VPN Router MRX2-LTES Standard
Industrial-grade VPN router with internal LTE modem
- 4G/LTE, 3G/UMTS/HSPA, GPRS/EDGE
- Five Ethernet ports, 2x digital inputs, 1x digital output, 1x serial RS232
- Extensive network functionality with multiple IP networks
- High IT security
- IoT-ready
Industrial VPN router with internal LTE modem
The all-in-one cellular LTE router MRX2 LTES has a high performance and latest technology in a compact housing.
- EMEA: with LTE frequencies for Europe, Middle East and Africa
- US: with LTE frequencies for North America
- World: with wide bandwidth support
The supported frequencies can be found in the product data sheet and in the Technical details tab of the respective variant.
Besides an internal LTE modem (LTE, HSPA, UMTS, GPRS, EDGE) provides the MRX2 LTES a 5-port switch and a serial interface (RS232). Completed is the equipment with two digital inputs, one digital output and an integrated Linux environment.
You do not want to set up your router yourself for our DELTA LOGIC Connectivity Service? No problem. We will gladly configure your new router for you. Just send us the completed form for the router configuration with the order.
| Cellular communication | |
| Frequency bands, data rates (world) | 4G/LTE: 1 (2100 MHz), 2 (1900 MHz), 3 (1800 MHz), 4 (2100/1700 MHz, AWS), 5 (850 MHz), 7 (2600 MHz), 8 (900 MHz), 12 (700 MHz), 13 (700 MHz), 14 (700 MHz), 18 (850 MHz), 19 (850 MHz), 20 (800 MHz), 25 (1900 MHz), 26 (850 MHz), 28 (700 MHz), 38 (2600 MHz), 40 (2300 MHz), 41 (2500 MHz), 66 (2100 MHz), 71 (600 MHz) LTE Cat 4 (DL: 150 Mbit/s, UL: 50 Mbit/s) 3G/UMTS/HSPA: 1 (2100 MHz), 2 (1900 MHz), 3 (1800 MHz), 4 (2100/1700 MHz AWS), 5 (850 MHz), 6 (800 MHz), 8 (900 MHz), 19 (850 MHz) HSPA+, HSUPA (DL: max. 21 Mbit/s, UL: max. 5,7 Mbit/s) 2G/GPRS/EDGE: 850, 900, 1800, 1900 MHz; GPRS/EDGE class 12 (DL/UL: max. 237 kbit/s) |
| Frequency bands, data rates (EMEA) 1 | 4G/LTE: 1 (2100 MHz), 3 (1800 MHz), 7 (2600 MHz), 8 (900 MHz), 20 (800 MHz) LTE Cat 3 (DL: 100 Mbit/s, UL: 50 Mbit/s) 3G/UMTS/HSPA: 1 (2100 MHz), 3 (1800 MHz), 8 (900 MHz) HSPA+, HSUPA (DL: max. 42 Mbit/s, UL: max. 5,7 Mbit/s) 2G/GPRS/EDGE: 900, 1800 MHz; GPRS/EDGE class 12 (DL/UL: max. 237 kbit/s) |
| Frequency bands, data rates (US/Canada) | 4G/LTE: 2 (1900 MHz), 4 (2100/1700 MHz AWS), 5 (850 MHz), 13 (700 MHz), 17 (700 MHz); LTE Cat 3 (DL: max.100 Mbit/s, UL: max. 50 Mbit/s) 3G/UMTS/HSPA: 2 (1900 MHz), 4 (2100/1700 MHz AWS), 5 (850 MHz) ; UMTS, HSPA+ HSPA+, HSUPA (DL: max. 42 Mbit/s, UL: max. 5,7 Mbit/s) 2G/GPRS/EDGE: 850, 900, 1800, 1900 MHz; GPRS/EDGE Class 12 (DL/UL: max. 237 kbit/s) |
| Antenna connection | 2x SMA female (Main antenna, optional external antenna MIMO) |
| SIM | Slot for 1 Mini-SIM card (2FF), locked Further provider redundancy using multi-roaming SIM cards |
| Dual APN | Splitting of cellular data traffic over 2 APNs (with 2 SIM cards) , e.g. separation of user and management data |
| Cellular Status | Signal field strength, RSSI, RSCP / Ec/No, RSRP / RSRQ, cell ID, location ID |
| Hardware interfaces | |
| Ethernet ports | 5 x RJ45 shielded, 10/100 Mbit/s, Full/half duplex, Auto MDI-X, 1.5 kV isolation voltage |
| Ethernet function | Assignment to IP network freely configurable per port, link up/down detection, configuration port |
| Inputs | 2 digital inputs (available in all basic variants), status can be monitored: 1x low active (connection to GND) 1x high active (connection to 10...24 V DC, as per EN 61131-2, type 1) |
| Displays (LEDs) | Power, WAN (Internet connection), Info (configurable), Signal (for cellular communication), DSL (for DSL), SFP1 / SFP2 (SFP status and activity, for MRX Fiber) |
| RS232 | 1 x RS232 / D-Sub-9 (m) |
| Functions Serial interface | Serial Ethernet gateway (incoming and outgoing connections, Modbus TCP/RTU gateway, modem emulation, editable AT answer list, translation of phone numbers to IP addresses) |
| Digital Outputs | 1 open collector output |
| Network | |
| Network functions | 100 local IP networks, IP static/DHCP, TCP, UDP, IPv4, IPv6, NTP, DHCP, DNS, HTTP/S, ARP, SSH, 802.1Q VLAN incl. tags and trunk ports |
| Service | DHCP Server v4/v6 per IP network, DHCP relay, NTP server, DNS, DynDNS, IPv6 Router Advertiser |
| Routing | Static routing, routing priority, RSTP, dynamic routing (OSPF, BGP, RIPv1, RIPv2, RIPng) |
| WAN redundancy/failover | Several WAN connections configurable also in parallel operation, fallback level for connection breakdown (failover), event-based WAN changeover (see events) |
| Connection check | Periodic, ping/icmp, DNS request, link up/down |
| DSL | PPPoA and PPPoE (MRX3/5 DSL und MRcard PD-A/B); external DSL modems: PPPoE |
| NAT/PAT | SNAT/DNAT (masquerade, netmapping, port forwarding, IP forwarding) unlimited number of rules |
| VPN | |
| DELTA LOGIC Connectivity Service | Supports VPN service for remote maintenance, remote access and M2M-communication |
| OpenVPN | Client/Server, several parallel tunnels, server with up to 20 clients, tls-auth/tls-crypt, dead peer detection (DPD) |
| OpenVPN encryption | DES EDE 128, DES EDE3 192, AES 128-256 CBC/GCM, SHA 256-512 |
| IPsec | IKEv1, IKEv2 (automatic, fix), several parallel tunnels, pre-shared keys, certificates, tunnel mode, transport mode, dead peer detection (DPD) |
| IPsec encryption | DES EDE3 192, AES 128-256 CBC/GCM, SHA 256-512 DH-Group 1-31 (Diffie-Hellman 768 - 25519), ChaCha20-Poly1305 |
| GRE | GRE via IPsec, point-to-point, multipoint |
| PPTP | PPTP client/server; PAP/CHAP/MS CHAP/MS CHAP V2; MPPE 40-128 |
| Dynamic VPN | Dynamic multipoint VPN (GRE, IPsec, NHRP, EIGRP, OSPF, RIPv1/v2, BGP) |
| IT security | |
| Authentication | Pre-shared key, X.509 certificates, RADIUS, access rights (read, write, status) |
| Firewall/netfilter | IP filters (stateful firewall) also in VPN tunnel; packet filter: TCP, UDP, ICMP, ESP, AP, GRE; MAC filter; pre-defined firewall rules can be activated |
| Security | Booting signed firmware, HTTP/HTTPS attack prevention; response upon events: configuration change, link up/down, restart, login attempt, netfilter violation, password hashing |
| IoT and Cloud (icom Data Suite, license required) | |
| Function icom Data Suite | Machine connection and data processing; connection to cloud and SCADA Systems; arithmetic & logic functions; data logger; dashboard |
| Data acquisition | CODESYS, Modbus TCP/RTU, MQTT, Siemens S7, OPC UA Client, IEC 60870-5-101, digital input, analog input (if present) |
| Data transmission | MQTT, OPC UA Server, IEC 60870-5-104, Modbus TCP/RTU, e-mail, SMS, SFTP, digital input, analog input (if present) |
| IoT platforms | MQTT compatibility: Thingsboard, Cumulocity, AnyViz, Azure IoT Hub, Bosch IoT Suite, AWS IoT Core |
| Events & Actions | |
| Event & Action Handler | Notification, alarming, diagnosis, attack detection, fault handling, operation and commissioning logic |
| Events/alarms (selection) | Change: digital input, Ethernet port, WAN chain, profile status, supply input (with MRX), cellular field strength; timer expired, firewall violation, login attempt detection, pulse sequence on digital input, counter, netfilter rule |
| Event-triggered (selection) | Messages via e-mail, SMS (only LTE variants), SNMP traps, MCIP; switch profile, switch connection, change modem state, start timer, switch output or pulse sequence, activate firmware, reset, restart container |
| Programming environment/scripting | |
| Container environment | Installation of several application containers, container with own IP end point, assignment to IP networks - full firewall and routing transparency; access control, SDK available |
| Container Ressources | CPU: 50% of ARMv7 (720 MHz), RAM: 448 MB, Flash: 3 GB eMMC |
| Lua scripting | Lua interpreter for own scripts |
| Monitoring and Management | |
| Monitoring | SNMP traps and agent, configurable system logs, remote syslog, link up/down detection, netfilter violation |
| Certificate management | EST, CRL |
| Administration | |
| Configuration | Web Interface HTTP(S) with session management, command line interface (CLI), Telnet, SSH, configuration profiles as ASCII and binary file, ample configuration profiles event-triggered, REST API |
| Diagnosis tools | ping/icmp, tcpdump, traceroute, DNS Lookup, AT commands, port mirroring |
| FW update | Incremental, failsafe, update server (HTTP, FTP, HTTPS, FTPS) |
| System time | NTP client and server, buffered real time clock |
| Help | Web interface: inline help, online help; example profiles, plausibility check, Configuration Guides |
| Supply | |
| Voltage | 12 ... 24 V DC (± 20% 9,6-28,8 V), 2 supply connections with changeover detection, reverse-polarity protected |
| Terminals | 5-pin push-in terminal connectors (maintenance free), rigid/flexible conductors up to 2,5 mm2 |
| Power consumption (basic variants without further MRXcards) | typical approx. 2.5 W, max. 8.0 W |
| Ambient conditions | |
| Dimensions (WxDxH) | 54 x 117 x 88 mm |
| Weight | 280 g |
| Mounting | DIN rail mounting, Horizontal pitch (HP) on DIN rail: 3 HP |
| Operating temperature | -30...+75 °C +70 ... +75 °C: extended temperature range (refer to www.insys-icom.com/en/extended-temperature-range/) |
| Humidity | 0...95% (non-condensing) |
| Protection class | Housing: IP40 |
| Approvals & Standards | |
| Certifications | All variants: CE, UKCA Additionally MRX2 LTES world: FCC part 15 class B, IC Additionally for MRX2 LTES-US: FCC part 15 class B, IC, UL 62368-1 |
| EMV | Emission: EN 55032 Class B, EN 61000-6-3; immunity: EN 55035 (replaces EN 55024), EN 61000-6-2 |
| Safety | IEC/EN 62368-1 |
| Environmental conditions | Vibration/shock as per PLC standard EN 61131-2 and EN 60068-2-6, EN 60068-2-27; Temperature tests as per EN 60068-2-1, EN 60068-2-2, EN 60068-2-14, EN 60068-2-30 |
| Operation time | MTBF > 880,000 h (25 °C), according to SN 29500 standard (according to IEC 61709) |
| Data sheet MRX | ||
| Data_sheet_MRX.pdf | 2.22 MB | December 19, 2024 |
| Manual MRX | ||
| Manual_MRX.pdf | 2.91 MB | December 19, 2024 |
| Quick Installation Guide Router English | ||
| QIG_Router_en.pdf | 1.46 MB | December 12, 2023 |
| DELTA LOGIC Connectivity Service First Steps | ||
| DLCS_First_Steps.pdf | 122 KB | January 08, 2024 |
General
I cannot reach my device via the IP 192.168.1.1.
Have you already tried https://192.168.1.1? The HTTP connection was deactivated by default with firmware version 4.4. Your device should be available via an HTTPS connection.
My device shows that LTE is online, but I have no Internet access.
If you have configured your device, set all firewall rules and no other settings are missing, make sure that you have entered the correct access point name under Interfaces/LTE.
I need to enter the SIM PUK. Where do I have to enter the PUK?
In the new UI under Administration/Debugging, in the classic UI under Help/Debugging. Please select AT command as the tool and enter your PUK and the new PIN in the following format:
AT+CPIN="PUK","NEW PIN"
Here is an example of what this could look like:
AT+CPIN="12345678","0000"
How can I create a support package?
New UI: In the menu under Status/Support package/Create support package
Classic UI: in the menu under Help/Support/Create new support package
I cannot connect to my Siemens HMI panel (KTP1500 Comfort, KTP600 Basic,... ) via VPN in the TIA Portal. Why?
1. With HMI panels only "Advanced online loading" can be used in the TIA Portal, "Advanced online connect" is basically not possible.
2. "PG/PC interface" TAP-Windows Adapter..." must be selected as interface.
3. With some HMI panels (KTP600 Basic) the "PN/IE interface" cannot be used, in these cases the "Ethernet interface" has to be used.
4. For some HMI panels (e.g. TP700 Comfort), the "Display all compatible stations" option must not be active.
OpenVPN
Where can I download the latest Open VPN client?
You can find it here: https://openvpn.net/index.php/open-source/downloads.html
My OpenVPN connection is not going online. I get the error message “UDP link local: (not bound)” ... “Inactivity timeout (-ping-restart), restarting”.
Your firewall is blocking the connection. Make sure that the connection to the VPN server via the required port is not blocked.
My OpenVPN connection is not going online. I receive the error message “Certificate not yet valid”.
This means that the date of your device is set incorrectly. Your certificate is literally not yet valid because your device time is in the past. You can set the correct date and time via Administration/Time.
My OpenVPN connection is not going online. I get the error message “TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)”.
Explanation: There is no response from the server to the client connection within 60 seconds (see timestamp of the marked entries). This results in a timeout. This can have several causes.
This is one of the most common cases. The most common cause is then point 3.
1. Incorrect destination address or destination port in the VPN client: Check whether the correct address of the VPN server and the correct port are set here.
2. No Internet connection: Check whether VPN servers or other services are pingable on the Internet.
3. Firewall blocks the connection establishment: Make sure that the connection establishment via the required port to the VPN server is not blocked.
I see the message “temporary failure in name resolution” in the OpenVPN logs. What does this mean?
This generally means a DNS error. Make sure that the DNS settings of your Insys device are correct and that DNS queries are allowed.
When I start OpenVPN, I get a blue screen error.
This behavior is possibly caused by the TIA Portal from Siemens, which is also responsible for support in this case. DELTA LOGIC has no influence here. However, experience has shown that it can help to switch off the SIMATIC Industrial Ethernet ISO protocol on the OpenVPN network adapter.
