Last Update: Feb 15th, 2013

ET/BWMGR Appliance Manual for v4

Getting Started

Unpacking and Setting up the system

In the box with your appliance, you will find a smaller box, which contains the printed version of this manual, the power cord(s), and any rack-mount accessories. If you have purchased support, you will also find a USB stick in this box. Do not format or erase this USB drive, as it has a bootable image for repair and recovery.

Making the Connections

This section describes each of the available appliances. Make sure you read the entire hardware section carefully before making any connections.

Power Supply Requirements & Plug Locations:

The power supply requirements and location of connectors are directly related to which enclosure you have ordered. Make sure you read the appropriate section for your case, as plugging in the unit before selecting the proper voltage can easily (and instantly) ruin your power supply. All of the cases have an ATX-style connection panel with keyboard, mouse, VGA, and at least one serial port, usually coded by color. (VGA=blue, keyboard=purple, COM1 serial=green). For the location of network connections and power supply notes, please read the section below for your case.

1U/SM Cases: (ET/R2800, ET/R2816, ET/R1500SM, ET/R1700SM, ET/R1750D)

The SuperMicro 1U case contains an auto-switching power supply that can accept both 115v and 230v AC input. Viewing the front panel, you will see the CD-ROM drive and hard disk bays, as well as the power and reset buttons. Viewing the back, you will find the primary ethernet ports are located immediately to the right of the ATX cluster, and are labelled port 1 and 2. The bypass/failover ports are located in the card slot(s) to the right.

Units with redundant power supplies (ET/R2800, ET/R2816) have two hot-swappable power supply units. If a module fails, you can remove the failed module (identifiable by an amber or red LED indicator) by squeezing the tab and pulling the module straight out from the back of the case. Should one of your power supplies fail, you can run the unit on one supply until you can obtain a replacement. The audible alarm can be silenced by removing the inoperative power supply module.

1U/SM Mini Cases: (ET/R2400[W], ET/A1600, ET/R1710SM, ET/R1750SM, ET/R1800GO-M)

The 1U mini cases have an auto-switching power supply that can accept both 115v and 230v AC input. The layout is similar for all of the models. Viewing the front panel, you will see the CD-ROM (if installed) drive on the left, and the power button on the right, next to the indicator lights. The 1U mini cases are much smaller and lighter than our other appliances, and do not ship with the sliding rail attachments. The only model that currently ships with a CD-ROM drive is the R2400W.

ET/A1600

Viewing the rear of the case, the primary and secondary ethernet ports (re0 and re1) are located immediately on the right of the video output. The failover ports, if installed, will be in the card slot on the right, and will be named em0 and em1. Due to its light weight, the ET/A1600 does not ship with rails for rack-mounting.

ET/R2400[W]

Viewing the rear of the case, the primary and secondary ethernet ports (em0 and em1) are located immediately to the right of the video output, and are labelled 1 and 2. The failover ports (em2 and em3) are located in the card slot on the right.

ET/R2800[W]

Viewing the rear of the case, the primary and secondary ethernet ports (em0 and em1) are located immediately to the right of the video output, and are labelled 1 and 2. The failover ports (em2 and em3) are located in the card slot on the right.

ET/R2816

Viewing the rear of the case, the primary and secondary ethernet ports (igb0 and igb1) are located immediately to the right of the video output, and are labelled 1 and 2. The failover ports (igb2 and igb3 for gigabit, or ix0 and ix1 for 10GB systems) are located in the card slot on the right.

Network Connections:

Now that you have identified your on-board ethernet and Failover ethernet ports, it is time to make your connections and test your appliance.

Connecting a System with Failover Hardware:

Your appliance is pre-configured to act as a transparent bridge between each pair of failover ports. When the unit is powered down, the failover ports are in the "closed" state, and should act like a passive ethernet coupler. Therefore, your first action should be to connect each failover port to a separate segment of your test network, and ensure that traffic is passed through. Use the appropriate network cabling: if you are connecting to a switch, use a regular cat5 cable. If you are connecting directly to another NIC, use a crossover. Care must be taken not to plug any two failover ports into the same network segment. Plugging two bridged ports into the same switch will most likely bring down that network segment and your bandwidth manager.

Once you have tested passing traffic with the appliance off, it's time to power on. Make sure you have a monitor and keyboard connected, and plug in the AC power cord.

Once the machine is powered up and the ET/BWMGR is running, the software watchdog routine will "open" the failover ports. If you are close to the unit, you may hear a "click" as the ports open. When the ports are opened, the ET/BWMGR bridge will pass traffic from one interface to the other. When the failover ports are in the "closed" state traffic should pass as if there is a single wire and the machine is not present. Be aware that some devices do not "negotiate" the link speed and duplex correctly, so you may have to force one or both of the devices into the correct setting. If you see sluggish system performance or the unit won't pass data, see the troubleshooting section for more info.

Once you determine that you are passing traffic correctly and the machine is bridging, you can continue by assigning an IP address.

Booting the System

Your system should boot to a login prompt. Log in with the user name "root" and the default password "saturn5". You should then see a shell prompt similar to the following:

ET/R2400#

Initial System Setup

In order for your system to function properly on your network you will need to do some basic set up so that you can access the ET/BWMGR administrative interface. At a minimum, you must enter a password for the appliance, the IP address, DNS server information, and a default gateway before continuing.

Using the Setup Script:

Your appliance comes with a script that will prompt you for the necessary settings. The simplest way to do the initial setup is to run the "etip" command after logging in as root. This will prompt you for a password, followed by the network settings. See the example below. For appliance customers with hardware failover, choose the first on-board ethernet to assign the IP address (em0 on the ET/R2400[W] and ET/R2800[W], igb0 on the ET/R2816, and re0 on the ET/A1600.) Commands typed by the user are shown in italics. For security reasons, the default "saturn5" password is not accepted.

Please choose a password for the 'admin' and 'root' users. You must do
this to enable remote access and use the ET/Admin GUI.
Enter password:
Confirm password:
Updated password of ET/Admin user admin
chpass: user information updated
chpass: user information updated

Next, you must set up networking. You should have 3 interfaces - 1 for administration, and 2 bridge ports. Before continuing, please connect the administrative port ONLY to a switch. In this example, we would pick em0 as we know that is the port that is connected.

(Connect the administrative interface, then press "enter" to continue)

Which interface would you like to assign an IP address? Select from the
following list of detected interfaces.
Interface   Status
em0         Up
em1         down
em2         down
em3         down
Interface: em0
Please enter the IP address for em0: 192.168.1.20
Enter your netmask (or hit enter for default of 255.255.255.0):
Enter your default gateway: 192.168.1.1
Enter your primary DNS server: 192.168.1.1
Using the following values for interface re0:
IP Address: 192.168.1.20, Netmask 255.255.255.0
Default Gateway: 192.168.1.1
Primary DNS Server: 192.168.1.1
OK to use these settings? (y/n) y
Setting IP address: Done
Adding/Changing Default Gateway: Done.

(Connect your "outside" interface, and press "enter" to continue)

NOTE: Multi-core appliances shipped with FreeBSD 7.0 have the bridge pre-configured. When you set up networking, answer 'n' to skip the bridge setup to use the default configuration, unless you know you need to change the bridge settings.

Enter two interface names, separated by a space. The first interface will be
configured as the "outside" interface, and should already be connected
to your upstream switch.
Interface   Status
em0         Up
em1         down
em2         Up
em3         down
Interfaces: em2 em3
Configuring bridge on em2 and em3...
Done

Your next step should be to connect to the ET/Admin GUI interface.

Connecting to the ET/ADMIN Interface:

Once you have assigned the ethernet address, you should be able to access the graphical administration interface (ET/Admin). Use your favorite web browser to access the following URL:

http://a.b.c.d

Where a.b.c.d is the address that you assigned the system. You will be prompted for a username and password. The default username is "admin" and the password is the one you entered during "etip" (see "Changing the ET/ADMIN password"). Once you have set up the address and can connect to the ET/Admin GUI, you can skip the "manual system setup" section, but do take a look at the "setting the time zone" section below.

Setting the Default and Outside Interface:

Your next step is to identify which of your failover ports is connected to the "outside" of your network. It is typical to define one interface to be both the outside and default interface. This way you can put all of your rules on one interface, and ensure that your graphs and the main status page reflect in- and out-bound traffic correctly.
On the main ET/BWMGR screen, click on "default". Alternately you can click on the "set" button next to the interface listing in the "Bwmgr" status section. In this example we have em2 connected to the outside network, so we will select "em2" from the pull-down list for "Default Interface", and then click "Save" to apply the change.
You will now notice that em2 is listed as the Interface on the status page. Click on "em2" to view the interface settings, and then click on "Edit Interface". Check the box next to the word "Outside", and then click on the "Submit" button.

The following indented section is for reference only, in case you need to fix something manually that etip doesn't handle.

Manual System Setup:

If you need to manually set up your system, the following section describes the steps required to make your initial settings and store them so they will be activated whenever your system is restarted. If you have used the etip setup script then you should skip to the section titled "Setting The Time Zone".

Log in as root, and run the following command (where a.b.c.d is the IP address you wish to assign the bandwidth manager, and x.x.x.x is the netmask). You should replace the interface name with whatever port 0 is on your machine, if necessary.

# ifconfig em0 a.b.c.d netmask x.x.x.x

After doing this, your machine should be accessible from the network with the address you specified. Note that the address you give the system must be an address that is accessible locally on the wire that you have attached to the first ethernet port.
Also note that using "ifconfig" to set/change IP addresses is a temporary change and will not be saved if the machine is rebooted. See the section on connecting to the ET/ADMIN interface and permanently setting IP addresses below.

Permanently Setting the IP Address

If you have just set up your system for the first time, you must now use the administration tools to permanently change the IP of your bandwidth manager. If you have a machine that's already in use, this is the correct method to change/add IP addresses as well. To tell the system to set the IP address you've assigned at each reboot, click on the Network tab from the left-hand menu and then select the Network Configuration link. This will bring up some additional icons:

Select -> Network Interfaces:

Within the table below Interfaces Activated at Boot Time, click on port 0, which will bring up a screen with information about this interface. Set your IP address to a.b.c.d (make sure the button next to the text box is selected) and verify IP and netmask settings. Make sure "Activate at boot?" is 'Yes', then click on save and apply. Make certain that you modify the interface on the bottom section of the page (under the "Interfaces Activated at Boot Time" label), as these changes are carried over to future boots. Changes made from the "Active Interfaces" table will only be temporary. Note that if you are planning to use the appliance as a router, you will want to assign an IP address to each interface that will be active. To return to the menu, Click on

Setting the Default Gateway:

Next you need to set the default gateway for the system if you want the machine to be able to access outside networks. If you DON'T want the machine to be accessible or to have access to the internet, skip this step. Note that in order to register the BWMGR software or use the web update facility you will have to be able to access the internet. To set the default gateway:

Select->Routing and Gateways:

Select the button next to the text box and enter the IP address of your default router. Note that the address must be accessible (typically on the same network as your IP address and network mask entered previously). Click save to save the settings.

Setting up DNS:

In order to access the bandwidth manager by name, or to be able to access other systems by name (required for the web update procedure), you must set up your DNS (Domain Name Service) client. You will also be able to set the hostname of this machine. From the menu:

Select-> DNS Client:

Set the hostname of this machine, and add your nameserver(s) IP address(es) in the DNS Servers box. Click save.

If you don't have a real DNS entry in your server for this system, you can use the "Host Addresses" table to alias names with IP addresses. The host address table will also be looked at before DNS is attempted, so it is a bit faster. It's also useful for aliases that are not real DNS entries. For example, if you wanted to access a machine at 211.14.18.12 with the name "MySunWorkstation", you could add an entry in the host addresses table as such and that name would be translated to the correct address.

Setting the Time Zone:

Making sure the time is correct is fairly important for users who are interested in storing statistics for rules. There are different utilities for selecting the proper time zone depending on which operating system you are using. For either OS, you must log in to the console as "root". On FreeBSD, run the 'tzsetup' program, which will bring up a series of text dialog boxes that can be navigated with the arrow keys. For Linux, use 'tzselect'. Both programs are fairly self-explanatory and require that you choose the proper geographic area to narrow down the selection list. After confirming the time zone is correct for your location, check the time and adjust it if necessary.

Setting the Time and Date:

Click on the "System" tab from the main ET/Admin menu, then select the "System Time" link. You will see several fields where you can select the current Date, Month, Year, Hour, Minute, and even seconds. Make sure the date and time are current and click the "Apply" button to change the system time.

You are now finished with the basic configuration of the bandwidth manager. You may now want to read the section regarding using SSL encryption with the ET/ADMIN interface, as well as the section on enabling Apache and Apache redirects.

Configuring a NAT System

NAT (Network Address Translation) allows a private network connected to the appliance to share the public IP address assigned to the administrative interface.

NAT with a Failover Bridge:

Failover appliances should have 4 ports. Depending on your appliance, the port names will be:

em0, em1, em2, and em3 (ET/R2400, ET/R2800)

Port 0 is your administrative port.
Port 1 is the NAT port.

Before setting up NAT, you should first configure and connect your appliance as detailed in Initial System Setup. Configure your administrative port with an IP address (which is also referred to here as the "public" address) and connect your failover ports. Once you have the appliance connected and have tested that bridging works, then continue with the NAT configuration.

Connect to the ET/Admin GUI, and assign the private IP address and netmask to port 1 (e.g., 10.0.1.1).

Configure your test machine with an address on the private network (eg, 10.0.1.30, with default gateway 10.0.1.1). Make sure that the test machine can ping 10.0.1.1. At this point, the appliance should be able to access external networks, but not the test machine.

Start NATd:

# sh /etc/rc.natd

Once NATd is started, you should confirm that the test machine can now access external networks. If necessary during testing, the correct way to stop NATd is:

# sh /etc/rc.natd stop

Once you have verified that NAT is working, you can enable it at boot time. From the main ET/Admin menu, select the "System Functions" link on the left side, then select "Boot Startup Tasks" below it. Find the line that starts NATd, and uncomment it by removing the "#" character from the start of the line, then clicking "Save" at the bottom of the screen.

Failover Notes:

Ports 2 and 3 are your bridged failover ports, and do not need IP addresses. Do not change the default bridge configuration. NAT will co-exist with your bridge, and will continue to operate even if the appliance is put into manual bypass mode; however, if the machine goes down or is powered off, the private network will be isolated.

NAT with a 2-port system (without Failover):

The first step is to configure the IP addresses. The primary address on em0 should be set first, using the 'etip' command as outlined in Initial System Setup. The default gateway, netmask, and primary DNS server are also configured at this time. Also see the Registration section, as you will need to enter your license key to start the ET/BWMGR software if you haven't already.

Connect to the ET/Admin GUI, and disable bridging on em0 and em1.

Assign the private IP address to em1. (eg, 10.0.1.1). You must use the ET/Admin GUI to assign this address, not 'etip'. At this point, you should be able to reach external networks directly from the appliance, and our test machine (with IP 10.0.1.30 and default gateway of 10.0.1.1) should only be able to reach its default gateway address.

Start NATd:

# sh /etc/rc.natd

Once NATd is started, you should confirm that the test machine can now access external networks. If necessary during testing, the correct way to stop NATd is:

# sh /etc/rc.natd stop

Once you have verified that NAT is working, you can enable it at boot time. From the main ET/Admin menu, select the "System Functions" link on the left side, then select "Boot Startup Tasks" below it. Find the line that starts NATd, and uncomment it by removing the "#" character from the start of the line, then clicking "Save" at the bottom of the screen.

NATd configuration:

The configuration for NATd is stored in "/etc/natd.conf". The basic configuration consists of two options, and can likely be used as-is.

interface defines the ethernet port with the public address.
unregistered_only will restrict NAT to only allowing private, unroutable addresses to be translated. This is enabled by default.

If you wish to use a more advanced configuration, please read the man page for 'natd'. As usual, we recommend testing with the default setup before changing anything.
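
A pre-flight check for the addressing plan used in the gateway and NAT sections above, as an added example that is not part of the ET/BWMGR software: it confirms the default gateway is on the admin port's subnet, that the test client sits on the NAT port's subnet, and that the client's address is RFC 1918 space, which is what unregistered_only translates. The function names are hypothetical, the addresses are the manual's sample values, and the private netmask 255.255.255.0 is an assumption.

```sh
#!/bin/sh
# Added example; not shipped with the appliance. All function names are hypothetical.

# ip_to_int A.B.C.D -> prints the address as an integer; returns 1 if malformed.
ip_to_int() {
    case "$1" in
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in 0?*) return 1 ;; esac          # reject leading zeros (octal ambiguity)
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet IP1 IP2 NETMASK -> 0 if both addresses share the network, 2 on bad input.
same_subnet() {
    a=$(ip_to_int "$1") && b=$(ip_to_int "$2") && m=$(ip_to_int "$3") || return 2
    [ $(( a & m )) -eq $(( b & m )) ]
}

# is_rfc1918 IP -> 0 for 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16.
# These are the source addresses natd rewrites when unregistered_only is set.
is_rfc1918() {
    n=$(ip_to_int "$1") || return 2
    [ $(( n >> 24 )) -eq 10 ] || [ $(( n >> 20 )) -eq 2753 ] || [ $(( n >> 16 )) -eq 49320 ]
}

# check_nat_plan ADMIN_IP ADMIN_MASK GATEWAY NAT_IP NAT_MASK CLIENT_IP
# Prints one line per problem; returns 0 only when the plan is consistent.
check_nat_plan() {
    problems=0
    same_subnet "$1" "$3" "$2" || {
        echo "gateway $3 is not on the admin port's subnet ($1 / $2)"
        problems=$((problems + 1))
    }
    same_subnet "$4" "$6" "$5" || {
        echo "client $6 is not on the NAT port's subnet ($4 / $5)"
        problems=$((problems + 1))
    }
    is_rfc1918 "$6" || {
        echo "client $6 is not RFC 1918 space; unregistered_only leaves it untranslated"
        problems=$((problems + 1))
    }
    [ "$problems" -eq 0 ]
}

# Constructed demo with the manual's sample values (private netmask is assumed).
check_nat_plan 192.168.1.20 255.255.255.0 192.168.1.1 \
               10.0.1.1 255.255.255.0 10.0.1.30 && echo "plan is consistent"
```
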

Registering Your ET/BWMGR License Key

Appliances ship with a demo key installed. You must install the license key issued to the appliance, as the demo is time-limited. When an appliance is shipped, a license key is generated and sent by email to the contact on the purchase order. Additionally, the license key should also be printed on your invoice. You can also find a listing of all of your current license keys by logging into your account on our web site. If you have multiple licenses or appliances, you can view all your keys, and match the serial number of the license to the serial number of the primary ethernet interface on your appliance.

Initially, you should start the ET/BWMGR with your license key to ensure that it works; this will also eliminate the demo time limit. Once you have the unit installed in the final location, you should then register your license. Registration is required in order to access the update server, whether you have the included 30 days of support and updates, or you have purchased the 1-year subscription. If you have the free 30-day subscription, you should make sure to check for any updates or bug fixes that have been added since your system was built before the subscription expires. You can see the expiration date of your keys when viewing them in your account on the ET web site.

When you access the ET/Admin GUI, you will see the main ET/BWMGR configuration on the right side of the screen. If not, click on Bandwidth Manager on the left hand side on the top of the menu. Click on the "Setup BWMGR" button. Make sure your primary interface is selected as the "key interface" (either fxp0 or em0). To double check, display the pull down menu for "Key Interface" and match the serial# in your email with the code shown next to each interface. The serial number must match in order for the key to work. Select the proper interface, and then paste or type your license key into the "Key" field. Click the "Start ET/BWMGR" button. The system should start successfully. Now return to the Startup Menu.

To register your system, you will have to have access to the outside world, which means that at least your default gateway will have to be configured and any firewalls will have to be disabled for ports 4000 to 5000. You must also have a working DNS setup. If you get a "server down" message, it's possible that the server really is down, but more likely the problem is that you can't reach the server for some reason, so check your connectivity to www.etinc.com. This can be done by going to the main "Update System" screen, and then clicking on "Check Versions", which will attempt to connect to etinc.com and will display a reasonably verbose explanation of any errors encountered. See the BWMGR FAQ for more information. To register your system, Click the "Register ET/BWMGR" button.

Connecting to the System from a Network

Once you complete the initial configuration, most configuration tasks can be done via the HTML interface. If you need to get into the command line interface, you can access the console remotely via either Telnet or SSH.

Telnet vs SSH:

Both Telnet and SSH require the use of a program on the client end to connect. There is a Telnet client included as part of most Windows installations. For security reasons, you cannot log in directly as "root" when you access the console remotely. When connecting with Telnet or SSH, you will have to first log in as the "admin" user. Once logged in, you can use the "su" command to become the super-user (root) to perform administration tasks or use the ET/BWMGR tools:

# su -

Telnet is a plain-text protocol while SSH encrypts all communications between the client and the server, including password authentications. This is intended to prevent password sniffing. SSH also provides host authentication via a host key, which is stored by the client the first time it connects to a server, and verified at the beginning of each connection. If the host key changes for any reason, SSH will warn the user and refuse to connect unless they take manual action. This reduces the possibility of someone hijacking an IP address and attempting to steal passwords. Telnet and SSH are configured and accessible on the unit by default. It is recommended, especially if you or your staff may be accessing the system from outside your local network, that you use an SSH client to connect.

Different clients may have different interfaces (particularly from a Windows Box), but from a standard unix system you can access the system remotely via telnet with the command:

# telnet a.b.c.d

where a.b.c.d is the address to use. If successful, you should see a login prompt. Again, you cannot log in as "root" when accessing the system from a network (via Telnet or SSH), so you should log in using "admin" with the appropriate password. Then you can use the "su" program to change to super-user ("root" is super-user by default) as follows:

$ su -
password: saturn5
ET/R2816#

Don't forget the "-" option, which allows you to inherit the root user's paths, so the system and BWMGR programs can be run without using full pathnames.

To access the system via ssh, enter a command similar to the following:

# ssh admin@a.b.c.d
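
The host-key check described above, reduced to its decision logic, as an added example (not OpenSSH's code and not part of the appliance): a key is stored on first contact, compared on every later connection, and a mismatch is refused before any password is sent. Function names and key strings are constructed placeholders, and hashed known_hosts entries are not handled.

```sh
#!/bin/sh
# Added example; function names are hypothetical and the keys below are
# constructed placeholders, not real host keys.
KEY_A='AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyA'
KEY_B='AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyB'

# check_host_key KNOWN_HOSTS HOST KEYTYPE KEY
# Looks HOST up in a plain (unhashed) known_hosts-style file whose lines are
#   name[,name...] keytype base64key
# and prints: new | match | changed
check_host_key() {
    [ -r "$1" ] || { echo new; return 0; }
    stored=$(awk -v h="$2" -v t="$3" '
        $0 ~ /^#/ || NF < 3 { next }
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == h && $2 == t) { print $3; exit }
        }' "$1")
    if [ -z "$stored" ]; then
        echo new
    elif [ "$stored" = "$4" ]; then
        echo match
    else
        echo changed
    fi
}

# ssh_connect_sim KNOWN_HOSTS HOST KEYTYPE KEY
# Models the client's reaction: store on first contact, proceed on a match,
# refuse (non-zero status) when the presented key differs from the stored one.
ssh_connect_sim() {
    case $(check_host_key "$@") in
        new)     printf '%s %s %s\n' "$2" "$3" "$4" >> "$1"; echo stored ;;
        match)   echo verified ;;
        changed) echo refused; return 1 ;;
    esac
}

# Constructed demo: three connection attempts to the same address.
kh_demo=$(mktemp)
ssh_connect_sim "$kh_demo" 192.168.1.20 ssh-ed25519 "$KEY_A"   # first contact
ssh_connect_sim "$kh_demo" 192.168.1.20 ssh-ed25519 "$KEY_A"   # same key again
ssh_connect_sim "$kh_demo" 192.168.1.20 ssh-ed25519 "$KEY_B" ||
    echo "key changed: no password is sent to this host"
rm -f "$kh_demo"
```

On a real client, `ssh-keygen -F a.b.c.d` shows the entry stored for the appliance, and a Telnet session has no equivalent check at all.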

System Backups

Setting up the Hard Drive Backup System

On appliances with two or more drive bays, the additional drives can be used for backups. Looking at the front of the case, the main disk is always installed in the left-most drive bay, and the first backup disk immediately to the right. Disks are numbered from left to right. On a newly purchased appliance, any backup disks will have a copy of the main disk as it was shipped. The backup task is not enabled by default on new appliances. You must enable the scheduled task that backs up the contents of the main disk to the spare disk. Once you have enabled the backup, you can check the status of the backups by viewing the log file "/var/log/backup_appliance".

Enabling/Configuring the Hard Drive Backup

Select "System Functions" and then click on "Scheduled Commands". You will see a table with the list of commands and the status for each. Look for the command "/usr/local/bin/backup_apliance". To change the status or configure the time(s) at which the backup occurs, click on the command name.
At the "Edit Cron Job" menu, you can turn the backup on or off by clicking "Yes" or "No" at the top. In the "When to Execute" box, you can select the time(s) at which the backup will be run. The backup jobs can be enabled as-is, or modified to run at a time of your choosing. By default, the first disk is used as a daily backup, at 4:51 AM. The second and third disks are used as weekly and monthly backups. It is recommended that you use different times for each backup job, to avoid the possibility of two jobs running simultaneously. The backup utility will not run until the corresponding job is enabled.

What to do if your main Hard Drive Fails

If your main disk fails, then you can switch to a backup disk. The appliance must be halted and powered off before swapping the main drive. Depending on your appliance, there may be a release on the front of the drive bay that will allow the drive to be removed, or you may need to slide open the top of the case in order to remove a setscrew. Remove the main drive, and set aside. Then remove the spare disk, place it in the main drive bay, and boot the appliance.

Initializing a new backup hard drive

If you have an older appliance that has IDE disks, then you must power off the appliance before installing the replacement drive. SATA drives can be installed while the appliance is running, but cannot be accessed until the appliance is booted with the drive installed, or the "atacontrol" utility is used to reset the drive controller. As an example, here are the commands to reset drives number 2, 3, and 4 on an ET/R2800 appliance:

# atacontrol detach ata5
# atacontrol attach ata5

# atacontrol detach ata6
# atacontrol attach ata6

# atacontrol detach ata7
# atacontrol attach ata7

Once the spare drive is detected, run the following command as the "root" user:

# backup build ad10 auto

This will partition and format the spare disk named "ad10."

Backing up manually

You may want to run a backup after setting up the disk, to make sure that you have a known starting point. To backup manually, you just need to know what the target disk name is.

# backup ad10 full

Other Configuration Options

Enabling Controls

Before you can use controls you must do two things.
Click the checkbox next to "Show Controls" in the "Defaults" config page.
From the command-line, run "enable_controls", which will enable the periodic task that checks controls at boot and at set intervals (by default, every hour.)
If you are no longer using controls, the "disable_controls" command can be used to disable the periodic check.

DHCP Server

The DHCP server requires the use of the BPF interface, which is disabled by default for performance reasons. BPF can be enabled by running the following command as the "root" user on the console or SSH login:

# sysctl net.link.bwmgr.bpf_enable=1

Configuring your appliance as a router:

Appliance units with multiple ethernet interfaces are configured as a bridge by default. Here are the steps you must take on a factory-fresh ET machine to enable routing:

From the ET/ADMIN interface, select the "Bandwidth" link on the left, then click on "Setup Bridging" icon.
You will see a list of the interfaces and their bridging status in the "ifac" column. For each interface, click on the interface name, and change the bridging mode to "disabled", then click on "submit".

Now that you've disabled bridging, you must enable routing. From the main ET/ADMIN menu, select the "Network" tab, then "Network Configuration". Follow the instructions above on IP configuration to set the IP address for each interface.

The next and final step is to use the "Routing and Gateways" tool to enable IP forwarding. Find the line "Act as Router?", and check "yes". Make sure that the default router for the machine is set properly, then click on "save". You will then have to reboot the system. As noted above, using a machine with the -FO failover ethernet option as a router renders the failover function useless, so it's recommended that you not do this.

Changing the ET/ADMIN Password:

The ET/ADMIN password for the default user "admin" can be changed by clicking on "Administration" and selecting "ET/Admin Users", then clicking on the user "admin" in the left column. The second line is the new password entry form. Click "set to", enter the new password, then click on "save". You will then receive an "invalid login" message. Login to ET/ADMIN using the new password.

Note that the user names for the system (which are used for Telnet/SSH and logging in at the console, for example), are not the same. The GUI has its own user/password combinations that are by default unrelated to the normal system users and passwords. In reality, there are 2 distinct "admin" users: one for the ET/ADMIN interface, and one for the system. The passwords for the 2 must be set independently. The "admin" login to the ET/ADMIN interface is the equivalent of "root" and has full access to change aspects of the operating system (known as superuser privileges). The other "admin" is the Unix user, which is simply used when connecting to the system using telnet or SSH. See the example for connecting via telnet and using the su command to become the superuser.

Changing the System Passwords

The password for the default "admin" and "root" user is set when you first log in to the machine. If you need to change your passwords, this can be accomplished by clicking on "Users and Groups" under the "System" tab. Click on each user, then select "Clear-text password", and type the new password in the field. When you click "save", the password will be encrypted and updated. Note that you can also use this area to add new users to the system and to manage their passwords. This menu ONLY changes system passwords. Changing the "Admin" user in this menu will only affect telnet and SSH access, not the ET/ADMIN GUI.

Notes on the Failover Watchdog Timer:

If your system has the Failover Ethernet option (-FO) installed, then there is a program called "bypassd" which monitors your system's "sanity" and informs the failover hardware that the system is working properly. If the system fails, or if the bypassd daemon stops running, the failover hardware will connect the 2 ethernet ports, allowing traffic to flow. You can manually take the system offline to do maintenance with the Failover GUI function (located under the main "Admin" tab in the ET/ADMIN HTML interface). It is also recommended you take the unit offline before performing any upgrade.

Recovering Lost Passwords

Again, there are two types of passwords: system passwords and ET/ADMIN passwords. If you can log in via telnet or SSH, but are unable to access the GUI as user "admin", do the following. SSH (or telnet) to the appliance as "admin", then su to become root. At the prompt:

# cd /usr/local/webmin
# perl changepass.pl /etc/webmin admin password

This will change the "admin" user's password to the value given as the last argument ("password" in this example). If you are trying to change the password for a different ET/ADMIN user, simply replace "admin" with the correct username.

If, however, you are able to access the ET/ADMIN but not able to access the system via telnet or SSH, then you can change the system passwords via the ET/ADMIN as described above.

Other Appliance Functions

Using SSL Encryption with the graphical interface:

If you are using a browser that supports secure connections via SSL, then you may wish to enable SSL in the web interface. Click on the "Admin" tab, then select the "Admin Configuration" icon. Select the "SSL Encryption" icon. Check the top box to enable SSL encryption, then click "save". You may have to log in to the ET/ADMIN again. Your browser may also pop up several notices about expired certificates. Accept the certificates and continue. Much like SSH, SSL encrypts the web traffic generated by the ET/ADMIN interface, including initial password authentication, and is recommended for all remote access. Please note that when connecting directly to the ET/ADMIN interface with SSL enabled, you must use a URL of the form "https://host.name:10000". Using the "http://" prefix (or no prefix) will not connect properly (generally with a "connection reset by peer" error message). If you are using Apache redirects, make sure your redirect has the appropriate prefix.

Enabling and disabling snmpd (and other services):

Enabling or disabling any service can be done via the ET/ADMIN interface. Find the line in /etc/rc.local that pertains to the service you wish to modify, and add the # character to disable the service at boot time, or remove it to enable the service.

Checking System Processes:

You can see a list of the active processes running on the system by connecting to the ET/ADMIN interface, and going to

System Functions -> Running Processes

bwmgrd must be running in order for the statistical gathering capabilities of the bwmgr to be utilized. It should be enabled by default. If bwmgrd is not running, it may be because the bwmgr is not running. This can be verified by selecting the "Bandwidth Manager" link, and noting the status of the bwmgr software.

Rebooting the System

From the main ET/ADMIN menu, select the "Admin" tab, then the "Reboot and Shutdown" icon. Clicking on "Shutdown" will halt the machine. To boot the machine after halting requires either a hard reset or "ctrl-alt-delete" from a keyboard. Clicking on "Reboot" will restart the machine. Both options will prompt for confirmation before actually bringing the system down.

Post-Configuration Security

Once you have your system configured and running in a stable manner, there are a few simple steps you can and should take to ensure that only authorized users can access the system. These appliances are not meant to be accessible from the internet at large, except in specific cases (for example, those users running a web server and/or allowing their customers to view graphs). The examples below assume the bandwidth manager has an address of 207.252.1.110, and the machines allowed to connect are in the subnet 207.252.1.0/27 (netmask of 255.255.255.224).

* Create firewall rule(s) that enable only your local net, or individual machines, access to your system. This rule should be created on the interface you are connected to on the inside, unless you are running an ET/R1700 with the Failover hardware. Then you should create the rule on the administrative port.

# bwmgr fxp0 -x 1000 -name IntAllow -fw -ipprot tcpconnect -saddr 207.252.1.0 -saddrmsk 255.255.255.224 -daddr 207.252.1.110

* On your external (outside) interface, create a firewall rule that denies ALL access to the IP address of your system. Or, if you are using the Failover hardware, create this rule on the administrative port. Leave room in your ruleset to create specific allow rules if you have an employee who needs to work on the machine remotely, or to allow traffic to a specific port (80) in the event that you allow your customers to view their graphs.

# bwmgr fxp0 -x 1500 -name DenyAll -fw -ipprot tcpconnect -daddr 207.252.1.110 -priority FW-Deny

* Change the default passwords for admin, root, and the "admin" user in the ET/Admin GUI. This is less of a priority if you've already blocked external access to the machine, but it is still a good thing to do. If, for some reason, you do not block access to the bandwidth manager appliance, changing the passwords is an absolute requirement.
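
Before adding the DenyAll rule, it helps to confirm which management hosts the -saddr/-saddrmsk pair in the IntAllow rule covers, so that nobody who needs access falls outside it. The script below is an added example, not part of the ET/BWMGR software; the host list is constructed, the function names are hypothetical, and it only does address arithmetic without calling bwmgr.

```shell
# Added example: which source addresses does the IntAllow pair
# (-saddr 207.252.1.0 -saddrmsk 255.255.255.224) actually cover?
ALLOW_NET="207.252.1.0"
ALLOW_MASK="255.255.255.224"
# Constructed sample list of management workstations (assumption).
ADMIN_HOSTS="207.252.1.5 207.252.1.30 207.252.1.33 10.0.0.8"

# Dotted quad -> 32-bit integer; non-zero status on malformed input.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|0?*|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Netmask -> prefix length; rejects non-contiguous masks.
mask_to_prefix() {
    m=$(ip_to_int "$1") || return 1
    inv=$(( ~m & 0xFFFFFFFF ))
    # A contiguous mask inverted is 2^k - 1, so inv & (inv + 1) == 0.
    [ $(( inv & (inv + 1) )) -eq 0 ] || return 1
    bits=0
    while [ "$inv" -gt 0 ]; do inv=$(( inv >> 1 )); bits=$(( bits + 1 )); done
    echo $(( 32 - bits ))
}

# Status 0 if address $1 is inside network $2 with mask $3.
in_subnet() {
    a=$(ip_to_int "$1") && n=$(ip_to_int "$2") && k=$(ip_to_int "$3") || return 2
    [ $(( a & k )) -eq $(( n & k )) ]
}

# One line per host: "in-range" means the IntAllow source match covers it.
audit_hosts() {
    mask_to_prefix "$ALLOW_MASK" >/dev/null || { echo "bad mask"; return 1; }
    for h in $ADMIN_HOSTS; do
        if in_subnet "$h" "$ALLOW_NET" "$ALLOW_MASK"; then
            echo "$h in-range"
        else
            echo "$h out-of-range"
        fi
    done
}
audit_hosts
```

With the manual's values, the range is 207.252.1.0 through 207.252.1.31, so any remote administrator outside it needs a specific allow rule of their own.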

Routine Maintenance

Monitoring System Status:

The "System and Server Status" is a useful tool for quickly checking the status of services on the appliance. This module is located in the "Administration" section of the ET/Admin GUI. When the module is selected, you will see a list of the configured monitors and the status for each. A green check icon indicates that the service is running. A red X icon indicates a service that has stopped or is not running. A black circle indicates a service that is not installed or configured.

Clicking on the name of each monitor will show an extended status. For example, clicking on "Bwmgrd Stats Daemon" will show the current status, usually "bwmgrd is running". If the service is not running, you should see the error message instead.

The monitor can also be configured to periodically check the configured services. Clicking the "Scheduled Monitoring" button will take you to the configuration menu. Make sure that "Scheduled checking enabled" is checked "Yes", and fill in the email notification section. Make sure you enter an email in the "Email status report to" field, and check the radio button to the left of this field.

The default setup has monitors configured for the MySQL database server, the bwmgrd stats collection daemon, the Apache webserver, and the Squid proxy server. Additional monitors can be configured, using the "Add Monitor of type" button after selecting the appropriate monitor from the pull-down list. One useful monitor type is "Disk Space". Select a partition and the minimum free space before creating the monitor. Assuming you have scheduled monitoring enabled, you will be emailed when free disk space on the selected partition is below this amount. Typically both /var and /usr partitions should be monitored.

Repairing a Broken Data Base

See Troubleshooting

Using the Demo/Installation USB Flash Drive

The USB Demo image allows you to boot your system and perform various functions, including repairing a hard drive crash, restoring files and even upgrading the base operating system on your drive. In the event of a physical drive failure, it can be used to rebuild a system using a blank hard drive, and load it with the latest release.

Note that most of the recovery functions of the USB Demo image require an active auto-update subscription.

If you received a USB stick with your appliance, it has a factory-fresh installation on it, ready for recovery. If you are using a new stick, or you wish to update the software on the existing stick, you can run a backup to the stick like this:

# backup da0 full (Do a full backup)

If you need to format or initialize a USB stick, this is the command:

# backup da0 build auto

A 2GB or higher capacity stick is needed for use in this fashion, and a 4GB+ may be required for full backups.

Support

Support is available by creating a support ticket on www.etinc.com. When you create your ticket, please try to explain your problem in detail so that we can help you without having to ask you for more info. When sending files, please cut and paste them into the ticket rather than sending attachments. Support is generally available between 10am and 6pm M-F. Tickets are usually answered over the weekends whenever possible.

Troubleshooting

See the latest Troubleshooting Documentation.
