ET/BWMGR Appliance User Manual

NOTE: This document only describes the hardware setup for ET/BWMGR based hardware appliances. Full system manuals are online at http://www.etinc.com/manuals.htm

Getting Started Unpacking and Setting up the system Making the Connections Power Supply Requirements & Plug Locations: 1U/SM Mini Case (ET/R1750SM, ET/R1800GO-M, ET/R2400) 1U/SM Case (ET/R1500SM, ET/R1700SM, ET/R1750D, ET/R1800GO, ET/R2800) 1U Case (ET/R1500, ET/R1700i) ET/R1800TR Case 4U Case (ET/R4000M) ET/R1800GO Case 3U Case (ET/R4400 Opteron) Network Connections: Connecting a System with Failover Hardware Connecting a 2 (or more) Port System without Failover Booting the System Initial System Setup Using the Setup Script Connecting to the ET/ADMIN Interface Permenantly Setting IP Address(es) Setting the Default Gateway Setting up DNS Setting the timezone Setting the Time and Date Registering Your ET/BWMGR License Key Connecting a NAT System NAT with a Failover Bridge NAT with a 2-port system (without Failover) NATd Configuration Setting up a Web Cache Appliance Default Settings and Important Notes Step-by-Step Configuration Security Notes Accessing the System From a Network Telnet vs SSH Setting up the Hard Drive Backup System Enabling/Configuring backup If your main hard drive fails Initializing a new backup hard drive Other Configuration Settings Enabling Controls Configuring the Appliance as a Router Changing the ET/Admin Password Changing the System Passwords Notes on the Failover Watchdog Timer Notes on the Hardware Watchdog Recovering Lost Passwords Changing the MySQL password Other Appliance Functions Using SSL Encryption with the Graphical Interface Using the Apache HTTP Server with the ET/ADMIN Apache Redirects Using Public Graphs Setting up an extern mySQL Database Enabling and disabling snmpd (and other services) Checking System Processes Rebooting the System Configuring WAN Interfaces Post-Configuration Security System Updates Updating Your System Over the Internet Update Subscription Notes Reverting to the previous version Routine Maintenance Monitoring System Status Backup & Restore Overview Backing up Restoring from Backup Maintaining the Statistics Database - Purging Old Data Repairing a Broken Database Using the Recover CD-ROM Getting Support Troubleshooting

Getting Started

Unpacking and Setting up the system

When you unpack your system you should see a ziplock bag which contains at least a power cord and some screws. Rackmount systems can be set up as a desktop unit or as a rackmount. Rackmount ears are usually installed on rackmountable units when shipped. If your unit has a lockable front panel, the keys should also be included in the bag.

Making the Connections

This section describes each of the appliances available. Make sure you read the entire hardware section carefully before making any connections.

Power Supply Requirements & Plug Locations:

The power supply requirements and location of connectors are directly related to which enclosure you have ordered. Make sure you read the appropriate section for your case, as plugging in the unit before selecting the proper voltage can easily (and instantly) ruin your power supply. All of the cases have an ATX-style connection panel with keyboard, mouse, VGA, and at least one serial port, usually coded by color. (VGA=blue, keyboard=purple, COM1 serial=green). For the location of network connections and power supply notes, please read the section below for your case.

1U Case (ET/R1500, ET/R1700i):

The 1U cases contains an auto-switching power supply that can accept both 115v and 230v AC input. The only switch on the power supply is an on/off switch. On the front panel there are two thumb-screws which can be used to release the front panel and access the power switch, reset switch, and floppy disk drive. Turn the thumbscrews counter-clockwise until they are free, and then swing the front panel down. On the back of the case, to the right of the ATX cluster, you will see two network connections (fxp0/fxp1). Ordering is from left to right. Additional ports may be located in the card slot to the right of the case, depending on options. If you have purchased an ET/R1X00-FO with the hardware failover, the failover ports (fxp2/fxp3) will be in the card slot (again, ordered from left to right).

1U/SM Cases: (ET/R1500SM, ET/R1700SM, ET/R1750D, ET/R1800GO, ET/R2800)

The SuperMicro 1U case contains an auto-switching power supply that can accept both 115v and 230v AC input. Viewing the front panel, you will see the CD-ROM and floppy drives on your left, and the power and reset buttons on the right, next to the indicator lights. The primary ethernet ports are located immediately to the right of the ATX cluster, and are labelled port 1 and 2. If your appliance has hardware bypass/failover the 2 failover ports are located in the card slot. Also note that in the box you should find sliding rails for mounting this unit on racks, if needed.

1U/SM Mini Cases : (ET/R1710SM, ET/R1750SM, ET/R1800GO-M, ET/R2400)

The 1U mini cases have an auto-switching power supply that can accept both 115v and 230v AC input. The layout is similar for all of the models. Viewing the front panel, you will see the CD-ROM and floppy drives on the left, and the power button on the right, next to the indicator lights. The 1U mini cases are much smaller and lighter than our other appliances, and do not ship with the sliding rail attachments.

ET/R1750SM, ET/R1750D, ET/R1800GO-M

Viewing the rear of the case, the primary and secondary ethernet ports (bge0 and bge1) are located immediately to the right of the ATX cluster, and are labelled LAN1 and LAN2. The failover ports (em0 and em1) are located in the card slot on the right.

ET/R2400, ET/R2800

Viewing the rear of the case, the primary and secondary ethernet ports (em0 and em1) are located immediately to the right of the video output, and are labelled 1 and 2. The failover ports (em2 and em3) are located in the card slot on the right. The ET/R2800 has two hot-swap power supply modules, located on the left side of the case. To remove a power supply, simply squeeze the two tabs together, and pull straight back.

Notes on the ET/R1800GD

The ET/R1800G case contains an auto-switching power supply that can accept both 115v and 230v AC input. Viewing the front panel, you will see the CD-ROM and floppy drives on your left, and the power and reset buttons on the right, next to the indicator lights. Viewing the rear of the case, the primary ethernet ports are located immediately to the right of the ATX cluster, and are labelled "LAN1" and "LAN2". These ports are identified as bge0 and bge1. The failover ports are located in the card slot and are ordered from right to left (em0 and em1). The ET/R1800GD ships with only the FreeBSD Operating System installed.

Notes on the ET/R1800TR:

The ET/R1800TR case is a 1U case with redundant power supply units. These power supplies automatically switch between 115v and 230v AC input. Viewing the front of the case, you will see the 4 hot-swap hard drive bays. Above the drive bays, from left to right, are the DVD-ROM drive, floppy drive, indicator lights, and power switch. Viewing the rear of the case, you will see the first two ethernet ports at the far left. bge0 is the left-most port, and will typically be used for administration purposes. Moving to the right you will see the keyboard, mouse, VGA, and serial ports. Above these you will see the failover ports em0 and em1, with em0 on the left. If you have ordered the optional second failover card, then to the right you will find ports em3 and em2, in that order. To the far right you will see the dual power supply modules. Each module has a green indicator of operation. If a module fails, you can remove it by moving the red lever and pulling the unit straight out, using the attached handle.

4U Case (ET/R4000M):

The power supply in the non-redundant 4U case is NOT automatically switched. You must select the proper input voltage before plugging in this unit. The power supply is located in the rear of the case. There should be a small red switch with two positions. Make sure the switch reads the proper voltage before connecting.
If you have the redundant power supply, then the voltage is automatically switched by the power supply. Each power supply module has a green light indicating that the module is receiving and providing power properly. If one of these modules should fail, an alarm will sound, and the lights will indicate which unit has failed. The modules can be hot-swapped, and replaced while the unit is running.
The front panel of the 4U case is hinged at the bottom. The lockable knob at the top can be turned clockwise to open the panel. Behind the panel you will find the floppy drive, CD-ROM drive, power switch, reset switch, and the power and HDD activity lights. On the rear of the unit, you will find the ATX cluster in the middle. Immediately to the right of the video output is the primary ethernet port em0. The card slots to the right will hold additional ports, depending on the configuration you have ordered.

ET/R1710SM (Discontinued)

Viewing the rear of the case, the primary and secondary ethernet ports (em0 and em1) are located immediately to the right of the ATX cluster, and are labelled LAN1 and LAN2. If your appliance has hardware bypass/failover, the 2 failover ports (em2 and em3) will be located in the card slot on the right.

Notes on the ET/R1800GO (Discontinued)

The ET/R1800GO case contains an auto-switching power supply that can accept both 115v and 230v AC input. Viewing the front panel, you will see the CD-ROM and floppy drives on the left, and the two SATA drive bays on the right. The power and reset buttons are located above the drive bays, along with the indicator lights. Viewing the rear of the case, the primary ethernet ports are as follows: (left to right) fxp0 , bge1 and bge0, and the failover ports em1 and em0. By default, fxp0 is used as the administrative port, and em0 and em1 are used as the two-port bridge. bge0 and bge1 are left unused, but can be used as a non-failover bridge or as regular ethernet ports.

3U Case (ET/R4400 Opteron, Discontinued):

The redundant power supply in the 3U case automatically switches between 115v and 230v AC input. Each power supply module has a green light indicating that the module is receiving and providing power properly. If one of these modu les should fail, an alarm will sound, and the light will indicate which unit has failed. The modules can be hot-swapped, and replaced while the unit is running. The alarm can be cancelled by pushing the small button at the top of the module bay. On the front of the case, you will see two bays with doors. These bay doors share the lockable knob in the center of the case. The right-hand bay holds the CD-ROM drive, as well as the power and reset switches, while the left-hand bay holds the floppy drive. Viewing the rear of the case, the primary ethernet ports are as follows: (left to right) fxp0 , bge1 and bge0. Any cards ordered with the appliance will be located in the card slots to the right. Assuming you have purchased two ET/GigFailover cards, they will be ordered (from left to right, top to bottom) em2, em3, and em0, em1. By default, fxp0 is used as the administrative port, and the em devices are used as bridge ports. bge0 and bge1 are left unused, but can be used as a non-failover bridge or as regular ethernet ports.

Network Connections:

Once you have read the above section, you should be aware of how many ports are on your machine and their names. The sections below refer generally to ports 0, 1 (2, 3.. etc). The method for connecting each system is generic, you simply need to match the interface name to the port number. You also need to be aware that any bridged ports on the bandwidth manager act like a 2 (or more) port switch, and care must be taken not to plug any two bridged ports into the same network. Plugging two bridged ports into the same switch or hub will most likely bring down both your network segment and your bandwidth manager. If the machine is running while this happens and the console is connected, you will see LOOP messages if this condition occurs.
Note on the use of crossover cables: If you are connecting the system directly to another router or server, you can use a crossover cable instead of plugging both units into a hub or switch (you CANNOT connect the system directly to a router or server with a regular ethernet cable). However, be aware that some devices do not "negotiate" the link speed and duplex correctly, so you may have to force one or both of the devices into the correct setting. If you see sluggish system performance or the unit won't pass data, see the troubleshooting section for more info.

Connecting a System with Failover Hardware:

NOTE: Multi-core appliances shipped with FreeBSD 7.0 have the bridge pre-configured. When you set up networking, answer 'n' to skip the bridge setup to use the default configuration.

Units equipped with the hardware Failover option will have 3 or more ethernet connectors. Port 0 is the administrative port. This port is assigned an IP address for remote configuration, and is NOT configured as a bridge. Note that if you have a cache system the setup procedure is different, and is described in a separate section below.

3 port system: Port 0 = administrative, Port 1 = failover port 1, Port 2 = failover port 2
4 port system: Port 0 = administrative, Port 1 = unused, Port 2= failover port 1, Port 3 = failover port 2

On 4 port systems, port 1 is located immediately to the right of port 0, but is not used. Three port systems use ports 1 and 2 as the "failover" ports as described above.

Failover port 1 should be connected to your internal network (the same hub or switch as your administrative port), while failover port 2 should be connected to your upstream provider (usually via a router). Both of these failover ports are bridged, in bridge group 1. You can plug the administrative port into the same network as failover port 1 or 2, but failover port 1 and 2 MUST be on physically separate networks or you will create a LOOP.

By default, the failover ports are physically connected together, also known as the "closed" state. In this state, the two ethernet ports are connected as if they were one wire. This means traffic will flow across the ports, even when the machine is powered off. In fact, that is the easiest way to test your unit - place the unit in between two switches, or plug an individual computer via a crossover into one of the bridged ports and try to access a remote host. Even with the unit powered down, the warning about plugging both ports into the same network applies. In this case it won't affect the machine, but can adversely affect your network for the duration.

Once the machine is powered up and the ET/BWMGR is running, the software watchdog routine will "open" the failover ports. If you are close to the unit, you may hear a "click" as the ports open. When the ports are opened, the ET/BWMGR bridge will pass traffic from one interface to the other. When the failover ports are in the "closed" state traffic should pass as if there is a single wire and the machine is not present. Once you determine that you are passing traffic correctly and the machine is bridging, you can start creating some rules.

Connecting a 2 (or more) Port System without a Failover card:

Note: If you are using NAT, please follow the instructions in the NAT section and not this section.

If you have a 2-port machine without the hardware failover option, such as the ET/R1710SM, you should have a default configuration in which port 0 is assigned an IP address, and is the primary port for bridge group 1. Port 1 must also be assigned to bridge group one, and must not be set to primary. The machine in the default configuration acts just like a 2 port switch. As a test, you should plug port 0 into your network, and port 1 via a hub or switch to your upstream network. Or, you can plug an individual computer into one of the ports via a crossover cable. Once you have determined that you are passing packets through the bridged ports and are not looping, then you can start creating and testing rules.

If you have more than 2 ports and want to create a large bridge group, you just need to assign all of the other ports (other than the primary) to be in bridge group 1. So if you have a 4 port card, assign ports fxp1 through fxp4 to bridge group 1. The appliance will then act like a 5 port switch.

Booting the System

Your system should boot to a login prompt. Log in with the user name "root" and the default passwd "saturn5". You should then see a shell prompt similar to the following:

ET/R1800#

Initial System Setup

In order for your system to function properly on your network you will need to do some basic set up so that you can properly access, start and register your license key. At a minimum, you must set up the IP address, DNS client information, and a default gateway before registration.

Using the Setup Script:

Next you will have to configure your ethernet address, default router and DNS server information. If you are setting up the box as a router, then both of your ethernet adapters will probably have addresses. If you are setting up a bridge, then only one should be given an address. On a system with failover hardware, your first port (bge0, or fxp0) must be assigned the address. To fully realize the benefits of the failover hardware, you must use a bridged configuration.

The simplest way to do initial IP configuration is to run the "etip" command after logging in as root. This will prompt you for the interface (enter fxp0 or eth0), IP address, netmask, default gateway, and DNS server IP address. The settings made will be immediately applied to the system configuration, and also saved so that they will take effect on subsequent boots. The example below shows the usage of "etip". Commands typed by the user are shown in italics.

# etip

Which interface would you like to assign an IP address? Select from the following list of detected interfaces. fxp0 fxp1 fxp2 fxp3
Interface: fxp0
Please enter the IP address for fxp0: a.b.c.d
Enter your netmask (or hit enter for default of 255.255.255.0):
Enter your default gateway: a.b.c.d? a.b.c.d
Enter your primary DNS server (or hit enter to skip): y.y.y.y

Using the following values for interface fxp0:
IP Address: a.b.c.d, Netmask x.x.x.x
Default Gateway: a.b.c.?
Primary DNS Server: y.y.y.y

OK to use these settings? (y/n) y

Answering "y" will apply and save the changes. You can now access the machine remotely. You may then be prompted to change the bridge setup. It is recommended that you not do this unless you have a specific need to do so.

Assuming that all went well with the etip script, your next step should be to connect to the ET/Admin GUI interface.

Connecting to the ET/ADMIN Interface:

Once you have assigned the ethernet address, you should be able to access the graphical administration interface (ET/ADMIN), which is running on port 10000. Use your favorite web browser to access the following URL:

http://a.b.c.d:10000

Where a.b.c.d is the address that you assigned the system. You will be prompted for a username and password. The default username is "admin" and the password is "saturn5". (see "Changing the ET/ADMIN password"). Once you have setup up the address and can connect to the ET/Admin GUI, you can skip the "manual system setup" section, but do take a look at the "setting the time zone" section below:

The following indented section is for reference only, in case you need to fix something manually.

Manual System Setup:

If you need to manually set up your system, the following section describes the steps required to make your initial settings and store them so they will be activated whenever your system is restarted. If you have used the etip setup script then you should skip to the section titled "Setting The Time Zone".

Log in as root, and run the following command (where a.b.c.d is the IP address you wish to assign the bandwidth manager, and x.x.x.x is the netmask). You should replace the interface name with whatever port 0 is on your machine, if necessary.

# ifconfig fxp0 a.b.c.d netmask x.x.x.x

After doing this, your machine should be accessable from the network with the address you specified. Note that the address you give the system must be an address that is accessable locally on the wire that you have attached to the first ethernet port.
Also note that using "ifconfig" to set/change IP addresses is a temporary change and will not be saved if the machine is rebooted. See the section on connecting to the ET/ADMIN interface and permanently setting IP addresses below.

Permanently Setting the IP Address

If you have just set up your system for the first time, you must now use the adminstration tools to permanently change the IP of your bandwidth manager. If you have an machine that's already in use, this is the correct method to change/add IP addresses as well. To tell the system to set the IP address you've assigned at each reboot, click on the “Network” tab from the left-hand menu and then select the “Network Configuration” link. This will bring up some additional icons:

Select -> Network Interfaces:

Within the table below “Interfaces Activated at Boot Time”, click on port 0, which will bring up a screen with information about this interface. Set your IP address to a.b.c.d (make sure the button next to the text box is selected) and verify IP and netmask settings. Make sure "Activate at boot?" is 'Yes', then click on “save and apply”. Make certain that you modify the interface on the bottom section of the page (under the "Interfaces Activated at Boot Time" label), as these changes are carried over to future boots. Changes made from the "Active Interfaces" table will only be temporary. Note that if you are planning to use the appliance as a router, you will want to assign an IP address to each interface that will be active. To return to the menu, Click on <- Return to Network Configuration at the bottom of the page.

Setting the Default Gateway:

Next you need to set the default gateway for the system if you want the machine to be able to access outside networks. If you DON'T want the machine to be accessable or to have access to the internet, skip this step. Note that in order to register the BWMGR software or use the web update facility you will have to be able to access the internet. To set the default gateway:

Select->Routing and Gateways:

Select the button next to the text box and enter the IP address of your default router, Note that the address must be accessable (typically on the same network as your IP address and network mask entered previously). Click “save” to save the settings. To return to the Network Configuration menu, click <- Return to Network Configuration.

Setting up DNS:

In order to access the bandwidth manager by name, or to be able to access other systems by name (required for the web update procedure), you must set up your DNS (Domain Name Service) client. You will also be able to set the hostname of this machine. From the menu:

Select-> DNS Client:

Set the hostname of this machine, and add your namerserver(s) IP address(es) in the “DNS Servers” box. Click “save”.

If you don't have a real DNS entry in your server for this system, you can use the "Host Addresses" table to alias names with IP addresses. The host address table will also be looked at before DNS is attempted, so it is a bit faster. Its also useful for aliases that are not real DNS entries. For example, if you wanted to access a machine at 211.14.18.12 with the name "MySunWorkstation", you could add an entry in the host addresses table as such and that name would be translated to the correct address.

Setting the Time Zone:

Making sure the time is correct is fairly important for users who are interested in storing statistics for rules. There are different utilities for selecting the proper time zone depending on which Operating System you are using. For either OS, you must log in to the console as "root" and run the 'tzsetup' program. This will bring up a series of text dialog boxes, which can be navigated by the arrow keys. For Linux, use 'tzselect'. Both programs are fairly self-explanatory and require that you choose the proper geographic area to narrow down the selection list. After confirming the time zone is correct for your location, check the time and adjust it if necessary.

Setting the Time and Date:

Click on the "System" tab from the main ET/Admin menu, then select the "System Time" link. You will see several fields where you can select the current Date, Month, Year, Hour, Minute, and even seconds. Make sure the date and time are current and click the "Apply" button to change the system time.

You are now finished with the basic configuration of the bandwidth manager. You may now want to read the section regarding using SSL encryption with the ET/ADMIN interface, as well as the section on enabling Apache and Apache redirects.

Configuring a NAT System

NAT (Network Address Translation) allows a private network connected to the appliance to share the public IP address assigned to the administrative interface. NAT is only supported on appliances with the FreeBSD Operating System.

NAT with a Failover Bridge:

Failover appliances should have 4 ports. Depending on your appliance, the port names will be:

fxp0, fxp1, fxp2, and fxp3 (ET/R1700SM-BW-FO)
em0, em1, em2, and em3 (ET/R1750SM, ET/R1800G, ET/R1710-SM with the Failover option.)

Port 0 is your administrative port.
Port 1 is the NAT port.

Before setting up NAT, you should first configure and connect your appliance as detailed in Initial System Setup. Configure your administrative port with an IP address (which is also referred to here as the "public" address) and connect your failover ports. Once you have the appliance connected and have tested that bridging works, then continue with the NAT configuration.

Connect to the ET/Admin GUI, and Assign the private IP address and netmask to port 1. (eg, 10.0.1.1)

Configure your test machine with an address on the private network (eg, 10.0.1.30, with default gateway 10.0.1.1). Make sure that the test machine can ping 10.0.1.1. At this point, the appliance should be able to access external networks, but not the test machine.

Start NATd:

# sh /etc/rc.natd

Once NATd is started, you should confirm that the test machine can now access external networks. If necessary during testing, the correct way to stop NATd is:

# sh /etc/rc.natd stop

Once you have verified that NAT is working, you can enable it at boot time. From the main ET/Admin menu, select the "System Functions" link on the left side, then select "Boot Startup Tasks" below it. Find the line that starts NATd, and uncomment it by removing the "#" character from the start of the line, then clicking "Save" at the bottom of the screen.

Failover Notes:

Ports 2 and 3 are your bridged failover ports, and do not need IP addresses. Do not change the default bridge configuration. NAT will co-exist with your bridge, and will continue to operate even if the appliance is put into manual bypass mode; however, if the machine goes down or is powered off, the private network will be isolated.

NAT with a 2-port system (without Failover):

The first step is to configure the IP addresses. The primary address on em0 should be set first, using the 'etip' command as outlined in Initial System Setup. The default gateway, netmask, and primary DNS server are also configured at this time. Also see the Registration section, as you will need to enter your licens e key to start the ET/BWMGR software if you haven't already.

Connect to the ET/Admin GUI, and disable bridging on em0 and em1.

Assign the private IP address to em1. (eg, 10.0.1.1). You must use the ET/Admin GUI to assign this address, not 'etip'. At this point, you should be able to reach external networks directly from the appliance, and our test machine (with IP 10.0.1.30 and default gateway of 10.0.1.1) should only be able to reach its default gateway address.

Start NATd:

# sh /etc/rc.natd

Once NATd is started, you should confirm that the test machine can now access external networks. If necessary during testing, the correct way to stop NATd is:

# sh /etc/rc.natd stop

Once you have verified that NAT is working, you can enable it at boot time. From the main ET/Admin menu, select the "System Functions" link on the left side, then select "Boot Startup Tasks" below it. Find the line that starts NATd, and uncomment it by removing the "#" character from the start of the line, then clicking "Save" at the bottom of the screen.

NATd configuration:

The configuration for NATd is stored in "/etc/natd.conf". The basic configuration consists of two options, and can likely be used as-is.
interface defines the ethernet port with the public address.
unregistered_only will restrict NAT to only allowing private, unroutable addresses to be translated. This is enabled by default.
If you wish to use a more advanced configuration, please read the man page for 'natd'. As usual, we recommend testing with the default setup before changing anything.

Transparent Web Cache (Squid) FreeBSD ONLY

The following documentation applies only to units sold with the web cache hardware option. For a variety of support and performance reasons, the cache should only be used with the FreeBSD operating system, even though your system may have LINUX capability. The default configuration is a transparent proxy. All web traffic requests from your internal network will be transparently cached. Caching is not yet supported in FreeBSD 7.0

Default Configuration:

Systems shipped with the cache option have the cache disabled by default. The cache option can make it difficult to debug a basic setup problem, so we recommend that you first get the system running without the cache, so that you are sure that you have it wired correctly, and that your basic shaping rules work properly. Once you have familiarized yourself with the system, you can enable the web cache and make any adjustments to your ruleset.

Caching on the 1750D:
The ET/R1750D appliance ships with two hard disks. The second disk can be used as either a backup disk, or as a cache disk. By default, the disk is configured as a backup disk. To dedicate the second disk to the web cache, you must run the buildcache utility. This should be done before the cache is started for the first time

# buildcache

Step by Step Configuration:

1: Verify the Wiring

Make sure you have the correct bridge configuration. The cache system should ship from the factory with the correct setup, but we list them here as customers often change the defaults during testing. Make sure that the interface marked "(Inside)" is connected to your internal network.

ET/R1700SM-BW-FO-Cache:

fxp0: Bridge Group 1, Fallback enabled
fxp2: Bridge Group 1, Set as Primary (IP address) (Inside)
fxp3: Bridge Group 1

ET/R1710SM:

em0: Bridge Group 1, Primary (IP address)
em1: Bridge Group 1 (Inside)

ET/R1710SM with Failover:

em2: Bridge Group 1, Primary (IP address) (Inside)
em3: Bridge Group 1
em0: Bridge Group 1, Fallback enabled

ET/R1750SM, ET/R1750D:

em0: Bridge Group 1, Primary (IP address) (Inside)
em1: Bridge Group 1
bge0: Bridge Group 1, Fallback enabled

ET/R1800G, ET/R1800GD, ET/R1800TR:

em0: Bridge Group 1, Primary (IP address) (Inside)
em1: Bridge Group 1
bge0: Bridge Group 1, Fallback enabled

2: Check your rules

Starting the cache will add a firewall rule to your ET/BWMGR ruleset on the inside bridge interface. Leave firewall indices 100-200 open for cache use. If you already have rules in this index range in the firewall, please move them before starting the cache.

3: Start the cache

Find the "Squid Proxy Server" module in the "Servers" section of the ET/Admin GUI. Once you have opened the module, you will see a link at the top right of the screen "Start Squid". Click on "Start Squid". After a few seconds the page will reload and you should now see "Apply Changes" and "Stop Squid". This indicates that the cache has started.

*NOTE* Stopping/Starting Squid from the GUI will also change whether the cache is started at boot time.

3: Test the cache

Connect to an external web site from a browser connected to the inside bridge interface. Generally, if you have started the cache and you can reach external web sites, the cache is working. Look for hits on firewall rule #150 on your inside interface. You can also use the Cache Manager link in the Squid module to check that you are caching web requests. Click on "Cache Manager Statistics" and login as user "Manager", default password of "saturn5". Click on "General Runtime Information" or "Cache Utilization" and see if you are getting cache hits.

For more information on the many functions available in Squid, visit the Squid web site: http://www.squid-cache.org , where you will find manuals and examples. The "Help" link at the top of the ET/Admin Squid GUI also goes to this page.

4: Security and Advanced Usage

The default configuration of the web cache is to transparently cache ALL http requests from your internal network, while disallowing direct access to the cache (to prevent unauthorized outside usage of your cache).

In some situations, you may want to limit the cache usage to individual users or specific subnets. If you wish to exclude a subnet or IP address range from being cached, simply add a firewall allow rule with an index < 100 that matches http requests from the IPs in question. You can also use the Squid ACL (if you are familiar with the syntax) to exclude certain clients or URLs from being cached.

If you need to modify the default rule, or need additional rules to control who gets cached, this MUST be done by editing files in "/usr/local/squid/etc". "cache.config" defines the inside interface, where all your cache rules must be applied. "cachestart" and "cachestop" control the adding and removing of rules when the cache is started and stopped. There are instructions within these files on where to add or modify rules. Use existing rules as examples. Changes made to the rule in the ET/Admin BWMGR GUI will be lost after the next reboot, unless you also change cachestart. Note that if you add any rules to cachestart, you should also add a line to remove that rule in cachestop, otherwise they will not be removed if you stop the cache.

Also note that if you are allowing your customers to view their usage graphs, you will likely want to edit cachestart to avoid caching these requests. Find the line that reads:

#/sbin/ipfw -q add 2500 pass tcp from any to MY.IP.ADDR.HERE 80 in

Change "MY.IP.ADDR.HERE" to be the IP address you are using for customer graph access. Remove the "#" symbol. Then save the file. Changes to /etc/rc.cache will be applied at the next boot, or you can apply them immediately by clicking "Stop Squid" then "Start Squid" in the ET/Admin GUI.

Registering Your ET/BWMGR License Key

Appliances ship with a demo key installed. You must install the license key issued to the appliance, as the demo is time-limited. When an appliance is shipped, a license key is generated and sent by email to the contact on the purchase order. Additionally, the license key should also be printed on your invoice. You can also find a listing of all of your current license keys by logging into your account on our web site. If you have multiple licenses or appliances, you can view all your keys, and match the serial number of the license to the serial number of the primary ethernet interface on your appliance.
Initially, you should start the ET/BWMGR with your license key to ensure that it works, this will also eliminate the demo time limit. Once you have the unit installed in the final location, you should then register your license. Registration is required in order to access the update server, whether you have the included 30 days of support and updates, or you have purchased the 1-year subscription. If you have the free 30-day subscription, you should make sure to check for any updates or bug fixes that have been added since your system was built before the subscription expires. You can see the expiration date of your keys when viewing them in your account on the ET web site.

When you access the ET/Admin GUI, you will see the main ET/BWMGR configuration on the right side of the screen. If not, click on Bandwidth Manager on the left hand side on the top of the menu. Click on the "Setup BWMGR" button. Make sure your primary interface is selected as the "key interface" (either fxp0 or em0). To double check, display the pull down menu for "Key Interface" and match the serial# in your email with the code shown next to each interface. The serial number must match in order for the key to work. Select the proper interface, and then paste or type your license key into the "Key" field. Click the "Start ET/BWMGR" button. The system should start successfully. Now return to the Startup Menu.

To register your system, you will have to have access to the outside world, which means that at least your default gateway will have to be configured and any firewalls will have to be disabled for ports 4000 to 5000. You must also have a working DNS setup. If you get a "server down" message, it's possible that the server really is down, but more likely the problem is that you can't reach the server for some reason, so check your connectivity to www.etinc.com. This can be done by going to the main "Update System" screen, and then clicking on "Check Versions", which will attempt to connect to etinc.com and will display a reasonably verbose explanation of any errors encountered. See the BWMGR FAQ for more information. To register your system, Click the "Register ET/BWMGR" button.

Connecting to the System from a Network

Once you complete the initial configuration, most configuration tasks can be done via the HTML interface. If you need to get into the command line interface, you can access the console remotely via either Telnet or SSH.

Telnet vs SSH:

Both Telnet and SSH require the use of a program on the client end to connect. There is a Telnet client included as part of most Windows installations. For security reasons, you cannot log in directly as "root" when you access the console remotely. When connecting with Telnet or SSH, you will have to first log in as the "admin" user. Once logged in, you can use the "su" command to become the super-user (root) to perform administration tasks or use the ET/BWMGR tools:

# su -

Telnet is a plain-text protocol while SSH encrypts all communications between the client and the server, including password authentications. This is intended to prevent password sniffing. SSH also provides host authentication via a host key, which is stored by the client the first time it connects to a server, and verified at the beginning of each connection. If the host key changes for any reason, SSH will warn the user and refuse to connect unless they take manual action. This reduces the possibility of someone hijacking an IP address and attempting to steal passwords. Telnet and SSH are configured and accessable on the unit by default. It is recommended, especially if you or your staff may be accessing the system from outside your local network, that you use an SSH client to connect.

Different clients may have different interfaces (particularly from a Windows Box), but from a standard unix system you can access the system remotely via telnet with the command:

# telnet a.b.c.d

where a.b.c.d is the address to use. If successful, you should see a login prompt. Again, you cannot log in as "root" when accessing the system from a network (via Telnet or SSH). so you should log in using "admin" with the appropriate password ("saturn5" by default). Then you can use the "su" program to change to super-user ("root" is super-user by default) as follows:

$su - <Enter>
password: saturn5
ET/R1710#

Don't forget the "-" option, which allows you to inherit the root user's paths, so the system and BWMGR programs can be run without using full pathnames.

To access the system via ssh, enter a command similar to the following:

# ssh admin@a.b.c.d

Setting up the Hard Drive Backup System

On appliances with two externally-accessable drive bays, the second drive (if not used as the cache disk on supported appliances) can be used for the spare disk. Looking at the front of the case, the main disk is always installed in the left-hand drive bay, and the spare disk in the right. Note that on newly- purchased appliances with the spare disk option, you must enable the scheduled task that backs up the contents of the main disk to the spare disk. Once you have enabled the backup, you can check the status of the backups by viewing the log file "/var/log/backup_appliance".

Enabling/Configuring the Hard Drive Backup

Select "System Functions" and then click on "Scheduled Commands". You will see a table with the list of commands and the status for each. Look for the command "/usr/local/bin/backup_apliance". To change the status or configure the time(s) at which the backup occurs, click on the command name.
At the "Edit Cron Job" menu, you can turn the backup on or off by clicking "Yes" or "No" at the top. In the "When to Execute" box, you can select the time(s) at which the backup will be run. The default is to run once a day, at 4:51 AM.

What to do if your main Hard Drive fails

If your main disk fails, then you can switch to the spare disk. The appliance must be halted and powered off before swapping drives. Depending on your appliance, there may be a release on the front of the drive bay that will allow the drive to be removed, or you may need to slide open the top of the case in order to remove a setscrew. Remove the main drive, and set aside. Then remove the spare disk, place it in the main drive bay, and boot the appliance.

Initializing a new backup hard drive

If your appliance has IDE disks, then you must power-off the appliance before installing the replacement drive. SATA drives can be installed while the appliance is running, but cannot be accessed until the appliance is booted with the drive installed. Once the spare drive is installed and the appliance is rebooted, run the following command as the "root" user:

# buildspare

This will partition and format the spare disk. The main disk will be backed up at the next scheduled time.

Other Configuration Options

Enabling Controls

Before you can use controls you must do two things.
Click the checkbox next to "Show Controls" in the "Defaults" config page.
From the command-line, run "enable_controls", which will enable the periodic task that checks controls at boot and at set intervals (by default, every hour.)
If you are no longer using controls, the "disable_controls" command can be used to disable the period check.

Configuring the ET/RXX00 as a Router:

Appliance units with multiple ethernet interfaces are configured as a bridge by default. Here are the steps you must take on a factory-fresh ET machine to enable routing:

From the ET/ADMIN interface, select the "Bandwidth" link on the left, then click on "Setup Bridging" icon.
You will see a list of the interfaces and their bridging status in the "ifac" column. . For each interface, click on the interface name, and change the bridging mode to "disabled", then click on "submit".

Now that you've disabled bridging, you must enable routing. From the main ET/ADMIN menu, select the "Network" tab, then "Network Configuration". Follow the instructions above on IP configuration to set the IP address for each interface.

<-- Return to Network Configuration

The next and final step is to use the "Routing and Gateways" tool to enable IP forwarding. Find the line "Act as Router?", and check "yes". Make sure that the default router for the machine is set properly, then click on "save". You will then have to reboot the system. As noted above, using a machine with the -FO failover ethernet option as a router renders the failover function useless, so it's recommended that you not do this.

Changing the ET/ADMIN Password:

The ET/ADMIN password for the default user "admin" can be changed by clicking on "Administration" and selecting "ET/Admin Users", then clicking on the user "admin" in the left column. The second line is the new password entry form. Click "set to", enter the new password, then click on "save". You will then receive an "invalid login" message. Login to ET/ADMIN using the new password.

Note that the user names for the system (which are used for Telnet/SSH and logging in at the console, for example), are not the same. The GUI has its own user/password combinations that are by default unrelated to the normal system users and passwords. In reality, there are 2 distinct "admin" users: one for the ET/ADMIN interface, and one for the system. The passwords for the 2 must be set independently. The "admin" login to the ET/ADMIN interface is the equivalent of "root" and has full access to change aspects of the operating system (known as superuser privileges). The other "admin" is the Unix user, which is simply used when connecting to the system using telnet or SSH. See the example for connecting via telnet and using the su command to become the superuser.

Changing the System Passwords

It is highly recommended that you also change the passwords of "root" and "admin". This can be accomplished by clicking on "Users and Groups" under the "System" tab. Click on each user, then select "Clear-text password", and type the new password in the field. When you click "save", the password will be encrypted and updated. Note that you can also use this area to add new users to the system and to manage their passwords. This menu ONLY changes system passwords. Changing the "Admin" user in this menu will only affect telnet and SSH access, not the ET/ADMIN GUI.

Notes on the Failover Watchdog Timer:

If your system has the Failover Ethernet option (-FO) installed, then there is a program called "bypassd"
which monitors your system's "sanity" and informs the failover hardware that the system is working properly. If the system fails, or if the bypassd daemon stops running, the failover hardware will connect the 2 ethernet ports, allowing traffic to flow. You can manually take the system offline to do maintenance with the Failover GUI function (located under the main "Admin" tab in the ET/ADMIN HTML interface). It is also recommended you take the unit offline before performing an upgrade.

Notes on the Hardware Watchdog:

Most of the systems (including all -SM machines, the ET/R4000i, and all ET/R1X00 units with two on-board
ethernet ports) sold have a built-in watchdog timer which allows the machine to be automatically reset if it
crashes or locks up. This watchdog is controlled by the same utility that handles the Failover ports, however it is an independent function (Failover simply bypasses the machine, while the motherboard
watchdog issues a hard reset). Also, you do not need a failover card installed to enable this feature. The motherboard watchdog is DISABLED by default. To enable it, you must edit the file "/etc/rc.local" and uncomment the line that refers to your motherboard. There is one line for the ET/R1500, one for the ET/R1700, and one for the ET/R4000. Once you have done this, the watchdog utility will be run after the next boot.

Recovering Lost Passwords

Again, there are two types of passwords; system passwords and ET/ADMIN passwords. If you can log in via telnet or SSH, but are unable to access the GUI as user "admin", do the following. SSH (or telnet) to the appliance as "admin", then su to become root. At the prompt:

# cd /usr/local/webmin
# perl changepass.pl /etc/webmin admin password

This will change the "admin" user's password to password. If you are trying to change the password for a different ET/ADMIN user, simply replace "admin" with the correct username.

If, however, you are able to access the ET/ADMIN but not able to access the system via telnet or SSH, then you can change the system passwords via the ET/ADMIN as described above.

Changing the MySQL password:

Changing the default "saturn5" password for the MySQL database is recommended only if you plan on allowing external access to the database: by default, external access is simply not allowed. If you wish to change the password, you can do it via the command line or by using the ET/ADMIN MySQL interface.
Changing the password for the MySQL database via the command line: As root, perform the following command:

#mysqladmin -u root password yourpassword

If using the ET/ADMIN interface, click on the "Servers" tab, then the "MySQL Database Server". If you have not used this module previously, you may have to enter the current MySQL password (by default, "saturn5") before doing anything else. Under the "Global Options" section, you will see an icon for "User Permissions". Click on this icon, then find the entry for username "root", host "localhost". Click on the user to edit their settings. Do not change any permissions for the "root" user, simply select "Set to..." on the "Password" line and type the new password in the adjacent text field, then click "Save".

Then, make sure you are using the same password in the BWMGR section of the ET/ADMIN. Click on the BWMGR icon, then find the button labeled "edit defaults" on the same line as "Graphs". By default, this MySQL password is set to "saturn5", and if you change the MySQL password without changing this entry, no new data will be stored by rules with statistics enabled and you will be unable to retrieve past data, until you change your settings to match.

Other Appliance Functions

Using SSL Encryption with the graphical interface:

If you are using a browser that supports secure connections via SSL, then you may wish to enable SSL in the web interface. Click on the "Admin" tab, then select the "Admin Configuration" icon. Select the "SSL Encryption" icon. Check the top box to enable SSL encryption, then click "save". You may have to log in to the ET/ADMIN again. Your browser may also pop up several notices about expired certificates. Accept the certificates and continue. Much like SSH, SSL encrypts the web traffic generated by the ET/ADMIN interface, including initial password authentication, and is recommended for all remote access. Please note that when connecting directly to the ET/ADMIN interface with SSL enabled, you must use the "https://host.name:10000". Using the "http://" prefix (or no prefix) will not connect properly (generally with a "connection reset by peer" error message). If you are using Apache redirects make sure your redirect has the appropriate prefix.

Using the Apache HTTP Server with the ET/ADMIN:

The Apache webserver runs on port 80, while the ET/ADMIN interface runs on port 10000.
By default, the Apache server is configured to start at boot time. If it is not running, you can enable it
in the ET/Admin GUI. Note that it may be necessary to set the hostname prior to starting Apache.

Under the "System Functions" tab, click on the icon "Boot Startup Tasks".

You will see a box with the contents of the file "/etc/rc.local". The second line should read:
#/usr/local/bin/apachectl start
To enable Apache on boot, remove the "#" character from the start of the line. Click on "Save", then hit your browser's "Back" button. Go to "Admin Index", select the "Servers" tab, then click on "Apache Webserver". To start the server immediately, click on "Start Apache" at the top right of the screen.

Apache Redirects:

If you do not plan to use the appliance as a web server, but wish to access the ET/ADMIN via Apache, configure the webserver to make the ET/ADMIN the default page. (enable it first as shown above).

1)From the ET/ADMIN menu, click on the “Servers” tab, then select “Apache Webserver”
2)Under the “Virtual Servers” heading, select “Default Server”, then click on "Aliases and Redirects".
3)Next to the line "URL Redirects" you will see a "from" and "to" field. Put a forward slash in the "from" field (/), and in the "to" field place the following line (replace a.b.c.d with the IP of your appliance):

"http://a.b.c.d:10000" # Use this line if you have not enabled SSL
" https://a.b.c.d:10000" # Redirect to the SSL enabled port

Once you click on "apply changes" (at the top of the screen), simply connecting to http://a.b.c.d will call up the ET/ADMIN interface, and enable SSL if appropriate.

Using Public Graphs - Allowing Customers To View Graphs from WWW:

The ET/ADMIN GUI Interface has superuser priveleges and can modify any aspect of the running system. Hence, if you wish to allow your customers to access their usage graphs, you must use another access method, one that does not give root access. Your appliance comes with the Apache web server pre-installed, which can be used to view customer graphs. Here are the steps that must be taken to provide customer graph access.

1) Configure the graph you wish to allow acccess to, using the ET/Admin GUI: view the rules and find the rule for the customer. Click on the rule name to view the customer graph, then click on the graph image to see the configuration page. In order for a customer to view their graphs, you must set the "Graph Access" to "Public", and set the Graph Password.

2) Test your setup by accessing "http://yourhostname/custgrph.htm". You should see text boxes for "Date", "Name", and "Password". Enter the graph name and password (if you've set one) in the fields and then click "Daily Graph". This should confirm that the public graph access is working.

The "custgrph.htm" file is an example of how to interface with the ET/BWMGR and allow customer logins. It can be used as-is, or it can be used as a template for creating your own login page. If you do customize this file, make sure you use a different name, as the changes made to custgrph.htm will be lost when you upgrade the machine using the "Update System" module.

Setting up an external MySQL database

If you're keeping statistics for a large number of rules, and/or your traffic levels are high, you may find that the response time of database functions is rather slow. Its also possible that your system will not be able to handle both bandwidth management and statistical gathering if you are trying to gather statistics for 1000s of rules on a heavily utilized system. In such cases, you may benefit from running an external database. This will allow database processing (lookups and row insertion) to be completely offloaded to another system. Note that you will need to do this on your own, as we don't support MySQL generally except as it applies to functions within the appliance, and to provide examples that are known to work on a correctly configured system.

Following are the steps necessary to use an external MySQL database. In our example, assume the ET/BWMGR is running on IP 10.0.1.5, and the remote MySQL server on 10.0.1.33. The default password of 'saturn5' is used in the examples.

On the remote machine (10.0.1.33):

1) install and start the MySQL server (Appliance users unfamiliar with this process should refer to http://www.etinc.com/mysql.htm for steps 1-4)

2) Set default root password for the server:

# mysqladmin -u root password 'saturn5'

3) Install the ET/BWMGR software tarball on to the remote machine, or just copy /usr/hdlc/db from the bwmgr machine.

4) Create the ET/BWMGR databases:

# cd /usr/hdlc/db
# sh et_createdb

5) Allow access to the ET/BWMGR databases from the bwmgr machine.

# mysql -u root -p etbwmgr
Enter password: saturn5
mysql> grant ALL on etbwmgr.* to root@10.0.1.5 identified by 'saturn5';
mysql> exit

On the ET/BWMGR machine (10.0.1.5):

6) Test the connection from the bwmgr machine. If you get the "mysql>" prompt its working properly:

# mysql -u root -p -h 10.0.1.33
Enter password: saturn5
mysql> exit

7) use the "Edit Defaults" button on the ET/BWMGR GUI to change the database settings. Make sure database host points to the remote location of the MySQL server. Make sure the user name and password match the GRANT statement you used.

8) re-start bwmgrd on the bwmgr machine (or reboot).

# killall bwmgrd
# /usr/local/sbin/bwmgrd

Enabling and disabling snmpd (and other services):

Enabling or disabling any service can be done via the ET/ADMIN interface, as shown in Using the Apache HTTP Server with the ET/ADMIN. FreeBSD users should find the line in /etc/rc.local that pertains to the service they wish to modify, and either add or remove the # character to disable/enable the service at boot time. In LINUX, you can enable or disable services by clicking on "System" and then selecting "System Startup" icon and selecting the appropriate service.

Checking System Processes:

You can see a list of the active processes running on the system by connecting to the ET/ADMIN interface, and going to

System Functions -> Running Processes

bwmgrd must be running in order for the statistical gathering capabilities of the bwmgr to be utilized. It should be enabled by default. If bwmgrd is not running, it may be because the bwmgr is not running. This can be verified by selecting the "Bandwidth Manager" link, and noting the status of the bwmgr software.

Rebooting the System

From the main ET/ADMIN menu, select the "Admin" tab, then the "Reboot and Shutdown" icon. Clicking on "Shutdown" will halt the machine. To boot the machine after halting requires either a hard reset or "ctrl-alt-delete" from a keyboard. Clicking on "Reboot" will restart the machine. Both options will prompt for confirmation before actually bringing the system down.
Accessing the Bandwidth Manager

Configuring WAN interfaces:

If you have a system with WAN cards installed, you can edit your WAN interfaces by clicking on the "Network" tab and then selecting the ET/HDLC WAN Configuration icon.

You should see a menu which shows you the ports which have been detected in the system. On FreeBSD, the ports are named eth?, and on LINUX they are named ets?. Each port must be configured with a line protocol and also (typically) with an IP address pair. The exception to this is if you are bridging, in which case the interface may or may not need an IP address assignment.
Setting the WAN Interface Protocol

To set the protocol that will be running on a particular WAN port, click on the "Config Port" button to the left of the associated interface. This will bring up a menu that allows you to select the protocol to run on the card. Typically, all you have to do is select the protocol and them hit "Update Config File" or "Save and Apply". Selecting "Update Config File" will update the startup file which is run at boot time. Selecting "Save and Apply" will also apply the settings immediately to the port. Note that the ports must be configured in order (that is, you can't configure eth2 before eth1).
Setting the WAN IP Addresses

To set the IP addresses of the WAN card, select "IP Config" to the right of the port you wish to configure. Then set the Local and Remote IP addresses. Typically, point to point interfaces do not require netmasks (they are host addresses by default). Even if you are given a netmask, typically the system will not use it. Again, to save the info, click the "Save Config" or "Save and Apply". If you selected "Apply", you should see the new setting on the screen.

This document is designed simply to help in the initial setup of your appliance. Full documentation on utilizing and configuring ET/BWMGR software can be found on the Emerging Technologies web site under "Support".

Post-Configuration Security

Once you have your system configured and running in a stable manner, there are a few simple steps you can and should take to ensure that only authorized users can access the system. These appliances are not meant to be accessable by the internet at large, except in specific cases (for example, those users running a web server and/or allowing their customers to view graphs.) The below examples assume the bandwidth manager has an address of 207.252.1.110, and the machines allowed to connect are in the subnet 207.252.1.0/27 (netmask of 255.255.255.224).

* Create firewall rule(s) that enable only your local net, or individual machines, access to your system. This rule should be created on the interface you are connected to on the inside, unless you are running an ET/R1700 with the Failover hardware. Then you should create the rule on the administrative port.
Example: # bwmgr fxp0 -x 1000 -name IntAllow -fw -ipprot tcpconnect -saddr 207.252.1.0 -saddrmsk 255.255.255.224 -daddr 207.252.1.110

* On your external (outside) interface, create a firewall rule that denies ALL access to the IP address of your system. Or, if you are using the Failover hardware, create this rule on the administrative port. Leave room in your ruleset to create specific allow rules if you have an employee who needs to work on the machine remotely, or to allow traffic to a specific port (80) in the event that you allow your customers to view their graphs.

Example: # bwmgr fxp0 -x 1500 -name DenyAll -fw -ipprot tcpconnect -daddr 207.252.1.110 -priority FW-Deny
* Change the default passwords for admin, root, and the "admin" user in the ET/Admin GUI. This is less of a priority if you've already blocked external access to the machine, but it is still a good thing to do. If, for some reason, you do not block access to the bandwidth manager appliance, changing the passwords is an absolute requirement.

System Updates

Updating Your System Over the Internet:

Your system includes a 30 trial of our "Auto-Update" service, which allows you to automatically update your appliance with the latest code from our server. In order to use the update service, you will have to first register your system as previously described. If you do not receive your system promptly due to customs you can request that we extend the 30 day trial to account for the time lost. You MUST make this request BEFORE you register the system. Once you register the system we cannot extend the trial.

After 30 days, you can purchase the service for a fee (currently $250/year). This fee includes a new license key so that your key will work for the duration of the subscription. If you subscriptions lapses for more than 30 days (either your trial subscription or a yearly subscription), then the cost of the subscription increases by $100. When you receive a new key, either for a new auto-update subscription or extension, then you must register the new key, then start the BWMGR with the new key before starting the update. If you fail to do both of these steps, then the BWMGR may not start properly after the update.

Updating your system is accomplished via a button on the ET/ADMIN GUI. In the "Admin" section, you will see an link labelled "Upgrade System". Clicking on this link will give you two options. You can view the release notes for your OS, or you can press the "Check Versions" button which will connect to the upgrade server and compare your version to the one on the server. If you have a valid subscription and have registered the installation, you should see a listing of the software versions you are currently running, as well as the versions available on the update server. There are two software releases available. The "Stable" release is a version of the ET/BWMGR that has been in service for some time, and free of serious bugs. There is also the "Newest" release, which is of course the most recent version available. While we test these releases in-house (with special attention to functions that are new or have been changed), there are sometimes issues that do not manifest themselves until very specific conditions are encountered. If you do encounter any problems running the newest release, we recommend that you notify our support team. You can always "downgrade" to the Stable release if you encounter problems with the newest, however we recommend that unless you are prepared to monitor your system after upgrading, you consider using stable releases.

"View Upgrade Details" will list the available versions, display the release notes, and allow you to view the log of the last upgrade. It is highly recommended that you read all of the release notes available before upgrading your machine.

If, for any reason, the bandwidth manager cannot access the update server, you will not see any of the above information. Instead, you will see an error message explaining what failed, along with possible causes and solutions.

At times, (including during the release of new software), the update server may be unavailable. You will see a message indicating that the server is locked. Most maintenance takes less than one hour.

Once you begin an upgrade, it is very important that you do not interrupt it in any way, including closing your web browser, clicking the "stop" or "back" buttons, etc. If this does happen, the best thing to do is wait a few minutes, then go back to the update screen and start another upgrade. If the update reports that it has finished successfully, then you can reboot if necessary. A connection error most likely means that the previous update is still running. In this case you should keep trying at regular intervals until you see the update complete.

Update Subscription Notes:

In order to use your update subscription you will need to register the appliance on the IP address that will be used to obtain the updates. This implies that you cannot change the address of the machine, or the update server will not allow you access. If you need to change the address of the machine you will need to contact support and inform them of the move. You will then have to re-register the license key after we have authorized the change.

Reverting to the Previous Version:

If an upgrade fails, either because it was interrupted (by a user, by loss of network connectivity, or other failure), it is possible that the system may be in an unstable state. If you are unable to complete an upgrade, or if an upgrade appears to succeed and you then have serious problems after rebooting, you can use the "Revert" feature of the upgrade utility. Before each upgrade is begun, a backup of several key files (including the current kernel and BWMGR drivers/modules) is done, assuming the previous upgrade succeeded. This way, you always have a fallback to a known-good version. It is necessary to reboot the appliance after the reversion is complete. Note that configuration items, such as your rulesets, are not included in the reversion. To keep a copy of those and other files in a safe location, use the backup tool as explained in the next section.

Routine Maintenance

Monitoring System Status:

The "System and Server Status" is a useful tool for quickly checking the status of services on the appliance. This module is located in the "Administration" section of the ET/Admin GUI. When the module is selected, you will see a list of the configured monitors and the status for each. A green check icon indicates that the service is running. A red X icon indicates a service that has stopped or is not running. A black circle indicates a service that is not installed or configured.

Clicking on the name of each monitor will show an extended status. For example, clicking on "Bwmgrd Stats Daemon" will show the current status, usually "bwmgrd is running". If the service is not running, you should see the error message instead.

The monitor can also be configured to periodically check the configured services. Clicking the "Scheduled Monitoring" button will take you to the configuration menu. Make sure that "Scheduled checking enabled" is checked "Yes", and fill in the email notification section. Make sure you enter an email in the "Email status report to" field, and check the radio button to the left of this field.

The default setup has monitors configured for the MySQL database server, the bwmgrd stats collection daemon, the Apache webserver, and the Squid proxy server. Additional monitors can be configured, using the "Add Monitor of type" button after selecting the appropriate monitor from the pull-down list. One useful monitor type is "Disk Space". Select a partition and the minimum free space before creating the monitor. Assuming you have scheduled monitoring enabled, you will be emailed when free disk space on the selected partition is below this amount. Typically both /var and /usr partitions should be monitored.

Backup & Restore Overview:

The ET/R series servers allow the user to backup select portions of the Operating System, configuration files, and user data to either a local file, to a remote file via FTP, or a local ZIP drive. This feature is independent of the spare drive backup feature on appliances that support spare drives. There are three sets of files that can be backed up individually. We recommend making a backup of at least your ruleset and password information (the "Configuration" backup set) shortly after receiving the box and doing the initial configuration, as well as any time major changes are made to your BWMGR ruleset.

* Configuration Backup

Backs up the contents of /etc and /usr/local/etc/bwmgr/config. Includes all configuration options, such as usernames, passwords, BWMGR rulesets and graph configurations, IP address, DNS information, and others. Also included are copies of the databases used for ET/BWMGR rules (specifically, profiles, controls, and notifications). This set should be backed up soon after receiving the unit and configuring the rulesets, as well as any time major changes are made to rulesets or username/password files. Unlike the other two backup sets, this one will fit on a 1.44MB floppy disk.

* Database Backup

This set backs up the contents of the MySQL database, which holds the data for every rule that has statistics enabled. The BWMGR ruleset is also included in this set. A good candidate for a regular backup to a remote location, as this data changes continually. If you are not storing statistics, you may not want/need to back up this particular set.

* System File Backup

This backs up all system binaries, libraries, and configuration as well as users home directories. This backup should be performed only after system upgrades, since the files included shouldn't change often. This set does NOT include any BWMGR-related configuration files or data, but it does include binaries such as "bwmgr" "bwmgrd", etc.

Backing Up:

In the ET/ADMIN interface, view the "Admin" tab. Click the "Backup/Restore" link. You will be presented with a series of buttons: the first three, "Setup Files", "Data Files", and "System" are used to backup various parts of the system. The "Restore" button can be used to restore any backup previously made. When you click any of the backup buttons, you will see three buttons: "Change Destination", "Change Fileset", and "Start Backup". If you click on a backup set for the first time, you will be asked to use the "Change Destination" button to pick the location to store the backup contents. If you have not chosen a destination, clicking on the "Start Backup" button will display an error.

* Change Destination :

This leads to a menu that allows you to choose where the backup will be stored. You will see a list of possible backup destinations. Make sure the radio button next to your desired choice is selected before clicking on the "Save" button. If a backup location is unavailable, it will not be listed as a choice. When selecting a remote location (FTP), you must fill in all of the text fields with the proper information. To successfully transfer a file via FTP, you must enter the hostname of the FTP server, your username, password, and the directory where you wish to store the backup. If any of these fields are blank, the configuration will not be saved, and an error message(s) will indicate exactly what is missing. Clicking "Cancel" at any point will return to the main backup menu without saving any changes. Once the changes are successfully made, the browser will return to the main backup screen. Obviously, use of the FTP backup requires that you have access to an FTP server on another machine.

* Change Fileset :

*Note* This setup option should typically not be altered except by those users that are familiar with the layout of the filesystem structure and wish to add or remove files from the pre-defined backup sets. For each backup, clicking on this button will show two text boxes. The first, labelled "Include", is a list of all files and directories that will be added to the backup. The second, labelled "Exclude", is a list of files and/or directories that should NOT be a part of the backup (typically only used when an individual file in a directory that exists in the "include" list needs to be excluded from the backup). Only one box may be edited at a time. Click the "Save" button immediately underneath the text window to save your changes. Click "Cancel" to return to a previous menu without saving.

* Start Backup:

Clicking this button will begin the backup process. If you are backing up the configuration set to a floppy, please make sure that it is in the drive and not write-protected before starting the backup (Otherwise you will see a floppy error message). The same applies to the ZIP disk. Once the backup begins, please do not close the browser until the page has finished loading, otherwise the backup may fail or be cut short. The "System" backup will take a relatively long time to finish; regular reports will be printed that show the filesize of the backup in progress.
Once the backup file is created on the local drive, it will be transferred to the remote location if you have selected one. Regardless of the ultimate destination of a backup set (ZIP, FTP, etc) the file will also be stored in the default location for local backups: /usr/local/backup. For FreeBSD users, a "config" backup set would be stored in the file "/usr/local/backup/etbackup.config.tgz". Linux backups use a different filename - "/usr/local/backup/etbackupl.config.tgz" for the above example. So even if you backup a file and lose the ZIP drive you stored it on, it may still be on the local hard drive. This won't help in the event you have a hard disk problem, however; you'll need to restore from the remote location.

Restore:

Clicking on the "Restore" button will prompt you to pick which backup set you would like to restore. Select the set you would like to restore, and press the "Continue" button.
Now you will need to pick the location to restore from. This is handy if you've backed up to multiple locations, but otherwise only one will work properly. Naturally, the floppy disk option will only appear on "Configuration" backup sets, and the ZIP disk option will NOT appear on that set; nor will it appear on systems that do not have a ZIP drive installed.
From this screen, pressing "Restore!" will immediately begin the restore process, so take care to check that you've selected the right backup set. Of course, if you select a backup that doesn't exist (has not been backed up previously, or to a different location), an error will be displayed. You can use the "back" button on your browser or the "Return to Previous" button at the bottom of the page to return to an earlier restore menu. Since all backups are stored first on a local partition, selecting "local filesystem" as the restore location will restore from the last-backed up version of a backup set.
After a configuration or system restore, it is necessary you reboot the machine after the restore, since system binaries and libraries may have been updated.

Maintaining the Statistics Database - Purging Old Data:

Over time it will become necessary to remove older stats information from your database. This will prevent excessive disk usage and also keep the system running smoothly. The "cleardb" command-line utility can be used to clear older data from the database. "cleardb" takes a single option, which is the number of days of stats data to keep. So, for example, to keep only the last 20 days of stats data, you can issue this command:

# cleardb 20

Repairing a Broken Data Base

See Troubleshooting

Using the Recovery CD-ROM

The recovery CD-ROM allows you to boot your system and perform various functions, including repairing a hard drive crash, restoring files and even upgrading the base operating system on your drive. In the event of a physical drive failure, the CD-ROM will allow you to rebuild a system using a blank hard drive, and load it with the latest release.

If your appliance has a CD-ROM drive you can purchase a recovery CD-ROM from the Emerging Technologies website. If your appliance does not have a CD-ROM you may be able to add a CD-ROM drive to your system. Contact ET support to find out if you can ugrade your system.

Note that most of the recovery functions of the CD-ROM require an active auto-update subscription. If you don't currently have an update subscription you can buy a package which includes the CD-ROM and an update subscription.

Detailed instructions for using the recovery CD-ROM are available on the ET web site.

Support

Support is available by creating a support ticket on www.etinc.com. Telephone support is only available for critical, "system down" problems. When you send your email, please try to explain your problem in detail so that we can help you without having to ask you for more info. When sending files, please cut and paste them into the email rather than sending attachments. Support is generally available between 10am and 6pm M-F. Email is usually answered over the weekends whenever possible.

Troubleshooting

See the latest Troubleshooting Documentation.