Updated
Apr 13th, 2012
First Posted
Apr 13th, 2012

Bandwidth Management Appliance Manual

Getting Started

Unpacking and Setting up the system

In the box with your appliance, you will find a smaller box, which contains the printed version of this manual, the power cord(s), and any rack-mount accessories. If you have purchased support, you will also find a USB stick in this box. Do not format or erase this USB drive, as it has a bootable image for repair and recovery.

Making the Connections

Before making any connections, please refer to the Quick-Start Guide, a copy of which should have come with your appliance. This document will show you where your ports are located and how they are named.

Power Supply Requirements & Plug Locations:

All of the appliances currently sold (including ET/A1600, ET/R2400[W], ET/R2800[W], ET/R2816) have auto-switching power supplies which can accept 110v-220v AC input. The R2800[W] with redundant power supply option, and the ET/R2816 both have two power inputs. Both inputs should be connected to ensure proper operation in the event that one supply module fails. If a module does fail, you can remove the failed module (identifiable by an amber or red LED indicator) by pulling squeezing the tab and pull the module straight out from the back of the case. Should one of your power supplies fail, you can run the unit on one supply until you can obtain a replacement. The audible alarm can be silenced by removing the inoperative power supply module.

Booting the System

Your appliance should boot directly into the network configuration prompt, which will ask you to enter your password and IP address for remote management. If you have exited out of the configuration prompt and need to run it again, simply run this command on the command-line
# bwmgr_setup

Setting the Date and Time Zone:

Making sure the time zone is set correctly is crucial for users who are interested in storing statistics for rules. By default the time zone is set to US/Eastern, which may not be correct for your location. The time zone must be set both for the OS, and for PHP. The time zone should be set before changing the current system time & date. You can use the unix date(1) and tzsetup(8) commands, if you are familiar with those, or you may use the ET/Admin GUI to set it as follows:
Click on SysAdmin at the top of the ET/BWMGR GUI to access ET/Admin Log in as admin with the default system password you entered during system configuration Hover over Hardware, click on System Time, then click on the Change timezone tab. Select the correct local time zone from the list and click Apply. Next, click on Set time, enter the correct date and time for your location, and click Apply.
Settng the time zone in PHP Add an entry to /usr/local/lib/php.ini, using the time zone that you configured using tzsetup. Here are some examples:
date.timezone="America/New_York" date.timezone="Africa/Dar_es_Salaam" date.timezone="Asia/Dhaka"
You can see the available system time zones by running this command:
find /usr/share/zoneinfo This will return a list of available time zones in the REGION/LOCALE format

Using the ET/BWMGR

Starting with your License

If you have purchased a Bandwidth Management Appliance from Emerging Technologies, then your license is pre-installed. If you have upgraded or installed a new image, then you may have to relicense the hardware using the bwmgr_license utility. See the USB Appliance Installation guide for more information.

Connecting to the System from a Network

Once you complete the initial configuration, most configuration tasks can be done via the HTML interface. If you need to get into the command line interface, you can access the console remotely via either Telnet or SSH. Telnet vs SSH: Both Telnet and SSH require the use of a program on the client end to connect. There is a Telnet client included as part of most Windows installations. For security reasons, you cannot log in directly as "root" when you access the console remotely. When connecting with Telnet or SSH, you will have to first log in as the "admin" user. Once logged in, you can use the "su" command to become the super-user (root) to perform administration tasks or use the ET/BWMGR tools:
# su -
Telnet is a plain-text protocol while SSH encrypts all communications between the client and the server, including password authentications. This is intended to prevent password sniffing. SSH also provides host authentication via a host key, which is stored by the client the first time it connects to a server, and verified at the beginning of each connection. If the host key changes for any reason, SSH will warn the user and refuse to connect unless they take manual action. This reduces the possibility of someone hijacking an IP address and attempting to steal passwords. Telnet and SSH are configured and accessable on the unit by default. It is recommended, especially if you or your staff may be accessing the system from outside your local network, that you use an SSH client to connect. Different clients may have different interfaces (particularly from a Windows Box), but from a standard unix system you can access the system remotely via telnet with the command:
# telnet a.b.c.d
where a.b.c.d is the address to use. If successful, you should see a login prompt. Again, you cannot log in as "root" when accessing the system from a network (via Telnet or SSH). so you should log in using "admin" with the appropriate password. Then you can use the "su" program to change to super-user ("root" is super-user by default) as follows:
$ su - password: ****** ET/R2816#
Don't forget the "-" option, which allows you to inherit the root user's paths, so the system and BWMGR programs can be run without using full pathnames. To access the system via ssh, enter a command similar to the following:
# ssh admin@a.b.c.d

Setting up the Hard Drive Backup System

On appliances with two or more drive bays, the additional drives can be used for backups. Disks are numbered from left to right: looking at the front of the case, the main disk is always installed in the left-most drive bay, and the first backup disk immediately to the right. On a newly purchased appliance, any backup disks will have a copy of the main disk as it was shipped. Appliances purchased with the "Quad Drives" option shipped after March 2013 will have a rotating (odd/even day) backup on drives 2 and 3, with disk 4 as a "factory-fresh" backup.

Modifying the Backup Schedule

: You may enable, disable, or alter the backup schedule. In the ET/Admin GUI, select System and then click on Scheduled Cron Jobs. You will see a table with the list of commands and the status for each. Look for the command "/usr/local/bin/diskutil". To change the status or configure the time(s) at which the backup occurs, click on the command name. At the "Edit Cron Job" menu, you can turn the backup on or off by clicking "Yes" or "No" at the top. In the "When to Execute" box, you can select the time(s) at which the backup will be run. The backup jobs can be enabled as-is, or modified to run at a time of your choosing. By default, the first disk is used as a daily backup, at 4:51 AM on odd-numbered days. The second disk is is configured to back up at 4:51 AM on even-numbered days. The fourth disk is reserved for elective or manual back-ups. You could back-up every month, or simply back-up before system changes, like a large-scale change to your rules, or a software upgrade. If you have multiple back-ups configured that could be run on the same day (for example, odd-numbered days and the 1st of the month,) it is recommended that you choose different times for each job, to avoid running two backup jobs at the same time.

Checking the status of Backups

You can check the status of the backups by viewing the log file "/var/log/diskutil.log". Also note that an email is sent to the "root" user whenever a backup job is run by "cron".

What to do if your main Hard Drive Fails

  • Halt and power-down the appliance, if it is not already powered off.
  • Remove the main drive. Appliances will typically have a button-and-lever release on the front of the drive bay that will allow the drive to be removed.
  • Remove the spare drive, using the same procedure.
  • Insert the spare drive into the primary drive bay, using the lever to lock it into place.
  • Boot the appliance.

Initializing a new backup hard drive

If you have an older appliance with IDE disks, then you must power-off the appliance before installing the replacement drive. SATA drives can be installed while the appliance is running, but cannot be accessed until the OS detects their presence. Once the drive is detected, run the following commands as the "root" user:
# diskutil list Make sure the new drive is listed before proceeding. Our example is "ada1". # diskutil build ada1 This will partition and format the spare disk named "ada1". Once this is done, scheduled back-ups will proceed normally.
FreeBSD 9.1 will auto-detect a drive shortly after it is inserted, while FreeBSD 7.0 will require that the controller be reset. As an example, here are the commands to reset drives number 2, 3, and 4 on an ET/R2800 appliance.
These steps are not necessary on a FreeBSD 9.1 appliance: # atacontrol list This will output all controllers and detected disks. You will have to interpolate from the controller # for each detected drive what controller your newly inserted drive is on. For example, if "ad0" is on controller #4, and "ad2" is on controller #6, then "ad1" is likely on controller #5. # atacontrol detach ata5 # atacontrol attach ata5 # atacontrol detach ata6 # atacontrol attach ata6 # atacontrol detach ata7 # atacontrol attach ata7

Other Configuration Options

Bandwidth Reports

Creating the "bwdata" table

Before you can use Bandwidth Reports, you must enable a secondary storage of stats information in the MySQL database. This allows for quick access to the required data for the applications that need it. You can create the necessary tables using the buildbwdata command.

Enabling bwdata storage

There are two ways to store data in bwdata. The first way is to run buildbwdata at intervals, for example, once every hour. This is very efficient, but the reports will lag up to 1 hour behind actual usage. This can be done by enabling a schedule task in "cron". The second way is to enable storing of stats every time the stats are updated (every 5 minutes). Visit the "Settings" tab in the ET/BWMGR GUI, turn on the "Enable BWdata" setting, then click on "Save Settings".

DHCP Server

The DHCP server requires the use of the BPF interface, which is disabled by default for performance reasons. BPF can be enabled by running the following command as the "root" user on the console or SSH login:
# sysctl net.link.bwmgr.bpf_enable=1

Configuring your appliance as a router:

Appliance units with multiple ethernet interfaces are configured as a bridge by default. Here are the steps you must take on a factory-fresh ET machine to enable routing: From the ET/ADMIN interface, select the "Bandwidth" link on the left, then click on "Setup Bridging" icon. You will see a list of the interfaces and their bridging status in the "ifac" column. . For each interface, click on the interface name, and change the bridging mode to "disabled", then click on "submit". Now that you've disabled bridging, you must enable routing. From the main ET/ADMIN menu, select the "Network" tab, then "Network Configuration". Follow the instructions above on IP configuration to set the IP address for each interface. The next and final step is to use the "Routing and Gateways" tool to enable IP forwarding. Find the line "Act as Router?", and check "yes". Make sure that the default router for the machine is set properly, then click on "save". You will then have to reboot the system. As noted above, using a machine with the -FO failover ethernet option as a router renders the failover function useless, so it's recommended that you not do this.

Changing the ET/BWMGR GUI Password

The ET/BWMGR GUI is on the default www port of your appliance, and this is where you add and maintain your bandwidth rules. If you want to change your password, click on the "Users" tab, and either select a user to edit, or add a new one. You will note that there are 2 user roles: Administrator, and Readonly. The Administrator user role has full access to all functions of the ET/BWMGR GUI. The readonly can look at the settings, but cannot change them. If you have forgotten your ET/BWMGR GUI password, you can apply a new one from the command-line, assuming you have root access to the console or SSH. # bwmgr guipassword newpassword

Changing the ET/ADMIN Password:

As of ET/BWMGR v5.0, the ET/Admin GUI is used for system administrator functions only, so access should only be granted to internal staff who need to use certain functions. There is no need to provide ET/Admin access to users who are working on the ET/BWMGR ruleset, or viewing graphs, etc. The ET/ADMIN password for the default user "admin" can be changed by clicking on "Administration" and selecting "ET/Admin Users", then clicking on the user "admin" in the left column. The second line is the new password entry form. Click "set to", enter the new password, then click on "save". You will then receive an "invalid login" message. Login to ET/ADMIN using the new password. Note that the user names for the system (which are used for Telnet/SSH and logging in at the console, for example), are not the same. The GUI has its own user/password combinations that are by default unrelated to the normal system users and passwords. In reality, there are 2 distinct "admin" users: one for the ET/ADMIN interface, and one for the system. The passwords for the 2 must be set independently. The "admin" login to the ET/ADMIN interface is the equivalent of "root" and has full access to change aspects of the operating system (known as superuser privileges). The other "admin" is the Unix user, which is simply used when connecting to the system using telnet or SSH. See the example for connecting via telnet and using the su command to become the superuser.

Changing the System Passwords

The password for the default "admin" and "root" user is set when you first log in to the machine. If you need to change your passwords, this can be accomplished by clicking on "Users and Groups" under the "System" tab. Click on each user, then select "Clear-text password", and type the new password in the field. When you click "save", the password will be encrypted and updated. Note that you can also use this area to add new users to the system and to manage their passwords. This menu ONLY changes system passwords. Changing the "Admin" user in this menu will only affect telnet and SSH access, not the ET/ADMIN GUI.

Notes on the Failover Watchdog Timer:

If your system has the ET/Bypass Failover option installed, then there is a program called "bypassd" which monitors your system's "sanity" and informs the failover hardware that the system is working properly. If the system fails, or if the bypassd daemon stops running, the failover hardware will connect the 2 ethernet ports, allowing traffic to flow. You can manually take the system offline to do maintenance with the Failover GUI function (located under the main "Admin" tab in the ET/ADMIN HTML interface). It is also recommended you take the unit offline before performing any upgrade.

Recovering Lost Passwords

Again, there are two types of passwords; system passwords and ET/ADMIN passwords. If you can log in via telnet or SSH, but are unable to access the GUI as user "admin", do the following. SSH (or telnet) to the appliance as "admin", then su to become root. At the prompt:
# cd /usr/local/webmin # perl changepass.pl /etc/webmin admin password
This will change the "admin" user's password to password. If you are trying to change the password for a different ET/ADMIN user, simply replace "admin" with the correct username. If, however, you are able to access the ET/ADMIN but not able to access the system via telnet or SSH, then you can change the system passwords via the ET/ADMIN as described above.

Other Appliance Functions

Using SSL Encryption with the graphical interface:

If you are using a browser that supports secure connections via SSL, then you may wish to enable SSL in the web interface. Click on the "Admin" tab, then select the "Admin Configuration" icon. Select the "SSL Encryption" icon. Check the top box to enable SSL encryption, then click "save". You may have to log in to the ET/ADMIN again. Your browser may also pop up several notices about expired certificates. Accept the certificates and continue. Much like SSH, SSL encrypts the web traffic generated by the ET/ADMIN interface, including initial password authentication, and is recommended for all remote access. Please note that when connecting directly to the ET/ADMIN interface with SSL enabled, you must use the "https://host.name:10000". Using the "http://" prefix (or no prefix) will not connect properly (generally with a "connection reset by peer" error message). If you are using Apache redirects make sure your redirect has the appropriate prefix.

Enabling and disabling snmpd (and other services):

Enabling or disabling any service can be done via the ET/ADMIN interface. Find the line in /etc/rc.local that pertains to the service you wish to modify, and either add or remove the # character to disable/enable the service at boot time.

Checking System Processes:

You can see a list of the active processes running on the system by connecting to the ET/ADMIN interface, and going to System Functions -> Running Processes bwmgrd must be running in order for the statistical gathering capabilities of the bwmgr to be utilized. It should be enabled by default. If bwmgrd is not running, it may be because the bwmgr is not running. This can be verified by selecting the "Bandwidth Manager" link, and noting the status of the bwmgr software.

Rebooting the System

From the main ET/ADMIN menu, select the "Admin" tab, then the "Reboot and Shutdown" icon. Clicking on "Shutdown" will halt the machine. To boot the machine after halting requires either a hard reset or "ctrl-alt-delete" from a keyboard. Clicking on "Reboot" will restart the machine. Both options will prompt for confirmation before actually bringing the system down.

Post-Configuration Security

Once you have your system configured and running in a stable manner, there are a few simple steps you can and should take to ensure that only authorized users can access the system. These appliances are not meant to be accessable by the internet at large, except in specific cases (for example, those users running a web server and/or allowing their customers to view graphs.) The below examples assume the bandwidth manager has an address of 207.252.1.110, and the machines allowed to connect are in the subnet 207.252.1.0/27 (netmask of 255.255.255.224). * Create firewall rule(s) that enable only your local net, or individual machines, access to your system. This rule should be created on the interface you are connected to on the inside, unless you are running an ET/R1700 with the Failover hardware. Then you should create the rule on the administrative port. Example: # bwmgr fxp0 -x 1000 -name IntAllow -fw -ipprot tcpconnect -saddr 207.252.1.0 -saddrmsk 255.255.255.224 -daddr 207.252.1.110 * On your external (outside) interface, create a firewall rule that denies ALL access to the IP address of your system. Or, if you are using the Failover hardware, create this rule on the administrative port. Leave room in your ruleset to create specific allow rules if you have an employee who needs to work on the machine remotely, or to allow traffic to a specific port (80) in the event that you allow your customers to view their graphs. Example: # bwmgr fxp0 -x 1500 -name DenyAll -fw -ipprot tcpconnect -daddr 207.252.1.110 -priority FW-Deny * Change the default passwords for admin, root, and the "admin" user in the ET/Admin GUI. This is less of a priority if you've already blocked external access to the machine, but it is still a good thing to do. If, for some reason, you do not block access to the bandwidth manager appliance, changing the passwords is an absolute requirement.

Routine Maintenance

Monitoring System Status:

The "System and Server Status" is a useful tool for quickly checking the status of services on the appliance. This module is located in the "Administration" section of the ET/Admin GUI. When the module is selected, you will see a list of the configured monitors and the status for each. A green check icon indicates that the service is running. A red X icon indicates a service that has stopped or is not running. A black circle indicates a service that is not installed or configured. Clicking on the name of each monitor will show an extended status. For example, clicking on "Bwmgrd Stats Daemon" will show the current status, usually "bwmgrd is running". If the service is not running, you should see the error message instead. The monitor can also be configured to periodically check the configured services. Clicking the "Scheduled Monitoring" button will take you to the configuration menu. Make sure that "Scheduled checking enabled" is checked "Yes", and fill in the email notification section. Make sure you enter an email in the "Email status report to" field, and check the radio button to the left of this field. The default setup has monitors configured for the MySQL database server, the bwmgrd stats collection daemon, the Apache webserver, and the Squid proxy server. Additional monitors can be configured, using the "Add Monitor of type" button after selecting the appropriate monitor from the pull-down list. One useful monitor type is "Disk Space". Select a partition and the minimum free space before creating the monitor. Assuming you have scheduled monitoring enabled, you will be emailed when free disk space on the selected partition is below this amount. Typically both /var and /usr partitions should be monitored. Repairing a Broken Data Base See Troubleshooting

Using the Demo/Installation USB Flash Drive

The USB Demo image allows you to boot your system and perform various functions, including repairing a hard drive crash, restoring files and even upgrading the base operating system on your drive. In the event of a physical drive failure, it can be used to rebuild a system using a blank hard drive, and load it with the latest release. Note that most of the recovery functions of the USB Demo image require an active auto-update subscription. If you received a USB stick with your appliance, it has a factory-fresh installation on it, ready for recovery. If you are using a new stick, or you wish to update the software on the existing stick, you can run a backup to the stick like this:
# backup da0 full (Do a full backup)
If you need to format or initialize a USB stick, this is the command:
# backup da0 build auto
a 2GB or higher capacity stick is needed for use in this fashion, and a 4GB+ may be required for full backups.

Support

Support is available by creating a support ticket on www.etinc.com. When you create your ticket, please try to explain your problem in detail so that we can help you without having to ask you for more info. When sending files, please cut and paste them into the ticket rather than sending attachments. Support is generally available between 10am and 6pm M-F. Tickets are usually answered over the weekends whenever possible.

Troubleshooting

See the latest Troubleshooting Documentation.
Add Comment

Next: Redundant Bandwidth Management Appliances