Updated: Nov 30th, 2013
First Posted: Nov 30th, 2013

ET/BWMGR Appliance Manual

Getting Started

Unpacking and setting up the system

In the box with your new appliance, you will find a smaller box or bag containing the printed Quick-Start Guide, the power cord(s), and rack-mount accessories [note: the mini appliances do not ship with rails]. If you have purchased support, you should find a USB flash drive along with the other accessories. Do not format or erase this USB drive, as it has a bootable, factory-fresh appliance image installed, which is useful for disaster recovery or re-installation of the appliance.

Power Supply Requirements

All of the appliances currently sold (including ET/A1600, ET/R2400[W], ET/R2800[W], ET/R2816) have auto-switching power supplies which can accept 110v-220v AC input. The R2800[W] with the redundant power supply option and the ET/R2816 both have two power inputs. Both inputs should be connected to ensure proper operation in the event that one supply module fails. If a module does fail, you can remove the failed module (identifiable by an amber or red LED indicator) by squeezing the tab and pulling the module straight out from the back of the case. Should one of your power supplies fail, you can run the unit on one supply until you can obtain a replacement. The audible alarm can be silenced by removing the inoperative power supply module.

Making the Connections

The very first thing to do when setting up a new appliance is to follow the Quick-Start Guide, which shows how to make the connections for your new appliance, and set your passwords and management IP address. Once you have finished the initial set-up, return to this document for more advanced information. In particular, you must set up the time zone on your appliance before you can properly use the bandwidth usage graphs and stats.

Accessing the ET/BWMGR GUI

You can access the Graphical User Interface by accessing the system via HTTP on the default address (http://IP_ADDRESS). If you've set up a host name for the system, you can access it via the base root address.

Starting the ET/BWMGR

If you have purchased an appliance, your license should already be installed, and the ET/BWMGR will be running. If you have purchased a license for your own hardware, you will need to install the license and start the ET/BWMGR. For specific instructions on how to generate a request and install the license, see the License instructions.

Accessing the Command-Line Interface

Most configuration tasks can be done via the HTML interface (aka GUI). If you need to get into the command line interface, you can access the console remotely via either Telnet or SSH.
Telnet vs SSH: Both Telnet and SSH require the use of a program on the client end to connect. For security reasons, you cannot log in directly as "root" when you access the console remotely. When connecting with Telnet or SSH, you will have to first log in as the "admin" user. Once logged in, you can use the "su" command to become the super-user (root) to perform administration tasks or use the ET/BWMGR CLI.
# su -
Telnet is a plain-text protocol, while SSH encrypts all communications between the client and the server, including password authentications. This is intended to prevent password sniffing. SSH also provides host authentication via a host key, which is stored by the client the first time it connects to a server, and verified at the beginning of each connection. If the host key changes for any reason, SSH will warn the user and refuse to connect unless they take manual action. This reduces the possibility of someone hijacking an IP address and attempting to steal passwords. Both Telnet and SSH are configured and accessible on the unit by default. It is recommended, especially if you or your staff may be accessing the system from outside your local network, that you use an SSH client to connect.

Connecting via Telnet

From a standard unix system you can access the system remotely via telnet with the command:
# telnet a.b.c.d
where a.b.c.d is the address to use. If successful, you should see a login prompt. Again, you cannot log in as "root" when accessing the system from a network, so you should log in using "admin" with the appropriate password. Then you can use the "su" program to change to super-user ("root" is super-user by default) as follows:
$ su -
password: saturn5
ET/R2816#
Don't forget the "-" option, which allows you to inherit the root user's paths, so the system and BWMGR programs can be run without using full pathnames.

Connecting via SSH

To access the system via ssh, enter a command similar to the following:
# ssh admin@a.b.c.d

Changing Passwords

When you run bwmgr_setup, you are changing the admin, root and GUI admin password to the same value. This may or may not be what you want. You can change these independently from the command line.
To Change the Root or Admin Password:
# passwd root
# passwd admin
To Change the GUI Password
# bwmgr guipassword NEWPASSWORD

Setting the Time Zone, Time & Date

Making sure the time zone is set correctly is crucial for users who are interested in storing statistics for rules. By default the time zone is set to US/Eastern, which may not be correct for your location. The time zone must be set both for the OS, and for PHP. The time zone should be set before changing the current system time & date.

Setting the OS Time and Time Zone

You can use the unix tzsetup(8) and date(1) commands, if you are familiar with those, or you may use the ET/Admin GUI to set it as follows:

Click on SysAdmin at the top of the ET/BWMGR GUI to access ET/Admin
Log in as admin with the default system password you entered during system configuration
Hover over Hardware, click on System Time, then click on the Change timezone tab. Select the correct local time zone from the list and click Apply.
Next, click on Set time, enter the correct date and time for your location, and click Apply.

Setting the PHP Time Zone

Add an entry to /usr/local/lib/php.ini, using the time zone that you configured using tzsetup. Here are some examples:

date.timezone="America/New_York"
date.timezone="Africa/Dar_es_Salaam"
date.timezone="Asia/Dhaka"

You can see the available system time zones by running this command:
# find /usr/share/zoneinfo
This will return a list of available time zones in the REGION/LOCALE format used by PHP's time zone setting.

Note that php.ini is part of the upgrade distribution, but it rarely changes. You can exclude php.ini from being upgraded by adding it to /usr/local/www/bwmgr/upgrader_excludes.

Securing the System

Once you have the machine configured, it's a good idea to restrict access to server ports, such as Telnet, SSH, and the ET/BWMGR and ET/Admin GUI.

System Backups

Setting up the Hard Drive Backup System

On appliances with two or more drive bays, the additional drives can be used for backups. Looking at the front of the case, the main disk is always installed in the left-most drive bay, and the first backup disk immediately to the right. Disks are numbered from left to right. On a newly purchased appliance, any backup disks will have a copy of the main disk as it was shipped. The backup task is not enabled by default on new appliances. You must enable the scheduled task that backs up the contents of the main disk to the backup disk(s).

Enabling/Configuring the Hard Drive Backup

To enable automatic backups, edit /etc/crontab to include a line that runs diskutil. On current systems running FreeBSD 9.1, the first backup disk will be named "ada1".
/usr/local/bin/diskutil backup ada1 full
The entry may also read
diskutil backup DISK full
in which case you should change DISK to the name of your second drive, which is typically named ada1. You can double-check this with the diskutil list command:
# diskutil list
ada0 (Root): [152627 MB] WDC WD1600AAJS-08B4A0/01.03A01> Serial ATA II
ada1 [152627 MB] WDC WD1600AAJS-00YZCA0/01.03B01> Serial ATA II
To change the status or configure the time(s) at which the backup occurs, edit /etc/crontab.
To enable the backup, remove the hash mark (the comment indicator) at the beginning of the line. The first 2 entries are minutes and hours. So the setting above would enable a backup at 2:10 AM. It's a good idea to check the first time to make sure it works. Just mount the backup disk and look at a log file like /var/log/messages to see when the update occurred.
The backup utility will not run until the corresponding job is enabled.
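One way to confirm that the backup job is really enabled, added here as an example and not part of the vendor manual: the script reads a crontab, finds the diskutil backup entries, and reports whether each is commented out, still carries the DISK placeholder, and when it runs. The function names and the sample crontab are constructed for the illustration; on an appliance you would run backup_job_status /etc/crontab.

```shell
#!/bin/sh
# Added example (not vendor code): report the state of diskutil backup jobs in
# a crontab read from the file arguments or, with no arguments, from stdin.
# Output per job: "<enabled|disabled|unconfigured> <HH:MM|custom> <disk>"
backup_job_status() {
    awk '
    /diskutil[ \t]+backup[ \t]/ {
        line = $0
        state = "enabled"
        if (line ~ /^[ \t]*#/) {            # commented out: cron ignores it
            state = "disabled"
            sub(/^[ \t]*#+/, "", line)
        }
        sub(/^[ \t]+/, "", line)
        n = split(line, f, /[ \t]+/)
        disk = ""
        for (i = 2; i < n; i++)
            if (f[i] == "backup" && f[i-1] ~ /diskutil$/) disk = f[i+1]
        # The unedited template entry still carries the literal word DISK.
        if (state == "enabled" && disk == "DISK") state = "unconfigured"
        # /etc/crontab fields: minute hour mday month wday who command
        when = "custom"
        if (f[1] ~ /^[0-9]+$/ && f[2] ~ /^[0-9]+$/)
            when = sprintf("%02d:%02d", f[2], f[1])
        print state, when, disk
    }' "$@"
}

# Succeeds only if at least one backup job is active and names a real disk.
backup_is_enabled() {
    backup_job_status "$@" | grep -q '^enabled '
}

# Constructed sample in /etc/crontab layout; the "10 2" entry corresponds to
# the 2:10 AM schedule the manual describes.
sample_crontab() {
    cat <<'EOF'
#minute hour mday month wday who command
1 3 * * * root periodic daily
#10 2 * * * root /usr/local/bin/diskutil backup ada1 full
30 4 * * * root diskutil backup DISK full
EOF
}

sample_crontab | backup_job_status
sample_crontab | backup_is_enabled || echo "no active backup job"
```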

Preparing a new Backup Disk

Appliances are shipped with a working mirror backup drive. To prepare a new drive:
diskutil ada1 build
diskutil ada1 backup
bwmgr_license register-backup
bwmgr_license check-backup

What to do if your main Hard Drive Fails

If your main disk fails, then you can switch to a backup disk.
  • Halt and power-down the appliance, if it is not already powered off.
  • Remove the main drive. Appliances will typically have a button-and-lever release on the front of the drive bay that will allow the drive to be removed. First press the button, and the lever should be released. Unfold the lever before sliding the drive out.
  • Remove the spare drive, using the same procedure.
  • Insert the spare drive into the primary drive bay, using the lever to lock it into place.
  • Boot the appliance.

Initializing a new backup hard drive

If you have an older appliance that has IDE disks, then you must power off the appliance before installing the replacement drive. SATA drives, with the exception of the Root drive, can be installed while the appliance is running. Once you have installed the backup drive, run the following command as the "root" user, using the target disk name. Run "diskutil list" to show the available drives if you are unsure which disk name to use. Our example shows the typical name "ada1".
# diskutil list
ada0 (Root): [152627 MB] WDC WD1600AAJS-08B4A0/01.03A01> Serial ATA II
ada1 [152627 MB] WDC WD1600AAJS-00YZCA0/01.03B01> Serial ATA II
# diskutil build ada1
This will partition and format the backup disk.

Backing up your Database

If you don't have a dual disk system, it's prudent to back up your database. Database crashes are a common occurrence.

Using Bypass/Failover Cards

Almost all appliances sold by Emerging Technologies have a hardware bypass (AKA Failover) card installed. During normal system operation, when the unit is powered on, has booted successfully, and the ET/BWMGR has started, the Failover ports act as normal network ports. If the system loses power or crashes, the ports will enter bypass mode, in which the ports are connected physically as with a cross-over coupler. This will enable traffic to pass unrestricted through the failover ports.
You can also manually take the system offline to do maintenance, using the ET/BWMGR GUI. Click on the "Bypass" tab, and click on Close, which will bypass the failover ports. It is also recommended you take the unit offline in this manner before performing system upgrades.
Appliances are shipped with the bypass function disabled; the system should be set up with bypass closed. Traffic should pass with the system powered down and with the system powered up and the bypass closed. When setting up the system, you can open the bypass manually in the GUI and the links should come up; if bridges are set up, traffic should pass. You need to test that the connection re-establishes when you close the bypass; when the bypass is closed, the two switches or routers connected to the BWMGR have to re-establish a link. The bypass hardware does add quite a bit of capacitance to the line (likely out of spec), so you have to make sure you have switches and wires that will work. Sometimes a long or poor quality wire will not be able to connect when the bypass card is in the circuit.

Enabling the bypassd daemon

Systems are shipped with the bypass daemon disabled to give you an opportunity to set up the system. The bypass daemon is started in /etc/rc.local. When you're ready to put the system into production, you'll need to uncomment the line that enables it.
# Open the bypass ports and start the watchdog
#/usr/bwmgr/utils/bypassd
Remove the # before the line with bypassd so that the daemon is run at boot. To run the daemon from the command line, simply run it.
# bypassd
You should hear the relays click (if you're near the system) and the bypass ports should "open".

Other Appliance Functions

Enabling SNMP

To enable SNMP, you must enable the daemon in your /etc/rc.conf startup configuration:
bsnmpd_enable="YES"
bsnmpd_flags=""
To verify that it's running, use the bsnmpwalk command:
serverA# bsnmpwalk
sysDescr.0 = etserver 1657590134 FreeBSD 9.1-RELEASE
sysObjectId.0 = begemotSnmpdAgentFreeBSD
sysUpTime.0 = 537
sysContact.0 = sysmeister@example.com
sysName.0 =serverA
sysLocation.0 = Room 200
sysServices.0 = 76
sysORLastChange.0 = 4
sysORID[1] = begemotSnmpdTransUdp
sysORID[2] = begemotSnmpdTransLsock
sysORID[3] = snmpMIB
...
It should dump the entire default MIB to the screen. For detailed information about configuring snmpd, please see the online manual.

Bandwidth Reports

Creating the "bwdata" table

Before you can use Bandwidth Reports, you must enable a secondary storage of stats information in the MySQL database. This allows for quick access to the required data for the applications that need it. You can create the necessary tables using the buildbwdata command, or by setting the value of Enable BWdata to "1" in the Settings tab of the GUI.

Enabling bwdata storage

There are two ways to store data in bwdata. The first way is to run buildbwdata at intervals, for example, once every hour. This is very efficient, but the reports will lag up to 1 hour behind actual usage. This can be done by enabling a scheduled task in "cron". The second way is to enable storing of stats every time the stats are updated (every 5 minutes). Visit the "Settings" tab in the ET/BWMGR GUI, turn on the "Enable BWdata" setting, then click on "Save Settings".

Using SSL Encryption with the graphical interface:

If you are using a browser that supports secure connections via SSL, then you may wish to enable SSL in the web interface. Click on the "Admin" tab, then select the "Admin Configuration" icon. Select the "SSL Encryption" icon. Check the top box to enable SSL encryption, then click "save". You may have to log in to the ET/ADMIN again. Your browser may also pop up several notices about expired certificates. Accept the certificates and continue. Much like SSH, SSL encrypts the web traffic generated by the ET/ADMIN interface, including initial password authentication, and is recommended for all remote access. Please note that when connecting directly to the ET/ADMIN interface with SSL enabled, you must use the URI scheme "https://host.name:10000". Using the "http://" prefix (or no prefix) will not connect properly.

Checking System Processes:

You can see a list of the active processes running on the system by connecting to the ET/ADMIN interface, selecting "System Functions," and then "Running Processes."

Rebooting the System

From the ET/ADMIN main menu, select the "Admin" tab, then the "Bootup and Shutdown" icon. Clicking on "Shutdown" will halt the machine. Booting the machine after halting requires either a hard reset or "ctrl-alt-delete" from a keyboard. Clicking on "Reboot" will restart the machine. Both options will prompt for confirmation before actually bringing the system down.

Post-Configuration Security

Once you have your system configured and running in a stable manner, there are a few simple steps you can and should take to ensure that only authorized users can access the system. These appliances are not meant to be accessible by the internet at large, except in specific cases (for example, those users running a web server and/or allowing their customers to view graphs). The examples below assume the bandwidth manager has an address of 192.168.1.110, and the machines allowed to connect are in the subnet 192.168.0/24 (netmask of 255.255.255.224).
* Create firewall rule(s) that enable only your local net, or individual machines, access to your system. This rule should be created on the outside interface.
# bwmgr em2 -x 1000 -name IntAllow -fw -ipprot tcpconnect -saddr 192.168.1.0 -saddrmsk 255.255.255.224 -daddr 192.168.1.110
* On your external (outside) interface, create a firewall rule that denies ALL access to the IP address of your system. Or, if you are using the Failover hardware, create this rule on the administrative port. Leave room in your ruleset to create specific allow rules if you have an employee who needs to work on the machine remotely, or to allow traffic to a specific port (80) in the event that you allow your customers to view their graphs.
# bwmgr fxp0 -x 1500 -name DenyAll -fw -ipprot tcpconnect -daddr 207.252.1.110 -priority FW-Deny
* Change the default passwords for admin, root, and the "admin" user in the ET/Admin GUI. This is less of a priority if you've already blocked external access to the machine, but it is still a good thing to do. If, for some reason, you do not block access to the bandwidth manager appliance, changing the passwords is an absolute requirement.
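A check of what the IntAllow rule above actually admits, added here as an example and not part of the vendor manual: the netmask 255.255.255.224 spans 32 addresses (a /27), so the script prints the exact source range and tests client addresses against it. It assumes bwmgr compares the masked source address with the masked -saddr value; the function names and the client addresses are made up for the illustration.

```shell
# Added example (not vendor code). Assumes a rule admits a source address when
# (source AND -saddrmsk) equals (-saddr AND -saddrmsk).

# Dotted quad -> 32-bit integer; fails on malformed input.
ip2int() (
    set -f; IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|0?*) exit 1 ;; esac
        [ "$o" -le 255 ] || exit 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask -> prefix length; fails if the mask bits are not contiguous.
mask2prefix() (
    m=$(ip2int "$1") || exit 1
    inv=$(( ~$m & 4294967295 ))
    [ $(( $inv & ($inv + 1) )) -eq 0 ] || exit 1   # inverted mask must be 2^k - 1
    n=0
    while [ "$inv" -ne 0 ]; do inv=$(( $inv >> 1 )); n=$(( $n + 1 )); done
    echo $(( 32 - $n ))
)

# Print the word that follows flag $2 in rule text $1.
rule_field() (
    set -f; flag=$2; set -- $1
    while [ $# -gt 1 ]; do
        if [ "$1" = "$flag" ]; then echo "$2"; exit 0; fi
        shift
    done
    exit 1
)

# "network/prefix first-last" for the rule's -saddr/-saddrmsk pair.
rule_range() (
    mask=$(rule_field "$1" -saddrmsk) || exit 2
    s=$(ip2int "$(rule_field "$1" -saddr)") || exit 2
    m=$(ip2int "$mask") || exit 2
    p=$(mask2prefix "$mask") || exit 2
    net=$(( $s & $m )); last=$(( $net | (~$m & 4294967295) ))
    echo "$(int2ip "$net")/$p $(int2ip "$net")-$(int2ip "$last")"
)

# Succeeds if client address $2 falls inside the rule's source range.
rule_allows() (
    s=$(ip2int "$(rule_field "$1" -saddr)") || exit 2
    m=$(ip2int "$(rule_field "$1" -saddrmsk)") || exit 2
    c=$(ip2int "$2") || exit 2
    [ $(( $c & $m )) -eq $(( $s & $m )) ]
)

# The IntAllow rule exactly as written on this page.
RULE='bwmgr em2 -x 1000 -name IntAllow -fw -ipprot tcpconnect -saddr 192.168.1.0 -saddrmsk 255.255.255.224 -daddr 192.168.1.110'
echo "IntAllow source range: $(rule_range "$RULE")"
# 192.168.1.200 is a constructed client address.
rule_allows "$RULE" 192.168.1.200 || echo "192.168.1.200 is outside the rule"
```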

Repairing a database

See Troubleshooting

Using the Demo/Installation USB Flash Drive

The USB Appliance Demo image allows you to boot your system and perform various functions, including repairing a hard drive crash, restoring files and even upgrading the base operating system on your drive. In the event of a physical drive failure, it can be used to rebuild a system using a blank hard drive, and load it with the latest release. Re-installing from the USB Demo requires an active auto-update subscription. If you received a USB stick with your appliance, it has a factory-fresh installation on it, ready for recovery. If you are using a new stick, or you wish to update the software on the existing stick, you can run a backup to the stick.
The first time you use a device, you will need to use the build command to create and format the required filesystems. If your device was previously used as a USB Demo, then you will want to run build, as the Demo image is artificially limited to 2GB, and running build will ensure full use of the device.
# diskutil da0 build
Back up the appliance to the USB device:
# diskutil install da0
A 2GB or higher capacity stick is needed for use in this fashion, and a 4GB+ may be required for full backups on some systems with a large number of stats-enabled rules.

Support

Support is available by creating a support ticket on the Emerging Technologies web site. When you create your ticket, please try to explain your problem in detail so that we can help you without having to ask you for more info. When sending files, please cut and paste them into the ticket rather than sending attachments. Support is generally available between 10am and 6pm M-F. Tickets are usually answered over the weekends whenever possible.

Troubleshooting

See the latest Troubleshooting Documentation.

Further Reading

Once you have the basic configuration of networking and bridging set up, and have connected the bridged ports to your network, you will want to read the more advanced manuals. A good starting point is the Manuals section of the web site, in particular the ET/BWMGR V5.0 User Guide, which provides an overview of how the ET/BWMGR operates, and the ET/BWMGR V5.0 CLI Manual, which shows all of the command-line options.