VPN Router MRX3-LAN
Modular VPN router suitable for every application
- Full-modular in widths 3 and 5, variants for LAN, LTE and DSL
- Flexible expandability through plug-in cards
- Universal WAN technologies (LTE/DSL/LAN/fiber - also combined as failover)
- Extensive routing functions
- IT security at KRITIS level
- IoT-ready
- Quick start for DELTA LOGIC Connectivity Service
Fully modular industrial router for optimal coupling of your networks.
Wide range of applications
The two housing widths
Two housing widths are available for the MRX series
- MRX3: Here you have 3 slots at your disposal, two of which are defined by the selected base variant. In the third slot you can insert any other module (MRXcard)
- MRX5: Here you have 5 slots at your disposal, two of which are defined by the respective selected basic variant. Any other modules (MRXcard) can be inserted into the other three slots.
The four basic variants
The MRX series is available in four basic variants, each with different basic equipment.
- The basic variant MRX LAN consists of an Ethernet module with five LAN ports, as well as a power module for power supply and with 2 digital inputs. The five LAN ports can be divided into up to five IP networks.
- The basic variant MRX LTE consists of an Ethernet module with five LAN ports, as well as a LTE module with integrated power supply and 2 digital inputs. The five LAN ports can be divided into up to five IP networks. The world variant supports a greater variety of cellular frequencies.
- The basic variant MRX Fiber consists of an Ethernet module with five LAN ports, as well as a SFP/Fiber module with integrated power supply and 2 digital inputs. The five LAN ports can be divided into up to five IP networks.
- The basic variant MRX DSL consists of an Ethernet module with five LAN ports, as well as a DSL module with integrated power supply and 2 digital inputs. The five LAN ports can be divided into up to five IP networks. MRX-DSL is available for DSL-Annex A and for DSL-Annex B.
Note: ADSL connections in Germany are usually operated in the Annex B variant. You can obtain precise information on the Vairante used (Annex A or Annex B) from your provider of the connection. This applies especially to connections outside Germany.
Various expansion options
If the possibilities of the respective basic modules are not sufficient for you, you can extend your MRX at any time by different further modules, so-called MRXcards. More detailed information about the available modules can be found in the category Apps & Acessories.
Convincing and versatile
Technical highlights
- Segmentation into several local IP networks
- Multiple VPN tunnels can be used in parallel
- Firewall in the tunnel (e.g. demarcation of remote accesses)
- Flexible administration with profile manager
- Access management via user roles
- Advanced event-based control (e.g. profiles, connections, redundancy)
- High performance for broadband networks and high VPN data rate
- Made in Germany
Cellular communication (MRX LTE) | |
Frequency bands, data rates (LTE world) | 4G/LTE: 1 (2100 MHz), 2 (1900 MHz), 3 (1800 MHz), 4 (2100/1700 MHz, AWS), 5 (850 MHz), 7 (2600 MHz), 8 (900 MHz), 12 (700 MHz), 13 (700 MHz), 14 (700 MHz), 18 (850 MHz), 19 (850 MHz), 20 (800 MHz), 25 (1900 MHz), 26 (850 MHz), 28 (700 MHz), 38 (2600 MHz), 40 (2300 MHz), 41 (2500 MHz), 66 (2100 MHz), 71 (600 MHz) LTE Cat 4 (DL: 150 Mbit/s, UL: 50 Mbit/s) 3G/UMTS/HSPA: 1 (2100 MHz), 2 (1900 MHz), 3 (1800 MHz), 4 (2100/1700 MHz AWS), 5 (850 MHz), 6 (800 MHz), 8 (900 MHz), 19 (850 MHz) HSPA+, HSUPA (DL: max. 21 Mbit/s, UL: max. 5,7 Mbit/s) 2G/GPRS/EDGE: 850, 900, 1800, 1900 MHz; GPRS/EDGE class 12 (DL/UL: max. 237 kbit/s) |
Frequency bands, data rates (LTE Standard/EMEA) | 4G/LTE: 1 (2100 MHz), 3 (1800 MHz), 7 (2600 MHz), 8 (900 MHz), 20 (800 MHz) LTE Cat 3 (DL: 100 Mbit/s, UL: 50 Mbit/s) 3G/UMTS/HSPA: 1 (2100 MHz), 3 (1800 MHz), 8 (900 MHz) HSPA+, HSUPA (DL: max. 42 Mbit/s, UL: max. 5,7 Mbit/s) 2G/GPRS/EDGE: 900, 1800 MHz; GPRS/EDGE class 12 (DL/UL: max. 237 kbit/s) |
Antenna connection | 2x SMA female (Main antenna, optional external antenna MIMO) |
SIM | Slot for 1 Mini-SIM card (2FF), locked Further provider redundancy using multi-roaming SIM cards |
Dual APN | Splitting of cellular data traffic over 2 APNs (with 2 SIM cards) , e.g. separation of user and management data |
Cellular Status | Signal field strength, RSSI, RSCP / Ec/No, RSRP / RSRQ, cell ID, location ID |
VDSL/ADSL (MRX DSL) | |
DSL standards | MRX DSL-A (Annex A): - VDSL2 G.993.2 Profile 8b, 8c, 8d, 12a, 12b, 17a. 30a, VDSL2 Vectoring G.993.5 - ADSL/ADSL2/ADSL2+ G.992.1 Annex A, G.992.3. Annex A/L/M, G.992.5 Annex A und M, T1.413 MRX DSL-B (Annex B): - VDSL2 G.993.2 Profile 8a, 8b, 8c, 8d, 12a, 12b, 17a. 30a, VDSL2 Vectoring G.993.5 - ADSL/ADSL2/ADSL2+ G.992.1 Annex B, G.992.3. Annex B, G.992.5 Annex B und J |
DSL connection | RJ45 connector |
SFP/Fiberglass (MRX Fiber) | |
SFP ports | 2 x SFP cages for fibre optic transceiver modules according to SFP-MSA, 1000BASE-X, 100BASE-X |
Hardware interfaces | |
Ethernet ports | 5 x RJ45 shielded, 10/100 Mbit/s, Full/half duplex, Auto MDI-X, 1.5 kV isolation voltage |
Ethernet function | Assignment to IP network freely configurable per port, link up/down detection, configuration port |
Inputs | 2 digital inputs (available in all basic variants), status can be monitored: 1x low active (connection to GND) 1x high active (connection to 10...24 V DC, as per EN 61131-2, type 1) |
Displays (LEDs) | Power, WAN (Internet connection), Info (configurable), Signal (for cellular communication), DSL (for DSL), SFP1 / SFP2 (SFP status and activity, for MRX Fiber) |
Further interfaces | Optional addition of MRXcards (modular design) |
Network | |
Network functions | 100 local IP networks, IP static/DHCP, TCP, UDP, IPv4, IPv6, NTP, DHCP, DNS, HTTP/S, ARP, SSH, 802.1Q VLAN incl. tags and trunk ports |
Service | DHCP Server v4/v6 per IP network, DHCP relay, NTP server, DNS, DynDNS, IPv6 Router Advertiser |
Routing | Static routing, routing priority, RSTP, dynamic routing (OSPF, BGP, RIPv1, RIPv2, RIPng) |
WAN redundancy/failover | Several WAN connections configurable also in parallel operation, fallback level for connection breakdown (failover), event-based WAN changeover (see events) |
Connection check | Periodic, ping/icmp, DNS request, link up/down |
DSL | PPPoA and PPPoE (MRX3/5 DSL und MRcard PD-A/B); external DSL modems: PPPoE |
NAT/PAT | SNAT/DNAT (masquerade, netmapping, port forwarding, IP forwarding) unlimited number of rules |
VPN | |
DELTA LOGIC Connectivity Service | Supports VPN service for remote maintenance, remote access and M2M-communication |
OpenVPN | Client/Server, several parallel tunnels, server with up to 20 clients, tls-auth/tls-crypt, dead peer detection (DPD) |
OpenVPN encryption | DES EDE 128, DES EDE3 192, AES 128-256 CBC/GCM, SHA 256-512 |
IPsec | IKEv1, IKEv2 (automatic, fix), several parallel tunnels, pre-shared keys, certificates, tunnel mode, transport mode, dead peer detection (DPD) |
IPsec encryption | DES EDE3 192, AES 128-256 CBC/GCM, SHA 256-512 DH-Group 1-31 (Diffie-Hellman 768 - 25519), ChaCha20-Poly1305 |
GRE | GRE via IPsec, point-to-point, multipoint |
PPTP | PPTP client/server; PAP/CHAP/MS CHAP/MS CHAP V2; MPPE 40-128 |
Dynamic VPN | Dynamic multipoint VPN (GRE, IPsec, NHRP, EIGRP, OSPF, RIPv1/v2, BGP) |
IT security | |
Authentication | Pre-shared key, X.509 certificates, RADIUS, access rights (read, write, status) |
Firewall/netfilter | IP filters (stateful firewall) also in VPN tunnel; packet filter: TCP, UDP, ICMP, ESP, AP, GRE; MAC filter; pre-defined firewall rules can be activated |
Security | Booting signed firmware, HTTP/HTTPS attack prevention; response upon events: configuration change, link up/down, restart, login attempt, netfilter violation, password hashing |
IoT and Cloud (icom Data Suite, license required) | |
Function icom Data Suite | Machine connection and data processing; connection to cloud and SCADA Systems; arithmetic & logic functions; data logger; dashboard |
Data acquisition | CODESYS, Modbus TCP/RTU, MQTT, Siemens S7, OPC UA Client, IEC 60870-5-101, digital input, analog input (if present) |
Data transmission | MQTT, OPC UA Server, IEC 60870-5-104, Modbus TCP/RTU, e-mail, SMS, SFTP, digital input, analog input (if present) |
IoT platforms | MQTT compatibility: Thingsboard, Cumulocity, AnyViz, Azure IoT Hub, Bosch IoT Suite, AWS IoT Core |
Events & Actions | |
Event & Action Handler | Notification, alarming, diagnosis, attack detection, fault handling, operation and commissioning logic |
Events/alarms (selection) | Change: digital input, Ethernet port, WAN chain, profile status, supply input (with MRX), cellular field strength; timer expired, firewall violation, login attempt detection, pulse sequence on digital input, counter, netfilter rule |
Event-triggered (selection) | Messages via e-mail, SMS (only LTE variants), SNMP traps, MCIP; switch profile, switch connection, change modem state, start timer, switch output or pulse sequence, activate firmware, reset, restart container |
Programming environment/scripting | |
Container environment | Installation of several application containers, container with own IP end point, assignment to IP networks - full firewall and routing transparency; access control, SDK available |
Container Ressources | CPU: 50% of ARMv7 (720 MHz), RAM: 448 MB, Flash: 3 GB eMMC |
Lua scripting | Lua interpreter for own scripts |
Monitoring and Management | |
Monitoring | SNMP traps and agent, configurable system logs, remote syslog, link up/down detection, netfilter violation |
Certificate management | EST, CRL |
Administration | |
Configuration | Web Interface HTTP(S) with session management, command line interface (CLI), Telnet, SSH, configuration profiles as ASCII and binary file, ample configuration profiles event-triggered, REST API |
Diagnosis tools | ping/icmp, tcpdump, traceroute, DNS Lookup, AT commands, port mirroring |
FW update | Incremental, failsafe, update server (HTTP, FTP, HTTPS, FTPS) |
System time | NTP client and server, buffered real time clock |
Help | Web interface: inline help, online help; example profiles, plausibility check, Configuration Guides |
Supply | |
Voltage | 12 ... 24 V DC (± 20% 9,6-28,8 V), 2 supply connections with changeover detection, reverse-polarity protected |
Terminals | 5-pin push-in terminal connectors (maintenance free), rigid/flexible conductors up to 2,5 mm2 |
Power consumption (basic variants without further MRXcards) | MRX LAN: typical approx. 2.0 W, max. 3.5 W MRX DSL: typical approx. 6.5 W, max. 8.0 W MRX LTE/LTE450: typical approx. 2.5 W, max. 8.0 W MRX Fiber: typical approx. 5.5 W, max. 7.0 W (thereof typically approx. 4.5 W MRX Fiber + assumption approx. 0.5 W typically per SFP module) |
Ambient conditions | |
Dimensions (WxHxD) | MRX3: 82 x 117 x 88 mm MRX5: 136 x 117 x 88 mm |
Weight | MRX3 LAN: 305 g MRX3 LTE/LTE450/Fiber: 320 g MRX3 DSL: 330 g MRX5 LAN: 395 g MRX5 LTE/LTE450/Fiber: 410 g MRX5 DSL: 420 g |
Mounting | DIN rail mounting, Horizontal pitch (HP) on DIN rail: 5 HP (MRX3), 8 HP (MRX5)td> |
Operating temperature | -30...+75 °C (MRX LAN, MRX LTE, MRX LTE450) -25...+60 °C (MRX DSL) -25...+55 °C (MRX DSL in combination with MRXcard PD/PL/PL450/PLS/Fiber) -30...+65 °C (MRX Fiber) -30...+55 °C (MRX Fiber in combination with MRcard PD/PL/PL450/PLS/Fiber) |
Humidity | 0...95% (non-condensing) |
Protection class | Housing: IP40 |
Approvals & Standards | |
Certifications | All variants: CE, UKCA Additionally for MRX LAN 1.x, MRX Fiber 1.x and MRX LTE: FCC part 15 class B, IC |
EMV | Emission: EN 55032 Class B, EN 61000-6-3; immunity: EN 55035 (replaces EN 55024), EN 61000-6-2 |
Safety | IEC/EN 62368-1 |
Environmental conditions | Vibration/shock as per PLC standard EN 61131-2 and EN 60068-2-6, EN 60068-2-27; Temperature tests as per EN 60068-2-1, EN 60068-2-2, EN 60068-2-14, EN 60068-2-30 |
Operation time | MTBF > 880,000 h (25 °C), according to SN 29500 standard (according to IEC 61709) |
Data sheet MRX | ||
Data_sheet_MRX.pdf | 2.22 MB | December 19, 2024 |
Manual MRX | ||
Manual_MRX.pdf | 2.91 MB | December 19, 2024 |
Quick Installation Guide Router English | ||
QIG_Router_en.pdf | 1.46 MB | December 12, 2023 |
DELTA LOGIC Connectivity Service First Steps | ||
DLCS_First_Steps.pdf | 122 KB | January 08, 2024 |
I cannot connect to my Siemens HMI panel (KTP1500 Comfort, KTP600 Basic,... ) via VPN in the TIA Portal. Why?
1. With HMI panels only "Advanced online loading" can be used in the TIA Portal, "Advanced online connect" is basically not possible.
2. "PG/PC interface" TAP-Windows Adapter..." must be selected as interface.
3. With some HMI panels (KTP600 Basic) the "PN/IE interface" cannot be used, in these cases the "Ethernet interface" has to be used.
4. For some HMI panels (e.g. TP700 Comfort), the "Display all compatible stations" option must not be active.