PAX Tomra FSE


Personal aXsguard Routers (PAX)

information for Field Service Engineers

This document gives some information about the Personal aXsguard Routers, and describes some
basic troubleshooting tips.

PAX Router information

A PAX Router is a Cisco/Linksys WRT54GL v1.1 device that is running the OpenWRT operating
system (with Vasco web-interface front-end) instead of the Cisco/Linksys operating system.

All PAX Routers are preconfigured with their WAN network card configured as DHCP that will
work on most network configurations.

The VPN technology used is SSLVPN, which uses port UDP1194 for communication. The
correct time/date is necessary in order to verify the validity of the certificate, which is why a
PAX Router must sync its time via NTP over port UDP123.

Communication over UDP is connectionless and far more performant than TCP.
The downside is that UDP connections cannot be “tested”.

Information to give to the customer

In networks with a gateway (95 %) the following configuration must be applied on that
gateway. This is something the customer must do, and for that the customer needs the following information:

Port UDP1194 to VPN.BESTNV.COM (194.7.27.162) and/or PAX.BESTNV.COM (194.7.27.163).

Port UDP123 open for NTP over the internet, default is “pool.ntp.org”, another timeserver can
be configured via the settings tab.
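
An NTP server answers every request it receives, so whether UDP123 is open can be checked from a laptop on the customer's network by sending one SNTP request and reading the reply. The script below is an added example, not part of the original document; the function names and the 60-second tolerance are assumptions chosen for illustration.

```python
import socket
import struct
import time

NTP_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01


def build_request(now: float) -> bytes:
    """48-byte SNTP request: LI=0, version 3, mode 3 (client)."""
    frac = int((now % 1) * 2**32)
    # Header byte, 39 zero bytes, then the transmit timestamp (bytes 40-47).
    return struct.pack("!B39xII", 0x1B, int(now) + NTP_DELTA, frac)


def parse_reply(data: bytes, sent: float, received: float) -> dict:
    """Return stratum and clock offset (server minus local, in seconds)."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    if data[0] & 0x07 != 4 or data[1] == 0:  # must be mode 4; stratum 0 is a refusal
        raise ValueError("not a usable server reply")
    rx_s, rx_f, tx_s, tx_f = struct.unpack("!IIII", data[32:48])
    t2 = rx_s - NTP_DELTA + rx_f / 2**32  # server receive time
    t3 = tx_s - NTP_DELTA + tx_f / 2**32  # server transmit time
    return {"stratum": data[1], "offset": ((t2 - sent) + (t3 - received)) / 2}


def check_ntp(server="pool.ntp.org", timeout=3.0, tolerance=60.0) -> str:
    """Send one request to UDP 123 and describe the outcome."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        sent = time.time()
        try:
            s.sendto(build_request(sent), (server, 123))
            data, _ = s.recvfrom(512)
        except OSError as exc:  # timeout, DNS failure, ICMP unreachable
            return f"no reply from {server} ({exc}): check UDP 123 on the gateway"
        received = time.time()
    try:
        info = parse_reply(data, sent, received)
    except ValueError as exc:
        return f"reply from {server} rejected: {exc}"
    verdict = "clock OK" if abs(info["offset"]) <= tolerance else "clock wrong"
    return f"{server} stratum {info['stratum']}: offset {info['offset']:+.1f}s, {verdict}"


if __name__ == "__main__":
    print(check_ntp())
```

A reply proves that UDP123 passes the gateway in both directions; the reported offset is measured against the laptop's clock, not the router's.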

Haasrode Industriepark Tel: +32 (0)16 396 396
Romeinsestraat 20 Fax: +32 (0)16 396 390
3001 Heverlee Email: info@bestsorting.com
Belgium www.tomra.com

Accessing web-interface

To access a PAX Router’s web-interface, connect your laptop with a straight network cable to one
of the four LAN ports. Then verify the IP address of your laptop (cmd > ipconfig /all).

IP Laptop        IP PAX Router   Remark
172.29.x.(y+n)   172.29.x.y      PAX Router is either connected, or has been previously connected.
192.168.1.100    192.168.1.1     PAX Router has been reset to factory defaults (e.g. battery).
169.254.x.y      n/a             PAX Router DHCP is down or bad cable, try fixed IP on laptop.

You can use the following usernames to access the web-interface:

username   password   remark
admin      P@X@dmin   Read/write access on SETTINGS tab
user       user       Read-only, e.g. give to customer.

Example of fully functional PAX Router

A fully functional PAX Router will show this information on its home/Status tab.

WAN        The PAX router is physically connected to a network.
Wireless   Disabled by default.
VPN        PAX Router is connected to the VPN Server in Belgium.

LAN and DHCP are of less importance; they are always “up” except when there are hardware problems.

The following LEDs will be active on a working PAX Router: “Power”, one or more of “1” through “4”, and
“Internet”.
The Internet LED will be lit when a network cable is plugged into the WAN port; it does not
mean that it is fully functional!
The DMZ LED is only lit when the PAX Router is starting up.

Troubleshooting tips

Use these remarks to troubleshoot a PAX Router.

Verify WAN tab

If IP is 169.254.x.y, verify with customer, or verify cable. If customer does not have DHCP server,
configure “internet type” as “static” in settings tab (see below).

Verify VPN tab

Verify “Valid until” date. If expired, ask ITSupport for new certificate and upload it to
PAX Router (see below “reconfigure a PAX Router”).

Verify SETTINGS tab

Verify that the settings for “Network Time Server” and “HQ Server Name(s) or IP(s)” are as shown in
the screenshot. If not, add them. Pay attention to the checkboxes.

If “Internet type” is “static”, verify “IP Address”, “Net Mask”, “Default Gateway” and “ISP DNS
Servers” with customer.

Verify Network settings on sorter

- Verify that the sorter has been connected to one of the four LAN ports. Maximum length of the
cable is about 100 meters.
- Verify the IP address of the sorter (cmd > ipconfig /all); the gateway must be the IP address of
the PAX Router (172.29.x.y). The IP address of the sorter is then 172.29.x.y+n.
- If the sorter has a 169.254.x.y IP: verify cable, RJ-45 plugs.
- If the sorter has 192.168.x.y, verify PAX Router.

Read and send LOG file

- If the time/date does not change at the end of the log file, verify UDP123 and UDP1194
with customer.

- Search for any obvious error messages (e.g. “No HQ servers known to establish
openvpn tunnel”)
- Select log entries with mouse, copy them and send them to ITSupport.

Reconfigure a PAX Router when it has been reset to factory defaults

Ask ITSupport for a new P12 certificate file via mail.

The passphrase of the certificate is always “a” (without the “ signs), then follow these steps:

- Connect laptop to PAX Router LAN port.
- Determine IP address of the PAX Router (see above).
- Log in with “admin” username.
- Configure settings tab (see screenshot above).
- On the settings tab: click browse, and choose the P12 file, type the passphrase “a”.
- Reboot the PAX Router and disconnect the network cable to laptop.
- When DMZ LED is not lit anymore, connect network cable and verify PAX Router.
