JP6766577B2 - Communication control device, communication control program and communication control method - Google Patents

Description

The present invention relates to a communication control device, a communication control program, and a communication control method.

In recent years, in an organization such as a company, a LAN (Local Area Network) by wired and wireless communication is constructed in the organization (called an in-organization LAN), and each information processing device used in the organization is transmitted via the in-organization LAN. It is common practice to connect to each other. When a guest terminal used by a guest user outside the organization is connected to such an in-house LAN and each information device connected to the in-house LAN is made available from the guest terminal, the guest terminal communicates. There is known a technique for designating a enabled network resource by an IP (Internet Protocol) address and performing communication control using an SDN (Software-Defined Network) technique (for example, Patent Document 1).

The network device used in the in-house LAN as described above needs to be set in various ways before the network connection or before the actual operation after the connection. For this setting, for example, a personal computer (hereinafter, PC) accesses a network device via a LAN, for example, and a dedicated Web browser application program (hereinafter, browser) or GUI (Graphical User Interface) is used on the PC. It is common to use a console screen or the like.

By the way, when setting a network device from, for example, a Web UI or a console screen, it is common to input authentication information such as a user name and a password in order to access the Web UI or the console screen. However, if the correct authentication information cannot be entered, such as when the authentication information to be entered is forgotten, the Web UI or console screen cannot be accessed, and the setting screen cannot be displayed or the settings cannot be initialized.

Therefore, it is conceivable to provide, for example, two LAN ports for the network device to be set, and allocate one of the two LAN ports for normal communication and the other for emergency setting. When accessing a network device from the LAN port assigned for emergency settings, it is possible to display the setting screen without entering authentication information.

However, in this case, if an IP address that overlaps with the LAN port for normal communication or an IP address that belongs to the same subnet is set in the LAN port for emergency setting, it will be connected to the network device. There was a problem that communication packets could not be sent and received normally, and settings for network devices could not be executed.

In addition, when accessing from the LAN port for emergency settings, the setting screen is displayed without entering the authentication information, so it is necessary to give due consideration to security.

The present invention has been made in view of the above, and an object of the present invention is to make it easier to set a network device from an external device.

In order to solve the above-mentioned problems and achieve the object, the present invention uses a first configurable address to connect to a first network and a fixed second address. A second connection unit that connects to a second network that is not connected to the first network, a relay unit that relays transmission / reception between the first connection unit and the second connection unit, and a first unit. A first communication control unit that converts an address and an internal address to each other and controls transmission / reception to / from the first connection unit via a relay unit so as to use the internal address, and a second address and the inside. A second communication control unit that converts addresses to each other and controls transmission / reception to and from the second connection unit via the relay unit using an internal address, and a relay transmitted from the second connection unit. In response to the request of the initialization screen for initializing the authentication information passed from the first connection unit via the unit, the display control information for displaying the initialization screen is output and used as the display control information. When input information including the initialization of the authentication information is received, the second connection unit includes a process execution unit that executes an initialization process for initializing the authentication information according to the input information. Includes a table in which the address of an intermediary device that mediates communication with a second network can be set as a destination.

According to the present invention, there is an effect that the setting of the network device from an external device can be performed more easily.

FIG. 1 is a block diagram showing a configuration of an example of a communication system applicable to the first embodiment. FIG. 2 is a diagram showing an example of an IP address assigned to each device in the communication system applicable to the first embodiment. FIG. 3 is a block diagram showing a hardware configuration of an example of the communication control device according to the first embodiment. FIG. 4 is a functional block diagram of an example for explaining the function of the communication control device according to the first embodiment. FIG. 5 is a functional block diagram of an example for explaining the function of the communication control unit according to the first embodiment. FIG. 6 is a functional block diagram of an example for explaining the function of the bridge portion according to the first embodiment. FIG. 7 is a functional block diagram of an example for explaining the function of the Web server unit applicable to the first embodiment. FIG. 8 is a functional block diagram of an example for explaining the function of the initial setting PC applicable to the first embodiment. FIG. 9 is a diagram showing an example of a packet flow when accessing the Web server unit from the administrator PC, which is applicable to the first embodiment. FIG. 10 is a diagram showing an example of a packet flow when accessing the Web server unit from the initial setting PC according to the first embodiment. FIG. 11 is a sequence diagram of an example showing a communication process performed between the initial setting PC and the communication control device according to the first embodiment. FIG. 12 is a diagram showing an example of an initialization screen according to the first embodiment. FIG. 13 is a diagram showing an example of an initialization screen according to the first embodiment. FIG. 14 is a sequence diagram of an example showing a communication process performed between the initial setting PC and the communication control device according to the first modification of the first embodiment. FIG. 15 is a functional block diagram of an example for explaining the function of the communication control device applicable to the second modification of the first embodiment. FIG. 16 is a sequence diagram of an example showing a communication process performed between the initial setting PC and the communication control device according to the second modification of the first embodiment. FIG. 17 is a diagram showing an example of a guidance screen according to a third modification of the first embodiment. FIG. 18 is a diagram showing an example of a proposal screen according to a fourth modification of the first embodiment. FIG. 19 is a block diagram showing a configuration of an example of a communication system according to a second embodiment.

Embodiments of the communication control device, the communication control program, and the communication control method will be described in detail with reference to the accompanying drawings.

(Configuration of communication system applicable to the first embodiment)
FIG. 1 shows an example configuration of a communication system applicable to the first embodiment. In the example of FIG. 1, the communication system 1 includes a communication control device 10, a wired switch (SW) 20a and a wireless access point (AP) 20b connected to the network 11, a personal computer (PC) 21 for an administrator, and the like. It includes a PC 22 for initial setting and a DHCP (Dynamic Host Configuration Protocol) server 23. The communication control device 10 is connected to the network 11 via the router 12. The DHCP server 23 assigns an IP (Internet Protocol) address to each device connected to the network 11. Further, the wired SW20a and the wireless AP20b may include only one of them, or may include a larger number of each.

The confidential network 40 is connected to the network 11. In the example of FIG. 1, the confidential network 40 includes a printer 50, a confidential information server 51, and so on. The confidential network 40 is, for example, an intra-organizational LAN constructed inside the organization, and restricts access from outside the organization.

The communication control device 10 includes a communication control unit 100 and a Web server 101. The Web server 101 provides a user interface to the outside in the communication control device 10. For example, the administrator can manage and set the functions of the communication control unit 100 by accessing the Web server 101 in the communication control device 10 from the administrator PC 21 via the network 11.

Further, the communication control unit 100 includes an OpenFlow® controller (OFC) 102. Further, the wired SW20a and the wireless AP20b include OpenFlow switches (OFS) 200a and 200b, respectively. The OFC 102 generates a flow entry to be set in the OFS 200a and 200b according to the setting by the administrator PC 21, and registers the generated flow entry in the OFS 200a and 200b.

Here, OFC102 and OpenFlow (registered trademark), which is a technique to which OFS200a and 200b are applied, will be schematically described. OpenFlow is one of the technical specifications based on the concept called SDN (Software-Defined Network) that enables the movement of data on the network to be controlled only by software, and is a method for controlling communication on a virtualized network. (Protocol) is provided.

Network virtualization is a plurality of components, including, for example, a virtual interface technology that makes one physical interface appear as one or a plurality of physical interfaces, and a virtual switch technology that connects and relays virtual interfaces. It is a collection of technologies including. Network virtualization virtually separates a logical network configuration from a physical network configuration by combining physical network equipment, virtual network components, and protocol technology, and realizes a flexible network configuration that is not tied to the physical configuration. ..

OpenFlow regards communication as an end-to-end flow, and can perform route control, load distribution, optimization, etc. for each flow. Specifically, OpenFlow is realized by changing to a centralized control type instead of analyzing and transferring each data packet autonomously and decentrally in a relay device of a data communication path or the like.

In OpenFlow, the "control plane" that analyzes data, determines the transfer destination, and controls the determination is separated from the "data plane" that is merely a part responsible for physical transmission of packets. In OpenFlow, the OpenFlow® controller (hereinafter OFC), which controls the control plane, instructs the transfer rules, and the OpenFlow® switch (hereinafter OFS), which is responsible for the data plane, instructs the packet according to the instructions of the OFC. Make a transfer. More specifically, the OFS transfers packets according to the flow table of the OFS, which the OFC adds and rewrites. By using this mechanism, OpenFlow can be utilized as a tool for controlling the above-mentioned network virtualization.

Returning to the description of FIG. 1, the user terminal 30 is an external terminal device used by a user outside the communication system 1, for example, a user who does not have the authentication information for logging in to the communication system 1. The user terminal 30 is connected to the wired SW 20a by wire, and can communicate with the network 11 via the wired SW 20a under the control of the OFS 200a included in the wired SW 20a.

Similarly, the user terminal 31 is also an external terminal device used by an external user. In this example, the user terminal 31 is, for example, a smart device which is an information processing device capable of connecting to a network using a wireless LAN, and includes a tablet computer and a multifunctional mobile phone terminal (smartphone). The user terminal 31 is wirelessly connected to the wireless AP20b by a wireless LAN, and can communicate with the network 11 via the wireless AP20b under the control of the OFS200b included in the wireless AP20b.

The initial setting PC 22 has a CPU, ROM, RAM, storage, communication I / F and data I / F connected to each other by a bus as a hardware configuration, and responds to an input device that accepts user operations and a display signal. It has a general computer configuration in which a display device for displaying a screen is built-in or can be connected.

The initial setting PC 22 is connected to the communication control device 10 directly using a cable or via a network, and at least accesses a management setting screen for managing and setting the functions of the communication control device 10. It is used to initialize the authentication information for. For example, the initial setting PC 22 initializes the authentication information (password, certificate information of the Web server 101, etc.) used to access the Web server 101 when setting the communication control unit 100 in the Web server 101. Can be done.

A confidential network 40 is connected to the network 11. The confidential network 40 includes a plurality of confidential information servers 51 including confidential information that should not be disclosed to external users. Further, the confidential network 40 further includes a printer 50. In the example of FIG. 1, the confidential network 40 is given, for example, the network address "192.168.1.0/24", and the printer 50 is given the IP address "192.168.1.2". It is assumed that the user terminals 30 and 31 are restricted from accessing the inside of the confidential network 40 among the parts connected to the network 11, and free access is permitted to the outside of the confidential network 40.

FIG. 2 shows an example of an IP address assigned to each device in the configuration of FIG. As for the network address and the IP address, the front side of the slash symbol indicates the address and the rear side indicates the netmask. A 24-bit netmask is set for each network address and each IP address shown in FIG.

In FIG. 2, the network address “192.168.10.0/24” is assigned to the network 13 connected to one of the routers 12 with a netmask of 24 bits. The network address "192.168.20.0/24" is assigned to the network 11 (first network) connected to the other connection portion of the router 12. Further, the direct connection between the communication control device 10 and the initial setting PC 22 by the cable or the network 14 is regarded as a network (second network), and the network address "192.168.254.0/24" is assigned to this network. Be done. Table 1 summarizes each of these network addresses.

The DHCP server 23 is assigned the IP address "192.168.20.200/24". IP addresses "192.168.20.102/24", "192.168.20.100/24" and "192.168.20.101/24" are assigned to the administrator PC 21, the wireless AP20b and the user terminal 31, respectively, by the DHCP server 23. In the router 12, the IP address "192.168.10.1" is assigned to the network address "192.168.10.0/24" side, and the IP address "192.168.20.1" is assigned to the network address "192.168.20.0/24".

The communication control device 10 has two communication ports. Of the two communication ports, the transmission / reception unit 130a (first connection unit) includes a communication port called a main port for connecting to the network 11 via the router 12. In the transmission / reception unit 130a, the IP address "192.168.10.2/24" is assigned to the main port. The IP address "192.168.10.2/24" of the transmission / reception unit 130a can be changed according to the setting for the communication control device 10. Hereinafter, unless otherwise specified, the IP address assigned to the main port included in the transmission / reception unit 130a will be described as being the IP address of the transmission / reception unit 130a.

On the other hand, of the two communication ports of the communication control device 10, the transmission / reception unit 130b (second connection unit) is a communication called an initial setting port for connecting to the initial setting PC 22 via a cable or a network 14. Includes port. The transmission / reception unit 130b is assigned the IP address "192.168.254.254/24" to the initial setting port. The IP address "192.168.254.254/24" of the transmission / reception unit 130b is fixed. The IP address "192.168.254.2/24" is assigned to the initial setting PC22. The IP address "192.168.254.2/24" of the initial setting PC 22 is fixedly set manually, for example. Hereinafter, unless otherwise specified, the IP address assigned to the initial setting port included in the transmission / reception unit 130b will be described as being the IP address of the transmission / reception unit 130b.

Further, in the router 12, the IP address "192.168.10.1/24" is assigned to one connection portion connected to the network 13, and the IP address "192.168.10.1/24" is assigned to the other connection portion connected to the network 11. 20.1/24 "is assigned. Here, it is said that the router 12 cannot use the default gateway.

Table 2 summarizes the IP addresses assigned to each device in the communication system 1.

(Structure according to the first embodiment)
Next, the configuration according to the first embodiment will be described. FIG. 3 shows a hardware configuration of an example of the communication control device 10 according to the first embodiment. In FIG. 3, the communication control device 10 includes a CPU (Central Processing Unit) 1000, a ROM (Read Only Memory) 1001, a RAM (Random Access Memory) 1002, a storage 1003, a data I / F 1004, and a communication I /. It includes F1005a and 1005b, which are communicably connected to each other by bus 1010. As described above, the communication control device 10 according to the first embodiment can be realized by the same configuration as a general computer.

The storage 1003 is composed of a hard disk drive and a non-volatile semiconductor memory (flash memory), and stores various programs and data for operating the CPU 1000. Further, the ROM 1001 stores in advance, for example, programs and data used for starting and operating the communication control device 10. The CPU 1000 operates using the RAM 1002 as a work area according to a program stored in the storage 1003 or the ROM 1001, and controls the entire operation of the communication control device 10. The data I / F 1004 is an interface for inputting / outputting data to / from an external device, and for example, USB (Universal Serial Bus) can be applied.

The communication I / F 1005a and 1005b each communicate with the outside of the communication control device 10 according to the instruction of the CPU 1000. The communication I / F 1005a and 1005b correspond to the transmission / reception units 130a and 130b described above, respectively.

FIG. 4 is a functional block diagram of an example for explaining the function of the communication control device 10 according to the first embodiment. In FIG. 4, the communication control device 10 includes a Web server unit 122, transmission / reception units 130a and 130b, communication control units 131a and 131b, and a bridge unit 132. Further, the communication control unit 131a includes OFC 102.

In FIG. 4, the transmission / reception units 130a and 131b are also described as transmission / reception units # 0 and transmission / reception units # 1, respectively. Similarly, the communication control units 131a and 131b are also described as the communication control unit # 0 and the communication control unit # 1, respectively.

The Web server unit 122, the transmission / reception units 130a and 130b, the communication control unit 131a131b, and the bridge unit 132 are configured by operating a program running on the CPU 1000. Not limited to this, the Web server unit 122, the transmission / reception units 130a and 130b, the communication control units 131a and 131b, and a part or all of the bridge unit 132 are configured by a hardware circuit that operates in cooperation with each other. May be good.

The transmission / reception unit 130a controls the communication I / F 1005a according to the routing table stored in advance, connects to the network 11 via the router 12, and performs communication via the network 11. That is, the transmission / reception unit 130a receives the communication packet from the outside of the communication control device 10 as a network interface, and sends the communication packet to the outside of the communication control device 10 according to the routing table.

The communication packet includes a header including information used for communication and a data unit including a main body of data to be transmitted. The data to be transmitted is divided into, for example, a predetermined size, each of the divided data is packed in a data unit, and a header is added to each data unit to form each communication packet.

Table 3 shows an example of a routing table stored in the transmission / reception unit 130a. This routing table is stored in advance in the storage 1003 included in the communication control device 10, for example. Not limited to this, the routing table may be stored in advance in a storage medium such as a ROM included in the communication I / F 1005a.

In Table 3, in the routing table, the IP address "0.0.0.0/0" including the netmask is set as the destination IP address, and the IP address "0.0.0.0/0" is set as the IP address of the gateway. The router 12 "192.168.10.1" is associated. That is, when the destination IP address of the communication packet transmitted from the communication control device 10 is an IP address other than the network address "192.168.10.0/24" of the network to which the transmission / reception unit 130a itself belongs, the transmission / reception unit 130a communicates. The packet is sent to the IP address "192.168.10.1" of the router 12 as a gateway.

The Web server unit 122 corresponds to the Web server 101 in FIG. 1 and provides a user interface to the outside of the communication control device 10. The Web server unit 122 functions as a processing execution unit that provides screen information to the outside by a user interface and executes processing according to input information input via the user interface based on the screen information. The Web server unit 122 can perform communication corresponding to HTTP (Hypertext Transfer Protocol) and FTP (File Transfer Protocol) to the network 11 via the transmission / reception unit 130a.

The communication control unit 131a (first communication control unit) controls communication by the transmission / reception unit 130a using, for example, NAPT (Network Address and Port Translation). The communication control unit 131a determines and executes whether or not to transmit the communication packet received by the transmission / reception unit 130a. Further, the communication control unit 131a can rewrite the destination IP address and the source IP address of the communication packet transmitted from the transmission / reception unit 130a.

Further, the communication control unit 131a includes the function of the OFC 102 (transfer device control unit), and generates a flow entry for application to the flow table included in the OFS 200a and 200b according to, for example, an instruction from the administrator PC 21. The communication control unit 131a generates a flow entry according to the instruction of the Web server unit 122 in response to the request from the administrator PC 21, for example. The communication control unit 131a transfers the generated flow entry to, for example, a wireless AP20b (transfer device) by the function of OFC102. The radio AP20b writes the transferred flow entry to the flow table of the OFS200b included in the radio AP20b.

The transmission / reception unit 130b controls the communication I / F 1005b according to the routing table stored in advance, and communicates with the initial setting PC 22 via the cable or the network 14. That is, the transmission / reception unit 130b receives the communication packet from the initial setting PC 22 as a network interface and sends the communication packet to the initial setting PC 22 according to the routing table, similarly to the transmission / reception unit 130a described above.

Table 4 shows an example of a routing table stored in the transmission / reception unit 130b.

In Table 4, the IP address "0.0.0.0/0" is set as the destination IP address in the routing table. On the other hand, the IP address of the gateway is not set in this routing table. Therefore, the transmission / reception unit 130b communicates when the destination IP address of the communication packet transmitted from the communication control device 10 is an IP address other than the network address "192.168.254.0/24" of the network to which the transmission / reception unit 130b itself belongs. Do not send packets to the outside.

That is, in the first embodiment, the transmission / reception unit 130b is used for communication with the initial setting PC 22 at the time of initial setting and initialization of the communication control device 10. Therefore, the transmission / reception unit 130b does not assume communication with a terminal device connected beyond the router from the viewpoint of security and the like. Therefore, the gateway is not set in the routing table of the transmission / reception unit 130b.

According to the settings of the routing table in Table 4, when the transmission / reception unit 130b is connected to another network to which a network address different from the network to which the transmission / reception unit 130b itself belongs is connected via a router, for example. Communication packets are not sent from 130b to the other network. Therefore, for communication by the transmission / reception unit 130b, for example, it is necessary to directly connect the PC to the transmission / reception unit 130b (communication I / F1005b) without going through a router.

Therefore, the communication by the transmission / reception unit 130b is performed in the vicinity of the communication control device 10. For example, when the communication control device 10 is installed in the server room, the work performed by connecting a PC or the like to the transmission / reception unit 130b is a server. Limited to the room. Therefore, the users who perform the work are limited, and the authority for the work can be managed.

The communication control unit 131b (second communication control unit) controls communication by the transmission / reception unit 130b using, for example, NAT. That is, the communication control unit 131b determines and executes whether or not to transmit the communication packet received by the transmission / reception unit 130b, similarly to the communication control unit 131a described above. Further, the communication control unit 131b can rewrite the destination IP address and the source IP address of the communication packet transmitted from the transmission / reception unit 130b. In this case, the communication control unit 131b fixes the destination IP address and the source IP address of the communication packet transmitted from the transmission / reception unit 130b to the IP addresses "192.168.254.2/24" and "192.168.254.254/24", respectively. Rewrite as a target.

The bridge unit 132 is a relay unit in which the communication control unit 131a is connected to one connection unit, the communication control unit 131b is connected to the other connection unit, and the communication between the communication control unit 131a and the communication control unit 131b is relayed. Functions as. Here, the IP address "169.254.0.1/24" is assigned to the connection unit on the bridge unit 132 side of the communication control unit 131a. On the other hand, the IP address "169.254.0.2 / 24" is assigned to the connection unit on the bridge unit 132 side of the communication control unit 131b. These IP addresses "169.254.0.1/24" and "169.254.0.2/24" are internal addresses used inside the communication control device 10.

Table 5 summarizes the internal addresses used inside the communication control device 10. In the example of Table 5, the IP addresses "169.254.0.1/24" and "169.254.0.2/24" are given the names "INT_0" and "INT_1", respectively.

Here, it is assumed that the transmission / reception units 130a and 130b are interfaces corresponding to Ethernet (registered trademark), respectively, and are connected by a cable, but this is not limited to this example. For example, at least one of the transmission / reception units 130a and 130b may support a wireless LAN. Further, the interface supported by the transmission / reception units 130a and 130b may be a serial interface such as PCI (Peripheral Component Interconnect) Express or USB (Universal Serial Bus). Further, the transmission / reception units 130a and 130b may correspond to different types of interfaces.

The configurations of the communication control units 131a and 131b and the bridge unit 132 can be configured as long as the communication packets transferred from the transmission / reception units 130a and 130b and the communication packets in response to the communication packets can be appropriately processed. There is no particular limitation. Further, in the above description, it has been described that the communication control units 131a and 131b control the communication using NAT, but this is not limited to this example. For example, the communication control units 131a and 131b may control communication using NAT (Network Address Translation).

FIG. 5 is a functional block diagram of an example for explaining the function of the communication control unit 131a according to the first embodiment. In FIG. 5, the communication control unit 131a includes a communication unit 1310, a control unit 1311, a communication path control information storage unit 1312, and a NAT table storage unit 1313. Further, in the communication control unit 131a, the control unit 1311 includes the function of the OFC 102. The communication path control information storage unit 1312 and the NAT table storage unit 1313 use, for example, a predetermined storage area in the storage 1003 of the communication control device 10.

The communication unit 1310 includes two communication ports, a first communication port for transmitting / receiving communication packets to / from the transmission / reception unit 130a, and a second communication port for transmitting / receiving communication packets to / from the bridge unit 132. The communication unit 1310 extracts header information from the communication packet input to the communication unit 1310 from the first communication port and the second communication port, and passes the extracted header information to the control unit 1311. The communication unit 1310 processes the input communication packet in response to the instruction of the control unit 1311 based on the header information.

The control unit 1311 instructs the communication unit 1310 to perform processing according to the header information passed from the communication unit 1310 based on the information stored in the communication path control information storage unit 1312 and the NAT table storage unit 1313.

The communication path control information storage unit 1312 stores control information for performing internal communication and external communication of the communication control device 10. The control information stored in the communication path control information storage unit 1312 is used to communicate with the packet processing table according to the first embodiment for performing communication inside the communication control device 10 and with the outside of the communication control device 10. , Includes information such as a predetermined ARP table for communicating by ARP (Address Resolution Protocol). The NAPT table storage unit 1313 controls storage of a predetermined NAPT table in a storage medium such as storage 1003 of the communication control device 10 and reading of the NAPT table.

Table 6 shows an example of the packet processing table according to the first embodiment included in the communication path control information storage unit 1312 in the communication control unit 131a.

In Table 6, the packet processing table contains items of "in port", "type", "source (src)", "destination (dst)", and "actions". Has one or more entries containing. When the communication packet input to the communication unit 1310 satisfies the conditions described in each item "input port", "type", "source" and "destination" of the entry, the control unit 1311 of the communication control unit 131a Executes the process described in the item "Process" of the entry.

The item "#" at the beginning of each entry indicates the serial number for each entry. For each entry, the conditions described in each item "input port", "type", "source", and "destination" are determined in order from the serial number having the smallest entry value. In the item "#", the value "default" defines the processing for the packet that does not satisfy each condition described in the entry in which the numerical value is described in the item "#".

In the item "input port", information indicating a communication port is described. In the example of Table 6, in the entries of the serial numbers "1" and "2", "transmission / reception unit # 0" and "bridge unit" are described in the item "input port", respectively, and the first communication of the communication unit 1310, respectively. A port and a second communication port are specified. Further, in the entry whose serial number value is "default", "ANY" indicating an arbitrary communication port is described in the item "input port".

In the item "type", the type of communication packet is described. In the example of Table 6, in the entries of the serial numbers "1" and "2", "IP" is described in the item "type", and the IP packet is specified as the communication packet type. Further, in the entry whose serial number value is "defoult", "ANY" indicating an arbitrary type is described in the item "type".

In the item "source", the source of the communication packet is described. In the example of Table 6, in the entry of the serial number "1", the IP address "192.168.10.2" and the port number "80, 443" are described in the item "source", and the IP address of the transmission / reception unit 130a, HTTP, and The port number corresponding to HTTPS (HTTP Secure) is specified. On the other hand, in the entry of the serial number "2", the IP address "169.254.0.2" is described in the item "source", and the communication control unit 131b is specified. Further, in the entry whose serial number value is "default", "ANY" indicating an arbitrary sender is described in the item "source".

In the item "destination", the destination of the communication packet is described. In the example of Table 6, in the entry of the serial number "1", the IP address "169.254.0.2" is described in the item "destination", and the communication control unit 131b is specified. On the other hand, in the entry of the serial number "2", the IP address "169.254.0.1" and the port number "80, 443" are described in the item "destination", and correspond to the IP address of the communication control unit 131a and HTTP and HTTPS. The port number is specified. In this case, the port numbers "80, 443" are determined to match one of them. Further, in the entry whose serial number value is "defalt", "ANY" indicating an arbitrary destination is described in the item "destination".

The item "process" describes the process for executing the communication packet in which the values described in the above-mentioned items "input port", "type", "source" and "destination" all match. To. In the entry with serial number "1", the item "process" translates the source into the IP address "169.254.0.1" and the port number "80, 443" "NAPT (SNAT, 169.254.0.1: {80, 443}". ) ”Is described. The item "processing" further specifies the output of the communication packet (Output). In this case, the communication packet is sent to the bridge unit 132 according to the destination IP address "169.254.0.2".

On the other hand, in the entry of the serial number "2", the item "processing" describes "NAPT (DNAT, 192.168.10.2)" that translates the destination into the IP address "192.168.10.2". The item "processing" further specifies the output of the communication packet (Output). In this case, the communication packet is sent to the transmission / reception unit 130b according to the converted destination IP address "192.168.10.2".

Further, in the entry whose serial number value is "default", "drop" for discarding the communication packet is described in the item "processing".

The communication control unit 131b includes a communication unit 1310, a control unit 1311, a communication path control information storage unit 1312, and a NAT table storage unit 1313, similarly to the communication control unit 131a described above. In the communication control unit 131b, the control unit 1311 can omit the function of the OFC 102.

In the communication control unit 131b, the communication unit 1310 has two communication ports, a third communication port for transmitting / receiving communication packets to / from the transmission / reception unit 130b and a fourth communication port for transmitting / receiving communication packets to / from the bridge unit 132. Includes one communication port. The communication unit 1310 extracts header information from the communication packet input to the communication unit 1310 from the third communication port and the fourth communication port, and passes the extracted header information to the control unit 1311. In the communication control unit 131b, the communication unit 1310 processes the input communication packet in response to the instruction of the control unit 1311 based on the header information.

In the communication control unit 131b, the control unit 1311, like the communication control unit 131a described above, has a header passed from the communication unit 1310 based on the information stored in the communication path control information storage unit 1312 and the NAT table storage unit 1313. The communication unit 1310 is instructed to perform processing according to the information.

The communication control unit 131b differs from the above-mentioned communication control unit 131a in that the transmission / reception unit 130b and the communication control unit 131a are connected to the communication unit 1310 via the bridge unit 132. Since the connection destination of the communication control unit 131b is different from that of the communication control unit 131a, the communication control unit 131a also causes the information stored in the communication path control information storage unit 1312 and the NAT table storage unit 1313 accordingly. It will be different from each information stored in.

Table 7 shows an example of the packet processing table according to the first embodiment included in the communication path control information storage unit 1312 in the communication control unit 131b.

In Table 7, the meanings of each item "input port", "type", "source", "destination" and "processing" included in the entry of the packet processing table are the same as each item of the packet processing table described in Table 6. Since they are the same, detailed description here will be omitted.

As for the item "input port", in the example of Table 7, "transmission / reception unit # 1" and "bridge unit" are described in the entries of the serial numbers "1" and "2", respectively, and the communication unit in the communication control unit 131b, respectively. A third communication port and a fourth communication port of 1310 are designated. Further, in the entry whose serial number value is "default", "ANY" indicating an arbitrary communication port is described in the item "input port".

As for the item "type", in the example of Table 7, "IP" is described in the entries of the serial numbers "1" and "2", and the IP packet is specified as the communication packet type. Further, in the entry whose serial number value is "defoult", "ANY" indicating an arbitrary type is described in the item "type".

As for the item "source", in the example of Table 7, "ANY" is described in the entry of the serial number "1", and an arbitrary sender is specified. On the other hand, in the entry of the serial number "2", the IP address "169.254.0.1" and the port number "80, 443" are described in the item "source", and correspond to the IP address of the communication control unit 131a and HTTP and HTTPS. The port number to be used is specified. Further, in the entry whose serial number value is "default", "ANY" indicating an arbitrary sender is described in the item "source".

As for the item "destination", in the example of Table 7, in the entry of the serial number "1", the IP address "192.168.254.254" and the port number "80, 443" are described in the item "destination", and the IP of the transmission / reception unit 130b is described. An address and a port number corresponding to HTTP and HTTPS are specified. On the other hand, in the entry of the serial number "2", the IP address "169.254.0.2" is described in the item "destination", and the IP address of the communication control unit 131b is specified. Further, in the entry whose serial number value is "defalt", "ANY" indicating an arbitrary destination is described in the item "destination".

In the example of Table 7, the item "Processing" is "NAPT (SNAT, 169.254.0.2)" that translates the source to the IP address "169.254.0.2" and the IP address " "NAPT (DNAT, 169.254.0.1)" to be converted to "169.254.0.1" is described. The item "processing" further specifies the output of the communication packet (Output). In this case, the communication packet is sent to the bridge unit 132 according to the converted destination IP address "169.254.0.1".

On the other hand, in the entry with the serial number "2", the item "processing" is "NAPT (SNAT, 192.168.254.254)" that translates the source to the IP address "192.168.254.254" and the IP address "192.168.254.2" for the destination. It is described as "NAPT (DNAT, 192.168.254.2)" to be converted to. The conversion destination IP address "192.168.254.2" is an example, and a value corresponding to the IP address of the initial setting PC 22 is set. The item "processing" further specifies the output of the communication packet (Output). In this case, according to the converted destination IP address "192.168.254.2", the communication packet is sent to the initial setting PC 22 via the transmission / reception unit 130b.

Further, in the entry whose serial number value is "defalt", "drop" for discarding the communication packet is described in the item "processing".

FIG. 6 is a functional block diagram of an example for explaining the function of the bridge portion 132 according to the first embodiment. In FIG. 6, the bridge unit 132 includes a communication unit 1320, a control unit 1321, and a communication information storage unit 1322.

The communication unit 1320 has two communication ports, a third connection port for transmitting and receiving communication packets to and from the communication control unit 131a, and a fourth connection port for transmitting and receiving communication packets to and from the communication control unit 131b. Including. The communication unit 1320 extracts header information from the communication packet input to the communication unit 1320 from the third communication port and the fourth communication port, and passes the extracted header information to the control unit 1321. The communication unit 1320 processes the input communication packet in response to the instruction of the control unit 1321 based on the header information.

The control unit 1321 instructs the communication unit 1320 to perform processing according to the header information passed from the communication unit 1320 based on the information stored in the communication information storage unit 1322.

The communication information storage unit 1322 stores control information for performing communication between the third communication port and the fourth communication port of the bridge unit 132. The control information stored in the communication information storage unit 1322 is the packet processing table according to the first embodiment for performing communication inside the bridge unit 132, and communication by ARP for performing communication via the bridge unit 132. Includes information such as a predetermined ARP table for performing the above.

Table 8 shows an example of the packet processing table according to the first embodiment included in the communication information storage unit 1322 in the bridge unit 132.

In Table 8, the meanings of each item "input port", "type", "source", "destination" and "processing" included in the entry of the packet processing table are the same as each item of the packet processing table described in Table 6. Since they are the same, detailed description here will be omitted.

As for the item "input port", in the example of Table 8, "communication control unit # 0" and "communication control unit # 1" are described in the entries of the serial numbers "1" and "2", respectively, and the bridge unit 132, respectively. The third communication port and the fourth communication port of the communication unit 1320 in the above are designated. Further, in the entry whose serial number value is "default", "ANY" indicating an arbitrary communication port is described in the item "input port".

As for the item "type", in the example of Table 8, "IP" is described in the entries of the serial numbers "1" and "2", and the IP packet is specified as the communication packet type. Further, in the entry whose serial number value is "defoult", "ANY" indicating an arbitrary type is described in the item "type".

As for the items "source" and "destination", in the example of Table 8, "ANY" is described in all the entries of the serial numbers "1" to "3", and any source and destination are specified. For the item "processing", in the example of Table 8, the output of the communication packet is specified in the entries of the serial numbers "1" and "2" (Output). In the entry of the serial number "1", the communication packet input from the communication control unit 131a shown in the item "input port" to one end of the bridge unit 132 is output to the communication control unit 131b from the other end of the bridge unit 132. Will be done. Further, in the entry of the serial number "2", conversely, the communication packet input from the communication control unit 131b shown in the item "input port" to the other end of the bridge unit 132 communicates from one end of the bridge unit 132. It will be output to the control unit 131a.

Further, in the entry whose serial number value is "defalt", "drop" for discarding the communication packet is described in the item "processing".

From these descriptions in Table 8, the bridge unit 132 sends the communication packet input from the communication control unit 131a to the communication control unit 131b as it is, and sends the communication packet input from the communication control unit 131b to the communication control unit 131a as it is. Performs the process of sending. More specifically, the bridge unit 132 sends and receives communication packets between the communication control unit 131a and the communication control unit 131b without changing the destination IP address and the source IP address.

As shown in Tables 6 and 7 described above, the communication control device 10 sets the destination IP address and the source IP address of the communication packet transmitted / received between the communication control unit 131a and the communication control unit 131b as internal addresses, respectively. It is supposed to be. Therefore, the network connected to the transmission / reception unit 130a and the transmission / reception unit 130b can be separated into the respective networks. Therefore, even if the transmission / reception units 130a and 130b are set with overlapping IP addresses or IP addresses belonging to the same subnet, the transmission / reception of communication packets between the transmission / reception unit 130a and the transmission / reception unit 130b can be performed. It can be executed normally.

Next, the Web server unit 122 (processing execution unit) included in the communication control device 10 will be described. FIG. 7 is a functional block diagram of an example for explaining the function of the Web server unit 122 applicable to the first embodiment. In FIG. 7, the Web server unit 122 includes a password storage unit 1220, a certificate information storage unit 1221, a setting unit 1222, an authentication unit 1223, an input information reception unit 1224, a screen information generation unit 1225, and a communication unit. Includes 1226 and.

The communication unit 1226 communicates with the outside of the communication control device 10 by HTTP and HTTPS. The screen information generation unit 1225 generates display control information for displaying the screen. The screen information generation unit 1225 generates display control information using, for example, HTML (HyperText Markup Language), and gives the generated display control information a predetermined URL (Uniform Resource Locator), for example, storage 1003 of the communication control device 10. Remember in.

The input information receiving unit 1224 receives the input information received by the communication unit 1226. The setting unit 1222 makes settings for controlling the operation of the communication control device 10 according to, for example, the input information received by the input information receiving unit 1224.

The password storage unit 1220 and the certificate information storage unit 1221 store passwords and certificate information as authentication information for performing authentication when accessing the Web server unit 122, respectively. The authentication unit 1223 authenticates the authentication information received by the input information reception unit 1224 based on the password and the certificate information stored in the password storage unit 1220 and the certificate information storage unit 1221, respectively.

FIG. 8 is a functional block diagram of an example for explaining the function of the initial setting PC 22 applicable to the first embodiment. In FIG. 8, the initial setting PC 22 includes a browser unit 220, a control unit 221, a communication unit 222, an input reception unit 223, and a display control unit 224. The browser unit 220, the control unit 221, the communication unit 222, the input reception unit 223, and the display control unit 224 are composed of a program that operates on the CPU of the initial setting PC 22. Not limited to this, a part or all of the browser unit 220, the control unit 221, the communication unit 222, the input reception unit 223, and the display control unit 224 may be configured by a hardware circuit that operates in cooperation with each other.

The control unit 221 controls the entire operation of the initial setting PC 22. The communication unit 222 controls the communication I / F included in the initial setting PC 22 to perform communication via, for example, a cable or a network 14. The input receiving unit 223 receives input information according to an operation on an input device included in the initial setting PC 22. The display control unit 224 generates a display signal according to the display control information.

The browser unit 220 has a function of a browser application program that reads a file described according to HTML and performs a predetermined operation. The browser unit 220 reads, for example, an HTML file according to a designated URL, generates display control information according to the read HTML file, and passes the generated display control information to the display control unit 224. Further, the browser unit 220 executes a process according to the input information received by the input reception unit 223.

Since the administrator PC 21 can apply the same configuration as the initial setting PC 22 described above, the description thereof will be omitted here.

(Communication processing according to the first embodiment)
Next, the process according to the first embodiment will be described more specifically. In the first embodiment, the authentication information for accessing the management setting screen for managing and setting the communication control device 10 is initialized from the initial setting PC 22 connected to the transmission / reception unit 130b. The initialization of the authentication information is a process that is assumed to be executed as an emergency measure, for example, when a user who accesses the management setting screen forgets the authentication information.

In a normal case, that is, when this authentication information can be input accurately, the Web server 101 in the communication control device 10 communicates with the communication control device 10 via the network 11 or the like using the administrator PC 21. To display the management setting screen on the display device of the administrator PC 21. In a normal case, the communication control device 10 is managed and set by using the administrator PC 21.

FIG. 9 shows an example of a packet flow when accessing the Web server unit 122 in the communication control device 10 from the administrator PC 21, which is applicable to the first embodiment. In FIG. 9, in each step S200, step S201, step S210 and step S211, the upper side shows the source IP address and the port (SRC IP: PORT), and the lower side shows the destination IP, as shown in the upper left of the figure. Indicates the address and port (DST IP: PORT). Further, in FIG. 9, the same reference numerals are given to the parts common to those in FIGS. 2 and 4 described above, and detailed description thereof will be omitted.

Since the Web server unit 122 exchanges communication packets with the transmission / reception unit 130a, communication between the administrator PC 21 and the Web server unit 122 is performed via the transmission / reception unit 130a as shown in FIG. It will be the one that was done.

The administrator PC 21 sends, for example, a communication packet including information generated by a browser mounted on the administrator PC 21 to the network 11 (step S200).

In this communication packet, the IP address "192.168.20.102" given to the administrator PC 21 is designated as the source IP address, and the private port number "50376" is designated as the source port number. For example, when the administrator PC 21 accesses the Web server unit 122 by designating a URL, it specifies "80" indicating HTTP or "443" indicating HTTPS as a port number.

Further, in the communication packet, the IP address "192.168.10.2" of the transmission / reception unit 130a is specified as the destination IP address, and the port indicating HTTPS on TCP (Transmission Control Protocol) / UDP (User Datagram Protocol) as the destination port number. The number "443" is specified. For the destination IP address "192.168.10.2", for example, a value manually input to the browser of the administrator PC 21 is used. These source IP addresses and port numbers, as well as destination IP addresses and port numbers, are embedded in the header of the communication packet to be processed.

This communication packet is received by the transmission / reception unit 130a via the router 12. The transmission / reception unit 130a transfers the received communication packet to the Web server unit 122 without changing the content (step S201). For example, when the transmission / reception unit 130a receives a communication packet including "80" or "443" whose port number indicates HTTP or HTTPS, the Web server unit 122 transfers the communication packet to the Web server unit 122. The transmission / reception unit 130a is requested to do so.

The Web server unit 122 transfers the communication packet to the transmission / reception unit 130a in response to the transferred communication packet (step S210). For example, the Web server unit 122 performs a predetermined process in response to the transferred communication packet, and transfers the communication packet generated by the process to the transmission / reception unit 130a.

In this communication packet, the IP address "192.168.10.2" of the transmission / reception unit 130a is specified as the source IP address, and the port number "443" is specified. Further, in the communication packet, the IP address "192.168.20.102" of the transmission / reception unit 130a is designated as the destination IP address, and the port number "50376" is designated as the destination port number.

The header of the communication packet to be processed is rewritten by the source IP address and port number, and the destination IP address and port number.

The transmission / reception unit 130a transmits the communication packet transferred from the Web server unit 122 without changing the content. This communication packet transmitted from the transmission / reception unit 130a is transmitted to the administrator PC 21 via the router 12 (step S211), and is received by the administrator PC 21.

FIG. 10 shows an example of a packet flow when accessing the Web server unit 122 from the initial setting PC 22 according to the first embodiment. In FIG. 10, in steps S220 to S225 and steps S230 to S235, the upper side shows the source IP address and the port, and the lower side shows the destination IP address and the port, as in FIG. 9. Further, in FIG. 10, the same reference numerals are given to the parts common to those in FIGS. 2 and 4 described above, and detailed description thereof will be omitted.

As described above, the Web server unit 122 exchanges communication packets with the transmission / reception unit 130a. Therefore, as shown in FIG. 10, the communication between the initial setting PC 22 and the Web server unit 122 is performed by the transmission / reception unit 130b, the communication control unit 131b, the bridge unit 132, the communication control unit 131a, and the transmission / reception unit. It will be via 130a.

The initial setting PC 22 transmits, for example, a communication packet including information generated by a browser mounted on the initial setting PC 22 to the cable or the network 14 (step S220).

The packet type of this communication packet is "IP", the IP address "192.168.254.2" given to the initial setting PC22 is the source IP address, and the private port number "50382" is the source. Designated as a port number. Further, in the communication packet, the IP address "192.168.254.254" of the transmission / reception unit 130b is specified as the destination IP address, and the port number "80" indicating HTTP on TCP / UDP is specified as the destination port number. For example, when the initial setting PC 22 accesses the Web server unit 122 by designating a URL, it specifies "80" indicating HTTP or "443" indicating HTTPS as a port number. The destination IP address "192.168.254.254" is manually input to the browser on the initial setting PC 22.

Each information including these types, a source IP address and a port number, and a destination IP address and a port number is embedded in the header of the communication packet to be processed.

This communication packet is directly received by the transmission / reception unit 130b via the cable or the network 14. The transmission / reception unit 130b transfers the received communication packet to the communication control unit 131b without changing the content (step S221). In this communication packet, the source IP address and port number are "192.168.254.2:50382", and the destination IP address and port number are "192.168.254.254:80".

When the communication control unit 131b receives the communication packet, the communication control unit 131b receives the input port into which the communication packet is input, the type included in the header of the communication packet, the source IP address and port number, and the destination IP address and port number. Get each information including and. The communication control unit 131b refers to the packet processing table shown in Table 7 based on each acquired information, and determines whether or not there is an entry matching each acquired information.

In this example, the communication control unit 131b determines that the entry of the serial number “1” in Table 7 matches each information acquired from the communication packet. The communication control unit 131b executes the process described in the item "process" of the entry according to the determination result, and sets the source IP address and the destination IP address to the internal IP address "169.254.0.2" and the IP address "169.254.0.2", respectively. Converts to "169.254.0.1" and instructs the output of communication packets. Further, the communication control unit 131b does not change the source and destination port numbers in accordance with the description of the item “processing”. The header of the communication packet to be processed is rewritten by each information including the source IP address and port number, the destination IP address and port number, and the type.

This communication packet is transferred from the communication control unit 131b to the bridge unit 132 according to the output instruction and the destination IP address (step S222). In this communication packet, the source IP address and port number are "169.254.0.2:50382", and the destination IP address and port number are "169.254.0.1:80".

When the bridge unit 132 receives the communication packet, the bridge unit 132 receives the input port into which the communication packet is input, the type included in the header of the communication packet, the source IP address and port number, and the destination IP address and port number. Get each information including. The bridge unit 132 refers to the packet processing table shown in Table 8 and determines whether or not there is an entry that matches each acquired information.

In the example of Table 8, since the source and destination are arbitrary (ANY) in each entry, in the bridge unit 132, the entry with the serial number “2” matches the communication packet based on the input port and the packet type. Then it is determined. The bridge unit 132 executes the process described in the item “process” of the entry and instructs the output of the communication packet. Further, the bridge unit 132 does not change each information (source and destination IP addresses and port numbers) included in the header of the communication packet.

This communication packet is transferred from the bridge unit 132 to the communication control unit 131a according to the output instruction and the destination IP address (step S223). In this communication packet, the source IP address and port number are "169.254.0.2: 50382", which is the same as in step S222, and the destination IP address and port number are "169.254.0.1:80".

Upon receiving the communication packet, the communication control unit 131a determines the input port into which the communication packet is input, the source IP address and port number included in the header of the communication packet, and the destination IP address and port number. Get each information including. The communication control unit 131a refers to the packet processing table shown in Table 6 and determines whether or not there is an entry that matches each acquired information.

In this example, the communication control unit 131a determines that the entry of the serial number “2” in Table 6 matches each information acquired from the communication packet. According to this determination result, the communication control unit 131a executes the process described in the item "process" of the entry, converts the source IP address to the IP address "192.168.10.2", and instructs the output of the communication packet. .. Further, the communication control unit 131a does not change the source and destination port numbers in accordance with the description of the item “processing”.

The header of the communication packet to be processed is rewritten by each information including the source IP address and port number, the destination IP address and port number, and the type.

This communication packet is transferred from the communication control unit 131a to the transmission / reception unit 130a according to the output instruction and the destination IP address (step S224). In this communication packet, the source IP address and port number are "169.254.0.2:50382", and the destination IP address and port number are "192.168.10.2:80".

The transmission / reception unit 130a transfers the received communication packet to the Web server unit 122 without changing the content (step S225). For example, in the received communication packet, the transmission / reception unit 130a has its own IP address "192.168.10.2" and the port number added to the destination IP address is HTTP (port number "80" or HTTPS (port). When the number "443") is indicated, the communication packet is transferred to the Web server unit 122.

In this way, the Web server unit 122 can receive the communication packet transmitted from the initial setting PC 22.

The Web server unit 122 can transmit the communication packet to the initial setting PC 22 according to the content of the communication packet received from the initial setting PC 22. In this case, the communication packet is transferred from the Web server unit 122 to the initial setting PC 22 according to the flow opposite to that in steps S220 to S225 described above.

The Web server unit 122 generates, for example, a communication packet that responds to the communication packet transferred from the initial setting PC 22 by the flow of steps S220 to S225 described above.

In this communication packet, the packet type is "IP", the IP address "192.168.10.2" given to the transmission / reception unit 130a is used as the source IP address, and the port number "80" indicating HTTP is used as the source port number. It is specified. Further, in the communication packet, the source IP address "169.254.0.2" of the communication packet received in step S225 is designated as the destination IP address, and the port number "50382" is designated as the destination port number. The Web server unit 122 generates these source IP addresses and port numbers, as well as destination IP addresses and port numbers, for example, based on the header information of the communication packet received in step S225 described above.

Each information including the source IP address and port number, the destination IP address and port number, and the type is embedded in the header of the communication packet to be processed.

The Web server 122 passes the communication packet for transmission to the initial setting PC 22 described above to the transmission / reception unit 130a (step S230). The transmission / reception unit 130a transfers the passed communication packet to the communication control unit 131a without changing the content. In this communication packet, the source IP address and port number are "192.168.10.2:80", and the destination IP address and port number are "169.254.0.2:50382".

When the communication control unit 131a receives the communication packet, the communication control unit 131a receives the communication packet, the input port into which the communication packet is input, the type included in the header of the communication packet, the source IP address and port number, and the destination IP address and port number. Get each information including and. The communication control unit 131a refers to the packet processing table shown in Table 6 based on each acquired information, and determines whether or not there is an entry matching each acquired information.

In this example, the communication control unit 131a determines that the entry of the serial number “1” in Table 6 matches each information acquired from the communication packet. According to this determination result, the communication control unit 131a executes the process described in the item "process" of the entry, converts the source IP address into the IP address "169.254.0.1" which is the internal address, and sets the communication packet. Instruct the output. Further, the communication control unit 131a does not change the source and destination port numbers in accordance with the description of the item “processing”. The header of the communication packet to be processed is rewritten by each information including the source IP address and port number, the destination IP address and port number, and the type.

This communication packet is transferred from the communication control unit 131a to the bridge unit 132 according to the output instruction and the destination IP address (step S232). In this communication packet, the source IP address and port number are "169.254.0.1:80", and the destination IP address and port number are "169.254.0.2:50382".

When the bridge unit 132 receives the communication packet, the bridge unit 132 receives the input port into which the communication packet is input, the type included in the header of the communication packet, the source IP address and port number, and the destination IP address and port number. Get each information including. The bridge unit 132 refers to the packet processing table shown in Table 8 and determines whether or not there is an entry that matches each acquired information.

In the example of Table 8, since the source and destination are arbitrary (ANY) in each entry, in the bridge unit 132, the entry with the serial number “1” matches the communication packet based on the input port and the packet type. Then it is determined. The bridge unit 132 executes the process described in the item “process” of the entry and instructs the output of the communication packet. Further, the bridge unit 132 does not change each information (source and destination IP addresses and port numbers) included in the header of the communication packet.

This communication packet is transferred from the bridge unit 132 to the communication control unit 131b according to the output instruction and the destination IP address (step S233). In this communication packet, the source IP address and port number are "169.254.0.1:80", which is the same as in step S232, and the destination IP address and port number are "169.254.0.2:50382".

When the communication control unit 131b receives the communication packet, the communication control unit 131b determines the input port into which the communication packet is input, the source IP address and port number included in the header of the communication packet, and the destination IP address and port number. Get each information including. The communication control unit 131b refers to the packet processing table shown in Table 7 and determines whether or not there is an entry that matches each acquired information.

In this example, the communication control unit 131b determines that the entry of the serial number “2” in Table 7 matches each information acquired from the communication packet. The communication control unit 131b executes the process described in the item "process" of the entry according to the determination result, and sets the source IP address and the destination IP address to the IP addresses "192.168.254.254" and "192.168.254.2", respectively. , And indicates the output of the communication packet. Further, the communication control unit 131b does not change the source and destination port numbers in accordance with the description of the item “processing”. The header of the communication packet to be processed is rewritten by each information including the source IP address and port number, the destination IP address and port number, and the type.

This communication packet is transferred from the communication control unit 131b to the transmission / reception unit 130b according to the output instruction and the destination IP address (step S234). In this communication packet, the source IP address and port number are "192.168.254.254:80", and the destination IP address and port number are "192.168.254.2:50382".

The transmission / reception unit 130b forwards the received communication packet to the initial setting PC 22 without changing the content (step S235). As a result, the communication packet sent from the Web server unit 122 is received by the initial setting PC 22.

(Initialization process according to the first embodiment)
Next, the authentication information initialization process performed from the initial setting PC 22 according to the first embodiment will be described. As described above, this initialization process is performed by directly connecting the initial setting PC 22 to the transmission / reception unit 130b (communication I / F 1005b) via a cable or network 14.

FIG. 11 is a sequence diagram of an example showing a communication process performed between the initial setting PC 22 and the communication control device 10 according to the first embodiment. In FIG. 11, the same reference numerals are given to the parts common to those in FIGS. 4 and 8 described above, and detailed description thereof will be omitted.

In FIG. 11, in step S100, the user activates the browser on the initial setting PC 22, and causes the browser unit 220 to access the URL “http://192.168” for accessing the initialization screen for initializing the authentication information. Specify ".254.254 / rescue". Here, it is assumed that the URL is preset in the communication control device 10 and notified to the user.

The browser unit 220 transmits the designated URL to the communication control device 10, and requests the communication control device 10 for an initialization screen for initializing the authentication information (step S110). For example, in the initial setting PC 22, the control unit 221 receives the source IP address and port number described in step S220 of FIG. 10, the destination IP address and port number, and the browser according to the designation of the URL for the browser unit 220. A communication packet including the URL specified in the unit 220 in the header is generated, and the generated communication packet is transmitted to the communication control device 10 by the communication unit 222.

Here, the initial setting PC 22 is directly connected to the communication control device 10 by a cable or a network 14. Therefore, since the users who can operate the initial setting PC 22 can be limited, it is not necessary to input the authentication information as in the case of connecting to the communication control device 10 from the administrator PC 21.

This communication packet transmitted from the initial setting PC 22 is received by the communication I / F 1005b, that is, the transmission / reception unit 130b in the communication control device 10. The communication packet received by the transmission / reception unit 130b is transferred to the Web server unit 122 according to the flow shown in steps S220 to S225 of FIG. The Web server unit 122 sets display control information (for example, an HTML file) for displaying the initialization screen according to the URL included in the communication packet and according to the flow shown in steps S230 to 235 of FIG. (Step S111). This display control information is received by the initial setting PC 22 and passed to the browser unit 220.

The browser unit 220 displays the initialization screen on the display of the initial setting PC 22 according to the passed display control information (step S112). FIG. 12 shows an example of an initialization screen according to the first embodiment. In FIG. 12, the initialization screen 70a includes a URL display input area 700 and buttons 701, 702, and 703. In the URL display input area 700, the URL currently being accessed is displayed. Further, by inputting a URL in the URL display input area 700, the input URL can be accessed.

Buttons 701 and 702 are buttons for instructing the initialization of the authentication information, respectively. In the example of FIG. 12, the button 701 is a button for instructing the initialization of the password in the authentication information. The button 702 is a button for initializing the certificate information for the Web server unit 122 among the authentication information. The button 703 is a button for closing the initialization screen 70a.

In FIG. 11, step S120 shows an example of processing when the button 701 is operated and the password initialization is instructed. Further, step S130 shows a process when the button 702 is operated and the certificate information is initialized. The operation of the button 701 and the operation of the button 702 may be executed respectively, or either one may be executed.

First, the case where the button 701 in step S120 is operated will be described. When the button 701 is specified by the user operation in the initial setting PC 22 (step S1200), a communication packet including an HTTP message including a password initialization instruction is transmitted from the initial setting PC 22 toward the communication control device 10. (Step S1201). This communication packet is received by the transmission / reception unit 130b of the communication control device 10 and is transferred to the Web server unit 122 according to the packet flow of steps S220 to S225 of FIG.

The Web server unit 122 extracts an instruction for initializing the password from the HTTP message included in the communication packet, and executes the password initialization process according to the extracted instruction (step S1202). For example, the Web server unit 122 overwrites the password currently stored in the password storage unit 1220 by the setting unit 1222 with a password preset as a default value.

When the password initialization is completed, the Web server unit 122 transmits a communication packet including an HTTP status including a completion notification indicating the completion of the password initialization to the initial setting PC 22 (step S1203). This communication packet is transferred from the Web server unit 122 to the transmission / reception unit 130b in the communication control device 10 according to the packet flow described in steps S230 to S235 of FIG. 10, and is transmitted from the transmission / reception unit 130b to the initial setting PC 22. The initial setting PC 22 passes the received communication packet to the browser unit 220.

In response to the completion notification included in the passed communication packet, the browser unit 220 displays a completion message 7010 (indicating that the password initialization is completed) on the initialization screen 70a, as illustrated in FIG. In this example, "Done!") Is displayed in the vicinity of, for example, the button 701 (step S1204). The browser unit 220 can delete the completion message 7010 from the initialization screen 70a after a lapse of a predetermined time from the display (step S1205). In FIG. 13, the same reference numerals are given to the parts common to those in FIG. 12 described above, and detailed description thereof will be omitted.

Next, the case where the button 702 in step S130 is operated will be described. The process in step S130 corresponds to the process in step S120 described above.

When the button 702 is specified by the user operation on the initial setting PC 22 (step S1300), a communication packet including an HTTP message including an instruction for initializing the certificate information is directed from the initial setting PC 22 to the communication control device 10. It is transmitted (step S1301). This communication packet is received by the transmission / reception unit 130b of the communication control device 10 and is transferred to the Web server unit 122 according to the packet flow of steps S220 to S225 of FIG.

The Web server unit 122 extracts an instruction for initializing the certificate information from the HTTP message included in the communication packet, and executes the initialization process of the certificate information according to the extracted instruction (step S1302). For example, the Web server unit 122 overwrites the certificate information currently stored in the certificate information storage unit 1221 by the setting unit 1222 with the certificate information preset as a default value.

When the initialization of the certificate information is completed, the Web server unit 122 transmits a communication packet including an HTTP status including a completion notification indicating the completion of the initialization of the certificate information to the initial setting PC 22 (step S1303). This communication packet is transferred from the Web server unit 122 to the transmission / reception unit 130b in the communication control device 10 according to the packet flow described in steps S230 to S235 of FIG. 10, and is transmitted from the transmission / reception unit 130b to the initial setting PC 22. The initial setting PC 22 passes the received communication packet to the browser unit 220.

In response to the completion notification included in the passed communication packet, the browser unit 220 sends a completion message indicating that the initialization of the certificate information is completed to the initialization screen 70a in the same manner as in FIG. For example, it is displayed in the vicinity of the button 702 (step S1304). The browser unit 220 can delete this completion message from the initialization screen 70a after a lapse of a predetermined time from the display (step S1305).

After initializing the authentication information as described above, the user (for example, the administrator) communicates with the communication control device 10 using the administrator PC 21, and informs the Web server unit 122 of the authentication information of the default value. Authentication can be requested using. As a result, the management setting screen presented by the Web server unit 122 can be displayed on the administrator PC 21, and the communication control device 10 can be managed and set.

As described above, according to the first embodiment, the initial setting PC 22 is directly connected to the communication control device 10 by a cable or a network 14. Therefore, since the users who can operate the initial setting PC 22 are limited, it is not necessary to input the authentication information as in the case of connecting to the communication control device 10 from the administrator PC 21, and the external device for the communication control device 10 does not need to input the authentication information. Can be set more easily.

Further, the network to which the initial setting PC 22 is connected to the communication control device 10 is separated inside the communication control device 10 from the network to which the administrator PC 21 and the like are connected. Therefore, an IP address or the like is generated between the communication port (initial setting port) when the initial setting PC 22 is connected to the communication control device 10 and the communication port (main port) to which the administrator PC or the like is connected. Even if it occurs, the initial setting PC 22 can normally communicate with the communication control device 10.

Further, the initial setting port (transmission / reception unit 130b) to which the initial setting PC 22 is connected to the communication control device 10 has a routing table set so as not to transmit a communication packet to a network address different from itself. Therefore, when the initial setting PC 22 is connected to the initial setting port via a router, for example, communication between the initial setting PC 22 and the communication control device 10 becomes impossible, and security is enhanced with a simple configuration. be able to.

(First modification of the first embodiment)
Next, a first modification of the first embodiment will be described. In the first modification of the first embodiment, the initialization process is started after the Web server unit 122 starts the initialization process in response to the instruction of the authentication information initialization process transmitted from the initialization PC 22. The access from the outside of the communication control device 10 to the main port, that is, the transmission / reception unit 130a is invalidated until the above is completed.

FIG. 14 is a sequence diagram of an example showing a communication process performed between the initial setting PC 22 and the communication control device 10 according to the first modification of the first embodiment. In FIG. 14, the same reference numerals are given to the parts common to those in FIGS. 4, 8 and 11 described above, and detailed description thereof will be omitted.

In FIG. 14, in step S100, the user (for example, the administrator) starts the browser on the initial setting PC 22, and causes the browser unit 220 to access the initialization screen for initializing the authentication information. Specify "http://192.168.254.254/rescue".

The browser unit 220 transmits the designated URL to the communication control device 10, and requests the communication control device 10 for an initialization screen for initializing the authentication information. The communication packet including the URL and the request is received by the transmission / reception unit 130b in the communication control device 10 (step S110a), and is transferred to the Web server unit 122 according to the flow shown in steps S220 to S225 of FIG. 10 (step S110b). ).

The Web server unit 122 follows the display control information (for example, HTML) for displaying the initialization screen according to the URL included in the communication packet transferred from the transmission / reception unit 130b and according to the flow shown in steps S230 to S235 of FIG. The communication packet including the file) is transferred to the transmission / reception unit 130b (step S111a). The transmission / reception unit 130b transmits the transferred communication packet including the display control information to the initial setting PC 22 (step S111b). The communication packet including the display control information is received by the initial setting PC 22 and passed to the browser unit 220. The browser unit 220 displays the initialization screen 70a shown in FIG. 12 on the display of the initial setting PC 22 according to the display control information included in the passed communication packet (step S112).

The user operates the buttons 701 and 702 provided on the initialization screen 70a to instruct the initialization of the password and the certificate information. The password initialization process corresponding to the operation of the button 701 and the certificate information initialization process corresponding to the operation of the button 702 are subject to initialization as described in steps S120 and S130 in FIG. It is a common process except that they are different. In FIG. 14, in order to avoid complication, the password initialization process or the certificate information initialization process executed by operating the button 701 or 702 is collectively shown by step S140. That is, when the button 701 is operated and the password initialization is instructed, the password initialization process is executed in step S140. In step S140, the certificate information initialization process is executed. The operation of the button 701 and the operation of the button 702 may be executed respectively, or either one may be executed.

When the button 701 or 702 of the initialization screen 70a is specified by the user operation on the initial setting PC22 (step S1400), a communication packet including an HTTP message including an instruction for initializing the password or certificate information is used for the initial setting. It is transmitted from the PC 22 toward the communication control device 10 (step S1401). This communication packet is received by the transmission / reception unit 130b of the communication control device 10 and transferred to the Web server unit 122 according to the packet flow of steps S220 to S225 of FIG. 10 (step S1402).

In the following, unless otherwise specified, the "password or certificate information initialization process" will be collectively described as the "authentication information initialization process".

When the Web server unit 122 receives the communication packet including the instruction for the initialization processing of the authentication information from the transmission / reception unit 130b, the Web server unit 122 instructs the main port, that is, the transmission / reception unit 130a, to invalidate the access from the outside of the communication control device 10. Is issued (step S1403).

Further, when the Web server unit 122 receives the communication packet including the HTTP message including the initialization instruction of the authentication information from the transmission / reception unit 130b, the Web server unit 122 generates a communication packet including the HTTP status including the processing notification indicating that the initialization processing is in progress. , This communication packet is transmitted to the initial setting PC 22. This communication packet is transferred from the Web server unit 122 to the transmission / reception unit 130b (step S1404) according to the packet flow described in steps S230 to S235 of FIG. 10 in the communication control device 10, and is transferred from the transmission / reception unit 130b to the initial setting PC 22. It is transmitted (step S1405). The initial setting PC 22 passes the received communication packet to the browser unit 220.

The browser unit 220 displays, for example, a message indicating that initialization processing is in progress (for example, “Processing…”) on the initialization screen 70a in response to the processing notification included in the passed communication packet (step S1406). ).

On the other hand, the Web server unit 122 extracts an instruction for initialization processing from the communication packet passed from the transmission / reception unit 130b in step S1402, and executes the initialization processing according to the extracted instruction (step S1407). When the initialization process is completed, the Web server unit 122 issues an instruction to the main port, that is, the transmission / reception unit 130a, to enable access from the outside of the communication control device 10 (step S1408).

For example, when the instruction for the initialization process is the instruction for the password initialization process, the Web server unit 122 uses the password currently stored in the password storage unit 1220 by the setting unit 1222 as a default value in advance. Overwrite with the set password. Similarly, when the instruction of the initialization process is the instruction of the initialization process of the certificate information, the Web server unit 122 has the certificate currently stored in the certificate information storage unit 1221 by the setting unit 1222. Overwrite the information with the certificate information preset as the default value.

When the initialization of the authentication information is completed, the Web server unit 122 transmits a communication packet including an HTTP status including a completion notification indicating the completion of the initialization of the authentication information to the initial setting PC 22. This communication packet is transferred from the Web server unit 122 to the transmission / reception unit 130b (step S1409) according to the packet flow described in steps S230 to S235 of FIG. 10 in the communication control device 10, and is transferred from the transmission / reception unit 130b to the initial setting PC 22. It is transmitted (step S1410). The initial setting PC 22 passes the received communication packet to the browser unit 220.

The browser unit 220 displays a completion message 7010 indicating that the initialization process of the authentication information is completed on the initialization screen 70a in response to the completion notification included in the passed communication packet (step S1410). The browser unit 220 can delete the completion message 7010 from the initialization screen 70a after a lapse of a predetermined time from the display (step S1411).

As described above, in the first modification of the first embodiment, the initialization process is completed in the initial setting PC 22 from the time when the initial setting PC 22 accesses the Web server unit 122 for initializing the authentication information. Until the notification is transmitted, the access from the outside of the communication control device 10 to the main port, that is, the transmission / reception unit 130a is invalidated. Therefore, malfunctions caused by access to the main port from the outside of the communication control device 10 are prevented, and convenience for users and administrators who use the network is improved.

(Second variant of the first embodiment)
Next, a second modification of the first embodiment will be described. In the second modification of the first embodiment, similarly to the first modification described above, the Web server unit 122 performs initialization processing in response to the initialization instruction of the authentication information transmitted from the initialization PC 22. From the time when the operation is started, the access from the outside of the communication control device 10 to the main port, that is, the transmission / reception unit 130a is invalidated. Further, in this second modification, when the initialization process is not completed until a predetermined time elapses from that time point, the access from the outside of the communication control device 10 to the transmission / reception unit 130a is enabled and the initial setting is performed. For example, an error notification is transmitted to the PC 22.

FIG. 15 is a functional block diagram of an example for explaining the function of the communication control device 10'applicable to the second modification of the first embodiment. In the communication control device 10'shown in FIG. 15, a timer unit 124 is added to the communication control device 10 shown in FIG. The timer unit 124 starts timing according to the instruction from the Web server unit 122, and passes the time information indicating the posted time to the Web server unit 122.

FIG. 16 is a sequence diagram of an example showing a communication process performed between the initial setting PC 22 and the communication control device 10'related to the second modification of the first embodiment. In FIG. 16, the same reference numerals are given to the portions common to FIGS. 8, 11 and 15 described above, and detailed description thereof will be omitted.

In FIG. 16, in step S100, the user (for example, the administrator) activates the browser on the initial setting PC 22, and causes the browser unit 220 to access the URL for accessing the initialization screen for initializing the authentication information. Specify "http://192.168.254.254/rescue".

The browser unit 220 transmits the designated URL to the communication control device 10', and requests the communication control device 10'for an initialization screen for initializing the authentication information. The communication packet including the URL and the request is received by the transmission / reception unit 130b in the communication control device 10'(step S110a), and is transferred to the Web server unit 122 according to the flow shown in steps S220 to S225 of FIG. 10 (step S110a). S110b).

The Web server unit 122 provides display control information for displaying the initialization screen according to the URL included in the communication packet transferred from the transmission / reception unit 130b in step S110b, and according to the flow shown in steps S230 to S235 of FIG. The including communication packet is transferred to the transmission / reception unit 130b (step S111a). The transmission / reception unit 130b transmits the transferred communication packet including the display control information to the initial setting PC 22 (step S111b). The communication packet including the display control information is received by the initial setting PC 22 and passed to the browser unit 220. The browser unit 220 displays the initialization screen 70a shown in FIG. 12 on the display of the initial setting PC 22 according to the display control information included in the passed communication packet (step S112).

When the button 701 or 702 of the initialization screen 70a is specified by the user operation in the initial setting PC 22 (step S1500), a communication packet including an HTTP message including an authentication information initialization instruction is controlled from the initial setting PC 22. It is transmitted to the device 10 (step S1501). This communication packet is received by the transmission / reception unit 130b of the communication control device 10 and transferred to the Web server unit 122 according to the packet flow of steps S220 to S225 of FIG. 10 (step S1502).

When the Web server unit 122 receives the communication packet including the HTTP message including the authentication information initialization instruction from the transmission / reception unit 130b in step S1502, the Web server unit 122 instructs the timer unit 124 to initialize and start timing (step S1503). ). In response to this instruction, the timer unit 124 initializes the time counting time to "0" and starts the time counting from this time "0". It is assumed that the timer unit 124 is preset with information indicating a time t having a predetermined length.

After the instruction to the timer unit 124 in step S1503, the Web server unit 122 issues an instruction to invalidate the access from the outside of the communication control device 10 to the main port, that is, the transmission / reception unit 130a (step S1504).

Further, when the Web server unit 122 receives the communication packet including the HTTP message including the initialization instruction of the authentication information from the transmission / reception unit 130b, the Web server unit 122 generates a communication packet including the HTTP status including the processing notification indicating that the initialization processing is in progress. , This communication packet is transmitted to the initial setting PC 22. This communication packet is transferred from the Web server unit 122 to the transmission / reception unit 130b (step S1505) according to the packet flow described in steps S230 to S235 of FIG. 10 in the communication control device 10, and is transferred from the transmission / reception unit 130b to the initial setting PC 22. It is transmitted (step S1506). The initial setting PC 22 passes the received communication packet to the browser unit 220.

The browser unit 220 displays, for example, a message (for example, "Processing ...") indicating that the initialization process is in progress on the initialization screen 70a in response to the processing notification included in the passed communication packet (step S1507). ).

On the other hand, the Web server unit 122 takes out the initialization processing instruction from the communication packet passed from the transmission / reception unit 130b in step S1502, and executes the authentication information initialization processing according to the taken out instruction (step S1508).

For example, when the instruction for the initialization process is the instruction for the password initialization process, the Web server unit 122 uses the password currently stored in the password storage unit 1220 by the setting unit 1222 as a default value in advance. Overwrite with the set password. Similarly, when the instruction of the initialization process is the instruction of the initialization process of the certificate information, the Web server unit 122 has the certificate currently stored in the certificate information storage unit 1221 by the setting unit 1222. Overwrite the information with the certificate information preset as the default value.

When the predetermined time t has elapsed since the time counting was started in step S1503, the timer unit 124 notifies the Web server unit 122 that the predetermined time has elapsed (step S1509).

Here, it is assumed that the authentication information initialization process started in step S1508 is not completed within the above-mentioned time t. In this case, the Web server unit 122 executes an error process (for example, forcibly stopping the initialization process) for the initialization process, assuming that some abnormality has occurred in the authentication information initialization process (step S1510). The Web server unit 122 further issues an instruction to the transmission / reception unit 130a to enable access from the outside of the communication control device 10'(step S1511). Further, the Web server unit 122 transmits a notification packet including an HTTP message including a warning notification warning that the initialization process could not be completed to the initial setting PC 22 via the transmission / reception unit 130b (step S1512, step). S1513).

In the initial setting PC 22, the browser unit 220 displays a screen corresponding to the warning notification included in the passed communication packet on the display of the initial setting PC 22 (step S1514).

If the initialization process of the authentication information is completed before the time t elapses after the time measurement by the timer unit 124 is started in step S1503, the Web server unit 122 cancels the time measurement by the timer unit 124. , Enables access from the outside of the communication control device 10'to the transmission / reception unit 130a. Further, the Web server unit 122 transmits a completion notification indicating that the initialization is completed to the initial setting PC 22.

As described above, in the second modification of the first embodiment, the Web server unit 122 is the main port, that is, the transmission / reception unit when the initial setting PC 22 accesses the Web server unit 122 for initializing the authentication information. The access from the outside of the communication control device 10'to 130a is invalidated. After that, the Web server unit 122 enables access to the transmission / reception unit 130a from the outside of the communication control device 10'when there is no instruction from the initial setting PC 22 during the elapse of a predetermined time.

Therefore, for example, even if the user who operates the initial setting PC 22 is away from the initial setting PC 22 for a long time while displaying the initialization screen 70a, the outside of the communication control device 10'with respect to the transmission / reception unit 130a Access from is automatically enabled, and the convenience of the communication control device 10'is improved.

(Third variant of the first embodiment)
Next, a third modification of the first embodiment will be described. A third modification of the first embodiment relates to processing in the Web server unit 122 when an incorrect URL is specified when accessing the Web server unit 122 of the communication control device 10 from the initial setting PC 22.

As an example, the Web server unit 122 preliminarily states that the communication packet transferred from the transmission / reception unit 130b with the destination IP address as "192.168.254.154" relates to the access to the initialization screen 70a described with reference to FIG. It is assumed that it has been set. Further, it is assumed that the URL of the initialization screen 70a described with reference to FIG. 12 is "http://192.168.254.254/rescue" and the IP address of the initial setting PC22 is "192.168.254.2", and the Web server. The unit 122 accepts only the access to this URL "http://192.168.254.254/rescue" for the access to the transmission / reception unit 130b whose source IP address is "192.168.254.2".

Here, in the initial setting PC 22, an incorrect URL such as a URL "http://192.168.254.254/" is specified for the browser unit 220, and the Web server unit 122 is accessed according to the incorrect URL. It is assumed that it has been broken. In this case, the Web server unit 122 guides the access from the initial setting PC 22 by the incorrect URL "http://192.168.254.254/" to the correct URL "http://192.168.254.254/rescue".

For example, the Web server unit 122 presents the guidance screen 70b as shown in FIG. 17A on the initial setting PC 22. In FIG. 17A, a message 711 indicating that the user is guided to the correct initialization screen 70a is displayed.

That is, the Web server unit 122 is preset so that the communication packet transferred from the transmission / reception unit 130b with the destination IP address as "192.168.254.254" is an access to the URL "http://192.168.254.254/rescue". ing. Therefore, even if an incorrect URL is specified, it is possible to guide to the correct URL "http://192.168.254.254/rescue".

After the guidance, as illustrated in FIG. 17B, an initialization screen 70a equivalent to that in FIG. 12 described above is displayed on the initial setting PC 22. By operating the button 701 or the button 702 on the initialization screen 70a after the guidance, the user can execute the processes of steps S120 and S130 in FIG. 11 described above, and can execute the initialization of the authentication information.

In FIGS. 17 (a) and 17 (b), the same reference numerals are given to the parts common to those in FIG. 12 described above, and detailed description thereof will be omitted.

As described above, according to the third modification of the first embodiment, even if the user forgets the URL for displaying the initialization screen 70a, the correct initialization screen 70a is displayed. This makes it possible to improve the convenience of users and administrators who use the network.

(Fourth modification of the first embodiment)
Next, a fourth modification of the first embodiment will be described. A fourth modification of the first embodiment relates to processing in the Web server unit 122 when an erroneous URL is specified when accessing the Web server unit 122 from the transmission / reception unit 130a.

As an example, when a URL other than the URL to be specified for the Web server unit 122 from the administrator PC 21 (for example, the URL of the management setting screen of the communication control device 10) is specified in the administrator PC 21, the Web server unit 122 presents to the administrator PC 21 a proposal screen that proposes access to the initialization screen 70a.

FIG. 18 shows an example of a proposal screen according to a fourth modification of the first embodiment. In FIG. 18, the same reference numerals are given to the parts common to those in FIG. 12 described above, and detailed description thereof will be omitted. In the example of FIG. 18, the proposal screen 70c displays a message 730 including the fact that an incorrect URL is specified and the suggestion of the user's next action in response to the specified URL.

More specifically, in the example of FIG. 18, the message 730 includes a message indicating that an incorrect URL has been specified and a message prompting the user to confirm whether or not he / she wants to access the initialization screen 70a. Including. Further, the message 730 connects the administrator PC 21 to another port of the communication control device 10 (for example, the transmission / reception unit 130b) and tries to access the same URL again, and tries to access the URL 730a of the initialization screen 70a. Includes a message suggesting that.

As described above, according to the fourth modification of the first embodiment, when the user attempts to access the incorrect URL from the administrator PC 21, the proposal screen 70c that proposes the next action of the user is presented. Therefore, the convenience of users and administrators who use the network is improved.

(Second Embodiment)
Next, the second embodiment will be described. In the first embodiment described above, the IP address of the gateway is not set in the routing table stored in the transmission / reception unit 130b to which the initial setting PC 22 is connected. On the other hand, in the second embodiment, the IP address of the gateway is set in the routing table stored in the transmission / reception unit 130b.

Table 9 shows an example of a routing table stored in the transmission / reception unit 130b, which is applicable to the second embodiment. In Table 9, in the routing table, the IP address "0.0.0.0/0" including the netmask is set as the destination IP address, and the IP address "198.168.168" of the gateway is set to this IP address "0.0.0.0/0". .254.1 "is associated.

Here, as shown in FIG. 19, consider a configuration in which the initial setting PC 22 is connected to the transmission / reception unit 130b via the router 15. Note that FIG. 19 shows an example in which the router 15 is connected between the transmission / reception unit 130b and the initial setting PC 22 with respect to the configuration of FIG. 2 described above, and the same reference numerals are given to the parts common to FIG. 2 described above. The detailed description will be omitted.

In the example of FIG. 19, it is assumed that the network address "192.168.254.0/24" is set in the network to which the router 15 and the transmission / reception unit 130b are connected, and the cable or network 14 between the initial setting PC 22 and the router 15 constitutes the network. Then, the network address "192.168.30.0/24" is assigned to this network. Further, it is assumed that the IP address "192.168.30.2/24" is manually set as a fixed value in the initial setting PC22.

Further, the IP address "192.168.254.1" set as the gateway in Table 9 is set as the IP address of the connection unit on the transmission / reception unit 130b side of the router 15.

In such a configuration, by storing the routing table shown in Table 9 in the transmission / reception unit 130b, bidirectional communication can be performed between the initial setting PC 22 and the transmission / reception unit 130b via the router 15. Therefore, the initial setting PC 22 accesses the Web server unit 122 in the communication control device 10 to display the initialization screen 70a even when the transmission / reception unit 130b is connected to the network beyond the router 15. It can be displayed.

It should be noted that each of the above-described embodiments is an example of a preferred embodiment of the present invention, but is not limited thereto, and can be implemented by various modifications without departing from the gist of the present invention.

1 Communication system 10, 10'Communication control device 11, 13 Network 12, 15 Router 14 Cable or network 21 Administrator's PC
22 Initial setting PC
70a Initialization screen 70b Guidance screen 70c Proposal screen 100, 131a, 131b Communication control unit 101 Web server 122 Web server unit 130a, 130b Transmission / reception unit 132 Bridge unit 220 Browser unit 700 URL display Input area 701, 702, 703 Button 1220 Password storage Department 1221 Certificate information storage unit

Japanese Unexamined Patent Publication No. 2015-084515

Claims (10)

A first connection that connects to the first network using a configurable first address,
A second connection portion that connects to a second network that is not connected to the first network by using a fixed second address, and
A relay unit that relays transmission / reception between the first connection unit and the second connection unit,
With a first communication control unit that converts the first address and the internal address to each other and controls transmission / reception to / from the first connection unit via the relay unit so as to use the internal address. ,
A second communication control unit that converts the second address and the internal address to each other and controls transmission / reception to / from the second connection unit via the relay unit so as to be performed using the internal address. When,
To display the initialization screen in response to a request for an initialization screen for initializing the authentication information transmitted from the second connection unit and passed from the first connection unit via the relay unit. When the display control information of is output and the input information including the initialization of the authentication information corresponding to the display control information is received , the initialization process for initializing the authentication information is executed according to the input information. Equipped with a processing execution unit
The second connection portion
A communication control device including a table in which an address of an intermediary device that mediates communication with the second network can be set as a destination. The communication control device according to claim 1, wherein nothing is set in the table as an address of the mediator. Further, a storage unit for storing authentication information for authenticating that the setting for the first communication control unit can be executed is provided.
The processing execution unit
The communication control device according to claim 1 or 2, wherein the process of initializing the authentication information is executed according to the input information. The processing execution unit
The third aspect of claim 3 is to further execute the process of invalidating access to the first connection portion at least while the initialization process is being executed in response to the initialization instruction based on the input information. Communication control device. The processing execution unit
The access to the first connection portion is invalidated in response to the initialization instruction based on the input information, and then the access is enabled when the initialization is not completed until a predetermined time has elapsed. The communication control device according to claim 3 or 4. The processing execution unit
When the position information for designating the display control information for displaying the screen for performing the initialization included in the request passed from the first connection unit is invalid, the correct position information is presented. The communication control device according to any one of claims 3 to 5. The first communication control unit is
Communication control information is generated according to the instruction, and the generated communication control information is transferred to a transfer device that controls communication between the first network and the terminal device via the first network. The communication control device according to any one of claims 1 to 6, which includes a transfer device control unit. The transfer device control unit
The communication control device according to claim 7, wherein the communication control information is generated according to an instruction from the processing execution unit. A communication control program that allows a computer to execute a communication control method.
The communication control method is
A first connection step of connecting to a first network using a configurable first address by a first connection.
A second connection step of connecting to a second network that is not connected to the first network by using a fixed second address by the second connection.
A relay step that relays transmission / reception between the first connection portion and the second connection portion,
A first communication control step that converts the first address and the internal address to each other and controls transmission / reception to the first connection portion via the relay step so as to be performed using the internal address. ,
A second communication control step in which the second address and the internal address are mutually converted to control transmission / reception to the second connection portion via the relay step so as to be performed using the internal address. When,
To display the initialization screen in response to a request for an initialization screen for initializing the authentication information transmitted from the second connection unit and passed from the first connection unit via the relay step. When the display control information of is output and the input information including the initialization of the authentication information corresponding to the display control information is received , the initialization process for initializing the authentication information is executed according to the input information. Has a process execution step to
The second connection step is
A communication control program that connects to the second network by using a table in which the address of an intermediary device that mediates communication with the second network can be set as a destination. It is a communication control method in a communication control device.
A first connection step of connecting to a first network using a configurable first address by a first connection.
A second connection step of connecting to a second network that is not connected to the first network by using a fixed second address by the second connection.
A relay step that relays transmission / reception between the first connection portion and the second connection portion,
A first communication control step that converts the first address and the internal address to each other and controls transmission / reception to the first connection portion via the relay step so as to be performed using the internal address. ,
A second communication control step in which the second address and the internal address are mutually converted to control transmission / reception to the second connection portion via the relay step so as to be performed using the internal address. When,
To display the initialization screen in response to a request for an initialization screen for initializing the authentication information transmitted from the second connection unit and passed from the first connection unit via the relay step. When the display control information of is output and the input information including the initialization of the authentication information corresponding to the display control information is received , the initialization process for initializing the authentication information is executed according to the input information. Has a process execution step to
The second connection step is
A communication control method for connecting to the second network by using a table in which the address of an intermediary device that mediates communication with the second network can be set as a destination.

Images