Moxa UC-8100A-ME-T-LX Setup

This page details the steps to set up a Moxa UC-8100A-ME-T-LX for MQTT Transmission so that communications are reliable and consistent.

Standard Setup

Firmware Updates

To check the firmware version of the Moxa, run the following command via SSH (the default login is moxa/moxa):

kversion -a

If the device has the Custom-QTC firmware loaded, it most likely has ThingWorks installed, which allows configuration through LAN 2 on IP 192.168.4.127. LAN 1 is configured as the WAN port and by default has the static IP 192.168.3.127. Any network or serial port configuration done via SSH is overwritten by the web interface on every reboot; only the Ignition installation needs to be done via SSH.

Upgrade the firmware using the following commands if using the non-custom firmware image:

sudo apt update
sudo apt install -y uc8100a-me-base-system
sudo reboot

Software Updates

Upgrade the other software on the unit after it reboots with these commands:

sudo apt update
sudo apt upgrade -y

Network Configuration

If using a model without ThingWorks, configuration of network ports is done via the command line (SSH).

To change the network configuration, run the following command:

sudo nano /etc/network/interfaces

By default the portion of the configuration for the network ports will be as follows:

iface eth0 inet static
        address 192.168.3.127
        network 192.168.3.0
        netmask 255.255.255.0
        broadcast 192.168.3.255
iface eth1 inet static
        address 192.168.4.127
        network 192.168.4.0
        netmask 255.255.255.0
        broadcast 192.168.4.255

To change the static IP to a different static IP and add a gateway, modify it as follows (adjust addresses as necessary):

iface eth0 inet static
        address 10.10.4.13
        network 10.10.4.0
        netmask 255.255.255.0
        gateway 10.10.4.1
        broadcast 10.10.4.255
iface eth1 inet static
        address 192.168.4.127
        network 192.168.4.0
        netmask 255.255.255.0
        broadcast 192.168.4.255

To set up the top Ethernet port (eth0) for DHCP, modify the file as follows:

iface eth0 inet dhcp
#        address 192.168.3.127
#        network 192.168.3.0
#        netmask 255.255.255.0
#        broadcast 192.168.3.255
iface eth1 inet static
        address 192.168.4.127
        network 192.168.4.0
        netmask 255.255.255.0
        broadcast 192.168.4.255

If you need to renew a DHCP address, run the following command:

sudo dhclient eth0

The trailing "eth0" restricts the renewal to interface eth0 only.

To do a thorough release and renew, run these 2 commands instead:

sudo dhclient -r eth0
sudo dhclient eth0

To configure DNS, set up the DNS servers by editing the /etc/resolv.conf file:

sudo nano /etc/resolv.conf

Modify the file to look like below to use Cloudflare and Google DNS servers, or modify to use your own (add or remove lines as necessary):

nameserver 1.1.1.1
nameserver 8.8.8.8

Serial Port Communications

To check the serial port configuration, run the following commands to view the current modes of serial ports 1 and 2 (mx-uart-ctl numbers them 0 and 1):

sudo mx-uart-ctl -p 0
sudo mx-uart-ctl -p 1

To set both serial ports to RS-485 2-wire, run the following commands:

sudo mx-uart-ctl -p 0 -m 1
sudo mx-uart-ctl -p 1 -m 1

For other modes, see the following table:

Mode #    Operation Mode
(blank)   Display current mode
0         RS-232
1         RS-485 2-Wire (Half Duplex)
2         RS-422/RS-485 4-Wire (Full Duplex)

To have the port modes applied automatically at boot, edit the /etc/rc.local file:

sudo nano /etc/rc.local

Now, add the following lines just before the "exit 0" line:

# Set the serial ports to RS-485 2-Wire
sudo mx-uart-ctl -p 0 -m 1
sudo mx-uart-ctl -p 1 -m 1

Time Synchronization

These Moxa units appear to have a bug that prevents the NTP service from keeping correct time.

If the following command does not show the service as running, or prints a warning or error, time synchronization is most likely broken:

sudo service systemd-timesyncd status

This can be fixed by removing the executable permission from /usr/sbin/ntpd with the following command:

sudo chmod -x /usr/sbin/ntpd

Then you need to either reboot or start the time synchronization service with the following command:

sudo service systemd-timesyncd start

To set the timezone to Central time, run the following commands:

sudo rm /etc/localtime
sudo ln -s /usr/share/zoneinfo/US/Central /etc/localtime

Advanced Setup

IPTables Firewall for Protecting SSH

Create firewall rules for our custom ICS-INPUT path:

sudo nano /etc/iptables/ics-up.rules

Your file should look something like this:

*filter
-N ICS-INPUT
-A INPUT -j ICS-INPUT
-A ICS-INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A ICS-INPUT -i eth0 -p tcp --dport 22:22 -j REJECT
-A ICS-INPUT -j RETURN

COMMIT

Create firewall rules for our custom ICS-INPUT path:

sudo nano /etc/iptables/up.rules

Your file should look something like this:

*filter
-N ICS-INPUT
-A INPUT -j ICS-INPUT
-A ICS-INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A ICS-INPUT -i eth0 -p tcp --dport 22:22 -j REJECT
-A ICS-INPUT -j RETURN

COMMIT

Finally, to make sure SSH stays blocked when network ports connect and disconnect, add a file to the if-pre-up.d folder so the iptables rules are restored just before a network port comes up:

sudo nano /etc/network/if-pre-up.d/iptables

Your file should look something like this:

#!/bin/sh
/sbin/iptables-restore < /etc/iptables/ics-up.rules

Now, make the file executable:

sudo chmod +x /etc/network/if-pre-up.d/iptables

Port Knocking

Install KnockD with the following command:

sudo apt install -y knockd

Enable the service with this command:

sudo systemctl enable knockd

Enable KnockD at startup by editing the following file, setting START_KNOCKD=1 and making sure the Ethernet port used for port knocking is specified:

sudo nano /etc/default/knockd

Your file should look something like this:

################################################
#
# knockd's default file, for generic sys config
#
################################################

# control if we start knockd at init or not
# 1 = start
# anything else = don't start
#
# PLEASE EDIT /etc/knockd.conf BEFORE ENABLING
START_KNOCKD=1

# command line options
KNOCKD_OPTS="-i eth0"

Next, edit the port knocking configuration as follows:

sudo nano /etc/knockd.conf

Your file should look something like this (modify for your selected TCP/UDP port combinations):

[options]
        UseSyslog

[SSH]
        sequence       = 54970:udp,33520:udp,12547:udp,45264:udp,23685:udp
        seq_timeout    = 15
        tcpflags       = syn
        start_command   = /sbin/iptables -I ICS-INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        cmd_timeout     = 30
        stop_command    = /sbin/iptables -D ICS-INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

Finally, to make sure port knocking keeps working when network ports connect and disconnect, add a file to the if-up.d folder to restart knockd when a network port comes up:

sudo nano /etc/network/if-up.d/knockd

Your file should look something like this:

#!/bin/sh
systemctl restart knockd

Now, make the file executable:

sudo chmod +x /etc/network/if-up.d/knockd
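The firewall rules file and knockd.conf above only work together if they agree: knockd must insert its ACCEPT rule into the chain the rules file creates, and the ESTABLISHED,RELATED accept must precede the SSH reject or the knock-opened session drops when stop_command runs. The following script is an added example (not part of the Moxa documentation or the knockd project) that checks both files for these conditions before they are restored at boot; the file paths are arguments and default to none.

```shell
#!/bin/sh
# Added sanity check (not from the Moxa docs): verifies that the iptables rules
# file and knockd.conf fit together before they are restored at boot.
# Usage: sh check-ssh-lockdown.sh /etc/iptables/ics-up.rules /etc/knockd.conf

# Chains the rules file creates with -N.
rules_chains() {
    awk '$1 == "-N" { print $2 }' "$1"
}

# Chains that knockd's start_command/stop_command insert into or delete from.
knock_chains() {
    awk '/^[[:space:]]*(start|stop)_command[[:space:]]*=/ {
        sub(/^[^=]*=[[:space:]]*/, "")
        n = split($0, f, /[[:space:]]+/)
        for (i = 1; i < n; i++)
            if (f[i] == "-I" || f[i] == "-A" || f[i] == "-D") print f[i + 1]
    }' "$1" | sort -u
}

# Returns 0 when the pair is consistent; prints each problem found and returns 1.
check_ssh_lockdown() {
    rules=$1; knock=$2; ok=0
    # iptables-restore rejects a table that is not terminated by COMMIT
    grep -q '^COMMIT$' "$rules" || { echo "no COMMIT in $rules"; ok=1; }
    # SSH arriving on the WAN port (eth0) must be rejected
    grep -q -- '^-A ICS-INPUT -i eth0 -p tcp --dport 22' "$rules" \
        || { echo "no rule rejecting SSH on eth0 in $rules"; ok=1; }
    # The ESTABLISHED,RELATED accept must precede the reject, otherwise the
    # session opened by a knock is cut off when stop_command removes the ACCEPT
    est=$(grep -n -- '--ctstate ESTABLISHED,RELATED -j ACCEPT' "$rules" | cut -d: -f1 | head -n 1)
    rej=$(grep -n -- '--dport 22' "$rules" | cut -d: -f1 | head -n 1)
    if [ -z "$est" ] || [ -z "$rej" ] || [ "$est" -ge "$rej" ]; then
        echo "ESTABLISHED,RELATED accept must come before the SSH reject"; ok=1
    fi
    # knockd must insert into a chain the rules file actually creates; a typo
    # here makes start_command fail and the knock silently does nothing
    for c in $(knock_chains "$knock"); do
        rules_chains "$rules" | grep -qx "$c" \
            || { echo "knockd.conf uses chain $c, which $rules does not create"; ok=1; }
    done
    return $ok
}

if [ "$#" -ge 2 ]; then
    check_ssh_lockdown "$1" "$2"
fi
```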