VPN Router ECR-LW300
- 4G/LTE, 2G/GPRS/EDGE
- Dual SIM
- 2x Ethernet and 2x2 digital I/Os
- WiFi access point and client
- 1x serial RS232 and 1x serial RS485
- Flexible mounting
- Sleep mode for energy self-sufficient applications
All-purpose with universal mounting options
The routers of the ECR series provide all important interfaces for realising extensive applications from remote services to IIoT. Both, the LAN and the LTE variant provide Wi-Fi for an operation as access point for local connection or as client for integration into an IT infrastructure. The LTE version offers cellular redundancy via dual SIM and fall-back to HSPA and GSM. The ECR is also suitable for an easy retrofit of existing plants due to its interfaces RS232 and RS485. The integrated digital I/Os extend the range of applications additionally. This VPN router can be mounted universally like the SCR and suitable for both, switch cabinets and small distribution boxes.
The icom SmartBox, an integrated Linux environment that enables to execute scripts and programs directly on the router, is also included besides the INSYS operating system icom OS.
With this, an ECR router can not only be used for secure remote maintenance and control, but also for acquiring and processing application data within the scope of edge computing. Amongst other things, this permits to monitor the conditions and values of connected devices as well as realise applications like reporting or benchmarking across different plants thanks to a plug & play connection to cloud services.
You do not want to set up your router yourself for our DELTA LOGIC Connectivity Service? No problem. We will gladly configure your new router for you. Just send us the completed form for the router configuration with the order.
| Cellular communication | |
| Frequency bands1, data rates | 4G/LTE: 1 (2100 MHz), 2 (1900 MHz), 3 (1800 MHz), 4 (2100/1700 MHz, AWS), 5 (850 MHz), 7 (2600 MHz), 8 (900 MHz), 20 (800 MHz), 28 (700 MHz), 38 (2600 MHz),
40 (2300 MHz), 41 (2500 MHz), 66 (2100/1700 MHz, AWS 4), LTE Cat 1 (DL: max. 10,2 Mbit/s, UL: max. 5,2 Mbit/s) 2G/GPRS/EDGE: 850, 900, 1800, 1900 MHz; GPRS/EDGE Class 12 (DL: max. 85,6 kbit/s, UL: max. 85,6 kbit/s) |
| Antenna connection | 1 x SMA female |
| SIM | 2x SIM: 2 slots for Mini-SIM cards (2FF), locked; automatic failover; Further provider redundancy using multi-roaming SIM cards |
| Dual APN | Splitting of cellular data traffic over 2 APNs (with 2 SIM cards) , e.g. separation of user and management data |
| Cellular Status | Signal field strength, RSSI, RSCP / Ec/No, RSRP / RSRQ, Cell-ID, Location-ID |
| Wi-Fi | |
| Standard | IEEE 802.11 b/g/n |
| Frequency, transmission power | 2,4 GHz, max. 100 mW |
| WLAN (Wi-Fi) modes | WLAN (Wi-Fi) Station (Client) or WLAN (Wi-Fi) Access Point with up to 10 stations simultaneously |
| Security | WPA/WPA2 (AES, TKIP), 802.1x (EAP: TLS, TTLS, PEAP) |
| Antenna connection | Reverse SMA male |
| Hardware interfaces | |
| Ethernet ports | 2 x RJ45 shielded, 10/100 Mbit/s, full/half-duplex, auto MDI-X, 1.5 kV isolation voltage |
| Ethernet function | Assignment to IP network freely configurable per port, link up/down detection |
| I/Os | 2 digital inputs, high-active (as per EN 61131-2, Type 1) 2 open drain outputs (24 V/100 mA) |
| RS232 (serial1) | 1 x RS232 / D-Sub-9 (m) |
| RS485 (serial2) | Push-in terminal connector (D+, D-, GND) |
| Functions of serial interface | Serial-Ethernet gateway (incoming and outgoing connections, Modbus TCP/RTU gateway, modem emulation, editable AT answer list, phone number conversion to IP addresses) |
| Signal LEDs | Power, WAN (Internet connection), Signal (Cellular communication) |
| Network | |
| Network functions | 100 local IP networks, IP static/DHCP, TCP, UDP, IPv4, IPv6, NTP, DHCP, DNS, HTTP/S, ARP, SSH, 802.1Q VLAN incl. tags and trunk ports |
| Service | DHCP Server v4/v6 per IP network, DHCP relay, NTP server, DNS, DynDNS, IPv6 Router Advertiser |
| Routing | Static routing, routing priority, RSTP, dynamic routing (OSPF, BGP, RIPv1, RIPv2, RIPng) |
| WAN redundancy/failover | Several WAN connections configurable also in parallel operation, fallback level for connection breakdown (failover), event-based WAN changeover (see events) |
| Connection check | Periodic, ping/icmp, DNS request, link up/down |
| DSL | PPPoE for external DSL modems |
| NAT/PAT | SNAT/DNAT (masquerade, netmapping, port forwarding, IP forwarding) unlimited number of rules |
| VPN | |
| DELTA LOGIC Connectivity Service | Supports VPN service for remote maintenance, remote access and M2M-communication |
| OpenVPN | Client/Server, several parallel tunnels, server with up to 20 clients, tls-auth/tls-crypt, dead peer detection (DPD) |
| OpenVPN encryption | DES EDE 128, DES EDE3 192, AES 128-256 CBC/GCM, SHA 256-512 |
| IPsec | IKEv1, IKEv2 (automatic, fix), several parallel tunnels, pre-shared keys, certificates, tunnel mode, transport mode, dead peer detection (DPD) |
| IPsec encryption | DES EDE3 192, AES 128-256 CBC/GCM, SHA 256-512 DH-Group 1-31 (Diffie-Hellman 768 - 25519), ChaCha20-Poly1305 |
| GRE | GRE via IPsec, point-to-point, multipoint |
| PPTP | PPTP client/server; PAP/CHAP/MS CHAP/MS CHAP V2; MPPE 40-128 |
| Dynamic VPN | Dynamic multipoint VPN (GRE, IPsec, NHRP, EIGRP, OSPF, RIPv1/v2, BGP) |
| IT security | |
| Authentication | Pre-shared key, X.509 certificates, RADIUS, access rights (read, write, status) |
| Firewall/netfilter | IP filters (stateful firewall) also in VPN tunnel; packet filter: TCP, UDP, ICMP, ESP, AP, GRE; MAC filter; pre-defined firewall rules can be activated |
| Security | Booting signed firmware, HTTP/HTTPS attack prevention; response upon events: configuration change, link up/down, restart, login attempt, netfilter violation, password hashing |
| IoT and Cloud (icom Data Suite, license required) | |
| Function icom Data Suite | Machine connection and data processing; connection to cloud and SCADA Systems; arithmetic & logic functions; data logger; dashboard |
| Data acquisition | CODESYS, Modbus TCP/RTU, MQTT, Siemens S7, OPC UA Client, IEC 60870-5-101, digital input, analog input |
| Data transmission | MQTT, OPC UA Server, IEC 60870-5-104, Modbus TCP/RTU, e-mail, SMS, SFTP, digital input, analog input |
| IoT platforms | MQTT compatibility: Thingsboard, Cumulocity, AnyViz, Azure IoT Hub, Bosch IoT Suite, AWS IoT Core |
| Events & Actions | |
| Event & Action Handler | Notification, alarming, diagnosis, attack detection, fault handling, operation and commissioning logic |
| Events/alarms (selection) | Change: digital input, Ethernet port, WAN chain, profile status, cellular field strength; timer expired, firewall violation, login attempt detection, pulse sequence on digital input, counter, netfilter rule |
| Event-triggered (selection) | Messages via e-mail, SMS (only LTE variants), SNMP traps, MCIP; switch profile, switch connection, change modem state, start timer, switch output or pulse sequence, activate firmware, reset, restart container |
| Programming environment/scripting | |
| Container environment | Installation of several application containers, container with own IP end point, assignment to IP networks - full firewall and routing transparency; access control, SDK available |
| Container Ressources | CPU: 50% of ARMv7 (600 MHz), RAM: 448 MB, Flash: 1 GB eMMC |
| Lua scripting | Lua interpreter for own scripts |
| Monitoring and Management | |
| Monitoring | SNMP traps and agent, configurable system logs, remote syslog, link up/down detection, netfilter violation |
| Certificate management | EST, CRL |
| Administration | |
| Configuration | Web Interface HTTP(S) with session management, command line interface (CLI), Telnet, SSH, configuration profiles as ASCII and binary file, ample configuration profiles event-triggered, REST API |
| Diagnosis tools | ping/icmp, tcpdump, traceroute, DNS Lookup, AT commands, port mirroring |
| FW update | Incremental, failsafe, update server (HTTP, FTP, HTTPS, FTPS) |
| System time | NTP client and server |
| Help | Web interface: inline help, online help; example profiles, plausibility check, Configuration Guides |
| Supply | |
| Voltage | 12 ... 24 V DC (± 20% 9,6-28,8 V), reverse-polarity protected |
| Terminals | 2-pin terminal connectors, rigid/flexible conductors up to 1,5 mm2 |
| Power consumption | typical approx. 3.0 W, max. 7.0 W Sleep mode: typical approx. 65 mW |
| Sleep mode | Sleep mode: Energy conservation mode with event-triggered activation, stopping via timer, reset, re-establishing supply or state change of digital input |
| Ambient conditions | |
| Dimensions (WxHxD) | 42 x 95 x 105 mm |
| Weight | 290 g |
| Mounting | DIN rail mounting and wall mounting horizontal pitch (HP) on DIN rail: 2.5 units (control cabinet) or 6 units (small distributor) |
| Operating temperature | -30...+70 °C +65...+70 °C extended temperature range (refer to www.insys-icom.com/en/extended-temperature-range/) |
| Humidity | 0...95% (non-condensing) |
| Protection class | Housing: IP40 |
| Approvals & Standards | |
| Certifications | CE, UKCA |
| EMV | Emission: EN 55032 Class B, EN 61000-6-3; Immunity: EN 55035 (ersetzt EN 55024), EN 61000-6-2 |
| Safety | IEC/EN 62368-1 |
| Environmental conditions | Tests Vibration and mechanic shock as per DIN EN 61131-2 und EN 60068-2-6, EN 60068-2-27; Temperature tests as per EN 60068-2-1, EN 60068-2-2, EN 60068-2-14, EN 60068-2-30 |
| Operation time | MTBF > 770.000 h (25 °C), as per Standard SN 29500 (according to IEC 61709) |
Above specified frequencies are currently used in Europe, Middle East, Africa and, to some extent, in the Asia-Pacific region and South America.
| Data sheet ECR series | ||
| Data_sheet_ECR.pdf | 735 KB | December 19, 2024 |
| Manual ECR | ||
| Manual_ECR.pdf | 1.45 MB | December 19, 2024 |
| Quick Installation Guide Router | ||
| QIG_Router_en.pdf | 1.46 MB | December 12, 2023 |
| DELTA LOGIC Connectivity Service First Steps | ||
| DLCS_First_Steps.pdf | 122 KB | January 08, 2024 |
General
I cannot reach my device via the IP 192.168.1.1.
Have you already tried https://192.168.1.1? The HTTP connection was deactivated by default with firmware version 4.4. Your device should be available via an HTTPS connection.
My device shows that LTE is online, but I have no Internet access.
If you have configured your device, set all firewall rules and no other settings are missing, make sure that you have entered the correct access point name under Interfaces/LTE.
I need to enter the SIM PUK. Where do I have to enter the PUK?
In the new UI under Administration/Debugging, in the classic UI under Help/Debugging. Please select AT command as the tool and enter your PUK and the new PIN in the following format:
AT+CPIN="PUK","NEW PIN"
Here is an example of what this could look like:
AT+CPIN="12345678","0000"
How can I create a support package?
New UI: In the menu under Status/Support package/Create support package
Classic UI: in the menu under Help/Support/Create new support package
I cannot connect to my Siemens HMI panel (KTP1500 Comfort, KTP600 Basic,... ) via VPN in the TIA Portal. Why?
1. With HMI panels only "Advanced online loading" can be used in the TIA Portal, "Advanced online connect" is basically not possible.
2. "PG/PC interface" TAP-Windows Adapter..." must be selected as interface.
3. With some HMI panels (KTP600 Basic) the "PN/IE interface" cannot be used, in these cases the "Ethernet interface" has to be used.
4. For some HMI panels (e.g. TP700 Comfort), the "Display all compatible stations" option must not be active.
OpenVPN
Where can I download the latest Open VPN client?
You can find it here: https://openvpn.net/index.php/open-source/downloads.html
My OpenVPN connection is not going online. I get the error message “UDP link local: (not bound)” ... “Inactivity timeout (-ping-restart), restarting”.
Your firewall is blocking the connection. Make sure that the connection to the VPN server via the required port is not blocked.
My OpenVPN connection is not going online. I receive the error message “Certificate not yet valid”.
This means that the date of your device is set incorrectly. Your certificate is literally not yet valid because your device time is in the past. You can set the correct date and time via Administration/Time.
My OpenVPN connection is not going online. I get the error message “TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)”.
Explanation: There is no response from the server to the client connection within 60 seconds (see timestamp of the marked entries). This results in a timeout. This can have several causes.
This is one of the most common cases. The most common cause is then point 3.
1. Incorrect destination address or destination port in the VPN client: Check whether the correct address of the VPN server and the correct port are set here.
2. No Internet connection: Check whether VPN servers or other services are pingable on the Internet.
3. Firewall blocks the connection establishment: Make sure that the connection establishment via the required port to the VPN server is not blocked.
I see the message “temporary failure in name resolution” in the OpenVPN logs. What does this mean?
This generally means a DNS error. Make sure that the DNS settings of your Insys device are correct and that DNS queries are allowed.
When I start OpenVPN, I get a blue screen error.
This behavior is possibly caused by the TIA Portal from Siemens, which is also responsible for support in this case. DELTA LOGIC has no influence here. However, experience has shown that it can help to switch off the SIMATIC Industrial Ethernet ISO protocol on the OpenVPN network adapter.
Accessory Items
