. The process for deciding on a route to send the packet is as follows:

1. The device examines the destination IP address in the IP packet, and looks through the IP
routing table to find a match for it.
2. If it finds a route for the destination, it forwards the IP packet to the configured IP gateway or
interface.
3. If it cannot find a route for the destination, it uses a default route.
4. If there are two or more routes to a destination, the device uses the route with the longest
mask.
5. If there are two or more routes to a destination with the same mask, the device uses the route
with the lowest metric.
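
The selection rules above, worked through as an added Python example (not Digi's implementation and not code from this guide). It models IPv4 only, treats the any keyword as 0.0.0.0/0, and uses a constructed route table; the audit helper goes slightly beyond the text by listing more-specific routes that leave through a different interface than the broader route they override.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    dst: str                      # "192.168.47.0/24", a single address, or "any"
    interface: str
    gateway: Optional[str] = None
    metric: int = 0
    enable: bool = True

    @property
    def network(self) -> ipaddress.IPv4Network:
        # Assumption: "any" is modelled as the IPv4 default route 0.0.0.0/0.
        if self.dst == "any":
            return ipaddress.ip_network("0.0.0.0/0")
        # strict=False accepts host bits; a bare address becomes a /32.
        return ipaddress.ip_network(self.dst, strict=False)


def select_route(table: List[Route], dst_ip: str) -> Optional[Route]:
    """Pick the route for dst_ip: longest mask first, then lowest metric."""
    addr = ipaddress.ip_address(dst_ip)
    candidates = [r for r in table if r.enable and addr in r.network]
    if not candidates:
        return None               # no match and no default route
    # Negative prefix length sorts the longest mask first; metric breaks ties.
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


def overriding_routes(table: List[Route]) -> List[Tuple[Route, Route]]:
    """Audit helper: (specific, broad) pairs where a longer-mask route sends
    part of a broader route's range out of a different interface.
    Default routes are skipped as the broad side, since every route
    overrides them by design."""
    findings = []
    active = [r for r in table if r.enable]
    for specific in active:
        for broad in active:
            if broad.network.prefixlen == 0:
                continue
            if (specific.network.prefixlen > broad.network.prefixlen
                    and specific.network.subnet_of(broad.network)
                    and specific.interface != broad.interface):
                findings.append((specific, broad))
    return findings


# Constructed sample table; addresses, metrics and gateway are illustrative.
SAMPLE_TABLE = [
    Route("any", "/network/interface/eth1", gateway="203.0.113.1", metric=10),
    Route("192.168.47.0/24", "/network/interface/lan1", metric=5),
    Route("192.168.47.0/24", "/network/interface/lan2", metric=1),
    Route("192.168.47.128/25", "/network/interface/eth1", metric=50),
]

if __name__ == "__main__":
    for ip in ("192.168.47.10", "192.168.47.200", "198.51.100.7"):
        r = select_route(SAMPLE_TABLE, ip)
        print(f"{ip:16} -> {r.dst:18} via {r.interface} (metric {r.metric})")
    for specific, broad in overriding_routes(SAMPLE_TABLE):
        print(f"review: {specific.dst} ({specific.interface}) overrides "
              f"{broad.dst} ({broad.interface})")
```

The /25 entry wins for 192.168.47.200 even though its metric is the highest in the table, because the metric is only compared between routes with the same mask.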
This section contains the following topics:

Configure a static route
Delete a static route
Policy-based routing
Configure a routing policy
Routing services
Configure routing services


Configure a static route


A static route is a manually configured routing entry. Information about the route is manually entered
rather than obtained from dynamic routing traffic.

Required configuration items


- The destination address or network.
- The interface to use to reach the destination.

Additional configuration items

- A label used to identify this route.
- The IPv4 address of the gateway used to reach the destination.
- The metric for the route. When multiple routes are available to reach the same destination, the
route with the lowest metric is used.
- The Maximum Transmission Units (MTU) of network packets using this route.
To configure a static route:

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Network > Routes > Static routes.


4. Click the add icon to add a new static route.

The new static route configuration page is displayed:

New static route configurations are enabled by default. To disable, toggle off Enable.
5. (Optional) For Label, type a label that will be used to identify this route.
6. For Destination, type the IP address or network of the destination of this route.
For example, to route traffic to the 192.168.47.0 network that uses a subnet mask of
255.255.255.0, type 192.168.47.0/24. The any keyword can also be used to route packets to
any destination with this static route.
7. For Interface, select the interface on the Connect EZ 16/32 device that will be used with this
static route.
8. (Optional) For Gateway, type the IPv4 address of the gateway used to reach the destination.
Set to blank if the destination can be accessed without a gateway.
9. (Optional) For Metric, type the metric for the route. When multiple routes are available to
reach the same destination, the route with the lowest metric is used.
10. (Optional) For MTU, type the Maximum Transmission Units (MTU) of network packets using this
route.
11. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Add a new static route:

(config)> add network route static end


(config network route static 0)>


New static route instances are enabled by default. To disable:

(config network route static 0)> enable false


(config network route static 0)>

4. (Optional) Set a label that will be used to identify this route. For example:

(config network route static 0)> label "route to accounting network"


(config network route static 0)>

5. Set the IP address or network of the destination of this route:

(config network route static 0)> dst ip_address[/netmask]


(config network route static 0)>

For example, to route traffic to the 192.168.47.0 network that uses a subnet mask of
255.255.255.0:

(config network route static 0)> dst 192.168.47.0/24


(config network route static 0)>

The any keyword can also be used to route packets to any destination with this static route.
6. Set the interface on the Connect EZ 16/32 device that will be used with this static route:
a. Use the ? to determine available interfaces:
b. Set the interface. For example:

(config network route static 0)> interface /network/interface/eth1


(config network route static 0)>

7. (Optional) Set the IPv4 address of the gateway used to reach the destination. Set to blank if the
destination can be accessed without a gateway.

(config network route static 0)> gateway IPv4_address


(config network route static 0)>

8. (Optional) Set the metric for the route. When multiple routes are available to reach the same
destination, the route with the lowest metric is used.

(config network route static 0)> metric value


(config network route static 0)>

where value is an integer between 0 and 65535. The default is 0.


9. (Optional) Set the Maximum Transmission Units (MTU) of network packets using this route:

(config network route static 0)> mtu integer


(config network route static 0)>

10. Save the configuration and apply the change.

(config)> save
Configuration saved.
>


11. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Delete a static route

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Network > Routes > Static routes.
4. Click the menu icon (...) for a static route and select Delete.

5. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.


2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Determine the index number of the static route to be deleted:

(config)> show network route static


0
dst 10.0.0.1
enable true
no gateway
interface /network/interface/lan1
label new_static_route
metric 0
mtu 0
1
dst 192.168.5.1
enable true
gateway 192.168.5.1
interface /network/interface/lan2
label new_static_route_1
metric 0
mtu 0
(config)>

4. Use the index number to delete the static route:

(config)> del network route static 0


(config)>

5. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

6. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Policy-based routing
Normally, a routing device determines how to route a network packet based on its destination
address. However, you can use policy-based routing to forward the packet based on other criteria,
such as the source of the packet. For example, you can configure the Connect EZ 16/32 device so that
high-priority traffic is routed through the cellular connection, while all other traffic is routed through
an Ethernet (WAN) connection.
Policy-based routing for the Connect EZ 16/32 device uses the following criteria to determine how to
route traffic:
- Firewall zone (for example, internal/outbound traffic, external/inbound traffic, or IPSec tunnel
traffic).
- Network interface (for example, the cellular connection, the WAN, or the LAN).
- IPv4 address.
- IPv6 address.
- MAC address.
- Domain.
- Protocol type (TCP, UDP, ICMP, or all).
The order of the policies is important. Routing policies are processed sequentially; as a result, if a
packet matches an earlier policy, it will be routed using that policy’s rules. It will not be processed by
any subsequent rules.

Configure a routing policy


Required configuration items
- The packet matching parameters. It can be any combination of the following:
  - Source interface.
  - Source address. This can be a firewall zone, an interface, a single IPv4/IPv6 address or
    network, or a MAC address.
  - Destination address. This can be a firewall zone, an interface, a single IPv4/IPv6 address or
    network, or a domain.
  - Protocol. This can be any, tcp, udp or icmp.
  - Source port. This is only used if the protocol is set to tcp or udp.
  - Destination port. This is only used if protocol is set to tcp or udp.
- The network interface used to reach the destination.

Additional configuration items


- A label for the routing policy.
- Whether packets that match this policy should be dropped when the gateway interface is
disconnected, rather than forwarded through other interfaces.
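
The effect of policy order and of the exclusive setting, as an added Python example (not Digi's implementation and not code from this guide). Assumptions: only IPv4 source/destination, protocol and destination port are modelled; "fallback" stands for the packet being left to the device's other interfaces; the cell_example interface name, labels, addresses and port are constructed. The shadowed() helper flags a policy that can never match because an earlier one already covers it.

```python
import ipaddress
from dataclasses import dataclass, replace

ANY_NET = ipaddress.ip_network("0.0.0.0/0")


def to_net(value):
    # "any" matches every IPv4 address in this model.
    return ANY_NET if value == "any" else ipaddress.ip_network(value, strict=False)


@dataclass(frozen=True)
class Policy:
    label: str
    interface: str
    src: str = "any"
    dst: str = "any"
    protocol: str = "any"     # any, tcp, udp or icmp
    dst_port: str = "any"     # only used when protocol is tcp or udp
    exclusive: bool = False

    def matches(self, pkt):
        if ipaddress.ip_address(pkt["src"]) not in to_net(self.src):
            return False
        if ipaddress.ip_address(pkt["dst"]) not in to_net(self.dst):
            return False
        if self.protocol != "any" and self.protocol != pkt["protocol"]:
            return False
        if self.protocol in ("tcp", "udp") and self.dst_port != "any":
            return str(pkt.get("dst_port")) == self.dst_port
        return True


def route_packet(policies, pkt, interfaces_up):
    """Sequential evaluation: the first matching policy decides the outcome."""
    for p in policies:
        if not p.matches(pkt):
            continue
        if p.interface in interfaces_up:
            return ("forward", p.interface, p.label)
        if p.exclusive:
            return ("drop", None, p.label)      # fail closed
        return ("fallback", None, p.label)      # may leave via another interface
    return ("fallback", None, None)             # no policy matched


def covers(earlier, later):
    """True if every packet matching `later` also matches `earlier`."""
    if not to_net(later.src).subnet_of(to_net(earlier.src)):
        return False
    if not to_net(later.dst).subnet_of(to_net(earlier.dst)):
        return False
    if earlier.protocol != "any" and earlier.protocol != later.protocol:
        return False
    if earlier.protocol in ("tcp", "udp") and earlier.dst_port != "any":
        return later.dst_port == earlier.dst_port
    return True


def shadowed(policies):
    """Return (later_label, earlier_label) for policies that can never fire."""
    out = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if covers(earlier, later):
                out.append((later.label, earlier.label))
                break
    return out


# Constructed sample data.
WAN = "/network/interface/eth1"
CELL = "/network/interface/cell_example"    # hypothetical interface name
GENERAL = Policy("all-lan-to-wan", WAN, src="192.168.2.0/24")
MODBUS = Policy("modbus-over-cellular", CELL, src="192.168.2.0/24",
                protocol="tcp", dst_port="502", exclusive=True)
MISORDERED = [GENERAL, MODBUS]              # broad policy listed first
ORDERED = [MODBUS, GENERAL]                 # specific policy listed first
ORDERED_NONEXCLUSIVE = [replace(MODBUS, exclusive=False), GENERAL]
PKT = {"src": "192.168.2.50", "dst": "198.51.100.20",
       "protocol": "tcp", "dst_port": 502}

if __name__ == "__main__":
    print(route_packet(MISORDERED, PKT, {WAN, CELL}), shadowed(MISORDERED))
    print(route_packet(ORDERED, PKT, {WAN, CELL}), shadowed(ORDERED))
    print(route_packet(ORDERED, PKT, {WAN}))
    print(route_packet(ORDERED_NONEXCLUSIVE, PKT, {WAN}))
```

With the broad policy first, the port 502 traffic leaves through eth1 and the cellular policy never applies; with the specific policy first and exclusive set, the same traffic is dropped while the cellular interface is down instead of moving to another interface.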
To configure a routing policy:

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.


Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Network > Routes > Policy-based routing.
4. Click the add icon to add a new route policy.

The new route policy page is displayed:


New route policies are enabled by default. To disable, toggle off Enable.
5. (Optional) For Label, type a label that will be used to identify this route policy.
6. For Interface, select the interface on the Connect EZ 16/32 device that will be used with this
route policy.
7. (Optional) Enable Exclusive to configure the policy to drop packets that match the policy
when the gateway interface is disconnected, rather than forwarded through other interfaces.
8. For IP version, select Any, IPv4, or IPv6.
9. For Protocol, select Any, TCP, UDP, or ICMP.
- If TCP or UDP is selected for Protocol, type the port numbers of the Source port and
Destination port, or set to any to match for any port.
- If ICMP is selected for Protocol, type the ICMP type and optional code, or set to any to
match for any ICMP type.
10. For DSCP, type the 6-bit hexadecimal Differentiated Services Code Point (DSCP) field match
criteria. This will match packets based on the DSCP field within the ToS field of the IP header.
11. Configure source address information:
a. Click to expand Source address.
b. For Type, select one of the following:
- Zone: Matches the source IP address to the selected firewall zone. See Firewall
configuration for more information about firewall zones.
- Interface: Matches the source IP address to the selected interface's network
address.
- IPv4 address: Matches the source IP address to the specified IP address or
network. Use the format IPv4_address[/netmask], or use any to match any IPv4
address.
- IPv6 address: Matches the source IP address to the specified IP address or
network. Use the format IPv6_address[/prefix_length], or use any to match any
IPv6 address.
- MAC address: Matches the source MAC address to the specified MAC address.
12. Configure the destination address information:
a. Click to expand Destination address.
b. For Type, select one of the following:
- Zone: Matches the destination IP address to the selected firewall zone. See Firewall
configuration for more information about firewall zones.
- Interface: Matches the destination IP address to the selected interface's network
address.
- IPv4 address: Matches the destination IP address to the specified IP address or
network. Use the format IPv4_address[/netmask], or use any to match any IPv4
address.
- IPv6 address: Matches the destination IP address to the specified IP address or
network. Use the format IPv6_address[/prefix_length], or use any to match any IPv6
address.
- Domain: Matches the destination IP address to the specified domain names. To
specify domains:
i. Click to expand Domains.
ii. Click the add icon to add a domain.
iii. For Domain, type the domain name.
iv. Repeat to add additional domains.
- Default route: Matches packets destined for the default route, excluding routes for
local networks.
13. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Add a new routing policy:

(config)> add network route policy end


(config network route policy 0)>


New route policies are enabled by default. To disable:

(config network route policy 0)> enable false


(config network route policy 0)>

4. (Optional) Set the label that will be used to identify this route policy:

(config network route policy 0)> label "New route policy"


(config network route policy 0)>

5. Set the interface on the Connect EZ 16/32 device that will be used with this route policy:
a. Use the ? to determine available interfaces:
b. Set the interface. For example:

(config network route policy 0)> interface /network/interface/eth1


(config network route policy 0)>

6. (Optional) Enable exclusive to configure the policy to drop packets that match the policy
when the gateway interface is disconnected, rather than forwarded through other interfaces:

(config network route policy 0)> exclusive true


(config network route policy 0)>

7. Select the IP version:

(config network route policy 0)> ip_version value


(config network route policy 0)>

where value is one of any, ipv4, or ipv6.


8. Set the protocol:

(config network route policy 0)> protocol value


(config network route policy 0)>

where value is one of:


- any: All protocols are matched.
- tcp: Source and destination ports are matched:
a. Set the source port:

(config network route policy 0)> src_port value


(config network route policy 0)>

where value is the port number, or the keyword any to match any port as the
source port.
b. Set the destination port:

(config network route policy 0)> dst_port value


(config network route policy 0)>

where value is the port number, or the keyword any to match any port as the
destination port.

- udp: Source and destination ports are matched:


a. Set the source port:

(config network route policy 0)> src_port value


(config network route policy 0)>

where value is the port number, or the keyword any to match any port as the
source port.
b. Set the destination port:

(config network route policy 0)> dst_port value


(config network route policy 0)>

where value is the port number, or the keyword any to match any port as the
destination port.
- icmp: The ICMP protocol is matched. Identify the ICMP type:

(config network route policy 0)> icmp_type value


(config network route policy 0)>

where value is the ICMP type and optional code, or set to any to match for any ICMP
type.
9. Set the source address type:

(config network route policy 0)> src type value


(config network route policy 0)>

where value is one of:


- zone: Matches the source IP address to the selected firewall zone. Set the zone:
a. Use the ? to determine available zones:

(config network route policy 0)> src zone ?

Zone: Match the IP address to the specified firewall zone.


Format:
any
dynamic_routes
edge
external
internal
ipsec
loopback
setup

Default value: any


Current value: any

(config network route policy 0)> src zone


b. Set the zone. For example:

(config network route policy 0)> src zone external


(config network route policy 0)>

See Firewall configuration for more information about firewall zones.


- interface: Matches the source IP address to the selected interface's network address.
Set the interface:
a. Use the ? to determine available interfaces:
b. Set the interface. For example:

(config network route policy 0)> src interface /network/interface/eth1
(config network route policy 0)>

- address: Matches the source IPv4 address to the specified IP address or network. Set
the address that will be matched:

(config network route policy 0)> src address value


(config network route policy 0)>

where value uses the format IPv4_address[/netmask], or any to match any IPv4
address.
- address6: Matches the source IPv6 address to the specified IP address or network. Set
the address that will be matched:

(config network route policy 0)> src address6 value


(config network route policy 0)>

where value uses the format IPv6_address[/prefix_length], or any to match any IPv6
address.
- mac: Matches the source MAC address to the specified MAC address. Set the MAC
address to be matched:

(config network route policy 0)> src mac MAC_address


(config network route policy 0)>

10. Set the destination address type:

(config network route policy 0)> dst type value


(config network route policy 0)>

where value is one of:


- zone: Matches the destination IP address to the selected firewall zone. Set the zone:
a. Use the ? to determine available zones:

(config network route policy 0)> dst zone ?

Zone: Match the IP address to the specified firewall zone.


Format:


any
dynamic_routes
edge
external
internal
ipsec
loopback
setup

Default value: any


Current value: any

(config network route policy 0)> dst zone

b. Set the zone. For example:

(config network route policy 0)> dst zone external


(config network route policy 0)>

See Firewall configuration for more information about firewall zones.


- interface: Matches the destination IP address to the selected interface's network
address. Set the interface:
a. Use the ? to determine available interfaces:
b. Set the interface. For example:

(config network route policy 0)> dst interface /network/interface/eth1
(config network route policy 0)>

- address: Matches the destination IPv4 address to the specified IP address or network.
Set the address that will be matched:

(config network route policy 0)> dst address value


(config network route policy 0)>

where value uses the format IPv4_address[/netmask], or any to match any IPv4
address.
- address6: Matches the destination IPv6 address to the specified IP address or network.
Set the address that will be matched:

(config network route policy 0)> dst address6 value


(config network route policy 0)>

where value uses the format IPv6_address[/prefix_length], or any to match any IPv6
address.
- mac: Matches the destination MAC address to the specified MAC address. Set the MAC
address to be matched:


(config network route policy 0)> dst mac MAC_address


(config network route policy 0)>

11. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

12. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.


Routing services
Your Connect EZ 16/32 includes support for dynamic routing services and protocols. The following
routing services are supported:

Service or protocol    Information
BGP       The Border Gateway Protocol (BGP) service supports BGP-4 (RFC1771).
IS-IS     The IPv4 and IPv6 Intermediate System to Intermediate System (IS-IS) service (RFC1142).
NHRP      Next Hop Resolution Protocol (NHRP) (RFC2332). Does not support NHRP authentication.
OSPFv2    The IPv4 Open Shortest Path First (OSPF) service supports OSPFv2 (RFC2328).
OSPFv3    The IPv6 Open Shortest Path First (OSPF) service supports OSPFv3 (RFC2740).
RIP       The IPv4 Routing Information Protocol (RIP) service supports RIPv2 (RFC2453) and RIPv1 (RFC1058).
RIPng     The IPv6 Routing Information Protocol (RIP) service supports RIPng (RFC2080).

Configure routing services


Required configuration items
- Enable routing services.
- Enable and configure the types of routing services that will be used.

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Network > Routes > Routing services.
4. Click Enable.

The default firewall zone setting, Dynamic routes, is specifically designed to work with routing
services and should be left as the default.
5. Configure the routing services that will be used:
a. Click to expand a routing service.
b. Enable the routing service.
c. Complete the configuration of the routing service.
6. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Enable routing services:

(config)> network route service enable true


(config)>

4. Configure routing services that will be used:


a. Use the ? to display available routing services:

(config)> network route service ?

Routing services: Settings for dynamic routing services and protocols.

Parameters      Current Value
-------------------------------------------------------------------------------
enable          true              Enable
zone            dynamic_routes    Zone

Additional Configuration
-------------------------------------------------------------------------------
bgp             BGP
isis            IS-IS
nhrp            NHRP
ospfv2          OSPFv2
ospfv3          OSPFv3
rip             RIP
ripng           RIPng

(config)>

b. Enable a routing service that will be used. For example, to enable the RIP service:

(config)> network route service rip enable true


(config)>

c. Complete the configuration of the routing service. For example, use the ? to view the
available parameters for the RIP service:

(config)> network route service rip ?

Parameters      Current Value
-------------------------------------------------------------------------------
ecmp            false             Allow ECMP
enable          true              Enable

Additional Configuration
-------------------------------------------------------------------------------
interface       Interfaces
neighbour       Neighbours
redis           Route redistribution
timer           Timers

(config)>

5. Save the configuration and apply the change.

(config)> save
Configuration saved.
>


6. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Show the routing table


To display the routing table:

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Status > Routes.
The Network Routing window is displayed.
4. Click IPv4 Load Balance to view IPv4 load balancing.
5. Click IPv6 Load Balance to view IPv6 load balancing.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the Admin CLI prompt, type show route:
You can limit the display to only IPv4 entries by using show route ipv4, or to IPv6 entries by
using show route ipv6. You can also display more information by adding the verbose option
to the show route and show route ip_type commands.


3. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Dynamic DNS

WARNING! The Dynamic Domain Name System uses unencrypted HTTP communication.
Please ensure you are utilizing a VPN to secure your communications.

The Domain Name System (DNS) uses name servers to provide a mapping between computer-
readable IP addresses and human-readable hostnames. This allows users to access websites and
personal networks with easy-to-remember URLs. Unfortunately, IP addresses change frequently,
invalidating these mappings when they do. Dynamic DNS has become the standard method of
addressing this problem, allowing devices to update name servers with their new IP addresses.
By providing the Connect EZ 16/32 device with the domain name and credentials obtained from a
dynamic DNS provider, the router can automatically update the remote nameserver whenever your
WAN or public IP address changes.
Your Connect EZ 16/32 device supports a number of Dynamic DNS providers as well as the ability to
provide a custom provider that is not included on the list of providers.

Configure dynamic DNS


This section describes how to configure dynamic DNS on a Connect EZ 16/32 device.

Required configuration items


- Add a new Dynamic DNS service.
- The interface that has its IP address registered with the Dynamic DNS provider.
- The name of a Dynamic DNS provider.
- The domain name that is linked to the interface's IP address.
- The username and password to authenticate with the Dynamic DNS provider.

Additional configuration items

- If the Dynamic DNS service provider is set to custom, identify the URL that should be used to
update the IP address with the Dynamic DNS provider.
- The amount of time to wait to check if the interface's IP address needs to be updated.
- The amount of time to wait to force an update of the interface's IP address.
- The amount of time to wait for an IP address update to succeed before retrying the update.
- The number of times to retry a failed IP address update.


Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Network > Dynamic DNS.
4. Type a name for this Dynamic DNS instance in Add Service and click .

The Dynamic DNS configuration page displays.

New Dynamic DNS configurations are enabled by default. To disable, toggle off Enable.
5. For Interface, select the interface that has its IP address registered with the Dynamic DNS
provider.


6. For Service, select the Dynamic DNS provider, or select custom to enter a custom URL for the
Dynamic DNS provider.
7. If custom is selected for Service, type the Custom URL that should be used to update the IP
address with the Dynamic DNS provider.
8. Type the Domain name that is linked to the interface's IP address.
9. Type the Username and Password used to authenticate with the Dynamic DNS provider.
10. (Optional) For Check Interval, type the amount of time to wait to check if the interface's IP
address needs to be updated.
Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the
format number{w|d|h|m|s}.
For example, to set Check interval to ten minutes, enter 10m or 600s.
11. (Optional) For Forced update interval, type the amount of time to wait to force an update of
the interface's IP address.
Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the
format number{w|d|h|m|s}.
For example, to set Forced update interval to ten minutes, enter 10m or 600s.
The setting for Forced update interval must be larger than the setting for Check Interval.
12. (Optional) For Retry interval, type the amount of time to wait for an IP address update to
succeed before retrying the update.
Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the
format number{w|d|h|m|s}.
For example, to set Retry interval to ten minutes, enter 10m or 600s.
13. (Optional) For Retry count, type the number of times to retry a failed IP address update.
14. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Add a new Dynamic DNS instance. For example, to add an instance named new_ddns_instance:

(config)> add network ddns new_ddns_instance


(config network ddns new_ddns_instance)>

New Dynamic DNS instances are enabled by default. To disable:

(config network ddns new_ddns_instance)> enable false


(config network ddns new_ddns_instance)>


4. Set the interface for the Dynamic DNS instance:


a. Use the ? to determine available interfaces:
b. Set the interface. For example:

(config network ddns new_ddns_instance)> interface eth1


(config network ddns new_ddns_instance)>

5. Set the Dynamic DNS provider service:


a. Use the ? to determine available services:

(config network ddns new_ddns_instance)> service ?

Service: The provider of the dynamic DNS service.


Format:
custom
3322.org
changeip.com
ddns.com.br
dnsdynamic.org
...

Default value: custom


Current value: custom

(config network ddns new_ddns_instance)> service

b. Set the service:

(config network ddns new_ddns_instance)> service service_name


(config network ddns new_ddns_instance)>

6. If custom is configured for service, set the custom URL that should be used to update the IP
address with the Dynamic DNS provider:

(config network ddns new_ddns_instance)> custom url


(config network ddns new_ddns_instance)>

7. Set the domain name that is linked to the interface's IP address:

(config network ddns new_ddns_instance)> domain domain_name


(config network ddns new_ddns_instance)>

8. Set the username to authenticate with the Dynamic DNS provider:

(config network ddns new_ddns_instance)> username name


(config network ddns new_ddns_instance)>

9. Set the password to authenticate with the Dynamic DNS provider:

(config network ddns new_ddns_instance)> password pwd


(config network ddns new_ddns_instance)>


10. (Optional) Set the amount of time to wait to check if the interface's IP address needs to be
updated:

(config network ddns new_ddns_instance)> check_interval value


(config network ddns new_ddns_instance)>

where value is any number of weeks, days, hours, minutes, or seconds, and takes the format
number{w|d|h|m|s}.
For example, to set check_interval to ten minutes, enter either 10m or 600s:

(config network ddns new_ddns_instance)> check_interval 600s


(config network ddns new_ddns_instance)>

The default is 10m.


11. (Optional) Set the amount of time to wait to force an update of the interface's IP address:

(config network ddns new_ddns_instance)> force_interval value


(config network ddns new_ddns_instance)>

where value is any number of weeks, days, hours, minutes, or seconds, and takes the format
number{w|d|h|m|s}.
For example, to set force_interval to ten minutes, enter either 10m or 600s:

(config network ddns new_ddns_instance)> force_interval 600s


(config network ddns new_ddns_instance)>

The default is 3d.


12. (Optional) Set the amount of time to wait for an IP address update to succeed before retrying
the update:

(config network ddns new_ddns_instance)> retry_interval value


(config network ddns new_ddns_instance)>

where value is any number of weeks, days, hours, minutes, or seconds, and takes the format
number{w|d|h|m|s}.
For example, to set retry_interval to ten minutes, enter either 10m or 600s:

(config network ddns new_ddns_instance)> retry_interval 600s


(config network ddns new_ddns_instance)>

The default is 60s.


13. (Optional) Set the number of times to retry a failed IP address update:

(config network ddns new_ddns_instance)> retry_count value


(config network ddns new_ddns_instance)>

where value is any integer. The default is 5.


14. Save the configuration and apply the change.


(config)> save
Configuration saved.
>

15. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
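
The interval format number{w|d|h|m|s} and the rule that the forced update interval must be larger than the check interval can be checked before a configuration is applied. The following Python is an added example, not Digi code: the dictionary layout (keys named after the CLI parameters above), the function names and the example.invalid values are assumptions, and it accepts a single number-plus-unit value only.

```python
import re

# Seconds per unit for the number{w|d|h|m|s} format described in this guide.
UNIT_SECONDS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}
INTERVAL_RE = re.compile(r"(\d+)([wdhms])")

# Defaults stated in the command-line steps of this guide.
DEFAULTS = {
    "check_interval": "10m",
    "force_interval": "3d",
    "retry_interval": "60s",
    "retry_count": 5,
}

REQUIRED = ("interface", "service", "domain", "username", "password")


def parse_interval(text):
    """Convert a value such as '10m' or '600s' to seconds."""
    match = INTERVAL_RE.fullmatch(str(text).strip())
    if match is None:
        raise ValueError(f"{text!r} is not in the format number{{w|d|h|m|s}}")
    return int(match.group(1)) * UNIT_SECONDS[match.group(2)]


def lint_ddns(instance):
    """Return a list of problems found in one Dynamic DNS instance."""
    cfg = {**DEFAULTS, **instance}
    problems = []

    for key in REQUIRED:
        if not cfg.get(key):
            problems.append(f"missing required item: {key}")

    # A custom service needs the update URL (the 'custom' parameter).
    if cfg.get("service") == "custom" and not cfg.get("custom"):
        problems.append("service is custom but no custom URL is set")

    seconds = {}
    for key in ("check_interval", "force_interval", "retry_interval"):
        try:
            seconds[key] = parse_interval(cfg[key])
        except ValueError as exc:
            problems.append(f"{key}: {exc}")

    # The guide requires the forced update interval to exceed the check interval.
    if "check_interval" in seconds and "force_interval" in seconds:
        if seconds["force_interval"] <= seconds["check_interval"]:
            problems.append("force_interval must be larger than check_interval")

    count = cfg["retry_count"]
    if isinstance(count, bool) or not isinstance(count, int):
        problems.append("retry_count must be an integer")

    return problems


if __name__ == "__main__":
    # Constructed sample instance; every value is a placeholder.
    sample = {
        "interface": "eth1",
        "service": "custom",
        "custom": "https://ddns.example.invalid/update",
        "domain": "site1.example.invalid",
        "username": "name",
        "password": "pwd",
        "check_interval": "1h",
        "force_interval": "600s",
    }
    for problem in lint_ddns(sample):
        print(problem)
```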

Virtual Router Redundancy Protocol (VRRP)


Virtual Router Redundancy Protocol (VRRP) is a standard for gateway device redundancy and failover
that creates a "virtual router" with a floating IP address. Devices connected to the LAN then use this
virtual router as their default gateway. Responsibility for the virtual router is assigned to one of the
VRRP-enabled devices on a LAN (the "master router"), and this responsibility transparently fails over
to backup VRRP devices if the master router fails. This prevents the default gateway from being a
single point of failure, without requiring configuration of dynamic routing or router discovery
protocols on every host.
Multiple Connect EZ 16/32 devices can be configured as VRRP devices and assigned a priority. The
router with the highest priority will be used as the master router. If the master router fails, then the IP
address of the virtual router is mapped to the backup device with the next highest priority. Each VRRP
router is configured with a unique LAN IP address, and the same shared VRRP address.

VRRP+
VRRP+ is an extension to the VRRP standard that uses network probing to monitor connections
through VRRP-enabled devices and can dynamically change the priority of the devices, including
changing devices from master to backup, and from backup to master, even if the device has not
failed. For example, if a host becomes unreachable on the far end of a network link, then the physical
default gateway can be changed by adjusting the VRRP priority of the Connect EZ device connected to
the failing link. This provides failover capabilities based on the status of connections behind the
router, in addition to the basic VRRP device failover. For Connect EZ 16/32 devices, SureLink is used to
probe network connections.
VRRP+ can be configured to probe a specified IP address by either sending an ICMP echo request
(ping) or attempting to open a TCP socket to the IP address.

Configure VRRP
This section describes how to configure VRRP on a Connect EZ 16/32 device.

Required configuration items


- Enable VRRP.
- The interface used by VRRP.
- The Router ID that identifies the virtual router instance. The Router ID must be the same on all
  VRRP devices that participate in the same VRRP device pool.
- The VRRP priority of this device.
- The shared virtual IP address for the VRRP virtual router. Devices connected to the LAN will use
  this virtual IP address as their default gateway.


See Configure VRRP+ for information about configuring VRRP+, an extension to VRRP that uses
network probing to monitor connections through VRRP-enabled devices and dynamically change the
VRRP priority of devices based on the status of their network connectivity.

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Network > VRRP.
4. For Add VRRP instance, type a name for the VRRP instance and click .

The new VRRP instance configuration is displayed.

5. Click Enable.
6. For Interface, select the interface on which this VRRP instance should run.


7. For Router ID, type the ID of the virtual router instance. The Router ID must be the same
on all VRRP devices that participate in the same VRRP device pool. Allowed values are from 1
to 255, and it is configured to 50 by default.
8. For Priority, type the priority for this router in the group. The router with the highest priority
will be used as the master router. If the master router fails, then the IP address of the virtual
router is mapped to the backup device with the next highest priority. If this device's actual IP
address is being used as the virtual IP address of the VRRP pool, then the priority of this device
should be set to 255. Allowed values are from 1 to 255, and it is configured to 100 by
default.
9. (Optional) For Password, type a password that will be used to authenticate this VRRP router
with VRRP peers. If the password length exceeds 8 characters, it will be truncated to 8
characters.
10. Configure the virtual IP addresses associated with this VRRP instance:
a. Click to expand Virtual IP addresses.
b. Click the add icon to add a virtual IP address.

c. For Virtual IP, type the IPv4 or IPv6 address for a virtual IP of this VRRP instance.
d. (Optional) Repeat to add additional virtual IPs.
11. See Configure VRRP+ for information about configuring VRRP+.
12. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Add a VRRP instance. For example:

(config)> add network vrrp VRRP_test


(config network vrrp VRRP_test)>

4. Enable the VRRP instance:

(config network vrrp VRRP_test)> enable true


(config network vrrp VRRP_test)>

5. Set the interface on which this VRRP instance should run:


a. Use the ? to determine available interfaces:


b. Set the interface, for example:

(config network vrrp VRRP_test)> interface /network/interface/eth2


(config network vrrp VRRP_test)>

c. Repeat for additional interfaces.


6. Set the router ID. The Router ID must be the same on all VRRP devices that participate in the
same VRRP device pool. Allowed values are from 1 to 255, and it is configured to 50 by
default.

(config network vrrp VRRP_test)> router_id int


(config network vrrp VRRP_test)>

7. Set the priority for this router in the group. The router with the highest priority will be used as
the master router. If the master router fails, then the IP address of the virtual router is mapped
to the backup device with the next highest priority. If this device's actual IP address is being
used as the virtual IP address of the VRRP pool, then the priority of this device should be set to
255. Allowed values are from 1 to 255, and it is configured to 100 by default.

(config network vrrp VRRP_test)> priority int


(config network vrrp VRRP_test)>

8. (Optional) Set a password that will be used to authenticate this VRRP router with VRRP peers. If
the password length exceeds 8 characters, it will be truncated to 8 characters.

(config network vrrp VRRP_test)> password pwd


(config network vrrp VRRP_test)>

9. Add a virtual IP address associated with this VRRP instance. This can be an IPv4 or IPv6
address.

(config network vrrp VRRP_test)> add virtual_address end ip_address


(config network vrrp VRRP_test)>

Additional virtual IP addresses can be added by repeating this step with different values for
ip_address.
10. Save the configuration and apply the change.

(config network vrrp VRRP_test)> save


Configuration saved.
>

11. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Configure VRRP+
VRRP+ is an extension to the VRRP standard that uses SureLink network probing to monitor
connections through VRRP-enabled devices and adjust devices' VRRP priority based on the status of
the SureLink tests.
This section describes how to configure VRRP+ on a Connect EZ 16/32 device.


Required configuration items


- Both master and backup devices:
  - A configured and enabled instance of VRRP. See Configure VRRP for information.
  - Enable VRRP+.
  - WAN interfaces to be monitored by using VRRP+.

    Note SureLink is enabled by default on all WAN interfaces, and should not be disabled on
    the WAN interfaces that are being monitored by VRRP+.
    If multiple WAN interfaces are being monitored on the same device, the VRRP priority will
    be adjusted only if all WAN interfaces fail SureLink tests.

  - The amount that the VRRP priority will be modified when SureLink determines that the
    VRRP interface is not functioning correctly.
  - Configure the VRRP interface's DHCP server to use a custom gateway that corresponds to
    one of the VRRP virtual IP addresses.
- Backup devices only:
  - Enable and configure SureLink on the VRRP interface.
  - Set the IP gateway to the IP address of the VRRP interface on the master device.

Additional configuration items


- For backup VRRP devices, enable the ability to monitor the VRRP master, so that a backup
  device can increase its priority when the master device fails SureLink tests.

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Network > VRRP.


4. Create a new VRRP instance, or click to expand an existing VRRP instance.
See Configure VRRP for information about creating a new VRRP instance.
5. Click to expand VRRP+.

6. Click Enable.
7. Add interfaces to monitor:
a. Click to expand Monitor interfaces.
b. Click the add icon to add an interface for monitoring.

c. For Interface, select the local interface to monitor. Generally, this will be a cellular or WAN
interface.
d. (Optional) Click the add icon again to add additional interfaces.
8. (Optional) For backup devices, click to enable Monitor VRRP+ master.
This parameter allows a backup VRRP device to monitor the master device, and increase its
priority when the master device is failing SureLink tests. This can allow a device functioning as
a backup device to promote itself to master.
9. For Priority modifier, type or select the amount that the device's priority should be decreased
due to SureLink connectivity failure, and increased when SureLink succeeds again.
Along with the priority settings for devices in this VRRP pool, the amount entered here should
be large enough to automatically demote a master device when SureLink connectivity fails. For
example, if the VRRP master device has a priority of 100 and the backup device has a priority
of 80, then the Priority modifier should be set to an amount greater than 20 so that if
SureLink fails on the master, it will lower its priority to below 80, and the backup device will
assume the master role.
10. Configure the VRRP interface. The VRRP interface is defined in the Interface parameter of the
VRRP configuration, and generally should be a LAN interface:


To configure the VRRP interface:


a. Click to expand Network > Interfaces.
b. Click to expand the appropriate VRRP interface (for example, LAN1).
c. For backup devices, for Default Gateway, type the IP address of the VRRP interface on the
master device.

d. Configure the VRRP interface's DHCP server to use a custom gateway that corresponds to
one of the VRRP virtual IP addresses:
i. Click to expand DHCP Server > Advanced settings.
ii. For Gateway, select Custom.
iii. For Custom gateway, enter the IP address of one of the virtual IPs used by this VRRP
instance.

e. For backup devices, enable and configure SureLink on the VRRP interface. Generally, this
should be a LAN interface; VRRP+ will then monitor the LAN using SureLink to determine if
the interface has network connectivity and promote a backup to master if SureLink fails.
i. Click to expand IPv4 > SureLink.
ii. Click Enable.
iii. For Interval, type the amount of time to wait between connectivity tests. To
guarantee seamless internet access for VRRP+ purposes, SureLink tests should occur
more often than the default of 15 minutes.


Allowed values are any number of weeks, days, hours, minutes, or seconds, and take
the format number{w|d|h|m|s}. For example, to set Interval to five seconds, enter 5s.
iv. Click to expand Test targets > Test target.
v. Configure the test target. For example, to configure SureLink to verify internet
connectivity on the LAN by pinging https://remotemanager.digi.com:
i. For Test Type, select Ping test.
ii. For Ping host, type https://remotemanager.digi.com.

11. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Create a new VRRP instance, or edit an existing one. See Configure VRRP for information about
creating a new VRRP instance.
4. Enable VRRP+:

(config)> network vrrp VRRP_test vrrp_plus enable true


(config)>

5. Add interfaces to monitor. Generally, this will be a cellular or WAN interface.


a. Use the ? to determine available interfaces:
b. Set the interface, for example:

(config)> add network vrrp VRRP_test vrrp_plus monitor_interface end /network/interface/modem
(config)>

c. (Optional) Repeat for additional interfaces.


6. Set the amount that the device's priority should be decreased or increased due to SureLink
connectivity failure or success:

(config)> network vrrp VRRP_test vrrp_plus weight value


(config)>

where value is an integer between 1 and 254. The default is 10.


Along with the priority settings for devices in this VRRP pool, the amount entered here should
be large enough to automatically demote a master device when SureLink connectivity fails. For
example, if the VRRP master device has a priority of 100 and the backup device has a priority
of 80, then weight should be set to an amount greater than 20 so that if SureLink fails on the
master, it will lower its priority to below 80, and the backup device will assume the master
role.
7. (Optional) For backup devices, enable the ability for the device to monitor the master device.
This allows a backup VRRP device to monitor the master device, and increase its priority when
the master device is failing SureLink tests. This can allow a device functioning as a backup
device to promote itself to master.

(config)> network vrrp VRRP_test vrrp_plus monitor_master true


(config)>

8. Configure the VRRP interface:


a. Configure the VRRP interface's DHCP server to use a custom gateway that corresponds to
one of the VRRP virtual IP addresses:
i. Set the DHCP server gateway type to custom:

(config)> network interface eth2 ipv4 dhcp_server advanced gateway custom
(config)>

ii. Determine the VRRP virtual IP addresses:

(config)> show network vrrp VRRP_test virtual_address


0 192.168.3.3
1 10.10.10.1

(config)>

iii. Set the custom gateway to one of the VRRP virtual IP addresses. For example:

(config)> network interface eth2 ipv4 dhcp_server advanced gateway_custom 192.168.3.3
(config)>

b. For backup devices, set the default gateway to the IP address of the VRRP interface on the
master device. For example:

(config)> network interface eth2 ipv4 gateway 192.168.3.1


(config)>


c. For backup devices, enable and configure SureLink on the VRRP interface.
i. Determine the VRRP interface. Generally, this should be a LAN interface; VRRP+ will
then monitor the LAN using SureLink to determine if the interface has network
connectivity and promote a backup to master if SureLink fails.

(config)> show network vrrp VRRP_test interface


/network/interface/eth2
(config)>

ii. Enable SureLink on the interface:

(config)> network interface eth2 ipv4 surelink enable true


(config)>

iii. Set the amount of time to wait between connectivity tests:

(config)> network interface eth2 ipv4 surelink interval value


(config)>

where value is any number of weeks, days, hours, minutes, or seconds, and takes the
format number{w|d|h|m|s}.
For example, to set interval to five seconds, enter 5s:

(config)> network interface eth2 ipv4 surelink interval 5s


(config)>

iv. Create a SureLink test target:

(config)> add network interface eth2 ipv4 surelink target end


(config network interface eth2 ipv4 surelink target 0)>

v. Configure the type of test for the test target:

(config network interface eth2 ipv4 surelink target 0)> test value
(config network interface eth2 ipv4 surelink target 0)>

where value is one of:


- ping: Tests connectivity by sending an ICMP echo request to a specified
  hostname or IP address.
  - Specify the hostname or IP address:

(config network interface eth2 ipv4 surelink target 0)> ping_host host
(config network interface eth2 ipv4 surelink target 0)>

  - (Optional) Set the size, in bytes, of the ping packet:

(config network interface eth2 ipv4 surelink target 0)> ping_size [num]
(config network interface eth2 ipv4 surelink target 0)>


- dns: Tests connectivity by sending a DNS query to the specified DNS server.
  - Specify the DNS server. Allowed value is the IP address of the DNS server.

(config network interface eth2 ipv4 surelink target 0)> dns_server ip_address
(config network interface eth2 ipv4 surelink target 0)>

- dns_configured: Tests connectivity by sending a DNS query to the DNS servers
  configured for this interface.
- http: Tests connectivity by sending an HTTP or HTTPS GET request to the
  specified URL.
  - Specify the URL:

(config network interface eth2 ipv4 surelink target 0)> http_url value
(config network interface eth2 ipv4 surelink target 0)>

where value uses the format http[s]://hostname/[path]

- interface_up: The interface is considered to be down based on the interface's
  down time, and the amount of time an initial connection to the interface takes
  before this test is considered to have failed.
  - (Optional) Set the amount of time that the interface can be down before
    this test is considered to have failed:

(config network interface eth2 ipv4 surelink target 0)> interface_down_time value
(config network interface eth2 ipv4 surelink target 0)>

where value is any number of weeks, days, hours, minutes, or seconds, and
takes the format number{w|d|h|m|s}.
For example, to set interface_down_time to ten minutes, enter either
10m or 600s:

(config network interface eth2 ipv4 surelink target 0)> interface_down_time 600s
(config network interface eth2 ipv4 surelink target 0)>

The default is 60 seconds.

  - (Optional) Set the amount of time to wait for an initial connection to the
    interface before this test is considered to have failed:

(config network interface eth2 ipv4 surelink target 0)> interface_timeout value
(config network interface eth2 ipv4 surelink target 0)>

where value is any number of weeks, days, hours, minutes, or seconds, and
takes the format number{w|d|h|m|s}.


For example, to set interface_timeout to ten minutes, enter either 10m or
600s:

(config network interface eth2 ipv4 surelink target 0)> interface_timeout 600s
(config network interface eth2 ipv4 surelink target 0)>

The default is 60 seconds.


9. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

10. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
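
The pool rules in this section (shared Router ID and virtual IP, unique LAN addresses, the stated value ranges, and a priority modifier larger than the gap between master and backup) can be checked offline before devices are deployed. The following Python is an added example, not Digi code; it uses the priorities and addresses from this guide's two-device example, and the VrrpDevice layout, the function names, the floor of 1 on a lowered priority and the strictly-higher takeover rule are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class VrrpDevice:
    name: str
    lan_address: str        # unique per device, for example "192.168.3.1/24"
    virtual_ips: tuple      # shared by every device in the pool
    router_id: int = 50     # guide default
    priority: int = 100     # guide default
    weight: int = 10        # VRRP+ priority modifier, guide default
    # Monitored WAN interface -> True while its SureLink tests pass.
    monitored: dict = field(default_factory=dict)


def effective_priority(dev):
    """Priority after VRRP+ adjustment.

    The guide states the priority is adjusted only if all monitored WAN
    interfaces fail SureLink. Flooring the result at 1 is an assumption.
    """
    if dev.monitored and not any(dev.monitored.values()):
        return max(dev.priority - dev.weight, 1)
    return dev.priority


def elect_master(devices, current):
    """Return the master's name. Assumption: a backup takes over only when
    its effective priority is strictly higher than the current master's."""
    incumbent = next(d for d in devices if d.name == current)
    best = max(devices, key=effective_priority)
    if effective_priority(best) > effective_priority(incumbent):
        return best.name
    return current


def lint_pool(devices):
    """Check a VRRP pool against the rules stated in this guide."""
    problems = []
    if len({d.router_id for d in devices}) != 1:
        problems.append("router_id differs between pool members")
    if len({frozenset(d.virtual_ips) for d in devices}) != 1:
        problems.append("virtual IP addresses differ between pool members")
    hosts = [ipaddress.ip_interface(d.lan_address).ip for d in devices]
    if len(set(hosts)) != len(hosts):
        problems.append("LAN IP addresses are not unique")
    for dev, host in zip(devices, hosts):
        if not 1 <= dev.router_id <= 255:
            problems.append(f"{dev.name}: router_id outside 1-255")
        if not 1 <= dev.priority <= 255:
            problems.append(f"{dev.name}: priority outside 1-255")
        if not 1 <= dev.weight <= 254:
            problems.append(f"{dev.name}: weight outside 1-254")
        vips = {ipaddress.ip_address(v) for v in dev.virtual_ips}
        if host in vips and dev.priority != 255:
            problems.append(f"{dev.name}: owns a virtual IP, priority should be 255")
    # The modifier must push the master below the best backup on failure.
    master = max(devices, key=lambda d: d.priority)
    backups = [d for d in devices if d is not master]
    if backups:
        best_backup = max(backups, key=lambda d: d.priority)
        if master.priority - master.weight >= best_backup.priority:
            problems.append(
                f"{master.name}: weight {master.weight} does not lower its "
                f"priority below {best_backup.name} ({best_backup.priority})")
    return problems


def sample_pool(weight=30):
    """Constructed pool using the values from this guide's example."""
    vip = ("192.168.3.3",)
    return [
        VrrpDevice("device_one", "192.168.3.1/24", vip, priority=100,
                   weight=weight, monitored={"modem": True}),
        VrrpDevice("device_two", "192.168.3.2/24", vip, priority=80,
                   weight=weight, monitored={"modem": True}),
    ]


if __name__ == "__main__":
    pool = sample_pool()
    print("lint:", lint_pool(pool))
    pool[0].monitored["modem"] = False   # SureLink fails on the master's WAN
    print("master after WAN failure:", elect_master(pool, "device_one"))
```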

Example: VRRP/VRRP+ configuration


This example configuration creates a VRRP pool containing two Connect EZ 16/32 devices:

Configure device one (master device)


Web

Task 1: Configure VRRP on device one


1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Network > VRRP.


4. For Add VRRP instance, type a name for the VRRP instance and click .

The new VRRP instance configuration is displayed.

5. Click Enable.
6. For Interface, select Interface: ETH2.
7. For Router ID, leave at the default setting of 50.
8. For Priority, leave at the default setting of 100.
9. Click to expand Virtual IP addresses.
10. Click the add icon to add a virtual IP address.

11. For Virtual IP, type 192.168.3.3.

Task 2: Configure VRRP+ on device one


1. Click to expand VRRP+.
2. Click Enable.
3. Click to expand Monitor interfaces.
4. Click the add icon to add an interface for monitoring.

5. Select Interface: Modem.


6. For Priority modifier, type 30.


Task 3: Configure the IP address for the VRRP interface, ETH2, on device one
1. Click Network > Interfaces > ETH2 > IPv4
2. For Address, type 192.168.3.1/24.

Task 4: Configure the DHCP server for ETH2 on device one


1. Click to expand Network > Interfaces > ETH2 > IPv4 > DHCP Server
2. For Lease range start, leave at the default of 100.
3. For Lease range end, type 199.
4. Click to expand Advanced settings.
5. For Gateway, select Custom.
6. For Custom gateway, enter 192.168.3.3.

7. Click Apply to save the configuration and apply the change.

Command line

Task 1: Configure VRRP on device one


1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Create the VRRP instance:

(config)> add network vrrp VRRP_test


(config network vrrp VRRP_test)>


4. Enable the VRRP instance:

(config network vrrp VRRP_test)> enable true


(config network vrrp VRRP_test)>

5. Set the VRRP interface to ETH2:

(config network vrrp VRRP_test)> interface /network/interface/eth2


(config network vrrp VRRP_test)>

6. Add the virtual IP address associated with this VRRP instance.

(config network vrrp VRRP_test)> add virtual_address end 192.168.3.3


(config network vrrp VRRP_test)>

Task 2: Configure VRRP+ on device one


1. Enable VRRP+:

(config network vrrp VRRP_test)> vrrp_plus enable true


(config network vrrp VRRP_test)>

2. Add the interface to monitor:

(config network vrrp VRRP_test)> add vrrp_plus monitor_interface end /network/interface/modem
(config network vrrp VRRP_test)>

3. Set the amount that the device's priority should be decreased or increased due to SureLink
connectivity failure or success to 30:

(config network vrrp VRRP_test)> vrrp_plus weight 30
(config network vrrp VRRP_test)>

Task 3: Configure the IP address for the VRRP interface, ETH2, on device one
1. Type ... to return to the root of the config prompt:

(config network vrrp VRRP_test)> ...


(config)>

2. Set the IP address for ETH2:

(config)> network interface eth2 ipv4 address 192.168.3.1/24


(config)>


Task 4: Configure the DHCP server for ETH2 on device one


1. Set the start and end addresses of the DHCP pool to use to assign DHCP addresses to clients:
a. Set the start address to 100:

(config)> network interface eth2 ipv4 dhcp_server lease_start 100


(config)>

b. Set the end address to 199:

(config)> network interface eth2 ipv4 dhcp_server lease_end 199


(config)>

2. Set the DHCP server gateway type to custom:

(config)> network interface eth2 ipv4 dhcp_server advanced gateway custom


(config)>

3. Set the custom gateway to 192.168.3.3:

(config)> network interface eth2 ipv4 dhcp_server advanced gateway_custom 192.168.3.3
(config)>

4. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

5. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Configure device two (backup device)


Web

Task 1: Configure VRRP on device two


1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.


Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Network > VRRP.
4. For Add VRRP instance, type a name for the VRRP instance and click the add icon.

The new VRRP instance configuration is displayed.

5. Click Enable.
6. For Interface, select Interface: ETH2.
7. For Router ID, leave at the default setting of 50.
8. For Priority, type 80.
9. Click to expand Virtual IP addresses.
10. Click the add icon to add a virtual IP address.

11. For Virtual IP, type 192.168.3.3.

Task 2: Configure VRRP+ on device two


1. Click to expand VRRP+.
2. Click Enable.
3. Click to expand Monitor interfaces.


4. Click the add icon to add an interface for monitoring.

5. Select Interface: Modem.


6. Click to enable Monitor VRRP+ master.
7. For Priority modifier, type 30.

Task 3: Configure the IP address for the VRRP interface, ETH2, on device two
1. Click Network > Interfaces > ETH2 > IPv4.
2. For Address, type 192.168.3.2/24.
3. For Default gateway, type the IP address of the VRRP interface on the master device,
configured above in Task 3, step 2 (192.168.3.1).

Task 4: Configure SureLink for ETH2 on device two


1. Click Network > Interfaces > ETH2 > IPv4 > SureLink.
2. Click Enable.
3. For Interval, type 15s.
4. Click to expand Test targets > Test target.
5. For Test Type, select Ping test.
6. For Ping host, type https://remotemanager.digi.com.

Task 5: Configure the DHCP server for ETH2 on device two


1. Click to expand Network > Interfaces > ETH2 > IPv4 > DHCP Server.
2. For Lease range start, type 200.


3. For Lease range end, type 250.


4. Click Advanced settings.
5. For Gateway, select Custom.
6. For Custom gateway, enter 192.168.3.3.

7. Click Apply to save the configuration and apply the change.

Command line

Task 1: Configure VRRP on device two


1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Create the VRRP instance:

(config)> add network vrrp VRRP_test


(config network vrrp VRRP_test)>

4. Enable the VRRP instance:

(config network vrrp VRRP_test)> enable true


(config network vrrp VRRP_test)>

5. Set the VRRP interface to ETH2:

(config network vrrp VRRP_test)> interface /network/interface/eth2


(config network vrrp VRRP_test)>

6. Add the virtual IP address associated with this VRRP instance.

(config network vrrp VRRP_test)> add virtual_address end 192.168.3.3


(config network vrrp VRRP_test)>


Task 2: Configure VRRP+ on device two


1. Enable VRRP+:

(config network vrrp VRRP_test)> vrrp_plus enable true


(config network vrrp VRRP_test )>

2. Add the interface to monitor:

(config network vrrp VRRP_test)> add vrrp_plus monitor_interface end /network/interface/modem
(config network vrrp VRRP_test)>

3. Enable the ability to monitor the master device:

(config network vrrp VRRP_test)> vrrp_plus monitor_master true


(config network vrrp VRRP_test)>

4. Set the amount that the device's priority should be decreased or increased due to SureLink
connectivity failure or success to 30:

(config network vrrp VRRP_test )> network vrrp VRRP_test vrrp_plus weight 30
(config network vrrp VRRP_test )>

Task 3: Configure the IP address for the VRRP interface, ETH2, on device two
1. Type ... to return to the root of the config prompt:

(config network vrrp VRRP_test )> ...


(config)>

2. Set the IP address for ETH2:

(config)> network interface eth2 ipv4 address 192.168.3.2/24


(config)>

3. Set the default gateway to the IP address of the VRRP interface on the master device,
configured above in Task 3, step 2 (192.168.3.1).

(config)> network interface eth2 ipv4 gateway 192.168.3.1


(config)>

Task 4: Configure SureLink for ETH2 on device two


1. Enable SureLink on the ETH2 interface:

(config)> network interface eth2 ipv4 surelink enable true


(config)>


2. Create a SureLink test target:

(config)> add network interface eth2 ipv4 surelink target end


(config network interface eth2 ipv4 surelink target 0)>

3. Set the type of test to ping:

(config network interface eth2 ipv4 surelink target 0)> test ping
(config network interface eth2 ipv4 surelink target 0)>

4. Set https://remotemanager.digi.com as the hostname to ping:

(config network interface eth2 ipv4 surelink target 0)> ping_host https://remotemanager.digi.com
(config network interface eth2 ipv4 surelink target 0)>

Task 5: Configure the DHCP server for ETH2 on device two


1. Type ... to return to the root of the configuration prompt:

(config network interface eth2 ipv4 surelink target 0)> ...


(config)>

2. Set the start and end addresses of the DHCP pool to use to assign DHCP addresses to clients:
a. Set the start address to 200:

(config)> network interface eth2 ipv4 dhcp_server lease_start 200


(config)>

b. Set the end address to 250:

(config)> network interface eth2 ipv4 dhcp_server lease_end 250


(config)>

3. Set the DHCP server gateway type to custom:

(config)> network interface eth2 ipv4 dhcp_server advanced gateway custom


(config)>

4. Set the custom gateway to 192.168.3.3:

(config)> network interface eth2 ipv4 dhcp_server advanced gateway_custom 192.168.3.3
(config)>

5. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

6. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
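
The two-device procedure above only fails over cleanly when both configurations agree with each other. The following Python check is an added example, not part of the Digi guide or firmware; it runs over constructed settings that mirror the values in the tasks above. The dictionary keys are hypothetical labels, the master priority of 100 is an assumption (it is not set in this section), and lease_start/lease_end are assumed to be host offsets within the ETH2 subnet.

```python
import ipaddress

# Constructed settings mirroring the tasks above. Keys are hypothetical labels
# for this script, not device CLI paths.
DEVICE_ONE = {
    "address": "192.168.3.1/24",
    "virtual_ip": "192.168.3.3",
    "priority": 100,  # assumption: the master priority is not shown in this section
    "weight": 30,     # VRRP+ priority modifier
    "lease_start": 100,
    "lease_end": 199,
    "dhcp_gateway": "192.168.3.3",
}
DEVICE_TWO = {
    "address": "192.168.3.2/24",
    "virtual_ip": "192.168.3.3",
    "priority": 80,
    "weight": 30,
    "lease_start": 200,
    "lease_end": 250,
    "dhcp_gateway": "192.168.3.3",
}


def pool(dev):
    """Return (first, last) lease addresses, treating lease_start and
    lease_end as host offsets in the interface subnet (assumption)."""
    net = ipaddress.ip_interface(dev["address"]).network
    return (net.network_address + dev["lease_start"],
            net.network_address + dev["lease_end"])


def audit_pair(master, backup):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    m_if = ipaddress.ip_interface(master["address"])
    b_if = ipaddress.ip_interface(backup["address"])
    vip = ipaddress.ip_address(master["virtual_ip"])

    if master["virtual_ip"] != backup["virtual_ip"]:
        findings.append("virtual IP differs between devices")
    if m_if.network != b_if.network:
        findings.append("interface addresses are in different subnets")
    if vip not in m_if.network:
        findings.append("virtual IP is outside the interface subnet")
    if m_if.ip == b_if.ip:
        findings.append("both devices use the same interface address")
    if master["priority"] <= backup["priority"]:
        findings.append("master priority is not higher than backup priority")
    # After a SureLink failure the master's priority drops by its weight.
    # Failover only happens if that pushes it below the backup's priority.
    if master["priority"] - master["weight"] >= backup["priority"]:
        findings.append("VRRP+ weight too small to trigger failover")

    reserved = (("virtual IP", vip),
                ("master address", m_if.ip),
                ("backup address", b_if.ip))
    pools = {}
    for role, dev in (("master", master), ("backup", backup)):
        first, last = pool(dev)
        pools[role] = (first, last)
        if first > last:
            findings.append(f"{role} DHCP pool start is after its end")
        for label, addr in reserved:
            if first <= addr <= last:
                findings.append(f"{role} DHCP pool contains the {label}")
        # Clients must be handed the virtual IP so a failover is invisible to them.
        if dev["dhcp_gateway"] != dev["virtual_ip"]:
            findings.append(f"{role} DHCP gateway is not the virtual IP")

    (m_first, m_last), (b_first, b_last) = pools["master"], pools["backup"]
    if m_first <= b_last and b_first <= m_last:
        findings.append("DHCP pools overlap")
    return findings


if __name__ == "__main__":
    for finding in audit_pair(DEVICE_ONE, DEVICE_TWO) or ["no findings"]:
        print(finding)
```
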


Show VRRP status and statistics


This section describes how to display VRRP status and statistics for a Connect EZ device. VRRP status
is available from the Web UI only.

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Status > VRRP.
The Virtual Router Redundancy Protocol window is displayed.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.


2. At the Admin CLI prompt, type show vrrp:

> show vrrp

VRRP       Status  Proto  State   Virtual IP
----       ------  -----  ------  -------------
VRRP_test  Up      IPv4   Backup  10.10.10.1
VRRP_test  Up      IPv4   Backup  100.100.100.1
>

3. To display additional information about a specific VRRP instance, at the Admin CLI prompt,
type show vrrp name name:

> show vrrp name VRRP_test

VRRP_test VRRP Status
---------------------
Enabled : True
Status : Up
Interface : lan

IPv4
----
Virtual IP address(es) : 10.10.10.1, 100.100.100.1
Current State : Master
Current Priority : 100
Last Transition : Tue Jan 1 00:00:39 2019
Became Master : 1
Released Master : 0
Adverts Sent : 71
Adverts Received : 4
Priority Zero Sent : 0
Priority zero Received : 0

>



Virtual Private Networks (VPN)
Virtual Private Networks (VPNs) are used to securely connect two private networks together so that
devices can connect from one network to the other using secure channels.
This chapter contains the following topics:

IPsec
OpenVPN
Generic Routing Encapsulation (GRE)
Dynamic Multipoint VPN (DMVPN)
L2TP
L2TPv3 Ethernet
MACsec
NEMO
WireGuard VPN



Virtual Private Networks (VPN) IPsec

IPsec
IPsec is a suite of protocols for creating a secure communication link—an IPsec tunnel—between a
host and a remote IP network or between two IP networks across a public network such as the
Internet.

IPsec data protection


IPsec protects the data being sent across a public network by providing the following:
Data origin authentication
Authentication of data to validate the origin of data when it is received.
Data integrity
Authentication of data to ensure it has not been modified during transmission.
Data confidentiality
Encryption of data sent across the IPsec tunnel to ensure that an unauthorized device cannot read
the data.
Anti-Replay
Authentication of data to ensure an unauthorized device has not injected it into the IPsec tunnel.

IPsec mode
IPsec on the Connect EZ 16/32 can be set to run in one of two modes: Tunnel or Transport.
Tunnel
The entire IP packet is encrypted and/or authenticated and then encapsulated as the payload in a
new IP packet.
Transport
Only the payload of the IP packet is encrypted and/or authenticated. The IP header is left
untouched. This mode has limitations when using an authentication header, because the IP
addresses in the IP header cannot be translated (for example, with Network Address Translation
(NAT)), as that would invalidate the authentication hash value.

Internet Key Exchange (IKE) settings


IKE is a key management protocol that allows IPsec to negotiate the security associations (SAs) that
are used to create the secure IPsec tunnel. Both IKEv1 and IKEv2 are supported.
SA negotiations are performed in two phases, known as phase 1 and phase 2.

Phase 1
In phase 1, IKE creates a secure authenticated communication channel between the device and the
peer (the remote device which is at the other end of the IPsec tunnel) using the configured pre-shared
key and the Diffie-Hellman key exchange. This creates the IKE SAs that are used to encrypt further IKE
communications.
For IKEv1, there are two modes for the phase 1 negotiation: Main mode and Aggressive mode. IKEv2
does not use these modes.
Main mode
Main mode is the default mode. It is slower than aggressive mode, but more secure, in that all
sensitive information sent between the device and its peer is encrypted.
Aggressive mode
Aggressive mode is faster than main mode, but is not as secure, because the device
and its peer exchange their IDs and hash information in clear text rather than encrypted.
Aggressive mode is usually used when one or both of the devices have a dynamic external IP
address.

Phase 2
In phase 2, IKE negotiates the SAs for IPsec. This creates two unidirectional SAs, one for each
direction. Once the phase 2 negotiation is complete, the IPsec tunnel should be fully functional.

IPsec and IKE renegotiation


To reduce the chances of an IPsec tunnel being compromised, the IPsec SAs and IKE SA are
renegotiated at a regular interval. This results in different encryption keys being used in the IPsec
tunnel.

Authentication

Client authentication
XAUTH (extended authentication) pre-shared key authentication mode provides additional security by
using client authentication credentials in addition to the standard pre-shared key. The Connect EZ
16/32 device can be configured to authenticate with the remote peer as an XAUTH client.

RSA signatures
With RSA signatures authentication, the Connect EZ 16/32 device uses a private RSA key to
authenticate with a remote peer that is using a corresponding public key.

Certificate-based Authentication
X.509 certificate-based authentication makes use of private keys on both the server and client which
are secured and never shared. Both the server and client have a certificate which is generated with
their respective private key and signed by a Certificate Authority (CA).
The Connect EZ 16/32 implementation of IPsec can be configured to use X.509 certificate-based
authentication using the private keys and certificates, along with a root CA certificate from the signing
authority and, if available, a Certificate Revocation List (CRL).

Configure an IPsec tunnel


Configuring an IPsec tunnel with a remote device involves configuring the following items:

Required configuration items


- IPsec tunnel configuration items:
  - A name for the tunnel.

    Note: If the tunnel name is more than eight characters, the name will be truncated in the
    underlying network interface to the first six characters followed by three digits,
    incrementing from 000. This affects any custom scripts or firewall rules that may be trying
    to adjust the tunnel’s interface or routing table entries.

  - The mode: either tunnel or transport.


  - Enable the IPsec tunnel.
    The IPsec tunnel is enabled by default.
  - The firewall zone of the IPsec tunnel.
  - The routing metric for routes associated with this IPsec tunnel.
  - The authentication type and pre-shared key or other applicable keys and certificates.
    If SCEP certificates will be selected as the Authentication type, create the SCEP client prior
    to configuring the IPsec tunnel. See Configure a Simple Certificate Enrollment Protocol
    client for instructions.
  - The local endpoint type and ID values, and the remote endpoint host and ID values.
- IKE configuration items:
  - The IKE version, either IKEv1 or IKEv2.
  - Whether to initiate a key exchange or wait for an incoming request.
  - The IKE mode, either main or aggressive.
  - The IKE authentication protocol to use for the IPsec tunnel negotiation during phase 1 and
    phase 2.
  - The IKE encryption protocol to use for the IPsec tunnel negotiation during phase 1 and
    phase 2.
  - The IKE Diffie-Hellman group to use for the IPsec tunnel negotiation during phase 1 and
    phase 2.
- Enable dead peer detection and configure the delay and timeout.
- Destination networks that require source NAT.
- Active recovery configuration. See Configure SureLink active recovery for IPsec for information
  about IPsec active recovery.

Additional configuration items


The following additional configuration settings are not typically configured to get an IPsec tunnel
working, but can be configured as needed:
- Determine whether the device should use UDP encapsulation even when it does not detect
  that NAT is being used.
- If using IPsec failover, identify the primary tunnel during configuration of the backup tunnel.
- The Network Address Translation (NAT) keep alive time.
- The protocol, either Encapsulating Security Payload (ESP) or Authentication Header (AH).
- The management priority for the IPsec tunnel interface. The active interface with the highest
  management priority will have its address reported as the preferred contact address for central
  management and direct device access.
- Enable XAUTH client authentication, and the username and password to be used to
  authenticate with the remote peer.
- Enable Mode-configuration (MODECFG) to receive configuration information, such as the
  private IP address, from the remote peer.
- Disable the padding of IKE packets. This should normally not be done except for compatibility
  purposes.
- Destination networks that require source NAT.


- Depending on your network and firewall configuration, you may need to add a packet filtering
  rule to allow incoming IPsec traffic.
- Tunnel and key renegotiating:
  - The lifetime of the IPsec tunnel before it is renegotiated.
  - The amount of time before the IKE phase 1 lifetime expires.
  - The amount of time before the IKE phase 2 lifetime expires.
  - The lifetime margin, a randomizing amount of time before the IPsec tunnel is renegotiated.

Note: If the remote networks for an IPsec tunnel overlap with the networks for a WAN internet
connection (wired, cellular, or otherwise), you must configure a static route to direct the traffic either
through the IPsec tunnel, or through the WAN (outside of the IPsec tunnel). See Configure a static
route for information about configuring a static route.

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click VPN > IPsec.
4. Click to expand Tunnels.
5. For Add IPsec tunnel, type a name for the tunnel and click the add icon.


The new IPsec tunnel configuration is displayed.

6. The IPsec tunnel is enabled by default. To disable, toggle off Enable.


7. (Optional) Preferred tunnel provides an optional mechanism for IPsec failover behavior. See
Configure IPsec failover for more information.
8. (Optional) Enable Force UDP encapsulation to force the tunnel to use UDP encapsulation
even when it does not detect that NAT is being used.
9. For Zone, select the firewall zone for the IPsec tunnel. Generally this should be left at the
default of IPsec.

Note Depending on your network configuration, you may need to add a packet filtering rule to
allow incoming traffic. For example, for the IPsec zone:
a. Click to expand Firewall > Packet filtering.
b. For Add packet filter, click the add icon.
c. For Label, type Allow incoming IPsec traffic.
d. For Source zone, select IPsec.
Leave all other fields at their default settings.

10. For Metric, enter or select the priority of routes associated with this IPsec tunnel. When more
than one active route matches a destination, the route with the lowest metric is used.
The metric can also be used in tandem with SureLink to configure IPsec failover behavior. See
Configure IPsec failover for more information.
11. For Mode, select Tunnel mode. Transport mode is not currently supported.


12. Select the Mode, either:


- Tunnel mode: The entire IP packet is encrypted and/or authenticated and then
encapsulated as the payload in a new IP packet.
- Transport mode: Only the payload of the IP packet is encrypted and/or authenticated.
The IP header is unencrypted.
13. Select the Protocol, either:
- ESP (Encapsulating Security Payload): Provides encryption as well as authentication
and integrity.
- AH (Authentication Header): Provides authentication and integrity only.
14. Strict routing is disabled by default. Toggle on to enable.
Strict routing makes IPsec behave like a policy-based VPN, rather than a route-based VPN.
15. Click to expand Authentication.

a. For Authentication type, select one of the following:


- Pre-shared key: Uses a pre-shared key (PSK) to authenticate with the remote peer.
i. Type the Pre-shared key.
- Asymmetric pre-shared keys: Uses asymmetric pre-shared keys to authenticate
with the remote peer.
i. For Local key, type the local pre-shared key. This must be the same as the
remote key on the remote host.
ii. For Remote key, type the remote pre-shared key. This must be the same as
the local key on the remote host.
- RSA signature: Uses a private RSA key to authenticate with the remote peer.
i. For Private key, paste the device's private RSA key in PEM format.
ii. Type the Private key passphrase that is used to decrypt the private key.
Leave blank if the private key is not encrypted.
iii. For Peer public key, paste the peer's public RSA key in PEM format.
- SCEP certificates: Uses Simple Certificate Enrollment Protocol (SCEP) to download
a private key, certificates, and an optional Certificate Revocation List (CRL) to the
Connect EZ 16/32 device from a SCEP server.
You must create the SCEP client prior to configuring the IPsec tunnel. See Configure
a Simple Certificate Enrollment Protocol client for instructions.
i. For SCEP Client, select the SCEP client.
- X.509 certificate: Uses private key and X.509 certificates to authenticate with the
remote peer.
i. For Private key, paste the device's private RSA key in PEM format.
ii. Type the Private key passphrase that is used to decrypt the private key.
Leave blank if the private key is not encrypted.


iii. For Certificate, paste the local X.509 certificate in PEM format.
iv. For Peer verification, select either:
  - Peer certificate: For Peer certificate, paste the peer's X.509 certificate in
    PEM format.
  - Certificate Authority: For Certificate Authority chain, paste the
    Certificate Authority (CA) certificates. These must include all peer
    certificates in the chain up to the root CA certificate, in PEM format.
16. (Optional) For Management Priority, set the management priority for this IPsec tunnel. A
tunnel that is up and has the highest priority will be used for central management and direct
device access.
17. (Optional) To configure the device to connect to its remote peer as an XAUTH client:
a. Click to expand XAUTH client.

b. Click Enable.
c. Type the Username and Password that the device will use to authenticate as an
XAUTH client with the peer.
18. (Optional) Click Enable MODECFG client to receive configuration information, such as the
private IP address, from the remote peer.
19. Click to expand Local endpoint.
a. For Type, select either:
- Default route: Uses the same network interface as the default route.
- Interface: Select the Interface to be used as the local endpoint.
b. Click to expand ID.
i. Select the ID type:
- Auto: The ID will be automatically determined from the value of the tunnel's
endpoints.
- Raw: Enter an ID and have it passed unmodified to the underlying IPsec stack.
For Raw ID value, type the ID that will be passed.
- Any: Any ID will be accepted.
- IPv4: The ID will be interpreted as an IP address and sent as an ID_IPV4_ADDR
IKE identity.
For IPv4 ID value, type an IPv4 formatted ID. This can be a fully-qualified
domain name or an IPv4 address.
- IPv6: The ID will be interpreted as an IP address and sent as an ID_IPV6_ADDR
IKE identity.
For IPv6 ID value, type an IPv6 formatted ID. This can be a fully-qualified
domain name or an IPv6 address.


- RFC822/Email: The ID will be interpreted as an RFC822 (email address).
For RFC822 ID value, type the ID in internet email address format.
- FQDN: The ID will be interpreted as FQDN (Fully Qualified Domain Name) and
sent as an ID_FQDN IKE identity.
For FQDN ID value, type the ID as an FQDN.
- KeyID: The ID will be interpreted as a Key ID and sent as an ID_KEY_ID IKE
identity.
For KEYID ID value, type the key ID.
- MAC address: The device's primary MAC address will be used as the ID and
sent as an ID_KEY_ID IKE identity.
- Serial number: The device's serial number will be used as the ID and sent as an
ID_KEY_ID IKE identity.
20. Click to expand Remote endpoint.
a. For IP version, select either IPv4 or IPv6.
b. For Hostname list selection, select one of the following:
- Round robin: Attempts to connect to hostnames sequentially based on the list
order.
- Random: Randomly selects an IPsec peer to connect to from the hostname list.
- Priority ordered: Selects the first hostname in the list that is resolvable.
c. Click to expand Hostname.
i. Click the add icon next to Add Hostname.
ii. For Hostname, type a hostname or IPv4 address. If your device is not configured to
initiate the IPsec connection (see IKE > Initiate connection), you can also use the
keyword any, which means that the hostname is dynamic or unknown.
iii. Click the add icon again to add additional hostnames.
d. Click to expand ID.
i. Select the ID type:
- Auto: The ID will be automatically determined from the value of the tunnel's
endpoints.
- Raw: Enter an ID and have it passed unmodified to the underlying IPsec stack.
For Raw ID value, type the ID that will be passed.
- Any: Any ID will be accepted.
- IPv4: The ID will be interpreted as an IPv4 address and sent as an ID_IPV4_ADDR
IKE identity.
For IPv4 ID value, type an IPv4 formatted ID. This can be a fully-qualified
domain name or an IPv4 address.
- IPv6: The ID will be interpreted as an IPv6 address and sent as an ID_IPV6_ADDR
IKE identity.
For IPv6 ID value, type an IPv6 formatted ID. This can be a fully-qualified
domain name or an IPv6 address.
- RFC822/Email: The ID will be interpreted as an RFC822 (email address).
For RFC822 ID value, type the ID in internet email address format.


- FQDN: The ID will be interpreted as FQDN (Fully Qualified Domain Name) and
sent as an ID_FQDN IKE identity.
For FQDN ID value, type the ID as an FQDN.
- KeyID: The ID will be interpreted as a Key ID and sent as an ID_KEY_ID IKE
identity.
For KEYID ID value, type the key ID.
- MAC address: The device's primary MAC address will be used as the ID and
sent as an ID_KEY_ID IKE identity.
- Serial number: The device's serial number will be used as the ID and sent as an
ID_KEY_ID IKE identity.
21. Click to expand Policies.
Policies define the network traffic that will be encapsulated by this tunnel.
a. Click the add icon to create a new policy.

The new policy configuration is displayed.


b. Click to expand Local traffic selector.

c. For Type, select one of the following:


- Address: The address of a local network interface.
For Address, select the appropriate interface.
- Network: The subnet of a local network interface.
For Address, select the appropriate interface.
- Custom network: A user-defined network.
For Custom network, enter the IPv4 address and optional netmask.
- Request a network: Requests a network from the remote peer.
- Dynamic: Uses the address of the local endpoint.
d. For Protocol, select one of the following:
- Any: Matches any protocol.
- TCP: Matches TCP protocol only.
- UDP: Matches UDP protocol only.
- ICMP: Matches ICMP requests only.


- Other protocol: Matches an unlisted protocol.
If Other protocol is selected, type the number of the protocol.
e. For Port, type the port matching criteria.
Allowed values are a port number, a range of port numbers, or any.
f. (Optional) Click to expand Remote traffic selector.

g. For Remote network, enter the IP address and optional netmask of the remote network.
h. For Protocol, select one of the following:
- Any: Matches any protocol.
- TCP: Matches TCP protocol only.
- UDP: Matches UDP protocol only.
- ICMP: Matches ICMP requests only.
- Other protocol: Matches an unlisted protocol.
If Other protocol is selected, type the number of the protocol.
i. For Port, type the port matching criteria.
Allowed values are a port number, a range of port numbers, or any.
22. Click to expand IKE.

a. For IKE version, select either IKEv1 or IKEv2. This setting must match the peer's IKE
version.
b. Initiate connection instructs the device to initiate the key exchange, rather than waiting
for an incoming request. This must be disabled if Remote endpoint > Hostname is set to
any.
c. For Mode, select either Main mode or Aggressive mode.
d. For IKE fragmentation, select one of the following:
- If supported by the peer: Send oversized IKE messages in fragments, if the peer
supports receiving them.


- Always: Always send IKEv1 messages in fragments. For IKEv2, this option is
equivalent to If supported by the peer.
- Never: Do not send oversized IKE messages in fragments.
- Accept: Do not send oversized IKE messages in fragments, but announce support
for fragmentation to the peer.
The default is Always.
e. For Enable padding, click to disable the padding of IKE packets. This should normally not
be disabled except for compatibility purposes.
f. For Phase 1 lifetime, enter the amount of time after a successful negotiation until the IKE
security association expires and must be re-authenticated.
Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the
format number{w|d|h|m|s}.
For example, to set Phase 1 lifetime to ten minutes, enter 10m or 600s.
g. For Phase 2 lifetime, enter the amount of time after a successful negotiation until the IKE
security association expires and must be rekeyed.
Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the
format number{w|d|h|m|s}.
For example, to set Phase 2 lifetime to ten minutes, enter 10m or 600s.
h. For Lifetime margin, enter a randomizing amount of time before the IPsec tunnel is
renegotiated.
Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the
format number{w|d|h|m|s}.
For example, to set Lifetime margin to ten minutes, enter 10m or 600s.
i. Click to expand Phase 1 Proposals.
i. Click the add icon to create a new phase 1 proposal.
ii. For Cipher, select the type of encryption.
iii. For Hash, select the type of hash to use to verify communication integrity.
iv. For Diffie-Hellman group, select the type of Diffie-Hellman group to use for key
exchange.
v. You can add additional Phase 1 proposals by clicking the add icon next to Add Phase 1
Proposal.
j. Click to expand Phase 2 Proposals.
i. Click the add icon to create a new phase 2 proposal.
ii. For Cipher, select the type of encryption.
iii. For Hash, select the type of hash to use to verify communication integrity.
iv. For Diffie-Hellman group, select the type of Diffie-Hellman group to use for key
exchange.
v. You can add additional Phase 2 proposals by clicking the add icon next to Add Phase 2
Proposal.
23. (Optional) Click to expand Dead peer detection. Dead peer detection is enabled by default.
Dead peer detection uses periodic IKE transmissions to the remote endpoint to detect whether
tunnel communications have failed, allowing the tunnel to be automatically restarted when
failure occurs.
a. To enable or disable dead peer detection, click Enable.
b. For Delay, type the number of seconds between transmissions of dead peer packets. Dead
peer packets are only sent when the tunnel is idle.
c. For Timeout, type the number of seconds to wait for a response from a dead peer packet
before assuming the tunnel has failed.
24. (Optional) Click to expand NAT to create a list of destination networks that require source NAT.
a. Click the add icon next to Add NAT destination.
b. For Destination network, type the IPv4 address and optional netmask of a destination
network that requires source NAT. You can also use any, meaning that any destination
network connected to the tunnel will use source NAT.
25. See Configure SureLink active recovery for IPsec for information about IPsec Active recovery.
26. (Optional) Click Advanced to set various IPsec-related time out, keep alive, and related values.
27. Click Apply to save the configuration and apply the change.


 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Add an IPsec tunnel. For example, to add an IPsec tunnel named ipsec_example:

(config)> add vpn ipsec tunnel ipsec_example


(config vpn ipsec tunnel ipsec_example)>

The IPsec tunnel is enabled by default. To disable:

(config vpn ipsec tunnel ipsec_example)> enable false


(config vpn ipsec tunnel ipsec_example)>

4. (Optional) Set the tunnel to use UDP encapsulation even when it does not detect that NAT is
being used:

(config vpn ipsec tunnel ipsec_example)> force_udp_encap true


(config vpn ipsec tunnel ipsec_example)>

5. Set the firewall zone for the IPsec tunnel. Generally this should be left at the default of ipsec.

(config vpn ipsec tunnel ipsec_example)> zone zone


(config vpn ipsec tunnel ipsec_example)>

To view a list of available zones:

(config vpn ipsec tunnel ipsec_example)> zone ?

Zone: The firewall zone assigned to this IPsec tunnel. This can be used
by packet filtering rules
and access control lists to restrict network traffic on this tunnel.
Format:
any
dynamic_routes
edge
external
internal
ipsec
loopback
setup
Default value: ipsec
Current value: ipsec

(config vpn ipsec tunnel ipsec_example)>


Note Depending on your network configuration, you may need to add a packet filtering rule to
allow incoming traffic. For example, for the IPsec zone:
a. Type ... to move to the root of the configuration:

(config vpn ipsec tunnel ipsec_example)> ...


(config)>

b. Add a packet filter:

(config)> add firewall filter end


(config firewall filter 2)>

c. Set the label to Allow incoming IPsec traffic:

(config firewall filter 2)> label "Allow incoming IPsec traffic"
(config firewall filter 2)>

d. Set the source zone to ipsec:

(config firewall filter 2)> src_zone ipsec


(config firewall filter 2)>

6. Set the metric for the IPsec tunnel. When more than one active route matches a destination,
the route with the lowest metric is used. The metric can also be used in tandem with SureLink
to configure IPsec failover behavior. See Configure IPsec failover for more information.

(config vpn ipsec tunnel ipsec_example)> metric value


(config vpn ipsec tunnel ipsec_example)>

where value is any integer between 0 and 65535.


7. Set the mode:

(config vpn ipsec tunnel ipsec_example)> mode mode


(config vpn ipsec tunnel ipsec_example)>

where mode is either:


n tunnel: The entire IP packet is encrypted and/or authenticated and then encapsulated
as the payload in a new IP packet.
n transport: Only the payload of the IP packet is encrypted and/or authenticated. The IP
header is unencrypted.
The default is tunnel.
8. Set the protocol:

(config vpn ipsec tunnel ipsec_example)> type protocol


(config vpn ipsec tunnel ipsec_example)>

where protocol is either:


n esp (Encapsulating Security Payload): Provides encryption as well as authentication and
integrity.
n ah (Authentication Header): Provides authentication and integrity only.
The default is esp.
9. (Optional) Set the management priority for this IPsec tunnel:

(config vpn ipsec tunnel ipsec_example)> mgmt value


(config vpn ipsec tunnel ipsec_example)>

where value is any integer between 0 and 1000.


10. Set the authentication type:

(config vpn ipsec tunnel ipsec_example)> auth type value


(config vpn ipsec tunnel ipsec_example)>

where value is one of:


n secret: Uses a pre-shared key (PSK) to authenticate with the remote peer.
a. Set the pre-shared key:

(config vpn ipsec tunnel ipsec_example)> auth secret key


(config vpn ipsec tunnel ipsec_example)>

n asymmetric-secrets: Uses asymmetric pre-shared keys to authenticate with the remote
peer.
a. Set the local pre-shared key. This must be the same as the remote key on the
remote host:

(config vpn ipsec tunnel ipsec_example)> auth local_secret key


(config vpn ipsec tunnel ipsec_example)>

b. Set the remote pre-shared key. This must be the same as the local key on the
remote host:

(config vpn ipsec tunnel ipsec_example)> auth remote_secret key


(config vpn ipsec tunnel ipsec_example)>

n rsasig: Uses a private RSA key to authenticate with the remote peer.
a. For the private_key parameter, paste the device's private RSA key in PEM format:

(config vpn ipsec tunnel ipsec_example)> auth private_key key


(config vpn ipsec tunnel ipsec_example)>

b. Set the private key passphrase that is used to decrypt the private key. Leave blank
if the private key is not encrypted.

(config vpn ipsec tunnel ipsec_example)> auth private_key_passphrase passphrase
(config vpn ipsec tunnel ipsec_example)>

c. For the peer_public_key parameter, paste the peer's public RSA key in PEM
format:


(config vpn ipsec tunnel ipsec_example)> auth peer_public_key key
(config vpn ipsec tunnel ipsec_example)>

n x509: Uses private key and X.509 certificates to authenticate with the remote peer.
a. For the private_key parameter, paste the device's private RSA key in PEM format:

(config vpn ipsec tunnel ipsec_example)> auth private_key key


(config vpn ipsec tunnel ipsec_example)>

b. Set the private key passphrase that is used to decrypt the private key. Leave blank
if the private key is not encrypted.

(config vpn ipsec tunnel ipsec_example)> auth private_key_passphrase passphrase
(config vpn ipsec tunnel ipsec_example)>

c. For the cert parameter, paste the local X.509 certificate in PEM format:

(config vpn ipsec tunnel ipsec_example)> auth cert certificate


(config vpn ipsec tunnel ipsec_example)>

d. Set the method for verifying the peer's X.509 certificate:

(config vpn ipsec tunnel ipsec_example)> auth peer_verify value


(config vpn ipsec tunnel ipsec_example)>

where value is either:


l cert: Uses the peer's X.509 certificate in PEM format for verification.
o For the peer_cert parameter, paste the peer's X.509 certificate in PEM
format:

(config vpn ipsec tunnel ipsec_example)> auth peer_cert certificate
(config vpn ipsec tunnel ipsec_example)>

l ca: Uses the Certificate Authority chain for verification.


o For the ca_cert parameter, paste the Certificate Authority (CA) certificates.
These must include all peer certificates in the chain up to the root
CA certificate, in PEM format.

(config vpn ipsec tunnel ipsec_example)> auth ca_cert cert_chain
(config vpn ipsec tunnel ipsec_example)>

11. (Optional) Configure the device to connect to its remote peer as an XAUTH client:
a. Enable XAUTH client functionality:

(config vpn ipsec tunnel ipsec_example)> xauth_client enable true


(config vpn ipsec tunnel ipsec_example)>


b. Set the XAUTH client username:

(config vpn ipsec tunnel ipsec_example)> xauth_client username name


(config vpn ipsec tunnel ipsec_example)>

c. Set the XAUTH client password:

(config vpn ipsec tunnel ipsec_example)> xauth_client password pwd


(config vpn ipsec tunnel ipsec_example)>

12. (Optional) Enable MODECFG client functionality:
MODECFG client functionality configures the device to receive configuration information, such
as the private IP address, from the remote peer.
a. Enable MODECFG client functionality:

(config vpn ipsec tunnel ipsec_example)> modecfg_client enable true


(config vpn ipsec tunnel ipsec_example)>

13. Configure the local endpoint:


a. Set the method for determining the local network interface:

(config vpn ipsec tunnel ipsec_example)> local type value


(config vpn ipsec tunnel ipsec_example)>

where value is either:


n defaultroute: Uses the same network interface as the default route.
n interface: Select the Interface to be used as the local endpoint.
b. Set the ID type:

(config vpn ipsec tunnel ipsec_example)> local id type value


(config vpn ipsec tunnel ipsec_example)>

where value is one of:


n auto: The ID will be automatically determined from the value of the tunnel's
endpoints.
n raw: Enter an ID and have it passed unmodified to the underlying IPsec stack.
Set the unmodified ID that will be passed:

(config vpn ipsec tunnel ipsec_example)> local id type raw_id id


(config vpn ipsec tunnel ipsec_example)>

n any: Any ID will be accepted.


n ipv4: The ID will be interpreted as an IPv4 address and sent as an ID_IPV4_ADDR
IKE identity.
Set an IPv4 formatted ID. This can be a fully-qualified domain name or an IPv4
address.


(config vpn ipsec tunnel ipsec_example)> local id type ipv4_id id
(config vpn ipsec tunnel ipsec_example)>

n ipv6: The ID will be interpreted as an IPv6 address and sent as an ID_IPV6_ADDR
IKE identity.
Set an IPv6 formatted ID. This can be a fully-qualified domain name or an IPv6
address.

(config vpn ipsec tunnel ipsec_example)> local id type ipv6_id id
(config vpn ipsec tunnel ipsec_example)>

n rfc822: The ID will be interpreted as an RFC822 (email address).
Set the ID in internet email address format:

(config vpn ipsec tunnel ipsec_example)> local id type rfc822_id id
(config vpn ipsec tunnel ipsec_example)>

n fqdn: The ID will be interpreted as FQDN (Fully Qualified Domain Name) and sent as
an ID_FQDN IKE identity.
n keyid: The ID will be interpreted as a Key ID and sent as an ID_KEY_ID IKE identity.
Set the key ID:

(config vpn ipsec tunnel ipsec_example)> local id type keyid_id id
(config vpn ipsec tunnel ipsec_example)>

n mac_address: The device's MAC address will be used for the Key ID and sent as an
ID_KEY_ID IKE identity.
n serial_number: The device's serial number will be used for the Key ID and sent
as an ID_KEY_ID IKE identity.
14. Configure the remote endpoint:
a. Add a remote hostname:

(config vpn ipsec tunnel ipsec_example)> add remote hostname end value
(config vpn ipsec tunnel ipsec_example)>

where value is the hostname or IPv4 address of the IPsec peer. If your device is not
configured to initiate the IPsec connection (see ike initiate), you can also use the keyword
any, which means that the hostname is dynamic or unknown.
Repeat for additional hostnames.
b. Set the hostname selection type:

(config vpn ipsec tunnel ipsec_example)> remote hostname_selection value
(config vpn ipsec tunnel ipsec_example)>

where value is one of:


n round_robin: Attempts to connect to hostnames sequentially based on the list
order.
n random: Randomly selects an IPsec peer to connect to from the hostname list.
n priority: Selects the first hostname in the list that is resolvable.
c. Set the ID type:

(config vpn ipsec tunnel ipsec_example)> remote id type value


(config vpn ipsec tunnel ipsec_example)>

where value is one of:


n auto: The ID will be automatically determined from the value of the tunnel's
endpoints.
n raw: Enter an ID and have it passed unmodified to the underlying IPsec stack.
Set the unmodified ID that will be passed:

(config vpn ipsec tunnel ipsec_example)> remote id type raw_id id
(config vpn ipsec tunnel ipsec_example)>

n any: Any ID will be accepted.


n ipv4: The ID will be interpreted as an IPv4 address and sent as an ID_IPV4_ADDR
IKE identity.
Set an IPv4 formatted ID. This can be a fully-qualified domain name or an IPv4
address.

(config vpn ipsec tunnel ipsec_example)> remote id type ipv4_id id
(config vpn ipsec tunnel ipsec_example)>

n ipv6: The ID will be interpreted as an IPv6 address and sent as an ID_IPV6_ADDR
IKE identity.
Set an IPv6 formatted ID. This can be a fully-qualified domain name or an IPv6
address.

(config vpn ipsec tunnel ipsec_example)> remote id type ipv6_id id
(config vpn ipsec tunnel ipsec_example)>

n rfc822: The ID will be interpreted as an RFC822 (email address).
Set the ID in internet email address format:

(config vpn ipsec tunnel ipsec_example)> remote id type rfc822_id id
(config vpn ipsec tunnel ipsec_example)>

n fqdn: The ID will be interpreted as FQDN (Fully Qualified Domain Name) and sent as
an ID_FQDN IKE identity.
n keyid: The ID will be interpreted as a Key ID and sent as an ID_KEY_ID IKE identity.
Set the key ID:

(config vpn ipsec tunnel ipsec_example)> remote id type keyid_id id
(config vpn ipsec tunnel ipsec_example)>

n mac_address: The device's MAC address will be used for the Key ID and sent as an
ID_KEY_ID IKE identity.
n serial_number: The device's serial number will be used for the Key ID and sent
as an ID_KEY_ID IKE identity.
15. Configure IKE settings:
a. Set the IKE version:

(config vpn ipsec tunnel ipsec_example)> ike version value


(config vpn ipsec tunnel ipsec_example)>

where value is either ikev1 or ikev2. This setting must match the peer's IKE version.
b. Determine whether the device should initiate the key exchange, rather than waiting for an
incoming request. By default, the device will initiate the key exchange. This must be
disabled if remote hostname is set to any. To disable:

(config vpn ipsec tunnel ipsec_example)> ike initiate false


(config vpn ipsec tunnel ipsec_example)>

c. Set the IKE phase 1 mode:

(config vpn ipsec tunnel ipsec_example)> ike mode value


(config vpn ipsec tunnel ipsec_example)>

where value is either aggressive or main.


d. Set the IKE fragmentation:

(config vpn ipsec tunnel ipsec_example)> ike fragmentation value


(config vpn ipsec tunnel ipsec_example)>

where value is one of:


n if_supported: Send oversized IKE messages in fragments, if the peer supports
receiving them.
n always: Always send IKEv1 messages in fragments. For IKEv2, this option is
equivalent to if_supported.
n never: Do not send oversized IKE messages in fragments.
n accept: Do not send oversized IKE messages in fragments, but announce support
for fragmentation to the peer.
The default is always.
e. Padding of IKE packets is enabled by default and should normally not be disabled except
for compatibility purposes. To disable:


(config vpn ipsec tunnel ipsec_example)> ike pad false


(config vpn ipsec tunnel ipsec_example)>

f. Set the amount of time after a successful negotiation before the IKE security
association expires and must be re-authenticated:

(config vpn ipsec tunnel ipsec_example)> ike phase1_lifetime value


(config vpn ipsec tunnel ipsec_example)>

where value is any number of weeks, days, hours, minutes, or seconds, and takes the
format number{w|d|h|m|s}.
For example, to set phase1_lifetime to ten minutes, enter either 10m or 600s:

(config vpn ipsec tunnel ipsec_example)> ike phase1_lifetime 600s


(config vpn ipsec tunnel ipsec_example)>

The default is three hours.


g. Set the amount of time after a successful negotiation before the IKE security
association expires and must be rekeyed:

(config vpn ipsec tunnel ipsec_example)> ike phase2_lifetime value


(config vpn ipsec tunnel ipsec_example)>

where value is any number of weeks, days, hours, minutes, or seconds, and takes the
format number{w|d|h|m|s}.
For example, to set phase2_lifetime to ten minutes, enter either 10m or 600s:

(config vpn ipsec tunnel ipsec_example)> ike phase2_lifetime 600s


(config vpn ipsec tunnel ipsec_example)>

The default is one hour.


h. Set a randomizing amount of time before the IPsec tunnel is renegotiated:

(config vpn ipsec tunnel ipsec_example)> ike lifetime_margin value


(config vpn ipsec tunnel ipsec_example)>

where value is any number of weeks, days, hours, minutes, or seconds, and takes the
format number{w|d|h|m|s}.
For example, to set lifetime_margin to ten minutes, enter either 10m or 600s:

(config vpn ipsec tunnel ipsec_example)> ike lifetime_margin 600s


(config vpn ipsec tunnel ipsec_example)>

The default is nine minutes.


i. Configure the types of encryption, hash, and Diffie-Hellman group to use during phase 1:
i. Add a phase 1 proposal:

(config vpn ipsec tunnel ipsec_example)> add ike phase1_proposal end
(config vpn ipsec tunnel ipsec_example ike phase1_proposal 0)>


ii. Set the type of encryption to use during phase 1:

(config vpn ipsec tunnel ipsec_example ike phase1_proposal 0)> cipher value
(config vpn ipsec tunnel ipsec_example ike phase1_proposal 0)>

where value is one of:


n 3des
n aes128
n aes128gcm128
n aes128gcm64
n aes128gcm96
n aes192
n aes192gcm128
n aes192gcm64
n aes192gcm96
n aes256
n aes256gcm128
n aes256gcm64
n aes256gcm96
n null
The default is 3des.
iii. Set the type of hash to use during phase 1 to verify communication integrity:

(config vpn ipsec tunnel ipsec_example ike phase1_proposal 0)> hash value
(config vpn ipsec tunnel ipsec_example ike phase1_proposal 0)>

where value is one of:


n md5
n sha1
n sha256
n sha384
n sha512
The default is sha1.
iv. Set the type of Diffie-Hellman group to use for key exchange during phase 1:
i. Use the ? to determine available Diffie-Hellman group types:

(config vpn ipsec tunnel ipsec_example ike phase1_proposal 0)> dh_group ?
curve25519
curve448
ecp192
ecp224
...
(config vpn ipsec tunnel ipsec_example ike phase1_proposal 0)>

ii. Set the Diffie-Hellman group type:

(config vpn ipsec tunnel ipsec_example ike phase1_proposal 0)> dh_group value
(config vpn ipsec tunnel ipsec_example ike phase1_proposal 0)>

The default is modp2048.


v. (Optional) Add additional phase 1 proposals:
i. Move back one level in the schema:

(config vpn ipsec tunnel ipsec_example ike phase1_proposal 0)> ..
(config vpn ipsec tunnel ipsec_example ike phase1_proposal)>

ii. Add an additional proposal:

(config vpn ipsec tunnel ipsec_example ike phase1_proposal)> add end
(config vpn ipsec tunnel ipsec_example ike phase1_proposal 1)>

Repeat the above steps to set the type of encryption, hash, and Diffie-Hellman
group for the additional proposal.
iii. Repeat to add more phase 1 proposals.
j. Configure the types of encryption, hash, and Diffie-Hellman group to use during phase 2:
i. Move back two levels in the schema:

(config vpn ipsec tunnel ipsec_example ike phase1_proposal 0)> .. ..
(config vpn ipsec tunnel ipsec_example ike)>

ii. Add a phase 2 proposal:

(config vpn ipsec tunnel ipsec_example ike)> add ike phase2_proposal end
(config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)>

iii. Set the type of encryption to use during phase 2:

(config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)> cipher value
(config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)>

where value is one of:


n 3des
n aes128
n aes128gcm128
n aes128gcm64
n aes128gcm96
n aes192
n aes192gcm128
n aes192gcm64
n aes192gcm96
n aes256
n aes256gcm128
n aes256gcm64
n aes256gcm96
n null
The default is 3des.
iv. Set the type of hash to use during phase 2 to verify communication integrity:

(config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)> hash value
(config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)>

where value is one of:


n md5
n sha1
n sha256
n sha384
n sha512
The default is sha1.
v. Set the type of Diffie-Hellman group to use for key exchange during phase 2:
i. Use the ? to determine available Diffie-Hellman group types:

(config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)> dh_group ?
curve25519
curve448
ecp192
ecp224
...
(config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)>

ii. Set the Diffie-Hellman group type:

(config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)> dh_group value
(config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)>

The default is modp2048.


vi. (Optional) Add additional phase 2 proposals:


i. Move back one level in the schema:

(config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)> ..
(config vpn ipsec tunnel ipsec_example ike phase2_proposal)>

ii. Add an additional proposal:

(config vpn ipsec tunnel ipsec_example ike phase2_proposal)> add end
(config vpn ipsec tunnel ipsec_example ike phase2_proposal 1)>

Repeat the above steps to set the type of encryption, hash, and Diffie-Hellman
group for the additional proposal.
iii. Repeat to add more phase 2 proposals.
16. (Optional) Configure dead peer detection:
Dead peer detection is enabled by default. Dead peer detection uses periodic IKE transmissions
to the remote endpoint to detect whether tunnel communications have failed, allowing the
tunnel to be automatically restarted when failure occurs.
a. Change to the root of the configuration schema:

(config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)> ...


(config)>

b. To disable dead peer detection:

(config)> vpn ipsec tunnel ipsec_example dpd enable false


(config)>

c. Set the number of seconds between transmissions of dead peer packets. Dead peer
packets are only sent when the tunnel is idle. The default is 60.

(config)> vpn ipsec tunnel ipsec_example dpd delay value


(config)>

d. Set the number of seconds to wait for a response from a dead peer packet before
assuming the tunnel has failed. The default is 90.

(config)> vpn ipsec tunnel ipsec_example dpd timeout value


(config)>

17. (Optional) Create a list of destination networks that require source NAT:
a. Add a destination network:

(config)> add vpn ipsec tunnel ipsec_example nat end


(config vpn ipsec tunnel ipsec_example nat 0)>

b. Set the IPv4 address and optional netmask of a destination network that requires source
NAT. You can also use any, meaning that any destination network connected to the tunnel
will use source NAT.


(config vpn ipsec tunnel ipsec_example nat 0)> dst value


(config vpn ipsec tunnel ipsec_example nat 0)>

18. Configure policies that define the network traffic that will be encapsulated by this tunnel:
a. Change to the root of the configuration schema:

(config vpn ipsec tunnel ipsec_example nat 0)> ...


(config)>

b. Add a policy:

(config)> add vpn ipsec tunnel ipsec_example policy end


(config vpn ipsec tunnel ipsec_example policy 0)>

c. Set the type of local traffic selector:

(config vpn ipsec tunnel ipsec_example policy 0)> local type value
(config vpn ipsec tunnel ipsec_example policy 0)>

where value is one of:


n address: The address of a local network interface.
Set the address:
i. Use the ? to determine available interfaces:
ii. Set the interface. For example:

(config vpn ipsec tunnel ipsec_example policy 0)> local address eth1
(config vpn ipsec tunnel ipsec_example policy 0)>

n network: The subnet of a local network interface.


Set the network:
i. Use the ? to determine available interfaces:
ii. Set the interface. For example:

(config vpn ipsec tunnel ipsec_example policy 0)> local network eth1
(config vpn ipsec tunnel ipsec_example policy 0)>

n custom: A user-defined network.


Set the custom network:

(config vpn ipsec tunnel ipsec_example policy 0)> local custom value
(config vpn ipsec tunnel ipsec_example policy 0)>

where value is the IPv4 address and optional netmask. The keyword any can also
be used.
n request: Requests a network from the remote peer.
n dynamic: Uses the address of the local endpoint.


d. Set the port matching criteria for the local traffic selector:

(config vpn ipsec tunnel ipsec_example policy 0)> local port value
(config vpn ipsec tunnel ipsec_example policy 0)>

where value is the port number, a range of port numbers, or the keyword any.
e. Set the protocol matching criteria for the local traffic selector:

(config vpn ipsec tunnel ipsec_example policy 0)> local protocol value
(config vpn ipsec tunnel ipsec_example policy 0)>

where value is one of:


n any: Matches any protocol.
n tcp: Matches TCP protocol only.
n udp: Matches UDP protocol only.
n icmp: Matches ICMP requests only.
n other: Matches an unlisted protocol.
If other is used, set the number of the protocol:

(config vpn ipsec tunnel ipsec_example policy 0)> local protocol_other int
(config vpn ipsec tunnel ipsec_example policy 0)>

Allowed values are an integer between 1 and 255.


f. Set the IP address and optional netmask of the remote traffic selector:

(config vpn ipsec tunnel ipsec_example policy 0)> remote network value
(config vpn ipsec tunnel ipsec_example policy 0)>

g. Set the port matching criteria for the remote traffic selector:

(config vpn ipsec tunnel ipsec_example policy 0)> remote port value
(config vpn ipsec tunnel ipsec_example policy 0)>

where value is the port number, a range of port numbers, or the keyword any.
h. Set the protocol matching criteria for the remote traffic selector:

(config vpn ipsec tunnel ipsec_example policy 0)> remote protocol value
(config vpn ipsec tunnel ipsec_example policy 0)>

where value is one of:


n any: Matches any protocol.
n tcp: Matches TCP protocol only.
n udp: Matches UDP protocol only.
n icmp: Matches ICMP requests only.
n other: Matches an unlisted protocol.
If other is used, set the number of the protocol:

(config vpn ipsec tunnel ipsec_example policy 0)> remote protocol_other int
(config vpn ipsec tunnel ipsec_example policy 0)>

Allowed values are an integer between 1 and 255.


19. (Optional) You can also configure various IPsec related time out, keep alive, and related values:
a. Change to the root of the configuration schema:

(config vpn ipsec tunnel ipsec_example policy 0)> ...


(config)>

b. Use the ? to determine available options:

(config)> vpn ipsec advanced ?

Advanced: Advanced configuration that applies to all IPsec tunnels.

Parameters              Current Value
------------------------------------------------------------------------------
debug                   none            Debug level
ike_fragment_size       1280            Maximum IKE fragment size
ike_retransmit_tries    5               IKE retransmit tries
keep_alive              40s             NAT keep alive time

Additional Configuration
-------------------------------------------------------------------------------
connection_retry_timeout        Connection retry timeout
connection_try_interval         Connection try interval
ike_timeout                     IKE timeout

(config)>

Generally, the default settings for these should be sufficient.


c. You can also enable debugging for IPsec:

(config)> vpn ipsec advanced debug value


(config)>

where value is one of:


n none
n basic_auditing
n detailed_control
n generic_control
n raw_data
n sensitive_data


20. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

21. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
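
The following audit script is an added example, not part of the Digi guide and not Digi code. It replays a config-mode session written in the prompt format used in the steps above and reports phase 1 and phase 2 proposals that end up on 3des, null, md5 or sha1 (including the stated defaults when a value is never set), plus ike mode aggressive combined with auth type secret. The list of values treated as weak and the sample session are assumptions constructed for illustration.

```python
import re
import shlex

# Defaults the guide states for a newly added phase 1 or phase 2 proposal.
PROPOSAL_DEFAULTS = {"cipher": "3des", "hash": "sha1", "dh_group": "modp2048"}

# Assumption of this example (not a statement from the guide): options from the
# guide's own value lists that should not be used for new tunnels.
WEAK = {
    "cipher": {"3des": "64-bit block cipher", "null": "no encryption"},
    "hash": {"md5": "broken hash", "sha1": "deprecated hash"},
}

PROMPT = re.compile(r"^\(config([^)]*)\)>\s*(.*)$")
SKIP = {"add", "save", "..", "...", "exit"}  # commands that set no value


def proposal_key(tokens):
    """Return (tunnel, phase, index) if tokens point inside an IKE proposal."""
    if (len(tokens) >= 7 and tokens[:3] == ["vpn", "ipsec", "tunnel"]
            and tokens[4] == "ike"
            and tokens[5] in ("phase1_proposal", "phase2_proposal")):
        return (tokens[3], tokens[5], tokens[6])
    return None


def parse_session(text):
    """Replay a transcript; return (settings, proposals) keyed by full path."""
    settings, proposals = {}, {}
    for line in text.splitlines():
        match = PROMPT.match(line.strip())
        if not match:
            continue
        ctx = match.group(1).split()
        try:
            cmd = shlex.split(match.group(2))
        except ValueError:  # unbalanced quote, for example a wrapped line
            cmd = match.group(2).split()
        # A prompt inside a proposal proves it exists, even if nothing is set.
        key = proposal_key(ctx)
        if key:
            proposals.setdefault(key, {})
        if len(cmd) < 2 or cmd[0] in SKIP or "?" in cmd:
            continue
        path, value = ctx + cmd[:-1], cmd[-1]
        key = proposal_key(path)
        if key and len(path) == 8:
            proposals.setdefault(key, {})[path[7]] = value
        else:
            settings[tuple(path)] = value
    return settings, proposals


def audit(text):
    """Return a list of findings for weak proposals and risky IKE modes."""
    settings, proposals = parse_session(text)
    findings = []
    for (tunnel, phase, index), typed in sorted(proposals.items()):
        for field, weak in WEAK.items():
            value = typed.get(field, PROPOSAL_DEFAULTS[field])
            if value in weak:
                origin = "typed" if field in typed else "guide default, never set"
                findings.append(f"{tunnel} {phase} {index}: {field} {value} "
                                f"({weak[value]}; {origin})")
    for path, value in sorted(settings.items()):
        if path[:3] == ("vpn", "ipsec", "tunnel") and path[4:] == ("ike", "mode"):
            auth = settings.get(path[:4] + ("auth", "type"))
            if value == "aggressive" and auth == "secret":
                findings.append(f"{path[3]}: ike mode aggressive with auth type "
                                "secret (key hash exposed to offline guessing)")
    return findings


# Constructed sample session; not captured from a real device.
SAMPLE = """
(config)> add vpn ipsec tunnel ipsec_example
(config vpn ipsec tunnel ipsec_example)> auth type secret
(config vpn ipsec tunnel ipsec_example)> ike version ikev1
(config vpn ipsec tunnel ipsec_example)> ike mode aggressive
(config vpn ipsec tunnel ipsec_example)> add ike phase1_proposal end
(config vpn ipsec tunnel ipsec_example ike phase1_proposal 0)> cipher aes256
(config vpn ipsec tunnel ipsec_example ike phase1_proposal 0)> hash sha256
(config vpn ipsec tunnel ipsec_example ike phase1_proposal 0)> dh_group curve25519
(config vpn ipsec tunnel ipsec_example ike phase1_proposal 0)> .. ..
(config vpn ipsec tunnel ipsec_example ike)> add ike phase2_proposal end
(config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)> hash sha256
(config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)> ...
(config)> save
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

In the sample, the phase 2 proposal is flagged even though no cipher was typed for it, because a proposal that is added and left untouched keeps the 3des default.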


Configure IPsec failover


There are two methods to configure the Connect EZ 16/32 device to fail over from a primary IPsec
tunnel to a backup tunnel:
n SureLink active recovery—You can use SureLink along with the IPsec tunnel's metric to
configure two or more tunnels so that when the primary tunnel is determined to be inactive by
SureLink, a secondary tunnel can begin serving traffic that the primary tunnel was serving.
n Preferred tunnel—When multiple IPsec tunnels are configured, one tunnel can be configured
as a backup to another tunnel by defining a preferred tunnel for the backup device.

Required configuration items


n Two or more configured IPsec tunnels: The primary tunnel, and one or more backup tunnels.
n Either:
l SureLink configured on the primary tunnel with Restart Interface enabled, and the metric
for all tunnels set appropriately to determine which IPsec tunnel has priority. With this
failover configuration, both tunnels are active simultaneously, and there is minimal
downtime due to failover.
l Identify the preferred tunnel during configuration of the backup tunnel. In this scenario,
the backup tunnel is not active until the preferred tunnel fails.

IPsec failover using SureLink


With this configuration, when two IPsec tunnels are configured with the same local and remote
endpoints but different metrics, traffic addressed to the remote endpoint will be routed through the
IPsec tunnel with the lower metric.
If SureLink > Restart Interface is enabled for the tunnel with the lower metric, and SureLink
determines that the tunnel is not functioning properly (for example, pings to a host at the other end
of the tunnel are failing), then:

1. SureLink will shut down the tunnel and renegotiate its IPsec connection.
2. While the tunnel with the lower metric is down, traffic addressed to the remote endpoint will
be routed through the tunnel with the higher metric.
For example:
n Tunnel_1:
l Metric: 10
l Local endpoint > Interface: ETH2
l Remote endpoint > Hostname: 192.168.10.1
l SureLink configuration:
o Restart Interface enabled
o Test target:
o Test type: Ping test
o Ping host: 192.168.10.2
n Tunnel_2:
l Metric: 20
l Local endpoint > Interface: ETH2
l Remote endpoint > Hostname: 192.168.10.1
In this configuration:

1. Tunnel_1 will normally be used for traffic destined for the 192.168.10.1 endpoint.
2. If pings to 192.168.10.2 fail, SureLink will shut down the tunnel and renegotiate its IPsec
connection.
3. While Tunnel_1 is down, Tunnel_2 will be used for traffic destined for the 192.168.10.1
endpoint.
 Web
1. Configure the primary IPsec tunnel. See Configure an IPsec tunnel for instructions.
n During configuration of the IPsec tunnel, set the metric to a low value (for example, 10).

n Configure SureLink for the primary IPsec tunnel and enable Restart interface. See
Configure SureLink active recovery for IPsec for instructions.

2. Create a backup IPsec tunnel. Configure this tunnel to use the same local and remote
endpoints as the primary tunnel. See Configure an IPsec tunnel for instructions.
n During configuration of the IPsec tunnel, set the metric to a value that is higher than the
metric of the primary tunnel (for example, 20).

 Command line


1. Configure the primary IPsec tunnel. See Configure an IPsec tunnel for instructions.
n During configuration of the IPsec tunnel, set the metric to a low value (for example, 10):

(config vpn ipsec tunnel IPsecFailoverPrimaryTunnel)> metric 10


(config vpn ipsec tunnel IPsecFailoverPrimaryTunnel)>

n Configure SureLink for the primary IPsec tunnel and enable Restart interface. See
Configure SureLink active recovery for IPsec for instructions.

(config vpn ipsec tunnel IPsecFailoverPrimaryTunnel)> surelink restart true
(config vpn ipsec tunnel IPsecFailoverPrimaryTunnel)>

2. Create a backup IPsec tunnel. Configure this tunnel to use the same local and remote
endpoints as the primary tunnel. See Configure an IPsec tunnel for instructions.
n During configuration of the IPsec tunnel, set the metric to a value that is higher than the
metric of the primary tunnel (for example, 20):

(config vpn ipsec tunnel IPsecFailoverBackupTunnel)> metric 20


(config vpn ipsec tunnel IPsecFailoverBackupTunnel)>

IPsec failover using Preferred tunnel

Web
1. Configure the primary IPsec tunnel. See Configure an IPsec tunnel for instructions.
2. Create a backup IPsec tunnel. See Configure an IPsec tunnel for instructions.
3. During configuration of the backup IPsec tunnel, identify the primary IPsec tunnel in the
Preferred tunnel parameter:

Command line
1. Configure the primary IPsec tunnel. See Configure an IPsec tunnel for instructions.
2. Create a backup IPsec tunnel. See Configure an IPsec tunnel for instructions.
3. During configuration of the backup IPsec tunnel, identify the primary IPsec tunnel:
a. Use the ? to view a list of available tunnels:

(config vpn ipsec tunnel backup_ipsec_tunnel)> ipsec_failover ?

Preferred tunnel: This tunnel will not start until the preferred
tunnel has failed. It will continue
to operate until the preferred tunnel returns to full operation
status.
Format:
primary_ipsec_tunnel
backup_ipsec_tunnel
Optional: yes
Current value:

(config vpn ipsec tunnel backup_ipsec_tunnel)> ipsec_failover

b. Set the primary IPsec tunnel:

(config vpn ipsec tunnel backup_ipsec_tunnel)> ipsec_failover primary_ipsec_tunnel
(config vpn ipsec tunnel backup_ipsec_tunnel)>

Configure SureLink active recovery for IPsec


You can configure the Connect EZ 16/32 device to regularly probe IPsec tunnels to determine if the
connection has failed and take remedial action.
You can also configure the IPsec tunnel to fail over to a backup tunnel. See Configure IPsec failover for
further information.

Required configuration items


n A valid IPsec configuration. See Configure an IPsec tunnel for configuration instructions.
n Enable IPsec SureLink.
n The behavior of the Connect EZ 16/32 device upon IPsec failure: either
l Restart the IPsec interface
l Reboot the device.

Additional configuration items


n The interval between connectivity tests.
n Whether the interface should be considered to have failed if one of the test targets fails, or all
of the test targets fail.
n The number of probe failures before the IPsec connection is considered to have failed.
n The amount of time that the device should wait for a response to a probe before
considering it to have failed.
To configure the Connect EZ 16/32 device to regularly probe the IPsec connection:

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:


a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click VPN > IPsec.
4. Create a new IPsec tunnel or select an existing one:
n To create a new IPsec tunnel, see Configure an IPsec tunnel.
n To edit an existing IPsec tunnel, click to expand the appropriate tunnel.
5. After creating or selecting the IPsec tunnel, click SureLink.

6. Enable SureLink.
7. (Optional) Change the Test interval between connectivity tests.
Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the
format number{w|d|h|m|s}.
For example, to set Interval to ten minutes, enter 10m or 600s.
The default is 15 minutes.
8. (Optional) If more than one test target is configured, for Success condition, select either:


n One test passes: Only one test needs to pass for SureLink to consider an interface to be
up.
n All test pass: All tests need to pass for SureLink to consider the interface to be up.
9. (Optional) For Pass threshold, type or select the number of times that the test must pass after
failure, before the interface is determined to be working and is reinstated.
10. (Optional) For Response timeout, type the amount of time that the device should wait for a
response to a test attempt before considering it to have failed.
Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the
format number{w|d|h|m|s}.
For example, to set Response timeout to ten minutes, enter 10m or 600s.
The default is 15 seconds.
11. Click to expand Tests.
By default, Test DNS servers configured for this interface is automatically configured and
enabled. This tests communication with DNS servers that are either provided by DHCP, or
statically configured for this interface.
a. Click .

New tests are enabled by default. To disable, click to toggle off Enable.
b. Type a Label for the test.
c. Click to toggle on IPv6 if the test should apply to IPv6 rather than IPv4.
d. Select the Test type.
Available test types:
n Ping test: Uses ICMP to determine connectivity.
If Ping test is selected, complete the following:
l Ping target: The type of target for the ping, one of:
o Hostname or IP address of an external server.
o Ping host: hostname or IP address of the server.
o The Interface gateway. If Interface gateway is selected, an initial
traceroute is sent to the hostname or IP address configured in the SureLink
advanced settings, and then the first hop in that route is used for the ping
test.
o The Interface address.
o The Interface DNS server.
l Ping payload size: The number of bytes to send as part of the ping payload.
n DNS test: Performs a DNS query to the named DNS server.
If DNS test is selected, complete the following:
l DNS server: The IP address of the DNS server.


n HTTP test: Uses HTTP(s) GET requests to determine connectivity to the configured
web server.
If HTTP test is selected, complete the following:
l Web server: The URL of the web server.
n Test DNS servers configured for this interface: Tests communication with DNS
servers that are either provided by DHCP, or statically configured for this interface.
n Test the interface status: Tests the current status of the interface. The test fails if
the interface is down. Failing this test implies that all other tests fail.
If Test the interface status is selected, complete the following:
l Down time: The amount of time that the interface is down before the test can
be considered to have failed.
Allowed values are any number of weeks, days, hours, minutes, or seconds, and
take the format number{w|d|h|m|s}.
For example, to set Down time to ten minutes, enter 10m or 600s.
l Initial connection time: The amount of time to wait for the interface to
connect for the first time before the test is considered to have failed.
Allowed values are any number of weeks, days, hours, minutes, or seconds, and
take the format number{w|d|h|m|s}.
For example, to set Initial connection time to ten minutes, enter 10m or 600s.
n Custom test: Tests the interface with custom commands.
If Custom test is selected, complete the following:
l The Commands to run to test.
n TCP connection test: Tests that the interface can reach a destination port on the
configured host.
If TCP connection test is selected, complete the following:
l TCP connect host: The hostname or IP address of the host to create a
TCP connection to.
l TCP connect port: The TCP port to create a TCP connection to.
n Test another interface's status: Tests the status of another interface.
If Test another interface's status is selected, complete the following:
l Test interface: The interface to test.
l IP version: The type of IP connection, one of:
o Any: Either the IPv4 or IPv6 connection must be up.
o Both: Both the IPv4 and IPv6 connections must be up.
o IPv4: The IPv4 connection must be up.
o IPv6: The IPv6 connection must be up.
l Expected status: The status required for the test to pass.
o Up: The test will pass only if the referenced interface is up and passing its
own SureLink tests (if applicable).


o Down: The test will pass only if the referenced interface is down or failing its
own SureLink tests (if applicable).
e. Repeat for each additional test.
12. Add recovery actions:
a. Click to expand Recovery actions.
By default, there are two preconfigured recovery actions:
n Update routing: Uses the Change default gateway action, which increases the
interface's metric by 100 to change the default gateway.
n Restart interface.
b. Click .

New recovery actions are enabled by default. To disable, click to toggle off Enable.
c. Type a Label for the recovery action.
d. For Recovery type, select Reboot device.
e. For Recovery type, select the type of recovery action. If multiple recovery actions are
configured, they are performed in the order that they are listed.
n Change default gateway: Increases the interface's metric to change the default
gateway.
If Change default gateway is selected, complete the following:
l SureLink test failures: The number of failures for this recovery action to
perform, before moving to the next recovery action.
l Increase metric to change active default gateway: Increase the interface's
metric by this amount. This should be set to a number large enough to change
the routing table to use another default gateway. The default is 100.
l Override wait interval before performing the next recovery action: The
time to wait before the next test is run. If set to the default value of 0s, the Test
interval is used.
n Restart interface.
If Restart interface is selected, complete the following:
l SureLink test failures: The number of failures for this recovery action to
perform, before moving to the next recovery action.
l Override wait interval before performing the next recovery action: The
time to wait before the next test is run. If set to the default value of 0s, the Test
interval is used.
n Reset modem: This recovery action is available for WWAN interfaces only.
If Reset modem is selected, complete the following:
l SureLink test failures: The number of failures for this recovery action to
perform, before moving to the next recovery action.


l Override wait interval before performing the next recovery action: The
time to wait before the next test is run. If set to the default value of 0s, the Test
interval is used.
n Switch to alternate SIM: Switches to an alternate SIM. This recovery action is
available for WWAN interfaces only.
If Switch to alternate SIM is selected, complete the following:
l SureLink test failures: The number of failures for this recovery action to
perform, before moving to the next recovery action.
l Override wait interval before performing the next recovery action: The
time to wait before the next test is run. If set to the default value of 0s, the Test
interval is used.
n Reboot device.
If Reboot device is selected, complete the following:
l SureLink test failures: The number of failures for this recovery action to
perform, before moving to the next recovery action.
l Override wait interval before performing the next recovery action: The
time to wait before the next test is run. If set to the default value of 0s, the Test
interval is used.
n Execute custom Recovery commands.
If Recovery commands is selected, complete the following:
l SureLink test failures: The number of failures for this recovery action to
perform, before moving to the next recovery action.
l The Commands to run to recover connectivity.
l Override wait interval before performing the next recovery action: The
time to wait before the next test is run. If set to the default value of 0s, the Test
interval is used.
n Powercycle the modem. This recovery action is available for WWAN interfaces
only.
If Powercycle the modem is selected, complete the following:
l SureLink test failures: The number of failures for this recovery action to
perform, before moving to the next recovery action.
l Override wait interval before performing the next recovery action: The
time to wait before the next test is run. If set to the default value of 0s, the Test
interval is used.
f. Repeat for each additional recovery action.
13. (Optional) Configure advanced SureLink parameters:
a. Click to expand Advanced settings.
b. For Delayed Start, type the amount of time to wait while the device is starting before
SureLink testing begins. This setting is bypassed when the interface is determined to be
up.
Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the
format number{w|d|h|m|s}.


For example, to set Delayed start to ten minutes, enter 10m or 600s.
The default is 300 seconds.
c. For Backoff interval, type the time to add to the test interval when restarting the list of
actions. This option is capped at 15 minutes.
Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the
format number{w|d|h|m|s}.
For example, to set Backoff interval to ten minutes, enter 10m or 600s.
The default is 300 seconds.
d. Test interface gateway by pinging is used by the Interface gateway Ping test as the
endpoint for traceroute to use to determine the interface gateway. The default is 8.8.8.8,
and should only be changed if this IP address is not accessible due to networking issues.
14. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Create a new IPsec tunnel, or edit an existing one:


n To create a new IPsec tunnel, see Configure an IPsec tunnel.
n To edit an existing IPsec tunnel, change to the IPsec tunnel's node in the configuration
schema. For example, for an IPsec tunnel named ipsec_example, change to the
ipsec_example node in the configuration schema:

(config)> vpn ipsec tunnel ipsec_example


(config vpn ipsec tunnel ipsec_example)>

4. Enable SureLink:

(config vpn ipsec tunnel ipsec_example)> surelink enable true


(config vpn ipsec tunnel ipsec_example)>

5. By default, the Test DNS servers configured for this interface test is automatically
configured and enabled. This tests communication with DNS servers that are either provided
by DHCP, or statically configured for this interface.
To add additional tests:
a. Add a test:

(config vpn ipsec tunnel ipsec_example)> add surelink tests end


(config vpn ipsec tunnel ipsec_example surelink tests 1)>

b. New tests are enabled by default. To disable:


(config vpn ipsec tunnel ipsec_example surelink tests 1)> enable false
(config vpn ipsec tunnel ipsec_example surelink tests 1)>

c. Create a label for the test:

(config vpn ipsec tunnel ipsec_example surelink tests 1)> label string
(config vpn ipsec tunnel ipsec_example surelink tests 1)>

d. If the test should apply to IPv6 rather than IPv4, enable IPv6:

(config vpn ipsec tunnel ipsec_example surelink tests 1)> ipv6 true
(config vpn ipsec tunnel ipsec_example surelink tests 1)>

e. Set the test type:

(config vpn ipsec tunnel ipsec_example surelink tests 1)> test value
(config vpn ipsec tunnel ipsec_example surelink tests 1)>

where value is one of:


n ping: Uses ICMP to determine connectivity.
If ping is selected, complete the following:
l Set the ping_method:

(config vpn ipsec tunnel ipsec_example surelink tests 1)> ping_method value
(config vpn ipsec tunnel ipsec_example surelink tests 1)>

where value is one of:


o hostname: The hostname or IP address of an external server.
o Set ping_host to the hostname or IP address of the server:

(config vpn ipsec tunnel ipsec_example surelink tests 1)> ping_host hostname/IP_address
(config vpn ipsec tunnel ipsec_example surelink tests 1)>

o interface_gateway. If set, an initial traceroute is sent to the hostname or IP
address configured in the SureLink advanced settings, and then the first hop
in that route is used for the ping test.
o interface_address.
o interface_dns: The interface's DNS server.
l Set the number of bytes to send as part of the ping payload:

(config vpn ipsec tunnel ipsec_example surelink tests 1)> ping_size int
(config vpn ipsec tunnel ipsec_example surelink tests 1)>

n dns: Performs a DNS query to the named DNS server.
If dns is set, set the IPv4 or IPv6 address of the DNS server:

(config vpn ipsec tunnel ipsec_example surelink tests 1)> dns_server IP_address
(config vpn ipsec tunnel ipsec_example surelink tests 1)>

n http: Uses HTTP(s) GET requests to determine connectivity to the configured web
server.
If http is set, set the URL of the web server.

(config vpn ipsec tunnel ipsec_example surelink tests 1)> http url
(config vpn ipsec tunnel ipsec_example surelink tests 1)>

n dns_configured: Tests communication with DNS servers that are either provided
by DHCP, or statically configured for this interface.
n interface_up: Tests the current status of the interface. The test fails if the interface
is down. Failing this test implies that all other tests fail.
If interface_up is set, complete the following:
l Set the amount of time that the interface is down before the test can be
considered to have failed.

(config vpn ipsec tunnel ipsec_example surelink tests 1)> interface_down_time value
(config vpn ipsec tunnel ipsec_example surelink tests 1)>

where value is any number of weeks, days, hours, minutes, or seconds, and
takes the format number{w|d|h|m|s}.
For example, to set interface_down_time to ten minutes, enter either 10m or
600s:

(config vpn ipsec tunnel ipsec_example surelink tests 1)> interface_down_time 600s
(config)>

l Set the amount of time to wait for the interface to connect for the first time
before the test is considered to have failed.

(config vpn ipsec tunnel ipsec_example surelink tests 1)> interface_timeout value
(config vpn ipsec tunnel ipsec_example surelink tests 1)>

where value is any number of weeks, days, hours, minutes, or seconds, and
takes the format number{w|d|h|m|s}.
For example, to set interface_timeout to ten minutes, enter either 10m or
600s:

(config vpn ipsec tunnel ipsec_example surelink tests 1)> interface_timeout 600s
(config)>

n custom_test: Tests the interface with custom commands.
If custom_test is set, set the commands to run to perform the test:

(config vpn ipsec tunnel ipsec_example surelink tests 1)> custom_test_commands "string"
(config vpn ipsec tunnel ipsec_example surelink tests 1)>

n tcp_connection: Tests that the interface can reach a destination port on the
configured host.
If tcp_connection is selected, complete the following:
l Set the hostname or IP address of the host to create a TCP connection to:

(config vpn ipsec tunnel ipsec_example surelink tests 1)> tcp_host hostname/IP_address
(config vpn ipsec tunnel ipsec_example surelink tests 1)>

l Set the TCP port to create a TCP connection to.

(config vpn ipsec tunnel ipsec_example surelink tests 1)> tcp_port port
(config vpn ipsec tunnel ipsec_example surelink tests 1)>

n other: Tests the status of another interface.
If other is selected, complete the following:
l Set the interface to test.
i. Use the ? to determine available interfaces:
ii. Set the interface. For example:

(config vpn ipsec tunnel ipsec_example surelink tests 1)> other_interface /network/interface/eth1
(config vpn ipsec tunnel ipsec_example surelink tests 1)>

l Set the type of IP connection:

(config vpn ipsec tunnel ipsec_example surelink tests 1)> other_ip_version value
(config vpn ipsec tunnel ipsec_example surelink tests 1)>

where value is one of:


o any: Either the IPv4 or IPv6 connection must be up.
o both: Both the IPv4 and IPv6 connections must be up.
o ipv4: The IPv4 connection must be up.
o ipv6: The IPv6 connection must be up.
l The status required for the test to pass.

(config vpn ipsec tunnel ipsec_example surelink tests 1)> other_status value
(config vpn ipsec tunnel ipsec_example surelink tests 1)>

where value is one of:


o up: The test will pass only if the referenced interface is up and passing its
own SureLink tests (if applicable).
o down: The test will pass only if the referenced interface is down or failing its
own SureLink tests (if applicable).
f. Repeat for each additional test.
6. Add recovery actions:
a. Type ... to return to the root of the configuration:

(config vpn ipsec tunnel ipsec_example surelink tests 1)> ...


(config)>

b. Add a recovery action:

(config)> add vpn ipsec tunnel ipsec_example surelink actions end


(config vpn ipsec tunnel ipsec_example surelink actions 0)>

c. New actions are enabled by default. To disable:

(config vpn ipsec tunnel ipsec_example surelink actions 0)> enable false
(config vpn ipsec tunnel ipsec_example surelink actions 0)>

d. Create a label for the action:

(config vpn ipsec tunnel ipsec_example surelink actions 0)> label string
(config vpn ipsec tunnel ipsec_example surelink actions 0)>

e. Set the type of recovery action to reboot_device:

(config vpn ipsec tunnel ipsec_example surelink actions 0)> action reboot_device
(config vpn ipsec tunnel ipsec_example surelink actions 0)>

n Set the number of failures for this recovery action to perform, before moving to the
next recovery action:

(config vpn ipsec tunnel ipsec_example surelink actions 0)> test_failures int
(config vpn ipsec tunnel ipsec_example surelink actions 0)>

The default is 3.
n Set the time to wait before the next test is run. If set to the default value of 0s, the
test interval is used.

(config vpn ipsec tunnel ipsec_example surelink actions 0)> override_interval int
(config vpn ipsec tunnel ipsec_example surelink actions 0)>

f. Set the type of recovery action. If multiple recovery actions are configured, they are
performed in the order that they are listed. The command varies depending on whether
the interface is a WAN or WWAN:
n WAN interfaces:

(config vpn ipsec tunnel ipsec_example surelink actions 0)> action value
(config vpn ipsec tunnel ipsec_example surelink actions 0)>

n WWAN interfaces:

(config vpn ipsec tunnel ipsec_example surelink actions 0)> modem_action value
(config vpn ipsec tunnel ipsec_example surelink actions 0)>

where value is one of:


n update_routing_table: Increases the interface's metric to change the default
gateway.
If update_routing_table is selected, complete the following:
l Set the number of failures for this recovery action to perform, before moving to
the next recovery action:

(config vpn ipsec tunnel ipsec_example surelink actions 0)> test_failures int
(config vpn ipsec tunnel ipsec_example surelink actions 0)>

The default is 3.
l Set the amount that the interface's metric should be increased. This should be
set to a number large enough to change the routing table to use another
default gateway.

(config vpn ipsec tunnel ipsec_example surelink actions 0)> metric_adjustment_modem int
(config vpn ipsec tunnel ipsec_example surelink actions 0)>

The default is 100.


l Set the time to wait before the next test is run. If set to the default value of 0s,
the test interval is used.

(config vpn ipsec tunnel ipsec_example surelink actions 0)> override_interval int
(config vpn ipsec tunnel ipsec_example surelink actions 0)>

n restart_interface.
If restart_interface is selected, complete the following:


l Set the number of failures for this recovery action to perform, before moving to
the next recovery action:

(config vpn ipsec tunnel ipsec_example surelink actions 0)> test_failures int
(config vpn ipsec tunnel ipsec_example surelink actions 0)>

The default is 3.
l Set the time to wait before the next test is run. If set to the default value of 0s,
the test interval is used.

(config vpn ipsec tunnel ipsec_example surelink actions 0)> override_interval int
(config vpn ipsec tunnel ipsec_example surelink actions 0)>

n reset_modem: This recovery action is available for WWAN interfaces only.
If reset_modem is selected, complete the following:
l Set the number of failures for this recovery action to perform, before moving to
the next recovery action:

(config vpn ipsec tunnel ipsec_example surelink actions 0)> test_failures int
(config vpn ipsec tunnel ipsec_example surelink actions 0)>

The default is 3.
l Set the time to wait before the next test is run. If set to the default value of 0s,
the test interval is used.

(config vpn ipsec tunnel ipsec_example surelink actions 0)> override_interval int
(config vpn ipsec tunnel ipsec_example surelink actions 0)>

n switch_sim: Switches to an alternate SIM. This recovery action is available for
WWAN interfaces only.
If switch_sim is selected, complete the following:
l Set the number of failures for this recovery action to perform, before moving to
the next recovery action:

(config vpn ipsec tunnel ipsec_example surelink actions 0)> test_failures int
(config vpn ipsec tunnel ipsec_example surelink actions 0)>

The default is 3.
l Set the time to wait before the next test is run. If set to the default value of 0s,
the test interval is used.

(config vpn ipsec tunnel ipsec_example surelink actions 0)> override_interval int
(config vpn ipsec tunnel ipsec_example surelink actions 0)>

n modem_power_cycle: This recovery action is available for WWAN interfaces only.
If modem_power_cycle is selected, complete the following:
l Set the number of failures for this recovery action to perform, before moving to
the next recovery action:

(config vpn ipsec tunnel ipsec_example surelink actions 0)> test_failures int
(config vpn ipsec tunnel ipsec_example surelink actions 0)>

The default is 3.
l Set the time to wait before the next test is run. If set to the default value of 0s,
the test interval is used.

(config vpn ipsec tunnel ipsec_example surelink actions 0)> override_interval int
(config vpn ipsec tunnel ipsec_example surelink actions 0)>

n reboot_device.
If reboot_device is selected, complete the following:
l Set the number of failures for this recovery action to perform, before moving to
the next recovery action:

(config vpn ipsec tunnel ipsec_example surelink actions 0)> test_failures int
(config vpn ipsec tunnel ipsec_example surelink actions 0)>

The default is 3.
l Set the time to wait before the next test is run. If set to the default value of 0s,
the test interval is used.

(config vpn ipsec tunnel ipsec_example surelink actions 0)> override_interval int
(config vpn ipsec tunnel ipsec_example surelink actions 0)>

n custom_action: Execute custom recovery commands.
If custom_action is selected, complete the following:
l Set the number of failures for this recovery action to perform, before moving to
the next recovery action:

(config vpn ipsec tunnel ipsec_example surelink actions 0)> test_failures int
(config vpn ipsec tunnel ipsec_example surelink actions 0)>

The default is 3.
l Set the commands to run to attempt to recover connectivity.

(config network interface my_wan surelink actions 0)> custom_action_commands_modem "string"
(config network interface my_wan surelink actions 0)>

l Set the time to wait before the next test is run. If set to the default value of 0s,
the test interval is used.

(config vpn ipsec tunnel ipsec_example surelink actions 0)> override_interval int
(config vpn ipsec tunnel ipsec_example surelink actions 0)>

g. Repeat for each additional recovery action.


7. Optional SureLink configuration parameters:
a. Type ... to return to the root of the configuration:

(config vpn ipsec tunnel ipsec_example surelink actions 0)> ...


(config)>

b. Set the test interval between connectivity tests:

(config)> vpn ipsec tunnel ipsec_example surelink interval value


(config)>

where value is any number of weeks, days, hours, minutes, or seconds, and takes the
format number{w|d|h|m|s}.
For example, to set interval to ten minutes, enter either 10m or 600s:

(config)> vpn ipsec tunnel ipsec_example surelink interval 600s


(config)>

The default is 15m.


c. If more than one test target is configured, set the success condition:

(config)> vpn ipsec tunnel ipsec_example surelink success_condition value
(config)>

where value is either:


n one: Only one test needs to pass for SureLink to consider an interface to be up.
n all: All tests need to pass for SureLink to consider the interface to be up.
d. Set the number of times that the test must pass after failure, before the interface is
determined to be working and is reinstated.

(config)> vpn ipsec tunnel ipsec_example surelink pass_threshold int


(config)>

The default is 1.
e. Set the amount of time that the device should wait for a response to a test attempt before
considering it to have failed:


(config)> vpn ipsec tunnel ipsec_example surelink timeout value


(config)>

where value is any number of weeks, days, hours, minutes, or seconds, and takes the
format number{w|d|h|m|s}.
For example, to set timeout to ten minutes, enter either 10m or 600s:

(config)> vpn ipsec tunnel ipsec_example surelink timeout 600s


(config)>

The default is 15s.


f. Set the amount of time to wait while the device is starting before SureLink testing begins.
This setting is bypassed when the interface is determined to be up.

(config)> vpn ipsec tunnel ipsec_example surelink advanced delayed_start value
(config)>

where value is any number of weeks, days, hours, minutes, or seconds, and takes the
format number{w|d|h|m|s}.
For example, to set delayed_start to ten minutes, enter either 10m or 600s:

(config)> vpn ipsec tunnel ipsec_example surelink advanced delayed_start 600s
(config)>

The default is 300s.


g. Set the time to add to the test interval when restarting the list of actions. This option is
capped at 15 minutes.

(config)> vpn ipsec tunnel ipsec_example surelink advanced backoff_interval value
(config)>

where value is any number of weeks, days, hours, minutes, or seconds, and takes the
format number{w|d|h|m|s}.
For example, to set backoff_interval to ten minutes, enter either 10m or 600s:

(config)> vpn ipsec tunnel ipsec_example surelink advanced backoff_interval 600s
(config)>

The default is 300 seconds.


h. The interface_gateway parameter is used by the Interface gateway Ping test as the
endpoint for traceroute to use to determine the interface gateway. The default is 8.8.8.8,
and should only be changed if this IP address is not accessible due to networking issues.
To set to an alternate host:

(config)> vpn ipsec tunnel ipsec_example surelink advanced interface_gateway hostname/IP_address
(config)>

8. Save the configuration and apply the change.

(config vpn ipsec tunnel ipsec_example connection_monitor target 0)> save


Configuration saved.
>

9. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Show IPsec status and statistics

Web
Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
1. On the menu, select Status > IPsec.
The IPsec page appears.
2. To view configuration details about an IPsec tunnel, click the configuration icon in the
upper right of the tunnel's status pane.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. To display details about all configured IPsec tunnels, type the following at the prompt:

> show ipsec all

Name    Enable  Status   Hostname
------  ------  -------  ---------------
ipsec1  true    up       192.168.2.1
vpn1    false   pending  192.168.3.1

>

3. To display details about a specific tunnel:

> show ipsec tunnel ipsec1

Tunnel : ipsec1
Enable : true
Status : pending
Hostname : 192.168.2.1
Zone : ipsec
Mode : tunnel
Type : esp

>

4. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Debug an IPsec configuration


If you experience issues with an IPsec tunnel not being successfully negotiated with the remote end of
the tunnel, you can enable IPsec debug messages to be written to the system log. See View system
and event logs for more information about viewing the system log.

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click VPN > IPsec.
4. Click to expand Advanced.
5. For Debug level, select one of the following:
- Disable debug messages.
- Basic auditing debug: Logs basic auditing information (for example, SA up/SA down).
- Generic control flow: Select this for basic debugging information.
- Detailed control flow: More detailed debugging control flow.
- Raw data: Includes raw data dumps in hexadecimal format.
- Sensitive material: Also includes sensitive material in dumps (for example, encryption
keys).
6. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Set the IPsec debug value:

(config)> vpn ipsec advanced debug value
(config)>

where value is one of:


- none: (Default) No debug messages are written.
- basic_auditing: Logs basic auditing information (for example, SA up/SA down).
- generic_control: Select this for basic debugging information.
- detailed_control: More detailed debugging control flow.
- raw_data: Includes raw data dumps in hexadecimal format.
- sensitive_data: Also includes sensitive material in dumps (for example, encryption
keys).
4. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

5. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Configure a Simple Certificate Enrollment Protocol client

WARNING! The Simple Certificate Enrollment Protocol (SCEP) uses unencrypted HTTP
communication. Please ensure you are utilizing a VPN to secure your communications.

Simple Certificate Enrollment Protocol (SCEP) is a mechanism that allows for large-scale X.509
certificate deployment. You can configure the Connect EZ 16/32 device to function as a SCEP client that
will connect to a SCEP server that is used to sign Certificate Signing Requests (CSRs), provide
Certificate Revocation Lists (CRLs), and distribute valid certificates from a Certificate Authority (CA).


Required configuration
- Enable the SCEP client.
- The fully-qualified domain name of the SCEP server to be used for certificate requests.
- The challenge password provided by the SCEP server that the SCEP client will use when
making SCEP requests.
- The distinguished name to be used for the CSR.

Additional configuration
- The number of days that the certificate enrollment can be renewed, prior to the request
expiring.

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Network > SCEP Client.
4. For Add clients, enter a name for the SCEP client and click .

The new SCEP client configuration is displayed.


5. Click Enable to enable the SCEP client.


6. For Maximum Polling Time, type the maximum time that the device will poll the SCEP server,
when operating in manual mode.
Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the
format number{w|d|h|m|s}.
For example, to set Maximum Polling Time to ten minutes, enter 10m or 600s.
The default is 1d.
7. For Polling Interval, type the amount of time that the device should wait between polling
attempts, when operating in manual mode.
Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the
format number{w|d|h|m|s}.
For example, to set Polling Interval to ten minutes, enter 10m or 600s.
The default is 5s.
8. For Key Length, type the bit size of the private key. The default is 2048.
9. For Renewable Time, type the number of days that the certificate enrollment can be renewed,
prior to the request expiring. This value is configured on the SCEP server, and is used by the
Connect EZ 16/32 device to determine when to start attempting to auto-renew an existing
certificate. The default is 7.
10. (Optional) Click Debug to enable verbose logging in /var/log/scep_client.
11. Click to expand SCEP server.

12. For FQDN, type the fully qualified domain name or IP address of the SCEP server.
13. (Optional) For CA identity, type a string that will be understood by the certificate authority.
For example, it could be a domain name or a user name. If the certificate authority has
multiple CA certificates, this field can be used to distinguish which is required.


14. For Path, type the HTTP URL path required for accessing the certificate authority. You should
leave this option at the default of /cgi-bin/pkiclient.exe unless directed by the CA to use
another path.
15. For Password, type the challenge password as configured on the SCEP server.
16. For Encryption Algorithm, select the PKCS#7 encryption algorithm. The default is Auto, which
automatically selects the best algorithm.
17. For Signature Algorithm, select the PKCS#7 signature algorithm. The default is Auto, which
automatically selects the best algorithm.
18. Click to expand Distinguished Name.

19. Type the value for each appropriate Distinguished Name attribute.
20. (Optional) Configure the certificate revocation list (CRL):
a. Click to expand CRL.
b. Click Enable to enable the CRL.
c. For Type, select the type of CRL:
- URL: The URL to the file name used to access the certificate revocation list from the
CA.
- CRLDP: The CRL distribution point.
- getCRL: A CRL query using the issuer name and serial number from the certificate
whose revocation status is being queried.
The default is URL.
d. If Type is set to URL, for URL, type the URL to be used.
21. Configure certificate renewal:
a. Click to expand Renewal.
b. Click Use New Private Key to enable the creation of a new private key for renewal
requests.
c. Use Client Certificate is enabled by default. Click to disable the use of a client certificate
for renewal requests.
22. Click Apply to save the configuration and apply the change.

Command line

1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Add a new SCEP client:

(config)> add network scep_client scep_client_name
(config network scep_client scep_client_name)>

4. Enable the SCEP client:

(config network scep_client scep_client_name)> enable true


(config network scep_client scep_client_name)>

5. Set the url parameter to the fully qualified domain name or IP address of the SCEP server:

(config network scep_client scep_client_name)> server url https://scep.example.com
(config network scep_client scep_client_name)>

6. (Optional) Set a CA identity string that will be understood by the certificate authority. For
example, it could be a domain name or a user name. If the certificate authority has multiple
CA certificates, this field can be used to distinguish which is required.

(config network scep_client scep_client_name)> server ca_ident string


(config network scep_client scep_client_name)>

7. Set the HTTP URL path required for accessing the certificate authority. You should leave this
option at the default of /cgi-bin/pkiclient.exe unless directed by the CA to use another path.

(config network scep_client scep_client_name)> server path path


(config network scep_client scep_client_name)>

8. Set the challenge password as configured on the SCEP server:

(config network scep_client scep_client_name)> server password challenge_password
(config network scep_client scep_client_name)>

9. Set Distinguished Name attributes:


a. Set the Domain Component:

(config network scep_client scep_client_name)> distinguished_name dc value
(config network scep_client scep_client_name)>

b. Set the two letter Country Code:

(config network scep_client scep_client_name)> distinguished_name c value
(config network scep_client scep_client_name)>

c. Set the State or Province:

(config network scep_client scep_client_name)> distinguished_name st value
(config network scep_client scep_client_name)>

d. Set the Locality:

(config network scep_client scep_client_name)> distinguished_name l value
(config network scep_client scep_client_name)>

e. Set the Organization:

(config network scep_client scep_client_name)> distinguished_name o value
(config network scep_client scep_client_name)>

f. Set the Organizational Unit:

(config network scep_client scep_client_name)> distinguished_name ou value
(config network scep_client scep_client_name)>

g. Set the Common Name:

(config network scep_client scep_client_name)> distinguished_name cn value
(config network scep_client scep_client_name)>

10. (Optional) Configure the certificate revocation list (CRL):


a. Enable the CRL:

(config network scep_client scep_client_name)> crl enable true


(config network scep_client scep_client_name)>

b. Set the type of CRL:

(config network scep_client scep_client_name)> crl type value


(config network scep_client scep_client_name)>

where value is one of:


- url: The URL to the file name used to access the certificate revocation list from the
CA.
- crldp: The CRL distribution point.
- getCRL: A CRL query using the issuer name and serial number from the certificate
whose revocation status is being queried.
The default is url.

c. If type is set to url, set the URL that should be used:

(config network scep_client scep_client_name)> crl url value


(config network scep_client scep_client_name)>

11. Configure certificate renewal:


a. To enable the creation of a new private key for renewal requests:

(config network scep_client scep_client_name)> renewal new_key true


(config network scep_client scep_client_name)>

b. The use of a client certificate for renewal requests is enabled by default. To disable:

(config network scep_client scep_client_name)> renewal use_client_cert false
(config network scep_client scep_client_name)>

12. Set the maximum time that the device will poll the SCEP server, when operating in manual
mode:

(config network scep_client scep_client_name)> max_poll_time value


(config network scep_client scep_client_name)>

where value is any number of weeks, days, hours, minutes, or seconds, and takes the format
number{w|d|h|m|s}.
For example, to set max_poll_time to ten minutes, enter either 10m or 600s:

(config network scep_client scep_client_name)> max_poll_time 600s


(config network scep_client scep_client_name)>

The default is 1d.


13. Set the amount of time that the device should wait between polling attempts, when operating
in manual mode:

(config network scep_client scep_client_name)> polling_interval value


(config network scep_client scep_client_name)>

where value is any number of weeks, days, hours, minutes, or seconds, and takes the format
number{w|d|h|m|s}.
For example, to set polling_interval to ten minutes, enter either 10m or 600s:

(config network scep_client scep_client_name)> polling_interval 600s


(config network scep_client scep_client_name)>

The default is 5s.


14. Set the bit size of the private key:

(config network scep_client scep_client_name)> key_length int


(config network scep_client scep_client_name)>

The default is 2048.


15. Set the number of days that the certificate enrollment can be renewed, prior to the request
expiring. This value is configured on the SCEP server, and is used by the Connect EZ 16/32
device to determine when to start attempting to auto-renew an existing certificate. The default
is 7.

(config network scep_client scep_client_name)> renewable_time integer


(config network scep_client scep_client_name)>

16. (Optional) Enable verbose logging in /var/log/scep_client:

(config network scep_client scep_client_name)> debug true


(config network scep_client scep_client_name)>

17. Save the configuration and apply the change.

(config network scep_client scep_client_name)> save


Configuration saved.
>

18. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
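
Several settings described above have a direct security consequence: the IPsec debug levels that dump raw data or key material into the system log, an http:// SCEP server URL, and a private key shorter than the 2048-bit default. The following is an added example, not part of the Digi guide or firmware, that lints commands written in the root-level form used in this guide. The sample input and the client names site_a and site_b are constructed, and treating keys below the default as a finding is this example's assumption.

```python
"""Lint root-level Admin CLI config commands for settings this guide flags."""

# IPsec debug levels the guide describes as dumping raw or sensitive material.
RISKY_IPSEC_DEBUG = {
    "raw_data": "raw data dumps in hexadecimal are written to the system log",
    "sensitive_data": "log dumps include sensitive material such as encryption keys",
}
DEFAULT_KEY_LENGTH = 2048  # default private key size stated in the guide

# Constructed input, in the root-level command form the guide uses.
SAMPLE = """\
# constructed example commands
vpn ipsec advanced debug sensitive_data
network scep_client site_a server url http://scep.example.com
network scep_client site_a key_length 1024
network scep_client site_b server url https://scep.example.com
network scep_client site_b key_length 2048
network scep_client site_b renewal new_key true
"""


def lint(commands):
    """Return a list of (setting, message) findings, in input order."""
    findings = []
    for raw in commands.splitlines():
        line = raw.strip()
        if line.startswith("(config)>"):  # tolerate a pasted root prompt
            line = line[len("(config)>"):].strip()
        tokens = line.split()
        if not tokens or line.startswith("#"):
            continue
        if tokens[:4] == ["vpn", "ipsec", "advanced", "debug"] and len(tokens) == 5:
            level = tokens[4]
            if level in RISKY_IPSEC_DEBUG:
                findings.append(("vpn ipsec advanced debug", RISKY_IPSEC_DEBUG[level]))
        elif tokens[:2] == ["network", "scep_client"] and len(tokens) >= 5:
            # tokens: network scep_client <name> <setting words...> <value>
            name, setting, value = tokens[2], " ".join(tokens[3:-1]), tokens[-1]
            where = f"network scep_client {name} {setting}"
            if setting == "server url" and value.lower().startswith("http://"):
                findings.append(
                    (where, "SCEP over unencrypted HTTP; carry it inside a VPN"))
            elif (setting == "key_length" and value.isdigit()
                  and int(value) < DEFAULT_KEY_LENGTH):
                findings.append(
                    (where, f"{value}-bit key is below the {DEFAULT_KEY_LENGTH}-bit default"))
    return findings


if __name__ == "__main__":
    for setting, message in lint(SAMPLE):
        print(f"{setting}: {message}")
```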

Example: SCEP client configuration with Fortinet SCEP server


In this example configuration, we will configure the Connect EZ 16/32 device as a SCEP client that will
connect to a Fortinet SCEP server.

Fortinet configuration
On the Fortinet server:

1. Enable ports for SCEP services:


a. From the menu, select Network > Interfaces.
b. Select the appropriate port and click Edit.
c. For Access Rights > Services, enable the following services:
- HTTPS > SCEP
- HTTPS > CRL Downloads
- HTTP > SCEP
- HTTP > CRL Downloads
d. The remaining fields can be left at their defaults or changed as appropriate.
e. Click OK.
2. Create a Certificate Authority (CA):
a. From the menu, click Certificate Authorities > Local CAs.
b. Click Create New.
c. Type a Certificate ID for the CA, for example, fortinet_example_ca.
d. Complete the Subject Information fields.


e. The remaining fields can be left at their defaults or changed as appropriate.


f. Click OK.
3. Edit SCEP settings:
a. From the menu, click SCEP > General.
b. Click Enable SCEP if it is not enabled.
c. For Default enrollment password, enter a password. The password entered here must
correspond to the challenge password configured for the SCEP client on the Connect EZ
16/32 device.
d. The remaining fields can be left at their defaults or changed as appropriate.
e. Click OK.
4. Create an Enrollment Request:
a. From the menu, click SCEP > Enrollment Requests.
b. Click Create New.
c. For Automatic request type, select Wildcard.
d. For Certificate authority, select the CA created in step 1, above.
e. Complete the Subject Information fields. The Distinguished Name (DN) attributes entered
here must correspond to the Distinguished Name attributes configured for the SCEP client
on the Connect EZ 16/32 device.
f. For Renewal > Allow renewal x days before the certified is expired, type the number of
days that the certificate enrollment can be renewed, prior to the request expiring. The
Renewable Time setting on the Connect EZ 16/32 device must match the setting of this
parameter.
g. The remaining fields can be left at their defaults or changed as appropriate.
h. Click OK.

Connect EZ 16/32 configuration


On the Connect EZ 16/32 device:

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Network > SCEP Client.
4. For Add clients, enter a name for the SCEP client and click .

The new SCEP client configuration is displayed.

5. Click Enable to enable the SCEP client.


6. For Renewable Time, type the number of days that the certificate enrollment can be renewed,
prior to the request expiring. This value must match the setting of the Allow renewal x days
before the certified is expired option on the Fortinet server.
7. (Optional) Click Debug to enable verbose logging in /var/log/scep_client.
8. Click to expand SCEP server.

9. For FQDN, type the fully qualified domain name or IP address of the Fortinet server.
10. For Password, type the challenge password. This corresponds to the Default enrollment
password on the Fortinet server.


11. Click to expand Distinguished Name.

12. Type the value for each appropriate Distinguished Name attribute. The values entered here
must correspond to the DN attributes in the Enrollment Request on the Fortinet server.
13. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Add a new SCEP client, for example, Fortinet_SCEP_client:

(config)> add network scep_client Fortinet_SCEP_client
(config network scep_client Fortinet_SCEP_client)>

4. Enable the SCEP client:

(config network scep_client Fortinet_SCEP_client)> enable true


(config network scep_client Fortinet_SCEP_client)>

5. Set the url parameter to the fully qualified domain name or IP address of the SCEP server:

(config network scep_client Fortinet_SCEP_client)> server url https://fortinet.example.com
(config network scep_client Fortinet_SCEP_client)>

6. Set the challenge password as configured on the SCEP server. This corresponds to the Default
enrollment password on the Fortinet server.

(config network scep_client Fortinet_SCEP_client)> server password challenge_password
(config network scep_client Fortinet_SCEP_client)>

7. Set Distinguished Name attributes. The values entered here must correspond to the DN
attributes in the Enrollment Request on the Fortinet server.
a. Set the Domain Component:

(config network scep_client Fortinet_SCEP_client)> distinguished_name dc value
(config network scep_client Fortinet_SCEP_client)>

b. Set the two letter Country Code:

(config network scep_client Fortinet_SCEP_client)> distinguished_name c value
(config network scep_client Fortinet_SCEP_client)>

c. Set the State or Province:

(config network scep_client Fortinet_SCEP_client)> distinguished_name st value
(config network scep_client Fortinet_SCEP_client)>

d. Set the Locality:

(config network scep_client Fortinet_SCEP_client)> distinguished_name l value
(config network scep_client Fortinet_SCEP_client)>

e. Set the Organization:

(config network scep_client Fortinet_SCEP_client)> distinguished_name o value
(config network scep_client Fortinet_SCEP_client)>

f. Set the Organizational Unit:

(config network scep_client Fortinet_SCEP_client)> distinguished_name ou value
(config network scep_client Fortinet_SCEP_client)>

g. Set the Common Name:

(config network scep_client Fortinet_SCEP_client)> distinguished_name cn value
(config network scep_client Fortinet_SCEP_client)>

8. Set the number of days that the certificate enrollment can be renewed, prior to the request
expiring. This value must match the setting of the Allow renewal x days before the certified
is expired option on the Fortinet server.

(config network scep_client Fortinet_SCEP_client)> renewable_time integer


(config network scep_client Fortinet_SCEP_client)>

9. (Optional) Enable verbose logging in /var/log/scep_client:

(config network scep_client Fortinet_SCEP_client)> debug true


(config network scep_client Fortinet_SCEP_client)>

10. Save the configuration and apply the change.

(config network scep_client Fortinet_SCEP_client)> save


Configuration saved.
>

11. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Show SCEP client status and information


You can show general SCEP client information for all SCEP clients, and specific information for an
individual SCEP client.


This procedure is only available from the Admin CLI.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. To display details about all configured SCEP clients, type the following at the prompt:

> show scep-client

SCEP   Enabled  Expiry
-----  -------  -------
test   true     Jun 4 19:05:25 2022 GMT
test1  false

>

3. To display details about a specific SCEP client:

> show scep-client name name

For example:

> show scep-client name test

test SCEP Status
----------------
Enabled : true

Client Certificate
------------------
Subject : C=US,ST=MA,L=BOS,O=Digi,OU=IT1,CN=dummy
Issuer : CN=TA-SCEP-1-CA
Serial : 1100000017A30C8EDD3805EB52000000000017
Expiry : Jun 4 19:05:25 2022 GMT

Certificate Authority Certificate {1}
-------------------------------------
Subject : C=US,CN=TA-SCEP-1-MSCEP-RA
Issuer : CN=TA-SCEP-1-CA
Serial : 1100000002A1E755981C0C3F34000000000002
Expiry : Apr 25 13:42:47 2023 GMT

Certificate Authority Certificate {2}
-------------------------------------
Subject : C=US,CN=TA-SCEP-1-MSCEP-RA
Issuer : CN=TA-SCEP-1-CA
Serial : 1100000003268AFB5E98BFCA73000000000003
Expiry : Apr 25 13:42:48 2023 GMT

Certificate Authority Certificate {3}
-------------------------------------
Subject : CN=TA-SCEP-1-CA
Issuer : CN=TA-SCEP-1-CA
Serial : 681670E9EFB7FCB74E79C33DD9D54847
Expiry : Apr 25 13:36:42 2027 GMT

Certificate Revocation List
---------------------------
Issuer : CN=TA-SCEP-1-CA
Last Update : May 23 13:27:21 2022 GMT

>

4. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
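
The output of show scep-client name can be checked automatically for certificates that are close to expiry. The following is an added example, not part of the Digi guide or firmware: it parses the output format shown above and classifies each certificate against the Renewable Time window (default 7 days), so a client certificate that sits inside the window without being renewed stands out, and it reports the age of the CRL. The sample text is copied from the guide's example output with CA sections {1} and {2} omitted; the function names are this example's own.

```python
from datetime import datetime, timedelta, timezone

# Copied from the guide's `show scep-client name test` example output
# (CA certificate sections {1} and {2} left out to keep the sample short).
SAMPLE = """\
test SCEP Status
----------------
Enabled : true

Client Certificate
------------------
Subject : C=US,ST=MA,L=BOS,O=Digi,OU=IT1,CN=dummy
Issuer : CN=TA-SCEP-1-CA
Serial : 1100000017A30C8EDD3805EB52000000000017
Expiry : Jun 4 19:05:25 2022 GMT

Certificate Authority Certificate {3}
-------------------------------------
Subject : CN=TA-SCEP-1-CA
Issuer : CN=TA-SCEP-1-CA
Serial : 681670E9EFB7FCB74E79C33DD9D54847
Expiry : Apr 25 13:36:42 2027 GMT

Certificate Revocation List
---------------------------
Issuer : CN=TA-SCEP-1-CA
Last Update : May 23 13:27:21 2022 GMT
"""

TIME_FORMAT = "%b %d %H:%M:%S %Y GMT"  # e.g. "Jun 4 19:05:25 2022 GMT"


def parse_time(value):
    """Parse a timestamp from the CLI output as an aware UTC datetime."""
    return datetime.strptime(value, TIME_FORMAT).replace(tzinfo=timezone.utc)


def parse_sections(text):
    """Split the output into {section title: {field: value}}."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    sections, current = {}, None
    for i, line in enumerate(lines):
        if set(line) == {"-"}:  # underline row, not data
            continue
        if i + 1 < len(lines) and set(lines[i + 1]) == {"-"}:
            current = sections.setdefault(line, {})  # titles are underlined
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")  # split on the first colon only
            current[key.strip()] = value.strip()
    return sections


def expiry_report(text, now, renewable_days=7):
    """Return (section, subject, days_left, state) for every certificate."""
    report = []
    for title, fields in parse_sections(text).items():
        if "Expiry" not in fields:
            continue
        days_left = (parse_time(fields["Expiry"]) - now) / timedelta(days=1)
        if days_left < 0:
            state = "expired"
        elif days_left <= renewable_days:
            state = "renewal-window"  # device should be attempting auto-renewal
        else:
            state = "ok"
        report.append((title, fields.get("Subject", ""), round(days_left, 1), state))
    return report


def crl_age_days(text, now):
    """Days since the CRL's Last Update, or None if no CRL section is present."""
    crl = parse_sections(text).get("Certificate Revocation List", {})
    if "Last Update" not in crl:
        return None
    return round((now - parse_time(crl["Last Update"])) / timedelta(days=1), 1)


if __name__ == "__main__":
    current_time = datetime.now(timezone.utc)
    for row in expiry_report(SAMPLE, current_time):
        print(row)
    print("CRL age (days):", crl_age_days(SAMPLE, current_time))
```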


OpenVPN
OpenVPN is an open-source Virtual Private Network (VPN) technology that creates secure point-to-
point or site-to-site connections in routed or bridged configurations. OpenVPN uses a custom security
protocol that uses Secure Socket Layer (SSL) / Transport Layer Security (TLS) for key exchange. It uses
standard encryption and authentication algorithms for data privacy and authentication over TCP or
UDP.
The OpenVPN server can push the network configuration, such as the topology and IP routes, to
OpenVPN clients. This makes OpenVPN simpler to configure as it reduces the chances of a
configuration mismatch between the client and server. OpenVPN also supports cipher negotiation
between the client and server. This means you can configure the OpenVPN server and clients with a
range of different cipher options and the server will negotiate with the client on the cipher to use for
the connection.
For more information on OpenVPN, see www.openvpn.net.

OpenVPN modes:
There are two modes for running OpenVPN:
- Routing mode, also known as TUN.
- Bridging mode, also known as TAP.

Routing (TUN) mode


In routing mode, each OpenVPN client is assigned a different IP subnet from the OpenVPN server and
other OpenVPN clients. OpenVPN clients use Network Address Translation (NAT) to route traffic from
devices connected on their LAN interfaces to the OpenVPN server.
The manner in which the IP subnets are defined depends on the OpenVPN topology in use. The
Connect EZ 16/32 device supports two types of OpenVPN topology:

OpenVPN Topology    Subnet definition method

net30               Each OpenVPN client is assigned a /30 subnet within the IP subnet specified
                    in the OpenVPN server configuration. With net30 topology, pushed routes
                    are used, with the exception of the default route. Automatic route pushing
                    (exec) is not allowed, because this would not inform the firewall and would
                    be blocked.

subnet              Each OpenVPN client connected to the OpenVPN server is assigned an IP
                    address within the IP subnet specified in the OpenVPN server configuration.
                    For the Connect EZ 16/32 device, pushed routes are not allowed; you will
                    need to manually configure routes on the device.

For more information on OpenVPN topologies, see OpenVPN topology.

Bridging (TAP) mode


In bridging mode, a LAN interface on the OpenVPN server is assigned to OpenVPN. The LAN interfaces
of the OpenVPN clients are on the same IP subnet as the OpenVPN server’s LAN interface. This means
that devices connected to the OpenVPN client’s LAN interface are on the same IP subnet as devices
connected to the OpenVPN server’s LAN interface.
The Connect EZ 16/32 device supports two mechanisms for configuring an OpenVPN server in TAP
mode:


- OpenVPN managed—The Connect EZ 16/32 device creates the interface and then uses its
standard configuration to set up the connection (for example, its standard DHCP server
configuration).
- Device only—IP addressing is controlled by the system, not by OpenVPN.

Additional OpenVPN information


For more information on OpenVPN, see these resources:
Bridging vs. routing
OpenVPN/Routing

Configure an OpenVPN server


Required configuration items
- Enable the OpenVPN server.
The OpenVPN server is enabled by default.
- The mode used by the OpenVPN server, one of:
  - TUN (OpenVPN managed)—Also known as routing mode. Each OpenVPN client is assigned
  a different IP subnet from the OpenVPN server and other OpenVPN clients. OpenVPN
  clients use Network Address Translation (NAT) to route traffic from devices connected on
  their LAN interfaces to the OpenVPN server.
  - TAP - OpenVPN managed—Also known as bridging mode. A more advanced
  implementation of OpenVPN. The Connect EZ 16/32 device creates an OpenVPN interface
  and uses standard interface configuration (for example, a standard DHCP server
  configuration).
  - TAP - Device only—An alternate form of OpenVPN bridging mode, in which the device,
  rather than OpenVPN, controls the interface configuration. If this method is used, the
  OpenVPN server must be included as a device in either an interface or a bridge.
- The firewall zone to be used by the OpenVPN server.
- The IP network and subnet mask of the OpenVPN server.
- The server's Certificate authority (CA) certificate, and public, private and Diffie-Hellman (DH)
keys.
- An OpenVPN authentication group and an OpenVPN user.
- Determine the method of certificate management:
  - Certificates managed by the server.
  - Certificates created externally and added to the server.
- If certificates are created and added to the server, determine the level of authentication:
  - Certificate authentication only.
  - Username and password authentication only.
  - Certificate and username and password authentication.
If username and password authentication is used, you must create an OpenVPN authentication
group and user. See Configure an OpenVPN Authentication Group and User for instructions.


- Certificates and keys:
  - The CA certificate (usually in a ca.crt file).
  - The Public key (for example, server.crt).
  - The Private key (for example, server.key).
  - The Diffie Hellman key (usually in dh2048.pem).
- Active recovery configuration. See Configure SureLink active recovery for OpenVPN for
information about OpenVPN active recovery.

Additional configuration items


- The route metric for the OpenVPN server.
- The range of IP addresses that the OpenVPN server will provide to clients.
- The TCP/UDP port to use. By default, the Connect EZ 16/32 device uses port 1194.
- Access control list configuration to restrict access to the OpenVPN server through the firewall.
- Additional OpenVPN parameters.

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click VPN > OpenVPN > Servers.
4. For Add, type a name for the OpenVPN server and click .


The new OpenVPN server configuration is displayed.

The OpenVPN server is enabled by default. To disable, toggle off Enable.


5. For Device type, select the mode used by the OpenVPN server, either:
- TUN (OpenVPN managed)
- TAP - OpenVPN managed
- TAP - Device only
See OpenVPN for information about OpenVPN server modes.
6. If TUN (OpenVPN managed) or TAP - OpenVPN managed is selected for Device type:
a. For Zone, select the firewall zone for the OpenVPN server. For TUN device types, this
should be set to Internal to treat clients as LAN devices.
b. (Optional) Select the Metric for the OpenVPN server. If multiple active routes match a
destination, the route with the lowest metric will be used. The default setting is 0.
c. For Address, type the IP address and subnet mask of the OpenVPN server.
d. (Optional) For First IP address and Last IP address, set the range of IP addresses that the
OpenVPN server will use when providing IP addresses to clients. The default is from 80 to
99.
7. (Optional) Set the VPN port that the OpenVPN server will use. The default is 1194.
8. For Server managed certificates, determine the method of certificate management. If
enabled, the server will manage certificates. If not enabled, certificates must be created
externally and added to the server.
9. If Server managed certificates is not enabled:
a. Select the Authentication type:
- Certificate only: Uses only certificates for client authentication. Each client
  requires a public and private key.
- Username/password only: Uses a username and password for client
  authentication. You must create an OpenVPN authentication group and user. See
  Configure an OpenVPN Authentication Group and User for instructions.
- Certificate and username/password: Uses both certificates and a username and
  password for client authentication. Each client requires a public and private key,
  and you must create an OpenVPN authentication group and user. See Configure an
  OpenVPN Authentication Group and User for instructions.
b. Paste the contents of the CA certificate (usually in a ca.crt file), the Public key (for
example, server.crt), the Private key (for example, server.key), and the Diffie Hellman
key (usually in dh2048.pem) into their respective fields. The contents will be hidden when
the configuration is saved.
10. (Optional) Click to expand Access control list to restrict access to the OpenVPN server:
- To limit access to specified IPv4 addresses and networks:
a. Click IPv4 Addresses.
b. For Add Address, click .
c. For Address, enter the IPv4 address or network that can access the device's
service-type. Allowed values are:
  - A single IP address or host name.
  - A network designation in CIDR notation, for example, 192.168.1.0/24.
  - any: No limit to IPv4 addresses that can access the service-type.
d. Click  again to list additional IP addresses or networks.
- To limit access to specified IPv6 addresses and networks:
a. Click IPv6 Addresses.
b. For Add Address, click .
c. For Address, enter the IPv6 address or network that can access the device's
service-type. Allowed values are:
  - A single IP address or host name.
  - A network designation in CIDR notation, for example, 2001:db8::/48.
  - any: No limit to IPv6 addresses that can access the service-type.
d. Click  again to list additional IP addresses or networks.
- To limit access to hosts connected through a specified interface on the device:
a. Click Interfaces.
b. For Add Interface, click .
c. For Interface, select the appropriate interface from the dropdown.
d. Click  again to allow access through additional interfaces.
- To limit access based on firewall zones:
a. Click Zones. By default, there are three firewall zones already configured: Internal,
Edge, and IPsec.
b. For Add Zone, click .
c. For Zone, select the appropriate firewall zone from the dropdown.
See Firewall configuration for information about firewall zones.
d. Click  again to allow access through additional firewall zones.
11. (Optional) Click to expand Advanced Options to manually set additional OpenVPN
parameters.
a. Click Enable to enable the use of additional OpenVPN parameters.
b. Click Override if the additional OpenVPN parameters should override default options.


c. For OpenVPN parameters, type the additional OpenVPN parameters.


12. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. At the config prompt, type:

(config)> add vpn openvpn server name


(config vpn openvpn server name)>

where name is the name of the OpenVPN server.


The OpenVPN server is enabled by default. To disable the server, type:

(config vpn openvpn server name)> enable false


(config vpn openvpn server name)>

4. Set the mode used by the OpenVPN server:

(config vpn openvpn server name)> device_type value


(config vpn openvpn server name)>

where value is one of:


- TUN (OpenVPN managed): Also known as routing mode. Each OpenVPN client is
  assigned a different IP subnet from the OpenVPN server and other OpenVPN clients.
  OpenVPN clients use Network Address Translation (NAT) to route traffic from devices
  connected on its LAN interfaces to the OpenVPN server.
- TAP - OpenVPN managed: Also known as bridging mode. A more advanced
  implementation of OpenVPN. The Connect EZ 16/32 device creates an OpenVPN
  interface and uses standard interface configuration (for example, a standard DHCP
  server configuration).
- TAP - Device only: An alternate form of OpenVPN bridging mode, in which the device,
  rather than OpenVPN, controls the interface configuration. If this method is used, the
  OpenVPN server must be included as a device in either an interface or a bridge.
See OpenVPN for information about OpenVPN modes. The default is tun.
5. If tap or tun are set for device_type:
a. Set the IP address and subnet mask of the OpenVPN server.

(config vpn openvpn server name)> address ip_address/netmask


(config vpn openvpn server name)>


b. Set the firewall zone for the OpenVPN server. For TUN device types, this should be set to
internal to treat clients as LAN devices.

(config vpn openvpn server name)> zone value


(config vpn openvpn server name)>

To view a list of available zones:

(config vpn openvpn server name)> firewall zone ?

Zone: The zone for the local TUN interface. To treat clients as LAN devices this
would usually be set to internal.
Format:
any
dynamic_routes
edge
external
internal
ipsec
loopback
setup
Current value:

(config vpn openvpn server name)>

c. (Optional) Set the route metric for the OpenVPN server. If multiple active routes match a
destination, the route with the lowest metric will be used.

(config vpn openvpn server name)> metric value


(config vpn openvpn server name)>

where value is an integer between 0 and 65535. The default is 0.


d. (Optional) Set the range of IP addresses that the OpenVPN server will use when providing
IP addresses to clients:
i. Set the first address in the range limit:

(config vpn openvpn server name)> server_first_ip value


(config vpn openvpn server name)>

where value is a number between 1 and 255. The number entered here will represent
the first client IP address. For example, if address is set to 192.168.1.1/24 and
server_first_ip is set to 80, the first client IP address will be 192.168.1.80.
The default is from 80.
ii. Set the last address in the range limit:

(config vpn openvpn server name)> server_last_ip value


(config vpn openvpn server name)>


where value is a number between 1 and 255. The number entered here will represent
the last client IP address. For example, if address is set to 192.168.1.1/24 and
server_last_ip is set to 99, the last client IP address will be 192.168.1.80.
The default is from 80.
6. (Optional) Set the port that the OpenVPN server will use:

(config vpn openvpn server name)> port port


(config vpn openvpn server name)>

The default is 1194.


7. Determine the method of certificate management:
a. To allow the server to manage certificates:

(config vpn openvpn server name)> autogenerate true


(config vpn openvpn server name)>

b. To create certificates externally and add them to the server:

(config vpn openvpn server name)> autogenerate false


(config vpn openvpn server name)>

The default setting is false.


c. If autogenerate is set to false:
i. Set the authentication type:

(config vpn openvpn server name)> authentication value


(config vpn openvpn server name)>

where value is one of:


- cert: Uses only certificates for client authentication. Each client requires a
  public and private key.
- passwd: Uses a username and password for client authentication. You must
  create an OpenVPN authentication group and user. See Configure an OpenVPN
  Authentication Group and User for instructions.
- cert_passwd: Uses both certificates and a username and password for client
  authentication. Each client requires a public and private key, and you must
  create an OpenVPN authentication group and user. See Configure an OpenVPN
  Authentication Group and User for instructions.
ii. Paste the contents of the CA certificate (usually in a ca.crt file) into the value of the
cacert parameter:

(config vpn openvpn server name)> cacert value


(config vpn openvpn server name)>

iii. Paste the contents of the public key (for example, server.crt) into the value of the
server_cert parameter:

(config vpn openvpn server name)> server_cert value


(config vpn openvpn server name)>


iv. Paste the contents of the private key (for example, server.key) into the value of the
server_key parameter:

(config vpn openvpn server name)> server_key value


(config vpn openvpn server name)>

v. Paste the contents of the Diffie Hellman key (usually in dh2048.pem) into the value of
the diffie parameter:

(config vpn openvpn server name)> diffie value


(config vpn openvpn server name)>

8. (Optional) Set the access control list to restrict access to the OpenVPN server:
- To limit access to specified IPv4 addresses and networks:

(config vpn openvpn server name)> add acl address end value
(config vpn openvpn server name)>

Where value can be:


  - A single IP address or host name.
  - A network designation in CIDR notation, for example, 192.168.1.0/24.
  - any: No limit to IPv4 addresses that can access the service-type.
Repeat this step to list additional IP addresses or networks.
- To limit access to specified IPv6 addresses and networks:

(config vpn openvpn server name)> add acl address6 end value
(config vpn openvpn server name)>

Where value can be:


  - A single IP address or host name.
  - A network designation in CIDR notation, for example, 2001:db8::/48.
  - any: No limit to IPv6 addresses that can access the service-type.
Repeat this step to list additional IP addresses or networks.
- To limit access to hosts connected through a specified interface on the Connect EZ
  16/32 device:

(config vpn openvpn server name)> add acl interface end value
(config vpn openvpn server name)>

Where value is an interface defined on your device.

Display a list of available interfaces:


Use ... network interface ? to display interface information:

Repeat this step to list additional interfaces.


- To limit access based on firewall zones:

(config vpn openvpn server name)> add acl zone end value
(config vpn openvpn server name)>


Where value is a firewall zone defined on your device, or the any keyword.

Display a list of available firewall zones:


Type ... firewall zone ? at the config prompt:

(config vpn openvpn server name)> ... firewall zone ?

Zones: A list of groups of network interfaces that can be referred to by packet
filtering rules and access control lists.

Additional Configuration
-------------------------------------------------------------------------------
any
dynamic_routes
edge
external
internal
ipsec
loopback
setup

(config vpn openvpn server name)>

Repeat this step to include additional firewall zones.


9. (Optional) Set additional OpenVPN parameters.
a. Enable the use of additional OpenVPN parameters:

(config vpn openvpn server name)> advanced_options enable true


(config vpn openvpn server name)>

b. Configure whether the additional OpenVPN parameters should override default options:

(config vpn openvpn server name)> advanced_options override true


(config vpn openvpn server name)>

c. Set the additional OpenVPN parameters:

(config vpn openvpn server name)> extra parameters


(config vpn openvpn server name)>

10. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

11. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
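
The following is an added example, not part of the Digi guide or firmware: a Python review script that reads a pasted configuration session for an OpenVPN server, derives the client address range from address, server_first_ip and server_last_ip, and lists the points to confirm before saving (unrestricted ACL entries, the authentication group requirement, missing certificate fields). It assumes the first/last values are offsets from the network address, which matches the 192.168.1.1/24 example above, and takes the 80 to 99 defaults from the Web procedure; the session text and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: commands entered in the order the procedure above gives them.
SAMPLE_SESSION = """\
(config vpn openvpn server name)> device_type tun
(config vpn openvpn server name)>
(config vpn openvpn server name)> address 192.168.1.1/24
(config vpn openvpn server name)> zone internal
(config vpn openvpn server name)> server_first_ip 80
(config vpn openvpn server name)> server_last_ip 99
(config vpn openvpn server name)> port 1194
(config vpn openvpn server name)> autogenerate false
(config vpn openvpn server name)> authentication passwd
(config vpn openvpn server name)> add acl address end 203.0.113.0/24
(config vpn openvpn server name)> add acl address end any
(config vpn openvpn server name)> add acl address6 end 2001:db8::/48
"""

PROMPT = re.compile(r"^\(config[^)]*\)>\s*(\S.*)$")
ACL = re.compile(r"^add acl (address6?|interface|zone) end (\S+)$")
PEM_FIELDS = ("cacert", "server_cert", "server_key", "diffie")


def parse_session(text):
    """Return ({parameter: value}, [(acl_kind, value), ...]) from a pasted session."""
    settings, acl = {}, []
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue  # empty prompt, command output or blank line
        command = m.group(1).strip()
        entry = ACL.match(command)
        if entry:
            acl.append(entry.groups())
        else:
            key, _, value = command.partition(" ")
            if value:
                settings[key] = value.strip()
    return settings, acl


def client_pool(settings):
    """First and last client address. Assumption: the two values are offsets from
    the network address, which matches the guide's 192.168.1.1/24 example."""
    iface = ipaddress.ip_interface(settings["address"])
    base = iface.network.network_address
    first = int(settings.get("server_first_ip", 80))  # defaults from the Web procedure
    last = int(settings.get("server_last_ip", 99))
    return iface, base + first, base + last


def audit(text):
    """Return the derived client pool and a list of review findings."""
    settings, acl = parse_session(text)
    findings, pool = [], None
    if "address" in settings:
        iface, start, end = client_pool(settings)
        net, pool = iface.network, (str(start), str(end))
        if start > end:
            findings.append("pool: server_first_ip is above server_last_ip")
        for ip in (start, end):
            if ip not in net or ip in (net.network_address, net.broadcast_address):
                findings.append(f"pool: {ip} is not a usable host address in {net}")
        if start <= iface.ip <= end:
            findings.append(f"pool: server address {iface.ip} lies inside the client range")
    for kind, value in acl:
        if value == "any":
            findings.append(f"acl {kind}: 'any' places no limit on who can reach the server")
        elif kind in ("address", "address6"):
            want = 4 if kind == "address" else 6
            try:
                entry = ipaddress.ip_network(value, strict=False)
            except ValueError:
                findings.append(f"acl {kind}: {value} is not an IP or CIDR, treated as a host name")
                continue
            if entry.version != want:
                findings.append(f"acl {kind}: {value} is IPv{entry.version}, expected IPv{want}")
            elif entry.prefixlen == 0:
                findings.append(f"acl {kind}: {value} matches every address, same as 'any'")
    if settings.get("autogenerate", "false") == "false":  # false is the documented default
        if settings.get("authentication") in ("passwd", "cert_passwd"):
            findings.append("auth: create an OpenVPN authentication group and user")
        missing = [f for f in PEM_FIELDS if f not in settings]
        if missing:
            findings.append("certs: not set: " + ", ".join(missing))
    return {"pool": pool, "findings": findings}


if __name__ == "__main__":
    report = audit(SAMPLE_SESSION)
    print("client pool:", report["pool"])
    for finding in report["findings"]:
        print(" -", finding)
```
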


Configure an OpenVPN Authentication Group and User


If username and password authentication is used for the OpenVPN server, you must create an
OpenVPN authentication group and user.
See Configure an OpenVPN server for information about configuring an OpenVPN server to use
username and password authentication. See Connect EZ 16/32 user authentication for more
information about creating authentication groups and users.

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Add an OpenVPN authentication group:
a. Click Authentication > Groups.
b. For Add Group, type a name for the group (for example, OpenVPN_Group) and click .

The new authentication group configuration is displayed.


c. Click OpenVPN access to enable OpenVPN access rights for users of this group.
d. Click to expand the OpenVPN node.
e. Click  to add a tunnel.

f. For Tunnel, select an OpenVPN tunnel to which users of this group will have access.

g. Repeat to add additional OpenVPN tunnels.


4. Add an OpenVPN authentication user:
a. Click Authentication > Users.
b. For Add, type a name for the user (for example, OpenVPN_User) and click .

c. Type a password for the user.


This password is used for local authentication of the user. You can also configure the user
to use RADIUS or TACACS+ authentication by configuring authentication methods. See
User authentication methods for information.


d. Click to expand the Groups node.

e. Click  to add a group to the user.

f. Select a Group with OpenVPN access enabled.

5. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Use the add auth group command to add a new authentication group. For example, to add a group
named OpenVPN_Group:

(config)> add auth group OpenVPN_Group


(config auth group OpenVPN_Group)>

4. Enable OpenVPN access rights for users of this group:

(config auth group OpenVPN_Group)> acl openvpn enable true

5. Add an OpenVPN tunnel to which users of this group will have access:
a. Determine available tunnels:

(config auth group OpenVPN_Group)> .. .. .. vpn openvpn server ?

Servers: A list of openvpn servers

Additional Configuration
-------------------------------------------------------------------------------
OpenVPN_server1 OpenVPN server

(config auth group OpenVPN_Group)>

b. Add a tunnel:

(config auth group OpenVPN_Group)> add auth group test acl openvpn tunnels end /vpn/openvpn/server/OpenVPN_server1
(config auth group OpenVPN_Group)>

6. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

7. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.


Configure an OpenVPN client by using an .ovpn file


Required configuration items
- Enable the OpenVPN client.
  The OpenVPN client is enabled by default.
- The firewall zone to be used by the OpenVPN client.

Additional configuration items


- The route metric for the OpenVPN client.
- The login credentials for the OpenVPN client, if configured on the OpenVPN server.
See Configure SureLink active recovery for OpenVPN for information about OpenVPN active recovery.

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click VPN > OpenVPN > Clients.
4. For Add, type a name for the OpenVPN client and click .

The new OpenVPN client configuration is displayed.


5. The OpenVPN client is enabled by default. To disable, toggle off Enable.


6. The default behavior is to use an OVPN file for client configuration. To disable this behavior
and configure the client manually, click Use .ovpn file to disable. If Use .ovpn file is disabled,
see Configure an OpenVPN client without using an .ovpn file for configuration information.
7. For Zone, select the firewall zone for the OpenVPN client.
8. (Optional) Select the Metric for the OpenVPN client. If multiple active routes match a
destination, the route with the lowest metric will be used.
9. (Optional) For Username and Password, type the login credentials as configured on the
OpenVPN server.
10. For OVPN file, paste the content of the client.ovpn file.
11. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. At the config prompt, type:

(config)> add vpn openvpn client name


(config vpn openvpn client name)>

where name is the name of the OpenVPN server.


The OpenVPN client is enabled by default. To disable the client, type:

(config vpn openvpn client name)> enable false


(config vpn openvpn client name)>


4. Set the firewall zone for the OpenVPN client:

(config vpn openvpn client name)> zone value


(config vpn openvpn client name)>

To view a list of available zones:

(config vpn openvpn client name)> zone ?

Zone: The zone for the openvpn client interface.


Format:
any
dynamic_routes
edge
external
internal
ipsec
loopback
setup
Current value:

(config vpn openvpn client name)>

5. (Optional) Set the route metric for the OpenVPN server. If multiple active routes match a
destination, the route with the lowest metric will be used.

(config vpn openvpn client name)> metric value


(config vpn openvpn client name)>

where value is an integer between 0 and 65535. The default is 0.


6. (Optional) Set the login credentials as configured on the OpenVPN server:

(config vpn openvpn client name)> username value


(config vpn openvpn client name)> password value
(config vpn openvpn client name)>

7. Paste the content of the client.ovpn file into the value of the config_file parameter:

(config vpn openvpn client name)> config_file value


(config vpn openvpn client name)>

8. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

9. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.


Configure an OpenVPN client without using an .ovpn file


Required configuration items
- Enable the OpenVPN client.
  The OpenVPN client is enabled by default.
- The mode used by the OpenVPN server, either routing (TUN), or bridging (TAP).
- The firewall zone to be used by the OpenVPN client.
- The IP address of the OpenVPN server.
- Certificates and keys:
  - The CA certificate (usually in a ca.crt file).
  - The Public key (for example, client.crt).
  - The Private key (for example, client.key).

Additional configuration items


- The route metric for the OpenVPN client.
- The login credentials for the OpenVPN client, if configured on the OpenVPN server.
- Additional OpenVPN parameters.
See Configure SureLink active recovery for OpenVPN for information about OpenVPN active recovery.

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click VPN > OpenVPN > Clients.


4. For Add, type a name for the OpenVPN client and click .

The new OpenVPN client configuration is displayed.

5. The OpenVPN client is enabled by default. To disable, toggle off Enable.


6. The default behavior is to use an OVPN file for client configuration. To disable this behavior
and configure the client manually, click Use .ovpn file to disable.
7. For Device type, select the mode used by the OpenVPN server, either TUN or TAP.
8. For Zone, select the firewall zone for the OpenVPN client.
9. (Optional) Select the Metric for the OpenVPN client. If multiple active routes match a
destination, the route with the lowest metric will be used.
10. (Optional) For Username and Password, type the login credentials as configured on the
OpenVPN server.
11. For VPN server IP, type the IP address of the OpenVPN server.
12. (Optional) Set the VPN port used by the OpenVPN server. The default is 1194.
13. Paste the contents of the CA certificate (usually in a ca.crt file), the Public key (for example,
client.crt), and the Private key (for example, client.key) into their respective fields. The
contents will be hidden when the configuration is saved.
14. (Optional) Click to expand Advanced Options to manually set additional OpenVPN
parameters.


a. Click Enable to enable the use of additional OpenVPN parameters.


b. Click Override if the additional OpenVPN parameters should override default options.
c. For OpenVPN parameters, type the additional OpenVPN parameters. For example, to
override the configuration by using a configuration file, enter --config filename, for
example, --config /etc/config/openvpn_config.
15. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. At the config prompt, type:

(config)> add vpn openvpn client name


(config vpn openvpn client name)>

where name is the name of the OpenVPN server.


The OpenVPN client is enabled by default. To disable the client, type:

(config vpn openvpn client name)> enable false


(config vpn openvpn client name)>

4. The default behavior is to use an OVPN file for client configuration. To disable this behavior
and configure the client manually:

(config vpn openvpn client name)> use_file false


(config vpn openvpn client name)>

5. Set the mode used by the OpenVPN server:

(config vpn openvpn client name)> device_type value


(config vpn openvpn client name)>

where value is either tun or tap. The default is tun.


6. Set the firewall zone for the OpenVPN client:

(config vpn openvpn client name)> zone value


(config vpn openvpn client name)>

To view a list of available zones:

(config vpn openvpn client name)> zone ?

Zone: The zone for the openvpn client interface.


Format:
any
dynamic_routes
edge
external
internal
ipsec
loopback
setup
Current value:

(config vpn openvpn client name)>

7. (Optional) Set the route metric for the OpenVPN server. If multiple active routes match a
destination, the route with the lowest metric will be used.

(config vpn openvpn client name)> metric value


(config vpn openvpn client name)>

where value is an integer between 0 and 65535. The default is 0.


8. (Optional) Set the login credentials as configured on the OpenVPN server:

(config vpn openvpn client name)> username value


(config vpn openvpn client name)> password value
(config vpn openvpn client name)>

9. Set the IP address of the OpenVPN server:

(config vpn openvpn client name)> server ip_address


(config vpn openvpn client name)>

10. (Optional) Set the port used by the OpenVPN server:

(config vpn openvpn client name)> port port


(config vpn openvpn client name)>

The default is 1194.


11. Paste the contents of the CA certificate (usually in a ca.crt file) into the value of the cacert
parameter:

(config vpn openvpn client name)> cacert value


(config vpn openvpn client name)>

12. Paste the contents of the public key (for example, client.crt) into the value of the public_cert
parameter:

(config vpn openvpn client name)> public_cert value


(config vpn openvpn client name)>

13. Paste the contents of the private key (for example, client.key) into the value of the
private_key parameter:

(config vpn openvpn client name)> private_key value


(config vpn openvpn client name)>

14. (Optional) Set additional OpenVPN parameters.


a. Enable the use of additional OpenVPN parameters:

(config vpn openvpn client name)> advanced_options enable true


(config vpn openvpn client name)>

b. Configure whether the additional OpenVPN parameters should override default options:

(config vpn openvpn client name)> advanced_options override true


(config vpn openvpn client name)>

c. Set the additional OpenVPN parameters:

(config vpn openvpn client name)> advanced_options extra parameters


(config vpn openvpn client name)>

15. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

16. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Configure SureLink active recovery for OpenVPN


You can configure the Connect EZ 16/32 device to regularly probe OpenVPN client connections to
determine if the connection has failed and take remedial action.

Required configuration items


- A valid OpenVPN client configuration. See Configure an OpenVPN client by using an .ovpn file
  or Configure an OpenVPN client without using an .ovpn file for configuration instructions.
- Enable OpenVPN SureLink.
- The behavior of the Connect EZ 16/32 device upon OpenVPN failure, either:
  - Restart the OpenVPN interface.
  - Reboot the device.

Additional configuration items


- The interval between connectivity tests.
- Whether the interface should be considered to have failed if one of the test targets fails, or all
  of the test targets fail.
- The number of probe failures before the OpenVPN connection is considered to have failed.
- The amount of time that the device should wait for a response to a probe before
  considering it to have failed.


To configure the Connect EZ 16/32 device to regularly probe the OpenVPN connection:

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click VPN > OpenVPN > Clients.
4. Create a new OpenVPN client or select an existing one:
- To create a new OpenVPN client, see Configure an OpenVPN client by using an .ovpn file
  or Configure an OpenVPN client without using an .ovpn file.
- To edit an existing OpenVPN client, click to expand the appropriate client.
5. After creating or selecting the OpenVPN client, click SureLink.


6. Enable SureLink.
7. (Optional) Change the Test interval between connectivity tests.
Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the
format number{w|d|h|m|s}.
For example, to set Interval to ten minutes, enter 10m or 600s.
The default is 15 minutes.
8. (Optional) If more than one test target is configured, for Success condition, select either:
- One test passes: Only one test needs to pass for SureLink to consider an interface to be
  up.
- All test pass: All tests need to pass for SureLink to consider the interface to be up.
9. (Optional) For Pass threshold, type or select the number of times that the test must pass after
failure, before the interface is determined to be working and is reinstated.
10. (Optional) For Response timeout, type the amount of time that the device should wait for a
response to a test failure before considering it to have failed.
Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the
format number{w|d|h|m|s}.
For example, to set Response timeout to ten minutes, enter 10m or 600s.
The default is 15 seconds.
11. Click to expand Tests.
By default, Test DNS servers configured for this interface is automatically configured and
enabled. This tests communication with DNS servers that are either provided by DHCP, or
statically configured for this interface.
a. Click .

New tests are enabled by default. To disable, click to toggle off Enable.
b. Type a Label for the test.
c. Click to toggle on IPv6 if the test should apply to IPv6 rather than IPv4.
d. Select the Test type.
Available test types:
n Ping test: Uses ICMP to determine connectivity.
If Ping test is selected, complete the following:
l Ping target: The type of target for the ping, one of:
o Hostname or IP address of an external server.
o Ping host: hostname or IP address of the server.
o The Interface gateway. If Interface gateway is selected, an initial
traceroute is sent to the hostname or IP address configured in the SureLink
advanced settings, and then the first hop in that route is used for the ping
test.


o The Interface address.


o The Interface DNS server.
l Ping payload size: The number of bytes to send as part of the ping payload.
n DNS test: Performs a DNS query to the named DNS server.
If DNS test is selected, complete the following:
l DNS server: The IP address of the DNS server.
n HTTP test: Uses HTTP(s) GET requests to determine connectivity to the configured
web server.
If HTTP test is selected, complete the following:
l Web server: The URL of the web server.
n Test DNS servers configured for this interface: Tests communication with DNS
servers that are either provided by DHCP, or statically configured for this interface.
n Test the interface status: Tests the current status of the interface. The test fails if
the interface is down. Failing this test implies that all other tests fail.
If Test the interface status is selected, complete the following:
l Down time: The amount of time that the interface is down before the test can
be considered to have failed.
Allowed values are any number of weeks, days, hours, minutes, or seconds, and
take the format number{w|d|h|m|s}.
For example, to set Down time to ten minutes, enter 10m or 600s.
l Initial connection time: The amount of time to wait for the interface to
connect for the first time before the test is considered to have failed.
Allowed values are any number of weeks, days, hours, minutes, or seconds, and
take the format number{w|d|h|m|s}.
For example, to set Initial connection time to ten minutes, enter 10m or 600s.
n Custom test: Tests the interface with custom commands.
If Custom test is selected, complete the following:
l The Commands to run to test.
n TCP connection test: Tests that the interface can reach a destination port on the
configured host.
If TCP connection test is selected, complete the following:
l TCP connect host: The hostname or IP address of the host to create a
TCP connection to.
l TCP connect port: The TCP port to create a TCP connection to.
n Test another interface's status: Tests the status of another interface.
If Test another interface's status is selected, complete the following:


l Test interface: The interface to test.


l IP version: The type of IP connection, one of:
o Any: Either the IPv4 or IPv6 connection must be up.
o Both: Both the IPv4 and IPv6 connections must be up.
o IPv4: The IPv4 connection must be up.
o IPv6: The IPv6 connection must be up.
l Expected status: The status required for the test to pass.
o Up: The test will pass only if the referenced interface is up and passing its
own SureLink tests (if applicable).
o Down: The test will pass only if the referenced interface is down or failing its
own SureLink tests (if applicable).
e. Repeat for each additional test.
12. Add recovery actions:
a. Click to expand Recovery actions.
By default, there are two preconfigured recovery actions:
n Update routing: Uses the Change default gateway action, which increases the
interface's metric by 100 to change the default gateway.
n Restart interface.
b. Click .

New recovery actions are enabled by default. To disable, click to toggle off Enable.
c. Type a Label for the recovery action.
d. For Recovery type, select Reboot device.
e. For Recovery type, select the type of recovery action. If multiple recovery actions are
configured, they are performed in the order that they are listed.
n Change default gateway: Increases the interface's metric to change the default
gateway.
If Change default gateway is selected, complete the following:
l SureLink test failures: The number of failures for this recovery action to
perform, before moving to the next recovery action.
l Increase metric to change active default gateway: Increase the interface's
metric by this amount. This should be set to a number large enough to change
the routing table to use another default gateway. The default is 100.
l Override wait interval before performing the next recovery action: The
time to wait before the next test is run. If set to the default value of 0s, the Test
interval is used.
n Restart interface.
If Restart interface is selected, complete the following:


l SureLink test failures: The number of failures for this recovery action to
perform, before moving to the next recovery action.
l Override wait interval before performing the next recovery action: The
time to wait before the next test is run. If set to the default value of 0s, the Test
interval is used.
n Reset modem: This recovery action is available for WWAN interfaces only.
If Reset modem is selected, complete the following:
l SureLink test failures: The number of failures for this recovery action to
perform, before moving to the next recovery action.
l Override wait interval before performing the next recovery action: The
time to wait before the next test is run. If set to the default value of 0s, the Test
interval is used.
n Switch to alternate SIM: Switches to an alternate SIM. This recovery action is
available for WWAN interfaces only.
If Switch to alternate SIM is selected, complete the following:
l SureLink test failures: The number of failures for this recovery action to
perform, before moving to the next recovery action.
l Override wait interval before performing the next recovery action: The
time to wait before the next test is run. If set to the default value of 0s, the Test
interval is used.
n Reboot device.
If Reboot device is selected, complete the following:
l SureLink test failures: The number of failures for this recovery action to
perform, before moving to the next recovery action.
l Override wait interval before performing the next recovery action: The
time to wait before the next test is run. If set to the default value of 0s, the Test
interval is used.
n Execute custom Recovery commands.
If Recovery commands is selected, complete the following:
l SureLink test failures: The number of failures for this recovery action to
perform, before moving to the next recovery action.
l The Commands to run to recover connectivity.
l Override wait interval before performing the next recovery action: The
time to wait before the next test is run. If set to the default value of 0s, the Test
interval is used.
n Powercycle the modem. This recovery action is available for WWAN interfaces
only.
If Powercycle the modem is selected, complete the following:
l SureLink test failures: The number of failures for this recovery action to
perform, before moving to the next recovery action.


l Override wait interval before performing the next recovery action: The
time to wait before the next test is run. If set to the default value of 0s, the Test
interval is used.
f. Repeat for each additional recovery action.
13. (Optional) Configure advanced SureLink parameters:
a. Click to expand Advanced settings.
b. For Delayed Start, type the amount of time to wait while the device is starting before
SureLink testing begins. This setting is bypassed when the interface is determined to be
up.
Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the
format number{w|d|h|m|s}.
For example, to set Delayed start to ten minutes, enter 10m or 600s.
The default is 300 seconds.
c. For Backoff interval, type the time to add to the test interval when restarting the list of
actions. This option is capped at 15 minutes.
Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the
format number{w|d|h|m|s}.
For example, to set Backoff interval to ten minutes, enter 10m or 600s.
The default is 300 seconds.
d. Test interface gateway by pinging is used by the Interface gateway Ping test as the
endpoint for traceroute to use to determine the interface gateway. The default is 8.8.8.8,
and should only be changed if this IP address is not accessible due to networking issues.
14. Click Apply to save the configuration and apply the change.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Create a new OpenVPN client, or edit an existing one:


n To create a new OpenVPN client, see Configure an OpenVPN client by using an .ovpn file
or Configure an OpenVPN client without using an .ovpn file.
n To edit an existing OpenVPN client, change to the OpenVPN client's node in the
configuration schema. For example, for an OpenVPN client named openvpn_client1,
change to the openvpn_client1 node in the configuration schema:

(config)> vpn openvpn client openvpn_client1


(config vpn openvpn client openvpn_client1)>


4. Enable SureLink:

(config vpn openvpn client openvpn_client1)> surelink enable true


(config vpn openvpn client openvpn_client1)>

5. By default, the Test DNS servers configured for this interface test is automatically
configured and enabled. This tests communication with DNS servers that are either provided
by DHCP, or statically configured for this interface.
To add additional tests:
a. Add a test:

(config vpn openvpn client openvpn_client1)> add surelink tests end


(config vpn openvpn client openvpn_client1 surelink tests 1)>

b. New tests are enabled by default. To disable:

(config vpn openvpn client openvpn_client1 surelink tests 1)> enable false
(config vpn openvpn client openvpn_client1 surelink tests 1)>

c. Create a label for the test:

(config vpn openvpn client openvpn_client1 surelink tests 1)> label string
(config vpn openvpn client openvpn_client1 surelink tests 1)>

d. If the test should apply to IPv6 rather than IPv4, enable IPv6:

(config vpn openvpn client openvpn_client1 surelink tests 1)> ipv6 true
(config vpn openvpn client openvpn_client1 surelink tests 1)>

e. Set the test type:

(config vpn openvpn client openvpn_client1 surelink tests 1)> test value
(config vpn openvpn client openvpn_client1 surelink tests 1)>

where value is one of:


n ping: Uses ICMP to determine connectivity.
If ping is selected, complete the following:
l Set the ping_method:

(config vpn openvpn client openvpn_client1 surelink tests 1)> ping_method value
(config vpn openvpn client openvpn_client1 surelink tests 1)>

where value is one of:


o hostname: The hostname or IP address of an external server.


o Set ping_host to the hostname or IP address of the server:

(config vpn openvpn client openvpn_client1 surelink tests 1)> ping_host hostname/IP_address
(config vpn openvpn client openvpn_client1 surelink tests 1)>

o interface_gateway. If set, an initial traceroute is sent to the hostname or IP
address configured in the SureLink advanced settings, and then the first hop
in that route is used for the ping test.
o interface_address.
o interface_dns: The interface's DNS server.
l Set the number of bytes to send as part of the ping payload:

(config vpn openvpn client openvpn_client1 surelink tests 1)> ping_size int
(config vpn openvpn client openvpn_client1 surelink tests 1)>

n dns: Performs a DNS query to the named DNS server.


If dns is set, set the IPv4 or IPv6 address of the DNS server:

(config vpn openvpn client openvpn_client1 surelink tests 1)> dns_server IP_address
(config vpn openvpn client openvpn_client1 surelink tests 1)>

n http: Uses HTTP(s) GET requests to determine connectivity to the configured web
server.
If http is set, set the URL of the web server.

(config vpn openvpn client openvpn_client1 surelink tests 1)> http url
(config vpn openvpn client openvpn_client1 surelink tests 1)>

n dns_configured: Tests communication with DNS servers that are either provided
by DHCP, or statically configured for this interface.
n interface_up: Tests the current status of the interface. The test fails if the interface
is down. Failing this test implies that all other tests fail.
If interface_up is set, complete the following:
l Set the amount of time that the interface is down before the test can be
considered to have failed.

(config vpn openvpn client openvpn_client1 surelink tests 1)> interface_down_time value
(config vpn openvpn client openvpn_client1 surelink tests 1)>

where value is any number of weeks, days, hours, minutes, or seconds, and
takes the format number{w|d|h|m|s}.


For example, to set interface_down_time to ten minutes, enter either 10m or
600s:

(config vpn openvpn client openvpn_client1 surelink tests 1)> interface_down_time 600s
(config)>

l Set the amount of time to wait for the interface to connect for the first time
before the test is considered to have failed.

(config vpn openvpn client openvpn_client1 surelink tests 1)> interface_timeout value
(config vpn openvpn client openvpn_client1 surelink tests 1)>

where value is any number of weeks, days, hours, minutes, or seconds, and
takes the format number{w|d|h|m|s}.
For example, to set interface_timeout to ten minutes, enter either 10m or
600s:

(config vpn openvpn client openvpn_client1 surelink tests 1)> interface_timeout 600s
(config)>

n custom_test: Tests the interface with custom commands.


If custom_test is set, set the commands to run to perform the test:

(config vpn openvpn client openvpn_client1 surelink tests 1)> custom_test_commands "string"
(config vpn openvpn client openvpn_client1 surelink tests 1)>

n tcp_connection: Tests that the interface can reach a destination port on the
configured host.
If tcp_connection is selected, complete the following:
l Set the hostname or IP address of the host to create a TCP connection to:

(config vpn openvpn client openvpn_client1 surelink tests 1)> tcp_host hostname/IP_address
(config vpn openvpn client openvpn_client1 surelink tests 1)>

l Set the TCP port to create a TCP connection to.

(config vpn openvpn client openvpn_client1 surelink tests 1)> tcp_port port
(config vpn openvpn client openvpn_client1 surelink tests 1)>

n other: Tests the status of another interface.


If other is selected, complete the following:


l Set the interface to test.


i. Use the ? to determine available interfaces:
ii. Set the interface. For example:

(config vpn openvpn client openvpn_client1 surelink tests 1)> other_interface /network/interface/eth1
(config vpn openvpn client openvpn_client1 surelink tests 1)>

l Set the type of IP connection:

(config vpn openvpn client openvpn_client1 surelink tests 1)> other_ip_version value
(config vpn openvpn client openvpn_client1 surelink tests 1)>

where value is one of:


o any: Either the IPv4 or IPv6 connection must be up.
o both: Both the IPv4 and IPv6 connections must be up.
o ipv4: The IPv4 connection must be up.
o ipv6: The IPv6 connection must be up.
l The status required for the test to pass.

(config vpn openvpn client openvpn_client1 surelink tests 1)> other_status value
(config vpn openvpn client openvpn_client1 surelink tests 1)>

where value is one of:


o up: The test will pass only if the referenced interface is up and passing its
own SureLink tests (if applicable).
o down: The test will pass only if the referenced interface is down or failing its
own SureLink tests (if applicable).
f. Repeat for each additional test.
6. Add recovery actions:
a. Type ... to return to the root of the configuration:

(config vpn openvpn client openvpn_client1 surelink tests 1)> ...


(config)>

b. Add a recovery action:

(config)> add vpn openvpn client openvpn_client1 surelink actions end


(config vpn openvpn client openvpn_client1 surelink actions 0)>

c. New actions are enabled by default. To disable:

(config vpn openvpn client openvpn_client1 surelink actions 0)> enable false
(config vpn openvpn client openvpn_client1 surelink actions 0)>


d. Create a label for the action:

(config vpn openvpn client openvpn_client1 surelink actions 0)> label string
(config vpn openvpn client openvpn_client1 surelink actions 0)>

e. Set the type of recovery action to reboot_device:

(config vpn openvpn client openvpn_client1 surelink actions 0)> action reboot_device
(config vpn openvpn client openvpn_client1 surelink actions 0)>

n Set the number of failures for this recovery action to perform, before moving to the
next recovery action:

(config vpn openvpn client openvpn_client1 surelink actions 0)> test_failures int
(config vpn openvpn client openvpn_client1 surelink actions 0)>

The default is 3.
n Set the time to wait before the next test is run. If set to the default value of 0s, the
test interval is used.

(config vpn openvpn client openvpn_client1 surelink actions 0)> override_interval int
(config vpn openvpn client openvpn_client1 surelink actions 0)>

f. Set the type of recovery action. If multiple recovery actions are configured, they are
performed in the order that they are listed. The command varies depending on whether
the interface is a WAN or WWAN:
n WAN interfaces:

(config vpn openvpn client openvpn_client1 surelink actions 0)> action value
(config vpn openvpn client openvpn_client1 surelink actions 0)>

n WWAN interfaces:

(config vpn openvpn client openvpn_client1 surelink actions 0)> modem_action value
(config vpn openvpn client openvpn_client1 surelink actions 0)>

where value is one of:


n update_routing_table: Increases the interface's metric to change the default
gateway.
If update_routing_table is selected, complete the following:
l Set the number of failures for this recovery action to perform, before moving to
the next recovery action:


(config vpn openvpn client openvpn_client1 surelink actions 0)> test_failures int
(config vpn openvpn client openvpn_client1 surelink actions 0)>

The default is 3.
l Set the amount that the interface's metric should be increased. This should be
set to a number large enough to change the routing table to use another
default gateway.

(config vpn openvpn client openvpn_client1 surelink actions 0)> metric_adjustment_modem int
(config vpn openvpn client openvpn_client1 surelink actions 0)>

The default is 100.


l Set the time to wait before the next test is run. If set to the default value of 0s,
the test interval is used.

(config vpn openvpn client openvpn_client1 surelink actions 0)> override_interval int
(config vpn openvpn client openvpn_client1 surelink actions 0)>

n restart_interface.
If restart_interface is selected, complete the following:
l Set the number of failures for this recovery action to perform, before moving to
the next recovery action:

(config vpn openvpn client openvpn_client1 surelink actions 0)> test_failures int
(config vpn openvpn client openvpn_client1 surelink actions 0)>

The default is 3.
l Set the time to wait before the next test is run. If set to the default value of 0s,
the test interval is used.

(config vpn openvpn client openvpn_client1 surelink actions 0)> override_interval int
(config vpn openvpn client openvpn_client1 surelink actions 0)>

n reset_modem: This recovery action is available for WWAN interfaces only.


If reset_modem is selected, complete the following:
l Set the number of failures for this recovery action to perform, before moving to
the next recovery action:


(config vpn openvpn client openvpn_client1 surelink actions 0)> test_failures int
(config vpn openvpn client openvpn_client1 surelink actions 0)>

The default is 3.
l Set the time to wait before the next test is run. If set to the default value of 0s,
the test interval is used.

(config vpn openvpn client openvpn_client1 surelink actions 0)> override_interval int
(config vpn openvpn client openvpn_client1 surelink actions 0)>

n switch_sim: Switches to an alternate SIM. This recovery action is available for
WWAN interfaces only.
If switch_sim is selected, complete the following:
l Set the number of failures for this recovery action to perform, before moving to
the next recovery action:

(config vpn openvpn client openvpn_client1 surelink actions 0)> test_failures int
(config vpn openvpn client openvpn_client1 surelink actions 0)>

The default is 3.
l Set the time to wait before the next test is run. If set to the default value of 0s,
the test interval is used.

(config vpn openvpn client openvpn_client1 surelink actions 0)> override_interval int
(config vpn openvpn client openvpn_client1 surelink actions 0)>

n modem_power_cycle: This recovery action is available for WWAN interfaces only.


If modem_power_cycle is selected, complete the following:
l Set the number of failures for this recovery action to perform, before moving to
the next recovery action:

(config vpn openvpn client openvpn_client1 surelink actions 0)> test_failures int
(config vpn openvpn client openvpn_client1 surelink actions 0)>

The default is 3.
l Set the time to wait before the next test is run. If set to the default value of 0s,
the test interval is used.


(config vpn openvpn client openvpn_client1 surelink actions 0)> override_interval int
(config vpn openvpn client openvpn_client1 surelink actions 0)>

n reboot_device.
If reboot_device is selected, complete the following:
l Set the number of failures for this recovery action to perform, before moving to
the next recovery action:

(config vpn openvpn client openvpn_client1 surelink actions 0)> test_failures int
(config vpn openvpn client openvpn_client1 surelink actions 0)>

The default is 3.
l Set the time to wait before the next test is run. If set to the default value of 0s,
the test interval is used.

(config vpn openvpn client openvpn_client1 surelink actions 0)> override_interval int
(config vpn openvpn client openvpn_client1 surelink actions 0)>

n custom_action: Execute custom recovery commands.


If custom_action is selected, complete the following:
l Set the number of failures for this recovery action to perform, before moving to
the next recovery action:

(config vpn openvpn client openvpn_client1 surelink actions 0)> test_failures int
(config vpn openvpn client openvpn_client1 surelink actions 0)>

The default is 3.
l Set the commands to run to attempt to recover connectivity.

(config network interface my_wan surelink actions 0)> custom_action_commands_modem "string"
(config network interface my_wan surelink actions 0)>

l Set the time to wait before the next test is run. If set to the default value of 0s,
the test interval is used.

(config vpn openvpn client openvpn_client1 surelink actions 0)> override_interval int
(config vpn openvpn client openvpn_client1 surelink actions 0)>

g. Repeat for each additional recovery action.


7. Optional SureLink configuration parameters:


a. Type ... to return to the root of the configuration:

(config vpn openvpn client openvpn_client1 surelink actions 0)> ...


(config)>

b. Set the test interval between connectivity tests:

(config)> vpn openvpn client openvpn_client1 surelink interval value


(config)>

where value is any number of weeks, days, hours, minutes, or seconds, and takes the
format number{w|d|h|m|s}.
For example, to set interval to ten minutes, enter either 10m or 600s:

(config)> vpn openvpn client openvpn_client1 surelink interval 600s


(config)>

The default is 15m.


c. If more than one test target is configured, set the success condition:

(config)> vpn openvpn client openvpn_client1 surelink success_condition value
(config)>

where value is either:


n one: Only one test needs to pass for SureLink to consider an interface to be up.
n all: All tests need to pass for SureLink to consider the interface to be up.
d. Set the number of times that the test must pass after failure, before the interface is
determined to be working and is reinstated.

(config)> vpn openvpn client openvpn_client1 surelink pass_threshold int
(config)>

The default is 1.
e. Set the amount of time that the device should wait for a response to a test attempt before
considering it to have failed:

(config)> vpn openvpn client openvpn_client1 surelink timeout value


(config)>

where value is any number of weeks, days, hours, minutes, or seconds, and takes the
format number{w|d|h|m|s}.
For example, to set timeout to ten minutes, enter either 10m or 600s:

(config)> vpn openvpn client openvpn_client1 surelink timeout 600s


(config)>

The default is 15s.


f. Set the amount of time to wait while the device is starting before SureLink testing begins.
This setting is bypassed when the interface is determined to be up.

(config)> vpn openvpn client openvpn_client1 surelink advanced delayed_start value
(config)>

where value is any number of weeks, days, hours, minutes, or seconds, and takes the
format number{w|d|h|m|s}.
For example, to set delayed_start to ten minutes, enter either 10m or 600s:

(config)> vpn openvpn client openvpn_client1 surelink advanced delayed_start 600s
(config)>

The default is 300s.


g. Set the time to add to the test interval when restarting the list of actions. This option is
capped at 15 minutes.

(config)> vpn openvpn client openvpn_client1 surelink advanced backoff_interval value
(config)>

where value is any number of weeks, days, hours, minutes, or seconds, and takes the
format number{w|d|h|m|s}.
For example, to set backoff_interval to ten minutes, enter either 10m or 600s:

(config)> vpn openvpn client openvpn_client1 surelink advanced backoff_interval 600s
(config)>

The default is 300 seconds.


h. The interface_gateway parameter is used by the Interface gateway Ping test as the
endpoint for traceroute to use to determine the interface gateway. The default is 8.8.8.8,
and should only be changed if this IP address is not accessible due to networking issues.
To set to an alternate host:

(config)> vpn openvpn client openvpn_client1 surelink advanced interface_gateway hostname/IP_address
(config)>

8. Save the configuration and apply the change.

(config vpn openvpn client openvpn_client1 connection_monitor target 0)> save
Configuration saved.
>

9. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.


See Show SureLink status and statistics for information about showing SureLink status for OpenVPN
clients.
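
As an added example (not part of the Digi guide and not Digi's own tooling), the Python sketch below builds the config-mode lines from the command-line steps above out of a declarative description, and rejects values the guide rules out before anything is typed on a device. The spec layout, function names, labels and the 10.8.0.1 address are assumptions made for illustration; only CLI keywords shown in this guide are emitted.

```python
import re

# Duration syntax from the guide: number{w|d|h|m|s} (assumed: one number, one unit).
UNITS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}
BACKOFF_CAP = 15 * 60  # the guide caps backoff_interval at 15 minutes
TEST_PARAMS = {  # parameters the guide says to complete for each test type
    "ping": ["ping_method"], "dns": ["dns_server"], "http": ["http"],
    "dns_configured": [], "custom_test": ["custom_test_commands"],
    "interface_up": ["interface_down_time", "interface_timeout"],
    "tcp_connection": ["tcp_host", "tcp_port"],
    "other": ["other_interface", "other_ip_version", "other_status"],
}
ENUMS = {
    "ping_method": {"hostname", "interface_gateway", "interface_address", "interface_dns"},
    "other_ip_version": {"any", "both", "ipv4", "ipv6"},
    "other_status": {"up", "down"}, "success_condition": {"one", "all"},
}
DURATIONS = {"interval", "timeout", "interface_down_time", "interface_timeout",
             "delayed_start", "backoff_interval"}
INTS = {"pass_threshold", "test_failures", "tcp_port"}
# custom_action is left out: the guide shows its command parameter only at a
# network interface prompt, so this sketch does not guess the OpenVPN form.
ACTIONS = {"update_routing_table", "restart_interface", "reboot_device"}
WWAN_ONLY = {"reset_modem", "switch_sim", "modem_power_cycle"}  # assumed N/A for a VPN client


def duration_seconds(text):
    """Convert number{w|d|h|m|s} to seconds, rejecting anything else."""
    m = re.fullmatch(r"([0-9]+)([wdhms])", str(text))
    if not m:
        raise ValueError(f"bad duration {text!r}: expected number{{w|d|h|m|s}}")
    return int(m.group(1)) * UNITS[m.group(2)]


def cli_value(key, value):
    """Validate one parameter by name and return it as a single CLI argument."""
    s = str(value)
    quoted = key.endswith("_commands")  # the guide quotes command strings
    # Control characters or quotes could smuggle extra CLI input into the session.
    if not s or re.search(r'[\x00-\x1f"]', s) or (not quoted and " " in s):
        raise ValueError(f"unsafe value for {key}: {s!r}")
    if key in DURATIONS and duration_seconds(s) > BACKOFF_CAP and key == "backoff_interval":
        raise ValueError("backoff_interval is capped at 15 minutes")
    if key in ENUMS and s not in ENUMS[key]:
        raise ValueError(f"{key} must be one of {sorted(ENUMS[key])}")
    if key in INTS and (not s.isdecimal() or (key == "tcp_port" and not 1 <= int(s) <= 65535)):
        raise ValueError(f"{key} must be an integer in the allowed range")
    return f'"{s}"' if quoted else s


def build_commands(client, spec):
    """Return the config-mode lines for one OpenVPN client's SureLink settings."""
    base = f"vpn openvpn client {cli_value('client', client)} surelink"
    out = [f"{base} enable true"]
    for test in spec.get("tests", []):
        kind = test["test"]
        if kind not in TEST_PARAMS:
            raise ValueError(f"unknown test type {kind!r}")
        required = list(TEST_PARAMS[kind])
        if kind == "ping" and test.get("ping_method") == "hostname":
            required.append("ping_host")
        missing = [k for k in required if k not in test]
        if missing:
            raise ValueError(f"{kind} test is missing {missing}")
        # "add ... end" moves the prompt into the new node; "..." returns to the root.
        out += [f"add {base} tests end", f"label {cli_value('label', test['label'])}",
                f"test {kind}"]
        out += [f"{k} {cli_value(k, test[k])}" for k in required]
        out.append("...")
    for act in spec.get("actions", []):
        kind = act["action"]
        if kind not in ACTIONS:
            hint = " (WWAN interfaces only)" if kind in WWAN_ONLY else ""
            raise ValueError(f"unsupported recovery action {kind!r}{hint}")
        out += [f"add {base} actions end", f"label {cli_value('label', act['label'])}",
                f"action {kind}",  # test_failures defaults to 3 in the guide
                f"test_failures {cli_value('test_failures', act.get('test_failures', 3))}", "..."]
    for key in ("interval", "success_condition", "pass_threshold", "timeout",
                "advanced delayed_start", "advanced backoff_interval"):
        name = key.split()[-1]
        if name in spec:
            out.append(f"{base} {key} {cli_value(name, spec[name])}")
    return out + ["save"]


SAMPLE = {  # constructed sample; labels and the 10.8.0.1 address are placeholders
    "interval": "5m", "success_condition": "all", "pass_threshold": 2, "backoff_interval": "10m",
    "tests": [
        {"label": "peer_tcp", "test": "tcp_connection", "tcp_host": "10.8.0.1", "tcp_port": 443},
        {"label": "peer_ping", "test": "ping", "ping_method": "hostname", "ping_host": "10.8.0.1"},
    ],
    "actions": [
        {"label": "restart_tunnel", "action": "restart_interface"},
        {"label": "last_resort", "action": "reboot_device", "test_failures": 6},
    ],
}

if __name__ == "__main__":
    print("\n".join(build_commands("openvpn_client1", SAMPLE)))
```

The generated lines are meant to be entered after typing config at the Admin CLI prompt, starting from the root of the configuration.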

Show OpenVPN server status and statistics


You can view status and statistics for OpenVPN servers from either the web interface or the command
line:

 Web
Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
1. On the menu, select Status > OpenVPN > Servers.
The OpenVPN Servers page appears.
2. To view configuration details about an OpenVPN server, click the  (configuration) icon in the
upper right of the OpenVPN server's status pane.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. To display details about all configured OpenVPN servers, type the following at the prompt:

> show openvpn server all

Server          Enable Type Zone     IP Address      Port
--------------- ------ ---- -------- --------------- ----
OpenVPN_server1 true   tun  internal 192.168.30.1/24 1194
OpenVPN_server2 false  tun  internal 192.168.40.1/24 1194

>

3. To display details about a specific server:

> show openvpn server name OpenVPN_server1

Server : OpenVPN_server1
Enable : true
Type : tun
Zone : internal
IP Address : 192.168.30.1/24
Port : 1194
Use File : true
Metric : 0
Protocol : udp
First IP : 80
Last IP : 99

>


4. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Show OpenVPN client status and statistics


You can view status and statistics for OpenVPN clients from either the web interface or the command line:

 Web
Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
1. On the menu, select Status > OpenVPN > Clients.
The OpenVPN Clients page appears.
2. To view configuration details about an OpenVPN client, click the  (configuration) icon in the
upper right of the OpenVPN client's status pane.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. To display details about all configured OpenVPN clients, type the following at the prompt:

> show openvpn client all

Client          Enable Status    Username Use File Zone
--------------- ------ -------   -------- -------- --------
OpenVPN_Client1 true   connected          true     internal
OpenVPN_Client2 true   pending            true     internal

>

3. To display details about a specific client:

> show openvpn client name OpenVPN_client1

Client : OpenVPN_client1
Enable : true
Status : up
Username : user1
IP address : 123.122.121.120
Remote : 120.121.122.123
MTU : 1492
Zone : internal
IP Address : 192.168.30.1/24
Port : 1194
Use File : true
Metric : 0
Protocol : udp
Port : 1194
Type : tun

>

4. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.



Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE)

Generic Routing Encapsulation (GRE)


Generic Routing Encapsulation (GRE) is an IP packet encapsulation protocol that allows networks
and routes to be advertised from one network device to another. You can use GRE to encapsulate a
wide variety of network layer protocols inside virtual point-to-point links over an IP network.

Configuring a GRE tunnel


Configuring a GRE tunnel involves the following items:

Required configuration items


n A GRE loopback endpoint interface.
n GRE tunnel configuration:
l Enable the GRE tunnel.
The GRE tunnels are enabled by default.
l The local endpoint interface.
l The IP address of the remote device/peer.

Additional configuration items


- A GRE key.
- Enable the device to respond to keepalive packets.

Task One: Create a GRE loopback endpoint interface

 Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:

a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Network > Interfaces.
4. For Add Interface, type a name for the GRE loopback endpoint interface and click .
5. Enable the interface.
New interfaces are enabled by default. To disable, toggle off Enable.
6. For Interface type, select Ethernet.
7. For Zone, select Internal.
8. For Device, select Ethernet: Loopback.
9. Click to expand IPv4.
10. For Address, enter the IP address and subnet mask of the local GRE endpoint, for example
10.10.1.1/24.
11. Click Apply to save the configuration and apply the change.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Add the GRE endpoint interface. For example, to add an interface named gre_interface:

(config)> add network interface gre_interface


(config network interface gre_interface)>

4. Set the interface zone to internal:

(config network interface gre_interface)> zone internal


(config network interface gre_interface)>

5. Set the interface device to loopback:

(config network interface gre_interface)> device /network/device/loopback


(config network interface gre_interface)>

6. Set the IP address and subnet mask of the local GRE endpoint. For example, to set the local
GRE endpoint's IP address and subnet mask to 10.10.1.1/24:

(config network interface gre_interface)> ipv4 address 10.10.1.1/24


(config network interface gre_interface)>

7. Save the configuration and apply the change.

(config network interface gre_interface)> save


Configuration saved.
>

8. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Task Two: Configure the GRE tunnel

 Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click VPN > IP Tunnels.
4. For Add IP tunnel, type a name for the GRE tunnel and click .
5. Enable the tunnel.
New tunnels are enabled by default. To disable, toggle off Enable.
6. For Mode, select one of the following options:
   - GRE: Standard GRE point-to-point protocol.
   - mGRE: multipoint GRE protocol.
   - GRETAP: Ethernet over GRE.
7. For Local endpoint, select the GRE endpoint interface created in Task One.

8. If GRE is selected for the Mode, for Remote endpoint, type the IP address of the GRE endpoint
on the remote peer.
9. If GRETAP is selected for Mode, for Local endpoint, select the interface.
10. (Optional) For Key, enter a key that will be inserted in GRE packets created by this tunnel. It
must match the key set by the remote endpoint. Allowed value is an integer between 0 and
4294967295, or an IP address.
11. (Optional) Enable keepalive reply to enable the device to reply to Cisco GRE keepalive
packets.
12. (Optional) Enable open routing to enable packets destined for an address which is not
explicitly in the routing table to exit the IP tunnel.
13. Click Apply to save the configuration and apply the change.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Add the GRE endpoint tunnel. For example, to add a tunnel named gre_example:

(config)> add vpn iptunnel gre_example


(config vpn iptunnel gre_example)>

GRE tunnels are enabled by default. To disable:

(config vpn iptunnel gre_example)> enable false


(config vpn iptunnel gre_example)>

4. Set the mode:

(config vpn iptunnel gre_example)> type value


(config vpn iptunnel gre_example)>

where value is one of:

- gre: Standard GRE point-to-point protocol.
- mgre: multipoint GRE protocol.
- GRETAP: Ethernet over GRE.
5. Set the local endpoint to the GRE endpoint interface created in Task One, for example:

(config vpn iptunnel gre_example)> local /network/interface/gre_interface


(config vpn iptunnel gre_example)>

6. If type is set to gre, set the IP address of the GRE endpoint on the remote peer:

(config vpn iptunnel gre_example)> remote ip_address


(config vpn iptunnel gre_example)>

7. (Optional) Set a key that will be inserted in GRE packets created by this tunnel.
The key must match the key set by the remote endpoint.

(config vpn iptunnel gre_example)> key value


(config vpn iptunnel gre_example)>

where value is an integer between 0 and 4294967295, or an IP address.


8. (Optional) Enable the device to reply to Cisco GRE keepalive packets:

(config vpn iptunnel gre_example)> keepalive true


(config vpn iptunnel gre_example)>

9. (Optional) Enable the device to allow packets destined for an address which is not explicitly in
the routing table to exit the IP tunnel:

(config vpn iptunnel gre_example)> open_routing true


(config vpn iptunnel gre_example)>

10. Save the configuration and apply the change.

(config vpn iptunnel gre_example)> save


Configuration saved.
>

11. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
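
The optional key set in the procedure above is carried in clear text in the 4-byte Key field of the GRE header (RFC 2890), so it separates tunnels rather than authenticating them. The following Python sketch is an added example, not Digi code: it maps both accepted key forms (integer or IP address) to one 32-bit value, builds and parses a keyed header, and models the rule that the key must match the remote endpoint. The function names and the dotted-quad-to-integer mapping are assumptions of the example.

```python
import ipaddress
import struct

GRE_FLAG_CHECKSUM = 0x8000  # C bit: checksum and reserved words follow
GRE_FLAG_KEY = 0x2000       # K bit: 4-byte Key field follows (RFC 2890)
GRE_FLAG_SEQUENCE = 0x1000  # S bit: 4-byte Sequence Number follows
GRE_VERSION_MASK = 0x0007   # version bits, must be 0 for standard GRE
ETHERTYPE_IPV4 = 0x0800


def normalize_key(value):
    """Return the 32-bit key for an integer or dotted-quad key setting."""
    text = str(value).strip()
    if text.isdigit():
        key = int(text)
    else:
        # Assumption: a dotted-quad key is the big-endian 32-bit number,
        # so 1.1.1.1 and 16843009 name the same key.
        key = int(ipaddress.IPv4Address(text))
    if key > 0xFFFFFFFF:
        raise ValueError(f"GRE key out of range: {value!r}")
    return key


def build_gre_header(key=None, protocol=ETHERTYPE_IPV4):
    """Build a version-0 GRE header, with the Key field when key is set."""
    if key is None:
        return struct.pack("!HH", 0, protocol)
    return struct.pack("!HHI", GRE_FLAG_KEY, protocol, normalize_key(key))


def parse_gre_header(data):
    """Parse a GRE header and return its protocol, key and header length."""
    if len(data) < 4:
        raise ValueError("truncated GRE header")
    flags, protocol = struct.unpack_from("!HH", data, 0)
    if flags & GRE_VERSION_MASK:
        raise ValueError("not a version-0 GRE header")
    offset = 4
    if flags & GRE_FLAG_CHECKSUM:
        offset += 4  # skip checksum (2 bytes) and reserved1 (2 bytes)
    key = None
    if flags & GRE_FLAG_KEY:
        if len(data) < offset + 4:
            raise ValueError("K bit set but Key field is missing")
        (key,) = struct.unpack_from("!I", data, offset)
        offset += 4
    if flags & GRE_FLAG_SEQUENCE:
        offset += 4
    if len(data) < offset:
        raise ValueError("truncated GRE header")
    return {"protocol": protocol, "key": key, "header_len": offset}


def key_matches(local_key, packet):
    """Model the rule that both endpoints must use the same key.

    A keyed tunnel accepts only packets carrying that key; an unkeyed
    tunnel accepts only packets without a Key field.
    """
    expected = None if local_key is None else normalize_key(local_key)
    return parse_gre_header(packet)["key"] == expected


if __name__ == "__main__":
    # Constructed sample: a keyed header as the remote peer would send it.
    packet = build_gre_header(key="1.1.1.1")
    print(packet.hex(), parse_gre_header(packet))
    print("same key, integer form:", key_matches(16843009, packet))
    print("different key:", key_matches(2, packet))
```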

Show GRE tunnels


To view information about currently configured GRE tunnels:

 Web
Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
1. On the menu, click Status > IP tunnels.
The IP Tunnels page appears.
2. To view configuration details about a GRE tunnel, click the configuration icon in the upper
right of the tunnel's status pane.

Example: GRE tunnel over an IPsec tunnel


The Connect EZ 16/32 device can be configured to advertise a set of routes through an IPsec
tunnel. This allows you to leverage the dynamic route advertisement of GRE tunnels through a
secured IPsec tunnel.

The example configuration provides instructions for configuring the Connect EZ 16/32 device with a
GRE tunnel through IPsec.

Connect EZ 16/32-1 configuration tasks

1. Create an IPsec tunnel named ipsec_gre1 with:


   - A pre-shared key.
   - Remote endpoint set to the public IP address of the Connect EZ 16/32-2 device.
   - A policy with:
     - Local network set to the IP address and subnet of the local GRE tunnel,
       172.30.0.1/32.
     - Remote network set to the IP address and subnet of the remote GRE tunnel,
       172.30.0.2/32.
2. Create an IPsec endpoint interface named ipsec_endpoint1:
a. Zone set to Internal.
b. Device set to Ethernet: Loopback.
c. IPv4 Address set to the IP address of the local GRE tunnel, 172.30.0.1/32.
3. Create a GRE tunnel named gre_tunnel1:
a. Local endpoint set to the IPsec endpoint interface, Interface: ipsec_endpoint1.
b. Remote endpoint set to the IP address of the GRE tunnel on Connect EZ 16/32-2,
172.30.0.2.
4. Create an interface named gre_interface1 and add it to the GRE tunnel:
a. Zone set to Internal.
b. Device set to IP tunnel: gre_tunnel1.
c. IPv4 Address set to a virtual IP address on the GRE tunnel, 172.31.0.1/30.

Connect EZ 16/32-2 configuration tasks

1. Create an IPsec tunnel named ipsec_gre2 with:


   - The same pre-shared key as the ipsec_gre1 tunnel on Connect EZ 16/32-1.
   - Remote endpoint set to the public IP address of Connect EZ 16/32-1.
   - A policy with:
     - Local network set to the IP address and subnet of the local GRE tunnel,
       172.30.0.2/32.
     - Remote network set to the IP address of the remote GRE tunnel, 172.30.0.1/32.
2. Create an IPsec endpoint interface named ipsec_endpoint2:
a. Zone set to Internal.
b. Device set to Ethernet: Loopback.
c. IPv4 Address set to the IP address of the local GRE tunnel, 172.30.0.2/32.

3. Create a GRE tunnel named gre_tunnel2:


a. Local endpoint set to the IPsec endpoint interface, Interface: ipsec_endpoint2.
b. Remote endpoint set to the IP address of the GRE tunnel on Connect EZ 16/32-1,
172.30.0.1.
4. Create an interface named gre_interface2 and add it to the GRE tunnel:
a. Zone set to Internal.
b. Device set to IP tunnel: gre_tunnel2.
c. IPv4 Address set to a virtual IP address on the GRE tunnel, 172.31.0.2/30.
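
The two task lists mirror each other: each device's IPsec policy, loopback endpoint and GRE remote endpoint must line up with the other's, otherwise the GRE packets fall outside the IPsec policy. The following Python check is an added example, not part of the Digi guide or firmware; it uses the addresses from the lists above, and the dictionary field names are labels invented for the example.

```python
import ipaddress

# Values transcribed from the task lists above. The dictionary field names are
# labels chosen for this example, not Connect EZ configuration settings.
DEVICE_1 = {
    "psk": "testkey",
    "policy_local": "172.30.0.1/32",
    "policy_remote": "172.30.0.2/32",
    "endpoint_addr": "172.30.0.1/32",
    "gre_remote": "172.30.0.2",
    "gre_if_addr": "172.31.0.1/30",
}
DEVICE_2 = {
    "psk": "testkey",
    "policy_local": "172.30.0.2/32",
    "policy_remote": "172.30.0.1/32",
    "endpoint_addr": "172.30.0.2/32",
    "gre_remote": "172.30.0.1",
    "gre_if_addr": "172.31.0.2/30",
}


def check_pair(dev_a, dev_b, name_a="device 1", name_b="device 2"):
    """Return a list of inconsistencies between the two planned configurations."""
    problems = []
    if dev_a["psk"] != dev_b["psk"]:
        problems.append("pre-shared keys differ")

    for me, peer, me_name, peer_name in (
        (dev_a, dev_b, name_a, name_b),
        (dev_b, dev_a, name_b, name_a),
    ):
        local = ipaddress.ip_network(me["policy_local"], strict=False)
        remote = ipaddress.ip_network(me["policy_remote"], strict=False)
        endpoint = ipaddress.ip_interface(me["endpoint_addr"])
        peer_local = ipaddress.ip_network(peer["policy_local"], strict=False)
        peer_endpoint = ipaddress.ip_interface(peer["endpoint_addr"])

        # The policy's local network is the /32 loopback that sources GRE.
        if local.prefixlen != 32 or endpoint.network != local:
            problems.append(
                f"{me_name}: policy local network {local} is not the "
                f"IPsec endpoint interface address {endpoint}"
            )
        # Each side's remote network must be the other side's local network.
        if remote != peer_local:
            problems.append(
                f"{me_name}: policy remote network {remote} does not mirror "
                f"{peer_name}'s local network {peer_local}"
            )
        # GRE must be sent to the peer's loopback; any other destination is
        # not selected by the IPsec policy.
        if ipaddress.ip_address(me["gre_remote"]) != peer_endpoint.ip:
            problems.append(
                f"{me_name}: GRE remote endpoint {me['gre_remote']} is not "
                f"{peer_name}'s IPsec endpoint address {peer_endpoint.ip}"
            )

    # The virtual addresses on the GRE interfaces share one point-to-point subnet.
    a_if = ipaddress.ip_interface(dev_a["gre_if_addr"])
    b_if = ipaddress.ip_interface(dev_b["gre_if_addr"])
    if a_if.network != b_if.network:
        problems.append("GRE interface addresses are not in the same subnet")
    elif a_if.ip == b_if.ip:
        problems.append("GRE interface addresses are identical")
    return problems


if __name__ == "__main__":
    for line in check_pair(DEVICE_1, DEVICE_2) or ["configurations are consistent"]:
        print(line)
```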

Configuration procedures

Configure the Connect EZ 16/32-1 device


Task one: Create an IPsec tunnel
 Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click VPN > IPsec > Tunnels.
4. For Add IPsec Tunnel, type ipsec_gre1 and click .

5. Click to expand Authentication.

6. For Pre-shared key, type testkey.

7. Click to expand Remote endpoint.


8. For Hostname, type the public IP address of the Connect EZ 16/32-2 device.

9. Click to expand Policies.


10. For Add Policy, click  to add a new policy.

11. Click to expand Local network.


12. For Type, select Custom network.
13. For Address, type the IP address and subnet of the local GRE tunnel, 172.30.0.1/32.
14. For Remote network, type the IP address and subnet of the remote GRE tunnel,
172.30.0.2/32.

15. Click Apply to save the configuration and apply the change.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Add an IPsec tunnel named ipsec_gre1:

(config)> add vpn ipsec tunnel ipsec_gre1


(config vpn ipsec tunnel ipsec_gre1)>

4. Set the pre-shared key to testkey:

(config vpn ipsec tunnel ipsec_gre1)> auth secret testkey


(config vpn ipsec tunnel ipsec_gre1)>

5. Set the remote endpoint to the public IP address of the Connect EZ 16/32-2 device:

(config vpn ipsec tunnel ipsec_gre1)> remote hostname 192.168.101.1


(config vpn ipsec tunnel ipsec_gre1)>

6. Add a policy:

(config vpn ipsec tunnel ipsec_gre1)> add policy end


(config vpn ipsec tunnel ipsec_gre1 policy 0)>

7. Set the local network policy type to custom:

(config vpn ipsec tunnel ipsec_gre1 policy 0)> local type custom
(config vpn ipsec tunnel ipsec_gre1 policy 0)>

8. Set the local network address to the IP address and subnet of the local GRE tunnel,
172.30.0.1/32:

(config vpn ipsec tunnel ipsec_gre1 policy 0)> local custom 172.30.0.1/32
(config vpn ipsec tunnel ipsec_gre1 policy 0)>

9. Set the remote network address to the IP address and subnet of the remote GRE tunnel,
172.30.0.2/32:

(config vpn ipsec tunnel ipsec_gre1 policy 0)> remote network 172.30.0.2/32
(config vpn ipsec tunnel ipsec_gre1 policy 0)>

10. Save the configuration and apply the change.

(config vpn ipsec tunnel ipsec_gre1 policy 0)> save


Configuration saved.
>

Task two: Create an IPsec endpoint interface


 Web
1. Click Network > Interfaces.
2. For Add Interface, type ipsec_endpoint1 and click .

3. For Zone, select Internal.


4. For Device, select Ethernet: loopback.

5. Click to expand IPv4.


6. For Address, type the IP address of the local GRE tunnel, 172.30.0.1/32.

7. Click Apply to save the configuration and apply the change.

 Command line
1. At the command line, type config to enter configuration mode:

> config
(config)>

2. Add an interface named ipsec_endpoint1:

(config)> add network interface ipsec_endpoint1


(config network interface ipsec_endpoint1)>

3. Set the zone to internal:

(config network interface ipsec_endpoint1)> zone internal


(config network interface ipsec_endpoint1)>

4. Set the device to /network/device/loopback:

(config network interface ipsec_endpoint1)> device /network/device/loopback
(config network interface ipsec_endpoint1)>

5. Set the IPv4 address to the IP address of the local GRE tunnel, 172.30.0.1/32:

(config network interface ipsec_endpoint1)> ipv4 address 172.30.0.1/32


(config network interface ipsec_endpoint1)>

6. Save the configuration and apply the change.

(config network interface ipsec_endpoint1)> save


Configuration saved.
>

Task three: Create a GRE tunnel


 Web
1. Click VPN > IP Tunnels.
2. For Add IP Tunnel, type gre_tunnel1 and click .

3. For Local endpoint, select the IPsec endpoint interface created in Task two (Interface:
ipsec_endpoint1).
4. For Remote endpoint, type the IP address of the GRE tunnel on Connect EZ 16/32-2,
172.30.0.2.

5. Click Apply to save the configuration and apply the change.

 Command line
1. At the command line, type config to enter configuration mode:

> config
(config)>

2. Add a GRE tunnel named gre_tunnel1:

(config)> add vpn iptunnel gre_tunnel1


(config vpn iptunnel gre_tunnel1)>

3. Set the local endpoint to the IPsec endpoint interface created in Task two
(/network/interface/ipsec_endpoint1):

(config vpn iptunnel gre_tunnel1)> local /network/interface/ipsec_endpoint1
(config vpn iptunnel gre_tunnel1)>

4. Set the remote endpoint to the IP address of the GRE tunnel on Connect EZ 16/32-2,
172.30.0.2:

(config vpn iptunnel gre_tunnel1)> remote 172.30.0.2


(config vpn iptunnel gre_tunnel1)>

5. Save the configuration and apply the change.

(config vpn iptunnel gre_tunnel1)> save


Configuration saved.
>

Task four: Create an interface for the GRE tunnel device


 Web
1. Click Network > Interfaces.
2. For Add Interface, type gre_interface1 and click .

3. For Zone, select Internal.


4. For Device, select the GRE tunnel created in Task three (IP tunnel: gre_tunnel1).

5. Click to expand IPv4.


6. For Address, type 172.31.0.1/30 for a virtual IP address on the GRE tunnel.

7. Click Apply to save the configuration and apply the change.

 Command line
1. At the command line, type config to enter configuration mode:

> config
(config)>

2. Add an interface named gre_interface1:

(config)> add network interface gre_interface1


(config network interface gre_interface1)>

3. Set the zone to internal:

(config network interface gre_interface1)> zone internal


(config network interface gre_interface1)>

4. Set the device to the GRE tunnel created in Task three (/vpn/iptunnel/gre_tunnel1):

(config network interface gre_interface1)> device /vpn/iptunnel/gre_tunnel1
(config network interface gre_interface1)>

5. Set 172.31.0.1/30 as the virtual IP address on the GRE tunnel:

(config network interface gre_interface1)> ipv4 address 172.31.0.1/30


(config network interface gre_interface1)>

6. Save the configuration and apply the change.

(config network interface gre_interface1)> save


Configuration saved.
>

7. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Configure the Connect EZ 16/32-2 device


Task one: Create an IPsec tunnel
 Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click VPN > IPsec > Tunnels.
4. For Add IPsec Tunnel, type ipsec_gre2 and click .

5. Click to expand Authentication.


6. For Pre-shared key, type the same pre-shared key that was configured for the Connect EZ
16/32-1 (testkey).

7. Click to expand Remote endpoint.


8. For Hostname, type the public IP address of the Connect EZ 16/32-1 device.

9. Click to expand Policies.


10. For Add Policy, click  to add a new policy.

11. Click to expand Local network.


12. For Type, select Custom network.
13. For Address, type the IP address and subnet of the local GRE tunnel, 172.30.0.2/32.
14. For Remote network, type the IP address and subnet of the remote GRE tunnel,
172.30.0.1/32.

15. Click Apply to save the configuration and apply the change.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Add an IPsec tunnel named ipsec_gre2:

(config)> add vpn ipsec tunnel ipsec_gre2


(config vpn ipsec tunnel ipsec_gre2)>

4. Set the pre-shared key to the same pre-shared key that was configured for the Connect EZ
16/32-1 (testkey):

(config vpn ipsec tunnel ipsec_gre2)> auth secret testkey


(config vpn ipsec tunnel ipsec_gre2)>

5. Set the remote endpoint to the public IP address of the Connect EZ 16/32-1 device:

(config vpn ipsec tunnel ipsec_gre2)> remote hostname 192.168.100.1


(config vpn ipsec tunnel ipsec_gre2)>

6. Add a policy:

(config vpn ipsec tunnel ipsec_gre2)> add policy end


(config vpn ipsec tunnel ipsec_gre2 policy 0)>

7. Set the local network policy type to custom:

(config vpn ipsec tunnel ipsec_gre2 policy 0)> local type custom
(config vpn ipsec tunnel ipsec_gre2 policy 0)>

8. Set the local network address to the IP address and subnet of the local GRE tunnel,
172.30.0.2/32:

(config vpn ipsec tunnel ipsec_gre2 policy 0)> local custom 172.30.0.2/32
(config vpn ipsec tunnel ipsec_gre2 policy 0)>

9. Set the remote network address to the IP address and subnet of the remote GRE tunnel,
172.30.0.1/32:

(config vpn ipsec tunnel ipsec_gre2 policy 0)> remote network 172.30.0.1/32
(config vpn ipsec tunnel ipsec_gre2 policy 0)>

10. Save the configuration and apply the change.

(config vpn ipsec tunnel ipsec_gre2 policy 0)> save


Configuration saved.
>

Task two: Create an IPsec endpoint interface


 Web
1. Click Network > Interfaces.
2. For Add Interface, type ipsec_endpoint2 and click .

3. For Zone, select Internal.


4. For Device, select Ethernet: loopback.

5. Click to expand IPv4.


6. For Address, type the IP address of the local GRE tunnel, 172.30.0.2/32.

7. Click Apply to save the configuration and apply the change.

 Command line

1. At the command line, type config to enter configuration mode:

> config
(config)>

2. Add an interface named ipsec_endpoint2:

(config)> add network interface ipsec_endpoint2


(config network interface ipsec_endpoint2)>

3. Set the zone to internal:

(config network interface ipsec_endpoint2)> zone internal


(config network interface ipsec_endpoint2)>

4. Set the device to /network/device/loopback:

(config network interface ipsec_endpoint2)> device /network/device/loopback
(config network interface ipsec_endpoint2)>

5. Set the IPv4 address to the IP address of the local GRE tunnel, 172.30.0.2/32:

(config network interface ipsec_endpoint2)> ipv4 address 172.30.0.2/32


(config network interface ipsec_endpoint2)>

6. Save the configuration and apply the change.

(config network interface ipsec_endpoint2)> save


Configuration saved.
>

Task three: Create a GRE tunnel


 Web
1. Click VPN > IP Tunnels.
2. For Add IP Tunnel, type gre_tunnel2 and click .

3. For Local endpoint, select the IPsec endpoint interface created in Task two (Interface:
ipsec_endpoint2).
4. For Remote endpoint, type the IP address of the GRE tunnel on Connect EZ 16/32-1,
172.30.0.1.

5. Click Apply to save the configuration and apply the change.

 Command line
1. At the command line, type config to enter configuration mode:

> config
(config)>

2. Add a GRE tunnel named gre_tunnel2:

(config)> add vpn iptunnel gre_tunnel2


(config vpn iptunnel gre_tunnel2)>

3. Set the local endpoint to the IPsec endpoint interface created in Task two
(/network/interface/ipsec_endpoint2):

(config vpn iptunnel gre_tunnel2)> local /network/interface/ipsec_endpoint2
(config vpn iptunnel gre_tunnel2)>

4. Set the remote endpoint to the IP address of the GRE tunnel on Connect EZ 16/32-1,
172.30.0.1:

(config vpn iptunnel gre_tunnel2)> remote 172.30.0.1


(config vpn iptunnel gre_tunnel2)>

5. Save the configuration and apply the change.

(config vpn iptunnel gre_tunnel2)> save


Configuration saved.
>

Task four: Create an interface for the GRE tunnel device


 Web

1. Click Network > Interfaces.


2. For Add Interface, type gre_interface2 and click .

3. For Zone, select Internal.


4. For Device, select the GRE tunnel created in Task three (IP tunnel: gre_tunnel2).

5. Click to expand IPv4.


6. For Address, type 172.31.0.2/30 for a virtual IP address on the GRE tunnel.

7. Click Apply to save the configuration and apply the change.

 Command line
1. At the command line, type config to enter configuration mode:

> config
(config)>

2. Add an interface named gre_interface2:

(config)> add network interface gre_interface2


(config network interface gre_interface2)>

3. Set the zone to internal:

(config network interface gre_interface2)> zone internal


(config network interface gre_interface2)>

4. Set the device to the GRE tunnel created in Task three (/vpn/iptunnel/gre_tunnel2):

(config network interface gre_interface2)> device /vpn/iptunnel/gre_tunnel2
(config network interface gre_interface2)>

5. Set 172.31.0.2/30 as the virtual IP address on the GRE tunnel:

(config network interface gre_interface2)> ipv4 address 172.31.0.2/30


(config network interface gre_interface2)>

6. Save the configuration and apply the change.

(config network interface gre_interface2)> save


Configuration saved.
>

7. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Dynamic Multipoint VPN (DMVPN)


Dynamic Multipoint Virtual Private Network (DMVPN) is a dynamic tunneling form of a virtual private
network (VPN), using a multi spoke-to-hub network in which the network addresses of the spoke
routers do not need to be known, and therefore do not need to be configured in the hub router.
One advantage to this form of VPN is a scalable network in which the size of the hub configuration is
minimized. When one spoke of the network needs to send traffic to another spoke, a direct transfer is
possible without having to add any load onto the hub. This is achieved by the creation of a dynamic
GRE tunnel directly to the other spoke. The network address of the target spoke is resolved with the
use of Next Hop Resolution Protocol (NHRP).
This section contains the following topics:

Configure a DMVPN spoke

Configure a DMVPN spoke


To configure a DMVPN spoke:

 Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Create an IP tunnel.
a. Click VPN > IP Tunnels.
b. In Add IP tunnel, type the name of the tunnel and click .

c. For Mode, select mGRE.


d. For Local endpoint, select the interface that will serve as the local endpoint of the tunnel.
e. For Key, type a four-octet value that matches the key on the remote endpoint.

f. (Optional) Enable keep-alive reply to enable the device to reply to Cisco GRE keep-alive
packets.
g. (Optional) Enable open routing to enable packets destined for an address which is not
explicitly in the routing table to exit the IP tunnel.
4. Assign an IP address to the IP tunnel:
a. Click Network > Interfaces.
b. For Add Interface, type a name for the interface and click .

c. For Zone, select Internal.


d. For Device, select the IP tunnel created above.
e. Click to expand IPv4.
f. For Address, type the IP address and netmask of the tunnel. The netmask must be set to
/32.

5. Configure NHRP:
a. Click Network > Routing Services.
b. Enable routing services.
c. Click to expand NHRP.
d. Enable NHRP.
e. Click to expand Network.

f. Click  to add a network.

g. For Interface, select the interface created above.


h. For Tunnel, select the IP tunnel created above.
i. Click to expand Next hop servers.
j. Click  to add a server.
k. For NBMA address, type the hostname or IP address of the node that will be the next hop
server.

6. To enable redirection of packets between spokes, configure OSPF routing:


a. Click Network > Routes > Routing services > OSPF.
b. Enable OSPF.
c. For ABR behavior, choose the Area Border Router for the network.
d. For Reference bandwidth, type the link bandwidth.
e. Enable the Opaque-LSA standard.
f. Enable the RFC1583 standard.
7. Configure the overlay connection:
a. Click Network > Routing services > BGP.
b. Enable BGP.
c. For AS number, type the autonomous system number for this device.
d. For Best path criteria, select Multipath.
e. Click to expand Neighbours.
f. Click  to add a neighbour.

g. For IP address, type the IP address of the hub.


h. Click to toggle on eBGP multihop.

8. Repeat to add additional spokes.


9. Click Apply to save the configuration and apply the change.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Create an IP tunnel.
a. Add an IP tunnel. For example, to add a tunnel named dmvpn_tunnel:

(config)> add vpn iptunnel dmvpn_tunnel


(config vpn iptunnel dmvpn_tunnel)>

b. Set the type to multipoint:

(config vpn iptunnel dmvpn_tunnel)> type multipoint


(config vpn iptunnel dmvpn_tunnel)>

c. Set the local interface:


i. Use the ? to determine available interfaces:
ii. Set the interface. For example:

(config vpn iptunnel dmvpn_tunnel)> local /network/interface/eth1


(config vpn iptunnel dmvpn_tunnel)>

d. Set the key to a four-octet value that matches the key on the remote endpoint. For
example:

(config vpn iptunnel dmvpn_tunnel)> key 1.1.1.1


(config vpn iptunnel dmvpn_tunnel)>

e. (Optional) Enable the device to reply to Cisco GRE keepalive packets:

(config vpn iptunnel dmvpn_tunnel)> keepalive true


(config vpn iptunnel dmvpn_tunnel)>

f. (Optional) Enable the device to allow packets destined for an address which is not
explicitly in the routing table to exit the IP tunnel:

(config vpn iptunnel dmvpn_tunnel)> open_routing true


(config vpn iptunnel dmvpn_tunnel)>

4. Assign an IP address to the IP tunnel:


a. Type ... to return to the top level of the configuration schema:

(config vpn iptunnel dmvpn_tunnel)> ...


(config)>

b. Add a network interface. For example, to add an interface named dmvpn_tunnel_interface:

(config)> add network interface dmvpn_tunnel_interface


(config network interface dmvpn_tunnel_interface)>

c. Set the zone to internal:

(config network interface dmvpn_tunnel_interface)> zone internal


(config network interface dmvpn_tunnel_interface)>

d. Set the device to the IP tunnel created above:

(config network interface dmvpn_tunnel_interface)> device /vpn/iptunnel/dmvpn_tunnel
(config network interface dmvpn_tunnel_interface)>

e. Set the IP address and netmask of the tunnel. The netmask must be set to /32. For
example, to set the IP address to 10.20.1.4/32:

(config network interface dmvpn_tunnel_interface)> ipv4 address 10.20.1.4/32
(config network interface dmvpn_tunnel_interface)>

5. Configure NHRP:
a. Type ... to return to the top level of the configuration schema:

(config network interface dmvpn_tunnel_interface)> ...


(config)>


b. Enable routing services:

(config)> network route service enable true


(config)>

c. Enable NHRP:

(config)> network route service nhrp enable true


(config)>

d. Add an NHRP network:

(config)> add network route service nhrp network end


(config network route service nhrp network 0)>

e. Set the interface to the interface that was created above:

(config network route service nhrp network 0)> interface dmvpn_tunnel_interface
(config network route service nhrp network 0)>

f. Set the tunnel to the IP tunnel created above:

(config network route service nhrp network 0)> tunnel /vpn/iptunnel/dmvpn_tunnel
(config network route service nhrp network 0)>

g. Add a next hop server:

(config network route service nhrp network 0)> add nhs end
(config network route service nhrp network 0 nhs 0)>

6. Set the hostname or IP address of the node that will be the next hop server:

(config network route service nhrp network 0 nhs 0)> nbma hostname/IP_address
(config network route service nhrp network 0 nhs 0)>

7. Configure OSPF routing:

(config network route service ospf)


(config)>

8. Configure the overlay connection using BGP:


a. Type ... to return to the top level of the configuration schema:

(config network interface dmvpn_tunnel_interface)> ...


(config)>

b. Enable BGP:

(config)> network route service bgp enable true


(config)>


c. Set the autonomous system number for this device. For example, to set the autonomous
system number to 66007:

(config)> network route service bgp asn 66007


(config)>

d. Set the best path criteria to multipath:

(config)> network route service bgp as_path multipath-relax


(config)>

e. Add a neighbour:

(config)> add network route service bgp neighbour end


(config network route service bgp neighbour 0)>

f. Set ip to the IP address of the hub. For example:

(config network route service bgp neighbour 0)> ip 10.20.1.1


(config network route service bgp neighbour 0)>

g. Enable eBGP multihop:

(config network route service bgp neighbour 0)> ebgp_multihop true


(config network route service bgp neighbour 0)>

9. Repeat to add additional spokes.


10. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

11. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

L2TP
Your Connect EZ 16/32 device supports PPP-over-L2TP (Layer 2 Tunneling Protocol).

Configure a PPP-over-L2TP tunnel


Your Connect EZ 16/32 device supports PPP-over-L2TP (Layer 2 Tunneling Protocol). The tunnel
endpoints are known as L2TP Access Concentrators (LAC) and L2TP Network Servers (LNS). Each
endpoint terminates the PPP session.

Required configuration items


- For L2TP access concentrators:
  - The hostname or IP address of the L2TP network server.
  - The firewall zone for the tunnel.


- For L2TP network servers:
  - The IP address of the L2TP access concentrator.
  - The local IP address assigned to the L2TP virtual network interface.
  - The IP address assigned to the remote peer.
  - The firewall zone for the tunnel.

Additional configuration items


- The UDP port that L2TP servers will listen on, if other than the default of 1701.
- Access control for the L2TP tunnel.
- For L2TP access concentrators:
  - L2TP network server port.
  - The username and password of the L2TP server.
  - The metric for the tunnel.
  - Enable custom PPP configuration options for the tunnel.
    - Whether to override the default configuration and only use the custom options.
    - Optional configuration data in the format of a pppd options file.
- For L2TP network servers:
  - The Authentication method.
  - The metric for the tunnel.
  - Enable custom PPP configuration options for the tunnel.
    - Whether to override the default configuration and only use the custom options.
    - Optional configuration data in the format of a pppd options file.

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.


The Configuration window is displayed.


3. Click VPN > L2TP.
4. (Optional) Type the UDP listening port that L2TP servers will listen on, if other than the
default of 1701.
5. Set the access control for L2TP tunnels:
- To limit access to specified IPv4 addresses and networks:
  a. Click IPv4 Addresses.
  b. For Add Address, click the add icon.
  c. For Address, enter the IPv4 address or network that can access the device's
     service-type. Allowed values are:
    - A single IP address or host name.
    - A network designation in CIDR notation, for example, 192.168.1.0/24.
    - any: No limit to IPv4 addresses that can access the service-type.
  d. Click the add icon again to list additional IP addresses or networks.
- To limit access to specified IPv6 addresses and networks:
  a. Click IPv6 Addresses.
  b. For Add Address, click the add icon.
  c. For Address, enter the IPv6 address or network that can access the device's
     service-type. Allowed values are:
    - A single IP address or host name.
    - A network designation in CIDR notation, for example, 2001:db8::/48.
    - any: No limit to IPv6 addresses that can access the service-type.
  d. Click the add icon again to list additional IP addresses or networks.
- To limit access to hosts connected through a specified interface on the device:
  a. Click Interfaces.
  b. For Add Interface, click the add icon.
  c. For Interface, select the appropriate interface from the dropdown.
  d. Click the add icon again to allow access through additional interfaces.
- To limit access based on firewall zones:
  a. Click Zones. By default, there are three firewall zones already configured: Internal,
     Edge, and IPsec.
  b. For Add Zone, click the add icon.
  c. For Zone, select the appropriate firewall zone from the dropdown.
     See Firewall configuration for information about firewall zones.
  d. Click the add icon again to allow access through additional firewall zones.
6. To add an L2TP access concentrator:
a. Click to expand L2TP access concentrators.
b. For Add L2TP access concentrator, type a name for the LAC and click the add icon.
c. LACs are enabled by default. To disable, toggle off Enable.
d. For L2TP network server, type the hostname or IP address of the L2TP network server.


e. (Optional) Type the L2TP network server port to use to connect to the server, if other
than the default of 1701.
f. (Optional) Type the Username to use to log into the server.
g. (Optional) Type the Password to use to log into the server.
h. (Optional) Type the Metric for the tunnel, if other than the default of 1.
i. Select a firewall Zone for the tunnel. This is used by packet filtering rules and access
control lists to restrict network traffic on the tunnel.
j. (Optional): Custom PPP configuration:
i. Enable custom PPP configuration.
ii. Enable Override if the custom configuration should override the default configuration
and only use the custom options.
iii. For Configuration file, paste or type the configuration data in the format of a pppd
options file.
7. To add an L2TP network server:
a. Click to expand L2TP network servers.
b. For Add L2TP network server, type a name for the LNS and click the add icon.
c. LNSs are enabled by default. To disable, toggle off Enable.
d. For L2TP access concentrator, type the IP address of the L2TP access concentrator that
this server will allow connections from. This can also be:
  - A range of IP addresses, using the format x.x.x.x-y.y.y.y, for example 192.168.188.1-192.168.188.254.
  - The keyword any, which means that the server will accept connections from any IP address.
e. For Local IP address, type the IP address of the L2TP virtual network interface.
f. For Remote IP address, type the IP address to assign to the remote peer.
g. (Optional) For Authentication method, select one of the following:
  - None: No authentication is required.
  - Automatic: The device will attempt to connect using CHAP first, and then PAP.
  - CHAP: Uses the Challenge Handshake Authentication Profile (CHAP) to authenticate.
  - PAP: Uses the Password Authentication Profile (PAP) to authenticate.
If Automatic, CHAP, or PAP is selected, enter the Username and Password required to
authenticate.
The default is None.
h. (Optional) For Authentication method, select the authentication method, one of:
  - None: No authentication is required.
  - Automatic: The device will attempt to connect using CHAP first, and then PAP.
  - CHAP: Uses the Challenge Handshake Authentication Profile (CHAP) to authenticate.
  - PAP: Uses the Password Authentication Profile (PAP) to authenticate.


  - MS-CHAPv2: Uses the Microsoft version of the Challenge Handshake Authentication Profile (CHAP) to authenticate.
  - If Automatic, CHAP, PAP, or MS-CHAPv2 is selected, enter the Username and Password required to authenticate.
  - The default is None.
i. (Optional) Type the Metric for the tunnel, if other than the default of 1.
j. Select a firewall Zone for the tunnel. This is used by packet filtering rules and access
control lists to restrict network traffic on the tunnel.
k. (Optional): Custom PPP configuration:
i. Enable custom PPP configuration.
ii. Enable Override if the custom configuration should override the default configuration
and only use the custom options.
iii. For Configuration file, paste or type the configuration data in the format of a pppd
options file.
8. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. (Optional) Set the UDP listening port that L2TP servers will listen on:

(config)> vpn l2tp port value


(config)>

where value is an integer between 1 and 65535. The default is 1701.


4. Set the access control for L2TP tunnels:
- To limit access to specified IPv4 addresses and networks:

(config)> add vpn l2tp acl address end value


(config)>

Where value can be:

  - A single IP address or host name.
  - A network designation in CIDR notation, for example, 192.168.1.0/24.
  - any: No limit to IPv4 addresses that can access the service-type.

Repeat this step to list additional IP addresses or networks.


- To limit access to specified IPv6 addresses and networks:

(config)> add vpn l2tp acl address6 end value


(config)>

Where value can be:

  - A single IP address or host name.
  - A network designation in CIDR notation, for example, 2001:db8::/48.
  - any: No limit to IPv6 addresses that can access the service-type.

Repeat this step to list additional IP addresses or networks.

- To limit access to hosts connected through a specified interface on the Connect EZ 16/32 device:

(config)> add vpn l2tp acl interface end value


(config)>

Where value is an interface defined on your device.

Display a list of available interfaces:


Use ... network interface ? to display interface information:

Repeat this step to list additional interfaces.


- To limit access based on firewall zones:

(config)> add vpn l2tp acl zone end value


(config)>

Where value is a firewall zone defined on your device, or the any keyword.

Display a list of available firewall zones:


Type ... firewall zone ? at the config prompt:

(config)> ... firewall zone ?

Zones: A list of groups of network interfaces that can be referred to by packet
filtering rules and access control lists.

Additional Configuration
-------------------------------------------------------------------------------
any
dynamic_routes
edge
external
internal
ipsec
loopback
setup


(config)>

Repeat this step to include additional firewall zones.


5. To add an L2TP access concentrator:
a. Add an LAC:

(config)> add vpn l2tp lac name


(config vpn l2tp lac name)>

where name is the name of the LAC. For example, to add an LAC named lac_tunnel:

(config)> add vpn l2tp lac lac_tunnel


(config vpn l2tp lac lac_tunnel)>

LACs are enabled by default. To disable:

(config vpn l2tp lac lac_tunnel)> enable false


(config vpn l2tp lac lac_tunnel)>

b. Set the hostname or IP address of the L2TP network server:

(config vpn l2tp lac lac_tunnel)> lns hostname


(config vpn l2tp lac lac_tunnel)>

c. (Optional) Set the UDP port to use to connect to the L2TP network server:

(config vpn l2tp lac lac_tunnel)> port int


(config vpn l2tp lac lac_tunnel)>

where int is an integer between 1 and 65535. The default is 1701.


d. (Optional) Set the username to use to log into the server:

(config vpn l2tp lac lac_tunnel)> username username


(config vpn l2tp lac lac_tunnel)>

e. (Optional) Set the password to use to log into the server:

(config vpn l2tp lac lac_tunnel)> password password


(config vpn l2tp lac lac_tunnel)>

f. (Optional) Set the metric for the tunnel:

(config vpn l2tp lac lac_tunnel)> metric int


(config vpn l2tp lac lac_tunnel)>

where int is an integer between 0 and 65535. The default is 1.


g. Set the firewall zone for the tunnel. This is used by packet filtering rules and access control
lists to restrict network traffic on the tunnel.


i. Use the ? to determine available zones:

(config vpn l2tp lac lac_tunnel)> zone ?

Zone: The firewall zone assigned to this tunnel. This can be used by packet
filtering rules and access control lists to restrict network traffic on this
tunnel.
Format:
any
dynamic_routes
edge
external
internal
ipsec
loopback
setup
Current value:

(config vpn l2tp lac lac_tunnel)>

ii. Set the zone:

(config vpn l2tp lac lac_tunnel)> zone zone


(config vpn l2tp lac lac_tunnel)>

h. (Optional): Custom PPP configuration:


i. Enable custom PPP configuration:

(config vpn l2tp lac lac_tunnel)> custom enable true


(config vpn l2tp lac lac_tunnel)>

ii. Enable overriding, if the custom configuration should override the default
configuration and only use the custom options:

(config vpn l2tp lac lac_tunnel)> custom override true


(config vpn l2tp lac lac_tunnel)>

iii. Paste or type the configuration data in the format of a pppd options file:

(config vpn l2tp lac lac_tunnel)> custom config_file data


(config vpn l2tp lac lac_tunnel)>

6. To add an L2TP network server:


a. Add an LNS:

(config)> add vpn l2tp lns name


(config vpn l2tp lns name)>

where name is the name of the LNS. For example, to add an LNS named lns_server:


(config)> add vpn l2tp lns lns_server


(config vpn l2tp lns lns_server)>

LNSs are enabled by default. To disable:

(config vpn l2tp lns lns_server)> enable false


(config vpn l2tp lns lns_server)>

b. Set the IP address of the L2TP access concentrator that this server will allow connections
from:

(config vpn l2tp lns lns_server)> lac IP_address


(config vpn l2tp lns lns_server)>

This can also be:


  - A range of IP addresses, using the format x.x.x.x-y.y.y.y, for example 192.168.188.1-192.168.188.254.
  - The keyword any, which means that the server will accept connections from any IP address.
c. Set the IP address of the L2TP virtual network interface:

(config vpn l2tp lns lns_server)> local_address IP_address


(config vpn l2tp lns lns_server)>

d. Set the IP address to assign to the remote peer:

(config vpn l2tp lns lns_server)> remote_address IP_address


(config vpn l2tp lns lns_server)>

e. (Optional) Set the authentication method:

(config vpn l2tp lns lns_server)> auth method


(config vpn l2tp lns lns_server)>

where method is one of the following:


  - none: No authentication is required.
  - auto: The device will attempt to connect using CHAP first, and then PAP.
  - chap: Uses the Challenge Handshake Authentication Profile (CHAP) to authenticate.
  - pap: Uses the Password Authentication Profile (PAP) to authenticate.
  - mschapv2: Uses the Microsoft version of the Challenge Handshake Authentication Profile (CHAP) to authenticate.
If auto, chap, pap or mschapv2 is selected, enter the Username and Password required
to authenticate:

(config vpn l2tp lns lns_server)> username username


(config vpn l2tp lns lns_server)> password password
(config vpn l2tp lns lns_server)>

The default is none.


f. (Optional) Set the metric for the tunnel:

(config vpn l2tp lns lns_server)> metric int


(config vpn l2tp lns lns_server)>

where int is an integer between 0 and 65535. The default is 1.


g. Set the firewall zone for the tunnel. This is used by packet filtering rules and access control
lists to restrict network traffic on the tunnel.
i. Use the ? to determine available zones:

(config vpn l2tp lns lns_server)> zone ?

Zone: The firewall zone assigned to this tunnel. This can be used by packet
filtering rules and access control lists to restrict network traffic on this
tunnel.
Format:
any
dynamic_routes
edge
external
internal
ipsec
loopback
setup
Current value:

(config vpn l2tp lns lns_server)>

ii. Set the zone:

(config vpn l2tp lns lns_server)> zone zone


(config vpn l2tp lns lns_server)>

h. (Optional): Custom PPP configuration:


i. Enable custom PPP configuration:

(config vpn l2tp lns lns_server)> custom enable true


(config vpn l2tp lns lns_server)>

ii. Enable overriding, if the custom configuration should override the default
configuration and only use the custom options:

(config vpn l2tp lns lns_server)> custom override true


(config vpn l2tp lns lns_server)>

iii. Paste or type the configuration data in the format of a pppd options file:

(config vpn l2tp lns lns_server)> custom config_file data


(config vpn l2tp lns lns_server)>


7. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

8. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
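
The following is an added example, not part of the Digi guide or the device firmware: a Python review of an Admin CLI transcript in the prompt format shown above, flagging the L2TP settings this section describes as unrestricted (an acl entry of any, lac any, auth none, and auth auto or pap). The transcript, the names lns_branch, lns_hq and lns_old, and the finding codes are constructed for illustration.

```python
import re

# Prompt format used throughout this guide: "(config <path>)> <command>"
PROMPT = re.compile(r"^\(config(?: (?P<path>[^)]*))?\)>\s*(?P<cmd>.*)$")

# Finding codes are hypothetical labels chosen for this example.
REASONS = {
    "ACL_ANY": "access control entry is 'any', so the L2TP service is not restricted",
    "LAC_ANY": "server accepts connections from any IP address",
    "AUTH_NONE": "no PPP authentication is required (the documented default)",
    "AUTH_PAP_POSSIBLE": "PAP may be used, which sends the password unencrypted inside PPP",
}

def parse_transcript(text):
    """Collect L2TP ACL entries and LNS settings from an Admin CLI transcript."""
    acl, lns = [], {}
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue
        path = (m.group("path") or "").split()
        words = m.group("cmd").split()
        if not path and words[:4] == ["add", "vpn", "l2tp", "acl"] and len(words) == 7:
            acl.append((words[4], words[6]))        # add vpn l2tp acl <kind> end <value>
        elif not path and words[:4] == ["add", "vpn", "l2tp", "lns"] and len(words) == 5:
            lns.setdefault(words[4], {})            # add vpn l2tp lns <name>
        elif path[:3] == ["vpn", "l2tp", "lns"] and len(path) == 4 and len(words) == 2:
            lns.setdefault(path[3], {})[words[0]] = words[1]   # <setting> <value>
    return acl, lns

def audit(text):
    """Return (scope, code) findings for settings that leave the tunnel open."""
    acl, lns = parse_transcript(text)
    findings = []
    for kind, value in acl:
        if value == "any":
            findings.append((f"acl {kind}", "ACL_ANY"))
    for name in sorted(lns):
        cfg = lns[name]
        if cfg.get("enable") == "false":            # disabled servers are skipped
            continue
        auth = cfg.get("auth", "none")              # the guide states the default is none
        if auth == "none":
            findings.append((name, "AUTH_NONE"))
        elif auth in ("auto", "pap"):               # auto tries CHAP first, then PAP
            findings.append((name, "AUTH_PAP_POSSIBLE"))
        if cfg.get("lac") == "any":
            findings.append((name, "LAC_ANY"))
    return findings

# Constructed transcript for illustration; not captured from a device.
SAMPLE = """\
> config
(config)> add vpn l2tp acl address end 192.168.1.0/24
(config)> add vpn l2tp acl zone end any
(config)> add vpn l2tp lns lns_branch
(config vpn l2tp lns lns_branch)> lac any
(config vpn l2tp lns lns_branch)> local_address 10.0.0.1
(config vpn l2tp lns lns_branch)> remote_address 10.0.0.2
(config vpn l2tp lns lns_branch)> zone internal
(config vpn l2tp lns lns_branch)> ...
(config)> add vpn l2tp lns lns_hq
(config vpn l2tp lns lns_hq)> lac 192.168.188.1-192.168.188.254
(config vpn l2tp lns lns_hq)> auth mschapv2
(config vpn l2tp lns lns_hq)> username l2tp_user
(config vpn l2tp lns lns_hq)> ...
(config)> add vpn l2tp lns lns_old
(config vpn l2tp lns lns_old)> enable false
(config vpn l2tp lns lns_old)> ...
(config)> save
"""

if __name__ == "__main__":
    for scope, code in audit(SAMPLE):
        print(f"{scope}: {code}: {REASONS[code]}")
```
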

L2TP with IPsec


L2TP is commonly used in conjunction with IPsec in transport mode (to provide security).
Your Connect EZ 16/32 supports L2TP with IPsec by configuring a transport-mode IPsec tunnel
between the two endpoints, and then an L2TP tunnel with its LNS and LAC configured the same as the
IPsec tunnel’s endpoints. See Configure an IPsec tunnel for information about configuring an IPsec
tunnel.

Note The Connect EZ 16/32 does not currently support the configuration of IPsec protocol/port traffic
selectors. This means that you cannot restrict traffic on the IPsec tunnel to L2TP traffic (typically UDP
port 1701).
While multiple L2TP clients are supported on the Connect EZ 16/32 by configuring a separate LNS for
each client, multiple clients behind a Network Address Translation (NAT) device are not supported,
because they will all appear to have the same IP address.

Show L2TP tunnel status

Web

Show the status of L2TP access connectors from the WebUI


Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
1. On the menu, select Status. Under VPN, select L2TP > Access Connectors.
The L2TP Access Connectors page appears.
2. To view configuration details about an L2TP access connector, click the configuration icon
in the upper right of the tunnel's status pane.

Show the status of L2TP network servers from the WebUI


Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
1. On the menu, select Status. Under VPN, select L2TP > Network Servers.
The L2TP Network Servers page appears.
2. To view configuration details about an L2TP network server, click the configuration icon in
the upper right of the tunnel's status pane.

Command line


Show the status of L2TP access connectors from the Admin CLI
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. To display details about all configured L2TP access connectors, type the following at the
prompt:

> show l2tp lac

Name       Enabled  Status   Device
---------  -------  ------   -----------
lac_test1  true     up       test_device0
lac_test2  true     pending
>

3. To display details about a specific tunnel:

> show l2tp lac name lac_test2

lac_test2 L2TP Access Concentrator Status
------------------------------------
Enabled : true
Status  : pending

>

4. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Show the status of L2TP network servers from the Admin CLI
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. To display details about all configured L2TP network servers, type the following at the
prompt:

> show l2tp lns

Name       Enabled  Status   Device
---------  -------  ------   -----------
lns_test1  true     up       test_device0
lns_test2  true     pending

>


3. To display details about a specific tunnel:

> show l2tp lns name lns_test2

lns_test2 L2TP Access Concentrator Status
------------------------------------
Enabled : true
Status  : pending

>

4. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

L2TPv3 Ethernet
Your Connect EZ 16/32 device supports Layer 2 Tunneling Protocol Version 3 (L2TPv3) static
unmanaged Ethernet tunnels.

Configure an L2TPv3 tunnel


Your Connect EZ 16/32 device supports Layer 2 Tunneling Protocol Version 3 (L2TPv3) static
unmanaged Ethernet tunnels.

Required configuration items


- A name for the L2TPv3 tunnel.
- Enable the tunnel.
- The remote endpoint IP address.
- The local endpoint IP address.
- The session ID.
- The peer session ID.

Additional configuration items


- Encapsulation type. If UDP is selected:
  - The ID for the tunnel.
  - The ID of the peer's tunnel.
  - Determine whether to enable UDP checksum.
- The session cookie.
- The peer session cookie.
- The Layer2SpecificHeader type.
- The Sequence numbering control.

Web


1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click VPN > L2TPv3 ethernet.
4. For Add L2TPv3 ethernet tunnel, type a name for the tunnel and click the add icon.
5. For Remote endpoint, type the IPv4 address of the remote endpoint.
6. For Local endpoint, select the interface that will be the local endpoint.
7. For Tunnel ID, type the tunnel identifier for this tunnel. This must match the value for Peer
tunnel ID on the remote peer. Allowed value is any integer between 1 and 4294967295.
8. For Peer tunnel ID, type the Tunnel ID of the remote peer.
9. (Optional) For Encapsulation type, select either UDP or IP. If UDP is selected:
a. For UDP source port, type the number of the source UDP port to be used for the tunnel.
b. For UDP destination port, type the number of the destination UDP port to be used for the
tunnel.
c. (Optional) Click to enable UDP checksum to calculate and check the UDP checksum.
10. Click to expand Sessions.
a. For Add Session, type a name for a session carried by the parent tunnel and click the add icon.
b. For Session ID, type the session identifier for this session. This must match the value for
Peer session ID on the remote peer. Allowed value is any integer between 1 and
4294967295.
c. For Peer session ID, type the Session ID of the remote peer.
d. (Optional) For Cookie, type the cookie value to be assigned to the session. Allowed value
is 8 or 16 hex digits.
e. (Optional) For Peer cookie, type the Cookie value of the remote peer.
f. For Layer2SpecificHeader type, select the Layer2Specific header type. This must match
what is configured on the remote peer.


g. For Sequence numbering control, determine the sequence number control to prevent or
detect out of order packets. Allowed values are:
  - None: No sequence numbering.
  - Send: Add a sequence number to each outgoing packet.
  - Receive: Reorder packets if they are received out of order.
  - Both: Add a sequence number to each outgoing packet, and reorder packets if they are received out of order.
The default is None.
h. Repeat for additional sessions.
11. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Add a L2TPv3 Ethernet tunnel. For example, to add a tunnel named L2TPv3_example:

(config)> add vpn l2tpeth L2TPv3_example


(config vpn l2tpeth L2TPv3_example)>

The tunnel is enabled by default. To disable:

(config vpn l2tpeth L2TPv3_example)> enable false


(config vpn l2tpeth L2TPv3_example)>

4. Set the IPv4 address of the remote endpoint:

(config vpn l2tpeth L2TPv3_example)> remote IP_address


(config vpn l2tpeth L2TPv3_example)>

5. Set the interface of the local endpoint:


i. Use the ? to determine available interfaces:
ii. Set the interface. For example:

(config vpn l2tpeth L2TPv3_example)> local /network/interface/eth1


(config vpn l2tpeth L2TPv3_example)>

6. Set the tunnel identifier for this tunnel. This must match the value for peer tunnel ID on the
remote peer.

(config vpn l2tpeth L2TPv3_example)> tunnel_id value


(config vpn l2tpeth L2TPv3_example)>


where value is any integer between 1 and 4294967295.


7. Set the tunnel ID of the remote peer:

(config vpn l2tpeth L2TPv3_example)> peer_tunnel_id value


(config vpn l2tpeth L2TPv3_example)>

where value is any integer between 1 and 4294967295.


8. (Optional) Set the encapsulation type:

(config vpn l2tpeth L2TPv3_example)> encapsulation value


(config vpn l2tpeth L2TPv3_example)>

where value is either udp or ip. The default is udp.


If udp is set:
a. Set the source UDP port to be used for the tunnel:

(config vpn l2tpeth L2TPv3_example)> udp_source_port port


(config vpn l2tpeth L2TPv3_example)>

b. Set the destination UDP port to be used for the tunnel.

(config vpn l2tpeth L2TPv3_example)> udp_destination_port port


(config vpn l2tpeth L2TPv3_example)>

c. (Optional) To calculate and check the UDP checksum:

(config vpn l2tpeth L2TPv3_example)> udp_checksum true


(config vpn l2tpeth L2TPv3_example)>

9. Add a session carried by the parent tunnel:

(config vpn l2tpeth L2TPv3_example)> add session session_example


(config vpn l2tpeth L2TPv3_example session_example)>

10. Set the session identifier for this session. This must match the value for peer session ID on the
remote peer.

(config vpn l2tpeth L2TPv3_example session_example)> session_id value


(config vpn l2tpeth L2TPv3_example session_example)>

where value is any integer between 1 and 4294967295.


11. Set the session ID of the remote peer:

(config vpn l2tpeth L2TPv3_example session_example)> peer_session_id value
(config vpn l2tpeth L2TPv3_example session_example)>

where value is any integer between 1 and 4294967295.


12. (Optional) Set the cookie value to be assigned to the session.

(config vpn l2tpeth L2TPv3_example session_example)> cookie value


(config vpn l2tpeth L2TPv3_example session_example)>

Allowed value is 8 or 16 hex digits.


13. (Optional) Set the cookie value of the remote peer:

(config vpn l2tpeth L2TPv3_example session_example)> peer_cookie value


(config vpn l2tpeth L2TPv3_example session_example)>

Allowed value is 8 or 16 hex digits.


14. Set the Layer2Specific header type. This must match what is configured on the remote peer.

(config vpn l2tpeth L2TPv3_example session_example)> l2spec_type value


(config vpn l2tpeth L2TPv3_example session_example)>

where value is either none or default. The default is default.


15. Set the sequence number control to prevent or detect out of order packets.

(config vpn l2tpeth L2TPv3_example session_example)> seq value


(config vpn l2tpeth L2TPv3_example session_example)>

where value is one of:


  - none: No sequence numbering.
  - send: Add a sequence number to each outgoing packet.
  - recv: Reorder packets if they are received out of order.
  - both: Add a sequence number to each outgoing packet, and reorder packets if they are received out of order.
The default is none.
16. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

17. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
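
The following is an added example, not part of the Digi guide or the device firmware: a Python pre-deployment check that two endpoints of a static L2TPv3 tunnel mirror each other as the steps above require (tunnel and session IDs in 1 to 4294967295, cookies of 8 or 16 hex digits, each side's peer values equal to the other side's own). The dictionaries are a hypothetical representation keyed by the CLI setting names used above, the hub and spoke values are constructed, and the UDP port pairing (one side's destination port is the other side's source port) is an assumption about how the two ends are set up.

```python
import re

ID_MAX = 4294967295     # upper bound this guide gives for tunnel and session IDs
COOKIE = re.compile(r"^(?:[0-9a-fA-F]{8}|[0-9a-fA-F]{16})$")   # "8 or 16 hex digits"

def local_errors(name, ep):
    """Range and format checks on one endpoint's own values."""
    errs = []
    ids = [("tunnel_id", ep["tunnel_id"]), ("peer_tunnel_id", ep["peer_tunnel_id"])]
    for sname, s in ep["sessions"].items():
        ids += [(f"{sname}.session_id", s["session_id"]),
                (f"{sname}.peer_session_id", s["peer_session_id"])]
        for key in ("cookie", "peer_cookie"):
            if key in s and not COOKIE.match(s[key]):
                errs.append(f"{name}: {sname}.{key} is not 8 or 16 hex digits")
    for label, value in ids:
        if not (isinstance(value, int) and 1 <= value <= ID_MAX):
            errs.append(f"{name}: {label}={value!r} is outside 1..{ID_MAX}")
    if ep.get("encapsulation", "udp") not in ("udp", "ip"):
        errs.append(f"{name}: encapsulation must be udp or ip")
    return errs

def mirror_errors(a_name, a, b_name, b, symmetric):
    """Check that what A calls 'peer' is what B calls its own.

    symmetric=True also reports settings that must simply be equal on both
    sides, so they are listed once rather than once per direction.
    """
    errs = []
    if a["peer_tunnel_id"] != b["tunnel_id"]:
        errs.append(f"{a_name}: peer_tunnel_id {a['peer_tunnel_id']} != "
                    f"{b_name} tunnel_id {b['tunnel_id']}")
    encap_a = a.get("encapsulation", "udp")          # the guide gives udp as the default
    encap_b = b.get("encapsulation", "udp")
    if encap_a != encap_b:
        if symmetric:
            errs.append(f"encapsulation differs: {a_name}={encap_a}, {b_name}={encap_b}")
    elif encap_a == "udp" and a.get("udp_destination_port") != b.get("udp_source_port"):
        # Assumption: each side's destination port is the other side's source port.
        errs.append(f"{a_name}: udp_destination_port != {b_name} udp_source_port")
    by_id = {s["session_id"]: s for s in b["sessions"].values()}
    for sname, s in a["sessions"].items():
        peer = by_id.get(s["peer_session_id"])
        if peer is None:
            errs.append(f"{a_name}: {sname}.peer_session_id {s['peer_session_id']} "
                        f"matches no session_id on {b_name}")
            continue
        if s.get("peer_cookie", "").lower() != peer.get("cookie", "").lower():
            errs.append(f"{a_name}: {sname}.peer_cookie != {b_name} cookie")
        if symmetric and s.get("l2spec_type", "default") != peer.get("l2spec_type", "default"):
            errs.append(f"l2spec_type differs on session {sname}")
    return errs

def compare(a_name, a, b_name, b):
    """All problems found in two endpoint definitions, as a list of strings."""
    return (local_errors(a_name, a) + local_errors(b_name, b)
            + mirror_errors(a_name, a, b_name, b, symmetric=True)
            + mirror_errors(b_name, b, a_name, a, symmetric=False))

# Constructed sample endpoints for illustration.
HUB = {"tunnel_id": 100, "peer_tunnel_id": 200, "encapsulation": "udp",
       "udp_source_port": 5000, "udp_destination_port": 5001,
       "sessions": {"s1": {"session_id": 10, "peer_session_id": 20,
                           "cookie": "0a1b2c3d", "peer_cookie": "1122334455667788",
                           "l2spec_type": "default"}}}
SPOKE_OK = {"tunnel_id": 200, "peer_tunnel_id": 100, "encapsulation": "udp",
            "udp_source_port": 5001, "udp_destination_port": 5000,
            "sessions": {"s1": {"session_id": 20, "peer_session_id": 10,
                                "cookie": "1122334455667788", "peer_cookie": "0A1B2C3D",
                                "l2spec_type": "default"}}}
# Same spoke with a wrong peer tunnel ID, a 10-digit cookie and a different l2spec_type.
SPOKE_BAD = {**SPOKE_OK, "peer_tunnel_id": 101,
             "sessions": {"s1": {**SPOKE_OK["sessions"]["s1"],
                                 "cookie": "1122334455", "l2spec_type": "none"}}}

if __name__ == "__main__":
    for problem in compare("hub", HUB, "spoke", SPOKE_BAD):
        print(problem)
```
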

Show L2TPV3 tunnel status

Web
Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
1. On the menu, select Status. Under VPN, select L2TPv3 Ethernet.
The L2TPv3 Ethernet page appears.


2. To view configuration details about an L2TPv3 tunnel, click the configuration icon in the
upper right of the tunnel's status pane.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. To display details about all configured L2TPv3 Ethernet tunnels, type the following at the
prompt:

> show l2tpeth

Tunnel Session     Enabled  Device        Status
-----------------  -------  ------------  ------
test/session/test  true     le_test_test  up

>

3. To display details about a specific tunnel:

> show l2tpeth name /vpn/l2tpeth/test/session/test

test/session/test Tunnel Session Status
---------------------------------------
Enabled : true
Status : up

Local IP : 4.3.2.1
Remote IP : 10.10.10.1
Tunnel ID : modem
Peer Tunnel ID : 10.10.10.1 === 4.3.2.1
Session ID : 255
Peer Session ID : 1476
Lifetime (Actual) : 600

Device : le_test_test
RX Packets : 2,102
RX Bytes : 462
TX Packets : 2,787
TX Byptes : 3,120

>

4. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.


MACsec
MACsec (Media Access Control Security) is an IEEE 802.1AE (Layer 2) VPN protocol that can be used to
create a secure MACsec tunnel over a wired Ethernet LAN. MACsec uses keys to provide multiple
authentications between hosts in a network.
A MACsec tunnel must be tied to a physical interface. You cannot create a MACsec tunnel for a bridge.

Security modes
Two security modes are available for a MACsec tunnel.
- Automatic: Uses a pre-shared key to generate association key information, which is periodically rotated using 802.1X.
- Manual: Uses connectivity association key information that is manually entered in the CAK and CKN fields.

Configure a MACsec tunnel


Your Connect EZ 16/32 device supports MACsec (Media Access Control Security).

Required configuration items


- The local network device to connect to the peer device.
- When using Manual mode, the connectivity association key and key name.

 Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click VPN > MACsec.
4. For Add MACsec tunnel, click the add icon.


5. Click Enable.
6. For Local endpoint, select the local network device you want to use to connect to the peer
device.
7. For Security mode, select your desired mode.
- Automatic: Uses a pre-shared key to generate association key information, which is periodically rotated using 802.1X.
- Manual: Uses connectivity association key information that is manually entered in the CAK and CKN fields.
8. If you selected Manual, additional required fields display.
a. For CAK, enter the connectivity association key. The key format is 16 hex digits.
b. For CKN, enter the connectivity association key name. The key format is 32 hex digits.
9. Click Apply to save the configuration and apply the change.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Name the tunnel. At the config prompt, type:

(config)> add vpn macsec name


(config)>

where name is a string.


4. Enable the tunnel:

(config vpn macsec tunnel1)> enable true


(config vpn macsec tunnel1)>

5. Specify the local endpoint:

(config vpn macsec tunnel1)> local value


(config vpn macsec tunnel1)>

where value is one of the available options.


6. Specify the security mode:

(config vpn macsec tunnel1)> type value


(config vpn macsec tunnel1)>

where value is one of the following:

- automatic: Uses a pre-shared key to generate association key information, which is periodically rotated using 802.1X.
- manual: Uses connectivity association key information that is manually entered.
7. If you specified the manual security mode, enter the connectivity association key and key
name.
a. Specify the connectivity association key:

(config vpn macsec tunnel1)> association cak value


(config vpn macsec tunnel1)>

where value is the association key. The key format is 16 hex digits.
b. Specify the connectivity association key name:

(config vpn macsec tunnel1)> association ckn value


(config vpn macsec tunnel1)>

where value is the association key name. The key format is 32 hex digits.
8. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

9. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

NEMO
Network Mobility (NEMO) is a mobile networking technology that provides access to one or more
Local Area Networks (LANs) on your device. NEMO creates a tunnel between the home agent on the
mobile private network and the Connect EZ 16/32 device, isolating the connection from internet traffic
and advertising the IP subnets of the LANs for remote access and device management.
Dynamic Mobile Network Routing (DMNR) is the implementation of NEMO for Verizon Wireless Private
Networks. DMNR support requires the use of Verizon SIM cards that have DMNR enabled.

Configure a NEMO tunnel


Configuring a NEMO tunnel with a remote device involves configuring the following items:

Required configuration items


- Enable the NEMO tunnel.
  The NEMO tunnel is enabled by default.
- The IP address of the NEMO virtual network interface.
- The firewall zone of the NEMO tunnel.
- The IP address of the NEMO home agent server. This is provided by your cellular carrier.
- The home agent's authentication key. This is provided by your cellular carrier.
- Home agent registration lifetime. This is provided by your cellular carrier.
- The local network interfaces that will be advertised on NEMO.

Additional configuration items


- The home agent Security Parameter Index (SPI).
- Path MTU discovery.
  Path MTU discovery is enabled by default. If it is disabled, identify the MTU.
- Care of address: the local network interface that is used to communicate with the peer.
  - If set to Interface, identify the local interface to be used. Generally, this will be the Wireless WAN (Modem).
  - If set to IP address, enter the IP address.
- The local network of the GRE endpoint negotiated by NEMO.
  - If the local network is set to Interface, identify the local interface to be used.

 Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click VPN > NEMO.
The NEMO tunnel is enabled by default. To disable, toggle off Enable.
4. For Home IP address, type the IPv4 address of the NEMO virtual network interface.
5. For Zone, select Internal.
The Internal firewall zone configures the Connect EZ 16/32 device to trust traffic going to the
tunnel and allows it through the network.
6. For Home agent server IP address, type the IPv4 address of the NEMO home agent. This is
provided by your cellular carrier.


7. For Key, type the key used to authenticate to the home agent. This is provided by your cellular
carrier.
8. For Home agent SPI, type the Security Parameter Index (SPI) value, which is used in the
authentication extension when registering. This should normally be left at the default setting
of 256 unless your service provider indicates a different value.
9. For Home agent registration lifetime, in seconds, type the number of seconds until the
authorization key expires. This is provided by your cellular carrier.
10. For MTU discovery, leave enabled to determine the maximum transmission unit (MTU) size.
If disabled, for MTU, type the MTU size. The default MTU size for LANs on the Connect EZ 16/32
device is 1500. The MTU size of the NEMO tunnel will be smaller, to take into account the
required headers.
11. Click to expand Care of address to configure the local WAN interface of the internet facing
network.
a. For Type, select the method to determine the local network interface that is used to
communicate with the peer.
- If Default route is selected, the network interface that is used will be the same as the default route.
- If Interface is selected, specify the local network interface.
- If IP address is selected, type the IP address.
The default is Default route.
12. Click to expand GRE tunnel local endpoint.
a. For Type, select the local endpoint of the GRE endpoint negotiated by NEMO.
- If Default route is selected, the network interface that is used will be the same as the default route.
- If Interface is selected, specify the local network interface.
The default is Default route.
13. Click to expand Local networks.
a. For Add Interface, click the add icon to add a local network to use as a virtual NEMO network
interface.
b. For Interface, select the local interface to use as a virtual NEMO network interface.
Generally, this will be a Local Area Network (LAN).
c. (Optional) Repeat for additional interfaces.
14. Click Apply to save the configuration and apply the change.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.


2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Add a NEMO tunnel. For example, to add a NEMO tunnel named nemo_example:

(config)> add vpn nemo nemo_example


(config vpn nemo nemo_example)>

The NEMO tunnel is enabled by default. To disable:

(config vpn nemo nemo_example)> enable false


(config vpn nemo nemo_example)>

4. Set the IPv4 address of the NEMO virtual network interface:

(config vpn nemo nemo_example)> home_address IPv4_address


(config vpn nemo nemo_example)>

5. Set the IPv4 address of the NEMO home agent. This is provided by your cellular carrier.

(config vpn nemo nemo_example)> home_agent IPv4_address


(config vpn nemo nemo_example)>

6. Set the key used to authenticate to the home agent. This is provided by your cellular carrier.

(config vpn nemo nemo_example)> key value


(config vpn nemo nemo_example)>

7. Set the number of seconds until the authorization key expires. This is
provided by your cellular carrier.

(config vpn nemo nemo_example)> lifetime integer


(config vpn nemo nemo_example)>

Allowed values are any integer between 1 and 65535.


8. MTU discovery is enabled by default, which allows the device to determine the maximum
transmission unit (MTU) size. To disable:

(config vpn nemo nemo_example)> mtu_discovery false


(config vpn nemo nemo_example)>

If disabled, set the MTU size. The default MTU size for LANs on the Connect EZ 16/32 device is
1500. The MTU size of the NEMO tunnel will be smaller, to take into account the required
headers.

(config vpn nemo nemo_example)> mtu integer


(config vpn nemo nemo_example)>

Allowed values are any integer between 68 and 1476.


9. Set the Security Parameter Index (SPI) value, which is used in the authentication extension
when registering. This should normally be left at the default setting of 256 unless your service
provider indicates a different value.

(config vpn nemo nemo_example)> spi integer


(config vpn nemo nemo_example)>

Allowed values are any integer between 256 and 4294967295.


10. Set the firewall zone for the NEMO tunnel to internal:

(config vpn nemo nemo_example)> zone internal


(config vpn nemo nemo_example)>

The Internal firewall zone configures the Connect EZ 16/32 device to trust traffic going to the
tunnel and allows it through the network.
11. Configure the Care-of-Address, the local WAN interface of the internet facing network.
a. Set the method to determine the Care-of-Address:

(config vpn nemo nemo_example)> coaddress type value


(config vpn nemo nemo_example)>

where value is one of:


- defaultroute: Uses the same network interface as the default route.
- interface
If interface is used, set the interface:
i. Use the ? to determine available interfaces:
ii. Set the interface. For example:

(config vpn nemo nemo_example)> coaddress interface eth1


(config vpn nemo nemo_example)>

- ip
If ip is used, set the IP address:

(config vpn nemo nemo_example)> coaddress address IP_address


(config vpn nemo nemo_example)>

The default is defaultroute.


12. Set the GRE tunnel local endpoint:
a. Set the method to determine the GRE tunnel local endpoint:

(config vpn nemo nemo_example)> tun_local type value


(config vpn nemo nemo_example)>

where value is one of:


- defaultroute: Uses the same network interface as the default route.
- interface
If interface is used, set the interface.
i. Use the ? to determine available interfaces:
ii. Set the interface. For example:

(config vpn nemo nemo_example)> tun_local interface eth1


(config vpn nemo nemo_example)>

The default is defaultroute.


13. Configure one or more local networks to use as a virtual NEMO network interface. Generally,
this will be a Local Area Network (LAN):
a. Add a local network to use as a virtual NEMO network interface:

(config vpn nemo nemo_example)> add network end eth2


(config vpn nemo nemo_example)>

b. (Optional) Repeat for additional interfaces.


14. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

15. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Show NEMO status

 Web
Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
1. On the menu, select Status > NEMO.
The NEMO page appears.
2. To view configuration details about a NEMO tunnel, click the configuration icon in the
upper right of the tunnel's status pane.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. To display details about all configured NEMO tunnels, type the following at the prompt:

> show nemo

NEMO  Enable  Status  Address  Agent    CoAddress
----  ------  ------  -------  -------  ----------
demo  false
test  true    up      1.2.3.4  4.3.2.1  10.10.10.1

>

3. To display details about a specific tunnel:

> show nemo name test

test NEMO Status
----------------
Enabled : true
Status : up
Home Agent : 4.3.2.1
Care of Address : 10.10.10.1
Interface : modem
GRE Tunnel : 10.10.10.1 === 4.3.2.1
Metric : 255
MTU : 1476
Lifetime (Actual) : 600

Local Network  Subnet          Status
-------------  --------------  ----------
lan1           192.168.2.1/24  Advertized
LAN2           192.168.3.1/24  Advertized

>

4. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

WireGuard VPN
WireGuard is a VPN (virtual private network) protocol that operates at the network layer to provide
communication between devices over a public network. It encrypts and encapsulates traffic to protect
information.
WireGuard supports full networking capabilities including standard, policy-based, and static routes, as
well as firewalls. In addition to having IPs inside the tunnel, like IPsec and OpenVPN, you can use a
WireGuard tunnel for policy-based routing, to send only certain traffic through the tunnel, or for
static routes, to send traffic through the tunnel regardless of the source IP. You can also have
multiple tunnels.
There are two modes available when configuring a WireGuard VPN:
- Client mode: Configure the Connect EZ 16/32 device to act as a client, so it establishes an outbound WireGuard VPN tunnel to a remote server.
- Server mode: Configure the Connect EZ 16/32 device to act as a server, so one or more remote devices can establish an inbound WireGuard VPN tunnel to the device.


Configure the WireGuard VPN


Your Connect EZ 16/32 device supports using WireGuard VPN. You can configure the device for either
client or server mode. For client mode, your Connect EZ 16/32 is establishing an outbound WireGuard
VPN connection to the WireGuard server. For server mode, your Connect EZ 16/32 is acting as a
WireGuard server and accepts incoming WireGuard VPN connections from one or more client devices.

Before you begin


Decide whether you want your device to establish an outbound WireGuard VPN connection or if you
want it to act as a WireGuard server. Each mode requires different information.

For client mode
You need the following information from the WireGuard server:
- Private key
- Remote endpoint address or hostname
- Remote endpoint port
- Remote endpoint public key
- Preshared key (optional)
- Local and remote IP addresses

For server mode
You need the following information:
- Client public key
  Note: This key can come from the client device or you can generate it from the Digi device's Admin CLI console using the wireguard generate [tunnel_name] [client_name] command after configuring the WireGuard server settings on the Digi device.
- Pre-shared key (optional)
- Local and remote IP addresses

 Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.


c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


1. Navigate to VPN > WireGuard > WireGuard tunnel.
2. Click the add icon to add a new WireGuard tunnel.
3. Type a name for the tunnel.
4. Click OK.
The settings for your new tunnel appear.
5. Modify the settings.

Tunnel setting: UI configuration

Enable: The new tunnel is enabled by default. It can be disabled if the tunnel is being set up for future use or if you want to stop the tunnel while testing other configuration changes.

Peers:
a. Click the add icon to add a new peer.
- If this Connect EZ 16/32 is the WireGuard client, then only add one peer. The peer is the remote WireGuard server to which it connects.
- If this Connect EZ 16/32 is the WireGuard server, add one or more peers. The peer(s) are the remote WireGuard clients that will connect to this device.
b. Configure the settings for the new peer(s).
If the new peer is to act as the WireGuard server, make sure to configure the following settings:
- [Remote] Public key
- [Remote] Pre-shared key (optional)
- [Remote] Allowed addresses: Only traffic destined for an IP address added here is sent to this peer.
- [Remote] Endpoint address
- [Remote] Endpoint port
If the new peer is to act as a remote WireGuard client, make sure to configure the following settings:
- [Client] Public key
- [Client] Pre-shared key (optional)
- [Local and Remote] Allowed addresses

Device managed private key: Enable to allow the Connect EZ 16/32 to generate its own public and private keys. If this setting is enabled, it triggers the Connect EZ 16/32 to automatically generate a private key and corresponding public key. This private and public key pair is used to establish the encrypted communication between the client and peer via the WireGuard tunnel. To see the public key, navigate to Status > VPN > WireGuard.

Private key: Type the private key for the WireGuard tunnel, if the Device managed private key setting is disabled.

Endpoint port: The WireGuard connection value of 51820 is populated by default.

6. Click Apply to save the configuration and apply the change.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.


2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Save the configuration and apply the change.

(config vpn iptunnel gre_example)> save


Configuration saved.
>

4. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
5. At the command line, type VPN to enter configuration mode for VPN:

> config vpn


(config vpn)>

6. Type wireguard to enter configuration mode for WireGuard.

> config vpn wireguard


(config vpn wireguard)>

7. The table below lists the required settings for creating and configuring a client WireGuard
tunnel.

Configuration Description
add Add a new WireGuard tunnel.

> config vpn wireguard add name


(config)>

Where name is the name of the new WireGuard tunnel.


enable The WireGuard tunnel is enabled by default.
You may want to temporarily disable the tunnel while it is being set up, for
future use, or if you want to stop the tunnel while testing other
configuration changes.
To disable:

(config)> vpn wireguard name enable false


(config)>

To enable:

(config)> vpn wireguard name enable true


(config)>

peer a. Determine if the Connect EZ 16/32 will act as a client or server.
- If this Connect EZ 16/32 is the WireGuard client, then only add one peer. The peer is the remote WireGuard server to which it connects.
- If this Connect EZ 16/32 is the WireGuard server, add one or more peers. The peer(s) are the remote WireGuard clients that will connect to this device.
b. Create the peer(s).

(config)> vpn wireguard name add peer
(config)>

For a peer that acts as the remote WireGuard server, configure the
following settings:
- [Remote] Device managed public key

(config vpn wireguard [name])> generate

Parameters
tunnel Tunnel Name (Required)
peer Peer (Required)
- [Remote] Public key

(config)> vpn wireguard name peer public_key
(config)>

- [Remote] Pre-shared key (optional)

(config)> vpn wireguard name peer psk
(config)>

- [Remote] Allowed addresses: Only traffic destined for an IP address added here will be sent to this peer.

(config)> vpn wireguard name peer overlay
(config)>

- [Remote] Endpoint address

(config)> vpn wireguard name peer endpoint
(config)>

- [Remote] Endpoint port

(config)> vpn wireguard name peer port
(config)>

For a peer(s) that acts as the remote WireGuard client, configure the
following settings:
- [Client] Public key

(config)> vpn wireguard name peer public_key
(config)>

- [Client] Pre-shared key (optional)

(config)> vpn wireguard name peer psk
(config)>

- [Local and Remote] Allowed addresses


autogenerate Enable to allow the Connect EZ 16/32 to generate its own public and
private keys. If this setting is enabled, it triggers the Connect EZ 16/32 to
automatically generate a private key and corresponding public key.
To enable:

> config vpn wireguard add name autogenerate true


(config)>

To disable:

> config vpn wireguard add name autogenerate false


(config)>

port The WireGuard connection value of 51820 is populated by default.

(config)> vpn wireguard name port


(config)>

private-key Type the private key for the WireGuard tunnel, if the Device managed
private key setting is disabled.

> config vpn wireguard add name private key value


(config)>

where value is a 32-byte string encoded in base64.
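Before a manually supplied private key is entered, it can be checked offline for the 32-byte base64 format described above, and its public key can be derived for comparison with the one the device shows under Status > VPN > WireGuard. The following Python sketch is an added example, not Digi code: it implements X25519 from RFC 7748 with the standard library only, the function names are hypothetical, and the sample key is the published RFC 7748 test vector.

```python
"""Offline check of a WireGuard key before it is entered on the device.

Added example: function names are hypothetical and the sample key pair is
the RFC 7748 section 6.1 test vector (constructed input, never deploy it).
Python integers are not constant-time, so use this for verification on an
admin workstation, not as a production key-exchange implementation.
"""
import base64
import binascii
import hmac

P = 2**255 - 19                       # Curve25519 field prime
A24 = 121665                          # (486662 - 2) / 4, from RFC 7748
BASE_POINT = (9).to_bytes(32, "little")

# Constructed sample input: RFC 7748 test vector, re-encoded as base64.
SAMPLE_PRIVATE = base64.b64encode(bytes.fromhex(
    "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")).decode()
SAMPLE_PUBLIC = base64.b64encode(bytes.fromhex(
    "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")).decode()


def decode_wg_key(text: str) -> bytes:
    """Return the 32 raw bytes of a base64 key, or raise ValueError."""
    text = text.strip()
    if len(text) != 44:
        raise ValueError("a 32-byte key is exactly 44 base64 characters")
    try:
        raw = base64.b64decode(text, validate=True)   # rejects URL-safe alphabet
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from None
    if len(raw) != 32:
        raise ValueError(f"decoded to {len(raw)} bytes, expected 32")
    if raw == bytes(32):
        raise ValueError("all-zero key")
    return raw


def _clamp(scalar: bytes) -> int:
    """Apply the X25519 scalar clamping and return the integer."""
    b = bytearray(scalar)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def x25519(scalar: bytes, u_bytes: bytes) -> bytes:
    """Montgomery ladder as specified in RFC 7748 section 5."""
    k = _clamp(scalar)
    x1 = int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key_b64(private_key_b64: str) -> str:
    """Derive the base64 public key that belongs to a base64 private key."""
    raw = decode_wg_key(private_key_b64)
    return base64.b64encode(x25519(raw, BASE_POINT)).decode("ascii")


def check_private_key(private_key_b64: str, shown_public_b64: str) -> bool:
    """True if the public key shown by the device matches the private key."""
    expected = decode_wg_key(shown_public_b64)
    derived = x25519(decode_wg_key(private_key_b64), BASE_POINT)
    return hmac.compare_digest(derived, expected)


if __name__ == "__main__":
    print("derived public key:", public_key_b64(SAMPLE_PRIVATE))
    print("matches expected  :", check_private_key(SAMPLE_PRIVATE, SAMPLE_PUBLIC))
```

A mismatch between the derived public key and the one shown on the status page means the private key on the device is not the one you intended to install.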



Services
This chapter contains the following topics:

Allow remote access for web administration and SSH
Configure the web administration service
Configure SSH access
Use SSH with key authentication
Configure telnet access
Configure DNS
Simple Network Management Protocol (SNMP)
Location information
Modbus gateway
System time synchronization
Network Time Protocol
Configure a multicast route
Ethernet network bonding
Enable service discovery (mDNS)
Use the iPerf service
Configure the ping responder service
Configure AnywhereUSB services


Allow remote access for web administration and SSH


By default, only devices connected to the Connect EZ 16/32's LAN have access to the device via web
administration and SSH. To enable these services for access from remote devices:
- The Connect EZ 16/32 device must have a publicly reachable IP address.
- The External firewall zone must be added to the web administration or SSH service. See Firewall configuration for information on zones.
- See Set the idle timeout for Connect EZ 16/32 users for information about setting the inactivity timeout for the web administration and SSH services.
To allow web administration or SSH for the External firewall zone:

Add the External firewall zone to the web administration service

 Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Services > Web administration > Access Control List > Zones.


4. For Add Zone, click the add icon.

5. Select External.

6. Click Apply to save the configuration and apply the change.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Add the external zone to the web administration service:

(config)> add service web_admin acl zone end external


(config)>

4. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

5. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Add the External firewall zone to the SSH service


 Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Configuration > Services > SSH > Access Control List > Zones.
4. For Add Zone, click the add icon.

5. Select External.

6. Click Apply to save the configuration and apply the change.


 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Add the External zone to the SSH service:

(config)> add service ssh acl zone end external


(config)>

4. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

5. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Configure the web administration service


The web administration service allows you to monitor and configure the Connect EZ 16/32 device by
using the WebUI, a browser-based interface.
By default, the web administration service is enabled and uses the standard HTTPS port, 443. The
default access control for the service uses the Internal firewall zone, which means that only devices
connected to the Connect EZ 16/32's LAN can access the WebUI. If this configuration is sufficient for
your needs, no further configuration is required. See Allow remote access for web administration and
SSH for information about configuring the web administration service to allow access from remote
devices.

Required configuration items


- The web administration service is enabled by default.
- Configure access control for the service.

Additional configuration items


- Port to use for web administration service communication.
- Multicast DNS (mDNS) support.
- An SSL certificate to use for communications with the service.
- Support for legacy encryption protocols.
See Set the idle timeout for Connect EZ 16/32 users for information about setting the inactivity
timeout for the web administration services.


Enable or disable the web administration service


The web administration service is enabled by default. To disable the service, or enable it if it has been
disabled:

 Web

1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Services > Web administration.
4. Click Enable.
5. Click Apply to save the configuration and apply the change.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Enable or disable the web administration service:


- To enable the service:

(config)> service web_admin enable true
(config)>

- To disable the service:

(config)> service web_admin enable false
(config)>

4. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

5. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Configure the service

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Services > Web administration.
4. (Optional) For Port, enter the port number for the service. Normally this should not be
changed.
5. Click Access control list to configure access control:
- To limit access to specified IPv4 addresses and networks:
  a. Click IPv4 Addresses.
  b. For Add Address, click the add icon.
  c. For Address, enter the IPv4 address or network that can access the device's web
     administration service. Allowed values are:
     - A single IP address or host name.
     - A network designation in CIDR notation, for example, 192.168.1.0/24.
     - any: No limit to IPv4 addresses that can access the web administration service.
  d. Click the add icon again to list additional IP addresses or networks.
- To limit access to specified IPv6 addresses and networks:
  a. Click IPv6 Addresses.
  b. For Add Address, click the add icon.
  c. For Address, enter the IPv6 address or network that can access the device's web
     administration service. Allowed values are:
     - A single IP address or host name.
     - A network designation in CIDR notation, for example, 2001:db8::/48.
     - any: No limit to IPv6 addresses that can access the web administration service.
  d. Click the add icon again to list additional IP addresses or networks.
- To limit access to hosts connected through a specified interface on the device:
  a. Click Interfaces.
  b. For Add Interface, click the add icon.
  c. For Interface, select the appropriate interface from the dropdown.
  d. Click the add icon again to allow access through additional interfaces.
- To limit access based on firewall zones:
  a. Click Zones. By default, there are three firewall zones already configured: Internal,
     Edge, and IPsec.
  b. For Add Zone, click the add icon.
  c. For Zone, select the appropriate firewall zone from the dropdown.
     See Firewall configuration for information about firewall zones.
  d. Click the add icon again to allow access through additional firewall zones.
6. Multicast DNS (mDNS) is enabled by default. mDNS is a protocol that resolves host names in
small networks that do not have a DNS server. To disable mDNS, or enable it if it has been
disabled, click Enable mDNS.
7. For SSL certificate, if you have your own signed SSL certificate, paste the certificate and
private key. If SSL certificate is blank, the device will use an automatically-generated,
self-signed certificate.
- The SSL certificate and private key must be in PEM format.
- The private key can use one of the following algorithms:
  - RSA
  - DSA
  - ECDSA
  - ECDH

Note Password-protected certificate keys are not supported.

Example:

a. Generate the SSL certificate and private key, for example:

# openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem

b. Paste the contents of certificate.pem and key.pem into the SSL certificate field. The
contents of the certificate.pem must be first. For example:

8. View is set to Auto by default and normally should not be changed.


9. Legacy port redirection is used to redirect client HTTP requests to the HTTPS service. Legacy
port redirection is enabled by default, and normally these settings should not be changed. To
disable legacy port redirection, click to expand Legacy port redirection and deselect Enable.
10. For Minimum TLS version, select the minimum TLS version that the client can use to
negotiate the HTTPS session.
11. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Configure access control:


- To limit access to specified IPv4 addresses and networks:

(config)> add service web_admin acl address end value
(config)>

Where value can be:
  - A single IP address or host name.
  - A network designation in CIDR notation, for example, 192.168.1.0/24.
  - any: No limit to IPv4 addresses that can access the web administration service.
Repeat this step to list additional IP addresses or networks.

- To limit access to specified IPv6 addresses and networks:

(config)> add service web_admin acl address6 end value
(config)>

Where value can be:
  - A single IP address or host name.
  - A network designation in CIDR notation, for example, 2001:db8::/48.
  - any: No limit to IPv6 addresses that can access the web administration service.
Repeat this step to list additional IP addresses or networks.

- To limit access to hosts connected through a specified interface on the Connect EZ
  16/32 device:

(config)> add service web_admin acl interface end value
(config)>

Where value is an interface defined on your device.

Display a list of available interfaces:

Use ... network interface ? to display interface information:

Repeat this step to list additional interfaces.

- To limit access based on firewall zones:

(config)> add service web_admin acl zone end value
(config)>

Where value is a firewall zone defined on your device, or the any keyword.

Display a list of available firewall zones:

Type ... firewall zone ? at the config prompt:

(config)> ... firewall zone ?

Zones: A list of groups of network interfaces that can be referred to by packet
filtering rules and access control lists.

Additional Configuration
-------------------------------------------------------------------------------
any
dynamic_routes
edge
external
internal
ipsec
loopback
setup

(config)>

Repeat this step to include additional firewall zones.


4. (Optional) If you have your own signed SSL certificate, set the certificate and private key by
pasting their contents into the service web_admin cert command. Enclose the certificate and
private key contents in quotes (").

(config)> service web_admin cert "ssl-cert-and-private-key"
(config)>

- If SSL certificate is blank, the device will use an automatically-generated, self-signed
  certificate.
- The SSL certificate and private key must be in PEM format.
- The private key can use one of the following algorithms:
  - RSA
  - DSA
  - ECDSA
  - ECDH

Note Password-protected certificate keys are not supported.

Example
a. Generate the SSL certificate and private key, for example:

# openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem

b. Paste the contents of certificate.pem and key.pem into the service web_admin cert
command. Enclose the contents of certificate.pem and key.pem in quotes. For example:

(config)> service web_admin cert "-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----"
(config)>

5. (Optional) Configure Multicast DNS (mDNS):


mDNS is a protocol that resolves host names in small networks that do not have a DNS server.
mDNS is enabled by default. To disable mDNS, or enable it if it has been disabled:
- To enable the mDNS protocol:

(config)> service web_admin mdns enable true
(config)>

- To disable the mDNS protocol:

(config)> service web_admin mdns enable false
(config)>

6. (Optional) Set the port number for this service.


The default setting of 443 normally should not be changed.

(config)> service web_admin port 444


(config)>

7. (Optional) Set the minimum TLS version that the client can use to negotiate the HTTPS
session:

(config)> service web_admin legacy_encryption value
(config)>

where value is one of:
- TLS-1_1
- TLS-1_2
- TLS-1_3
The default is TLS-1_2.
8. (Optional) Disable legacy port redirection.
Legacy port redirection is used to redirect client HTTP requests to the HTTPS service. Legacy
port redirection is enabled by default, and normally these settings should not be changed.
To disable legacy port redirection:

(config)> service web_admin legacy enable false


(config)>

9. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

10. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
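
A preflight check for the certificate bundle before it is pasted into the SSL certificate field or the service web_admin cert command. This is an added example, not Digi code; it checks only what the guide requires (PEM format, certificate first, key not password-protected), and the sample blocks are constructed placeholders rather than real certificates or keys.

```python
import base64
import re

# One PEM block: BEGIN line, body, matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S
)


def make_pem(label, raw):
    """Wrap bytes as a PEM block (used here only to build constructed samples)."""
    b64 = base64.b64encode(raw).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def check_bundle(text):
    """Return a list of problems in a certificate-plus-key bundle; empty means OK."""
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return ["no PEM blocks found; DER or another format was pasted"]
    problems = []
    labels = [label for label, _ in blocks]
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    elif labels[0] != "CERTIFICATE":
        problems.append("certificate must come before the private key")
    if not any(label.endswith("PRIVATE KEY") for label in labels):
        problems.append("no private key block")
    for label, body in blocks:
        # PKCS#8 encrypted keys have their own label; legacy encrypted keys
        # carry a Proc-Type header inside the block.
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("private key is password-protected")
            continue
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append("%s block is not valid base64" % label)
    return problems


# Constructed sample material: the bodies are placeholder bytes, not real keys.
SAMPLE_CERT = make_pem("CERTIFICATE", b"constructed placeholder certificate bytes")
SAMPLE_KEY = make_pem("PRIVATE KEY", b"constructed placeholder key bytes")
SAMPLE_ENCRYPTED_KEY = make_pem("ENCRYPTED PRIVATE KEY", b"constructed placeholder")

if __name__ == "__main__":
    for name, bundle in [
        ("certificate first", SAMPLE_CERT + SAMPLE_KEY),
        ("key first", SAMPLE_KEY + SAMPLE_CERT),
        ("encrypted key", SAMPLE_CERT + SAMPLE_ENCRYPTED_KEY),
    ]:
        print(name, "->", check_bundle(bundle) or "ok")
```

The check is structural only: it does not verify that the private key belongs to the certificate.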


Configure SSH access


The Connect EZ 16/32's default configuration has SSH access enabled, and allows SSH access to the
device from authorized users within the Internal firewall zone. If this configuration is sufficient for
your needs, no further configuration is required. See Allow remote access for web administration and
SSH for information about configuring the SSH service to allow access from remote devices.

Required configuration items

- Enable SSH access.
- Configure access control for the SSH service.

Additional configuration items

- Port to use for communications with the SSH service.
- Multicast DNS (mDNS) support.
- A private key to use for communications with the SSH service.
- Create custom SSH configuration settings.
See Set the idle timeout for Connect EZ 16/32 users for information about setting the inactivity
timeout for the SSH service.

Enable or disable the SSH service


The SSH service is enabled by default. To disable the service, or enable it if it has been disabled:

Web

1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Services > SSH.


4. Click Enable.
5. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Enable or disable the SSH service:


- To enable the service:

(config)> service ssh enable true
(config)>

- To disable the service:

(config)> service ssh enable false
(config)>

4. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

5. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Configure the service

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.


Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Services > SSH.
4. (Optional) For Port, enter the port number for the service. Normally this should not be
changed.
5. Click Access control list to configure access control:
- To limit access to specified IPv4 addresses and networks:
  a. Click IPv4 Addresses.
  b. For Add Address, click the add icon.
  c. For Address, enter the IPv4 address or network that can access the device's SSH
     service. Allowed values are:
     - A single IP address or host name.
     - A network designation in CIDR notation, for example, 192.168.1.0/24.
     - any: No limit to IPv4 addresses that can access the SSH service.
  d. Click the add icon again to list additional IP addresses or networks.
- To limit access to specified IPv6 addresses and networks:
  a. Click IPv6 Addresses.
  b. For Add Address, click the add icon.
  c. For Address, enter the IPv6 address or network that can access the device's SSH
     service. Allowed values are:
     - A single IP address or host name.
     - A network designation in CIDR notation, for example, 2001:db8::/48.
     - any: No limit to IPv6 addresses that can access the SSH service.
  d. Click the add icon again to list additional IP addresses or networks.
- To limit access to hosts connected through a specified interface on the device:
  a. Click Interfaces.
  b. For Add Interface, click the add icon.
  c. For Interface, select the appropriate interface from the dropdown.
  d. Click the add icon again to allow access through additional interfaces.
- To limit access based on firewall zones:
  a. Click Zones. By default, there are three firewall zones already configured: Internal,
     Edge, and IPsec.
  b. For Add Zone, click the add icon.
  c. For Zone, select the appropriate firewall zone from the dropdown.
     See Firewall configuration for information about firewall zones.
  d. Click the add icon again to allow access through additional firewall zones.


6. Multicast DNS (mDNS) is enabled by default. mDNS is a protocol that resolves host names in
small networks that do not have a DNS server. To disable mDNS, or enable it if it has been
disabled, click Enable mDNS.
7. For Private key, type the private key in PEM format. If Private key is blank, the device will use
an automatically-generated key.
8. To create custom SSH configuration settings:
a. Click to expand Custom configuration.
b. Click Enable.
c. For Override:
   - If Override is enabled, entries in Configuration file will be used in place of the
     standard SSH configuration.
   - If Override is not enabled, entries in Configuration file will be added to the
     standard SSH configuration.
d. For Configuration file, type configuration settings in the form of an OpenSSH sshd_config
file.
For example, to enable the diffie-hellman-group14-sha1 key exchange algorithm:
i. Click Enable to enable SSH custom configuration.
ii. Leave Override disabled.
iii. For Configuration file, type the following:

KexAlgorithms +diffie-hellman-group14-sha1

9. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Configure access control:


- To limit access to specified IPv4 addresses and networks:

(config)> add service ssh acl address end value
(config)>

Where value can be:
  - A single IP address or host name.
  - A network designation in CIDR notation, for example, 192.168.1.0/24.
  - any: No limit to IPv4 addresses that can access the SSH service.
Repeat this step to list additional IP addresses or networks.

- To limit access to specified IPv6 addresses and networks:

(config)> add service ssh acl address6 end value
(config)>

Where value can be:
  - A single IP address or host name.
  - A network designation in CIDR notation, for example, 2001:db8::/48.
  - any: No limit to IPv6 addresses that can access the SSH service.
Repeat this step to list additional IP addresses or networks.

- To limit access to hosts connected through a specified interface on the Connect EZ
  16/32 device:

(config)> add service ssh acl interface end value
(config)>

Where value is an interface defined on your device.

Display a list of available interfaces:

Use ... network interface ? to display interface information:

Repeat this step to list additional interfaces.

- To limit access based on firewall zones:

(config)> add service ssh acl zone end value
(config)>

Where value is a firewall zone defined on your device, or the any keyword.

Display a list of available firewall zones:

Type ... firewall zone ? at the config prompt:

(config)> ... firewall zone ?

Zones: A list of groups of network interfaces that can be referred to by packet
filtering rules and access control lists.

Additional Configuration
-------------------------------------------------------------------------------
any
dynamic_routes
edge
external
internal
ipsec
loopback
setup

(config)>

Repeat this step to include additional firewall zones.


4. (Optional) Set the private key in PEM format. If not set, the device will use an automatically-
generated key.

(config)> service ssh key key.pem


(config)>

5. (Optional) Configure Multicast DNS (mDNS)


mDNS is a protocol that resolves host names in small networks that do not have a DNS server.
mDNS is enabled by default. To disable mDNS, or enable it if it has been disabled:
- To enable the mDNS protocol:

(config)> service ssh mdns enable true
(config)>

- To disable the mDNS protocol:

(config)> service ssh mdns enable false
(config)>

6. (Optional) Set the port number for this service.


The default setting of 22 normally should not be changed.

(config)> service ssh port 24


(config)>

7. To create custom SSH configuration settings:


a. Enable custom configurations:

(config)> service ssh custom enable true


(config)>

b. To override the standard SSH configuration and only use the config_file parameter:

(config)> service ssh custom override true


(config)>

- If override is set to true, entries in Configuration file will be used in place of the
  standard SSH configuration.
- If override is set to false, entries in Configuration file will be added to the
  standard SSH configuration.
The default is false.
c. Set the configuration settings:

(config)> service ssh custom config_file value
(config)>

where value is one or more entries in the form of an OpenSSH sshd_config file. For
example, to enable the diffie-hellman-group14-sha1 key exchange algorithm:

(config)> service ssh custom config_file "KexAlgorithms +diffie-hellman-group14-sha1"
(config)>

8. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

9. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
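
What the + prefix in the KexAlgorithms line above does, following OpenSSH's list-modifier rules, together with a check for SHA-1-based methods in the resulting list. This is an added example, not Digi code; DEFAULT_KEX is a constructed list for illustration, not the device's default set.

```python
from fnmatch import fnmatchcase

# Constructed default list for illustration only; not the device's actual defaults.
DEFAULT_KEX = [
    "curve25519-sha256",
    "ecdh-sha2-nistp256",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group14-sha256",
]


def apply_kex(default, value):
    """Apply one KexAlgorithms value using OpenSSH's +, - and ^ list modifiers."""
    op = value[0] if value[:1] in ("+", "-", "^") else ""
    names = [n for n in value[len(op):].split(",") if n]
    if op == "+":   # append to the default set
        return default + [n for n in names if n not in default]
    if op == "^":   # place at the head of the default set
        return names + [d for d in default if d not in names]
    if op == "-":   # remove from the default set, wildcards allowed
        return [d for d in default if not any(fnmatchcase(d, p) for p in names)]
    return names    # no prefix: the list replaces the default set


def effective_kex(default, config_text):
    """Return the key exchange list that an sshd_config fragment produces."""
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "kexalgorithms":
            # sshd keeps the first value it obtains for a keyword.
            return apply_kex(default, parts[1].strip())
    return list(default)


def sha1_based(kex):
    """Key exchange methods whose hash is SHA-1."""
    return [k for k in kex if k.endswith("-sha1")]


if __name__ == "__main__":
    fragment = "KexAlgorithms +diffie-hellman-group14-sha1"  # the guide's example line
    kex = effective_kex(DEFAULT_KEX, fragment)
    print("effective list:", kex)
    print("SHA-1 based   :", sha1_based(kex))
```

With the + prefix the legacy method is added after the existing ones; the same line without the prefix would leave it as the only key exchange method offered.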


Use SSH with key authentication


Rather than using passwords, you can use SSH keys to authenticate users connecting via SSH, SFTP,
or SCP. SSH keys provide security and scalability:
- Security: Using SSH keys for authentication is more secure than using passwords. Unlike a
  password that can be guessed by an unauthorized user, SSH key pairs provide more
  sophisticated security. A public key configured on the Connect EZ device is paired with a
  private key on the user's PC. The private key, once generated, remains on the user’s PC.
- Scalability: SSH keys can be used on more than one Connect EZ device.

Generating SSH key pairs


On a Microsoft Windows PC, you can generate SSH key pairs using a terminal emulator application,
such as PuTTY or Tera Term.
On a Linux host, an SSH key pair is usually created automatically in the user’s .ssh directory. The
private and public keys are named id_rsa and id_rsa.pub. If you need to generate an SSH key pair,
you can use the ssh-keygen application.
For example, the following entry generates an RSA key pair in the user's .ssh directory:

ssh-keygen -t rsa -f ~/.ssh/id_rsa

The private key file is named id_rsa and the public key file is named id_rsa.pub. (The .pub extension
is automatically appended to the name specified for the private key output file.)

Required configuration items


- Name for the user
- SSH public key for the user

Additional configuration items

- If you want to access the Connect EZ device using SSH over a WAN interface, configure the
  access control list for the SSH service to allow SSH access for the External firewall zone.

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.


Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Authentication > Users.
4. Select an existing user or create a new user. See User authentication for information about
creating a new user.
5. Click SSH keys.
6. In Add SSH key, enter a name for the SSH key and click the add icon.
7. Enter the public SSH key by pasting or typing a public encryption key that this user can use for
passwordless SSH login.
8. Click Apply to save the configuration and apply the change.

Command line
You can configure passwordless SSH login for an existing user or include the support when
creating a new user. See User authentication for information about creating a new user. These
instructions assume an existing user named temp_user.

1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Add an SSH key for the user by using the ssh_key command and pasting or typing a public
encryption key:

(config)> add auth user temp_user ssh_key key_name key
(config)>

where:
- key_name is a name for the key.
- key is a public SSH key, which you can enter by pasting or typing a public encryption
  key that this user can use for passwordless SSH login.
4. Save the configuration and apply the change.

(config)> save
Configuration saved.
>


5. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
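
A check of a public key line before it is pasted into the SSH keys field or the ssh_key command, catching a pasted private key, a truncated paste and an undersized RSA key. This is an added example, not Digi code; the 2048-bit RSA floor is the example's own choice, and the sample lines are constructed and are not usable keys.

```python
import base64
import struct

MIN_RSA_BITS = 2048  # threshold chosen for this example


def read_string(blob, offset):
    """Read one SSH wire-format string: uint32 length, then that many bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def inspect_public_key(line):
    """Validate one OpenSSH public key line and return its type, size and comment."""
    if "PRIVATE KEY" in line:
        raise ValueError("this is a private key; only the .pub contents go on the device")
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, encoded = fields[0], fields[1]
    blob = base64.b64decode(encoded, validate=True)  # raises ValueError on bad input
    inner, offset = read_string(blob, 0)
    if inner != key_type.encode("ascii", "replace"):
        raise ValueError("key type prefix does not match the encoded key")
    info = {"type": key_type, "bits": None, "comment": " ".join(fields[2:]), "weak": False}
    if key_type == "ssh-rsa":
        _exponent, offset = read_string(blob, offset)
        modulus, offset = read_string(blob, offset)
        info["bits"] = int.from_bytes(modulus, "big").bit_length()
        info["weak"] = info["bits"] < MIN_RSA_BITS
    elif key_type == "ssh-ed25519":
        point, offset = read_string(blob, offset)
        if len(point) != 32:
            raise ValueError("ed25519 public key must be 32 bytes")
        info["bits"] = 256
    return info


def make_sample_rsa_line(bits):
    """Build a constructed ssh-rsa line of the given size (not a usable key)."""
    def wire(data):
        return struct.pack(">I", len(data)) + data
    modulus = (1 << (bits - 1)) | 1  # right length, not a real RSA modulus
    n_bytes = b"\x00" + modulus.to_bytes(bits // 8, "big")  # leading zero keeps the mpint positive
    blob = wire(b"ssh-rsa") + wire(b"\x01\x00\x01") + wire(n_bytes)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " constructed@example"


if __name__ == "__main__":
    for bits in (2048, 1024):
        print(inspect_public_key(make_sample_rsa_line(bits)))
```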


Configure telnet access


By default, the telnet service is disabled.

Note Telnet is an insecure protocol and should only be used for backward-compatibility reasons, and
only if the network connection is otherwise secured.

Required configuration items

- Enable telnet access.
- Configure access control for the telnet service.

Additional configuration items

- Port to use for communications with the telnet service.
- Multicast DNS (mDNS) support.
See Set the idle timeout for Connect EZ 16/32 users for information about setting the inactivity
timeout for the telnet service.

Enable the telnet service


The telnet service is disabled by default. To enable the service:

Web

1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Services > telnet.


4. Click Enable.
5. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Enable the telnet service:

(config)> service telnet enable true


(config)>

4. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

5. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Configure the service

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Services > telnet.
4. (Optional) For Port, enter the port number for the service. Normally this should not be
changed.
5. Click Access control list to configure access control:
- To limit access to specified IPv4 addresses and networks:
  a. Click IPv4 Addresses.
  b. For Add Address, click the add icon.
  c. For Address, enter the IPv4 address or network that can access the device's telnet
     service. Allowed values are:
     - A single IP address or host name.
     - A network designation in CIDR notation, for example, 192.168.1.0/24.
     - any: No limit to IPv4 addresses that can access the telnet service.
  d. Click the add icon again to list additional IP addresses or networks.
- To limit access to specified IPv6 addresses and networks:
  a. Click IPv6 Addresses.
  b. For Add Address, click the add icon.
  c. For Address, enter the IPv6 address or network that can access the device's telnet
     service. Allowed values are:
     - A single IP address or host name.
     - A network designation in CIDR notation, for example, 2001:db8::/48.
     - any: No limit to IPv6 addresses that can access the telnet service.
  d. Click the add icon again to list additional IP addresses or networks.
- To limit access to hosts connected through a specified interface on the device:
  a. Click Interfaces.
  b. For Add Interface, click the add icon.
  c. For Interface, select the appropriate interface from the dropdown.
  d. Click the add icon again to allow access through additional interfaces.
- To limit access based on firewall zones:
  a. Click Zones. By default, there are three firewall zones already configured: Internal,
     Edge, and IPsec.
  b. For Add Zone, click the add icon.
  c. For Zone, select the appropriate firewall zone from the dropdown.
     See Firewall configuration for information about firewall zones.
  d. Click the add icon again to allow access through additional firewall zones.


6. Multicast DNS (mDNS) is disabled by default. mDNS is a protocol that resolves host names in
small networks that do not have a DNS server. To enable mDNS, click Enable mDNS.
7. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Configure access control:


- To limit access to specified IPv4 addresses and networks:

(config)> add service telnet acl address end value
(config)>

Where value can be:
  - A single IP address or host name.
  - A network designation in CIDR notation, for example, 192.168.1.0/24.
  - any: No limit to IPv4 addresses that can access the telnet service.
Repeat this step to list additional IP addresses or networks.

- To limit access to specified IPv6 addresses and networks:

(config)> add service telnet acl address6 end value
(config)>

Where value can be:
  - A single IP address or host name.
  - A network designation in CIDR notation, for example, 2001:db8::/48.
  - any: No limit to IPv6 addresses that can access the telnet service.
Repeat this step to list additional IP addresses or networks.

- To limit access to hosts connected through a specified interface on the Connect EZ
  16/32 device:

(config)> add service telnet acl interface end value
(config)>

Where value is an interface defined on your device.

Display a list of available interfaces:

Use ... network interface ? to display interface information:

Repeat this step to list additional interfaces.

- To limit access based on firewall zones:

(config)> add service telnet acl zone end value
(config)>

Where value is a firewall zone defined on your device, or the any keyword.

Display a list of available firewall zones:

Type ... firewall zone ? at the config prompt:

(config)> ... firewall zone ?

Zones: A list of groups of network interfaces that can be referred to by packet
filtering rules and access control lists.

Additional Configuration
-------------------------------------------------------------------------------
any
dynamic_routes
edge
external
internal
ipsec
loopback
setup

(config)>

Repeat this step to include additional firewall zones.


4. (Optional) Configure Multicast DNS (mDNS)
mDNS is a protocol that resolves host names in small networks that do not have a DNS server.
mDNS is disabled by default. To enable:

(config)> service telnet mdns enable true
(config)>

5. (Optional) Set the port number for this service.


The default setting of 23 normally should not be changed.

(config)> service telnet port 25


(config)>

6. Save the configuration and apply the change.

(config)> save
Configuration saved.
>


7. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
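
An audit pass over access control list entries written in the CLI syntax shown above for the web administration, SSH and telnet services. This is an added example, not Digi code; the review policy (flagging any, /0 networks and the external zone) and the sample lines are assumptions of the example, not device rules.

```python
import ipaddress
import re

# Matches the guide's syntax, with or without the "(config)>" prompt in front.
ACL_LINE = re.compile(
    r"^(?:\(config\)>\s*)?add service (\S+) acl (address6?|interface|zone) end (\S+)$"
)
# Zones this example treats as wide exposure (an assumption, not a device rule).
WIDE_ZONES = {"any", "external"}


def audit_entry(service, kind, value):
    """Return review findings for one ACL entry."""
    findings = []
    if kind in ("address", "address6"):
        family = 4 if kind == "address" else 6
        if value == "any":
            findings.append("no source address restriction")
        else:
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                if "/" in value:
                    findings.append("malformed CIDR value")
                else:
                    findings.append("not an IP literal, treated as a host name")
            else:
                if net.version != family:
                    findings.append("IPv%d value in the %s list" % (net.version, kind))
                elif net.prefixlen == 0:
                    findings.append("/0 network is the same as any")
    elif kind == "zone" and value in WIDE_ZONES:
        findings.append("reachable from firewall zone %s" % value)
    if findings and service == "telnet":
        # The guide notes that telnet is an insecure protocol.
        findings.append("telnet is an insecure protocol")
    return findings


def audit(lines):
    """Return (line_number, service, kind, value, findings) for entries needing review."""
    report = []
    for number, line in enumerate(lines, 1):
        match = ACL_LINE.match(line.strip())
        if not match:
            continue
        findings = audit_entry(*match.groups())
        if findings:
            report.append((number,) + match.groups() + (findings,))
    return report


# Constructed configuration lines in the guide's CLI syntax.
SAMPLE = """\
(config)> add service web_admin acl address end 192.168.1.0/24
(config)> add service web_admin acl zone end internal
(config)> add service ssh acl address6 end 2001:db8::/48
(config)> add service ssh acl zone end external
(config)> add service ssh acl address end 0.0.0.0/0
(config)> add service telnet acl address end any
(config)> add service telnet acl address end 2001:db8::1
(config)> add service web_admin acl address end 192.168.1.0/33
"""

if __name__ == "__main__":
    for number, service, kind, value, findings in audit(SAMPLE.splitlines()):
        print("line %d: %s %s %s -> %s" % (number, service, kind, value, "; ".join(findings)))
```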

Configure DNS
The Connect EZ 16/32 device includes a caching DNS server which forwards queries to the DNS servers
that are associated with the network interfaces, and caches the results. This server is used within the
device, and cannot be disabled. Use the access control list to restrict external access to this server.

Required configuration items


n Configure access control for the DNS service.

Additional configuration items


n Whether the device should cache negative responses.
n Whether the device should always perform DNS queries to all available DNS servers.
n Whether to prevent upstream DNS servers from returning private IP addresses.
n Additional DNS servers, in addition to the ones associated with the device's network interfaces.
n Specific host names and their IP addresses.
The device is configured by default with the hostname digi.device, which corresponds to the
192.168.210.1 IP address.
To configure the DNS server:

 Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.


The Configuration window is displayed.


3. Click Services > DNS.
4. Click Access control list to configure access control:
n To limit access to specified IPv4 addresses and networks:
a. Click IPv4 Addresses.
b. For Add Address, click .
c. For Address, enter the IPv4 address or network that can access the device's DNS
service. Allowed values are:
l A single IP address or host name.
l A network designation in CIDR notation, for example, 192.168.1.0/24.
l any: No limit to IPv4 addresses that can access the DNS service.
d. Click  again to list additional IP addresses or networks.
n To limit access to specified IPv6 addresses and networks:
a. Click IPv6 Addresses.
b. For Add Address, click .
c. For Address, enter the IPv6 address or network that can access the device's DNS
service. Allowed values are:
l A single IP address or host name.
l A network designation in CIDR notation, for example, 2001:db8::/48.
l any: No limit to IPv6 addresses that can access the DNS service.
d. Click  again to list additional IP addresses or networks.
n To limit access to hosts connected through a specified interface on the device:
a. Click Interfaces.
b. For Add Interface, click .
c. For Interface, select the appropriate interface from the dropdown.
d. Click  again to allow access through additional interfaces.
n To limit access based on firewall zones:
a. Click Zones. By default, there are three firewall zones already configured: Internal,
Edge, and IPsec.
b. For Add Zone, click .
c. For Zone, select the appropriate firewall zone from the dropdown.
See Firewall configuration for information about firewall zones.
d. Click  again to allow access through additional firewall zones.
5. (Optional) Cache negative responses is enabled by default. Disabling this option may improve
performance on networks with transient DNS results, when one or more DNS servers may have
positive results. To disable, click to toggle off Cache negative responses.
6. (Optional) Query all servers is enabled by default. This option is useful when only some DNS
servers will be able to resolve hostnames. To disable, click to toggle off Query all servers.
7. (Optional) Rebind protection, if enabled, prevents upstream DNS servers from returning
private IP addresses. To enable, click Rebind protection.


8. (Optional) Allow localhost rebinding is enabled by default if Rebind protection is enabled.


This is useful for Real-time Black List (RBL) servers.
9. (Optional) Type the IP address of the Fallback server. This is a DNS server to be used in the
absence of any other server. The default is 8.8.8.8.
10. (Optional) To add additional DNS servers:
a. Click DNS servers.
b. For Add Server, click .
c. (Optional) Enter a label for the DNS server.
d. For DNS server, enter the IP address of the DNS server.
e. Domain restricts the device's use of this DNS server based on the domain. If no domains
are listed, then all queries may be sent to this server.
11. (Optional) To add host names and their IP addresses that the device's DNS server will resolve:
a. Click Additional DNS hostnames.
b. For Add Host, click .
c. Type the IP address of the host.
d. For Name, type the hostname.
12. Click Apply to save the configuration and apply the change.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Configure access control:


n To limit access to specified IPv4 addresses and networks:

(config)> add service dns acl address end value


(config)>

Where value can be:


l A single IP address or host name.
l A network designation in CIDR notation, for example, 192.168.1.0/24.
l any: No limit to IPv4 addresses that can access the DNS service.
Repeat this step to list additional IP addresses or networks.
n To limit access to specified IPv6 addresses and networks:

(config)> add service dns acl address6 end value


(config)>

Where value can be:

l A single IP address or host name.
l A network designation in CIDR notation, for example, 2001:db8::/48.
l any: No limit to IPv6 addresses that can access the DNS service.
Repeat this step to list additional IP addresses or networks.
n To limit access to hosts connected through a specified interface on the Connect EZ
16/32 device:

(config)> add service dns acl interface end value


(config)>

Where value is an interface defined on your device.

Display a list of available interfaces:


Use ... network interface ? to display interface information:

Repeat this step to list additional interfaces.


n To limit access based on firewall zones:

(config)> add service dns acl zone end value


(config)>

Where value is a firewall zone defined on your device, or the any keyword.

Display a list of available firewall zones:


Type ... firewall zone ? at the config prompt:

(config)> ... firewall zone ?

Zones: A list of groups of network interfaces that can be referred to by packet
filtering rules and access control lists.

Additional Configuration
-------------------------------------------------------------------------------
any
dynamic_routes
edge
external
internal
ipsec
loopback
setup

(config)>

Repeat this step to include additional firewall zones.


4. (Optional) Cache negative responses
By default, the device's DNS server caches negative responses. Disabling this option may
improve performance on networks with transient DNS results, when one or more DNS servers
may have positive results. To disable:

(config)> service dns cache_negative_responses false


(config)>

5. (Optional) Query all servers


By default, the device's DNS server queries all available DNS servers. Disabling this option may
improve performance on networks with transient DNS results, when one or more DNS servers
may have positive results. To disable:

(config)> service dns query_all_servers false


(config)>

6. (Optional) Rebind protection


By default, rebind protection is disabled. If enabled, this prevents upstream DNS servers from
returning private IP addresses. To enable:

(config)> service dns stop_dns_rebind true


(config)>

7. (Optional) Allow localhost rebinding


Localhost rebinding is enabled by default if rebind protection is enabled. This is
useful for Real-time Black List (RBL) servers. To disable:

(config)> service dns rebind_localhost_ok false


(config)>

8. (Optional) Fallback server


Configure the IP address of the DNS server to be used in the absence of any other server. The
default is 8.8.8.8.

(config)> service dns fallback_server value


(config)>

9. (Optional) Add additional DNS servers


a. Add a DNS server:

(config)> add service dns server end


(config service dns server 0)>

b. Set the IP address of the DNS server:

(config service dns server 0)> address ip-addr


(config service dns server 0)>

c. To restrict the device's use of this DNS server based on the domain, use the domain
command. If no domains are listed, then all queries may be sent to this server.

(config service dns server 0)> domain domain


(config service dns server 0)>


d. (Optional) Set a label for this DNS server:

(config service dns server 0)> label label


(config service dns server 0)>

10. (Optional) Add host names and their IP addresses that the device's DNS server will resolve
a. Add a host:

(config)> add service dns host end


(config service dns host 0)>

b. Set the IP address of the host:

(config service dns host 0)> address ip-addr


(config service dns host 0)>

c. Set the host name:

(config service dns host 0)> name host-name


(config service dns host 0)>

11. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

12. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
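
The effect of the Rebind protection and Allow localhost rebinding settings described above can be modeled offline. The following is an added example, not Digi code: the parameter names mirror the stop_dns_rebind and rebind_localhost_ok settings, while the list of ranges treated as private, the whole-reply rejection, and the sample replies are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: the guide does not list which ranges count as "private"; this
# model uses the RFC 1918, loopback, link-local and unique-local blocks.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]
LOOPBACK_V4 = ipaddress.ip_network("127.0.0.0/8")


def private_answers(addresses, stop_dns_rebind=True, rebind_localhost_ok=True):
    """Return the answer addresses that rebind protection would object to."""
    if not stop_dns_rebind:
        return []  # protection off: every upstream answer is passed through
    flagged = []
    for text in addresses:
        ip = ipaddress.ip_address(text)
        # An IPv4-mapped IPv6 answer (::ffff:a.b.c.d) is judged as the IPv4
        # address it embeds, otherwise it would slip past the IPv4 ranges.
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        # RBL servers encode their verdict as a 127.0.0.0/8 answer, which is
        # why localhost answers are exempted when rebind_localhost_ok is set.
        if rebind_localhost_ok and ip.version == 4 and ip in LOOPBACK_V4:
            continue
        if any(ip.version == net.version and ip in net for net in PRIVATE_NETS):
            flagged.append(text)
    return flagged


def accept_reply(addresses, **settings):
    """Assumption: a reply is rejected as a whole if any address is flagged."""
    return not private_answers(addresses, **settings)


# Constructed upstream replies. 192.168.210.1 is the device's default address
# from the guide; the host names and other addresses are illustrative only.
SAMPLE_REPLIES = {
    "www.example.net": ["203.0.113.10"],
    "rebind.example.net": ["203.0.113.10", "192.168.210.1"],
    "2.0.0.127.rbl.example.org": ["127.0.0.2"],
    "mapped.example.net": ["::ffff:10.0.0.5"],
}

if __name__ == "__main__":
    for name, addrs in SAMPLE_REPLIES.items():
        for localhost_ok in (True, False):
            ok = accept_reply(addrs, rebind_localhost_ok=localhost_ok)
            verdict = "accept" if ok else "reject"
            print(f"{name:28} rebind_localhost_ok={localhost_ok!s:5} {verdict}")
```
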

Show DNS server


You can display status for DNS servers. This command is available only at the Admin CLI.

 Command line

Show DNS information


1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. Use the show dns command at the system prompt:

> show dns

Interface  Label  Server                    Domain
---------  -----  ------------------------  ------
eth1              192.168.3.1
eth1              fd00:2704::1
eth1              fe80::227:4ff:fe2b:ae12
eth1              fe80::227:4ff:fe44:105b
eth1              fe80::240:ffff:fe80:23b0

>

3. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.


Simple Network Management Protocol (SNMP)


Simple Network Management Protocol (SNMP) is a protocol for remotely managing and monitoring
network devices. Network administrators can use the SNMP architecture to manage nodes, including
servers, workstations, routers, switches, hubs, and other equipment on an IP network, manage
network performance, find and solve network problems, and plan for network growth.
The Connect EZ 16/32 device supports both SNMPv3 and SNMPv2c in read-only mode. Both are
disabled by default. SNMPv1 is not supported.

SNMP Security
By default, the Connect EZ 16/32 device automatically blocks SNMP packets from being received over
WAN and LAN interfaces. As a result, if you want a Connect EZ 16/32 device to receive SNMP packets,
you must configure the SNMP access control list to allow the device to receive the packets. See
Configure Simple Network Management Protocol (SNMP).

Standard and custom Management Information Bases (MIB)


The standard MIB defines the properties and access permissions for various managed objects so that
you can query standard information about a device, like system contact or system location via SNMP
monitoring. The custom MIB defines the unique properties and access permissions not found in the
standard MIB. To view the MIB list, see Download MIBs.

Dynamic SNMP
To expose a specific device property for SNMP monitoring that is not included in the standard MIB -
properties like serial number, system firmware version, hardware model name, and dynamic properties
- you can query the runtime database for the property value and then add a Dynamic SNMP. The
device property is added to the custom MIB.

Configure Simple Network Management Protocol (SNMP)


Required configuration items
n Enable SNMP.
n Firewall configuration using access control to allow remote connections to the SNMP agent.
n The user name and password used to connect to the SNMP agent.

Additional configuration items


n The port used by the SNMP agent.
n Authentication type (either MD5 or SHA).
n Privacy protocol (either DES or AES).
n Privacy passphrase, if different than the SNMP user password.
n Enable Multicast DNS (mDNS) support.
To configure the SNMP agent on your Connect EZ 16/32 device:

 Web


1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Services > SNMP.
4. Click Enable.
5. Click Access control list to configure access control:
n To limit access to specified IPv4 addresses and networks:
a. Click IPv4 Addresses.
b. For Add Address, click .
c. For Address, enter the IPv4 address or network that can access the device's SNMP
agent. Allowed values are:
l A single IP address or host name.
l A network designation in CIDR notation, for example, 192.168.1.0/24.
l any: No limit to IPv4 addresses that can access the SNMP agent.
d. Click  again to list additional IP addresses or networks.
n To limit access to specified IPv6 addresses and networks:
a. Click IPv6 Addresses.
b. For Add Address, click .
c. For Address, enter the IPv6 address or network that can access the device's SNMP
agent. Allowed values are:
l A single IP address or host name.
l A network designation in CIDR notation, for example, 2001:db8::/48.
l any: No limit to IPv6 addresses that can access the SNMP agent.
d. Click  again to list additional IP addresses or networks.


n To limit access to hosts connected through a specified interface on the device:


a. Click Interfaces.
b. For Add Interface, click .
c. For Interface, select the appropriate interface from the dropdown.
d. Click  again to allow access through additional interfaces.
n To limit access based on firewall zones:
a. Click Zones. By default, there are three firewall zones already configured: Internal,
Edge, and IPsec.
b. For Add Zone, click .
c. For Zone, select the appropriate firewall zone from the dropdown.
See Firewall configuration for information about firewall zones.
d. Click  again to allow access through additional firewall zones.
6. Type the Username used to connect to the SNMP agent.
7. Type the Password used to connect to the SNMP agent.
8. (Optional) For Port, type the port number. The default is 161.
9. (Optional) Multicast DNS (mDNS) is disabled by default. mDNS is a protocol that resolves host
names in small networks that do not have a DNS server. To enable mDNS, click Enable mDNS.
10. (Optional) Select the Authentication type, either MD5 or SHA. The default is MD5.
11. (Optional) Type the Privacy passphrase. If not set, the password, entered above, is used.
12. (Optional) Select the Privacy protocol, either DES or AES. The default is DES.
13. (Optional) Add Dynamic SNMP Properties to expose specific details about your device for
SNMP monitoring that are not included in the standard MIB. To query the runtime database to
find the device property you want to expose to SNMP, see Use digidevice runtime to access the
runtime database.
a. Click .
b. For Property, type the device property (e.g., "system.cpu_temp" or "system.name").
c. Click  again to add another dynamic SNMP property.
14. (Optional) Click Enable version 2c access to enable read-only access to SNMP version 2c.
15. Click Apply to save the configuration and apply the change.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>


3. Enable the SNMP agent:

(config)> service snmp enable true


(config)>

4. Configure access control:


n To limit access to specified IPv4 addresses and networks:

(config)> add service snmp acl address end value


(config)>

Where value can be:


l A single IP address or host name.
l A network designation in CIDR notation, for example, 192.168.1.0/24.
l any: No limit to IPv4 addresses that can access the SNMP service.
Repeat this step to list additional IP addresses or networks.
n To limit access to specified IPv6 addresses and networks:

(config)> add service snmp acl address6 end value


(config)>

Where value can be:


l A single IP address or host name.
l A network designation in CIDR notation, for example, 2001:db8::/48.
l any: No limit to IPv6 addresses that can access the SNMP service.
Repeat this step to list additional IP addresses or networks.
n To limit access to hosts connected through a specified interface on the Connect EZ
16/32 device:

(config)> add service snmp acl interface end value


(config)>

Where value is an interface defined on your device.

Display a list of available interfaces:


Use ... network interface ? to display interface information:

Repeat this step to list additional interfaces.


n To limit access based on firewall zones:

(config)> add service snmp acl zone end value


(config)>

Where value is a firewall zone defined on your device, or the any keyword.

Display a list of available firewall zones:


Type ... firewall zone ? at the config prompt:

(config)> ... firewall zone ?

Zones: A list of groups of network interfaces that can be referred to by packet
filtering rules and access control lists.

Additional Configuration
-------------------------------------------------------------------------------
any
dynamic_routes
edge
external
internal
ipsec
loopback
setup

(config)>

Repeat this step to include additional firewall zones.


5. Set the name of the user that will be used to connect to the SNMP agent.

(config)> service snmp username name


(config)>

6. Set the password for the user that will be used to connect to the SNMP agent:

(config)> service snmp password pwd


(config)>

7. (Optional) Set the port number for the SNMP agent. The default is 161.

(config)> service snmp port port


(config)>

8. (Optional) Configure Multicast DNS (mDNS)


mDNS is a protocol that resolves host names in small networks that do not have a DNS server.
For the SNMP agent, mDNS is disabled by default. To enable:

(config)> service snmp mdns enable true


(config)>

9. (Optional) Set the authentication type. Allowed values are MD5 or SHA. The default is MD5.

(config)> service snmp auth_type SHA


(config)>

10. (Optional) Set the privacy passphrase. If not set, the password, entered above, is used.


(config)> service snmp privacy pwd


(config)>

11. (Optional) Set the privacy protocol, either DES or AES. The default is DES.

(config)> service snmp privacy_protocol AES


(config)>

12. (Optional) Add Dynamic SNMP Properties to expose specific details about your device for
SNMP monitoring that are not included in the standard MIB.

(config) service snmp runt> add end value


(config)>

Where value can be any element in the runtime table you want to expose to SNMP monitoring
(for example, "system.cpu_temp" or "system.name").
13. (Optional) Enable read-only access to SNMP version 2c.

(config)> service snmp enable 2c true


(config)>

14. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

15. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
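
Because the SNMP agent defaults to MD5 authentication and DES privacy, a saved command sequence can be checked before it is applied. The following is an added example, not Digi code: it parses commands in the form shown in the procedure above and reports settings left at those defaults, SNMPv2c access, and open ACL entries. The finding names, the decision to flag the external zone, and both sample configurations are assumptions constructed for illustration.

```python
import ipaddress
import shlex

# Defaults as stated in the guide: agent disabled, MD5 authentication, DES
# privacy, v2c off, privacy passphrase falls back to the user password.
DEFAULTS = {"enable": "false", "auth_type": "MD5", "privacy_protocol": "DES",
            "v2c": "false", "privacy": None}


def parse_snmp_config(text):
    """Collect 'service snmp ...' settings and ACL entries from CLI lines."""
    cfg = dict(DEFAULTS)
    acl = []  # (kind, value) pairs, kind is address, address6, interface or zone
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("(config)>"):
            line = line[len("(config)>"):].strip()
        tok = shlex.split(line)
        if tok[:4] == ["add", "service", "snmp", "acl"] and len(tok) == 7 \
                and tok[5] == "end":
            acl.append((tok[4], tok[6]))
        elif tok[:2] == ["service", "snmp"]:
            # The v2c command is parsed in the form printed in the guide.
            if tok[2:4] == ["enable", "2c"] and len(tok) == 5:
                cfg["v2c"] = tok[4].lower()
            elif len(tok) == 4:
                cfg[tok[2]] = tok[3]
    cfg["acl"] = acl
    return cfg


def is_open_entry(kind, value):
    """True when an ACL entry admits any source."""
    if value == "any":
        return True
    if kind in ("address", "address6"):
        try:
            return ipaddress.ip_network(value, strict=False).prefixlen == 0
        except ValueError:
            return False  # a host name cannot be judged offline
    # Assumption: the external zone is treated as untrusted for management.
    return kind == "zone" and value == "external"


def audit(cfg):
    """Return findings for an enabled agent; an empty list means none."""
    if cfg["enable"].lower() != "true":
        return []
    findings = []
    if cfg["auth_type"].upper() == "MD5":
        findings.append("auth-md5")
    if cfg["privacy_protocol"].upper() == "DES":
        findings.append("privacy-des")
    if not cfg["privacy"]:
        findings.append("privacy-passphrase-reuses-password")
    if cfg["v2c"] == "true":
        findings.append("v2c-enabled")  # SNMPv2c has no encryption
    for kind, value in cfg["acl"]:
        if is_open_entry(kind, value):
            findings.append(f"acl-open:{kind}={value}")
    return findings


# Constructed sample configurations (user name and passwords are placeholders).
WEAK_CONFIG = """
(config)> service snmp enable true
(config)> add service snmp acl address end any
(config)> add service snmp acl zone end external
(config)> service snmp username monitor
(config)> service snmp password ExamplePass-1
(config)> service snmp enable 2c true
"""

HARDENED_CONFIG = """
(config)> service snmp enable true
(config)> add service snmp acl address end 192.168.1.0/24
(config)> add service snmp acl zone end internal
(config)> service snmp username monitor
(config)> service snmp password ExamplePass-1
(config)> service snmp auth_type SHA
(config)> service snmp privacy ExamplePass-2
(config)> service snmp privacy_protocol AES
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(parse_snmp_config(text)))
```
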

Download MIBs
This procedure is available from the WebUI only.

Required configuration items


n Enable SNMP.
To download a .zip archive of the SNMP MIBs supported by this device:

 Web
1. Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
2. Enable SNMP.
See Configure Simple Network Management Protocol (SNMP) for information about enabling
and configuring SNMP support on the Connect EZ 16/32 device.
3. On the main menu, click Status. Under Services, click SNMP.

Note If you have recently enabled SNMP and the SNMP option is not visible, refresh your
browser.


The SNMP page is displayed.

4. Click Download.


Location information
Your Connect EZ 16/32 device can be configured to use the following location sources:
n User-defined static location.
n Location messages forwarded to the device from other location-enabled devices.
You can also configure your Connect EZ 16/32 device to forward location messages, either from the
Connect EZ 16/32 device or from external sources, to a remote host. Additionally, the device can be
configured to use a geofence, to allow you to determine actions that will be taken based on the
physical location of the device.
This section contains the following topics:

Configure the device to use a user-defined static location
Configure the device to accept location messages from external sources
Forward location information to a remote host
Configure geofencing
Show location information


Configure the device to use a user-defined static location


You can configure your Connect EZ 16/32 device to use a user-defined static location.

 Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Services > Location > Location sources.
4. Click  to add a location source.
5. (Optional) Type a Label for this location source.
6. For Type of location source, select User-defined location.
7. The location source is enabled by default. Click Enable the location source to disable the
location source, or to enable it if it has been disabled.
8. For Latitude, type the latitude of the device. Allowed values are between -90 and 90, with
up to six decimal places.
9. For Longitude, type the longitude of the device. Allowed values are between -180 and 180,
with up to six decimal places.
10. For Altitude, type the altitude of the device. Allowed values are an integer followed by m or
km, for example, 100m or 1km.
11. Click Apply to save the configuration and apply the change.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.


Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Add a location source:

(config)> add service location source end


(config service location source 0)>

The location source is enabled by default. To disable:

(config service location source 0)> enable false


(config service location source 0)>

4. (Optional) Set a label for this location source:

(config service location source 0)> label "label"


(config service location source 0)>

5. Set the type of location source to user_defined:

(config service location source 0)> type user_defined


(config service location source 0)>

6. Set the latitude of the device:

(config service location source 0)> coordinates latitude int


(config service location source 0)>

where int is any number between -90 and 90, with up to six decimal places.
7. Set the longitude of the device:

(config service location source 0)> coordinates longitude int


(config service location source 0)>

where int is any number between -180 and 180, with up to six decimal places.
8. Set the altitude of the device:

(config service location source 0)> coordinates altitude alt


(config service location source 0)>

Where alt is an integer followed by m or km, for example, 100m or 1km.


9. Save the configuration and apply the change.

(config)> save
Configuration saved.
>


10. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Configure the device to accept location messages from external sources
You can configure the Connect EZ 16/32 device to accept NMEA and TAIP messages from external
sources. For example, location-enabled devices connected to the Connect EZ 16/32 device can
forward their location information to the device, and then the Connect EZ 16/32 device can serve as a
central repository for this location information and forward it to a remote host. See Forward location
information to a remote host for information about configuring the Connect EZ 16/32 device to
forward location messages.
This procedure configures a UDP port on the Connect EZ 16/32 device that will be used to listen for
incoming messages.

Required configuration items


n The location server must be enabled.
n UDP port that the Connect EZ device will listen to for incoming location messages.
n Access control list configuration to provide access to the port through the firewall.
To configure the device to accept location messages from external sources:
 Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Services > Location > Location sources.
4. Click  to add a location source.
5. (Optional) Type a Label for this location source.


6. For Type of location source, select Server.


7. For Location server port, type the number of the UDP port that will receive incoming location
messages.
8. Click Access control list to configure access control:
n To limit access to specified IPv4 addresses and networks:
a. Click IPv4 Addresses.
b. For Add Address, click .
c. For Address, enter the IPv4 address or network that can access the device's
location server UDP port. Allowed values are:
l A single IP address or host name.
l A network designation in CIDR notation, for example, 192.168.1.0/24.
l any: No limit to IPv4 addresses that can access the location server UDP port.
d. Click  again to list additional IP addresses or networks.
n To limit access to specified IPv6 addresses and networks:
a. Click IPv6 Addresses.
b. For Add Address, click .
c. For Address, enter the IPv6 address or network that can access the device's
location server UDP port. Allowed values are:
l A single IP address or host name.
l A network designation in CIDR notation, for example, 2001:db8::/48.
l any: No limit to IPv6 addresses that can access the location server UDP port.
d. Click  again to list additional IP addresses or networks.
n To limit access to hosts connected through a specified interface on the device:
a. Click Interfaces.
b. For Add Interface, click .
c. For Interface, select the appropriate interface from the dropdown.
d. Click  again to allow access through additional interfaces.
n To limit access based on firewall zones:
a. Click Zones. By default, there are three firewall zones already configured: Internal,
Edge, and IPsec.
b. For Add Zone, click .
c. For Zone, select the appropriate firewall zone from the dropdown.
See Firewall configuration for information about firewall zones.
d. Click  again to allow access through additional firewall zones.
9. Click Apply to save the configuration and apply the change.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.


2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Add a location source:

(config)> add service location source end


(config service location source 0)>

4. (Optional) Set a label for this location source:

(config service location source 0)> label "label"


(config service location source 0)>

5. Set the type of location source to server:

(config service location source 0)> type server


(config service location source 0)>

6. Set the UDP port that will receive incoming location messages.

(config service location source 0)> server port port


(config service location source 0)>

7. Configure access control:


n To limit access to specified IPv4 addresses and networks:

(config)> add service location source 1 acl address end value


(config)>

Where value can be:


l A single IP address or host name.
l A network designation in CIDR notation, for example, 192.168.1.0/24.
l any: No limit to IPv4 addresses that can access the location server UDP port.
Repeat this step to list additional IP addresses or networks.
n To limit access to specified IPv6 addresses and networks:

(config)> add service location source 1 acl address6 end value


(config)>

Where value can be:


l A single IP address or host name.
l A network designation in CIDR notation, for example, 2001:db8::/48.
l any: No limit to IPv6 addresses that can access the location server UDP port.
Repeat this step to list additional IP addresses or networks.
n To limit access to hosts connected through a specified interface on the Connect EZ
16/32 device:


(config)> add service location source 1 acl interface end value


(config)>

Where value is an interface defined on your device.

Display a list of available interfaces:


Use ... network interface ? to display interface information:

Repeat this step to list additional interfaces.


n To limit access based on firewall zones:

(config)> add service location source 1 acl zone end value


(config)>

Where value is a firewall zone defined on your device, or the any keyword.

Display a list of available firewall zones:


Type ... firewall zone ? at the config prompt:

(config)> ... firewall zone ?

Zones: A list of groups of network interfaces that can be referred to by packet
filtering rules and access control lists.

Additional Configuration
-------------------------------------------------------------------------------
any
dynamic_routes
edge
external
internal
ipsec
loopback
setup

(config)>

Repeat this step to include additional firewall zones.


8. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

9. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.


Forward location information to a remote host


You can configure location clients on the Connect EZ 16/32 device that forward location messages in
either NMEA or TAIP format to a remote host.

Required configuration items


n Enable the location service.
n The hostname or IP address of the remote host to which the location messages will be
forwarded.
n The communication protocol, either TCP or UDP.
n The destination port on the remote host to which the messages will be forwarded.
n Message protocol type of the messages being forwarded, either NMEA or TAIP.

Additional configuration items


n Additional remote hosts to which the location messages will be forwarded.
n Location update interval, which determines how often the device will forward location
information to the remote hosts.
n A description of the remote hosts.
n Specific types of NMEA or TAIP messages that should be forwarded.
n If the message protocol is NMEA, configure a talker ID to be used for all messages.
n Text that will be prepended to the forwarded message.
n A vehicle ID that is used in the TAIP ID message and can also be prepended to the forwarded
message.
Configure the Connect EZ device to forward location information:

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Services > Location > Destination servers.
4. For Add destination server, click the add icon.
5. (Optional) For Label, type a description of the location destination server.
6. For Destination server, enter the hostname or IP address of the remote host to which location
messages will be sent.
7. For Destination server port, enter the UDP or TCP port on the remote host to which location
messages will be sent.
8. For Communication protocol, select either UDP or TCP.
9. For Forward interval multiplier, select the number of Location update intervals to wait
before forwarding location data to this server. See Configure the location service for more
information about setting the Location update interval.
10. For NMEA filters, select the filters that represent the types of messages that will be forwarded.
By default, all message types are forwarded.
n To remove a filter:
a. Click the down arrow next to the appropriate message type.
b. Click Delete.
n To add a message type:
a. For Add NMEA filter or Add TAIP filter, click the add icon.
b. Select the filter type. Allowed values are:
l GGA: Reports time, position, and fix related data.
l GLL: Reports position data: position fix, time of position fix, and status.
l GSA: Reports GPS DOP and active satellites.
l GSV: Reports the number of SVs in view, PRN, elevation, azimuth, and SNR.
l RMC: Reports position, velocity, and time.
l VTG: Reports direction and speed over ground.
11. For TAIP filters, select the filters that represent the types of messages that will be forwarded.
By default, all message types are forwarded.
n To remove a filter:
a. Click the down arrow next to the appropriate message type.
b. Click Delete.
n To add a message type:
a. For Add NMEA filter or Add TAIP filter, click the add icon.
b. Select the filter type. Allowed values are:
l AL: Reports altitude and vertical velocity.
l CP: Compact position: reports time, latitude, and longitude.


l ID: Reports the vehicle ID.


l LN: Long navigation: reports the latitude, longitude, and altitude, the horizontal
and vertical speed, and heading.
l PV: Position/velocity: reports the latitude, longitude, and heading.
12. For Outgoing message type, select either NMEA or TAIP for the type of message that the
device will forward to a remote host.
(Optional) If NMEA is selected:
a. Select a Talker ID.
The talker ID is a two-character prefix in the NMEA message that identifies the source type.
The talker ID set here will override the talker ID from all sources, and all forwarded
sentences will use the configured ID. The default setting is Default, which means that the
talker ID provided by the source will be used.
b. Determine the Behavior when fix is invalid:
n None: No messages are sent.
n Empty: Send messages with empty fields.
n Last fix: Send messages with information from the last valid fix.
13. (Optional) For Prepend text, enter text to prepend to the forwarded message. Two variables
can be included in the prepended text:
n %s: Includes the Connect EZ device's serial number in the prepended text.
n %v: Includes the vehicle ID in the prepended text.
For example, to include both the device's serial number and vehicle ID in the prepend
message, you can enter the following in the Prepend field:

__|%s|__|%v|__

14. Type a four-digit alphanumeric Vehicle ID that will be included with location messages. If
no vehicle ID is configured, this setting defaults to 0000.
15. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Add a remote host to which location messages will be sent:

(config)> add service location forward end


(config service location forward 0)>


4. Set the hostname or IP address of the remote host to which location messages will be sent:

(config service location forward 0)> server host


(config service location forward 0)>

5. Set the communication protocol to either udp or tcp:

(config service location forward 0)> protocol protocol


(config service location forward 0)>

6. Set the TCP or UDP port on the remote host to which location messages will be sent:

(config service location forward 0)> server_port 8000


(config service location forward 0)>

7. Set the number of Location update intervals to wait before forwarding location data to this
server. See Configure the location service for more information about setting the Location
update interval.

(config service location forward 0)> interval_multiplier int


(config service location forward 0)>

8. Set the protocol type for the messages. Allowed values are taip or nmea; the default is taip:

(config service location forward 0)> type nmea


(config service location forward 0)>

(Optional) If the protocol type is set to nmea:


a. Configure a Talker ID.
The talker ID is a two-character prefix in the NMEA message that identifies the source type.
The talker ID set here will override the talker ID from all sources, and all forwarded
sentences will use the configured ID.
i. Use the ? to determine available talker IDs:

(config service location forward 0)> talker_id ?

Talker ID: Setting a talker ID will override the talker ID from all remote
sources, and all forwarded sentences from remote sources will use the configured
ID.
Format:
Default
GA
GB
GI
GL
GN
GP
GQ
Default value: Default
Current value: Default

(config service location forward 0)>

ii. Set the talker ID:

(config service location forward 0)> talker_id value


(config service location forward 0)>

The default setting is Default, which means that the talker ID provided by the source will
be used.
b. Determine the behavior when fix is invalid:

(config service location forward 0)> no_fix value


(config service location forward 0)>

where value is one of:


n none: No messages are sent.
n empty: Send messages with empty fields.
n last_fix: Send messages with information from the last valid fix.
The default is empty.
9. (Optional) Set the text to prepend to the forwarded message. Two variables can be included in
the prepended text:
n %s: Includes the Connect EZ device's serial number in the prepended text.
n %v: Includes the vehicle ID in the prepended text.
(config service location forward 0)> prepend __|%s|__|%v|__
(config service location forward 0)>

10. (Optional) Set the vehicle ID.


Allowed value is a four digit alphanumerical string (for example, 01A3 or 1234). If no vehicle ID
is configured, this setting defaults to 0000.

(config service location forward 0)> vehicle-id 1234


(config service location forward 0)>

11. (Optional) Provide a description of the remote host:

(config service location forward 0)> label "Remote host 1"


(config service location forward 0)>

12. (Optional) Specify types of messages that will be forwarded. Allowed values vary depending on
the message protocol type. By default, all message types are forwarded.
n If the message protocol type is NMEA:
Allowed values are:
l gga: Reports time, position, and fix related data.
l gll: Reports position data: position fix, time of position fix, and status.
l gsa: Reports GPS DOP and active satellites.
l gsv: Reports the number of SVs in view, PRN, elevation, azimuth, and SNR.


l rmc: Reports position, velocity, and time.


l vtg: Reports direction and speed over ground.
To remove a message type:
a. Use the show command to determine the index number of the message type to be
deleted:

(config service location forward 0)> show filter_nmea


0 gga
1 gll
2 gsa
3 gsv
4 rmc
5 vtg
(config service location forward 0)>

b. Use the index number to delete the message type. For example, to delete the gsa
(index number 2) message type:

(config service location forward 0)> del filter_nmea 2


(config service location forward 0)>

To add a message type:


a. Change to the filter_nmea node:

(config service location forward 0)> filter_nmea


(config service location forward 0 filter_nmea)>

b. Use the add command to add the message type. For example, to add the gsa
message type:

(config service location forward 0 filter_nmea)> add gsa end


(config service location forward 0 filter_nmea)>

n If the message protocol type is TAIP:


Allowed values are:
l al: Reports altitude and vertical velocity.
l cp: Compact position: reports time, latitude, and longitude.
l id: Reports the vehicle ID.
l ln: Long navigation: reports the latitude, longitude, and altitude, the horizontal and
vertical speed, and heading.
l pv: Position/velocity: reports the latitude, longitude, and heading.
To remove a message type:
a. Use the show command to determine the index number of the message type to be
deleted:

(config service location forward 0)> show filter_taip


0 al
1 cp
2 id
3 ln
4 pv
(config service location forward 0)>

b. Use the index number to delete the message type. For example, to delete the id
(index number 2) message type:

(config service location forward 0)> del filter_taip 2


(config service location forward 0)>

To add a message type:


a. Change to the filter_taip node:

(config service location forward 0)> filter_taip


(config service location forward 0 filter_taip)>

b. Use the add command to add the message type. For example, to add the id
message type:

(config service location forward 0 filter_taip)> add id end


(config service location forward 0 filter_taip)>

13. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

14. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
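
A receiver-side check for the forwarding configured above, added here as an example and not taken from the Digi guide: it strips the prepended text, verifies the NMEA checksum, and enforces the expected serial number, talker ID and sentence type. It assumes the Prepend text __|%s|__|%v|__ sits directly in front of each sentence; the serial number and the sample sentence are constructed, and the function names are hypothetical.

```python
import re
from functools import reduce

# Assumed layout: the Prepend text __|%s|__|%v|__ sits directly in front of the
# NMEA sentence (%s = device serial number, %v = four-character vehicle ID).
PREFIX_RE = re.compile(
    r"__\|(?P<serial>[^|]+)\|__\|(?P<vehicle>[0-9A-Za-z]{4})\|__")
SENTENCE_RE = re.compile(
    r"\$(?P<body>(?P<talker>[A-Z]{2})(?P<type>[A-Z]{3}),[^*$\r\n]*)"
    r"\*(?P<sum>[0-9A-Fa-f]{2})\r?\n?")
# Sentence types that the guide lists as NMEA filters.
NMEA_TYPES = {"GGA", "GLL", "GSA", "GSV", "RMC", "VTG"}


def nmea_checksum(body):
    """XOR of every character between '$' and '*' (NMEA 0183 checksum)."""
    return reduce(lambda acc, ch: acc ^ ord(ch), body, 0)


def build_sentence(body):
    """Build a sentence with a valid checksum; used only for the sample input."""
    return "$%s*%02X\r\n" % (body, nmea_checksum(body))


def parse_forwarded(datagram, expected_serial, expected_talker=None):
    """Return the parsed message, or raise ValueError naming the failed check.

    The checksum only detects corruption; it does not authenticate the sender.
    The other checks reject traffic that does not match the forwarding
    configuration this receiver expects from the device.
    """
    try:
        text = datagram.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("payload is not ASCII")
    prefix = PREFIX_RE.match(text)
    if prefix is None:
        raise ValueError("missing or malformed prepend text")
    if prefix["serial"] != expected_serial:
        raise ValueError("unexpected device serial number")
    # The sentence must start right after the prefix and run to the end.
    sentence = SENTENCE_RE.fullmatch(text, prefix.end())
    if sentence is None:
        raise ValueError("not a well-formed NMEA sentence")
    if nmea_checksum(sentence["body"]) != int(sentence["sum"], 16):
        raise ValueError("checksum mismatch")
    if sentence["type"] not in NMEA_TYPES:
        raise ValueError("sentence type not in the configured filters")
    if expected_talker is not None and sentence["talker"] != expected_talker:
        raise ValueError("unexpected talker ID")
    return {
        "serial": prefix["serial"],
        "vehicle": prefix["vehicle"],
        "talker": sentence["talker"],
        "type": sentence["type"],
        "fields": sentence["body"].split(",")[1:],
    }


def rejection_reason(datagram, expected_serial, expected_talker=None):
    """Return None when the datagram is accepted, else the reason as text."""
    try:
        parse_forwarded(datagram, expected_serial, expected_talker)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed sample: serial number, vehicle ID and position are made up.
SAMPLE_SERIAL = "EZ16-CONSTRUCTED"
SAMPLE = ("__|" + SAMPLE_SERIAL + "|__|01A3|__" + build_sentence(
    "GNRMC,123519,A,4455.632,N,09323.952,W,000.0,000.0,010124,,")).encode("ascii")

if __name__ == "__main__":
    print(parse_forwarded(SAMPLE, SAMPLE_SERIAL, expected_talker="GN"))
    tampered = SAMPLE.replace(b"4455.632", b"4455.633")
    print(rejection_reason(tampered, SAMPLE_SERIAL))
```
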


Configure geofencing
Geofencing is a mechanism to create a virtual perimeter that allows you to configure your Connect EZ
16/32 device to perform actions when entering or exiting the perimeter. For example, you can
configure a device to factory default if its location service indicates that it has been moved outside of
the geofence.
Multiple geofences can be defined for one device, allowing for a complex configuration in which
different actions are taken depending on the physical location of the device.

Required configuration items


n Location services must be enabled.
n The geofence must be enabled.
n The boundary type of the geofence, either circular or polygonal.
l If boundary type is circular, the latitude and longitude of the center point of the circle, and
the radius.
l If boundary type is polygonal, the latitude and longitude of the polygon's vertices (a vertex
is the point at which two sides of a polygon meet). Three vertices will create a triangular
polygon; four will create a square, etc. Complex polygons can be defined.
n Actions that will be taken when the device's location triggers a geofence event. You can define
actions for two types of events:
l Actions taken when the device enters the boundary of the geofence, or is inside the
boundary when the device boots.
l Actions taken when the device exits the boundary of the geofence, or is outside the
boundary when the device boots.
For each event type:
l Determine if the action(s) associated with the event type should be performed when the
device boots inside or outside of the geofence boundary.
l The number of update intervals that should take place before the action(s) are taken.
Multiple actions can be configured for each type of event. For each action:
l The type of action, either a factory erase or executing a custom script.
l If a custom script is used:
o The script that will be executed.
o Whether to log output and errors from the script.
o The maximum memory that the script will have available.
o Whether the script should be executed within a sandbox that will prevent the script from
affecting the system itself.

Additional configuration items


n Update interval, which determines the amount of time that the geofence should wait between
polling for updated location data.

Web

1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Services > Location > Geofence.
4. For Add Geofence, type a name for the geofence and click the add icon.

The geofence is enabled by default. To disable, toggle off Enable.


5. For Update interval, type the amount of time that the geofence should wait between polling
for updated location data. The default is one minute.
Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the
format number{w|d|h|m|s}.
For example, to set Update interval to ten minutes, enter 10m or 600s.
6. For Boundary type, select the type of boundary that the geofence will have.
n If Circular is selected:
a. Click to expand Center.
b. Type the Latitude and Longitude of the center point of the circle. Allowed values
are:
l For Latitude, any integer between -90 and 90, with up to six decimal places.
l For Longitude, any integer between -180 and 180, with up to six decimal
places.


c. For Radius, type the radius of the circle. Allowed values are an integer followed by
m or km, for example, 100m or 1km.
n If Polygonal is selected:
a. Click to expand Coordinates.
b. Click the add icon to add a point that represents a vertex of the polygon. A vertex is the point
at which two sides of a polygon meet.
c. Type the Latitude and Longitude of one of the vertices of the polygon. Allowed
values are:
l For Latitude, any integer between -90 and 90, with up to six decimal places.
l For Longitude, any integer between -180 and 180, with up to six decimal
places.
d. Click the add icon again to add an additional point, and continue adding points to create the
desired polygon.
For example, to configure a square polygon around the Digi headquarters, configure a
polygon with four points:

This defines a square-shaped polygon equivalent to the following:

7. Define actions to be taken when the device's location triggers a geofence event:
n To define actions that will be taken when the device enters the geofence, or is inside
the geofence when it boots:


a. Click to expand On entry.

b. (Optional) Enable Bootup action to configure the device to perform the On entry
actions if the device is inside the geofence when it boots.
c. For Number of intervals, type or select the number of Update Intervals that must
take place prior to performing the On entry actions.
For example, if the Update interval is 1m (one minute) and the Number of
intervals is 3, the On entry actions will not be performed until the device has been
inside the geofence for three minutes.
d. Click to expand Actions.
e. Click the add icon to create a new action.

f. For Action type, select either:


l Factory erase to erase the device configuration when the action is triggered.
l Custom script to execute a custom script when the action is triggered.
If Custom script is selected:
i. Click to expand Custom script.
ii. For Commands, type the script that will be executed when the action is
triggered. If the script begins with #!, then the file path that follows will be used
to invoke the script interpreter. If not, then the default shell will be used.
iii. Enable Log script output to log the output of the script to the system log.
iv. Enable Log script errors to log errors from the script to the system log.
v. (Optional) For Maximum memory, type the maximum amount of system
memory that will be available for the script and its spawned processes.
Allowed values are any integer followed by one of the following:
b|bytes|KB|k|MB|M|GB|G|TB|T.
For example, to allocate one megabyte of memory to the script and its
spawned processes, type 1MB or 1M.
vi. Sandbox is enabled by default. This prevents the script from adversely
affecting the system. If you disable Sandbox, the script may render the system
unusable.
vii. Repeat for any additional actions.
n To define actions that will be taken when the device exits the geofence, or is outside the
geofence when it boots:


a. Click to expand On exit.

b. (Optional) Enable Bootup action to configure the device to perform the On exit
actions if the device is outside the geofence when it boots.
c. For Number of intervals, type or select the number of Update Intervals that must
take place prior to performing the On exit actions.
For example, if the Update interval is 1m (one minute) and the Number of
intervals is 3, the On exit actions will not be performed until the device has been
outside the geofence for three minutes.
d. Click to expand Actions.
e. Click the add icon to create a new action.

f. For Action type, select either:


l Factory erase to erase the device configuration when the action is triggered.
l Custom script to execute a custom script when the action is triggered.
If Custom script is selected:
i. Click to expand Custom script.
ii. For Commands, type the script that will be executed when the action is
triggered. If the script begins with #!, then the file path that follows will be used
to invoke the script interpreter. If not, then the default shell will be used.
iii. Enable Log script output to log the output of the script to the system log.
iv. Enable Log script errors to log errors from the script to the system log.
v. (Optional) For Maximum memory, type the maximum amount of system
memory that will be available for the script and its spawned processes.
Allowed values are any integer followed by one of the following:
b|bytes|KB|k|MB|M|GB|G|TB|T.
For example, to allocate one megabyte of memory to the script and its
spawned processes, type 1MB or 1M.
vi. Sandbox is enabled by default. This prevents the script from adversely
affecting the system. If you disable Sandbox, the script may render the system
unusable.
vii. Repeat for any additional actions.
8. Click Apply to save the configuration and apply the change.

Command line

1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Add a geofence:

(config)> add service location geofence name


(config service location geofence name)>

where name is a name for the geofence. For example:

(config)> add service location geofence test_geofence


(config service location geofence test_geofence)>

The geofence is enabled by default. To disable:

(config service location geofence test_geofence)> enable false


(config service location geofence test_geofence)>

4. Set the amount of time that the geofence should wait between polling for updated location
data:

(config service location geofence test_geofence)> update_interval value


(config service location geofence test_geofence)>

where value is any number of weeks, days, hours, minutes, or seconds, and takes the format
number{w|d|h|m|s}.
For example, to set update_interval to ten minutes, enter either 10m or 600s:

(config service location geofence test_geofence)> update_interval 600s


(config service location geofence test_geofence)>

The default is 1m (one minute).


5. Set the boundary type for the geofence:

(config service location geofence test_geofence)> boundary value


(config service location geofence test_geofence)>

where value is either circular or polygonal.


n If boundary is set to circular:
a. Set the latitude and longitude of the center point of the circle:

(config service location geofence test_geofence)> center latitude int
(config service location geofence test_geofence)> center longitude int
(config service location geofence test_geofence)>

where int is:


l For latitude, any integer between -90 and 90, with up to six decimal places.
l For longitude, any integer between -180 and 180, with up to six decimal
places.
b. Set the radius of the circle:

(config service location geofence test_geofence)> radius radius


(config service location geofence test_geofence)>

where radius is an integer followed by m or km, for example, 100m or 1km.


n If boundary is set to polygonal:
a. Set the coordinates of one vertex of the polygon. A vertex is the point at which two
sides of a polygon meet.
i. Add a vertex:

(config service location geofence test_geofence)> add coordinates end
(config service location geofence test_geofence coordinates 0)>

ii. Set the latitude and longitude of the vertex:

(config service location geofence test_geofence coordinates 0)> latitude int
(config service location geofence test_geofence coordinates 0)> longitude int
(config service location geofence test_geofence coordinates 0)>

where int is:


l For latitude, any integer between -90 and 90, with up to six decimal
places.
l For longitude, any integer between -180 and 180, with up to six decimal
places.
iii. Configure additional vertices:

(config service location geofence test_geofence coordinates 0)> ..
(config service location geofence test_geofence coordinates)> add end
(config service location geofence test_geofence coordinates 1)> latitude int
(config service location geofence test_geofence coordinates 1)> longitude int
(config service location geofence test_geofence coordinates 1)>

where int is:


l For latitude, any integer between -90 and 90, with up to six decimal
places.
l For longitude, any integer between -180 and 180, with up to six decimal
places.
Repeat for each vertex of the polygon.
For example, to configure a square polygon around the Digi headquarters,
configure a polygon with four points:

(config service location geofence test_geofence)> add coordinates end
(config service location geofence test_geofence coordinates 0)> latitude 44.927220
(config service location geofence test_geofence coordinates 0)> longitude -93.399200
(config service location geofence test_geofence coordinates 0)> ..
(config service location geofence test_geofence coordinates)> add end
(config service location geofence test_geofence coordinates 1)> latitude 44.927220
(config service location geofence test_geofence coordinates 1)> longitude -93.39589
(config service location geofence test_geofence coordinates 1)> ..
(config service location geofence test_geofence coordinates)> add end
(config service location geofence test_geofence coordinates 2)> latitude 44.925161
(config service location geofence test_geofence coordinates 2)> longitude -93.39589
(config service location geofence test_geofence coordinates 2)> ..
(config service location geofence test_geofence coordinates)> add end
(config service location geofence test_geofence coordinates 3)> latitude 44.925161
(config service location geofence test_geofence coordinates 3)> longitude -93.399200
(config service location geofence test_geofence coordinates 3)>

This defines a square-shaped polygon equivalent to the following:


6. Define actions to be taken when the device's location triggers a geofence event:
n To define actions that will be taken when the device enters the geofence, or is inside
the geofence when it boots:
a. (Optional) Configure the device to perform the actions if the device is inside the
geofence when it boots:

(config)> service location geofence test_geofence on_entry bootup true
(config)>

b. Set the number of update_intervals that must take place prior to performing the
actions:

(config)> service location geofence test_geofence on_entry num_intervals int
(config)>

For example, if the update interval is 1m (one minute) and the num_intervals is set
to 3, the actions will not be performed until the device has been inside the
geofence for three minutes.
c. Add an action:
i. Type ... to return to the root of the configuration:

(config service location geofence test_geofence coordinates 3)> ...
(config)>

ii. Add the action:

(config)> add service location geofence test_geofence on_entry action end
(config service location geofence test_geofence on_entry action 0)>

d. Set the type of action:

(config service location geofence test_geofence on_entry action 0)> type value
(config service location geofence test_geofence on_entry action 0)>

where value is either:


l factory_erase—Erases the device configuration when the action is triggered.
l script—Executes a custom script when the action is triggered.
If type is set to script:
i. Type or paste the script, enclosed in quotation marks:

(config service location geofence test_geofence on_entry action 0)> commands "script"
(config service location geofence test_geofence on_entry action 0)>

If the script begins with #!, then the file path that follows will be used to invoke
the script interpreter. If not, then the default shell will be used.
ii. To log the output of the script to the system log:

(config service location geofence test_geofence on_entry action 0)> syslog_stdout true
(config service location geofence test_geofence on_entry action 0)>

iii. To log the errors from the script to the system log:

(config service location geofence test_geofence on_entry action 0)> syslog_stderr true
(config service location geofence test_geofence on_entry action 0)>

iv. (Optional) Set the maximum amount of system memory that will be available
for the script and its spawned processes:

(config service location geofence test_geofence on_entry action 0)> max_memory value
(config service location geofence test_geofence on_entry action 0)>

where value is any integer followed by one of the following:
b|bytes|KB|k|MB|M|GB|G|TB|T.
For example, to allocate one megabyte of memory to the script and its
spawned processes:

(config service location geofence test_geofence on_entry action 0)> max_memory 1MB
(config service location geofence test_geofence on_entry action 0)>

v. A sandbox is enabled by default to prevent the script from adversely affecting
the system. To disable the sandbox:

(config service location geofence test_geofence on_entry action 0)> sandbox false
(config service location geofence test_geofence on_entry action 0)>

If you disable the sandbox, the script may render the system unusable.
vi. Repeat for any additional actions.
n To define actions that will be taken when the device exits the geofence, or is outside the
geofence when it boots:
a. (Optional) Configure the device to perform the actions if the device is outside the
geofence when it boots:

(config)> service location geofence test_geofence on_exit bootup true
(config)>

b. Set the number of update_intervals that must take place prior to performing the
actions:

(config)> service location geofence test_geofence on_exit num_intervals int
(config)>

For example, if the update interval is 1m (one minute) and the num_intervals is set
to 3, the actions will not be performed until the device has been outside the
geofence for three minutes.
c. Add an action:
i. Type ... to return to the root of the configuration:

(config service location geofence test_geofence coordinates 3)> ...
(config)>

ii. Add the action:

(config)> add service location geofence test_geofence on_exit action end
(config service location geofence test_geofence on_exit action 0)>

d. Set the type of action:

(config service location geofence test_geofence on_exit action 0)> type value
(config service location geofence test_geofence on_exit action 0)>

where value is either:


l factory_erase—Erases the device configuration when the action is triggered.
l script—Executes a custom script when the action is triggered.
If type is set to script:
i. Type or paste the script, closed in quote marks:

(config service location geofence test_geofence on_exit


action 0)> commands "script"
(config service location geofence test_geofence on_exit
action 0)>

If the script begins with #!, then the proceeding file path will be used to invoke
the script interpreter. If not, then the default shell will be used.
ii. To log the output of the script to the system log:

(config service location geofence test_geofence on_exit action 0)> syslog_stdout true
(config service location geofence test_geofence on_exit action 0)>

iii. To log the errors from the script to the system log:

(config service location geofence test_geofence on_exit action 0)> syslog_stderr true
(config service location geofence test_geofence on_exit action 0)>

iv. (Optional) Set the maximum amount of system memory that will be available
for the script and its spawned processes:

(config service location geofence test_geofence on_exit action 0)> max_memory value
(config service location geofence test_geofence on_exit action 0)>

where value is any integer followed by one of the following:
b|bytes|KB|k|MB|M|GB|G|TB|T.
For example, to allocate one megabyte of memory to the script and its
spawned processes:

(config service location geofence test_geofence on_exit action 0)> max_memory 1MB
(config service location geofence test_geofence on_exit action 0)>

v. A sandbox is enabled by default to prevent the script from adversely affecting
the system. To disable the sandbox:

(config service location geofence test_geofence on_exit action 0)> sandbox false
(config service location geofence test_geofence on_exit action 0)>

If you disable the sandbox, the script may render the system unusable.
vi. Repeat for any additional actions.
7. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

8. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Show location information


You can view status and statistics about location information from either the WebUI or the command
line.

 Web
Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
1. On the main menu, click Status.
2. Under Services, click Location.
The device's current location is displayed, along with the status of any configured geofences.

 Command line

Show location information


1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. Use the show location command at the system prompt:

> show location

Location Status
---------------
State : enabled
Source : 192.168.2.3
Latitude : 44* 55' 14.809" N (44.92078)
Longitude : 93* 24' 47.262" w (-93.413128)
Altitude : 279 meters
Velocity : 0 meters per second
Direction : None
Quality : Standard GNSS (2D/3D)
UTC Date and Time : Fri, Jan 12, 2024 12:10:00 03
No. of Satellites : 7

>

3. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Show geofence information


1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. Use the show location geofence command at the system prompt:

> show location geofence

Geofence      Status State  Transitions Last Transition
------------- ------ ------ ----------- ---------------
test_geofence Up     Inside 0

>

3. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Modbus gateway
The Connect EZ 16/32 supports the ability to function as a Modbus gateway, to provide serial-to-
Ethernet connectivity to Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), and
other industrial devices. MODBUS provides client/server communication between devices connected
on different types of buses and networks, and the Modbus gateway allows for communication
between buses and networks that use the Modbus protocol.
This section contains the following topics:

Configure the Modbus gateway
Modbus hardening
Show Modbus gateway status and statistics

Configure the Modbus gateway


Required configuration items
- Server configuration:
  - Enable the server.
  - Connection type, either socket or serial.
    - If the connection type is socket, the IP protocol to be used.
    - If the connection type is serial, the serial port to be used.
- Client configuration:
  - Enable the client.
  - Connection type, either socket or serial.
    - If the connection type is socket:
      - The IP protocol to be used.
      - The hostname or IPv4 address of the remote host on which the Modbus server is
        running.
    - If the connection type is serial:
      - The serial port to be used.
  - Modbus address or addresses to determine if messages should be forwarded to a
    destination device.

Additional configuration items
- Server configuration:
  - The packet mode.
  - The maximum time between bytes in a packet.
  - If the connection type is set to socket:
    - The port to use.
    - The inactivity timeout.
    - Access control list.
  - If the connection type is set to serial:
    - Whether to use half duplex (two wire) mode.
- Client configuration:
  - The packet mode.
  - The maximum time between bytes in a packet.
  - Whether to send broadcast messages.
  - Response timeout.
  - If connection type is set to socket:
    - The port to use.
    - The inactivity timeout.
  - If connection type is set to serial:
    - Whether to use half duplex (two wire) mode.
  - Whether packets should be delivered to a fixed Modbus address.
  - Whether packets should have their Modbus address adjusted downward before delivery.

 Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Services > Modbus Gateway.

4. Click Enable to enable the gateway.


5. Click Debug to allow verbose logging in the system log.

Configure gateway servers


1. Click to expand Gateway Servers.
2. For Add Modbus server, type a name for the server and click .

The new Modbus gateway server configuration is displayed.


3. The new Modbus gateway server is enabled by default. Toggle off Enable the server to
disable.
4. For Connection type, select Socket or Serial. Available options in the gateway server
configuration vary depending on this setting.
- If Socket is selected for Connection type:
a. For IP Protocol, select TCP or UDP. The default is TCP.
b. For Port, enter or select an appropriate port. The default is port 502.
- If Serial is selected for Connection type:
a. For Serial port, select the appropriate serial port on the Connect EZ 16/32 device.
5. For Packet mode, select RTU or RAW (if Connection type is set to Socket) or ASCII (if
Connection type is set to Serial) for the type of packet that will be used by this connection.
The default is RTU.
6. For Packet idle gap, type the maximum allowable time between bytes in a packet.
Allowed values are between 10 milliseconds and one second, and take the format number
{ms|s}.
For example, to set Packet idle gap to 20 milliseconds, enter 20ms.
7. If Connection type is set to Socket, for Inactivity timeout, type the amount of time to wait
before disconnecting the socket when it has become inactive.
Allowed values are any number of minutes or seconds up to a maximum of 15 minutes, and
take the format number{m|s}.
For example, to set Inactivity timeout to ten minutes, enter 10m or 600s.
8. (Optional) If Connection type is set to Serial, click Half duplex to enable half duplex (two
wire) mode.
9. (Optional) If Connection type is set to Socket, click to expand Access control list:
- To limit access to specified IPv4 addresses and networks:
a. Click IPv4 Addresses.
b. For Add Address, click .
c. For Address, enter the IPv4 address or network that can access the device's web
administration service. Allowed values are:
  - A single IP address or host name.
  - A network designation in CIDR notation, for example, 192.168.1.0/24.
  - any: No limit to IPv4 addresses that can access the web administration service.
d. Click  again to list additional IP addresses or networks.

- To limit access to specified IPv6 addresses and networks:
a. Click IPv6 Addresses.
b. For Add Address, click .
c. For Address, enter the IPv6 address or network that can access the device's web
administration service. Allowed values are:
  - A single IP address or host name.
  - A network designation in CIDR notation, for example, 2001:db8::/48.
  - any: No limit to IPv6 addresses that can access the web administration service.
d. Click  again to list additional IP addresses or networks.
- To limit access to hosts connected through a specified interface on the device:
a. Click Interfaces.
b. For Add Interface, click .
c. For Interface, select the appropriate interface from the dropdown.
d. Click  again to allow access through additional interfaces.
- To limit access based on firewall zones:
a. Click Zones. By default, there are three firewall zones already configured: Internal,
Edge, and IPsec.
b. For Add Zone, click .
c. For Zone, select the appropriate firewall zone from the dropdown.
See Firewall configuration for information about firewall zones.
d. Click  again to allow access through additional firewall zones.
10. Repeat these steps to configure additional servers.

Configure clients
1. Click to expand Clients.
2. For Add Modbus client, type a name for the client and click .

The new Modbus gateway client configuration is displayed.


3. The new Modbus gateway client is enabled by default. Toggle off Enable the client to disable.
4. For Connection type, select Socket or Serial. Available options in the gateway server
configuration vary depending on this setting.
- If Socket is selected for Connection type:
a. For IP Protocol, select TCP or UDP. The default is TCP.
b. For Port, enter or select an appropriate port. The default is port 502.
c. For Remote host, type the hostname or IP address of the remote host on which the
Modbus server is running.
- If Serial is selected for Connection type:
a. For Serial port, select the appropriate serial port on the Connect EZ 16/32 device.
5. For Packet mode, select RTU or RAW (if Connection type is set to Socket) or ASCII (if
Connection type is set to Serial) for the type of packet that will be used by this connection.
The default is RTU.
6. For Packet idle gap, type the maximum allowable time between bytes in a packet.
Allowed values are between 10 milliseconds and one second, and take the format number
{ms|s}.
For example, to set Packet idle gap to 20 milliseconds, enter 20ms.
7. If Connection type is set to Socket, for Inactivity timeout, type the amount of time to wait
before disconnecting the socket when it has become inactive.
Allowed values are any number of minutes or seconds up to a maximum of 15 minutes, and
take the format number{m|s}.
For example, to set Inactivity timeout to ten minutes, enter 10m or 600s.
8. (Optional) If Connection type is set to Serial, click Half duplex to enable half duplex (two
wire) mode.
9. (Optional) If Connection type is set to Socket, click to expand Access control list:
- To limit access to specified IPv4 addresses and networks:
a. Click IPv4 Addresses.
b. For Add Address, click .
c. For Address, enter the IPv4 address or network that can access the device's web
administration service. Allowed values are:
  - A single IP address or host name.
  - A network designation in CIDR notation, for example, 192.168.1.0/24.
  - any: No limit to IPv4 addresses that can access the web administration service.
d. Click  again to list additional IP addresses or networks.
- To limit access to specified IPv6 addresses and networks:
a. Click IPv6 Addresses.
b. For Add Address, click .
c. For Address, enter the IPv6 address or network that can access the device's web
administration service. Allowed values are:
  - A single IP address or host name.
  - A network designation in CIDR notation, for example, 2001:db8::/48.
  - any: No limit to IPv6 addresses that can access the web administration service.
d. Click  again to list additional IP addresses or networks.
- To limit access to hosts connected through a specified interface on the device:
a. Click Interfaces.
b. For Add Interface, click .
c. For Interface, select the appropriate interface from the dropdown.
d. Click  again to allow access through additional interfaces.
- To limit access based on firewall zones:
a. Click Zones. By default, there are three firewall zones already configured: Internal,
Edge, and IPsec.
b. For Add Zone, click .
c. For Zone, select the appropriate firewall zone from the dropdown.
See Firewall configuration for information about firewall zones.
d. Click  again to allow access through additional firewall zones.
10. (Optional) Enable Send broadcast messages to configure the gateway to send broadcast
messages to this client.
11. For Response timeout, type the maximum time to wait for a response to a message.
Allowed values are between 1 millisecond and 700 milliseconds, and take the format
numberms.
For example, to set Response timeout to 100 milliseconds, enter 100ms. The default is
700ms.
12. Click to expand Modbus address filter.
This filter is used by the gateway to determine if a message should be forwarded to a
destination device. If the Modbus address in the message matches one or more of the filters,
the message is forwarded. If it does not match the filters, the message is not forwarded.
13. For Address or address range, type a Modbus address or range of addresses. Allowed values
are 1 through 255 or a hyphen-separated range.
For example, to have this client filter for incoming messages that contain the Modbus address
of 10, type 10. To filter for all messages with addresses in the range of 20 to 30, type 20-30.
To add additional address filters for this client, click .

14. For Fixed Modbus server address, if request messages handled by this client should always
be forwarded to a specific device, type the device's Modbus address. Leave at the default
setting of 0 to allow messages that match the Modbus address filter to be forwarded to
devices based on the Modbus address in the message.
15. For Adjust Modbus server address, type a value to adjust the Modbus server address
downward by the specified value prior to delivering the message. Allowed values are 0 through
255. Leave at the default setting of 0 to not adjust the server address.
If a packet contains a Modbus server address above the amount entered here, the address will
be adjusted downward by this amount before the packet is delivered. This allows you to
configure clients on the gateway that will forward messages to remote devices with the same
Modbus address on different buses. For example, if there are two devices on two different
buses that have the same Modbus address of 10, you can create two clients on the gateway:
- Client one:
  - Modbus address filter set to 10.
This will configure the gateway to deliver all messages that have the Modbus server
address of 10 to this device.
- Client two:
  - Modbus address filter set to 20.
  - Adjust Modbus server address set to 10.
This will configure the gateway to deliver all messages that have the Modbus server
address of 20 to the device with address 10.
16. Repeat these steps to configure additional clients.
17. Click Apply to save the configuration and apply the change.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Enable the Modbus gateway:

(config)> service modbus_gateway enable true
(config)>

4. Configure servers:
a. Add a server:

(config)> add service modbus_gateway server name
(config service modbus_gateway server name)>

where name is a name for the server, for example:

(config)> add service modbus_gateway server test_modbus_server
(config service modbus_gateway server test_modbus_server)>

The Modbus server is enabled by default. To disable:

(config service modbus_gateway server test_modbus_server)> enable false
(config service modbus_gateway server test_modbus_server)>

b. Set the connection type:

(config service modbus_gateway server test_modbus_server)> connection_type type
(config service modbus_gateway server test_modbus_server)>

where type is either socket or serial. The default is socket.
- If connection_type is set to socket:
i. Set the IP protocol:

(config service modbus_gateway server test_modbus_server)> socket protocol value
(config service modbus_gateway server test_modbus_server)>

where value is either tcp or udp.
ii. Set the port:

(config service modbus_gateway server test_modbus_server)> socket port
(config service modbus_gateway server test_modbus_server)>

where port is an integer between 1 and 65535. The default is 502.
iii. Set the packet mode:

(config service modbus_gateway server test_modbus_server)> socket packet_mode value
(config service modbus_gateway server test_modbus_server)>

where value is either rtu or raw. The default is rtu.


iv. Set the maximum allowable time between bytes in a packet:

(config service modbus_gateway server test_modbus_server)> socket idle_gap value
(config service modbus_gateway server test_modbus_server)>

where value is any number between 10 milliseconds and one second, and takes
the format number{ms|s}.
For example, to set idle_gap to 20 milliseconds, enter 20ms.
v. Set the amount of time to wait before disconnecting the socket when it has
become inactive:

(config service modbus_gateway server test_modbus_server)> inactivity_timeout value
(config service modbus_gateway server test_modbus_server)>

where value is any number of minutes or seconds up to a maximum of 15
minutes, and takes the format number{m|s}.
For example, to set inactivity_timeout to ten minutes, enter either 10m or
600s:

(config service modbus_gateway server test_modbus_server)> inactivity_timeout 600s
(config service modbus_gateway server test_modbus_server)>

- If connection_type is set to serial:
i. Set the serial port:
i. Use the ? to determine available serial ports:

(config service modbus_gateway server test_modbus_server)> ... serial port ?

Serial

Additional Configuration
-------------------------------------------------------------------------------
port1 Port 1

(config service modbus_gateway server test_modbus_server)>

ii. Set the port:

(config service modbus_gateway server test_modbus_server)> serial port
(config service modbus_gateway server test_modbus_server)>

ii. Set the packet mode:

(config service modbus_gateway server test_modbus_server)> serial packet_mode value
(config service modbus_gateway server test_modbus_server)>

where value is either rtu or ascii. The default is rtu.

iii. Set the maximum allowable time between bytes in a packet:

(config service modbus_gateway server test_modbus_server)> serial idle_gap value
(config service modbus_gateway server test_modbus_server)>

where value is any number between 10 milliseconds and one second, and takes
the format number{ms|s}.
For example, to set idle_gap to one second, enter 1000ms or 1s.
iv. (Optional) Enable half-duplex (two wire) mode:

(config service modbus_gateway server test_modbus_server)> serial half_duplex true
(config service modbus_gateway server test_modbus_server)>

c. Repeat the above instructions for additional servers.
5. Configure clients:
a. Type ... to return to the root of the configuration:

(config service modbus_gateway server test_modbus_server)> ...
(config)>

b. Add a client:

(config)> add service modbus_gateway client name
(config service modbus_gateway client name)>

where name is a name for the client, for example:

(config)> add service modbus_gateway client test_modbus_client
(config service modbus_gateway client test_modbus_client)>

The Modbus client is enabled by default. To disable:

(config service modbus_gateway client test_modbus_client)> enable false
(config service modbus_gateway client test_modbus_client)>

c. Set the connection type:

(config service modbus_gateway client test_modbus_client)> connection_type type
(config service modbus_gateway client test_modbus_client)>

where type is either socket or serial. The default is socket.
- If connection_type is set to socket:
i. Set the IP protocol:

(config service modbus_gateway client test_modbus_client)> socket protocol value
(config service modbus_gateway client test_modbus_client)>

where value is either tcp or udp.
ii. Set the port:

(config service modbus_gateway client test_modbus_client)> socket port
(config service modbus_gateway client test_modbus_client)>

where port is an integer between 1 and 65535. The default is 502.
iii. Set the packet mode:

(config service modbus_gateway client test_modbus_client)> socket packet_mode value
(config service modbus_gateway client test_modbus_client)>

where value is either rtu or ascii. The default is rtu.


iv. Set the maximum allowable time between bytes in a packet:

(config service modbus_gateway client test_modbus_client)> socket idle_gap value
(config service modbus_gateway client test_modbus_client)>

where value is any number between 10 milliseconds and one second, and takes
the format number{ms|s}.
For example, to set idle_gap to 20 milliseconds, enter 20ms.
v. Set the amount of time to wait before disconnecting the socket when it has
become inactive:

(config service modbus_gateway client test_modbus_client)> inactivity_timeout value
(config service modbus_gateway client test_modbus_client)>

where value is any number of minutes or seconds up to a maximum of 15
minutes, and takes the format number{m|s}.
For example, to set inactivity_timeout to ten minutes, enter either 10m or
600s:

(config service modbus_gateway client test_modbus_client)> inactivity_timeout 600s
(config service modbus_gateway client test_modbus_client)>

vi. Set the hostname or IP address of the remote host on which the Modbus server
is running:

(config service modbus_gateway client test_modbus_client)> remote_host ip_address|hostname
(config service modbus_gateway client test_modbus_client)>

- If connection_type is set to serial:
i. Set the serial port:
i. Use the ? to determine available serial ports:

(config service modbus_gateway client test_modbus_client)> ... serial port ?

Serial

Additional Configuration
-------------------------------------------------------------------------------
port1 Port 1

(config service modbus_gateway client test_modbus_client)>

ii. Set the port:

(config service modbus_gateway client test_modbus_client)> serial port
(config service modbus_gateway client test_modbus_client)>

ii. Set the packet mode:

(config service modbus_gateway client test_modbus_client)> serial packet_mode value
(config service modbus_gateway client test_modbus_client)>

where value is either rtu or ascii. The default is rtu.


iii. Set the maximum allowable time between bytes in a packet:

(config service modbus_gateway client test_modbus_client)> serial idle_gap value
(config service modbus_gateway client test_modbus_client)>

where value is any number between 10 milliseconds and one second, and takes
the format number{ms|s}.
For example, to set idle_gap to one second, enter 1000ms or 1s.
iv. (Optional) Enable half-duplex (two wire) mode:

(config service modbus_gateway client test_modbus_client)> serial half_duplex true
(config service modbus_gateway client test_modbus_client)>

d. (Optional) Enable the gateway to send broadcast messages to this client:

(config service modbus_gateway client test_modbus_client)> broadcast true
(config service modbus_gateway client test_modbus_client)>

e. Set the maximum time to wait for a response to a message:

(config service modbus_gateway client test_modbus_client)> response_timeout value
(config service modbus_gateway client test_modbus_client)>

Allowed values are between 1 millisecond and 700 milliseconds, and take the format
numberms.
For example, to set response_timeout to 100 milliseconds:

(config service modbus_gateway client test_modbus_client)> response_timeout 100ms
(config service modbus_gateway client test_modbus_client)>

The default is 700ms.


f. Configure the address filter:
This filter is used by the gateway to determine if a message should be forwarded to a
destination device. If the Modbus address in the message matches one or more of the
filters, the message is forwarded. If it does not match the filters, the message is not
forwarded. Allowed values are 1 through 255 or a hyphen-separated range.
For example:
- To have this client filter for incoming messages that contain the Modbus address of
10, set the index 0 entry to 10:

(config service modbus_gateway client test_modbus_client)> filter 0 10
(config service modbus_gateway client test_modbus_client)>

- To filter for all messages with addresses in the range of 20 to 30, set the index 0
entry to 20-30:

(config service modbus_gateway client test_modbus_client)> filter 0 20-30
(config service modbus_gateway client test_modbus_client)>

To add additional filters, increment the index number. For example, to add an additional
filter for addresses in the range of 50-100:

(config service modbus_gateway client test_modbus_client)> filter 1 50-100
(config service modbus_gateway client test_modbus_client)>

g. If request messages handled by this client should always be forwarded to a specific device,
use fixed_server_address to set the device's Modbus address:

(config service modbus_gateway client test_modbus_client)> fixed_server_address value
(config service modbus_gateway client test_modbus_client)>

Leave at the default setting of 0 to allow messages that match the Modbus address filter to
be forwarded to devices based on the Modbus address in the message.
h. To adjust the Modbus server address downward by the specified value prior to delivering
the message, use adjust_server_address:

(config service modbus_gateway client test_modbus_client)> adjust_server_address value
(config service modbus_gateway client test_modbus_client)>

where value is an integer from 0 to 255. Leave at the default setting of 0 to not adjust the
server address.
If a packet contains a Modbus server address above the amount entered here, the address
will be adjusted downward by this amount before the packet is delivered. This allows you
to configure clients on the gateway that will forward messages to remote devices with the
same Modbus address on different buses. For example, if there are two devices on two
different buses that have the same Modbus address of 10, you can create two clients on
the gateway:
- Client one:
  - filter set to 10.
This will configure the gateway to deliver all messages that have the Modbus server
address of 10 to this device.
- Client two:
  - filter set to 20.
  - adjust_server_address set to 10.
This will configure the gateway to deliver all messages that have the Modbus server
address of 20 to the device with address 10.
i. Repeat the above instructions for additional clients.
6. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

7. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
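
The address filter, fixed_server_address and adjust_server_address settings described in the Web and command-line procedures above can be modelled offline to check which client a given Modbus address reaches and which address is delivered. This is an added example, not Digi code: the Client class, the function names and the rule that a non-zero fixed address takes precedence over the adjustment are assumptions, and the overlap report goes beyond the guide's two-client case.

```python
"""Model of the gateway's client selection and address rewrite (added example)."""
from dataclasses import dataclass, field


def parse_filter(spec):
    """Parse one filter entry: a single address ("10") or a range ("20-30")."""
    low_text, dash, high_text = spec.strip().partition("-")
    low = int(low_text)
    high = int(high_text) if dash else low
    if not 1 <= low <= high <= 255:
        raise ValueError(f"filter {spec!r} must lie within 1-255, low end first")
    return range(low, high + 1)


@dataclass
class Client:
    """One gateway client, using the CLI setting names from this section."""
    name: str
    filters: list
    fixed_server_address: int = 0   # 0 = deliver by the address in the message
    adjust_server_address: int = 0  # 0 = no adjustment
    ranges: list = field(init=False, repr=False, default_factory=list)

    def __post_init__(self):
        for value in (self.fixed_server_address, self.adjust_server_address):
            if not 0 <= value <= 255:
                raise ValueError(f"{self.name}: address setting {value} not in 0-255")
        self.ranges = [parse_filter(spec) for spec in self.filters]

    def matches(self, address):
        """True if the message address matches one or more of the filters."""
        return any(address in allowed for allowed in self.ranges)

    def delivered_address(self, address):
        """Address the message carries when it leaves the gateway."""
        # Assumption: a non-zero fixed address takes precedence over the adjustment.
        if self.fixed_server_address:
            return self.fixed_server_address
        # Only an address above the configured amount is adjusted downward.
        if address > self.adjust_server_address:
            return address - self.adjust_server_address
        return address


def route(clients, address):
    """List (client name, delivered address) for every client whose filter matches."""
    return [(c.name, c.delivered_address(address)) for c in clients if c.matches(address)]


def overlapping_addresses(clients):
    """Map each address claimed by more than one client to those client names."""
    overlaps = {}
    for address in range(1, 256):
        names = [c.name for c in clients if c.matches(address)]
        if len(names) > 1:
            overlaps[address] = names
    return overlaps


# Constructed sample: the two-bus case from the text, both devices at address 10.
EXAMPLE_CLIENTS = [
    Client("bus_a", ["10"]),
    Client("bus_b", ["20"], adjust_server_address=10),
]

if __name__ == "__main__":
    for address in (10, 20, 15):
        print(address, "->", route(EXAMPLE_CLIENTS, address))
    print("overlaps:", overlapping_addresses(EXAMPLE_CLIENTS))
```

An address that no filter matches returns an empty list, which corresponds to the message not being forwarded; a non-empty overlap report marks filters to review before the configuration is saved.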

Modbus hardening
Modbus hardening refers to the process of enhancing the security and reliability of Modbus
communications between devices over a network by implementing various protective measures. This
includes configuring the Modbus systems to minimize vulnerabilities, applying access controls, using
encryption, segmenting networks, upgrading firmware on the devices, as well as monitoring and
logging. Modbus hardening is about making the serial communication between devices over a
network more secure against cyber threats.

Hardening can involve implementing various security measures, such as:

- Access control
Update the Services > Modbus Gateway > Gateway servers > Access control list settings to
only allow access to the Modbus service on the specific network interfaces, firewall zones, and
source IP addresses that you expect the Modbus queries to come from. See Configure the
Modbus gateway for more information.
- Encryption
Further lock down access to the Modbus gateway service on the Connect EZ 16/32 by
configuring it to establish a VPN tunnel, then update the access control list as mentioned
above to only allow access to the Modbus service through the VPN connection.
- Network segmentation
Use a separate firewall zone for the network interface(s) and/or VPN tunnels that the user will
be accessing the Modbus gateway service through to ensure that the Modbus access is
separate from other network traffic.
- Monitoring and logging
Utilize Digi Remote Manager or an external logging service to monitor the activity on your Digi
router.
- Firmware upgrades
Keep your firmware current so your Connect EZ 16/32 has the most recent security patches
and bug fixes.

Note To see how you can implement security measures for your Modbus gateway service, see Use case
| Secure your Modbus gateway service.

Use case | Secure your Modbus gateway service


Do you want to secure Modbus messaging across an internet connection to safeguard the
information being communicated between Digi devices over your network?
You can by implementing security measures, such as access control, encryption, network
segmentation, monitoring and logging, and firmware upgrades to ensure the integrity and
confidentiality of Modbus communications between Digi devices on your network.

1. Determine the devices on your network that need to communicate with each other via the
Modbus Gateway service.
2. Isolate Modbus traffic using VLANs or separate network interfaces.
3. Implement strong authentication.
4. Define access policies.
Update the Services > Modbus Gateway > Gateway servers > Access control list settings to
only allow access to the Modbus service on the specific network interfaces, firewall zones, and
source IP addresses that you expect the Modbus queries to come from. See Configure the
Modbus gateway for more information.
5. Create a VPN tunnel, such as IPsec or WireGuard, to protect data in transit between your
devices.
6. Configure firewalls to monitor and control incoming and outgoing traffic.
By implementing these advanced security protocols and ensuring reliable data transmission, this
service effectively addresses the challenges of data integrity and privacy on your network.

Show Modbus gateway status and statistics


You can view status and statistics about the Modbus gateway from either the WebUI or the command
line.

 Web
Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
1. On the menu, select Status > Modbus Gateway.
The Modbus Gateway page appears.
Statistics related to the Modbus gateway server are displayed. If the message Server
connections not available is displayed, this indicates that there are no connected clients.
n To view information about Modbus gateway clients, click Clients.
n To view statistics that are common to both the clients and server, click Common
Statistics.
n To view configuration details about the gateway, click the  (configuration) icon in the
upper right of the gateway's status pane.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. Use the show modbus-gateway command at the system prompt:

> show modbus-gateway

Server Connection  IP Address   Port   Uptime
-----------------  -----------  -----  ------
modbus_socket      10.45.1.139  49570  6
modbus_socket      10.45.1.139  49568  13

Client                Uptime
--------------------  ------
modbus_socket_41      0
modbus_socket_21      0
modbus_serial_client  428

>

If the message Server connections not available is displayed, this indicates that there are no
connected clients.
3. Use the show modbus-gateway verbose command at the system prompt to display more
information:

> show modbus-gateway verbose

Client                Uptime
--------------------  ------
modbus_socket_41      0
modbus_socket_21      0
modbus_serial_client  506

Common Statistics
-----------------
Configuration Updates : 1
Client Configuration Failure : 0
Server Configuration Failure : 0
Configuration Load Failure : 0
Incoming Connections : 4
Internal Error : 0
Resource Shortages : 0

Servers
-------

modbus_socket
-------------
Client Lookup Errors : 0
Incoming Connections : 4
Packet Errors : 0
RX Broadcasts : 0
RX Requests : 12
TX Exceptions : 0
TX Responses : 12

Clients
-------

modbus_socket_41
----------------
Address Translation Errors : 0
Connection Errors : 0
Packet Errors : 0
RX Responses : 4
RX Timeouts : 0
TX Broadcasts : 0
TX Requests : 4

modbus_socket_21
----------------
Address Translation Errors : 0
Connection Errors : 0
Packet Errors : 0
RX Responses : 4
RX Timeouts : 0
TX Broadcasts : 0
TX Requests : 4

modbus_serial_client
--------------------
Address Translation Errors : 0
Connection Errors : 0
Packet Errors : 0
RX Responses : 4
RX Timeouts : 0
TX Broadcasts : 0
TX Requests : 4

>

4. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
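
The following is an added example, not part of the Digi guide: a Python check that parses the Server Connection table from show modbus-gateway and reports any connected peer whose address is outside the networks you allowed in the access control list. The sample output is constructed in the format shown above; the allowlist value and the function names are assumptions.

```python
import ipaddress
import re

# Constructed sample, laid out like the `show modbus-gateway` output above.
# The 192.0.2.77 row is invented to give the check something to find.
SAMPLE_OUTPUT = """\
> show modbus-gateway

 Server Connection  IP Address   Port   Uptime
 -----------------  -----------  -----  ------
 modbus_socket      10.45.1.139  49570  6
 modbus_socket      10.45.1.139  49568  13
 modbus_socket      192.0.2.77   51012  2

 Client                Uptime
 --------------------  ------
 modbus_socket_41      0
 modbus_socket_21      0
 modbus_serial_client  428

>
"""

# Assumption: the source networks entered in the gateway server's access
# control list. Keep this list identical to the device configuration.
ALLOWED_NETWORKS = ["10.45.1.0/24"]

# Columns: server name, peer address, peer port, uptime.
ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\d{1,5})\s+(\d+)\s*$")


def parse_server_connections(text):
    """Return (server, ip, port, uptime) tuples from the Server Connection table."""
    rows, in_table = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Server Connection"):
            in_table = True
            continue
        if not in_table:
            continue
        if not stripped:
            if rows:
                break      # blank line after the data rows ends the table
            continue       # tolerate blank lines between header and rows
        if set(stripped) <= {"-", " "}:
            continue       # separator line
        match = ROW.match(line)
        if not match:
            break          # reached the next table or the prompt
        server, ip, port, uptime = match.groups()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue       # not an address; skip rather than guess
        rows.append((server, ip, int(port), int(uptime)))
    return rows


def unexpected_peers(connections, allowed_networks):
    """Return connections whose peer address is outside every allowed network."""
    networks = [ipaddress.ip_network(n) for n in allowed_networks]
    flagged = []
    for server, ip, port, _uptime in connections:
        address = ipaddress.ip_address(ip)
        if not any(address in network for network in networks):
            flagged.append((server, ip, port))
    return flagged


if __name__ == "__main__":
    connections = parse_server_connections(SAMPLE_OUTPUT)
    for server, ip, port in unexpected_peers(connections, ALLOWED_NETWORKS):
        print(f"ALERT {server}: peer {ip}:{port} is not in the allowlist")
```

A hit means either the access control list on the device is looser than the allowlist you intended, or the allowlist in the script is out of date.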

System time synchronization


System time synchronization refers to the process of coordinating the system time of your Connect EZ
16/32 device with an external, more accurate time source. By default, this synchronization occurs one
time per day, but will also synchronize at startup, and in response to a change in the route. There are
two configuration parameters that control system time synchronization: ntpdate and
system.time.resync_interval.
The ntpdate default configurations include the following:
n Time zone: UTC
n NTP server: the Digi NTP server, time.digicloud.com
The system.time.resync_interval default configuration includes the following:
n Frequency of the synchronization: 1d (one day). Set to 0 (zero) for no synchronization except
at startup and route change.
No additional configuration is required for the synchronization if this default configuration is sufficient
for your setup. However, you can change per-day synchronization, the default time zone, and the
default NTP server, as well as adding additional NTP servers. If multiple NTP servers are added, time
samples are obtained from each server. Selection algorithms are used to determine the most accurate
time. See Configure the system time synchronization for details about changing the default
configuration.
The Connect EZ 16/32 device can also be configured to serve as an NTP server, providing NTP services
to downstream devices. See Network Time Protocol for more information about NTP server support.
You can also set the local date and time manually, if there is no access to the configured NTP servers
or modem time sources. See Manually set the system date and time for more information.

Configure the system time synchronization


To configure or change the system time synchronization:
 Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:

a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click System > Time.
4. Modify the settings.

System time setting UI Configuration


Timezone Choose the time zone closest to where the device is located.
The default time zone is UTC.
Resynchronization interval Type the frequency of the daily update.
The default is 1d (one day).
Set to 0 (zero) for no synchronization.
Time sources a. Click  to add a new time source.
The time source is now enabled by default.
b. In Type of time source, choose whether you want to use an
NTP or Modem as the external source to which the device
synchronizes.
n If using an NTP, click  to add the Server hostname.
The default is time.devicecloud.com.

Note If multiple NTP servers are added, time samples are obtained from each server.
Selection algorithms are used to determine the most accurate time.

n If using a modem, specify the Modem and Modem time offset.
The default offset is Local.
5. Click Apply to save the configuration and apply the change.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Type system time to enter configuration mode for system time.

> config system time


(config system time)>

4. Add a new time source or modify the settings.

System time setting UI Configuration
Timezone (Optional) Set the timezone for the location of your Connect EZ 16/32 device.
The default is UTC.

(config)> system time timezone value


(config)>

Where value is the timezone using the format specified with the following
command:

(config)> system time timezone ?

Timezone: The timezone for the location of this device. This is used to adjust the time for log
messages. It also affects actions that occur at a specific time of day.
Format:
Africa/Abidjan
Africa/Accra
Africa/Addis_Ababa
...

(config)>

Resynchronization interval Type the frequency of the daily update.
The default is 1d (one day). Set to 0 (zero) for no synchronization.

(config)> system time resync_interval value
(config)>

Where value is {w|d|h|m|s}. For more information:

(config)> system time resync_interval ?

Format: number {w|d|h|m|s}...
Optional: yes
Default value: 1 d
Current value: 1 d
(config)>

Time sources Add a new time source, either an NTP server or a modem.

Note The default NTP server is time.devicecloud.com.

n If adding one or more NTP servers:

add service ntp server 0 time.server.com

Note If multiple NTP servers are added, time samples are obtained
from each server. Selection algorithms are used to determine the most
accurate time.

Note This list is synchronized with the list of servers included with NTP
server configuration, and changes made to one will be reflected in the
other. See Configure the device as an NTP server for more information
about NTP server configuration.

n If adding a modem, specify the modem and time offset:
The default offset is Local.

(config system time source)> add end
(config system time source 1)>
(config system time source 1)> type modem
(config system time source 1)> modem modem

n To see the modem and its settings:

(config system time source 1)> show
enable true
no label
modem modem
offset local
type modem

5. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

6. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Test the connection to the NTP servers


The following procedure tests the configured NTP servers for connectivity. This test does not affect
the device's current local date and time.

 Command line

1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. Test the configured NTP servers for connectivity:

> system time test

Testing NTP server time.devicecloud.com on UDP port 123...
server 52.2.40.158, stratum 2, offset -0.000216, delay 0.05800
server 35.164.164.69, stratum 2, offset -0.000991, delay 0.07188
24 Aug 22:01:20 ntpdate[28496]: adjust time server 52.2.40.158 offset -0.000216 sec
NTP test sync successful

Testing NTP server time.accns.com on UDP port 123...
server 128.136.167.120, stratum 3, offset -0.001671, delay 0.08455
24 Aug 22:01:20 ntpdate[28497]: adjust time server 128.136.167.120 offset -0.001671 sec
NTP test sync successful
>

3. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Manually synchronize with the NTP server


The following procedure performs an NTP query to the configured servers and sets the local time to the
first server that responds.

1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. Synchronize the device's local date and time:

> system time sync

24 Aug 22:03:55 ntpdate[2520]: step time server 52.2.40.158 offset -0.000487 sec
NTP sync to time.devicecloud.com successful
>

3. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Manually set the system date and time


If your network restricts access to NTP servers, use this procedure to set the local date and time.
This procedure is available at the Admin CLI only.

 Command line

1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. Set the device's local date and time:

> system time set value


>

where value is the date in year-month-day hour:minute:second format. The value must be
surrounded by double quotes. For example:

> system time set "2024-01-12 12:10:00"


>

3. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Network Time Protocol


Network Time Protocol (NTP) enables devices connected on local and worldwide networks to
synchronize their internal software and hardware clocks to the same time source. The Connect EZ
16/32 device can be configured as an NTP server, allowing downstream hosts that are attached to the
device's Local Area Networks to synchronize with the device.
When the device is configured as an NTP server, it also functions as an NTP client. The NTP client will
be consistently synchronized with one or more upstream NTP servers, which means that NTP packets
are transferred every few seconds. A minimum of one upstream NTP server is required. Additional NTP
servers can be configured. If multiple servers are configured, a number of time samples are obtained
from each of the servers and a subset of the NTP clock filter and selection algorithms are applied to
select the best of these.
See Configure the device as an NTP server for information about configuring your device as an NTP
server.

Configure the device as an NTP server


Required Configuration Items
n Enable the NTP service.
n At least one upstream NTP server for synchronization. The default setting is the Digi NTP
server, time.devicecloud.com.

Additional Configuration Options


n Additional upstream NTP servers.
n Access control list to limit downstream access to the Connect EZ 16/32 device's NTP service.
n The time zone setting, if the default setting of UTC is not appropriate.
To configure the Connect EZ 16/32 device's NTP service:

 Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Services > NTP.
4. Enable the Connect EZ 16/32 device's NTP service by clicking Enable.
5. (Optional) Configure the access control list to limit downstream access to the Connect EZ 16/32
device's NTP service.
n To limit access to specified IPv4 addresses and networks:
a. Click IPv4 Addresses.
b. For Add Address, click .
c. For Address, enter the IPv4 address or network that can access the device's NTP
service. Allowed values are:
l A single IP address or host name.
l A network designation in CIDR notation, for example, 192.168.1.0/24.
l any: No limit to IPv4 addresses that can access the NTP service.
d. Click  again to list additional IP addresses or networks.
n To limit access to specified IPv6 addresses and networks:
a. Click IPv6 Addresses.
b. For Add Address, click .
c. For Address, enter the IPv6 address or network that can access the device's NTP
service. Allowed values are:
l A single IP address or host name.
l A network designation in CIDR notation, for example, 2001:db8::/48.
l any: No limit to IPv6 addresses that can access the NTP service.
d. Click  again to list additional IP addresses or networks.

n To limit access to hosts connected through a specified interface on the device:


a. Click Interfaces.
b. For Add Interface, click .
c. For Interface, select the appropriate interface from the dropdown.
d. Click  again to allow access through additional interfaces.
n To limit access based on firewall zones:
a. Click Zones. By default, there are three firewall zones already configured: Internal,
Edge, and IPsec.
b. For Add Zone, click .
c. For Zone, select the appropriate firewall zone from the dropdown.
See Firewall configuration for information about firewall zones.
d. Click  again to allow access through additional firewall zones.

Note By default, the access control list for the NTP service is empty, which means that all
downstream hosts connected to the Connect EZ 16/32 device can use the NTP service.

6. Enable Fall back to local clock to allow the device's local system clock to be used as backup
time source.
7. (Optional) Add upstream NTP servers that the device will use to synchronize its time. The
default setting is time.devicecloud.com.
n To change the default value of the NTP server:
a. Click NTP servers.
b. For Server, type a new server name.
n To add an NTP server:
a. Click NTP servers.
b. For Add Server, click .
c. For Server, enter the hostname of the upstream NTP server that the device will use
to synchronize its time.
d. Click  to add additional NTP servers. If multiple servers are included, servers are
tried in the order listed until one succeeds.

Note This list is synchronized with the list of servers included with NTP client configuration,
and changes made to one will be reflected in the other. See Configure the system time
synchronization for more information about NTP client configuration.

8. (Optional) Configure the system time zone. The default is UTC.


a. Click System > Time
b. Select the Timezone for the location of your Connect EZ 16/32 device.
9. Click Apply to save the configuration and apply the change.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.

Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Enable the ntp service:

(config)> service ntp enable true


(config)>

4. (Optional) Add an upstream NTP server that the device will use to synchronize its time to the
appropriate location in the list of NTP servers. The default setting is time.devicecloud.com.
n To delete the default NTP server, time.devicecloud.com:

(config)> del service ntp server 0


(config)>

n To add the NTP server to the beginning of the list, use the index value of 0 to indicate
that it should be added as the first server:

(config)> add service ntp server 0 time.server.com


(config)>

n To add the NTP server to the end of the list, use the index keyword end:

(config)> add service ntp server end time.server.com


(config)>

n To add the NTP server in another location in the list, use an index value to indicate the
appropriate position. For example:

(config)> add service ntp server 1 time.server.com


(config)>

Note This list is synchronized with the list of servers included with NTP client configuration,
and changes made to one will be reflected in the other. See Configure the system time
synchronization for more information about NTP client configuration.

5. Allow the device's local system clock to be used as backup time source:

(config)> service ntp local true


(config)>

6. (Optional) Configure the access control list to limit downstream access to the Connect EZ 16/32
device's NTP service.
n To limit access to specified IPv4 addresses and networks:

(config)> add service ntp acl address end value


(config)>

Where value can be:


l A single IP address or host name.
l A network designation in CIDR notation, for example, 192.168.1.0/24.
l any: No limit to IPv4 addresses that can access the NTP server agent.
Repeat this step to list additional IP addresses or networks.
n To limit access to specified IPv6 addresses and networks:

(config)> add service ntp acl address6 end value


(config)>

Where value can be:


l A single IP address or host name.
l A network designation in CIDR notation, for example, 2001:db8::/48.
l any: No limit to IPv6 addresses that can access the NTP server agent.
Repeat this step to list additional IP addresses or networks.
n To limit access to hosts connected through a specified interface on the Connect EZ
16/32 device:

(config)> add service ntp acl interface end value


(config)>

Where value is an interface defined on your device.

Display a list of available interfaces:


Use ... network interface ? to display interface information:

Repeat this step to list additional interfaces.


n To limit access based on firewall zones:

(config)> add service ntp acl zone end value


(config)>

Where value is a firewall zone defined on your device, or the any keyword.

Display a list of available firewall zones:


Type ... firewall zone ? at the config prompt:

(config)> ... firewall zone ?

Zones: A list of groups of network interfaces that can be referred to by packet
filtering rules and access control lists.

Additional Configuration
-------------------------------------------------------------------------------
any
dynamic_routes
edge
external
internal
ipsec
loopback
setup

(config)>

Repeat this step to include additional firewall zones.

Note By default, the access control list for the NTP service is empty, which means that all
downstream hosts connected to the Connect EZ 16/32 device can use the NTP service.

7. (Optional) Set the timezone for the location of your Connect EZ 16/32 device. The default is
UTC.

(config)> system time timezone value


(config)>

Where value is the timezone using the format specified with the following command:

(config)> system time timezone ?

Timezone: The timezone for the location of this device. This is used to adjust the time for log
messages. It also affects actions that occur at a specific time of day.
Format:
Africa/Abidjan
Africa/Accra
Africa/Addis_Ababa
...

(config)>

8. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

9. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Show status and statistics of the NTP server


You can display status and statistics for active NTP servers.

 Web

Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
1. On the main menu, click Status.
2. Under Services, click NTP.
The NTP server status page is displayed.

 Command line

Show NTP information


1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. Use the show ntp command at the system prompt:

> show ntp

NTP Status Status
-----------------
Status      : Up
Sync Status : Up

Remote            Refid          ST  T  When  Poll  Reach  Delay   Offset  Jitter
----------------  -------------  --  -  ----  ----  -----  ------  ------  ------
*ec2-52-2-40-158  129.6.15.32    2   u  191   1024  377    33.570  +1.561  0.991
128.136.167.120   128.227.205.3  3   u  153   1024  1      43.583  -1.895  0.382

>

3. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
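
The following is an added example, not part of the Digi guide: a Python check that reads the peer table from show ntp and reports upstream servers that are not answering polls, which matters when log timestamps are used as evidence. It assumes the table follows the usual ntpq peer listing conventions (a leading * marks the server selected for synchronization, Reach is an octal register of the last eight polls, stratum 16 means unsynchronized); the sample output is constructed and the function names are hypothetical.

```python
# Constructed sample, laid out like the `show ntp` output above.
SAMPLE_OUTPUT = """\
> show ntp

 NTP Status Status
 -----------------
 Status       : Up
 Sync Status  : Up

 Remote            Refid          ST  T  When  Poll  Reach  Delay   Offset  Jitter
 ----------------  -------------  --  -  ----  ----  -----  ------  ------  ------
 *ec2-52-2-40-158  129.6.15.32    2   u  191   1024  377    33.570  +1.561  0.991
  128.136.167.120  128.227.205.3  3   u  153   1024  1      43.583  -1.895  0.382

>
"""

# Non-letter tally marks (assumed ntpq conventions). Letter marks such as "x"
# are not decoded: after splitting on whitespace they cannot be told apart
# from the first letter of a host name.
TALLY_MARKS = "*+-#"


def parse_peers(text):
    """Return one dict per peer row; headers, separators and prompts are skipped."""
    peers = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 10:
            continue
        remote, refid, stratum, _t, _when, _poll, reach, delay, offset, jitter = fields
        tally = ""
        if len(remote) > 1 and remote[0] in TALLY_MARKS:
            tally, remote = remote[0], remote[1:]
        try:
            peer = {
                "tally": tally,
                "remote": remote,
                "refid": refid,
                "stratum": int(stratum),
                "reach": int(reach, 8) & 0xFF,   # octal shift register
                "delay_ms": float(delay),
                "offset_ms": float(offset),
                "jitter_ms": float(jitter),
            }
        except ValueError:
            continue  # header or separator line
        peer["polls_answered"] = bin(peer["reach"]).count("1")
        peers.append(peer)
    return peers


def peer_findings(peers):
    """Return (remote, issue) tuples for peers that need attention."""
    findings = []
    if not any(p["tally"] == "*" for p in peers):
        findings.append(("(device)", "no upstream server is selected for synchronization"))
    for p in peers:
        if p["stratum"] >= 16:
            findings.append((p["remote"], "stratum 16: server is unsynchronized"))
        elif p["polls_answered"] < 8:
            # Also true for a server that was only just added; re-check later.
            findings.append((p["remote"], f"answered {p['polls_answered']} of last 8 polls"))
    return findings


if __name__ == "__main__":
    for remote, issue in peer_findings(parse_peers(SAMPLE_OUTPUT)):
        print(f"{remote}: {issue}")
```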

Configure a multicast route


Multicast routing allows a device to transmit data to a single multicast address, which is then
distributed to a group of devices that are configured to be members of that group.
To configure a multicast route:

 Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Services > Multicast.
4. For Add Multicast route, type a name for the route and click .
5. The new route is enabled by default. To disable, toggle off Enable.
6. Type the Source address for the route. This must be a multicast IP address between 224.0.0.1
and 239.255.255.255.
7. Select a Source interface where multicast packets will arrive.
8. To add one or more destination interfaces that the Connect EZ 16/32 device will send multicast
packets to:
a. Click to expand Destination interfaces.
b. Click .
c. For Destination interface, select the interface.
d. Repeat for additional destination interfaces.
9. Click Apply to save the configuration and apply the change.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Add the multicast route. For example, to add a route named test:

(config)> add service multicast test


(config service multicast test)>

4. The multicast route is enabled by default. If it has been disabled, enable the route:

(config service multicast test)> enable true


(config service multicast test)>

5. Set the source address for the route. This must be a multicast IP address between 224.0.0.1
and 239.255.255.255.

(config service multicast test)> dst ip-address


(config service multicast test)>

6. Set the source interface for the route where multicast packets will arrive:
a. Use the ? to determine available interfaces:
b. Set the interface. For example:

(config service multicast test)> src_interface /network/interface/eth1


(config service multicast test)>

7. Set a destination interface that the Connect EZ 16/32 device will send multicast packets to:
a. Use the ? to determine available interfaces:
b. Set the interface. For example:

(config service multicast test)> add interface end /network/interface/eth1
(config service multicast test)>

c. Repeat for each additional destination interface.


8. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

9. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Ethernet network bonding


The Connect EZ 16/32 device supports bonding mode for the Ethernet network. This allows you to
configure the device so that Ethernet ports share one IP address. When both ports are being used,
they act as one Ethernet network port.

Required configuration items


n Enable Ethernet bonding.
n The mode, either:
l Active-backup. Provides fault tolerance.
l Round-robin. Provides load balancing as well as fault tolerance.
n The Ethernet devices in the bonded pool.
n Create a new network interface for the bonded Ethernet devices, and disable any interfaces
associated with those Ethernet devices.

 Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Network > Ethernet bonding.

4. For Add Bond device, click 

The bond device is enabled by default. To disable, toggle off Enable.


5. For Mode, select either:
n Active-backup: Transmits data on only one of the bonded devices at a time. When the
active device fails, the next available device in the list is chosen. This mode provides for
fault tolerance.
n Round-robin: Alternates between bonded devices to provide load balancing as well as
fault tolerance.
6. Click to expand Devices.
7. Add Ethernet devices:
a. For Add device, click .

b. For Device, select an Ethernet device to participate in the bond pool.


c. Repeat for each appropriate Ethernet device.

8. Create a new network interface that is linked to the Ethernet bond:


a. Click Network > Interface.
b. For Add Interface, type a name for the interface and click .

c. For Device, select the Ethernet bond created above:

d. Complete the rest of the interface configuration. See Configure a Wide Area Network (WAN)
or Configure a Local Area Network (LAN) for further information.
e. Disable any other interfaces associated with the devices that were added to the Ethernet
bond.
For example, if ETH1 and ETH2 were added to the Ethernet bond, disable the ETH1 and
ETH2 interfaces:

In some cases, the device may be a part of a bridge, in which case you should remove the
device from the bridge.
See Configure a bridge for more information.
9. Click Apply to save the configuration and apply the change.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Add a network bond:

(config)> add network bond name


(config network bond name)>

For example, to create an Ethernet bond named eth_bond:

(config)> add network bond eth_bond


(config network bond eth_bond)>

4. The new network bond is enabled by default. To disable:

(config network bond eth_bond)> enable false


(config network bond eth_bond)>

5. Set the mode:

(config network bond eth_bond)> mode value


(config network bond eth_bond)>

where value is either:


n active-backup: Transmits data on only one of the bonded devices at a time. When the
active device fails, the next available device in the list is chosen. This mode provides for
fault tolerance.
n round-robin: Alternates between bonded devices to provide load balancing as well as
fault tolerance.
6. Add Ethernet devices:
a. Use the ? to determine available devices:

(config network bond eth_bond)> ... network device ?

Additional Configuration
----------------------------------------------------------------------------

loopback

(config network bond eth_bond)>

b. Add a device:

(config network bond eth_bond)> add device /network/device/


(config network bond eth_bond)>

c. Repeat to add additional devices.


7. Create a new network interface that is linked to the Ethernet bond:
a. Type ... to return to the root of the configuration:

(config network bond eth_bond)> ...


(config)>

b. Create a new interface, for example:

(config)> add network interface eth_bond_interface


(config network interface eth_bond_interface)>


c. For device, select the Ethernet bond created above:

(config network interface eth_bond_interface)> device /network/bond/eth_bond
(config network interface eth_bond_interface)>

d. Complete the rest of the interface configuration. See Configure a Wide Area Network (WAN)
or Configure a Local Area Network (LAN) for further information.
8. Disable any other interfaces associated with the devices that were added to the Ethernet bond.
For example, if ETH1 and ETH2 were added to the Ethernet bond, and they are used by the
ETH1 and ETH2 interfaces:
a. Type ... to return to the root of the configuration:

(config network interface eth_bond_interface)> ...


(config)>

b. Disable the interfaces:

(config)> network interface eth1 enable false


(config)> network interface eth2 enable false
(config)>

In some cases, the device may be a part of a bridge, in which case you should remove the
device from the bridge.
See Configure a bridge for more information.
9. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

10. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Enable service discovery (mDNS)


Multicast DNS (mDNS) is a protocol that resolves host names in small networks that do not have a DNS
server. You can enable the Connect EZ 16/32 device to use mDNS.

Note This feature is enabled by default.

 Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:


a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Services > Service Discovery (mDNS).
4. The mDNS service is enabled by default. To disable, click to toggle off Enable.
5. Click Access control list to configure access control:
n To limit access to specified IPv4 addresses and networks:
a. Click IPv4 Addresses.
b. For Add Address, click .
c. For Address, enter the IPv4 address or network that can access the device's mDNS
service. Allowed values are:
l A single IP address or host name.
l A network designation in CIDR notation, for example, 192.168.1.0/24.
l any: No limit to IPv4 addresses that can access the mDNS service.
d. Click  again to list additional IP addresses or networks.
n To limit access to specified IPv6 addresses and networks:
a. Click IPv6 Addresses.
b. For Add Address, click .
c. For Address, enter the IPv6 address or network that can access the device's mDNS
service. Allowed values are:
l A single IP address or host name.
l A network designation in CIDR notation, for example, 2001:db8::/48.
l any: No limit to IPv6 addresses that can access the mDNS service.
d. Click  again to list additional IP addresses or networks.
n To limit access to hosts connected through a specified interface on the device:
a. Click Interfaces.
b. For Add Interface, click .
c. For Interface, select the appropriate interface from the dropdown.
d. Click  again to allow access through additional interfaces.


n To limit access based on firewall zones:


a. Click Zones. By default, there are three firewall zones already configured: Internal,
Edge, and IPsec.
b. For Add Zone, click .
c. For Zone, select the appropriate firewall zone from the dropdown.
See Firewall configuration for information about firewall zones.
d. Click  again to allow access through additional firewall zones.
6. Click Apply to save the configuration and apply the change.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. The mDNS service is enabled by default. To disable:

(config)> service mdns enable false


(config)>

4. Configure access control:


n To limit access to specified IPv4 addresses and networks:

(config)> add service mdns acl address end value


(config)>

Where value can be:


l A single IP address or host name.
l A network designation in CIDR notation, for example, 192.168.1.0/24.
l any: No limit to IPv4 addresses that can access the mDNS service.
Repeat this step to list additional IP addresses or networks.
n To limit access to specified IPv6 addresses and networks:

(config)> add service mdns acl address6 end value


(config)>

Where value can be:


l A single IP address or host name.
l A network designation in CIDR notation, for example, 2001:db8::/48.
l any: No limit to IPv6 addresses that can access the mDNS service.
Repeat this step to list additional IP addresses or networks.
n To limit access to hosts connected through a specified interface on the Connect EZ
16/32 device:


(config)> add service mdns acl interface end value


(config)>

Where value is an interface defined on your device.

Display a list of available interfaces:


Use ... network interface ? to display interface information:

Repeat this step to list additional interfaces.


n To limit access based on firewall zones:

(config)> add service mdns acl zone end value


(config)>

Where value is a firewall zone defined on your device, or the any keyword.

Display a list of available firewall zones:


Type ... firewall zone ? at the config prompt:

(config)> ... firewall zone ?

Zones: A list of groups of network interfaces that can be referred to by packet
filtering rules and access control lists.

Additional Configuration
-------------------------------------------------------------------------------
any
dynamic_routes
edge
external
internal
ipsec
loopback
setup

(config)>

Repeat this step to include additional firewall zones.


5. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

6. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.


Use the iPerf service


Your Connect EZ 16/32 device includes an iPerf3 server that you can use to test the performance of
your network.
iPerf3 is a command-line tool that measures the maximum network throughput an interface can
handle. This is useful when diagnosing network speed issues, to determine, for example, whether a
cellular connection is providing expected throughput.
The Connect EZ 16/32 implementation of iPerf3 supports testing with both TCP and UDP.

Note Using iPerf clients that are at a version earlier than iPerf3 to connect to the Connect EZ 16/32
device's iPerf3 server may result in unpredictable results. As a result, Digi recommends using an iPerf
client at version 3 or newer to connect to the Connect EZ 16/32 device's iPerf3 server.

Required configuration items


n Enable the iPerf server on the Connect EZ 16/32 device.
n An iPerf3 client installed on a remote host. iPerf3 software can be downloaded at
https://iperf.fr/iperf-download.php.

Additional configuration items


n The port that the Connect EZ 16/32 device's iPerf server will use to listen for incoming
connections.
n The access control list for the iPerf server.
When the iPerf server is enabled, the Connect EZ 16/32 device will automatically configure its
firewall rules to allow incoming connections on the configured listening port. You can restrict
access by configuring the access control list for the iPerf server.

To enable the iPerf3 server:

 Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Services > iPerf.
4. Click Enable.
5. (Optional) For IPerf Server Port, type the appropriate port number for the iPerf server
listening port.
6. (Optional) Click to expand Access control list to restrict access to the iPerf server:
n To limit access to specified IPv4 addresses and networks:
a. Click IPv4 Addresses.
b. For Add Address, click .
c. For Address, enter the IPv4 address or network that can access the device's iperf
service. Allowed values are:
l A single IP address or host name.
l A network designation in CIDR notation, for example, 192.168.1.0/24.
l any: No limit to IPv4 addresses that can access the iperf service.
d. Click  again to list additional IP addresses or networks.
n To limit access to specified IPv6 addresses and networks:
a. Click IPv6 Addresses.
b. For Add Address, click .
c. For Address, enter the IPv6 address or network that can access the device's iperf
service. Allowed values are:
l A single IP address or host name.
l A network designation in CIDR notation, for example, 2001:db8::/48.
l any: No limit to IPv6 addresses that can access the iperf service.
d. Click  again to list additional IP addresses or networks.
n To limit access to hosts connected through a specified interface on the device:
a. Click Interfaces.
b. For Add Interface, click .
c. For Interface, select the appropriate interface from the dropdown.
d. Click  again to allow access through additional interfaces.
n To limit access based on firewall zones:
a. Click Zones. By default, there are three firewall zones already configured: Internal,
Edge, and IPsec.
b. For Add Zone, click .
c. For Zone, select the appropriate firewall zone from the dropdown.
See Firewall configuration for information about firewall zones.
d. Click  again to allow access through additional firewall zones.


7. Click Apply to save the configuration and apply the change.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Enable the iPerf server:

(config)> service iperf enable true


(config)>

4. (Optional) Set the port number for the iPerf server listening port. The default is 5201.

(config)> service iperf port port_number


(config)>

5. (Optional) Set the access control list to restrict access to the iPerf server:
n To limit access to specified IPv4 addresses and networks:

(config)> add service iperf acl address end value


(config)>

Where value can be:


l A single IP address or host name.
l A network designation in CIDR notation, for example, 192.168.1.0/24.
l any: No limit to IPv4 addresses that can access the iperf service.
Repeat this step to list additional IP addresses or networks.
n To limit access to specified IPv6 addresses and networks:

(config)> add service iperf acl address6 end value


(config)>

Where value can be:


l A single IP address or host name.
l A network designation in CIDR notation, for example, 2001:db8::/48.
l any: No limit to IPv6 addresses that can access the iperf service.
Repeat this step to list additional IP addresses or networks.
n To limit access to hosts connected through a specified interface on the Connect EZ
16/32 device:

(config)> add service iperf acl interface end value


(config)>


Where value is an interface defined on your device.

Display a list of available interfaces:


Use ... network interface ? to display interface information:

Repeat this step to list additional interfaces.


n To limit access based on firewall zones:

(config)> add service iperf acl zone end value


(config)>

Where value is a firewall zone defined on your device, or the any keyword.

Display a list of available firewall zones:


Type ... firewall zone ? at the config prompt:

(config)> ... firewall zone ?

Zones: A list of groups of network interfaces that can be referred to by packet
filtering rules and access control lists.

Additional Configuration
-------------------------------------------------------------------------------
any
dynamic_routes
edge
external
internal
ipsec
loopback
setup

(config)>

Repeat this step to include additional firewall zones.


6. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

7. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
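The access control commands above share one shape across the services in this chapter, so a planned change can be reviewed before it is typed into the Admin CLI. The following is an added example, not Digi code: it lints a block of config-mode commands for ACL entries that leave a service unrestricted. The sample commands are constructed, and treating the any and external zones as broad is an assumption of this example.

```python
import ipaddress
import re

# ACL command shape used throughout this chapter:
#   add service <name> acl <address|address6|interface|zone> end <value>
ACL_RE = re.compile(
    r"^(?:\(config\)>\s*)?add\s+service\s+(\S+)\s+acl\s+"
    r"(address|address6|interface|zone)\s+end\s+(\S+)$"
)
ENABLE_RE = re.compile(r"^(?:\(config\)>\s*)?service\s+(\S+)\s+enable\s+true$")

# Assumption of this example, not a statement from the guide:
# these are the zone names a reviewer wants called out.
BROAD_ZONES = {"any", "external"}


def check_address(service, kind, value):
    """Classify one address/address6 ACL value as a list of findings."""
    if value == "any":
        return [("warn", service, kind + " ACL 'any' places no limit on source addresses")]
    want = 4 if kind == "address" else 6
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        # The guide also allows host names; they cannot be checked offline.
        return [("info", service, "'%s' is not an IP literal; treated as a host name" % value)]
    if net.version != want:
        return [("error", service,
                 "'%s' is IPv%d but was added to the %s list" % (value, net.version, kind))]
    if net.prefixlen == 0:
        return [("warn", service, "'%s' covers every IPv%d address" % (value, want))]
    if "/" in value and ipaddress.ip_interface(value).ip != net.network_address:
        return [("info", service, "'%s' has host bits set; network is %s" % (value, net))]
    return []


def lint_commands(text):
    """Return (severity, service, message) findings for config-mode commands."""
    findings, enabled, has_acl = [], [], set()
    for raw in text.splitlines():
        line = raw.strip()
        m = ENABLE_RE.match(line)
        if m:
            enabled.append(m.group(1))
            continue
        m = ACL_RE.match(line)
        if not m:
            continue
        service, kind, value = m.groups()
        has_acl.add(service)
        if kind in ("address", "address6"):
            findings += check_address(service, kind, value)
        elif kind == "zone" and value in BROAD_ZONES:
            findings.append(("warn", service, "zone ACL '%s' admits a broad zone" % value))
    # A service switched on without any ACL line relies on whatever ACL already exists.
    for service in enabled:
        if service not in has_acl:
            findings.append(("info", service,
                             "enabled with no ACL entry in this change; review the existing ACL"))
    return findings


# Constructed sample change, written in the command syntax shown in this chapter.
SAMPLE = """\
(config)> service iperf enable true
(config)> add service iperf acl address end 192.168.1.0/24
(config)> add service iperf acl address end 2001:db8::/48
(config)> add service iperf acl zone end external
(config)> add service mdns acl address6 end any
(config)> add service mdns acl address end 0.0.0.0/0
(config)> add service mdns acl interface end eth1
(config)> service anywhereusb enable true
"""

if __name__ == "__main__":
    for severity, service, message in lint_commands(SAMPLE):
        print("%-5s %-12s %s" % (severity, service, message))
```
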

Example performance test using iPerf3


On a remote host with iPerf3 installed, enter the following command:

$ iperf3 -c device_ip


where device_ip is the IP address of the Connect EZ 16/32 device. For example:

$ iperf3 -c 192.168.2.1
Connecting to host 192.168.2.1, port 5201
[ 4] local 192.168.3.100 port 54934 connected to 192.168.1.1 port 5201
[ ID] Interval Transfer Bandwidth Retr Cwnd
[ 4] 0.00-1.00 sec 26.7 MBytes 224 Mbits/sec 8 2.68 MBytes
[ 4] 1.00-2.00 sec 28.4 MBytes 238 Mbits/sec 29 1.39 MBytes
[ 4] 2.00-3.00 sec 29.8 MBytes 250 Mbits/sec 0 1.46 MBytes
[ 4] 3.00-4.00 sec 31.2 MBytes 262 Mbits/sec 0 1.52 MBytes
[ 4] 4.00-5.00 sec 32.1 MBytes 269 Mbits/sec 0 1.56 MBytes
[ 4] 5.00-6.00 sec 32.5 MBytes 273 Mbits/sec 0 1.58 MBytes
[ 4] 6.00-7.00 sec 33.9 MBytes 284 Mbits/sec 0 1.60 MBytes
[ 4] 7.00-8.00 sec 33.7 MBytes 282 Mbits/sec 0 1.60 MBytes
[ 4] 8.00-9.00 sec 33.5 MBytes 281 Mbits/sec 0 1.60 MBytes
[ 4] 9.00-10.00 sec 33.2 MBytes 279 Mbits/sec 0 1.60 MBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth Retr
[ 4] 0.00-10.00 sec 315 MBytes 264 Mbits/sec 37 sender
[ 4] 0.00-10.00 sec 313 MBytes 262 Mbits/sec receiver

iperf Done.
$

Configure the ping responder service


Your Connect EZ 16/32 device's ping responder service replies to ICMP and ICMPv6 echo requests. The
service is enabled by default. You can disable the service, or you can configure the service to use an
access control list to limit the service to specified IP addresses, interfaces, and/or zones.
To enable the iPerf3 server:

 Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.


The Configuration window is displayed.


3. Click Services > Ping responder.
The ping responder service is enabled by default. Click Enable to disable all ping responses.
4. Click to expand Access control list to restrict ping responses to specified IP addresses,
interfaces, and/or zones:
n To limit access to specified IPv4 addresses and networks:
a. Click IPv4 Addresses.
b. For Add Address, click .
c. For Address, enter the IPv4 address or network that can access the device's ping
responder. Allowed values are:
l A single IP address or host name.
l A network designation in CIDR notation, for example, 192.168.1.0/24.
l any: No limit to IPv4 addresses that can access the ping responder.
d. Click  again to list additional IP addresses or networks.
n To limit access to specified IPv6 addresses and networks:
a. Click IPv6 Addresses.
b. For Add Address, click .
c. For Address, enter the IPv6 address or network that can access the device's ping
responder. Allowed values are:
l A single IP address or host name.
l A network designation in CIDR notation, for example, 2001:db8::/48.
l any: No limit to IPv6 addresses that can access the ping responder.
d. Click  again to list additional IP addresses or networks.
n To limit access to hosts connected through a specified interface on the device:
a. Click Interfaces.
b. For Add Interface, click .
c. For Interface, select the appropriate interface from the dropdown.
d. Click  again to allow access through additional interfaces.
n To limit access based on firewall zones:
a. Click Zones. By default, there are three firewall zones already configured: Internal,
Edge, and IPsec.
b. For Add Zone, click .
c. For Zone, select the appropriate firewall zone from the dropdown.
See Firewall configuration for information about firewall zones.
d. Click  again to allow access through additional firewall zones.
5. Click Apply to save the configuration and apply the change.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Enable the iPerf server:

(config)> service iperf enable true


(config)>

4. (Optional) Set the port number for the iPerf server listening port. The default is 5201.

(config)> service iperf port port_number


(config)>

5. (Optional) Set the access control list to restrict access to the iPerf server:
n To limit access to specified IPv4 addresses and networks:

(config)> add service iperf acl address end value


(config)>

Where value can be:


l A single IP address or host name.
l A network designation in CIDR notation, for example, 192.168.1.0/24.
l any: No limit to IPv4 addresses that can access the iperf service.
Repeat this step to list additional IP addresses or networks.
n To limit access to specified IPv6 addresses and networks:

(config)> add service iperf acl address6 end value


(config)>

Where value can be:


l A single IP address or host name.
l A network designation in CIDR notation, for example, 2001:db8::/48.
l any: No limit to IPv6 addresses that can access the iperf service.
Repeat this step to list additional IP addresses or networks.
n To limit access to hosts connected through a specified interface on the Connect EZ
16/32 device:

(config)> add service iperf acl interface end value


(config)>

Where value is an interface defined on your device.

Display a list of available interfaces:


Use ... network interface ? to display interface information:

Repeat this step to list additional interfaces.


n To limit access based on firewall zones:

(config)> add service iperf acl zone end value


(config)>

Where value is a firewall zone defined on your device, or the any keyword.

Display a list of available firewall zones:


Type ... firewall zone ? at the config prompt:

(config)> ... firewall zone ?

Zones: A list of groups of network interfaces that can be referred to by packet
filtering rules and access control lists.

Additional Configuration
-------------------------------------------------------------------------------
any
dynamic_routes
edge
external
internal
ipsec
loopback
setup

(config)>

Repeat this step to include additional firewall zones.


6. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

7. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Example performance test using iPerf3


On a remote host with iPerf3 installed, enter the following command:

$ iperf3 -c device_ip

where device_ip is the IP address of the Connect EZ 16/32 device. For example:

$ iperf3 -c 192.168.2.1
Connecting to host 192.168.2.1, port 5201
[ 4] local 192.168.3.100 port 54934 connected to 192.168.1.1 port 5201
[ ID] Interval Transfer Bandwidth Retr Cwnd
[ 4] 0.00-1.00 sec 26.7 MBytes 224 Mbits/sec 8 2.68 MBytes
[ 4] 1.00-2.00 sec 28.4 MBytes 238 Mbits/sec 29 1.39 MBytes
[ 4] 2.00-3.00 sec 29.8 MBytes 250 Mbits/sec 0 1.46 MBytes
[ 4] 3.00-4.00 sec 31.2 MBytes 262 Mbits/sec 0 1.52 MBytes
[ 4] 4.00-5.00 sec 32.1 MBytes 269 Mbits/sec 0 1.56 MBytes
[ 4] 5.00-6.00 sec 32.5 MBytes 273 Mbits/sec 0 1.58 MBytes
[ 4] 6.00-7.00 sec 33.9 MBytes 284 Mbits/sec 0 1.60 MBytes
[ 4] 7.00-8.00 sec 33.7 MBytes 282 Mbits/sec 0 1.60 MBytes
[ 4] 8.00-9.00 sec 33.5 MBytes 281 Mbits/sec 0 1.60 MBytes
[ 4] 9.00-10.00 sec 33.2 MBytes 279 Mbits/sec 0 1.60 MBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth Retr
[ 4] 0.00-10.00 sec 315 MBytes 264 Mbits/sec 37 sender
[ 4] 0.00-10.00 sec 313 MBytes 262 Mbits/sec receiver

iperf Done.
$

Configure AnywhereUSB services


The AnywhereUSB services include enabling the service, creating an access control list, enabling
mDNS discovery, specifying keepalive intervals, and loading an SSL identity certificate.

Note You can also configure the minimum TLS version in the AnywhereUSB Manager. See Configure
the minimum TLS version.

To configure the AnywhereUSB services:

 Web
1. Log into the local Web UI as a user with full Admin access rights.
2. Access the device configuration:
a. In the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Services > AnywhereUSB.
4. Click Enable to enable the service.
5. In the Port field, enter the port number that is used to access the Hub. The default value is
18574. If you change the port number you must also change the corresponding port number on
your computer.

Note You can also enable the AnywhereUSB service and specify the port on the AnywhereUSB
Configuration page. To display this page, click System > Configuration > AnywhereUSB
Configuration. See AnywhereUSB Configuration page.


6. Click Access control list to configure access control:


n To limit access to specified IPv4 addresses and networks:
a. Click IPv4 Addresses.
b. For Add Address, click .
c. For Address, enter the IPv4 address or network that can access the device's
AnywhereUSB. Allowed values are:
l A single IP address or host name.
l A network designation in CIDR notation, for example, 192.168.1.0/24.
l any: No limit to IPv4 addresses that can access the AnywhereUSB.
d. Click  again to list additional IP addresses or networks.
n To limit access to specified IPv6 addresses and networks:
a. Click IPv6 Addresses.
b. For Add Address, click .
c. For Address, enter the IPv6 address or network that can access the device's
AnywhereUSB. Allowed values are:
l A single IP address or host name.
l A network designation in CIDR notation, for example, 2001:db8::/48.
l any: No limit to IPv6 addresses that can access the AnywhereUSB.
d. Click  again to list additional IP addresses or networks.
n To limit access to hosts connected through a specified interface on the device:
a. Click Interfaces.
b. For Add Interface, click .
c. For Interface, select the appropriate interface from the dropdown.
d. Click  again to allow access through additional interfaces.
n To limit access based on firewall zones:
a. Click Zones. By default, there are three firewall zones already configured: Internal,
Edge, and IPsec.
b. For Add Zone, click .
c. For Zone, select the appropriate firewall zone from the dropdown.
See Firewall configuration for information about firewall zones.
d. Click  again to allow access through additional firewall zones.
7. Enable mDNS to add the AnywhereUSB protocol to the list of services which may be
discovered by global mDNS. See Enable service discovery (mDNS).
8. For Minimum TLS version, select the minimum TLS version that the AnywhereUSB service will
accept. The default is TLS version 1.2.
9. In the Keep-alive interval field, enter how often the AnywhereUSB Manager sends a
keepalive request to the Hubs connected to the network. This impacts network utilization
because each AnywhereUSB Manager will send one packet at this interval to each Hub to
which it is connected. Default is 3 seconds. The minimum value is 1 second.
10. In the Keep-alive timeout field, enter how long the AnywhereUSB Manager should wait for a
keepalive response. When the value of the response time is reached, the Manager decides that
a Hub is no longer available, and the computer is disconnected from all groups and devices on
that Hub. The default value is 20 seconds. The minimum value is 15 seconds.
n The keepalive timeout value would need to be longer if the network has more latency
(such as a cellular or satellite link), or an internet link with unreliable packet delivery.
n If the value is too short, devices will be disconnected, which may have an adverse effect
on some devices, such as USB memory.
n If the value is too long, Hubs that are removed from the network will not be noticed as
gone for a long time, and devices that are no longer connected will be unresponsive for
a long time.
11. (Optional) For TLS identity certificate, paste an SSL certificate and private key in PEM format.
For detailed instructions about loading an SSL certificate for AnywhereUSB, see Load an SSL
certificate.

Note If the TLS identity certificate is empty, the certificate for the web administration service
is used.

12. Click Apply to save the configuration and apply the change.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Enable the AnywhereUSB service.

(config)> service anywhereusb enable true


(config)>

4. Set the port number that is used to access the Hub:

(config)> service anywhereusb port int


(config)>

where int is any integer between 1 and 65535. The default value is 18574. If you change the
port number you must also change the corresponding port number on your computer.
5. Configure access control:
n To limit access to specified IPv4 addresses and networks:

(config)> add service anywhereusb acl address end value


(config)>

Where value can be:

l A single IP address or host name.
l A network designation in CIDR notation, for example, 192.168.1.0/24.
l any: No limit to IPv4 addresses that can access the AnywhereUSB.
Repeat this step to list additional IP addresses or networks.
n To limit access to specified IPv6 addresses and networks:

(config)> add service anywhereusb acl address6 end value


(config)>

Where value can be:


l A single IP address or host name.
l A network designation in CIDR notation, for example, 2001:db8::/48.
l any: No limit to IPv6 addresses that can access the AnywhereUSB.
Repeat this step to list additional IP addresses or networks.
n To limit access to hosts connected through a specified interface on the Connect EZ
16/32 device:

(config)> add service anywhereusb acl interface end value


(config)>

Where value is an interface defined on your device.

Display a list of available interfaces:


Use ... network interface ? to display interface information:

Repeat this step to list additional interfaces.


n To limit access based on firewall zones:

(config)> add service anywhereusb acl zone end value


(config)>

Where value is a firewall zone defined on your device, or the any keyword.

Display a list of available firewall zones:


Type ... firewall zone ? at the config prompt:

(config)> ... firewall zone ?

Zones: A list of groups of network interfaces that can be referred to by packet
filtering rules and access control lists.

Additional Configuration
-------------------------------------------------------------------------------
any
dynamic_routes
edge
external
internal
ipsec
loopback
setup

(config)>

Repeat this step to include additional firewall zones.


6. Enable mDNS to add AnywhereUSB protocol to the list of services which may be discovered by
global mDNS. See Enable service discovery (mDNS).

(config)> service anywhereusb mdns enable true


(config)>

7. Select the minimum TLS version that the AnywhereUSB service will accept.

(config)> service anywhereusb minimum_tls_version value


(config)>

where value is one of:


n TLS-1_2. This is the default.
n TLS-1_3
8. Set the keep-alive interval to how often the AnywhereUSB Manager sends a keepalive request
to the Hubs connected to the network. This impacts network utilization because each
AnywhereUSB Manager will send one packet at this interval to each Hub to which it is
connected. Default is 3 seconds. The minimum value is 1 second.

(config)> service anywhereusb keep_alive_interval value


(config)>

where value is any number of weeks, days, hours, minutes, or seconds, and takes the format
number{w|d|h|m|s}.
For example, to set keep_alive_interval to ten minutes, enter either 10m or 600s:

(config)> service anywhereusb keep_alive_interval 600s


(config)>

9. Set the keep-alive timeout to how long the AnywhereUSB Manager should wait for a
keepalive response. When the value of the response time is reached, the Manager decides that
a Hub is no longer available, and the computer is disconnected from all groups and devices on
that Hub. The default value is 20 seconds. The minimum value is 15 seconds.

(config)> service anywhereusb keep_alive_timeout value


(config)>

where value is any number of weeks, days, hours, minutes, or seconds, and takes the format
number{w|d|h|m|s}.
For example, to set keep_alive_timeout to ten minutes, enter either 10m or 600s:


(config)> service anywhereusb keep_alive_timeout 600s


(config)>

10. (Optional) Paste an SSL certificate and private key in PEM format. If empty, the certificate for
the web administration service is used.

(config)> service anywhereusb identity cert


(config)>

11. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

12. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Applications
The Connect EZ 16/32 supports Python 3.6 and provides you with the ability to run Python
applications on the device interactively or from a file. You can also specify Python applications and
other scripts to be run each time the device system restarts, at specific intervals, or at a specified
time.
This chapter contains the following topics:

Develop Python applications
Set up the Connect EZ 16/32 to automatically run your applications
Start an interactive Python session
Run a Python application at the shell prompt
Configure scripts to run manually
Start a manual script

Develop Python applications


The Connect EZ 16/32 features a standard Python 3.6 distribution. Python is a dynamic, object-
oriented language for developing software applications, from simple programs to complex embedded
applications. Digi offers the Digi IoT PyCharm Plugin to help you while writing, building, and testing
your application. See Create and test a Python application.
In addition to the standard Python library, the Connect EZ 16/32 includes a set of extensions to access
its configuration and interfaces. See Python modules.
The Connect EZ 16/32 provides you with the ability to:
- Run Python applications on the device interactively or from a file.
- Specify Python applications and other scripts to be run each time the device system restarts,
at specific intervals, or at a specified time. See Configure scripts to run automatically.
- Use pip to install Python packages.

Note Although pip is provided to help facilitate the installation of Python packages, there are
limitations in Python package support due to package dependencies, storage limitations, and
other issues.

This section contains the following topics:

Set up the Connect EZ 16/32 for Python development
Create and test a Python application
Python modules

Set up the Connect EZ 16/32 for Python development


1. Access the Connect EZ 16/32 local web interface
a. Use an Ethernet cable to connect the Connect EZ 16/32 to your local laptop or PC.
The factory Setup IP address is 192.168.2.1
b. Log into the Connect EZ 16/32 WebUI as a user with full admin access rights.
The default user name is admin and the default password is the unique password printed
on the label packaged with your device.
2. Go to the Configuration window
a. On the menu, click System.
b. Under Configuration, click Device Configuration. The Configuration window displays.
3. Enable service discovery (mDNS)
a. Click Services > Service Discovery (mDNS).
b. Enable the mDNS service.

Note For more information, see Enable service discovery (mDNS).

4. Configure SSH access


a. Click Services > SSH.
b. Click Enable.

Note For more information, see the following topics: Configure SSH access, Use SSH with key
authentication, and Allow remote access for web administration and SSH.

5. Enable shell access


a. Click Authentication > Groups > admin.
b. Click the Interactive shell access option.
c. If this option is not displayed, see Disable shell access.
6. Click Apply to save the configuration and apply the changes.
The Apply button is located at the top of the WebUI page. You may need to scroll to the top of
the page to locate it.

Create and test a Python application


To develop a Python application for the Connect EZ 16/32:

1. Set up the Connect EZ 16/32 for Python development.


2. Create and test your application with:
- PyCharm. You can create, build, and remotely launch your application in the Connect EZ 16/32.
- Your preferred editor and manually transfer the application, install dependencies, and launch
in the Connect EZ 16/32.

Develop an application in PyCharm


The Digi IoT PyCharm Plugin allows you to write, build and run Python applications for Digi devices in
a quick and easy way. See the Digi XBee PyCharm IDE Plugin User Guide for details.
This is what you can do with it:
- Create Python projects from scratch or import one of the available examples.
- Get help while you write your code thanks to the syntax highlight, quick documentation, and
code completion features.
- Build and upload Python applications to your Digi device with just one click.
- Add libraries that facilitate the usage of external peripherals or non-standard APIs.
- Communicate with your Digi device through the integrated SSH console to see the application
output or execute quick tests.

Manually install and launch an application


To create, build, and launch your application:

1. Write your Python application code. Code can include:


- Any Python 3.6 standard feature.
- Access to the Connect EZ 16/32 configuration and hardware with the Python modules.
- Third-party modules included in the Connect EZ 16/32, for example:
  - pySerial 3.4
  - Eclipse Paho MQTT Python Client
- Any other third-party module implemented in Python.
2. Install the application in the /etc/config/scripts directory.
3. Launch your application:
- Run your application at the shell prompt.
- Configure your application to run automatically.

PyCharm FAQ: My Connect EZ 16/32 is not listed in Digi Device Selector


If a Connect EZ 16/32 does not appear on the list of the Digi Device Selector:
- Ensure that your device has the mDNS service enabled and is on the same network as the
computer. See Set up the Connect EZ 16/32 for Python development.
- Or click the link Click here to add it manually to specify the IP address, port, username, and
password.

Example: Configure a custom port to listen for incoming socket connections


The following example Python script configures a custom port, port 9999, to accept incoming socket
connections.
You will also need to add a custom firewall rule to accept the incoming traffic on this port.

Example script

import socket
import socketserver

class MyTCPHandler(socketserver.BaseRequestHandler):
    """
    The request handler class for our server.

    It is instantiated once per connection to the server, and must
    override the handle() method to implement communication to the
    client.
    """

    def handle(self):
        # self.request is the TCP socket connected to the client
        self.data = self.request.recv(1024).strip()
        print("{} wrote:".format(self.client_address[0]))
        print(self.data)
        # just send back the same data, but upper-cased
        self.request.sendall(self.data.upper())

if __name__ == "__main__":
    HOST, PORT = '', 9999

    # Create the server, binding to all interfaces on port 9999
    with socketserver.TCPServer((HOST, PORT), MyTCPHandler) as server:
        # Activate the server; this will keep running until you
        # interrupt the program with Ctrl-C
        print("Waiting for data...")
        server.serve_forever()

Create a custom firewall rule


Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Firewall > Custom rules.
4. Enable the custom rules.
5. For Rules, type the following:

iptables -I INPUT -p tcp --dport 9999 -j ACCEPT

6. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Enable custom firewall rules:

(config)> firewall custom enable true
(config)>

4. Set the shell command that will execute the custom firewall rules script:

(config)> firewall custom rules "iptables -I INPUT -p tcp --dport 9999 -j ACCEPT"
(config)>

5. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

6. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
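A hardened variant of the port 9999 listener from this example, added here as an illustration and not taken from the Digi guide: it binds to one address instead of all interfaces, serves only peers in an allowlisted subnet, and drops clients that connect and then stall. The 192.168.2.0/24 allowlist and the 192.168.2.1 bind address assume the guide's default lan1 addressing; HardenedHandler, HardenedServer, make_server and echo_once are names made up for this example.

```python
import ipaddress
import socket
import socketserver

# Assumption: clients live on the guide's default lan1 subnet.
ALLOWED_NETWORKS = [ipaddress.ip_network("192.168.2.0/24")]
MAX_REQUEST_BYTES = 1024  # same read size as the guide's example
CLIENT_TIMEOUT_S = 5.0    # assumed limit for a client that connects and stalls


def is_allowed(peer_ip, networks=ALLOWED_NETWORKS):
    """Return True if peer_ip is a valid address inside an allowed network."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


class HardenedHandler(socketserver.BaseRequestHandler):
    """Upper-case echo handler with a source check and a read timeout."""

    def handle(self):
        peer_ip = self.client_address[0]
        # Second layer behind the firewall rule: refuse unexpected sources.
        if not is_allowed(peer_ip, self.server.allowed_networks):
            print("rejected connection from {}".format(peer_ip))
            return
        self.request.settimeout(CLIENT_TIMEOUT_S)
        try:
            data = self.request.recv(MAX_REQUEST_BYTES).strip()
        except socket.timeout:
            print("{} sent nothing within {}s".format(peer_ip, CLIENT_TIMEOUT_S))
            return
        # repr() keeps control bytes sent by the client out of the console.
        print("{} wrote: {!r}".format(peer_ip, data))
        self.request.sendall(data.upper())


class HardenedServer(socketserver.ThreadingTCPServer):
    """One thread per client, so a stalled client cannot block the others."""
    allow_reuse_address = True
    daemon_threads = True


def make_server(host, port, allowed=ALLOWED_NETWORKS):
    """Build a server bound to host:port that serves only `allowed` peers."""
    server = HardenedServer((host, port), HardenedHandler)
    server.allowed_networks = list(allowed)
    return server


def echo_once(address, payload, timeout=3.0):
    """Client helper: send payload, return the reply (b'' if refused)."""
    try:
        with socket.create_connection(address, timeout=timeout) as conn:
            conn.sendall(payload)
            return conn.recv(MAX_REQUEST_BYTES)
    except ConnectionError:
        return b""


if __name__ == "__main__":
    # Assumption: 192.168.2.1 is the device's lan1 address. Binding to it,
    # instead of '' (all interfaces), keeps the listener from answering on
    # the device's other addresses.
    with make_server("192.168.2.1", 9999) as server:
        print("Waiting for data...")
        server.serve_forever()
```

The custom firewall rule can be scoped the same way with the iptables source match, for example iptables -I INPUT -p tcp -s 192.168.2.0/24 --dport 9999 -j ACCEPT.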

Python modules
The Connect EZ 16/32 supports Python 3.6 and provides you with the ability to run Python
applications on the device interactively or from a file. It also offers extensions to manage your
Connect EZ 16/32:
- The digidevice module provides platform-specific extensions that allow you to interact with
the device’s configuration and interfaces.
The following submodules are included with the digidevice module:
  - LEDs: digidevice.led
  - SMS: digidevice.sms
  - GPS: digidevice.location
  - Digi Remote Manager:
    - digidevice.datapoint
    - digidevice.device_request
    - digidevice.name
  - Device configuration: digidevice.config
  - Command line interface: digidevice.cli
  - Access runtime database: digidevice.runt
  - Set the maintenance window: digidevice.maintenance
- Use the Python serial module—pySerial—to access the serial ports.
- Eclipse Paho MQTT Python client enables applications to connect to an MQTT broker to
publish messages, and to subscribe to topics and receive published messages.

Note Module-related documentation is in the Digidevice module section.

Digidevice module
The Python digidevice module provides platform-specific extensions that allow you to interact with
the device’s configuration and interfaces. The following submodules are included with the digidevice
module:
This section contains the following topics:

Use digidevice.cli to execute CLI commands


Use the digidevice.cli Python module to issue CLI commands from Python to retrieve status and
statistical information about the device.
For example, to display the system status and statistics by using an interactive Python session, use
the show system command with the cli module:

1. Select a device in Remote Manager that is configured to allow shell access to the admin user,
and click Actions > Open Console. Alternatively, log into the Connect EZ 16/32 local command
line as a user with shell access.
Depending on your device configuration, you may be presented with an Access selection
menu. Type shell to access the device shell.
2. At the shell prompt, use the python command with no parameters to enter an interactive
Python session:

# python
Python 3.10.1 (main, Mar 30 2023, 23:47:13) [GCC 11.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>>

3. Import the cli submodule:

>>> from digidevice import cli


>>>

4. Execute a CLI command using the cli.execute(command) function. For example, to print the
system status and statistics to stdout using the show system command:

>>> response = cli.execute("show system")


>>>
>>> print (response)

Model : Digi Connect EZ 16/32


Serial Number : Connect EZ 16/32xxxxxxxxyyyyxx
SKU : Connect EZ 16/32
Hostname : Connect EZ 16/32
MAC Address : DF:DD:E2:AE:21:18

Hardware Version : 50001947-01 1P


Firmware Version : 24.9
Alt. Firmware Version : 24.9
Alt. Firmware Build Date : Fri, Jan 12, 2024 12:10:00
Bootloader Version : 19.7.23.0-15f936e0ed

Current Time : Thu, Jan 11, 2024 12:10:00 +0000


CPU : 1.4%
Uptime : 6 days, 6 hours, 21 minutes, 57 seconds
(541317s)
Temperature : 40C
Location :
Contact :

>>>

5. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit().

Help for using Python to execute Connect EZ 16/32 CLI commands


Get help executing a CLI command from Python by accessing help for cli.execute:

1. Select a device in Remote Manager that is configured to allow shell access to the admin user,
and click Actions > Open Console. Alternatively, log into the Connect EZ 16/32 local command
line as a user with shell access.
Depending on your device configuration, you may be presented with an Access selection
menu. Type shell to access the device shell.
2. At the shell prompt, use the python command with no parameters to enter an interactive
Python session:

# python
Python 3.10.1 (main, Mar 30 2023, 23:47:13) [GCC 11.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>>

3. Import the cli submodule:

>>> from digidevice import cli


>>>

4. Use the help command with cli.execute:

>>> help(cli.execute)
Help on function execute in module digidevice.cli:

execute(command, timeout=5)
Execute a CLI command with the timeout specified returning the results.
...

5. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit().

Use digidevice.datapoint to upload custom datapoints to Digi Remote Manager


Use the datapoint Python module to upload custom datapoints to Digi Remote Manager.
The following characteristics can be defined for a datapoint:
- Stream ID
- Value
- (Optional) Data type
  - integer
  - long
  - float
  - double
  - string
  - binary
- Units (optional)
- Timestamp (optional)
- Location (optional)
  - Tuple of latitude, longitude and altitude
- Description (optional)
- Quality (optional)
  - An integer describing the quality of the data point
For example, to use an interactive Python session to upload datapoints related to velocity,
temperature, and the state of the emergency door:

1. Select a device in Remote Manager that is configured to allow shell access to the admin user,
and click Actions > Open Console. Alternatively, log into the Connect EZ 16/32 local command
line as a user with shell access.
Depending on your device configuration, you may be presented with an Access selection
menu. Type shell to access the device shell.
2. At the shell prompt, use the python command with no parameters to enter an interactive
Python session:

# python
Python 3.10.1 (main, Mar 30 2023, 23:47:13) [GCC 11.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>>

3. Import the datapoint submodule and other necessary modules:

>>> from digidevice import datapoint


>>> import time
>>>

4. Upload the datapoints to Remote Manager:

>>> datapoint.upload("Velocity", 69, units="mph")
>>> datapoint.upload("Temperature", 24, geo_location=(54.409469, -1.718836, 129))
>>> datapoint.upload("Emergency_Door", "closed", timestamp=time.time())

5. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit().
You can also upload multiple datapoints:

1. Select a device in Remote Manager that is configured to allow shell access to the admin user,
and click Actions > Open Console. Alternatively, log into the Connect EZ 16/32 local command
line as a user with shell access.
Depending on your device configuration, you may be presented with an Access selection
menu. Type shell to access the device shell.
2. At the shell prompt, use the python command with no parameters to enter an interactive
Python session:

# python
Python 3.10.1 (main, Mar 30 2023, 23:47:13) [GCC 11.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>>

3. Import the datapoint submodule and other necessary modules:

>>> from digidevice import datapoint


>>> import time
>>>

4. Create datapoint objects:

>>> p1 = datapoint.DataPoint("Velocity", 69, units="mph")
>>> p2 = datapoint.DataPoint("Temperature", 24, geo_location=(54.409469, -1.718836, 129))
>>> p3 = datapoint.DataPoint("Emergency_Door", "closed", timestamp=time.time())
>>>

5. Upload the datapoints to Remote Manager:

>>> datapoint.upload_multiple([p1, p2, p3])


>>>

6. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit().
Once the datapoints have been uploaded to Remote Manager, they can be viewed via Remote
Manager or accessed using Web Services calls. See the Digi Remote Manager Programmers Guide for
more information on web services and datapoints.

Help for using Python to upload custom datapoints to Remote Manager


Get help for uploading datapoints to your Digi Remote Manager account by accessing help for
datapoint.upload and datapoint.upload_multiple:

1. Select a device in Remote Manager that is configured to allow shell access to the admin user,
and click Actions > Open Console. Alternatively, log into the Connect EZ 16/32 local command
line as a user with shell access.
Depending on your device configuration, you may be presented with an Access selection
menu. Type shell to access the device shell.
2. At the shell prompt, use the python command with no parameters to enter an interactive
Python session:

# python
Python 3.10.1 (main, Mar 30 2023, 23:47:13) [GCC 11.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>>

3. Import the datapoint submodule and other necessary modules:

>>> from digidevice import datapoint


>>>

4. Use the help command with datapoint.upload:

>>> help(datapoint.upload)
Help on function upload in module digidevice.datapoint:

upload(stream_id:str, data, *, description:str=None,
timestamp:float=None, units:str=None,
geo_location:Tuple[float, float, float]=None, quality:int=None,
data_type:digidevice.datapoint.DataType=None, timeout:float=None)
...

5. Use the help command with datapoint.upload_multiple:

>>> help(datapoint.upload_multiple)
Help on function upload_multiple in module digidevice.datapoint:

upload_multiple(datapoints:List[digidevice.datapoint.DataPoint],
timeout:float=None)
...

6. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit().

Use digidevice.config for device configuration


Use the config Python module to access and modify the device configuration.

Read the device configuration

1. Select a device in Remote Manager that is configured to allow shell access to the admin user,
and click Actions > Open Console. Alternatively, log into the Connect EZ 16/32 local command
line as a user with shell access.
Depending on your device configuration, you may be presented with an Access selection
menu. Type shell to access the device shell.
2. At the shell prompt, use the python command with no parameters to enter an interactive
Python session:

# python
Python 3.10.1 (main, Mar 30 2023, 23:47:13) [GCC 11.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>>

3. Import the config submodule:

>>> from digidevice import config


>>>

4. Use config.load() and the get() method to return the device's configuration:
a. Return the entire configuration:

>>> from pprint import pprint # use pprint vs. print to make the output easier to read
>>> cfg = config.load()
>>> pprint(cfg.dump().splitlines())

This returns the device configuration:

...
network.interface.lan1.device=/network/bridge/lan1

network.interface.lan1.enable=true
network.interface.lan1.ipv4.address=192.168.2.1/24
network.interface.lan1.ipv4.connection_monitor.attempts=3
...

b. Print a list of available interfaces:

>>> cfg = config.load()


>>> interfaces = cfg.get("network.interface")
>>> print(interfaces.keys())

This returns the following:

['setupip', 'setuplinklocal', 'lan1', 'loopback', 'wan1', 'wwan1', 'wwan2']

c. Print the IPv4 address of the LAN interface:

>>> cfg = config.load()
>>> interfaces = cfg.get("network.interface")
>>> print(interfaces.get("lan1.ipv4.address"))

Which returns:

192.168.2.1/24

Modify the device configuration


Use the set() and commit() methods to modify the device configuration:

1. Select a device in Remote Manager that is configured to allow shell access to the admin user,
and click Actions > Open Console. Alternatively, log into the Connect EZ 16/32 local command
line as a user with shell access.
Depending on your device configuration, you may be presented with an Access selection
menu. Type shell to access the device shell.
2. At the shell prompt, use the python command with no parameters to enter an interactive
Python session:

# python
Python 3.10.1 (main, Mar 30 2023, 23:47:13) [GCC 11.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>>

3. Import the config submodule:

>>> from digidevice import config


>>>

4. Use config.load(writable=True) to enable write mode for the configuration:

>>> cfg = config.load(writable=True)


>>>

5. Use the set() method to make changes to the configuration:

>>> cfg.set("system.name", "New-Name")


>>>

6. Use the commit() method to save the changes:

>>> cfg.commit()
True
>>>

7. Use the get() method to verify the change:

>>> print(cfg.get("system.name"))
New-Name
>>>

Help for using Python to read and modify device configuration


Get help for reading and modifying the device configuration by accessing help for digidevice.config:

1. Select a device in Remote Manager that is configured to allow shell access to the admin user,
and click Actions > Open Console. Alternatively, log into the Connect EZ 16/32 local command
line as a user with shell access.
Depending on your device configuration, you may be presented with an Access selection
menu. Type shell to access the device shell.
2. At the shell prompt, use the python command with no parameters to enter an interactive
Python session:

# python
Python 3.10.1 (main, Mar 30 2023, 23:47:13) [GCC 11.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>>

3. Import the config submodule:

>>> from digidevice import config


>>>

4. Use the help command with config:

>>> help(config)
Help on module acl.config in acl:

NAME
acl.config - Python interface to ACL configuration (libconfig).
...

5. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit().

Use Python to respond to Digi Remote Manager SCI requests


The device_request Python module allows you to interact with Digi Remote Manager by using
Remote Manager's Server Command Interface (SCI), a web service that allows users to access
information and perform commands that relate to their devices.

Use Remote Manager's SCI interface to create SCI requests that are sent to your Connect EZ 16/32
device, and use the device_request module to send responses to those requests to Remote Manager.
See the Digi Remote Manager Programmers Guide for more information on SCI.

Task one: Use the device_request module on your Connect EZ 16/32 device to create a response

1. Select a device in Remote Manager that is configured to allow shell access to the admin user,
and click Actions > Open Console. Alternatively, log into the Connect EZ 16/32 local command
line as a user with shell access.
Depending on your device configuration, you may be presented with an Access selection
menu. Type shell to access the device shell.
2. At the shell prompt, use the python command with no parameters to enter an interactive
Python session:

# python
Python 3.10.1 (main, Mar 30 2023, 23:47:13) [GCC 11.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>>

3. Import the device_request module:

>>> from digidevice import device_request


>>>

4. Create a function to handle the request from Remote Manager:

>>> def handler(target, request):
...     print("received request %s for target %s" % (request, target))
...     return "OK"
...
>>>

5. Register a callback function that will be called when the device receives an SCI request from
Remote Manager:

>>> device_request.register("myTarget", handler)


>>>

Note Leave the interactive Python session active while completing task two, below. Once you have
completed task two, exit the interactive session by using Ctrl-D. You can also exit the session using
exit() or quit().

Task two: Create and send an SCI request from Digi Remote Manager
The second step in using the device_request module is to create an SCI request that Remote
Manager will forward to the device. For example, you can create an SCI request in the Remote Manager
API Explorer:

1. In Remote Manager, click Documentation > API Explorer.


2. Select the device to use as the SCI target:
a. Click SCI Targets.
b. Click Add Targets.
c. Enter or select the device ID of the device.

d. Click Add.
e. Click OK.
3. Click Examples > SCI > Data Service > Send Request.
Code similar to the following will be displayed in the HTTP message body text box:

<sci_request version="1.0">
<data_service>
<targets>
<device id="00000000-00000000-0000FFFF-A83CF6A3"/>
</targets>
<requests>
<device_request target_name="myTarget">
my payload string
</device_request>
</requests>
</data_service>
</sci_request>

Note The value of the target_name parameter in the device_request element must
correspond to the target parameter of the device_request.register function in the Python
script. In this example, the two are the same.

4. Click Send.
Once the request has been sent to the device, the handler on the device is executed.
- On the device, you will receive the following output:

>>> received request


my payload string
for target myTarget
>>>

- In Remote Manager, you will receive a response similar to the following:

<sci_reply version="1.0">
<data_service>
<device id="00000000-00000000-0000FFFF-A83CF6A3">
<requests>
<device_request target_name="myTarget" status="0">OK</device_request>
</requests>
</device>
</data_service>
</sci_reply>
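The handler in task one only prints the payload. The following added example, not from the Digi guide, shows a handler that acts on the payload while keeping it away from the CLI: the request text selects one of a fixed set of commands run through cli.execute and is never passed to the CLI itself. The keywords system and system-verbose, build_handler, MAX_REQUEST_CHARS and CLI_TIMEOUT_S are assumptions made for this illustration.

```python
# Keywords a Remote Manager request may carry, each mapped to one fixed CLI
# command. Both commands are the ones used in this guide; the keywords are
# names chosen for this example.
ALLOWED_COMMANDS = {
    "system": "show system",
    "system-verbose": "show system verbose",
}
MAX_REQUEST_CHARS = 64  # assumed cap; longer payloads are never a keyword
CLI_TIMEOUT_S = 5       # default shown by help(cli.execute)


def build_handler(execute, allowed=ALLOWED_COMMANDS):
    """Return a device_request handler that runs only allowlisted commands.

    execute is the function that runs a CLI command and returns its output
    (cli.execute on the device). The request text selects a command by
    keyword and is never passed to the CLI itself.
    """
    def handler(target, request):
        # The guide's sample output shows the payload arriving with
        # surrounding whitespace, so normalise before the lookup.
        text = request if isinstance(request, str) else ""
        keyword = text.strip().lower()
        if len(text) > MAX_REQUEST_CHARS or keyword not in allowed:
            print("refused request for target {}: {!r}".format(
                target, text[:MAX_REQUEST_CHARS]))
            return "ERROR: unsupported request"
        try:
            return execute(allowed[keyword], timeout=CLI_TIMEOUT_S)
        except Exception as exc:
            # Report the failure class only, not internal details.
            return "ERROR: command failed ({})".format(type(exc).__name__)
    return handler


def status_cb(error_code, error_description):
    # Report any error raised while handling the device request
    if error_code != 0:
        print("error handling device request: %s" % error_description)


def main():
    # These imports only resolve on the device.
    import time
    from digidevice import cli, device_request

    device_request.register("myTarget", build_handler(cli.execute),
                            status_callback=status_cb)
    while True:  # keep the process alive so the handler stays registered
        time.sleep(10)


if __name__ == "__main__":
    main()
```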

Example: Use digidevice.cli with digidevice.device_request


In this example, we will use the digidevice.cli module in conjunction with the digidevice.device_request
module to return information about multiple devices to Remote Manager.

1. Create a Python application, called showsystem.py, that uses the digidevice.cli module to
create a response containing information about the device and the device_request module to
respond with this information to a request from Remote Manager:

from digidevice import device_request
from digidevice import cli
import time

def handler(target, request):
    # Return the verbose system status as the device request response
    return cli.execute("show system verbose")

def status_cb(error_code, error_description):
    # Report any error raised while handling the device request
    if error_code != 0:
        print("error handling showSystem device request: %s" % error_description)

device_request.register("showSystem", handler, status_callback = status_cb)

# Do not let the process finish so that it handles device requests
while True:
    time.sleep(10)

2. Upload the showsystem.py application to the /etc/config/scripts directory on two or more Digi
devices. In this example, we will upload it to two devices, and use the same request in Remote
Manager to query both devices.
See Configure scripts to run automatically for information about uploading Python
applications to your device. You can also create the script on the device by using the vi
command when logged in with shell access.
3. For both devices:
a. Configure the device to automatically run the showsystem.py application on reboot, and
to restart the application if it crashes. This can be done from either the WebUI or the
command line:

Web
i. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin
access rights.
ii. Access the device configuration:

Remote Manager:
i. Locate your device as described in Use Digi Remote Manager to view and manage
your device.
ii. Click the Device ID.
iii. Click Settings.
iv. Click to expand Config.

Local Web UI:


i. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


iii. Click System > Scheduled tasks > Custom scripts.
iv. Click  to add a custom script.

v. For Label, type Show system application.


vi. For Run mode, select On boot.
vii. For Exit action, select Restart script.
viii. For Commands, type python /etc/config/scripts/showsystem.py.

ix. Click Apply to save the configuration and apply the change.

Command line
i. Select the device in Remote Manager and click Actions > Open Console, or log into
the Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access
selection menu. Type admin to access the Admin CLI.
ii. At the command line, type config to enter configuration mode:

> config
(config)>

iii. Add an application entry:

(config)> add system schedule script end


(config system schedule script 0)>

Scheduled scripts are enabled by default. To disable:

(config system schedule script 0)> enable false


(config system schedule script 0)>

iv. Provide a label for the script:

(config system schedule script 0)> label "Show system application"

v. Configure the application to run automatically when the device reboots:

(config system schedule script 0)> when boot


(config system schedule script 0)>

vi. Configure the application to restart if it crashes:

(config system schedule script 0)> exit_action restart


(config system schedule script 0)>

vii. Set the command that will execute the application:

(config system schedule script 0)> commands "python /etc/config/scripts/showsystem.py"
(config system schedule script 0)>

viii. Save the configuration and apply the change:

(config)> save
Configuration saved.
>

b. Run the showsystem.py application. You can run the application by either rebooting the
device, or by running it from the shell prompt.
- To reboot the device:
i. From the WebUI:
   i. From the main menu, click System.
   ii. Click Reboot.
ii. From the command line, at the Admin CLI prompt, type:

> reboot

- To run the application from the shell prompt:


i. Select a device in Remote Manager that is configured to allow shell access to
the admin user, and click Actions > Open Console. Alternatively, log into the
Connect EZ 16/32 local command line as a user with shell access.
Depending on your device configuration, you may be presented with an Access
selection menu. Type shell to access the device shell.
ii. Type the following at the shell prompt:

# python /etc/config/scripts/showsystem.py &


#

iii. Exit the shell:

# exit

4. In Remote Manager, click Documentation > API Explorer.


5. Select the devices to use as the SCI targets:
a. Click SCI Targets.
b. Click Add Targets.
c. Enter or select the device ID of one of the devices.
d. Click Add.
e. Enter or select the device ID of the second device and click Add.
f. Click OK.
6. Click Examples > SCI > Data Service > Send Request.
Code similar to the following will be displayed in the HTTP message body text box:

<sci_request version="1.0">
<data_service>
<targets>
<device id="00000000-00000000-0000FFFF-A83CF6A3"/>
<device id="00000000-00000000-0000FFFF-485740BC"/>
</targets>
<requests>
<device_request target_name="myTarget">
my payload string
</device_request>
</requests>
</data_service>
</sci_request>

7. For the device_request element, replace the value of target_name with showSystem. This
matches the target parameter of the device_request.register function in the showsystem.py
application.

<device_request target_name="showSystem">

8. Click Send.
You should receive a response similar to the following:

<sci_reply version="1.0">
<data_service>
<device id="00000000-00000000-0000FFFF-A83CF6A3">
<requests>
<device_request target_name="showSystem" status="0">Model : Digi Connect EZ 16/32
Serial Number : Connect EZ 16/32-000068
Hostname : Connect EZ 16/32
MAC : 00:40:D0:13:35:36

Hardware Version : 50001959-01 A


Firmware Version : 24.9
Bootloader Version : 1


Firmware Build Date : Fri, Jan 12, 2024 12:10:00


Schema Version : 461

Timezone : UTC
Current Time : Thu, Jan 11, 2024 12:10:00
CPU : 1.1
Uptime : 1 day, 21 hours, 49 minutes, 47 seconds (164987s)
Temperature : 39C

Contact : Jane Smith

Disk
----
Load Average : 0.10, 0.05, 0.00
RAM Usage : 85.176MB/250.484MB(34%)
Disk /etc/config Usage : 0.068MB/13.416MB(1%)
Disk /opt Usage : 47.724MB/5309.752MB(1%)
Disk /overlay Usage : MB/MB(%)
Disk /tmp Usage : 0.004MB/40.96MB(0%)
Disk /var Usage : 0.820MB/32.768MB(3%)</device_request>
</requests>
</device>
<device id="00000000-00000000-0000FFFF-485740BC">
<requests>
<device_request target_name="showSystem" status="0">Model : Digi Connect EZ 16/32
Serial Number : Connect EZ 16/32-000023
Hostname : Connect EZ 16/32
MAC : 00:40:D0:26:79:1C

Hardware Version : 50001959-01 A


Firmware Version : 24.9
Bootloader Version : 1
Firmware Build Date : Fri, Jan 12, 2024 12:10:00
Schema Version : 461

Timezone : UTC
Current Time : Thu, Jan 11, 2024 12:10:00
CPU : 1.1
Uptime : 4 day, 13 hours, 43 minutes, 22 seconds (395002s)
Temperature : 37C

Contact : Omar Ahmad


Disk
----
Load Average : 0.10, 0.05, 0.00
RAM Usage : 85.176MB/250.484MB(34%)
Disk /etc/config Usage : 0.068MB/13.416MB(1%)
Disk /opt Usage : 47.724MB/5309.752MB(1%)
Disk /overlay Usage : MB/MB(%)
Disk /tmp Usage : 0.004MB/40.96MB(0%)
Disk /var Usage : 0.820MB/32.768MB(3%)</device_request>
</requests>


</device>
</data_service>
</sci_reply>
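
The request and reply from steps 6 to 8 can also be built and checked in code. The following is an added example, not code from the Digi guide: it builds the request with an XML library so that device IDs and payload text are escaped rather than concatenated, then parses a reply and lists devices whose handler did not report status 0. The function names and the sample reply (including its status="1" entry) are constructed, and treating status="0" as success is an assumption based on the reply shown above.

```python
import re
import xml.etree.ElementTree as ET

# Device ID layout as shown in the request above: four groups of eight hex digits.
DEVICE_ID_RE = re.compile(r"[0-9A-F]{8}(-[0-9A-F]{8}){3}")


def build_sci_request(device_ids, target_name, payload):
    """Build a data_service sci_request for any number of target devices."""
    root = ET.Element("sci_request", version="1.0")
    service = ET.SubElement(root, "data_service")
    targets = ET.SubElement(service, "targets")
    for device_id in device_ids:
        if not DEVICE_ID_RE.fullmatch(device_id):
            raise ValueError(f"malformed device ID: {device_id!r}")
        ET.SubElement(targets, "device", id=device_id)
    requests = ET.SubElement(service, "requests")
    request = ET.SubElement(requests, "device_request", target_name=target_name)
    request.text = payload  # ElementTree escapes <, > and & on serialization
    return ET.tostring(root, encoding="unicode")


def parse_sci_reply(xml_text):
    """Return {device_id: {"target", "status", "fields"}} from an sci_reply."""
    root = ET.fromstring(xml_text)
    if root.tag != "sci_reply":
        raise ValueError(f"unexpected root element: {root.tag}")
    results = {}
    for device in root.iter("device"):
        for request in device.iter("device_request"):
            fields = {}
            # showsystem.py answers with "Name : value" lines; keep those as a dict.
            for line in (request.text or "").splitlines():
                key, sep, value = line.partition(" : ")
                if sep:
                    fields[key.strip()] = value.strip()
            results[device.get("id")] = {
                "target": request.get("target_name"),
                "status": int(request.get("status", "-1")),
                "fields": fields,
            }
    return results


def failed_devices(results):
    """Device IDs whose device_request status is not 0 (assumed to mean success)."""
    return sorted(dev for dev, res in results.items() if res["status"] != 0)


# Constructed sample reply, shortened from the one shown above.
SAMPLE_REPLY = """<sci_reply version="1.0">
  <data_service>
    <device id="00000000-00000000-0000FFFF-A83CF6A3">
      <requests>
        <device_request target_name="showSystem" status="0">Model : Digi Connect EZ 16/32
MAC : 00:40:D0:13:35:36
Firmware Version : 24.9</device_request>
      </requests>
    </device>
    <device id="00000000-00000000-0000FFFF-485740BC">
      <requests>
        <device_request target_name="showSystem" status="1">constructed failure text</device_request>
      </requests>
    </device>
  </data_service>
</sci_reply>"""

if __name__ == "__main__":
    ids = ["00000000-00000000-0000FFFF-A83CF6A3", "00000000-00000000-0000FFFF-485740BC"]
    print(build_sci_request(ids, "showSystem", "my payload string"))
    reply = parse_sci_reply(SAMPLE_REPLY)
    print("firmware:", reply[ids[0]]["fields"]["Firmware Version"])
    print("failed:", failed_devices(reply))
```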

Help for using Python to respond to Digi Remote Manager SCI requests
Get help for responding to Digi Remote Manager Server Command Interface (SCI) requests by accessing
help for digidevice.device_request:

1. Select a device in Remote Manager that is configured to allow shell access to the admin user,
and click Actions > Open Console. Alternatively, log into the Connect EZ 16/32 local command
line as a user with shell access.
Depending on your device configuration, you may be presented with an Access selection
menu. Type shell to access the device shell.
2. At the shell prompt, use the python command with no parameters to enter an interactive
Python session:

# python
Python 3.10.1 (main, Mar 30 2023, 23:47:13) [GCC 11.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>>

3. Import the device_request submodule:

>>> from digidevice import device_request


>>>

4. Use the help command with device_request:

>>> help(device_request)
Help on module digidevice.device_request in digidevice:

NAME
digidevice.device_request - APIs for registering device request handlers
...

You can also use the help command with available device_request functions:
- Use the help command with device_request.register:

>>> help(device_request.register)
Help on function register in module digidevice.device_request:

register(target:str, response_callback:Callable[[str, str], str], status_callback:Callable[[int, str], NoneType]=None, xml_encoding:str='UTF-8')
...

- Use the help command with device_request.unregister:

>>> help(device_request.unregister)
Help on function unregister in module digidevice.device_request:


unregister(target:str) -> bool


...

5. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit().

Use digidevice runtime to access the runtime database


Use the runt submodule to access and modify the device runtime database.

Read from the runtime database


Use the keys() and get() methods to read the device configuration:

1. Select a device in Remote Manager that is configured to allow shell access to the admin user,
and click Actions > Open Console. Alternatively, log into the Connect EZ 16/32 local command
line as a user with shell access.
Depending on your device configuration, you may be presented with an Access selection
menu. Type shell to access the device shell.
2. At the shell prompt, use the python command with no parameters to enter an interactive
Python session:

# python
Python 3.10.1 (main, Mar 30 2023, 23:47:13) [GCC 11.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>>

3. Import the runt submodule:

>>> from digidevice import runt


>>>

4. Use the start() method to open the runtime database:

>>> runt.start()
>>>

5. Use the keys() method to display available keys in the runtime database, and use the get()
method to print information from the runtime database:
a. Print available keys:

>>> print(runt.keys(""))

This returns available keys:

['advanced', 'drm', 'firmware', 'location', 'manufacture', 'metrics', 'mm', 'network', 'pam', 'serial', 'system']

b. Print available keys for the system key:

>>> print(runt.keys("system"))

This will return the following:


['boot_count', 'chassis', 'cpu_temp', 'cpu_usage', 'disk', 'load_avg', 'local_time', 'mac', 'mcu', 'model', 'ram', 'serial', 'uptime']

c. Use the get() method to print the device's MAC address:

>>> print(runt.get("system.mac"))

This will return the MAC address of the device.


6. Use the stop() method to close the runtime database:
7. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit().

Modify the runtime database


Use the set() method to modify the runtime database:

1. Select a device in Remote Manager that is configured to allow shell access to the admin user,
and click Actions > Open Console. Alternatively, log into the Connect EZ 16/32 local command
line as a user with shell access.
Depending on your device configuration, you may be presented with an Access selection
menu. Type shell to access the device shell.
2. At the shell prompt, use the python command with no parameters to enter an interactive
Python session:

# python
Python 3.10.1 (main, Mar 30 2023, 23:47:13) [GCC 11.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>>

3. Import the runt submodule:

>>> from digidevice import runt


>>>

4. Use the start() method to open the runtime database:

>>> runt.start()
>>>

5. Use the set() method to make changes to the runtime database:

>>> runt.set("my-variable", "my-value")


>>>

6. Use the get() method to verify the change:

>>> print(runt.get("my-variable"))
my-value
>>>

7. Close the runtime database:

>>> runt.stop()
>>>


8. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit().

Help for using Python to access the runtime database


Get help for reading and modifying the device runtime database by accessing help for
digidevice.runt:

1. Select a device in Remote Manager that is configured to allow shell access to the admin user,
and click Actions > Open Console. Alternatively, log into the Connect EZ 16/32 local command
line as a user with shell access.
Depending on your device configuration, you may be presented with an Access selection
menu. Type shell to access the device shell.
2. At the shell prompt, use the python command with no parameters to enter an interactive
Python session:

# python
Python 3.10.1 (main, Mar 30 2023, 23:47:13) [GCC 11.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>>

3. Import the runt submodule:

>>> from digidevice import runt


>>>

4. Use the help command with runt:

>>> help(runt)

Help on module acl.runt in digidevice:

NAME
acl.runt - Python interface to ACL runtime database (runtd).
...

5. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit().

Use Python to upload the device name to Digi Remote Manager


The name submodule can be used to upload a custom name for your device to Digi Remote Manager.
When you use the name submodule to upload a custom device name to Remote Manager, the
following issues apply:
- If the name is being used by another device in your Remote Manager account, the name will
  be removed from the previous device and added to the new device.
- If Remote Manager is configured to apply a profile to a device based on the device name,
  changing the name of the device may cause Remote Manager to automatically push a profile
  onto the device.
Together, these two features allow you to swap one device for another by using the name submodule
to change the device name, while guaranteeing that the new device will have the same configuration
as the previous one.


Note Because causing a profile to be automatically pushed from Remote Manager may change the
behavior of the device, including overwriting existing usernames and passwords, the name
submodule should be used with caution. As a result, support for this functionality is disabled by
default on Remote Manager.

Enable support on Digi Remote Manager for uploading custom device names

1. In Remote Manager, click API Explorer.


2. For the HTTP method, select PUT.
3. For Enter an API or select an example, type
/ws/v1/settings/inventory/AllowDeviceToSetOwnNameEnabled.
4. In the HTTP message body text box, type the following:

{
"name" : "AllowDeviceToSetOwnNameEnabled",
"value" : "true"
}

5. Click Send.

Upload a custom name

1. Select a device in Remote Manager that is configured to allow shell access to the admin user,
and click Actions > Open Console. Alternatively, log into the Connect EZ 16/32 local command
line as a user with shell access.
Depending on your device configuration, you may be presented with an Access selection
menu. Type shell to access the device shell.
2. At the shell prompt, use the python command with no parameters to enter an interactive
Python session:

# python
Python 3.10.1 (main, Mar 30 2023, 23:47:13) [GCC 11.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>>

3. Import the name submodule:

>>> from digidevice import name

4. Upload the name to Remote Manager:

>>> name.upload("my_name")

5. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit().

Help for uploading the device name to Digi Remote Manager


Get help for uploading the device name to Digi Remote Manager by accessing help for
digidevice.name:

1. Select a device in Remote Manager that is configured to allow shell access to the admin user,
and click Actions > Open Console. Alternatively, log into the Connect EZ 16/32 local command


line as a user with shell access.


Depending on your device configuration, you may be presented with an Access selection
menu. Type shell to access the device shell.
2. At the shell prompt, use the python command with no parameters to enter an interactive
Python session:

# python
Python 3.10.1 (main, Mar 30 2023, 23:47:13) [GCC 11.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>>

3. Import the name submodule:

>>> from digidevice import name


>>>

4. Use the help command with name:

>>> help(name)

Help on module digidevice.name in digidevice:

NAME
digidevice.name - API for uploading name from the device
...

5. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit().

Use Python to set the maintenance window


The maintenance Python module allows you to set the service state of a device. When the module
sets the device to out of service, this can be used as a trigger to begin maintenance activity. See
Schedule system maintenance tasks for more details.

1. Select a device in Remote Manager that is configured to allow shell access to the admin user,
and click Actions > Open Console. Alternatively, log into the Connect EZ 16/32 local command
line as a user with shell access.
Depending on your device configuration, you may be presented with an Access selection
menu. Type shell to access the device shell.
2. At the shell prompt, use the python command with no parameters to enter an interactive
Python session:

# python
Python 3.10.1 (main, Mar 30 2023, 23:47:13) [GCC 11.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>>

3. Import the maintenance module:

>>> from digidevice import maintenance


>>>


4. To determine the current service state of the device:

>>> maintenance.state()
'IN_SERVICE'
>>>

5. To set the device to out of service:

>>> maintenance.out_of_service()
>>> maintenance.state()
'OUT_OF_SERVICE'
>>>

6. To set the device to in service:

>>> maintenance.in_service()
>>> maintenance.state()
'IN_SERVICE'
>>>

Note Leave the interactive Python session active while completing task two, below. Once you have
completed task two, exit the interactive session by using Ctrl-D. You can also exit the session using
exit() or quit().

Help for the digidevice maintenance module


Get help for the digidevice maintenance module:

1. Select a device in Remote Manager that is configured to allow shell access to the admin user,
and click Actions > Open Console. Alternatively, log into the Connect EZ 16/32 local command
line as a user with shell access.
Depending on your device configuration, you may be presented with an Access selection
menu. Type shell to access the device shell.
2. At the shell prompt, use the python command with no parameters to enter an interactive
Python session:

# python
Python 3.10.1 (main, Mar 30 2023, 23:47:13) [GCC 11.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>>

3. Import the maintenance submodule:

>>> from digidevice import maintenance


>>>

4. Use the help command with maintenance:

>>> help(maintenance)
Help on module digidevice.maintenance in digidevice:

NAME
digidevice.maintenance


DESCRIPTION
API for setting the device's service state. The service state is stored in runt.
...

5. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit().

Use Python to send and receive SMS messages


You can create Python scripts that send and receive SMS messages in tandem with the Digi Remote
Manager by using the digidevice.sms module. To use a script to send or receive SMS messages, you
must also enable the ability to schedule SMS scripting.

Enable the ability to schedule SMS scripting

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click System > Scheduled tasks.


4. Click to enable Allow scheduled scripts to handle SMS.

5. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. At the config prompt, type:

(config)> system schedule sms_script_handling true


(config)>

4. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

5. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
See Configure scripts to run automatically for more information about scheduling scripts.

Example digidevice.sms script


The following example script receives an SMS message and sends a response:

#!/usr/bin/python3.10.1

import os
import threading
import sys
from digidevice.sms import Callback, send

# Condition used to wake the main thread when an SMS message arrives
COND = threading.Condition()

def sms_test_callback(sms, info):
    # Called by digidevice.sms for each incoming message
    print(f"SMS message from {info['content.number']} received")
    print(sms)
    print(info)
    COND.acquire()
    COND.notify()
    COND.release()

def send_sms(destination, msg):
    print("sending SMS message", msg)
    # Prefix bare 10-digit numbers with the +1 country code
    if len(destination) == 10:
        destination = "+1" + destination
    send(destination, msg)

if __name__ == '__main__':
    if len(sys.argv) > 1:
        dest = sys.argv[1]
    else:
        dest = '+15005550006'
    my_callback = Callback(sms_test_callback, metadata=True)
    send_sms(dest, 'Hello World!')
    print("Please send an SMS message now.")
    print("Execution halted until a message is received or 60 seconds have passed.")
    # acquire the condition lock and wait until a callback occurs
    COND.acquire()
    try:
        COND.wait(60.0)
    except Exception as err:
        print("exception occurred while waiting")
        print(err)
    COND.release()
    my_callback.unregister_callback()

Example script using digidevice.sms to send CLI commands


The following example script listens for an incoming SMS message from a specific phone number
(2223334444) and then executes the SMS message as a CLI command. If the CLI command being run
has output, it will send that output as a response SMS message. If the CLI command being run has no
output but ran successfully, the script will instead send an OK response SMS message. Errors in
running the CLI will have those error messages sent as an SMS response.

#!/usr/bin/python

# Take an incoming SMS message from a specified phone number and run it as
# a CLI command. Send a response SMS to the sender before running the command

import os
import threading
import sys
from digidevice import cli
from digidevice.sms import Callback, send

# Condition used to wake the main thread once a message has been handled
COND = threading.Condition()
allowed_incoming_phone_number = '2223334444'

def sms_test_callback(sms, info):
    # Only messages from the allowed number are executed
    if info['content.number'] == allowed_incoming_phone_number:
        print(f"SMS message from {info['content.number']} received")
        print(sms)
        print(info)
        #if sms == "Reboot":
        #    send_sms(dest, 'Reboot message received, rebooting device...')
        #    response = cli.execute("reboot")
        #    print (response)
        send_sms(dest, 'Message received (' + sms + '). Performing as CLI command...')
        # The message text is passed to the CLI as-is
        response = cli.execute(sms)
        if not response:
            response = 'OK'
        send_sms(dest, 'CLI results: ' + response)
        print (response)
        COND.acquire()
        COND.notify()
        COND.release()

def send_sms(destination, msg):
    print("sending SMS message", msg)
    # Prefix bare 10-digit numbers with the +1 country code
    if len(destination) == 10:
        destination = "+1" + destination
    send(destination, msg)

if __name__ == '__main__':
    # dest is read by sms_test_callback as a module-level name
    if len(sys.argv) > 1:
        dest = sys.argv[1]
    else:
        dest = allowed_incoming_phone_number
    my_callback = Callback(sms_test_callback, metadata=True)
    #send_sms(dest, 'Ready to receive incoming SMS message')
    print("Waiting up to 60 seconds for incoming SMS message")
    # acquire the condition lock and wait until a callback occurs
    COND.acquire()
    try:
        COND.wait(60.0)
    except Exception as err:
        print("exception occurred while waiting")
        print(err)
    COND.release()
    my_callback.unregister_callback()
    # remove all stored SMS messages, since we've processed them
    os.system('rm -f /var/run/sms/scripts/*')
    print("SMS script finished. Please re-run if you want to check for more incoming SMS messages")
    os._exit(0)
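
The sender number in SMS metadata can be spoofed, so the number comparison in the script above filters messages but does not authenticate them, and every accepted message is run as an arbitrary CLI command. The following is an added example, not code from the Digi guide, of a gate that could sit in front of cli.execute(): it requires a fresh timestamp and an HMAC tag over the command, rejects replays, and only passes commands on an allowlist. The message layout "<unix-time> <tag> <command>", the shared key, the allowlist contents and all function names are assumptions; the check also assumes the device clock is set.

```python
import hashlib
import hmac

ALLOWED_SENDER = "2223334444"                  # number used in the script above
SHARED_KEY = b"constructed-demo-key"           # constructed; provision a real per-device secret
ALLOWED_COMMANDS = {"reboot", "show system"}   # hypothetical allowlist
MAX_SKEW_SECONDS = 300                         # how old or new a message may be
TAG_HEX_CHARS = 16                             # truncated tag, short enough for one SMS


def normalize_number(number):
    """Reduce '+1 (222) 333-4444' style numbers to ten digits (assumes +1 numbers)."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def make_tag(key, timestamp, command):
    """Tag the sender computes over the timestamp and the exact command text."""
    message = f"{timestamp}|{command}".encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()[:TAG_HEX_CHARS]


def authorize_sms(sender, body, now, seen, key=SHARED_KEY):
    """Return the CLI command to run, or None if the message must be ignored.

    seen is a set kept by the caller for the life of the script; it holds the
    (timestamp, tag) pairs already accepted so a captured message cannot be replayed.
    """
    if normalize_number(sender) != ALLOWED_SENDER:
        return None
    parts = body.strip().split(None, 2)
    if len(parts) != 3:
        return None                            # unsigned or truncated message
    timestamp, tag, raw_command = parts
    if not (timestamp.isascii() and timestamp.isdigit()):
        return None
    if abs(now - int(timestamp)) > MAX_SKEW_SECONDS:
        return None                            # stale or far-future message
    command = " ".join(raw_command.split())    # collapse whitespace before checking
    expected = make_tag(key, timestamp, command)
    if not hmac.compare_digest(expected.encode("ascii"), tag.lower().encode("utf-8")):
        return None                            # wrong key or altered command
    if command not in ALLOWED_COMMANDS:
        return None                            # authentic, but not a permitted command
    if (timestamp, expected) in seen:
        return None                            # replay of an accepted message
    seen.add((timestamp, expected))
    return command


# In sms_test_callback the call would look like this (digidevice is only on the device):
#   command = authorize_sms(info['content.number'], sms, int(time.time()), SEEN)
#   if command is not None:
#       response = cli.execute(command)

if __name__ == "__main__":
    import time
    now = int(time.time())
    seen = set()
    tag = make_tag(SHARED_KEY, str(now), "show system")
    signed = f"{now} {tag} show system"
    print("signed  :", authorize_sms("+12223334444", signed, now, seen))
    print("replayed:", authorize_sms("+12223334444", signed, now, seen))
    print("unsigned:", authorize_sms("+12223334444", "reboot", now, seen))
```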

Use Python to access serial ports


You can use the Python serial module to access serial ports on your Connect EZ 16/32 device that are
configured to be in Application mode. See Configure Application mode for a serial port for information
about configuring a serial port in Application mode.
To use Python to access serial ports:

1. Select a device in Remote Manager that is configured to allow shell access to the admin user,
and click Actions > Open Console. Alternatively, log into the Connect EZ 16/32 local command
line as a user with shell access.


Depending on your device configuration, you may be presented with an Access selection
menu. Type shell to access the device shell.
2. Determine the path to the serial port:

# ls /dev/serial/
by-id by-path port1
#

3. At the shell prompt, use the python command with no parameters to enter an interactive
Python session:

# python
Python 3.10.1 (main, Mar 30 2023, 23:47:13) [GCC 11.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>>

4. Import the serial module:

>>> import serial


>>>

5. You can now perform operations on the serial port. For example, to write a message to the
serial port:

>>> s = serial.Serial("/dev/serial/port1", 115200)


>>> s.write(b"Hello from serial port")
22
>>>

6. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit().

Use the Paho MQTT Python library


Your Connect EZ 16/32 device includes support for the Paho MQTT Python library. MQTT is a
lightweight messaging protocol used to communicate with various applications including cloud-based
applications such as Amazon Web Services and Microsoft Azure. The following is example code that
reads CPU and RAM usage on the device, updates the device firmware, then publishes information
about DHCP clients and system information to the MQTT server at 192.168.1.100. The MQTT server IP
is configurable.

"""
MQTT client example:
- Reporting some device metrics from runt
- Reporting DHCP clients
- Firmware update feature (simple implementation, read TODO in cmd_fwupdate)
"""

import sys
import time
import paho.mqtt.client as mqtt
import json
from acl import runt, config
from http import HTTPStatus
import urllib.request
import tempfile
import os
from digidevice import cli

# Seconds between metric publications
POLL_TIME = 60

def cmd_reboot(params):
    print("Rebooting unit...")
    try:
        cli.execute("reboot", 10)
    except Exception:
        print("Failed to run 'reboot' command")
        return HTTPStatus.INTERNAL_SERVER_ERROR

    return HTTPStatus.OK

def cmd_fwupdate(params):
    try:
        fw_uri = params["uri"]
    except Exception:
        print("Firmware file URI not passed")
        return HTTPStatus.BAD_REQUEST

    print("Request to update firmware with URI: {}".format(fw_uri))

    try:
        # Download to a temporary file that is always removed afterwards
        fd, fname = tempfile.mkstemp()
        os.close(fd)
        try:
            urllib.request.urlretrieve(fw_uri, fname)
        except Exception:
            print("Failed to download FW file from URI {}".format(fw_uri))
            return HTTPStatus.NOT_FOUND

        try:
            ret = cli.execute("system firmware update file " + fname, 60)
        except Exception:
            print("Failed to run firmware update command")
            return HTTPStatus.INTERNAL_SERVER_ERROR

        if "Firmware update completed" not in ret:
            print("Failed to update firmware")
            return HTTPStatus.INTERNAL_SERVER_ERROR
    finally:
        os.remove(fname)

    print("Firmware update finished")

    return HTTPStatus.OK

# Maps the "cmd" field of an incoming message to its handler
CMD_HANDLERS = {
    "reboot": cmd_reboot,
    "fw-update": cmd_fwupdate
}

def send_cmd_reply(client, cmd_path, cid, cmd, status):
    if not status or not cid:
        return

    # Replies go to the rsp/ topic that mirrors the cmd/ topic, plus the client ID
    if cmd_path.startswith(PREFIX_CMD):
        path = cmd_path[len(PREFIX_CMD):]
    else:
        print("Invalid command path ({}), cannot send reply".format(cmd_path))
        return

    reply = {
        "cmd": cmd,
        "status": status
    }

    client.publish(PREFIX_RSP + path + "/" + cid, json.dumps(reply, separators=(',',':')))

def on_connect(client, userdata, flags, rc):
    print("Connected to MQTT server")
    client.subscribe(PREFIX_CMD + "/system")

def on_message(client, userdata, msg):
    """ Supporting only a single topic for now, no need for filters
    Expects the following message format:
    {
        "cid": "<client-id>",
        "cmd": "<command>",
        "params": {
            <optional_parameters>
        }
    }

    Supported commands:
    - "fw-update"
        params:
        - "uri": "<firmware_file_URL>"
    - "reboot"
        params:
    """

    # Set before parsing so the error path below can test them
    cid = None
    cmd = None
    try:
        m = json.loads(msg.payload)
        cid = m["cid"]
        cmd = m["cmd"]
        try:
            payload = m["params"]
        except Exception:
            payload = None
    except Exception:
        print("Invalid command format: {}".format(msg.payload))
        if not cid:
            # Return if client-ID not passed
            return None
        send_cmd_reply(client, msg.topic, cid, cmd, HTTPStatus.BAD_REQUEST)
        # Do not run a handler for a malformed message
        return None

    try:
        status = CMD_HANDLERS[cmd](payload)
    except Exception:
        print("Invalid command: {}".format(cmd))
        status = HTTPStatus.NOT_IMPLEMENTED

    send_cmd_reply(client, msg.topic, cid, cmd, status)


def publish_dhcp_leases():
    leases = []
    try:
        with open('/etc/config/dhcp.leases', 'r') as f:
            for line in f:
                # Each lease line has five fields; skip anything else
                elems = line.split()
                if len(elems) != 5:
                    continue
                leases.append({"mac": elems[1], "ip": elems[2], "host": elems[3]})
        if leases:
            client.publish(PREFIX_EVENT + "/leases", json.dumps(leases, separators=(',',':')))
    except Exception:
        print("Failed to open DHCP leases file")

def publish_system():
    avg1, avg5, avg15 = runt.get("system.load_avg").split(', ')
    ram_used = runt.get("system.ram.per")
    disk_opt = runt.get("system.disk./opt.per")
    disk_config = runt.get("system.disk./etc/config.per")

    msg = json.dumps({
        "load_avg": {
            "1min": avg1,
            "5min": avg5,
            "15min": avg15
        },
        "disk_usage": {
            "/opt": disk_opt,
            "/etc/config": disk_config,
            "ram": ram_used
        }
    })

    # msg is already a JSON string, so publish it without encoding it again
    client.publish(PREFIX_EVENT + "/system", msg)

runt.start()
serial = runt.get("system.serial")

# Topic prefixes are built from the device serial number
PREFIX = "router/" + serial
PREFIX_EVENT = "event/" + PREFIX
PREFIX_CMD = "cmd/" + PREFIX
PREFIX_RSP = "rsp/" + PREFIX

client = mqtt.Client()
client.on_connect = on_connect
client.on_message = on_message

try:
    client.connect("192.168.1.100", 1883, 60)
    client.loop_start()
except Exception:
    print("Failed to connect to MQTT server")
    sys.exit(1)

# Publish leases and system metrics every POLL_TIME seconds
while True:
    publish_dhcp_leases()
    publish_system()
    time.sleep(POLL_TIME)
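
The example above connects to the broker on port 1883 without TLS or credentials, and its fw-update handler downloads whatever URI the message names (urllib.request.urlretrieve also accepts file: URLs). The following is an added example, not code from the Digi guide, of checks that could run before cmd_fwupdate downloads and installs anything, plus TLS and credential setup for the paho client. The "sha256" parameter, the host allowlist, firmware.example.com and the function names are assumptions and not part of the message format above.

```python
import hashlib
import hmac
import re
from urllib.parse import urlsplit

ALLOWED_FW_HOSTS = {"firmware.example.com"}    # hypothetical download host
SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")


def validate_fw_params(params):
    """Return (uri, sha256_hex) for an acceptable fw-update request, else raise ValueError."""
    if not isinstance(params, dict):
        raise ValueError("params must be an object")
    uri = params.get("uri")
    digest = params.get("sha256")              # assumed extra parameter
    if not isinstance(uri, str) or not isinstance(digest, str):
        raise ValueError("uri and sha256 are required strings")
    parts = urlsplit(uri)
    if parts.scheme != "https":
        raise ValueError("only https:// firmware URIs are accepted")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in the URI are not accepted")
    if parts.hostname not in ALLOWED_FW_HOSTS:
        raise ValueError("host is not on the firmware allowlist")
    if parts.port not in (None, 443):          # .port raises ValueError if malformed
        raise ValueError("unexpected port")
    if not SHA256_RE.fullmatch(digest):
        raise ValueError("sha256 must be 64 hex characters")
    return uri, digest.lower()


def is_acceptable(params):
    """Boolean form of validate_fw_params for use in a handler."""
    try:
        validate_fw_params(params)
        return True
    except ValueError:
        return False


def file_sha256(path, chunk_size=65536):
    """Hash the downloaded file in chunks so large images do not fill RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def download_matches(path, expected_hex):
    """True if the file on disk has the announced digest.

    The digest arrives on the same channel as the URI, so it catches a wrong or
    corrupted file; authenticity still depends on the TLS-authenticated broker
    and the host allowlist.
    """
    actual = file_sha256(path).encode("ascii")
    return hmac.compare_digest(actual, expected_hex.lower().encode("utf-8"))


def secure_client(client, ca_file, username, password):
    """Apply TLS and broker credentials to a paho client before connect().

    Connect to the broker's TLS listener (8883 is the registered MQTT-over-TLS
    port) instead of 1883 after calling this.
    """
    client.tls_set(ca_certs=ca_file)
    client.username_pw_set(username, password)
    return client


if __name__ == "__main__":
    # Constructed sample requests
    samples = [
        {"uri": "https://firmware.example.com/fw/image.bin", "sha256": "ab" * 32},
        {"uri": "http://firmware.example.com/fw/image.bin", "sha256": "ab" * 32},
        {"uri": "file:///etc/config/accns.json", "sha256": "ab" * 32},
        {"uri": "https://firmware.example.com/fw/image.bin"},
    ]
    for sample in samples:
        print(is_acceptable(sample), sample.get("uri"))
```

In cmd_fwupdate, validate_fw_params would run before urlretrieve and download_matches before the "system firmware update file" command, returning HTTPStatus.BAD_REQUEST on failure.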


Set up the Connect EZ 16/32 to automatically run your applications
This section contains the following topics:
- Configure scripts to run automatically
- Show script information
- Stop a script that is currently running

Configure scripts to run automatically


You can configure a script or a Python application to run automatically when the system restarts, at
specific intervals, or at a specified time. By default, scripts execute in a "sandbox," which restricts
access to the file system and available commands that can be used by the script.

Required configuration items


- Upload or create the script. The script must be uploaded to /etc/config/scripts or a
  subdirectory.
- Enable the script.
- Select whether the script should run:
  - When the device boots.
  - At a specified time.
  - At a specified interval.
  - During system maintenance.

Additional configuration items


- If the script is a Python application, include the full path to the script.
- A label used to identify the script.
- The action to take if the script finishes. The actions that can be taken are:
  - None.
  - Restart the script.
  - Reboot the device.
- Whether to write the script output and errors to the system log.
- If the script is set to run at a specified interval, whether another instance of the script should
  be run at the specified interval if the previous instance is still running.
- The memory available to be used by the script.
- Whether the script should run one time only.

Task one: Upload the application

Web


Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
1. On the menu, click System. Under Administration, click File System.

The File System page appears.

2. Highlight the scripts directory and click the icon to open the directory.
3. Click the upload icon.
4. Browse to the location of the script on your local machine. Select the file and click Open to
upload the file.
The file is uploaded to the /etc/config/scripts directory.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, use the scp command to upload the Python application script to the
Connect EZ 16/32 device:

> scp host hostname-or-ip user username remote remote-path local local-path to local

where:
- hostname-or-ip is the hostname or IP address of the remote host.
- username is the name of the user on the remote host.
- remote-path is the path and filename of the file on the remote host that will be copied
  to the Connect EZ 16/32 device.
- local-path is the location on the Connect EZ 16/32 device where the copied file will be
  placed.
For example:


To upload a script from a remote host with an IP address of 192.168.4.1 to the
/etc/config/scripts directory on the Connect EZ 16/32 device, issue the following command:

> scp host 192.168.4.1 user admin remote /home/admin/bin/test.py local /etc/config/scripts/ to local
admin@192.168.4.1's password: adminpwd
test.py 100% 36MB 11.1MB/s 00:03
>

3. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Note You can also create scripts by using the vi command when logged in with shell access.

Task two: Configure the application to run automatically

Note This feature does not provide syntax or error checking. Certain commands can render the device
inoperable. Use with care.

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click System > Scheduled tasks > Custom scripts.


4. For Add Script, click the icon.

The script configuration window is displayed.

Custom scripts are enabled by default. To disable, toggle off Enable.
5. (Optional) For Label, provide a label for the script.
6. For Run mode, select the mode that will be used to run the script. Available options are:
- On boot: The script will run once each time the device boots.
  - If On boot is selected, select the action that will be taken when the script
    completes in Exit action. Available options are:
    - None: Action taken when the script exits.
    - Restart script: Runs the script repeatedly.
    - Reboot: The device will reboot when the script completes.
- Interval: The script will start running at the specified interval, within 30 seconds after
  the configuration change is saved.
  - If Interval is selected, in Interval, type the interval.
    Allowed values are any number of weeks, days, hours, minutes, or seconds, and
    take the format number{w|d|h|m|s}.
    For example, to set Interval to ten minutes, enter 10m or 600s.
  - Click to enable Run single to run only a single instance of the script at a time.
    If Run single is not enabled, a new instance of the script will be started at every
    interval, regardless of whether the script is still running from a previous interval.
- Set time: Runs the script at a specified time of the day.
  - If Set time is selected, specify the time that the script should run in Run time,
    using the format HH:MM.
- During system maintenance: The script will run during the system maintenance time
  window.
7. For Commands, type the commands that will execute the script.


   - If a Python script is being used, include the full path to the Python script. For example:

python /etc/config/scripts/test.py

   - If the script begins with #!, then the script will be invoked in the location specified by
     the path for the script command. Otherwise, the default shell will be used (equivalent
     to #!/bin/sh).
8. Script logging options:
a. Click to enable Log script output to log the script's output to the system log.
b. Click to enable Log script errors to log script errors to the system log.
If neither option is selected, only the script's exit code is written to the system log.
9. For Maximum memory, enter the maximum amount of memory available to be used by the
script and its subprocesses, using the format number{b|bytes|KB|k|MB|MB|M|GB|G|TB|T}.
10. Sandbox is enabled by default, which restricts access to the file system and available
commands that can be used by the script. This option protects the script from accidentally
destroying the system it is running on.
11. Click to enable Once to configure the script to run only once at the specified time.
If Once is enabled, rebooting the device will cause the script to not run again. The only way to
re-run the script is to:
   - Remove the script from the device and add it again.
   - Make a change to the script.
   - Uncheck Once.
12. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Add a script:

(config)> add system schedule script end


(config system schedule script 0)>

Scheduled scripts are enabled by default. To disable:

(config system schedule script 0)> enable false


(config system schedule script 0)>


4. (Optional) Provide a label for the script.

(config system schedule script 0)> label value


(config system schedule script 0)>

where value is any string. If spaces are used, enclose value within double quotes.
5. Set the mode that will be used to run the script:

(config system schedule script 0)> when mode


(config system schedule script 0)>

where mode is one of the following:

- boot: The script will run once each time the device boots.
  - If boot is selected, set the action that will be taken when the script completes:

(config system schedule script 0)> exit_action action
(config system schedule script 0)>

    where action is one of the following:
    - none: Action taken when the script exits.
    - restart: Runs the script repeatedly.
    - reboot: The device will reboot when the script completes.
- interval: The script will start running at the specified interval, within 30 seconds after
  the configuration change is saved. If interval is selected:
  - Set the interval:

(config system schedule script 0)> on_interval value
(config system schedule script 0)>

    where value is any number of weeks, days, hours, minutes, or seconds, and takes
    the format number{w|d|h|m|s}.
    For example, to set on_interval to ten minutes, enter either 10m or 600s:

(config system schedule script 0)> on_interval 600s
(config system schedule script 0)>

  - (Optional) Configure the script to run only a single instance at a time:

(config system schedule script 0)> once true
(config system schedule script 0)>

    If once is set to false, a new instance of the script will be started at every interval,
    regardless of whether the script is still running from a previous interval.
- set_time: Runs the script at a specified time of the day.
  - If set_time is set, set the time that the script should run, using the format HH:MM:

(config system schedule script 0)> run_time HH:MM
(config system schedule script 0)>

- maintenance_time: The script will run during the system maintenance time window.


6. Set the commands that will execute the script:

(config system schedule script 0)> commands filename


(config system schedule script 0)>

where filename is the path and filename of the script, and any related command line
information.
- If a Python script is being used, include the full path to the Python script and enclose in
  quotation marks. For example:

(config system schedule script 0)> commands python "/etc/config/scripts/test.py"
(config system schedule script 0)>

- If the script begins with #!, then the script will be invoked in the location specified by
  the path for the script command. Otherwise, the default shell will be used (equivalent
  to #!/bin/sh).
7. Script logging options:
- To log the script's output to the system log:

(config system schedule script 0)> syslog_stdout true
(config system schedule script 0)>

- To log script errors to the system log:

(config system schedule script 0)> syslog_stderr true
(config system schedule script 0)>

If syslog_stdout and syslog_stderr are not enabled, only the script's exit code is written to
the system log.
8. Set the maximum amount of memory available to be used by the script and its subprocesses:

(config system schedule script 0)> max_memory value


(config system schedule script 0)>

where value uses the syntax number{b|bytes|KB|k|MB|MB|M|GB|G|TB|T}.


9. To run the script only once at the specified time:

(config system schedule script 0)> once true


(config system schedule script 0)>

If once is enabled, rebooting the device will cause the script to run again. The only way to re-
run the script is to:
- Remove the script from the device and add it again.
- Make a change to the script.
- Disable once.
10. Sandbox is enabled by default. This option protects the script from accidentally destroying the
system it is running on.


(config system schedule script 0)> sandbox true


(config system schedule script 0)>

11. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

12. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
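
The settings typed in the command-line procedure above can be reviewed before they are saved. The following Python sketch is an added example, not Digi code: it parses a pasted configuration transcript and flags the settings that this section ties to safety and visibility (sandbox, max_memory, logging, overlapping interval runs, full script path). The transcripts are constructed, and the /etc/config/scripts/ path policy and the treatment of untyped logging keys as not enabled are assumptions.

```python
import posixpath
import re
import shlex

# Matches a command typed at the script configuration prompt shown in the guide.
PROMPT_RE = re.compile(r"^\(config system schedule script \d+\)>\s*(\S+)\s*(.*)$")
INTERVAL_RE = re.compile(r"^(\d+)([wdhms])$")                  # number{w|d|h|m|s}
MEMORY_RE = re.compile(r"^\d+(b|bytes|KB|k|MB|M|GB|G|TB|T)$")  # max_memory syntax
UNIT_SECONDS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}
RUN_MODES = {"boot", "interval", "set_time", "maintenance_time", "manual"}
SCRIPT_DIR = "/etc/config/scripts/"  # assumed review policy, not a device rule


def parse_transcript(text):
    """Collect the key/value pairs typed at the script configuration prompt."""
    settings = {}
    for line in text.splitlines():
        match = PROMPT_RE.match(line.strip())
        if match:  # bare prompts and lines from other prompts are skipped
            settings[match.group(1)] = match.group(2).strip()
    return settings


def interval_seconds(value):
    """Convert number{w|d|h|m|s} to seconds; return None when malformed."""
    match = INTERVAL_RE.match(value)
    return int(match.group(1)) * UNIT_SECONDS[match.group(2)] if match else None


def audit(settings):
    """Return (key, message) findings for one script's settings."""
    findings = []
    mode = settings.get("when")
    if mode not in RUN_MODES:
        findings.append(("when", f"run mode {mode!r} is not a documented mode"))
    if mode == "interval":
        if not interval_seconds(settings.get("on_interval", "")):
            findings.append(("on_interval", "missing, zero, or malformed interval"))
        if settings.get("once") != "true":
            findings.append(("once", "instances may overlap: a new one starts "
                                     "every interval even if the last still runs"))
    try:
        tokens = shlex.split(settings.get("commands", ""))
    except ValueError:  # unbalanced quotes
        tokens = []
    # Normalize so that ".." segments cannot hide where the path really points.
    paths = [posixpath.normpath(t) for t in tokens if t.startswith("/")]
    if not paths:
        findings.append(("commands", "no full path to the script"))
    elif any(not p.startswith(SCRIPT_DIR) for p in paths):
        findings.append(("commands", f"path resolves outside {SCRIPT_DIR}"))
    # Assumption: a logging key that was never typed is treated as not enabled.
    if "true" not in (settings.get("syslog_stdout"), settings.get("syslog_stderr")):
        findings.append(("syslog", "only the exit code reaches the system log"))
    if not MEMORY_RE.match(settings.get("max_memory", "")):
        findings.append(("max_memory", "no valid memory cap for the script"))
    # The guide states sandbox is enabled by default, so unset counts as true.
    if settings.get("sandbox", "true") != "true":
        findings.append(("sandbox", "file system and command restrictions are off"))
    return findings


# Constructed transcripts for illustration; neither comes from a real device.
HARDENED = '''
(config)> add system schedule script end
(config system schedule script 0)> label "port poller"
(config system schedule script 0)>
(config system schedule script 0)> when interval
(config system schedule script 0)> on_interval 10m
(config system schedule script 0)> once true
(config system schedule script 0)> commands python "/etc/config/scripts/test.py"
(config system schedule script 0)> syslog_stderr true
(config system schedule script 0)> max_memory 32MB
(config system schedule script 0)> sandbox true
'''

WEAK = '''
(config system schedule script 0)> when interval
(config system schedule script 0)> on_interval 10x
(config system schedule script 0)> commands python "/etc/config/scripts/../../tmp/test.py"
(config system schedule script 0)> sandbox false
'''

if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("weak", WEAK)):
        print(name)
        for key, message in audit(parse_transcript(text)):
            print(f"  {key}: {message}")
```
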

Show script information


You can view status and statistics about location information from either the WebUI or the command
line.

Web
Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
1. At the Status page, click Scripts.
The Scripts page displays:

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. Use the show scripts command at the system prompt:

> show scripts

Index  Label        Enabled  Status  Run time
-----  -----------  -------  ------  --------
0      script1      true     active
1      script2      true     idle    01:00
>


3. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Stop a script that is currently running


You can stop a script that is currently running.

Web
Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
1. At the Status page, click Scripts.
The Scripts page displays:

2. For scripts that are currently running, click Stop Script to stop the script.
Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. Determine the name of scripts that are currently running:

> show scripts

Index  Label        Enabled  Status  Run time
-----  -----------  -------  ------  --------
0      script1      true     active
1      script2      true     idle    01:00
>

Scripts that are currently running have the status of active.


3. Stop the appropriate script:

)> system script stop script1


>


4. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

5. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Start an interactive Python session


Use the python command without specifying any parameters to start an interactive Python session.
The Python session operates interactively using REPL (Read Evaluate Print Loop) to allow you to write
Python code on the command line.

Note The Python interactive session is not available from the Admin CLI. You must access the device
shell in order to run Python applications from the command line. See Authentication groups for
information about configuring authentication groups that include shell access.

1. Select a device in Remote Manager that is configured to allow shell access to the admin user,
and click Actions > Open Console. Alternatively, log into the Connect EZ 16/32 local command
line as a user with shell access.
Depending on your device configuration, you may be presented with an Access selection
menu. Type shell to access the device shell.
2. At the shell prompt, use the python command with no parameters to enter an interactive
Python session:

# python
Python 3.10.1 (main, Mar 30 2023, 23:47:13) [GCC 11.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>>

3. Type Python commands at the Python prompt. For example, to view help for the digidevice
module, type:

>>> help("digidevice")
Help on package digidevice:

NAME
digidevice - Digi device python extensions

DESCRIPTION
This module includes various extensions that allow Python
to interact with additional features offered by the device.
...

4. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit().


Run a Python application at the shell prompt


Python applications can be run from a file at the shell prompt. The Python application will run until it
completes, displaying output and prompting for additional user input if needed. To interrupt the
application, enter CTRL-C.

Note Python applications cannot be run from the Admin CLI. You must access the device shell in
order to run Python applications from the command line. See Authentication groups for information
about configuring authentication groups that include shell access.

1. Upload the Python application to the Connect EZ 16/32 device:

Web
Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
a. On the menu, click System. Under Administration, click File System.

The File System page appears.

b. Highlight the scripts directory and click  to open the directory.


c. Click  (upload).
d. Browse to the location of the script on your local machine. Select the file and click Open
to upload the file.
The file is uploaded to the /etc/config/scripts directory.

Command line
a. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
b. At the command line, use the scp command to upload the Python application script to the
Connect EZ 16/32 device:


> scp host hostname-or-ip user username remote remote-path local local-path to local

where:
- hostname-or-ip is the hostname or IP address of the remote host.
- username is the name of the user on the remote host.
- remote-path is the path and filename of the file on the remote host that will be
  copied to the Connect EZ 16/32 device.
- local-path is the location on the Connect EZ 16/32 device where the copied file will
  be placed.
For example:
To upload a script from a remote host with an IP address of 192.168.4.1 to the
/etc/config/scripts directory on the Connect EZ 16/32 device, issue the following
command:

> scp host 192.168.4.1 user admin remote /home/admin/bin/test.py local /etc/config/scripts/ to local
admin@192.168.4.1's password: adminpwd
test.py 100% 36MB 11.1MB/s 00:03
>

c. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Note You can also create scripts by using the vi command when logged in with shell access.

2. Select a device in Remote Manager that is configured to allow shell access to the admin user,
and click Actions > Open Console. Alternatively, log into the Connect EZ 16/32 local command
line as a user with shell access.
Depending on your device configuration, you may be presented with an Access selection
menu. Type shell to access the device shell.
3. Use the python command to run the Python application. In the following example, the Python
application, test.py, takes 3 parameters: 120, ports and storage:

# python /etc/config/scripts/test.py 120 ports storage

Configure scripts to run manually


You can configure a script to be run manually.

Required configuration items


- Upload or create the script.
- Enable the script.
- Set the script to run manually.


Additional configuration items


- A label used to identify the script.
- The arguments for the script.
- Whether to write the script output and errors to the system log.
- The memory available to be used by the script.
- Whether the script should run one time only.

Task one: Upload the application

Web
Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
1. On the menu, click System. Under Administration, click File System.

The File System page appears.

2. Highlight the scripts directory and click  to open the directory.


3. Click  (upload).
4. Browse to the location of the script on your local machine. Select the file and click Open to
upload the file.
The file is uploaded to the /etc/config/scripts directory.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, use the scp command to upload the Python application script to the
Connect EZ 16/32 device:


> scp host hostname-or-ip user username remote remote-path local local-path to local

where:
- hostname-or-ip is the hostname or IP address of the remote host.
- username is the name of the user on the remote host.
- remote-path is the path and filename of the file on the remote host that will be copied
  to the Connect EZ 16/32 device.
- local-path is the location on the Connect EZ 16/32 device where the copied file will be
  placed.
For example:
To upload a script from a remote host with an IP address of 192.168.4.1 to the
/etc/config/scripts directory on the Connect EZ 16/32 device, issue the following command:

> scp host 192.168.4.1 user admin remote /home/admin/bin/test.py local /etc/config/scripts/ to local
admin@192.168.4.1's password: adminpwd
test.py 100% 36MB 11.1MB/s 00:03
>

3. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Note You can also create scripts by using the vi command when logged in with shell access.

Task two: Configure the application to run automatically


Note This feature does not provide syntax or error checking. Certain commands can render the device
inoperable. Use with care.

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click System > Scheduled tasks > Custom scripts.
4. For Add Script, click .

The script configuration window is displayed.

Custom scripts are enabled by default. To disable, toggle off Enable.
5. (Optional) For Label, provide a label for the script.
6. For Run mode, select Manual.
7. For Commands, type the commands that will execute the script.
   - If a Python script is being used, include the full path to the Python script. For example:

python /etc/config/scripts/test.py

   - If the script begins with #!, then the script will be invoked in the location specified by
     the path for the script command. Otherwise, the default shell will be used (equivalent
     to #!/bin/sh).
8. Script logging options:
a. Click to enable Log script output to log the script's output to the system log.
b. Click to enable Log script errors to log script errors to the system log.
If neither option is selected, only the script's exit code is written to the system log.
9. For Maximum memory, enter the maximum amount of memory available to be used by the
script and its subprocesses, using the format number{b|bytes|KB|k|MB|MB|M|GB|G|TB|T}.
10. Sandbox is enabled by default, which restricts access to the file system and available
commands that can be used by the script. This option protects the script from accidentally
destroying the system it is running on.


11. Click to enable Once to configure the script to run only once at the specified time.
If Once is enabled, rebooting the device will cause the script to not run again. The only way to
re-run the script is to:
   - Remove the script from the device and add it again.
   - Make a change to the script.
   - Uncheck Once.
12. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Add a script:

(config)> add system schedule script end


(config system schedule script 0)>

Scheduled scripts are enabled by default. To disable:

(config system schedule script 0)> enable false


(config system schedule script 0)>

4. (Optional) Provide a label for the script.

(config system schedule script 0)> label value


(config system schedule script 0)>

where value is any string. If spaces are used, enclose value within double quotes.
5. Set the run mode to manual:

(config system schedule script 0)> when manual


(config system schedule script 0)>

6. Set the commands that will execute the script:

(config system schedule script 0)> commands filename


(config system schedule script 0)>

where filename is the path and filename of the script, and any related command line
information.
- If a Python script is being used, include the full path to the Python script and enclose in
  quotation marks. For example:


(config system schedule script 0)> commands python "/etc/config/scripts/test.py"
(config system schedule script 0)>

- If the script begins with #!, then the script will be invoked in the location specified by
  the path for the script command. Otherwise, the default shell will be used (equivalent
  to #!/bin/sh).
7. Script logging options:
- To log the script's output to the system log:

(config system schedule script 0)> syslog_stdout true
(config system schedule script 0)>

- To log script errors to the system log:

(config system schedule script 0)> syslog_stderr true
(config system schedule script 0)>

If syslog_stdout and syslog_stderr are not enabled, only the script's exit code is written to
the system log.
8. Set the maximum amount of memory available to be used by the script and its subprocesses:

(config system schedule script 0)> max_memory value


(config system schedule script 0)>

where value uses the syntax number{b|bytes|KB|k|MB|MB|M|GB|G|TB|T}.


9. To run the script only once at the specified time:

(config system schedule script 0)> once true


(config system schedule script 0)>

If once is enabled, rebooting the device will cause the script to run again. The only way to re-
run the script is to:
- Remove the script from the device and add it again.
- Make a change to the script.
- Disable once.
10. Sandbox is enabled by default. This option protects the script from accidentally destroying the
system it is running on.

(config system schedule script 0)> sandbox true


(config system schedule script 0)>

11. Save the configuration and apply the change.

(config)> save
Configuration saved.
>


12. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Start a manual script


You can start a script that is enabled and configured to have a run mode of Manual.

Web
Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
1. At the Status page, click Scripts.
The Scripts page displays:

2. For scripts that are enabled and configured to have a run mode of Manual, click Start Script
to start the script.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. Determine the name of scripts that are currently running:

> show scripts

Index  Label        Enabled  Status  Run time
-----  -----------  -------  ------  --------
0      script1      true     active
1      script2      true     idle    01:00
>

3. Start the script:

)> system script start script1


>


4. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

5. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.



User authentication
This chapter contains the following topics:

Connect EZ 16/32 user authentication
User authentication methods
Authentication groups
Local users
Terminal Access Controller Access-Control System Plus (TACACS+)
Remote Authentication Dial-In User Service (RADIUS)
LDAP
Configure serial authentication
Disable shell access
Set the idle timeout for Connect EZ 16/32 users
Example user configuration


Connect EZ 16/32 user authentication


User authentication on the Connect EZ 16/32 has the following features and default configuration:

Feature: Idle timeout
  Description: Determines how long a user session can be idle before the system
  automatically disconnects.
  Default configuration: 10 minutes

Feature: Allow shell
  Description: If disabled, prohibits access to the shell prompt for all authentication
  groups. This does not prevent access to the Admin CLI.
  Note If shell access is disabled, re-enabling it will erase the device's configuration
  and perform a factory reset.
  Default configuration: Enabled

Feature: Methods
  Description: Determines how users are authenticated for access: local users, TACACS+,
  or RADIUS.
  Default configuration: local users

Feature: Groups
  Description: Associates access permissions for a group. You can modify the released
  groups and create additional groups as needed for your site. A user can be assigned to
  more than one group.
  Default configuration:
  - admin: Provides the logged-in user with administrative and shell access.
  - serial: Provides the logged-in user with access to serial ports.

Feature: Users
  Description: Defines local users for the Connect EZ 16/32.
  Default configuration: admin: Belongs to both the admin and serial groups.

Feature: TACACS+
  Description: Configures support for TACACS+ (Terminal Access Controller Access-Control
  System Plus) servers and users.
  Default configuration: Not configured

Feature: RADIUS
  Description: Configures support for RADIUS (Remote Authentication Dial-In User Service)
  servers and users.
  Default configuration: Not configured

Feature: LDAP
  Description: Configures support for LDAP (Lightweight Directory Access Protocol) servers
  and users.
  Default configuration: Not configured

Feature: Serial
  Description: Configures authentication for serial TCP and autoconnect services.
  Default configuration: Not configured

User authentication methods


Authentication methods determine how users of the Connect EZ 16/32 device are authenticated.
Available authentication methods are:


- Local users: Users are authenticated on the local device.
- RADIUS: Users are authenticated by using a remote RADIUS server.
  See Remote Authentication Dial-In User Service (RADIUS) for information about configuring
  RADIUS authentication.
- TACACS+: Users are authenticated by using a remote TACACS+ server.
  See Terminal Access Controller Access-Control System Plus (TACACS+) for information about
  configuring TACACS+ authentication.
- LDAP: Users are authenticated by using a remote LDAP server.
  See LDAP for information about configuring LDAP authentication.


Add a new authentication method

Required configuration items


- The types of authentication method to be used:
To add an authentication method:

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Authentication > Methods.
4. For Add Method, click .

5. Select the appropriate authentication type for the new method from the Method drop-down.


Note Authentication methods are attempted in the order they are listed until the first
successful authentication result is returned. See Rearrange the position of authentication
methods for information about how to reorder the authentication methods.

6. Repeat these steps to add additional methods.


7. Click Apply to save the configuration and apply the change.

Command line
Authentication methods are attempted in the order they are listed until the first successful
authentication result is returned. This procedure describes how to add methods to various places in
the list.

1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Add the new authentication method to the appropriate location in the list:
- To determine the current list of authentication methods:
a. Select the device in Remote Manager and click Actions > Open Console, or log into
the Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access
selection menu. Type admin to access the Admin CLI.
b. At the command line, type config to enter configuration mode:

> config
(config)>

c. Use the show auth method command to display the current authentication
methods configuration:

(config)> show auth method


0 local
(config)>

- To add the new authentication method to the beginning of the list, use the index value
  of 0 to indicate that it should be added as the first method:

(config)> add auth method 0 auth_type


(config)>

where auth_type is one of local, radius, tacacs+, or ldap.


- To add the new authentication method to the end of the list, use the index keyword
  end:


(config)> add auth method end auth_type


(config)>

where auth_type is one of local, radius, tacacs+, or ldap.


- To add the new authentication method in another location in the list, use an index value to
  indicate the appropriate position. For example:

(config)> add auth method 1 auth_type


(config)>

where auth_type is one of local, radius, tacacs+, or ldap.


- You can also use the move command to rearrange existing methods. See Rearrange the
  position of authentication methods for information about how to reorder the
  authentication methods.
4. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

5. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Delete an authentication method

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.


The Configuration window is displayed.


3. Click Authentication > Methods.
4. Click the menu icon (...) next to the method and select Delete.

5. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Use the show auth method command to determine the index number of the authentication
method to be deleted:

(config)> show auth method


0 local
1 radius
2 tacacs+
(config)>

4. Delete the appropriate authentication method:

(config)> del auth method n

Where n is the index number of the authentication method to be deleted. For example, to delete
the TACACS+ authentication method as displayed by the example show command, above:

(config)> del auth method 2

5. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

6. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Rearrange the position of authentication methods

Web
Authentication methods are reordered by changing the method type in the Method drop-down for
each authentication method to match the appropriate order.
For example, the following configuration has Local users as the first method, and RADIUS as the
second.

To reorder these so that RADIUS is first and Local users is second:

1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click to expand the first Method.
4. In the Method drop-down, select RADIUS.

5. Click to expand the second Method.


6. In the Method drop-down, select Local users.

7. Click Apply to save the configuration and apply the change.

Command line

1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Use the show command to display current configuration:

(config)> show auth method


0 local
1 radius
(config)>

4. Use the move command to rearrange the methods:

(config)> move auth method 1 0


(config)>

5. Use the show command again to verify the change:

(config)> show auth method


0 radius
1 local
(config)>

6. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

7. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Authentication groups
Authentication groups are used to assign access rights to Connect EZ 16/32 users. Three types of
access rights can be assigned:
- Admin access: Users with Admin access can be configured to have either:
  - The ability to manage the Connect EZ 16/32 device by using the WebUI or the Admin CLI.
  - Read-only access to the WebUI and Admin CLI.
- Shell access: Users with Shell access have the ability to access the shell when logging into the
  Connect EZ 16/32 via ssh, telnet, or the serial console.
  Shell access is not available if the Allow shell parameter has been disabled. See Disable shell
  access for more information about the Allow shell parameter.
- Serial access: Users with Serial access have the ability to log into the Connect EZ 16/32 device
  by using the serial console.

Preconfigured authentication groups


The Connect EZ 16/32 device has two preconfigured authentication groups:
- The admin group is configured by default to have full Admin access.
- The serial group is configured by default to have Serial access.
The preconfigured authentication groups cannot be deleted, but the access rights defined for the
group are configurable.
This section contains the following topics:

- Change the access rights for a predefined group
- Add an authentication group
- Delete an authentication group

Change the access rights for a predefined group


By default, two authentication groups are predefined: admin and serial. To change the access rights
of the predefined groups:

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Authentication > Groups.
4. Click the authentication group to be changed, either admin or serial, to expand its
configuration node.
5. Click the box next to the following options, as appropriate, to enable or disable access rights
for each:
- Admin access
  For groups assigned Admin access, you can also determine whether the Access level
  should be Full access or Read-only access.
  - Full access provides users of this group with the ability to manage the Connect EZ
    16/32 device by using the WebUI or the Admin CLI.
  - Read-only access provides users of this group with read-only access to the WebUI
    and Admin CLI.
  The default is Full access.
- Serial access
- Interactive shell access
  Shell access is not available if the Allow shell parameter has been disabled. See Disable
  shell access for more information about the Allow shell parameter.

6. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Enable or disable access rights for the group. For example:


- Admin access:
  - To set the access level for Admin access of the admin group:

(config)> auth group admin acl admin level value


(config)>

where value is either:


    - full: provides users of this group with the ability to manage the Connect EZ 16/32
      device by using the WebUI or the Admin CLI.
    - read-only: provides users of this group with read-only access to the WebUI and
      Admin CLI.
  The default is full.
  - To disable Admin access for the admin group:

(config)> auth group admin acl admin enable false


(config)>

- Shell access:
  - To enable Shell access for the serial group:

(config)> auth group serial acl shell enable true


(config)>

Shell access is not available if the Allow shell parameter has been disabled. See
Disable shell access for more information about the Allow shell parameter.
- Serial access:
  - To enable Serial access for the admin group:

(config)> auth group admin acl serial enable true


(config)>

4. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

5. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Add an authentication group


Required configuration items
- The access rights to be assigned to users that are assigned to this group.

Additional configuration items


- Access rights to OpenVPN tunnels, and the tunnels to which they have access.
- Access rights to captive portals, and the portals to which they have access.
- Access rights to query the device for Nagios monitoring.
To add an authentication group:

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.


Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Authentication > Groups.
4. For Add, type a name for the group and click the add icon.

The group configuration window is displayed.

5. Click the following options, as appropriate, to enable or disable access rights for each:
- Admin access
  For groups assigned Admin access, you can also determine whether the Access level
  should be Full access or Read-only access.
  - Full access: provides users of this group with the ability to manage the Connect
    EZ 16/32 device by using the WebUI or the Admin CLI.
  - Read-only access: provides users of this group with read-only access to
    the WebUI and Admin CLI.
  The default is Full access.
- Serial access
6. (Optional) Configure OpenVPN access. See for further information.
7. (Optional) Configure captive portal access:
a. Enable captive portal access rights for users of this group by checking the box next to
Captive portal access.
b. Click Captive portals to expand the Captive portal node.
c. For Add Captive portal, click the add icon.
d. In the Captive portal dropdown, select a captive portal to which users of this group will
have access.
e. Click the add icon again to add additional captive portals.
8. Interactive shell access
Shell access is not available if the Allow shell parameter has been disabled. See Disable shell
access for more information about the Allow shell parameter.
9. (Optional) Enable users that belong to this group to query the device for Nagios monitoring by
checking the box next to Nagios access.
10. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Use the add auth group command to add a new authentication group. For example, to add a group
named test:

(config)> add auth group test


(config auth group test)>

4. Enable access rights for the group:


- Admin access:

(config auth group test)> acl admin enable true
(config auth group test)>

- Set the access level for Admin access:

(config auth group test)> acl admin level value
(config auth group test)>

where value is either:

  - full: provides users of this group with the ability to manage the Connect EZ 16/32
    device by using the WebUI or the Admin CLI.
  - read-only: provides users of this group with read-only access to the WebUI and
    Admin CLI.
The default is full.
- Shell access:

(config auth group test)> acl shell enable true
(config auth group test)>

Shell access is not available if the Allow shell parameter has been disabled. See Disable
shell access for more information about the Allow shell parameter.
- Serial access:

(config auth group test)> acl serial enable true
(config auth group test)>

5. (Optional) Configure captive portal access:


a. Return to the config prompt by typing three periods (...):

(config auth group test)> ...


(config)>

b. Enable captive portal access rights for users of this group:

(config)> auth group test acl portal enable true


(config)>

c. Add a captive portal to which users of this group will have access:
i. Determine available portals:

(config)> show firewall portal


portal1
auth none
enable true
http redirect
no interface
no message
no redirect_url
no terms
timeout 24h
no title
(config)>

ii. Add a captive portal:

(config)> add auth group test acl portal portals end portal1
(config)>

6. (Optional) Configure Nagios monitoring:

(config)> auth group test acl nagios enable true


(config)>


7. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

8. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Delete an authentication group


By default, the Connect EZ 16/32 device has two preconfigured authentication groups: admin and
serial. These groups cannot be deleted.
To delete an authentication group that you have created:

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Authentication > Groups.
4. Click the menu icon (...) next to the group to be deleted and select Delete.

5. Click Apply to save the configuration and apply the change.

Command line

1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. At the config prompt, type:

(config)> del auth group groupname

4. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

5. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.


Local users
Local users are authenticated on the device without using an external authentication mechanism such
as TACACS+ or RADIUS. Local user authentication is enabled by default, with one preconfigured default
user.

Default user
At manufacturing time, each Connect EZ 16/32 device comes with a default user configured as follows:
- Username: admin.
- Password: The default password is displayed on the label on the bottom of the device.

Note The default password is a unique password for the device, and is the most critical
security feature for the device. If you reset the device to factory defaults, you must log in using
the default user and password, and you should immediately change the password to a custom
password. Before deploying or mounting the Connect EZ 16/32 device, record the default
password, so you have the information available when you need it even if you cannot
physically access the label on the bottom of the device.

The default admin user is preconfigured with both Admin and Serial access. You can configure the
admin user account to fit with the needs of your environment.
This section contains the following topics:

- Change a local user's password
- Configure a local user
- Delete a local user

Change a local user's password


Note When updating the password for the local user, you will be prompted to enter the current
password before applying the configuration update.

To change a user's password:


Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Authentication > Users.
4. Click the username to expand the user's configuration node.
5. For Password, enter the new password. The password must be at least eight characters long
and must contain at least one uppercase letter, one lowercase letter, one number, and one
special character.
For the admin user, the password field can be left blank:
- If the password field for the admin user is left blank, the admin user's password will be
  the default password printed on the device's label.
- If the admin user's password has been changed from the default and the configuration
  saved, clearing the password field for the admin user will result in the
  device's configuration being erased and reset to the default configuration.

You can also change the password for the active user by clicking the user name in the menu
bar:

The active user must have full Admin access rights to be able to change the password.
6. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. At the config prompt, type:

(config)> auth user username password pwd

Where:
- username is the name of the user.
- pwd is the new password for the user. The password must be at least eight characters
  long and must contain at least one uppercase letter, one lowercase letter, one number,
  and one special character.
4. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

5. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Configure a local user


Required configuration items
- A username.
- A password. The password must be at least eight characters long and must contain at least one
  uppercase letter, one lowercase letter, one number, and one special character. For security
  reasons, passwords are stored in hash form. There is no way to get or display passwords in
  clear-text form, although prior to saving the configuration, the password can be shown by
  clicking Reveal.
- The authentication group or groups from which the user will inherit access rights. See
  Authentication groups for information about configuring groups.

Additional configuration items


- An alias for the user. Because the username cannot contain any special characters, such as
  hyphens (-) or periods (.), an alias allows the user to log in using a name that contains special
  characters.
- The number of unsuccessful login attempts before the user is locked out of the system.
- The amount of time that the user is locked out of the system after the specified number of
  unsuccessful login attempts.
- An optional public SSH key, to authenticate the user when using passwordless SSH login.
- Two-factor authentication information for user login over SSH, telnet, and the serial console:
  - The verification type for two-factor authentication: either time-based or counter-based.
  - The security key.
  - Whether to allow passcode reuse (time-based verification only).
  - The passcode refresh interval (time-based verification only).
  - The valid code window size.
  - The login limit.
  - The login limit period.
  - One-time use eight-digit emergency scratch codes.
To configure a local user:

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Authentication > Users.

4. In Add User, type a name for the user and click the add icon.

The user configuration window is displayed.

The user is enabled by default. To disable, toggle off Enable.


5. (Optional) For Username alias, type an alias for the user.
Because the name used to create the user cannot contain special characters such as
hyphens (-) or periods (.), an alias allows the user to log in using a name that contains special
characters. For security purposes, if two users have the same alias, the alias will be disabled.
6. Enter a password for the user. The password must be at least eight characters long and must
contain at least one uppercase letter, one lowercase letter, one number, and one special
character.
7. Click to expand Login failure lockout.
The login failure lockout feature is enabled by default. To disable, toggle off Enable.
a. For Lockout tries, type the number of unsuccessful login attempts before the user is
locked out of the device. The default is 5.
b. For Lockout duration, type the amount of time that the user is locked out after the
number of unsuccessful login attempts defined in Lockout tries.
Allowed values are any number of minutes, or seconds, and take the format number{m|s}.
For example, to set Lockout duration to ten minutes, enter 10m or 600s.
The minimum value is 1 second, and the maximum is 15 minutes. The default is 15
minutes.
8. Add groups for the user.
Groups define user access rights. See Authentication groups for information about configuring
groups.


a. Click to expand Groups.


b. For Add Group, click the add icon.

c. For Group, select an appropriate group.

Note Every user must be configured with at least one group. You can add multiple groups to a
user by clicking Add again and selecting the next group.

9. (Optional) Add SSH keys for the user to use passwordless SSH login:
a. Click SSH keys.
b. In Add SSH key, paste or type a public encryption key that this user can use for
passwordless SSH login and click the add icon.
10. (Optional) Configure two-factor authentication for SSH, telnet, and serial console login:
a. Click Two-factor authentication.
b. Check Enable to enable two-factor authentication for this user.
c. Select the Verification type:
- Time-based (TOTP): Time-based One-Time Password (TOTP) authentication uses
  the current time to generate a one-time password.
- Counter-based (HOTP): HMAC-based One-Time Password (HOTP) uses a counter to
  validate a one-time password.
d. Generate a Secret key:
i. Click ... next to the field label and select Generate secret key.

ii. Copy the secret key for use with an application or mobile device to generate
passcodes.
e. For time-based verification only, select Disallow code reuse to prevent a code from being
used more than once during the time that it is valid.
f. For time-based verification only, in Code refresh interval, type the amount of time that a
code will remain valid.
Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the
format number{w|d|h|m|s}. For example, to set Code refresh interval to ten minutes,
enter 10m or 600s.


g. In Valid code window size, type the allowed number of concurrently valid codes. In cases
where TOTP is being used, increasing the Valid code window size may be necessary when
the clocks used by the server and client are not synchronized.
h. For Login limit, type the number of times that the user is allowed to attempt to log in
during the Login limit period. Set Login limit to 0 to allow an unlimited number of login
attempts during the Login limit period.
i. For Login limit period, type the amount of time that the user is allowed to attempt to log
in.
Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the
format number{w|d|h|m|s}. For example, to set Login limit period to ten minutes, enter
10m or 600s.
j. Scratch codes are emergency codes that may be used once, at any time. To add a scratch
code:
i. Click Scratch codes.
ii. For Add Code, click the add icon.
iii. For Code, enter the scratch code. The code must be eight digits, with a minimum of
10000000.
iv. Click the add icon again to add additional scratch codes.
11. Click Apply to save the configuration and apply the change.
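
The limits this section states for local users (password rules, lockout duration format and range, scratch code format, the group requirement, and the duplicate-alias rule) can be checked against a planned user list before anything is typed into a device. The following is an added example, not Digi code or part of the original guide; the dictionary keys, function names, and sample accounts are constructed for illustration.

```python
import re

UNIT_SECONDS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_duration(text, units="wdhms"):
    """Convert the guide's number{w|d|h|m|s} duration format to seconds."""
    match = re.fullmatch(r"(\d+)([wdhms])", text)
    if not match or match.group(2) not in units:
        raise ValueError(f"duration {text!r} is not a number followed by one of {units}")
    return int(match.group(1)) * UNIT_SECONDS[match.group(2)]


def password_problems(password):
    """List the guide's password rules that `password` does not meet."""
    rules = [
        (len(password) >= 8, "is shorter than eight characters"),
        (re.search(r"[A-Z]", password), "has no uppercase letter"),
        (re.search(r"[a-z]", password), "has no lowercase letter"),
        (re.search(r"[0-9]", password), "has no number"),
        (re.search(r"[^A-Za-z0-9]", password), "has no special character"),
    ]
    return [message for ok, message in rules if not ok]


def audit_users(users):
    """Check planned local users (hypothetical dict layout); return findings."""
    findings = []
    alias_owners = {}
    for name, cfg in users.items():
        # The guide names hyphens and periods as characters a username cannot hold.
        if re.search(r"[-.]", name):
            findings.append(f"{name}: username contains a hyphen or period; set an alias instead")
        findings += [f"{name}: password {p}" for p in password_problems(cfg.get("password", ""))]
        if not cfg.get("groups"):
            findings.append(f"{name}: no authentication group assigned")
        if cfg.get("lockout_tries", 5) < 1:
            findings.append(f"{name}: lockout tries must be at least 1")
        try:
            # Lockout duration accepts minutes or seconds only, from 1s to 15m.
            seconds = parse_duration(cfg.get("lockout_duration", "15m"), units="ms")
            if not 1 <= seconds <= 15 * 60:
                findings.append(f"{name}: lockout duration is outside 1s to 15m")
        except ValueError as err:
            findings.append(f"{name}: lockout {err}")
        for code in cfg.get("scratch_codes", []):
            # Report the problem without echoing the code itself.
            if not (re.fullmatch(r"[0-9]{8}", code) and int(code) >= 10000000):
                findings.append(f"{name}: a scratch code is not eight digits >= 10000000")
        if cfg.get("alias"):
            alias_owners.setdefault(cfg["alias"], []).append(name)
    # An alias shared by two users is disabled, so neither could log in with it.
    for alias, owners in alias_owners.items():
        if len(owners) > 1:
            findings.append(f"alias {alias!r} is shared by {', '.join(sorted(owners))} and will be disabled")
    return findings


# Constructed sample plan: one compliant account and one with several problems.
PLANNED_USERS = {
    "ops_admin": {
        "password": "Tr1cky!pass", "alias": "ops.admin", "groups": ["admin"],
        "lockout_duration": "10m", "scratch_codes": ["48210573"],
    },
    "field-tech": {
        "password": "password1", "alias": "ops.admin", "groups": [],
        "lockout_duration": "1h", "scratch_codes": ["01234567"],
    },
}

if __name__ == "__main__":
    for finding in audit_users(PLANNED_USERS):
        print(finding)
```
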

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Add a user. For example, to create a user named new_user:

(config)> add auth user new_user


(config auth user new_user)>

The user is enabled by default. To disable the user, type:

(config auth user new_user)> enable false


(config auth user new_user)>

4. (Optional) Create a username alias for the user.


Because the name to create the user cannot contain special characters such as hyphens (-) or
periods (.), an alias allows the user to log in using a name that contains special characters. For
security purposes, if two users have the same alias, the alias will be disabled.

(config auth user new_user)> username username_alias


(config auth user new_user)>


5. Set the user's password. The password must be at least eight characters long and must contain
at least one uppercase letter, one lowercase letter, one number, and one special character.

(config auth user new_user)> password pwd


(config auth user new_user)>

6. Configure login failure lockout settings:


The login failure lockout feature is enabled by default. To disable:

(config auth user new_user)> lockout enable false


(config auth user new_user)>

a. Set the number of unsuccessful login attempts before the user is locked out of the device.
where value is any integer. The minimum value is 1, and the default value is 5.
b. Set the amount of time that the user is locked out after the number of unsuccessful login
attempts defined in lockout tries:

(config auth user new_user)> lockout duration value


(config auth user new_user)>

where value is any number of minutes, or seconds, and takes the format number{m|s}.
For example, to set duration to ten minutes, enter either 10m or 600s:

(config auth user new_user)> lockout duration 600s


(config auth user new_user)>

The minimum value is 1 second, and the maximum is 15 minutes. The default is 15
minutes.
7. Add groups for the user.
Groups define user access rights. See Authentication groups for information about configuring
groups.
a. Add a group to the user. For example, to add the admin group to the user:

(config auth user new_user)> add group end admin


(config auth user new_user)>

Note Every user must be configured with at least one group.

b. (Optional) Add additional groups by repeating the add group command:

(config auth user new_user)> add group end serial


(config auth user new_user)>

To remove a group from a user:


a. Use the show command to determine the index number of the group to be deleted:

(config auth user new_user)> show group

0 admin
1 serial
(config auth user new_user)>

b. Type the following:

(config auth user new_user)> del group n


(config auth user new_user)>

Where n is the index number of the group to be deleted. For example, to
delete the serial group as displayed by the example show command, above:

(config auth user new_user)> del group 1


(config auth user new_user)>

8. (Optional) Add SSH keys for the user to use passwordless SSH login:
a. Change to the user's ssh_key node:

(config auth user new_user)> ssh_key


(config auth user new_user ssh_key)>

b. Add the key by using the ssh_key command and pasting or typing a public encryption key
that this user can use for passwordless SSH login:

(config auth user new_user ssh_key)> ssh_key key


(config auth user new_user ssh_key)>

9. (Optional) Configure two-factor authentication for SSH, telnet, and serial console login:
a. Change to the user's two-factor authentication node:

(config auth user new_user)> 2fa


(config auth user new_user 2fa)>

b. Enable two-factor authentication for this user:

(config auth user new_user 2fa)> enable true


(config auth user new_user 2fa)>

c. Configure the verification type. Allowed values are:


- totp: Time-based One-Time Password (TOTP) authentication uses the current time
  to generate a one-time password.
- hotp: HMAC-based One-Time Password (HOTP) uses a counter to validate a
  one-time password.
The default value is totp.

(config auth user new_user 2fa)> type totp


(config auth user new_user 2fa)>

d. Add a secret key:

(config auth user new_user 2fa)> secret key


(config auth user new_user 2fa)>

This key should be used by an application or mobile device to generate passcodes.


e. For time-based verification only, enable disallow_reuse to prevent a code from being
used more than once during the time that it is valid.


(config auth user new_user 2fa)> disallow_reuse true


(config auth user new_user 2fa)>

f. For time-based verification only, configure the code refresh interval. This is the amount of
time that a code will remain valid.

(config auth user new_user 2fa)> refresh_interval value


(config auth user new_user 2fa)>

where value is any number of weeks, days, hours, minutes, or seconds, and takes the
format number{w|d|h|m|s}.
For example, to set refresh_interval to ten minutes, enter either 10m or 600s:

(config auth user name 2fa)> refresh_interval 600s


(config auth user name 2fa)>

The default is 30s.


g. Configure the valid code window size. This represents the allowed number of concurrently
valid codes. In cases where TOTP is being used, increasing the valid code window size may
be necessary when the clocks used by the server and client are not synchronized.

(config auth user new_user 2fa)> window_size 3


(config auth user new_user 2fa)>

h. Configure the login limit. This represents the number of times that the user is allowed to
attempt to log in during the Login limit period. Set to 0 to allow an unlimited number of
login attempts during the Login limit period.

(config auth user new_user 2fa)> login_limit 3


(config auth user new_user 2fa)>

i. Configure the login limit period. This is the amount of time that the user is allowed to
attempt to log in.

(config auth user new_user 2fa)> login_limit_period value


(config auth user new_user 2fa)>

where value is any number of weeks, days, hours, minutes, or seconds, and takes the
format number{w|d|h|m|s}.
For example, to set login_limit_period to ten minutes, enter either 10m or 600s:

(config auth user name 2fa)> login_limit_period 600s


(config auth user name 2fa)>

The default is 30s.


j. Scratch codes are emergency codes that may be used once, at any time. To add a scratch
code:


i. Change to the user's scratch code node:

(config auth user new_user 2fa)> scratch_code


(config auth user new_user 2fa scratch_code)>

ii. Add a scratch code:

(config auth user new_user 2fa scratch_code)> add end code


(config auth user new_user 2fa scratch_code)>

Where code is a numeric value, with a minimum of 10000000.


iii. To add additional scratch codes, use the add end code command again.
10. Save the configuration and apply the change.

(config auth user new 2fa scratch_code)> save


Configuration saved.
>

11. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
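The two-factor settings in step 9 interact: refresh_interval sets the TOTP time step, window_size sets how many adjacent codes are accepted, and disallow_reuse blocks replay of a code that is still inside the window. The following is an added example, not Digi firmware code. It implements RFC 4226/6238 verification with those three settings, assumes the window is centred on the current time step, and uses the RFC 4226 test secret as constructed sample input.

```python
import hashlib
import hmac
import re
import struct

UNITS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}
RFC_TEST_SECRET = b"12345678901234567890"  # RFC 4226 test key, sample input only


def parse_interval(text):
    """Convert the guide's number{w|d|h|m|s} format (10m, 600s) to seconds."""
    match = re.fullmatch(r"(\d+)([wdhms])", text, re.ASCII)
    if match is None:
        raise ValueError("expected number{w|d|h|m|s}, got %r" % text)
    return int(match.group(1)) * UNITS[match.group(2)]


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Server-side TOTP check (RFC 6238) driven by the three 2fa settings."""

    def __init__(self, secret, refresh_interval="30s", window_size=3,
                 disallow_reuse=True):
        self.secret = secret
        self.step = parse_interval(refresh_interval)
        self.window_size = max(1, window_size)
        self.disallow_reuse = disallow_reuse
        self.used = set()  # time steps whose code was already accepted

    def valid_steps(self, now):
        """Time-step counters whose codes are accepted at `now`.

        Assumption: the window is centred on the current step, so
        window_size 3 means the previous, current and next code.
        """
        current = int(now) // self.step
        back = (self.window_size - 1) // 2
        ahead = self.window_size - 1 - back
        return range(current - back, current + ahead + 1)

    def exposure_seconds(self):
        """How long one generated code stays acceptable to the server."""
        return self.window_size * self.step

    def verify(self, code, now):
        steps = self.valid_steps(now)
        # Forget accepted steps that have aged out of the window.
        self.used = {s for s in self.used if s >= steps[0]}
        for step in steps:
            expected = hotp(self.secret, step)
            if hmac.compare_digest(expected.encode(), code.encode()):
                if self.disallow_reuse and step in self.used:
                    return False  # same code presented a second time
                self.used.add(step)
                return True
        return False
```

Raising refresh_interval or window_size to tolerate clock drift lengthens exposure_seconds(), which is the time an observed code remains usable; disallow_reuse is what limits that to a single login.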

Delete a local user


To delete a user from your Connect EZ 16/32:

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Authentication > Users.


4. Click the menu icon (...) next to the name of the user to be deleted and select Delete.

5. Click Apply to save the configuration and apply the change.


Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. At the config prompt, type:

(config)> del auth user username

4. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

5. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.


Terminal Access Controller Access-Control System Plus (TACACS+)
Your Connect EZ 16/32 device supports Terminal Access Controller Access-Control System Plus
(TACACS+), a networking protocol that provides centralized authentication and authorization
management for users who connect to the device. With TACACS+ support, the Connect EZ 16/32
device acts as a TACACS+ client, which sends user credentials and connection parameters to a
TACACS+ server over TCP. The TACACS+ server then authenticates the TACACS+ client requests and
sends back a response message to the device.
When you are using TACACS+ authentication, you can have both local users and TACACS+ users able
to log in to the device. To use TACACS+ authentication, you must set up a TACACS+ server that is
accessible by the Connect EZ 16/32 device prior to configuration. The process of setting up a TACACS+
server varies by the server environment.
This section contains the following topics:

TACACS+ user configuration
TACACS+ server failover and fallback to local authentication
Configure your Connect EZ 16/32 device to use a TACACS+ server


TACACS+ user configuration


When configured to use TACACS+ support, the Connect EZ 16/32 device uses a remote TACACS+ server
for user authentication (password verification) and authorization (assigning the access level of the
user). Additional TACACS+ servers can be configured as backup servers for user authentication.
This section outlines how to configure a TACACS+ server to be used for user authentication on your
Connect EZ 16/32 device.

Example TACACS+ configuration


With TACACS+, users are defined in the server configuration file. On Ubuntu, the default location and
filename for the server configuration file is /etc/tacacs+/tac_plus.conf.

Note: TACACS+ configuration, including filenames and locations, may vary depending on your
platform and installation. This example assumes an Ubuntu installation.

To define users:

1. Open the TACACS+ server configuration file in a text editor. For example:

$ sudo gedit /etc/tacacs+/tac_plus.conf

2. Add users to the file using the following format. This example will create two users, one with
admin and serial access, and one with only serial access.

user = user1 {
    name = "User1 for Connect EZ 16/32"
    pap = cleartext password1
    service = system {
        groupname = admin,serial
    }
}
user = user2 {
    name = "User2 for Connect EZ 16/32"
    pap = cleartext password2
    service = system {
        groupname = serial
    }
}

The groupname attribute is optional. If used, the value must correspond to authentication
groups configured on your Connect EZ 16/32. Alternatively, if the user is also configured as a
local user on the Connect EZ 16/32 device and the TACACS+ server authenticates the user but
does not return any groups, the local configuration determines the list of groups. See
Authentication groups for more information about authentication groups. The groupname
attribute can contain one group or multiple groups in a comma-separated list.
3. Save and close the file.
4. Verify that your changes did not introduce any syntax errors:

$ sudo tac_plus -C /etc/tacacs+/tac_plus.conf -P

If successful, this command will echo the configuration file to standard output. If the command
encounters any syntax errors, a message similar to this will display:


Error: Unrecognised token on line 1

5. Restart the TACACS+ server:

$ sudo /etc/init.d/tacacs_plus restart

TACACS+ server failover and fallback to local authentication


In addition to the primary TACACS+ server, you can also configure your Connect EZ 16/32 device to
use backup TACACS+ servers. Backup TACACS+ servers are used for authentication requests when the
primary TACACS+ server is unavailable.

Falling back to local authentication


With user authentication methods, you can configure your Connect EZ 16/32 device to use multiple
types of authentication. For example, you can configure both TACACS+ authentication and local
authentication, so that local authentication can be used as a fallback mechanism if the primary and
backup TACACS+ servers are unavailable. Additionally, users who are configured locally but are not
configured on the TACACS+ server are still able to log into the device. Authentication methods are
attempted in the order they are listed until the first successful authentication result is returned;
therefore if you want to ensure that users are authenticated first through the TACACS+ server, and
only authenticated locally if the TACACS+ server is unavailable or if the user is not defined on the
TACACS+ server, then you should list the TACACS+ authentication method prior to the Local users
authentication method.
See User authentication methods for more information about authentication methods.
If the TACACS+ servers are unavailable and the Connect EZ 16/32 device falls back to local
authentication, only users defined locally on the device are able to log in. TACACS+ users cannot log in
until the TACACS+ servers are brought back online.

Configure your Connect EZ 16/32 device to use a TACACS+ server


This section describes how to configure a Connect EZ 16/32 device to use a TACACS+ server for
authentication and authorization.

Required configuration items


• Define the TACACS+ server IP address or domain name.
• Define the TACACS+ server shared secret.
• The group attribute configured in the TACACS+ server configuration.
• The service field configured in the TACACS+ server configuration.
• Add TACACS+ as an authentication method for your Connect EZ 16/32 device.

Additional configuration items


• Whether other user authentication methods should be used in addition to the TACACS+ server,
or if the TACACS+ server should be considered the authoritative login method.
• Enable command authorization, so that the device will communicate with the TACACS+ server
to determine if the user is authorized to execute a specific command.
• Enable command accounting, so that the device will communicate with the TACACS+ server to
log commands that the user executes.
• The TACACS+ server port. It is configured to 49 by default.
• Add additional TACACS+ servers in case the first TACACS+ server is unavailable.

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Authentication > TACACS+ > Servers.
4. Add TACACS+ servers:
a. For Add server, click the add icon.

b. For Hostname, type the hostname or IP address of the TACACS+ server.


c. (Optional) Change the default Port setting to the appropriate port. Normally this should be
left at the default setting of port 49.
d. For Secret, type the TACACS+ server's shared secret. This is configured in the key
parameter of the TACACS+ server's tac_plus.conf file, for example:

key = testing123


Note: DAL authentication does not support the use of the # character in the key (e.g.,
DAL#123;&). If included, the server will be unable to decipher the request.

e. (Optional) Click the add icon again to add additional TACACS+ servers.


5. (Optional) Enable Authoritative to prevent other authentication methods from being
attempted if TACACS+ login fails.
6. (Optional) For Group attribute, type the name of the attribute used in the TACACS+ server's
configuration to identify the Connect EZ 16/32 authentication group or groups that the user is
a member of. For example, in TACACS+ user configuration, the group attribute in the sample
tac_plus.conf file is groupname, which is also the default setting in the Connect EZ 16/32
configuration.
7. (Optional) For Service, type the value of the service attribute in the TACACS+ server's
configuration. For example, in TACACS+ user configuration, the value of the service attribute in
the sample tac_plus.conf file is system, which is also the default setting in the Connect EZ
16/32 configuration.
8. (Optional) Enable Command authorization, which instructs the device to communicate with
the TACACS+ server to determine if the user is authorized to execute a specific command. Only
the first configured TACACS+ server will be used for command authorization.
9. (Optional) Enable Command accounting, which instructs the device to communicate with the
TACACS+ server to log commands that the user executes. Only the first configured TACACS+
server will be used for command accounting.
10. Add TACACS+ to the authentication methods:
a. Click Authentication > Methods.
b. For Add method, click the add icon.

c. Select TACACS+ for the new method from the Method drop-down.

Authentication methods are attempted in the order they are listed until an authentication
response, either pass or fail, is received. If Authoritative is enabled (see above), non-
authoritative methods are not attempted. See Rearrange the position of authentication
methods for information about rearranging the position of the methods in the list.
11. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.


Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. (Optional) Prevent other authentication methods from being used if TACACS+ authentication
fails. Other authentication methods will only be used if the TACACS+ server is unavailable.

(config)> auth tacacs+ authoritative true


(config)>

4. (Optional) Configure the group_attribute. This is the name of the attribute used in the TACACS+
server's configuration to identify the Connect EZ 16/32 authentication group or groups that the
user is a member of. For example, in TACACS+ user configuration, the group attribute in the
sample tac_plus.conf file is groupname, which is also the default setting for the
group_attribute in the Connect EZ 16/32 configuration.

(config)> auth tacacs+ group_attribute attribute-name


(config)>

5. (Optional) Configure the type of service. This is the value of the service attribute in the
TACACS+ server's configuration. For example, in TACACS+ user configuration, the value of the
service attribute in the sample tac_plus.conf file is system, which is also the default setting in
the Connect EZ 16/32 configuration.

(config)> auth tacacs+ service service-name


(config)>

6. (Optional) Enable command authorization, which instructs the device to communicate with the
TACACS+ server to determine if the user is authorized to execute a specific command. Only the
first configured TACACS+ server will be used for command authorization.

(config)> auth tacacs+ command_authorization true


(config)>

7. (Optional) Enable command accounting, which instructs the device to communicate with the
TACACS+ server to log commands that the user executes. Only the first configured TACACS+
server will be used for command accounting.

(config)> auth tacacs+ command_accounting true


(config)>

8. Add a TACACS+ server:


a. Add the server:

(config)> add auth tacacs+ server end


(config auth tacacs+ server 0)>


b. Enter the TACACS+ server's IP address or hostname:

(config auth tacacs+ server 0)> hostname hostname|ip-address


(config auth tacacs+ server 0)>

c. (Optional) Change the default port setting to the appropriate port:

(config auth tacacs+ server 0)> port port


(config auth tacacs+ server 0)>

d. (Optional) Repeat the above steps to add additional TACACS+ servers.


9. Add TACACS+ to the authentication methods. Authentication methods are attempted in the
order they are listed until the first successful authentication result is returned. This example
will add TACACS+ to the end of the list. See User authentication methods for information about
adding methods to the beginning or middle of the list.

(config)> add auth method end tacacs+


(config)>

10. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

11. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.


Remote Authentication Dial-In User Service (RADIUS)


Your Connect EZ 16/32 device supports Remote Authentication Dial-In User Service (RADIUS), a
networking protocol that provides centralized authentication and authorization management for
users who connect to the device. With RADIUS support, the Connect EZ 16/32 device acts as a RADIUS
client, which sends user credentials and connection parameters to a RADIUS server over UDP. The
RADIUS server then authenticates the RADIUS client requests and sends back a response message to
the device.
When you are using RADIUS authentication, you can have both local users and RADIUS users able to
log in to the device. To use RADIUS authentication, you must set up a RADIUS server that is accessible
by the Connect EZ 16/32 device prior to configuration. The process of setting up a RADIUS server
varies by the server environment. An example of a RADIUS server is FreeRADIUS.
This section contains the following topics:

RADIUS user configuration
RADIUS server failover and fallback to local configuration
Configure your Connect EZ 16/32 device to use a RADIUS server


RADIUS user configuration


When configured to use RADIUS support, the Connect EZ 16/32 device uses a remote RADIUS server
for user authentication (password verification) and authorization (assigning the access level of the
user). Additional RADIUS servers can be configured as backup servers for user authentication.
This section outlines how to configure a RADIUS server to be used for user authentication on your
Connect EZ 16/32 device.

Example FreeRADIUS configuration


With FreeRADIUS, users are defined in the users file in your FreeRADIUS installation. To define users:

1. Open the FreeRADIUS users file in a text editor. For example:

$ sudo gedit /etc/freeradius/3.0/users

2. Add users to the file using the following format:

user1 Cleartext-Password := "user1"
        Unix-FTP-Group-Names := "admin"

user2 Cleartext-Password := "user2"
        Unix-FTP-Group-Names := "serial"

The Unix-FTP-Group-Names attribute is optional. If used, the value must correspond to
authentication groups configured on your Connect EZ 16/32. Alternatively, if the user is also
configured as a local user on the Connect EZ 16/32 device and the RADIUS server authenticates
the user but does not return any groups, the local configuration determines the list of groups.
See Authentication groups for more information about authentication groups. The
Unix-FTP-Group-Names attribute can contain one group or multiple groups in a comma-separated list.
3. Save and close the file.
4. Verify that your changes did not introduce any syntax errors:

$ sudo freeradius -CX

This should return output that ends with a message similar to:

...
Configuration appears to be OK

5. Restart the FreeRADIUS server:

$ sudo /etc/init.d/freeradius restart

RADIUS server failover and fallback to local configuration


In addition to the primary RADIUS server, you can also configure your Connect EZ 16/32 device to use
backup RADIUS servers. Backup RADIUS servers are used for authentication requests when the
primary RADIUS server is unavailable.

Falling back to local authentication


With user authentication methods, you can configure your Connect EZ 16/32 device to use multiple
types of authentication. For example, you can configure both RADIUS authentication and local
authentication, so that local authentication can be used as a fallback mechanism if the primary and
backup RADIUS servers are unavailable. Additionally, users who are configured locally but are not
configured on the RADIUS server are still able to log into the device. Authentication methods are
attempted in the order they are listed until the first successful authentication result is returned;
therefore if you want to ensure that users are authenticated first through the RADIUS server, and only
authenticated locally if the RADIUS server is unavailable or if the user is not defined on the RADIUS
server, then you should list the RADIUS authentication method prior to the Local users authentication
method.
See User authentication methods for more information about authentication methods.
If the RADIUS servers are unavailable and the Connect EZ 16/32 device falls back to local
authentication, only users defined locally on the device are able to log in. RADIUS users cannot log in
until the RADIUS servers are brought back online.

Configure your Connect EZ 16/32 device to use a RADIUS server


This section describes how to configure a Connect EZ 16/32 device to use a RADIUS server for
authentication and authorization.

Required configuration items


• Define the RADIUS server IP address or domain name.
• Define the RADIUS server shared secret.
• Add RADIUS as an authentication method for your Connect EZ 16/32 device.

Additional configuration items


• Whether other user authentication methods should be used in addition to the RADIUS server,
or if the RADIUS server should be considered the authoritative login method.
• The RADIUS server port. It is configured to 1812 by default.
• Add additional RADIUS servers in case the first RADIUS server is unavailable.
• The server NAS ID. If left blank, the default value is used:
  ◦ If you are accessing the Connect EZ 16/32 device by using the WebUI, the default value
  for NAS ID is httpd.
  ◦ If you are accessing the Connect EZ 16/32 device by using ssh, the default value is sshd.
• Time in seconds before the request to the server times out. The default is 3 seconds and the
maximum possible value is 60 seconds.
• Enable additional debug messages from the RADIUS client.

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.


d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Authentication > RADIUS > Servers.
4. Add RADIUS servers:
a. For Add server, click the add icon.

b. For Hostname, type the hostname or IP address of the RADIUS server.


c. (Optional) Change the default Port setting to the appropriate port. Normally this should be
left at the default setting of port 1812.
d. For Secret, type the RADIUS server's shared secret. This is configured in the secret
parameter of the RADIUS server's clients.conf file, for example:

secret=testing123

e. For Timeout, type or select the amount of time in seconds to wait for the RADIUS server to
respond. Allowed value is any integer from 3 to 60. The default value is 3.
f. (Optional) Click the add icon again to add additional RADIUS servers.
5. (Optional) Enable Authoritative to prevent other authentication methods from being
attempted if RADIUS login fails.
6. (Optional) Click RADIUS debug to enable additional debug messages from the RADIUS client.
7. (Optional) For NAS ID, type the unique identifier for this network access server (NAS). You can
use the fully-qualified domain name of the NAS or any arbitrary string. If not set, the default
value is used:
• If you are accessing the Connect EZ 16/32 device by using the WebUI, the default value
for NAS ID is httpd.
• If you are accessing the Connect EZ 16/32 device by using ssh, the default value is sshd.


8. Add RADIUS to the authentication methods:


a. Click Authentication > Methods.
b. For Add method, click the add icon.

c. Select RADIUS for the new method from the Method drop-down.

Authentication methods are attempted in the order they are listed until an authentication
response, either pass or fail, is received. If Authoritative is enabled (see above), non-
authoritative methods are not attempted. See Rearrange the position of authentication
methods for information about rearranging the position of the methods in the list.
9. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. (Optional) Prevent other authentication methods from being used if RADIUS authentication
fails. Other authentication methods will only be used if the RADIUS server is unavailable.

(config)> auth radius authoritative true


(config)>

4. (Optional) Enable debug messages from the RADIUS client:

(config)> auth radius debug true


(config)>

5. (Optional) Configure the NAS ID. This is a unique identifier for this network access server (NAS).
You can use the fully-qualified domain name of the NAS or any arbitrary string. If not set, the
default value is used:
• If you are accessing the Connect EZ 16/32 device by using the WebUI, the default value
for NAS ID is httpd.
• If you are accessing the Connect EZ 16/32 device by using ssh, the default value is sshd.


(config)> auth radius nas_id id


(config)>

6. Add a RADIUS server:


a. Add the server:

(config)> add auth radius server end


(config auth radius server 0)>

b. Enter the RADIUS server's IP address or hostname:

(config auth radius server 0)> hostname hostname|ip-address


(config auth radius server 0)>

c. (Optional) Change the default port setting to the appropriate port:

(config auth radius server 0)> port port


(config auth radius server 0)>

d. Configure the amount of time in seconds to wait for the RADIUS server to respond. Allowed
value is any integer from 3 to 60. The default value is 3.

(config auth radius server 0)> timeout value


(config auth radius server 0)>

e. (Optional) Repeat the above steps to add additional RADIUS servers.


7. Add RADIUS to the authentication methods. Authentication methods are attempted in the
order they are listed until the first successful authentication result is returned. This example
will add RADIUS to the end of the list. See User authentication methods for information about
adding methods to the beginning or middle of the list.

(config)> add auth method end radius


(config)>

8. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

9. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

LDAP
Your Connect EZ 16/32 device supports LDAP (Lightweight Directory Access Protocol), a protocol used
for directory information services over an IP network. LDAP can be used with your Connect EZ 16/32
device for centralized authentication and authorization management for users who connect to the
device. With LDAP support, the Connect EZ 16/32 device acts as an LDAP client, which sends user
credentials and connection parameters to an LDAP server. The LDAP server then authenticates the
LDAP client requests and sends back a response message to the device.


When you are using LDAP authentication, you can have both local users and LDAP users able to log in
to the device. To use LDAP authentication, you must set up an LDAP server that is accessible by the
Connect EZ 16/32 device prior to configuration. The process of setting up an LDAP server varies by the
server environment.
This section contains the following topics:

LDAP user configuration
LDAP server failover and fallback to local configuration
Configure your Connect EZ 16/32 device to use an LDAP server


LDAP user configuration


When configured to use LDAP support, the Connect EZ 16/32 device uses a remote LDAP server for
user authentication (password verification) and authorization (assigning the access level of the user).
Additional LDAP servers can be configured as backup servers for user authentication.
This section outlines how to configure an LDAP server to be used for user authentication on your
Connect EZ 16/32 device.
There are several different implementations of LDAP, including Microsoft Active Directory. This section
uses OpenLDAP as an example configuration. Other implementations of LDAP will have different
configuration methods.

Example OpenLDAP configuration


With OpenLDAP, users can be configured in a text file using the LDAP Data Interchange Format (LDIF).
In this case, we will be using a file called add_user.ldif.

1. Create the add_user.ldif file in a text editor. For example:

$ gedit ./add_user.ldif

2. Add users to the file using the following format:

dn: uid=john,dc=example,dc=com
objectClass: inetOrgPerson
cn: John Smith
sn: Smith
uid: john
userPassword: password
ou: admin serial

• The value of uid and userPassword must correspond to the username and password
used to log into the Connect EZ 16/32 device.
• The ou attribute is optional. If used, the value must correspond to authentication
groups configured on your Connect EZ 16/32. Alternatively, if the user is also configured
as a local user on the Connect EZ 16/32 device and the LDAP server authenticates the
user but does not return any groups, the local configuration determines the list of
groups. See Authentication groups for more information about authentication groups.
Other attributes may be required by the user's objectClass. Any objectClass may be used as
long as it allows the uid, userPassword, and ou attributes.
3. Save and close the file.
4. Add the user to the OpenLDAP server:

$ ldapadd -x -H 'ldap:///' -D 'cn=admin,dc=example,dc=com' -W -f add_user.ldif
adding new entry "uid=john,dc=example,dc=com"

5. Verify that the user has been added by performing an LDAP search:

$ ldapsearch -x -LLL -H 'ldap:///' -b 'dc=example,dc=com' uid=john
dn: uid=john,dc=example,dc=com
objectClass: inetOrgPerson
cn: John Smith
sn: Smith
uid: john
ou: admin serial

LDAP server failover and fallback to local configuration


In addition to the primary LDAP server, you can also configure your Connect EZ 16/32 device to use
backup LDAP servers. Backup LDAP servers are used for authentication requests when the primary
LDAP server is unavailable.

Falling back to local authentication


With user authentication methods, you can configure your Connect EZ 16/32 device to use multiple
types of authentication. For example, you can configure both LDAP authentication and local
authentication, so that local authentication can be used as a fallback mechanism if the primary and
backup LDAP servers are unavailable. Additionally, users who are configured locally but are not
configured on the LDAP server are still able to log into the device. Authentication methods are
attempted in the order they are listed until the first successful authentication result is returned;
therefore if you want to ensure that users are authenticated first through the LDAP server, and only
authenticated locally if the LDAP server is unavailable or if the user is not defined on the LDAP server,
then you should list the LDAP authentication method prior to the Local users authentication method.
See User authentication methods for more information about authentication methods.
If the LDAP servers are unavailable and the Connect EZ 16/32 device falls back to local authentication,
only users defined locally on the device are able to log in. LDAP users cannot log in until the LDAP
servers are brought back online.

Configure your Connect EZ 16/32 device to use an LDAP server


This section describes how to configure a Connect EZ 16/32 device to use an LDAP server for
authentication and authorization.

Required configuration items


• Define the LDAP server IP address or domain name.
• Add LDAP as an authentication method for your Connect EZ 16/32 device.

Additional configuration items

• Whether other user authentication methods should be used in addition to the LDAP server, or if
the LDAP server should be considered the authoritative login method.
• The LDAP server port. It is configured to 389 by default.
• Whether to use Transport Layer Security (TLS) when communicating with the LDAP server.
• The distinguished name (DN) and password used to communicate with the server.
• The distinguished name used as the user search base.
• The group attribute.
• The number of seconds to wait to receive a message from the server.
• Additional LDAP servers to use in case the first LDAP server is unavailable.

Web

1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Authentication > LDAP > Servers.
4. Add LDAP servers:
a. For Add server, click the add icon.
b. For Hostname, type the hostname or IP address of the LDAP server.
c. (Optional) Change the default Port setting to the appropriate port. Normally this should be
left at the default setting of port 389 for non-TLS and 636 for TLS.
d. (Optional) Click the add icon again to add additional LDAP servers.
5. (Optional) Enable Authoritative to prevent other authentication methods from being
attempted if LDAP login fails.
6. For TLS connection, select the type of TLS connection used by the server:
• Disable TLS: Uses a non-secure TCP connection on the LDAP standard port, 389.
• Enable TLS: Uses an SSL/TLS encrypted connection on port 636.
• Start TLS: Makes a non-secure TCP connection to the LDAP server on port 389, then
sends a request to upgrade the connection to a secure TLS connection. This is the
preferred method for LDAP.
7. If Enable TLS or Start TLS is selected for TLS connection:
• Leave Verify server certificate at the default setting of enabled to verify the server
certificate with a known Certificate Authority.
• Disable Verify server certificate if the server is using a self-signed certificate.
8. (Optional) For Server login, type a distinguished name (DN) that is used to bind to the LDAP
server and search for users, for example cn=user,dc=example,dc=com. Leave this field blank
if the server allows anonymous connections.
9. (Optional) For Server password, type the password used to log into the LDAP server. Leave
this field blank if the server allows anonymous connections.
10. For User search base, type the distinguished name (DN) on the server to search for users. This
can be the root of the directory tree (for example, dc=example,dc=com) or a sub-tree (for
example, ou=People,dc=example,dc=com).
11. For Login attribute, enter the user attribute containing the login of the authenticated user.
For example, in the LDAP user configuration, the login attribute is uid. If this attribute is not
set, the user will be denied access.
12. (Optional) For Group attribute, type the name of the user attribute that contains the list of
Connect EZ 16/32 authentication groups that the authenticated user has access to. See LDAP
user configuration for further information about the group attribute.
13. For Timeout, type or select the amount of time in seconds to wait for the LDAP server to
respond. Allowed value is between 3 and 60 seconds.
14. Add LDAP to the authentication methods:
a. Click Authentication > Methods.
b. For Add method, click the add icon.

c. Select LDAP for the new method from the Method drop-down.

Authentication methods are attempted in the order they are listed until an authentication
response, either pass or fail, is received. If Authoritative is enabled (see above), non-
authoritative methods are not attempted. See Rearrange the position of authentication
methods for information about rearranging the position of the methods in the list.
15. Click Apply to save the configuration and apply the change.

Command line

1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. (Optional) Prevent other authentication methods from being used if LDAP authentication fails.
Other authentication methods will only be used if the LDAP server is unavailable.

(config)> auth ldap authoritative true


(config)>

4. Set the type of TLS connection used by the LDAP server:

(config)> auth ldap tls value


(config)>

where value is one of:


• off: Uses a non-secure TCP connection on the LDAP standard port, 389.
• on: Uses an SSL/TLS encrypted connection on port 636.
• start_tls: Makes a non-secure TCP connection to the LDAP server on port 389, then
sends a request to upgrade the connection to a secure TLS connection. This is the
preferred method for LDAP.
The default is off.
5. If tls is set to on or start_tls, configure whether to verify the server certificate:

(config)> auth ldap verify_server_cert value


(config)>

where value is either:


• true: Verifies the server certificate with a known Certificate Authority.
• false: Does not verify the certificate. Use this option if the server is using a self-signed
certificate.
The default is true.
6. Set the distinguished name (DN) that is used to bind to the LDAP server and search for users.
Leave this option unset if the server allows anonymous connections.

(config)> auth ldap bind_dn dn_value


(config)>

For example:

(config)> auth ldap bind_dn cn=user,dc=example,dc=com


(config)>


7. Set the password used to log into the LDAP server. Leave this option unset if the server allows
anonymous connections.

(config)> auth ldap bind_password password


(config)>

8. Set the distinguished name (DN) on the server to search for users. This can be the root of the
directory tree (for example, dc=example,dc=com) or a sub-tree (for example,
ou=People,dc=example,dc=com).

(config)> auth ldap base_dn value


(config)>

9. Set the login attribute:

(config)> auth ldap login_attribute value


(config)>

where value is the user attribute containing the login of the authenticated user. For example,
in the LDAP user configuration, the login attribute is uid. If this attribute is not set, the user
will be denied access.
10. (Optional) Set the name of the user attribute that contains the list of Connect EZ 16/32
authentication groups that the authenticated user has access to. See LDAP user configuration
for further information about the group attribute.

(config)> auth ldap group_attribute value


(config)>

For example:

(config)> auth ldap group_attribute ou


(config)>

11. Configure the amount of time in seconds to wait for the LDAP server to respond.

(config)> auth ldap timeout value


(config)>

where value is any integer from 3 to 60. The default value is 3.


12. Add an LDAP server:
a. Add the server:

(config)> add auth ldap server end


(config auth ldap server 0)>

b. Enter the LDAP server's IP address or hostname:

(config auth ldap server 0)> hostname hostname|ip-address


(config auth ldap server 0)>


c. (Optional) Change the default port setting to the appropriate port:

(config auth ldap server 0)> port port


(config auth ldap server 0)>

d. (Optional) Repeat the above steps to add additional LDAP servers.


13. Add LDAP to the authentication methods. Authentication methods are attempted in the order
they are listed until the first successful authentication result is returned. This example will add
LDAP to the end of the list. See User authentication methods for information about adding
methods to the beginning or middle of the list.

(config)> add auth method end ldap


(config)>

14. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

15. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
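The following check is an added example, not part of the Digi guide or Digi tooling. It replays a pasted configuration session written in the auth ldap command syntax shown above and reports settings this procedure flags: a non-TLS connection, a disabled server certificate check, an unset login attribute, an out-of-range timeout, a port that does not match the TLS mode, and local users listed ahead of LDAP. The two sessions, the hostnames, the finding codes, and the assumption that local is the only method already configured are constructed for illustration.

```python
import re
import shlex

PROMPT = re.compile(r"^\(config[^)]*\)>\s*")
# Defaults stated in the guide: tls off, verify_server_cert true, timeout 3.
DEFAULTS = {"tls": "off", "verify_server_cert": "true", "timeout": "3"}

# Constructed sample sessions (hostnames and values are illustrative only).
WEAK = """\
(config)> auth ldap tls on
(config)> auth ldap verify_server_cert false
(config)> auth ldap bind_dn cn=user,dc=example,dc=com
(config)> auth ldap base_dn dc=example,dc=com
(config)> auth ldap timeout 90
(config)> add auth ldap server end
(config auth ldap server 0)> hostname ldap1.example.com
(config auth ldap server 0)> port 389
(config)> add auth method end ldap
"""
HARDENED = """\
(config)> auth ldap tls start_tls
(config)> auth ldap verify_server_cert true
(config)> auth ldap bind_dn cn=user,dc=example,dc=com
(config)> auth ldap bind_password example-placeholder
(config)> auth ldap base_dn ou=People,dc=example,dc=com
(config)> auth ldap login_attribute uid
(config)> auth ldap group_attribute ou
(config)> auth ldap timeout 10
(config)> add auth ldap server end
(config auth ldap server 0)> hostname ldap1.example.com
(config)> add auth ldap server end
(config auth ldap server 1)> hostname ldap2.example.com
(config)> add auth method 0 ldap
"""


def parse(session, existing_methods=("local",)):
    """Replay a pasted config session into (settings, servers, methods)."""
    settings, servers, methods = dict(DEFAULTS), [], list(existing_methods)
    for raw in session.splitlines():
        words = shlex.split(PROMPT.sub("", raw.strip()))  # drop the prompt
        if not words:
            continue
        if words[:2] == ["auth", "ldap"] and len(words) == 4:
            settings[words[2]] = words[3]
        elif words[:4] == ["add", "auth", "ldap", "server"]:
            servers.append({"hostname": None, "port": None})
        elif words[0] in ("hostname", "port") and len(words) == 2 and servers:
            servers[-1][words[0]] = words[1]  # applies to the newest server
        elif words[:3] == ["add", "auth", "method"] and len(words) == 5:
            pos = len(methods) if words[3] == "end" else int(words[3])
            methods.insert(pos, words[4])
    return settings, servers, methods


def audit(session, existing_methods=("local",)):
    """Return (code, detail) findings; an empty list means nothing flagged."""
    settings, servers, methods = parse(session, existing_methods)
    findings = []
    tls = settings["tls"]
    if tls == "off":
        findings.append(("TLS_OFF", "non-secure TCP connection to the LDAP server"))
    elif tls not in ("on", "start_tls"):
        findings.append(("TLS_INVALID", f"unknown tls value {tls!r}"))
    elif settings["verify_server_cert"] != "true":
        findings.append(("CERT_UNVERIFIED", "server certificate is not verified"))
    if "login_attribute" not in settings:
        findings.append(("NO_LOGIN_ATTR", "login_attribute unset: users are denied"))
    timeout = settings["timeout"]
    if not (timeout.isdigit() and 3 <= int(timeout) <= 60):
        findings.append(("BAD_TIMEOUT", f"timeout {timeout!r} is outside 3 to 60"))
    if not servers:
        findings.append(("NO_SERVER", "no LDAP server is defined"))
    # The guide pairs port 636 with tls on, and 389 with off and start_tls.
    expected = "636" if tls == "on" else "389"
    for i, srv in enumerate(servers):
        if srv["hostname"] is None:
            findings.append(("NO_HOSTNAME", f"server {i} has no hostname"))
        if srv["port"] not in (None, expected):
            detail = f"server {i} uses port {srv['port']}, expected {expected}"
            findings.append(("PORT_MISMATCH", detail))
    if "ldap" not in methods:
        findings.append(("LDAP_NOT_A_METHOD", "ldap is not an authentication method"))
    elif "local" in methods and methods.index("local") < methods.index("ldap"):
        findings.append(("LOCAL_BEFORE_LDAP", "local users are tried before LDAP"))
    return findings


if __name__ == "__main__":
    for name, session in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, [code for code, _ in audit(session)])
```

LOCAL_BEFORE_LDAP is informational: adding LDAP to the end of the list, as step 13 does, is valid, but it means locally defined users are checked before the LDAP server.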

Configure serial authentication


This section describes how to configure authentication for serial access.
Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Authentication > Serial.


4. (Optional) For TLS identity certificate, paste a TLS certificate and private key in PEM format.
If empty, the certificate for the web administration service is used. See Configure the web
administration service for more information.
5. For Peer authentication, select the method used to verify the certificate of a remote peer.
6. Include standard CAs is enabled by default. This allows peers with certificates that have been
signed by standard Certificate Authorities (CAs) to authenticate.
7. Click to expand Custom certificate authorities to add the public certificates of custom CAs.
a. For Add CA certificate, type the name of a custom CA and click the add icon.
b. Paste the public certificate for the custom CA in PEM format.
c. Repeat for additional custom CA certificates.
8. Click to expand Peer certificates to add the public certificates of trusted peers.
a. For Add Peer certificate, type the name of a trusted peer and click the add icon.
b. Paste the public certificate for the trusted peer in PEM format.
c. Repeat for additional trusted peer certificates.
9. Enable TelNet Login, which requires a user to log in via the TelNet connection before accessing
a port.
10. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. (Optional) Paste a TLS certificate and private key in PEM format:

(config)> auth serial identity "cert-and-private-key"


(config)>

4. Set the method used to verify the certificate of a remote peer:

(config)> auth serial verify value


(config)>

where value is either:


• ca: Uses certificate authorities (CAs) to verify.
• peer: Uses the remote peer's public certificate to verify.
5. By default, peers with certificates that have been signed by standard Certificate Authorities
(CAs) are allowed to authenticate. To disable:

(config)> auth serial ca_standard false


(config)>


6. Add the public certificate for a custom certificate authority:

(config)> add auth serial ca_certs CA-cert-name "cert-and-private-key"


(config)>

where:
• CA-cert-name is the name of the certificate for the custom certificate authority.
• cert-and-private-key is the certificate and private key for the custom certificate
authority.
Repeat for additional custom certificate authorities.
7. Require a user to log in via the TelNet connection before accessing a port.

(config)> auth serial telnet_login?


(config)>

8. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

9. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Disable shell access


To prohibit access to the shell prompt for all authentication groups, disable the Allow shell
parameter. This does not prevent access to the Admin CLI.

Note If shell access is disabled, re-enabling it will erase the device's configuration and perform a
factory reset.

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Authentication.
4. Click to disable Allow shell.

Note If shell access is disabled, re-enabling it will erase the device's configuration and perform
a factory reset.

5. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Set the allow_shell parameter to false:

(config)> auth allow_shell false

Note If shell access is disabled, re-enabling it will erase the device's configuration and perform
a factory reset.

4. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

5. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.


Set the idle timeout for Connect EZ 16/32 users


To configure the amount of time that the user's active session can be inactive before it is
automatically disconnected, set the Idle timeout parameter.
By default, the Idle timeout is set to 10 minutes.

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Authentication.
4. For Idle timeout, enter the amount of time that the active session can be idle before the user
is automatically logged out.
Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the
format number{w|d|h|m|s}.
For example, to set Idle timeout to ten minutes, enter 10m or 600s.

5. Click Apply to save the configuration and apply the change.

Command line

1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. At the config prompt, type:

(config)> auth idle_timeout value

where value is any number of weeks, days, hours, minutes, or seconds, and takes the format
number{w|d|h|m|s}.
For example, to set idle_timeout to ten minutes, enter either 10m or 600s:

(config)> auth idle_timeout 600s


(config)>

4. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

5. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.


Example user configuration

Example 1: Administrator user with local authentication


Goal: To create a user with administrator rights who is authenticated locally on the device.

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Authentication > Users.
4. In Add User, enter a name for the user and click the add icon.

The user configuration window is displayed.


5. Enter a Password for the user.


6. Assign the user to the admin group:
a. Click Groups.
b. For Add Group, click the add icon.
c. For Group, select the admin group.
d. Verify that the admin group has full administrator rights:
i. Click Authentication > Groups.
ii. Click admin.
iii. Verify that the admin group has Admin access enabled. If not, click Admin access to
enable.
iv. Verify that Access level is set to Full access. If not, select Full access.
e. Verify that Local users is one of the configured authentication methods:
i. Click Authentication > Methods.
ii. Verify that Local users is one of the methods in the list. If not:
i. For Add Method, click the add icon.
ii. For Method, select Local users.
7. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Verify that the admin group has full administrator rights:

(config)> show auth group admin acl


admin
enable true
level full
...
(config)>


If admin > enable is set to false:

(config)> auth group admin acl admin enable true


(config)>

If admin > level is set to read-only:

(config)> auth group admin acl admin level full


(config)>

4. Verify that local is one of the configured authentication methods:

(config)> show auth method


0 local
(config)>

If local is not listed:

(config)> add auth method end local


(config)>

5. Create the user. In this example, the user is being created with the username adminuser:

(config)> add auth user adminuser


(config auth user adminuser)>

6. Assign a password to the user:

(config auth user adminuser)> password pwd


(config auth user adminuser)>

7. Assign the user to the admin group:

(config auth user adminuser)> add group end admin


(config auth user adminuser)>

8. Save the configuration and apply the change.

(config auth user adminuser)> save


Configuration saved.
>

9. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Example 2: RADIUS, TACACS+, and local authentication for one user


Goal: To create a user with administrator rights who is authenticated by using all three authentication
methods.
In this example, when the user attempts to log in to the Connect EZ 16/32 device, user authentication
will occur in the following order:


1. The user is authenticated by the RADIUS server. If the RADIUS server is unavailable,
2. The user is authenticated by the TACACS+ server. If both the RADIUS and TACACS+ servers are
unavailable,
3. The user is authenticated by the Connect EZ 16/32 device using local authentication.
This example uses a FreeRadius 3.0 server running on Ubuntu, and a TACACS+ server running on
Ubuntu. Server configuration may vary depending on the platforms or type of servers used in your
environment.

Web
1. Configure a user on the RADIUS server:
a. On the Ubuntu machine hosting the FreeRadius server, open the /etc/freeradius/3.0/users
file:

$ sudo gedit /etc/freeradius/3.0/users

b. Add a RADIUS user to the users file:

admin1 Cleartext-Password := "password1"
    Unix-FTP-Group-Names := "admin"

In this example:
• The user's username is admin1.
• The user's password is password1.
• The authentication group on the Connect EZ 16/32 device, admin, is identified in
the Unix-FTP-Group-Names parameter.
c. Save and close the users file.
2. Configure a user on the TACACS+ server:
a. On the Ubuntu machine hosting the TACACS+ server, open the /etc/tacacs+/tac_plus.conf
file:

$ sudo gedit /etc/tacacs+/tac_plus.conf

b. Add a TACACS+ user to the tac_plus.conf file:

user = admin1 {
    name ="Admin1 for TX64"
    pap = cleartext password1
    service = system {
        groupname = admin
    }
}

In this example:
• The user's username is admin1.
• The user's password is password1.
• The authentication group on the Connect EZ 16/32 device, admin, is identified in
the groupname parameter.
c. Save and close the tac_plus.conf file.
3. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
4. Access the device configuration:

Remote Manager:


a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


5. Configure the authentication methods:
a. Click Authentication > Methods.
b. For Method, select RADIUS.
c. For Add Method, click the add icon to add a new method.
d. For the new method, select TACACS+.
e. Click the add icon to add another new method.
f. For the new method, select Local users.

6. Create the local user:


a. Click Authentication > Users.
b. In Add User, type admin1 and click the add icon.

c. For password, type password1.


d. Assign the user to the admin group:


i. Click Groups.
ii. For Add Group, click the add icon.

iii. For Group, select the admin group.

e. Verify that the admin group has full administrator rights:


i. Click Authentication > Groups.
ii. Click admin.
iii. Verify that the admin group has Admin access enabled. If not, click Admin access to
enable.
iv. Verify that Access level is set to Full access. If not, select Full access.
7. Click Apply to save the configuration and apply the change.

Command line
1. Configure a user on the RADIUS server:
a. On the Ubuntu machine hosting the FreeRadius server, open the /etc/freeradius/3.0/users
file:

$ sudo gedit /etc/freeradius/3.0/users

b. Add a RADIUS user to the users file:

admin1 Cleartext-Password := "password1"
    Unix-FTP-Group-Names := "admin"

In this example:
• The user's username is admin1.
• The user's password is password1.
• The authentication group on the Connect EZ 16/32 device, admin, is identified in
the Unix-FTP-Group-Names parameter.
c. Save and close the users file.
2. Configure a user on the TACACS+ server:
a. On the Ubuntu machine hosting the TACACS+ server, open the /etc/tacacs+/tac_plus.conf
file:

$ sudo gedit /etc/tacacs+/tac_plus.conf


b. Add a TACACS+ user to the tac_plus.conf file:

user = admin1 {
    name ="Admin1 for TX64"
    pap = cleartext password1
    service = system {
        groupname = admin
    }
}

In this example:
• The user's username is admin1.
• The user's password is password1.
• The authentication group on the Connect EZ 16/32 device, admin, is identified in
the groupname parameter.
c. Save and close the tac_plus.conf file.
3. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
4. At the command line, type config to enter configuration mode:

> config
(config)>

5. Configure the authentication methods:


a. Determine the current authentication method configuration:

(config)> show auth method


0 local
(config)>

This output indicates that on this example system, only local authentication is configured.
b. Add RADIUS authentication to the beginning of the list:

(config)> add auth method 0 radius


(config)>

c. Add TACACS+ authentication in second place in the list:

(config)> add auth method 1 tacacs+
(config)>

d. Verify that authentication will occur in the correct order:

(config)> show auth method
0 radius
1 tacacs+
2 local
(config)>

6. Verify that the admin group has full administrator rights:

(config)> show auth group admin acl


admin
enable true
level full
...
(config)>

If admin > enable is set to false:

(config)> auth group admin acl admin enable true


(config)>

If admin > level is set to read-only:

(config)> auth group admin acl admin level full


(config)>

7. Configure the local user:


a. Create a local user with the username admin1:

(config)> add auth user admin1


(config auth user admin1)>

b. Assign a password to the user:

(config auth user admin1)> password password1
(config auth user admin1)>

c. Assign the user to the admin group:

(config auth user admin1)> add group end admin
(config auth user admin1)>

8. Save the configuration and apply the change.

(config auth user admin1)> save


Configuration saved.
>

9. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.



Firewall
This chapter contains the following topics:

Firewall configuration
Port forwarding rules
Packet filtering
Configure custom firewall rules
Configure Quality of Service options
Web filtering


Firewall configuration
Firewall configuration includes the following configuration options:
• Zones: A zone is a firewall access group to which network interfaces can be added. You then
use zones to configure packet filtering and access control lists for interfaces that are included
in the zone. Preconfigured zones include:
  ◦ Any: Matches any network interface, even if they are not assigned to this zone.
  ◦ Loopback: Zone for interfaces that are used for communication between processes
  running on the device.
  ◦ Internal: Used for interfaces connected to trusted networks. By default, the firewall will
  allow most access from this zone.
  ◦ External: Used for interfaces to connect to untrusted zones, such as the internet. This zone
  has Network Address Translation (NAT) enabled by default. By default, the firewall will
  block most access from this zone.
  ◦ Edge: Used for interfaces connected to trusted networks, where the device is a client on
  the edge of the network rather than a router or gateway.
  ◦ Setup: Used for interfaces involved in the initial setup of the device. By default, the firewall
  will only allow this zone to access administration services.
  ◦ IPsec: The default zone for IPsec tunnels.
  ◦ Dynamic routes: Used for routes learned using routing services.
• Port forwarding: A list of rules that allow network connections to the Connect EZ 16/32 to be
forwarded to other servers by translating the destination address.
• Packet filtering: A list of packet filtering rules that determine whether to accept or reject
network connections that are forwarded through the Connect EZ 16/32.
• Custom rules: A script that is run to install advanced firewall rules beyond the
scope/capabilities of the standard device configuration.
• Quality Of Service: Quality of Service (QOS) options for bandwidth allocation and policy-
based traffic shaping and prioritizing.

Create a custom firewall zone


In addition to the preconfigured zones, you can create custom zones that can be used to
configure packet filtering and access control lists for network interfaces.
To create a zone:

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.


c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Firewall > Zones.
4. In Add Zone, enter a name for the zone and click the add icon.

The firewall configuration window is displayed.

5. (Optional) If traffic on this zone will be forwarded from a private network to the internet,
enable Network Address Translation (NAT).
6. Click Apply to save the configuration and apply the change.
See Configure the firewall zone for a network interface for information about how to configure
network interfaces to use a zone.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Add the new zone. For example, to add a zone named my_zone:

(config)> add firewall zone my_zone


(config firewall zone my_zone)>


4. (Optional) Enable Network Address Translation (NAT):

(config firewall zone my_zone)> src_nat true


(config firewall zone my_zone)>

5. Save the configuration and apply the change.

(config firewall zone my_zone)> save


Configuration saved.
>

6. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
See Configure the firewall zone for a network interface for information about how to configure
network interfaces to use a zone.

Configure the firewall zone for a network interface


Firewall zones allow you to group network interfaces for the purpose of packet filtering and access
control. There are several preconfigured firewall zones, and you can create custom zones as well. The
firewall zone that a network interface uses is selected during interface configuration.
This example procedure uses an existing network interface named ETH2 and changes the firewall
zone from the default zone, Internal, to External.

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Network > Interfaces > ETH2.


4. For Zone, select External.

5. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. At the config prompt, type:

(config)> network interface eth2 zone external


(config)>

4. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

5. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Delete a custom firewall zone


You cannot delete preconfigured firewall zones. To delete a custom firewall zone:

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:


a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Firewall > Zones.
4. Click the menu icon (...) next to the appropriate custom firewall zone and select Delete.

5. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Use the del command to delete a custom firewall zone. For example:

(config)> del firewall zone my_zone

4. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

5. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Port forwarding rules


Most computers are protected by a firewall that prevents users on a public network from accessing
servers on the private network. To allow a computer on the Internet to connect to a specific server on
a private network, set up one or more port forwarding rules. Port forwarding rules provide mapping
instructions that direct incoming traffic to the proper device on a LAN.

Configure port forwarding

Required configuration items


- The network interface for the rule.
  Network connections will only be forwarded if their destination address matches the IP
  address of the selected network interface.
- The public-facing port number that network connections must use for their traffic to be
  forwarded.
- The IP address of the server to which traffic should be forwarded.
- The port or range of ports to which traffic should be forwarded.

Additional configuration items


- A label for the port forwarding rule.
- The IP version (either IPv4 or IPv6) that incoming network connections must match.
- The protocols that incoming network connections must match.

- A white list of devices, based on either IP address or firewall zone, that are authorized to
  leverage this forwarding rule.
To configure a port forwarding rule:

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Firewall > Port forwarding.
4. For Add port forward, click the add icon.

The port forwarding rule configuration window is displayed.

Port forwarding rules are enabled by default. To disable, toggle off Enable.
5. (Optional) Type a Label that will be used to identify the rule.


6. For Interface, select the network interface for the rule.


Network connections will only be forwarded if their destination address matches the IP
address of the selected network interface.
7. For IP version, select either IPv4 or IPv6.
Network connections will only be forwarded if they match the selected IP version.
8. For Protocol, select the type of internet protocol.
Network connections will only be forwarded if they match the selected protocol.
9. For Incoming port(s), type the public-facing port number that network connections must use
for their traffic to be forwarded.
10. For To Address, type the IP address of the server to which traffic should be forwarded.
11. For Destination Port(s), type the port number, comma-separated list of port numbers, or
range of port numbers on the server to which traffic should be forwarded. For example, to
forward traffic to ports one, three, and five through ten, enter: 1, 3, 5-10.
12. (Optional) Click Access control list to create a white list of devices that are authorized to
leverage this forwarding rule, based on either the IP address or firewall zone:
- To white list IP addresses:
   a. Click Addresses.
   b. For Add Address, enter an IP address and click the add icon.
   c. Repeat for each additional IP address that should be white listed.
- To specify firewall zones for white listing:
   a. Click Zones.
   b. For Add zone, click the add icon.
   c. For Zone, select the appropriate zone.
   d. Repeat for each additional zone.
13. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. At the config prompt, type:

(config)> add firewall dnat end


(config firewall dnat 0)>


Port forwarding rules are enabled by default. To disable the rule:

(config firewall dnat 0)> enable false


(config firewall dnat 0)>

4. Set the network interface for the rule.

(config firewall dnat 0)> interface


(config firewall dnat 0)>

Network connections will only be forwarded if their destination address matches the IP
address of this network interface.

a. Use the ? to determine available interfaces:


b. Set the interface. For example:

(config firewall dnat 0)> interface eth1


(config firewall dnat 0)>

5. Set the IP version. Allowed values are ipv4 and ipv6. The default is ipv4.

(config firewall dnat 0)> ip_version ipv6


(config firewall dnat 0)>

6. Set the public-facing port number that network connections must use for their traffic to be
forwarded.

(config firewall dnat 0)> port port


(config firewall dnat 0)>

7. Set the type of internet protocol.

(config firewall dnat 0)> protocol value


(config firewall dnat 0)>

Network connections will only be forwarded if they match the selected protocol. Allowed
values are custom, tcp, tcpudp, or udp. The default is tcp.
8. Set the IP address of the server to which traffic should be forwarded:
- For IPv4 addresses:

(config firewall dnat 0)> to_address ip-address


(config firewall dnat 0)>

- For IPv6 addresses:

(config firewall dnat 0)> to_address6 ip-address


(config firewall dnat 0)>

9. Set the port number(s) on the server to which traffic should be forwarded.

(config firewall dnat 0)> to_port value


(config firewall dnat 0)>

where value is the port number, comma-separated list of port numbers, or range of port
numbers on the server to which traffic should be forwarded. For example, to forward traffic to
ports one, three, and five through ten, enter 1, 3, 5-10.
10. (Optional) To create a white list of devices that are authorized to leverage this forwarding rule,
based on either the IP address or firewall zone, change to the acl node:

(config firewall dnat 0)> acl


(config firewall dnat 0 acl)>

- To white list an IP address:

   - For IPv4 addresses:

(config firewall dnat 0 acl)> add address end ip-address

(config firewall dnat 0 acl)>

   - For IPv6 addresses:

(config firewall dnat 0 acl)> add address6 end ip-address

(config firewall dnat 0 acl)>

Repeat for each appropriate IP address.

- To specify the firewall zone for white listing:

(config firewall dnat 0 acl)> add zone end zone

Repeat for each appropriate zone.

To view a list of available zones:

(config firewall dnat 0 acl)> .. .. .. zone ?

Zones: A list of groups of network interfaces that can be referred to by
packet filtering rules and access control lists.

Additional Configuration
------------------------------------------------------------------------------
any
dynamic_routes
edge
external
internal
ipsec
loopback
setup

(config firewall dnat 0 acl)>


11. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

12. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Delete a port forwarding rule


To delete a port forwarding rule:

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Firewall > Port forwarding.
4. Click the menu icon (...) next to the appropriate port forwarding rule and select Delete.

5. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.


Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Determine the index number of the port forwarding rule you want to delete:

(config)> show firewall dnat


0
acl
no address
no zone
enable true
interface
ip_version ipv4
label IPv4 port forwarding rule
port 10000
protocol tcp
to_address6 10.10.10.10
to_port 10001

1
acl
no address6
no zone
enable false
interface
ip_version ipv6
label IPv6 port forwarding rule
port 10002
protocol tcp
to_address6 c097:4533:bd63:bb12:9a6f:5569:4b53:c29a
to_port 10003
(config)>

4. To delete the rule, use the index number with the del command. For example:

(config)> del firewall dnat 1

5. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

6. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.


Packet filtering
By default, one preconfigured packet filtering rule, Allow all outgoing traffic, is enabled and
monitors traffic going to and from the Connect EZ 16/32 device. The predefined settings are intended
to block unauthorized inbound traffic while providing an unrestricted flow of outgoing data. You can
modify the default packet filtering rule and create additional rules to define how the device accepts or
rejects traffic that is forwarded through the device.

Configure packet filtering

Required configuration items


- The action that the packet filtering rule will perform, either Accept, Reject, or Drop.
- The source firewall zone: Packets originating from interfaces on this zone will be monitored by
  this rule.
- The destination firewall zone: Packets destined for interfaces on this zone will be accepted,
  rejected, or dropped by this rule.

Additional configuration requirements


- A label for the rule.
- The IP version to be matched, either IPv4, IPv6, or Any.
- The protocol to be matched, one of:
   - TCP
   - UDP
   - ICMP
   - ICMP6
   - Any
To configure a packet filtering rule:

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.


Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Firewall > Packet filtering.
- To create a new packet filtering rule, for Add packet filter, click the add icon.

- To edit the default packet filtering rule or another existing packet filtering rule, click to
  expand the rule.
The packet filtering rule configuration window is displayed.

Packet filters are enabled by default. To disable, toggle off Enable.


4. (Optional) Type a Label that will be used to identify the rule.
5. For Action, select one of:
- Accept: Allows matching network connections.
- Reject: Blocks matching network connections, and sends an ICMP error if appropriate.
- Drop: Blocks matching network connections, and does not send a reply.
6. Select the IP version.
7. Select the Protocol.
8. For Source zone, select the firewall zone that will be monitored by this rule for incoming
connections from network interfaces that are a member of this zone.
See Firewall configuration for more information about firewall zones.
9. For Destination zone, select the firewall zone. Packets destined for network interfaces that are
members of this zone will either be accepted, rejected or dropped by this rule.
See Firewall configuration for more information about firewall zones.
10. Click Apply to save the configuration and apply the change.

Command line

1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

To edit the default packet filtering rule or another existing packet filtering rule:
a. Determine the index number of the appropriate packet filtering rule:

(config)> show firewall filter


0
action accept
dst_zone any
enable true
ip_version any
label Allow all outgoing traffic
protocol any
src_zone internal
1
action drop
dst_zone internal
enable true
ip_version any
label myfilter
protocol any
src_zone external
(config)>

b. Select the appropriate rule by using its index number:

(config)> firewall filter 1


(config firewall filter 1)>

To create a new packet filtering rule:

(config)> add firewall filter end


(config firewall filter 1)>

Packet filtering rules are enabled by default. To disable the rule:

(config firewall filter 1)> enable false


(config firewall filter 1)>

3. (Optional) Set the label for the rule.

(config firewall filter 1)> label "My filter rule"


(config firewall filter 1)>


4. Set the action to be performed by the filter rule.

(config firewall filter 1)> action value


(config firewall filter 1)>

where value is one of:


- accept: Allows matching network connections.
- reject: Blocks matching network connections, and sends an ICMP error if appropriate.
- drop: Blocks matching network connections, and does not send a reply.
5. Set the firewall zone that will be monitored by this rule for incoming connections from network
interfaces that are a member of this zone:
See Firewall configuration for more information about firewall zones.

(config firewall filter 1)> src_zone my_zone


(config firewall filter 1)>

6. Set the destination firewall zone. Packets destined for network interfaces that are members of
this zone will either be accepted, rejected or dropped by this rule.
See Firewall configuration for more information about firewall zones.

(config firewall filter 1)> dst_zone my_zone


(config firewall filter 1)>

7. Set the IP version.

(config firewall filter 1)> ip_version value


(config firewall filter 1)>

where value is one of:


- any
- ipv4
- ipv6
The default is any.
8. Set the protocol.

(config firewall filter 1)> protocol value


(config firewall filter 1)>

where value is one of:


- any
- icmp
- icmpv6
- tcp
- udp
The default is any.


9. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

10. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Enable or disable a packet filtering rule


To enable or disable a packet filtering rule:

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Firewall > Packet filtering.
4. Click the appropriate packet filtering rule.
5. Click Enable to toggle the rule between enabled and disabled.

6. Click Apply to save the configuration and apply the change.

Command line

1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Determine the index number of the appropriate packet filtering rule:

(config)> show firewall filter


0
action accept
dst_zone any
enable true
ip_version any
label Allow all outgoing traffic
protocol any
src_zone internal
1
action drop
dst_zone internal
enable true
ip_version any
label My packet filter
protocol any
src_zone external
(config)>

4. To enable a packet filtering rule, use the index number with the enable true command. For
example:

(config)> firewall filter 1 enable true

5. To disable a packet filtering rule, use the index number with the enable false command. For
example:

(config)> firewall filter 1 enable false

6. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

7. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Delete a packet filtering rule


To delete a packet filtering rule:

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Firewall > Packet filtering.
4. Click the menu icon (...) next to the appropriate packet filtering rule and select Delete.

5. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Determine the index number of the packet filtering rule you want to delete:

(config)> show firewall filter


0
action accept
dst_zone any
enable true
ip_version any
label Allow all outgoing traffic
protocol any
src_zone internal
1
action drop
dst_zone internal
enable true
ip_version any
label My packet filter
protocol any
src_zone external
(config)>

4. To delete the rule, use the index number with the del command. For example:

(config)> del firewall filter 1

5. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

6. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
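
The `show firewall dnat` and `show firewall filter` listings used in the procedures above can be reviewed offline before rules are deleted or left in place. The following Python script is an added example, not part of the Digi guide or firmware: it parses pasted listings and flags enabled port forwarding rules that have no white list, no interface, or an address in the wrong `to_address`/`to_address6` field, and enabled accept filters whose source zone is `external` or `any`. The function names, the finding labels, the flattened listing layout as printed in this guide, and the choice to treat `external` and `any` as untrusted source zones are assumptions of this example.

```python
import ipaddress

# Constructed samples modelled on the listings in this guide; filter rule 1
# ("vendor access") and the 2001:db8:: address are invented for the demo.
DNAT_SAMPLE = """\
(config)> show firewall dnat
0
acl
no address
no zone
enable true
interface
ip_version ipv4
label IPv4 port forwarding rule
port 10000
protocol tcp
to_address6 10.10.10.10
to_port 10001
1
acl
no address6
no zone
enable false
interface
ip_version ipv6
label IPv6 port forwarding rule
port 10002
protocol tcp
to_address6 2001:db8::10
to_port 10003
"""
FILTER_SAMPLE = """\
0
action accept
dst_zone any
enable true
ip_version any
label Allow all outgoing traffic
protocol any
src_zone internal
1
action accept
dst_zone internal
enable true
ip_version any
label vendor access
protocol any
src_zone external
"""

def parse_show(text):
    """Return {index: {key: value}}. Assumed layout: a bare integer starts a
    rule, "no <name>" marks an empty list, any other line is "key [value]"."""
    rules, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("(config"):
            continue                      # blank line or CLI prompt
        if line.isdigit():
            current = rules.setdefault(int(line), {})
        elif current is not None:
            key, _, value = line.partition(" ")
            if key == "no":
                current[value.strip()] = None   # list explicitly empty
            else:
                current[key] = value.strip()
    return rules

def audit_dnat(rules):
    """Flag enabled port forwarding rules that deserve a second look."""
    findings = []
    for idx, rule in sorted(rules.items()):
        if rule.get("enable") != "true":
            continue
        # No address, address6 or zone entry: the rule has no white list.
        if all(rule.get(k) is None for k in ("address", "address6", "zone")):
            findings.append((idx, "no-acl"))
        if not rule.get("interface"):
            findings.append((idx, "interface-unset"))
        for key, version in (("to_address", 4), ("to_address6", 6)):
            if rule.get(key):
                try:
                    if ipaddress.ip_address(rule[key]).version != version:
                        findings.append((idx, "address-family-mismatch"))
                except ValueError:
                    findings.append((idx, "bad-address"))
    return findings

def audit_filter(rules, untrusted=("external", "any")):
    """Flag enabled accept rules whose source zone is treated as untrusted."""
    return [(idx, "accepts-untrusted-source")
            for idx, rule in sorted(rules.items())
            if rule.get("enable") == "true" and rule.get("action") == "accept"
            and rule.get("src_zone") in untrusted]

if __name__ == "__main__":
    print("dnat:", audit_dnat(parse_show(DNAT_SAMPLE)))
    print("filter:", audit_filter(parse_show(FILTER_SAMPLE)))
```

Disabled rules are skipped, so rule 1 in the port forwarding sample produces no findings until it is enabled.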

Configure custom firewall rules


Custom firewall rules consist of a script of shell commands that can be used to install firewall rules,
ipsets, and other system configuration. These commands are run whenever system configuration
changes occur that might cause changes to the firewall.
To configure custom firewall rules:

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.


Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Firewall > Custom rules.

4. Enable the custom rules.


5. (Optional) Enable Override to override all preconfigured firewall behavior and rely solely on
the custom firewall rules.
6. For Rules, type the shell command that will execute the custom firewall rules script.
7. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Enable custom firewall rules:

(config)> firewall custom enable true


(config)>

4. (Optional) Instruct the device to override all preconfigured firewall behavior and rely solely on
the custom firewall rules:

(config)> firewall custom override true


(config)>

5. Set the shell command that will execute the custom firewall rules script:

(config)> firewall custom rules "shell-command"


(config)>


6. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

7. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Configure Quality of Service options


Quality of Service (QoS) options allow you to manage the traffic performance of various services, such
as Voice over IP (VoIP), cloud computing, traffic shaping, traffic prioritizing, and bandwidth allocation.
When configuring QoS, you can only control the queue for outgoing packets on each interface (egress
packets), not what is received on the interface (packet ingress).
A QoS binding contains the policies and rules that apply to packets exiting the Connect EZ 16/32
device on the binding's interface. By default, the Connect EZ 16/32 device has two preconfigured QoS
bindings, Outbound and Inbound. These bindings are an example configuration designed for a
typical VoIP site:
- Outbound provides an example of matching packets as they are routed from the device onto
  the WAN interface.
- Inbound provides an example of matching packets as they are routed from the device onto a
  LAN interface.
These example bindings are disabled by default.

Enable the preconfigured bindings


Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.


The Configuration window is displayed.


3. Click Firewall > Quality of Service.
4. Click to expand either Outbound or Inbound.
5. Enable the binding.
6. Select an Interface.
7. Examine the remaining default settings and modify as appropriate for your network.
8. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Enable one of the preconfigured bindings:

- To enable the Outbound binding:

(config)> firewall qos 0 enable true


(config)>

- To enable the Inbound binding:

(config)> firewall qos 1 enable true


(config)>

4. Set the interface for the binding. Use the index number of the binding; for example, to set the
interface for the Outbound binding:
a. Use the ? to determine available interfaces:
b. Set the interface. For example:

(config)> firewall qos 0 interface /network/interface/eth1


(config)>

5. Examine the remaining default settings and modify as appropriate for your network.
6. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

7. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.


Create a new binding


Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Firewall > Quality of Service.
4. For Add Binding, click the add icon.

The quality of service binding configuration window is displayed.

5. Enable the binding.


6. (Optional) Type a Label for the binding.
7. Select an Interface to queue egress packets on. The binding will only match traffic that is
being sent out on this interface.
8. (Optional) For Interface bandwidth (Mbit), set the maximum egress bandwidth of the
interface, in megabits, allocated to this binding. Typically, this should be 95% of the available
bandwidth. Allowed value is any integer between 1 and 1000.


9. Create a policy for the binding:


At least one policy is required for each binding. Each policy can contain up to 30 rules.
a. Click to expand Policy.
b. For Add Policy, click the add icon.

The QoS binding policy configuration window is displayed.

New QoS binding policies are enabled by default. To disable, toggle off Enable.
c. (Optional) Type a Label for the binding policy.
d. For Weight, type a value for the amount of available bandwidth allocated to the policy,
relative to other policies for this binding.
The larger the weight, with respect to the other policy weights, the larger portion of the
maximum bandwidth is available for this policy. For example, if a binding contains three
policies, and each policy contains a weight of 10, each policy will be allocated one third of
the total interface bandwidth.
e. For Latency, type the maximum delay before the transmission of packets. A lower latency
means that the packets will be scheduled more quickly for transmission.
f. Select Default to identify this policy as a fall-back policy. The fall-back policy will be used
for traffic that is not matched by any other policy. If there is no default policy associated
with this binding, packets that do not match any policy rules will be dropped.
g. If Default is disabled, you must configure at least one rule:
i. Click to expand Rule.
ii. For Add Rule, click .

The QoS binding policy rule configuration window is displayed.


New QoS binding policy rules are enabled by default. To disable, toggle off Enable.
iii. (Optional) Type a Label for the binding policy rule.
iv. For Type Of Service, type the value of the Type of Service (ToS) packet header that
defines packet priority. If unspecified, this field is ignored.
See https://www.tucny.com/Home/dscp-tos for a list of common TOS values.
v. For Protocol, select the IP protocol matching criteria for this rule.
vi. For Source port, type the port, or any, as a source traffic matching criteria.
vii. For Destination port, type the port, or any, as a destination traffic matching criteria.
viii. Click to expand Source address and select the Type:
n Any: Source traffic from any address will be matched.
n Interface: Only traffic from the selected Interface will be matched.
n IPv4 address: Only traffic from the IP address typed in IPv4 address will be
matched. Use the format IPv4_address[/netmask], or use any to match any
IPv4 address.
n IPv6 address: Only traffic from the IP address typed in IPv6 address will be
matched. Use the format IPv6_address[/prefix_length], or use any to match
any IPv6 address.
n MAC address: Only traffic from the MAC address typed in MAC address will be
matched.
ix. Click to expand Destination address and select the Type:
n Any: Traffic destined for anywhere will be matched.
n Interface: Only traffic destined for the selected Interface will be matched.
n IPv4 address: Only traffic destined for the IP address typed in IPv4 address
will be matched. Use the format IPv4_address[/netmask], or use any to match
any IPv4 address.
n IPv6 address: Only traffic destined for the IP address typed in IPv6 address
will be matched. Use the format IPv6_address[/prefix_length], or use any to
match any IPv6 address.
Repeat to add a new rule. Up to 30 rules can be configured.
10. Click Apply to save the configuration and apply the change.


 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Add a binding:

(config)> add firewall qos end


(config firewall qos 2)>

New bindings are enabled by default. To disable:

(config firewall qos 2)> enable false


(config firewall qos 2)>

4. (Optional) Set a label for the new binding:

(config firewall qos 2)> label my_binding


(config firewall qos 2)>

5. Set the interface to queue egress packets on. The binding will only match traffic that is being
sent out on this interface:
a. Use the ? to determine available interfaces:
b. Set the interface. For example:

(config firewall qos 2)> interface /network/interface/eth1


(config firewall qos 2)>

6. (Optional) Set the maximum egress bandwidth of the interface, in megabits, allocated to this
binding.

(config firewall qos 2)> bandwidth int


(config firewall qos 2)>

where int is an integer between 1 and 1000. Typically, this should be 95% of the available
bandwidth. The default is 95.
7. Create a policy for the binding:
At least one policy is required for each binding. Each policy can contain up to 30 rules.
a. Change to the policy node of the configuration:

(config firewall qos 2)> policy


(config firewall qos 2 policy)>


b. Add a policy:

(config firewall qos 2 policy)> add end


(config firewall qos 2 policy 0)>

New QoS binding policies are enabled by default. To disable:

(config firewall qos 2 policy 0)> enable false


(config firewall qos 2 policy 0)>

c. (Optional) Set a label for the new binding policy:

(config firewall qos 2 policy 0)> label my_binding_policy


(config firewall qos 2 policy 0)>

d. Set a value for the amount of available bandwidth allocated to the policy, relative to other
policies for this binding.
The larger the weight, with respect to the other policy weights, the larger portion of the
maximum bandwidth is available for this policy. For example, if a binding contains three
policies, and each policy contains a weight of 10, each policy will be allocated one third of
the total interface bandwidth.

(config firewall qos 2 policy 0)> weight int


(config firewall qos 2 policy 0)>

where int is any integer between 1 and 65535. The default is 10.
e. Set the maximum delay before the transmission of packets. A lower number means that
the packets will be scheduled more quickly for transmission.

(config firewall qos 2 policy 0)> latency int


(config firewall qos 2 policy 0)>

where int is any integer, 1 or greater. The default is 100.


f. To identify this policy as a fall-back policy:

(config firewall qos 2 policy 0)> default true


(config firewall qos 2 policy 0)>

The fall-back policy will be used for traffic that is not matched by any other policy. If there
is no default policy associated with this binding, packets that do not match any policy
rules will be dropped. If the policy is not a fall-back policy, you must configure at least one
rule:
i. Change to the rule node of the configuration:

(config firewall qos 2 policy 0)> rule


(config firewall qos 2 policy 0 rule)>

ii. Add a rule:

(config firewall qos 2 policy 0 rule)> add end


(config firewall qos 2 policy 0 rule 0)>


New QoS binding policy rules are enabled by default. To disable:

(config firewall qos 2 policy 0 rule 0)> enable false


(config firewall qos 2 policy 0 rule 0)>

iii. (Optional) Set a label for the new binding policy rule:

(config firewall qos 2 policy 0 rule 0)> label my_binding_policy_rule
(config firewall qos 2 policy 0 rule 0)>

iv. Set the value of the Type of Service (ToS) packet header that defines packet priority. If
unspecified, this field is ignored.

(config firewall qos 2 policy 0 rule 0)> tos value


(config firewall qos 2 policy 0 rule 0)>

where value is a hexadecimal number. See https://www.tucny.com/Home/dscp-tos for
a list of common TOS values.
v. Set the IP protocol matching criteria for this rule:

(config firewall qos 2 policy 0 rule 0)> protocol value


(config firewall qos 2 policy 0 rule 0)>

where value is one of tcp, udp, or any.


vi. Set the source port to define a source traffic matching criteria:

(config firewall qos 2 policy 0 rule 0)> srcport value


(config firewall qos 2 policy 0 rule 0)>

where value is the IP port number, a range of port numbers using the format IP_port-
IP_port, or any.
vii. Set the destination port to define a destination matching criteria:

(config firewall qos 2 policy 0 rule 0)> dstport value


(config firewall qos 2 policy 0 rule 0)>

where value is the IP port number, a range of port numbers using the format IP_port-
IP_port, or any.
viii. Set the source address type:

(config network qos 2 policy 0 rule 0)> src type value


(config network qos 2 policy 0 rule 0)>

where value is one of:


n any: Source traffic from any address will be matched.
See Firewall configuration for more information about firewall zones.
n interface: Only traffic from the selected interface will be matched. Set the
interface:


i. Use the ? to determine available interfaces:


ii. Set the interface. For example:

(config network qos 2 policy 0 rule 0)> src interface /network/interface/eth1
(config network qos 2 policy 0 rule 0)>

n address: Only traffic from the IP address typed in IPv4 address will be
matched. Set the address that will be matched:

(config network qos 2 policy 0 rule 0)> src address value


(config network qos 2 policy 0 rule 0)>

where value uses the format IPv4_address[/netmask], or any to match any
IPv4 address.
n address6: Only traffic from the IP address typed in IPv6 address will be
matched. Set the address that will be matched:

(config network qos 2 policy 0 rule 0)> src address6 value


(config network qos 2 policy 0 rule 0)>

where value uses the format IPv6_address[/prefix_length], or any to match
any IPv6 address.
n mac: Only traffic from the MAC address typed in MAC address will be matched.
Set the MAC address to be matched:

(config network qos 2 policy 0 rule 0)> src mac MAC_address


(config network qos 2 policy 0 rule 0)>

ix. Set the destination address type:

(config network qos 2 policy 0 rule 0)> dst type value


(config network qos 2 policy 0 rule 0)>

where value is one of:


n any: Traffic destined for anywhere will be matched.
See Firewall configuration for more information about firewall zones.
n interface: Only traffic destined for the selected Interface will be matched. Set
the interface:
i. Use the ? to determine available interfaces:
ii. Set the interface. For example:

(config network qos 2 policy 0 rule 0)> dst interface /network/interface/eth1
(config network qos 2 policy 0 rule 0)>

n address: Only traffic destined for the IP address typed in IPv4 address will be
matched. Set the address that will be matched:


(config network qos 2 policy 0 rule 0)> dst address value


(config network qos 2 policy 0 rule 0)>

where value uses the format IPv4_address[/netmask], or any to match any
IPv4 address.
n address6: Only traffic destined for the IP address typed in IPv6 address will be
matched. Set the address that will be matched:

(config network qos 2 policy 0 rule 0)> dst address6 value


(config network qos 2 policy 0 rule 0)>

where value uses the format IPv6_address[/prefix_length], or any to match
any IPv6 address.
Repeat to add a new rule. Up to 30 rules can be configured.
8. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

9. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
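
The limits stated in the QoS procedure above can be checked before anything is typed into the device. The following is an added example, not Digi code: it validates a planned binding, computes each policy's share of the binding bandwidth from the weights, and prints the Admin CLI lines using only keywords shown above. The dictionary layout, function names and sample values are assumptions of the example.

```python
# Added example, not Digi code. The dict layout is an assumption of this
# example; the limits and CLI keywords are the ones given in the procedure.
MAX_RULES = 30
PROTOCOLS = ("tcp", "udp", "any")


def _int_between(value, low, high=None):
    """True for a real integer (not bool) that is >= low and <= high."""
    ok = isinstance(value, int) and not isinstance(value, bool) and value >= low
    return ok and (high is None or value <= high)


def validate_binding(binding):
    """Return (errors, warnings) for one planned QoS binding."""
    errors, warnings = [], []
    if not binding.get("interface"):
        errors.append("interface is required")
    if not _int_between(binding.get("bandwidth", 95), 1, 1000):
        errors.append("bandwidth must be an integer between 1 and 1000")
    policies = binding.get("policies", [])
    if not policies:
        errors.append("at least one policy is required")
    for i, pol in enumerate(policies):
        rules = pol.get("rules", [])
        if not _int_between(pol.get("weight", 10), 1, 65535):
            errors.append(f"policy {i}: weight must be between 1 and 65535")
        if not _int_between(pol.get("latency", 100), 1):
            errors.append(f"policy {i}: latency must be 1 or greater")
        if len(rules) > MAX_RULES:
            errors.append(f"policy {i}: more than {MAX_RULES} rules")
        if not pol.get("default", False) and not rules:
            errors.append(f"policy {i}: a non-default policy needs a rule")
        for j, rule in enumerate(rules):
            if rule.get("protocol", "any") not in PROTOCOLS:
                errors.append(f"policy {i} rule {j}: protocol must be tcp, udp or any")
    # Without a fall-back policy, traffic that matches no rule is dropped.
    if policies and not any(p.get("default", False) for p in policies):
        warnings.append("no default policy: unmatched packets will be dropped")
    return errors, warnings


def bandwidth_shares(binding):
    """Mbit share per policy label: bandwidth * weight / sum of weights."""
    policies = binding["policies"]
    total = sum(p.get("weight", 10) for p in policies)
    bw = binding.get("bandwidth", 95)
    return {p["label"]: round(bw * p.get("weight", 10) / total, 2) for p in policies}


def to_cli(binding):
    """Admin CLI lines, typed starting from the (config)> prompt."""
    lines = ["add firewall qos end", f"label {binding['label']}",
             f"interface {binding['interface']}",
             f"bandwidth {binding.get('bandwidth', 95)}", "policy"]
    for pol in binding["policies"]:
        lines += ["add end", f"label {pol['label']}",
                  f"weight {pol.get('weight', 10)}",
                  f"latency {pol.get('latency', 100)}"]
        if pol.get("default", False):
            lines.append("default true")
        if pol.get("rules"):
            lines.append("rule")
            for rule in pol["rules"]:
                lines += ["add end", f"protocol {rule.get('protocol', 'any')}",
                          f"srcport {rule.get('srcport', 'any')}",
                          f"dstport {rule.get('dstport', 'any')}", ".."]
            lines.append("..")      # rule node -> policy N
        lines.append("..")          # policy N -> policy node
    # Back up to (config)>, where the guide issues save.
    lines += [".."] * 4 + ["save"]
    return lines


# Constructed sample: management traffic gets 3/4 of the binding by weight,
# and a fall-back policy catches everything else.
SAMPLE = {
    "label": "wan_out", "interface": "/network/interface/eth1", "bandwidth": 95,
    "policies": [
        {"label": "mgmt", "weight": 30,
         "rules": [{"protocol": "tcp", "dstport": "22"}]},
        {"label": "bulk", "weight": 10, "default": True},
    ],
}

if __name__ == "__main__":
    errs, warns = validate_binding(SAMPLE)
    print("errors:", errs, "warnings:", warns)
    print(bandwidth_shares(SAMPLE))
    print("\n".join(to_cli(SAMPLE)))
```

The warning about a missing default policy is the one to act on first: a binding with no fall-back policy silently drops every egress packet on that interface that no rule matches.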

Web filtering
Web filtering allows you to control access to services that can be accessed through the Connect EZ
16/32 device by forwarding all Domain Name System (DNS) traffic to a web filtering service. This
allows the network security administrator to configure a set of policies with the web filtering service
that are applied to all routing devices with web filtering enabled. For example, a policy may allow or
deny access to a specific service or type of service such as social media, gaming, and so on.
Your Connect EZ 16/32 device supports two methods for configuring web filtering:
n Cisco Umbrella (formerly known as OpenDNS).
n Manual DNS server entry.

Configure web filtering with Cisco Umbrella


Required configuration items
n Enable web filtering.
n A Cisco Umbrella account.
See https://umbrella.cisco.com for information about how to create a Cisco Umbrella account.
A 14-day trial account is available.
n A customer-specific API token.


Task one: Generate a Cisco Umbrella API token


1. Log into the Cisco Umbrella Dashboard (https://dashboard.umbrella.com).
2. On the menu, select Admin > API Keys.
The API Keys page displays.
3. Click  (Create).
4. Select Legacy Network Devices.
5. Click Create.
6. Copy the token.

Task two: Configure web filtering

 Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Firewall > Web filtering service.

4. Click Enable web filtering to enable.


5. For Web filtering service, select Cisco Umbrella.
6. Paste the API token that was generated in Task one: Generate a Cisco Umbrella API token.


7. Click Apply to save the configuration and apply the change.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Enable web filtering:

(config)> firewall web-filter enable true


(config)>

4. Set the web filter service type to umbrella:

(config)> firewall web-filter service umbrella


(config)>

5. Set umbrella_token to the API token generated in Task one: Generate a Cisco Umbrella API
token:

(config)> firewall web-filter umbrella_token token


(config)>

6. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

7. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Clear the Cisco Umbrella device ID


If the Cisco Umbrella device ID being used by your Connect EZ 16/32 is invalid, you can clear the
device ID.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the Admin CLI prompt, use the rm command to delete the web-filter-id file, and confirm
the deletion:


> rm /etc/config/web-filter-id
rm: remove '/etc/config/web-filter-id'? yes
>

3. Restart the web filtering service:

> config firewall web-filter enable false


> config firewall web-filter enable true
>

Configure web filtering with manual DNS servers


Required configuration items
n Enable web filtering.
n The IP address of one or more DNS servers. Cisco provides two open DNS servers for web
filtering:
l 208.67.222.222
l 208.67.220.220

Note These two IP addresses do not work with the OpenDNS option. See
https://www.opendns.com/setupguide/ for more information about using Cisco DNS servers
for web filtering.

To configure web filtering with manual DNS servers:

 Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Firewall > Web filtering service.

4. Click Enable web filtering to enable.


5. For Web filtering service, select Manual.
6. Click to expand Servers.
7. Click  to add a server.

8. For IP address, enter the IP address of the DNS server.

9. (Optional) Repeat for additional DNS servers.


10. Click Apply to save the configuration and apply the change.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Enable web filtering:

(config)> firewall web-filter enable true


(config)>


4. Set the web filter service type to manual:

(config)> firewall web-filter service manual


(config)>

5. Add a DNS server:

(config)> add firewall web-filter server end


(config firewall web-filter server 0)>

6. Set the DNS server's IP address:

(config firewall web-filter server 0)> ip ip_address


(config firewall web-filter server 0)>

7. (Optional) Repeat for additional DNS servers.


For example, to configure manual web-filtering using Cisco's open DNS servers:
a. Enable web filtering:

(config)> firewall web-filter enable true


(config)>

b. Set the web filter service type to manual:

(config)> firewall web-filter service manual


(config)>

c. Add the first DNS server:


i. Add the server:

(config)> add firewall web-filter server end


(config firewall web-filter server 0)>

ii. Set the server's IP address:

(config firewall web-filter server 0)> ip 208.67.222.220


(config firewall web-filter server 0)>

d. Add the second DNS server:


i. Move back one node in the configuration tree:

(config firewall web-filter server 0)> ..


(config firewall web-filter server)>

ii. Add the server:

(config firewall web-filter server)> add end


(config firewall web-filter server 1)>


iii. Set the server's IP address:

(config firewall web-filter server 1)> ip 208.67.222.222
(config firewall web-filter server 1)>

8. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

9. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Verify your web filtering configuration


If your web filtering implementation has the service set to Cisco Umbrella, or if it is configured to use
manual DNS servers and uses the Cisco open DNS servers, you can verify the web filtering
implementation by using the Cisco test site www.internetbadguys.com.
To verify the implementation:

 Web
This procedure assumes you have already configured web filtering to use either Cisco Umbrella or the
Cisco open DNS servers.
n See Configure web filtering with Cisco Umbrella for information about configuring web filtering
with Cisco Umbrella.
n See Configure web filtering with manual DNS servers for information about configuring web
filtering to use Cisco open DNS servers.

1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.


The Configuration window is displayed.


3. Disable web filtering:
a. Click Firewall > Web filtering service.
b. Click Enable web filtering to disable.

c. Click Apply to save the configuration and apply the change.


4. From a new tab in your browser, attempt to connect to the Cisco test
URL http://www.internetbadguys.com.
The connection should be successful.
5. Return to the Connect EZ 16/32 WebUI and enable web filtering:
a. Click Firewall > Web filtering service.
b. Click Enable web filtering to enable.
c. Click Apply to save the configuration and apply the change.
6. From your browser, attempt to connect to http://www.internetbadguys.com again.
The connection attempt should fail with the message, "This site is blocked due to a phishing
threat."

 Command line
This procedure assumes you have already configured web filtering to use either Cisco Umbrella or the
Cisco open DNS servers.
n See Configure web filtering with Cisco Umbrella for information about configuring web filtering
with Cisco Umbrella.
n See Configure web filtering with manual DNS servers for information about configuring web
filtering to use Cisco open DNS servers.

1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. Disable web filtering:

> config firewall web-filter enable false


>

3. Attempt to connect to the Cisco test URL http://www.internetbadguys.com by using either a
web browser or the curl command from a Linux shell:

$ curl -I http://www.internetbadguys.com
HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
Accept-Ranges: bytes
Date: Thu, Jan 11, 2024 12:10:00


X-Varnish: 4201397492
Age: 0
Via: 1.1 varnish
Connection: keep-alive

You should receive an "HTTP/1.1 200 OK" message, as highlighted above.


4. Return to the Admin CLI and enable web filtering:

> config firewall web-filter enable true


>

5. Attempt to connect to http://www.internetbadguys.com again:

$ curl -I www.internetbadguys.com
HTTP/1.1 403 Forbidden
Server: openresty/1.9.7.3
Date: Thu, Jan 11, 2024 12:10:00
Content-Type: text/html
Connection: keep-alive

You should receive an "HTTP/1.1 403 Forbidden" message, as highlighted above.

Show web filter service information


To view information about the web filter service:

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the Admin CLI prompt, use the show web-filter command to view information about the
web-filter service:

> show web-filter

Enabled : true
Service : umbrella
Device ID : 0004b5s63f5e2de7aa

>

If the device is configured to use Cisco Umbrella for web filtering, a device ID is displayed. The
device ID is a unique ID assigned to the device by Cisco Umbrella. If there is a problem with the
device ID, you can clear the ID. See Clear the Cisco Umbrella device ID for instructions.
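
The verification and status steps above can be turned into a repeatable check over captured output. The following is an added example, not Digi code: it parses saved `show web-filter` output and the two `curl -I` header captures (filtering off, filtering on) and reports anything that does not match what this chapter says to expect. The function names are the example's own; the sample text repeats the output printed in this chapter, trimmed.

```python
# Added example, not Digi code. Inputs are text captured from the commands
# shown in this chapter; function names are this example's own.
import re


def parse_show_web_filter(text):
    """Parse 'show web-filter' output into {lower-case field name: value}."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip().lower()] = value.strip()
    return fields


def http_status(curl_head_output):
    """Return the first HTTP status code in 'curl -I' output, or None."""
    for line in curl_head_output.splitlines():
        match = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})\b", line.strip())
        if match:
            return int(match.group(1))
    return None


def audit(show_output, head_filter_off, head_filter_on):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    state = parse_show_web_filter(show_output)
    if state.get("enabled") != "true":
        findings.append("web filtering is not enabled")
    # The guide says a device ID is displayed when the service is umbrella.
    if state.get("service") == "umbrella" and not state.get("device id"):
        findings.append("service is umbrella but no device ID is shown")
    off = http_status(head_filter_off)
    on = http_status(head_filter_on)
    if off != 200:
        findings.append(f"baseline request returned {off}, expected 200")
    if on != 403:
        findings.append(
            f"test site returned {on} with filtering on, expected 403; "
            "check that the client resolves DNS through this device")
    return findings


# Samples repeating the output printed in this chapter (headers trimmed).
SHOW_SAMPLE = """\
> show web-filter

 Enabled   : true
 Service   : umbrella
 Device ID : 0004b5s63f5e2de7aa
"""
HEAD_OFF = "HTTP/1.1 200 OK\nServer: Apache\nContent-Type: text/html; charset=UTF-8\n"
HEAD_ON = "HTTP/1.1 403 Forbidden\nServer: openresty/1.9.7.3\nContent-Type: text/html\n"

if __name__ == "__main__":
    print(audit(SHOW_SAMPLE, HEAD_OFF, HEAD_ON) or "web filtering verified")
```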



Containers
The Connect EZ 16/32 device includes support for LXC Linux containers. LXC containers are a
lightweight, operating system level method of virtualization that allows you to run one or more
isolated Linux instances on the same host using the host's Linux kernel.

Note Container support must be enabled in Digi Remote Manager. Contact your Digi sales
representative for information.

This chapter contains the following topics:

Use Digi Remote Manager to deploy and run containers
Upload a new LXC container
Configure a container
Starting and stopping the container
View the status of containers
Schedule a script to run in the container
Create a custom container


Use Digi Remote Manager to deploy and run containers


Note Container support must be enabled in Digi Remote Manager. Contact your Digi sales
representative for information.

1. In Remote Manager, create a Configuration template. See the Remote Manager User Guide for
instructions.
a. For the Settings step:
n Click Import from device and import settings from an appropriate device.
n Configure a script to run the container:
i. Click System.
ii. Click Scheduled tasks > Custom scripts.
iii. Click  to add a custom script.
iv. Click the Label checkbox and type an identifiable label for the script, for
example, StartContainerScript.
v. To ensure that the script is always running:
i. Click the Run mode checkbox and select Interval.
ii. Click the Interval checkbox and enter a very short interval (for example,
one minute).
iii. Click the Run single checkbox, and toggle on to enable.
This will configure the device to regularly check if the script is running, but
only run if it is currently not running.
vi. For Commands, type the command to run the script. The command will vary
depending on how you want to run the script, and what application you want
to run inside the script. For example, to run the ping command inside a
container, the command would be:

lxc container_name /bin/ping -c 30 1.1.1.1

b. For the Containers step:


i. Click  to add a container to the configuration.
If no containers have been uploaded, or if Click  to upload a container file.


i. Click Browse and select the container file.


ii. Type the Name of the container.
The Name entered here must be the same name as the container .tgz file. This is
absolutely necessary, otherwise the container file will not be properly configured
on the local devices.
iii. (Optional) Include a version number for the container.
iv. (Optional) Select the Device Type and Firmware Version that applies to the
container.
If set, these options will limit the container to only be included in Configuration
templates that match the specified device type and firmware version. If these are
left blank, the container can be included in any Configuration template.
v. Click Upload.
vi. Repeat to upload additional containers.
ii. Select one or more containers to add to the configuration.
iii. Click Done.
iv. Click Save.
v. Click Continue.


c. For the Automation step:


i. Click to toggle on Enable Scanning.
ii. Click to toggle on Remediate.
2. Run a manual configuration scan to apply the container and configuration settings to all
applicable devices.
3. Verify that the container is running on a device:
n To verify by using device metrics:
a. From the Remote Manager main menu, click  Management >  Devices.
b. Click the Device ID to open the device's Details page.
c. Click Metrics.
d. Information about configured containers is located under the Container Details
heading.

n To verify by using the Data streams page:


a. From the Remote Manager main menu, click  Management >  Data Streams.
b. Locate the container's data stream:
i. Click  to search using advance filtering.
ii. Click in the search text bar and select Device ID from the menu.

iii. Type the device ID and press the Enter key.


iv. Click in the search text bar again and select Stream ID from the menu.
v. Type container and press the Enter key.


vi. Click the Stream ID to view container status.

n To verify by using the show containers command on the local device:


a. From the Remote Manager main menu, click  Management >  Devices.
b. Select the device.
c. From the Actions menu, select  Open Console.
d. At the prompt, type show containers.

Use an automation to start the container


You can also use an automation to start a container:

1. Follow the steps in the previous procedure, except:


n For Run mode, select Manual.
n Do not set Interval or Run single.
2. Create an automation that uses a Command Line Interface step.
For the Command Line Message, use the system script start command, using the label
provided for the script in the previous procedure:

system script start StartContainerScript

Once the automation has been created, you can:


n Run the automation manually.


n Include the automation in a Configuration template as a post-remediation or post-scan step.
When creating or editing a Configuration template, at the Automation page:
1. For Post Remediation Options, click Run Automation and select the automation.
2. For On Successful Scan Options, click Run Automation and select the automation.
n Include a trigger for the automation.
When creating or editing an automation, at the Triggers page:
1. Click to enable Triggered to configure the automation to be triggered, either on a
schedule or by device activity.
a. To configure the script to be run on a schedule:
i. Click to enable By Schedule.
ii. Click Start Time.
iii. From the calendar provided, select the date and time that the script should be
started for the first time.
iv. By default, the script will run only once. Click to enable Repeat to configure
the script to run on a regular basis:

i. Type or select the number of times, and select the time period.
ii. (Optional) Click Until to select a date and time when the automation
schedule will stop repeating.
b. To configure the automation to be triggered by device activity, click to enable one
or more of the following:
l Run when a device enters the target scope
l Run when a device in the target scope enters a maintenance window
l Run when a device in the target scope leaves debug mode
Target scope refers to a device that either:
l Is a member of a group that was selected on the Target page.
l Has a tag that was selected on the Target page.
l Is one of the devices included on the Target page.

Upload a new LXC container

 Web
Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
1. From the main menu, click Status. Under Services, click Containers.
2. Click Upload New Container.


3. From your local file system, select the container file in *.tgz format.
You can download a simple example container file, test_lxc.tgz, from the Digi website.
4. Create Configuration is selected by default. This will create a configuration on the device for
the container when it is installed. If deselected, you will need to create the configuration
manually.
5. Click Apply.
6. If Create Configuration was deselected when the container was created, click  to go to the
container configuration.

See Configure a container for further information about configuring the container.

Configure a container
Required configuration items
n The following configuration options are completed automatically if Create Configuration was
selected when the container was created. See Upload a new LXC container for details:
l Name of the container.
l Enable the container.
l Whether or not the container should use the device's system libraries.
n Determine whether or not the device should include virtual networking capabilities.

Additional configuration items


n If virtual networking is enabled:
l The bridge to be used to provide network connectivity.
l A static IP address for the container.
l The network gateway.
n Serial ports on the device that the container will have access to.

 Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.


b. Click the Device ID.


c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click System > Containers.
4. For Add Container, type the name of the container and click .
The Container configuration window is displayed.

New containers are enabled by default. To disable, toggle off Enable.


5. Clone host system libraries is enabled by default. This allows the container to use the
device's system libraries.
6. Enable Virtual Network if the container should have network access:
a. Select a Network Bridge Device that will provide access to the container.
b. (Optional) Enter a static IP Address and netmask for the container. This must be a valid IP
address for the bridge, or, if left blank, a DHCP server can assign the container an IP
address.
c. (Optional) For Gateway, type the IP address of the network gateway.
7. Enable Start on boot to configure the container to start when the system boots.
a. For Restart timeout, set the amount of time to wait before restarting the container, if the
container ever stops. The default timeout of 0s means that if the container stops, it will
not be restarted.
Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the
format number{w|d|h|m|s}.
For example, to set Restart timeout to ten minutes, enter 10m or 600s.
8. (Optional) Type any Optional parameters for the container. Parameters are in the format
accepted by the lxc utility.

9. (Optional) Type a Working directory to configure an initial working directory for the
container. The directory is an absolute path within the container and must begin with "/". The
default is /.
10. (Optional) Click to expand Mounted directories to configure system directories that will be
mounted inside the container. Any mounted directories need to be accessible to a non-
privileged user.
a. For Add Directory, click .
b. For Directory, type the pathname of the directory to be mounted. The leading slash
should be removed, so for example to mount the /opt directory, type opt.
11. (Optional) Click to expand Serial ports to assign serial ports that the container will have
access to.
a. For Add Port, click .
b. For Port, select the serial port.
12. Click Apply to save the configuration and apply the change.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Create a new container:

(config)> add system container name


(config system container name)>

where name is the


4. New containers are enabled by default. To disable:

(config system container name)> enable false


(config system container name)>

5. By default, the container will use the device's system libraries. To disable:

(config system container name)> dal false


(config system container name)>

6. If the device will use virtual networking:


a. Enable virtual networking:

(config system container name)> network true


(config system container name)>

b. Set the network bridge device that will be used to provide network access:
i. Use the ? to determine the available bridges:

(config system container name)> bridge ?

Network Bridge Device: Containers require a bridge to access the network. Choose
which bridge to connect the container to.
Format:
hotspot_bridge
lan1
Current value:

(config system container name)>

ii. Set the bridge:

(config system container name)> bridge lan1


(config system container name)>

c. (Optional) Set the IP address and netmask for the container:

(config system container name)> address IP_address/netmask


(config system container name)>

d. (Optional) Set the IP address of the network gateway:

(config system container name)> gateway IP_address


(config system container name)>

7. To configure the container to start when the device boots:

(config system container name)> start_on_boot true


(config system container name)>

a. Set the amount of time to wait before restarting the container, if the container ever stops:

(config system container name)> restart_timeout value


(config system container name)>

where value is any number of weeks, days, hours, minutes, or seconds, and takes the
format number{w|d|h|m|s}.
For example, to set restart_timeout to ten minutes, enter either 10m or 600s:

(config system container name)> restart_timeout 600s


(config system container name)>

The default timeout of 0s means that if the container stops, it will not be restarted.
8. Type any optional parameters for the container:

(config system container name)> args parameters


(config system container name)>

Parameters are in the format accepted by the lxc utility.


9. (Optional) Set an initial working directory for the container.

(config system container name)> workdir /value


(config system container name)>

The directory is an absolute path within the container and must begin with "/". The default is /.
10. (Optional) Set any system directories that should be mounted inside the container. Any
mounted directories need to be accessible to a non-privileged user.
a. Add a system directory to be mounted:

(config system container name)> system_dirs directory


(config system container name)>

where directory is the pathname of the directory to be mounted. The leading slash should
be removed, so for example to mount the /opt directory, type opt.
b. Repeat for additional directories.
11. For Add Directory, click .
a. For Directory, type the pathname of the directory to be mounted. The leading slash
should be removed, so for example to mount the /opt directory, type opt.
12. (Optional) Assign serial ports that the container will have access to:
a. Determine available serial ports:

(config system container name)> ... serial

Serial

Additional Configuration
-------------------------------------------------------------------------------
port1 Port 1
...

(config system container name)>

b. Add the port:

(config system container name)> add ports end port1


(config system container name)>

13. Save the configuration and apply the change.

(config system container name)> save


Configuration saved.
>

14. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
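The value rules stated in the procedure above (restart_timeout format, workdir, system_dirs, address and gateway) can be checked before settings are pushed to devices. This is an added example, not Digi code: the dictionary layout is an assumption that reuses the CLI setting names from this page, the sample addresses are constructed, and the gateway-on-subnet and ".." checks are added assumptions rather than rules stated in this guide.

```python
import ipaddress
import re

# Seconds per unit for the number{w|d|h|m|s} format described above.
UNIT_SECONDS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}
_DURATION = re.compile(r"([0-9]+)([wdhms])")


def parse_timeout(value):
    """Convert a number{w|d|h|m|s} string to seconds; raise ValueError otherwise."""
    match = _DURATION.fullmatch(value)
    if match is None:
        raise ValueError(f"not in number{{w|d|h|m|s}} format: {value!r}")
    return int(match.group(1)) * UNIT_SECONDS[match.group(2)]


def lint_container(cfg):
    """Return (setting, message) pairs for values that break the documented rules."""
    findings = []
    # Containers require a bridge to access the network.
    if cfg.get("network") and not cfg.get("bridge"):
        findings.append(("bridge", "virtual networking is enabled but no bridge is set"))
    iface = None
    if cfg.get("address"):
        try:
            if "/" not in cfg["address"]:
                raise ValueError("netmask is missing")
            iface = ipaddress.ip_interface(cfg["address"])
        except ValueError as err:
            findings.append(("address", f"expected IP_address/netmask: {err}"))
    if cfg.get("gateway"):
        try:
            gateway = ipaddress.ip_address(cfg["gateway"])
            # Assumption: the gateway should sit on the container's own subnet.
            if iface is not None and gateway not in iface.network:
                findings.append(("gateway", f"{gateway} is not in {iface.network}"))
        except ValueError as err:
            findings.append(("gateway", str(err)))
    try:
        seconds = parse_timeout(cfg.get("restart_timeout", "0s"))
        if cfg.get("start_on_boot") and seconds == 0:
            findings.append(("restart_timeout",
                             "0s: the container is not restarted if it stops"))
    except ValueError as err:
        findings.append(("restart_timeout", str(err)))
    # The working directory is an absolute path inside the container.
    if not cfg.get("workdir", "/").startswith("/"):
        findings.append(("workdir", "must begin with '/'"))
    for directory in cfg.get("system_dirs", []):
        if directory.startswith("/"):
            findings.append(("system_dirs", f"{directory!r}: remove the leading slash"))
        elif ".." in directory.split("/"):
            # Assumption (added hardening): reject paths that climb upward.
            findings.append(("system_dirs", f"{directory!r}: contains '..'"))
    return findings


# Constructed sample settings, keyed by the CLI setting names used above.
GOOD_CFG = {
    "enable": True, "dal": True, "network": True, "bridge": "lan1",
    "address": "192.168.1.50/24", "gateway": "192.168.1.1",
    "start_on_boot": True, "restart_timeout": "10m",
    "workdir": "/", "system_dirs": ["opt"],
}
BAD_CFG = {
    "network": True, "address": "192.168.1.50/24", "gateway": "192.168.2.1",
    "restart_timeout": "10 minutes", "workdir": "data",
    "system_dirs": ["/opt", "opt/../etc"],
}

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CFG), ("bad", BAD_CFG)):
        print(label)
        for setting, message in lint_container(cfg):
            print(f"  {setting}: {message}")
```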

Starting and stopping the container


Container commands are not available from the Admin CLI. You must access the device shell in order
to run Python applications from the command line. See Authentication groups for information about
configuring authentication groups that include shell access.

Note Container support must be enabled in Digi Remote Manager. Contact your Digi sales
representative for information.

Starting the container


There are two methods to start containers:
- Non-persistent: Changes made to the container file system will be lost when the container is
stopped.
- Persistent: Changes made to the container file system will not be lost when the container is
stopped.

Starting a container in non-persistent mode


To start the container in non-persistent mode:

1. Select a device in Remote Manager that is configured to allow shell access to the admin user,
and click Actions > Open Console. Alternatively, log into the Connect EZ 16/32 local command
line as a user with shell access.
Depending on your device configuration, you may be presented with an Access selection
menu. Type shell to access the device shell.
2. At the shell prompt, type:

# lxc container_name
lxc #

where container_name is the name of the container as configured on the device. For example:

# lxc test_lxc
lxc #

This will start the container by using /bin/sh -l, which runs the shell and loads the shell profile. The
default shell profile includes an lxc # prompt.

Starting a container in persistent mode


To start the container in persistent mode, include the -p option at the command line. For example:

1. Select a device in Remote Manager that is configured to allow shell access to the admin user,
and click Actions > Open Console. Alternatively, log into the Connect EZ 16/32 local command
line as a user with shell access.
Depending on your device configuration, you may be presented with an Access selection
menu. Type shell to access the device shell.

2. At the shell prompt, type:

# lxc test_lxc -p
lxc #

This will start the container by using /bin/sh -l, which runs the shell and loads the shell profile. The
default shell profile includes an lxc # prompt.

Starting a container by including an executable


You can supply an executable to run when you start the container, along with any parameters. If you
don't supply a parameter, the default behavior is to run the executable by using /bin/sh -l, which runs
the shell and loads the shell profile. This is useful when you use the Clone DAL option when
uploading the container, which includes the device's system libraries. In this case, the command
without any additional parameters will use the device's shell. See Upload a new LXC container for
more information.
For example, to start a container and run a Python script called my_python_script.py in the default
shell, type:

# lxc test_lxc /usr/bin/python3 /usr/bin/my_python_script.py

This will run the script from /usr/bin inside the container. If you have /usr/bin/my_python_script.py
on your device's native system, it will be ignored.

Stopping the container


1. Select a device in Remote Manager that is configured to allow shell access to the admin user,
and click Actions > Open Console. Alternatively, log into the Connect EZ 16/32 local command
line as a user with shell access.
Depending on your device configuration, you may be presented with an Access selection
menu. Type shell to access the device shell.
2. At the lxc shell prompt, type:

lxc # exit
#

View the status of containers

 Web
Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
1. From the main menu, click Status. Under Services, click Containers.
The Containers status page is displayed.

 Command line

Show status of all containers


Use the show containers command with no additional arguments to show the status of all containers
on the system:

1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the prompt, type:

> show containers

Container  Configured  Enabled  State
---------  ----------  -------  -----------------
mytest1    True        enabled  STOPPED
test_lxc   True        enabled  RUNNING PID 19327
>

3. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Show status of a specific container


Use the show containers container name command to show the status of the specified container:

1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the prompt, type:

> show containers container test_lxc

Container  Configured  Enabled  State
---------  ----------  -------  -----------------
test_lxc   True        enabled  RUNNING PID 19327

>

3. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Schedule a script to run in the container


This simple example will:

1. Start the container in non-persistent mode.


2. Execute a ping command every ten seconds from inside the container.

 Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click System > Scheduled tasks > Custom scripts.
4. For Add Script, click .

The script configuration window is displayed.

5. (Optional) For Label, type container_script.


6. For Run mode, select Interval.
7. For Interval, type 10s.
8. For Commands, type the following:

lxc container_name /bin/ping -c 1 IP_address

For example:

lxc test_lxc /bin/ping -c 1 192.168.1.146

9. Click to disable Sandbox. Sandbox restrictions are not necessary when a container is used.
10. Click Apply to save the configuration and apply the change.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Add a script:

(config)> add system schedule script end


(config system schedule script 0)>

4. Provide a label for the script, for example:

(config system schedule script 0)> label test_lxc


(config system schedule script 0)>

5. Set the mode to interval:

(config system schedule script 0)> when interval


(config system schedule script 0)>

6. Set the interval to ten seconds:

(config system schedule script 0)> on_interval 10s


(config system schedule script 0)>

7. Set the commands that will execute the script:

(config system schedule script 0)> commands "lxc script_name /bin/ping -c 1 IP_address"
(config system schedule script 0)>

For example:

(config system schedule script 0)> commands "lxc test_lxc /bin/ping -c 1 192.168.1.146"
(config system schedule script 0)>

8. Disable the sandbox. Sandbox restrictions are not necessary when a container is used.

(config system schedule script 0)> sandbox false


(config system schedule script 0)>

9. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

10. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Create a custom container


This example creates a simple custom container that contains a python script in the /etc directory.
In this example, we will use a simple container file named test_lxc.tgz. You can download test_lxc.tgz
from the Digi website.
At the command line of a Linux host, we will unpack the file, add a simple python script, and create a
new container file that includes the python script.

Create the custom container file


1. At the command line of a Linux host, unpack the test_lxc.tgz file:

$ tar -xvf test_lxc.tgz
rootfs/
rootfs/usr/
rootfs/etc/
rootfs/etc/group
rootfs/etc/profile
rootfs/etc/passwd
rootfs/tmp/
$

2. Change to the rootfs/etc directory:

$ cd rootfs/etc
$

3. Create a file named test.py with the following contents:

print("Hello world.\n")

4. Change directories to leave the container file structure:

$ cd ../..

5. Change user and group permissions on all files in the container file structure:

$ sudo chown -R 165536 rootfs
$ sudo chgrp -R 165536 rootfs

6. Tar and zip the directory structure to create a new container file:

$ sudo tar -czvf python_lxc.tgz rootfs

If using macOS, include the --disable-copyfile option with this command:

$ sudo tar --disable-copyfile -czvf python_lxc.tgz rootfs
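Before uploading a container file built this way, it is worth confirming that the archive contains only what the steps above produce. The following added example (not Digi code) audits a .tgz for entries outside rootfs/, path traversal, and ownership other than the 165536 uid/gid applied in step 5; the setuid/setgid, device-node and link-target checks are added hardening assumptions, and the sample archives are constructed in memory.

```python
import io
import posixpath
import stat
import tarfile

EXPECTED_ID = 165536   # uid/gid applied by the chown/chgrp step above
ROOT = "rootfs"        # top-level directory of the container file


def _inside_root(path):
    return path == ROOT or path.startswith(ROOT + "/")


def audit_container(fileobj):
    """Return (member name, finding) pairs; an empty list means a clean archive."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:gz") as tar:
        for member in tar.getmembers():
            name = member.name
            norm = posixpath.normpath(name)
            # Absolute names and leading ".." would be written outside the
            # unpack directory by whatever extracts the archive.
            if name.startswith("/") or norm == ".." or norm.startswith("../"):
                findings.append((name, "escapes-archive"))
                continue
            if not _inside_root(norm):
                findings.append((name, "outside-rootfs"))
            if member.uid != EXPECTED_ID or member.gid != EXPECTED_ID:
                findings.append((name, "owner"))
            # Assumption (added hardening): no setuid/setgid files or device nodes.
            if member.mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((name, "setid"))
            if member.ischr() or member.isblk():
                findings.append((name, "device-node"))
            # Hard links and relative symlinks must resolve inside rootfs/.
            target = None
            if member.islnk():
                target = posixpath.normpath(member.linkname)
            elif member.issym() and not member.linkname.startswith("/"):
                target = posixpath.normpath(
                    posixpath.join(posixpath.dirname(norm), member.linkname))
            if target is not None and not _inside_root(target):
                findings.append((name, "link-escape"))
    return findings


def build_sample(entries):
    """Build an in-memory .tgz from (name, type, uid, mode, linkname) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, kind, uid, mode, linkname in entries:
            info = tarfile.TarInfo(name)
            info.type, info.mode, info.linkname = kind, mode, linkname
            info.uid = info.gid = uid
            if kind == tarfile.REGTYPE:
                data = b'print("Hello world.\\n")\n'
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
            else:
                tar.addfile(info)
    buf.seek(0)
    return buf


D, F, L = tarfile.DIRTYPE, tarfile.REGTYPE, tarfile.SYMTYPE
# Constructed sample: the layout listed in step 1 plus the added test.py.
GOOD = [
    ("rootfs", D, EXPECTED_ID, 0o755, ""),
    ("rootfs/usr", D, EXPECTED_ID, 0o755, ""),
    ("rootfs/etc", D, EXPECTED_ID, 0o755, ""),
    ("rootfs/etc/group", F, EXPECTED_ID, 0o644, ""),
    ("rootfs/etc/profile", F, EXPECTED_ID, 0o644, ""),
    ("rootfs/etc/passwd", F, EXPECTED_ID, 0o644, ""),
    ("rootfs/etc/test.py", F, EXPECTED_ID, 0o644, ""),
    ("rootfs/tmp", D, EXPECTED_ID, 0o1777, ""),
]
# Constructed sample with one problem per entry.
BAD = GOOD[:3] + [
    ("rootfs/etc/test.py", F, 1000, 0o644, ""),         # chown/chgrp step skipped
    ("rootfs/usr/su", F, EXPECTED_ID, 0o4755, ""),      # setuid file
    ("../etc/cron.d/job", F, EXPECTED_ID, 0o644, ""),   # path traversal
    ("rootfs/etc/hosts", L, EXPECTED_ID, 0o777, "../../../etc/hosts"),
]

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("bad", BAD)):
        print(label, audit_container(build_sample(sample)))
```

To audit a real container file, pass it opened in binary mode, for example `audit_container(open("python_lxc.tgz", "rb"))`.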

Test the custom container file


1. Add the new container to your Connect EZ 16/32 device:
Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
a. From the main menu, click Status. Under Services, click Containers.
b. Click Upload New Container.
c. From your local file system, select the container file.
You can download a simple example container file, test_lxc.tgz, from the Digi website.
d. Create Configuration is selected by default. This will create a configuration on the device
for the container when it is installed. If deselected, you will need to create the
configuration manually.
e. Click Apply.
2. Select a device in Remote Manager that is configured to allow shell access to the admin user,
and click Actions > Open Console. Alternatively, log into the Connect EZ 16/32 local command
line as a user with shell access.
Depending on your device configuration, you may be presented with an Access selection
menu. Type shell to access the device shell.

3. At the shell prompt, type:

# lxc python_lxc
lxc #

4. Execute the python command:

lxc # python /etc/test.py


Hello world.
lxc #


Containers
The Connect EZ 16/32 device includes support for LXC Linux containers. LXC containers are a
lightweight, operating system level method of virtualization that allows you to run one or more
isolated Linux instances on the same host using the host's Linux kernel.

Note Container support must be enabled in Digi Remote Manager. Contact your Digi sales
representative for information.

This chapter contains the following topics:

Use Digi Remote Manager to deploy and run containers
Upload a new LXC container
Configure a container
Starting and stopping the container
View the status of containers
Schedule a script to run in the container
Create a custom container

Use Digi Remote Manager to deploy and run containers


Note Container support must be enabled in Digi Remote Manager. Contact your Digi sales
representative for information.

1. In Remote Manager, create a Configuration template. See the Remote Manager User Guide for
instructions.
a. For the Settings step:
- Click Import from device and import settings from an appropriate device.
- Configure a script to run the container:
i. Click System.
ii. Click Scheduled tasks > Custom scripts.
iii. Click  to add a custom script.
iv. Click the Label checkbox and type an identifiable label for the script, for
example, StartContainerScript.
v. To ensure that the script is always running:
i. Click the Run mode checkbox and select Interval.
ii. Click the Interval checkbox and enter a very short interval (for example,
one minute).
iii. Click the Run single checkbox, and toggle on to enable.
This will configure the device to regularly check if the script is running, but
only run if it is currently not running.
vi. For Commands, type the command to run the script. The command will vary
depending on how you want to run the script, and what application you want
to run inside the script. For example, to run the ping command inside a
container, the command would be:

lxc container_name /bin/ping -c 30 1.1.1.1

b. For the Containers step:


i. Click  to add a container to the configuration.
If no containers have been uploaded, or if Click  to upload a container file.

i. Click Browse and select the container file.


ii. Type the Name of the container.
The Name entered here must be the same name as the container .tgz file. This is
absolutely necessary, otherwise the container file will not be properly configured
on the local devices.
iii. (Optional) Include a version number for the container.
iv. (Optional) Select the Device Type and Firmware Version that applies to the
container.
If set, these options will limit the container to only be included in Configuration
templates that match the specified device type and firmware version. If these are
left blank, the container can be included in any Configuration template.
v. Click Upload.
vi. Repeat to upload additional containers.
ii. Select one or more containers to add to the configuration.
iii. Click Done.
iv. Click Save.
v. Click Continue.

c. For the Automation step:


i. Click to toggle on Enable Scanning.
ii. Click to toggle on Remediate.
2. Run a manual configuration scan to apply the container and configuration settings to all
applicable devices.
3. Verify that the container is running on a device:
- To verify by using device metrics:
a. From the Remote Manager main menu, click  Management >  Devices.
b. Click the Device ID to open the device's Details page.
c. Click Metrics.
d. Information about configured containers is located under the Container Details
heading.

- To verify by using the Data streams page:


a. From the Remote Manager main menu, click  Management >  Data Streams.
b. Locate the container's data stream:
i. Click  to search using advanced filtering.
ii. Click in the search text bar and select Device ID from the menu.

iii. Type the device ID and press the Enter key.


iv. Click in the search text bar again and select Stream ID from the menu.
v. Type container and press the Enter key.

vi. Click the Stream ID to view container status.

- To verify by using the show containers command on the local device:


a. From the Remote Manager main menu, click  Management >  Devices.
b. Select the device.
c. From the Actions menu, select  Open Console.
d. At the prompt, type show containers.

Use an automation to start the container


You can also use an automation to start a container:

1. Follow the steps in the previous procedure, except:


- For Run mode, select Manual.
- Do not set Interval or Run single.
2. Create an automation that uses a Command Line Interface step.
For the Command Line Message, use the system script start command, using the label
provided for the script in the previous procedure:

system script start StartContainerScript

Once the automation has been created, you can:

- Run the automation manually.
- Include the automation in a Configuration template as a post-remediation or post-scan step.
When creating or editing a Configuration template, at the Automation page:
1. For Post Remediation Options, click Run Automation and select the automation.
2. For On Successful Scan Options, click Run Automation and select the automation.
- Include a trigger for the automation.
When creating or editing an automation, at the Triggers page:
1. Click to enable Triggered to configure the automation to be triggered, either on a
schedule or by device activity.
a. To configure the script to be run on a schedule:
i. Click to enable By Schedule.
ii. Click Start Time.
iii. From the calendar provided, select the date and time that the script should be
started for the first time.
iv. By default, the script will run only once. Click to enable Repeat to configure
the script to run on a regular basis:

i. Type or select the number of times, and select the time period.
ii. (Optional) Click Until to select a date and time when the automation
schedule will stop repeating.
b. To configure the automation to be triggered by device activity, click to enable one
or more of the following:
- Run when a device enters the target scope
- Run when a device in the target scope enters a maintenance window
- Run when a device in the target scope leaves debug mode
Target scope refers to a device that either:
- Is a member of a group that was selected on the Target page.
- Has a tag that was selected on the Target page.
- Is one of the devices included on the Target page.

Upload a new LXC container

 Web
Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
1. From the main menu, click Status. Under Services, click Containers.
2. Click Upload New Container.

3. From your local file system, select the container file in *.tgz format.
You can download a simple example container file, test_lxc.tgz, from the Digi website.
4. Create Configuration is selected by default. This will create a configuration on the device for
the container when it is installed. If deselected, you will need to create the configuration
manually.
5. Click Apply.
6. If Create Configuration was deselected when the container was created, click  to go to the
container configuration.

See Configure a container for further information about configuring the container.

Configure a container
Required configuration items
- The following configuration options are completed automatically if Create Configuration was
selected when the container was created. See Upload a new LXC container for details:
  - Name of the container.
  - Enable the container.
  - Whether or not the container should use the device's system libraries.
- Determine whether or not the device should include virtual networking capabilities.

Additional configuration items


- If virtual networking is enabled:
  - The bridge to be used to provide network connectivity.
  - A static IP address for the container.
  - The network gateway.
- Serial ports on the device that the container will have access to.

 Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.

b. Click the Device ID.


c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click System > Containers.
4. For Add Container, type the name of the container and click .
The Container configuration window is displayed.

New containers are enabled by default. To disable, toggle off Enable.


5. Clone host system libraries is enabled by default. This allows the container to use the
device's system libraries.
6. Enable Virtual Network if the container should have network access:
a. Select a Network Bridge Device that will provide access to the container.
b. (Optional) Enter a static IP Address and netmask for the container. This must be a valid IP
address for the bridge, or, if left blank, a DHCP server can assign the container an IP
address.
c. (Optional) For Gateway, type the IP address of the network gateway.
7. Enable Start on boot to configure the container to start when the system boots.
a. For Restart timeout, set the amount of time to wait before restarting the container, if the
container ever stops. The default timeout of 0s means that if the container stops, it will
not be restarted.
Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the
format number{w|d|h|m|s}.
For example, to set Restart timeout to ten minutes, enter 10m or 600s.
8. (Optional) Type any Optional parameters for the container. Parameters are in the format
accepted by the lxc utility.

9. (Optional) Type a Working directory to configure an initial working directory for the
container. The directory is an absolute path within the container and must begin with "/". The
default is /.
10. (Optional) Click to expand Mounted directories to configure system directories that will be
mounted inside the container. Any mounted directories need to be accessible to a non-
privileged user.
a. For Add Directory, click .
b. For Directory, type the pathname of the directory to be mounted. The leading slash
should be removed, so for example to mount the /opt directory, type opt.
11. (Optional) Click to expand Serial ports to assign serial ports that the container will have
access to.
a. For Add Port, click .
b. For Port, select the serial port.
12. Click Apply to save the configuration and apply the change.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Create a new container:

(config)> add system container name


(config system container name)>

where name is the


4. New containers are enabled by default. To disable:

(config system container name)> enable false


(config system container name)>

5. By default, the container will use the device's system libraries. To disable:

(config system container name)> dal false


(config system container name)>

6. If the device will use virtual networking:


a. Enable virtual networking:

(config system container name)> network true


(config system container name)>

b. Set the network bridge device that will be used to provide network access:
i. Use the ? to determine the available bridges:

(config system container name)> bridge ?

Network Bridge Device: Containers require a bridge to access the network. Choose
which bridge to connect the container to.
Format:
hotspot_bridge
lan1
Current value:

(config system container name)>

ii. Set the bridge:

(config system container name)> bridge lan1


(config system container name)>

c. (Optional) Set the IP address and netmask for the container:

(config system container name)> address IP_address/netmask


(config system container name)>

d. (Optional) Set the IP address of the network gateway:

(config system container name)> gateway IP_address


(config system container name)>

7. To configure the container to start when the device boots:

(config system container name)> start_on_boot true


(config system container name)>

a. Set the amount of time to wait before restarting the container, if the container ever stops:

(config system container name)> restart_timeout value


(config system container name)>

where value is any number of weeks, days, hours, minutes, or seconds, and takes the
format number{w|d|h|m|s}.
For example, to set restart_timeout to ten minutes, enter either 10m or 600s:

(config system container name)> restart_timeout 600s


(config system container name)>

The default timeout of 0s means that if the container stops, it will not be restarted.
8. Type any optional parameters for the container:

(config system container name)> args parameters


(config system container name)>

Parameters are in the format accepted by the lxc utility.


9. (Optional) Set an initial working directory for the container.

(config system container name)> workdir /value


(config system container name)>

The directory is an absolute path within the container and must begin with "/". The default is /.
10. (Optional) Set any system directories that should be mounted inside the container. Any
mounted directories need to be accessible to a non-privileged user.
a. Add a system directory to be mounted:

(config system container name)> system_dirs directory


(config system container name)>

where directory is the pathname of the directory to be mounted. The leading slash should
be removed, so for example to mount the /opt directory, type opt.
b. Repeat for additional directories.
11. For Add Directory, click .
a. For Directory, type the pathname of the directory to be mounted. The leading slash
should be removed, so for example to mount the /opt directory, type opt.
12. (Optional) Assign serial ports that the container will have access to:
a. Determine available serial ports:

(config system container name)> ... serial

Serial

Additional Configuration
-------------------------------------------------------------------------------
port1 Port 1
...

(config system container name)>

b. Add the port:

(config system container name)> add ports end port1


(config system container name)>

13. Save the configuration and apply the change.

(config system container name)> save


Configuration saved.
>

14. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.


Starting and stopping the container


Container commands are not available from the Admin CLI. You must access the device shell in order
to run Python applications from the command line. See Authentication groups for information about
configuring authentication groups that include shell access.

Note Container support must be enabled in Digi Remote Manager. Contact your Digi sales
representative for information.

Starting the container


There are two methods to start containers:
- Non-persistent: Changes made to the container file system will be lost when the container is
stopped.
- Persistent: Changes made to the container file system will not be lost when the container is
stopped.

Starting a container in non-persistent mode


To start the container in non-persistent mode:

1. Select a device in Remote Manager that is configured to allow shell access to the admin user,
and click Actions > Open Console. Alternatively, log into the Connect EZ 16/32 local command
line as a user with shell access.
Depending on your device configuration, you may be presented with an Access selection
menu. Type shell to access the device shell.
2. At the shell prompt, type:

# lxc container_name
lxc #

where container_name is the name of the container as configured on the device. For example:

# lxc test_lxc
lxc #

This will start the container by using /bin/sh -l, which runs the shell and loads the shell profile. The
default shell profile includes an lxc # prompt.

Starting a container in persistent mode


To start the container in persistent mode, include the -p option at the command line. For example:

1. Select a device in Remote Manager that is configured to allow shell access to the admin user,
and click Actions > Open Console. Alternatively, log into the Connect EZ 16/32 local command
line as a user with shell access.
Depending on your device configuration, you may be presented with an Access selection
menu. Type shell to access the device shell.


2. At the shell prompt, type:

# lxc test_lxc -p
lxc #

This will start the container by using /bin/sh -l, which runs the shell and loads the shell profile. The
default shell profile includes an lxc # prompt.

Starting a container by including an executable


You can supply an executable to run when you start the container, along with any parameters. If you
don't supply a parameter, the default behavior is to run the executable by using /bin/sh -l, which runs
the shell and loads the shell profile. This is useful when you use the Clone DAL option when
uploading the container, which includes the device's system libraries. In this case, the command
without any additional parameters will use the device's shell. See Upload a new LXC container for
more information.
For example, to start a container and run a Python script called my_python_script.py in the default
shell, type:

# lxc test_lxc /usr/bin/python3 /usr/bin/my_python_script.py

This will run the script from /usr/bin inside the container. If you have /usr/bin/my_python_script.py
on your device's native system, it will be ignored.

Stopping the container


1. Select a device in Remote Manager that is configured to allow shell access to the admin user,
and click Actions > Open Console. Alternatively, log into the Connect EZ 16/32 local command
line as a user with shell access.
Depending on your device configuration, you may be presented with an Access selection
menu. Type shell to access the device shell.
2. At the lxc shell prompt, type:

lxc # exit
#

View the status of containers

Web
Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
1. From the main menu, click Status. Under Services, click Containers.
The Containers status page is displayed.

Command line

Show status of all containers


Use the show containers command with no additional arguments to show the status of all containers
on the system:

1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the prompt, type:

> show containers

Container  Configured  Enabled  State
---------  ----------  -------  -----------------
mytest1    True        enabled  STOPPED
test_lxc   True        enabled  RUNNING PID 19327
>

3. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Show status of a specific container


Use the show containers container name command to show the status of the specified container:

1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the prompt, type:

> show containers container test_lxc

Container  Configured  Enabled  State
---------  ----------  -------  -----------------
test_lxc   True        enabled  RUNNING PID 19327

>

3. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Schedule a script to run in the container


This simple example will:

1. Start the container in non-persistent mode.


2. Execute a ping command every ten seconds from inside the container.

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click System > Scheduled tasks > Custom scripts.
4. For Add Script, click .

The script configuration window is displayed.


5. (Optional) For Label, type container_script.


6. For Run mode, select Interval.
7. For Interval, type 10s.
8. For Commands, type the following:

lxc container_name /bin/ping -c 1 IP_address

For example:

lxc test_lxc /bin/ping -c 1 192.168.1.146

9. Click to disable Sandbox. Sandbox restrictions are not necessary when a container is used.
10. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Add a script:

(config)> add system schedule script end


(config system schedule script 0)>

4. Provide a label for the script, for example:

(config system schedule script 0)> label test_lxc


(config system schedule script 0)>

5. Set the mode to interval:

(config system schedule script 0)> when interval


(config system schedule script 0)>


6. Set the interval to ten seconds:

(config system schedule script 0)> on_interval 10s


(config system schedule script 0)>

7. Set the commands that will execute the script:

(config system schedule script 0)> commands "lxc container_name /bin/ping -c 1 IP_address"
(config system schedule script 0)>

For example:

(config system schedule script 0)> commands "lxc test_lxc /bin/ping -c 1 192.168.1.146"
(config system schedule script 0)>

8. Disable the sandbox. Sandbox restrictions are not necessary when a container is used.

(config system schedule script 0)> sandbox false


(config system schedule script 0)>

9. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

10. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Create a custom container


This example creates a simple custom container that contains a python script in the /etc directory.
In this example, we will use a simple container file named test_lxc.tgz. You can download test_lxc.tgz
from the Digi website.
At the command line of a Linux host, we will unpack the file, add a simple python script, and create a
new container file that includes the python script.

Create the custom container file


1. At the command line of a Linux host, unpack the test_lxc.tgz file:

$ tar -xvf test_lxc.tgz
rootfs/
rootfs/usr/
rootfs/etc/
rootfs/etc/group
rootfs/etc/profile
rootfs/etc/passwd
rootfs/tmp/
$

2. Change to the rootfs/etc directory:

$ cd rootfs/etc
$

3. Create a file named test.py with the following contents:

print("Hello world.\n")

4. Change directories to leave the container file structure:

$ cd ../..

5. Change user and group permissions on all files in the container file structure:

$ sudo chown -R 165536 rootfs


$ sudo chgrp -R 165536 rootfs

6. Tar and zip the directory structure to create a new container file:

$ sudo tar -czvf python_lxc.tgz rootfs

If using macOS, include the --disable-copyfile option with this command:

$ sudo tar --disable-copyfile -czvf python_lxc.tgz rootfs
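
Before uploading the new container file, it is worth confirming that the archive has the layout and ownership the steps above produce. The following Python script is an added example, not part of the Digi guide or tooling: it audits a .tgz for entries outside rootfs/, owners other than 165536, macOS AppleDouble files (what --disable-copyfile prevents), setuid/setgid files, and device nodes. The function names and the in-memory sample archives are constructed for illustration.

```python
import io
import stat
import tarfile

EXPECTED_ID = 165536   # UID/GID applied by the chown/chgrp steps on this page
ROOT = "rootfs"        # top-level directory seen in test_lxc.tgz


def audit_container_archive(fileobj):
    """Return a list of findings for a gzip-compressed container archive."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:gz") as tar:
        for member in tar:          # metadata only; nothing is extracted
            name = member.name
            parts = name.split("/")
            if name.startswith("/") or ".." in parts or parts[0] != ROOT:
                findings.append(f"{name}: path is outside {ROOT}/")
            if (member.uid, member.gid) != (EXPECTED_ID, EXPECTED_ID):
                findings.append(
                    f"{name}: owned by {member.uid}:{member.gid}, "
                    f"expected {EXPECTED_ID}:{EXPECTED_ID}")
            if parts[-1].startswith("._"):
                findings.append(f"{name}: AppleDouble file (macOS tar run "
                                "without --disable-copyfile)")
            if member.isfile() and member.mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append(f"{name}: setuid/setgid bit set")
            if member.ischr() or member.isblk():
                findings.append(f"{name}: device node")
            if member.islnk() and not member.linkname.startswith(ROOT + "/"):
                findings.append(f"{name}: hard link target outside {ROOT}/")
    return findings


def build_sample(entries):
    """Build a constructed .tgz in memory from (name, owner, mode, type)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, owner, mode, kind in entries:
            info = tarfile.TarInfo(name)
            info.uid = info.gid = owner
            info.mode, info.type = mode, kind
            if kind == tarfile.REGTYPE:
                data = b'print("Hello world.\\n")\n'
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
            else:
                tar.addfile(info)
    buf.seek(0)
    return buf


D, F = tarfile.DIRTYPE, tarfile.REGTYPE
# Constructed sample: what the procedure on this page should produce.
GOOD_ENTRIES = [
    ("rootfs", EXPECTED_ID, 0o755, D),
    ("rootfs/etc", EXPECTED_ID, 0o755, D),
    ("rootfs/etc/test.py", EXPECTED_ID, 0o644, F),
]
# Constructed sample: chown skipped for one file, a macOS metadata file,
# and an unexpected setuid helper.
BAD_ENTRIES = [
    ("rootfs", EXPECTED_ID, 0o755, D),
    ("rootfs/etc/test.py", 1000, 0o644, F),
    ("rootfs/etc/._test.py", EXPECTED_ID, 0o644, F),
    ("rootfs/usr/helper", EXPECTED_ID, 0o4755, F),
]

if __name__ == "__main__":
    for label, entries in (("good", GOOD_ENTRIES), ("bad", BAD_ENTRIES)):
        print(label, audit_container_archive(build_sample(entries)))
```

To audit a real file, pass an open binary handle, for example `audit_container_archive(open("python_lxc.tgz", "rb"))`.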

Test the custom container file


1. Add the new container to your Connect EZ 16/32 device:
Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
a. From the main menu, click Status. Under Services, click Containers.
b. Click Upload New Container.
c. From your local file system, select the container file.
You can download a simple example container file, test_lxc.tgz, from the Digi website.
d. Create Configuration is selected by default. This will create a configuration on the device
for the container when it is installed. If deselected, you will need to create the
configuration manually.
e. Click Apply.
2. Select a device in Remote Manager that is configured to allow shell access to the admin user,
and click Actions > Open Console. Alternatively, log into the Connect EZ 16/32 local command
line as a user with shell access.
Depending on your device configuration, you may be presented with an Access selection
menu. Type shell to access the device shell.


3. At the shell prompt, type:

# lxc python_lxc
lxc #

4. Execute the python command:

lxc # python /etc/test.py


Hello world.
lxc #



System administration
This chapter contains the following topics:

Review device status
Configure system information
Update system firmware
Update cellular module firmware
External storage
Reboot your Connect EZ 16/32 device
Erase device configuration and reset to factory defaults
Locate the device by using the Find Me feature
Enable FIPS mode
Configuration files
Schedule system maintenance tasks
Disable device encryption
Configure the speed of your Ethernet ports
Watchdog service
Configure the Watchdog service
View Watchdog metrics


Review device status


You can review the status of your device from either the Status page of the Web interface or from
the command line:

Web
To display system information:
Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
1. On the main menu, click Status.
A secondary menu appears, along with a status panel.
2. On the secondary menu, click to display the details panel for the status you want to view.

Command line
To display system information, use the show system command.
- Show basic system information:
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access
selection menu. Type admin to access the Admin CLI.
2. Enter show system at the prompt:

> show system

Model                    : Digi Connect EZ 16/32
Serial Number            : Connect EZ 16/32xxxxxxxxyyyyxx
SKU                      : Connect EZ 16/32
Hostname                 : Connect EZ 16/32
MAC Address              : DF:DD:E2:AE:21:18

Hardware Version         : 50001947-01 1P
Firmware Version         : 24.9
Alt. Firmware Version    : 24.9
Alt. Firmware Build Date : Fri, Jan 12, 2024 12:10:00
Bootloader Version       : 19.7.23.0-15f936e0ed

Current Time             : Thu, Jan 11, 2024 12:10:00 +0000
CPU                      : 1.4%
Uptime                   : 6 days, 6 hours, 21 minutes, 57 seconds (541317s)
Temperature              : 40C
Location                 :
Contact                  :

>

- Show more detailed system information:


1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access
selection menu. Type admin to access the Admin CLI.
2. Enter show system verbose at the prompt:

> show system verbose

Model                    : Digi Connect EZ 16/32
Serial Number            : Connect EZ 16/32xxxxxxxxyyyyxx
SKU                      : Connect EZ 16/32
Hostname                 : Connect EZ 16/32
MAC Address              : DF:DD:E2:AE:21:18

Hardware Version         : 50001947-01 1P
Firmware Version         : 24.9
Alt. Firmware Version    : 24.9
Alt. Firmware Build Date : Fri, Jan 12, 2024 12:10:00
Bootloader Version       : 19.7.23.0-15f936e0ed
Schema Version           : 715

Timezone                 : UTC
Current Time             : Thu, Jan 11, 2024 12:10:00 +0000
CPU                      : 1.4%
Uptime                   : 6 days, 6 hours, 21 minutes, 57 seconds (541317s)
Load Average             : 0.01, 0.03, 0.02
RAM Usage                : 119.554MB/1878.984MB(6%)
Temperature              : 40C
Location                 :
Contact                  :
Disk
----
Disk /etc/config Usage   : 18.421MB/4546.371MB(0%)
Disk /var/log_mnt Usage  : 0.104MB/14.868MB(1%)
Disk /opt Usage          : 215.739MB/458.328MB(50%)
Disk /tmp Usage          : 0.003MB/120.0MB(0%)
Disk /var Usage          : 0.816MB/32.0MB(3%)

>

Configure system information


You can configure information related to your Connect EZ 16/32 device, such as providing a name and
location for the device.


Configuration items
- A name for the device.
- The name of a contact for the device.
- The location of the device.
- A description of the device.
- A banner that will be displayed when users access terminal services on the device.
To enter system information:

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click System.
4. For Name, type a name for the device. This name will appear in log messages and at the
command prompt.
5. For Contact, type the name of a contact for the device.
6. For Location, type the location of the device.
7. For Banner, type a banner message that will be displayed when users log into terminal
services on the device.
8. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.


Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Set a name for the device. This name will appear in log messages and at the command prompt.

(config)> system name 192.168.3.1


192.168.3.1(config)>

4. Set the contact for the device:

192.168.3.1(config)> system contact "Jane User"


192.168.3.1(config)>

5. Set the location for the device:

192.168.3.1(config)> system location "9350 Excelsior Blvd., Suite 700, Hopkins, MN"
192.168.3.1(config)>

6. Set the banner for the device. This is displayed when users access terminal services on the
device.

192.168.3.1(config)> system banner "Welcome to the Digi Connect EZ 16/32."
192.168.3.1(config)>

7. Save the configuration and apply the change.

192.168.3.1(config)> save
Configuration saved.
192.168.3.1>

8. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Update system firmware


The Connect EZ 16/32 operating system firmware images consist of a single file with the following
naming convention:
platform-version.bin
For example, Connect EZ 16/32-24.9.bin.

Manage firmware updates using Digi Remote Manager


If you have a network of many devices, you can use Digi Remote Manager Profiles to manage
firmware updates. Profiles ensure all your devices are running the correct firmware version and that
all newly installed devices are updated to that same version. For more information, see the Profiles
section of the Digi Remote Manager User Guide.

Certificate management for firmware images


The system firmware files are signed to ensure that only Digi-approved firmware loads onto the device.
The Connect EZ 16/32 device validates the system firmware image as part of the update process and
only successfully updates if the system firmware image can be authenticated.

Downgrading
Downgrading to an earlier release of the firmware may result in the device configuration being erased.

Downgrading from firmware version 22.2.9.x


Beginning with firmware version 22.2.9.x, the Connect EZ 16/32 device uses certificate-based
communication for enhanced security when connecting to Digi Remote Manager. If you downgrade
your firmware from version 22.2.9.x to version 21.11.x or previous, your device will no longer be able
to communicate with Remote Manager.
To remedy this issue, select the device in Remote Manager and select Actions > Reset Device
Certificate.

Update firmware over the air (OTA) from the Digi firmware server
Web

Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
1. On the main menu, click System. Under Administration, click Firmware Update.

2. Click Download from server.

3. For Version:, select the appropriate version of the device firmware.


4. Click Update Firmware.

Command line

1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. Use the system firmware ota check command to determine if new system firmware is
available on the Digi firmware repository.

> system firmware ota check


Current firmware version is 23.9.74.0
Checking for latest Connect EZ 16/32 firmware...
Newest firmware version available to download is '24.9'
Device firmware update from '23.9.74.0' to '24.9' is needed
>

3. Use the system firmware ota list command to list available firmware on the Digi firmware
repository.

> system firmware ota list


23.9.74.0
24.9
>

4. Perform an OTA firmware update:


- To perform an OTA firmware update by using the most recent available firmware from
the Digi firmware repository:
a. Update the firmware:

> system firmware ota update


Downloading firmware version '24.9'...
Downloaded firmware /tmp/cli_firmware.bin remaining
Applying firmware version '24.9'...
41388K
netflash: got "/tmp/cli_firmware.bin", length=42381373
netflash: authentication successful
netflash: vendor and product names are verified.
netflash: programming FLASH device /dev/flash/image1
41408K 100%
Firmware update completed, reboot device
>

b. Reboot the device:

> reboot
>

- To perform an OTA firmware update by using a specific version from the Digi firmware
repository, use the version parameter to identify the appropriate firmware version as
determined by using the system firmware ota list command. For example:

a. Update the firmware:

> system firmware ota update version 24.9


Downloading firmware version '24.9'...
Downloaded firmware /tmp/cli_firmware.bin remaining
Applying firmware version '24.9'...
41388K
netflash: got "/tmp/cli_firmware.bin", length=42381373
netflash: authentication successful
netflash: vendor and product names are verified.
netflash: programming FLASH device /dev/flash/image1
41408K 100%
Firmware update completed, reboot device
>

b. Reboot the device:

> reboot
>

Update firmware from a local file


Web
1. Download the Connect EZ 16/32 operating system firmware from the Digi Support FTP site to
your local machine.
Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
2. On the main menu, click System. Under Administration, click Firmware Update.

3. Click Choose file.


4. Browse to the location of the firmware on your local file system and select the file.
5. Click Update Firmware.

Command line
1. Download the Connect EZ 16/32 operating system firmware from the Digi Support FTP site to
your local machine.
2. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.


Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
3. Load the firmware image onto the device. We recommend using the /tmp directory.

> scp host hostname-or-ip user username remote remote-path local local-path to local

where:
- hostname-or-ip is the hostname or IP address of the remote host.
- username is the name of the user on the remote host.
- remote-path is the path and filename of the file on the remote host that will be copied
to the Connect EZ 16/32 device.
- local-path is the location on the Connect EZ 16/32 device where the copied file will be
placed.
For example:

> scp host 192.168.4.1 user admin remote /home/admin/bin/Connect EZ 16/32-24.9.bin local /tmp/ to local
admin@192.168.4.1's password: adminpwd
Connect EZ 16/32-24.9.bin 100% 36MB 11.1MB/s 00:03
>

4. Verify that the firmware file has been successfully uploaded to the device:

> ls /tmp
-rw-r--r-- 1 root root 37511229 May 16 20:10 Connect EZ 16/32-24.9.bin
-rw-r--r-- 1 root root 2580 May 16 16:44 blank.json
...
>

5. Update the firmware by entering the system firmware update command, specifying the path
and file name to the firmware file:

> system firmware update file /tmp/Connect EZ 16/32-24.9.bin


36632K
netflash: got "/tmp/Connect EZ 16/32-24.9.bin", length=37511229
netflash: authentication successful
netflash: programming FLASH device /dev/flash/image
36633K 100%
Firmware update completed, reboot device
>

6. Reboot the device to run the new firmware image using the reboot command.

> reboot
Rebooting system
>

7. Once the device has rebooted, log into the Connect EZ 16/32's command line as a user with
Admin access and verify the running firmware version by entering the show system command.


> show system

Hostname : Connect EZ 16/32


FW Version : 24.9
MAC : 0040FF800120
Model : Digi Connect EZ 16/32
Current Time : Thu, Jan 11, 2024 12:10:00 +0000
Uptime : 42 seconds (42s)

>
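
When the update is driven by a script rather than typed by hand, the transcript itself can be checked for the signature validation described under Certificate management for firmware images. The following Python script is an added example, not part of the Digi guide or firmware: it confirms that netflash reported authentication before programming flash, that the update completed, and that the image length netflash read matches the size shown by ls /tmp. The function names are hypothetical; the first transcript is copied from this section and the second is constructed.

```python
import re

# Copied from the ls /tmp and update output shown in this section.
LS_LINE = "-rw-r--r-- 1 root root 37511229 May 16 20:10 Connect EZ 16/32-24.9.bin"
GOOD_TRANSCRIPT = """\
> system firmware update file /tmp/Connect EZ 16/32-24.9.bin
36632K
netflash: got "/tmp/Connect EZ 16/32-24.9.bin", length=37511229
netflash: authentication successful
netflash: programming FLASH device /dev/flash/image
36633K 100%
Firmware update completed, reboot device
>
"""
# Constructed failure case: short image, no authentication or completion line.
BAD_TRANSCRIPT = """\
> system firmware update file /tmp/Connect EZ 16/32-24.9.bin
netflash: got "/tmp/Connect EZ 16/32-24.9.bin", length=20000000
>
"""


def ls_size(ls_line):
    """Return the byte count (fifth column) from one `ls /tmp` line."""
    return int(ls_line.split()[4])


def check_update_transcript(transcript, uploaded_size=None):
    """Return a list of findings; an empty list means the update looks sound."""
    findings = []
    got = re.search(r'netflash: got "([^"]+)", length=(\d+)', transcript)
    auth = transcript.find("netflash: authentication successful")
    prog = transcript.find("netflash: programming FLASH device")

    if got is None:
        findings.append("netflash did not report reading an image")
    elif uploaded_size is not None and int(got.group(2)) != uploaded_size:
        findings.append(
            f"image length {got.group(2)} differs from uploaded size "
            f"{uploaded_size} (truncated or replaced file)")
    if auth < 0:
        findings.append("image authentication not reported")
    elif 0 <= prog < auth:
        findings.append("flash programming reported before image authentication")
    if "Firmware update completed" not in transcript:
        findings.append("update did not report completion")
    return findings


if __name__ == "__main__":
    size = ls_size(LS_LINE)
    print(check_update_transcript(GOOD_TRANSCRIPT, size))
    print(check_update_transcript(BAD_TRANSCRIPT, size))
```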

Dual boot behavior


By default, the Connect EZ 16/32 device stores two copies of firmware in two flash memory banks:
- The current firmware version that is used to boot the device.
- A copy of the firmware that was in use prior to your most recent firmware update.
When the device reboots, it will attempt to use the current firmware version. If the current firmware
version fails to load after three consecutive attempts, it is marked as invalid and the device will use
the previous firmware version stored in the alternate memory bank.
If the device consistently loses power during the boot process, this may result in the current firmware
being marked as invalid and the device downgrading to a previous version of the firmware. As a result
of this behavior, you can use the following procedure to guarantee that the same firmware is stored in
both memory banks:

Web

Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
1. On the main menu, click System. Under Administration, click Firmware Update.

2. Click Duplicate firmware.

3. Click Duplicate Firmware.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. Duplicate the firmware:

> system duplicate-firmware


>
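
Whether the alternate bank needs duplicating can be read from the Firmware Version and Alt. Firmware Version fields of show system. The following Python script is an added example, not part of the Digi guide: it parses that output, flags banks that differ, and flags an alternate bank at 21.11.x or earlier under a current version of 22.2.9.x or later, because this guide states that such a downgrade stops communication with Remote Manager. The function names and the second sample (including its version number) are constructed.

```python
import re

# First sample: fields copied from the show system output in this guide.
SAME_BANKS = """\
> show system
Hostname : Connect EZ 16/32
MAC Address : DF:DD:E2:AE:21:18
Firmware Version : 24.9
Alt. Firmware Version : 24.9
Current Time : Thu, Jan 11, 2024 12:10:00 +0000
Uptime : 6 days, 6 hours, 21 minutes, 57 seconds
(541317s)
Location :
>
"""
# Second sample: constructed, with an old image left in the alternate bank.
OLD_ALT_BANK = """\
Firmware Version : 24.9
Alt. Firmware Version : 21.11.60.63
"""

CERT_BASELINE = (22, 2, 9)   # certificate-based Remote Manager communication
LAST_PRE_CERT = (21, 11)     # "21.11.x or previous", as stated in this guide


def parse_show_system(text):
    """Parse 'Key : value' lines into a dict, splitting at the first colon."""
    fields = {}
    for line in text.splitlines():
        match = re.match(r"\s*([^:]+?)\s*:\s*(.*?)\s*$", line)
        if match:
            fields[match.group(1)] = match.group(2)
    return fields


def version_key(version):
    """Turn '23.9.74.0' into (23, 9, 74, 0) for ordered comparison."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def assess_dual_boot(text):
    """Return findings about what a fallback to the alternate bank would do."""
    fields = parse_show_system(text)
    current = fields.get("Firmware Version")
    alternate = fields.get("Alt. Firmware Version")
    if not current or not alternate:
        return ["firmware version fields not found"]
    findings = []
    if current != alternate:
        findings.append(
            f"banks differ ({current} vs {alternate}): three failed boots "
            "would downgrade the device; run system duplicate-firmware")
    if (version_key(current) >= CERT_BASELINE
            and version_key(alternate)[:2] <= LAST_PRE_CERT):
        findings.append(
            f"fallback to {alternate} would stop communication with "
            "Remote Manager until the device certificate is reset")
    return findings


if __name__ == "__main__":
    print(assess_dual_boot(SAME_BANKS))
    print(assess_dual_boot(OLD_ALT_BANK))
```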

Update cellular module firmware


You can update modem firmware by downloading firmware from the Digi firmware repository, or by
uploading firmware from your local storage onto the device. You can also schedule modem firmware
updates. See Schedule system maintenance tasks for details.

Note Before attempting to update cellular module firmware, you should either ensure that there is a
SIM card in the module, or disable SIM failover. See Configure a Wireless Wide Area Network (WWAN)
for details about SIM failover.

Web
1. (Optional) Download the appropriate modem firmware from the Digi repository to your local
machine.
Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
2. From the main menu, click Status > Modems.
3. Click the modem firmware version.

The Modem firmware update window opens.


4. To update using firmware from the Digi firmware repository:


a. Click the icon to view available versions.
b. For Available firmware, select the firmware.
5. To update using firmware from your local file system:
a. Click Choose File.
b. Select the firmware.
6. To schedule firmware updates, click System maintenance configuration page. See Schedule
system maintenance tasks for details.
7. Click Update.

Command line

Update modem firmware over the air (OTA)


You can update your modem firmware by querying the Digi firmware repository to determine if there
is new firmware available for your modem and performing an OTA modem firmware update:

1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. Use the modem firmware ota check command to determine if new modem firmware is
available on the Digi firmware repository.

> modem firmware ota check

Checking for latest ATT firmware ...


Retrieving modem firmware list ...
Newest firmware version available to download is '24.01.5x4_ATT'
Modem firmware update from '24.01.544_ATT' to '24.01.5x4_ATT' is needed
24.01.5x4_ATT
24.01.544_ATT

>

3. Use the modem firmware ota list command to list available firmware on the Digi firmware
repository.

> modem firmware ota list

Retrieving modem firmware list ...


25.20.664_CUST_044_3
25.20.666_CUST_067_1
25.20.663_CUST_040

>


4. Perform an OTA firmware update:


- A firmware bundle includes images for each carrier supported by a specific modem. To
perform an OTA update by choosing a firmware bundle based on the type of modem in
your device:

modem firmware bundle ota [check|list|download|update]

- To perform an OTA firmware update by using the most recent available modem
firmware from the Digi firmware repository, type:

> modem firmware ota update

Checking for latest Generic firmware ...


Retrieving modem firmware list ...
Newest firmware version available to download is '25.20.666_CUST_067_1'
Retrieving download location for modem firmware '25.20.666_CUST_067_1' ...

>

- To perform an OTA firmware update by using a specific version from the Digi firmware
repository, use the version parameter to identify the appropriate firmware version as
determined by using the modem firmware ota list command. For example:

> modem firmware ota update version 24.01.5x4_ATT

Retrieving download location for modem firmware '24.01.5x4_ATT' ...


Downloading modem firmware '24.01.5x4_ATT' to '/opt/LE910C4_NF/Custom_Firmware' ...
Modem firmware '24.01.5x4_ATT' downloaded
Updating modem firmware ...
Programming modem firmware ...

Found modem ...


Validate modem firmware ...
Getting ready for update ...
Stopping services ...
Running update pass 1 of 3 ...
Restarting services ...
-----------------------------
Successfully updated firmware
Modem firmware update complete

>

5. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.


Update modem firmware by using a local firmware file


You can update your modem firmware by uploading a modem firmware file to your Connect EZ 16/32
device. Firmware should be uploaded to /opt/MODEM_MODEL/Custom_Firmware, for example,
/opt/LM940/Custom_Firmware.
Modem firmware can be downloaded from Digi here. Follow instructions on this page to determine
the cellular module used by your device. After downloading, use tar or a similar unzipping tool to
extract the firmware prior to uploading to the device. Note that the firmware file may not have a
tar.gz extension, but it is a tar file and can be unzipped with tar or a similar tool. See Use the scp
command for information about uploading files to the Connect EZ 16/32 device.
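
The following is an added example, not part of the Digi guide or Digi's tooling: a workstation-side Python helper that identifies the download as a tar archive by content rather than by extension, refuses archives whose members would write outside the staging directory, and records a SHA-256 digest of each extracted file before upload. The function names, the staging layout on the workstation, and the sample archive contents are assumptions; only the /opt/MODEM_MODEL/Custom_Firmware naming and the LM940 model come from the text above.

```python
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path, PurePosixPath


def unsafe_reason(member):
    """Return why a tar member must not be extracted, or None if it is safe."""
    name = PurePosixPath(member.name)
    if name.is_absolute() or ".." in name.parts:
        return "path escapes the staging directory"
    if not (member.isfile() or member.isdir()):
        return "not a regular file or directory (link, device or FIFO)"
    return None


def stage_firmware(archive, staging_root, modem_model):
    """Extract archive into <staging_root>/<modem_model>/Custom_Firmware.

    Returns {member name: SHA-256 hex digest} for every extracted file and
    raises ValueError for a non-tar file or an archive with unsafe members.
    """
    archive, staging_root = Path(archive), Path(staging_root)
    # The download may lack a .tar.gz extension: test the content, not the name.
    if not tarfile.is_tarfile(archive):
        raise ValueError(f"{archive.name} is not a tar archive")
    dest = staging_root / modem_model / "Custom_Firmware"
    digests = {}
    with tarfile.open(archive, "r:*") as tar:  # r:* auto-detects compression
        members = tar.getmembers()
        # Vet every member before anything is written to disk.
        for member in members:
            reason = unsafe_reason(member)
            if reason:
                raise ValueError(f"refusing {member.name!r}: {reason}")
        for member in members:
            target = dest / member.name
            if member.isdir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            sha = hashlib.sha256()
            # Stream in 1 MiB chunks so large images are not held in memory.
            with tar.extractfile(member) as src, open(target, "wb") as out:
                for chunk in iter(lambda: src.read(1 << 20), b""):
                    sha.update(chunk)
                    out.write(chunk)
            digests[member.name] = sha.hexdigest()
    return digests


def build_sample(path, names):
    """Write a constructed gzip-compressed tar at path (demo input only)."""
    with tarfile.open(path, "w:gz") as tar:
        for name in names:
            payload = f"constructed payload for {name}".encode()
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed download with no file extension, as the guide warns.
        download = Path(tmp) / "modem_firmware_download"
        build_sample(download, ["constructed_image/modem.bin"])
        staged = stage_firmware(download, Path(tmp) / "stage", "LM940")
        for name, digest in staged.items():
            print(digest, name)
```

Keeping the recorded digests alongside the change record lets you confirm later that the files uploaded to the device are the ones that were extracted.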

1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. Use the modem firmware check command to determine if new modem firmware is available
on the local device.

> modem firmware check

Checking for latest ATT firmware in flash ...


Newest firmware version available in flash is '05.05.58.00_ATT_005.026_000'
Modem firmware up to date
05.05.58.00_ATT_005.026_000

> modem firmware check

3. Use the modem firmware list command to list available firmware on the Connect EZ 16/32
device.

> modem firmware list

ATT, 24.01.544_ATT, current


Generic, 24.01.514_Generic, image
Verizon, 24.01.524_Verizon, image
ATT, 24.01.544_ATT, image
Sprint, 24.01.531-B003_Sprint, image

>

4. To perform a firmware update by using a local file, use the version parameter to identify the
appropriate firmware version as determined using the modem firmware check or modem
firmware list command. For example:

> modem firmware update version 24.01.5x4_ATT

Updating modem firmware ...

-----------------------------
Successfully updated firmware


Modem firmware update complete

>

5. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

External storage
You can mount and define partitions on an SD card from the External Storage page.
You can also enable the automount feature, which allows an SD card to automount onto the Connect
EZ 16/32 when the SD card is connected to the Connect EZ 16/32.

Configure external storage on an SD card


You can configure the external storage on an SD card by formatting the SD card and selecting a
partition to mount.
Once you have configured the SD card storage options, you can enable the automount feature, which
ensures that the defined storage configuration is automatically applied each time you connect an SD
card to the Connect EZ 16/32.

Note As an alternative, you can use the following CLI commands to configure an SD card: system
storage show, system storage mount, system storage format, and config system storage mount.

1. Connect an SD card to the Connect EZ 16/32.


The SD card is on the front of the device. See Front panel and LEDs.
2. Log into the WebUI as a user with Admin access.
3. From the main menu, click System.
4. Click External Storage.
5. Expand the SD Card section. Information about the SD card displays.

Note If an SD card is not connected to the device, the default mount path displays and a
message displays for the device path. No other fields display.

n Mount Path: /opt/ext/sd


n Device Path: The device path assigned to the mounted SD card. If an SD card is not
connected to the device, the message "Device not present" displays.
n Total Size: The amount of space on the SD card.
n Partitions: The number of partitions on the SD card, and the file system and size of
each partition.
6. You can format the SD card.
a. From the Format Device list box, select a format option: exfat or ext4.
b. Click Format.


7. You can specify the partition on the SD card that you want to use.
a. From the Mount Device list box, select a partition.
b. Click Mount.
8. Enable the automount feature. When enabled, the SD card is automatically mounted as
configured when it is connected to the Connect EZ 16/32 or when the Connect EZ 16/32 is rebooted.
a. Click Auto Mount.
b. Click Apply. Additional fields display.
9. Review the space available. The amount of space currently used and the corresponding
percentage display in the Used Size field.
(Optional) You can choose to generate a system log event when a specified percentage of the
share is used.
a. In the Monitor field, enter the threshold percentage. When this threshold is met, an
External Storage system log event is generated. For information about system log event
categories, see Configure options for the event and system logs.
b. If a system log event is generated, you can choose to email a notification or save it to an
SNMP trap. See Configure an email notification for a system event and Configure an
SNMP trap for a system event.
c. Click Apply.

Configure external storage on a network server


You can configure the external storage on a network server.

1. Log into the WebUI as a user with Admin access.


2. From the main menu, click System.
3. Click External Storage.
4. Expand the NFS Filesystem section. Information about the NFS share displays.
n Mount Path: /opt/ext/nfs
5. Specify the server name and server path.
a. In the Server Name field, enter the hostname or IP address of the network server.
b. In the Server Path field, enter the NFS share that can be used for storage.
c. Click Apply.
6. Enable the automount feature. When enabled, the NFS share is automatically mounted when
the Connect EZ 16/32 is powered or if it is rebooted.
a. Click Enable.
b. Click Apply. Additional fields display.
7. Review the space available. The amount of space currently used and the corresponding
percentage display in the Used Size field.
(Optional) You can choose to generate a system log event when a specified percentage of the
share is used.
a. In the Monitor field, enter the threshold percentage. When this threshold is met, an
External Storage system log event is generated. For information about system log event
categories, see Configure options for the event and system logs.


b. If a system log event is generated, you can choose to email a notification or save it to an
SNMP trap. See Configure an email notification for a system event and Configure an
SNMP trap for a system event.
c. Click Apply.

Configure log location


You can configure the location where system and serial logs are stored.

1. Log into the Connect EZ 16/32 WebUI as a user with Admin access.
2. From the main menu, click System.
3. Click External Storage.
4. Expand the Logging Location section.
5. From the Store Logs to list box, select an option.
n RAM: The system and serial logs are stored in volatile memory. Log contents are not
retained across a reboot.
n SD Card: The system and serial logs are stored on the SD card. When this option is
selected, the Log Path field displays. The log path defaults to the mount path for the
SD card, but can be changed.
n NFS: The system and serial logs are stored on a network server. When this option is
selected, the Log Path field displays. The log path defaults to the mount path for the
network server, but can be changed.
6. Click Apply.

Reboot your Connect EZ 16/32 device


You can reboot the Connect EZ 16/32 device immediately or schedule a reboot for a specific time
every day.

Note You may want to save your configuration settings to a file before rebooting. See Save
configuration to a file.

Reboot your device immediately

 Web
Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
1. From the main menu, click System.


2. Click Reboot.

3. Click Reboot to confirm that you want to reboot the device.


 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the prompt, type:

> reboot

Schedule reboots of your device

 Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Select System > Scheduled tasks.


4. For Reboot time, enter the time of the day that the device should reboot, using the format
HH:MM. The device will reboot at this time every day.
If Reboot time is set, but the device is unable to synchronize its time with an NTP server, the
device will reboot after it has been up for 24 hours. See System time synchronization for
information about configuring NTP servers. If Reboot window is set, the reboot will occur
during a random time within the reboot window.
5. For Reboot window, enter the maximum random delay that will be added to Reboot Time.
Allowed values are any number of hours, minutes, or seconds, and take the format number
{h|m|s}.
For example, to set Reboot window to ten minutes, enter 10m or 600s.
The default is 10m, and the maximum allowed time is 24h.
6. Click Apply to save the configuration and apply the change.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Set the reboot time:

(config)> system schedule reboot_time time


(config)>

where time is the time of the day that the device should reboot, using the format HH:MM. For
example, to set the device to reboot at two in the morning every day:

(config)> system schedule reboot_time 02:00


(config)>

If reboot_time is set, but the device is unable to synchronize its time with an NTP server, the
device will reboot after it has been up for 24 hours. See System time synchronization for
information about configuring NTP servers. If reboot_window is set, the reboot will occur
during a random time within the reboot window.
4. Set the maximum random delay that will be added to reboot_time:

(config)> system schedule reboot_window value


(config)>

where value is any number of hours, minutes, or seconds, and takes the format number
{h|m|s}.
For example, to set reboot_window to ten minutes, enter either 10m or 600s:

(config)> system schedule reboot_window 600s


(config)>


5. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

6. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
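
Because a scheduled reboot can only start between Reboot time and Reboot time plus Reboot window, a reboot seen outside that interval is worth a look. The following added example (not from the Digi guide) parses both settings as described above and flags observed reboots that fall outside the scheduled interval. The event tuples, device names and function names are constructed for illustration, and the parsers assume a strict two-digit HH:MM and a single number{h|m|s} value. A device that cannot synchronize with an NTP server reboots after 24 hours of uptime instead, so it will also show up here.

```python
import re
from datetime import datetime, timedelta

MAX_WINDOW = timedelta(hours=24)           # maximum allowed reboot window
UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}


def parse_reboot_time(value):
    """Parse a reboot time in HH:MM (24-hour clock) into (hour, minute)."""
    match = re.fullmatch(r"([01]\d|2[0-3]):([0-5]\d)", value)
    if not match:
        raise ValueError(f"reboot time {value!r} is not in HH:MM format")
    return int(match.group(1)), int(match.group(2))


def parse_window(value):
    """Parse number{h|m|s} into a timedelta, enforcing the 24h maximum."""
    match = re.fullmatch(r"(\d+)([hms])", value)
    if not match:
        raise ValueError(f"reboot window {value!r} is not number{{h|m|s}}")
    seconds = int(match.group(1)) * UNIT_SECONDS[match.group(2)]
    window = timedelta(seconds=seconds)
    if window > MAX_WINDOW:
        raise ValueError(f"reboot window {value!r} exceeds the 24h maximum")
    return window


def in_reboot_window(observed, reboot_time, reboot_window="10m"):
    """True if observed lies in [reboot_time, reboot_time + reboot_window]."""
    hour, minute = parse_reboot_time(reboot_time)
    window = parse_window(reboot_window)
    start = observed.replace(hour=hour, minute=minute, second=0, microsecond=0)
    # A window that opens late in the day can run past midnight, so also
    # test the window that opened on the previous day.
    candidates = (start, start - timedelta(days=1))
    return any(s <= observed <= s + window for s in candidates)


def unexpected_reboots(events, reboot_time, reboot_window="10m"):
    """Return the (device, timestamp) events outside the scheduled interval."""
    return [
        (device, when)
        for device, when in events
        if not in_reboot_window(when, reboot_time, reboot_window)
    ]


# Constructed reboot observations in device-local time (not real log data).
SAMPLE_EVENTS = [
    ("ez32-lab-01", datetime(2024, 11, 5, 2, 7, 12)),   # inside 02:00 + 600s
    ("ez32-lab-02", datetime(2024, 11, 5, 14, 32, 0)),  # mid-afternoon
    ("ez32-lab-03", datetime(2024, 11, 6, 2, 10, 0)),   # last second of window
]

if __name__ == "__main__":
    for device, when in unexpected_reboots(SAMPLE_EVENTS, "02:00", "600s"):
        print(f"review: {device} rebooted at {when.isoformat()}")
```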

Erase device configuration and reset to factory defaults


You can erase the device configuration in the WebUI, at the command line, or by using the RESET
button on the device. Erasing the device configuration performs the following actions:
n Clears all configuration settings. When the device restarts, it uses the factory default
configuration.
n Deletes all user files including Python scripts.
n Clears event and system log files.
Additionally, if the RESET button is used to erase the configuration, pressing the RESET button a
second time immediately after the device has rebooted:
n Erases all automatically generated certificates and keys.
n With firmware release 22.2.9.x and newer, erases the client-side certificate used for
communication with Digi Remote Manager.
If you are using Digi Remote Manager with firmware release 22.2.9.x and newer, by default the
device uses a client-side certificate for communication with Remote Manager. If the client-side
certificate is erased, you must use the Remote Manager interface to reset the certificate.
n If your device uses a custom factory default, the custom factory default will be removed and
the device will reboot using standard factory default settings.
You can also reset the device to the default configuration without removing scripts, keys, and logfiles
by using the revert command.
Reset the device by using the RESET button
1. Locate the RESET button on your device.
2. Press the RESET button to perform a device reset. The RESET button has the following modes:
n Configuration reset:
l Press and release the RESET button for 10 seconds.
l The device reboots automatically and resets to factory defaults. This does not
remove any automatically generated certificates and keys.
n Full device reset:
l After the device reboots from the first button press, immediately press and release
the RESET button for 10 seconds again.
l The device reboots again and resets to factory defaults, and also removes
generated certificates and keys.


3. After resetting the device:


a. Connect to the Connect EZ 16/32 by using the serial port or by using an Ethernet cable to
connect the Connect EZ 16/32 ETH2 port to your PC.
b. Log into the Connect EZ 16/32:
User name: Use the default user name: admin.
Password: Use the unique password printed on the bottom label of the device (or the
printed label included in the package).
c. (Optional) Reset the default password for the admin account. See Change the default
password for the admin user for further information.

 Web
1. Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
2. On the main menu, click System. Under Configuration, click Configuration Maintenance.

The Configuration Maintenance window is displayed.

3. In the Erase configuration section, click ERASE.

4. Click CONFIRM.
5. After resetting the device:
a. Connect to the Connect EZ 16/32 by using the serial port or by using an Ethernet cable to
connect the Connect EZ 16/32 ETH2 port to your PC.
b. Log into the Connect EZ 16/32:
User name: Use the default user name: admin.
Password: Use the unique password printed on the bottom label of the device (or the
printed label included in the package).


c. (Optional) Reset the default password for the admin account. See Change the default
password for the admin user for further information.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. Enter the following:

> system factory-erase

A confirmation message appears.


3. Type yes to confirm that you want all configurations deleted, the factory configuration reset,
and the device rebooted.
4. After resetting the device:
a. Connect to the Connect EZ 16/32 by using the serial port or by using an Ethernet cable to
connect the Connect EZ 16/32 ETH2 port to your PC.
b. Log into the Connect EZ 16/32:
User name: Use the default user name: admin.
Password: Use the unique password printed on the bottom label of the device (or the
printed label included in the package).
c. (Optional) Reset the default password for the admin account. See Change the default
password for the admin user for further information.

Reset the device with the revert command


You can reset the device to the default configuration without removing scripts, keys, and logfiles by
using the revert command:

1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. At the config prompt, enter revert:

(config)> revert
(config)>

4. Set the password for the admin user prior to saving the changes:

(config)> auth user admin password pwd


(config)>


5. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

6. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Custom factory default settings


You can configure your Connect EZ 16/32 device to use custom factory default settings. This way,
when you erase the device's configuration, the device will reset to your custom configuration rather
than to the original factory defaults.

Required configuration items


n Custom factory default file.

Configure the Connect EZ 16/32 device to use custom factory default settings

 Web
Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
1. Configure your Connect EZ 16/32 device to match the desired custom factory default
configuration.
For example, you may want to configure the device to use a custom APN or a particular
network configuration, so that when you reset the device to factory defaults, it will
automatically have your required network configuration.
2. On the main menu, click System. Under Configuration, click Configuration Maintenance.

The Configuration Maintenance window is displayed.


3. In the Configuration backup section, click SAVE.

Do not set a Passphrase for the configuration backup. The file will be downloaded using your
browser's standard download process.
4. After the configuration backup file has been downloaded, rename the file to:
custom-default-config.bin
5. Upload the file to the device:
a. From the main menu, select System > Filesystem.
b. Under Default device configuration, click .

c. Select the file from your local file system.


6. Reboot the device.

Note After configuring a device to use custom factory default settings, wait five minutes after
restoring to defaults before:
n Powering off the device.
n Performing any additional configuration restoration activities.
If you do not wait five minutes after restoring to custom factory defaults before performing these
activities, the device will clear the custom factory defaults and reboot to standard factory defaults.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. Enter the following:

> system backup / type custom-defaults


Backup saved as /opt/custom-default-config.bin
>


3. Reboot the device:

> reboot
>

4. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Note After configuring a device to use custom factory default settings, wait five minutes after
restoring to defaults before:
n Powering off the device.
n Performing any additional configuration restoration activities.
If you do not wait five minutes after restoring to custom factory defaults before performing these
activities, the device will clear the custom factory defaults and reboot to standard factory defaults.

Clear the custom factory default settings


After configuring the device to use custom factory default settings, to clear the custom default
configuration and reset the device to standard factory defaults:

1. Press the device's RESET button.


2. Wait for the device to reboot.
3. Press the RESET button a second time.
You must press the RESET button the second time within five minutes of the first in order to clear
the custom default configuration.

Locate the device by using the Find Me feature


Use the Find Me feature to cause LEDs on the device to blink, which can help you to identify the
specific device.
To use this feature:
 Web
Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
1. On the menu, click System. Under Administration, click Find Me.
A notification message appears, noting that the LED is flashing on the device. Click the x in the
message to close it.

2. On the menu, click System again. A blue circle next to Find Me is blinking, indicating that the
Find Me feature is active.


3. To deactivate the Find Me feature, click System and click Find Me again.
A notification message appears, noting that the LED is no longer flashing on the device. Click
the x in the message to close it.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. To activate the Find Me feature, type the following at the command prompt:

> system find-me on


>

3. To deactivate the Find Me feature, type the following at the command prompt:

> system find-me off


>

4. To determine the status of the Find Me feature, type the following at the command prompt:

> system find-me status


off
>

Enable FIPS mode


You can enable your device to be Federal Information Processing Standard (FIPS) 140-2 compliant.
With FIPS 140-2 compliance, only FIPS 140-2 cipher and MAC algorithms are available. As a result,
features like stunnel, ssh, and openvpn are limited in what they can use. For example, in FIPS mode
ssh will only offer and negotiate AES based ciphers.
When the FIPS setting is changed, the device will reboot automatically. Disabling FIPS after it has
been enabled will cause the current configuration to be erased.

 Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.


c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Expand System.

4. Click to enable FIPS.


5. Click Apply to save the configuration and apply the change. The device will reboot
automatically.
 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.


2. Enable FIPS:

(config)> system fips true
(config)>

3. Save the change. The device will reboot automatically.

(config)> save
>


Configuration files
The Connect EZ 16/32 configuration file, /etc/config/accns.json, contains all configuration changes
that have been made to the device. It does not contain the complete device configuration; it only
contains changes to the default configuration. Both the default configuration and the changes
contained in the accns.json file are applied when the device reboots.

Save configuration changes


When you make changes to the Connect EZ 16/32 configuration, the changes are not automatically
saved. You must explicitly save configuration changes, which also applies the changes. If you do not
save configuration changes, the system discards the changes.

 Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Make any necessary configuration changes.
4. Click Apply to save the configuration and apply the change.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.


2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Make any necessary configuration changes.


4. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

5. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Save configuration to a file


You can save your Connect EZ 16/32 device's configuration to a file and use this file to restore the
configuration, either to the same device or to similar devices.

 Web
This procedure creates a binary archive file containing the device's configuration, certificates and
keys, and other information.
Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
1. On the main menu, click System. Under Configuration, click Configuration Maintenance.

The Configuration Maintenance window is displayed.

2. In the Configuration backup section:


a. (Optional) To encrypt the configuration using a passphrase, for Passphrase
(save/restore), enter the passphrase.
b. Click SAVE.


The file will be downloaded using your browser's standard download process.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. Enter the following:

> system backup path [passphrase passphrase] type type

where
n path is the location on the Connect EZ 16/32's filesystem where the configuration
backup file should be saved.
n passphrase (optional) is a passphrase used to encrypt the configuration backup.
n type is the type of backup, either:
l archive: Creates a binary archive file containing the device's configuration,
certificates and keys, and other information.
l cli-config: Creates a text file containing only the configuration changes.
For example:

> system backup /etc/config/scripts/ type archive

3. (Optional) Use scp to copy the file from your device to another host:

> scp host hostname-or-ip user username remote remote-path local local-path to remote

where:
n hostname-or-ip is the hostname or IP address of the remote host.
n username is the name of the user on the remote host.
n remote-path is the location on the remote host where the file will be copied.
n local-path is the path and filename on the Connect EZ 16/32 device.
For example:

> scp host 192.168.4.1 user admin remote /home/admin/bin/ local /etc/config/backup-archive-0040FF800120-19.05.17-19.01.17.bin to remote

Restore the device configuration


You can restore a configuration file to your Connect EZ 16/32 device by using a backup from the
device, or a backup from a similar device.

 Web


Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
1. On the main menu, click System. Under Configuration, click Configuration Maintenance.

The Configuration Maintenance window is displayed.

2. In the Configuration Restore section:


a. If a passphrase was used to create the configuration backup, for Passphrase
(save/restore), enter the passphrase.
b. Under Configuration Restore, click Choose File.
c. Browse to the system firmware file location on your local computer and select the file.
d. Click RESTORE.
3. Click CONFIRM.
The configuration will be restored and the device will be rebooted.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. If the configuration backup is on a remote host, use scp to copy the file from the host to your
device:

> scp host hostname-or-ip user username remote remote-path local local-path to local

where:
n hostname-or-ip is the hostname or IP address of the remote host.
n username is the name of the user on the remote host.
n remote-path is the path and filename of the file on the remote host that will be copied
to the Connect EZ 16/32 device.


n local-path is the location on the Connect EZ 16/32 device where the copied file will be
placed.
For example:

> scp host 192.168.4.1 user admin remote /home/admin/bin/backup-archive-0040FF800120-24.9-19.23.42.bin local /opt to local

3. Enter the following:

> system restore filepath [passphrase passphrase]

where
n filepath is the path and filename of the configuration backup file on the Connect EZ
16/32's filesystem (local-path in the previous step).
n passphrase (optional) is the passphrase to restore the configuration backup, if a
passphrase was used when the backup was created.
For example:

> system restore /opt/backup-archive-0040FF800120-24.9-19.23.42.bin


Schedule system maintenance tasks


You can configure tasks to be run during a specified maintenance window. When the device is within
its maintenance window, firmware updates and Digi Remote Manager configuration checks will be
performed.
You can also schedule custom scripts to run during the maintenance window. See Configure scripts to
run automatically for more information.

Required configuration items


n Events that trigger the maintenance window to begin.
n Whether all configured triggers, or only one of the triggers, must be met.
n The tasks to be performed. Options are:
l Firmware updates.
l Digi Remote Manager configuration check.
n Whether the device will check for updates to the device firmware.
n Whether the device will check for updates to the modem firmware.
n The frequency (daily, weekly, or monthly) that checks for firmware updates will run.

 Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.

3. Click System > Scheduled tasks > System maintenance.

4. Click to expand Maintenance window triggers.


5. Click  to add a maintenance window trigger.

6. For Maintenance window trigger type, select one of the following:


n Check if interface is up, for Test Interface, select the interface.
n Time period for maintenance window:
a. Click to expand Maintenance window.
b. For Start time, type the time of day that the maintenance window should start,
using the syntax HH:MM. If Start time is not set, maintenance tasks are not
scheduled and will not be run.
The behavior of Start time varies depending on the setting of Duration window,
which is configured in the next step.
l If Duration window is set to Immediately, all scheduled tasks will begin at the
exact time specified in Start time.
l If Duration window is set to 24 hours, Start time is effectively obsolete and
the maintenance tasks will be scheduled to run at any time. Setting Duration
window to 24 hours can potentially overstress the device and should be used
with caution.
l If Duration window is set to any value other than Immediately or 24 hours,
the maintenance tasks will run at a random time during the time allotted for
the duration window.
l If Duration window is set to one or more hours, the minutes field in Start time
is ignored and the duration window will begin at the beginning of the specified
hour.
c. For Duration window, select the amount of time that the maintenance tasks will
be run. If Immediately is selected, all scheduled tasks will begin at the exact time
specified in Start time.
d. For Frequency, select whether the maintenance window will be started every day,
or once per week.

n If Check if Python Out-of-Service is set, the maintenance window will only start if the
Python Out-of-Service is set. See Use Python to set the maintenance window for further
information.
7. If Central Management is disabled, click Device firmware update to instruct the system to
look for any updated device firmware during the maintenance window. If updated firmware is
found, it will then be installed. This option is only available if Central Management is
disabled; see Central management for more information.
8. If Central Management is disabled, click to enable Modem firmware update to instruct the
system to look for any updated modem firmware during the maintenance window. If updated
firmware is found, it will then be installed. Modem firmware update looks for updated firmware
both on the local device and over the network, using either a WAN or cellular connection. This
option is only available if Central Management is disabled; see Central management for
more information.
9. (Optional) Configure automated checking for device and modem firmware updates:
a. Click to expand Firmware update check.
b. Device firmware update check is enabled by default. This enables the automated
checking for device firmware updates.
c. Modem firmware update check is enabled by default. This enables the automated
checking for modem firmware updates.
d. For Frequency, select how often automated checking for device and modem firmware
should take place. Allowed values are Daily, Weekly, and Monthly. The default is Daily.
10. Click Apply to save the configuration and apply the change.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Configure a system maintenance trigger:


a. Add a trigger:

(config)> add system schedule maintenance trigger end


(config)>

b. Set the type of trigger:

(config add system schedule maintenance trigger)> type value


(config)>

where value is one of:

n interface_up: If interface_up is set:


i. Set the interface:

(config add system schedule maintenance trigger)> interface value
(config)>

i. Use the ? to determine available interfaces.
ii. Set the interface. For example:

(config system schedule maintenance trigger 0)> interface /network/interface/eth1
(config system schedule maintenance trigger 0)>

n out_of_service: The maintenance window will only start if the Python Out-of-
Service is set. See Use Python to set the maintenance window for further
information.
n time: Configure a time period for the maintenance window:
i. Configure the time of day that the maintenance window should start, using the
syntax HH:MM. If the start time is not set, maintenance tasks are not scheduled
and will not be run.

(config system schedule maintenance trigger 0)> time from HH:MM
(config system schedule maintenance trigger 0)>

The behavior of the start time varies depending on the setting of the duration
length, which is configured in the next step.
l If the duration length is set to 0, all scheduled tasks will begin at the exact
time specified in the start time.
l If the duration length is set to 24 hours, the start time is effectively
obsolete and the maintenance tasks will be scheduled to run at any time.
Setting the duration length to 24 hours can potentially overstress the
device and should be used with caution.
l If the duration length is set to any value other than 0 or 24 hours, the
maintenance tasks will run at a random time during the time allotted for
the duration window.
l If the duration length is set to one or more hours, the minutes field in the
start time is ignored and the duration window will begin at the beginning
of the specified hour.
ii. Configure the duration length (the amount of time that the maintenance tasks
will be run). If 0 is used, all scheduled tasks will begin at the start time, defined
in the previous step.

(config system schedule maintenance trigger 0)> length num


(config system schedule maintenance trigger 0)>

where num is any whole number between 0 and 24.

iii. Configure the frequency that the maintenance tasks should be run:

(config system schedule maintenance trigger 0)> frequency value
(config system schedule maintenance trigger 0)>

where value is either daily or weekly. Daily is the default.


4. If Central Management is disabled, configure the device to look for any updated device
firmware during the maintenance window. If updated firmware is found, it will then be
installed. The device will look for updated firmware both on the local device and over the
network, using either a WAN or cellular connection.
This option is only available if Central Management is disabled; see Central management for
more information.

(config)> system schedule maintenance device_fw_update true


(config)>

5. If Central Management is disabled, configure the device to look for any updated modem
firmware during the maintenance window. If updated firmware is found, it will then be
installed. The device will look for updated firmware both on the local device and over the
network, using either a WAN or cellular connection.
This option is only available if Central Management is disabled; see Central management for
more information.

(config)> system schedule maintenance modem_fw_update true


(config)>

6. (Optional) Configure automated checking for device firmware updates:


a. Device firmware update check is enabled by default. This enables the automated
checking for device firmware updates. To disable:

(config)> system schedule maintenance firmware_update_check device false
(config)>

b. Set how often automated checking for device firmware should take place:

(config)> system schedule maintenance frequency value


(config)>

where value is either daily, weekly, or monthly. daily is the default.


7. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

8. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
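
The start-time and duration rules described in the Web and Command line procedures above can be modeled as follows. This is an added example, not Digi firmware code: the function names are hypothetical, and treating a 24-hour duration as the whole calendar day is an assumption drawn from "scheduled to run at any time".

```python
"""Model of the documented maintenance-window timing rules (added example)."""
import random
import re
from datetime import date, datetime, timedelta

_HHMM = re.compile(r"([01]\d|2[0-3]):([0-5]\d)")  # the HH:MM syntax from the guide


def maintenance_window(day, start, length_hours):
    """Return (earliest, latest) datetimes at which tasks may start on `day`.

    start        -- 'HH:MM' string, or None when no start time is configured
    length_hours -- whole number 0..24; 0 corresponds to "Immediately"
    Returns None when start is None: tasks are not scheduled and will not run.
    """
    if isinstance(length_hours, bool) or not isinstance(length_hours, int) \
            or not 0 <= length_hours <= 24:
        raise ValueError("length must be a whole number between 0 and 24")
    if start is None:
        return None
    m = _HHMM.fullmatch(start)
    if not m:
        raise ValueError(f"start time {start!r} is not HH:MM")
    hour, minute = int(m.group(1)), int(m.group(2))
    midnight = datetime.combine(day, datetime.min.time())

    if length_hours == 0:
        # Immediately: tasks begin at the exact start time.
        exact = midnight + timedelta(hours=hour, minutes=minute)
        return exact, exact
    if length_hours == 24:
        # Start time is effectively obsolete; tasks may run at any time.
        # Assumption: modeled here as the full calendar day.
        return midnight, midnight + timedelta(hours=24)
    # One or more hours: the minutes field is ignored and the window
    # begins at the beginning of the specified hour.
    begin = midnight + timedelta(hours=hour)
    return begin, begin + timedelta(hours=length_hours)


def pick_run_time(window, rng=random):
    """Pick the random run time inside the window (exact time if zero-length)."""
    if window is None:
        return None
    earliest, latest = window
    span = (latest - earliest).total_seconds()
    if span == 0:
        return earliest
    return earliest + timedelta(seconds=rng.uniform(0, span))


if __name__ == "__main__":
    # Constructed sample: a 02:45 start with each kind of duration.
    for length in (0, 3, 24):
        print(length, maintenance_window(date(2024, 11, 4), "02:45", length))
```

With a 3-hour duration a 02:45 start yields a 02:00 to 05:00 window, which is why staggering a fleet requires different start hours, not different minutes.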

Disable device encryption


You can disable the cryptography on your Connect EZ 16/32 device. This can be used to ship unused
devices from overseas without needing export licenses from the country from which the device is
being shipped.
When device encryption is disabled, the following occurs:
n The device is reset to the default configuration and rebooted.
n After the reboot:
l Access to the device via the WebUI and SSH is disabled.
l All internet connectivity is disabled, including WAN and WWAN. Connectivity to central
management software is also disabled.
l All IP networks and addresses are disabled except for the default 192.168.210.1/24 network
on the local LAN Ethernet port. DHCP server is also disabled.
The device can only be accessed by using telnet from a local machine connecting to the
192.168.210.1/24 network.
Disabling device encryption is not available in the WebUI. It can only be performed from the Admin
CLI.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.

Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. Disable encryption with the following command:

> system disable-cryptography


>

3. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Re-enable cryptography after it has been disabled.


To re-enable cryptography:

1. Configure your PC network to connect to the 192.168.210 subnet. For example, on a Windows
PC:
a. Select the Properties of the relevant network connection on the Windows PC.

b. Click the Internet Protocol Version 4 (TCP/IPv4) parameter.


c. Click Properties. The Internet Protocol Version 4 (TCP/IPv4) Properties dialog appears.
d. Configure with the following details:

n IP address for PC: 192.168.210.2


n Subnet: 255.255.255.0
n Gateway: 192.168.210.1

2. Connect the PC's Ethernet port to the ETH1 Ethernet port on your Connect EZ 16/32 device.
3. Open a telnet session and connect to the Connect EZ 16/32 device at the IP address of
192.168.210.1.
4. Log into the device:
n Username: admin
n Password: The default unique password for your device is printed on the device label.
5. At the shell prompt, type:

# rm /etc/config/.nocrypt
# flatfsd -i

This will re-enable encryption and leave the device at its factory default setting.

Configure the speed of your Ethernet ports


You can configure the speed of your Connect EZ 16/32 device's Ethernet ports.

 Web

1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Network > Device.
4. Click to expand the Ethernet port to be configured.
5. For Speed, select the appropriate speed for the Ethernet port, or select Auto to automatically
detect the speed. The default is Auto.
6. Click Apply to save the configuration and apply the change.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. At the config prompt, type:

(config)> network device eth_port value

where:
n eth_port is the name of the Ethernet port (for example, eth1)
n value is one of:
l 10—Sets the speed to 10 Mbps.
l 100—Sets the speed to 100 Mbps.

l 1000—Sets the speed to 1 Gbps. Available only for devices with Gigabit Ethernet
ports.
l auto—Configures the device to automatically determine the best speed for the
Ethernet port.
The default is auto.
4. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

5. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Watchdog service
The Watchdog service can monitor the operation of your device, test the system for problems, and
automatically restart that device if it detects a fault or failure. You can also see metrics for the
Watchdog service and performance results of the tests performed.
When the Watchdog service has been enabled, the service name and a green check mark are displayed in the
dashboard.

Configure the Watchdog service


To configure the Watchdog service on your Connect EZ 16/32:
 Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.

3. Click System > Advanced Watchdog.


4. The watchdog is disabled by default. To enable, click to toggle off Disable.
5. For Watchdog test interval, type the amount of time between running system tests.
Allowed values are any number of days, hours, minutes, or seconds, and take the format
number{d|h|m|s}.
For example, to set Watchdog test interval to ten minutes, enter 10m or 600s.
The maximum is two days (2d), and the default is five minutes (5m).
6. Type or select the Number of test failures before a reboot.
7. Configure the tests that the watchdog will perform:
a. Click to expand Fault detection tests.
b. Click to expand Memory usage.
i. The memory check is enabled by default. To disable, click the Enable memory check
toggle.
ii. For RAM usage threshold to trigger a warning, type or select the percentage of RAM
usage that will trigger a warning. The minimum value is 60 percent, the maximum is
100 percent. The default is 90 percent.
iii. Type or select the Percentage of system memory used before triggering a reboot.
The minimum value is 60 percent, the maximum is 100 percent. The default is 95
percent.
iv. To log memory usage with every watchdog memory usage test, click to enable Log
memory usage every interval.
c. Click to expand Interface tests.
i. Click the Enable interface(s) down check toggle to enable. The system periodically
checks the interfaces you configure here and, after the specified amount of time,
reboots them.
ii. Click to expand Check interface(s).
iii. Click  to add a new interface.
iv. For Interface, choose the interface you want to test.
d. Click to expand Modem down. This configuration is enabled by default.
i. Click the Enable modem check toggle to disable.
ii. Click the Enable modem power cycle toggle if you want the modem to be power
cycled after an initial timeout instead of this timeout being reported as a failure.
iii. For Downtime, type the amount of time the modem is down before it is reported.
8. Click Apply to save the configuration and apply the change.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.

2. At the command line, type config to enter configuration mode:

> config
(config)>

3. The watchdog is enabled by default. To disable:

(config)> system watchdog enable false


(config)>

4. Set the amount of time between running system tests:

(config)> system watchdog interval value


(config)>

where value is any number of days, hours, minutes, or seconds, and takes the format number
{d|h|m|s}.
For example, to set interval to ten minutes, enter either 10m or 600s:

(config)> system watchdog interval 600s


(config)>

The maximum is two days (2d), and the default is five minutes (5m).
5. Set the number of test failures before the system reboots:

(config)> system watchdog num_failures int


(config)>

6. Configure the tests that the watchdog will perform:


a. The memory check is enabled by default. To disable:

(config)> system watchdog tests memory enable false


(config)>

b. Set the percentage of RAM usage that will trigger a warning:

(config)> system watchdog tests memory max_memory_warning int


(config)>

The minimum value is 60 percent, the maximum is 100 percent. The default is 90 percent.
c. Set the percentage of RAM usage that will trigger a reboot of the device:

(config)> system watchdog tests memory max_memory_critical int


(config)>

The minimum value is 60 percent, the maximum is 100 percent. The default is 95 percent.
d. To log memory usage with every watchdog memory usage test, enable log_memory:

(config)> system watchdog tests memory log_memory true


(config)>

e. To have the interface(s) checked and rebooted after the specified amount of time:

(config)> system watchdog tests interfaces interfaces add [value]


(config)>

with value being the name of the interface.


f. To have the modem power cycled after an initial timeout instead of this timeout being
reported as a failure:

(config)> system watchdog tests modem


(config)>

7. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

8. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
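
A pre-flight check for the watchdog values documented above, which validates them offline and emits the matching config-mode commands. This is an added example, not Digi code: the function names are hypothetical, and the zero-interval rejection, the positive num_failures requirement, the interface-name character set and the warning-versus-reboot note are assumptions the guide does not state.

```python
"""Validate watchdog settings and build Admin CLI commands (added example)."""
import re

_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
_MAX_INTERVAL = 2 * 86400                      # "The maximum is two days (2d)"
_INTERVAL = re.compile(r"(\d+)([dhms])")       # number{d|h|m|s}
_SAFE_NAME = re.compile(r"[A-Za-z0-9_./-]+")   # assumption: no spaces or separators


def interval_seconds(text):
    """Convert number{d|h|m|s} to seconds, enforcing the documented maximum."""
    m = _INTERVAL.fullmatch(text)
    if not m:
        raise ValueError(f"interval {text!r} is not number{{d|h|m|s}}")
    seconds = int(m.group(1)) * _UNIT_SECONDS[m.group(2)]
    if seconds == 0:                           # assumption: no minimum is documented
        raise ValueError("interval must be greater than zero")
    if seconds > _MAX_INTERVAL:
        raise ValueError(f"interval {text!r} exceeds the 2d maximum")
    return seconds


def _percent(name, value):
    """Memory thresholds: minimum 60 percent, maximum 100 percent."""
    if isinstance(value, bool) or not isinstance(value, int) or not 60 <= value <= 100:
        raise ValueError(f"{name} must be a whole percentage from 60 to 100")
    return value


def watchdog_commands(interval="5m", num_failures=None, warning=90, critical=95,
                      log_memory=False, interfaces=()):
    """Return (commands, notes); raises ValueError on an out-of-range setting."""
    interval_seconds(interval)
    _percent("max_memory_warning", warning)
    _percent("max_memory_critical", critical)

    notes = []
    if warning >= critical:
        # Assumption, not a documented rule: flag it instead of rejecting it.
        notes.append("warning threshold is not below the reboot threshold; "
                     "the device may reboot without a prior warning")

    cmds = [f"system watchdog interval {interval}"]
    if num_failures is not None:
        if isinstance(num_failures, bool) or not isinstance(num_failures, int) \
                or num_failures < 1:           # assumption: positive whole number
            raise ValueError("num_failures must be a positive whole number")
        cmds.append(f"system watchdog num_failures {num_failures}")
    cmds.append(f"system watchdog tests memory max_memory_warning {warning}")
    cmds.append(f"system watchdog tests memory max_memory_critical {critical}")
    if log_memory:
        cmds.append("system watchdog tests memory log_memory true")
    for name in interfaces:
        # Refuse anything that could smuggle a second command into the script.
        if not _SAFE_NAME.fullmatch(name):
            raise ValueError(f"unsafe interface name {name!r}")
        cmds.append(f"system watchdog tests interfaces interfaces add {name}")
    cmds.append("save")
    return cmds, notes


if __name__ == "__main__":
    # Constructed sample settings; eth1 is the port name used as an example in the guide.
    commands, advisories = watchdog_commands("600s", 3, 85, 95, True, ["eth1"])
    print("\n".join(commands))
    print(advisories)
```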

View Watchdog metrics


To view metrics for the Watchdog service and the tests performed:
 Web
In the local Web UI of your Connect EZ 16/32:

1. Log in to the local Web UI of your device as a user with full Admin access rights.
2. To access the Watchdog Service page:
From the Dashboard of the device:
a. In the Services card, you can see the operational status of the Watchdog service.

b. Click Watchdog to view metrics.

From the menu:


Click Status > Services > Watchdog to see the page.
In Digi Remote Manager, to view the test failures:

a. Click Devices, and select a device from the list.


b. Click Metrics.
c. Click to expand Sys Details.
d. Click Sys Watchdog Failures.

A new window opens and displays a chart showing the test failures and when they occurred.

 Command line
To view the results of the Watchdog tests:

1. Access the Command Line Interface for your Connect EZ, from either the local web UI as an
administrator with full access rights or from Digi Remote Manager.
2. At the prompt, type

show watchdog

All tests that were performed, as well as their status, are listed.
3. Type exit to exit the CLI.


Monitoring
This chapter contains the following topics:

intelliFlow
Configure NetFlow Probe

intelliFlow
Digi intelliFlow is a reporting and graphical presentation tool for visualizing your network’s data usage
and network traffic information.
intelliFlow can be enabled on Digi Remote Manager to provide a full analysis of all Digi devices on
your network. Contact your Digi sales representative for information about enabling intelliFlow on
Remote Manager.

IntelliFlow is also available on the local device for device-specific visualization of network use. To use
intelliFlow on the local device, you must have access to the local WebUI. Once you enable intelliFlow,
the Status > intelliFlow option is available in the main menu. By default, intelliFlow is disabled on
the local device.
On the local device, intelliFlow provides charts on the following information:
n System utilisation
n Top data usage by host
n Top data usage by server
n Top data usage by service
n Host data usage over time
intelliFlow charts are dynamic; at any point, you can click inside the chart to drill down to view more
granular information, and menu options allow you to change various aspects of the information being
displayed.
This section contains the following topics:

Enable intelliFlow
Configure service types
Configure domain name groups
Use intelliFlow to display average CPU and RAM usage
Use intelliFlow to display top data usage information
Use intelliFlow to display data usage by host over time

Enable intelliFlow

Required configuration items


n Enable intelliFlow.

Additional configuration items


n The firewall zone for internal clients being monitored by intelliFlow.
To enable intelliFlow:

 Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Monitoring > intelliFlow.
The intelliFlow configuration window is displayed.

4. Click Enable intelliFlow.


5. For Zone, select the firewall zone. Internal clients that are being monitored by IntelliFlow
should be present on the specified zone.
6. Click Apply to save the configuration and apply the change.

 Command line

1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Enable IntelliFlow:

(config)> monitoring intelliflow enable true

4. Set the firewall zone. Internal clients that are being monitored by IntelliFlow should be present
on the specified zone:
a. Determine available zones:

(config)> monitoring intelliflow zone ?

Zone: The firewall zone which is assigned to the network interface(s) that
intelliFlow will see as internal clients. intelliFlow relies on an internal to
external relationship, where the internal clients are present on the zone
specified.
Format:
any
dynamic_routes
edge
external
internal
ipsec
loopback
setup
Default value: internal
Current value: internal

(config)>

b. Set the zone to be used by IntelliFlow:

(config)> monitoring intelliflow zone my_zone

5. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

6. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Configure service types


The service type is used to categorize several ports under one service. For example, port numbers 80,
443, and 8080 are included in the Web service type.
There are several predefined service types:
n Web: Ports 80, 443, and 8080.
n FTP: Ports 20, 21, 989, and 990.
n SSH: Port 22.
n Telnet: Ports 23 and 992.
n Mail: Ports 25, 110, 143, 220, 993 and 995.
n DNS: Port 53.
n IRC: Ports 194 and 994.
n RSYNC: Port 873.
You can add and remove ports from the predefined service port types, and you can also define your
own service types. For example, to define a service type called "MyService" using ports 9000 and 9001:

 Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Monitoring > intelliFlow.
4. Click to expand Ports.

5. At the bottom of the list of ports, click  to add a port.

6. Label is optional.
7. For Port number, type 9000.
8. For Service name, type MyService.

9. Click  to add another port.


10. For Port number, type 9001.
11. For Service name, type MyService.
12. Click Apply to save the configuration and apply the change.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Add a port:

(config)> add monitoring intelliflow ports end


(config monitoring intelliflow ports 20)>

4. Set the port number:

(config monitoring intelliflow ports 20)> port 9000


(config monitoring intelliflow ports 20)>

5. Set the service type:

(config monitoring intelliflow ports 20)> service MyService


(config monitoring intelliflow ports 20)>

6. Add another port:

(config monitoring intelliflow ports 20)> add .. end


(config monitoring intelliflow ports 21)>

7. Set the port number:

(config monitoring intelliflow ports 21)> port 9001


(config monitoring intelliflow ports 21)>

8. Set the service type:

(config monitoring intelliflow ports 21)> service MyService


(config monitoring intelliflow ports 21)>

9. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

10. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Configure domain name groups


Domain name groups are used to categorize several domain names in one group. For example,
digi.com and devicecloud.com could be grouped together in an intelliFlow group called Digi.

 Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Monitoring > intelliFlow > Groups.
4. Click  to add a domain.

5. Label is optional.
6. For Domain name, type digi.com.
7. For Group, type Digi.
8. Click  to add another domain.
9. For Domain name, type devicecloud.com.
10. For Group, type Digi.
11. Click Apply to save the configuration and apply the change.

 Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Add a group:

(config)> add monitoring intelliflow groups end


(config monitoring intelliflow groups 1)>

4. Set the domain name:

(config monitoring intelliflow groups 1)> domain digi.com


(config monitoring intelliflow groups 1)>

5. Set the group name:

(config monitoring intelliflow groups 1)> group Digi


(config monitoring intelliflow groups 1)>

6. Add another group:

(config monitoring intelliflow groups 1)> add .. end


(config monitoring intelliflow groups 2)>

7. Set the domain name:

(config monitoring intelliflow groups 2)> domain devicecloud.com


(config monitoring intelliflow groups 2)>

8. Set the group name:

(config monitoring intelliflow groups 2)> group Digi


(config monitoring intelliflow groups 2)>

9. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

10. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Use intelliFlow to display average CPU and RAM usage


This procedure is only available from the WebUI.
To display average CPU and RAM usage:

 Web
Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
1. If you have not already done so, enable intelliFlow. See Enable intelliFlow.
2. From the menu, click Status > intelliFlow.
The System Utilisation chart is displayed:

n Display more granular information:


1. Click and drag over an area in the chart to zoom into that area and provide more
granular information.

2. Release to display the selected portion of the chart:


3. Click Reset zoom to return to the original display:

- Change the time period displayed by the chart.

By default, the System utilisation chart displays the average CPU and RAM usage over the last
minute. You can change this to display the average CPU and RAM usage:
  - Over the last hour.
  - Over the last day.
  - Over the last 30 days.
  - Over the last 180 days.
1. Click the menu icon.
2. Select the time period to be displayed.

- Save or print the chart.

1. Click the menu icon.
2. To save the chart to your local filesystem, select Export to PNG.
3. To print the chart, select Print chart.

Use intelliFlow to display top data usage information


With intelliFlow, you can display top data usage information based on the following:
- Top data usage by host
- Top data usage by server
- Top data usage by service

To generate a top data usage chart:

Web
Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
1. If you have not already done so, enable intelliFlow. See Enable intelliFlow.
2. From the menu, click Status > intelliFlow.


3. Display a data usage chart:


- To display the Top Data Usage by Host chart, click Top Data Usage by Host.

- To display the Top Data Usage by Server chart, click Top Data Usage by Server.

- To display the Top Data Usage by Service chart, click Top Data Usage by Service.

4. Change the type of chart that is used to display the data:

a. Click the menu icon.
b. Select the type of chart.

5. Change the number of top users displayed.


You can display the top five, top ten, or top twenty data users.


a. Click the menu icon.
b. Select the number of top users to be displayed.

6. Save or print the chart.

a. Click the menu icon.
b. To save the chart to your local filesystem, select Export to PNG.
c. To print the chart, select Print chart.

Use intelliFlow to display data usage by host over time


To generate a chart displaying a host's data usage over time:

Web
Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
1. If you have not already done so, enable intelliFlow. See Enable intelliFlow.
2. From the menu, click Status > intelliFlow.
3. Click Host Data Usage Over Time.

- Display more granular information:


a. Click and drag over an area in the chart to zoom into that area and provide more
granular information.


b. Release to display the selected portion of the chart:

c. Click Reset zoom to return to the original display:

- Save or print the chart.

a. Click the menu icon.
b. To save the chart to your local filesystem, select Export to PNG.
c. To print the chart, select Print chart.

Configure NetFlow Probe


NetFlow probe is used to probe network traffic on the Connect EZ 16/32 device and export statistics to
NetFlow collectors.

Required configuration items


- Enable NetFlow.
- The IP address of a NetFlow collector.

Additional configuration items

- The NetFlow version.
- Enable flow sampling and select the flow sampling technique.
- The number of flows from which the flow sampler can sample.
- The number of seconds that a flow is inactive before it is exported to the NetFlow collectors.
- The number of seconds that a flow is active before it is exported to the NetFlow collectors.
- The maximum number of simultaneous flows.
- A label for the NetFlow collector.
- The port of the NetFlow collector.
- Additional NetFlow collectors.

To probe network traffic and export statistics to NetFlow collectors:

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Monitoring > NetFlow probe.

4. Enable NetFlow probe.


5. Protocol version: Select the Protocol version. Available options are:
   - NetFlow v5—Supports IPv4 only.
   - NetFlow v9—Supports IPv4 and IPv6.
   - NetFlow v10 (IPFIX)—Supports both IPv4 and IPv6 and includes IP Flow Information
     Export (IPFIX).
   The default is NetFlow v10 (IPFIX).
6. Enable Flow sampler by selecting a sampling technique. Flow sampling can reduce flow
processing and transmission overhead by providing a representative subset of all flows.
Available options are:
   - None—No flow sampling method is used. Each flow is accounted.
   - Deterministic—Selects every nth flow, where n is the value of Flow sampler
     population.
   - Random—Randomly selects one out of every n flows, where n is the value of Flow
     sampler population.
   - Hash—Randomly selects one out of every n flows using the hash of the flow key, where
     n is the value of Flow sampler population.
7. For Flow sampler population, if you selected a flow sampler, enter the number of flows for
the sampler. Allowed value is any number between 2 and 16383. The default is 100.
8. For Inactive timeout, type the number of seconds that a flow can be inactive before it is sent
to a collector. Allowed value is any number between 1 and 15. The default is 15.
9. For Active timeout, type the number of seconds that a flow can be active before it is sent to a
collector. Allowed value is any number between 1 and 1800. The default is 1800.
10. For Maximum flows, type the maximum number of flows to probe simultaneously. Allowed
value is any number between 0 and 2000000. The default is 2000000.
11. Add collectors:
a. Click to expand Collectors.
b. For Add Collector, click .
c. (Optional) Type a Label for the collector.
d. For Address, type the IP address of the collector.
e. (Optional) For Port, enter the port number used by the collector. The default is 2055.
Repeat to add additional collectors.
12. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Enable NetFlow:

(config)> monitoring netflow enable true


(config)>

4. Set the protocol version:

(config)> monitoring netflow protocol version


(config)>

where version is one of:


- v5—NetFlow v5 supports IPv4 only.
- v9—NetFlow v9 supports IPv4 and IPv6.
- v10—NetFlow v10 (IPFIX) supports both IPv4 and IPv6 and includes IP Flow Information
  Export (IPFIX).

The default is v10.


1. Enable flow sampling by selecting a sampling technique. Flow sampling can reduce flow
processing and transmission overhead by providing a representative subset of all flows.

(config)> monitoring netflow sampler type


(config)>

where type is one of:


- none—No flow sampling method is used. Each flow is accounted.
- deterministic—Selects every nth flow, where n is the value of the flow sample
  population.
- random—Randomly selects one out of every n flows, where n is the value of the flow
  sample population.
- hash—Randomly selects one out of every n flows using the hash of the flow key, where
  n is the value of the flow sample population.
5. If you are using a flow sampler, set the number of flows for the sampler:

(config)> monitoring netflow sampler_population value


(config)>

where value is any number between 2 and 16383. The default is 100.
6. Set the number of seconds that a flow can be inactive before it is sent to a collector:

(config)> monitoring netflow inactive_timeout value


(config)>

where value is any number between 1 and 15. The default is 15.
7. Set the number of seconds that a flow can be active before it is sent to a collector:

(config)> monitoring netflow active_timeout value


(config)>

where value is any number between 1 and 1800. The default is 1800.
8. Set the maximum number of flows to probe simultaneously:

(config)> monitoring netflow max_flows value


(config)>

where value is any number between 0 and 2000000. The default is 2000000.
9. Add collectors:
a. Add a collector:

(config)> add monitoring netflow collector end


(config monitoring netflow collector 0)>

b. Set the IP address of the collector:

(config monitoring netflow collector 0)> address ip_address


(config monitoring netflow collector 0)>


c. (Optional) Set the port used by the collector:

(config monitoring netflow collector 0)> port port


(config monitoring netflow collector 0)>

d. (Optional) Set a label for the collector:

(config monitoring netflow collector 0)> label "This is a collector."


(config monitoring netflow collector 0)>

Repeat to add additional collectors.


10. Save the configuration and apply the change.

(config monitoring netflow collector 0)> save


Configuration saved.
>

11. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
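
The three sampling techniques described above, run over constructed flows with the default population of 100, as an added Python illustration (not Digi's implementation). The hash rule (SHA-256 of the flow key, selected when the value is 0 modulo n) and all function names are assumptions made for this example.

```python
import hashlib
import random


def make_flows(count=1000):
    """Constructed sample data: (src, dst, sport, dport, proto) tuples."""
    return [(f"10.0.{i // 250}.{i % 250 + 1}", "192.0.2.10", 40000 + i, 443, "tcp")
            for i in range(count)]


def sample_deterministic(flows, n):
    """Select every nth flow: flow n, 2n, 3n, ..."""
    return [f for i, f in enumerate(flows, start=1) if i % n == 0]


def sample_random(flows, n, rng):
    """Select one randomly chosen flow out of every complete group of n flows."""
    return [flows[start + rng.randrange(n)]
            for start in range(0, len(flows) - n + 1, n)]


def hash_selects(flow, n):
    """Assumed rule: select a flow when the hash of its key is 0 modulo n."""
    key = "|".join(str(field) for field in flow).encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big") % n == 0


def sample_hash(flows, n):
    """The decision depends only on the flow key, not on arrival order."""
    return [f for f in flows if hash_selects(f, n)]


def estimate_total(sampled, n):
    """Scale a sampled flow count back up to an estimate of the real count."""
    return len(sampled) * n


def check_population(n):
    """Flow sampler population must be between 2 and 16383 (range from the guide)."""
    return isinstance(n, int) and 2 <= n <= 16383


if __name__ == "__main__":
    flows = make_flows()
    n = 100  # the guide's default flow sampler population
    rng = random.Random(7)
    for name, picked in (("deterministic", sample_deterministic(flows, n)),
                         ("random", sample_random(flows, n, rng)),
                         ("hash", sample_hash(flows, n))):
        print(f"{name:13} exported={len(picked):3} estimate={estimate_total(picked, n)}")
```

With any sampler other than none, a single short-lived flow has roughly a 1 in n chance of reaching the collector, so counts derived from sampled exports are estimates rather than a complete record.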



Central management
This chapter contains the following topics:

Digi Remote Manager support
Certificate-based enhanced security
Configure your device for Digi Remote Manager support
Reach Digi Remote Manager on a private network
Log into Digi Remote Manager
Use Digi Remote Manager to view and manage your device
Add a device to Remote Manager
Configure multiple Connect EZ 16/32 devices by using Digi Remote Manager configurations
View Digi Remote Manager connection status
Learn more


Digi Remote Manager support


Digi Remote Manager is a hosted remote configuration and management system that allows you to
remotely manage a large number of devices. Remote Manager includes a web-based interface that
you can use to perform device operations, such as viewing and changing device configurations and
performing firmware updates. Remote Manager servers also provide a data storage facility. The Digi
Remote Manager is the default cloud-based management system, and is enabled by default.
To use Remote Manager, you must set up a Remote Manager account. To set up a Remote Manager
account and learn more about Digi Remote Manager, go to
http://www.digi.com/products/cloud/digi-remote-manager.
To learn more about Remote Manager features and functions, see the Digi Remote Manager User
Guide.

Certificate-based enhanced security


Beginning with firmware version 22.2.9.x, the default URL for the device's Remote Manager connection
is edp12.devicecloud.com. This URL is required to utilize the client-side certificate support. Prior to
release 22.2.9.x, the default URL was my.devicecloud.com.
- If your Digi device is configured to use a non-default URL to connect to Remote Manager,
  updating the firmware will not change your configuration. However, if you erase the device's
  configuration, the Remote Manager URL will change to the default of edp12.devicecloud.com.
- If you perform a factory reset by pressing the RESET button twice, the client-side certificate
  will be erased and you must use the Remote Manager interface to reset the certificate. Select the
  device in Remote Manager and select Actions > Reset Device Certificate.
- The certificate that is provided to the client by Remote Manager is signed by a specific
  certificate authority, and the device is expecting that same certificate authority. If your IT
  infrastructure uses its own certificate-based authentication, this might cause the device to
  interpret the certificate provided by Remote Manager as being from an incorrect certificate
  authority. If this is the case, you need to include an exception to allow edp12.devicecloud.com
  to authenticate using its own certificate.
The new URL of edp12.devicecloud.com is for device communication only. Use
https://remotemanager.digi.com for user interaction with Remote Manager.

Firewall issues
To utilize the certificate-based security, you may need to open a port through your firewall for egress
connectivity to edp12.devicecloud.com. TCP port 3199 is used for communication with Remote
Manager.

Configure your device for Digi Remote Manager support


By default, your Connect EZ 16/32 device is configured to use Digi Remote Manager for central management.

Additional configuration options


These additional configuration settings are not typically configured, but you can set them as needed:
- Disable the Digi Remote Manager connection if it is not required. You can also configure an
  alternate cloud-based central management application.
- Change the reconnection timer.
- The non-cellular keepalive timeout.
- The cellular keepalive timeout.
- The keepalive count before the Remote Manager connection is dropped.
- SMS support.
- HTTP proxy server support.
To configure your device's Digi Remote Manager support:

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Central management.


The Central management configuration window is displayed.

Digi Remote Manager support is enabled by default. To disable, toggle off Enable central
management.
4. For Service, select Digi Remote Manager.
5. (Optional) For Management server, type the URL for the central management server.
The default varies depending on firmware versions:
- Firmware version 22.2.9.x and newer: the default is edp12.devicecloud.com. This
  server is for device connectivity only, and uses enhanced security through
  certificate-based communication. See Digi Remote Manager support for further information.
- Firmware prior to version 22.2.9.x: the default is the Digi Remote Manager server,
  https://remotemanager.digi.com.
6. (Optional) For Management port, type the destination port for the remote cloud services
connection. The default is 3199.
7. Firmware server should normally be left at the default location.
8. (Optional) For Speedtest server, type the name or IP address of the server to use to test the
speed of the device's internet connection(s).
9. (Optional) For Retry interval, type the amount of time that the Connect EZ 16/32 device
should wait before reattempting to connect to remote cloud services after being disconnected.
The default is 30 seconds.
Allowed values are any number of hours, minutes, or seconds, and take the format number
{h|m|s}.
For example, to set Retry interval to ten minutes, enter 10m or 600s.
10. (Optional) For Keep-alive interval, type the amount of time that the Connect EZ 16/32 device
should wait between sending keep-alive messages to remote cloud services when using a non-
cellular interface. The default is 60 seconds.
Allowed values are any number of hours, minutes, or seconds, and take the format number
{h|m|s}.
For example, to set Keep-alive interval to ten minutes, enter 10m or 600s.
11. (Optional) For Cellular keep-alive interval, type the amount of time that the Connect EZ
16/32 device should wait between sending keep-alive messages to remote cloud services when
using a cellular interface. The default is 290 seconds.


Allowed values are any number of hours, minutes, or seconds, and take the format number
{h|m|s}.
For example, to set Cellular keep-alive interval to ten minutes, enter 10m or 600s.
12. (Optional) For Allowed keep-alive misses, type the number of allowed keep-alive misses. The
default is 3.
13. Enable watchdog is used to monitor the connection to Digi Remote Manager. If the
connection is down, you can configure the device to restart the connection, or to reboot. The
watchdog is enabled by default. To configure the Watchdog service and view metrics, see
Watchdog service.
14. If Enable watchdog is enabled:
a. (Optional) For Restart Timeout, type the amount of time to wait before restarting the
connection to the remote cloud services, once the connection is down.
Allowed values are any number of hours, minutes, or seconds, and take the format
number{h|m|s}.
For example, to set Restart Timeout to ten minutes, enter 10m or 600s.
The minimum value is 30 minutes and the maximum is 48 hours. If not set, this option is
disabled. The default is 30 minutes.
b. (Optional) For Reboot Timeout, type the amount of time to wait before rebooting the
device, once the connection to the remote cloud services is down. By default, this option is
not set, which means that the option is disabled.
Allowed values are any number of hours, minutes, or seconds, and take the format
number{h|m|s}.
For example, to set Reboot Timeout to ten minutes, enter 10m or 600s.
The minimum value is 30 minutes and the maximum is 48 hours. If not set, this option is
disabled. The default is disabled.
15. (Optional) Enable Locally authenticate CLI to require a login and password to authenticate
the user from the remote cloud services CLI. If disabled, no login prompt will be presented and
the user will be logged in as admin. The default is disabled.
16. (Optional) Configure the Connect EZ 16/32 device to communicate with remote cloud services
by using SMS:
a. Click to expand Short message service.
b. Enable SMS messaging.
c. For Destination phone number, type the phone number for the remote cloud services:
- Within the US: 12029823370
- International: 447537431797
d. (Optional) Type the Service identifier.
17. (Optional) Configure the Connect EZ 16/32 device to communicate with remote cloud services
via one of two methods: Pinhole or Proxy server.
If using the Pinhole method, refer to the following
If using the Proxy server method:
a. Click to expand HTTP Proxy.
b. Enable the use of an HTTP proxy server.
c. For Server, type the hostname of the HTTP proxy server.


d. For Port, type or select the port number on the HTTP proxy server that the device should
connect to. The default is 2138.
18. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Digi Remote Manager support is enabled by default. To disable Remote Manager support:

(config)> cloud enable false


(config)>

4. (Optional) Set the URL for the central management server.

(config)> cloud drm drm_url url


(config)>

The default varies depending on firmware versions:


- Firmware version 22.2.9.x and newer: the default is edp12.devicecloud.com. This
  server is for device connectivity only, and uses enhanced security through
  certificate-based communication. See Digi Remote Manager support for further information.
- Firmware prior to version 22.2.9.x: the default is the Digi Remote Manager server,
  https://remotemanager.digi.com.
5. (Optional) Set the amount of time that the Connect EZ 16/32 device should wait before
reattempting to connect to the remote cloud services after being disconnected. The minimum
value is ten seconds. The default is 30 seconds.

(config)> cloud drm retry_interval value

where value is any number of hours, minutes, or seconds, and takes the format number
{h|m|s}.
For example, to set the retry interval to ten minutes, enter either 10m or 600s:

(config)> cloud drm retry_interval 600s


(config)>

6. (Optional) Set the amount of time that the Connect EZ 16/32 device should wait between
sending keep-alive messages to the Digi Remote Manager when using a non-cellular interface.
Allowed values are from 30 seconds to two hours. The default is 60 seconds.

(config)> cloud drm keep_alive value


(config)>


where value is any number of hours, minutes, or seconds, and takes the format number
{h|m|s}.
For example, to set the keep-alive interval to ten minutes, enter either 10m or 600s:

(config)> cloud drm keep_alive 600s


(config)>

7. (Optional) Set the amount of time that the Connect EZ 16/32 device should wait between
sending keep-alive messages to the Digi Remote Manager when using a cellular interface.
Allowed values are from 30 seconds to two hours. The default is 290 seconds.

(config)> cloud drm cellular_keep_alive value


(config)>

where value is any number of hours, minutes, or seconds, and takes the format number
{h|m|s}.
For example, to set the cellular keep-alive interval to ten minutes, enter either 10m or 600s:

(config)> cloud drm cellular_keep_alive 600s


(config)>

8. Set the number of allowed keep-alive misses. Allowed values are any integer between 2 and
64. The default is 3.

(config)> cloud drm keep_alive_misses integer


(config)>

9. The watchdog is used to monitor the connection to remote cloud services. If the connection is
down, you can configure the device to restart the connection, or to reboot. The watchdog is
enabled by default. To disable:

(config)> cloud drm watchdog false


(config)>

10. If watchdog is enabled:


a. (Optional) Set the amount of time to wait before restarting the connection to the remote
cloud services, once the connection is down.
where value is any number of hours, minutes, or seconds, and takes the format number
{h|m|s}.
For example, to set restart_timeout to ten minutes, enter either 10m or 600s:

(config)> cloud drm restart_timeout 600s


(config)>

The minimum value is 30 minutes and the maximum is 48 hours. If not set, this option is
disabled. The default is 30 minutes.
b. (Optional) Set the amount of time to wait before rebooting the device, once the
connection to the remote cloud services is down. By default, this option is not set, which
means that the option is disabled.

where value is any number of hours, minutes, or seconds, and takes the format number
{h|m|s}.
For example, to set reboot_timeout to ten minutes, enter either 10m or 600s:

(config)> cloud drm reboot_timeout 600s


(config)>

The minimum value is 30 minutes and the maximum is 48 hours. If not set, this option is
disabled. The default is disabled.
11. firmware_url should normally be left at the default location. To change:

(config)> cloud drm firmware_url url


(config)>

12. (Optional) Set the hostname or IP address of the speedtest server. The default is
speedtest.accns.com.

(config)> cloud drm speedtest_server name


(config)>

13. (Optional) Determine whether to require a login and password to authenticate the user from
the remote cloud services CLI:

(config)> cloud drm cli_local_auth true


(config)>

If set to false, no login prompt will be presented and the user will be logged in as admin. The
default is false.
14. (Optional) Configure the Connect EZ 16/32 device to communicate with remote cloud
services by using SMS:
a. Enable SMS messaging:

(config)> cloud drm sms enable true


(config)>

b. Set the phone number for Digi Remote Manager:

(config)> cloud drm sms destination value


(config)>

where value is either:


- Within the US: 12029823370
- International: 447537431797
c. (Optional) Set the service identifier:

(config)> cloud drm sms service_id id


(config)>

15. (Optional) Configure the Connect EZ 16/32 device to communicate with remote cloud
services by using an HTTP proxy server:


a. Enable the use of an HTTP proxy server:

(config)> cloud drm proxy enable true


(config)>

b. Set the hostname of the proxy server:

(config)> cloud drm proxy host hostname


(config)>

c. (Optional) Set the port number on the proxy server that the device should connect to. The
default is 2138.

(config)> cloud drm proxy port integer


(config)>

16. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

17. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
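
A pre-deployment check for the `cloud drm` settings above, as an added Python example (not Digi tooling): it parses CLI lines, applies the ranges and defaults stated in this section, and reports values that fall outside them or that weaken the Remote Manager connection. The function names and the sample input are constructed for this example. Note that the guide's own `restart_timeout 600s` example is below the stated 30-minute minimum, so the check reports it.

```python
import re

UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}

# (minimum, maximum) in seconds as stated in the guide; None means no bound is stated.
DURATION_LIMITS = {
    "retry_interval": (10, None),
    "keep_alive": (30, 2 * 3600),
    "cellular_keep_alive": (30, 2 * 3600),
    "restart_timeout": (30 * 60, 48 * 3600),
    "reboot_timeout": (30 * 60, 48 * 3600),
}
CERT_ENDPOINT = "edp12.devicecloud.com"  # default URL with client-side certificate support


def parse_duration(text):
    """Convert the guide's number{h|m|s} format to seconds."""
    match = re.fullmatch(r"(\d+)([hms])", text)
    if match is None:
        raise ValueError(f"{text!r} is not in number{{h|m|s}} format")
    return int(match.group(1)) * UNIT_SECONDS[match.group(2)]


def check_setting(key, value):
    """Return a finding string for one 'cloud drm <key> <value>' pair, or None."""
    if key in DURATION_LIMITS:
        low, high = DURATION_LIMITS[key]
        try:
            seconds = parse_duration(value)
        except ValueError as err:
            return str(err)
        if seconds < low or (high is not None and seconds > high):
            return f"{value} ({seconds}s) is outside the documented range"
    elif key == "keep_alive_misses":
        if not value.isdigit() or not 2 <= int(value) <= 64:
            return f"{value} is outside the documented range 2 to 64"
    elif key == "cli_local_auth" and value == "false":
        return "Remote Manager console opens as admin with no login prompt"
    elif key == "drm_url":
        # Compare the host exactly, ignoring any scheme, port or path.
        host = value.split("://")[-1].split("/")[0].split(":")[0].lower()
        if host != CERT_ENDPOINT:
            return f"not {CERT_ENDPOINT}; client-side certificate support needs that URL"
    return None


def audit(lines):
    """Audit CLI lines and return a list of (key, finding) tuples."""
    findings = []
    for raw in lines:
        parts = raw.split(">", 1)[-1].split()  # drop a leading "(config)>" prompt
        if len(parts) != 4 or parts[:2] != ["cloud", "drm"]:
            continue
        finding = check_setting(parts[2], parts[3])
        if finding:
            findings.append((parts[2], finding))
    return findings


# Constructed sample input, not taken from a real device.
SAMPLE = """\
(config)> cloud drm drm_url my.devicecloud.com
(config)> cloud drm retry_interval 5s
(config)> cloud drm keep_alive 600s
(config)> cloud drm keep_alive_misses 1
(config)> cloud drm restart_timeout 600s
(config)> cloud drm reboot_timeout 1h
(config)> cloud drm cli_local_auth false
""".splitlines()

if __name__ == "__main__":
    for key, finding in audit(SAMPLE):
        print(f"{key}: {finding}")
```

Because `cli_local_auth` defaults to false, a configuration with no such line behaves the same as the flagged one; set it to true where a login prompt is wanted on the Remote Manager console.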

Collect device health data and set the sample interval


You can enable or disable the collection of device health data to upload to Digi Remote Manager, and
configure the interval between health sample uploads. By default, device health data upload is
enabled, and the health sample interval is set to 60 minutes. Each time a device connects to Digi
Remote Manager after the device boots (or re-boots), the device immediately uploads all health
metrics.
To avoid a situation where several devices are uploading health metrics information to Remote
Manager at the same time, the Connect EZ 16/32 device includes a preconfigured randomization of
two minutes for uploading metrics. For example, if Health sample interval is set to five minutes, the
metrics will be uploaded to Remote Manager at a random time between five and seven minutes.
To disable the collection of device health data or enable it if it has been disabled, or to change the
health sample interval:

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.


d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Monitoring > Device Health.

4. (Optional) Click to expand Data point tuning.


Data point tuning options allow you to configure what data are uploaded to the Digi Remote
Manager. All options are enabled by default.
5. Only report changed values to Digi Remote Manager is enabled by default.
When enabled:
- The device only reports device health metrics that have changed since health metrics were
  last uploaded. This is useful to reduce the bandwidth used to report health metrics.
- All metrics are uploaded once every hour.
When disabled, all metrics are uploaded every Health sample interval.
6. Device health data upload is enabled by default. To disable, toggle off Enable Device Health
samples upload.
7. For Health sample interval, select the interval between health sample uploads.
8. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>


3. Device health data upload is enabled by default. To enable or disable:


- To enable:

(config)> monitoring devicehealth enable true


(config)>

- To disable:

(config)> monitoring devicehealth enable false


(config)>

4. The interval between health sample uploads is set to 60 minutes by default. To change:

(config)> monitoring devicehealth interval value


(config)>

where value is one of 1, 5, 15, 30, or 60, and represents the number of minutes between
uploads of health sample data.
5. By default, the device will only report health metrics values to Digi Remote Manager that have
changed since health metrics were last uploaded. This is useful to reduce the bandwidth used to
report health metrics. Even if enabled, all metrics are uploaded once every hour.
To disable:

(config)> monitoring devicehealth only_send_deltas false


(config)>

When disabled, all metrics are uploaded every Health sample interval.
6. (Optional) Tuning parameters allow you to configure what data are uploaded to the Digi
Remote Manager. By default, all tuning parameters are enabled.
To view a list of all available tuning parameters, use the show command:

(config)> show monitoring devicehealth tuning
all
    cellular
        rx
            bytes
                enable true
        tx
            bytes
                enable true
    eth
        rx
            bytes
                enable true
        tx
            bytes
                enable true
    serial
        rx
            bytes
                enable true
        tx
            bytes
                enable true
cellular
    1
        rx
            bytes
                enable true
            packets
                enable true
...
(config)>

To disable a tuning parameter, set its value to false. For example, to turn off all reporting for
the serial port:

(config)> monitoring devicehealth tuning all serial rx bytes enable false
(config)> monitoring devicehealth tuning all serial tx bytes enable false
(config)>

7. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

8. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Event log upload to Digi Remote Manager


Your device is automatically configured to upload the event log to Digi Remote Manager. These logs
are uploaded every 60 minutes.

Change the upload interval


To change how often the event logs are uploaded to Digi Remote Manager:

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.


b. Click the Device ID.


c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Monitoring > Device event logs.

4. For Device event log upload interval, change the interval between health sample uploads.
The default is 60 minutes.
5. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. The interval between event log uploads is set to 60 minutes by default. To change:

(config)> monitoring events interval value
(config)>

where value is one of 1, 5, 15, 30, or 60, and represents the number of minutes between
uploads of health sample data.
4. Save the configuration and apply the change.

(config)> save
Configuration saved.
>


5. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Reach Digi Remote Manager on a private network


If your company has a private network and you have devices that need to reach Digi Remote Manager,
there are several methods available:
- Pinhole: a communication port on your network not protected by the firewall which allows the
  application on the device to reach Digi Remote Manager.
- Proxy server: a dedicated software system equipped with its own IP address that runs on your
  network and acts as an intermediary between the device and Digi Remote Manager.
- VPN Tunnel: a virtual private network that offers a secure, encrypted connection between a
  device and the internet.

Pinhole method
Using the pinhole method requires your network administrator to remove the firewall connection on a
communication port. For more information, see Firewall concerns for outbound EDP connections to
Digi Remote Manager.

Proxy server method


The device is capable of connecting through an HTTP proxy, such as Squid, but it is up to the network
administrator to decide which HTTP proxy type to use.
To enable a proxy server and enter the server and port in Digi Remote Manager, see step 17 in
Configure your device for Digi Remote Manager support.

Tip To see instructions for setting up Squid and then configuring a device (not DAL) to reach Digi
Remote Manager, see the Digi Quick Note, Connecting to Digi Remote Manager Through Web Proxy.
Though this Quick Note references older technology and device types, it may provide a network
administrator with concrete examples from which they can draw correlations to newer technology
and devices.

VPN Tunnel method


Configuring a VPN tunnel to communicate with Digi Remote Manager is a two-step process. One step
is done by your organization's network administrator and the other by Digi Support.
Step 1: Set up the VPN tunnel
Your organization's network administrator needs to set up a VPN tunnel on your network, which will
be used to communicate with Digi Remote Manager through the Digi cloud service.
Step 2: Contact Digi Support
Digi Support configures the Digi cloud service to allow your VPN to communicate with Digi Remote
Manager. Contact Digi Support at https://www.digi.com/contactus.

Log into Digi Remote Manager


To start Digi Remote Manager


1. If you have not already done so, click here to sign up for a Digi Remote Manager account.
2. Check your email for Digi Remote Manager login instructions.
3. Go to remotemanager.digi.com.
4. Log into your Digi Remote Manager account.


Use Digi Remote Manager to view and manage your device


To view and manage your device:

1. If you have not already done so, connect to your Digi Remote Manager account.
2. From the menu, click Devices to display a list of your devices.
3. Use the Filter bar to locate the device you want to manage. For example, to search by type of
device:
a. Click the Advanced Search button.
b. Click in the filter bar.

c. Type the type of device (for example, Connect EZ 16/32).

Add a device to Remote Manager


There are several options for adding a device to Remote Manager.
- Quick Start process. Use this process to both install a device and then add it to Remote
  Manager. See the Connect EZ 16/32 .
- Device label information. Use the information on the device label (e.g., Device ID, MAC
  address, Password) to add a new device to Remote Manager. See Add a device to Remote
  Manager using information from the label.
- Digi Remote Manager credentials. Use your Remote Manager credentials to add a device to
  Remote Manager when you do not have the device password. See Add a device to Remote
  Manager using your Remote Manager login credentials.

Add a device to Remote Manager using information from the label


Tip If you do not have access to the device label, you can add the device using your Remote Manager
login credentials. See Add a device to Remote Manager using your Remote Manager login credentials.

1. If you have not already done so, connect to your Digi Remote Manager account.
2. From the menu, click Devices to display a list of your devices.


3. Click Add.

4. Type the Device ID, MAC Address, or IMEI.


5. For Device Default Password, enter the default password on the printed label packaged with
your device. The same default password is also shown on the label affixed to the bottom of the
device.
6. (Optional) Complete the other fields.
7. Click Add Device.
Remote Manager adds the Connect EZ 16/32 device to your account and it appears in the
Device Management view.

Add a device to Remote Manager using your Remote Manager login credentials

If you want to add a device to Remote Manager, and you do not have its password, you can add it
using your Remote Manager login credentials.
To add a device using your Remote Manager credentials:

Web
1. Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
2. On the dashboard, in Digi Remote Manager status pane, click Register device in new
account.

3. The Register Device in New Account page displays.

4. For Digi Remote Manager Username, type your Remote Manager username.
5. For Digi Remote Manager Password, type your Remote Manager password.
6. For Digi Remote Manager Group (optional), type the group to which the device will be
added, if needed.


7. Click Register.
The device is added to Remote Manager.

Command line
1. Log into the Connect EZ 16/32 local command line as a user with full Admin access rights.
2. Register a device.

(register) [group STRING] password STRING username STRING

where:
- group: group to add device in Digi Remote Manager.
- password: Digi Remote Manager password (required).
- username: Digi Remote Manager username (required).
3. Click Apply to save the configuration and apply the change.
4. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

5. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Configure multiple Connect EZ 16/32 devices by using Digi Remote Manager configurations

Digi recommends you take advantage of Remote Manager configurations to manage multiple Connect
EZ 16/32 devices. A Remote Manager configuration is a named set of device firmware, settings, and
file system options. You use the configuration to automatically update multiple devices and to
periodically scan devices to check for compliance with the configuration. See the Digi Remote
Manager User Guide for more information about Remote Manager configurations.
Typically, if you want to provision multiple Connect EZ 16/32 routers:

1. Using the Connect EZ 16/32 local WebUI, configure one Connect EZ 16/32 router to use as the
model configuration for all subsequent Connect EZ 16/32s you need to manage.
2. Register the configured Connect EZ 16/32 device in your Remote Manager account.


3. In Remote Manager, create a configuration:


a. From the Dashboard, select Configurations.

b. Click Create.

c. Enter a Name and an optional Description for the configuration, and select the Groups,
Device Type, and Firmware Version.
d. Click Save and continue.
e. Click Import from device and select the device configured above.
f. Click Import.
g. At the Settings page, configure any desired configuration overrides and click Continue.
h. At the File System page, make any desired changes to the files that were imported from
the device and click Continue.
i. At the Automations page, click Enable Scanning, make any other desired changes, and
click Save.
Digi Remote Manager provides multiple methods for applying configurations to registered devices.
You can also include site-specific settings with a profile to override settings on a device-by-device
basis.

View Digi Remote Manager connection status


To view the current Digi Remote Manager connection status from the local device:

Web
1. Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
The dashboard includes a Digi Remote Manager status pane:

Command line


1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. Use the show cloud command to view the status of your device's connection to Remote
Manager:

> show cloud

Device Cloud Status
-------------------

Status : Connected
Server : edp12.devicecloud.com
Device ID : 00000000-00000000-89E1FE-7550D7
>

3. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Learn more
To learn more about Digi Remote Manager features and functions, see the Digi Remote Manager User
Guide.



File system
This chapter contains the following topics:

The Connect EZ 16/32 local file system
Display directory contents
Create a directory
Display file contents
Copy a file or directory
Move or rename a file or directory
Delete a file or directory
Upload and download files


The Connect EZ 16/32 local file system


The Connect EZ 16/32 local file system has approximately 150 MB of space available for storing files,
such as Python programs, alternative configuration files and firmware versions, and release files, such
as cellular module images. The writable directories within the filesystem are:
- /tmp
- /opt
- /etc/config
Files stored in the /tmp directory do not persist across reboots. Therefore, /tmp is a good location to
upload temporary files, such as files used for firmware updates. Files stored in /opt and /etc/config do
persist across reboots, but are deleted if a factory reset of the system is performed. See Erase device
configuration and reset to factory defaults for more information.

Display directory contents


To display directory contents by using the WebUI or the Admin CLI:

Web
Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
1. On the menu, click System. Under Administration, click File System.

The File System page appears.

2. Highlight a directory and click the open icon to open the directory and view the files in the directory.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.


2. At the Admin CLI prompt, type ls /path/dir_name. For example, to display the contents of the
/etc/config directory:

> ls /etc/config
-rw-r--r-- 1 root root 856 Nov 20 20:12 accns.json
drw------- 2 root root 160 Sep 23 04:02 analyzer
drwxr-xr-x 3 root root 224 Sep 23 04:02 cc_acl
-rw-r--r-- 1 root root 47 Sep 23 04:02 dhcp.leases
...
>

3. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Create a directory

Command line
This procedure is not available through the WebUI. To make a new directory, use the mkdir command,
specifying the name of the directory.
For example:

1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the Admin CLI prompt, type mkdir /path/dir_name. For example, to create a directory
named temp in /etc/config:

> mkdir /etc/config/temp
>

3. Verify that the directory was created:

> ls /etc/config
...
-rw-r--r-- 1 root root 1436 Aug 12 21:36 ssl.crt
-rw------- 1 root root 3895 Aug 12 21:36 ssl.pem
-rw-r--r-- 1 root root 10 Aug 5 06:41 start
drwxr-xr-x 2 root root 160 Aug 25 17:49 temp
>

4. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.


Display file contents


This procedure is not available through the WebUI. To display the contents of a file by using the
Admin CLI, use the more command, specifying the name of the file.
For example:

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the Admin CLI prompt, type more /path/filename. For example, to view the contents of the
file accns.json in /etc/config:

> more /etc/config/accns.json
{
    "auth": {
        "user": {
            "admin": {
                "password": "$2a$05$W1sls1oxsadf/n4J0XT.Rgr6ewr1yerHtXQdbafsatGswKg0YUm"
            }
        }
    },
    "schema": {
        "version": "461"
    }
}
>

3. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Copy a file or directory


This procedure is not available through the WebUI. To copy a file or directory by using the Admin CLI,
use the cp command, specifying the existing path and filename followed by the path and filename of
the new file, or specifying the existing path and directory name followed by the path and directory
name of the new directory.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.


2. At the Admin CLI prompt, type cp /path/filename|dir_name /path[filename]|dir_name. For
example:
- To copy the file /etc/config/accns.json to a file named backup_cfg.json in a directory
  named /etc/config/test, enter the following:

> cp /etc/config/accns.json /etc/config/test/backup_cfg.json
>

- To copy a directory named /etc/config/test to /opt:

> cp /etc/config/test/ /opt/
>

3. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Move or rename a file or directory


This procedure is not available through the WebUI. To move or rename a file or directory by using the
Admin CLI, use the mv command.

Command line
To rename a file named test.py in /etc/config/scripts to final.py:

1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the Admin CLI prompt, type:

> mv /etc/config/scripts/test.py /etc/config/scripts/final.py
>

3. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
To move test.py from /etc/config/scripts to /opt:

1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the Admin CLI prompt, type:

> mv /etc/config/scripts/test.py /opt/
>


3. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Delete a file or directory


To delete a file or directory by using the WebUI or the Admin CLI:

Web
Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
1. On the menu, click System. Under Administration, click File System.

The File System page appears.

2. Highlight the directory containing the file to be deleted and click the open icon to open the directory.
3. Highlight the file to be deleted and click the delete icon.
4. Click OK to confirm.
Command line
To delete a file named test.py in /etc/config/scripts:

1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the Admin CLI prompt, type:

> rm /etc/config/scripts/test.py
rm: remove '/etc/config/scripts/test.py'? yes
>

3. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.


To delete a directory named temp from /opt:

1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the Admin CLI prompt, type:

> rm /opt/temp/
rm: descend into directory '/opt/temp'? yes
rm: remove directory '/opt/temp'? yes
>

3. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Upload and download files


You can download and upload files by using the WebUI or from the command line by using the scp
Secure Copy command, or by using a utility such as SSH File Transfer Protocol (SFTP) or an SFTP
application like FileZilla.

Upload and download files by using the WebUI

Upload files
Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
1. On the menu, click System. Under Administration, click File System.

The File System page appears.

2. Highlight the directory to which the file will be uploaded and click the open icon to open the directory.
3. Click the upload icon.


4. Browse to the location of the file on your local machine. Select the file and click Open to
upload the file.

Download files
Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
1. On the menu, click System. Under Administration, click File System.

The File System page appears.

2. Highlight the directory containing the file to be downloaded and click the open icon to open the directory.
3. Highlight the appropriate file and click the download icon.

Upload and download files by using the Secure Copy command

Copy a file from a remote host to the Connect EZ 16/32 device


To copy a file from a remote host to the Connect EZ 16/32 device, use the scp command as follows:

> scp host hostname-or-ip user username remote remote-path local local-path to local

where:
- hostname-or-ip is the hostname or IP address of the remote host.
- username is the name of the user on the remote host.
- remote-path is the path and filename of the file on the remote host that will be copied to the
  Connect EZ 16/32 device.
- local-path is the location on the Connect EZ 16/32 device where the copied file will be placed.
For example:
To copy firmware from a remote host with an IP address of 192.168.4.1 to the /etc/config directory on
the Connect EZ 16/32 device, issue the following command:

> scp host 192.168.4.1 user admin remote /home/admin/bin/Connect EZ 16/32-24.9.bin local /etc/config/scripts to local
admin@192.168.4.1's password: adminpwd
Connect EZ 16/32-24.9.bin 100% 36MB 11.1MB/s 00:03
>

Transfer a file from the Connect EZ 16/32 device to a remote host


To copy a file from the Connect EZ 16/32 device to a remote host, use the scp command as follows:

> scp host hostname-or-ip user username remote remote-path local local-path to remote

where:
- hostname-or-ip is the hostname or IP address of the remote host.
- username is the name of the user on the remote host.
- remote-path is the location on the remote host where the file will be copied.
- local-path is the path and filename on the Connect EZ 16/32 device.
For example:
To copy a support report from the Connect EZ 16/32 device to a remote host at the IP address of
192.168.4.1:

1. Use the system support-report command to generate the report:

> system support-report path /var/log/
Saving support report to /var/log/support-report-0040D0133536-24-01-12-12:10:00.bin
Support report saved.
>

2. Use the scp command to transfer the report to a remote host:

> scp host 192.168.4.1 user admin remote /home/admin/temp/ local /var/log/support-report-0040D0133536-24-01-12-12:10:00.bin to remote
admin@192.168.4.1's password: adminpwd
support-report-0040D0133536-24-01-12-12:10:00.bin
>

Upload and download files using SFTP

Transfer a file from a remote host to the Connect EZ 16/32 device


This example uploads firmware from a remote host to the Connect EZ 16/32 device with an IP address
of 192.168.2.1, using the username ahmed:

$ sftp ahmed@192.168.2.1
Password:
Connected to 192.168.2.1
sftp> put Connect EZ 16/32-24.9
Uploading Connect EZ 16/32-24.9 to Connect EZ 16/32-24.9
Connect EZ 16/32-24.9 100% 24M 830.4KB/s 00:00
sftp> exit
$


Transfer a file from the Connect EZ 16/32 device to a remote host


This example downloads a file named test.py from the Connect EZ device at the IP address of
192.168.2.1 with a username of ahmed to the local directory on the remote host:

$ sftp ahmed@192.168.2.1
Password:
Connected to 192.168.2.1
sftp> get test.py
Fetching test.py to test.py
test.py 100% 254 0.3KB/s 00:00
sftp> exit
$



Diagnostics
This chapter contains the following topics:

Perform a speedtest
Generate a support report
View system and event logs
Configure syslog servers
Configure options for the event and system logs
Configure an email notification for a system event
Configure an SNMP trap for a system event
Analyze network traffic
Use the ping command to troubleshoot network connections
Use the traceroute command to diagnose IP routing problems


Perform a speedtest
To perform a speedtest:

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. Use the iperf command to generate the report:

> iperf host

where host is the hostname or IP address of a speedtest host. For example:

> iperf speedtest.accns.com
Tx (upload) average: 50.1110 Mbps
Tx latency: 31.45 ms
Rx (download) average: 44.7588 Mbps
Rx latency: 30.05 ms
>

3. To output the result in JSON format, use the output parameter:

> iperf host output json
{"tx_avg": "51.8510", "tx_avg_units": "Mbps", "tx_latency": "31.07",
"tx_latency_units": "ms", "rx_avg": "39.5770", "rx_avg_units": "Mbps",
"rx_latency": "34.19", "rx_latency_units": "ms" }
>

4. To change the size of the speedtest packet, use the size parameter:

> iperf host size int

5. By default, the speedtest uses nuttcp for the mode. To change this setting from nuttcp to iperf,
use the mode parameter:

> iperf host mode iperf

6. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Generate a support report


To generate and download a support report:

Web


Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
1. On the main menu, click System. Under Administration, click Support Report.

2. Click the download icon to generate and download the support report.

Attach the support report to any support requests.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. Use the system support-report command to generate the report:

> system support-report path /var/log/
Saving support report to /var/log/support-report-0040D0133536-24-01-12-12:10:00.bin
Support report saved.
>

3. Use the scp command to transfer the report to a remote host:

> scp host 192.168.4.1 user admin remote /home/admin/temp/ local /var/log/support-report-0040D0133536-24-01-12-12:10:00.bin to remote
admin@192.168.4.1's password: adminpwd
support-report-0040D0133536-24-01-12-12:10:00.bin
>

4. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
See Support report overview for an overview of what is contained in the support report.

Support report overview


Generating a Support Report
Support reports provide a snapshot of a device's current settings and connection status at the time of
the report's generation. The relevant log files are packaged into a .bin file that can be downloaded
from the local (web) UI. For more information about generating support reports, see Generate a
support report.


Note Information logged on the device will be erased when the device is powered off or rebooted to
avoid unnecessary wear to the flash memory. See Configure options for the event and system logs for
more information on how to enable persistent system logs.

Use 7-Zip or any other file-archiving utility to extract a support report. Its contents are organized into
the following directories:
/etc
This folder most notably contains a running list of the cellular connections that have been registered
by the device's radio.

| Directory | Filename | Notes |
|---|---|---|
| /etc | version | Active firmware version |
| /etc/config | mn.json | Cellular connections logged as having been engaged by the radio; establishes previous APN associations |

/opt
Information stored here persists between reboots and system resets.

| Directory | Filename | Notes |
|---|---|---|
| /opt/log_last | messages | With persistent system logs enabled, syslog info will be stored in the /opt directory which isn't erased after reboots or system resets |

/tmp
Output from a series of diagnostic queries is stored in a randomly generated sub-directory within
/tmp. When combing through these logs, pay particular attention to config_dump-public (to verify
local device settings) and mmcli-dump (to validate the cellular connection status).

| Directory | Filename | Notes |
|---|---|---|
| /tmp/#* | | *# is generated at random |
| | arp_-nv | The table of IP-address to MAC-address translations used by the address resolution protocol (ARP) |
| | arptables_-nvv_-L | The tables of ARP packet filter rules in the Linux kernel |
| | cat_procmeminfo | A breakdown of memory utilization at the time when the support report was generated |
| | config_dump-public | The device's current settings, scrubbed of passwords and preshared keys |
| | conntrack_-L | A list of all currently tracked connections through the system |
| | conntrack_-S | A summary of currently tracked connections |
| | date | Local system time. If the device isn't online when the support report is generated, the date will be based on the date/month/year that the firmware running on the device was created (e.g. 18.4.54.41 was created 2018-07-05) |
| | df_-h | A report of the file system disk space usage |
| | event_list | A list of events leveraged for syslog messages |
| | fw_printenv | The entire environment for the bootloader U-Boot |
| | ip_addr_list | IP addresses listed per interface |
| | ip_route_list | Default routing information per interface |
| | ip6tables_-nv_-L | A list of IPv6 routing tables |
| | ip6tables_-nv_-L_-t_mangle | Firewall table used when handling mangled/fragmented IPv6 packets |
| | ip6tables_-nv_-L_-t_nat | Firewall table used to direct NAT'd traffic |
| | iptables_-nv_-L | A list of IPv4 firewall tables |
| | iptables_-nv_-L_-t_mangle | Firewall table used when handling mangled/fragmented IPv4 packets |
| | iptables_-nv_-L_-t_nat | Firewall table used to direct NAT'd traffic |
| | ls_-RlhA_etcconfig | An index of items in /etc/config (and its sub-directories) |
| | ls_-RlhA_opt | An index of items in /opt (and its sub-directories) |
| | ls_-RlhA_tmp | An index of items in /tmp (and its sub-directories) |
| | ls_-RlhA_var | An index of items in /var (and its sub-directories) |
| | mmcli-dump | A repository of critical information about the cellular radio based off of the cited modem-manager output and defined set of AT commands |
| | netstat_-i | Interface statistics for transmitted/received packets |
| | netstat_-na | List of both listening and non-listening network sockets on the device |
| | ps_l | A snapshot of the current processes running at the time of generating the report |
| | runt_json | Storage for active/engaged system variables |
| | sprite_config_dump | Not used for cellular devices |
| | ubus-dump | A log of ubus calls for network devices and interfaces |
| | uptime | The device's uptime at the time of generating the report, along with CPU load averages for the past 1, 5, and 15 minutes |

/var/log
The running system log is stored in "messages" until reaching a set line count (1,000 lines by default).
Once this limit is exceeded, that file is renamed to "messages.0" and a new running log is written to
the now-empty "messages" log.

| Directory | Filename | Notes |
|---|---|---|
| /var/log | messages | Current syslog information |
| | messages.0 | Rollover syslog information |

/var/run
This directory can be disregarded for most troubleshooting/ diagnostic purposes.

Directory Filename Notes


/var/run all files Runtime settings for the device -- referenced in the syslog
data gathered in /tmp (see above)

View system and event logs


See Configure options for the event and system logs for information about configuring the
information displayed in event and system logs.

View System Logs

Web
Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
1. On the main menu, click System > Logs.

The system log displays:

2. Limit the display in the system log by using the Find search tool.

3. Use filters to configure the types of information displayed in the system logs.

4. Click the download icon to download the system log.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. Use the show log command at the Admin CLI prompt:

> show log

Timestamp Message
-------------- -------------------------------------------------------------
Nov 26 21:54:34 Connect EZ 16/32 netifd: Interface 'interface_wan' is setting up now
Nov 26 21:54:35 Connect EZ 16/32 firewalld[621]: reloading status
...
>

3. (Optional) Use the show log number num command to limit the number of lines that are
displayed. For example, to limit the log to the most recent ten lines:

> show log number 10

Timestamp Message
-------------- -------------------------------------------------------------
Nov 26 21:54:34 Connect EZ 16/32 netifd: Interface 'interface_wan' is setting up now
Nov 26 21:54:35 Connect EZ 16/32 firewalld[621]: reloading status
...
>

4. (Optional) Use the show log filter value command to limit the number of lines that are
displayed. Allowed values are critical, warning, info, and debug. For example, to limit the
event list to only info messages:

> show log filter info

Timestamp Type Category Message
---------------- ------- --------- -------------------------------------------
Nov 26 22:01:26 info user name=admin~service=cli~state=opened~remote=192.168.1.2
Nov 26 22:01:25 info user name=admin~service=cli~state=closed~remote=192.168.1.2
...
>

5. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

View Event Logs

Web
Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
1. On the main menu, click System > Logs.

2. Click System Logs to collapse the system logs viewer, or scroll down to Events.
3. Click Events to expand the event viewer.

4. Limit the display in the event log by using the Find search tool.

5. Click the download icon to download the event log.

Command line


1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. Use the show event command at the Admin CLI prompt:

> show event

Timestamp Type Category Message
---------------- ------- --------- -------------------------------------------
Nov 26 21:42:37 status stat intf=eth1~type=ethernet~rx=11332435~tx=5038762
Nov 26 21:42:35 status system local_time=Thu, 08 Aug 2019 21:42:35 +0000~uptime=3 hours, 0 minutes, 48 seconds
...
>

3. (Optional) Use the show event number num command to limit the number of lines that are
displayed. For example, to limit the event list to the most recent ten lines:

> show event number 10

Timestamp Type Category Message
---------------- ------- --------- -------------------------------------------
Nov 26 21:42:37 status stat intf=eth1~type=ethernet~rx=11332435~tx=5038762
Nov 26 21:42:35 status system local_time=Thu, 08 Aug 2019 21:42:35 +0000~uptime=3 hours, 0 minutes, 48 seconds
...
>

4. (Optional) Use the show event table value command to limit the number of lines that are
displayed. Allowed values are error, info, and status. For example, to limit the event list to
only info messages:

> show event table info

Timestamp Type Category Message
---------------- ------- --------- -------------------------------------------
Nov 26 22:01:26 info user name=admin~service=cli~state=opened~remote=192.168.1.2
Nov 26 22:01:25 info user name=admin~service=cli~state=closed~remote=192.168.1.2
...
>

5. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
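
The event rows shown above carry their details as tilde-separated key=value pairs (for example name=admin~service=cli~state=opened~remote=192.168.1.2), so saved show event output can be reviewed for logins from unexpected addresses. The following Python is an added example, not Digi code: the function names, the allowed management network and the 203.0.113.50 row are constructed for illustration, and it assumes a wrapped row continues on the next line, as printed in this guide.

```python
import ipaddress
import re

# Constructed sample in the layout printed by "show event"; the 203.0.113.50
# row is invented for this example, the other rows follow the guide's output.
SAMPLE = """\
> show event

Timestamp        Type    Category  Message
---------------- ------- --------- --------------------------------------
-----
Nov 26 22:07:10 info user
name=admin~service=cli~state=opened~remote=203.0.113.50
Nov 26 22:01:26 info user
name=admin~service=cli~state=opened~remote=192.168.1.2
Nov 26 22:01:25 info user
name=admin~service=cli~state=closed~remote=192.168.1.2
Nov 26 21:42:35 status system local_time=Thu, 08 Aug 2019 21:42:35
+0000~uptime=3 hours, 0 minutes, 48 seconds
...
>
"""

# A row starts with a syslog-style timestamp, then the event type and category.
ROW = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<type>error|info|status)\s+(?P<category>\S+)\s*(?P<message>.*)$"
)


def parse_events(text):
    """Return one dict per event, with the message split into 'fields'."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip the prompt, column header, separator rules and the "..." marker.
        if not line or line.startswith(("Timestamp", "-", "...", ">")):
            continue
        match = ROW.match(line)
        if match:
            events.append(match.groupdict())
        elif events:
            # Assumption: anything else is the wrapped tail of the previous row.
            event = events[-1]
            event["message"] = (event["message"] + " " + line).strip()
    for event in events:
        event["fields"] = dict(
            pair.split("=", 1) for pair in event["message"].split("~") if "=" in pair
        )
    return events


def unexpected_logins(events, allowed_networks):
    """List (timestamp, name, service, remote) for sessions opened from
    addresses outside allowed_networks, or with no parsable remote address."""
    networks = [ipaddress.ip_network(net) for net in allowed_networks]
    findings = []
    for event in events:
        fields = event["fields"]
        if event["category"] != "user" or fields.get("state") != "opened":
            continue
        remote = fields.get("remote", "")
        try:
            address = ipaddress.ip_address(remote)
            allowed = any(address in net for net in networks)
        except ValueError:
            allowed = False  # missing or malformed address: surface for review
        if not allowed:
            findings.append(
                (event["ts"], fields.get("name"), fields.get("service"), remote)
            )
    return findings


if __name__ == "__main__":
    for finding in unexpected_logins(parse_events(SAMPLE), ["192.168.1.0/24"]):
        print("login from outside management network:", finding)
```
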

Configure syslog servers


You can configure remote syslog servers for storing event and system logs.

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click System > Log.

4. Add and configure a remote syslog server:


a. Click to expand Server list.
b. For Add Server, click the add icon.

The log server configuration window is displayed.

Log servers are enabled by default. To disable, toggle off Enable.


c. Type the host name or IP address of the Server.
d. Select the event categories that will be sent to the server. By default, all event categories
are enabled. You can disable logging for error, informational, and status event categories
by clicking to toggle off the category.
e. For Syslog egress port, type the port number to use for the syslog server. The default is
514.
f. For Protocol, select the IP protocol to use for communication with the syslog server.
Available options are TCP and UDP. The default is UDP.
5. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. (Optional) To configure remote syslog servers:


a. Add a remote server:

(config)> add system log remote end


(config system log remote 0)>

b. Enable the server:

(config system log remote 0)> enable true


(config system log remote 0)>

c. Set the host name or IP address of the server:

(config system log remote 0)> server hostname


(config system log remote 0)>

d. The event categories that will be sent to the server are automatically enabled when the
server is enabled.

- To disable informational event messages:

(config system log remote 0)> info false
(config system log remote 0)>

- To disable status event messages:

(config system log remote 0)> status false
(config system log remote 0)>

- To disable error event messages:

(config system log remote 0)> error false
(config system log remote 0)>

4. Set the port number to use for the syslog server:

(config system log remote 0)> port value


(config system log remote 0)>

where value is any integer between 1 and 65535. The default is 514.
5. Set the IP protocol to use for communication with the syslog server:

(config system log remote 0)> protocol value


(config system log remote 0)>

where value is either tcp or udp. The default is udp.


6. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

7. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Configure options for the event and system logs


The default configuration for event and system logging is:
- The heartbeat interval, which determines the amount of time to wait before sending a
heartbeat event if no other events have been sent, is set to 30 minutes.
- All event categories are enabled.
To change or disable the heartbeat interval, or to disable event categories, and to perform other log
configuration:

Web


1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click System > Log.

4. (Optional) To change the Heartbeat interval from the default of 30 minutes, type a new value.
The heartbeat interval determines the amount of time to wait before sending a heartbeat
event if no other events have been sent.
Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the
format number{w|d|h|m|s}.
For example, to set Heartbeat interval to ten minutes, enter 10m or 600s.
To disable the Heartbeat interval, enter 0s.
5. (Optional) To disable event categories, or to enable them if they have been disabled:
a. Click to expand Event Categories.
b. Click an event category to expand.
c. Depending on the event category, you can enable or disable informational events, status
events, and error events. Some categories also allow you to set the Status interval, which
is the time interval between periodic status events.


You can enable or disable Enable email notifications if you want to email a system log
event notification to a specified email address. The email address must also be specified
before a notification can be sent. To configure, see Configure an email notification for a
system event.
You can enable or disable Enable SNMP traps if you want system log event information
saved to an SNMP trap. At least one SNMP destination must be defined before event
information can be saved. To configure, see Configure an SNMP trap for a system event.
6. (Optional) See Configure syslog servers for information about configuring remote syslog
servers to which log messages will be sent.
7. (Optional) To change the system log settings from the defaults, type in a new value.
- System log rotation size: Specify the maximum size (measured in kilobytes) the
system log file can reach before log rotation. When the specified size is reached, the
system log rotates.
Default is 200 kb. Minimum is 10 kb.
- System log rotation count: Specify the number of system log files to keep.
Default is 8. Minimum is 1; maximum is 20.
8. Enable Preserve system logs to save the current session's system log after a reboot.
By default, the Connect EZ 16/32 device erases system logs each time the device is powered off
or rebooted.

Note You should only enable Preserve system logs temporarily to debug issues. Once you are
finished debugging, immediately disable Preserve system logs to avoid unnecessary wear to
the flash memory.

9. Click Apply to save the configuration and apply the change.

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. (Optional) To change the heartbeat interval from the default of 30 minutes, set a new value.
The heartbeat interval determines the amount of time to wait before sending a heartbeat
event if no other events have been sent.

(config)> system log heartbeat_interval value


(config)>

where value is any number of weeks, days, hours, minutes, or seconds, and takes the format
number{w|d|h|m|s}.

For example, to set the heartbeat interval to ten minutes, enter either 10m or 600s:

(config)> system log heartbeat_interval 600s


(config)>

To disable the heartbeat interval, set the value to 0s.


4. Enable preserve system logs functionality to save the current session's system log after a
reboot. By default, the Connect EZ 16/32 device erases system logs each time the device is
powered off or rebooted.

Note You should only enable Preserve system logs temporarily to debug issues. Once you are
finished debugging, immediately disable Preserve system logs to avoid unnecessary wear to
the flash memory.

(config)> system log persistent true


(config)>

5. (Optional) To disable event categories, or to enable them if they have been disabled:
a. Use the question mark (?) to determine available event categories:

(config)> system log event ?

Event categories: Settings to enable individual event categories.

Additional Configuration
-------------------------------------------------------------------------------
arping ARP ping
config Configuration
dhcpserver DHCP server
firmware Firmware
location Location
modem Modem
netmon Active recovery
network Network interfaces
openvpn OpenVPN
portal Captive portal
remote Remote control
restart Restart
serial Serial
sms SMS commands
speed Speed
stat Network statistics
user User
wol Wake-On-LAN

(config)> system log event

b. Depending on the event category, you can enable or disable informational events, status
events, and error events. Some categories also allow you to set the status interval, which is
the time interval between periodic status events. For example, to configure DHCP server
logging:
i. Use the question mark (?) to determine what events are available for DHCP server
logging configuration:

(config)> system log event dhcpserver ?


...
DHCP server: Settings for DHCP server events. Informational events are generated
when a lease is obtained or released. Status events report the current list of
leases.

Parameters Current Value
-------------------------------------------------------------------------------
info true Enable informational events
status true Enable status events
status_interval 30m Status interval

(config)> system log event dhcpserver

ii. To disable informational messages for the DHCP server:

(config)> system log event dhcpserver info false


(config)>

iii. To change the status interval:

(config)> system log event dhcpserver status_interval value


(config)>

where value is any number of weeks, days, hours, minutes, or seconds, and takes the
format number{w|d|h|m|s}.
For example, to set the status interval to ten minutes, enter either 10m or 600s:

(config)> system log event dhcpserver status_interval 600s


(config)>

6. (Optional) See Configure syslog servers for information about configuring remote syslog
servers to which log messages will be sent.
7. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

8. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.
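
Because a heartbeat event is sent whenever no other event has been sent for the heartbeat interval, a log collector can treat a longer silence from a device as a sign that the device or its log forwarding needs attention. The following Python is an added example, not Digi code: the function names, the two-minute grace period and the arrival times are constructed for illustration, and it accepts only the single number{w|d|h|m|s} form this guide describes.

```python
import re
from datetime import datetime, timedelta

_UNITS = {"w": "weeks", "d": "days", "h": "hours", "m": "minutes", "s": "seconds"}


def parse_interval(text):
    """Convert a number{w|d|h|m|s} value such as 10m or 600s to a timedelta."""
    match = re.fullmatch(r"(\d+)([wdhms])", text.strip())
    if match is None:
        raise ValueError(f"not in number{{w|d|h|m|s}} format: {text!r}")
    return timedelta(**{_UNITS[match.group(2)]: int(match.group(1))})


def silent_gaps(arrivals, heartbeat, grace="2m", now=None):
    """Return (last_seen, next_seen) pairs where the device stayed silent for
    longer than the heartbeat interval plus a grace period.

    arrivals  -- datetimes at which events from one device reached the collector
    heartbeat -- the configured heartbeat interval, e.g. "30m"
    grace     -- allowance for delivery delay (an assumption of this example)
    now       -- if given, the silence since the last event is checked as well

    Returns None when heartbeat is 0s: with the heartbeat disabled, a quiet
    device is indistinguishable from a lost one, so no gap can be asserted.
    """
    interval = parse_interval(heartbeat)
    if interval == timedelta(0):
        return None
    limit = interval + parse_interval(grace)
    points = sorted(list(arrivals) + ([now] if now is not None else []))
    return [
        (earlier, later)
        for earlier, later in zip(points, points[1:])
        if later - earlier > limit
    ]


# Constructed arrival times for one device with the default 30m heartbeat.
SAMPLE_ARRIVALS = [
    datetime(2024, 11, 26, 10, 0),
    datetime(2024, 11, 26, 10, 25),
    datetime(2024, 11, 26, 10, 55),
    datetime(2024, 11, 26, 12, 10),  # 75 minutes after the previous event
]

if __name__ == "__main__":
    checked_at = datetime(2024, 11, 26, 12, 20)
    for last_seen, next_seen in silent_gaps(SAMPLE_ARRIVALS, "30m", now=checked_at):
        print(f"no events between {last_seen} and {next_seen}")
```
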

Configure an email notification for a system event


You can configure the Connect EZ 16/32 to send an email notification of a system event.
Step 1: Configure the SMTP server that is used to send email notifications when a system log event
occurs by enabling the Email notifications system log feature.
Step 2: Review the system log event categories and select the type of information that you want to
save to the system log: errors, informational events, or status events, depending on the event
category. To ensure the notification is sent, enable the Enable email notification option for the event
category.

1. Log in to the web UI.


2. Click System > Device Configuration. The Configuration page displays.
3. Expand System > Log.
4. Expand Email notifications.
5. Click Enable. The slider is blue when enabled.
a. From the Server type list box, select the method used to connect and authenticate with
the SMTP server.
b. In the SMTP server name field, enter the host name or IP address of the SMTP server.
c. In the SMTP server port field, enter the TCP port of the SMTP server.
d. In the Server user name field, enter the server login name.
e. In the Server password field, enter the server password.
f. In the Email from address field, enter the email address that should be placed in the
From field on an email.
g. In the Email to address field, enter the email address that should be placed in the To field on
an email.
h. In the Email subject field, enter the text for the subject line of the email.
6. Click Apply to save the configuration and apply the change.
7. Review the system log event categories and select the type of information that you want to
save to the system log, and enable the Enable email notification option. To configure these
options, see Configure options for the event and system logs.

Configure an SNMP trap for a system event


You can configure an SNMP trap destination for a Connect EZ 16/32 to save system event information.
Step 1: Configure an SNMP trap by enabling the SNMP traps system log feature.
Step 2: Review the system log event categories and select the type of information that you want to
save to the system log and the SNMP trap: errors, informational events, or status events, depending
on the event category. To ensure the log information is saved to an SNMP trap, enable the Enable
SNMP traps option for the event category.

1. Log in to the web UI.


2. Click System > Device Configuration. The Configuration page displays.
3. Expand System > Log.
4. Expand SNMP traps.
5. Click Enable. The slider is blue when enabled.

6. Add a destination.
a. Click Add Destination.
b. In the Host Name field, enter the host name or IP address of the SNMP destination.
c. In the Port field, enter the UDP port of the SNMP destination. The default is 162.
d. In the Community name field, enter the SNMP destination community name. The default
is public.
e. Repeat this process to add an additional destination, if needed.
7. Click Apply to save the configuration and apply the change.
8. Review the system log event categories and select the type of information that you want to
save to the system log, and enable the Enable SNMP traps option. To configure these options,
see Configure options for the event and system logs.

Analyze network traffic


The Connect EZ 16/32 device includes a network analyzer tool that captures data traffic on any
interface and decodes the captured data traffic for diagnostics. You can capture data traffic on
multiple interfaces at the same time and define capture filters to reduce the captured data. You can
capture up to 10 MB of data traffic in two 5 MB files per interface.
To perform a more detailed analysis, you can download the captured data traffic from the device and
view it using a third-party application.

Note Data traffic is captured to RAM and the captured data is lost when the device reboots unless you
save the data to a file. See Save captured data traffic to a file.

This section contains the following topics:

Configure packet capture for the network analyzer
Example filters for capturing data traffic
Capture packets from the command line
Stop capturing packets
Show captured traffic data
Save captured data traffic to a file
Download captured data to your PC
Clear captured data

Configure packet capture for the network analyzer


To use the network analyzer, you must create one or more packet capture configurations.

Required configuration items


- The interface used by this packet capture configuration.

Additional configuration items

- The filter expression for this packet capture configuration.
- Schedule the analyzer to run based on a specified event or at a particular time:
  - The events or time that will trigger the analyzer to run, using this capture configuration.
  - The amount of time that the analyzer session will run.
  - The frequency with which captured events will be saved.
To configure a packet capture configuration:

Web
1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access
rights.
2. Access the device configuration:

Remote Manager:
a. Locate your device as described in Use Digi Remote Manager to view and manage your
device.
b. Click the Device ID.
c. Click Settings.
d. Click to expand Config.

Local Web UI:


a. On the menu, click System. Under Configuration, click Device Configuration.

The Configuration window is displayed.


3. Click Network > Analyzer.

4. For Add Capture settings, type a name for the capture filter and click the add icon.

The new capture filter configuration is displayed.

5. (Optional) Add a filter type:


a. Click to expand Filter.

You can select from preconfigured filters to determine which types of packets to capture
or ignore, or you can create your own Berkeley packet filter expression.
b. To create a filter that either captures or ignores packets from a particular IP address or
network:
i. Click to expand Filter IP addresses or networks.
ii. Click the add icon to add an IP address/network.

iii. For IP address or network, type the IPv4 or IPv6 address (and optional netmask).
iv. For Source or destination IP address, select whether the filter should apply to
packets when the IP address/network is the source, the destination, or both.
v. Click Ignore this IP address or network if the filter should ignore packets from this
IP address/network. By default, this option is disabled, which means that the filter will
capture packets from this IP address/network.
vi. Click the add icon to add additional IP address/network filters.

c. To create a filter that either captures or ignores packets that use a particular IP protocol:
i. Click to expand Filter IP protocols.
ii. Click the add icon to add an IP protocol.
iii. For IP protocol to capture or ignore, select the protocol. If Other protocol is
selected, type the number of the protocol.
iv. Click Ignore this protocol if the filter should ignore packets that use this protocol. By
default, this option is disabled, which means that the filter will capture packets that use
this protocol.
v. Click the add icon to add additional IP protocol filters.
d. To create a filter that either captures or ignores packets from a particular port:
i. Click to expand Filter TCP/UDP port.
ii. Click the add icon to add a TCP/UDP port.
iii. For IP TCP/UDP port to capture or ignore, type the number of the port to be
captured or ignored.
iv. For TCP or UDP port, select the type of transport protocol.
v. For Source or destination TCP/UDP port, select whether the filter should apply to
packets when the port is the source, the destination, or both.
vi. Click Ignore this TCP/UDP port if the filter should ignore packets that use this port.
By default, this option is disabled, which means that the filter will capture packets that
use this port.
vii. Click the add icon to add additional port filters.
e. To create a filter that either captures or ignores packets from one or more specified MAC
addresses:
i. Click to expand Filter Ethernet MAC addresses.
ii. Click the add icon to add a MAC address.
iii. For Ethernet MAC address, type the MAC address to be captured or ignored.
iv. For Source or destination Ethernet MAC address, select whether the filter should
apply to packets when the Ethernet MAC address is the source, the destination, or
both.
v. Click Ignore this MAC address if the filter should ignore packets that use this MAC
address. By default, this option is disabled, which means that the filter will capture
packets that use this MAC address.
vi. Click the add icon to add additional MAC address filters.
f. To create a filter that either captures or ignores packets from one or more VLANs:
i. Click to expand Filter VLANs.
ii. Click the add icon to add a VLAN.
iii. For The VLAN to capture or ignore, type the number of the VLAN.
iv. Click Ignore this VLAN if the filter should ignore packets that use this VLAN. By default,
this option is disabled, which means that the filter will capture packets that use this
VLAN.
v. Click the add icon to add additional VLAN filters.

g. For Berkeley packet filter expression, type a filter using Berkeley Packet Filter (BPF)
syntax. See Example filters for capturing data traffic for examples of filters using BPF
syntax.
6. Add one or more interfaces to the capture filter:
a. Click to expand Device.
b. Click the add icon to add an interface to the capture setting instance.

c. For Device, select an interface.


d. Repeat to add additional interfaces to the capture filter.
7. (Optional) For Berkeley packet filter expression, type a filter using Berkeley Packet Filter
(BPF) syntax. See Example filters for capturing data traffic for examples of filters using BPF
syntax.
8. (Optional) Schedule the analyzer to run, using this capture filter, based on a specified event or
at a particular time:
a. For Run mode, select the mode that will be used to run the capture filter. Available
options are:
- On boot: The capture filter will run once each time the device boots.
- Interval: The capture filter will start running at the specified interval, within 30
seconds after the configuration change is saved.
  - If Interval is selected, in Interval, type the interval.
    Allowed values are any number of weeks, days, hours, minutes, or seconds, and
    take the format number{w|d|h|m|s}.
    For example, to set Interval to ten minutes, enter 10m or 600s.
- Set time: Runs the capture filter at a specified time of the day.
  - If Set Time is selected, specify the time that the capture filter should run in
    Run time, using the format HH:MM.
- During system maintenance: The capture filter will run during the system
maintenance time window.
b. Enable the capture filter schedule.
c. For Duration, type the amount of time that the scheduled analyzer session will run.
Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the
format number{w|d|h|m|s}.
For example, to set Duration to ten minutes, enter 10m or 600s.
d. For Save interval, type the frequency with which captured events will be saved.
Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the
format number{w|d|h|m|s}.
For example, to set Save interval to ten minutes, enter 10m or 600s.
9. Click Apply to save the configuration and apply the change.

Command line


1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. Add a new capture filter:

(config)> add network analyzer name


(config network analyzer name)>

4. Add an interface to the capture filter:

(config network analyzer name)> add device end device


(config network analyzer name)>

Determine available devices and the proper syntax.


To determine available devices and proper syntax, use the space bar autocomplete feature:

(config network analyzer name)> add device end <space>


(config network analyzer name)> add interface end /network/

Repeat to add additional interfaces.


5. (Optional) Set a filter for the capture filter:
a. To create a filter that either captures or ignores packets from a particular IP address or
network:
i. Add a new IP address/network filter:

(config network analyzer name)> add filter address end


(config network analyzer name filter address 0)>

ii. Set the IPv4 or IPv6 address (and optional netmask):

(config network analyzer name filter address 0)> address ip_address[/netmask]
(config network analyzer name filter address 0)>

iii. Set whether the filter should apply to packets when the IP address/network is the
source, the destination, or both:

(config network analyzer name filter address 0)> match value


(config network analyzer name filter address 0)>

where value is one of:


- source: The filter will apply to packets when the IP address/network is the
source.
- destination: The filter will apply to packets when the IP address/network is
the destination.
- either: The filter will apply to packets when the IP address/network is either
the source or the destination.
iv. (Optional) Set the filter to ignore packets from this IP address/network:

(config network analyzer name filter address 0)> ignore true


(config network analyzer name filter address 0)>

By default, this option is set to false, which means that the filter will capture packets
from this IP address/network.
v. Repeat these steps to add additional IP address filters.
b. To create a filter that either captures or ignores packets that use a particular IP protocol:
i. Add a new IP protocol filter:

(config network analyzer name)> add filter protocol end


(config network analyzer name filter protocol 0)>

ii. Use the ? to determine available protocols and the appropriate format:

(config network analyzer name filter protocol 0)> protocol ?

IP protocol to capture or ignore: IP protocol to capture or ignore.
Format:
ah
esp
gre
icmp
icmpv6
igmp
ospf
other
tcp
udp
vrrp
Current value:

(config network analyzer name filter protocol 0)>

iii. Set the protocol:

(config network analyzer name filter protocol 0)> protocol value


(config network analyzer name filter protocol 0)>

iv. If other is set for the protocol, set the number of the protocol:

(config network analyzer name filter protocol 0)> protocol_other value
(config network analyzer name filter protocol 0)>

where value is an integer between 1 and 255 and represents the number of the
protocol.

v. (Optional) Set the filter to ignore packets from this protocol:

(config network analyzer name filter protocol 0)> ignore true


(config network analyzer name filter protocol 0)>

By default, this option is set to false, which means that the filter will capture packets
from this protocol.
vi. Repeat these steps to add additional protocol filters.
c. To create a filter that either captures or ignores packets from a particular port:
i. Add a new port filter:

(config network analyzer name)> add filter port end


(config network analyzer name filter port 0)>

ii. Set the transport protocol that should be filtered for the port:

(config network analyzer name filter port 0)> protocol value


(config network analyzer name filter port 0)>

where value is one of tcp, udp, or either. The default is either.


iii. Set whether the filter should apply to packets when the port is the source, the
destination, or both:

(config network analyzer name filter port 0)> match value


(config network analyzer name filter port 0)>

where value is one of:
- source: The filter will apply to packets when the port is the source.
- destination: The filter will apply to packets when the port is the destination.
- either: The filter will apply to packets when the port is either the source or the
destination.
iv. (Optional) Set the filter to ignore packets from this port:

(config network analyzer name filter port 0)> ignore true


(config network analyzer name filter port 0)>

By default, this option is set to false, which means that the filter will capture packets
from this port.
v. Repeat these steps to add additional port filters.
d. To create a filter that either captures or ignores packets from one or more specified MAC
addresses:
i. Add a new MAC address filter:

(config network analyzer name)> add filter mac_address end


(config network analyzer name filter mac_address 0)>

ii. Set the MAC address that should be captured or ignored:

(config network analyzer name filter mac_address 0)> address value


(config network analyzer name filter mac_address 0)>

where value is the MAC address to be filtered, using colon-hexadecimal notation with
lower case, for example, 00:aa:11:bb:22:cc.
iii. Set whether the filter should apply to packets when the MAC address is the source,
the destination, or both:

(config network analyzer name filter mac_address 0)> match value


(config network analyzer name filter mac_address 0)>

where value is one of:
- source: The filter will apply to packets when the MAC address is the source.
- destination: The filter will apply to packets when the MAC address is the
destination.
- either: The filter will apply to packets when the MAC address is either the
source or the destination.
iv. (Optional) Set the filter to ignore packets from this MAC address:

(config network analyzer name filter mac_address 0)> ignore true


(config network analyzer name filter mac_address 0)>

By default, this option is set to false, which means that the filter will capture packets
from this MAC address.
v. Repeat these steps to add additional MAC addresses.
e. To create a filter that either captures or ignores packets from one or more specified VLANs:
i. Add a new VLAN filter:

(config network analyzer name)> add filter vlan end


(config network analyzer name filter vlan 0)>

ii. Set the VLAN that should be captured or ignored:

(config network analyzer name filter vlan 0)> vlan value


(config network analyzer name filter vlan 0)>

where value is the number of the VLAN.
iii. (Optional) Set the filter to ignore packets from this VLAN:

(config network analyzer name filter vlan 0)> ignore true


(config network analyzer name filter vlan 0)>

By default, this option is set to false, which means that the filter will capture packets
from this VLAN.
iv. Repeat these steps to add additional VLANs.
f. To create a filter using Berkeley Packet Filter (BPF) syntax:


(config network analyzer name)> filter custom value


(config network analyzer name)>

where value is a filter using Berkeley Packet Filter (BPF) syntax. Values that contain spaces
must be enclosed in double quotes (").
See Example filters for capturing data traffic for examples of filters using BPF syntax.
6. (Optional) Schedule the analyzer to run, using this capture filter, based on a specified event or
at a particular time:
a. Enable scheduling for this capture filter:

(config network analyzer name)> schedule enable true


(config network analyzer name)>

b. Set the mode that will be used to run the capture filter:

(config network analyzer name)> when mode


(config network analyzer name)>

where mode is one of the following:
- boot: The script will run once each time the device boots.
- interval: The script will start running at the specified interval, within 30 seconds
after the configuration change is saved. If interval is selected, set the interval:

(config add network analyzer name)> on_interval value


(config add network analyzer name)>

where value is any number of weeks, days, hours, minutes, or seconds, and takes
the format number{w|d|h|m|s}.
For example, to set on_interval to ten minutes, enter either 10m or 600s:

(config network analyzer name)> on_interval 600s


(config network analyzer name)>

- set_time: Runs the script at a specified time of the day. If set_time is set, set the
time that the script should run, using the format HH:MM:

(config network analyzer name)> run_time HH:MM


(config network analyzer name)>

- maintenance_time: The script will run during the system maintenance time
window.
c. Set the amount of time that the scheduled analyzer session will run:

(config network analyzer name)> duration value


(config network analyzer name)>

where value is any number of weeks, days, hours, minutes, or seconds, and takes the
format number{w|d|h|m|s}.
For example, to set duration to ten minutes, enter either 10m or 600s:

(config network analyzer name)> duration 600s


(config network analyzer name)>

d. Set the frequency with which captured events will be saved:

(config network analyzer name)> save_interval value


(config network analyzer name)>

where value is any number of weeks, days, hours, minutes, or seconds, and takes the
format number{w|d|h|m|s}.
For example, to set save_interval to ten minutes, enter either 10m or 600s:

(config network analyzer name)> save_interval 600s


(config network analyzer name)>

7. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

8. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Example filters for capturing data traffic


The following are examples of filters using Berkeley Packet Filter (BPF) syntax for capturing several
types of network data. See https://biot.com/capstats/bpf.html for detailed information about BPF
syntax.

Example IPv4 capture filters


- Capture traffic to and from IP host 192.168.1.1:

ip host 192.168.1.1

- Capture traffic from IP host 192.168.1.1:

ip src host 192.168.1.1

- Capture traffic to IP host 192.168.1.1:

ip dst host 192.168.1.1

- Capture traffic for a particular IP protocol:

ip proto protocol

where protocol is a number in the range of 1 to 255 or one of the following keywords: icmp,
icmp6, igmp, pim, ah, esp, vrrp, udp, or tcp.

- Capture traffic to and from TCP port 80:

ip proto tcp and port 80

- Capture traffic to UDP port 53:

ip proto udp and dst port 53

- Capture traffic from UDP port 53:

ip proto udp and src port 53

- Capture traffic to and from IP host 10.0.0.1 but filter out ports 22 and 80:

ip host 10.0.0.1 and not (port 22 or port 80)

Example Ethernet capture filters


- Capture Ethernet packets to and from a host with a MAC address of 00:40:D0:13:35:36:

ether host 00:40:D0:13:35:36

- Capture Ethernet packets from host 00:40:D0:13:35:36:

ether src 00:40:D0:13:35:36

- Capture Ethernet packets to host 00:40:D0:13:35:36:

ether dst 00:40:D0:13:35:36
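
A capture filter can be checked offline before it is configured, so that the capture neither misses the traffic under investigation nor records more than intended. The following Python evaluator is an added example, not Digi code: it handles the subset of BPF syntax used in the example filters and runs them against a constructed packet record. It assumes the device follows standard pcap-filter rules, where and/or have equal precedence and are evaluated left to right.

```python
import ipaddress
import re

# IP protocol keywords listed for "ip proto", with their IANA protocol numbers.
PROTO_NUM = {"icmp": 1, "igmp": 2, "tcp": 6, "udp": 17, "esp": 50,
             "ah": 51, "icmp6": 58, "pim": 103, "vrrp": 112}

# Constructed packet record (already-decoded header fields, not raw bytes).
SAMPLE = {"ether_src": "fb:03:53:05:11:2f", "ether_dst": "00:40:d0:13:35:36",
          "ip_src": "10.10.74.130", "ip_dst": "10.10.74.72",
          "proto": 6, "sport": 52654, "dport": 22}


def combine(op, a, b):
    if op == "and":
        return lambda p: a(p) and b(p)
    return lambda p: a(p) or b(p)


def compile_filter(expr):
    """Return a predicate (packet dict -> bool) for the supported filter subset."""
    toks = re.findall(r"\(|\)|[^\s()]+", expr.lower())
    pos = 0

    def peek():
        return toks[pos] if pos < len(toks) else None

    def take():
        nonlocal pos
        if pos >= len(toks):
            raise ValueError("filter ends unexpectedly")
        pos += 1
        return toks[pos - 1]

    def primitive():
        family = take() if peek() in ("ip", "ether") else None
        if family == "ip" and peek() == "proto":
            take()
            # Standard libpcap wants keyword names escaped here (ip proto \tcp);
            # both spellings are accepted by this evaluator.
            name = take().lstrip("\\")
            num = PROTO_NUM[name] if name in PROTO_NUM else int(name)
            return lambda p: p.get("proto") == num
        direction = take() if peek() in ("src", "dst") else None
        if peek() in ("host", "port"):
            kind = take()
        elif direction:
            kind = "host"  # "ether src MAC" and "src ADDR" imply host
        else:
            raise ValueError(f"unsupported primitive near {peek()!r}")
        value = take()
        if kind == "port":
            want, names = int(value), {"src": ["sport"], "dst": ["dport"]}
        elif family == "ether":
            # A malformed MAC (for example a stray trailing colon) is rejected.
            if not re.fullmatch(r"([0-9a-f]{2}:){5}[0-9a-f]{2}", value):
                raise ValueError(f"bad MAC address {value!r}")
            want, names = value, {"src": ["ether_src"], "dst": ["ether_dst"]}
        else:
            want = str(ipaddress.ip_address(value))  # ValueError if malformed
            names = {"src": ["ip_src"], "dst": ["ip_dst"]}
        fields = names[direction] if direction else names["src"] + names["dst"]
        return lambda p: any(p.get(f) == want for f in fields)

    def factor():
        if peek() == "not":  # negation binds tightest
            take()
            inner = factor()
            return lambda p: not inner(p)
        if peek() == "(":
            take()
            inner = expression()
            if take() != ")":
                raise ValueError("missing closing parenthesis")
            return inner
        return primitive()

    def expression():
        # pcap-filter: "and" and "or" share one precedence level, left to right.
        left = factor()
        while peek() in ("and", "or"):
            op, right = take(), factor()
            left = combine(op, left, right)
        return left

    pred = expression()
    if pos != len(toks):
        raise ValueError(f"unexpected token {toks[pos]!r}")
    return pred


def matches(expr, packet):
    return compile_filter(expr)(packet)


if __name__ == "__main__":
    for f in ("ip host 10.10.74.72", "ip proto tcp and port 22",
              "ip host 10.10.74.130 and not (port 22 or port 80)"):
        print(f"{f!r:55} -> {matches(f, SAMPLE)}")
```

Because and/or are evaluated left to right, `port 22 or port 80 and ip src host 10.0.0.9` means `(port 22 or port 80) and ip src host 10.0.0.9`; use parentheses whenever a filter mixes the two.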

Capture packets from the command line


You can start packet capture at the command line with the analyzer start command. Alternatively, you
can schedule the network analyzer to run based on a specified event or at a particular time. See
Configure packet capture for the network analyzer for information about scheduling packet capturing.
Additional analyzer commands allow you to:
- Stop capturing packets.
- Save captured data traffic to a file.
- Clear captured data.

Required configuration items


- A configured packet capture. See Configure packet capture for the network analyzer for packet
capture configuration information.
To start packet capture from the command line:

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.

Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. Type the following at the Admin CLI prompt:

> analyzer start name capture_filter


>

where capture_filter is the name of a packet capture configuration. See Configure packet
capture for the network analyzer for more information.
To determine available packet capture configurations, use the ?:

> analyzer start name ?

name: Name of the capture filter to use.


Format:
test_capture
capture_ping

> analyzer start name

You can capture up to 10 MB of data traffic in two 5 MB files per interface.

Note Data traffic is captured to RAM and the captured data is lost when the device reboots unless you
save the data to a file. See Save captured data traffic to a file.

Stop capturing packets


You can stop packet capture at the command line with the analyzer stop command.
To stop packet capture from the command line:

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. Type the following at the Admin CLI prompt:

> analyzer stop name capture_filter


>

where capture_filter is the name of a packet capture configuration. See Configure packet
capture for the network analyzer for more information.
To determine available packet capture configurations, use the ?:

> analyzer stop name ?

name: Name of the capture filter to use.


Format:
test_capture


capture_ping

> analyzer stop name

Show captured traffic data


To view captured data traffic, use the show analyzer command. The command output shows the
following information for each packet:
- The packet number.
- The timestamp for when the packet was captured.
- The length of the packet and the amount of data captured.
- Whether the packet was sent or received by the device.
- The interface on which the packet was sent or received.
- A hexadecimal dump of the packet of up to 256 bytes.
- Decoded information of the packet.
To show captured data traffic:

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. Type the following at the Admin CLI prompt:

> show analyzer name capture_filter

Packet 1 : Sept-29-2023 12:10:00.287682, Length 60 bytes (Captured Length 60 bytes)

Received on interface eth1

00 40 ff 80 01 20 b4 b6 86 21 b5 73 08 00 45 00 .@... .. .!.s..E.
00 28 3d 36 40 00 80 06 14 bc 0a 0a 4a 82 0a 0a .(=6@... ....J..
4a 48 cd ae 00 16 a4 4b ff 5f ee 1f d8 23 50 10 JH.....K ._...#P.
08 02 c7 40 00 00 00 00 00 00 00 00 ...@.... ....

Ethernet Header
Destination MAC Addr : 00:40:D0:13:35:36
Source MAC Addr : fb:03:53:05:11:2f
Ethernet Type : IP (0x0800)
IP Header
IP Version : 4
Header Length : 20 bytes
ToS : 0x00


Total Length : 40 bytes


ID : 15670 (0x3d36)
Flags : Do not fragment
Fragment Offset : 0 (0x0000)
TTL : 128 (0x80)
Protocol : TCP (6)
Checksum : 0x14bc
Source IP Address : 10.10.74.130
Dest. IP Address : 10.10.74.72
TCP Header
Source Port : 52654
Destination Port : 22
Sequence Number : 2756443999
Ack Number : 3995064355
Data Offset : 5
Flags : ACK
Window : 2050
Checksum : 0xc740
Urgent Pointer : 0
TCP Data
00 00 00 00 00 00 ......

>

where capture_filter is the name of a packet capture configuration. See Configure packet
capture for the network analyzer for more information.
To determine available packet capture configurations, use the ?:

> show analyzer name ?

name: Name of the capture filter to use.


Format:
test_capture
capture_ping

> show analyzer name
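
When a capture is reviewed away from the device, the hexadecimal dump can be decoded independently and its checksums verified, which confirms that the bytes were copied intact. The following Python decoder is an added example, not Digi code: it takes the hex dump from the sample show analyzer output (wrapped lines rejoined), rebuilds the frame, and decodes the Ethernet, IPv4 and TCP headers. All values are read from the dump bytes themselves.

```python
import ipaddress
import re
import struct

# Sample packet text from the "show analyzer" output, wrapped lines rejoined.
SAMPLE = """\
Packet 1 : Sept-29-2023 12:10:00.287682, Length 60 bytes (Captured Length 60 bytes)
Received on interface eth1
00 40 ff 80 01 20 b4 b6 86 21 b5 73 08 00 45 00 .@... .. .!.s..E.
00 28 3d 36 40 00 80 06 14 bc 0a 0a 4a 82 0a 0a .(=6@... ....J..
4a 48 cd ae 00 16 a4 4b ff 5f ee 1f d8 23 50 10 JH.....K ._...#P.
08 02 c7 40 00 00 00 00 00 00 00 00 ...@.... ....
"""


def dump_to_bytes(text):
    """Rebuild the frame from dump rows: up to 16 leading hex pairs per row."""
    m = re.search(r"Captured Length\s+(\d+) bytes", text)
    caplen = int(m.group(1)) if m else None
    out = bytearray()
    for line in text.splitlines():
        row = []
        for tok in line.split():
            # Stop at the ASCII column (or any non-hex token) and at 16 bytes.
            if len(row) == 16 or not re.fullmatch(r"[0-9a-fA-F]{2}", tok):
                break
            row.append(int(tok, 16))
        out += bytes(row)
    return bytes(out[:caplen])


def inet_checksum_ok(data):
    """Internet checksum check: one's-complement sum over all words is 0xFFFF."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def decode(frame):
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    pkt = {"dst_mac": mac(frame[0:6]), "src_mac": mac(frame[6:12]),
           "ethertype": struct.unpack("!H", frame[12:14])[0]}
    if pkt["ethertype"] != 0x0800:
        return pkt  # not IPv4, nothing more to decode here
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("truncated or malformed IPv4 header")
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IPv4 header length")
    total_len, ident, frag = struct.unpack("!HHH", ip[2:8])
    pkt.update(total_len=total_len, id=ident, dont_fragment=bool(frag & 0x4000),
               ttl=ip[8], proto=ip[9],
               src_ip=str(ipaddress.ip_address(ip[12:16])),
               dst_ip=str(ipaddress.ip_address(ip[16:20])),
               ip_checksum_ok=inet_checksum_ok(ip[:ihl]),
               # Bytes after the IP total length are Ethernet padding on short frames.
               trailer=ip[total_len:])
    if pkt["proto"] == 6:
        seg = ip[ihl:total_len]
        if len(seg) < 20:
            raise ValueError("truncated TCP header")
        sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack(
            "!HHIIHHHH", seg[:20])
        pkt.update(src_port=sport, dst_port=dport, seq=seq, ack=ack,
                   data_offset=off_flags >> 12, tcp_flags=off_flags & 0x1FF,
                   window=window)
        # The dump holds at most 256 bytes, so the TCP checksum can only be
        # verified when the whole segment was captured.
        if len(ip) >= total_len:
            pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(seg))
            pkt["tcp_checksum_ok"] = inet_checksum_ok(pseudo + seg)
    return pkt


if __name__ == "__main__":
    for key, value in decode(dump_to_bytes(SAMPLE)).items():
        print(f"{key:16} {value}")
```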

Save captured data traffic to a file


Data traffic is captured to RAM and when the device reboots, the data is lost. To retain the captured
data, first save the data to a file and then upload the file to a PC.
To save captured traffic data to a file, use the analyzer save command:

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.


2. Type the following at the Admin CLI prompt:

> analyzer save filename filename path path


>

where:
- filename is the name of the file that the captured data will be saved to.
Determine filenames already in use:
Use the tab autocomplete feature to determine filenames that are currently in use:

> analyzer save name <tab>


test1_analyzer_capture test2_analyzer_capture
> analyzer save name

- path is the path and filename to save captured traffic to. If a relative path is provided,
/etc/config/analyzer will be used as the root directory for the path and file.
To transfer the file to your PC, see Download captured data to your PC.

Download captured data to your PC


After saving captured data to a file (see Save captured data traffic to a file), you can download the file
from the WebUI or from the command line by using the scp (secure copy file) command.

Web
Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
1. On the menu, click System. Under Administration, click File System.

The File System page appears.

2. Highlight the analyzer directory and click the icon to open the directory.

3. Select the saved analyzer report you want to download and click the download icon.

Command line

1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. Type scp to use the Secure Copy program to copy the file to your PC:

> scp host hostname-or-ip user username remote remote-path local local-path to remote

where:
- hostname-or-ip is the hostname or IP address of the remote host.
- username is the name of the user on the remote host.
- remote-path is the location on the remote host where the file will be copied.
- local-path is the path and filename on the Connect EZ 16/32 device.
For example:
To download the traffic saved in the file /etc/config/analyzer/eth0.pcpng to a PC with the IP
192.168.210.2, for a user named maria, to the /home/maria directory:

> scp host 192.168.210.2 user maria remote /home/maria local /etc/config/analyzer/eth0.pcpng to remote

maria@192.168.210.2's password:
eth0.pcpng 100% 11KB 851.3KB/s 00:00

Clear captured data


To clear captured data traffic in RAM, use the analyzer clear command:

Command line
1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. Type the following at the Admin CLI prompt:

> analyzer clear name capture_filter


>

where capture_filter is the name of a packet capture configuration. See Configure packet
capture for the network analyzer for more information.
To determine available packet capture configurations, use the ?:

> analyzer clear name ?

name: Name of the capture filter to use.


Format:


test_capture
capture_ping

> analyzer clear name

Note You can remove data traffic saved to a file using the rm command.


Use the ping command to troubleshoot network connections


Use the ping command to troubleshoot connectivity problems.

Ping to check internet connection


To check your internet connection:

1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the Admin CLI prompt, type the ping command followed by the host name or IP address of
the server to be pinged:

> ping 8.8.8.8


PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=54 time=11.1 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=54 time=10.8 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=54 time=10.7 ms
...
>

3. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Stop ping commands


To stop pings when the number of pings to send (the count parameter) has been set to a high value,
enter Ctrl+C.

Use the traceroute command to diagnose IP routing problems


Use the traceroute command to diagnose IP routing problems. This command traces the route to a
remote IP host and displays results. The traceroute command differs from ping in that traceroute
shows where the route fails, while ping simply returns a single error on failure.
See the traceroute command description for command syntax and examples. The traceroute
command has several parameters. Only host is required.
- host: The IP address of the destination host.
- bypass: Send directly to a host on an attached network.
- debug: Enable socket level debugging.
- dontfragment: Do not fragment probe packets.
- first_ttl: Specifies with what TTL to start. (Default: 1)
- gateway: Route the packet through a specified gateway.
- icmp: Use ICMP ECHO for probes.
- interface: Specifies the interface.
- ipchecksums: Calculate IP checksums.
- max_ttl: Specifies the maximum number of hops. (Default: 30)
- nomap: Do not map IP addresses to host names.
- nqueries: Sets the number of probe packets per hop. (Default: 3)
- packetlen: Total size of the probing packet. (Default: -1)
- pausemsecs: Minimal time interval between probes. (Default: 0)
- port: Specifies the destination port. (Default: -1)
- src_addr: Chooses an alternative source address.
- tos: Set Type of Service. (Default: -1)
- verbose: Verbose output.
- waittime: Max wait for a response to a probe. (Default: 5)

Example
This example shows using traceroute to verify that the Connect EZ device can route to host 8.8.8.8
(www.google.com) through the default gateway. The command output shows that 15 routing hops
were required to reach the host:

1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the Admin CLI prompt, use the traceroute command to view IP routing information:

> traceroute 8.8.8.8


traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 52 byte packets
1 192.168.8.1 (192.168.8.1) 0 ms 0 ms 0 ms
2 10.10.10.10 (10.10.10.10) 0 ms 2 ms 2 ms
3 * 10.10.8.23 (10.10.8.23) 1 ms 1 ms
4 96.34.84.22 (96.34.84.22) 1 ms 1 ms 1 ms
5 96.34.81.190 (96.34.81.190) 2 ms 2 ms 2 ms
6 * * *
7 96.34.2.12 (96.34.2.12) 11 ms 11 ms 11 ms
8 * * *
9 8.8.8.8 (8.8.8.8) 11 ms 11 ms 11 ms
>

By entering a whois command on a Unix device, the output shows that the route is as follows:

1. 192/8: The local network of the Connect EZ 16/32 device.


2. 192.168.8.1: The local network gateway to the Internet.
3. 96/8: Charter Communications, the network provider.
4. 216/8: Google Inc.

Stop the traceroute process


To stop the traceroute process, enter Ctrl-C.



AnywhereUSB 2 Plus USB ports on a Connect EZ
16/32
Your Connect EZ 16/32 includes two USB ports, which act as an AnywhereUSB 2 Plus Hub. The USB
ports can only be used in conjunction with the AnywhereUSB Manager, which must be installed
separately.
The AnywhereUSB 2 Plus ports implement USB over IP® technology over Gigabit Ethernet networks.
This Gigabit Ethernet-attached solution provides two USB 3.1 ports to connect a wide range of
peripheral devices such as USB license dongles, scanners, printers, cameras, storage media, or other
USB devices.

Get started
The steps in this section explain how to install the AnywhereUSB Manager and configure the
Connect EZ 16/32 to allow you to use the AnywhereUSB ports.

Step 1: Install the AnywhereUSB Manager


The AnywhereUSB Manager is a separate application that you use to configure and manage the
USB ports included in the Connect EZ 16/32. The two USB ports on the Connect EZ 16/32 act as an
AnywhereUSB 2 Plus Hub.
You can install the AnywhereUSB Manager on a computer with a Windows or Linux OS. After the
software installs, the AnywhereUSB Manager launches and automatically discovers the USB ports on
the Connect EZ 16/32.

Installation instructions
- Install the AnywhereUSB Manager: Windows
- Install the AnywhereUSB Manager: Linux

Install the AnywhereUSB Manager: Windows


The AnywhereUSB Manager is a separate application that you use to configure and manage the
USB ports included in the Connect EZ 16/32. The two USB ports on the Connect EZ 16/32 act as an
AnywhereUSB 2 Plus Hub.
The AnywhereUSB Manager software must be downloaded from the Digi support site and installed
on your computer. After the software installs, the AnywhereUSB Manager launches and
automatically discovers the USB ports on the Connect EZ 16/32.


CAUTION! Only a Windows Administrator can perform the software install. If you are logged
in as a non-Windows Administrator user and you attempt to install the software, you will be
required to enter Windows Administrator log in credentials to be able to complete the
installation process.

Prerequisites
Before you begin, you should determine the following:
- Mode: Decide whether you want to run the AnywhereUSB Manager as a stand-alone or as a
service. For detailed information, see Service.
- Client ID: Determine a client ID for the computer on which you are installing the Manager. The
client ID is associated with the login credentials for the user currently logged on to the
computer, and is used by your computer and the Hub to create a connection. See Client ID
overview for more information.
- Uninstall previous version of the Manager: If you have previously installed the Manager on
your PC, you must uninstall the existing version before installing a newer version.

Step 1: Install the AnywhereUSB Manager

1. Download the AnywhereUSB Manager installer from the AnywhereUSB Drivers section of the
support page.
a. Navigate to the AnywhereUSB Plus support page.
b. Click the Product Resources tab. This should be selected by default.
c. In the Drivers & Patches section, click the AnywhereUSB Manager link.
d. From the drop-down list box, select Microsoft Windows.
e. Click the download link for the version of the installer that you want to download. Make a
note of the version number for future reference.

Note You should save the downloaded software to your computer before you start the
install process. This is useful if you decide to uninstall the AnywhereUSB Manager from
the original installer in the future.

2. Right-click on the downloaded software and select the Run as Administrator menu option.
3. Enter your Administrator login credentials. The AnywhereUSB Manager installation wizard
launches.


4. Click Next. The Ready to Install screen appears. You must specify which mode you want to
install: Standalone or Service. For detailed information about each mode, refer to Service.

5. Click Install. A status bar shows the progress of the installation process. When complete, the
Completed screen appears.
6. The options in the Completed screen are selected by default. De-select the option if you do
not want to use the feature.

- Launch AnywhereUSB Manager: Launch the AnywhereUSB Manager when the
installation completes.
- Run AnywhereUSB Manager at Logon: Automatically launch AnywhereUSB Manager
each time you log in to your Windows user account. Digi recommends that you do not
de-select this option.

Note If you have installed the Manager as a service, this option applies only to the
current admin user. Each time this admin user logs in, the Manager launches so the
user can administer the service. If a non-admin user logs in, the service is available, but
the AnywhereUSB Manager does not display.

7. Click Finish. The client ID entry dialog appears.

Note If you deselected the Launch AnywhereUSB Manager option, the client ID entry dialog
does not automatically display. You must manually launch the Manager to continue with the
installation process. If you are in service mode, you must run it as Administrator.

- Stand-alone: If you installed the Manager in stand-alone mode, the client ID
confirmation dialog looks like this:

- Service: If you installed the Manager in service mode, the client ID confirmation dialog
looks like this:

8. Enter a unique client ID. This client ID is associated with the login credentials for the user
currently logged on to the computer. See Client ID overview for more information about how
the client ID is used by your computer and the Hub to create a connection.
9. Click OK.

Step 2: Add the client ID for the PC to the AnywhereUSB Hub client ID list
This step allows the PC and the Hub to connect.

1. Right-click on the Hub name in the AnywhereUSB Manager and choose the Open Web
UI menu option. The web UI for the Hub launches.
2. Log in to the web UI using the Hub's user name and password.
3. Select System > AnywhereUSB Configuration.
4. In the Client Settings section, click Add Client.
5. In the Client ID field, enter the client ID that you just entered during the AnywhereUSB
Manager installation.
6. A list of the group numbers displays beneath the Group Access field. Click the check box next
to a group to which this client ID is allowed access. As you select groups, the selected group
numbers appear in the Group Access field. As an alternative, you can enter group numbers in
the Group Access field, for example: 1, 5-8, 10-24.
7. Click Apply.
8. Return to the AnywhereUSB Manager. The Manager should connect to the Hub within 60
seconds. You can select File > Refresh to have the Manager immediately try to connect to the
Hub.

Step 3: Verify that you can see a USB device in the AnywhereUSB Manager that is connected to
the Hub

1. Insert a USB memory stick into port 1 on the Hub. The memory stick appears in the
AnywhereUSB Manager.
2. Double-click on the group the memory stick is in to connect to the group.
3. In the Manager, verify that the memory stick and the group that it is in both have the message
(in use by you), which indicates that the USB device is connected to your PC.

NEXT STEP: Proceed to the next step: Step 2: Enable the AnywhereUSB Service.

Determine AnywhereUSB Manager mode for Windows: Service or stand-alone


You can choose to install the AnywhereUSB Manager in service or stand-alone mode. Each mode
offers different features and may interact differently with the Manager.

Note The AnywhereUSB Manager shows information that pertains to the installed mode. Most
importantly, if you install the Manager in service mode, "SERVICE MODE" displays in the Manager
title bar and in the Status pane. See AnywhereUSB Manager Status pane for detailed information.

The table below compares the features in each mode. Refer to the table to help you determine which
mode is best for your organization. For more information about the user roles, see User roles.

Feature: Run and configure the AnywhereUSB Manager
  Service mode: Only an Administrator can run the AnywhereUSB Manager to configure the service.
  Stand-alone mode: Any user (an Administrator or a non-Administrator) can run and configure the
  AnywhereUSB Manager.

Feature: USB device availability
  Service mode: The devices in the groups connected to the computer are always available to the
  computer. The service automatically runs in the background.
  Stand-alone mode: Devices in connected groups are only available when the Manager is running.
  Note To ensure that all USB devices are connected to your computer at boot time, you must select
  Enable Auto Connect for each group assigned to the client ID for the computer.

Feature: Which users can see devices connected to the computer
  Service mode: All users can see all the devices in the groups that are connected to the computer.
  Stand-alone mode: All users can see all the devices in the groups that are connected to the
  computer.
  Note The devices that can be seen are changeable, depending on which users are logged into the
  computer.

Mode interactions with AnywhereUSB features


The sections below explain how each mode interacts with the AnywhereUSB Manager features.

Service
- To ensure that all USB devices are connected to your computer at boot time, you must select
Enable Auto Connect for each group assigned to the client ID for the computer. The USB
devices in the groups connected to the computer are available to the users.
- Multiple users can log on with their Windows user account and use the devices connected by
the service to the computer at the same time.
- If you are not an Administrator, you cannot run the Manager but you can see and use the
devices that are connected from the Hub to you.
- Groups and devices remain connected when users log in or out.


Stand-alone
- If you install the AnywhereUSB Manager as a stand-alone, Digi recommends that you select
the Run AnywhereUSB Manager at Startup option during the installation process to
automatically launch the Manager each time you log in to your Windows user account.
- When the user logs in and starts the AnywhereUSB Manager, the Manager automatically
connects to groups that have Enable Auto Connect enabled. The USB devices in those groups
are connected to the machine.
- Groups and devices are connected when the Manager starts running if auto connect is enabled
for the group. If auto connect is not enabled for the group, you can manually connect to a
group. Groups and devices are disconnected when the Manager stops running, which typically
occurs when the user running the Manager logs off the computer.

Warnings
n Only an Administrator has the rights to install the AnywhereUSB Manager.
If you log onto the computer as a non-Administrative user and attempt to install the
AnywhereUSB Manager, you will be prompted during the installation process for an
Administrator user name and password. If you do not provide Administrator credentials, you
will not be able to complete the installation process.
n In stand-alone mode, only one user can open the AnywhereUSB Manager at a time. The
Manager cannot be opened simultaneously by multiple users. In addition, a single user cannot
run multiple instances of the Manager.
n In stand-alone mode, each user must have a different client ID, which results in an individual
Manager configuration. Digi does not support sharing a client ID between two different
Windows users or computers.
n Digi recommends that you do NOT install the AnywhereUSB Manager as a stand-alone, re-
install it, and then choose to run the Manager as a service. If this does occur, be aware that the
stand-alone and the service will have separate configurations. The Manager or service will only
use the stand-alone or service configuration, respectively.
n If you install the Manager as a service and then stop the service, the AnywhereUSB Manager
will choose not to run.

Install the AnywhereUSB Manager: Linux


You can install the awusbmanager package on distros that use the RPM or DEB package managers.
- DEB: For Debian derived distributions such as Debian or the Ubuntu-based distros.
- RPM: For RedHat derived distributions such as RHEL or openSUSE release packages.
You can install the Linux awusbmanager package as headless only, or as headless and stand-alone.
Only root has the rights to install the awusbmanager package.

Note If you have previously installed an anywhereusb package on your PC, Digi recommends uninstalling the existing awusbmanager package before installing the desired version.

Prerequisite
Client ID: A client ID is required during the awusbmanager package installation. Before you begin, you should determine the client ID you want to use for this computer. The client ID is associated with the user currently logged on to the computer, and is used by your computer and the Hub to create a connection. See Client ID overview for more information.

Step 1: Download the Linux awusbmanager package

1. Navigate to the AnywhereUSB Plus support page.

Note This link navigates to the AnywhereUSB 2 Plus support page, but you can also navigate to
any of the AnywhereUSB Plus support pages. The Linux AnywhereUSB Manager package is
the same on all support pages.

2. Click the Product Resources tab. This should be selected by default.


3. In the Drivers & Patches section, click AnywhereUSB Manager.
4. From the drop-down list box, select Linux.
5. Click the download link. The Linux AnywhereUSB Manager package is downloaded to your
computer. If necessary, transfer it to your Linux PC.
6. Confirm the integrity of the 40003060_C.tgz tarball.
a. Use this command to display the SHA256 hash.

$ sha256sum ./40003060_C.tgz

b. Download the release notes.


c. In the release notes, scroll to the Change Log section.
d. Compare the hash on your computer to the hash included in the Change Log section.
7. Extract the files from the downloaded package so that you can access the file you want to
install.

$ tar xvzf ./40003060_C.tgz

8. Review the release notes to ensure that you have all of the information you may need.
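
Steps 6 and 7 can be combined so that the tarball is extracted only when its SHA256 matches the value in the release notes. The script below is an added example, not part of the Digi guide: the function names are hypothetical, and the expected hash must be copied from the Change Log section of the release notes.

```shell
#!/bin/bash
# Added example (not from the Digi guide): refuse to extract the downloaded
# tarball unless its SHA256 matches the value published in the release notes.
# All function names here are hypothetical helpers.

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 when the input is unusable.
verify_sha256() {
    local file=$1 expected actual
    # Normalise the pasted hash: lower case, no whitespace.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d '[:space:]')
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    # A SHA256 digest is exactly 64 hex digits; reject truncated pastes.
    case $expected in
        *[!0-9a-f]*) echo "expected hash is not hexadecimal" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected hash is not 64 digits" >&2; return 2; }
    actual=$(sha256sum "$file" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "SHA256 mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# members_unsafe: reads archive member names on stdin. Returns 0 when any
# name is absolute or has a ".." path component, 1 when all names are clean.
members_unsafe() {
    grep -Eq '(^/|(^|/)\.\.(/|$))'
}

# verify_and_extract FILE EXPECTED_HEX DEST_DIR
# Extracts into DEST_DIR only after the hash and the member names check out.
verify_and_extract() {
    local file=$1 expected=$2 dest=$3 listing
    verify_sha256 "$file" "$expected" || return $?
    listing=$(tar tzf "$file") || { echo "cannot list $file" >&2; return 2; }
    if printf '%s\n' "$listing" | members_unsafe; then
        echo "archive has members that escape the target directory" >&2
        return 1
    fi
    mkdir -p "$dest" && tar xzf "$file" -C "$dest"
}

# Usage: ./verify_extract.sh ./40003060_C.tgz <hash-from-release-notes> ./awusb
if [ "$#" -eq 3 ]; then
    verify_and_extract "$1" "$2" "$3"
fi
```

A matching hash shows that the file is the one the release notes describe; it does not authenticate the release notes themselves, so fetch them over HTTPS from the Digi support site.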

Step 2: Choose the Linux AnywhereUSB Manager package


You need to choose the awusbmanager package for your distro from the packages that were extracted
in the previous step.

Stand-alone or headless
For ease of use, Digi recommends that you choose a stand-alone package, which includes both the
stand-alone awusbmanager and the awusbmanager-headless binaries.

Note The headless package is intended for advanced Linux users.

Distro type
- DEB: For Ubuntu, Debian and distros with aptitude/apt/apt-get/dpkg package manager, select a deb package.
  - 64-bit hosts: Choose the amd64 package.
  - 32-bit hosts: Choose the i386 package.
  - 64-bit server systems (without X11 or Wayland packages installed): Choose the headless amd64 package.
- RPM: For RedHat, Rocky, AlmaLinux and distros with dnf/yum/zypper/rpm package manager, select an rpm package.
  - 64-bit hosts: Choose the x86_64 package.
  - 32-bit hosts: Choose the i386 package.
  - 64-bit server systems (without X11 or Wayland packages installed): Choose the headless x86_64 package.

Step 3: Install the Linux AnywhereUSB Manager package

1. Install the selected awusbmanager package.

- DEB: Debian, Ubuntu, Kubuntu and similar distros (aptitude/apt/apt-get/dpkg):

apt install

$ sudo apt install ./SELECTED.DEB

where SELECTED.DEB is the name of the anywhereusb package

Note The dot and slash notation (./) is required to install the file.

dpkg
On some distros you may need to use dpkg:

$ sudo dpkg -i SELECTED.DEB

where SELECTED.DEB is the name of the anywhereusb package

- RPM: RedHat and similar distros (dnf/yum/zypper/rpm):

$ sudo dnf install ./SELECTED.RPM

where SELECTED.RPM is the name of the anywhereusb package

Note The dot and slash notation (./) is required to install the file.

2. Reboot the PC.


This ensures that the user becomes a member of the new awusb group. Being a member of the
awusb group allows that user to successfully use the Manager for configuration and
monitoring.

Note On some distros, log out and log back in is not enough and a reboot is required.

3. Install vhci_hcd if necessary. Some distributions (RHEL/Rocky/AlmaLinux/CentOS) do not provide the vhci_hcd kernel module.
a. Verify that the kernel module is not already available on your system.

$ modinfo vhci-hcd
modinfo: ERROR: Module vhci-hcd not found.

b. If you see this error message, you must manually install the vhci-hcd module.
For RPM distros (RedHat-derived), the vhci-hcd module is available in the kmod-usbip package from the add-on El Repo (https://elrepo.org) repository.

Note The release you pick must match the release version of the OS. For example, elrepo-release-8.el8 for RHEL 8, elrepo-release-9.el9 for RHEL 9, etc.

You can install the El Repo versions with:

$ sudo rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org

$ sudo yum install https://www.elrepo.org/elrepo-release-8.el8.elrepo.noarch.rpm

$ sudo yum --enablerepo=elrepo install kmod-usbip

c. When complete, re-run the modinfo to confirm the presence of the vhci-hcd driver.

$ modinfo vhci-hcd

Note For additional information on this topic, see /usr/share/doc/awusbmanager/README after installation is complete.

4. Run the awusbmanager stand-alone binary.

Note If you chose a headless package, stop at this step and follow the installation process for
the headless package. When that is complete, proceed to Additional information: Get started
with the Manager and configuring the Hub.

$ awusbmanager

Note The Manager is not normally run as root on Linux systems.

5. You are prompted to enter a client ID for this PC.


a. Enter a unique client ID. This client ID is associated with the login credentials for the user
currently logged on to the computer.
b. Click OK.
6. The AnywhereUSB Manager is launched. Look for your Hub in the Manager. If it does not
appear, you can add the Hub's IP address to the list of known Hubs.
a. Click Configure > Known Hubs. The Known Hubs dialog appears.
b. Enter the Hub's IP address.
c. Click OK. The Hub appears in the Hub list in the Known Hubs dialog.
7. Add the client ID for the PC to the AnywhereUSB Hub client ID list.
a. Right-click on the Hub name in the AnywhereUSB Manager and choose the Open Web
UI menu option. The web UI for the Hub launches.
b. Log in to the web UI using the Hub's user name and password.
c. Select System > AnywhereUSB Configuration.
d. In the Client Settings section, click Add Client.
e. In the Client ID field, enter the client ID.


f. A list of the group numbers displays beneath the Group Access field. Click the check box
next to a group to which this client ID is allowed access. As you select groups, the selected
group numbers appear in the Group Access field. As an alternative, you can enter group
numbers in the Group Access field, for example: 1, 5-8, 10-24.
g. Click Apply.
h. Return to the AnywhereUSB Manager. The Manager should connect to the Hub within 60
seconds. You can select File > Refresh to have the Manager immediately try to connect to
the Hub.
8. Verify that you can see a USB device in the AnywhereUSB Manager that is connected to the
Hub.
a. Insert a USB memory stick into port 1 on the Hub. The memory stick appears in the
AnywhereUSB Manager.
b. Double-click on the group the memory stick is in to connect to the group.
c. Look for the inserted notification or find the USB device as /dev/sd*.

AnywhereUSB Manager installation is complete!

Additional information: Get started with the Manager and configuring the Hub
Review additional information about using the Manager with Linux and configuring your Hub.
- Work with the stand-alone or headless Manager: For detailed information about the Manager and important notes, see Script: Initial configuration.
- Use the command line: Refer to the command line section in Script: Initial configuration for information about using the command line.
- Monitor USB devices: Refer to Manage the Hubs using the AnywhereUSB Manager to learn how to monitor devices connected to the Hub.
- Advanced topics and troubleshooting: Refer to the documentation in /usr/share/doc/awusbmanager/ for next steps, advanced topics, troubleshooting information and notes for various distributions.

Start the AnywhereUSB Manager: Linux


After installation is complete, you can run the stand-alone Manager. Within the Manager you can monitor, configure, and control the connected AnywhereUSB Hubs, connected groups and the USB devices in each.
Linux considerations
- Any normal (non-root) user that wants to run the Manager needs to be in the awusb group. For more information see /usr/share/doc/awusbmanager/README.
- Certain Linux distributions provide a limited number of virtual USB devices. See the release notes for more information.
- The root user and every normal (non-root) user each have an individual AnywhereUSB configuration. Headless and stand-alone mode share the same configuration for each user.

Stand-alone
The simplest way to start the AnywhereUSB Manager is to run the stand-alone Manager.
Run this command to launch the stand-alone Manager:

$ awusbmanager

Notes
- You should run the stand-alone Manager as a normal (non-root) user, and not as root.
- The stand-alone client Manager can be used to control and monitor the headless Manager.
- USB devices connected through AnywhereUSB will be available to all users who have appropriate access permissions.
- Only one user can open the AnywhereUSB Manager at a time. The Manager cannot be opened simultaneously by multiple users. In addition, a single user cannot run multiple instances of the Manager.
- When it is monitoring the headless Manager, the stand-alone Manager displays "HEADLESS" in the AnywhereUSB Manager title bar and in the Status pane.
- If you run both the stand-alone and the headless Managers, the first Manager started determines if it is running in headless or stand-alone mode.
- All other Managers must be stopped before you start the headless Manager.
- When the user logs in and runs the stand-alone Manager, the Manager automatically connects to groups that have Enable Auto Connect enabled. The USB devices in those groups are connected to the PC. If auto-connect is not enabled for the group, you can manually connect to a group.
- When the Manager is iconized, the USB devices will still be available to users on the PC.
- When the Manager is stopped with File > Exit, or the user logs off, the USB devices will no longer be available to the PC.

Headless

Note The headless package is intended for advanced Linux users.

The standard awusbmanager package and the headless package provide a headless version of the
AnywhereUSB Manager. The awusbmanager-headless does not provide a window for AnywhereUSB
management, and is appropriate for server VMs without a display.
Run this command to launch the headless manager:

$ awusbmanager-headless

Notes
- You cannot run the awusbmanager binary as a GUI client manager.
- All other Managers must be stopped before you start the headless Manager.
- The awusbmanager-headless binary can be controlled via the cmdline using either the awusbmanager or awusbmanager-headless binary. It can also be controlled by running a client awusbmanager if the system has a graphical display.
- Only root or the same user can run the awusbmanager binary to configure the service.
- Once running, USB devices connected through the Hub are available to all users who have appropriate access permissions.
- USB devices are available to users on the PC, even if the user that started the headless Manager logs off. The headless agent runs until the PC is shut down.
- To start the awusbmanager-headless at boot, you will need to create and add a systemd startup script.
- To ensure that all USB devices are connected to your computer at boot time, you must select Enable Auto Connect for each group assigned to the client ID for the computer. The USB devices in the groups connected to the computer are available to the users, and the users can see and access the devices for which they have permission.
- USB devices connected through AnywhereUSB will be available to all users who have appropriate access permissions.
- Only the user that initially started the Manager or the root user is allowed to monitor and control the running Manager.

Command line
AnywhereUSB provides a cmdline to control and monitor the Hub. The stand-alone Manager or the
headless Manager needs to be running to use the cmdline.
Either Manager binary can be used to send commands to the running Manager. For example:

$ awusbmanager LIST

$ awusbmanager-headless LIST

Notes
- Only the user who started the Manager, or root, can send cmdline commands to that running Manager.

Script: Initial configuration


The cmdline also enables scripting of AnywhereUSB for configuration and monitoring after the
installation is complete.
Example: Configuration

#!/bin/bash -e
# Example script to configure Digi awusbmanager-headless
# Configure headless awusbmanager (once after install)
awusbmanager-headless KNOWN HUB ADD,AW24-010000
awusbmanager-headless AUTOCONNECT GROUP,AW24-010000.1
awusbmanager-headless AUTOCONNECT GROUP,AW24-010000.2
awusbmanager-headless AUTOCONNECT GROUP,AW24-010000.3
awusbmanager-headless AUTOFIND,OFF
awusbmanager-headless SET KEEPALIVES,3,120

Example: Monitoring

#!/bin/bash -e
# Check status of AnywhereUSB Manager devices
awusbmanager-headless LIST FULL
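
The monitoring output can be checked automatically instead of read by eye. The script below is an added example, not part of the Digi guide: it parses text in the LIST format shown in this guide's example output and reports devices whose names are not on an allowlist. The function names, the allowlist file, and the assumption that group lines read "Group N" are hypothetical, and the sample input is constructed.

```shell
#!/bin/bash
# Added example (not from the Digi guide): turn the text printed by
# "awusbmanager-headless LIST" into tab-separated rows and flag USB devices
# that are not on a local allowlist. Function names are hypothetical.

# Constructed sample in the format of this guide's example output; the
# indentation, the second device and its ID are made up for illustration.
sample_list_output() {
    cat <<'EOF'
AnywhereUSB Manager, below are the available devices:

AW8W-000001 (192.168.0.1:18574)
* Group 1 (AW8W-000001.1) (In-use by you)
    USB DISK 3.0 (AW8W-000001.1601) (In-use by you)
  Group 2 (AW8W-000001.2)
    Generic Keyboard (AW8W-000001.1602)
  Group 3 (AW8W-000001.3)
EOF
}

# parse_list: reads LIST text on stdin and prints one row per group or device:
#   kind <TAB> hub <TAB> group-id <TAB> name <TAB> id <TAB> status
# Assumptions: a hub line ends in "(ADDRESS:PORT)", an ID ends in ".<digits>",
# and group names have the form "Group N" as in the guide's sample output.
parse_list() {
    awk '
    function last_paren(s) {      # text inside the trailing "(...)", or ""
        if (match(s, /\([^()]*\)$/)) return substr(s, RSTART + 1, RLENGTH - 2)
        return ""
    }
    function strip_last(s) {      # s without its trailing " (...)"
        if (match(s, / *\([^()]*\)$/)) return substr(s, 1, RSTART - 1)
        return s
    }
    {
        sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "")
        sub(/^\* /, "")           # drop the leading marker; its meaning is not used here
        last = last_paren($0)
        if (last == "") next      # banner and blank lines
        if (last ~ /^[^ ]+:[0-9]+$/) { hub = strip_last($0); group = ""; next }
        rest = $0; status = ""
        if (last !~ /^[^ ]+\.[0-9]+$/) {
            # Trailing parenthesis is a status such as "In-use by you".
            status = last; rest = strip_last($0); last = last_paren(rest)
            if (last == "") next
        }
        name = strip_last(rest)
        kind = "device"
        if (name ~ /^Group [0-9]+$/) { kind = "group"; group = last }
        printf "%s\t%s\t%s\t%s\t%s\t%s\n", kind, hub, group, name, last, status
    }'
}

# unexpected_devices ALLOWLIST_FILE: reads parse_list rows on stdin and prints
# the device rows whose name is not listed (one name per line) in the file.
unexpected_devices() {
    awk -F '\t' -v allow="$1" '
    BEGIN { while ((getline line < allow) > 0) ok[line] = 1 }
    $1 == "device" && !($4 in ok)
    '
}

# Demo on the constructed sample. On a real host, pipe the output of
# "awusbmanager-headless LIST" into parse_list instead.
sample_list_output | parse_list
```
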

Advanced: Complete the Manager installation using the headless package


Generally, you should choose a stand-alone package, which includes both the stand-alone
awusbmanager and the awusbmanager-headless binaries. For ease of use, Digi recommends choosing
the stand-alone package.


The headless package is intended for advanced Linux users.

1. Run the awusbmanager headless binary.

$ awusbmanager-headless

Note The Manager is not normally run as root on Linux systems.

2. Provide a client ID for this PC.

$ awusbmanager-headless set clientid,CLIENTIDNAME

where CLIENTIDNAME is the client ID you have chosen for this PC.
3. Get the IP address of the Hub. This is needed to complete the connection between the
Manager and the Hub.

$ awusbmanager-headless list

Note This command can be used if you are on the same local subnet as the Hub. If you are not,
another method should be used.

4. Add the client ID for the PC to the AnywhereUSB Hub client ID list.
a. In a web browser, enter the Hub's IP address in the URL field and press Enter. The log in
screen for the Hub displays.
b. Log in to the web UI using the Hub's user name and password.
c. Select System > AnywhereUSB Configuration.
d. In the Client Settings section, click Add Client, then enter the client ID and the desired
group access.
e. Click Apply.
5. Verify that the Hub is connected to the Manager. When the connection is complete, the groups
you selected for the client ID display.

$ awusbmanager-headless list

Example output

$ awusbmanager LIST
AnywhereUSB Manager, below are the available devices:

AW8W-000001 (192.168.0.1:18574)
Group 1 (AW8W-000001.1) (In-use by you)
Group 2 (AW08-000001.2)
Group 3 (AW08-000001.3)
Group 4 (AW08-000001.4)
Group 5 (AW08-000001.5)
Group 6 (AW08-000001.6)
Group 7 (AW08-000001.7)
Group 8 (AW8W-002007.8)
Group 8 (AW08-000001.8)

6. Connect a device to the Hub and verify that you can see the device in the Manager.


a. Insert a USB memory stick into port 1.


b. Run the list command so you can see the memory stick in the group.

$ awusbmanager-headless list

c. Look for the inserted notification or find the USB device as /dev/sd*.
Example output

$ awusbmanager LIST
AnywhereUSB Manager, below are the available devices:

AW8W-000001 (192.168.0.1:18574)
* Group 1 (AW8W-000001.1) (In-use by you)
USB DISK 3.0 (AW08-000001.1601) (In-use by you)
Group 2 (AW08-000001.2)
Group 3 (AW08-000001.3)
Group 4 (AW08-000001.4)
Group 5 (AW08-000001.5)
Group 6 (AW08-000001.6)
Group 7 (AW08-000001.7)
Group 8 (AW8W-002007.8)
Group 8 (AW08-000001.8)

7. Enable auto-connect for the group(s) to which you want to automatically connect each time
you start the headless agent.

$ awusbmanager-headless AUTOCONNECT GROUP,AW08-000001.1

8. Refer to Manage the Hubs using the AnywhereUSB Manager to learn how to monitor devices connected to the Hub.
Refer to the documentation in /usr/share/doc/awusbmanager/ for next steps, advanced topics, troubleshooting information and notes for various distributions.

Step 2: Enable the AnywhereUSB Service


You must enable the AnywhereUSB service and specify a port to be able to connect to the AnywhereUSB ports on your Connect EZ 16/32 from the AnywhereUSB Manager.
For detailed information about all of the optional fields, see Configure AnywhereUSB services.

Note You can also enable the AnywhereUSB service and specify the port on the AnywhereUSB
Configuration page. To display this page, click System > Configuration > AnywhereUSB
Configuration. See AnywhereUSB Configuration page.

1. Open the web UI.


2. Click System > Configuration > Device Configuration. The Configuration window displays.
3. Click Services > AnywhereUSB.
4. Click Enable to enable the service.
5. In the Port field, enter the port number that is used to access the Hub. The default value is 18574. If you change the port number you must also change the corresponding port number on your computer.
6. Click Apply to save the configuration and apply the change.

NEXT STEP: Proceed to the next step: Step 3: Name groups and assign ports to a group.

Step 3: Name groups and assign ports to a group


Each USB port on the Connect EZ 16/32 is assigned to a group in the AnywhereUSB Manager. By
default, all ports are assigned to Group 1. You can update the default name for each group, and then
configure the USB ports into the desired groups.
The number of groups available matches the number of USB ports on the Connect EZ 16/32. Each port
can only be assigned to one group. If you do not want a port assigned to any group, you can assign
that port to the Unassigned row that displays beneath the list of groups.
If a group has ports assigned to it, the group will display in the AnywhereUSB Manager, even if a USB
device is not connected to a port.
To create a group and assign USB ports to the group:

1. Open the web UI.


2. Select System > Configuration > AnywhereUSB Configuration. The AnywhereUSB
Configuration page appears.
3. Expand the Group Settings section.
4. In the Group Description field, update the name of a group. This name displays in the Group
Name field in the Group Status pane in the Anywhere USB Manager.
5. In the row for the group, select the ports for that group. Each port on a Hub can be assigned to
only one group. Ports that are not assigned to a group can be put in the Unassigned group.
6. Repeat steps 4 and 5 for each group that you want to name and to which you want to add ports.
7. Click Apply to save the changes.

NEXT STEP: Proceed to the next step: Step 4: Assign groups to a client ID.

Step 4: Assign groups to a client ID


You can assign the groups to a client ID that was specified when you installed the
AnywhereUSB Manager. When the client ID connects to the AnywhereUSB Manager, the computer
can access all of the ports in the specified groups.

Note Make sure that you have at least one client ID created for the AnywhereUSB Manager and
device combination. You can manually add client IDs, if needed. See Add client IDs to the client list.

1. Open the web UI.


2. Select System > Configuration > AnywhereUSB Configuration. The AnywhereUSB
Configuration page appears.
3. Expand the Client Settings section.
4. In the Select a client to configure list, select the client ID to which you want to assign groups.
Information about the selected client ID displays in the Settings for Client section.


5. A list of the group numbers displays beneath the Group Access field. Click the check box next
to a group to which this client ID is allowed access. As you select groups, the selected group
numbers appear in the Group Access field.
You can also manually enter group numbers in the Group Access field.

6. Click Apply to save the changes.

NEXT STEP: Proceed to the next step: Step 5: Connect to a group of USB ports.

Step 5: Connect to a group of USB ports


To be able to use the USB ports on the Connect EZ 16/32, you must launch the
AnywhereUSB Manager and connect to the group to which the USB port is assigned.

Note You can connect to only the groups that have been assigned to your client ID and that are not
currently connected to a different client ID.

Once you have connected to a group, no one else can connect to that group. You cannot connect to a group that is already in use.
For detailed information about connecting to a group and USB ports, see Connect to a group or USB
device in the AnywhereUSB Manager.
When you have connected to a group, a note appears next to the group name, next to the devices in
the group, and in the Group Status pane to show that the device is being used by you.

1. Open the Anywhere USB Manager.


2. Expand AnywhereUSB Plus Hubs to display the Hubs.
3. Expand a Hub to display the groups in the Hub.
4. Right-click on the group to which you want to connect.
5. Select Connect to Group. A note appears next to the group name, next to the devices in the
group, and in the Group Status pane to show that the device is being used by you.

NEXT STEP: Proceed to the next step: Step 6: Connect to a USB device in a group.

Step 6: Connect to a USB device in a group


You can connect to a device connected to a USB port in a group to which you are currently connected.
You cannot connect to a device in a group that is already in use by another user.
When you have connected to a device, a note appears next to the device name and in the Device
Status pane to show that the device is being used by you. The port on the Hub to which the USB
device is connected is also listed.


1. Open the Anywhere USB Manager.


2. Expand AnywhereUSB Hubs to display the Hubs.
3. Expand a Hub to display the groups in the Hub.
4. Expand a group to display the devices in the group.
5. Right-click on the device to which you want to connect. A menu displays.
6. The menu option depends on whether you are already connected to the group.
   - Connected to the group: Right-click on the USB device name and click Connect to Device to connect to the USB device.
   - Not connected to the group: Right-click on the USB device name and click Connect to Group to connect to the group and the USB device.
   A note appears next to the device name and in the Device Status pane to show that the device is being used by you.

NEXT STEP: You have now completed all the steps. You can return to AnywhereUSB 2 Plus USB ports
on a Connect EZ 16/32.



Manage the Hubs using the AnywhereUSB Manager
You can use the AnywhereUSB Manager to view the AnywhereUSB Plus Hubs that are allowed to
connect to your computer. You can also connect to groups of USB ports on the Hubs.
By default, the AnywhereUSB Manager is configured to automatically discover Hubs that are
connected to the same network as your computer. You can also allow a connection to additional Hubs
that are not on the same network.

Note Before you begin, make sure you have installed the AnywhereUSB Manager.


Launch the AnywhereUSB Manager


You can search for and launch the Anywhere USB Manager using the Windows application search
feature or from the Start menu. If the Anywhere USB Manager was configured during the installation
process to automatically launch when you logged in, you do not need to do this step.

Note If the AnywhereUSB Manager was installed in service mode, only an Administrator can launch
the AnywhereUSB Manager.

To manually start the Anywhere USB Manager:

1. Log in to your computer.


2. Double-click the Anywhere USB Manager shortcut on your desktop.

AnywhereUSB Manager overview: Status panes, menus, and icons


The AnywhereUSB Manager displays AnywhereUSB Hubs, groups, and USB devices. Click the plus
sign next to each name in the window to display a hierarchy of found Hubs, groups, and USB devices.
AnywhereUSB Manager application dialog
Information about the title bar, the icons on the screen, and the menu options can be found here:
- AnywhereUSB Manager title bar
- AnywhereUSB Manager icons and toolbar
- AnywhereUSB Manager menu options

Hub, group, and USB device menus
You can use the menus associated with the Hubs, groups, and USB devices to configure local names, preferences, and connections. Right-click on a Hub, group, or device name to display the menus.
- AnywhereUSB Manager Hub menu options
- AnywhereUSB Manager Group menu options
- AnywhereUSB Manager USB device menu options

Status panes
Click on a Hub, group, or device name to display information about the selected Hub, group, or device in the status pane on the right side of the AnywhereUSB Manager.
- AnywhereUSB Manager Status pane
- AnywhereUSB Manager Hub Status pane
- AnywhereUSB Manager Group Status pane
- AnywhereUSB Manager USB Device Status pane


AnywhereUSB Manager title bar


The AnywhereUSB Manager title bar displays the mode in which the Manager is installed (stand-alone or service) and the client ID for the user currently logged into the computer.

| Label | Description |
|---|---|
| Application name | AnywhereUSB Manager displays in the title bar. |
| Client ID | The client ID assigned to the user credentials used to log into the computer. For information about the client ID, see Client ID overview. |
| Mode | The mode that was selected during installation is indicated in the title bar. You can install the Manager in either stand-alone or service mode. Stand-alone mode: When installed in stand-alone mode, the AnywhereUSB Manager dialog title is "AnywhereUSB Manager - <ClientID>", where <ClientID> is the client ID assigned to the user credentials used to log into the computer. Service mode: When installed in service mode, the AnywhereUSB Manager dialog title is "AnywhereUSB Manager - <ClientID> - SERVICE MODE", where <ClientID> is the client ID assigned to the user credentials used to log into the computer. |

AnywhereUSB Manager icons and toolbar


This section explains how to use the icons in the AnywhereUSB Manager and what they represent.
The icons in the AnywhereUSB Manager show the status of a Hub or a USB device.

| Icon | Location | Description |
|---|---|---|
| Green lock | Hub | Active and secure connection between the Hub and the PC. |
| Yellow dot | Hub | The PC and Hub are attempting to connect. |
| Red X | Hub | Connection between the Hub and the PC failed. |
| Question mark | USB device | Signifies unknown device class. |

The toolbar icons manage the AnywhereUSB Manager dialog.

- Minimizes the AnywhereUSB Manager into the task bar and the notification area of the task bar.
- Maximizes the AnywhereUSB Manager.
- Minimizes the AnywhereUSB Manager into the notification area of the task bar.

AnywhereUSB Manager menu options


You can use the menu options to view AnywhereUSB Hub information.
- File > Refresh: Select File > Refresh to refresh the Hub information.
- File > Preferences
- File > Exit
- Configure > Known Hubs
- Configure > Hidden Hubs
- Configure > Manage Hub Credentials
- Configure > Device to Port Assignment
- Help > System Messages
- Help > Latency graph
- Help > Always on Top
- Help > Create Support File
- Help > Online Manual
- Help > About

AnywhereUSB Manager Hub menu options


Right-click on a Hub name in the AnywhereUSB Manager to configure and maintain the Hub.

- Open Web UI
- Assign Local Name
- Add to Known Hubs
- Hide Hub

AnywhereUSB Manager Group menu options


Right-click on a group name in the AnywhereUSB Manager to configure and maintain the group.
- Connect to Group
- Disconnect from Group
- Enable Auto Connect
- Disable Auto Connect
- Assign Local Name

AnywhereUSB Manager USB device menu options


Right-click on a USB device name in the AnywhereUSB Manager to configure and connect to the USB
device.
- Connect to Device
- Connect to Group
- Disconnect from Device
- Power Cycle Device
- Assign Local Name

AnywhereUSB Manager Status pane


When you select the top node in the AnywhereUSB Manager, information about the Manager displays in the Manager Status pane. The information displayed depends on whether the Manager was installed in service mode or stand-alone mode for Windows OS, or as stand-alone or headless for Linux.

| Label | Description |
|---|---|
| Mode | The AnywhereUSB Manager mode that was selected during installation. Windows: You can install the Manager in either stand-alone or service mode. Linux: You can pick a package and install the Manager as either headless or stand-alone. Stand-alone mode: When installed in stand-alone mode, AnywhereUSB displays in the Status pane. Service mode: When installed in service mode, AnywhereUSB SERVICE MODE displays in the Status pane. Headless mode: When installed in service mode, AnywhereUSB Headless displays in the Status pane. |
| Manager Version | The version number of the currently installed version of the AnywhereUSB Manager. |
| Service Version | The version number of the currently running AnywhereUSB service. Note: This displays only when the Manager is installed in service mode. |
| Client ID | The client ID assigned to the user credentials used to log into the computer. For information about the client ID, see Client ID overview. |
| Connection Summary | A summary of the connection status for each of the Hubs listed in the AnywhereUSB Manager. For information about the connection status messages, see AnywhereUSB Manager connection status messages. |

AnywhereUSB Manager Hub Status pane


When you select an AnywhereUSB Hub in the AnywhereUSB Manager, information about the Hub
displays in the Hub Status pane.

| Label | Description |
|---|---|
| State | The current state of the Hub. For a list of status messages, see AnywhereUSB Manager connection status messages. |
| Name | The name of the Hub supplied by the Hub. The default value for the Hub name is the serial number assigned to the Hub. You can change the Hub name in the Ethernet Network section of the web UI. See Rename the AnywhereUSB Hub. |
| Local Name | A descriptive local name for the Hub. The local name also displays in the tree view in the left-hand pane in the AnywhereUSB Manager. The local name is local to the computer on which the AnywhereUSB Manager is running. You can change the local name using the Assign Local Name menu option for the Hub. |
| Model | The model name for the AnywhereUSB Hub. |
| Version | The version number of the firmware running on the Hub. |
| Address | The network address of the Hub. |
| Serial | The serial number of the Hub, which is found on the Hub label. |

AnywhereUSB Manager Group Status pane


When you select a group in the AnywhereUSB Manager, information about the group displays in the
Group Status pane.

| Label | Description |
|---|---|
| Group No | The group number from the Hub. |
| Group Name | The name of the group supplied by the Hub. By default, a group is named "Group" appended by a consecutive number, such as Group 1, Group 2, and so on. You can change the group name in the AnywhereUSB screen in the web UI. See Step 3: Name groups and assign ports to a group. |
| Local Name | A descriptive local name for the group. The local name also displays in the tree view in the left-hand pane in the AnywhereUSB Manager. The local name is local to the computer on which the AnywhereUSB Manager is running. You can change the local name using the Assign Local Name menu option for the group. |
| Status | A status message indicates whether a user is currently connected to this group. Options are: "You are using this group"; "No one is using this group"; "In use by <client ID> at <machine name>"; "Temporarily Blocked" (this message displays when the client ID has been blocked from a group and cannot connect to it; see Block a client ID from connecting to groups). |

AnywhereUSB Manager USB Device Status pane


When you select a USB device in a group in the AnywhereUSB Manager, information about the
device displays in the Device Status pane.

| Label | Description |
|---|---|
| Vendor | Name of the USB device vendor, if supplied by the device. |
| Product | Name of the USB product, if supplied by the device. |
| Local Name | A descriptive local name for the USB device. The local name also displays in the tree view in the left-hand pane in the AnywhereUSB Manager. The local name is local to the computer on which the AnywhereUSB Manager is running. You can change the local name using the Assign a Local Name menu option for the device. See Assign a local name to a USB device. |
| Vendor ID | The USB vendor ID. |
| Product ID | The USB product ID. |
| Address | The USB device address that helps to identify a device. |
| Serial | The serial number of the USB device, if supplied by the device. |
| Port on Hub | The number of the port on the Hub to which the USB device is connected. |
| Assigned Port | The Windows address assigned to the virtual port. See Assign Device Address (use the same virtual port number). |
| Status | A status message indicates whether a user is currently using this device. Options are: "You are using this device"; "No one is using this device"; "In use by <client ID> at <machine name>". A question mark icon displays if the device class is unknown. |

AnywhereUSB Manager connection status messages


The connection status messages describe the current status of the Hub connection.

| Message | Description |
|---|---|
| Active (secure) | The number of Hubs that are currently connected to the AnywhereUSB Manager. |
| Attempting to connect | The AnywhereUSB Manager is trying to connect to the Hub but a connection has not yet been made. For troubleshooting information, see Hub connection is taking too long. |
| Duplicate Connection | The Hub has been found twice and appears twice in the AnywhereUSB Manager. See Duplicate Connection. |
| Invalid Client Certificate | A mismatch has occurred between the certificate associated with the client ID and the certificate for the client ID on the Hub. See Multiple user accounts with the same client ID. |
| Invalid Hub Certificate | The Hub certificate has become invalid. See Step 1: Remove the Hub certificate. |
| Unregistered Client ID | The client ID is not registered with the Hub, and a connection between the Hub and the PC cannot be established. See Problem: Client ID has not been added to the Hub. |
| Unable to Connect | The number of Hubs that are unable to connect to the AnywhereUSB Manager. See Problem: TCP port is not configured correctly. |

Duplicate Connection
The "Duplicate Connection" message displays if a Hub is found twice and appears twice in the
AnywhereUSB Manager.
This occurs if you have added a Hub to the known Hub list that is on the same network as your computer,
and you have the Autofind Hubs feature enabled. The AnywhereUSB Manager attempts both
connections, and the first one to connect will connect as expected. The second connection is
discovered as a duplicate, and the Manager closes that connection and a red X displays.
In this situation, the Hub added to the known Hubs list is considered a duplicate Hub, and should be
removed from the known Hubs list.

Invalid Client Certificate


In some situations, a mismatch occurs between the certificate associated with the client ID and the
certificate for the client ID on the Hub. When this happens, the message "Invalid client cert" displays
as the State in the AnywhereUSB Manager.
The client ID is a unique identifier assigned to a user account the first time a user logs in to a
computer and opens the AnywhereUSB Manager. The client ID is associated with the login
credentials for the user currently logged on to the computer.
During the initial login process, the AnywhereUSB Manager creates a secure identity certificate that is
associated with the client ID. This certificate is used to validate your user account with the Hub. The
certificate associated with the user account client ID must match the certificate for this client ID on
the Hub to allow a connection.

Note For more information about the client ID, see Client ID overview.

The list below describes situations during which this may occur, and includes a resolution.

Multiple user accounts with the same client ID


In some cases, multiple computers may inadvertently use the same client ID. When this occurs and
computers with the same client ID attempt to connect with the same Hub, the first computer to
associate itself with the Hub will be able to connect to the Hub. Subsequent computers will not be
able to connect to that Hub.
Resolution
If you discover that multiple computers are assigned the same client ID, see AnywhereUSB Manager
client ID is not unique for help solving this issue.

AnywhereUSB Manager was uninstalled and then reinstalled


The AnywhereUSB Manager was completely removed from the PC, and then reinstalled. In this
situation the Manager creates a new certificate for the client ID during the reinstall process.
Resolution
You can fix the client ID and Hub certificates mismatch with this process:


1. Remove the client ID from the Hub. See Remove a Hub certificate.
2. Add the client ID to the Hub. See Add a Hub certificate.

AnywhereUSB Manager created a new certificate


The AnywhereUSB Manager created a new certificate for some other reason, such as a factory reset
of the Manager.
Resolution
You can fix the client ID and Hub certificates mismatch with this process:

1. Remove the client ID from the Hub. See Remove a Hub certificate.
2. Add the client ID to the Hub. See Add a Hub certificate.

Invalid Hub Certificate


The status message "Invalid Hub Certificate" displays when the Hub certificate has become invalid.
If this occurs, you should remove the Hub from the Manage Hub Credentials list and then add the Hub
certificate to the AnywhereUSB Manager.
Prerequisite
The Hub must be on a secure network before you manually add the Hub to the Manage Hub
Credentials list, or if you remove the certificate and a new one is automatically assigned over the
network.

Step 1: Remove the Hub certificate


Remove the Hub from the Manage Hub Credentials list. See Remove a Hub certificate.

Step 2: Add the Hub certificate to the Manager


After the Hub has been removed from the Manage Hub Credentials list, the AnywhereUSB Manager
forgets the Hub certificate and gets a new one on the next connection attempt.
- If the Auto-register Hub Cert option is selected in the Preferences dialog, the Hub gets a new
  certificate on the next connection attempt.
- If the Auto-register Hub Cert option in the Preferences dialog is not selected, you can
  manually add the Hub to the Manage Hub Credentials list. After it is added, the AnywhereUSB
  Manager gets a new certificate for the Hub on the next connection attempt.

Unable to connect
The "Unable to connect" status message displays in the Hub Status pane when the Hub is included in
the known Hubs list but the Hub is offline or the network is unreachable. For example, a firewall issue
or other network issue could be blocking access from the Manager to the Hub.


Problem: TCP port is not configured correctly


The Hub cannot be reached via the TCP port (18574 by default) that is used by the AnywhereUSB
Manager and is listened to by the Hub. Both the Hub and the Manager must be configured with the
same TCP port in order for the Hub to connect to the client.
Resolution
Verify that the TCP port settings match for the Hub and the client.
- Hub: See AnywhereUSB Configuration page.
- Client: Verify the TCP port on your computer.

Problem: Hub is offline


The Hub could be powered off.
Resolution
Verify that it is connected to a power source and turned on.

Problem: Invalid Hub certificate


In some situations, the Hub certificate may become invalid. The Hub and the AnywhereUSB Manager
must have matching certificates to be able to communicate. If the certificates do not match, the Hub
and the AnywhereUSB Manager cannot communicate and a red X displays next to the Hub name in
the Manager.
Resolution
For more information, see Manage Hub credentials and Step 1: Remove the Hub certificate.

Problem: Hub has a different IP address


The device is no longer connected or has been moved to another network segment. The
AnywhereUSB Manager does not discover Hubs that are not on the same network segment as the
client.
Resolution
Add the Hub to the list of known Hubs. This ensures that the AnywhereUSB Manager can connect to
the Hub, even if it is on a different network. See Manage the list of known Hubs.

Note If you add a Hub to the list of known Hubs and you have the Hub autofind feature enabled, this
may result in a duplicate connection for the same Hub. See Duplicate Hub.

Problem: Network issue blocking access


You should verify whether a network issue is blocking access to the Hub.
Attempt to ping the Hub:
- If you have a firewall that blocks TCP ports but allows ping, you will see successful pings but
  still not be able to connect. Contact your system administrator to verify that your firewall is
  not blocking TCP ports.
- If you can ping the Hub and are able to connect, a network issue does not exist and a different
  issue has occurred.
- If you cannot ping the Hub, check the configuration of the PC, and the Hub network settings,
  including firewalls and the network between them.

Problem: Duplicate Hub


If you have added a Hub to the known Hub list that is on the same network as your computer, and you
have the Autofind Hubs feature enabled, the Hub is found twice. The AnywhereUSB Manager
attempts both connections, and the first one to connect will connect as expected. The second
connection is discovered as a duplicate, and the Manager closes that connection and a red X displays.
For more information, see Duplicate Connection.
Resolution
The Hub added to the known Hubs list is considered a duplicate Hub, and should be removed from
the known Hubs list.

Problem: Old version of AnywhereUSB Manager


In some cases, a Hub cannot connect to an older version of the AnywhereUSB Manager.
Resolution
Update to the most recent version of the AnywhereUSB Manager. See Step 1: Install the
AnywhereUSB Manager.

Problem: Incompatible Hub


In some cases, the Hub firmware is old and must be updated to ensure that it can connect to the
AnywhereUSB Manager.
Resolution
Update to the most recent version of the Hub firmware. See Update system firmware.

Unregistered Client ID
The message "Invalid Client ID" displays when the client ID is not registered with the Hub, and a
connection between the Hub and the PC cannot be established.
The client ID is a unique identifier assigned to a user account the first time a user logs in to a
computer and opens the AnywhereUSB Manager. The client ID is associated with the login
credentials for the user currently logged on to the computer.

Note For more information about the client ID, see Client ID overview.

Problem: Client ID has not been added to the Hub


The client ID has not been added to the list of client IDs for the Hub.
Resolution
Add the client ID, which creates a certificate for the client ID.
- You can add a client ID to the Hub during the AnywhereUSB Manager installation process. See
  Client ID overview.
- You can manually add a client ID to the client list for the Hub. See Manually add a client ID.


Problem: Initial connection


A red X displays next to a Hub name during the initial connection of the hardware to your PC. This is
expected, and is a security feature.
For an example, see Verify initial connection.
Resolution
The Hub administrator needs to allow each new client ID to connect to the Hub by adding the client
ID to the client list. See Manually add a client ID.

Set Hub preferences


In the AnywhereUSB Manager, you can set preferences for keepalive time messages and responses
and how often the AnywhereUSB Manager searches for a Hub and the Hub response time.
Click File > Preferences to display the Preferences dialog.

Setup tab
- Client ID
- Start Manager minimized
- Autofind Hubs
- Include IPv6 Addrs in Autofind
- Use All Hub IPv4 Addresses
- Hide unauthorized Hubs
- Auto-register Hub Cert
- Restore default settings
- Minimum TLS Version

Advanced tab
- Specify search, response, and keepalive intervals for a Hub

Note The Power cycle off time option is not used. Any value in the field is ignored. The power cycle
off time configured for the Hub is 1 second.

Performance tab
- Manage USB isochronous transfers for audio and video streams

Configure the Auto-register Hub Cert feature


The Auto-register Hub Cert option determines what happens when the AnywhereUSB Manager
doesn't have a certificate for a Hub, and the Hub attempts to connect to the Manager. The
Auto-register Hub Cert option configuration determines whether the Manager collects and stores the
Hub's certificate.
The table below explains the configuration options.

| Does the Manager have a certificate for the Hub? | Does the Manager have the correct Hub certificate? | Auto-register Hub Cert | Outcome |
|---|---|---|---|
| No | N/A | Enabled | The Manager collects the Hub certificate and connects. The Manager requires that same certificate from the Hub on future connections. |
| No | N/A | Disabled | The Manager does not collect the Hub's certificate and rejects the connection. |
| Yes | Yes | Not considered | The Hub connects to the Manager. |
| Yes | No | Not considered | The connection between the Hub and Manager fails and the Invalid Hub Certificate message displays in the Manager. |

To enable or disable the Auto-register Hub Cert option:

1. Open AnywhereUSB Manager.
2. Choose File > Preferences. The Preferences dialog appears.
3. Click the Setup tab.
4. Determine the Auto-register Hub Cert configuration.
   - Enable: The Manager collects the Hub certificate and connects. The Manager requires
     that same certificate from the Hub on future connections.
   - Disable: The Manager does not collect the Hub's certificate and rejects the connection.
5. Click Save.
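
The decision table above amounts to trust-on-first-use pinning of the Hub certificate. The following Python sketch is an added example, not Digi code: the `HubCredentialStore` class, the SHA-256 fingerprint used as the stored credential, and the sample certificate bytes are assumptions made for illustration. It models the four table outcomes and the remove-then-re-register recovery described under Invalid Hub Certificate.

```python
"""Illustrative model of the Auto-register Hub Cert decision table.

Not Digi's implementation: the class, method names, and the use of a
SHA-256 fingerprint as the stored credential are assumptions.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


def fingerprint(cert_bytes: bytes) -> str:
    """Return the SHA-256 fingerprint of a certificate's encoded bytes."""
    return hashlib.sha256(cert_bytes).hexdigest()


@dataclass
class HubCredentialStore:
    """Hypothetical stand-in for the Manage Hub Credentials list."""
    auto_register: bool = True
    pins: dict = field(default_factory=dict)  # Hub serial -> fingerprint

    def check(self, hub_serial: str, presented_cert: bytes) -> str:
        """Apply the decision table to one connection attempt."""
        presented = fingerprint(presented_cert)
        pinned = self.pins.get(hub_serial)
        if pinned is None:
            # No certificate stored: the option decides the outcome.
            if not self.auto_register:
                return "rejected"
            # Trust on first use: whatever is presented now becomes the pin.
            self.pins[hub_serial] = presented
            return "registered and connected"
        # A certificate is stored: the option is not considered.
        if hmac.compare_digest(pinned, presented):
            return "connected"
        return "Invalid Hub Certificate"

    def remove(self, hub_serial: str) -> None:
        """Model of removing the Hub from the Manage Hub Credentials list."""
        self.pins.pop(hub_serial, None)


# Constructed sample data: placeholder byte strings, not real certificates.
CERT_ORIGINAL = b"constructed-hub-certificate-original"
CERT_REPLACED = b"constructed-hub-certificate-after-reset"
HUB = "HUB-SERIAL-PLACEHOLDER"


def walk_through() -> list:
    """Run each row of the table, then the Invalid Hub Certificate recovery."""
    results = []
    store = HubCredentialStore(auto_register=False)
    results.append(store.check(HUB, CERT_ORIGINAL))  # no cert, option disabled
    store.auto_register = True
    results.append(store.check(HUB, CERT_ORIGINAL))  # no cert, option enabled
    store.auto_register = False
    results.append(store.check(HUB, CERT_ORIGINAL))  # stored cert matches
    results.append(store.check(HUB, CERT_REPLACED))  # stored cert differs
    # Recovery: forget the old pin, then register the new certificate.
    store.remove(HUB)
    store.auto_register = True
    results.append(store.check(HUB, CERT_REPLACED))
    return results


if __name__ == "__main__":
    for outcome in walk_through():
        print(outcome)
```

Because the first certificate presented after a removal is the one that gets stored, the re-registration step is where the secure-network prerequisite under Invalid Hub Certificate applies.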

Autofind Hubs and Include IPv6 Addrs in Autofind options


The Autofind Hubs feature in the AnywhereUSB Manager enables the Manager to automatically
create a list of Hubs found on the same network segment.
- When the Autofind Hubs option is enabled, the Manager repeatedly reaches out to your
  network and looks for Hubs, based on the interval specified in the Preferences dialog. Each
  Hub has its own certificate that the Manager uses to authenticate the Hub. When a Hub found
  on your network has a certificate that matches a certificate in the Manager, the Manager
  attempts to connect to the Hub. In addition to matching certificates, the Hub also needs a
  configured client ID.
- When the Autofind Hubs option is disabled, only the Hubs included in the Manager's Known
  Hubs list are allowed to connect. The Hub configuration controls the connections from
  Managers.

Include IPv6 Addrs in Autofind option


The Autofind Hubs feature works with the Include IPv6 Addrs in Autofind option. This option
determines whether IPv6 addresses found during the Autofind process are used to attempt to connect
to the Hub. See Configure the Include IPv6 Addrs in Autofind option for details.


The table below shows how the Autofind Hubs and Include IPv6 Addrs in Autofind options work
together to influence which Hubs can connect to the Manager.

| Autofind Hubs | Does the Manager have a certificate for the Hub? | Does the Manager have the correct Hub certificate? | Include IPv6 Addrs in Autofind | Outcome |
|---|---|---|---|---|
| Enabled | Yes | Yes | Enabled | A Hub with either an IPv6 or an IPv4 address can connect to the Manager. |
| Enabled | Yes | Yes | Disabled | Only Hubs with an IPv4 address can connect to the Manager. |
| Enabled | Yes | No | N/A | The connection between the Hub and Manager fails and the Invalid Hub Certificate message displays in the Manager. |
| Enabled | No | N/A | N/A | The Manager rejects the connection. |
| Disabled | N/A | N/A | N/A | The Autofind feature is not used and Hubs are not found automatically. |

Disable Autofind Hubs option after initial connection


After the initial Autofind connection, you can add the Hubs that were automatically found to your list
of Known Hubs, which is a list of Hub IP addresses that your AnywhereUSB Manager is allowed to
connect to when you open the Manager.
Digi recommends that after your Hubs have made the initial connection to the AnywhereUSB
Manager and you have added the Hubs that were automatically found to the list of Known Hubs, you
should disable the Autofind Hubs feature. This reduces your network traffic and duplicate Hub
connection attempts.

Note You can manually add Hubs to the Known Hubs list. This can include Hubs that are on the same
network as your computer, or on a different network. You can also manually add Hubs with an IPv6 or
an IPv4 address, regardless of how the Include IPv6 Addrs in Autofind option is configured.

After you have added your Hubs to the known Hubs list, you should disable Autofind Hubs.
For an overview of this process, see Create initial list of Known Hubs.

Configure the Autofind Hubs option


The Autofind Hubs feature in the AnywhereUSB Manager enables the Manager to create a list of
Hubs to which the Manager may be able to connect. The Manager repeatedly reaches out to the
network to create this list, based on the interval specified in the Preferences dialog.
In some cases the Manager discovers multiple addresses for one Hub and makes duplicate
connection attempts. The Manager will not connect twice to a Hub. When the Manager discovers it is
already connected to a Hub and connects a second time, it disconnects the second connection.

Note For detailed information about the Autofind Hubs option, see Autofind Hubs and Include IPv6
Addrs in Autofind options.


The status of the Autofind Hubs option determines which Hubs can automatically connect to the
Manager.
To configure the Autofind Hubs option:

1. Open the AnywhereUSB Manager.
2. Choose File > Preferences. The Preferences dialog appears.
3. Click the Setup tab.
4. Determine the Autofind Hubs configuration.
   - Enable: Hubs are found automatically. This is the default.

     Note The list of Hubs that is automatically found is influenced by the configuration of
     the Include IPv6 Addrs in Autofind option. Verify the status of the Include IPv6 Addrs
     in Autofind option.

   - Disable: Hubs are not found automatically.
5. Click Save.

Configure the Include IPv6 Addrs in Autofind option


When a Hub is discovered by the Autofind feature, the AnywhereUSB Manager receives multiple
addresses for that Hub. The first IP address that successfully completes a connection will be the one
used for the duration of that connection.
The Include IPv6 Addrs in Autofind option works with the Autofind Hubs option to determine
whether IPv6 addresses received are used to attempt connection to that Hub. If IPv6 addresses will
not be used, only IPv4 addresses received will be tried.

Note You can manually add IPv6 addresses to the Known Hubs list and these are able to connect
to the Manager, regardless of the status of the Include IPv6 Addrs in Autofind option.

IPv6 addresses may fail to connect to Hubs if:
- The Hub does not have IPv6 enabled.
- The PC running the Manager does not have IPv6 transport enabled on the interface that would
  be used to connect to that Hub.
- A router or firewall in between the Hub and the Manager is blocking IPv6 traffic.

Note The status of the Include IPv6 Addrs in Autofind option is considered only if the Autofind
Hubs option is enabled.

| Autofind Hubs | Include IPv6 Addrs in Autofind | Outcome |
|---|---|---|
| Enabled | Enabled | Connection attempts using all discovered IPv4 and IPv6 addresses for Hub. This is the default. |
| Enabled | Disabled | Connection attempts using all discovered IPv4 addresses for Hub, if any. |
| Disabled | N/A | The Autofind feature is not used. The only connection attempts are from the Known Hubs list. |


To enable or disable the Include IPv6 Addrs in Autofind option:

1. Open AnywhereUSB Manager.
2. Choose File > Preferences. The Preferences dialog appears.
3. Click the Setup tab.
4. Determine the Include IPv6 Addrs in Autofind configuration.

   Note This option is considered only if the Autofind Hubs option is enabled.

   - Enable: Both IPv4 and IPv6 addresses of Hubs discovered by Autofind are used to
     attempt connections to the Manager.
     This is the default.
   - Disable: Only IPv4 addresses of Hubs discovered by Autofind are used to attempt
     connections to the Manager.
5. Click Save.
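
When a Hub stays in "Unable to connect" although ping succeeds (see Problem: Network issue blocking access), or when only some of its addresses work (the IPv6 cases listed above), a per-address TCP check narrows down the cause. The following Python script is an added example, not part of the AnywhereUSB Manager: the function names, the outcome labels, and the `include_ipv6` flag (modelled on the Include IPv6 Addrs in Autofind option) are assumptions, and the addresses in the demo are documentation-range placeholders.

```python
"""Per-address TCP reachability check for a Hub (illustrative sketch)."""
import ipaddress
import socket

DEFAULT_PORT = 18574  # default AnywhereUSB TCP port stated in this guide

HINTS = {
    "open": "TCP connection completed; the network path and port are fine.",
    "refused": "Connection actively refused; usually nothing listens on this "
               "port. Compare the TCP port on the Hub and in the Manager.",
    "timeout": "No answer; the Hub may be offline or a firewall may be "
               "dropping this TCP port even though ping succeeds.",
    "unreachable": "No usable route or address family, for example IPv6 "
                   "not enabled on the local interface.",
}


def classify_tcp(address: str, port: int = DEFAULT_PORT,
                 timeout: float = 3.0) -> str:
    """Attempt one TCP connection and name the result."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError:
        return "unreachable"


def probe_hub(addresses, port: int = DEFAULT_PORT,
              include_ipv6: bool = True, timeout: float = 3.0):
    """Try literal IP addresses in order; the first that connects wins.

    Returns (chosen_address_or_None, [(address, outcome), ...]).
    """
    attempts = []
    for addr in addresses:
        if ipaddress.ip_address(addr).version == 6 and not include_ipv6:
            attempts.append((addr, "skipped (IPv6 excluded)"))
            continue
        outcome = classify_tcp(addr, port, timeout)
        attempts.append((addr, outcome))
        if outcome == "open":
            return addr, attempts
    return None, attempts


def report(attempts) -> list:
    """Turn probe results into one readable line per address."""
    return [f"{addr}: {outcome} - {HINTS.get(outcome, 'not attempted')}"
            for addr, outcome in attempts]


if __name__ == "__main__":
    # Placeholder addresses from the documentation ranges; replace with
    # the addresses shown for your Hub.
    chosen, tried = probe_hub(["2001:db8::10", "192.0.2.10"])
    print("\n".join(report(tried)))
    print("address used:", chosen)
```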

Rename AnywhereUSB Hubs, groups, and USB devices


Each AnywhereUSB Hub and group has a default name that displays in the AnywhereUSB Manager.
You can also assign a local name to each Hub, group, or USB device that displays in the
AnywhereUSB Manager, which can help you to uniquely identify your local Hubs, groups, and USB
devices.
The local name is local to the computer on which the AnywhereUSB Manager is running. No other
user can see the local name.
- Assign a local name to a Hub
- Assign a local name to a group
- Assign a local name to a USB device

Assign a local name to a Hub


You can give an AnywhereUSB Hub a local name. The name displays in the Hub Status pane in the
AnywhereUSB Manager and also in the tree view. The local name is local to the computer on which
the AnywhereUSB Manager is running. No other user can see the local name.

Note The Hub local name is different from the default Hub name. For detailed information about the
default name, see Rename a Hub and the groups in a Hub.

1. Open the AnywhereUSB Manager.
2. Expand AnywhereUSB Hubs to display the Hubs.
3. Right-click on the Hub to which you want to give a local name.
4. Select the Assign Local Name menu option. A dialog appears.
5. In the field, enter a local name for the Hub.
6. Click OK.

Assign a local name to a group


You can give a group a descriptive local name. The local name can be seen only on the computer on
which the AnywhereUSB Manager is running. The name assigned to the group (default or local)
displays in the Group Status pane in the AnywhereUSB Manager and also in the tree view.


Note The group local name is different from the default group name. For detailed information about
the default name, see Rename a Hub and the groups in a Hub.

1. Open the AnywhereUSB Manager.
2. Expand AnywhereUSB Hubs to display the Hubs.
3. Expand the Hub that has the group you want to give a local name.
4. Right-click on the group that you want to rename.
5. Select the Assign Local Name menu option. A dialog appears.
6. Enter a local name for the group.
7. Click OK.

Assign a local name to a USB device


You can assign a local name to a USB device. The local name is local to the computer on which the
AnywhereUSB Manager is running.
The name assigned to a USB device (default or local) displays in the Device Status pane and
also in the tree view.

1. Open the AnywhereUSB Manager.
2. Expand AnywhereUSB Hubs to display the Hubs.
3. Expand the Hub that has the group to which the USB device is attached.
4. Expand the appropriate group to display the USB devices in the group.
5. Right-click on the USB device to which you want to give a local name.
6. Select the Assign Local Name menu option. A dialog appears.
7. In the field, enter a local name for the USB device.
8. Click OK.

Disconnect from a group or a USB device


You can disconnect from a group or a USB device in a group to which you no longer need access.

Disconnect from a group


- Disconnect from a group

Disconnect from a USB device:


- Disconnect a USB device from a group. This process is done from the AnywhereUSB Manager,
  and can only be done if you are running the Manager as a stand-alone. See Disconnect from a
  USB device in a group.
- Move the port to a group on the Hub to which you are not connected. See Step 3: Name groups
  and assign ports to a group.

Disconnect from a group


You can disconnect from a group that has ports you no longer need access to. You are disconnected
from all USB devices and ports in that group. Any other user can then connect to that group.
Warnings


- Auto-connect: If you have auto-connect enabled for the group, you are not allowed to
  disconnect from the group. You have to first disable auto-connect, and then disconnect from
  the group. The next time you log in to your computer, you will not be automatically connected
  to this group.
- Power cycle on disconnect: The power cycle on disconnect feature ensures that when a
  group is disconnected from a Hub, the Hub turns off power to all of the USB ports in the group
  and then one second later turns it back on. This feature is globally enabled by default on the
  Hub, so to be able to disconnect from a group, you need to globally disable the power cycle on
  disconnect feature.
To disconnect from a group:

1. Open AnywhereUSB Manager.
2. Ensure you are able to disconnect from a group.
   a. Disable auto-connect for a group.
   b. Disable the power cycle on disconnect feature.
3. Expand AnywhereUSB Hubs to display the Hubs.
4. Expand a Hub to display the groups in the Hub.
5. Right-click on the group from which you want to disconnect.
6. Select Disconnect from Group. A note appears in the Group Status pane to show that the
   group is not being used.

Disconnect from a USB device in a group


You can disconnect from a USB device that is in a group.

Note To ensure that you can no longer connect to a USB device in a group, the best method is to
move the port to a group on the Hub to which you are not connected. See Step 3: Name groups and
assign ports to a group.

Warnings
- Auto-connect: If you have auto-connect enabled for the group, you are not allowed to
  disconnect from a USB device in the group until you disable auto-connect. If the USB device is
  in a group to which you are connected, other users cannot connect to the USB device after you
  have disconnected from it, since you still own the group that the USB device is in. See Disable
  auto-connect for a group.
- Power cycle on disconnect: If you have the power cycle on disconnect feature enabled, the
  Hub automatically cycles the power to each USB device when it disconnects. To ensure that a
  USB device remains disconnected, you must disable this feature. See Cycle the power to a
  device when it disconnects from a PC.
To disconnect from a device in a group:

1. Open AnywhereUSB Manager.
2. Ensure you are able to disconnect from a group.
   a. Disable auto-connect for a group.
   b. Disable the power cycle on disconnect feature.
3. Expand AnywhereUSB Hubs to display the Hubs.
4. Expand a Hub to display the groups in the Hub.
5. Expand a group to display the USB devices in the group.
6. Right-click on the USB device from which you want to disconnect.
7. Select Disconnect from Device. A note appears in the Device Status pane to show that the
   device is not being used.

Configure the auto-connect feature for a group


You can enable the auto-connect feature for a group (or multiple groups). This feature ensures that
whenever you open the AnywhereUSB Manager, you are automatically connected to all of the
groups to which you are allowed access that have auto-connect enabled.

Note When you open the AnywhereUSB Manager, the Manager attempts to connect to the groups to
which you are allowed access. If someone else already owns the group, you will not be connected to
that group.

If you have auto-connect enabled for the group, it controls how you can disconnect:
- If auto-connect is enabled, you are not allowed to disconnect from the group. The Disconnect
  from Group option cannot be selected. You have to first disable auto-connect, and then
  disconnect from the group.
- You can disconnect from a USB device in the group, but if auto-connect is enabled, the device
  is immediately re-connected.
For this to work as expected, you should also choose to automatically start the AnywhereUSB
Manager each time you start your computer. For example, you can enable auto-connect for a group
that has a camera connected to a port in the group. Every time the computer starts, the
AnywhereUSB Manager starts and automatically connects the camera to your computer.

Enable auto-connect for a group


You can choose to automatically connect to a selected group each time you open the AnywhereUSB
Manager.

Note You can disable auto-connect at any time.

1. Open AnywhereUSB Manager.


2. Expand AnywhereUSB Hubs to display the Hubs.
3. Expand a Hub to display the groups in the Hub.
4. Right-click on the group to which you want to automatically connect.
5. Select Enable Auto Connect. If you were not already connected to the group, you are
immediately connected to the group. A note appears next to the group name and in the Group
Status pane to show that you are connected to the group.

Disable auto-connect for a group


When auto-connect is disabled, the Hub no longer automatically connects to this group when you
open the AnywhereUSB Manager.

1. Open the AnywhereUSB Manager.


2. Expand AnywhereUSB Hubs to display the Hubs.


3. Expand a Hub to display the groups in the Hub.


4. Right-click on the group to which you no longer want to automatically connect at start up.
5. Select Disable Auto Connect to turn off the auto connect feature for the group.

Manage the list of known Hubs


You can create a list of Hubs to which your AnywhereUSB Manager is allowed to connect when you
open it. The Hubs you add to the list can be on the same network as your computer, or on a different
network.
Hubs that you have added to the known Hubs list display when you open the AnywhereUSB
Manager. These Hubs are in addition to any Hubs that are automatically discovered if you have
enabled the Autofind Hubs feature.

Add a Hub to the known Hub list


You can use one of two methods to manually add a Hub to the known Hubs list:
• Right-click method
• Known Hubs dialog
The Hubs can be on the same network as your computer, or on a different network.

Right-click Hub menu option


When you use this method, a duplicate connection for this Hub is made until you disable the Autofind
Hubs feature in the Preferences dialog.

1. Open the AnywhereUSB Manager.


2. Right-click on a Hub name in the AnywhereUSB Manager. A shortcut menu displays.
3. Click Add to Known Hubs. The Hub is added to the known hubs list.
4. To ensure that you don't have a duplicate connection for this Hub, you should navigate to File
> Preferences and disable the Autofind Hubs feature.

(Optional) You can verify that the Hub was added to the list

1. Select the Hub and make a note of the IP address in the Hub status pane.
2. Select Configure > Known Hubs. The Known Hubs dialog appears.
3. Verify that the IP address for the Hub is in the list.

Known Hubs dialog

1. Open the AnywhereUSB Manager.


2. Select Configure > Known Hubs. The Known Hubs dialog appears.
3. Click Add. The Add Known Hub dialog appears.
4. In the Hub Address field, enter the Hub IP address or a network name, such as a DNS name,
for the Hub.
5. If you want to update the TCP port number, click Advanced. The Hub TCP port (most
systems should leave at default) field displays.


a. In the Hub TCP port (most systems should leave at default) field, a TCP port number is
entered by default. You can change this entry, but it is not recommended.
b. Click Standard to hide the Hub TCP port (most systems should leave at default) field.
6. Click OK. The Hub appears in the Hub list in the Known Hubs dialog.
7. Click Close to close the Known Hubs dialog. The AnywhereUSB Manager attempts to connect
to the new Hub.

Remove a Hub from the known Hub list


You can remove a known Hub that was added to the known Hubs list.

1. Open the AnywhereUSB Manager.


2. Select Configure > Known Hubs. The Known Hubs dialog appears.
3. From the list of known Hubs, select the Hub you want to remove.
4. Click Remove.
5. Click Close to close the Known Hubs dialog.

Working with the known Hubs list and the Autofind Hubs option
You should be aware of how the Autofind Hubs option works with the Hubs you add to the known
Hubs list.
If you have the Autofind Hubs option selected for the Hub, when you open the
AnywhereUSB Manager, all Hubs connected to the same network as your computer are
automatically found and appear in the AnywhereUSB Manager. In addition, any Hubs you have
added to the known Hubs list are found and also appear.

Duplicate Connection
The "Duplicate Connection" message displays if a Hub is found twice and appears twice in the
AnywhereUSB Manager.
This occurs if you have added a Hub to the known Hub list that is on the same network as your
computer, and you have the Autofind Hubs feature enabled. The AnywhereUSB Manager attempts both
connections, and the first one to connect will connect as expected. The second connection is
discovered as a duplicate, and the Manager closes that connection and a red X displays.
In this situation, the Hub added to the known Hubs list is considered a duplicate Hub, and should be
removed from the known Hubs list.


Considerations for removing a Hub on the same network as your computer


If you have the Autofind Hubs feature enabled and then remove a Hub from the known Hubs list that
was on the same network as your computer, the Hub will still be automatically found and connected
to your computer when you open the AnywhereUSB Manager.
If you do not want the computer to be able to connect this Hub, you must de-select the Autofind
Hubs option. Note, however, that if this option is de-selected, Hubs on the same network as your
computer will not be automatically found. Only the Hubs in the list of known Hubs will be available
when you open the AnywhereUSB Manager.

Note As an alternative, you can choose to hide a Hub that is automatically found. This ensures that
while the Hub is still automatically found, it does not appear in the AnywhereUSB Manager.

Hide an individual Hub


You can choose to hide an individual Hub so that it does not appear in the AnywhereUSB Manager.
For example, you can hide an unauthorized Hub, or a Hub which users shouldn't access.
• You can choose to hide Hubs that currently display in the AnywhereUSB Manager, such as an
unauthorized Hub (which displays with a red X next to the Hub name), or a Hub which users
shouldn't access. See Hide a Hub that displays in the AnywhereUSB Manager.
• You can also choose to hide Hubs that don't currently display in the AnywhereUSB Manager,
but the client ID may have access in the future, such as a Hub on another network. See Hide a
Hub that does not currently display in the AnywhereUSB Manager.

Note You can choose to automatically hide all unauthorized Hubs. An unauthorized Hub is a Hub
that has failed to connect to your computer. See Hide all unauthorized Hubs.

Hide a Hub that displays in the AnywhereUSB Manager

Note After you have hidden a Hub, you can choose to re-display it. See Display a hidden Hub.

1. Open AnywhereUSB Manager.


2. Right-click on the Hub that you want to hide. The shortcut menu appears.
3. Click Hide Hub. The next time the AnywhereUSB Manager updates, the hidden Hub is
removed from the Hub list and no longer displays.
4. You can display a hidden Hub when needed.

Hide a Hub that does not currently display in the AnywhereUSB Manager

Note After you have hidden a Hub, you can choose to re-display it. See Display a hidden Hub.

1. Open the AnywhereUSB Manager.


2. Select Configure > Hidden Hubs. The Hidden Hubs dialog appears.
3. Click Add. The Add Hidden Hub dialog appears.
4. In the Hub Address field, enter the Hub IP address.
5. If you want to update the TCP port number, click Advanced. The Hub TCP port (most
systems should leave at default) field displays.


a. In the Hub TCP port (most systems should leave at default) field, a TCP port number is
entered by default. You can change this entry, but it is not recommended.
b. Click Standard to hide the Hub TCP port (most systems should leave at default) field.
6. Click OK. The Hub appears in the Hub list in the Hidden Hubs dialog.
7. Click Close to close the Hidden Hubs dialog.

Display a hidden Hub


You can display any Hub that was hidden using the Hide Hub menu option.

1. Open AnywhereUSB Manager.


2. Choose Configure > Hidden Hubs. The Hidden Hubs dialog appears.
3. Click on the Hub that you no longer want to hide. To select more than one Hub, press CTRL as
you select each Hub.
4. Click Remove. The selected Hubs are removed from the list.
5. Click Close. The next time the AnywhereUSB Manager updates, the hidden Hubs appear in
the list of Hubs.

Hide all unauthorized Hubs


You can choose to automatically hide all unauthorized Hubs, so they do not display in the
AnywhereUSB Manager. An unauthorized Hub is a Hub that has failed to connect to your computer.
A red X appears next to the Hub name.
• Automatically hide unauthorized Hubs
• Display unauthorized Hubs

Note You can choose to automatically hide any individual Hub. See Hide an individual Hub.

Automatically hide unauthorized Hubs


You can choose to automatically hide all unauthorized Hubs. An unauthorized Hub is a Hub that
has failed to connect to your computer, and it appears with a red X next to it in the list of
Hubs in the AnywhereUSB Manager.

Note After you have hidden unauthorized Hubs, you can choose to re-display unauthorized, hidden
Hubs. See Display unauthorized Hubs.

1. Open AnywhereUSB Manager.


2. Choose File > Preferences. The Preferences dialog appears.
3. Select the Hide unauthorized Hubs option.
4. Click Save. Hubs that have failed to connect no longer display in the AnywhereUSB Manager.

Display unauthorized Hubs


You can display the unauthorized Hubs that were hidden using the Hide unauthorized Hubs option.

1. Open AnywhereUSB Manager.


2. Choose File > Preferences. The Preferences dialog appears.


3. De-select the Hide unauthorized Hubs option.


4. Click Save. Hubs that have failed to connect now display in the AnywhereUSB Manager.

Use all Hub IPv4 addresses


The AnywhereUSB Hub may have default IPv4 IP addresses that are reported by mDNS to the
AnywhereUSB Manager, but in many network environments, the Manager cannot connect to them.
As part of normal operation, the Manager tries to sequentially connect to all of the Hub IPv4 IP
addresses, so if it starts trying these extra default IPv4 IP addresses, it may take extra time (minutes)
for the Manager to connect or reconnect.
You can use the Use All Hub Addresses option to determine whether the AnywhereUSB Manager is
allowed to connect to extra default IPv4 IP addresses. By default, this option is deselected and the
Manager does not attempt to connect to these addresses.

Note This can also be done using a CLI command: use all hub addresses

1. Open AnywhereUSB Manager.


2. Choose File > Preferences. The Preferences dialog appears.
3. Determine your connection option:
• Not selected: When Use All Hub IPv4 Addresses is not selected, the AnywhereUSB
Manager does not attempt to connect to the extra IPv4 IP addresses. This is the default.
• Selected: When Use All Hub IPv4 Addresses is selected, the AnywhereUSB Manager
attempts to connect to the extra IPv4 IP addresses.
4. Click Save to save your change and close the dialog.

Specify search, response, and keepalive intervals for a Hub


You can specify the search and response time for Hubs on the network, and the keepalive intervals for
the connection between the Hub and the AnywhereUSB Manager.

1. Open AnywhereUSB Manager.


2. Choose File > Preferences. The Preferences dialog appears.
3. Click the Advanced tab.
4. Enter the following:
• Search for Hubs every .... sec: Specifies how often the AnywhereUSB Manager
searches the local network to discover Hubs and refresh the AnywhereUSB Manager
display. Default and minimum values are both 30 seconds.

Note You cannot manually perform a refresh of the Hubs displayed in the
AnywhereUSB Manager.

• Wait for Hub response for .... sec: Specifies how long after the last discovery
refresh the AnywhereUSB Manager stops looking for more Hubs. Default and
minimum values are both 4 seconds.
• Send Keep-Alive every ... sec: Specifies how often the AnywhereUSB Manager sends
a keepalive request to the Hubs connected to the network. This impacts network
utilization because each AnywhereUSB Manager will send one packet at this interval
to each Hub to which it is connected. Default is 3 seconds. The minimum value is 1
second.
• Keep-Alive Timeout ... sec: Specifies how long the AnywhereUSB Manager should
wait for a keepalive response. When the value of the response time is reached, the
Manager decides that a Hub is no longer available, and the computer is disconnected
from all groups and devices on that Hub. The default value is 20 seconds. The minimum
value is 15 seconds.
  ◦ The keepalive timeout value would need to be longer if the network has more
  latency (such as a cellular or satellite link), or an internet link with unreliable packet
  delivery.
  ◦ If the value is too short, devices will be disconnected, which may have an adverse
  effect on some devices, such as USB memory.
  ◦ If the value is too long, Hubs that are removed from the network will not be noticed
  as gone for a long time, and devices that are no longer connected will be
  unresponsive for a long time.
• Power cycle off time: This option is not used, and any value in the field is ignored. The
power cycle off time configured for the Hub is 1 second.

5. Click Save.

Configure the minimum TLS version


You can specify the minimum TLS version that the AnywhereUSB service will accept. The default is
TLS version 1.3.

Note You can also configure the minimum TLS version in the Hub's web UI. See Configure
AnywhereUSB services.

1. Open the AnywhereUSB Manager.


2. Choose File > Preferences. The Preferences dialog displays.
3. Click the Setup tab.
4. From the Minimum TLS version list box, select the minimum TLS version that the
AnywhereUSB service will accept. The default is TLS version 1.3.
5. Click Save.

Manage Hub credentials


You can manually add, update, or remove the certificate associated with a Hub on the
AnywhereUSB Manager. The Hub and the AnywhereUSB Manager must have matching certificates
to be able to communicate.

Auto-register Hub Cert option


The Auto-register Hub Cert option determines whether a Hub's certificate is automatically registered
with a Manager. When the Manager attempts to connect to a Hub in the list, the Hub provides a
certificate. If the Manager doesn't have the Hub's certificate, the Manager's connection outcome
depends on the status of the Auto-register Hub Cert option.


• If Auto-register Hub Cert is enabled, the Manager stores the Hub certificate and connects to
the Hub.
• If Auto-register Hub Cert is disabled, the Manager rejects the connection to the Hub.
For detailed information, see Configure the Auto-register Hub Cert feature.

Manually manage the Hub certifications


For more control over the Hub certificates, you can also manually add, remove, and update them.
• Add a Hub certificate
• Remove a Hub certificate
• Update a Hub certificate

Add a Hub certificate


You can manually add a Hub certificate to the AnywhereUSB Manager.

1. Open AnywhereUSB Manager.


2. Choose Configure > Manage Hub Credentials. The Manage Hub Credentials dialog appears.
3. In the Serial number field, enter the Hub's serial number.
4. Click Add. The Choose a credential file window appears.
5. Browse for the new certificate file and click Open. The file should have a .pem extension.
6. An update message displays in the Manage Hub Credentials dialog.
7. Click Close.

Update a Hub certificate


You can choose to manually update a Hub's certificate and register a new certificate with the
AnywhereUSB Manager.

1. Open AnywhereUSB Manager.


2. Choose Configure > Manage Hub Credentials. The Manage Hub Credentials dialog appears.
3. Select the Hub for which you want to update the certificate.
4. Click Update. The Choose a credential file window appears.
5. Browse for the new certificate file and click Open. The file should have a .pem extension.
6. An update message displays in the Manage Hub Credentials dialog.
7. Click Close.

Remove a Hub certificate


You can choose to remove a Hub certificate from the AnywhereUSB Manager. After the Hub's
certificate is removed, the Manager will not be able to connect to the Hub.
However, if you have enabled the Auto-register Hub Cert option, a new certificate for the Hub is
automatically registered with the AnywhereUSB Manager the next time the Manager attempts to
connect to the Hub.
To ensure that a Hub certificate is not automatically registered with the Manager, you should disable
the Auto-register Hub Cert option. You can manually add the Hub to register a new certificate if
desired.


1. Open AnywhereUSB Manager.


2. Choose Configure > Manage Hub Credentials. The Manage Hub Credentials dialog appears.
3. Select the Hub that you want to remove.
4. Click Remove.
5. Click Close.
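
The connection outcomes described under Auto-register Hub Cert option, Add a Hub certificate, and Remove a Hub certificate, modelled as an added Python example. This is not Digi's code: the class and function names, the placeholder serial number, the constructed PEM stand-ins, and the rejection of a certificate that differs from the registered one (inferred from the statement that the certificates must match) are assumptions made for illustration.

```python
import hashlib
import hmac
import ssl

# Constructed stand-ins: arbitrary bytes in a PEM wrapper, not real X.509
# certificates. Fingerprinting only hashes the DER payload, so this suffices.
HUB_CERT_A = ssl.DER_cert_to_PEM_cert(b"constructed hub certificate A")
HUB_CERT_B = ssl.DER_cert_to_PEM_cert(b"constructed hub certificate B")
SERIAL = "EXAMPLE-SERIAL-0001"  # placeholder Hub serial number


def fingerprint(pem):
    """SHA-256 fingerprint (lowercase hex) of the DER bytes inside a .pem file."""
    der = ssl.PEM_cert_to_DER_cert(pem.strip())
    return hashlib.sha256(der).hexdigest()


def _normalize(fp):
    """Accept both 'AA:BB:...' and 'aabb...' fingerprint notation."""
    return fp.replace(":", "").replace(" ", "").lower()


class HubCredentialStore:
    """Hypothetical model of the Manager's list of registered Hub certificates."""

    def __init__(self, auto_register):
        self.auto_register = auto_register
        self.pins = {}  # Hub serial number -> registered certificate fingerprint

    def add(self, serial, pem, expected_fingerprint=None):
        """Manual Add/Update. When the operator has a fingerprint obtained out
        of band, refuse a file that does not match it before trusting it."""
        fp = fingerprint(pem)
        if expected_fingerprint is not None and not hmac.compare_digest(
            fp, _normalize(expected_fingerprint)
        ):
            raise ValueError("certificate file does not match expected fingerprint")
        self.pins[serial] = fp
        return fp

    def remove(self, serial):
        """Manual Remove: forget the certificate registered for this Hub."""
        self.pins.pop(serial, None)

    def connect(self, serial, presented_pem):
        """Outcome of a connection attempt in which the Hub presents a certificate."""
        fp = fingerprint(presented_pem)
        known = self.pins.get(serial)
        if known is None:
            if self.auto_register:
                # Trust on first use: whatever is presented first is stored.
                self.pins[serial] = fp
                return "connected, certificate auto-registered"
            return "rejected, no certificate registered"
        if hmac.compare_digest(known, fp):
            return "connected"
        # Assumption: a certificate differing from the registered one is refused.
        return "rejected, certificate mismatch"


def demo():
    """Walk through the outcomes the section describes; returns {scenario: outcome}."""
    out = {}

    auto = HubCredentialStore(auto_register=True)
    out["auto: first contact"] = auto.connect(SERIAL, HUB_CERT_B)
    out["auto: different cert later"] = auto.connect(SERIAL, HUB_CERT_A)
    auto.remove(SERIAL)
    # After removal, auto-register stores the next certificate it is shown.
    out["auto: after remove"] = auto.connect(SERIAL, HUB_CERT_A)

    manual = HubCredentialStore(auto_register=False)
    out["manual: unknown hub"] = manual.connect(SERIAL, HUB_CERT_A)
    # In practice the expected value is obtained out of band, not from the file.
    manual.add(SERIAL, HUB_CERT_A, expected_fingerprint=fingerprint(HUB_CERT_A))
    out["manual: registered cert"] = manual.connect(SERIAL, HUB_CERT_A)
    out["manual: different cert"] = manual.connect(SERIAL, HUB_CERT_B)
    manual.remove(SERIAL)
    # With auto-register disabled, removal stays in effect until a manual add.
    out["manual: after remove"] = manual.connect(SERIAL, HUB_CERT_A)
    return out


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:28s} {outcome}")
```

With auto-register enabled, the first certificate presented for a serial number is accepted without any check, so comparing the fingerprint of the .pem file against a value obtained out of band and keeping auto-register disabled is the stricter configuration.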

Assign Device Address (use the same virtual port number)


The Assign Device Address feature allows you to use the same virtual port number every time the
user connects to the device group.
When you connect to a group that has USB devices, the AnywhereUSB Manager assigns a virtual port
number to each device. When the AnywhereUSB Manager announces a device to Windows, Windows
assigns an identifier to the device. By using the same virtual port, Windows usually sees it as the same
device after a reboot.
In some situations after a reboot, Windows may give a device a different identifier, which causes
Windows applications to see it as a different device. If this situation occurs, this feature can help
Windows use the same identifier.

Note This feature is only available for Windows 10 and newer, and Windows Server 2016 and newer.

Configure the Hub to assign a device address


You can configure the Hub to retain the Windows address for the ports in a group. You must connect
to the group before you can assign a port address to a device address.

Note You must restart your PC after configuration is complete to apply the configuration changes.

1. Power on the Hub and connect the USB device (or devices) to the desired USB ports.
For best results, you should connect all of the devices that you want to use.
2. Open the AnywhereUSB Manager.
3. Expand the Hub that has the group or groups that contain the USB ports to which you have
connected devices.
4. Connect to the group or groups that contain the connected devices.
a. Right-click on the group name.
b. Click Connect to the Group.
c. Repeat for all groups.
5. Choose Configure > Device to Port Assignment. The Device Address to Port Assignment
dialog displays. A list of the devices connected to the groups displays.
• Host: The name of the Hub.
• Device: The identifier assigned to the device by the Hub.
• Port: Virtual port number assigned internally by the AnywhereUSB Manager. The
assign device address feature allows you to use the same virtual port number on every
connect.


6. Select the devices that you want to pin to a virtual port number.
Click on one port, or press the CTRL key to select multiple ports. When selections are
complete, click Assign. To select all of the ports, click Assign All. The assigned ports are
bolded.
7. To remove a selected port from the list:
Click on the port that you want to unassign, or press the CTRL key to select multiple ports.
When selections are complete, click Unassign. To de-select all of the ports, click Unassign All.
8. Select the Show Assign Port in Device Menu option to display the assigned virtual port
number in the AnywhereUSB Manager USB Device Status pane.

9. Click Close to close the dialog.


10. Restart your PC to apply the configuration changes.

View the AnywhereUSB Manager system messages


You can view the system message log of the AnywhereUSB Manager events. The date and time at
which an event occurred is listed, as well as the event type and additional information. A new log is
created each time you start the AnywhereUSB Manager.
The system message log is used for troubleshooting.

1. Open the AnywhereUSB Manager.


2. Select Help > System Messages. The System Messages dialog appears.
• Click Refresh to update the system messages.
• Click Clear Log to clear the system messages from the log.
• Click Copy to Clipboard to copy the messages to the Windows clipboard. You can then
paste the messages into another application or document.
3. Click Close to close the System Messages dialog.


Restore AnywhereUSB Manager default configuration


You can restore the AnywhereUSB Manager to the default settings. During this process, you have the
option to keep your currently configured client ID and credentials. See Client ID
overview for more information about how the client ID is used by your computer and the Hub to
create a connection.
• Keep the current client ID
• Change the client ID

Keep the current client ID


To restore the Hub's default settings and keep your currently configured client ID and identity
certificate:

1. Open the AnywhereUSB Manager.


2. Select File > Preferences. The Preferences dialog appears.
3. Click the Setup tab.
4. Click Restore default settings. A dialog appears.
5. Select the Keep Client ID option. This is selected by default.
6. Click OK. The AnywhereUSB Manager closes automatically. The next time you launch the
AnywhereUSB Manager, the default settings will be restored.

Change the client ID


To restore the Hub's default settings and change your currently configured client ID and credentials:

1. Open the AnywhereUSB Manager.


2. Select File > Preferences. The Preferences dialog appears.
3. Click Restore default settings. A pop-up dialog appears.
4. De-select the Keep Client ID option.
5. Click OK. The pop-up dialog closes and the Preferences dialog is available.
6. In the Client ID field, enter a new, unique client ID.
7. Click Save.

Manage USB isochronous transfers for audio and video streams


Isochronous USB device transfer is used to transfer audio and video streams. Generally, Isoch devices
are cameras, microphones, speakers, and other data-streaming devices. A High performance
Isochronous feature is available with AnywhereUSB.
The High performance Isochronous USB feature is enabled in the AnywhereUSB Manager by default,
and should remain enabled unless your Isochronous USB device does not function correctly with it
enabled. You can disable this feature to attempt to allow older Isochronous USB data-streaming
devices to operate when connected to a Hub over a network.

Note If you change any options in the Performance tab, you must restart the AnywhereUSB
Manager to apply the change.

1. Open AnywhereUSB Manager.


2. Choose File > Preferences. The Preferences dialog appears.


3. Click the Performance tab.


4. De-select the High performance Isoch option.
5. Click Save.
6. To apply the change, you must restart the AnywhereUSB Manager. The process depends on
the mode.
• Standalone mode
a. From the AnywhereUSB Manager, click File > Exit to disconnect all USB devices
connected to your computer, close all connections, and close the AnywhereUSB
Manager.
b. To restart the AnywhereUSB Manager, double-click the Anywhere USB Manager
shortcut on your desktop.
• Service mode
a. If the AnywhereUSB Manager is running, you have to close it. From the
AnywhereUSB Manager, click File > Exit to disconnect all USB devices connected
to your computer, close all connections, and close the AnywhereUSB Manager.
b. In the Windows search field, enter: services.msc
c. The Services dialog displays. Scroll through the list to find the Digi
AnywhereUSB Manager service.
d. Right-click on the service to display the shortcut menu, and click Stop.
e. Right-click on the service to display the shortcut menu, and click Start.

Create support log file


You can use the Create Support File feature in the AnywhereUSB Manager when you need to collect
logs and other information for Digi Technical Support. The information is saved to a .bin file which
you can send to technical support.
The location in which the file is saved depends on whether the Manager was installed in service or
stand-alone mode. After you have created the file, a dialog displays the location in which the .bin file
was saved.
The file is overwritten each time you create a file. If you want to save a file before it is overwritten,
rename the file or move it to a different location.

Note You can also create a debug log file using the USB Debug Logging Wizard, which is accessed
from the web UI. See Create a debug log file with the USB Debug Logging Wizard.

1. Open AnywhereUSB Manager.


2. Choose Help > Create Support File. The support file is created. When complete, a dialog
displays, showing you the location of the file.
3. Make a note of the file location.
4. Click OK to close the dialog.
5. Navigate to the file location and copy it. You can then email the copy to Digi Technical
Support.

Note If you installed the AnywhereUSB Manager in service mode, you must have
Administrator rights on the computer to copy the file.


Access the online help from the AnywhereUSB Manager


1. Open the AnywhereUSB Manager.
2. Click Help > Online Manual to launch the online help file.

Always display the AnywhereUSB Manager on top


You can choose to always display the AnywhereUSB Manager on top of all open windows. This
feature is disabled by default.

1. Open the AnywhereUSB Manager.


2. Select Help > Always on top. This option toggles between disabled and enabled, and is
disabled by default. When it is enabled, a check mark displays next to the option.

Minimize the AnywhereUSB Manager when launched


You can choose to automatically minimize the AnywhereUSB Manager when it launches.

1. Open AnywhereUSB Manager.


2. Choose File > Preferences. The Preferences dialog appears.
3. Click the Setup tab.
4. Determine whether you want to automatically minimize the AnywhereUSB Manager when it
launches.
• Select Start Manager minimized to automatically minimize the
AnywhereUSB Manager when it launches.
• De-select Start Manager minimized to open the AnywhereUSB Manager when it
launches.
5. Click Save.

View AnywhereUSB Manager version and license information


You can view version and license information about the Hub.
The version numbers for the currently installed version of the AnywhereUSB Manager, the driver,
and the installer are listed at the top of the screen.

1. Open the AnywhereUSB Manager.


2. Select Help > About. The License dialog appears.
3. View the version numbers at the top of the screen.
• Manager Version: The currently installed version of the AnywhereUSB Manager.
• Driver Version: The version of the Windows driver installed when the Manager was
installed.
• Installer Version: The version of the AnywhereUSB installer that was used to install the
Manager and the Windows driver.
4. In the License window, scroll down to review the license information.
5. Click Close to close the dialog.


View latency graph


You can review the relative latency of all of the Hubs connected to the network.

Note The Latency Graph menu item is not available when the AnywhereUSB Manager is installed in
service mode.

1. Open the AnywhereUSB Manager.


2. Select Help > Latency graph to display the latency graph.

Stop and start the AnywhereUSB Manager Windows service


If you have installed the AnywhereUSB Manager in service mode, you may need to stop and restart
the Digi AnywhereUSB Manager service.

Stop the service


When the Digi AnywhereUSB Manager service is stopped, you cannot access the
AnywhereUSB Manager.

1. In the Windows search field, enter: services.msc


2. The Services dialog displays. Scroll through the list to find the Digi AnywhereUSB Manager
service.
3. Right-click on the service to display the shortcut menu, and click Stop. The Status for the
service becomes blank.

Start the service


1. In the Windows search field, enter: services.msc
2. The Services dialog displays. Scroll through the list to find the Digi AnywhereUSB Manager
service.


3. Right-click on the service to display the shortcut menu, and click Start. The Status for the
service changes to Running.

Stop and start the Linux headless AnywhereUSB Manager


If you have installed the Linux headless Manager, you may need to stop and restart it.
Stop the headless Manager
Stopping the headless Manager can take up to one minute, depending on whether the Manager is
connected to USB devices.

$ anywhereusb-headless stop

Start the headless Manager

$ anywhereusb-headless

Note To start the awusbmanager-headless at boot, you will need to create and add a systemd
startup script.

Power loss and Hub configuration


The Hub retains its configuration if power is lost and then power is restored when the Hub is plugged
into a main power supply, or if the device is commanded to restart automatically or interactively.

Exit the AnywhereUSB Manager


You can log out of the AnywhereUSB Manager and close the dialog.

1. Open the AnywhereUSB Manager.


2. Click File > Exit to disconnect all USB devices connected to your computer, close all
connections, and close the AnywhereUSB Manager.
3. If you are connected to any USB devices, a confirmation dialog appears.

4. Click Yes to exit the AnywhereUSB Manager.



Power cycle feature
You can cycle the power to the devices connected to an AnywhereUSB Hub using one of the following
methods. When the power is cycled, the power is turned off for 1 second and then turned back on.
Review the details of each method to determine which one you can use to cycle the power.

Table columns: Power cycle action | User type: Admin | User type: Non-Admin | Tool: Web UI | Tool: AnywhereUSB Manager Service Mode | Tool: AnywhereUSB Manager Standalone Mode
Cycle the power to all of the X X
devices connected to one
selected port.
See Cycle the power to a port
on a Hub from the web UI.

Cycle the power to one selected X X


device.
See Cycle the power to a USB
device connected to the Hub
X X X
from the
AnywhereUSB Manager.

Cycle the power to all devices Automatic if Enabled


in a group on a disconnect.
Enabled by default.
See Cycle the power to a device
when it disconnects from a PC.
X X
To disable this feature:
See Disable the power cycle on
disconnect feature.
Disconnects happen when:
• A device is manually X X
disconnected from the
Manager X X X
• A group is manually X X
disconnected from the
Hub X X X

n PC and/or Hub reboots Automatic if Enabled
n PC and/or Hub loses connection to the network Automatic if Enabled

Cycle the power to a USB device connected to the Hub from the
AnywhereUSB Manager
This feature enables you to cycle the power to a selected USB device from the
AnywhereUSB Manager.
The USB device can be connected directly to the AnywhereUSB Hub or to a downstream USB hub.
Cycling the power has the same effect as removing the USB device from the Hub and then
reconnecting it. When you use this feature, the power supplied by the port to the USB device is turned
off for 1 second and then turned on. The USB device you choose to power cycle must be assigned to a
group that you are allowed to access.
If an externally powered USB device (one that is not powered by the Hub) is connected to the Hub,
the power cycle feature may have no effect on the USB device.

Note You can also cycle the power to a selected USB device using the power cycle CLI command.

Note Additional power cycle methods are available. See Power cycle feature.

1. Open AnywhereUSB Manager.
2. Expand the Hub and group to which the USB device is connected.
3. Right-click on the USB device and click Power Cycle Device. The power supplied by the port to
the USB device is turned off for 1 second and then turned on.

Cycle the power to a port on a Hub from the web UI


This feature enables you to power cycle a port on an AnywhereUSB Hub from the web UI.
When you power cycle the port, the port is powered off for 1 second and then powered on.
If a USB device is connected to the port, the USB device is powered off and then powered back on,
which has the same effect as removing the USB device from the Hub and then reconnecting it.
If an externally powered USB device (one that is not powered by the Hub) is connected to the Hub,
the power cycle feature may have no effect on the USB device.

Note You can also power cycle a port using the powercycle port CLI command.

Note Additional power cycle methods are available. See Power cycle feature.

1. Open the web UI.
2. Click Status > AnywhereUSB. The AnywhereUSB Status page displays.
3. Expand USB Devices.
4. Click Cycle for the port that you want to power off and then on.
5. When the power cycle is complete, a success message displays.

Cycle the power to a device when it disconnects from a PC


The power cycle on disconnect feature cycles the power to each USB device when it disconnects from
a PC. The power is turned off for 1 second and then turned on. This is useful for security devices that
may refuse to reconnect to a PC without a power cycle, virtual machines that reboot, and devices left
in an unexpected state.
This feature is globally enabled by default on the Hub. You can choose to globally disable it.

Note This feature is disabled by default on the AnywhereUSB Plus 24 variant without Wi-Fi. If your
device has a serial number greater than or equal to AW24-010000, this feature can be enabled.
Otherwise, the feature does not work as expected and should not be enabled.

When a disconnect occurs, the Hub turns off power to the device and then one second later turns it
back on. The re-powered device is then ready to make a new connection to the same or a different
PC. Note that if the PC is connected to the group, the USB device can only reconnect to that same PC.
Disconnects happen when:
n A device is manually disconnected from the PC.
n From the AnywhereUSB Manager, expand a Hub to display the groups connected to the PC.
Right-click on a device in a group and select Disconnect Device to disconnect the device from
the PC. This menu option is not available if a PC is not connected to the group. The power to
the device is cycled and the device reconnects to the same PC.
n A group of devices is disconnected from the Hub
From the AnywhereUSB Manager, expand a Hub to display the groups. Right-click on a group
and select Disconnect from Group. The power to all of the USB devices in the group is cycled
and the group waits to be connected to the same or a different PC.
n PC and/or the Hub reboots
If the PC and/or the Hub reboots, then after the keepalive timeout occurs, all of the USB
devices that were connected to that PC are power cycled.
n PC and/or the Hub loses connection to the network
If the PC and the Hub lose network connectivity, then the USB devices that were connected to
that Hub are power cycled if the connectivity is not restored before the keepalive timeout
occurs. The groups are then ready to connect to the same or a different PC.

Considerations
The following examples explain situations in which this feature does not work as expected.
n If you have a self-powered USB device, then this feature will not be able to power cycle that
device. An example is a hard drive with a power cord plugged into a power source other than
the Hub.
n If you have devices connected on a downstream USB hub and the hub does not support USB
power control, then the feature will not cycle those devices.

Note Additional power cycle methods are available. See Power cycle feature.

Disable the power cycle on disconnect feature


The power cycle on disconnect feature is globally enabled by default on the Hub. You can choose to
globally disable this feature if desired.
When enabled, the power is cycled by default to each USB device when the device disconnects from a
PC.

Note This feature is disabled by default on the AnywhereUSB Plus 24 variant without Wi-Fi. If your
device has a serial number greater than or equal to AW24-010000, this feature can be enabled.
Otherwise, the feature does not work as expected and should not be enabled.

Note You can also disable this feature using the power_cycle_on_unbind CLI command.

1. Open the web UI.
2. Select System > Device Configuration > Services > AnywhereUSB.
3. Expand Power cycle on disconnect. The feature is enabled by default.
4. Click Enable to disable the feature.
5. Click Apply to save the changes.

Configure and manage the AnywhereUSB Hub in the web user
interface
You can configure the AnywhereUSB Hub from the web user interface. You can access the web UI from
the AnywhereUSB Manager or from a browser window. See Open the web UI to manage the
AnywhereUSB ports.

AnywhereUSB Configuration page


The AnywhereUSB Configuration page consists of all configuration options related to an
AnywhereUSB Hub.
To access this page, open the web UI and click System > Configuration > AnywhereUSB
Configuration.

Service Settings
Click Service Settings to expand this section.

Item Description
Enable Click Enable to enable the AnywhereUSB service.

Port Specify the port number that is used to access the Hub. The default
value is 18574. If you change the port number you must also change
the corresponding port number on your computer.
Enable USB debug logging Select this option to enable USB debug logging. This feature should
only be used when working with Digi Technical Support to debug an
issue.

Group Settings
Click Group Settings to expand this section. In this section you can name groups and assign USB
ports to the groups.
For instructions, see Step 3: Name groups and assign ports to a group.

Item Description
Group Description A free-form description of a group. You can type over the default
description.
One row displays for each group, and 2 groups are available.
The Unassigned group row is used for any port that is not assigned
to a group.

Port Assignments Specify the USB ports in each group. Each port on a Hub can be
assigned to only one group. Ports that are not assigned to a group
can be put in the Unassigned group.

Client Settings
Click Client Settings to expand this section and display information about the clients that can
connect to the Hub.
For more information, see Configure and manage client IDs.

Item Description
Select a client to configure Select the existing client that you want to update or remove.
n Edit: Click Edit to update the selected client.
n Remove: Click Remove to remove the selected client.
Client ID The client ID is a unique identifier assigned to a user account the
first time a user logs in to a computer and opens the
AnywhereUSB Manager. During this process, the AnywhereUSB
Manager creates a secure identity certificate that is associated with
the client ID. This certificate is used to validate your user account
with the Hub.
See Configure and manage client IDs.
Certificate The status of the certificate associated with the client ID. This
certificate is used to validate your user account with the Hub.
The Certificate value is Unavailable until certificates have been
exchanged between the computer and the Hub. After this occurs,
the Certificate value is updated to Available.
See Configure a client ID.
Description A free-form description of the client.

Group Access The groups that this client is allowed to access. The USB ports in
the group can be accessed by this user account.
See Configure a client ID.
Add Client Click Add Client to manually add a new client ID.
See Manually add a client ID.
Automatically Register Unknown Clients This feature is not currently implemented.

Group Access This section is related to the Automatically Register Unknown
Clients option, which is not currently implemented.

AnywhereUSB Status page


The AnywhereUSB Status page contains status information about the USB devices and groups
connected to the AnywhereUSB Hub.

You can access this page in two ways from the web UI:
n Click Dashboard, and then click Show Details in the AnywhereUSB Service pane.
n Click Status > Services > AnywhereUSB.

USB Devices
Click USB Devices to expand this section and display information about the USB devices connected
to the AnywhereUSB Hub.

Item Description
Configuration icon Click the configuration icon in the upper right corner of the page
to access the AnywhereUSB Configuration page. See
AnywhereUSB Configuration page for more information.
Port The number of the USB port to which the USB device is connected.

Group The group to which the USB port is assigned.

USB The USB technology of the connected device.

Manufacturer Name of the USB device manufacturer, if supplied by the device.

Product Name of the USB product, if supplied by the device.

Serial number The serial number of the USB device, if supplied by the device.

Cycle Click Cycle to power off the port for 3 seconds, and then power it
back on. For more information, see Cycle the power to a port on a
Hub from the web UI.

Groups in Use
Click to expand this section and display information about the groups connected to the AnywhereUSB
Hub.

Item Description
Configuration icon Click the configuration icon in the upper right corner of the page
to access the AnywhereUSB Configuration page. See Configure and
manage the AnywhereUSB Hub in the web user interface for more
information.
Group A group to which the client has connected. See Connect to a group
or USB device in the AnywhereUSB Manager.
Client ID The unique identifier of the client that has connected to this group.
For more information, see Client ID overview.
IP Address The network address of the client's computer.

Blocked Client
Click Blocked Client to block a client ID from connecting to a device group or groups.
The first section displays information about the client IDs that are currently blocked.

Item Description
Client ID A client ID that is currently blocked.
Blocked Groups The number of groups from which the client ID is blocked.
Expiration The remaining time for the block.
Unblock When a client ID is blocked, the Unblock button displays. Click
Unblock to remove the block before the default time period.
For more detailed information, see Unblock a client ID.

Configuration icon Click the configuration icon in the upper right corner of the page
to access the AnywhereUSB Configuration page. See
AnywhereUSB Configuration page for more information.

Block a Client section


The fields and options in this section are used to block a client ID. For more detailed information, see
Block a client ID.

Item Description
Client ID From the Client ID list box, select the client ID that you want to
block.
Block Groups Select the group(s) that you want to block for the client ID. All of the
groups are selected by default.
You can enter the groups in the Block Groups field, or click on a
group from the group options below the field to deselect it.
Apply Click Apply to block the selected client ID from the selected
group(s).

Debug Logging
Click Debug Logging to expand this section and access the USB Debug Logging Wizard.

Item Description
Debug Logging Wizard Click Debug Logging Wizard to launch the USB Debug Logging
Wizard. See Create a debug log file with the USB Debug Logging
Wizard.

Open the web UI to manage the AnywhereUSB ports


You can open the web user interface to configure the USB ports on the Connect EZ 16/32 from the
AnywhereUSB Manager or the Connect EZ 16/32 web UI.

Open the web UI from the AnywhereUSB Manager


1. Open the AnywhereUSB Manager.
2. Expand AnywhereUSB Hubs to display the Hub.
3. Right-click on the Hub to display the shortcut menu.
4. Click Open Web UI.
n If you are currently logged into the Connect EZ 16/32, the web UI Dashboard displays.
n If you are not currently logged into the Connect EZ 16/32, the login page displays. Enter
the device's user name and password and click Login. The web UI Dashboard displays.

Open the web UI from a browser window


Before you begin, make sure you know the following information.
n IP address for the Connect EZ 16/32
n User name and password for the Connect EZ 16/32
To open the web UI from a browser window:

1. Open a browser window.
2. Enter the IP address for the Connect EZ 16/32. A login screen displays.
3. Enter the user name and password.
4. Click Login. The web UI Dashboard displays by default.

Rename a Hub and the groups in a Hub


A default name is assigned to an AnywhereUSB Hub and to the groups in the Hub. These names are
associated with the physical Hub and groups on the Hub, and can be changed in the web user
interface.

Note A USB device does not have a name that can be changed. However, a local name can be
assigned to a USB device in the AnywhereUSB Manager. See Assign a local name to a USB device.

The default Hub name and group name can be seen by every user that connects to the Hub. You can
also give a Hub and groups a local name that can be seen only by the user that assigns the name. See
Assign a local name to a Hub and Assign a local name to a group.

Note Only administrators can rename the Hubs and the groups.

n Rename the AnywhereUSB Hub
n Rename a group

Rename the AnywhereUSB Hub


You can rename the AnywhereUSB Hub in the Ethernet Network Configuration page.

Note The name can consist of the following characters: 0-9, A-Z, a-z, dash (-), or period (.). You cannot
use spaces, underscores (_), comma (,), forward slash (/), or ampersand (&).

1. Open the web UI.
2. Select System > Configuration > Device Configuration.
3. Expand System.
4. In the Name field, enter a descriptive name for the Hub. The name cannot have spaces or
underscores.
5. Click Apply.

Rename a group
You can rename a group in the AnywhereUSB page in the web UI.
By default, a group is named "Group" appended by a consecutive number, such as Group 1. The group
name displays in the Group Name field in the Group Status pane in the AnywhereUSB Manager.

1. Open the web UI.
2. Select System > AnywhereUSB Configuration.
3. Expand Group Settings.
4. Enter a new name for a group in the desired Group Description field.
5. Click Apply to save the changes.

Configure and manage client IDs


The client ID is a unique identifier assigned to a user account the first time a user logs in to a
computer and opens the AnywhereUSB Manager. During this process, the AnywhereUSB Manager
creates a secure identity certificate that is associated with the client ID. This certificate is used to
validate your user account with the Hub. For more information, see Client ID overview.
Manage the client IDs
For each Hub, you can view a list of client IDs that are allowed to connect to the Hub. You can
manually add client IDs or choose to automatically add client IDs to the list.

Note You can have up to 255 client IDs in the client list.

Assign client IDs to USB ports on the Hub


The client IDs are assigned to groups of USB ports on the Hub. When a computer connects to a group
in the AnywhereUSB Manager, the computer has access to all of the ports in the group and the
devices connected to those ports. No other computer is allowed to access any of the devices in the
group. A computer can connect to more than one group at a time.
n Configure a client ID
n Manually add a client ID
n Remove a client ID
n Automatically register or reject unknown clients
n Client ID overview

Configure a client ID
You can assign a descriptive name to a client ID in the client list, and update the groups the client ID is
allowed to access. The client ID can access all of the ports in the specified groups, as defined in the
Group Settings section.

Note If needed, you can also add additional client IDs to the list.

1. Open the web UI.
2. Select System > Configuration > AnywhereUSB Configuration. The AnywhereUSB
Configuration page appears.
3. Expand the Client Settings section.
4. From the client list, select the client ID that you want to configure. Information about the
selected client ID displays in the Settings for Client section.
5. Click Edit.
6. In the Description field, enter a descriptive name for the client ID.
7. Click the check box next to a group to which the computer is allowed access. As you select
groups, the selected group numbers appear in the Group Access field in the Settings for
Client section. You can also manually enter group numbers in the Group Access field.

Note The Certificate value is Unavailable until certificates have been exchanged between the
computer and the Hub. After this occurs, the Certificate value is updated to Available.

8. Click Apply to save the changes.

Manually add a client ID


You can manually add client IDs to the client list. When a computer searches for Hubs, any computer
with a client ID on the client list can connect to the Hub.

Note You can have up to 255 client IDs in the client list.

After you have added a client ID, the certificate is unavailable until the first time a computer with the
new client ID connects to the Hub. For more information about client IDs, see Client ID overview.
When the computer connects to the Hub for the first time, the credentials are exchanged between the
computer and the Hub. After the initial connection, only that computer with the client ID and unique
identity certificate is able to connect to the Hub. Any other computer with the same client ID will be
rejected. For information about computers with the same client ID, see AnywhereUSB Manager client
ID is not unique.

WARNING! Digi recommends that you use a private network to connect the computer to
the Hub. This ensures that only client IDs with known user credentials can connect to the
Hub. The first time that a client ID on a computer connects to the Hub, the unique
credentials for this known user are stored in your Hub. If you do not use a private network,
an unknown computer with the same client ID may happen to connect to the Hub before
the known computer connects. In this case, the known computer will not be able to
connect and authenticate.

Note Digi recommends disabling the Automatically Register Unknown Clients option if you choose
to manually add multiple client IDs to the client list. See Automatically reject unknown clients.

1. Open the web UI.
2. Select System > Configuration > AnywhereUSB Configuration. The AnywhereUSB
Configuration page appears.
3. Expand the Client Settings section.

4. Click Add Client. A new row labeled "New Client" is added to the client list and the Settings
for Client section is populated for the new client.

5. Enter information about the client ID in the Settings for Client "New Client" section.
a. In the Client ID field, enter the client ID for the computer.
b. In the Description field, enter a descriptive name for the client ID.
c. Click the check box next to a group to which the computer is allowed access. As you select
groups, the selected group numbers appear in the Group Access field in the Settings for
Clients section.

Note The Certificate value is Unavailable until certificates have been exchanged between the
computer and the Hub. After this occurs, the Certificate value is updated to Available.

6. Click Apply. The client ID is added to the client list.

Remove a client ID
You can remove a client ID from the client list when a user logged in to a computer should no longer
have access to the Hub.

Note If you have selected the Automatically Register Unknown Clients option, any client ID
removed from the list is automatically added to the client list again the next time the computer tries
to connect.

1. Open the web UI.
2. Select System > Configuration > AnywhereUSB Configuration. The AnywhereUSB
Configuration page appears.
3. Expand the Client Settings section.
4. In the Select a client to configure section, select the client ID you want to remove from the
list.
5. Click Remove. A confirmation dialog appears.
6. Click OK.

Client ID overview
The client ID is a unique identifier for the computer that you assign when you initially install the
AnywhereUSB Manager. When you launch the Manager for the first time and log in, the Manager
creates a secure identity certificate that is associated with the client ID. This certificate is used to
validate your account with the Hub.
n Stand-alone: If you installed the Manager as a stand-alone, the client ID and the certificate
identify the user on the computer.
n Service: If you installed the Manager as a service, the client ID and the certificate identify the
computer.
When the client ID and certificate have been created, the computer is able to connect to the Hubs that
recognize that client ID. Any other computer with the same client ID will be rejected.

Note In some cases, multiple computers may inadvertently be used by multiple users that have the
same client ID. To fix this issue, see AnywhereUSB Manager client ID is not unique.

Client ID length
The number of characters allowed in the Client ID field is variable and is dependent on UTF-8
encoding of the characters. Note that some characters are multi-byte characters, which reduces the
number of characters that are allowed in the field. Currently, the Client ID field is a maximum of 63
bytes encoded in UTF-8.

Assign a client ID to a user account


A client ID is assigned to user credentials the first time a user logs into a computer and launches the
AnywhereUSB Manager.

WARNING! Digi recommends that you use a private network to connect the computer to
the Hub. This ensures that only client IDs with known user credentials can connect to the
Hub. The first time that a client ID on a computer connects to the Hub, the unique
credentials for this known user are stored in your Hub. If you do not use a private network,
an unknown computer with the same client ID may happen to connect to the Hub before
the known computer connects. In this case, the known computer will not be able to
connect and authenticate.

Step 1: Create a client ID during initial launch of the AnywhereUSB Manager


The AnywhereUSB Manager can be initially opened by a user in one of the following ways:
n Installation: When the AnywhereUSB Hub software is installed, the Launch AnywhereUSB
Manager option is selected by default. When the installation completes, the client ID
confirmation dialog appears. The user enters a client ID, and then the AnywhereUSB Manager
is automatically launched.

Note If the user deselects the Launch AnywhereUSB Manager option during installation, the
AnywhereUSB Manager does not automatically open after the installation process completes.
In this case, the client ID dialog does not display.

n New user logs in: After the AnywhereUSB Hub software is installed, any user can log into that
computer and open the AnywhereUSB Manager. The first time a new user opens the
AnywhereUSB Manager, the client ID dialog appears. The user must enter a client ID before
the AnywhereUSB Manager will open.
After the initial launch of the AnywhereUSB Manager, the next time the user logs in, the computer is
able to connect to the Hubs that recognize that client ID.

Step 2: Manually add a client ID to the client ID list in the Hub


You can manually add a client ID to the client list before a new user launches the AnywhereUSB
Manager for the first time. In this situation, the certificate is unavailable until the first time a
computer with the new client ID connects to the Hub. The new client ID is associated with the
credentials for the user currently logged on to the computer.
When the computer connects to the Hub for the first time, the identity certificates are exchanged
between the computer and the Hub. After the initial connection, only that computer with the client ID
and unique identity certificate is able to connect to the Hub.

Automatically register or reject unknown clients


In the AnywhereUSB Configuration page, you have the choice to automatically register or reject
computers that have not previously connected to the Hub. The Automatically Register Unknown
Clients option is disabled by default, meaning that computers that have not previously connected to
the Hub are rejected, and cannot connect to the Hub.
You can enable this feature so that client IDs for an unknown computer are automatically added to
the client list for the Hub. When any AnywhereUSB Manager starts (stand-alone) or is running as a
service and the Hub is visible, that Manager's client ID is added to the Hub's configuration.
n Disable (this is the default): Automatically reject unknown clients
n Enable: Automatically register unknown clients

Additional considerations
Specify groups for an automatically registered client
You can specify the groups which the automatically registered clients can access. By default, when the
client connects to the Hub, that user has access to the ports in those groups. If you do not specify
groups, the user can connect to the Hub but does not have access to any ports on the Hub until you
manually assign groups to that client ID.

If the auto-register feature is enabled on any network (secure or insecure), be aware that
any client that has the AnywhereUSB Manager installed is able to connect to the Hub and
access all USB devices in the groups that allow access to automatically registered clients.

Using this feature on secure and insecure (public) networks

Note This feature is inherently insecure. Digi recommends that you disable the Automatically
Register Unknown Clients option and manually add client IDs to the list. See Manually add a client
ID.

n Secure network: If the Hub is on a secure network, you may want to enable this feature for
the initial set up, when many clients are connecting to the Hub. Once initial set up is complete,
you can disable this feature and then manually add client IDs to the Hub. This method gives
you more control over the clients that can connect to the Hub.
If you choose to not disable this feature after initial set up, any new clients that install the
AnywhereUSB Manager are able to automatically connect to the Hub.
n Insecure (public) network: If the Hub is on an insecure or a public network, you should keep
the auto-register feature disabled, to ensure that you have control over the clients that
connect to the Hub. This method helps to eliminate access from an unwanted client to your
Hub and any devices connected to the Hub.
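
The admission rules described in the client ID sections above (client list, certificate stored on the first connection, and the Automatically Register Unknown Clients option), modeled as an added example. This is not Digi code or the Hub's implementation; the class and function names and the fingerprint strings are hypothetical and constructed for illustration.

```python
"""Model of the Hub's client admission rules as this guide describes them.

Added illustration only: not Digi code. All class, function, and fingerprint
names are hypothetical, and the sample clients are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

MAX_CLIENT_ID_BYTES = 63  # Client ID field: at most 63 bytes encoded in UTF-8
MAX_CLIENTS = 255         # up to 255 client IDs in the client list


@dataclass
class ClientEntry:
    groups: set = field(default_factory=set)
    cert_fingerprint: Optional[str] = None  # None models Certificate = Unavailable


class HubModel:
    def __init__(self, auto_register=False, auto_groups=()):
        self.auto_register = auto_register   # disabled by default
        self.auto_groups = set(auto_groups)  # Group Access for unknown clients
        self.clients = {}

    def add_client(self, client_id, groups=()):
        """Manual Add Client: no certificate is bound until the first connection."""
        size = len(client_id.encode("utf-8"))
        if not 1 <= size <= MAX_CLIENT_ID_BYTES:
            raise ValueError(f"client ID is {size} bytes, limit is {MAX_CLIENT_ID_BYTES}")
        if client_id in self.clients:
            raise ValueError("client ID is already in the client list")
        if len(self.clients) >= MAX_CLIENTS:
            raise ValueError("client list is full")
        self.clients[client_id] = ClientEntry(groups=set(groups))

    def connect(self, client_id, cert_fingerprint):
        """Return (accepted, reason, groups) for one connection attempt."""
        entry = self.clients.get(client_id)
        if entry is None:
            if not self.auto_register:
                return False, "unknown client ID rejected", set()
            try:
                self.add_client(client_id, self.auto_groups)
            except ValueError as err:
                return False, f"auto-register refused: {err}", set()
            entry = self.clients[client_id]
        if entry.cert_fingerprint is None:
            # First connection: whichever computer arrives first is bound to this ID.
            entry.cert_fingerprint = cert_fingerprint
            return True, "first connection, certificate stored", set(entry.groups)
        if entry.cert_fingerprint != cert_fingerprint:
            return False, "same client ID, different certificate", set()
        return True, "known client", set(entry.groups)

    def unbound_clients(self):
        """Client IDs whose Certificate is still Unavailable (open to first binding)."""
        return sorted(c for c, e in self.clients.items() if e.cert_fingerprint is None)


def first_connection_order(known_first):
    """Two computers present the pre-added ID 'lab-pc-01' with different certificates.

    Returns (known_accepted, other_accepted) for the given arrival order.
    """
    hub = HubModel()
    hub.add_client("lab-pc-01", groups={1})
    attempts = ["fp-known-constructed", "fp-other-constructed"]
    if not known_first:
        attempts.reverse()
    accepted = {fp: hub.connect("lab-pc-01", fp)[0] for fp in attempts}
    return accepted["fp-known-constructed"], accepted["fp-other-constructed"]


def auto_register_result(auto_groups):
    """What an unlisted client receives when auto-registration is enabled."""
    hub = HubModel(auto_register=True, auto_groups=auto_groups)
    accepted, _, groups = hub.connect("unlisted-pc", "fp-unlisted-constructed")
    return accepted, groups


if __name__ == "__main__":
    print("known computer first:", first_connection_order(True))
    print("other computer first:", first_connection_order(False))
    print("auto-register with groups 1,2:", auto_register_result({1, 2}))
    print("auto-register with no groups:", auto_register_result(set()))
    print("default policy:", HubModel().connect("unlisted-pc", "fp-x")[:2])
```

In this model, unbound_clients() lists the client IDs whose Certificate would show Unavailable, which are the entries the private-network warning applies to.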

Automatically reject unknown clients


You can choose to have the Hub automatically reject any client ID that is not on the Hub's registered
client list. This is the default.
When you open the AnywhereUSB Manager, if the Manager's client ID is not included in the Hub's
registered client list, a red X displays next to the Hub name. The client ID is not able to connect to the
Hub.

Note A red X may display in other situations as well. See Red X icon next to a Hub in the
AnywhereUSB Manager.

1. Open the web UI.
2. Select System > AnywhereUSB Configuration. The AnywhereUSB Configuration page
appears.
3. Scroll down to the Client Settings section. Expand the section if it is not already expanded.
4. Scroll down to the Settings for Unknown Clients section.
5. De-select the Automatically Register Unknown Clients option so the Hub rejects any client
ID that is not on the Hub's registered client list. In this case, a red X displays next to the name
of the Hub in the AnywhereUSB Manager.
6. Click Apply to save the changes.

Automatically register unknown clients


When you enable the Automatically Register Unknown Clients feature, any client that has the
AnywhereUSB Manager can automatically connect to your Hub. When this happens, the client ID is
added to the Hub's client list in the Hub's configuration.

Note This feature is inherently insecure. Digi recommends that you disable the Automatically
Register Unknown Clients option and manually add client IDs to the list. See Manually add a client
ID.

To confirm that a client ID has been added automatically, you can review the client ID list.
Specify groups for an automatically registered client
You can specify the groups which the automatically-registered clients can access. If you do not specify
groups in the auto-register feature, you can manually configure group access to the client.
By default, the client will have access to the ports in the groups specified in the Group Access field.
To ensure that the automatically registered clients are given access to the desired ports, you should
verify which ports are assigned to each group.
If needed, you can change the groups for the client in the Hub configuration after the client ID has
been registered.

1. Open the web UI.
2. Select System > AnywhereUSB Configuration. The AnywhereUSB Configuration page
appears.
3. Scroll down to the Client Settings section. Expand the section if it is not already expanded.
4. Scroll down to the Settings for Unknown Clients section.
5. Enable Automatically Register Unknown Clients.
6. Determine whether groups should automatically be assigned to the automatically registered
users.
Click the check box next to the group(s) to which the computer is allowed access. As you select
groups, the selected group numbers appear in the Group Access field in the
Settings for Unknown Clients section. You can also manually enter group numbers in the
Group Access field.

Note If you do not specify groups you can manually give that client access to selected groups
after they have been registered with the Hub. See Configure a client ID.

7. Click Apply to save the changes.

Block a client ID from connecting to groups


You can temporarily block a client ID from connecting to a group or a set of groups for a specified
time period. This allows a different client ID to access the devices in a group.
For example, User A has left work for the day, and remains connected to a group that User B needs to
access. The Hub administrator can block User A's client ID from the group that is needed by User
B. User A is disconnected from the group, which allows User B to connect.
Blocking a client ID
When you apply a block to a group or groups, the client ID is automatically disconnected from the
devices in the group(s). During the block time period, the client ID can't manually reconnect to the
devices in the blocked group, and auto-connect is suspended. This enables another client ID to
connect to the group(s).
When the blocked time period limit is reached or if the client ID is manually unblocked, and if no other
client ID has connected to the group, any group that has auto-connect enabled automatically
reconnects and the client ID is able to use the devices in those groups. The client ID can also manually
reconnect to devices in the previously blocked groups.

Block a client ID
You can temporarily block a client ID from being able to connect to the devices in a group or a set of
groups. This feature is useful if you need to control which client IDs can access the devices in a group
or groups. The client ID is blocked for the default time period.
When you apply a block, the client ID is automatically disconnected from the devices in the group(s)
selected for the block. During the block time period, the client ID can't manually reconnect to the
devices in the blocked group, and auto-connect is suspended. Another client ID can connect to the
group during the block time period.
You can block a client ID that is already blocked. Any existing block is replaced by the new block, and
the default block time period starts over. This is useful if you need to change the groups included in
the block or if you need to extend the block time period.

Note Only a Hub administrator can access the AnywhereUSB Status page and block a client ID.

1. Open the web UI.


2. Select Status > Services > AnywhereUSB. The AnywhereUSB Status page displays.
3. (Optional) Expand the Groups in Use section to review the groups used by each client ID.
4. Expand the Blocked Clients section.
5. From the Client ID list box, select the client ID that you want to block.
6. Select the group(s) that you want to block for the client ID. All of the groups are selected by
default.
To change the default list of groups, enter the desired groups in the Block Groups field, or
click on a group from the group options below the field to deselect it.
7. Click Apply to block the selected client ID from the selected group(s).
   - The Blocked Clients section is updated to display the blocked client ID in the blocked
     client list.
   - The Groups in Use section is updated to show that the client ID is no longer connected
     to the blocked groups.
   - In the AnywhereUSB Manager, the message Temporarily Blocked displays as the
     group Status in the status pane. See AnywhereUSB Manager Group Status pane.

Unblock a client ID
You can unblock a client ID before the default block client ID time limit is reached.
When a client ID is unblocked, any group that has auto-connect enabled automatically reconnects.
The client ID can also manually reconnect to devices in the previously blocked groups.

Note Only a Hub administrator can access the AnywhereUSB Status page and unblock a client ID.

1. Open the web UI.


2. Select Status > Services > AnywhereUSB. The AnywhereUSB Status page displays.
3. Expand the Blocked Clients section.
4. In the Client ID list, find the client you want to unblock and click Unblock in that row. The
client ID is removed from the list of blocked clients.

Configure the block client ID time limit


You can configure the default time limit for the client ID block. The default is 10 minutes.
When you apply a block, the client ID is automatically disconnected from the devices in the group(s)
for the default time period. The client ID can't manually reconnect to the devices in the blocked
group, and auto-connect is suspended.
When the blocked time period limit is reached, any group that has auto-connect enabled
automatically reconnects. The client ID can also manually reconnect to devices in the previously
blocked groups.

1. Open the web UI.


2. Select System > Configuration > Device Configuration > Services > AnywhereUSB.

3. In the Client block duration field, enter the default time period.
   - Default: 10 minutes
   - Maximum: 100 hours
   - Minimum: 30 seconds
4. Click Apply to save the changes.

View Hub system information


You can view current status information about the Hub in the Dashboard. This page appears by
default when you launch the web UI.

1. Open the web UI.


2. In the AnywhereUSB Service pane, click Show Details to display additional information in the
AnywhereUSB Status page.

USB Devices
Click USB Devices to expand this section and display information about the USB devices connected
to the AnywhereUSB Hub.

| Item | Description |
|---|---|
| Configuration icon | Click the (configuration) icon in the upper right corner of the page to access the AnywhereUSB Configuration page. See AnywhereUSB Configuration page for more information. |
| Port | The number of the USB port to which the USB device is connected. |
| Group | The group to which the USB port is assigned. |
| USB | The USB technology of the connected device. |
| Manufacturer | Name of the USB device manufacturer, if supplied by the device. |
| Product | Name of the USB product, if supplied by the device. |
| Serial number | The serial number of the USB device, if supplied by the device. |
| Cycle | Click Cycle to power off the port for 3 seconds, and then power it back on. For more information, see Cycle the power to a port on a Hub from the web UI. |

Groups in Use
Click to expand this section and display information about the groups connected to the AnywhereUSB
Hub.

| Item | Description |
|---|---|
| Configuration icon | Click the (configuration) icon in the upper right corner of the page to access the AnywhereUSB Configuration page. See Configure and manage the AnywhereUSB Hub in the web user interface for more information. |
| Group | A group to which the client has connected. See Connect to a group or USB device in the AnywhereUSB Manager. |
| Client ID | The unique identifier of the client that has connected to this group. For more information, see Client ID overview. |
| IP Address | The network address of the client's computer. |

Blocked Client
Click Blocked Client to block a client ID from connecting to a device group or groups.
The first section displays information about the client IDs that are currently blocked.

| Item | Description |
|---|---|
| Client ID | A client ID that is currently blocked. |
| Blocked Groups | The number of groups from which the client ID is blocked. |
| Expiration | The remaining time for the block. |
| Unblock | When a client ID is blocked, the Unblock button displays. Click Unblock to remove the block before the default time period. For more detailed information, see Unblock a client ID. |
| Configuration icon | Click the (configuration) icon in the upper right corner of the page to access the AnywhereUSB Configuration page. See AnywhereUSB Configuration page for more information. |

Block a Client section


The fields and options in this section are used to block a client ID. For more detailed information, see
Block a client ID.

| Item | Description |
|---|---|
| Client ID | From the Client ID list box, select the client ID that you want to block. |
| Block Groups | Select the group(s) that you want to block for the client ID. All of the groups are selected by default. You can enter the groups in the Block Groups field, or click on a group from the group options below the field to deselect it. |
| Apply | Click Apply to block the selected client ID from the selected group(s). |

Debug Logging
Click Debug Logging to expand this section and access the USB Debug Logging Wizard.

| Item | Description |
|---|---|
| Debug Logging Wizard | Click Debug Logging Wizard to launch the USB Debug Logging Wizard. See Create a debug log file with the USB Debug Logging Wizard. |

Configure device identity settings


You can configure the device description, contact, and location information for the Hub in the
Configuration page. This feature is useful to identify a specific Hub when working with a large
number of Hubs in multiple locations. See Configure system information.

View current connections to the Hub


You can view information about current connections to the Hub in the AnywhereUSB Status page.
For more information, see AnywhereUSB Status page.

1. Open the web UI.


2. Select Status > Services > AnywhereUSB. The AnywhereUSB Status page appears.
   - USB Devices: Expand the USB Devices section to display information about the devices
     connected to the Hub.
   - Client Connections: Expand the Client Connection section to display information
     about the computers connected to the Hub.

Manually configure the PC and assign an IP address to a Hub


You can manually assign an IP address to the Hub. You would need to do this when your computer
and the Hub are both connected to a private network and you do not have a DHCP server.

Prerequisites
- Access to the Hub from your computer using one of these options:
  - An Ethernet cable must be connected to the Hub and your computer.
  - Both your computer and Hub must be connected to your private network.
- A power supply must be connected to the Hub and the Hub powered on.
- Determine the IP address that you want to assign to the Hub.

To configure your laptop and assign an IP address to the Hub:

1. On your PC, navigate to the Ethernet network settings dialog.


2. Click the Internet Protocol Version 4 (TCP/IPv4) parameter.

3. Click Properties. The Internet Protocol Version 4 (TCP/IPv4) Properties dialog appears.
4. Select Use the following IP address.

Note IMPORTANT: Make note of the current IP address entries for IP address, Subnet mask,
and Default gateway. You will need this information to complete the final step of the process.

5. Configure with the following details:


   - IP address for PC: 192.168.210.2
   - Subnet: 255.255.255.0
   - Gateway: 192.168.210.1

6. Click OK.
7. Open a browser window.
8. Enter the default gateway IP address to access the Hub: 192.168.210.1. The Hub login screen
displays.
9. Log into the Hub using the default user name and password. The default user name is admin
and the default password is printed on the bottom label of the device and on the loose label
included in the package. If the defaults do not work, they may have been changed. Confirm this
information with your system administrator.
10. Update the IP address for the device.
11. On your PC, revert the IP address information to the original entries.
a. Return to the Internet Protocol Version 4 (TCP/IPv4) Properties dialog.
b. Enter the original IP address entries for IP address, Subnet mask, and Default gateway.
c. Click OK.

Create a debug log file with the USB Debug Logging Wizard
You can use the USB Debug Logging Wizard to help you collect debug logs when you are having
issues with a USB device connected to a Hub. When the wizard process is complete, you can send the
debug logs to Digi Technical Support.

Note You should create a debug log file only at the direction of Digi Tech Support.

During the process, the Enable USB debug logging option is temporarily enabled to allow USB debug
logging. When the wizard is completed, the option is disabled. For information about this option, see
AnywhereUSB Configuration page.
During the process, two log files are created, and you should send both of these to Digi Tech Support.
- USB Debug Log: The USB debug log file is created by running the USB Debug Logging Wizard
  from the Hub's web UI: usbtrace.tar.gz
- AnywhereUSB Manager Support Log: The support log is created from the AnywhereUSB
  Manager: awusbmanager_support.bin.

Note The location of the saved files displays in a dialog after the files have been completed and
downloaded. The file is overwritten each time you create a new log file. If you want to save a file
before it is overwritten, rename the file or move it to a different location.

Step 1: Prepare the Hub


In this step, you prepare the Hub to collect the debug log.

1. Physically unplug all of the USB devices connected to the Hub.

Note Be sure to note which USB device(s) are currently plugged into which USB port(s) of the
Hub as you unplug the devices. This ensures that you can plug each device into the same USB
port when the testing procedure is complete.

2. Reboot the Hub. This ensures that the log files are as helpful as possible.

Step 2: Run the USB Debug Logging Wizard


This step explains how to run the USB Debug Logging Wizard to create both of the debug log files
that you will send to Digi Tech Support.

1. Open the web UI.


2. Click Status > Services > AnywhereUSB. The AnywhereUSB Status page displays.
3. Click Debug Logging Wizard to display the USB Debug Logging Wizard page.
4. Click Next three times through three pages and review information about preparing your Hub,
which you completed in Step 1.
5. Click Start Logging to start collecting debug logging information. The Debug logging has
been started page displays.
6. Connect to the Hub the fewest USB devices that are needed to reproduce the issue.
7. Open the AnywhereUSB Manager and connect to the groups that allow you to access the
USB ports you are using for debug logging.
8. Use the USB devices connected to the Hub and recreate the issue you want to debug.
9. When the issue with the Hub occurs, quickly perform these tasks:
a. IMMEDIATELY click Stop Logging to stop the USB debug logging.
b. Manually note the time of the occurrence using a wall clock. You will share that
information with Digi Tech Support in Step 3.
c. Quickly create a support file from the AnywhereUSB Manager.

   - Choose Help > Create Support File. The support file is created:
     awusbmanager_support.bin
   - When complete, a dialog displays, showing you the location of the file. Make a note
     of the file location and click OK to close the dialog.
10. Download the debug logging file from the USB Debug Logging Wizard.
a. Click Next to move to the next page of the USB Debug Logging Wizard.
b. Click Download Logs to download the debug log file: usbtrace.tar.gz
11. Click Next in the USB Debug Logging Wizard to review the final instructions. You will do these
in Step 3.
12. Click Finish to close the USB Debug Logging Wizard.
13. Copy the files created in step 9 (support file from the Manager) and step 10 (debug log file
from the USB Debug Logging Wizard) to a known location.

Step 3: Send log files to Digi Tech Support and reconnect USB devices to your Hub
1. Navigate to the known location where you saved the log files.
2. Combine the usbtrace.tar.gz and awusbmanager_support.bin files into a .zip file.
3. Email the zipped file to Digi Technical Support.
a. From the Digi Tech Support case documenting the issue, open an email reply to Digi
Technical Support.
b. In the body of the email, enter the wall clock time of the occurrence that you just collected
and your time zone.
c. Attach the .zip file.
If the resulting .zip file is too large for email, the Digi Tech Support Engineer you're
working with can provide a Box folder so you can upload the files. Please coordinate as
necessary.
d. Send the email reply.
4. Physically reconnect all of the USB devices to the Hub that you had disconnected from the
Hub.

Note Be sure to plug each device into the same USB port it originally was plugged into. This
ensures that the Hub is restored to normal operation.

AnywhereUSB Manager reference

User roles
The actions that users can perform in the AnywhereUSB Manager and in the AnywhereUSB Hub's
web UI are determined by the user's access rights.
- Windows Administrator: A user must have Windows administrative rights to be able to install
  the AnywhereUSB Manager in either service or stand-alone mode.
- Hub Administrator: A Hub Administrator must have the AnywhereUSB Hub's user name and
  password to be able to log into the Hub's web UI to configure the Hub.
- User: A user can access the AnywhereUSB Manager to configure the Manager and access
  devices connected to the Hub. A user does not have the Hub's user name and password and
  cannot access the Hub's web UI.

AnywhereUSB Manager: Stand-alone mode


This table describes the actions that can be performed in the AnywhereUSB Manager by different
types of users when the Manager is installed in stand-alone mode.
For more information about stand-alone mode, see Service.

| Action | User | Windows Administrator |
|---|---|---|
| Install the AnywhereUSB Manager | | X |
| Uninstall the AnywhereUSB Manager | | X |
| Launch the AnywhereUSB Manager | X | X |
| Configure the AnywhereUSB Manager | X | X |
| Manage devices connected to the Hub in the AnywhereUSB Manager | X | X |
| In the AnywhereUSB Manager, see the devices connected to the Hub that are in the groups to which you have access | X | X |
| In the AnywhereUSB Manager, use the devices connected to the Hub that are in the group assigned to your client ID | X | X |
| Send commands using the AnywhereUSB Manager command line | X | X |

AnywhereUSB Manager: Service mode


This table describes the actions that can be performed in the AnywhereUSB Manager by different
types of users when the Manager is installed in service mode.
For more information about service mode, see Service.

Note When installed in service mode, the Manager runs only if the user logged into the computer has
Windows Administrator credentials.

| Action | User | Windows Administrator |
|---|---|---|
| Install AnywhereUSB Manager | | X |
| Uninstall the AnywhereUSB Manager | | X |
| Launch the AnywhereUSB Manager | | X |
| Configure the AnywhereUSB Manager | | X |
| Manage devices connected to the Hub in the AnywhereUSB Manager | | X |
| In the AnywhereUSB Manager, see the devices connected to the Hub that are in the groups assigned to your client ID | | X |
| In the AnywhereUSB Manager, use the devices connected to the Hub that are in the groups assigned to your client ID | | X |
| Send commands using the AnywhereUSB Manager command line | | X |
| Start and stop the AnywhereUSB Service from the Windows OS | | X |

Configure the AnywhereUSB Hub in the web UI


This table describes the actions that can be performed in the Hub's web UI by different types of users.
The Hub's user name and password is required to log into the Hub's web UI.

Note If you need to configure the Hub, see your system administrator for the Hub's login credentials.

| Action | Hub Administrator (user with login access to the Hub's web UI) |
|---|---|
| Log into the Hub web UI | X |
| Configure the Hub in the web UI | X |
| Configure the Hub using the CLI commands | X |

Terminology

| Role | Description |
|---|---|
| Computer | The physical or virtual equipment (such as a PC, laptop, or virtual machine), which is used to remotely access the AnywhereUSB Plus Hub. |
| Client ID | The client ID is a unique identifier assigned to a user account the first time a user logs in to a computer and opens the AnywhereUSB Manager. During this process, the AnywhereUSB Manager creates a secure identity certificate that is associated with the client ID. This certificate is used to validate your user account with the Hub. For more information, see Client ID overview. |
| Group | A group is a set of USB ports on an AnywhereUSB Plus Hub with exclusive access to a single user account. Each USB port can be assigned to only one group by the Hub administrator. When you log into the computer and connect to a Hub, you are allowed to connect to any groups assigned to your client ID. See Create groups and assign client IDs to the groups for more information. |

Client ID overview
The client ID is a unique identifier for the computer that you assign when you initially install the
AnywhereUSB Manager. When you launch the Manager for the first time and log in, the Manager
creates a secure identity certificate that is associated with the client ID. This certificate is used to
validate your account with the Hub.
- Stand-alone: If you installed the Manager as a stand-alone, the client ID and the certificate
  identify the user on the computer.
- Service: If you installed the Manager as a service, the client ID and the certificate identify the
  computer.
When the client ID and certificate have been created, the computer is able to connect to the Hubs that
recognize that client ID. Any other computer with the same client ID will be rejected.

Note In some cases, multiple computers may inadvertently be used by multiple users that have the
same client ID. To fix this issue, see AnywhereUSB Manager client ID is not unique.

Client ID length
The number of characters allowed in the Client ID field is variable and is dependent on UTF-8
encoding of the characters. Note that some characters are multi-byte characters, which reduces the
number of characters that are allowed in the field. Currently, the Client ID field is a maximum of 63
bytes encoded in UTF-8.

Assign a client ID to a user account


A client ID is assigned to user credentials the first time a user logs into a computer and launches the
AnywhereUSB Manager.

WARNING! Digi recommends that you use a private network to connect the computer to
the Hub. This ensures that only client IDs with known user credentials can connect to the
Hub. The first time that a client ID on a computer connects to the Hub, the unique
credentials for this known user are stored in your Hub. If you do not use a private network,
an unknown computer with the same client ID may happen to connect to the Hub before
the known computer connects. In this case, the known computer will not be able to
connect and authenticate.

Step 1: Create a client ID during initial launch of the AnywhereUSB Manager


The AnywhereUSB Manager can be initially opened by a user in one of the following ways:
- Installation: When the AnywhereUSB Hub software is installed, the Launch AnywhereUSB
  Manager option is selected by default. When the installation completes, the client ID
  confirmation dialog appears. The user enters a client ID, and then the AnywhereUSB Manager
  is automatically launched.

Note If the user deselects the Launch AnywhereUSB Manager option during installation, the
AnywhereUSB Manager does not automatically open after the installation process completes.
In this case, the client ID dialog does not display.

- New user logs in: After the AnywhereUSB Hub software is installed, any user can log into that
  computer and open the AnywhereUSB Manager. The first time a new user opens the
  AnywhereUSB Manager, the client ID dialog appears. The user must enter a client ID before
  the AnywhereUSB Manager will open.
After the initial launch of the AnywhereUSB Manager, the next time the user logs in, the computer is
able to connect to the Hubs that recognize that client ID.

Step 2: Manually add a client ID to the client ID list in the Hub


You can manually add a client ID to the client list before a new user launches the AnywhereUSB
Manager for the first time. In this situation, the certificate is unavailable until the first time a
computer with the new client ID connects to the Hub. The new client ID is associated with the
credentials for the user currently logged on to the computer.
When the computer connects to the Hub for the first time, the identity certificates are exchanged
between the computer and the Hub. After the initial connection, only that computer with the client ID
and unique identity certificate is able to connect to the Hub.
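
The registration behavior described in Client ID overview, in the WARNING above, and in Automatically register unknown clients can be summarized as a small model. This is an added example, not Digi's code: the class and function names, the result strings, and the sample IDs and fingerprints are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

MAX_CLIENT_ID_BYTES = 63  # limit stated in this guide: 63 bytes, UTF-8 encoded


def client_id_fits(client_id: str) -> bool:
    """True if the ID is non-empty and within the 63-byte UTF-8 limit."""
    return 0 < len(client_id.encode("utf-8")) <= MAX_CLIENT_ID_BYTES


@dataclass
class ClientEntry:
    groups: Set[int]
    cert_fingerprint: Optional[str] = None  # None until the first connection


@dataclass
class HubRegistry:
    """Simplified model of the Hub's client list (hypothetical, not Digi's implementation)."""
    auto_register: bool = False
    default_groups: Set[int] = field(default_factory=set)  # Group Access for unknown clients
    clients: Dict[str, ClientEntry] = field(default_factory=dict)

    def add_client(self, client_id: str, groups: Set[int]) -> None:
        """Manual registration by the Hub administrator; no certificate is known yet."""
        if not client_id_fits(client_id):
            raise ValueError("client ID must be 1-63 bytes in UTF-8")
        self.clients[client_id] = ClientEntry(set(groups))

    def connect(self, client_id: str, cert_fingerprint: str) -> str:
        """Decide whether a connecting client is accepted."""
        if not client_id_fits(client_id):
            return "rejected: invalid client ID"
        entry = self.clients.get(client_id)
        if entry is None:
            if not self.auto_register:
                return "rejected: unknown client ID"
            # Auto-register: any client that asks is added with the default groups.
            self.clients[client_id] = ClientEntry(set(self.default_groups), cert_fingerprint)
            return "accepted: auto-registered"
        if entry.cert_fingerprint is None:
            # First connection for this ID: whichever certificate arrives first is bound.
            entry.cert_fingerprint = cert_fingerprint
            return "accepted: certificate bound"
        if entry.cert_fingerprint != cert_fingerprint:
            return "rejected: certificate mismatch"
        return "accepted"

    def audit(self, approved_ids: Set[str]) -> Dict[str, Set[str]]:
        """Review the client list: entries nobody approved, and entries not yet bound."""
        return {
            "unapproved": set(self.clients) - approved_ids,
            "unbound": {cid for cid, e in self.clients.items() if e.cert_fingerprint is None},
        }


if __name__ == "__main__":
    # Constructed sample data: IDs and fingerprints are placeholders.
    hub = HubRegistry(auto_register=False)
    hub.add_client("lab-pc-01", {1, 2})
    print(hub.audit({"lab-pc-01"}))            # lab-pc-01 is listed but not yet bound
    print(hub.connect("lab-pc-01", "fp-A"))    # first connection binds the certificate
    print(hub.connect("lab-pc-01", "fp-B"))    # same ID, different certificate
    print(hub.connect("visitor", "fp-C"))      # not on the list, auto-register disabled

    open_hub = HubRegistry(auto_register=True, default_groups={1})
    print(open_hub.connect("visitor", "fp-C"))  # added with the default groups
    print(open_hub.audit({"lab-pc-01"}))        # the auto-registered ID shows as unapproved
```

The "unbound" result is the window the WARNING describes: until the intended computer makes its first connection, the ID is on the list with no certificate attached, which is why the guide recommends a private network.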

Install the AnywhereUSB Manager using Windows 2019 Server Core edition

You can install the AnywhereUSB Manager software onto a Hub using the Windows 2019 Core
edition.
You must first download the AnywhereUSB Manager software and install it on your computer. After
the manager software is installed, the AnywhereUSB Manager automatically discovers AnywhereUSB
Hubs on the local subnet.

Prerequisites
Before you begin, you should decide whether you want to run the AnywhereUSB Manager as a
stand-alone or as a service. For detailed information, see Service.

CAUTION! Only a Windows Administrator can perform the software install. If you are logged
in as a non-Windows Administrator user and you attempt to install the software, you will be
required to enter Windows Administrator login credentials to be able to complete the
installation process.

1. Download the AnywhereUSB Manager installer from the AnywhereUSB Drivers section of the
support page.
a. Navigate to the AnywhereUSB Plus support page.
b. Click the Product Resources tab. This should be selected by default.
c. In the Drivers & Patches section, click the AnywhereUSB Manager link.
d. From the drop-down list box, select Microsoft Windows.
e. Click the download link for the version of the installer that you want to download. Make a
note of the version number for future reference.

Note You should save the downloaded software to your computer before you start the
install process. This is useful if you decide to uninstall the AnywhereUSB Manager from
the original installer in the future.

2. Run the downloaded installer.


a. Navigate to a command line prompt.
b. Type: <version>.exe
where version is replaced with the version number of the installer that you downloaded,
such as 40003045_Win64_x.x.xx.xxx_X.exe.
c. Press Enter. The AnywhereUSB Manager installation wizard launches.
3. Follow the standard Windows installation process to complete the installation of the
AnywhereUSB Manager. For instructions, see Install the AnywhereUSB Manager: Windows.

Uninstall the Manager from the Windows Control Panel


Before you install the AnywhereUSB Manager, you must uninstall the currently installed version. The
preferred method is from the Windows Control Panel.
This method can be used with Windows 10 and Windows 11.

Note You can also uninstall the AnywhereUSB Manager using the AnywhereUSB Manager installer.
See Uninstall the AnywhereUSB Manager on a Windows OS using the original installer.

To uninstall the Manager from the Windows Control Panel:

1. If you have a client AnywhereUSB Manager window open, you must exit the Manager.
a. Navigate to the Manager.
b. Choose File > Exit. The Manager closes.
2. Open the Windows Control Panel and select Programs > Programs and Features.
3. Find Digi AnywhereUSB Manager in the list, and right-click on the name to display the
shortcut menu.
4. Click Change. The AnywhereUSB Manager installation wizard appears.
5. Click Next. The Program Maintenance window appears.
6. Select the Remove option.
7. Click Next. The Remove the Program screen appears.
8. Make sure that Remove User Configuration is not selected. This preserves your current
configuration.
9. Click Remove.
10. Click Finish.

Uninstall the AnywhereUSB Manager on a Windows OS using the original installer

You can uninstall the AnywhereUSB Manager when installed on a Windows OS and when you have
access to your original installer.
If you can't meet these requirements, other uninstall options are available:
- Windows Control Panel: You can use this process if you don't have access to your original
  installer. This is the preferred method. This method can be used with Windows 10 and
  Windows 11.
- Linux
- Windows 2019 Server Core edition

To uninstall the AnywhereUSB Manager from a Windows OS:

1. Locate the AnywhereUSB Manager installer. You must run the same version of the installer to
uninstall the AnywhereUSB Manager that you used to install it.
   - If you saved the installer when you originally installed the AnywhereUSB Manager,
     navigate to that location on your computer.
   - If you did not, you can download the installer from the Support Tools website.
     a. Navigate to https://www.digi.com/support#support-tools.
     b. From the Support Downloads section, click Drivers.
     c. Find and select AnywhereUSB Plus from the product list.
     d. Select your AnywhereUSB Plus model.
     e. Select and download the appropriate software for your operating system.

2. Click on the downloaded software to launch the AnywhereUSB Manager installation wizard.
The Welcome screen appears.

3. Click Next. The Program Maintenance screen appears.


4. Select Remove.

5. Click Next. The Remove the Program screen appears.


6. Determine whether you want to remove the Connect EZ configuration settings that you have
selected.
   - Do not select Remove User Configuration: The configuration settings you have made
     are retained and re-applied the next time you install the AnywhereUSB Manager. This is
     the default.
   - Select Remove User Configuration: The configuration settings you have made are not
     retained and are removed with the program.

7. Click Remove. If the AnywhereUSB Manager is open, the following dialog displays. Do not
change the default settings.

8. Click OK. A progress bar appears.


9. When the uninstall is complete, the InstallShield Wizard Completed screen appears.
10. Click Finish to complete the uninstall and close the dialog.

Uninstall the AnywhereUSB Manager using Windows 2019 Server Core edition

You can uninstall the AnywhereUSB Manager from the Windows 2019 Server Core.

Prerequisites
- PowerShell must be installed on your Windows server. PowerShell is used to get the identifying
  number for the AnywhereUSB Manager.
- Make sure that your Windows OS is updated to the latest version available.

To uninstall the AnywhereUSB Manager:

1. Get the identifying number for the AnywhereUSB Manager.


a. Navigate to PowerShell.
b. Run the following command to get a list of the installed programs and the associated
IdentifyingNumber for each program:
Get-WmiObject -Class Win32_Product
c. From the list, note the IdentifyingNumber for the AnywhereUSB Manager.
2. Run the uninstall command. You can run the command from PowerShell or from a command
line.
MsiExec.exe /I"{IdentifyingNumber}"
Where IdentifyingNumber is the IdentifyingNumber for the AnywhereUSB Manager.
Example: MsiExec.exe /I"{2D71XX4E-4CD3-4781-80C6-76CC0210X0X5}"

Note Be sure to include the double-quotes before and after the bracketed command. The
identifying number is an example so do not copy and paste the command.

3. Press Enter to launch the AnywhereUSB Manager window. The Welcome screen displays.

4. Follow the standard Windows uninstall process to complete the removal of the AnywhereUSB
Manager. For instructions, see Uninstall the AnywhereUSB Manager on a Windows OS using
the original installer and begin at Step 3.

Stop and start the Linux headless AnywhereUSB Manager


If you have installed the Linux headless Manager, you may need to stop and restart it.
Stop the headless Manager
Stopping the headless Manager can take up to one minute, depending on whether the Manager is
connected to USB devices.

$ anywhereusb-headless stop

Start the headless Manager

$ anywhereusb-headless

Note To start the awusbmanager-headless at boot, you will need to create and add a systemd
startup script.

Update the AnywhereUSB Manager: Linux


You can update from one release previous to the current release, except for installations that
used rpm -i.

Note For installations that used rpm -i, see /usr/share/doc/awusbmanager/README for more
information.

The awusbmanager and awusbmanager-headless packages can be installed over each other and will
replace the previously installed package.

Troubleshooting an update
- If the update does not appear to be installed correctly, Digi recommends uninstalling and then
installing the awusbmanager package.
- If a newer version of the awusbmanager package is currently installed on your PC, Digi
recommends uninstalling any old awusbmanager package before installing this version.
- A reboot may be required after you have installed the awusbmanager package to ensure that
the user is able to properly manage AnywhereUSB.

Uninstall the AnywhereUSB Manager: Linux


In some instances, the awusbmanager package may not install as expected. If this happens, you
should uninstall the awusbmanager package and then install it again.
In addition, if you have previously installed an anywhereusb package on your PC, Digi recommends
uninstalling the existing package before installing the desired version.

Uninstall the awusbmanager package


1. The awusbmanager package can be uninstalled using the appropriate command.
- DEB: On Debian, Ubuntu, Kubuntu and similar distros:

$ sudo apt remove awusbmanager

- RPM: On RedHat and similar distros:

$ sudo dnf remove awusbmanager

2. Once the uninstall is complete, you can re-install the awusbmanager package. See Install the
AnywhereUSB Manager: Linux.

Connect to a group or USB device in the AnywhereUSB Manager


You can connect to a group that has been assigned to your client ID, as long as the group is not
currently connected to a different client ID to which it has also been assigned.
When you connect to a group, you are given exclusive access to all of the USB ports in the group to
which you are allowed access. All other users are blocked from access to the ports in that group until
you disconnect from the group.
A user can connect to more than one group at a time. A group can be connected to only one user at a
time.
When a USB device is plugged in to a port on a Hub, the device displays in the list of devices in the
group. Note that a group may have ports that do not have a connected device. Only ports with a
connected USB device display in the AnywhereUSB Manager.
Auto-connect enabled for a group
If you have enabled auto-connect for a group, you are automatically connected to that group when:
- You log in to your computer and AnywhereUSB Manager opens automatically.
- You manually open and log into AnywhereUSB Manager.
- The Manager is running as a service.
See Configure the auto-connect feature for a group for more information.

Note When you open the AnywhereUSB Manager, the Manager attempts to connect to the groups to
which you are allowed access. If someone else already owns the group, you will not be connected to
that group.

Connect to a group or a USB device in the AnywhereUSB Manager


You can connect to all of the USB devices and ports in a group, or to one device in a group.
- Connect to a group: To connect to a group, right-click on the group name and click Connect
to Group.
- Connect to USB ports in a group: You can connect to the USB ports in a group depending on
whether you are allowed access to the port and if you are connected to the group:
  - If you are connected to the group, right-click on a USB device name and click Connect to
  Device. You are connected to that USB device and to all of the USB ports in the group.
  - If you are not connected to the group, right-click on the USB device name and click
  Connect to Group to connect to the group and the USB device.
  - If the group is owned by another user, you are not allowed to connect to the device.

Command line interface: AnywhereUSB Manager
You can manage the AnywhereUSB Manager features from the command line.
Prerequisites for the AnywhereUSB Manager commands
- Service: If you run the AnywhereUSB Manager as a service, you need to be an Administrator.
The service must be running.
- Stand-alone: If you run the AnywhereUSB Manager as a stand-alone, you need to be the
same user that started the Manager, or an Administrator. The AnywhereUSB Manager must
be open and active.
Get a device or group address, or a Hub name
For some CLI commands you will need to provide a device address, a group address, or a Hub name.
You can use the list command to get that information. See the list command for examples.

Create a new client ID from the CLI


You can create a new client ID from the CLI by adding a new client, assigning a client ID, and then
giving permission for this client to use the specified groups.

Note Digi recommends that you create new client IDs and assign groups from the web UI. See
Manually add a client ID.

Example: Create a client ID


This example explains how to create a client ID named "client1" and assign groups "group01" and
"group02" to "client1". In this example, the client ID being created is the first client ID on the Hub, so
the identifier for this client in the configuration is 0.

> config
(config)> service anywhereusb clients
(config service anywhereusb clients)> add end
(config service anywhereusb clients 0)> id client1
(config service anywhereusb clients 0)> description "lab computer"
(config service anywhereusb clients 0)> groups
(config service anywhereusb clients 0 groups)> add end group01
(config service anywhereusb clients 0 groups)> add end group02
(config service anywhereusb clients 0 groups)> save
Configuration saved.

autoconnect clear all


Disables the auto-connect feature for all Hubs, groups, and devices. When complete, no asterisks or
plus signs display next to Hub, group, or device names.

Syntax
>awusbmanager autoconnect clear all

Examples
Run the list command to verify the current state of the auto-connect feature for the Hubs, groups, and
devices. In this example, Group 1 has auto connect enabled, and the device in Group 1 has inherited
the auto connect feature.

AnywhereUSB Manager, below are the available devices:

AW02-000001 (AW02-000001.local.:18574)
Group 2 (AW02-000001.2)
* Group 1 (AW02-000001.1) (In-use by you)
+ U3 Cruzer Micro (AW02-000001.1101)

* means Autoconnect enabled, + means Autoconnect inherited


Auto-Find: enabled
Autoconnect All: disabled
AnywhereUSB Manager not running as a service

Run the autoconnect clear all command.

>awusbmanager autoconnect clear all

Run the list command again to verify that the auto connect feature has been disabled. No asterisks or
plus signs should display.

AnywhereUSB Manager, below are the available devices:

AW02-000001 (AW02-000001.local.:18574)
Group 2 (AW02-000001.2)
Group 1 (AW02-000001.1) (In-use by you)
U3 Cruzer Micro (AW02-000001.1101)

* means Autoconnect enabled, + means Autoconnect inherited


Auto-Find: enabled
Autoconnect All: disabled
AnywhereUSB Manager not running as a service
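
The verification step above (run list again and confirm that no asterisks or plus signs display) can be scripted. The following is an added example, not Digi's code: it parses the text of the list output shown on this page. The function names are hypothetical, and treating an address suffix of one or two digits as a group and a longer suffix as a device is an assumption drawn from the samples here.

```python
import re

# One Hub, group or device line of `awusbmanager list`, for example:
#   * Group 1 (AW02-000001.1) (In-use by you)
#   + U3 Cruzer Micro "USB stick 1" (AW02-000001.1101) (In-use by you)
ENTRY = re.compile(
    r'^\s*(?P<mark>[*+])?\s*'           # "*" enabled, "+" inherited
    r'(?P<name>[^"(]+?)\s*'             # name reported by the Hub
    r'(?:"(?P<local>[^"]*)"\s*)?'       # optional local name in quotes
    r'\((?P<addr>[^()\s]+)\)'           # address in parentheses
    r'(?:\s*\(In-use by (?P<user>[^)]+)\))?\s*$'
)
STATUS = re.compile(r'^\s*(Auto-Find|Autoconnect All):\s*(enabled|disabled)\s*$')
MARKS = {'*': 'enabled', '+': 'inherited', None: 'off'}


def parse_list(text):
    """Parse one `awusbmanager list` output into entries and status flags."""
    entries, status = [], {}
    hub = group = None
    for line in text.splitlines():
        m = STATUS.match(line)
        if m:
            status[m.group(1)] = m.group(2) == 'enabled'
            continue
        if 'not running as a service' in line:
            status['service'] = False
            continue
        m = ENTRY.match(line)
        if not m:
            continue  # banner, legend and blank lines
        addr = m.group('addr')
        if ':' in addr:
            # Hub lines carry host:port, e.g. AW02-000001.local.:18574
            kind, parent, hub, group = 'hub', None, addr, None
        elif len(addr.rsplit('.', 1)[-1]) <= 2:
            # Assumption from the page's samples: Hub name + "." + group number
            kind, parent, group = 'group', hub, addr
        else:
            # Assumption: a longer numeric suffix (e.g. ".1101") is a device
            kind, parent = 'device', group
        entries.append({
            'kind': kind,
            'name': m.group('name').strip(),
            'local_name': m.group('local'),
            'address': addr,
            'parent': parent,
            'autoconnect': MARKS[m.group('mark')],
            'in_use_by': m.group('user'),
        })
    return {'entries': entries, 'status': status}


def autoconnect_entries(parsed):
    """Entries that still show an asterisk or a plus sign."""
    return [(e['kind'], e['address'], e['autoconnect'])
            for e in parsed['entries'] if e['autoconnect'] != 'off']


def held_by(parsed, user='you'):
    """Addresses the list output reports as in use by `user`."""
    return [e['address'] for e in parsed['entries'] if e['in_use_by'] == user]


# Sample text copied from the "autoconnect clear all" example on this page.
BEFORE_CLEAR = """\
AnywhereUSB Manager, below are the available devices:

AW02-000001 (AW02-000001.local.:18574)
Group 2 (AW02-000001.2)
* Group 1 (AW02-000001.1) (In-use by you)
+ U3 Cruzer Micro (AW02-000001.1101)

* means Autoconnect enabled, + means Autoconnect inherited

Auto-Find: enabled
Autoconnect All: disabled
AnywhereUSB Manager not running as a service
"""

# The same listing after `awusbmanager autoconnect clear all`.
AFTER_CLEAR = BEFORE_CLEAR.replace('* Group 1', 'Group 1').replace('+ U3', 'U3')

if __name__ == '__main__':
    for label, text in (('before', BEFORE_CLEAR), ('after', AFTER_CLEAR)):
        parsed = parse_list(text)
        print(label, 'autoconnect:', autoconnect_entries(parsed))
        print(label, 'held by you:', held_by(parsed))
```

Because a connected group is exclusive to one client, the held_by result is also a quick way to see which groups a workstation is keeping other users out of.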

autoconnect clear group


Disable the auto-connect feature for a specified group.
When you disable auto connect for a group, an asterisk no longer displays next to the group name. In
addition, any devices in the group no longer inherit the auto-connect feature, and the plus sign no
longer displays next to the device names.

Note For more information about auto connect, see Configure the auto-connect feature for a group.

Syntax
>awusbmanager autoconnect clear group,<address>

Parameters
address: The address of the group for which you want to disable the auto connect feature.

Examples
Run the list command to verify the current state of the auto-connect feature for a group and to
determine the address for a group. In this example, Group 1 has the auto connect feature enabled, so
an asterisk displays next to the group name.
The [address] for a group is the name of the Hub appended by the number of the group. In this
example, the auto connect feature will be disabled for Group 1, so the group name is highlighted
below.

AnywhereUSB Manager, below are the available devices:

AW02-000001 (AW02-000001.local.:18574)
Group 2 (AW02-000001.2)
* Group 1 (AW02-000001.1) (In-use by you)
+ U3 Cruzer Micro (AW02-000001.1101) (In-use by you)

* means Autoconnect enabled, + means Autoconnect inherited


Auto-Find: enabled
Autoconnect All: disabled
AnywhereUSB Manager not running as a service

Run the autoconnect clear group command.

>awusbmanager autoconnect clear group,AW02-000001.1

Run the list command again to verify that the auto connect feature has been disabled. In this
example, the auto connect feature has been disabled for Group 1, so an asterisk no longer displays
next to the group name. In addition, the plus sign no longer displays next to the devices in Group 1.

Note If you were connected to the group and the devices in the group, you will still be connected. If
you want to disconnect from them, you can use the disconnect group command.

AnywhereUSB Manager, below are the available devices:

AW02-000001 (AW02-000001.local.:18574)
Group 2 (AW02-000001.2)
Group 1 (AW02-000001.1) (In-use by you)
U3 Cruzer Micro (AW02-000001.1101) (In-use by you)

* means Autoconnect enabled, + means Autoconnect inherited


Auto-Find: enabled
Autoconnect All: disabled
AnywhereUSB Manager not running as a service

autoconnect group
Enable the auto-connect feature for a specified group. This feature ensures that when you start the
AnywhereUSB Manager as a stand-alone or when it starts at Windows start-up if installed as a
service, you are automatically connected to all of the groups to which you are allowed access that
have auto connect enabled.
When you enable auto-connect for a group, an asterisk displays next to the group name. In addition,
any devices in the group inherit the auto connect feature, and will also be automatically connected. A
plus sign displays next to the devices when the auto-connect feature is inherited.

You can disable the auto-connect feature for the group if needed.

Note For more information about auto connect, see Configure the auto-connect feature for a group.

Syntax
>awusbmanager autoconnect group,<address>

Parameters
address: The address of the group for which you want to enable the auto connect feature.

Examples
Run the list command to verify the current state of the auto-connect feature for a group and to
determine the address for a group. In this example, Group 2 has the auto connect feature enabled, so
an asterisk displays next to the group name. The auto connect feature is not enabled for Group 1, so
an asterisk does not display.
The [address] for a group is the name of the Hub appended by the number of the group. In this
example, the auto connect feature will be enabled for Group 1, so the group name is highlighted
below.

AnywhereUSB Manager, below are the available devices:

AW02-000001 (AW02-000001.local.:18574)
* Group 2 (AW02-000001.2) (In-use by you)
Group 1 (AW02-000001.1) (In-use by you)
U3 Cruzer Micro (AW02-000001.1101)

* means Autoconnect enabled, + means Autoconnect inherited


Auto-Find: enabled
Autoconnect All: disabled
AnywhereUSB Manager not running as a service

Run the autoconnect group command.

>awusbmanager autoconnect group,AW02-000001.1

Run the list command again to verify that the auto connect feature has been enabled. An asterisk
displays next to the group name. A plus sign displays next to the names of the devices in the group to
show that the auto connect feature is inherited from the group.

AnywhereUSB Manager, below are the available devices:

AW02-000001 (AW02-000001.local.:18574)
* Group 2 (AW02-000001.2) (In-use by you)
* Group 1 (AW02-000001.1) (In-use by you)
+ U3 Cruzer Micro (AW02-000001.1101) (In-use by you)

* means Autoconnect enabled, + means Autoconnect inherited


Auto-Find: enabled
Autoconnect All: disabled
AnywhereUSB Manager not running as a service

autofind
Enables and disables the autofind feature. When enabled, all Hubs connected to the network when
AnywhereUSB Manager launches are automatically found. This command works as a toggle, or you
can specify "on" or "off." Before you use the command, you should verify the status of the
autofind feature.
The status of the autofind feature is displayed when you run the list command.

Note For information about this feature in the AnywhereUSB Manager, see Autofind Hubs and
Include IPv6 Addrs in Autofind options.

Syntax
>awusbmanager autofind[,on|,off]

Parameters
on: Enables the autofind feature. When enabled, all Hubs connected to the network when
AnywhereUSB Manager launches are automatically found. This option is not required.
off: Disables the autofind feature. When disabled, Hubs are not automatically found when
AnywhereUSB Manager launches. In this case, you must manually add the Hubs to which you want
to connect to the known Hubs list. This option is not required.

Examples
Run the list command to verify the status of the autofind feature. In this example, the autofind feature
is enabled.

AnywhereUSB Manager, below are the available devices:

AW02-000001 (AW02-000001.local.:18574)
Group 2 (AW02-000001.2) (In-use by you)
Group 1 (AW02-000001.1) (In-use by you)
U3 Cruzer Micro (AW02-000001.1101)

* means Autoconnect enabled, + means Autoconnect inherited


Auto-Find: enabled
Autoconnect All: disabled
AnywhereUSB Manager not running as a service

Run the autofind command to disable the feature. You can specify the "off" option, but it is not
required.

>awusbmanager autofind,off

Run the list command again.

AnywhereUSB Manager, below are the available devices:

AW02-000001 (AW02-000001.local.:18574)
Group 2 (AW02-000001.2) (In-use by you)
Group 1 (AW02-000001.1) (In-use by you)
U3 Cruzer Micro (AW02-000001.1101)

* means Autoconnect enabled, + means Autoconnect inherited


Auto-Find: disabled
Autoconnect All: disabled
AnywhereUSB Manager not running as a service

You can run the autofind command again to enable the feature. You can specify the "on" option, but it
is not required.

>awusbmanager autofind

Run the list command again to verify.

AnywhereUSB Manager, below are the available devices:

AW02-000001 (AW02-000001.local.:18574)
Group 2 (AW02-000001.2) (In-use by you)
Group 1 (AW02-000001.1) (In-use by you)
U3 Cruzer Micro (AW02-000001.1101)

* means Autoconnect enabled, + means Autoconnect inherited


Auto-Find: enabled
Autoconnect All: disabled
AnywhereUSB Manager not running as a service

connect device
Connect to a USB device in a group to which you have access. You cannot connect to a device in a
group that is already in use.
You must be connected to the group before you can connect to a device in that group.

Syntax
>awusbmanager connect device,<address>

Parameters
address: The address of the device to which you want to connect. Run the list command to get the
device address.

Examples
If you have connected to a group, and then disconnect from a device in that group, you no longer
have access to the device. You can reconnect to that device.
Run the list command to make sure you are connected to the group that the device you want to
connect to is in. In this example, the device is in Group 1, so you should be connected to Group 1.
You will need the address for the device to which you want to connect.

AnywhereUSB Manager, below are the available devices:

AW02-000001 (AW02-000001.local.:18574)
Group 2 (AW02-000001.2) (In-use by you)
Group 1 (AW02-000001.1) (In-use by you)
U3 Cruzer Micro (AW02-000001.1101)

* means Autoconnect enabled, + means Autoconnect inherited


Auto-Find: enabled
Autoconnect All: disabled
AnywhereUSB Manager not running as a service

Run the connect device command. If required to access the device, include the device password.

>awusbmanager connect device,AW02-000001.1101

Run the list command again to verify that the device is connected.

AnywhereUSB Manager, below are the available devices:

AW02-000001 (AW02-000001.local.:18574)
Group 2 (AW02-000001.2) (In-use by you)
Group 1 (AW02-000001.1) (In-use by you)
U3 Cruzer Micro (AW02-000001.1101) (In-use by you)

* means Autoconnect enabled, + means Autoconnect inherited


Auto-Find: enabled
Autoconnect All: disabled
AnywhereUSB Manager not running as a service

connect group
You can connect to a group so that you have access to the ports in the group. Once you have
connected to a group, no one else can connect to that group. You cannot connect to a group that is
already in use.
When you connect to a group, you are automatically connected to all of the ports in the group to
which you are allowed access.

Syntax
>awusbmanager connect group,<address>

Parameters
address: The address of the group to which you want to connect.

Examples
Run the list command to determine the address for the group to which you want to connect. In this
example, you will connect to Group 1.

AnywhereUSB Manager, below are the available devices:

AW02-000001 (AW02-000001.local.:18574)
Group 2 (AW02-000001.2) (In-use by you)
Group 1 (AW02-000001.1)
U3 Cruzer Micro (AW02-000001.1101)

* means Autoconnect enabled, + means Autoconnect inherited


Auto-Find: enabled
Autoconnect All: disabled
AnywhereUSB Manager not running as a service

Run the connect group command.

>awusbmanager connect group,AW02-000001.1

Run the list command again to verify that you are connected to the group and to all of the ports in the
group to which you are allowed access.

AnywhereUSB Manager, below are the available devices:

AW02-000001 (AW02-000001.local.:18574)
Group 2 (AW02-000001.2) (In-use by you)
Group 1 (AW02-000001.1) (In-use by you)
U3 Cruzer Micro (AW02-000001.1101) (In-use by you)

* means Autoconnect enabled, + means Autoconnect inherited


Auto-Find: enabled
Autoconnect All: disabled
AnywhereUSB Manager not running as a service

device info
Displays information about a device. For more information, see AnywhereUSB Manager USB Device
Status pane.

Syntax
>awusbmanager device info,<address>

Parameters
address: The address of the device for which you want to display information. The address is required.

Examples
Run the list command to determine the device's address.

AnywhereUSB Manager, below are the available devices:

AW02-000001 (AW02-000001.local.:18574)
* Group 2 (AW02-000001.2) (In-use by you)
* Group 1 (AW02-000001.1) (In-use by you)
+ U3 Cruzer Micro "USB stick 1" (AW02-000001.1101) (In-use by you)

* means Autoconnect enabled, + means Autoconnect inherited


Auto-Find: enabled
Autoconnect All: disabled
AnywhereUSB Manager not running as a service

Run the device info command.

>awusbmanager device info,AW02-000001.1101

Information about the device displays.

ADDRESS: AW02-000001.1101
LOCALNAME: USB stick 1
VENDOR: SanDisk
VENDOR ID: 0x0781
PRODUCT: U3 Cruzer Micro
PRODUCT ID: 0x5406
SERIAL: 0770000F0000000C
PORT ON HUB: 2
AUTOCONNECT: inherited
IN USE BY: YOU

device name
Change or assign the local name of a device.

Syntax
>awusbmanager device name,<address>,<new name>

Parameters
address: The device's address.
new name: The new local name for the device.

Examples
Run the list command to determine the device's address.

AnywhereUSB Manager, below are the available devices:

AW02-000001 "Hub 1" (AW02-000001.local.:18574)


Group 2 (AW02-000001.2) (In-use by you)
Group 1 (AW02-000001.1) (In-use by you)
U3 Cruzer Micro (AW02-000001.1101)

* means Autoconnect enabled, + means Autoconnect inherited


Auto-Find: enabled
Autoconnect All: disabled
AnywhereUSB Manager not running as a service

Run the device name command.

>awusbmanager device name,AW02-000001.1101,USB Stick

Run the list command again to verify the name change.

AnywhereUSB Manager, below are the available devices:

AW02-000001 "Hub 1" (AW02-000001.local.:18574)


Group 2 (AW02-000001.2) (In-use by you)
Group 1 (AW02-000001.1) (In-use by you)
U3 Cruzer Micro "USB Stick" (AW02-000001.1101)

* means Autoconnect enabled, + means Autoconnect inherited


Auto-Find: enabled
Autoconnect All: disabled
AnywhereUSB Manager not running as a service

disconnect device
Disconnect from a USB device to which you no longer need access. You will remain connected to the
group that the device is in. Other users cannot connect to the USB device, since you still own the
group that the USB device is in.

Note To ensure that you can no longer connect to a USB device in a group, the best method is to
move the port to a group on the Hub to which you are not connected. See Step 3: Name groups and
assign ports to a group.

Warnings
- Auto-connect: If you have auto-connect enabled for the group, you are not allowed to
disconnect from a USB device in the group until you disable auto-connect. If the USB device is
in a group to which you are connected, other users cannot connect to the USB device after you
have disconnected from it, since you still own the group that the USB device is in. See Disable
auto-connect for a group.
- Power cycle on disconnect: If you have the power cycle on disconnect feature enabled, the
Hub automatically cycles the power to each USB device when it disconnects. To ensure that a
USB device remains disconnected, you must disable this feature. See Cycle the power to a
device when it disconnects from a PC.

Syntax
>awusbmanager disconnect device,<address>

Parameters
address: The address of the device from which you want to disconnect.

Examples
Run the list command to view the address for the device from which you want to disconnect.

AnywhereUSB Manager, below are the available devices:

AW02-000001 (AW02-000001.local.:18574)
Group 2 (AW02-000001.2) (In-use by you)
Group 1 (AW02-000001.1) (In-use by you)
U3 Cruzer Micro (AW02-000001.1101) (In-use by you)

* means Autoconnect enabled, + means Autoconnect inherited


Auto-Find: enabled
Autoconnect All: disabled
AnywhereUSB Manager not running as a service

Run the disconnect device command.

>awusbmanager disconnect device,AW02-000001.1101

Run the list command again to verify that the device is disconnected.

AnywhereUSB Manager, below are the available devices:

AW02-000001 (AW02-000001.local.:18574)
Group 2 (AW02-000001.2) (In-use by you)
Group 1 (AW02-000001.1) (In-use by you)
U3 Cruzer Micro (AW02-000001.1101)

* means Autoconnect enabled, + means Autoconnect inherited


Auto-Find: enabled
Autoconnect All: disabled
AnywhereUSB Manager not running as a service

disconnect group
You can disconnect from a group that has ports you no longer need access to. You are disconnected
from all USB devices and ports in that group. Any other user can then connect to that group.
Warnings
- Auto-connect: If you have auto-connect enabled for the group, you are not allowed to
disconnect from a USB device in the group until you disable auto-connect. If the USB device is
in a group to which you are connected, other users cannot connect to the USB device after you
have disconnected from it, since you still own the group that the USB device is in. See Disable
auto-connect for a group.
- Power cycle on disconnect: If you have the power cycle on disconnect feature enabled, the
Hub automatically cycles the power to each USB device when it disconnects. To ensure that a
USB device remains disconnected, you must disable this feature. See Cycle the power to a
device when it disconnects from a PC.

Syntax
>awusbmanager disconnect group,<address>

Parameters
address: The address of the group from which you want to disconnect.

Examples
Run the list command to determine the address for the group from which you want to disconnect.
Make sure that auto connect is disabled for the group. When it is disabled, an asterisk does not
display next to the group name. If you need to disable auto connect for the group, see autoconnect
clear group.

AnywhereUSB Manager, below are the available devices:

AW02-000001 (AW02-000001.local.:18574)
Group 2 (AW02-000001.2) (In-use by you)
Group 1 (AW02-000001.1) (In-use by you)
U3 Cruzer Micro (AW02-000001.1101) (In-use by you)

* means Autoconnect enabled, + means Autoconnect inherited


Auto-Find: enabled
Autoconnect All: disabled
AnywhereUSB Manager not running as a service

Run the disconnect group command.

>awusbmanager disconnect group,AW02-000001.1

Run the list command again to verify that the group is disconnected.

AnywhereUSB Manager, below are the available devices:

AW02-000001 (AW02-000001.local.:18574)
Group 2 (AW02-000001.2) (In-use by you)
Group 1 (AW02-000001.1)
U3 Cruzer Micro (AW02-000001.1101)

* means Autoconnect enabled, + means Autoconnect inherited


Auto-Find: enabled
Autoconnect All: disabled
AnywhereUSB Manager not running as a service

exit
Shuts down the service. If the AnywhereUSB Manager is open, it is shut down as well.

Syntax
>awusbmanager exit

group info
Displays information about a group. For more information, see AnywhereUSB Manager Group Status
pane.

Syntax
>awusbmanager group info,<address>

Parameters
address: The address of the group for which you want to display information. The address is required.

Examples
Run the list command to determine the group's address.

AnywhereUSB Manager, below are the available devices:

AW02-000001 "HUB-000001" (AW02-000001.local.:18574)


* Group 2 "Admin group" (AW02-000001.2) (In-use by you)
Group 1 (AW02-000001.1) (In-use by you)
U3 Cruzer Micro (AW02-000001.1101)

* means Autoconnect enabled, + means Autoconnect inherited


Auto-Find: enabled
Autoconnect All: disabled
AnywhereUSB Manager not running as a service

Run the group info command.

>awusbmanager group info,AW02-000001.2

Information about the group displays.

ADDRESS: AW02-000001.2
LOCALNAME: Admin group
GROUP: 2
NAME: Group 2
PORTS: 2
AUTOCONNECT: enabled
IN USE BY: YOU

group name
Change or assign the local name of the group.

Syntax
>awusbmanager group name,<address>,<new name>

Parameters
address: The group's address.
new name: The new local name for the group.

Examples
Run the list command to determine the group's address.

AnywhereUSB Manager, below are the available devices:

AW02-000001 "Hub 1" (AW02-000001.local.:18574)


Group 2 (AW02-000001.2) (In-use by you)
Group 1 (AW02-000001.1) (In-use by you)
U3 Cruzer Micro (AW02-000001.1101)

* means Autoconnect enabled, + means Autoconnect inherited


Auto-Find: enabled
Autoconnect All: disabled
AnywhereUSB Manager not running as a service

Run the group name command.

>awusbmanager group name,AW02-000001.2,New Group

Run the list command again to verify the name change.

AnywhereUSB Manager, below are the available devices:

AW02-000001 "Hub 1" (AW02-000001.local.:18574)


Group 2 "New Group" (AW02-000001.2) (In-use by you)
Group 1 (AW02-000001.1) (In-use by you)
U3 Cruzer Micro (AW02-000001.1101)

* means Autoconnect enabled, + means Autoconnect inherited


Auto-Find: enabled
Autoconnect All: disabled
AnywhereUSB Manager not running as a service

hidden hub add


Hide a Hub by adding it to the hidden Hubs list.

Note For information on hiding Hubs in the AnywhereUSB Manager, see Hide an individual Hub and
Hide all unauthorized Hubs.

Syntax
>awusbmanager hidden hub add,<address>[:port]

Parameters
address: The address of the Hub that you want to hide.
port: The TCP port number for the Hub you want to hide. This is required if the TCP port number is
not the default (18574).

Examples
Run the hidden hub add command to add a Hub to the hidden Hub list.
- Use the default port of 18574:

>awusbmanager hidden hub add,10.10.10.34

- Change the TCP port number:

>awusbmanager hidden hub add,10.10.10.56:5600

You can then run the hidden hub list command to verify that the Hubs were added to the list of
hidden Hubs.

10.10.10.34:18574
10.10.10.56:5600

hidden hub list


Displays a list of Hubs that have been added to the hidden Hubs list.
- You can choose to hide Hubs that currently display in the AnywhereUSB Manager, such as an
unauthorized Hub (which displays with a red X next to the Hub name), or a Hub which users
shouldn't access.
- You can also choose to hide Hubs that don't currently display in the AnywhereUSB Manager,
but to which the client ID may have access in the future, such as a Hub on another network.

Note For information on hiding Hubs in the AnywhereUSB Manager, see Hide an individual Hub and
Hide all unauthorized Hubs.

Syntax
>awusbmanager hidden hub list

Examples
Run the hidden hub list command.

>awusbmanager hidden hub list

A list of hidden Hubs is returned.

10.10.10.50:18574
10.10.10.21:18574

hidden hub remove


Remove a Hub from the hidden Hubs list.

Syntax
>awusbmanager hidden hub remove,<address>[:port]

Parameters
address: The address of the Hub that you want to remove from the hidden Hub list. This is required.
port: The TCP port number for the Hub you want to remove. This is required if the TCP port number is
not the default (18574).

Examples
Run the hidden hub list command to verify the address and port number of the Hub that you
want to remove.

10.10.10.21:18574
10.10.10.34:18574
10.10.10.56:5600

Run the hidden hub remove command.


- If the TCP port number is the default, entering the port number in the command is optional.

>awusbmanager hidden hub remove,10.10.10.34

- If the TCP port number is not the default, entering the port number in the command is
required.

>awusbmanager hidden hub remove,10.10.10.56:5600

Run the hidden hub list command again to verify that the specified Hubs have been removed.

10.10.10.21:18574

hidden hub remove all


Remove all the Hubs in the hidden Hubs list.

Syntax
>awusbmanager hidden hub remove all

Examples
Run the hidden hub list command to view the list of hidden Hubs.

10.10.10.12:18574
10.10.10.14:18574
10.10.10.15:5600

Run the hidden hub remove all command.

>awusbmanager hidden hub remove all

Run the hidden hub list command again to verify that the Hubs have been removed.

help
Displays a list of the CLI commands for the AnywhereUSB Manager.

Syntax
>awusbmanager help

hub info
Displays information about the Hubs. For more information, see AnywhereUSB Manager Hub Status
pane.

Syntax
>awusbmanager hub info,<hub name>

Parameters
hub name: The address of the Hub for which you want to display information. The address is required.

Examples
Run the list command to determine the Hub's address.

AnywhereUSB Manager, below are the available devices:

AW02-000001 "HUB-000001" (AW02-000001.local.:18574)


Group 2 (AW02-000001.2) (In-use by you)
Group 1 (AW02-000001.1) (In-use by you)
U3 Cruzer Micro (AW02-000001.1101)

* means Autoconnect enabled, + means Autoconnect inherited


Auto-Find: enabled
Autoconnect All: disabled
AnywhereUSB Manager not running as a service

Run the hub info command.

>awusbmanager hub info,AW02-000001

Information about the Hub displays.

NAME: AW02-000001
LOCALNAME: HUB-000001
MODEL: AnywhereUSB 2 Plus

VERSION: 3.0.0.54 awusb dby-3.0.0.54 01/03/2019 16:44:25 CST 20190103224522


STATE: Active (secure)
ADDRESS: AW02-000001.local. (SSL Subject:/C=US/ST=Minnesota/O=Digi
International Inc/CN=unknown ,Issuer:/C=US/ST=Minnesota/O=Digi International
Inc/CN=unknown) (10.10.74.xxx)
PORT: 18574
CONNECTED FOR: 22115 sec
CONNECTION ID: 1
INTERFACE: eth0
SERIAL NUMBER: AW02-000001
AUTOCONNECT: disabled

hub name
Change or assign the local name of the Hub.

Syntax
>awusbmanager hub name,<address[:port]>,<new name>

Parameters
address: The Hub's address.
port: The TCP port number for the Hub you want to rename. This is required if the TCP port number is
not the default (18574).
new name: The new local name for the Hub.

Examples
Run the list command to determine the Hub's address.

AnywhereUSB Manager, below are the available devices:

AW02-000001 (AW02-000001.local.:18574)
Group 2 (AW02-000001.2) (In-use by you)
Group 1 (AW02-000001.1) (In-use by you)
U3 Cruzer Micro (AW02-000001.1101)

* means Autoconnect enabled, + means Autoconnect inherited


Auto-Find: enabled
Autoconnect All: disabled
AnywhereUSB Manager not running as a service

Run the hub name command.

>awusbmanager hub name,AW02-000001,Hub 1

Run the list command again to verify the local name.

AnywhereUSB Manager, below are the available devices:

AW02-000001 "Hub 1" (AW02-000001.local.:18574)


Group 2 (AW02-000001.2) (In-use by you)
Group 1 (AW02-000001.1) (In-use by you)
U3 Cruzer Micro (AW02-000001.1101)

* means Autoconnect enabled, + means Autoconnect inherited

Auto-Find: enabled
Autoconnect All: disabled
AnywhereUSB Manager not running as a service

known hub add


Add a Hub to the known Hubs list. The Hubs in this list can be on the same network as your computer,
or on a different network. If you add Hubs to the known Hubs list that are on the same network as your
computer AND the autofind feature is enabled, duplicate entries display in the Hubs list.

Note For information about using this feature in the AnywhereUSB Manager, see Manage the list of
known Hubs.

Syntax
>awusbmanager known hub add,<address>[:port]

Parameters
address: The address of the Hub or a Hub hostname that can be resolved by your network
nameservers. This is required.
port: The TCP port number, which is 18574 by default. You can change the TCP port number if needed.

Examples
Add a known Hub
Run the known hub add command to add a Hub to the known Hub list.
- Use an address and the default port of 18574:

>awusbmanager known hub add,10.10.56.12

- Use a hostname and change the TCP port number:

>awusbmanager known hub add,awusb1.work.com:9999

- Change the TCP port number:

>awusbmanager known hub add,10.10.56.14:5600

You can then run the known hub list command to verify that the Hub was added to the list.

10.10.10.56:18574
awusb1.work.com:9999
10.10.56.14:5600

known hub list


Displays a list of Hubs that have been added to the known Hubs list.

Note For more information about known Hubs, see Manage the list of known Hubs.

Syntax
>awusbmanager known hub list

Examples
Run the known hub list command.

>awusbmanager known hub list

A list of known Hubs is returned.

10.10.10.50:18574
10.10.10.12:18574

known hub remove


Remove a Hub from the known Hubs list.

Note For information about using this feature in the AnywhereUSB Manager, see Manage the list of
known Hubs.

Syntax
>awusbmanager known hub remove,<address>[:port]

Parameters
address: The address of the hub that you want to remove from the known Hub list. This is required.
port: The TCP port number for the Hub you want to remove. This is required if the TCP port number is
not the default (18574).

Examples
Run the known hub list command to verify the address and port number of the Hub that you
want to remove.

10.10.01.12:18574
10.10.01.14:18574
10.10.01.15:5600

Run the known hub remove command.


- If the TCP port number is the default, entering the port number in the command is optional.

>awusbmanager known hub remove,10.10.01.14

- If the TCP port number is not the default, entering the port number in the command is
required.

>awusbmanager known hub remove,10.10.01.15:5600

Run the known hub list command again to verify that the Hubs have been removed.

10.10.01.12:18574

known hub remove all


Remove all the Hubs in the known Hubs list.

Syntax
>awusbmanager known hub remove all

Examples
Run the known hub list command to view the list of known Hubs.

10.10.01.12:18574
10.10.01.14:18574
10.10.01.15:5600

Run the known hub remove all command.

>awusbmanager known hub remove all

Run the known hub list command again to verify that the Hubs have been removed.

list
Displays a list of Hubs, groups, and devices on the network as well as any Hubs the
AnywhereUSB Manager knows about.

Note This information is similar to what displays in the AnywhereUSB Manager. See AnywhereUSB
Manager overview: Status panes, menus, and icons.

If a group has auto-connect enabled, an asterisk displays next to the group name.
Additional information about features displays at the bottom of the list:
- Status of the autofind feature: enabled or disabled.
- Status of the auto connect all feature: enabled or disabled.
- Specifies whether the AnywhereUSB Manager is running as a service.

Syntax
>awusbmanager list

Examples
This example shows one Hub: AW02-000001. If assigned, the local name for the Hub displays
surrounded by quotes: "Hub 1".
On the Hub, Group 1 has the auto connect feature enabled, as specified by the asterisk next to the
group name.
The address for each group is in parentheses after the group name. In this example the address for
Group 1 is AW02-000001.1.
The address for a device is in parentheses after the device name. In this example the address for the
U3 Cruzer Micro device is AW02-000001.1101.

AnywhereUSB Manager, below are the available devices:

AW02-000001 "Hub 1" (AW02-000001.local.:18574)


Group 2 (AW02-000001.2) (In-use by you)
* Group 1 (AW02-000001.1) (In-use by you)
U3 Cruzer Micro (AW02-000001.1101)

* means Autoconnect enabled, + means Autoconnect inherited


Auto-Find: enabled
Autoconnect All: disabled
AnywhereUSB Manager not running as a service

list full
Displays a list of all Hubs, groups, and devices on the network and includes all information about each
Hub, group, or device. This command displays the same information retrieved by running these
commands: list, hub info, group info, and device info.
If a group has auto-connect enabled, an asterisk displays next to the group name.
Additional information about features displays at the bottom of the list:
- Status of the autofind feature: enabled or disabled.
- Status of the auto connect all feature: enabled or disabled.
- Specifies whether the AnywhereUSB Manager is running as a service.

Syntax
>awusbmanager list full

Examples
Run the list full command.

>awusbmanager list full

The example below shows the Hub on the network, and the groups and devices on that Hub.
Information about the Hub, group, and device is also returned.

AnywhereUSB Manager, below are the available devices:

AW08-D00001 (10.10.12.12:18574)
NAME: AW08-D00001
MODEL: AnywhereUSB 8 Plus
VERSION: 3.0.1.2 awusb
STATE: Active (secure)
ADDRESS: 10.10.12.12
PORT: 18574
CONNECTED FOR: 14 sec
CONNECTION ID: 3
INTERFACE: eth0
SERIAL NUMBER: AW08-D00001
AUTOCONNECT: disabled

Group 2 (AW08-D00001.2)
ADDRESS: AW08-D00001.2
GROUP: 2
NAME: Group 2

PORTS: 5 6 7 8
AUTOCONNECT: disabled
IN USE BY: NO ONE

Cruzer (AW08-D00001.1906)
ADDRESS: AW08-D00001.1906
VENDOR: SanDisk
VENDOR ID: 0x0781
PRODUCT: Cruzer
PRODUCT ID: 0x5530
SERIAL: 20040000920A1C707B00
AUTOCONNECT: disabled
IN USE BY: NO ONE

* Group 1 (AW08-D00001.1) (In-use by you)


ADDRESS: AW08-D00001.1
GROUP: 1
NAME: Group 1
PORTS: 1 2 3 4
AUTOCONNECT: enabled
IN USE BY: YOU

+ USB DISK 3.0 (AW08-D00001.1803) (In-use by you)


ADDRESS: AW08-D00010.1803
VENDOR:
VENDOR ID: 0x13fe
PRODUCT: USB DISK 3.0
PRODUCT ID: 0x6300
SERIAL: 070A00376967E000
AUTOCONNECT: inherited
IN USE BY: YOU

* means Autoconnect enabled, + means Autoconnect inherited


Autofind: disabled
Autoconnect All: disabled
AnywhereUSB Manager is running as a service
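
The following Python example is added here and is not part of the Digi documentation or tooling. It parses list full output into Hub, group, and device records, then reports USB devices whose vendor/product ID is not on an allowlist and any Hub whose STATE differs from the "Active (secure)" value shown above. The function names, the allowlist, and the treatment of other STATE values as findings are assumptions; the sample text is constructed from the example output on this page.

```python
"""Added example: inventory and audit of `awusbmanager list full` output."""
import re

# Constructed sample, shortened from the example output on this page.
# Indentation is not relied on, since it is often lost when output is copied.
SAMPLE = """\
AnywhereUSB Manager, below are the available devices:
AW08-D00001 (10.10.12.12:18574)
MODEL: AnywhereUSB 8 Plus
STATE: Active (secure)
AUTOCONNECT: disabled
Group 2 (AW08-D00001.2)
GROUP: 2
PORTS: 5 6 7 8
AUTOCONNECT: disabled
Cruzer (AW08-D00001.1906)
VENDOR ID: 0x0781
PRODUCT ID: 0x5530
AUTOCONNECT: disabled
IN USE BY: NO ONE
* Group 1 (AW08-D00001.1) (In-use by you)
GROUP: 1
PORTS: 1 2 3 4
AUTOCONNECT: enabled
+ USB DISK 3.0 (AW08-D00001.1803) (In-use by you)
VENDOR:
VENDOR ID: 0x13fe
PRODUCT ID: 0x6300
AUTOCONNECT: inherited
IN USE BY: YOU
* means Autoconnect enabled, + means Autoconnect inherited
Autofind: disabled
Autoconnect All: disabled
AnywhereUSB Manager is running as a service
"""

# "KEY: value" attribute lines use upper-case keys (STATE, VENDOR ID, ...).
KV = re.compile(r"^([A-Z][A-Z ]*):\s*(.*)$")
# Record header: optional */+ marker, name, (address), optional (In-use by ...).
HEADER = re.compile(
    r"^([*+])?\s*(.+?)\s+\(([^()]+)\)(?:\s+\(In-use by ([^()]*)\))?$")
# Trailer settings; the page shows both "Auto-Find" and "Autofind".
SETTING = re.compile(r"^(Auto-?[Ff]ind|Autoconnect All):\s*(\w+)$")


def parse_list_full(text):
    """Return (records, settings) parsed from `list full` output."""
    records, settings, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KV.match(line)  # checked first: "STATE: Active (secure)" has parens
        if m:
            if current is not None:
                current["fields"][m.group(1)] = m.group(2)
            continue
        m = SETTING.match(line)
        if m:
            settings[m.group(1).replace("-", "").lower()] = m.group(2)
            continue
        m = HEADER.match(line)
        if m:
            current = {"marker": m.group(1), "name": m.group(2),
                       "address": m.group(3), "in_use_by": m.group(4),
                       "fields": {}}
            records.append(current)
    # Classify by the attributes each record carries, not by indentation.
    for rec in records:
        f = rec["fields"]
        rec["kind"] = ("hub" if "MODEL" in f else "group" if "GROUP" in f
                       else "device" if "VENDOR ID" in f else "unknown")
    return records, settings


def audit(records, allowed_usb_ids, secure_state="Active (secure)"):
    """Return findings as (address, reason) tuples, in output order."""
    findings = []
    for rec in records:
        f = rec["fields"]
        if rec["kind"] == "hub" and f.get("STATE") != secure_state:
            findings.append((rec["address"],
                             "hub state is %r" % f.get("STATE")))
        if rec["kind"] == "device":
            usb_id = (int(f["VENDOR ID"], 16), int(f.get("PRODUCT ID", "0"), 16))
            if usb_id not in allowed_usb_ids:
                reason = "USB ID %04x:%04x not on allowlist" % usb_id
                if f.get("AUTOCONNECT") in ("enabled", "inherited"):
                    reason += ", autoconnect " + f["AUTOCONNECT"]
                findings.append((rec["address"], reason))
    return findings


if __name__ == "__main__":
    recs, opts = parse_list_full(SAMPLE)
    # Hypothetical allowlist: only the SanDisk Cruzer from the sample.
    for address, reason in audit(recs, {(0x0781, 0x5530)}):
        print(address, "-", reason)
    print("settings:", opts)
```

To run it against a live Manager, capture the output of awusbmanager list full to a file and pass the file's text to parse_list_full.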

power cycle
This command enables you to power cycle a selected USB device.
The USB device can be connected directly to the AnywhereUSB Hub or to a downstream USB hub.
Cycling the power has the same effect as removing the USB device from the Hub and then
reconnecting it. When you use this feature, the power supplied by the port to the USB device is turned
off for 1 second and then turned on. The USB device you choose to power cycle must be assigned to a
group that you are allowed to access.
If an externally powered USB device (one that is not powered by the Hub) is connected to the Hub,
the power cycle feature may have no effect on the USB device.

Note You can also cycle the power to a selected USB device from the AnywhereUSB Manager. See
Cycle the power to a USB device connected to the Hub from the AnywhereUSB Manager.

Note Additional power cycle methods are available. See Power cycle feature.

Syntax
>awusbmanager power cycle,<device address>

Parameters
device address: The address of the device that you want to power cycle.

Example
Run the list command to get the device address. In this example, the device address is
AW08-000016.1905.

awusbmanager.exe POWER CYCLE,AW08-000016.1905



Command line interface: Hub
You can manage the Hub features from the command line.

config service anywhereusb enable


Allow remote access to USB devices connected to this server.

Syntax

config service anywhereusb enable <true|false>

Parameters
true|false: Enter true to allow remote access to USB devices connected to this server. Enter false to
not allow remote access to USB devices connected to this server.

config service anywhereusb port


Specify the port number that is used to access the Hub. If you change the port number you must also
change the corresponding port number on your computer.

Syntax
config service anywhereusb port {1-65535}

Parameters
port {1-65535}: The port number that is used to access the Hub. The default value is 18574.

config service anywhereusb groups


Assign a name to each group and specify the ports in each group. When a client connects to a group in
the AnywhereUSB Manager, the user has access to all of the ports in the group.
You can change the name for a group in the Group Description field. By default, a group is named
"Group" appended by a consecutive number, such as Group 1, Group 2, and so on. This name displays
in the Group Name field in the Group Status pane.
For each group, you can specify ports.

Note Each port should be assigned to only one group.

You can also do this in the web UI. See Step 3: Name groups and assign ports to a group.

Syntax
config service anywhereusb groups [option]

Options
group(01-24) description "string": Enter a name for the group. Replace string with the group name.
You must have double quotes around the name.
group(01-24) ports (0-23) (1-24): Specify group number to change and a single port or a range of ports
to assign to this group.

Note Ports can only be assigned to one group at a time. If a port is assigned to a new group, it is
removed from the current group.

Examples
Specify a group name for group 2

config service anywhereusb groups group02 description "Group 2 name"

Replace the group 1 port at index 0 with port 1

config service anywhereusb groups group01 ports 0 1

View current port settings


In this example, there are three assigned ports: port 1 (occupying index position 0), port 2 (index
position 1) and port 3 (index position 2).

config show service anywhereusb groups group01 ports


0 1
1 2
2 3

Delete a port from a group


In the previous example, there are three assigned ports in group 1: port 1 (occupying index position
0), port 2 (index position 1) and port 3 (index position 2). This example shows how to delete ports 2
and 3, leaving only port 1 in this group. Ports are deleted by index number, not port number.

config del service anywhereusb groups group01 ports 1


config del service anywhereusb groups group01 ports 2

Add a port to the first available index number


Add port 1 to the first available index number.

config add service anywhereusb groups group01 ports end 1

Reassign ports based on the port's index number


In this example, one port is defined in the group: port 2 (occupying index position 0):

config show service anywhereusb groups group01 ports


0 2

You can change this port designation to "1". The syntax here changes the value of the index 0 item to
port 1.

config service anywhereusb groups group01 ports 0 1

config service anywhereusb clients


Add a client ID to the client list. When a computer searches for Hubs, any computer with a client ID on
the client list can connect to the Hub. You can also add client IDs in the web UI. See Manually add a
client ID.

Syntax
config service anywhereusb clients [option]

Options
0-255: Specify the client index.
[id "string"]: Specify the client ID for the computer.
[description "string"]: Specify a descriptive name for the computer.
groups (0-23) (group01-24): Specify the groups this client ID can access.

Examples
You must be in configuration mode to use these commands.
Show a list of clients
This command shows the client description, the groups assigned to the client, and the client ID for
each client.

> config
(config) > show service anywhereusb clients
0
description Client description
groups
0 group01
1 group02
id Client_ID
......

Add a new client


A new element is added before the given index. You can add "end" with the index to add the new
client to the end of the array. Specifying a client ID is required. Other fields are optional.

> config
(config)> add service anywhereusb clients (0-254|end)
(config service anywhereusb clients 0)> id "Client_ID"
(config service anywhereusb clients 0)> save

Replace a group
This example replaces the group at index 0 with group 2. The client must have at least one group
already assigned.

config service anywhereusb clients 0 groups 0 group02

Delete a client
You must specify the index of the client (0-254) to delete it.

> config
(config)> del service anywhereusb clients (6)
(config)> save

config service anywhereusb autoreg


Automatically register or reject computers that have not previously connected to the Hub. See
Automatically register unknown clients for more information.

Syntax
config service anywhereusb autoreg [option]

enable (true|false)
Determine whether unknown clients should be registered.
groups (0-23) (group01-24)
List the group numbers to which an unknown client is allowed access.

Examples
Enable autoregistration for the Hub

config service anywhereusb autoreg enable true

Allow access to an unknown client to group 1


This example allows unknown clients to access group 1. For this command to be successful, the client
must have at least one group already assigned.

config service anywhereusb autoreg groups 0 group01

config service anywhereusb client_block_duration


You can configure the default time limit for the client ID block. The default is 10 minutes. See
Configure the block client ID time limit for more information.

Syntax
config service anywhereusb client_block_duration [number{w|d|h|m|s}]

where number is the length of time, followed by the unit of time.

Examples
Set the default time limit to 15 minutes

config service anywhereusb client_block_duration 15m

Set the default time limit to 2 days

config service anywhereusb client_block_duration 2d

powercycle port
This command enables you to power cycle a port on an AnywhereUSB Hub.
When you power cycle the port, the port is powered off for 1 second and then powered on.
If a USB device is connected to the port, the USB device is powered off and then powered back on,
which has the same effect as removing the USB device from the Hub and then reconnecting it.

If an externally powered USB device (one that is not powered by the Hub) is connected to the Hub,
the power cycle feature may have no effect on the USB device.

Note You can also power cycle a port from the web UI. See Cycle the power to a port on a
Hub from the web UI.

Note Additional power cycle methods are available. See Power cycle feature.

Syntax
system anywhereusb powercycle <portN>

Parameters
portN: The port number that you want to power cycle.

Example
Run the device info command to get the port number on the Hub to which the USB device is
connected. In this example, the USB device is connected to port 2.

system anywhereusb powercycle port2

power_cycle_on_unbind
Globally enable and disable the power cycle on disconnect feature. When enabled, the power to each
USB device is cycled by default when it disconnects from a PC.
The power cycle on disconnect feature is globally enabled by default for all groups and ports on the
Hub. You can choose to globally disable this feature if desired.

Note This feature is disabled by default on the AnywhereUSB Plus 24 variant without Wi-Fi. If your
device has a serial number greater than or equal to AW24-010000, this feature can be enabled.
Otherwise, the feature does not work as expected and should not be enabled.

Note You can also disable this feature from the web UI. See Disable the power cycle on disconnect
feature.

Syntax
config service anywhereusb power_cycle_on_unbind enable <true|false>

Parameters
true|false: Enter false to disable the feature. Enter true to enable the feature.

use all hub addresses


Allow or prevent the AnywhereUSB Manager from connecting to extra IPv4 addresses.
The AnywhereUSB Hub may have default IP addresses that are reported by mDNS to the
AnywhereUSB Manager, but in many network environments, the Manager cannot connect to them.
As part of normal operation, the Manager tries to sequentially connect to all of the Hub IP addresses,

so if it starts trying these extra default IPv4 IP addresses, it may take extra time (minutes) for the
Manager to connect or reconnect.
By default, this option is deselected and the Manager does not attempt to connect to these
addresses.

Note This can also be done in the Preferences dialog. See Use all Hub IPv4 addresses.

Syntax
USEALLHUBADDRS,[on|off]

Parameters
off: Disable the feature. The AnywhereUSB Manager will not attempt to connect to the extra IPv4 IP
addresses. This is the default.
on: Enable the feature. The AnywhereUSB Manager will attempt to connect to the extra IPv4 IP
addresses.



Troubleshooting
The following information provides troubleshooting steps for the most common issues. To find
information on other issues, visit our Knowledge Base at knowledge.digi.com.
If you need to gather log files and other information, you can use the Create Support File feature.

AnywhereUSB Manager client ID is not unique


During the initial installation of the AnywhereUSB Manager, you are required to assign a unique
client ID. When you launch the Manager for the first time and log in, the Manager creates a secure
identity certificate that is associated with the client ID. This certificate is used to validate your account
with the Hub.
- Stand-alone: If you installed the Manager as a stand-alone, the client ID and the certificate
identify the user's login credentials on the computer.
- Service: If you installed the Manager as a service, the client ID and the certificate identify the
computer.

Note See Client ID overview for more information about how the client ID is used by your computer
and the Hub to create a connection.

In some cases, multiple computers may inadvertently be used by multiple users that have the same
client ID. When this occurs, and computers with the same client ID attempt to connect with the same
Hub, the first computer to associate itself with the Hub will be able to connect to the Hub.
Subsequent computers with the same client ID will not be able to connect to that Hub.
You can fix this issue by changing the client ID of your computer to a unique client ID. See Change the
client ID.

No remote Hubs found


When the host computer is unable to discover any AnywhereUSB Hubs on the network, no Hubs are
displayed in the AnywhereUSB Manager.

Firewall software blocks the port used for Hub discovery


When firewall software blocks the port used for Hub discovery, try the following:
- For firewall software, either disable it or add an exception for the port (UDP port 5353).
- Check for a link light on the Ethernet port. If the link light is not lit, connect all of the Hubs to
switches using network cables.
- Verify that the Autofind Hubs option is selected in the Preferences dialog in the
AnywhereUSB Manager. Start the Manager and choose File > Preferences to open the dialog.
- Connect the Hub directly to the host computer.
- Some anti-virus software might block the connection. You can either temporarily disable it or
add an exception for the AnywhereUSB Manager executable.

- If the Hub is across a switch or router that does not forward mDNS traffic, the
AnywhereUSB Manager will not be able to discover the Hub. In this case, add the Hub to the
known Hubs list. See Manage the list of known Hubs.
- The firewall or router may block access to the AnywhereUSB port, which by default is TCP port
18574. If the Hub can be discovered but the connection fails (the state of the connection is
"Unable to connect"), you may need to reopen the AnywhereUSB port.

Hide a group in the AnywhereUSB Manager


Any group that has ports assigned to it displays in the AnywhereUSB Manager, even if no USB
devices are connected to a port. If you don't want groups with unused ports to display in the
AnywhereUSB Manager, you can reassign all of the ports in a group to a different group. Once the
group does not have any ports assigned to it, that group will not display.

1. Open the web UI.


2. Click AnywhereUSB from the Configuration section. The AnywhereUSB Configuration page
appears.
3. Locate the group that has the unused ports.
4. Reassign each port in the group to a different group, or to the Unassigned row.
5. When done, click Apply to save the changes.
6. Return to the AnywhereUSB Manager. The group no longer appears.

Microsoft Windows restrictions


Microsoft Remote Desktop
Some devices (such as a web camera), and some input devices (such as a USB keyboard or a mouse),
are blocked and may not display when Microsoft Remote Desktop is connected to a laptop or a virtual
machine.
For example, laptop A is connected to an AnywhereUSB Hub on the network, and a web camera is
connected to a port on the Hub. Laptop A is able to see the video feed from the camera.
A user on laptop B can use Microsoft Remote Desktop to gain access to laptop A. In this situation, the
video feed for both laptop A and laptop B is restricted by Windows and neither user can view the
video feed from the web camera.

Allow remote access to USB devices


You can configure the Hub to allow remote access to USB devices connected to this server. You must
specify the port number that is used to access the Hub.

1. Open the web UI.


2. Select System > Configuration > AnywhereUSB Configuration. The AnywhereUSB
Configuration page appears.
3. Select Enable.
4. Enter the port number in the Port field. The default TCP Port value is 18574. If you change the
port number on this page, you must also change the corresponding port number on your
computer.
5. Click Apply to apply and save the changes.

Hub connection is taking too long


The "Attempting to connect" message displays in the AnywhereUSB Manager when the Manager is
trying to connect to the Hub but a connection has not yet been made.
You can troubleshoot a connection if needed using these methods:
- Attempt to ping the Hub IP address from your computer.
- Verify that your firewall is not blocking the TCP port 18574.
- Ensure that the Hub is configured correctly and the IP address is in the correct zone, which is
generally the Edge option. See Review Connect EZ 16/32 default settings.
- Collect a support file from the AnywhereUSB Manager and a support_report from the Hub for
analysis by Tech Support.

Red X icon next to a Hub in the AnywhereUSB Manager


In some situations, a red X displays next to a Hub in the AnywhereUSB Manager when the Hub has
failed to connect to your PC or the network. The list below describes situations during which this may
occur, and includes a resolution.

Note If you do not want to display the Hubs that have failed to connect with your computer, you can
hide them. See Hide all unauthorized Hubs.

- Duplicate Connection
- Multiple user accounts with the same client ID
- Step 1: Remove the Hub certificate
- Problem: TCP port is not configured correctly
- Problem: Client ID has not been added to the Hub


Command line interface
This chapter contains the following topics:

Access the command line interface
Log in to the command line interface
Exit the command line interface
Execute a command from the web interface
Display help for commands and parameters
Auto-complete commands and parameters
Available commands
Use the scp command
Display status and statistics using the show command
Device configuration using the command line interface
Execute configuration commands at the root Admin CLI prompt
Configuration mode
Command line reference

Access the command line interface


You can access the Connect EZ 16/32 command line interface using an SSH connection, a telnet
connection, or a serial connection. You can use open-source terminal software, such as PuTTY or
TeraTerm, to access the device through one of these mechanisms.
You can also access the command line interface in the WebUI by using the Terminal, or the Digi
Remote Manager by using the Console.
To access the command line, your device must be configured to allow access, and you must log in as
a user who has been configured for the appropriate access.
For further information about configuring access to these services, see:
- Serial: Serial port
- WebUI: Configure the web administration service
- SSH: Configure SSH access
- Telnet: Configure telnet access

Log in to the command line interface

Command line
1. Connect to the Connect EZ 16/32 device by using a serial connection, SSH or telnet, or the
Terminal in the WebUI or the Console in the Digi Remote Manager. See Access the command
line interface for more information.
- For serial connections, the default configuration is:
  - 115200 baud rate
  - 8 data bits
  - no parity
  - 1 stop bit
  - no flow control
- For SSH and telnet connections, the Setup IP address of the device is 192.168.2.1 on
the .
2. At the login prompt, enter the username and password of a user with Admin access:

login: admin
Password: **********

The default username is admin. The default unique password for your device is printed on the
device label.
3. Depending on the device configuration, you may be presented with another menu, for
example:

Access selection menu:

a: Admin CLI
q: Quit

Select access or quit [admin] :

Type a or admin to access the Connect EZ 16/32 command line.


You will now be connected to the Admin CLI:

Connecting now...
Press Tab to autocomplete commands
Press '?' for a list of commands and details
Type 'help' for details on navigating the CLI
Type 'exit' to disconnect from the Admin CLI

>

See Command line interface for detailed instructions on using the command line interface.

Exit the command line interface

Command line
1. At the command prompt, type exit.

> exit

2. Depending on the device configuration, you may be presented with another menu, for
example:

Access selection menu:

a: Admin CLI
q: Quit

Select access or quit [admin] :

Type q or quit to exit.

Execute a command from the web interface


Log into the Connect EZ 16/32 WebUI as a user with full Admin access rights.
1. At the main menu, click Terminal. The device console appears.

Connect EZ 16/32 login:

2. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
The Admin CLI prompt appears.

>

Display help for commands and parameters

The help command


When executed from the root command prompt, help displays information about autocomplete
operations, how to move the cursor on the Connect EZ 16/32 command line, and other keyboard
shortcuts:

> help

Commands
-------------------------------------------------------------------------------
? Show commands help
<Tab> Tab completion, displays all valid commands to complete command,
if only one command is possible, it is used
<Space> Like tab except shortest prefix is used if command is valid
<Enter> Enter an input. If quoting then a new line is created instead. If
the input is invalid then characters will be deleted until a
prefix for a valid command is found.
Ctrl + A Move cursor to start of line
Ctrl + E Move cursor to end of line
Ctrl + W Delete word under cursor until start of line or [\',", ,\,/,.]
Ctrl + R If the current input is invalid then characters will be deleted
until a prefix for a valid command is found.
Ctrl + left Jump cursor left until start of line or [\',", ,\,/,.]
Ctrl + right Jump cursor right until start of line or [\',", ,\,/,.]

>

The question mark (?) command


When executed from the root command prompt, ? displays available commands:

> ?

Commands
-------------------------------------------------------------------------------
config View and modify the configuration
exit Exit the CLI
analyzer Analyzer commands.
cp Copy a file or directory.
grep Grep a file.
help Show CLI editing and navigation commands.
ls List a directory.
mkdir Create a directory.
modem Modem commands.
more View a file.
mv Move a file or directory.
ping Ping a host.
reboot Reboot the system.
rm Remove a file or directory.
scp Copy a file or directory over SSH.
show Show instance statistics.
system System commands.
tail Tail a file.
traceroute Print the route packets trace to network host.
update Update firmware.

>

Display help for individual commands


When included with a command name, both ? and help provide further information about the
command. For example:

1. To display further information about the show command, type either show ? or show help:

> show ?

Commands
--------------------------------------------------------------------------
arp Show ARP tables
cloud Show drm statistics
config Show config deltas.
containers Show container statistics.
dhcp-lease Show DHCP leases.
dns Show DNS servers.
event Show event list
ipsec Show IPsec statistics.
l2tp Show L2TP statistics.
l2tppeth Show L2TPv3 ethernet statistics.
location Show loction information.
log Show syslog.
manufacture Show manufacturer information.
modbus-gateway Show modbus gateway status & statistics.
modem Show modem statistics.
nemo Show NEMO statistics.
network Show network interface statistics.
ntp Show NTP information.
openvpn Show OpenVPN statistics.
route Show IP routing information.
scep-client Show SCEP client statistics.
serial Show serial statistics.
surelink Show Surelink statistics.
system Show system statistics.
version Show firmware version.

> show


Use the Tab key or the space bar to display abbreviated help
When executed from the root command prompt, pressing the Tab key or the space bar displays an
abbreviated list of available commands:
Similar behavior is available with any command name:

> config network interface <space>


.. ... setupip setuplinklocalip lan
loopback
> config network interface

Auto-complete commands and parameters


When entering a command and parameter, press the Tab key to cause the command line interface to
auto-complete as much of the command and parameter as possible. Typing the space bar has similar
behavior. If multiple commands are available that will match the entered text, auto-complete is not
performed and the available commands are displayed instead.
Auto-complete applies to these command elements only:
• Command names. For example, typing net<Tab> auto-completes the command as network.
• Parameter names. For example:
  ◦ ping hostname int<Tab> auto-completes the parameter as interface.
  ◦ system b<Tab> auto-completes the parameter as backup.
• Parameter values, where the value is one of an enumeration or an on|off type; for example:

(config)> serial port1 enable t<Tab>

auto-completes to

(config)> serial port1 enable true

Auto-complete does not function for:


• Parameter values that are string types.
• Integer values.
• File names.
• Select parameters passed to commands that perform an action.


Available commands
The following commands are available from the Admin CLI prompt:

Command Description
config Used to view and modify the configuration.

See Device configuration using the command line interface for more information
about using the config command.
exit Exits the CLI.
analyzer Analyzer commands.
cat View a file.
clear Commands to clear the device's status or systems.
container Create, delete, or interact with a container.
cp Copies a file or directory.
grep Grep a file.
help Displays:
• CLI editing and navigation commands, when executed from the root of the
  Admin CLI prompt.
• Available commands, syntax diagram, and parameter information, when
  executed in conjunction with another command.
See Display help for commands and parameters for information about the help
command.
ls Lists the contents of a directory.
mkdir Creates a directory.
modem Executes modem commands.
monitoring Monitoring commands.
more Displays the contents of a file.
mv Moves a file or directory.
ping Pings a remote host using Internet Control Message Protocol (ICMP) Echo Request
messages.
poweroff Powers off the system.
reboot Reboots the Connect EZ 16/32 device.
rm Removes a file.
scp Uses the secure copy protocol (SCP) to transfer files between the Connect EZ 16/32
device and a remote host.

See Use the scp command for information about using the scp command.
show Displays information about the device and the device's configuration.

See Display status and statistics using the show command for more information
about the show command.
iperf Perform a speedtest.
ssh SSH login to a remote server.
system Issues commands related to system functionality.
tail Tail a file.
telnet Telnet login to a remote server.
traceroute Sends and tracks route packets to a destination host.

Note For commands that operate on the Connect EZ 16/32's file system, such as the cp, ls, and mkdir
commands, see File system for information about the file system, including how to copy, move and
delete files and directories.

Use the scp command


The scp command uses Secure Copy Protocol (SCP) to transfer files between the Connect EZ 16/32
device and a remote host.

Required configuration items


• The hostname or IP address of the remote host.
• The username and password of the user on the remote host.
• Whether the file is being copied to the Connect EZ 16/32 device from a remote host, or to the
  remote host from the Connect EZ 16/32 device.
  ◦ If the file is being copied to the Connect EZ 16/32 device from a remote host:
    - The path and filename of the file on the remote host that will be copied to the Connect
      EZ 16/32 device.
    - The location on the Connect EZ 16/32 device where the file will be copied.
  ◦ If the file is being copied to a remote host from the Connect EZ 16/32 device:
    - The path and filename of the file on the Connect EZ 16/32 device that will be copied to
      the remote host.
    - The location on the remote host where the file will be copied.

Copy a file from a remote host to the Connect EZ 16/32 device


To copy a file from a remote host to the Connect EZ 16/32 device, use the scp command as follows:


> scp host hostname-or-ip user username remote remote-path local local-path to local

where:
• hostname-or-ip is the hostname or IP address of the remote host.
• username is the name of the user on the remote host.
• remote-path is the path and filename of the file on the remote host that will be copied to the
  Connect EZ 16/32 device.
• local-path is the location on the Connect EZ 16/32 device where the copied file will be placed.
For example:
To copy firmware from a remote host with an IP address of 192.168.4.1 to the /etc/config directory on
the Connect EZ 16/32 device, issue the following command:

> scp host 192.168.4.1 user admin remote /home/admin/bin/Connect EZ 16/32-24.9.bin local /etc/config/scripts to local
admin@192.168.4.1's password: adminpwd
Connect EZ 16/32-24.9.bin 100% 36MB 11.1MB/s 00:03
>

Transfer a file from the Connect EZ 16/32 device to a remote host


To copy a file from the Connect EZ 16/32 device to a remote host, use the scp command as follows:

> scp host hostname-or-ip user username remote remote-path local local-path to remote

where:
• hostname-or-ip is the hostname or IP address of the remote host.
• username is the name of the user on the remote host.
• remote-path is the location on the remote host where the file will be copied.
• local-path is the path and filename on the Connect EZ 16/32 device.
For example:
To copy a support report from the Connect EZ 16/32 device to a remote host at the IP address of
192.168.4.1:

1. Use the system support-report command to generate the report:

> system support-report path /var/log/
Saving support report to /var/log/support-report-0040D0133536-24-01-12-12:10:00.bin
Support report saved.
>

2. Use the scp command to transfer the report to a remote host:

> scp host 192.168.4.1 user admin remote /home/admin/temp/ local /var/log/support-report-0040D0133536-24-01-12-12:10:00.bin to remote
admin@192.168.4.1's password: adminpwd
support-report-0040D0133536-24-01-12-12:10:00.bin
>

Display status and statistics using the show command


The Connect EZ 16/32 show command displays status and statistics for various features.
For example:

show config
The show config command displays all the configuration settings for the device that have been
changed from the default settings. This is particularly useful when troubleshooting the device.

> show config

auth tacacs+ service "login"
auth user admin password "$2a$05$WlJQhquI7BgsytkpobKhaeLPtWraGANBcrlEaJX/wJv63JENW/HOu"
add auth user test
add auth user test group end "admin"
add auth user test group end "serial"
auth user test password "$2a$05$RdGYz1sLKbWrqe6cZjlsd.otg03JZR6n9939XV6EYWUSP0tMAzO5W"
network interface lan ipv4 type "dhcp"
network interface lan zone "external"
network interface modem modem apn 0 apn "00000.000"
network interface modem modem apn_lock "true"
schema version "445"

>
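
The show config listing above carries each user's password hash, so a copy saved for troubleshooting is worth redacting before it leaves the device owner's hands. The following Python example is added here and is not Digi code: it redacts the password values from a saved listing and summarizes, per user, the bcrypt cost field and the groups added. The sample listing, its placeholder hashes, and the function names are this example's own.

```python
import re

# Constructed sample in the format of the `show config` listing above.
# The hashes are placeholders built here, not real credentials.
FAKE_HASH_1 = "$2a$05$" + "A" * 22 + "B" * 31
FAKE_HASH_2 = "$2a$05$" + "C" * 22 + "D" * 31
SAMPLE_SHOW_CONFIG = f'''\
auth tacacs+ service "login"
auth user admin password
"{FAKE_HASH_1}"
add auth user test
add auth user test group end "admin"
add auth user test group end "serial"
auth user test password "{FAKE_HASH_2}"
network interface lan ipv4 type "dhcp"
network interface lan zone "external"
schema version "445"
'''

PASSWORD_RE = re.compile(r'^(auth user (\S+) password) "(.*)"$')
GROUP_RE = re.compile(r'^add auth user (\S+) group end "(.*)"$')
# bcrypt string: $2a$ (or a sibling variant), two-digit cost, 53 chars of salt+hash
BCRYPT_RE = re.compile(r'^\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}$')


def unwrap(text):
    """Drop blank lines and rejoin a quoted value that a terminal or
    document wrapped onto its own line (as the admin password is above)."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('"') and lines:
            lines[-1] += " " + line
        else:
            lines.append(line)
    return lines


def redact(text):
    """Return the listing with every user password value replaced."""
    out = []
    for line in unwrap(text):
        m = PASSWORD_RE.match(line)
        out.append(f'{m.group(1)} "<redacted>"' if m else line)
    return "\n".join(out)


def audit(text):
    """Map each user named in the listing to its bcrypt cost and added groups.

    show config lists only settings changed from the defaults, so an empty
    group list means "no group change recorded", not "no groups".
    """
    users = {}
    for line in unwrap(text):
        m = PASSWORD_RE.match(line)
        if m:
            entry = users.setdefault(m.group(2), {"bcrypt_cost": None, "groups": []})
            h = BCRYPT_RE.match(m.group(3))
            # None if the stored value is not a bcrypt string
            entry["bcrypt_cost"] = int(h.group(1)) if h else None
            continue
        m = GROUP_RE.match(line)
        if m:
            entry = users.setdefault(m.group(1), {"bcrypt_cost": None, "groups": []})
            entry["groups"].append(m.group(2))
    return users


if __name__ == "__main__":
    print(redact(SAMPLE_SHOW_CONFIG))
    for user, info in audit(SAMPLE_SHOW_CONFIG).items():
        print(user, info)
```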

show system
The show system command displays system information and statistics for the device, including CPU
usage.

> show system

Model : Digi Connect EZ 16/32


Serial Number : Connect EZ 16/32xxxxxxxxyyyyxx
SKU : Connect EZ 16/32
Hostname : Connect EZ 16/32
MAC Address : DF:DD:E2:AE:21:18

Hardware Version : 50001947-01 1P


Firmware Version : 24.9
Alt. Firmware Version : 24.9
Alt. Firmware Build Date : Fri, Jan 12, 2024 12:10:00
Bootloader Version : 19.7.23.0-15f936e0ed

Current Time : Thu, Jan 11, 2024 12:10:00 +0000


CPU : 1.4%
Uptime : 6 days, 6 hours, 21 minutes, 57 seconds (541317s)
Temperature : 40C
Location :
Contact :

>

show network
The show network command displays status and statistics for network interfaces.

> show network

Interface Proto Status Address


---------------- ----- ------- -------------------------------
setupip IPv4 up 192.168.210.1/24
setuplinklocalip IPv4 up 169.254.100.100/16
lan IPv4 up 192.168.2.1
lan IPv6 up 0:0:0:0:0:ffff:c0a8:301
loopback IPv4 up 127.0.0.1/8
wan IPv4 up 192.168.3.1/24
wan IPv6 up fd00:2704::240:ffff:fe80:120/64

>

Device configuration using the command line interface


The config command allows for device configuration from the command line. All configuration tasks
that can be performed by using the WebUI can also be performed by using the config command.
There are two ways to invoke the config command from the CLI:
• Execute the config command and parameters at the root prompt. See Execute configuration
  commands at the root Admin CLI prompt for more information.
• Enter configuration mode by executing the config command without any parameters. See
  Configuration mode for more information.

Execute configuration commands at the root Admin CLI prompt


You can execute the config command at the root Admin CLI prompt with any appropriate parameters.
When the config command is used in this way, changes to the device's configuration are
automatically saved when the command is executed.
For example, to disable the SSH service from the root prompt, enter the following command:

> config service ssh enable false


>

The Connect EZ 16/32 device's ssh service is now disabled.

Note When the config command is executed at the root prompt, certain configuration actions that
are available in configuration mode cannot be performed. This includes validating configuration
changes, canceling and reverting configuration changes, and performing actions on elements in lists.
See Configuration mode for information about using configuration mode.


Display help for the config command from the root Admin CLI prompt
Display additional configuration commands, as well as available parameters and values, by entering
the question mark (?) character after the config command.

1. For example:

> config ?

Will display the following help information:

> config ?

Additional Configuration
--------------------------------------------------------------------------
application Custom scripts
auth Authentication
cloud Central management
firewall Firewall
monitoring Monitoring
network Network
serial Serial
service Services
system System
vpn VPN

Run "config" with no arguments to enter the configuration editing mode.

> config

2. You can then display help for the additional configuration commands. For example, to display
help for the config service command:

> config service ?


Services

Additional Configuration
--------------------------------------------------------------------------
dns DNS
mdns Service Discovery (mDNS)
multicast Multicast
ntp NTP
remote_control Remote control
snmp SNMP
ssh SSH
telnet Telnet
web_admin Web administration

> config service


3. Next, display help for the config service ssh command:

> config service ssh ?

SSH: An SSH server for managing the device.

Parameters Current Value
--------------------------------------------------------------------------
enable true Enable
key [private] Private key
port 22 Port

Additional Configuration
--------------------------------------------------------------------------
acl Access control list
mdns

> config service ssh

4. Lastly, display the allowed values and other information for the enable parameter:

> config service ssh enable ?

Enable: Enable the service.


Format: true, false, yes, no, 1, 0
Default value: true
Current value: true

> config service ssh enable

Configuration mode
Configuration mode allows you to perform multiple configuration tasks and validate the changes prior
to saving them. You can cancel all changes without saving them at any time. Configuration changes
do not take effect until the configuration is saved.

Enable configuration mode


To enable configuration mode, at the root prompt, enter the config command without any
parameters:

> config
(config)>

When the command line is in configuration mode, the prompt will change to include (config), to
indicate that you are currently in configuration mode.

Enter configuration commands in configuration mode


There are two ways to enter configuration commands while in configuration mode:

• Enter the full command string from the config prompt.


For example, to disable the ssh service by entering the full command string at the config
prompt:

(config)> service ssh enable false


(config)>

• Execute commands by moving through the configuration schema.


For example, to disable the ssh service by moving through the configuration and then
executing the enable false command:
1. At the config prompt, enter service to move to the service node:

(config)> service
(config service)>

2. Enter ssh to move to the ssh node:

(config service)> ssh


(config service ssh)>

3. Enter enable false to disable the ssh service:

(config service ssh)> enable false


(config service ssh)>

See Move within the configuration schema for more information about moving within the
configuration.

Save changes and exit configuration mode


To save changes that you have made to the configuration while in configuration mode, use save. The
save command automatically validates the configuration changes; the configuration will not be saved
if it is not valid. Note that you can also validate configuration changes at any time while in
configuration mode by using the validate command.

(config)> save
Configuration saved.
>

After using save to save changes to the configuration, you will automatically exit configuration mode.
To return to configuration mode, type config again.

Exit configuration mode without saving changes


You can discard any unsaved configuration changes and exit configuration mode by using the cancel
command:

(config)> cancel
>

After using cancel to discard unsaved changes to the configuration, you will automatically exit
configuration mode.


Configuration actions
In configuration mode, configuration actions are available to perform tasks related to saving or
canceling the configuration changes, and to manage items and elements in lists. The commands can
be listed by entering a question mark (?) at the config prompt.
The following actions are available:

Configuration actions    Description
cancel                   Discards unsaved configuration changes and exits configuration mode.
save                     Saves configuration changes and exits configuration mode.
validate                 Validates configuration changes.
revert                   Reverts the configuration to default settings. See The revert command
                         for more information.
show                     Displays configuration settings.
add                      Adds a named element, or an element in a list. See Manage elements in
                         lists for information about using the add command with lists.
del                      Deletes a named element, or an element in a list. See Manage elements in
                         lists for information about using the del command with lists.
move                     Moves elements in a list. See Manage elements in lists for information
                         about using the move command with lists.

Display command line help in configuration mode


Display additional configuration commands, as well as available parameters and values, by entering
the question mark (?) character at the config prompt. For example:

1. Enter ? at the config prompt:

(config)> ?

This will display the following help information:

(config)> ?

Additional Configuration
--------------------------------------------------------------------------
application Custom scripts
auth Authentication
cloud Central management
firewall Firewall
monitoring Monitoring
network Network
serial Serial
service Services
system System
vpn VPN

(config)>

2. You can then display help for the additional configuration commands. For example, to display
help for the config service command, use one of the following methods:
• At the config prompt, enter service ?:

(config)> service ?

• At the config prompt:


a. Enter service to move to the service node:

(config)> service
(config service)>

b. Enter ? to display help for the service node:

(config service)> ?

Either of these methods will display the following information:

(config)> service ?

Services

Additional Configuration
--------------------------------------------------------------------------
dns DNS
mdns Service Discovery (mDNS)
multicast Multicast
ntp NTP
remote_control Remote control
snmp SNMP
ssh SSH
telnet Telnet
web_admin Web administration

(config)> service


3. Next, to display help for the service ssh command, use one of the following methods:
• At the config prompt, enter service ssh ?:

(config)> service ssh ?

• At the config prompt:


a. Enter service to move to the service node:

(config)> service
(config service)>

b. Enter ssh to move to the ssh node:

(config service)> ssh


(config service ssh)>

c. Enter ? to display help for the ssh node:

(config service ssh)> ?

Either of these methods will display the following information:

(config)> service ssh ?

SSH: An SSH server for managing the device.

Parameters Current Value
--------------------------------------------------------------------------
enable true Enable
key [private] Private key
port 22 Port

Additional Configuration
--------------------------------------------------------------------------
acl Access control list
mdns

(config)> service ssh

4. Lastly, to display allowed values and other information for the enable parameter, use one of
the following methods:
• At the config prompt, enter service ssh enable ?:

(config)> service ssh enable ?

• At the config prompt:


a. Enter service to move to the service node:

(config)> service
(config service)>


b. Enter ssh to move to the ssh node:

(config service)> ssh


(config service ssh)>

c. Enter enable ? to display help for the enable parameter:

(config service ssh)> enable ?


(config service ssh)>

Either of these methods will display the following information:

(config)> service ssh enable ?

Enable: Enable the service.


Format: true, false, yes, no, 1, 0
Default value: true
Current value: true

(config)> service ssh enable

Move within the configuration schema


You can perform configuration tasks at the CLI by moving within the configuration.
• Move forward one node in the configuration by entering the name of an Additional
  Configuration option:
1. At the config prompt, type service to move to the service node:

(config)> service
(config service)>

2. Type ssh to move to the ssh node:

(config service)> ssh


(config service ssh)>

3. Type acl to move to the acl node:

(config service ssh)> acl


(config service ssh acl)>

4. Type zone to move to the zone node:

(config service ssh acl)> zone


(config service ssh acl zone)>

You can also enter multiple nodes at once to move multiple steps in the configuration:

(config)> service ssh acl zone


(config service ssh acl zone)>

• Move backward one node in the configuration by entering two periods (..):

(config service ssh acl zone)> ..


(config service ssh acl)>

You can also move back multiple nodes in the configuration by typing multiple sets of two
periods:

(config service ssh acl zone)> .. .. ..


(config service)>

• Move to the root of the config prompt from anywhere within the configuration by entering
  three periods (...):

(config service ssh acl zone)> ...


(config)>

Manage elements in lists


While in configuration mode, you can use the add, del, and move action commands to manage
elements in a list. When working with lists, these actions require an index number to identify the list
item that will be acted on.

Add elements to a list


When used with parameters that contain lists of elements, the add command is used to add an
element to the list.
For example, to add an authentication method:

1. Display current authentication method by using the show command:

(config)> show auth method


0 local
(config)>

2. Add an authentication method by using the add index_item command. For example:
• To add the TACACS+ authentication method to the beginning of the list, use the index
  number 0:

(config)> add auth method 0 tacacs+


(config)> show auth method
0 tacacs+
1 local
(config)>

• To add the TACACS+ authentication method to the end of the list, use the end keyword:

(config)> add auth method end tacacs+


(config)> show auth method
0 local
1 tacacs+
(config)>


The end keyword


As demonstrated above, the end keyword is used to add an element to the end of a list. Additionally,
the end keyword is used to add an element to a list that does not have any elements.
For example, to add an authentication group to a user that has just been created:

1. Use the show command to verify that the user is not currently a member of any groups:

(config)> show auth user new-user group


(config)>

2. Use the end keyword to add the admin group to the user's configuration:

(config)> add auth user new-user group end admin


(config)>

3. Use the show command again to verify that the admin group has been added to the user's
configuration:

(config)> show auth user new-user group


0 admin
(config)>

Delete elements from a list


When used with parameters that contain lists of elements, the del command is used to delete an
element in the list.
For example, to delete an authentication method:

1. Use the show command to display current authentication method configuration:

(config)> show auth method


0 local
1 tacacs+
2 radius
(config)>

2. Delete one of the authentication methods by using the del index_number command. For
example:
a. To delete the local authentication method, use the index number 0:

(config)> del auth method 0


(config)>

b. Use the show command to verify that the local authentication method was removed:

(config)> show auth method


0 tacacs+
1 radius
(config)>

Move elements within a list


Use the move command to reorder elements in a list.
For example, to reorder the authentication methods:


1. Use the show command to display current authentication method configuration:

(config)> show auth method


0 local
1 tacacs+
2 radius
(config)>

2. To configure the device to use TACACS+ authentication first to authenticate a user, use the
move index_number_1 index_number_2 command:

(config)> move auth method 1 0


(config)>

3. Use the show command again to verify the change:

(config)> show auth method


0 tacacs+
1 local
2 radius
(config)>

The revert command


The revert command is used to revert changes to the Connect EZ 16/32 device's configuration and
restore default configuration settings. The behavior of the revert command varies depending on
where in the configuration hierarchy the command is executed, and whether the optional path
parameter is used. After executing the revert command, you must save the configuration changes by
using the save command. You can also discard the configuration changes by using the cancel
command.

CAUTION! The revert command reverts all changes to the default configuration, not only
unsaved changes.

Revert all configuration changes to default settings


To discard all configuration changes and revert to default settings, use the revert command at the
config prompt without the optional path parameter:

1. At the config prompt, enter revert:

(config)> revert
(config)>

2. Set the password for the admin user prior to saving the changes:

(config)> auth user admin password pwd


(config)>


3. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

4. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.

Revert a subset of configuration changes to the default settings


There are two methods to revert a subset of configuration changes to the default settings.
• Enter the revert command with the path parameter. For example, to revert all changes to the
  authentication methods configuration:
1. Enter the revert command with the path set to auth method:

(config)> revert auth method


(config)>

2. Save the configuration and apply the change.

(config)> save
Configuration saved.
>

3. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access
selection menu. Type quit to disconnect from the device.
• Move to the location in the configuration and enter the revert command without the path
  parameter. For example:
1. Change to the auth method node:

(config)> auth method


(config auth method)>

2. Enter the revert command:

(config auth method)> revert


(config auth method)>

3. Save the configuration and apply the change.

(config auth method)> save


Configuration saved.
>

4. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access
selection menu. Type quit to disconnect from the device.

• You can also use a combination of both of these methods:


1. Change to the auth node:

(config)> auth
(config auth)>

2. Enter the revert command with the path set to method:

(config auth)> revert method


(config auth)>

3. Save the configuration and apply the change.

(config auth)> save


Configuration saved.
>

4. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access
selection menu. Type quit to disconnect from the device.

Enter strings in configuration commands


For string parameters, if the string value contains a space, the value must be enclosed in quotation
marks. For example, to assign a descriptive name for the device using the system command, enter:

(config)> system description "Digi Connect EZ 16/32"

Example: Create a new user by using the command line


In this example, you will use the Connect EZ 16/32 command line to create a new user, provide a
password for the user, and assign the user to authentication groups.

1. Select the device in Remote Manager and click Actions > Open Console, or log into the
Connect EZ 16/32 local command line as a user with full Admin access rights.
Depending on your device configuration, you may be presented with an Access selection
menu. Type admin to access the Admin CLI.
2. At the command line, type config to enter configuration mode:

> config
(config)>

3. At the config prompt, create a new user with the username user1:
• Method one: Create a user at the root of the config prompt:

(config)> add auth user user1


(config auth user user1)>

• Method two: Create a user by moving through the configuration:


a. At the config prompt, enter auth to move to the auth node:

(config)> auth
(config auth)>

b. Enter user to move to the user node:

(config auth)> user


(config auth user)>

c. Create a new user with the username user1:

(config auth user)> add user1


(config auth user user1)>

4. Configure a password for the user:

(config auth user user1)> password pwd1


(config auth user user1)>

5. List available authentication groups:

(config auth user user1)> show .. .. group

admin
    acl
        admin
            enable true
        nagios
            enable false
        openvpn
            enable false
            no tunnels
        portal
            enable false
            no portals
        serial
            enable false
            no ports
        shell
            enable false

serial
    acl
        admin
            enable true
        nagios
            enable false
        openvpn
            enable false
            no tunnels
        portal
            enable false
            no portals
        serial
            enable true
                ports
                    0 port1
        shell
            enable false
(config auth user user1)>

6. Add the user to the admin group:

(config auth user user1)> add group end admin


(config auth user user1)>

7. Save the configuration and apply the change.

(config auth user user1)> save


Configuration saved.
>

8. Type exit to exit the Admin CLI.


Depending on your device configuration, you may be presented with an Access selection
menu. Type quit to disconnect from the device.


Command line reference

ain calibrate
Measure current value of analog input, and set it as zero offset.

Syntax
ain calibrate <name> <type> <setpoint>

Parameters
name: Name of the analog input.
type: Calibrate low or high-end of analog input range.
setpoint: Reference voltage/current connected on the analog input (in mV/uA). (Minimum: 0)

ain calibration-reset
Reset both voltage and current calibration of analog input.

Syntax
ain calibration-reset <name>

Parameters
name: Name of the analog input.

analyzer clear
Clears the traffic captured by the analyzer.

Syntax
analyzer clear <name>

Parameters
name: Name of the capture filter to use.

analyzer save
Saves the current captured traffic to a file.

Syntax
analyzer save <name> <path>

Parameters
name: Name of the capture filter to use.
path: The path and filename to save captured traffic to. If a relative path is provided,
/etc/config/analyzer will be used as the root directory for the path and file.


analyzer start
Start a capture session of packets on this device's interfaces.

Syntax
analyzer start <name>

Parameters
name: Name of the capture filter to use.

analyzer stop
Stops the traffic capture session.

Syntax
analyzer stop <name>

Parameters
name: Name of the capture filter to use.

cat
View the contents of a file.

Syntax
cat <path>

Parameters
path: The file to view.

clear dhcp-lease ip-address


Clear the DHCP lease for the specified IP address.

Syntax
clear dhcp-lease ip-address ADDRESS

Parameters
address: An IPv4 or IPv6 address

clear dhcp-lease mac


Clear the DHCP lease for the specified MAC address.

Syntax
clear dhcp-lease mac ADDRESS

Parameters
address: 12-digit, colon-delimited MAC address [00:11:22:AA:BB:CC]

config system storage mount


Enable or disable automount.

Syntax
config system storage sd mount [true|false]

Parameters
mount: Enable automount (true) or disable automount (false)

config system storage partition


Automount a partition on an SD card.

Syntax
config system storage sd partition [1-N]

Parameters
partition: Specify the partition number to be automounted.

config system storage used percent


Generate an event when a specified percent of space is used on an SD card.

Syntax
config system storage [sd|nfs] used_percent [1-N]

Parameters
system storage: Specify the storage device (sd, nfs).
used-percent: Specify a percent value of the used storage. When this percent value is met, a system
event is generated.

cp
Copy a file or directory.

Syntax
cp <source> <destination> [force]

Parameters
source: The source file or directory to copy.
destination: The destination path to copy the source file or directory to.
force: Do not ask to overwrite the destination file if it exists.


dio state
Set digital I/O.

Syntax
dio state <name> <state>

Parameters
name: Name of the digital I/O.
state: State of the digital I/O.

grep
Grep the contents of a file.

Syntax
grep <match> <path>

Parameters
match: Output all lines in file matching string.
path: The file to grep.

help
Show CLI editing and navigation commands.

Syntax
help

Parameters
None


ls
List a directory.

Syntax
ls <path> [show-hidden]

Parameters
path: List files and directories under this path.
show-hidden: Show hidden files and directories. Hidden filenames begin with '.'.


mkdir
Create a directory. Parent directories are created as needed.

Syntax
mkdir <path>

Parameters
path: The directory path to create.

modem at
Send an AT command to the modem and display the response.

Syntax
modem at <cmd> [name STRING] [imei STRING]

Parameters
cmd: The AT command string.
name: The configured name of the modem to execute this CLI command on.
imei: The IMEI of the modem to execute this CLI command on.

modem at-interactive
Start an AT command session on the modem's AT serial port.

Syntax
modem at-interactive [name STRING] [imei STRING]

Parameters
name: The configured name of the modem to execute this CLI command on.
imei: The IMEI of the modem to execute this CLI command on.

modem firmware bundle ota check


Query the Digi firmware server for the latest remote modem firmware version.

Syntax
modem firmware bundle ota check [name STRING]

Parameters
name: The configured name of the modem to execute this CLI command on.

modem firmware bundle ota download


Downloads modem firmware from the server. The firmware will be downloaded on the device but the
modem won't be updated.


Syntax
modem firmware bundle ota download [name STRING] [version STRING] [binary
STRING]

Parameters
name: The configured name of the modem to execute this CLI command on.
version: Firmware version name.
binary: Firmware binary position.

modem firmware bundle ota list


Query the Digi firmware server for a list of modem firmware versions.

Syntax
modem firmware bundle ota list [name STRING]

Parameters
name: The configured name of the modem to execute this CLI command on.

modem firmware bundle ota update


Perform FOTA (firmware-over-the-air) update. The modem will be updated to the latest modem
firmware image unless a specific firmware version is specified.

Syntax
modem firmware bundle ota update [name STRING] [version STRING]

Parameters
name: The configured name of the modem to execute this CLI command on.
version: Firmware version name.

modem firmware check


Inspect /opt/[MODEM_MODEL]/Custom_Firmware/ directory for new modem firmware file.

Syntax
modem firmware check [name STRING] [imei STRING]

Parameters
name: The configured name of the modem to execute this CLI command on.
imei: The IMEI of the modem to execute this CLI command on.

modem firmware list


List modem firmware files found in the /opt/[MODEM_MODEL]/ directory.


Syntax
modem firmware list [name STRING] [imei STRING]

Parameters
name: The configured name of the modem to execute this CLI command on.
imei: The IMEI of the modem to execute this CLI command on.

modem firmware ota check


Query the Digi firmware server for the latest remote modem firmware version.

Syntax
modem firmware ota check [name STRING] [imei STRING]

Parameters
name: The configured name of the modem to execute this CLI command on.
imei: The IMEI of the modem to execute this CLI command on.

modem firmware ota download


Downloads modem firmware from the server. The firmware will be downloaded on the device but the
modem won't be updated.

Syntax
modem firmware ota download [name STRING] [imei STRING] [version STRING]

Parameters
name: The configured name of the modem to execute this CLI command on.
imei: The IMEI of the modem to execute this CLI command on.
version: Firmware version name.

modem firmware ota list


Query the Digi firmware server for a list of modem firmware versions.

Syntax
modem firmware ota list [name STRING] [imei STRING]

Parameters
name: The configured name of the modem to execute this CLI command on.
imei: The IMEI of the modem to execute this CLI command on.

modem firmware ota update


Perform FOTA (firmware-over-the-air) update. The modem will be updated to the latest modem
firmware image unless a specific firmware version is specified.


Syntax
modem firmware ota update [name STRING] [imei STRING] [version STRING]

Parameters
name: The configured name of the modem to execute this CLI command on.
imei: The IMEI of the modem to execute this CLI command on.
version: Firmware version name.

modem firmware update


Update modem firmware using local firmware file. The modem will be updated to the firmware
specified in the /opt/[MODEM_MODEL]/Custom_Firmware/ directory unless a specific firmware version
is specified.

Syntax
modem firmware update [name STRING] [imei STRING] [version STRING]

Parameters
name: The configured name of the modem to execute this CLI command on.
imei: The IMEI of the modem to execute this CLI command on.
version: Firmware version name.

modem pin change


Change the SIM's PIN code.
Warning: Attempting to use an incorrect PIN code may PUK lock the SIM.

Syntax
modem pin change <old-pin> <new-pin> [name STRING] [imei STRING]

Parameters
old-pin: The SIM's PIN code.
new-pin: The PIN code to change to.
name: The configured name of the modem to execute this CLI command on.
imei: The IMEI of the modem to execute this CLI command on.

modem pin disable


Disable the PIN lock on the SIM card that is active in the modem.
Warning: Attempting to use an incorrect PIN code may PUK lock the SIM.

Syntax
modem pin disable <pin> [name STRING] [imei STRING]

Parameters
pin: The SIM's PIN code.
name: The configured name of the modem to execute this CLI command on.
imei: The IMEI of the modem to execute this CLI command on.

modem pin enable


Enable the PIN lock on the SIM card that is active in the modem. The SIM card will need to be
unlocked before each use.
Warning: Attempting to use an incorrect PIN code may PUK lock the SIM.

Syntax
modem pin enable <pin> [name STRING] [imei STRING]

Parameters
pin: The SIM's PIN code.
name: The configured name of the modem to execute this CLI command on.
imei: The IMEI of the modem to execute this CLI command on.

modem pin status


Print the PIN lock status and the number of PIN enable/disable/unlock attempts remaining. The SIM
will be PUK locked when there are no remaining retries.

Syntax
modem pin status [name STRING] [imei STRING]

Parameters
name: The configured name of the modem to execute this CLI command on.
imei: The IMEI of the modem to execute this CLI command on.

modem pin unlock


Temporarily unlock the SIM card with a PIN code. Set the PIN field in the modem interface's
configuration to unlock the SIM card automatically before use.
Warning: Attempting to use an incorrect PIN code may PUK lock the SIM.

Syntax
modem pin unlock <pin> [name STRING] [imei STRING]

Parameters
pin: The SIM's PIN code.
name: The configured name of the modem to execute this CLI command on.
imei: The IMEI of the modem to execute this CLI command on.

modem puk status


Print the PUK status and the number of PUK unlock attempts remaining.


Syntax
modem puk status [name STRING] [imei STRING]

Parameters
name: The configured name of the modem to execute this CLI command on.
imei: The IMEI of the modem to execute this CLI command on.

modem puk unlock


Unlock the SIM with a PUK code from the SIM provider.

Syntax
modem puk unlock <puk> <new-pin> [name STRING] [imei STRING]

Parameters
puk: The SIM's PUK code.
new-pin: The PIN code to change to.
name: The configured name of the modem to execute this CLI command on.
imei: The IMEI of the modem to execute this CLI command on.

modem reset
Reset the modem hardware (reboot it). This can be useful if the modem has stopped responding to
the network or is behaving inconsistently.

Syntax
modem reset [name STRING] [imei STRING]

Parameters
name: The configured name of the modem to execute this CLI command on.
imei: The IMEI of the modem to execute this CLI command on.

modem scan
List of carriers present in the network.

Syntax
modem scan [name STRING] [imei STRING] [timeout INTEGER]

Parameters
name: The configured name of the modem to execute this CLI command on.
imei: The IMEI of the modem to execute this CLI command on.
timeout: The amount of time in seconds to wait for modem scan to complete. (Default: 300)

modem sim-slot
Show or change the modem's active SIM slot. This applies only to modems with multiple SIM slots.

Syntax
modem sim-slot <slot> [name STRING] [imei STRING]

Parameters
slot: The SIM slot to change to.
name: The configured name of the modem to execute this CLI command on.
imei: The IMEI of the modem to execute this CLI command on.

modem sms send


Send an SMS message to the provided phone number (MSISDN).

Syntax
modem sms send <msisdn> <message> [name STRING] [imei STRING]

Parameters
msisdn: Destination phone number (MSISDN).
message: Message to send.
name: The configured name of the modem to execute this CLI command on.
imei: The IMEI of the modem to execute this CLI command on.

modem sms send-binary


Send a binary SMS message to the provided phone number (MSISDN).

Syntax
modem sms send-binary <msisdn> <message> [name STRING] [imei STRING]

Parameters
msisdn: Destination phone number (MSISDN).
message: Message to send.
name: The configured name of the modem to execute this CLI command on.
imei: The IMEI of the modem to execute this CLI command on.

monitoring metrics upload


Immediately upload current device health metrics. Functions as if a scheduled upload was triggered.

Syntax
monitoring metrics upload

Parameters
None


monitoring
Commands to clear the device's status or systems.

monitoring metrics
Device metrics commands.

upload
Immediately upload current device health metrics. Functions as if a scheduled upload was triggered.

Parameters
None

more
View a file.

Syntax
more <path>

Parameters
path: The file to view.

mv
Move a file or directory.

Syntax
mv <source> <destination> [force]

Parameters
source: The source file or directory to move.
destination: The destination path to move the source file or directory to.
force: Do not ask to overwrite the destination file if it exists.

ping
Ping a host using ICMP echo.


Syntax
ping <host> [interface STRING] [source STRING] [ipv6] [size INTEGER] [count
INTEGER] [broadcast]

Parameters
host: The name or address of the remote host to send ICMP ping requests to. If broadcast is enabled,
can be the broadcast address.
interface: The network interface to send ping packets from when the host is reachable over a default
route. If not specified, the system's primary default route will be used.
source: The ping command will send a packet with the source address set to the IP address of this
interface, rather than the address of the interface the packet is sent from.
ipv6: If a hostname is defined as the value of the 'host' parameter, use the host's IPv6 address.
size: The number of bytes sent in the ICMP ping request. (Minimum: 0, Default: 56)
count: The number of ICMP ping requests to send before terminating. (Minimum: 1, Default: 100)
broadcast: Enable broadcast ping functionality.

poweroff
Power off the system.

Syntax
poweroff

Parameters
None

reboot
Reboot the system.

Parameters
None

rm
Remove a file or directory.

Syntax
rm <path> [force]

Parameters
path: The path to remove.
force: Force the file to be removed without asking.


scp
Copy a file or directory over SSH.

Syntax
scp <local> <remote> <host> <user> <to> [port INTEGER]

Parameters
local: The path and name of the file on the local device to copy to or from.
remote: The path and name of the file on the remote host to copy to or from.
host: The hostname or IP address of the remote host.
user: The username to use when connecting to the remote host.
to: Determine whether to copy the file from the local device to the remote host, or from the remote
host to the local device.
port: The SSH port to use to connect to the remote host. (Minimum: 1, Maximum: 65535, Default: 22)

show ain
Show analog input status.

Syntax
show ain [name STRING]

Parameters
name: Name of the analog input.

show analyzer
Show packets from a specified analyzer capture.

Syntax
show analyzer <name>

Parameters
name: Name of the capture filter to use.

show arp
Show ARP tables. If no IP version is specified, IPv4 and IPv6 will be displayed.

Syntax
show arp [ipv4] [ipv6] [verbose]

Parameters
ipv4: Display IPv4 routes. If no IP version is specified, IPv4 and IPv6 will be displayed.
ipv6: Display IPv6 routes. If no IP version is specified, IPv4 and IPv6 will be displayed.
verbose: Display more information (less concise, more detail).


show cloud
Show drm status & statistics.

Syntax
show cloud

Parameters
None

show config
Show a summary of changes made to the default configuration. The changes shown are not suitable
for pasting into a CLI session.

Syntax
show config [cli_format]

Parameters
cli_format: Show the exact CLI commands required to configure the device from a default
configuration. The changes shown are suitable for pasting into a CLI session, although individual
output lines may be context sensitive and unable to be entered in isolation.

show dhcp-lease
Show DHCP leases.

Syntax
show dhcp-lease [all] [verbose]

Parameters
all: Show all leases (active and inactive (not in etc/config/dhcp.*lease)).
verbose: Display more information (less concise, more detail).

show dio
Show digital I/O status.

Syntax
show dio [name STRING]

Parameters
name: Name of the digital I/O.

show dns
Show DNS servers and associated domains.


Syntax
show dns

Parameters
None

show eth
Show ethernet status & statistics.

Syntax
show eth [name STRING]

Parameters
name: Display more details and configuration data for a specific ethernet instance.

show event
Show event list (high level).

Syntax
show event [table <status|error|info>] [number INTEGER]

Parameters
table: Type of event log to be displayed (status, error, info).
number: Number of lines to retrieve from log. (Minimum: 1, Default: 20)

show hotspot
Show hotspot statistics.

Syntax
show hotspot [name STRING] [ip STRING]

Parameters
name: The configured instance name of the hotspot.
ip: IP address of a specific client, to limit the status display to only this client.

show ipsec
Show IPsec status & statistics.

Syntax
show ipsec [tunnel STRING] [all] [verbose]


Parameters
tunnel: Display more details and config data for a specific IPsec tunnel.
all: Display all tunnels including disabled tunnels.
verbose: Display status of one or all tunnels in plain text.

show l2tp lac


Show L2TP access concentrator status & statistics.

Syntax
show l2tp lac [name STRING]

Parameters
name: Display more details for a specific L2TP access concentrator.

show l2tp lns


Show L2TP network server status & statistics.

Syntax
show l2tp lns [name STRING]

Parameters
name: Display more details for a specific L2TP network server.

show l2tpeth
Show L2TPv3 ethernet tunnel session status and statistics.

Syntax
show l2tpeth [name STRING]

Parameters
name: Display more details for a specific L2TPv3 ethernet tunnel session.

show location
Show location information.

Syntax
show location [geofence]

Parameters
geofence: Show geofence information.

show log
Show system log (low level).

Syntax
show log [number INTEGER] [filter <critical|warning|debug|info>]

Parameters
number: Number of lines to retrieve from log. (Minimum: 1, Default: 20)
filter: Filters for type of log message displayed (critical, warning, info, debug). Note: the filter is
applied to the number of messages retrieved, not to the whole log (filtering the whole log can be very
time consuming). If you require more messages of the filtered type, increase the number of messages
retrieved using 'number'.

show manufacture
Show manufacturer information.

Syntax
show manufacture [verbose]

Parameters
verbose: Display more information (less concise, more detail).

show modbus-gateway
Show modbus gateway status & statistics.

Syntax
show modbus-gateway [verbose]

Parameters
verbose: Display more information (less concise, more detail).

show modem
Show modem status & statistics.

Syntax
show modem [name STRING] [imei STRING] [verbose]

Parameters
name: The configured name of the modem to execute this CLI command on.
imei: The IMEI of the modem to execute this CLI command on.
verbose: Display more information (less concise, more detail).

show nemo
Show NEMO status and statistics.


Syntax
show nemo [name STRING]

Parameters
name: Display more details and configuration data for a specific NEMO instance.

show network
Show network interface status & statistics.

Syntax
show network [interface STRING] [all] [verbose]

Parameters
interface: Display more details and config data for a specific network interface.
all: Display all interfaces including disabled interfaces.
verbose: Display more information (less concise, more detail).

show ntp
Show NTP status & statistics.

Syntax
show ntp

Parameters
None

show openvpn client


Show OpenVPN client status & statistics.

Syntax
show openvpn client [name STRING] [all]

Parameters
name: Display more details and config data for a specific OpenVPN client.
all: Display all clients including disabled clients.

show openvpn server


Show OpenVPN server status & statistics.

Syntax
show openvpn server [name STRING] [all]


Parameters
name: Display more details and config data for a specific OpenVPN server.
all: Display all servers including disabled servers.

show route
Show IP routing information.

Syntax
show route [ipv4] [ipv6] [verbose]

Parameters
ipv4: Display IPv4 routes.
ipv6: Display IPv6 routes.
verbose: Display more information (less concise, more detail).

show scep-client
Show SCEP client status and statistics.

Syntax
show scep-client [name STRING]

Parameters
name: Display more details and configuration data for a specific SCEP client instance.

show scripts
Show scheduled system scripts.

Syntax
show scripts

Parameters
None

show serial
Show serial status and statistics.
If the

Syntax
show serial [port STRING]

Parameters
port: Display more details and configuration data for a specific serial port.


show surelink interface


Show SureLink status & statistics for network interfaces.

Syntax
show surelink interface [name STRING] [all]

Parameters
name: The name of a specific network interface.
all: Show all network interfaces.

show surelink ipsec


Show SureLink status & statistics for IPsec tunnels.

Syntax
show surelink ipsec [tunnel STRING] [all]

Parameters
tunnel: The name of a specific IPsec tunnel.
all: Show all IPsec tunnels.

show surelink openvpn


Show SureLink status & statistics for OpenVPN clients.

Syntax
show surelink openvpn [client STRING] [all]

Parameters
client: The name of the OpenVPN client.
all: Show all OpenVPN clients.

show surelink state


Show SureLink state & fail counts for each network interface.

Syntax
show surelink state

Parameters
None

show system
Show system status & statistics.


Syntax
show system [verbose]

Parameters
verbose: Display more information (disk usage, etc).

show version
Show firmware version.

Syntax
show version [verbose]

Parameters
verbose: Display more information (build date).

show vrrp
Show VRRP status & statistics.

Syntax
show vrrp [name STRING] [all] [verbose]

Parameters
name: Display more details and config data for a specific VRRP instance.
all: Display all VRRP instances including disabled instances.
verbose: Display all VRRP status and statistics including disabled instances.

show web-filter
Show web filter status & statistics.

Syntax
show web-filter

Parameters
None

iperf
Perform a speedtest to a remote host using nuttcp or iPerf. The system's primary default route will be
used. The speed test will take approximately 30 seconds to complete.

Syntax
iperf <host> [size INTEGER] [mode <nuttcp|iperf>] [output <text|json>]


Parameters
host: The name or address of the remote speed test host/server.
size: The number of kilobytes sent in the speed test packets. (Minimum: 0, Default: 1000)
mode: The type of speed test protocol to run. (Default: nuttcp)
output: The format of output to display the speed test results as. (Default: text)

ssh
Use SSH protocol to log into a remote server.

Syntax
ssh <host> <user> [port INTEGER] [command STRING]

Parameters
host: The hostname or IP address of the remote host.
user: The username to use when connecting to the remote host.
port: The SSH port to use to connect to the remote host. (Minimum: 1, Maximum: 65535, Default: 22)
command: The command that will be automatically executed once the SSH session to the remote
host is established.

system backup
Save the device's configuration to a file. Archives are full backups including generated SSH keys and
dynamic DHCP lease information. Command backups are a list of CLI commands required to build the
device's configuration.

Syntax
system backup [type <custom-defaults|cli-config|archive>] [path STRING]
[passphrase STRING] [remove <custom-defaults>]

Parameters
type: The type of backup file to create. Archives are full backups including generated SSH keys and
dynamic DHCP lease information. CLI configuration backups are a list of CLI commands used to build
the device's configuration. (Default: archive)
path: The file path to save the backup to. (Default: /var/log/)
passphrase: Encrypt the archive with a passphrase.
remove: Remove a backup file.

system cloud register


Register with Digi Remote Manager account.

Syntax
system cloud register <username> <password> [group STRING]

Parameters
username: Digi Remote Manager username.
password: Digi Remote Manager password.
group: Group to add device in Digi Remote Manager.

system disable-cryptography
Erase the device's configuration and reboot into a limited mode with no cryptography available. The
device's shell will be accessible over Telnet (port 23) at IP address 192.168.210.1. To return the device
to normal operation, perform the configuration erase procedure with the device's ERASE button twice
consecutively.

Syntax
system disable-cryptography

Parameters
None

system duplicate-firmware
Duplicate the running firmware to the alternate partition so that the device will always boot the same
firmware version.

Syntax
system duplicate-firmware

Parameters
None

system factory-erase
Erase the device to restore to factory defaults. All configuration and automatically generated keys will
be erased.

Syntax
system factory-erase

Parameters
None

system find-me
Find Me function to flash LEDs on this device to help users locate the unit.

Syntax
system find-me <state>

Parameters
state: Find Me control to flash cellular-related LEDs.


system firmware ota check


Query the Digi firmware server for the latest device firmware version.

Syntax
system firmware ota check

Parameters
None

system firmware ota list


Query the Digi firmware server for a list of device firmware versions.

Syntax
system firmware ota list

Parameters
None

system firmware ota update


Perform FOTA (firmware-over-the-air) update. The device will be updated to the latest firmware
version unless the version argument is used to specify the firmware version.

Syntax
system firmware ota update [version STRING]

Parameters
version: Firmware version name.

system firmware update


Update the current firmware image. Upon reboot the new firmware will be run.

Syntax
system firmware update <file>

Parameters
file: Firmware filename and path.

system power ignition off_delay


Update the current ignition off delay without changing the configuration.

Syntax
system power ignition off_delay <off_delay>


Parameters
off_delay: Ignition power off delay. Format: number{h|m|s}, Max: 18h. (Minimum: 0s, Maximum: 18h)

system restore
Restore the device's configuration from a backup archive or CLI commands file.

Syntax
system restore <path> [passphrase STRING]

Parameters
path: The path to the backup file.
passphrase: Decrypt the archive with a passphrase.

system script start


Run a manual script. Scripts that are disabled, not a manual script, or already running cannot be run.

Syntax
system script start <script>

Parameters
script: Script to start.

system script stop


Stop an active running script. Scripts scheduled to run again will still run again (disable a script to
prevent it from running again).

Syntax
system script stop <script>

Parameters
script: Script to stop.

system serial clear


Clears the serial log.

Syntax
system serial clear <port>

Parameters
port: Serial port.

system serial copy


Copy serial settings from a port to a list of ports.


Syntax
system serial copy <source> <destination> [all] [label] [base] [serial]
[session] [monitor] [service] [hangup] [autoconnect] [framing] [modem]
[ppp_dialin] [udp] [logging]

Parameters
source: The serial port to copy settings from.
destination: A list of serial ports to copy settings to. Example: 1-4,8-10 or all.
all: Copy all serial port settings.
label: Copy label setting.
base: Copy enable, mode, sharing, and signal settings.
serial: Copy baudrate, data bits, parity, stop bits, and flow control settings.
session: Copy escape, history, exclusive, and idle timeout settings.
monitor: Copy signal change monitoring settings.
service: Copy SSH, TCP, and Telnet service settings.
hangup: Copy hangup on signal loss settings.
autoconnect: Copy autoconnect settings.
framing: Copy data framing settings.
modem: Copy modem emulator settings.
ppp_dialin: Copy PPP dial-in settings.
udp: Copy UDP serial settings.
logging: Copy logging settings.

system serial ipport


Set sequential IP port numbers for a service on a list of ports.

Syntax
system serial ipport <destination> <service> <base>

Parameters
destination: A list of serial ports to set IP port numbers. Example: 1-4,8-10 or all.
service: The service type to set IP port numbers.
base: Set service IP port numbers to base port + serial port number. (Minimum: 1, Maximum: 65535)
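
The port arithmetic described for system serial ipport, as an added example that is not part of the Digi guide or firmware: a Python helper that expands a destination list and previews the listener ports the command would assign, so they can be compared with firewall rules and checked for overlaps before the change is made. The service labels, the 16-port default and the rejection of results above 65535 are assumptions of this example.

```python
from collections import defaultdict

MAX_IP_PORT = 65535  # documented maximum for the base parameter


def parse_port_list(spec, port_count):
    """Expand a destination list such as '1-4,8-10' or 'all' into serial port numbers."""
    spec = spec.strip().lower()
    if spec == "all":
        return list(range(1, port_count + 1))
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError(f"empty item in destination list {spec!r}")
        first, sep, last = item.partition("-")
        lo = int(first)
        hi = int(last) if sep else lo
        if lo > hi:
            raise ValueError(f"descending range {item!r}")
        if lo < 1 or hi > port_count:
            raise ValueError(f"{item!r} is outside serial ports 1-{port_count}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def plan_ipports(destination, base, port_count=16):
    """Return {serial_port: ip_port} using the documented rule base + serial port number."""
    if not 1 <= base <= MAX_IP_PORT:
        raise ValueError("base must be between 1 and 65535")
    plan = {}
    for serial_port in parse_port_list(destination, port_count):
        ip_port = base + serial_port
        # Assumption of this example: a result above 65535 is treated as an error.
        if ip_port > MAX_IP_PORT:
            raise ValueError(f"serial port {serial_port} would map to {ip_port}")
        plan[serial_port] = ip_port
    return plan


def find_collisions(plans):
    """Given {service_label: plan}, return the IP ports claimed by more than one listener."""
    claimed = defaultdict(list)
    for service, plan in plans.items():
        for serial_port, ip_port in plan.items():
            claimed[ip_port].append((service, serial_port))
    return {port: owners for port, owners in sorted(claimed.items()) if len(owners) > 1}


if __name__ == "__main__":
    # Constructed sample: two services planned on a 16-port unit.
    plans = {
        "ssh": plan_ipports("1-4,8-10", 3000),
        "tcp": plan_ipports("all", 3008),
    }
    for service, plan in plans.items():
        for serial_port, ip_port in plan.items():
            print(f"{service:<4} serial port {serial_port:>2} -> IP port {ip_port}")
    for ip_port, owners in find_collisions(plans).items():
        print(f"collision on IP port {ip_port}: {owners}")
```
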

system serial restart


Delete and restart the serial log.

Syntax
system serial restart <port>

Parameters
port: Serial port.


system serial save


Saves the current serial log to a file.

Syntax
system serial save <port> <path>

Parameters
port: Serial port.
path: The path and filename to save captured traffic to. If a relative path is provided, /etc/config/serial
will be used as the root directory for the path and file.

system serial show


Displays the serial log on the screen.

Syntax
system serial show <port>

Parameters
port: Serial port.

system storage format


Format the SD card.

Syntax
system storage format sd [ext4|exfat]

Parameters
file system type: Select file system type for an SD card (ext4, exfat).

system storage mount


Mount an SD card on a specified partition.

Syntax
system storage mount /opt/ext/sd <partition>

Parameters
partition: Specify the partition number to be mounted.

system storage show


Shows information about an SD card.


Syntax
system storage show

Parameters
None

Example

> system storage show

SD Card
-------
Mount Path: /opt/ext/sd
Device Path: /dev/sdb
Total Size: 3965MB
Partitions:
Num Type Size
--- ----- ------
1 exfat 3964MB

system storage unmount


Unmount the mounted SD card.

Syntax
system storage unmount /opt/ext/sd

Parameters
None

system support-report
Save a support report to a file and include with support requests.

Syntax
system support-report [path STRING]

Parameters
path: The file path to save the support report to. (Default: /var/log/)

system time set


Set the local date and time using the timezone set in the system.time.timezone config setting.

Syntax
system time set <datetime>

Parameters
datetime: The date in year-month-day hour:minute:second format (e.g., "2021-09-26 12:24:48").


system time sync


Set the local time to the first enabled time source that returns valid time information.

Syntax
system time sync

Parameters
None

system time test


Test each enabled time source. This test will not affect the device's current local date and time.

Syntax
system time test

Parameters
None

tail
Tail a file to see its contents.

Syntax
tail <path> [timeout INTEGER] [filter STRING] [match STRING]

Parameters
path: The file to tail.
timeout: The amount of time in seconds to tail the file. (Default: 10)
filter: Only see output that contains this string.
match: Stop tail when this string is detected in output.

telnet
Use Telnet protocol to log into a remote server.

Syntax
telnet <host> [port INTEGER]

Parameters
host: The hostname or IP address of the remote host.
port: The telnet port to use to connect to the remote host. (Minimum: 1, Maximum: 65535, Default: 23)

traceroute
Print the route packets trace to network host.


Syntax
traceroute <host> [ipv6] [gateway STRING] [interface STRING] [first_ttl
INTEGER] [max_ttl INTEGER] [port INTEGER] [nqueries INTEGER] [src_addr STRING]
[tos INTEGER] [waittime INTEGER] [pausemsecs INTEGER] [packetlen INTEGER]
[debug] [dontfragment] [icmp] [nomap] [bypass]

Parameters
host: The host that we wish to trace the route packets for.
ipv6: If a hostname is defined as the value of the 'host' parameter, use the host's IPv6 address.
gateway: Tells traceroute to add an IP source routing option to the outgoing packet that tells the
network to route the packet through the specified gateway.
interface: Specifies the interface through which traceroute should send packets. By default, the
interface is selected according to the routing table.
first_ttl: Specifies with what TTL to start. (Minimum: 1, Default: 1)
max_ttl: Specifies the maximum number of hops (max time-to-live value) traceroute will probe.
(Minimum: 1, Default: 30)
port: Specifies the destination port base traceroute will use (the destination port number will be
incremented by each probe). A value of -1 specifies that no specific port will be used. (Minimum: -1,
Default: -1)
nqueries: Sets the number of probe packets per hop. A value of -1 indicated. (Minimum: 1, Default: 3)
src_addr: Chooses an alternative source address. Note that you must select the address of one of the
interfaces. By default, the address of the outgoing interface is used.
tos: For IPv4, set the Type of Service (ToS) and Precedence value. Useful values are 16 (low delay) and
8 (high throughput). Note that in order to use some TOS precedence values, you have to be super
user. For IPv6, set the Traffic Control value. A value of -1 specifies that no value will be used.
(Minimum: -1, Default: -1)
waittime: Determines how long to wait for a response to a probe. (Minimum: 1, Default: 5)
pausemsecs: Minimal time interval between probes. (Minimum: 0, Default: 0)
packetlen: Total size of the probing packet. Default 60 bytes for IPv4 and 80 for IPv6. A value of -1
specifies that the default value will be used. (Minimum: -1, Default: -1)
debug: Enable socket level debugging.
dontfragment: Do not fragment probe packets.
icmp: Use ICMP ECHO for probes.
nomap: Do not try to map IP addresses to host names when displaying them.
bypass: Bypass the normal routing tables and send directly to a host on an attached network.

vtysh
Opens the integrated shell for FRRouting (FRR). For more information on FRRouting and VTYSH, visit
the FRRouting documentation at https://docs.frrouting.org/projects/dev-guide/en/latest/vtysh.html.

Syntax
vtysh

Parameters
None



Safety warnings

English

Operation of this equipment in a residential environment could cause radio interference.

Bulgarian--български

Работата с това оборудване в жилищна среда може да причини радиосмущения.

Croatian--Hrvatski

Rad ove opreme u stambenom okruženju mogao bi prouzročiti radio smetnje.

French--Français

L'utilisation de cet équipement dans un environnement résidentiel peut provoquer des interférences radio.

Greek--Ελληνικά

Η λειτουργία αυτού του εξοπλισμού σε οικιστικό περιβάλλον μπορεί να προκαλέσει παρεμβολές ραδιοφώνου.

Hungarian--Magyar

A berendezés lakókörnyezetben történő működtetése rádiózavarokat okozhat.


Italian--Italiano

Il funzionamento di questa apparecchiatura in un ambiente residenziale potrebbe causare interferenze radio.

Latvian--Latvietis

Šīs ierīces darbība dzīvojamā vidē var izraisīt radio traucējumus.

Lithuanian--Lietuvis

Naudojant šią įrangą gyvenamojoje aplinkoje, gali kilti radijo trukdžių.

Polish--Polskie

Praca tego sprzętu w środowisku mieszkalnym może powodować zakłócenia radiowe.

Portuguese--Português

A operação deste equipamento em um ambiente residencial pode causar interferência de rádio.

Slovak--Slovák

Prevádzka tohto zariadenia v obytnom prostredí by mohla spôsobiť rádiové rušenie.

Slovenian--Esloveno

Delovanje te opreme v stanovanjskem okolju lahko povzroči radijske motnje.


Spanish--Español

El funcionamiento de este equipo en un entorno residencial puede provocar interferencias de radio.



Digi Connect EZ 16/32 regulatory and safety statements

RF exposure statement
In order to comply with RF exposure limits established in the ANSI C95.1 standards, the distance
between the antenna or antennas and the user should not be less than 20 cm.

Federal Communication (FCC) Part 15 Class B

Radio Frequency Interference (RFI) (FCC 15.105)


The Digi Connect EZ 16/32 has been tested and found to comply with the limits for a Class B digital
device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable
protection against harmful interference in a residential installation. This equipment generates, uses,
and can radiate radio frequency energy and, if not installed and used in accordance with the
instructions, may cause harmful interference to radio communications. However, there is no
guarantee that interference will not occur in a particular installation. If this equipment does cause
harmful interference to radio or television reception, which can be determined by turning the
equipment off and on, the user is encouraged to correct the interference by one or more of the
following measures:
- Reorient or relocate the receiving antenna.
- Increase the separation between the equipment and the receiver.
- Connect the equipment into an outlet that is on a circuit different from the receiver.
- Consult the dealer or an experienced radio/TV technician for help.

Labeling Requirements (FCC 15.19)
Connect EZ 16/32 complies with Part 15 of FCC rules. Operation is subject to the following two
conditions: (1) this device may not cause harmful interference, and (2) this device must accept any
interference received, including interference that may cause undesired operation.
If the FCC ID is not visible when installed inside another device, then the outside of the device into
which the module is installed must also display a label referring to the enclosed module FCC ID.

Modifications (FCC 15.21)
Changes or modifications to this equipment not expressly approved by Digi may void the user’s
authority to operate this equipment.


European Community - CE Mark Declaration of Conformity (DoC)


Digi has issued Declarations of Conformity for the Connect EZ 16/32 concerning emissions, EMC, and
safety. For more information, see www.digi.com/resources/certifications.
Important note
Digi customers assume full responsibility for learning and meeting the required guidelines for each
country in their distribution market. Refer to the radio regulatory agency in the desired countries of
operation for more information.

CE and UKCA OEM labeling requirements


The CE and UKCA markings must be clearly visible and legible when you affix them to the product. If this
is not possible, you must attach these marks to the packaging (if any) or accompanying documents.

CE labeling requirements
The “CE” marking must be affixed to a visible location on the OEM product. The following figure
shows CE labeling requirements.

The CE mark shall consist of the initials “CE” taking the following form:
- If the CE marking is reduced or enlarged, the proportions given in the above graduated
  drawing must be respected.
- The CE marking must have a height of at least 5 mm except where this is not possible on
  account of the nature of the apparatus.
- The CE marking must be affixed visibly, legibly, and indelibly.


UK Conformity Assessed (UKCA) labeling requirements

See guidance/using-the-ukca-marking for further details.


You must make sure that:
- If you reduce or enlarge the size of your marking, the letters forming the UKCA marking must
  be in proportion to the version set out below.
- The UKCA marking is at least 5 mm in height – unless a different minimum dimension is
  specified in the relevant legislation.
- The UKCA marking is easily visible, legible (from 1 January 2023 it must be permanently
  attached).
- The UKCA marking can take different forms (for example, the color does not have to be solid),
  as long as it remains visible, legible and maintains the required proportions.


RoHS compliance statement


All Digi International Inc. products that are compliant with the RoHS Directive (EU Directive
2002/95/EC and subsequent amendments) are marked as RoHS COMPLIANT. RoHS COMPLIANT
means that the substances restricted by the EU Directive 2002/95/EC and subsequent amendments of
the European Parliament are not contained in a finished product above threshold limits mandated by
EU Directive 2002/95/EC and subsequent amendments, unless the restricted substance is the subject of
an exemption contained in the RoHS Directive. Digi International Inc. cannot guarantee that inventory
held by distributors or other third parties is RoHS compliant.

Safety notices
- Read all instructions before installing and powering the router. You should keep these
  instructions in a safe place for future reference.
- If the power supply shows signs of damage or malfunction, stop using it immediately, turn off
  the power and disconnect the power supply before contacting your supplier for a repair or
  replacement.
- Changes or modifications not expressly approved by the party responsible for compliance
  could void the user’s authority to operate the equipment. Use only the accessories,
  attachments, and power supplies provided by the manufacturer. Connecting non-approved
  antennas or power supplies may damage the router, cause interference or create an electric
  shock hazard, and will void the warranty.
- Do not attempt to repair the product. The router contains no electronic components that can
  be serviced or replaced by the user. Any attempt to service or repair the router by the user will
  void the product warranty.
- Ports that are capable of connecting to other apparatus are defined as SELV ports. To ensure
  conformity with IEC 60950, ensure that these ports are only connected to ports of the same type
  on other apparatus.

Cautionary statements for Connect EZ 16/32

Residential environment warnings


Note: This equipment meets Class A requirements that may not offer adequate protection to
broadcast services within a residential environment.

Product disposal instructions


The WEEE (Waste Electrical and Electronic Equipment: 2002/96/EC) directive has been introduced to
ensure that electrical/electronic products are recycled using the best available recovery techniques to
minimize the impact on the environment.


This product contains high quality materials and components which can be
recycled. At the end of its life this product MUST NOT be mixed with other
commercial waste for disposal. Check with the terms and conditions of your
supplier for disposal information.

Digi International Ltd WEEE Registration number: WEE/HF1515VU
