KNX IP Interface Remote en
KNX IP Interface Remote en
KNX IP Interface Remote en
WEINZIERL ENGINEERING GmbH Achatz 3 DE-84508 Burgkirchen Tel. 08677 / 91 636 0 Fax 08677 / 91 636 19 E-mail: [email protected] Web: www.weinzierl.de
EN Page 1/13
Table of contents
1 2 Introduction ................................................................................................................................. 3 Remote access with NAT ......................................................................................................... 3 2.1 Network Address Translation (NAT)............................................................................... 3 2.2 Example of a configuration .............................................................................................. 3 2.2.1 Structure ..................................................................................................................... 3 2.2.2 Settings in the DSL router ........................................................................................ 4 2.2.3 IP configuration of the KNX IP Interface ................................................................ 5 2.2.4 Establishing a connection with the ETS ................................................................ 6 3 Remote access via a VPN ....................................................................................................... 7 3.1 Virtual Private Network (VPN) ......................................................................................... 7 3.1.1 Introduction ................................................................................................................. 7 3.1.2 Site-to-end .................................................................................................................. 7 3.1.3 Site-to-site................................................................................................................... 7 3.2 Remote access to a KNX/IP router using the DrayTek Vigor2200Eplus as an example........................................................................................................................................... 7 3.2.1 Configuration of the VPN server ............................................................................. 7 3.2.2 Configuration of the VPN client under Windows XP .......................................... 10 3.2.3 Accessing the remote KNX IP device with the ETS........................................... 13 3.2.4 Alternatives ............................................................................................................... 13
Versions
Document version Draft Review Added: KNX IP Linemaster 760 Changed: Formatting Added KNX IP BAOS 772 Date 18 February 2009 04 March 2009 17 June 2010 08 November 2011 Editor F. Heiny F. Heiny F. Heiny S. Matsche
EN Page 2/13
1 Introduction
This document describes how remote access can be established to a KNX installation via the Internet by means of the ETS. Remote access can be achieved using either NAT (Network Address Translation) or VPN (Virtual Private Network). Any device that supports KNXnet/IP tunnelling can be used for remote access. These devices are the KNX IP Interface 730, KNX IP Router 750, KNX IP Linemaster 760 and KNX IP BAOS 770. In this document, they will be collectively referred to as "KNX IP devices".
Internet
Switch
IP addr.: 192.168.1.30
IP addr.: 192.168.1.1
LAN Subnet: 255.255.255.0 IP addr.: 192.168.1.10 KNX IP Router 1.1.0 EIB/KNX EIB/KNX 1.1.10 1.1.11 2.1.1 2.1.2 2.1.10 2.1.11 IP addr.: 192.168.1.11 KNX IP Router 2.1.0
1.1.1 1.1.2
Figure 1: KNX installation The diagram above shows a typical KNX installation that is connected to the Internet via a DSL router: Two TP lines are connected to each other via two KNX IP routers. These KNX IP routers were assigned IP addresses from the local network. The DSL router needed for Internet access has a fixed local IP address (192.168.1.1) and a public IP address (here, 84.145.85.60), which is assigned by the Internet provider. Generally, the public IP address is dynamic, meaning that it is reassigned every time an Internet connection is reestablished.
EN Page 3/13
KNX IP Interface: remote access 2.2.2 Settings in the DSL router In the DSL router, forwarding must be set up under the "NAT" item. For this, a port (standard: 3671) and an IP address (local IP address of the KNX IP device, e.g. 192.168.1.10) must be specified. Afterwards, all telegrams that are received from the Internet and are directed to port 3671 are forwarded to the specified KNX IP device.
EN Page 4/13
KNX IP Interface: remote access 2.2.3 IP configuration of the KNX IP Interface Since the IP address of the KNX IP device must be known, manual configuration is recommended. The IP address (192.168.1.10), subnet mask (255.255.255.0) and gateway IP address (192.168.1.1) must be specified.
EN Page 5/13
KNX IP Interface: remote access 2.2.4 Establishing a connection with the ETS
Figure 6: ETS Connection Manager A separate connection should be created for remote access, such as "IP (NAT)" in the example shown here. Select "KNXnet/IP" for the type. In the "IP address" field, enter the public IP address of the remote KNX installation. The port (3671) specified here must be the same as the one contained in the DSL router settings. Important: The "NAT mode" box must be checked. Note: The IP address must be entered manually since the devices cannot be scanned via the Internet. Remote access by means of NAT requires at least ETS 3.0f.
EN Page 6/13
3.2 Remote access to a KNX/IP router using the DrayTek Vigor2200Eplus as an example
3.2.1 Configuration of the VPN server This example shows how a VPN connection is set up with the PPTP protocol (Point-ToPoint Tunnelling Protocol). Alternatively, a VPN connection can be established via L2TP over IPsec (Layer 2 Tunneling Protocol). Descriptions are only provided for those pages on which settings need to be made. The following figure shows the main menu of the DrayTek router.
EN Page 7/13
KNX IP Interface: remote access Select the "VPN and Remote Access Setup":
Figure 8: VPN and Remote Access Setup Select the "Remote User Profile Setup (Teleworker)". The next dialogue box shows a table in which various accounts can be created:
Figure 9: Remote User Profile Setup (part 1) Select an account. The following box appears:
EN Page 8/13
Figure 10: Remote User Profile Setup (part 2) Activate the account using "Enable this account". Create a "Username" with the associated "Password". Select the protocol under "Allowed Dial-In Type". Several protocols can be activated if necessary. In this example, only "PPTP" is used.
EN Page 9/13
KNX IP Interface: remote access 3.2.2 Configuration of the VPN client under Windows XP Select "Create a new connection" in the Network Connections. In the dialogue box that opens, select "Connect to the network at my workplace".
Figure 11: Network Connection Type In the next box, select "Virtual Private Network connection".
Figure 12: Network Connection The connection should be assigned a meaningful name:
EN Page 10/13
Figure 13: Connection Name To reach the VPN server, its IP address must be entered. Because many DSL connections have a dynamic IP address, it must be determined first. A service such as "DynDNS" can be used instead. In this case, the corresponding name must be entered instead of the IP address.
Figure 14: VPN Server Selection Before the connection is established, the password must be entered in addition to the user name. These must be identical with the entries in the VPN server.
EN Page 11/13
Figure 15: Connection establishment After the connection is established, the client is assigned an IP address from the range of the remote private network.
EN Page 12/13
KNX IP Interface: remote access 3.2.3 Accessing the remote KNX IP device with the ETS Multicast telegrammes are used to search for a KNX IP device. Because the VPN hardware (DrayTek Vigor 2200Eplus) does not allow these to pass, the IP address of the KNX IP device must be known.
Figure 16: ETS Connection Manager The IP address and the port of the KNX IP device must be entered in the communication parameters. If a VPN connection is active, the KNX IP device can be accessed. 3.2.4 Alternatives Apart from the DrayTek Vigor2200Eplus used in this example, a VPN can be built with other devices as well. Devices of this type are available from Linksys, Netgear and AVM (Fritzbox). Either an embedded solution or a PC with "OpenVPN can be used.
EN Page 13/13