Advance Multimedia Internet Technology ISL500001 IIoT 4G User Manual UM IDG500 IOG500

Document ID: 3954340
Application ID: qNUspuGNAZO6uewQz0wLSQ==
Document Description: Users Manual-2.pdf
Short Term Confidential: No
Permanent Confidential: No
Supercede: No
Document Type: User Manual
Display Format: Adobe Acrobat PDF - pdf
Filesize: 295.82kB (3697766 bits)
Date Submitted: 2018-08-07 00:00:00
Date Available: 2018-08-07 00:00:00
Creation Date: 2018-08-01 10:02:49
Producing Software: Acrobat Distiller 11.0 (Windows)
Document Lastmod: 2018-08-01 10:03:00
Document Title: Microsoft Word - UM_IDG500-IOG500
Document Creator: PScript5.dll Version 5.2.2
Document Author: amit_jesee

M2M Cellular Gateway
Chapter 3 Object Definition
3.1 Scheduling
Scheduling lets you add and delete time schedule rules, which can then be applied to other functions.
3.1.1 Scheduling Configuration
Go to Object Definition > Scheduling > Configuration tab.
Button description
Item | Value setting | Description
Add | N/A | Click the Add button to configure a time schedule rule.
Delete | N/A | Click the Delete button to delete the selected rule(s).
When the Add button is clicked, the Time Schedule Configuration and Time Period Definition screens will appear.
Time Schedule Configuration
Item | Value setting | Description
Rule Name | String: any text | Set the rule name.
Rule Policy | Default Inactivate | Inactivate or activate the function this rule is applied to during the time period below.
Time Period Definition
Item | Value setting | Description
Week Day | Select from menu | Select every day or one day of the week.
Start Time | Time format (hh:mm) | Start time on the selected weekday.
End Time | Time format (hh:mm) | End time on the selected weekday.
Save | N/A | Click Save to save the settings.
Undo | N/A | Click Undo to cancel the settings.
Refresh | N/A | Click the Refresh button to refresh the time schedule list.
3.2 User (not supported)
This feature is not supported on the purchased product; leave it blank.
3.3 Grouping (not supported)
This feature is not supported on the purchased product; leave it blank.
3.4 External Server
Go to Object Definition > External Server > External Server tab.
The External Server setting allows the user to add external servers.
Create External Server
When the Add button is clicked, the External Server Configuration screen will appear.
External Server Configuration
Item | Value setting | Description
Server Name | 1. String format can be any text 2. A Must filled setting | Enter a server name. Enter a name that is easy for you to understand.
Server Type | A Must filled setting | Specify the Server Type of the external server, and enter the required settings for accessing the server.
  Email Server (A Must filled setting): When Email Server is selected, User Name and Password are also required.
    User Name (String format: any text)
    Password (String format: any text)
  RADIUS Server (A Must filled setting): When RADIUS Server is selected, the following settings are also required.
    Primary:
      Shared Key (String format: any text)
      Authentication Protocol (By default CHAP is selected)
      Session Timeout (By default 1). The values must be between 1 and 60.
      Idle Timeout (By default 1). The values must be between 1 and 15.
    Secondary:
      Shared Key (String format: any text)
      Authentication Protocol (By default CHAP is selected)
      Session Timeout (By default 1). The values must be between 1 and 60.
      Idle Timeout (By default 1). The values must be between 1 and 15.
  FTP(SFTP) Server (A Must filled setting): When FTP(SFTP) Server is selected, the following settings are also required.
    User Name (String format: any text)
    Password (String format: any text)
    Protocol (Select FTP or SFTP)
    Encryption (Select Plain, Explicit FTPS or Implicit FTPS)
    Transfer mode (Select Passive or Active)
Server IP/FQDN | A Must filled setting | Specify the IP address or FQDN used for the external server.
Server Port | A Must filled setting | Specify the Port used for the external server. If you selected a certain server type, the default server port number will be set.
  For Email Server, port 25 will be set by default;
  For Syslog Server, port 514 will be set by default;
  For RADIUS Server, port 1812 will be set by default;
  For FTP(SFTP) Server, port 21 will be set by default;
  Value Range: 1 ~ 65535.
Account Port | 1. A Must filled setting 2. 1813 is set by default | Specify the accounting port used if you selected external RADIUS server. Value Range: 1 ~ 65535.
Server | The box is checked by default | Click Enable to activate this External Server.
Save | N/A | Click Save to save the settings.
Undo | N/A | Click Undo to cancel the settings.
Refresh | N/A | Click the Refresh button to refresh the external server list.
3.5 Certificate
In cryptography, a public key certificate (also known as a digital certificate or identity certificate) is an
electronic document used to prove ownership of a public key. The certificate includes information about the
key, information about its owner's identity, and the digital signature of an entity that has verified that the
certificate's contents are genuine. If the signature is valid, and the person examining the certificate trusts the
signer, then they know they can use that key to communicate with its owner [9].
In a typical public-key infrastructure (PKI) scheme, the signer is a certificate authority (CA), usually a company
such as VeriSign which charges customers to issue certificates for them. In a web of trust scheme, the signer is
either the key's owner (a self-signed certificate) or other users ("endorsements") whom the person examining
the certificate might know and trust. The device can also act as a CA.
Certificates are an important component of Transport Layer Security (TLS, sometimes called by its older name
SSL), where they prevent an attacker from impersonating a secure website or other server. They are also used
in other important applications, such as email encryption and code signing. Here, they can be used in IPSec
tunneling for user authentication.
3.5.1 Configuration (not supported)
This feature is not supported on the purchased product; leave it blank.
[9] http://en.wikipedia.org/wiki/Public_key_certificate
3.5.2 My Certificate
My Certificate includes a Local Certificate List. The Local Certificate List shows all certificates generated by the root
CA for the gateway. It also stores the generated Certificate Signing Requests (CSRs), which will be signed by
other external CAs. The signed certificates can be imported as the gateway's local certificates.
Self-signed Certificate Usage Scenario
Scenario Application Timing
When the enterprise gateway owns the root CA and has the VPN tunneling function, it can generate its own
local certificates by signing them itself, or import local certificates that are signed by other
external CAs. It can also import the trusted certificates for other CAs and clients. In addition, since it has the
root CA, it can also sign Certificate Signing Requests (CSRs) to form corresponding certificates for others.
These certificates can be used by two remote peers to confirm each other's identity while establishing a
VPN tunnel.
Scenario Description
Gateway 1 generates the root CA and a local certificate (HQCRT) signed by itself. It imports a trusted
certificate (BranchCRT), which is the BranchCSR of Gateway 2 signed by the root CA of Gateway 1.
Gateway 2 creates a CSR (BranchCSR) and lets the root CA of Gateway 1 sign it to become the BranchCRT
certificate. It imports that certificate as a local certificate, and also imports the
certificates of the root CA of Gateway 1 as trusted ones. (Please also refer
to the following two sub-sections.)
An IPSec VPN tunnel with IKE and X.509 protocols is established, starting from either peer, so that all
client hosts in both subnets can communicate with each other.
Parameter Setup Example
For Network‐A at HQ
The following tables list the parameter configuration as an example for the "My Certificate" function used
in the user authentication of IPSec VPN tunnel establishment, as shown in the diagram above. The
configuration example must be combined with the ones in the following two sections to complete the
whole user scenario.
Use the default value for parameters that are not mentioned in the tables.
Configuration Path | [My Certificate]-[Root CA Certificate Configuration]
Name | HQRootCA
Key | Key Type: RSA  Key Length: 1024-bits
Subject Name | Country(C): TW  State(ST): Taiwan  Location(L): Tainan  Organization(O): AMITHQ  Organization Unit(OU): HQRD  Common Name(CN): HQRootCA  E-mail: hqrootca@amit.com.tw

Configuration Path | [My Certificate]-[Local Certificate Configuration]
Name | HQCRT  Self-signed: ■
Key | Key Type: RSA  Key Length: 1024-bits
Subject Name | Country(C): TW  State(ST): Taiwan  Location(L): Tainan  Organization(O): AMITHQ  Organization Unit(OU): HQRD  Common Name(CN): HQCRT  E-mail: hqcrt@amit.com.tw

Configuration Path | [IPSec]-[Configuration]
IPSec | ■ Enable

Configuration Path | [IPSec]-[Tunnel Configuration]
Tunnel | ■ Enable
Tunnel Name | s2s-101
Interface | WAN 1
Tunnel Scenario | Site to Site
Operation Mode | Always on

Configuration Path | [IPSec]-[Local & Remote Configuration]
Local Subnet | 10.0.76.0
Local Netmask | 255.255.255.0
Full Tunnel | Disable
Remote Subnet | 10.0.75.0
Remote Netmask | 255.255.255.0
Remote Gateway | 118.18.81.33

Configuration Path | [IPSec]-[Authentication]
Key Management | IKE+X.509  Local Certificate: HQCRT  Remote Certificate: BranchCRT
Local ID | User Name  Network-A
Remote ID | User Name  Network-B

Configuration Path | [IPSec]-[IKE Phase]
Negotiation Mode | Main Mode
X-Auth | None
For Network‐B at Branch Office
The following tables list the parameter configuration as an example for the "My Certificate" function used
in the user authentication of IPSec VPN tunnel establishment, as shown in the diagram above. The
configuration example must be combined with the ones in the following two sections to complete the
whole user scenario.
Use the default value for parameters that are not mentioned in the tables.
Configuration Path | [My Certificate]-[Local Certificate Configuration]
Name | BranchCRT  Self-signed: □
Key | Key Type: RSA  Key Length: 1024-bits
Subject Name | Country(C): TW  State(ST): Taiwan  Location(L): Tainan  Organization(O): AMITBranch  Organization Unit(OU): BranchRD  Common Name(CN): BranchCRT  E-mail: branchcrt@amit.com.tw

Configuration Path | [IPSec]-[Configuration]
IPSec | ■ Enable

Configuration Path | [IPSec]-[Tunnel Configuration]
Tunnel | ■ Enable
Tunnel Name | s2s-102
Interface | WAN 1
Tunnel Scenario | Site to Site
Operation Mode | Always on

Configuration Path | [IPSec]-[Local & Remote Configuration]
Local Subnet | 10.0.75.0
Local Netmask | 255.255.255.0
Full Tunnel | Disable
Remote Subnet | 10.0.76.0
Remote Netmask | 255.255.255.0
Remote Gateway | 203.95.80.22

Configuration Path | [IPSec]-[Authentication]
Key Management | IKE+X.509  Local Certificate: BranchCRT  Remote Certificate: HQCRT
Local ID | User Name  Network-B
Remote ID | User Name  Network-A

Configuration Path | [IPSec]-[IKE Phase]
Negotiation Mode | Main Mode
X-Auth | None
Scenario Operation Procedure
In the diagram above, "Gateway 1" is the gateway of Network-A in headquarters, and the subnet of its
Intranet is 10.0.76.0/24. It has the IP address 10.0.76.2 on its LAN interface and 203.95.80.22 on its
WAN-1 interface. "Gateway 2" is the gateway of Network-B in the branch office, and the subnet of its Intranet is
10.0.75.0/24. It has the IP address 10.0.75.2 on its LAN interface and 118.18.81.33 on its WAN-1 interface.
They both serve as NAT security gateways.
Gateway 1 generates the root CA and a local certificate (HQCRT) that is signed by itself. Import the
certificates of the root CA and HQCRT into the "Trusted CA Certificate List" and "Trusted Client
Certificate List" of Gateway 2.
Gateway 2 generates a Certificate Signing Request (BranchCSR) for its own certificate (BranchCRT).
(Generate a certificate that is not self-signed on Gateway 2, click the "View" button for
that CSR, and download it.) Have the CSR signed by the root CA of Gateway 1 to obtain the
BranchCRT certificate (you need to rename it). Import the certificate into the "Trusted Client Certificate
List" of Gateway 1 and the "Local Certificate List" of Gateway 2.
Gateway 2 can then establish an IPSec VPN tunnel with the "Site to Site" scenario and IKE and X.509 protocols to
Gateway 1.
Finally, the client hosts in the two subnets, 10.0.75.0/24 and 10.0.76.0/24, can communicate with each
other.
My Certificate Setting
Go to Object Definition > Certificate > My Certificate tab.
The My Certificate setting allows the user to create local certificates. The "My Certificate" page has two
configuration windows. The "Local Certificate List" window shows the stored
certificates or CSRs that represent the gateway. The "Local Certificate Configuration" window lets you fill in
the information required for a certificate to be generated by the gateway itself, or for a CSR
to be signed by other CAs.
Create Local Certificate
When the Add button is clicked, the Local Certificate Configuration screen will appear. The information required
for the certificate or CSR includes the name, key and subject name. It is a certificate if the "Self-signed"
box is checked; otherwise, it is a CSR.
Local Certificate Configuration
Item | Value setting | Description
Name | 1. String format can be any text 2. A Must filled setting | Enter a certificate name. It will be a certificate file name. If Self-signed is checked, it will be signed by root CA. If Self-signed is not checked, it will generate a certificate signing request (CSR).
Key | A Must filled setting | This field is to specify the key attributes of certificate.
  Key Type to set public-key cryptosystems. Currently, only RSA is supported.
  Key Length to set the length in bits of the key used in a cryptographic algorithm. It can be 512/768/1024/1536/2048.
  Digest Algorithm to set identifier in the signature algorithm identifier of certificates. It can be MD5/SHA-1.
Subject Name | A Must filled setting | This field is to specify the information of certificate.
  Country(C) is the two-letter ISO code for the country where your organization is located.
  State(ST) is the state where your organization is located.
  Location(L) is the location where your organization is located.
  Organization(O) is the name of your organization.
  Organization Unit(OU) is the name of your organization unit.
  Common Name(CN) is the name of your organization.
  Email is the email of your organization. It has to be email address setting only.
Extra Attributes | A Must filled setting | This field is to specify the extra information for generating a certificate.
  Challenge Password for the password you can use to request certificate revocation in the future.
  Unstructured Name for additional information.
SCEP Enrollment | A Must filled setting | This field is to specify the information of SCEP.
  If user wants to generate a certificate signing request (CSR) and then signed by SCEP server online, user can check the Enable box.
  Select a SCEP Server to identify the SCEP server for use. The server detailed information could be specified in External Servers. Refer to Object Definition > External Server > External Server. You may click Add Object button to generate.
  Select a CA Certificate to identify which certificate could be accepted by SCEP server for authentication. It could be generated in Trusted Certificates.
  Select an optional CA Encryption Certificate, if it is required, to identify which certificate could be accepted by SCEP server for encryption data information. It could be generated in Trusted Certificates.
  Fill in optional CA Identifier to identify which CA could be used for signing certificates.
Save | N/A | Click the Save button to save the configuration.
Back | N/A | When the Back button is clicked, the screen will return to previous page.
When the Import button is clicked, an Import screen will appear. You can import a certificate from an existing
certificate file, or directly paste a PEM encoded string as the certificate.
Import
Item | Value setting | Description
Import | A Must filled setting | Select a certificate file from user’s computer, and click the Apply button to import the specified certificate file to the gateway.
PEM Encoded | 1. String format can be any text 2. A Must filled setting | This is an alternative approach to import a certificate. You can directly fill in (Copy and Paste) the PEM encoded certificate string, and click the Apply button to import the specified certificate to the gateway.
Apply | N/A | Click the Apply button to import the certificate.
Cancel | N/A | Click the Cancel button to discard the import operation and the screen will return to the My Certificates page.
3.5.3 Trusted Certificate
Trusted Certificate includes the Trusted CA Certificate List, Trusted Client Certificate List, and Trusted Client Key
List. The Trusted CA Certificate List holds the certificates of external trusted CAs. The Trusted Client
Certificate List holds the certificates of others that you trust. The Trusted Client Key List holds the keys of
others that you trust.
Self-signed Certificate Usage Scenario
Scenario Application Timing (same as the one described in "My Certificate" section)
When the enterprise gateway owns the root CA and has the VPN tunneling function, it can generate its own
local certificates by signing them itself. It can also import the trusted certificates for other CAs and clients.
These certificates can be used by two remote peers to confirm each other's identity while establishing a
VPN tunnel.
Scenario Description (same as the one described in "My Certificate" section)
Gateway 1 generates the root CA and a local certificate (HQCRT) signed by itself. It imports a trusted
certificate (BranchCRT), which is the BranchCSR of Gateway 2 signed by the root CA of Gateway 1.
Gateway 2 creates a CSR (BranchCSR) and lets the root CA of Gateway 1 sign it to become the BranchCRT
certificate. It imports that certificate as a local certificate, and also imports the
certificates of the root CA of Gateway 1 as trusted ones. (Please also refer to the
"My Certificate" and "Issue Certificate" sections.)
An IPSec VPN tunnel with IKE and X.509 protocols is established, starting from either peer, so that all
client hosts in both subnets can communicate with each other.
Parameter Setup Example (same as the one described in "My Certificate" section)
For Network‐A at HQ
The following tables list the parameter configuration as an example for the "Trusted Certificate" function
used in the user authentication of IPSec VPN tunnel establishment, as shown in the diagram above. The
configuration example must be combined with the ones in the "My Certificate" and "Issue Certificate"
sections to complete the setup for the whole user scenario.
Configuration Path | [Trusted Certificate]-[Trusted Client Certificate List]
Command Button | Import

Configuration Path | [Trusted Certificate]-[Trusted Client Certificate Import from a File]
File | BranchCRT.crt
For Network‐B at Branch Office
The following tables list the parameter configuration as an example for the "Trusted Certificate" function
used in the user authentication of IPSec VPN tunnel establishment, as shown in the diagram above. The
configuration example must be combined with the ones in the "My Certificate" and "Issue Certificate"
sections to complete the setup for the whole user scenario.
Configuration Path | [Trusted Certificate]-[Trusted CA Certificate List]
Command Button | Import

Configuration Path | [Trusted Certificate]-[Trusted CA Certificate Import from a File]
File | HQRootCA.crt

Configuration Path | [Trusted Certificate]-[Trusted Client Certificate List]
Command Button | Import

Configuration Path | [Trusted Certificate]-[Trusted Client Certificate Import from a File]
File | HQCRT.crt
Scenario Operation Procedure (same as the one described in "My Certificate" section)
In the diagram above, "Gateway 1" is the gateway of Network-A in headquarters, and the subnet of its
Intranet is 10.0.76.0/24. It has the IP address 10.0.76.2 on its LAN interface and 203.95.80.22 on its
WAN-1 interface. "Gateway 2" is the gateway of Network-B in the branch office, and the subnet of its
Intranet is 10.0.75.0/24. It has the IP address 10.0.75.2 on its LAN interface and 118.18.81.33 on its
WAN-1 interface. They both serve as NAT security gateways.
On Gateway 2, import the certificates of the root CA and HQCRT that were generated and signed by
Gateway 1 into the "Trusted CA Certificate List" and "Trusted Client Certificate List" of Gateway 2.
Import the obtained BranchCRT certificate (the certificate derived from BranchCSR after signing by Gateway 1’s root
CA) into the "Trusted Client Certificate List" of Gateway 1 and the "Local Certificate List"
of Gateway 2. For more details, refer to the Network-B operation procedure in the "My Certificate"
section of this manual.
Gateway 2 can then establish an IPSec VPN tunnel with the "Site to Site" scenario and IKE and X.509 protocols to
Gateway 1.
Finally, the client hosts in the two subnets, 10.0.75.0/24 and 10.0.76.0/24, can communicate with each
other.
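The certificate flow in the "My Certificate" and "Trusted Certificate" scenario procedures, rebuilt with the OpenSSL command line on a workstation as an added example (it is not the gateway's own procedure or code). It shows which artifact each step produces and how to check a certificate's issuer, key length and digest before importing it into a trusted list. The 2048-bit keys (the largest length the Key field lists), SHA-256, the 365-day validity, the OtherRootCA name and the strength_ok policy are assumptions of this example.

```shell
#!/bin/sh
# Added example: the HQ/Branch certificate flow from the scenario, rebuilt with
# OpenSSL on a workstation. Names follow the manual; the 2048-bit keys, SHA-256,
# 365-day validity, OtherRootCA and the strength_ok policy are assumptions.

# make_root_ca DIR NAME: self-signed root CA (the role Gateway 1 plays).
make_root_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/C=TW/ST=Taiwan/L=Tainan/O=AMITHQ/OU=HQRD/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# make_csr DIR NAME ORG OU: private key plus CSR; only the CSR goes to the CA.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=TW/ST=Taiwan/L=Tainan/O=$3/OU=$4/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# sign_csr DIR CA_NAME NAME: the root CA turns NAME.csr into NAME.crt.
sign_csr() {
    openssl x509 -req -sha256 -days 365 -in "$1/$3.csr" \
        -CA "$1/$2.crt" -CAkey "$1/$2.key" -CAcreateserial \
        -out "$1/$3.crt" 2>/dev/null
}

# chains_to ROOT_CRT CERT: succeeds only if CERT was issued under ROOT_CRT.
chains_to() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# key_bits CERT: public key length in bits.
key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# sig_alg CERT: signature algorithm name, e.g. sha256WithRSAEncryption.
sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# strength_ok BITS SIGALG: example acceptance policy (an assumption):
# RSA key of at least 2048 bits and a digest other than MD5 or SHA-1.
strength_ok() {
    [ "$1" -ge 2048 ] || return 1
    case "$2" in
        md5*|sha1*) return 1 ;;
    esac
    return 0
}

# build_scenario DIR: HQRootCA, HQCRT and BranchCRT as in the scenario, plus an
# unrelated root (OtherRootCA, constructed) to show a failed chain check.
build_scenario() {
    make_root_ca "$1" HQRootCA &&
    make_csr "$1" HQCRT AMITHQ HQRD &&
    sign_csr "$1" HQRootCA HQCRT &&
    make_csr "$1" BranchCRT AMITBranch BranchRD &&
    sign_csr "$1" HQRootCA BranchCRT &&
    make_root_ca "$1" OtherRootCA
}

demo_dir=$(mktemp -d)
build_scenario "$demo_dir"
for name in HQCRT BranchCRT; do
    crt="$demo_dir/$name.crt"
    bits=$(key_bits "$crt")
    alg=$(sig_alg "$crt")
    if chains_to "$demo_dir/HQRootCA.crt" "$crt"; then chain=ok; else chain=FAILED; fi
    if strength_ok "$bits" "$alg"; then strength=ok; else strength=WEAK; fi
    echo "$name: chain to HQRootCA $chain, $bits bits, $alg, strength $strength"
done
if chains_to "$demo_dir/OtherRootCA.crt" "$demo_dir/BranchCRT.crt"; then
    echo "BranchCRT unexpectedly verifies under OtherRootCA"
else
    echo "BranchCRT does not verify under OtherRootCA (expected)"
fi
rm -rf "$demo_dir"
```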
Trusted Certificate Setting
Go to Object Definition > Certificate > Trusted Certificate tab.
The Trusted Certificate setting allows the user to import trusted certificates and keys.
Import Trusted CA Certificate
When the Import button is clicked, a Trusted CA import screen will appear. You can import a Trusted CA
certificate from an existing certificate file, or directly paste a PEM encoded string as the certificate.
Trusted CA Certificate List
Item | Value setting | Description
Import from a File | A Must filled setting | Select a CA certificate file from user’s computer, and click the Apply button to import the specified CA certificate file to the gateway.
Import from a PEM | 1. String format can be any text 2. A Must filled setting | This is an alternative approach to import a CA certificate. You can directly fill in (Copy and Paste) the PEM encoded CA certificate string, and click the Apply button to import the specified CA certificate to the gateway.
Apply | N/A | Click the Apply button to import the certificate.
Cancel | N/A | Click the Cancel button to discard the import operation and the screen will return to the Trusted Certificates page.
Instead of importing a Trusted CA certificate with the approaches mentioned above, you can also get the CA certificate
from the SCEP server.
If SCEP is enabled (refer to Object Definition > Certificate > Configuration), you can click the Get CA button and a Get
CA Configuration screen will appear.
Get CA Configuration
Item | Value setting | Description
SCEP Server | A Must filled setting | Select a SCEP Server to identify the SCEP server for use. The server detailed information could be specified in External Servers. Refer to Object Definition > External Server > External Server. You may click Add Object button to generate.
CA Identifier | 1. String format can be any text | Fill in optional CA Identifier to identify which CA could be used for signing certificates.
Save | N/A | Click Save to save the settings.
Close | N/A | Click the Close button to return to the Trusted Certificates page.
Import Trusted Client Certificate
When the Import button is clicked, a Trusted Client Certificate Import screen will appear. You can import a
Trusted Client Certificate from an existing certificate file, or directly paste a PEM encoded string as the
certificate.
Trusted Client Certificate List
Item | Value setting | Description
Import from a File | A Must filled setting | Select a certificate file from user’s computer, and click the Apply button to import the specified certificate file to the gateway.
Import from a PEM | 1. String format can be any text 2. A Must filled setting | This is an alternative approach to import a certificate. You can directly fill in (Copy and Paste) the PEM encoded certificate string, and click the Apply button to import the specified certificate to the gateway.
Apply | N/A | Click the Apply button to import certificate.
Cancel | N/A | Click the Cancel button to discard the import operation and the screen will return to the Trusted Certificates page.
Import Trusted Client Key
When the Import button is clicked, a Trusted Client Key Import screen will appear. You can import a Trusted
Client Key from an existing file, or directly paste a PEM encoded string as the key.
Trusted Client Key List
Item | Value setting | Description
Import from a File | A Must filled setting | Select a certificate key file from user’s computer, and click the Apply button to import the specified key file to the gateway.
Import from a PEM | 1. String format can be any text 2. A Must filled setting | This is an alternative approach to import a certificate key. You can directly fill in (Copy and Paste) the PEM encoded certificate key string, and click the Apply button to import the specified certificate key to the gateway.
Apply | N/A | Click the Apply button to import the certificate key.
Cancel | N/A | Click the Cancel button to discard the import operation and the screen will return to the Trusted Certificates page.
Chapter 4 Field Communication (not supported)
This feature is not supported on the purchased product; leave it blank.
Chapter 5 Security
5.1 VPN
A virtual private network (VPN) extends a private network across a public network, such as the Internet. It
enables a computer to send and receive data across shared or public networks as if it were directly connected
to the private network, while benefitting from the functionality, security and management policies of the
private network. This is done by establishing a virtual point‐to‐point connection through the use of dedicated
connections, encryption, or a combination of the two. The tunnel technology supports data confidentiality,
data origin authentication and data integrity of network information by utilizing encapsulation protocols,
encryption algorithms, and hashing algorithms.
The product series supports different tunneling technologies to establish secure tunnels between multiple
sites for data transferring, such as IPSec, OpenVPN, L2TP (over IPSec), PPTP and GRE. Besides, some advanced
functions, like Full Tunnel, Tunnel Failover, Tunnel Load Balance, NetBIOS over IPSec, NAT Traversal and
Dynamic VPN, are also supported.
5.1.1 IPSec
Internet Protocol Security (IPSec) is a protocol suite for securing Internet Protocol (IP) communications by
authenticating and encrypting each IP packet of a communication session. IPSec includes protocols for
establishing mutual authentication between agents at the beginning of the session and negotiation of
cryptographic keys to be used during the session.
An IPSec VPN tunnel is established between an IPSec client and server. The IPSec VPN client is sometimes called
the initiator and the IPSec VPN server the responder. This gateway can be configured in different roles and
establish a number of tunnels with various remote devices. Before setting up the VPN connections, you may
need to decide the scenario type for the tunneling.
IPSec Tunnel Scenarios
To build an IPSec tunnel, you need to fill in the remote gateway's global IP and, optionally, a subnet if the hosts
behind the IPSec peer can access the remote site or hosts. Under such a configuration, there are four scenarios:
Site to Site: You need to set up the remote gateway IP and subnet of both gateways. After the IPSec tunnel is
established, hosts behind both gateways can communicate with each other through the tunnel.
Site to Host: Site to Host is suitable for tunneling between clients in a subnet and an application server (host).
As in the diagram, the clients behind the M2M gateway can access the host "Host-DC" located in the
control center through the Site to Host VPN tunnel.
Host to Site: In contrast, for a single host (or mobile user) to access the resources located in an
intranet, the Host to Site scenario can be applied.
Host to Host: Host to Host is a special configuration for building a VPN tunnel between two single hosts.
Site to Site with "Full Tunnel" enabled
In the "Site to Site" scenario, client hosts in the remote site can access the enterprise resources in the Intranet
of the HQ gateway via an established IPSec tunnel, as described above. However, Internet access originating from
the remote site still goes through its regular WAN connection. If you want all packets from the remote site to be
routed via this IPSec tunnel, including HQ server access and Internet access, you can enable the "Full Tunnel"
setting. As a result, whenever users surf the web, search for data on the Internet, check personal emails, or
access HQ servers, all traffic goes through the secure IPSec tunnel and is routed by the Security Gateway in the
control center.
Site to Site with "Hub and Spoke" mechanism
For a control center to manage the secure Intranet among all its remote sites, there is a simple configuration,
called Hub and Spoke, for the whole VPN network. A Hub and Spoke VPN network is set up in organizations with a
centralized control center over all its remote sites, like shops or offices. The control center acts as the Hub
and the remote shops or offices act as Spokes. All VPN tunnels from remote sites terminate at this Hub, which
acts as a concentrator. Site-to-site connections between spokes do not exist. Traffic originating from one
spoke and destined for another spoke has to go via the Hub. Under such a configuration, you don’t need
to maintain VPN tunnels between each pair of remote clients.
IPSec Setting
Go to Security > VPN > IPSec tab.
The IPSec Setting allows the user to create and configure IPSec tunnels.
Enable IPSec
Configuration Window
Item | Value setting | Description
IPsec | Unchecked by default | Click the Enable box to enable IPSec function.
NetBIOS over IPSec | Unchecked by default | Click the Enable box to enable NetBIOS over IPSec function.
NAT Traversal | Checked by default | Click the Enable box to enable NAT Traversal function.
Max. Concurrent IPSec Tunnels | Depends on Product specification. | The specified value will limit the maximum number of simultaneous IPSec tunnel connection. The default value can be different for the purchased model.
Save | N/A | Click Save to save the settings
Undo | N/A | Click Undo to cancel the settings
Create/Edit IPSec tunnel
Ensure that the IPSec Enable box is checked before configuring the IPSec tunnel settings any further.
When the Add/Edit button is clicked, a series of configuration screens will appear. They are Tunnel Configuration,
Local & Remote Configuration, Authentication, IKE Phase, IKE Proposal Definition, IPSec Phase, and IPSec
Proposal Definition. You have to configure the tunnel details for both local and remote VPN devices.
Tunnel Configuration Window
Item | Value setting | Description
Tunnel | Unchecked by default | Check the Enable box to activate the IPSec tunnel.
Tunnel Name | 1. A Must fill setting 2. String format can be any text | Enter a tunnel name. Enter a name that is easy for you to identify. Value Range: 1 ~ 19 characters.
Interface | 1. A Must fill setting 2. WAN 1 is selected by default | Select the interface on which the IPSec tunnel is to be established. It can be the available WAN and LAN interfaces.
Tunnel Scenario | 1. A Must fill setting 2. Site to site is selected by default | Select an IPSec tunneling scenario from the dropdown box for your application. Select Site-to-Site, Site-to-Host, Host-to-Site, or Host-to-Host. If LAN interface is selected, only Host-to-Host scenario is available.
  With Site-to-Site or Site-to-Host or Host-to-Site, IPSec operates in tunnel mode. The difference among them is the number of subnets. With Host-to-Host, IPSec operates in transport mode.
Tunnel TCP MSS | 1. An optional setting 2. Auto is set by default | Select from the dropdown box to define the size of Tunnel TCP MSS.
  Select Auto, and all devices will adjust this parameter automatically.
  Select Manual, and specify an expected value for Tunnel TCP MSS. Value Range: 64 ~ 1500 bytes.
Hub and Spoke | 1. An optional setting 2. None is set by default | Select from the dropdown box to set up your gateway for Hub-and-Spoke IPSec VPN Deployments.
  Select None if your deployments will not support Hub or Spoke encryption.
  Select Hub for a Hub role in the IPSec design.
  Select Spoke for a Spoke role in the IPSec design.
  Note: Hub and Spoke are available only for Site-to-Site VPN tunneling specified in Tunnel Scenario. It is not available for Dynamic VPN tunneling application.
Operation Mode | 1. A Must fill setting 2. Always on is selected by default | Define operation mode for the IPSec Tunnel. It can be Always On, or Failover. If this tunnel is set as a failover tunnel, you need to further select a primary tunnel from which to failover to.
  Note: Failover mode is not available for the gateway with single WAN.
Encapsulation Protocol | 1. A Must fill setting 2. ESP is selected by default | Select the Encapsulation Protocol from the dropdown box for this IPSec tunnel. Available encapsulations are ESP and AH.
Local & Remote Configuration Window
| Item | Value setting | Description |
|---|---|---|
| Local Subnet List | A Must fill setting | Specify the Local Subnet IP address and Subnet Mask. Click the Add or Delete button to add or delete a Local Subnet. Note_1: When Dynamic VPN option in Tunnel Scenario is selected, there will be only one subnet available. Note_2: When Host-to-Site or Host-to-Host option in Tunnel Scenario is selected, Local Subnet will not be available. Note_3: When Hub and Spoke option in Hub and Spoke is selected, there will be only one subnet available. |
| Redirect Traffic | Unchecked by default | Click Enable box to activate the Redirect Traffic function. Note: Redirect Traffic is available only for Host-to-Site specified in Tunnel Scenario. By default, it is disabled, which prevents unexpected and dangerous access to the peer subnet. If you enable this function, all the network devices behind the VPN host (actually, it is a NAT gateway) can access the peer subnet with the host IP. |
| Full Tunnel | Unchecked by default | Click Enable box to enable Full Tunnel. Note: Full tunnel is available only for Site-to-Site specified in Tunnel Scenario. |
| Remote Subnet List | A Must fill setting | Specify the Remote Subnet IP address and Subnet Mask. Click the Add or Delete button to add or delete Remote Subnet setting. |
| Remote Gateway | 1. A Must fill setting. 2. Format can be an IPv4 address or FQDN | Specify the Remote Gateway. |
Authentication Configuration Window
| Item | Value setting | Description |
|---|---|---|
| Key Management | 1. A Must fill setting 2. Pre-shared Key 8 to 32 characters. | Select Key Management from the dropdown box for this IPSec tunnel. IKE+Pre-shared Key: user needs to set a key (8 ~ 32 characters). IKE+X.509: user needs Certificate to authenticate. IKE+X.509 will be available only when Certificate has been configured properly. Refer to Certificate section of this manual and also Object Definition > Certificate in web-based utility. Manually: user needs to enter key ID to authenticate. Manual key configuration will be explained in the following Manual Key Management section. |
| Local ID | An optional setting | Specify the Local ID for this IPSec tunnel to authenticate. Select User Name for Local ID and enter the username. The username may include numbers but can't be all numbers. Select FQDN for Local ID and enter the FQDN. Select User@FQDN for Local ID and enter the User@FQDN. Select Key ID for Local ID and enter the Key ID (English alphabet or number). |
| Remote ID | An optional setting | Specify the Remote ID for this IPSec tunnel to authenticate. Select User Name for Remote ID and enter the username. The username may include numbers but can't be all numbers. Select FQDN for Remote ID and enter the FQDN. Select User@FQDN for Remote ID and enter the User@FQDN. Select Key ID for Remote ID and enter the Key ID (English alphabet or number). Note: Remote ID will not be available when Dynamic VPN option in Tunnel Scenario is selected. |
IKE Phase Window
| Item | Value setting | Description |
|---|---|---|
| IKE Version | 1. A must fill setting 2. v1 is selected by default | Specify the IKE version for this IPSec tunnel. Select v1 or v2. Note: IKE versions will not be available when Dynamic VPN option in Tunnel Scenario is selected, or AH option in Encapsulation Protocol is selected. |
| Negotiation Mode | Main Mode is set by default | Specify the Negotiation Mode for this IPSec tunnel. Select Main Mode or Aggressive Mode. |
| X-Auth | None is selected by default | Specify the X-Auth role for this IPSec tunnel. Select Server, Client, or None. None: no X-Auth authentication is required. Server: this gateway will be an X-Auth server. Click on the X-Auth Account button to create remote X-Auth client account. Client: this gateway will be an X-Auth client. Enter User name and Password to be authenticated by the X-Auth server gateway. Note: X-Auth Client will not be available for Dynamic VPN option selected in Tunnel Scenario. |
| Dead Peer Detection (DPD) | 1. Checked by default 2. Default Timeout 180s and Delay 30s | Click Enable box to enable DPD function. Specify the Timeout and Delay time in seconds. Value Range: 0 ~ 999 seconds for Timeout and Delay. |
| Phase1 Key Life Time | 1. A Must fill setting 2. Default 3600s 3. Max. 86400s | Specify the Phase1 Key Life Time. Value Range: 30 ~ 86400. |
IKE Proposal Definition Window
| Item | Value setting | Description |
|---|---|---|
| IKE Proposal Definition | A Must fill setting | Specify the Phase 1 Encryption method. It can be DES / 3DES / AES-auto / AES-128 / AES-192 / AES-256. Specify the Authentication method. It can be None / MD5 / SHA1 / SHA2-256. Specify the DH Group. It can be None / Group1 / Group2 / Group5 / Group14 / Group15 / Group16 / Group17 / Group18. Check Enable box to enable this setting |
IPSec Phase Window
| Item | Value setting | Description |
|---|---|---|
| Phase2 Key Life Time | 1. A Must fill setting 2. 28800s is set by default 3. Max. 86400s | Specify the Phase2 Key Life Time in seconds. Value Range: 30 ~ 86400. |
IPSec Proposal Definition Window
| Item | Value setting | Description |
|---|---|---|
| IPSec Proposal Definition | A Must fill setting | Specify the Encryption method. It can be None / DES / 3DES / AES-auto / AES-128 / AES-192 / AES-256. Note: None is available only when Encapsulation Protocol is set as AH; it is not available for ESP Encapsulation. Specify the Authentication method. It can be None / MD5 / SHA1 / SHA2-256. Note: None and SHA2-256 are available only when Encapsulation Protocol is set as ESP; they are not available for AH Encapsulation. Specify the PFS Group. It can be None / Group1 / Group2 / Group5 / Group14 / Group15 / Group16 / Group17 / Group18. Click Enable to enable this setting |
| Save | N/A | Click Save to save the settings |
| Undo | N/A | Click Undo to cancel the settings |
| Back | N/A | Click Back to return to the previous page. |
Manual Key Management
When the Manually option is selected for Key Management as described in Authentication Configuration
Window, a series of configuration windows for Manual IPSec Tunnel configuration will appear. The
configuration windows are the Local & Remote Configuration, the Authentication, and the Manual Proposal.
Authentication Window
| Item | Value setting | Description |
|---|---|---|
| Key Management | A Must fill setting | Select Key Management from the dropdown box for this IPSec tunnel. In this section Manually is the option selected. |
| Local ID | An optional setting | Specify the Local ID for this IPSec tunnel to authenticate. Select the Key ID for Local ID and enter the Key ID (English alphabet or number). |
| Remote ID | An optional setting | Specify the Remote ID for this IPSec tunnel to authenticate. Select Key ID for Remote ID and enter the Key ID (English alphabet or number). |
Local & Remote Configuration Window
| Item | Value setting | Description |
|---|---|---|
| Local Subnet | A Must fill setting | Specify the Local Subnet IP address and Subnet Mask. |
| Local Netmask | A Must fill setting | Specify the Local Subnet Mask. |
| Remote Subnet | A Must fill setting | Specify the Remote Subnet IP address |
| Remote Netmask | A Must fill setting | Specify the Remote Subnet Mask. |
| Remote Gateway | 1. A Must fill setting 2. An IPv4 address or FQDN format | Specify the Remote Gateway. The Remote Gateway |
Under the Manually Key Management authentication configuration, only one subnet is supported for both
Local and Remote IPSec peer.
Manual Proposal Window
| Item | Value setting | Description |
|---|---|---|
| Outbound SPI | Hexadecimal format | Specify the Outbound SPI for this IPSec tunnel. Value Range: 0 ~ FFFF. |
| Inbound SPI | Hexadecimal format | Specify the Inbound SPI for this IPSec tunnel. Value Range: 0 ~ FFFF. |
| Encryption | 1. A Must fill setting 2. Hexadecimal format | Specify the Encryption Method and Encryption key. Available encryption methods are DES/3DES/AES-128/AES-192/AES-256. The key length for DES is 16, 3DES is 48, AES-128 is 32, AES-192 is 48, and AES-256 is 64. Note: When AH option in Encapsulation is selected, encryption will not be available. |
| Authentication | 1. A Must fill setting 2. Hexadecimal format | Specify the Authentication Method and Authentication key. Available authentication methods are None/MD5/SHA1/SHA2-256. The key length for MD5 is 32, SHA1 is 40, and SHA2-256 is 64. Note: When AH option in Encapsulation Protocol is selected, None option in Authentication will not be available. |
| Save | N/A | Click Save to save the settings |
| Undo | N/A | Click Undo to cancel the settings |
| Back | N/A | Click Back to return to the previous page. |
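The following Python check is an added example, not part of the manual or the gateway firmware: it validates a Manual Proposal entry against the table's rules before it is typed into the web UI, and generates random keys of the listed lengths. The key lengths are read here as counts of hexadecimal characters (the table's stated format); the dictionary field names and the sample entries are constructed for this example.

```python
import secrets
import string

# Key lengths from the Manual Proposal table, read as counts of hex characters.
ENC_KEY_HEX_LEN = {"DES": 16, "3DES": 48, "AES-128": 32, "AES-192": 48, "AES-256": 64}
AUTH_KEY_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA2-256": 64}
SPI_MAX = 0xFFFF  # "Value Range: 0 ~ FFFF"


def is_hex(text):
    """True for a non-empty string made only of hexadecimal digits (no 0x prefix)."""
    return bool(text) and all(ch in string.hexdigits for ch in text)


def new_hex_key(method):
    """Random key of the table's length for an encryption or authentication method."""
    length = {**ENC_KEY_HEX_LEN, **AUTH_KEY_HEX_LEN}[method]
    return secrets.token_hex(length // 2)  # token_hex(n) returns 2*n hex characters


def _check_key(field, key, expected):
    if not is_hex(key):
        return [f"{field}: must be hexadecimal"]
    if len(key) != expected:
        return [f"{field}: must be {expected} hexadecimal characters, got {len(key)}"]
    return []


def validate_manual_proposal(p):
    """Return a list of problems; an empty list means the entry fits the table's rules."""
    problems = []
    for field in ("outbound_spi", "inbound_spi"):
        spi = p.get(field, "")
        if not is_hex(spi) or int(spi, 16) > SPI_MAX:
            problems.append(f"{field}: must be hexadecimal in the range 0 ~ FFFF")

    ah = p.get("encapsulation") == "AH"
    enc = p.get("encryption")
    if ah:
        if enc is not None:
            problems.append("encryption: not available when AH is selected")
    elif enc not in ENC_KEY_HEX_LEN:
        problems.append(f"encryption: unknown method {enc!r}")
    else:
        problems += _check_key("encryption_key", p.get("encryption_key", ""),
                               ENC_KEY_HEX_LEN[enc])

    auth = p.get("authentication")
    if auth == "None":
        if ah:
            problems.append("authentication: None is not available when AH is selected")
    elif auth not in AUTH_KEY_HEX_LEN:
        problems.append(f"authentication: unknown method {auth!r}")
    else:
        problems += _check_key("authentication_key", p.get("authentication_key", ""),
                               AUTH_KEY_HEX_LEN[auth])
    return problems


# Constructed sample entries (field names are this example's own).
GOOD = {
    "encapsulation": "ESP", "outbound_spi": "1A2B", "inbound_spi": "2B1A",
    "encryption": "AES-256", "encryption_key": new_hex_key("AES-256"),
    "authentication": "SHA2-256", "authentication_key": new_hex_key("SHA2-256"),
}
BAD = {
    "encapsulation": "AH", "outbound_spi": "10000", "inbound_spi": "0x10",
    "encryption": "AES-128", "encryption_key": "00" * 16, "authentication": "None",
}

if __name__ == "__main__":
    for name, entry in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, validate_manual_proposal(entry) or "ok")
```

Manual keys are never renegotiated by IKE, so both peers must be re-keyed by hand whenever a key is replaced.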
Create/Edit Dynamic VPN Server List
Similar to creating an IPSec VPN tunnel for a site/host to site/host scenario, when the Edit button is applied a series of configuration screens will appear. They are Tunnel Configuration, Local & Remote Configuration, Authentication, IKE Phase, IKE Proposal Definition, IPSec Phase, and IPSec Proposal Definition. You have to configure the tunnel details for the gateway as a Dynamic VPN server.
Note: For the purchased gateway, you can configure one Dynamic VPN server for each WAN interface.
Tunnel Configuration Window
| Item | Value setting | Description |
|---|---|---|
| Tunnel | Unchecked by default | Check the Enable box to activate the Dynamic IPSec VPN tunnel. |
| Tunnel Name | 1. A Must fill setting 2. String format can be any text | Enter a tunnel name. Enter a name that is easy for you to identify. Value Range: 1 ~ 19 characters. |
| Interface | 1. A Must fill setting 2. WAN 1 is selected by default | Select WAN interface on which IPSec tunnel is to be established. |
| Tunnel Scenario | 1. A Must fill setting 2. Dynamic VPN is selected by default | The IPSec tunneling scenario is fixed to Dynamic VPN. |
| Operation Mode | 1. A Must fill setting 2. Always on is selected by default | The available operation mode is Always On. Failover option is not available for the Dynamic IPSec scenario. |
| Encapsulation Protocol | 1. A Must fill setting 2. ESP is selected by default | Select the Encapsulation Protocol from the dropdown box for this IPSec tunnel. Available encapsulations are ESP and AH. |
Local & Remote Configuration Window
| Item | Value setting | Description |
|---|---|---|
| Local Subnet | A Must fill setting | Specify the Local Subnet IP address. |
| Local Netmask | A Must fill setting | Specify the Local Subnet Mask. |
Authentication Configuration Window
| Item | Value setting | Description |
|---|---|---|
| Key Management | 1. A Must fill setting 2. Pre-shared Key 8 to 32 characters. | Select Key Management from the dropdown box for this IPSec tunnel. IKE+Pre-shared Key: user needs to set a key (8 ~ 32 characters). |
| Local ID | An optional setting | Specify the Local ID for this IPSec tunnel to authenticate. Select User Name for Local ID and enter the username. The username may include numbers but can't be all numbers. Select FQDN for Local ID and enter the FQDN. Select User@FQDN for Local ID and enter the User@FQDN. Select Key ID for Local ID and enter the Key ID (English alphabet or number). |
| Remote ID | An optional setting | Specify the Remote ID for this IPSec tunnel to authenticate. Select User Name for Remote ID and enter the username. The username may include numbers but can't be all numbers. Select FQDN for Remote ID and enter the FQDN. Select User@FQDN for Remote ID and enter the User@FQDN. Select Key ID for Remote ID and enter the Key ID (English alphabet or number). Note: Remote ID will not be available when Dynamic VPN option in Tunnel Scenario is selected. |
The remaining IKE Phase, IKE Proposal Definition, IPSec Phase, and IPSec Proposal Definition settings are the same as those for creating an IPSec tunnel, described in the previous section. Please refer to the related description.
5.1.2 OpenVPN
OpenVPN is an application that implements virtual private network (VPN) techniques for creating secure
point‐to‐point or site‐to‐site connections in routed or bridged configurations and remote access facilities. It
uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network
address translators (NATs) and firewalls.
OpenVPN allows peers to authenticate each other using a Static Key (pre‐shared key) or certificates. When
used in a multi‐client‐server configuration, it allows the server to release an authentication certificate for
every client, using signature and certificate authority. It uses the OpenSSL encryption library extensively, as
well as the SSLv3/TLSv1 protocol, and contains many security and control features.
OpenVPN Tunneling is a Client and Server based tunneling technology. The OpenVPN Server must have a Static IP or a FQDN, and maintain a Client list. The OpenVPN Client may be a mobile user or mobile site with a public or private IP that requests the OpenVPN tunnel connection. The product can only act as an OpenVPN Client for an OpenVPN tunnel connection.
There are two OpenVPN connection scenarios. They are the TAP and TUN scenarios. The product can create
either a layer‐3 based IP tunnel (TUN), or a layer‐2 based Ethernet TAP that can carry any type of Ethernet
traffic. In addition to configuring the device as a Server or Client, you have to specify which type of OpenVPN
connection scenario is to be adopted.
OpenVPN TUN Scenario
The term "TUN" refers to routing mode, which operates with layer 3 packets. In routing mode, the VPN client is given an IP address on a different subnet than the local LAN under the OpenVPN server. This virtual subnet is created for connecting to any remote VPN computers. In routing mode, the OpenVPN server creates a "TUN" interface with its own IP address pool which is different to the local LAN. Remote hosts that dial in will get an IP address inside the virtual network and will have access only to the server where OpenVPN resides.
If you want to offer remote access to a VPN server from client(s), and inhibit the access to remote LAN resources under the VPN server, OpenVPN TUN mode is the simplest solution.
As shown in the diagram, the M2M-IoT Gateway is configured as an OpenVPN TUN Client, and connects to an OpenVPN TUN Server. Once the OpenVPN TUN connection is established, the connected TUN client will be assigned a virtual IP (10.8.0.2) which belongs to a virtual subnet that is different to the local subnet in Control Center. With such a connection, the local networked devices will get a virtual IP 10.8.0.x if their traffic goes through the OpenVPN TUN connection when the Redirect Internet Traffic setting is enabled. In addition, the SCADA Server in Control Center can access remote attached serial device(s) with the virtual IP address (10.8.0.2).
OpenVPN TAP Scenario
The term "TAP" refers to bridge mode, which operates with layer 2 packets. In bridge mode, the VPN client is given an IP address on the same subnet as the LAN under the OpenVPN server. Under such a configuration, the OpenVPN client can directly access the resources in the LAN. If you want to offer remote access to the entire remote LAN for VPN client(s), you have to set up OpenVPN in “TAP” bridge mode.
As shown in the diagram, the M2M-IoT Gateway is configured as an OpenVPN TAP Client, and connects to an OpenVPN TAP Server. Once the OpenVPN TAP connection is established, the connected TAP client will be assigned a virtual IP (192.168.100.210) which is in the same subnet as the local subnet in Control Center. With such a connection, the SCADA Server in Control Center can access remote attached serial device(s) with the virtual IP address (192.168.100.210).
Open VPN Setting
Go to Security > VPN > OpenVPN tab.
The OpenVPN setting allows the user to create and configure OpenVPN tunnels.
Enable OpenVPN
Configuration
| Item | Value setting | Description |
|---|---|---|
| OpenVPN | The box is unchecked by default | Check the Enable box to activate the OpenVPN function. |
| Client | Client is selected by default. | Only Client is available; you can specify the client settings in another client configuration window. |
As an OpenVPN Client
If Client is selected, an OpenVPN Client List screen will appear.
When the Add button is applied, the OpenVPN Client Configuration screen will appear. The OpenVPN Client Configuration window lets you specify the required parameters for an OpenVPN client, such as "OpenVPN Client Name", "Interface", "Protocol", "Tunnel Scenario", "Remote IP/FQDN", "Remote Subnet", "Authorization Mode", "Encryption Cipher", "Hash Algorithm" and tunnel activation.
OpenVPN Client Configuration
| Item | Value setting | Description |
|---|---|---|
| OpenVPN Client Name | A Must filled setting | The OpenVPN Client Name will be used to identify the client in the tunnel list. Value Range: 1 ~ 32 characters. |
| Interface | 1. A Must filled setting 2. By default WAN-1 is selected. | Define the physical interface to be used for this OpenVPN Client tunnel. |
| Protocol | 1. A Must filled setting 2. By default TCP is selected. | Define the Protocol for the OpenVPN Client. Select TCP: the OpenVPN will use TCP protocol, and Port will be set as 443 automatically. Select UDP: the OpenVPN will use UDP protocol, and Port will be set as 1194 automatically. |
| Port | 1. A Must filled setting 2. By default 443 is set. | Specify the Port for the OpenVPN Client to use. Value Range: 1 ~ 65535. |
| Tunnel Scenario | 1. A Must filled setting 2. By default TUN is selected. | Specify the type of Tunnel Scenario for the OpenVPN Client to use. It can be TUN for TUN tunnel scenario, or TAP for TAP tunnel scenario. |
| Remote IP/FQDN | A Must filled setting | Specify the Remote IP/FQDN of the peer OpenVPN Server for this OpenVPN Client tunnel. Fill in the IP address or FQDN. |
| Remote Subnet | 1. An Optional setting. 2. The box is unchecked by default. | Check the Enable box to activate remote subnet function, and specify Remote Subnet of the peer OpenVPN Server for this OpenVPN Client tunnel. Fill in the remote subnet address and remote subnet mask. |
| Redirect Internet Traffic | 1. An Optional setting. 2. The box is unchecked by default. | Check the Enable box to activate the Redirect Internet Traffic function. |
| NAT | 1. An Optional setting. 2. The box is unchecked by default. | Check the Enable box to activate the NAT function. |
| Authorization Mode | 1. A Must filled setting 2. By default TLS is selected. | Specify the authorization mode for the OpenVPN Server. TLS: the OpenVPN will use TLS authorization mode, and the following items CA Cert., Client Cert. and Client Key will be displayed. CA Cert. could be selected in Trusted CA Certificate List. Refer to Object Definition > Certificate > Trusted Certificate. Client Cert. could be selected in Local Certificate List. Refer to Object Definition > Certificate > My Certificate. Client Key could be selected in Trusted Client key List. Refer to Object Definition > Certificate > Trusted Certificate. Static Key: the OpenVPN will use static key authorization mode, and the following items Local Endpoint IP Address, Remote Endpoint IP Address and Static Key will be displayed. |
| Local Endpoint IP Address | A Must filled setting | Specify the virtual Local Endpoint IP Address of this OpenVPN gateway. Value Range: The IP format is 10.8.0.x, the range of x is 1~254. Note: Local Endpoint IP Address will be available only when Static Key is chosen in Authorization Mode. |
| Remote Endpoint IP Address | A Must filled setting | Specify the virtual Remote Endpoint IP Address of the peer OpenVPN gateway. Value Range: The IP format is 10.8.0.x, the range of x is 1~254. Note: Remote Endpoint IP Address will be available only when Static Key is chosen in Authorization Mode. |
| Static Key | A Must filled setting | Specify the Static Key. Note: Static Key will be available only when Static Key is chosen in Authorization Mode. |
| Encryption Cipher | By default Blowfish is selected. | Specify the Encryption Cipher. It can be Blowfish/AES-256/AES-192/AES-128/None. |
| Hash Algorithm | By default SHA-1 is selected. | Specify the Hash Algorithm. It can be SHA-1/MD5/MD4/SHA2-256/SHA2-512/None/Disable. |
| LZO Compression | By default Adaptive is selected. | Specify the LZO Compression scheme. It can be Adaptive/YES/NO/Default. |
| Persis Key | 1. An Optional setting. 2. The box is checked by default. | Check the Enable box to activate the Persis Key function. |
| Persis Tun | 1. An Optional setting. 2. The box is checked by default. | Check the Enable box to activate the Persis Tun function. |
| Advanced Configuration | N/A | Click the Edit button to specify the Advanced Configuration setting for the OpenVPN server. If the button is clicked, Advanced Configuration will be displayed below. |
| Tunnel | The box is unchecked by default | Check the Enable box to activate this OpenVPN tunnel. |
| Save | N/A | Click Save to save the settings. |
| Undo | N/A | Click Undo to cancel the changes. |
| Back | N/A | Click Back to return to last page. |
When Advanced Configuration is selected, an OpenVPN Client Advanced Configuration screen will appear.
OpenVPN Advanced Client Configuration
| Item | Value setting | Description |
|---|---|---|
| TLS Cipher | 1. A Must filled setting. 2. TLS-RSA-WITH-AES128-SHA is selected by default | Specify the TLS Cipher from the dropdown list. It can be None / TLS-RSA-WITH-RC4-MD5 / TLS-RSA-WITH-AES128-SHA / TLS-RSA-WITH-AES256-SHA / TLS-DHE-DSS-AES128-SHA / TLS-DHE-DSS-AES256-SHA. Note: TLS Cipher will be available only when TLS is chosen in Authorization Mode. |
| TLS Auth. Key | 1. An Optional setting. 2. String format: any text | Specify the TLS Auth. Key for connecting to an OpenVPN server, if the server requires it. Note: TLS Auth. Key will be available only when TLS is chosen in Authorization Mode. |
| User Name | An Optional setting. | Enter the User account for connecting to an OpenVPN server, if the server requires it. Note: User Name will be available only when TLS is chosen in Authorization Mode. |
| Password | An Optional setting. | Enter the Password for connecting to an OpenVPN server, if the server requires it. Note: Password will be available only when TLS is chosen in Authorization Mode. |
| Bridge TAP to | By default VLAN 1 is selected | Specify the setting of “Bridge TAP to” to bridge the TAP interface to a certain local network interface or VLAN. Note: Bridge TAP to will be available only when TAP is chosen in Tunnel Scenario and NAT is unchecked. |
| Firewall Protection | The box is unchecked by default. | Check the box to activate the Firewall Protection function. Note: Firewall Protection will be available only when NAT is enabled. |
| Client IP Address | By default Dynamic IP is selected | Specify the virtual IP Address for the OpenVPN Client. It can be Dynamic IP/Static IP. |
| Tunnel MTU | 1. A Must filled setting 2. The value is 1500 by default | Specify the value of Tunnel MTU. Value Range: 0 ~ 1500. |
| Tunnel UDP Fragment | The value is 1500 by default | Specify the value of Tunnel UDP Fragment. Value Range: 0 ~ 1500. Note: Tunnel UDP Fragment will be available only when UDP is chosen in Protocol. |
| Tunnel UDP MSS-Fix | The box is unchecked by default. | Check the Enable box to activate the Tunnel UDP MSS-Fix function. Note: Tunnel UDP MSS-Fix will be available only when UDP is chosen in Protocol. |
| nsCerType Verification | The box is unchecked by default. | Check the Enable box to activate the nsCerType Verification function. Note: nsCerType Verification will be available only when TLS is chosen in Authorization Mode. |
| TLS Renegotiation Time (seconds) | The value is 3600 by default | Specify the time interval of TLS Renegotiation Time. Value Range: -1 ~ 86400. |
| Connection Retry (seconds) | The value is -1 by default | Specify the time interval of Connection Retry. The default -1 means that no connection retry is executed. Value Range: -1 ~ 86400, and -1 means no retry is required. |
| DNS | By default Automatically is selected | Specify the setting of DNS. It can be Automatically/Manually. |
| Additional Configuration | An Optional setting. | Enter optional configuration string here. Up to 256 characters are allowed. Value Range: 0 ~ 256 characters. |
| Save | N/A | Click Save to save the settings. |
| Undo | N/A | Click Undo to cancel the changes. |
| Back | N/A | Click Back to return to last page. |
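The IKE/IPSec Proposal Definition tables and the OpenVPN Client tables above list legacy algorithms alongside current ones, and the OpenVPN defaults are among the legacy choices. The following Python audit is an added example, not part of the manual or the gateway firmware: it takes option names as they appear in those dropdowns and lists the selections with known cryptographic weaknesses. The dictionary keys, the sample tunnels and the reason strings are constructed for this example.

```python
# Option names are the manual's dropdown values; reasons are general cryptographic facts.
WEAK_CIPHER = {"DES": "56-bit key", "3DES": "64-bit block cipher",
               "Blowfish": "64-bit block cipher"}
WEAK_HASH = {"MD4": "broken hash", "MD5": "broken hash",
             "SHA1": "legacy hash; SHA2-256 is offered",
             "SHA-1": "legacy hash; SHA2-256 is offered"}
WEAK_GROUP = {"Group1": "768-bit MODP group", "Group2": "1024-bit MODP group",
              "Group5": "1536-bit MODP group"}


def _check(findings, field, value, table, none_reason=None):
    """Append (field, value, reason) when the value is weak or is a flagged None/Disable."""
    if value in table:
        findings.append((field, value, table[value]))
    elif value in ("None", "Disable") and none_reason:
        findings.append((field, value, none_reason))


def audit_ipsec(t):
    """Findings for one IPSec tunnel: IKE Phase, IKE Proposal and IPSec Proposal choices."""
    f = []
    _check(f, "IKE encryption", t["ike_encryption"], WEAK_CIPHER)
    _check(f, "IKE authentication", t["ike_authentication"], WEAK_HASH,
           "no integrity algorithm selected")
    _check(f, "IKE DH group", t["ike_dh_group"], WEAK_GROUP,
           "no Diffie-Hellman group selected")
    if t.get("encapsulation", "ESP") == "ESP":  # AH carries no encryption setting
        _check(f, "IPSec encryption", t["ipsec_encryption"], WEAK_CIPHER)
    _check(f, "IPSec authentication", t["ipsec_authentication"], WEAK_HASH,
           "ESP packets are not authenticated")
    _check(f, "PFS group", t["pfs_group"], WEAK_GROUP,
           "no perfect forward secrecy for phase 2 keys")
    if (t.get("negotiation_mode") == "Aggressive Mode"
            and t.get("key_management") == "IKE+Pre-shared Key"):
        f.append(("Negotiation Mode", "Aggressive Mode",
                  "a hash derived from the pre-shared key is sent unencrypted"))
    return f


def audit_openvpn(c):
    """Findings for one OpenVPN client entry (basic and advanced configuration)."""
    f = []
    _check(f, "Encryption Cipher", c["cipher"], WEAK_CIPHER, "tunnel data is not encrypted")
    _check(f, "Hash Algorithm", c["hash"], WEAK_HASH, "tunnel packets are not authenticated")
    if c["authorization_mode"] == "Static Key":
        f.append(("Authorization Mode", "Static Key",
                  "one long-lived shared key, no forward secrecy"))
    else:
        tls = c["tls_cipher"]
        if "RC4" in tls or "MD5" in tls:
            f.append(("TLS Cipher", tls, "RC4 and MD5 are broken"))
        elif tls.startswith("TLS-RSA-"):
            f.append(("TLS Cipher", tls, "RSA key exchange, no forward secrecy"))
    return f


# Defaults as listed in the OpenVPN Client tables of this manual.
OPENVPN_DEFAULTS = {"authorization_mode": "TLS", "cipher": "Blowfish",
                    "hash": "SHA-1", "tls_cipher": "TLS-RSA-WITH-AES128-SHA"}
# Constructed IPSec samples built from the manual's dropdown values.
LEGACY_IPSEC = {"key_management": "IKE+Pre-shared Key", "negotiation_mode": "Aggressive Mode",
                "encapsulation": "ESP", "ike_encryption": "DES", "ike_authentication": "MD5",
                "ike_dh_group": "Group2", "ipsec_encryption": "3DES",
                "ipsec_authentication": "SHA1", "pfs_group": "None"}
STRONGER_IPSEC = {"key_management": "IKE+Pre-shared Key", "negotiation_mode": "Main Mode",
                  "encapsulation": "ESP", "ike_encryption": "AES-256",
                  "ike_authentication": "SHA2-256", "ike_dh_group": "Group14",
                  "ipsec_encryption": "AES-256", "ipsec_authentication": "SHA2-256",
                  "pfs_group": "Group14"}

if __name__ == "__main__":
    for name, findings in (("OpenVPN defaults", audit_openvpn(OPENVPN_DEFAULTS)),
                           ("Legacy IPSec", audit_ipsec(LEGACY_IPSEC)),
                           ("Stronger IPSec", audit_ipsec(STRONGER_IPSEC))):
        print(name)
        for field, value, reason in findings:
            print(f"  {field} = {value}: {reason}")
```

An empty result only means none of the listed weak options were selected; both peers still have to be configured with the same proposal for the tunnel to come up.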
5.1.3 L2TP
Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs) or as part of the delivery of services by ISPs. It does not provide any encryption or confidentiality by itself. Rather, it relies on an encryption protocol that it passes within the tunnel to provide privacy. This Gateway can only behave as a L2TP client for a L2TP VPN tunnel.
L2TP Client: It can be mobile users or gateways in remote offices with dynamic IP. To set up a tunnel, it needs the “user name”, “password” and the server’s global IP. In addition, it is required to identify the operation mode for each tunnel as main connection, failover for another tunnel, or load balance tunnel to increase overall bandwidth. It needs to decide “Default Gateway” or “Remote Subnet” for packet flow. Moreover, you can also define what kind of traffic will pass through the L2TP tunnel in the “Default Gateway / Remote Subnet” parameter.
Besides, for the L2TP client peer, a Remote Subnet item is required. It is for the Intranet of the L2TP server peer. So, at the L2TP client peer, the packets whose destination is in the dedicated subnet will be transferred via the L2TP tunnel. Others will be transferred based on the current routing policy of the gateway at the L2TP client peer. But if you enter 0.0.0.0/0 in the Remote Subnet field, it will be treated as a "Default Gateway" setting for the L2TP client peer: all packets, including the Internet access of the L2TP client peer, will go through the established L2TP tunnel. That means the remote L2TP server peer controls the flow of any packets from the L2TP client peer. Certainly, those packets come through the L2TP tunnel.
L2TP Setting
Go to Security > VPN > L2TP tab.
The L2TP setting allows the user to create and configure L2TP tunnels.
Enable L2TP
Enable L2TP Window
| Item | Value setting | Description |
|---|---|---|
| L2TP | Unchecked by default | Click the Enable box to activate L2TP function. |
| Client | A Must filled setting | Specify the role of L2TP. Only Client role is available for this gateway. Below are the configuration windows for L2TP Client. |
| Save | N/A | Click Save button to save the settings |
As a L2TP Client
L2TP Client Configuration
| Item Setting | Value setting | Description |
|---|---|---|
| L2TP Client | The box is unchecked by default | Check the Enable box to enable L2TP client role of the gateway. |
| Save | N/A | Click Save button to save the settings. |
| Undo | N/A | Click Undo button to cancel the settings. |
Create/Edit L2TP Client
When the Add/Edit button is applied, a series of configuration screens will appear. You can add up to 8 L2TP Clients.
L2TP Client Configuration
| Item Setting | Value setting | Description |
|---|---|---|
| Tunnel Name | A Must filled setting | Enter a tunnel name. Enter a name that is easy for you to identify. Value Range: 1 ~ 32 characters. |
| Interface | A Must filled setting | Define the selected interface to be used for this L2TP tunnel (WAN-1 is available only when WAN-1 interface is enabled). The same applies to other WAN interfaces (e.g. WAN-2). |
| Operation Mode | 1. A Must filled setting 2. Always on is selected by default | Define operation mode for the L2TP Tunnel. It can be Always On, or Failover. If this tunnel is set as a failover tunnel, you need to further select a primary tunnel from which to failover to. Note: Failover mode is not available for the gateway with single WAN. |
| L2TP over IPSec | The box is unchecked by default | Check the Enable box to activate L2TP over IPSec, and further specify a Pre-shared Key (8~32 characters). |
| Remote LNS IP/FQDN | A Must filled setting | Enter the public IP address or the FQDN of the L2TP server. |
| Remote LNS Port | 1. A Must filled setting 2. 1701 is set by default | Enter the Remote LNS Port for this L2TP tunnel. Value Range: 1 ~ 65535. |
| User Name | A Must filled setting | Enter the User Name for this L2TP tunnel to be authenticated when connecting to the L2TP server. Value Range: 1 ~ 32 characters. |
| Password | A Must filled setting | Enter the Password for this L2TP tunnel to be authenticated when connecting to the L2TP server. |
| Tunneling Password(Optional) | The box is unchecked by default | Enter the Tunneling Password for this L2TP tunnel to authenticate. |
| Remote Subnet | A Must filled setting | Specify the remote subnet for this L2TP tunnel to reach L2TP server. The Remote Subnet format must be IP address/netmask (e.g. 10.0.0.2/24). It is for the Intranet of L2TP VPN server. So, at L2TP client peer, the packets whose destination is in the dedicated subnet will be transferred via the L2TP VPN tunnel. Others will be transferred based on current routing policy of the security gateway at L2TP client peer. If you enter 0.0.0.0/0 in the Remote Subnet field, it will be treated as a default gateway setting for the L2TP client peer: all packets, including the Internet access of the L2TP Client peer, will go through the established L2TP VPN tunnel. That means the remote L2TP VPN server controls the flow of any packets from the L2TP client peer. Certainly, those packets come through the L2TP VPN tunnel. |
| Authentication Protocol | 1. A Must filled setting 2. Unchecked by default | Specify one or multiple Authentication Protocols for this L2TP tunnel. Available authentication methods are PAP / CHAP / MS-CHAP / MS-CHAP v2. |
| MPPE Encryption | 1. Unchecked by default 2. An optional setting | Specify whether L2TP server supports MPPE Protocol. Click the Enable box to enable MPPE. Note: when MPPE Encryption is enabled, the Authentication Protocol PAP / CHAP options will not be available. |
| LCP Echo Type | Auto is set by default | Specify the LCP Echo Type for this L2TP tunnel. It can be Auto, User-defined, or Disable. Auto: the system sets the Interval and Max. Failure Time. User-defined: enter the Interval and Max. Failure Time. The default value for Interval is 30 seconds, and Maximum Failure Times is 6 Times. Disable: disable the LCP Echo. Value Range: 1 ~ 99999 for Interval Time, 1~999 for Failure Time. |
| Service Port | A Must filled setting | Specify the Service Port for this L2TP tunnel to use. It can be Auto, 1701 (for Cisco), or User-defined. Auto: The system determines the service port. 1701 (for Cisco): The system uses port 1701 for connecting with CISCO L2TP Server. User-defined: Enter the service port. The default value is 0. Value Range: 0 ~ 65535. |
| Tunnel | Unchecked by default | Check the Enable box to enable this L2TP tunnel. |
| Save | N/A | Click Save button to save the settings. |
| Undo | N/A | Click Undo button to cancel the settings. |
149
M2M Cellular Gateway
5.1.4 PPTP
Point‐to‐Point Tunneling Protocol (PPTP) is a method for implementing virtual private networks. PPTP uses a
control channel over TCP and a GRE tunnel operating to encapsulate PPP packets. It is a client‐server based
technology. There are various levels of authentication and encryption for PPTP tunneling, usually natively as
standard features of the Windows PPTP stack. The security gateway can only play "PPTP Client" role for a PPTP
VPN tunnel. PPTP tunnel process is nearly the same as L2TP.
PPTP Client: It can be mobile users or gateways in remote offices with dynamic IP. To set up a tunnel, it needs
the “user name”, “password” and the server’s global IP. In addition, the operation mode of each tunnel must be
identified as main connection, failover for another tunnel, or load balance tunnel to increase overall
bandwidth. It needs to decide on “Default Gateway” or “Remote Subnet” for packet flow. Moreover, you can also
define what kind of traffic will pass through the PPTP tunnel in the “Default Gateway / Remote Subnet”
parameter.
Besides, for the PPTP client peer, a Remote Subnet item is required. It is for the Intranet of the PPTP server
peer. So, at the PPTP client peer, the packets whose destination is in the dedicated subnet will be transferred
via the PPTP tunnel. Others will be transferred based on the current routing policy of the gateway at the PPTP
client peer. But, if you entered 0.0.0.0/0 in the Remote Subnet field, it will be treated as a "Default Gateway"
setting for the PPTP client peer, and all packets, including the Internet access of the PPTP client peer, will go
through the established PPTP tunnel. That means the remote PPTP server peer controls the flow of any packets
from the PPTP client peer. Certainly, those packets come through the PPTP tunnel.
PPTP Setting
Go to Security > VPN > PPTP tab.
The PPTP setting allows user to create and configure PPTP tunnels.
Enable PPTP
Enable PPTP Window
Item: PPTP
Value setting: Unchecked by default
Description: Click the Enable box to activate PPTP function.
Item: Client
Value setting: A Must fill setting
Description: Specify the role of PPTP. Only Client role is available for this gateway. Below are
the configuration windows for PPTP Client.
Item: Save
Value setting: N/A
Description: Click Save button to save the settings.
As a PPTP Client
PPTP Client Configuration
Item: PPTP Client
Value setting: Unchecked by default
Description: Check the Enable box to enable PPTP client role of the gateway.
Item: Save
Value setting: N/A
Description: Click Save button to save the settings.
Item: Undo
Value setting: N/A
Description: Click Undo button to cancel the settings.
Create/Edit PPTP Client
When Add/Edit button is applied, a series of PPTP Client Configuration screens will appear.
PPTP Client Configuration Window
Item: Tunnel Name
Value setting: A Must fill setting
Description: Enter a tunnel name. Enter a name that is easy for you to identify.
Value Range: 1 ~ 32 characters.
Item: Interface
Value setting: 1. A Must fill setting 2. WAN1 is selected by default
Description: Define the selected interface to be used for this PPTP tunnel
(WAN‐1 is available only when WAN‐1 interface is enabled).
The same applies to other WAN interfaces (e.g. WAN‐2).
Item: Operation Mode
Value setting: 1. A Must fill setting 2. Always on is selected by default
Description: Define operation mode for the PPTP Tunnel. It can be Always On, or Failover.
If this tunnel is set as a failover tunnel, you need to further select a primary
tunnel from which to failover to.
Note: Failover mode is not available for the gateway with single WAN.
Item: Remote IP/FQDN
Value setting: 1. A Must fill setting. 2. Format can be an IPv4 address or FQDN
Description: Enter the public IP address or the FQDN of the PPTP server.
Item: User Name
Value setting: A Must fill setting
Description: Enter the User Name for this PPTP tunnel to be authenticated when connecting to the
PPTP server.
Value Range: 1 ~ 32 characters.
Item: Password
Value setting: A Must fill setting
Description: Enter the Password for this PPTP tunnel to be authenticated when connecting to the
PPTP server.
Item: Remote Subnet
Value setting: A Must fill setting
Description: Specify the remote subnet for this PPTP tunnel to reach PPTP server.
The Remote Subnet format must be IP address/netmask (e.g. 10.0.0.2/24).
It is for the Intranet of PPTP VPN server. So, at PPTP client peer, the packets
whose destination is in the dedicated subnet will be transferred via the PPTP
VPN tunnel. Others will be transferred based on current routing policy of the
security gateway at PPTP client peer.
If you entered 0.0.0.0/0 in the Remote Subnet field, it will be treated as a
default gateway setting for the PPTP client peer, and all packets, including the
Internet access of the PPTP Client peer, will go through the established PPTP VPN
tunnel. That means the remote PPTP VPN server controls the flow of any
packets from the PPTP client peer. Certainly, those packets come through the
PPTP VPN tunnel.
Item: Authentication Protocol
Value setting: 1. A Must fill setting 2. Unchecked by default
Description: Specify one or more Authentication Protocols for this PPTP tunnel.
Available authentication methods are PAP / CHAP / MS‐CHAP / MS‐CHAP v2.
Item: MPPE Encryption
Value setting: 1. Unchecked by default 2. An optional setting
Description: Specify whether PPTP server supports MPPE Protocol. Click the Enable box to
enable MPPE.
Note: when MPPE Encryption is enabled, the Authentication Protocol PAP /
CHAP options will not be available.
Item: LCP Echo Type
Value setting: Auto is set by default
Description: Specify the LCP Echo Type for this PPTP tunnel. It can be Auto, User‐defined, or
Disable.
Auto: the system sets the Interval and Max. Failure Time.
User‐defined: enter the Interval and Max. Failure Time. The default value for
Interval is 30 seconds, and Maximum Failure Times is 6 Times.
Disable: disable the LCP Echo.
Value Range: 1 ~ 99999 for Interval Time, 1 ~ 999 for Failure Time.
Item: Tunnel
Value setting: Unchecked by default
Description: Check the Enable box to enable this PPTP tunnel.
Item: Save
Value setting: N/A
Description: Click Save button to save the settings.
Item: Undo
Value setting: N/A
Description: Click Undo button to cancel the settings.
Item: Back
Value setting: N/A
Description: Click Back button to return to the previous page.
5.1.5 GRE
Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco Systems that encapsulates a
wide variety of network layer protocols inside virtual point‐to‐point links over an Internet Protocol
internetwork.
Deploy an M2M gateway at the remote site and establish a virtual private network with the control center by
using GRE tunneling. All client hosts behind the M2M gateway can then communicate with server hosts
behind the control center gateway.
GRE Tunneling is similar to IPSec Tunneling: the client requests tunnel establishment with the server. Both
the client and the server must have a Static IP or a FQDN. Any peer gateway can work as either a client
or a server, even using the same set of configuration rules.
GRE Tunnel Scenario
To set up a GRE tunnel, each peer needs to set its global IP as the tunnel IP and fill in the other's global IP
as the remote IP.
Besides, each peer must further specify the Remote Subnet item. It is for the Intranet of the GRE server peer.
So, at the GRE client peer, the packets whose destination is in the dedicated subnet will be transferred via the
GRE tunnel. Others will be transferred based on the current routing policy of the gateway at the GRE client peer.
But, if you entered 0.0.0.0/0 in the Remote Subnet field, it will be treated as a "Default Gateway" setting for
the GRE client peer, and all packets, including the Internet access of the GRE client peer, will go through the
established GRE tunnel. That means the remote GRE server peer controls the flow of any packets from the GRE
client peer. Certainly, those packets come through the GRE tunnel.
If the GRE server supports the DMVPN Hub function, like a Cisco router acting as the VPN concentrator, the GRE
client can activate the DMVPN spoke function here since it is implemented by GRE over IPSec tunneling.
GRE Setting
Go to Security > VPN > GRE tab.
The GRE setting allows user to create and configure GRE tunnels.
Enable GRE
Enable GRE Window
Item: GRE Tunnel
Value setting: Unchecked by default
Description: Click the Enable box to enable GRE function.
Item: Max. Concurrent GRE Tunnels
Value setting: Depends on Product specification.
Description: The specified value will limit the maximum number of simultaneous GRE tunnel
connections. The default value can be different for the purchased model.
Item: Save
Value setting: N/A
Description: Click Save button to save the settings
Item: Undo
Value setting: N/A
Description: Click Undo button to cancel the settings
Create/Edit GRE tunnel
When Add/Edit button is applied, a GRE Rule Configuration screen will appear.
GRE Rule Configuration Window
Item: Tunnel Name
Value setting: A Must fill setting
Description: Enter a tunnel name. Enter a name that is easy for you to identify.
Value Range: 1 ~ 9 characters.
Item: Interface
Value setting: 1. A Must fill setting 2. WAN 1 is selected by default
Description: Select the interface on which GRE tunnel is to be established. It can be the
available WAN and LAN interfaces.
Item: Operation Mode
Value setting: 1. A Must fill setting 2. Always on is selected by default
Description: Define operation mode for the GRE Tunnel. It can be Always On, or Failover.
If this tunnel is set as a failover tunnel, you need to further select a primary
tunnel from which to failover to.
Note: Failover mode is not available for the gateway with single WAN.
Item: Tunnel IP
Value setting: An Optional setting
Description: Enter the Tunnel IP address and corresponding subnet mask.
Item: Remote IP
Value setting: A Must fill setting
Description: Enter the Remote IP address of remote GRE tunnel gateway. Normally this is the
public IP address of the remote GRE gateway.
Item: MTU
Value setting: 1. A Must filled setting 2. Auto (value zero) is set by default
Description: MTU refers to Maximum Transmission Unit. It specifies the largest packet size
permitted for Internet transmission.
When set to Auto (value ‘0’), the router selects the best MTU for best Internet
connection performance.
Value Range: 0 ~ 1500.
Item: Key
Value setting: An Optional setting
Description: Enter the Key for the GRE connection.
Value Range: 0 ~ 9999999999.
Item: TTL
Value setting: 1. A Must fill setting 2. 1 to 255 range
Description: Specify TTL hop‐count value for this GRE tunnel.
Value Range: 1 ~ 255.
Item: Keep alive
Value setting: 1. Unchecked by default 2. 5s is set by default
Description: Check the Enable box to enable Keep alive function.
Select Ping IP to keep alive and enter the IP address to ping.
Enter the ping time interval in seconds.
Value Range: 5 ~ 999 seconds.
Item: Remote Subnet
Value setting: A Must fill setting
Description: Specify the remote subnet for this GRE tunnel.
The Remote Subnet format must be IP address/netmask (e.g. 10.0.0.2/24).
It is for the Intranet of GRE server peer. So, at GRE client peer, the packets
whose destination is in the dedicated subnet will be transferred via the GRE
tunnel. Others will be transferred based on current routing policy of the security
gateway at GRE client peer.
If you entered 0.0.0.0/0 in the Remote Subnet field, it will be treated as a
default gateway setting for the GRE client peer, and all packets, including the
Internet access of the GRE client peer, will go through the established GRE
tunnel. That means the remote GRE server peer controls the flow of any packets
from the GRE client peer. Certainly, those packets come through the GRE
tunnel.
Item: DMVPN Spoke
Value setting: Unchecked by default
Description: Specify whether the gateway will support DMVPN Spoke for this GRE tunnel.
Check Enable box to enable DMVPN Spoke.
Item: IPSec Pre‐shared Key
Value setting: A Must fill setting
Description: Enter a DMVPN spoke authentication Pre‐shared Key (8~32 characters).
Note: Pre‐shared Key is available only when DMVPN Spoke is enabled.
Item: IPSec NAT Traversal
Value setting: Unchecked by default
Description: Check Enable box to enable NAT‐Traversal.
Note: IPSec NAT Traversal will not be available when DMVPN is not enabled.
Item: IPSec Encapsulation Mode
Value setting: Unchecked by default
Description: Specify IPSec Encapsulation Mode from the dropdown box. Transport
mode and Tunnel mode are supported.
Note: IPSec Encapsulation Mode will not be available when DMVPN is not
enabled.
Item: Tunnel
Value setting: Unchecked by default
Description: Check Enable box to enable this GRE tunnel.
Item: Save
Value setting: N/A
Description: Click Save button to save the settings.
Item: Undo
Value setting: N/A
Description: Click Undo button to cancel the settings.
Item: Back
Value setting: N/A
Description: Click Back button to return to the previous page.
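The Remote Subnet behaviour described for the L2TP, PPTP and GRE clients, as an added example (not code from the manual or the gateway firmware): it parses the field, flags a 0.0.0.0/0 entry as a default-gateway tunnel, and shows which tunnel a destination would use. The tunnel names and sample values are constructed, and picking the most specific subnet when several tunnels match is an assumption the manual does not state.

```python
import ipaddress

LOCAL = "local routing policy"  # label for traffic that is not sent into any tunnel

# Constructed sample tunnels: (tunnel name, Remote Subnet field as typed).
SAMPLE_TUNNELS = [
    ("pptp-hq", "10.0.0.2/24"),                 # the manual's own example value
    ("gre-plant", "172.16.8.0/255.255.252.0"),  # dotted netmask form
    ("l2tp-all", "0.0.0.0/0"),                  # treated as a default gateway
]


def parse_remote_subnet(text):
    """Parse 'IP address/netmask' and return the network it covers.

    10.0.0.2/24 has host bits set, so strict=False is used to normalise it
    to 10.0.0.0/24 instead of rejecting it.
    """
    text = text.strip()
    if "/" not in text:
        raise ValueError(f"Remote Subnet must be IP address/netmask, got {text!r}")
    return ipaddress.IPv4Network(text, strict=False)


def egress_for(destination, tunnels):
    """Return the tunnel that carries `destination`, or LOCAL if none does.

    Assumption: when several Remote Subnets contain the destination, the most
    specific one (longest prefix) wins.
    """
    dest = ipaddress.IPv4Address(destination)
    best_name, best_len = LOCAL, -1
    for name, field in tunnels:
        net = parse_remote_subnet(field)
        if dest in net and net.prefixlen > best_len:
            best_name, best_len = name, net.prefixlen
    return best_name


def audit(tunnels):
    """Return (tunnel, finding, detail) tuples worth a second look before saving."""
    findings = []
    for name, field in tunnels:
        try:
            net = parse_remote_subnet(field)
        except ValueError as exc:
            findings.append((name, "invalid", str(exc)))
            continue
        if net.prefixlen == 0:
            findings.append((name, "default-gateway",
                             "all traffic, Internet access included, goes to the remote peer"))
        elif ipaddress.IPv4Interface(field.strip()).ip != net.network_address:
            findings.append((name, "host-bits", f"covers {net}, not a single host"))
    return findings


if __name__ == "__main__":
    for dest in ("10.0.0.77", "172.16.10.5", "203.0.113.9"):
        print(dest, "->", egress_for(dest, SAMPLE_TUNNELS))
    for finding in audit(SAMPLE_TUNNELS + [("typo", "10.0.0.300/24")]):
        print(finding)
```

A "default-gateway" finding is the case the manual describes where the remote peer controls the flow of every packet from the client side, so it deserves a deliberate decision instead of a copy-pasted value.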
5.2 Firewall
The firewall functions include Packet Filter, URL Blocking, Content Filter, MAC Control, Application Filter, IPS
and some firewall options. The supported function can be different for the purchased gateway.
5.2.1 Packet Filter
"Packet Filter" function lets you define filtering rules for incoming and outgoing packets, so the
gateway can control which packets are allowed or blocked when passing through it. A packet filter rule should
indicate from and to which interface the packet enters and leaves the gateway, the source and destination IP
addresses, and the destination service port type and port number. In addition, it specifies the time schedule
during which the rule will be active.
Packet Filter with White List Scenario
As shown in the diagram, specify "Packet Filter Rule List" as white list (Allow those match the following
rules) and define the rules. Rule‐1 is to allow HTTP packets to pass, and Rule‐2 is to allow HTTPS packets
to pass.
Under such configuration, the gateway will allow only HTTP and HTTPS packets, issued from the IP range
192.168.123.200 to 250, which are targeted to TCP port 80 or 443 to pass the WAN interface.
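The white-list scenario above as an added example (not the gateway's own code): it evaluates packets against Rule‐1 and Rule‐2 and shows how the same rule list behaves when the list type is switched to black list. The field names, the sample packets and the use of None for "Any" are assumptions made for this example.

```python
import ipaddress
from collections import namedtuple

# Fields follow the rule parameters the manual lists; None stands for "Any".
Rule = namedtuple(
    "Rule", "name to_interface src_first src_last protocol dport_low dport_high enabled")
Packet = namedtuple("Packet", "src to_interface protocol dport")

# The scenario from the text: Rule-1 allows HTTP, Rule-2 allows HTTPS,
# both for sources 192.168.123.200 to 250 leaving through the WAN interface.
SCENARIO_RULES = [
    Rule("Rule-1", "WAN", "192.168.123.200", "192.168.123.250", "TCP", 80, 80, True),
    Rule("Rule-2", "WAN", "192.168.123.200", "192.168.123.250", "TCP", 443, 443, True),
]


def rule_matches(rule, pkt):
    """True when every field set in the rule agrees with the packet."""
    if not rule.enabled:
        return False
    if rule.to_interface is not None and rule.to_interface != pkt.to_interface:
        return False
    if rule.src_first is not None:
        src = ipaddress.IPv4Address(pkt.src)
        first = ipaddress.IPv4Address(rule.src_first)
        last = ipaddress.IPv4Address(rule.src_last)
        if not first <= src <= last:
            return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.dport_low is not None:
        # Packets without a port (e.g. ICMPv4) cannot match a port rule.
        if pkt.dport is None or not rule.dport_low <= pkt.dport <= rule.dport_high:
            return False
    return True


def decide(pkt, rules, mode):
    """Apply the list type: 'white' allows only matches, 'black' blocks only matches."""
    hit = any(rule_matches(rule, pkt) for rule in rules)
    if mode == "white":
        return "allow" if hit else "block"
    if mode == "black":
        return "block" if hit else "allow"
    raise ValueError(f"unknown list type: {mode!r}")


if __name__ == "__main__":
    samples = [  # constructed packets
        Packet("192.168.123.210", "WAN", "TCP", 443),   # inside range, HTTPS
        Packet("192.168.123.199", "WAN", "TCP", 80),    # just outside the range
        Packet("192.168.123.210", "WAN", "UDP", 53),    # DNS from an allowed host
        Packet("192.168.123.210", "WAN", "TCP", 22),    # SSH from an allowed host
    ]
    for pkt in samples:
        print(pkt, decide(pkt, SCENARIO_RULES, "white"), decide(pkt, SCENARIO_RULES, "black"))
```

Under the white list, the DNS packet from an allowed host is blocked as well, and a rule whose Enable box is left unchecked allows nothing, so both are worth checking before switching a production gateway to white-list mode.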
Packet Filter Setting
Go to Security > Firewall > Packet Filter Tab.
The packet filter setting allows user to create and customize packet filter policies to allow or reject specific
inbound/outbound packets through the router based on their office setting.
Enable Packet Filter
Configuration Window
Item Name: Packet Filter
Value setting: The box is unchecked by default
Description: Check the Enable box to activate Packet Filter function
Item Name: Black List / White List
Value setting: Deny those match the following rules is set by default
Description: When Deny those match the following rules is selected, as the name suggests,
packets specified in the rules will be blocked (black listed). In contrast, with
Allow those match the following rules, you can specifically white list the
packets to pass and the rest will be blocked.
Item Name: Log Alert
Value setting: The box is unchecked by default
Description: Check the Enable box to activate Event Log.
Item Name: Save
Value setting: N/A
Description: Click Save to save the settings
Item Name: Undo
Value setting: N/A
Description: Click Undo to cancel the settings
Create/Edit Packet Filter Rules
The gateway allows you to customize your packet filtering rules. It supports up to a maximum of 20 filter rule
sets.
When Add button is applied, Packet Filter Rule Configuration screen will appear.
Packet Filter Rule Configuration
Item Name: Rule Name
Value setting: 1. String format can be any text 2. A Must filled setting
Description: Enter a packet filter rule name. Enter a name that is easy for you to remember.
Value Range: 1 ~ 30 characters.
Item Name: From Interface
Value setting: 1. A Must filled setting 2. By default Any is selected
Description: Define the selected interface to be the packet‐entering interface of the router.
If the packets to be filtered are coming from LAN to WAN then select LAN for
this field. Or VLAN‐1 to WAN then select VLAN‐1 for this field. Other examples
are VLAN‐1 to VLAN‐2. VLAN‐1 to WAN.
Select Any to filter packets coming into the router from any interfaces.
Please note that two identical interfaces are not accepted by the router. e.g.,
VLAN‐1 to VLAN‐1.
Item Name: To Interface
Value setting: 1. A Must filled setting 2. By default Any is selected
Description: Define the selected interface to be the packet‐leaving interface of the router. If
the packets to be filtered are entering from LAN to WAN then select WAN for
this field. Or VLAN‐1 to WAN then select WAN for this field. Other examples are
VLAN‐1 to VLAN‐2. VLAN‐1 to WAN.
Select Any to filter packets leaving the router from any interfaces.
Please note that two identical interfaces are not accepted by the router. e.g.,
VLAN‐1 to VLAN‐1.
Item Name: Source IP
Value setting: 1. A Must filled setting 2. By default Any is selected
Description: This field is to specify the Source IP address.
Select Any to filter packets coming from any IP addresses.
Select Specific IP Address to filter packets coming from an IP address.
Select IP Range to filter packets coming from a specified range of IP address.
Item Name: Destination IP
Value setting: 1. A Must filled setting 2. By default Any is selected
Description: This field is to specify the Destination IP address.
Select Any to filter packets that are entering to any IP addresses.
Select Specific IP Address to filter packets entering to an IP address entered in
this field.
Select IP Range to filter packets entering to a specified range of IP address
entered in this field.
Item Name: Source MAC
Value setting: 1. A Must filled setting 2. By default Any is selected
Description: This field is to specify the Source MAC address.
Select Any to filter packets coming from any MAC addresses.
Select Specific MAC Address to filter packets coming from a MAC address.
Item Name: Protocol
Value setting: 1. A Must filled setting 2. By default Any(0) is selected
Description: For Protocol, select Any to filter any protocol packets.
Then for Source Port, select a predefined port dropdown box when Well‐known
Service is selected, otherwise select User‐defined Service and specify a port
range.
Then for Destination Port, select a predefined port dropdown box when Well‐known
Service is selected, otherwise select User‐defined Service and specify a
port range.
Value Range: 1 ~ 65535 for Source Port, Destination Port.
For Protocol, select ICMPv4 to filter ICMPv4 packets.
For Protocol, select TCP to filter TCP packets.
Then for Source Port, select a predefined port dropdown box when Well‐known
Service is selected, otherwise select User‐defined Service and specify a port
range.
Then for Destination Port, select a predefined port dropdown box when Well‐known
Service is selected, otherwise select User‐defined Service and specify a
port range.
Value Range: 1 ~ 65535 for Source Port, Destination Port.
For Protocol, select UDP to filter UDP packets.
Then for Source Port, select a predefined port dropdown box when Well‐known
Service is selected, otherwise select User‐defined Service and specify a port
range.
Then for Destination Port, select a predefined port dropdown box when Well‐known
Service is selected, otherwise select User‐defined Service and specify a
port range.
Value Range: 1 ~ 65535 for Source Port, Destination Port.
For Protocol, select GRE to filter GRE packets.
For Protocol, select ESP to filter ESP packets.
For Protocol, select SCTP to filter SCTP packets.
For Protocol, select User‐defined to filter packets with specified port number.
Then enter a port number in Protocol Number box.
Item Name: Time Schedule
Value setting: A Must filled setting
Description: Apply Time Schedule to this rule, otherwise leave it as Always.
If the dropdown list is empty ensure Time Schedule is pre‐configured. Refer to
Object Definition > Scheduling > Configuration tab.
Item Name: Rule
Value setting: The box is unchecked by default.
Description: Click Enable box to activate this rule then save the settings.
Item Name: Save
Value setting: N/A
Description: Click Save to save the settings
Item Name: Undo
Value setting: N/A
Description: Click Undo to cancel the settings
Item Name: Back
Value setting: N/A
Description: When the Back button is clicked the screen will return to the Packet Filter
Configuration page.
5.2.2 URL Blocking
"URL Blocking" function can let you define blocking or allowing rules for incoming and outgoing Web request
packets. With defined rules, gateway can control the Web requests containing the complete URL, partial
domain name, or pre‐defined keywords. For example, one can filter out or allow only the Web requests based
on domain input suffixes like .com or .org or keywords like “bct” or “mpe”.
A URL blocking rule should specify the URL, partial domain name, or included keywords in the Web requests
from and to the gateway and also the destination service port. Besides, a certain time schedule can be applied
to activate the URL Blocking rules during pre‐defined time interval(s).
The gateway logs and displays the disallowed web access requests that matched the defined URL
blocking rule in the black‐list or in the exclusion of the white‐list.
When you choose "Allow all to pass except those match the following rules" for the "URL Blocking Rule List",
you are setting the defined URL blocking rules to belong to the black list. The packets listed in the rule list will
be blocked if one pattern in the requests matches one rule. Other Web requests can pass through the
gateway. In contrast, when you choose "Deny all to pass except those match the following rules" for the "URL
Blocking Rule List", you are setting the defined URL blocking rules to belong to the white list. The Web
requests listed in the rule will be allowed if one pattern in the requests matches one rule. Other Web
requests will be blocked.
URL Blocking Rule with Black List
When the administrator of the gateway wants to block the Web requests with some dedicated patterns, he can
use the "URL Blocking" function to block specific Web requests by defining the black list as shown in above
diagram. Certainly, when the administrator wants to allow only the Web requests with some dedicated patterns
to go through the gateway, he can also use the "URL Blocking" function by defining the white list to meet the
requirement.
As shown in the diagram, enable the URL blocking function and create the first rule to deny the Web requests
with "sex" or "sexygirl" patterns and the other to deny the Web requests with "playboy" pattern to go through
the gateway. The system will block the Web requests with "sex", "sexygirl" or "playboy" patterns from passing
through the gateway.
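The keyword handling in the black-list scenario above, as an added example (not the gateway's own code): it splits a rule's keyword field on ";", enforces the limit of 10 keywords per rule, and shows which requests a keyword list catches. Case-insensitive substring matching over host, path and query is an assumption about how "partial domain name" and "keyword" matching behave; the rule names and URLs are constructed.

```python
from urllib.parse import urlsplit

MAX_KEYWORDS = 10  # per-rule limit stated in the rule configuration table

# The two rules from the scenario: (rule name, URL / Domain Name / Keyword field).
SCENARIO_RULES = [
    ("rule-1", "sex;sexygirl"),
    ("rule-2", "playboy"),
]


def parse_keywords(field):
    """Split the field on ';', drop empty entries and enforce the 10-keyword limit."""
    keywords = [part.strip().lower() for part in field.split(";") if part.strip()]
    if not keywords:
        raise ValueError("a rule needs at least one URL, domain name or keyword")
    if len(keywords) > MAX_KEYWORDS:
        raise ValueError(f"{len(keywords)} keywords given, at most {MAX_KEYWORDS} allowed")
    return keywords


def matched_keyword(url, rules):
    """Return (rule name, keyword) for the first keyword found in the request, else None."""
    parts = urlsplit(url if "//" in url else "//" + url)
    haystack = parts.netloc + parts.path
    if parts.query:
        haystack += "?" + parts.query
    haystack = haystack.lower()
    for name, field in rules:
        for keyword in parse_keywords(field):
            if keyword in haystack:  # assumption: plain substring match
                return name, keyword
    return None


def decide(url, rules, mode):
    """'black' blocks matching requests, 'white' allows only matching requests."""
    hit = matched_keyword(url, rules) is not None
    if mode == "black":
        return "block" if hit else "allow"
    if mode == "white":
        return "allow" if hit else "block"
    raise ValueError(f"unknown list type: {mode!r}")


def shadowed_keywords(rules):
    """Keywords that can never change the outcome because a shorter one contains them."""
    every = [kw for _, field in rules for kw in parse_keywords(field)]
    return sorted({kw for kw in every for other in every if other != kw and other in kw})


if __name__ == "__main__":
    for url in ("http://sexygirl.example/",
                "http://www.essex.example/library",      # unrelated site, still matches "sex"
                "http://plc-vendor.example/firmware"):
        print(url, decide(url, SCENARIO_RULES, "black"), matched_keyword(url, SCENARIO_RULES))
    print("shadowed:", shadowed_keywords(SCENARIO_RULES))
```

Short keywords over-match under this assumption ("sex" also blocks www.essex.example), which is the usual reason to prefer full domain names in a black list and to review the event log after enabling Log Alert.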
URL Blocking Setting
Go to Security > Firewall > URL Blocking Tab.
In "URL Blocking" page, there are three configuration windows. They are the "Configuration" window, "URL
Blocking Rule List" window, and "URL Blocking Rule Configuration" window.
The "Configuration" window lets you activate the URL blocking function and specify whether the packets
defined in the "URL Blocking Rule List" entries are black listed or white listed. In addition, log alerting can be
enabled to record on‐going events for any disallowed Web request packets. Refer to "System Status" in the
"6.1.1 System Related" section of this user manual for how to view the recorded log.
The "URL Blocking Rule List" window lists all your defined URL blocking rule entries. Finally, the "URL
Blocking Rule Configuration" window lets you define URL blocking rules. The parameters in a rule include
the rule name, the Source IP or MAC, the URL/Domain Name/Keyword, the destination service ports, the
integrated time schedule rule and the rule activation.
Enable URL Blocking
Configuration
Item: URL Blocking
Value setting: The box is unchecked by default
Description: Check the Enable box to activate URL Blocking function.
Item: Black List / White List
Value setting: Deny those match the following rules is set by default
Description: Specify the URL Blocking Policy, either Black List or White List.
Black List: When Deny those match the following rules is selected, as the name
suggests, the matched Web request packets will be blocked.
White List: When Allow those match the following rules is selected, the matched
Web request packets can pass through the Gateway, and the others that don’t match
the rules will be blocked.
Item: Log Alert
Value setting: The box is unchecked by default
Description: Check the Enable box to activate Event Log.
Item: Save
Value setting: NA
Description: Click Save button to save the settings
Item: Undo
Value setting: NA
Description: Click Undo button to cancel the settings
Create/Edit URL Blocking Rules
The Gateway supports up to a maximum of 20 URL blocking rule sets. Ensure that URL Blocking is enabled before
creating blocking rules.
When Add button is applied, the URL Blocking Rule Configuration screen will appear.
URL Blocking Rules Configuration
Item: Rule Name
Value setting: 1. String format can be any text 2. A Must filled setting
Description: Specify a URL Blocking rule name. Enter a name that is easy for you to
understand.
Item: Source IP
Value setting: 1. A Must filled setting 2. Any is set by default
Description: This field is to specify the Source IP address.
• Select Any to filter packets coming from any IP addresses.
• Select Specific IP Address to filter packets coming from an IP address entered in
this field.
• Select IP Range to filter packets coming from a specified range of IP address
entered in this field.
Item: Source MAC
Value setting: 1. A Must filled setting 2. Any is set by default
Description: This field is to specify the Source MAC address.
• Select Any to filter packets coming from any MAC addresses.
• Select Specific MAC Address to filter packets coming from a MAC address
entered in this field.
Item: URL / Domain Name / Keyword
Value setting: 1. A Must filled setting 2. Supports up to a maximum of 10 Keywords
in a rule by using the delimiter “;”.
Description: Specify URL, Domain Name, or Keyword list for URL checking.
• In the Black List mode, if a matched rule is found, the packets will be dropped.
• In the White List mode, if a matched rule is found, the packets will be accepted
and the others which don’t match any rule will be dropped.
Item: Destination Port
Value setting: 1. A Must filled setting 2. Any is set by default
Description: This field is to specify the Destination Port number.
• Select Any to filter packets going to any Port.
• Select Specific Service Port to filter packets going to a specific Port entered in this field.
• Select Port Range to filter packets going to a specific range of Ports entered in this field.
Item: Time Schedule Rule
Value setting: A Must filled setting
Description: Apply a specific Time Schedule to this rule; otherwise leave it as (0) Always.
If the dropdown list is empty ensure Time Schedule is pre‐configured. Refer to Object
Definition > Scheduling > Configuration tab.
Item: Rule
Value setting: The box is unchecked by default.
Description: Click the Enable box to activate this rule.
Item: Save
Value setting: NA
Description: Click the Save button to save the settings.
Item: Undo
Value setting: NA
Description: Click the Undo button to cancel the changes.
Item: Back
Value setting: NA
Description: Click the Back button to return to the URL Blocking Configuration page.
5.2.3 MAC Control
"MAC Control" function allows you to assign the accessibility to the gateway for different users based on
device’s MAC address. When the administrator wants to reject traffic from some client hosts with specific
MAC addresses, he can use the "MAC Control" function to reject it with the black list configuration.
MAC Control with Black List Scenario
As shown in the diagram, enable the MAC control function, specify the "MAC Control Rule List" as a black list,
and configure one MAC control rule for the gateway to deny the connection request from the "JP NB" with its
own MAC address 20:6A:6A:6A:6A:6B.
The system will block connections from the "JP NB" to the gateway but allow others.
MAC Control Setting
Go to Security > Firewall > MAC Control Tab.
The MAC control setting allows user to create and customize MAC address policies to allow or reject packets
with specific source MAC address.
Enable MAC Control
Configuration Window
Item: MAC Control
Value setting: The box is unchecked by default
Description: Check the Enable box to activate the MAC filter function
Item: Black List / White List
Value setting: Deny MAC Address Below is set by default
Description: When Deny MAC Address Below is selected, as the name suggests, packets
specified in the rules will be blocked (black listed). In contrast, with Allow MAC
Address Below, you can specifically white list the packets to pass and the rest
will be blocked.
Item: Log Alert
Value setting: The box is unchecked by default
Description: Check the Enable box to activate Event Log.
Item: Known MAC from LAN PC List
Value setting: N/A
Description: Select a MAC Address from LAN Client List. Click the Copy to button to copy the
selected MAC Address to the filter rule.
Item: Save
Value setting: N/A
Description: Click Save to save the settings
Item: Undo
Value setting: N/A
Description: Click Undo to cancel the settings
Create/Edit MAC Control Rules
The gateway supports up to a maximum of 20 filter rule sets. Ensure that the MAC Control is enabled before
we can create control rules.
When Add button is applied, Filter Rule Configuration screen will appear.
MAC Control Rule Configuration
Item: Rule Name
Value setting: 1. String format can be any text 2. A Must fill setting
Description: Enter a MAC Control rule name. Enter a name that is easy for you to remember.
Item: MAC Address (Use : to Compose)
Value setting: 1. MAC Address string Format 2. A Must fill setting
Description: Specify the Source MAC Address to filter rule.
Item: Time Schedule
Value setting: A Must fill setting
Description: Apply Time Schedule to this rule; otherwise leave it as (0) Always.
If the dropdown list is empty, ensure Time Schedule is pre‐configured. Refer to
Object Definition > Scheduling > Configuration tab
Item: Enable
Value setting: The box is unchecked by default.
Description: Click Enable box to activate this rule, and then save the settings.
Item: Save
Value setting: N/A
Description: Click Save to save the settings
Item: Undo
Value setting: N/A
Description: Click Undo to cancel the settings
Item: Back
Value setting: N/A
Description: Click Back to return to the MAC Control Configuration page.
5.2.4 Content Filter (not supported)
This feature is not supported on the purchased product; leave it blank.
5.2.5 Application Filter (not supported)
This feature is not supported on the purchased product; leave it blank.
5.2.6 IPS
To provide application servers on the Internet, the administrator may need to open specific ports for the services.
However, there are risks in keeping service ports always open to the Internet. In order to avoid such attack risks,
it is important to enable IPS functions.
Intrusion Prevention Systems (IPS) are network security appliances that monitor network and/or system
activities for malicious activity. The main functions of IPS are to identify malicious activity, log information
about this activity, attempt to block/stop it and report it. You can enable the IPS function and check the listed
intrusion activities when needed. You can also enable the log alerting so that the system will record intrusion
events when corresponding intrusions are detected.
IPS Scenario
As shown in the diagram, the gateway serves as an E‐mail server and Web Server, and also provides TCP port 8080
for remote administration. So, remote users or unknown users can request those services from the Internet.
With IPS enabled, the gateway can detect incoming attack packets, including those to the TCP ports (25, 80,
110, 443 and 8080) with services. It will block the attack packets and let normal access pass through the
gateway.
IPS Setting
Go to Security > Firewall > IPS Tab.
The Intrusion Prevention System (IPS) setting allows user to customize intrusion prevention rules to prevent
malicious packets.
Enable IPS Firewall
Configuration Window
Item: IPS
Value setting: The box is unchecked by default
Description: Check the Enable box to activate IPS function
Item: Log Alert
Value setting: The box is unchecked by default
Description: Check the Enable box to activate Event Log.
Item: Save
Value setting: N/A
Description: Click Save to save the settings
Item: Undo
Value setting: N/A
Description: Click Undo to cancel the settings
Setup Intrusion Prevention Rules
The router allows you to select the intrusion prevention rules you want to enable. Ensure that IPS is
enabled before enabling the defense functions.
Setup Intrusion Prevention Rules
Item Name: SYN Flood Defense / UDP Flood Defense / ICMP Flood Defense
Value setting: 1. A Must filled setting 2. The box is unchecked by default.
3. Traffic threshold is set to 300 by default 4. The value range can be from 10 to 10000.
Description: Click Enable box to activate this intrusion prevention rule and
enter the traffic threshold in this field.
Value Range: 10 ~ 10000.
Item Name: Port Scan Detection
Value setting: 1. A Must filled setting 2. The box is unchecked by default.
3. Traffic threshold is set to 200 by default 4. The value range can be from 10 to 10000.
Description: Click Enable box to activate this intrusion prevention rule and
enter the traffic threshold in this field.
Value Range: 10 ~ 10000.
Item Name: Block Land Attack / Block Ping of Death / Block IP Spoof / Block TCP Flag Scan /
Block Smurf / Block Traceroute / Block Fraggle Attack
Value setting: The box is unchecked by default.
Description: Click Enable box to activate this intrusion prevention rule.
Item Name: ARP Spoofing Defence
Value setting: 1. A Must filled setting 2. The box is unchecked by default.
3. Traffic threshold is set to 300 by default 4. The value range can be from 10 to 10000.
Description: Click Enable box to activate this intrusion prevention rule and
enter the traffic threshold in this field.
Value Range: 10 ~ 10000.
Item Name: Save
Value setting: NA
Description: Click Save to save the settings
Item Name: Undo
Value setting: NA
Description: Click Undo to cancel the settings
5.2.7 Options
This page provides some additional useful firewall options.
“Stealth Mode” stops the gateway from responding to port scans from the WAN, which makes it less susceptible to discovery and attacks on the Internet. “SPI” enables the gateway to record packet information such as IP address, port address, ACK and SEQ number while packets pass through the gateway, and the gateway checks every incoming packet to detect whether it is valid.
“Discard Ping from WAN” prevents any host on the WAN side from pinging this gateway. Finally, “Remote Administrator Hosts” enables you to perform administration tasks from a remote host. If this feature is enabled, only the specified IP address(es) can perform remote administration.
Enable SPI Scenario
As shown in the diagram, the Gateway has the IP address 118.18.81.200 on its WAN interface and 192.168.1.253 on its LAN interface. It serves as a NAT gateway. Users in Network‐A access the cloud server through the gateway. Sometimes, unknown users will simulate the packets but use a different source IP to masquerade. With the SPI feature enabled at the gateway, it will block such packets from unknown users.
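The check described in this scenario can be modelled in a few lines. The sketch below is an added example, not code from the gateway or its vendor: a simplified state table that records outbound flows and rejects inbound packets that match no recorded flow or that acknowledge data never sent. The cloud server and masquerading addresses are constructed, and sequence-number wraparound is ignored.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int = 0
    ack: int = 0
    length: int = 0
    syn: bool = False


class StatefulInspector:
    """Simplified model of SPI on the WAN side of a NAT gateway."""

    def __init__(self):
        # (local ip, local port, remote ip, remote port) -> next sequence number to send
        self.flows = {}

    def outbound(self, pkt):
        """Record a packet leaving through the WAN interface."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        sent_up_to = pkt.seq + pkt.length + (1 if pkt.syn else 0)
        self.flows[key] = max(self.flows.get(key, 0), sent_up_to)

    def inbound(self, pkt):
        """Return (accepted, reason) for a packet arriving on the WAN interface."""
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        sent_up_to = self.flows.get(key)
        if sent_up_to is None:
            return False, "no matching outbound flow"
        if pkt.ack > sent_up_to:
            return False, "ACK acknowledges data never sent"
        return True, "matches recorded flow"


GATEWAY_WAN = "118.18.81.200"   # WAN address from the scenario
CLOUD = "203.0.113.10"          # constructed cloud server address
UNKNOWN = "198.51.100.7"        # constructed masquerading source


def demo():
    """Replay the scenario and return the verdict for each inbound packet."""
    spi = StatefulInspector()
    # A Network-A user opens a connection; after NAT it leaves from the WAN address.
    spi.outbound(Packet(GATEWAY_WAN, 40000, CLOUD, 443, seq=1000, syn=True))
    return [
        # Genuine reply from the cloud server.
        spi.inbound(Packet(CLOUD, 443, GATEWAY_WAN, 40000, seq=7000, ack=1001, syn=True)),
        # Same ports, but a source address that was never contacted.
        spi.inbound(Packet(UNKNOWN, 443, GATEWAY_WAN, 40000, seq=7000, ack=1001)),
        # Right addresses, but an ACK number for data the client never sent.
        spi.inbound(Packet(CLOUD, 443, GATEWAY_WAN, 40000, seq=7001, ack=5000)),
    ]
```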
Discard Ping from WAN & Remote Administrator Hosts Scenario
“Discard Ping from WAN” prevents any host on the WAN side from pinging this gateway; the gateway does not reply to ICMP packets from the WAN. Enable the Discard Ping from WAN function to prevent security leaks when local users surf the Internet.
The remote administrator knows the gateway’s global IP and can access the Gateway GUI via TCP port 8080.
Firewall Options Setting
Go to Security > Firewall > Options Tab.
The firewall options setting allows the network administrator to modify the behavior of the firewall and to enable Remote Router Access Control.
Enable Firewall Options
Firewall Options
| Item | Value setting | Description |
|---|---|---|
| Stealth Mode | The box is unchecked by default | Check the Enable box to activate the Stealth Mode function |
| SPI | The box is checked by default | Check the Enable box to activate the SPI function |
| Discard Ping from WAN | The box is unchecked by default | Check the Enable box to activate the Discard Ping from WAN function |
Define Remote Administrator Host
The router allows the network administrator to manage the router remotely. The network administrator can assign a specific IP address and service port that are allowed to access the router.
Remote Administrator Host Definition
| Item | Value setting | Description |
|---|---|---|
| Protocol | HTTP is set by default | Select HTTP or HTTPS method for router access. |
| IP | A Must filled setting | This field is to specify the remote host to assign access right for remote access. Select Any IP to allow any remote hosts. Select Specific IP to allow the remote host coming from a specific subnet. An IP address entered in this field and a selected Subnet Mask compose the subnet. |
| Service Port | 1. 80 for HTTP by default 2. 443 for HTTPS by default | This field is to specify a Service Port to HTTP or HTTPS connection. Value Range: 1 ~ 65535. |
| Enabling the rule | The box is unchecked by default. | Click Enable box to activate this rule. |
| Save | N/A | Click Enable box to activate this rule then save the settings. |
| Undo | N/A | Click Undo to cancel the settings |
Chapter 6 Administration
6.1 Configure & Manage
Configure & Manage refers to enterprise‐wide administration of distributed systems including (and commonly
in practice) computer systems. Centralized management has a time and effort trade‐off that is related to the
size of the company, the expertise of the IT staff, and the amount of technology being used. This device
supports many system management protocols, such as Command Script, TR‐069, SNMP, and Telnet with CLI.
You can set up those configurations in the "Configure & Manage" section.
6.1.1 Command Script
Command script configuration is the application that allows the administrator to set up a pre‐defined configuration in plain text style and apply the configuration on startup.
Go to Administration > Command Script > Configuration Tab.
Enable Command Script Configuration
Configuration
| Item | Value setting | Description |
|---|---|---|
| Configuration | The box is unchecked by default | Check the Enable box to activate the Command Script function. |
| Backup Script | N/A | Click the Via Web UI or Via Storage button to back up the existing command script in a .txt file. You can specify the script file name in Script Name below. |
| Upload Script | N/A | Click the Via Web UI or Via Storage button to upload the existing command script from a specified .txt file. |
| Script Name | 1. An Optional setting 2. Any valid file name | Specify a script file name for script backup, or display the selected upload script file name. Value Range: 0 ~ 32 characters. |
| Version | 1. An Optional setting 2. Any string | Specify the version number for the applied Command script. Value Range: 0 ~ 32 characters. |
| Description | 1. An Optional setting 2. Any string | Enter a short description for the applied Command script. |
| Update time | N/A | It records the upload time for the last command script upload. |
Edit/Backup Plain Text Command Script
You can edit the plain text configuration settings in the configuration screen as above.
Plain Text Configuration
| Item | Value setting | Description |
|---|---|---|
| Clean | NA | Clean text area. (You should click Save button to further clean the configuration already saved in the system.) |
| Backup | NA | Backup and download configuration. |
| Save | NA | Save configuration |
The supported plain text configuration items are shown in the following list. Settings that can be executed with standard Linux commands can be put in a script file and applied to the system configuration with the STARTUP command. Configurations that have no corresponding Linux command can be set with the proprietary command set.
Configuration Content
| Key | Value setting | Description |
|---|---|---|
| OPENVPN_ENABLED | 1 : enable 0 : disable | Enable or disable OpenVPN Client function. |
| OPENVPN_DESCRIPTION | A Must filled Setting | Specify the tunnel name for the OpenVPN Client connection. |
| OPENVPN_PROTO | udp tcp | Define the Protocol for the OpenVPN Client. Select TCP or TCP/UDP: the OpenVPN will use TCP protocol, and Port will be set as 443 automatically. Select UDP: the OpenVPN will use UDP protocol, and Port will be set as 1194 automatically. |
| OPENVPN_PORT | | Specify the Port for the OpenVPN Client to use. |
| OPENVPN_REMOTE_IPADDR | A Must filled Setting. IP or FQDN | Specify the Remote IP/FQDN of the peer OpenVPN Server for this OpenVPN Client tunnel. Fill in the IP address or FQDN. |
| OPENVPN_PING_INTVL | seconds | Specify the time interval for OpenVPN keep‐alive checking. |
| OPENVPN_PING_TOUT | seconds | Specify the timeout value for OpenVPN Client keep‐alive checking. |
| OPENVPN_COMP | Adaptive | Specify the LZO Compression algorithm for OpenVPN client. |
| OPENVPN_AUTH | Static Key/TLS | Specify the authorization mode for the OpenVPN tunnel. TLS: the OpenVPN will use TLS authorization mode, and the following items CA Cert., Client Cert. and Client Key need to be specified as well. |
| OPENVPN_CA_CERT | A Must filled Setting | Specify the Trusted CA certificate for the OpenVPN client. It will go through Base64 Conversion. |
| OPENVPN_LOCAL_CERT | A Must filled Setting | Specify the local certificate for OpenVPN client. It will go through Base64 Conversion. |
| OPENVPN_LOCAL_KEY | A Must filled Setting | Specify the local key for the OpenVPN client. It will go through Base64 Conversion. |
| OPENVPN_EXTRA_OPTS | Options | Specify the extra options setting for the OpenVPN client. |
| IP_ADDR1 | Ip | Ethernet LAN IP |
| IP_NETM1 | Net mask | Ethernet LAN MASK |
| PPP_MONITORING | 1 : enable 0 : disable | When the Network Monitoring feature is enabled, the router will use DNS Query or ICMP to periodically check Internet connection – connected or disconnected. |
| PPP_PING | 0 : DNS Query 1 : ICMP Query | With DNS Query, the system checks the connection by sending DNS Query packets to the destination specified in PPP_PING_IPADDR. With ICMP Query, the system will check connection by sending ICMP request packets to the destination specified in PPP_PING_IPADDR. |
| PPP_PING_IPADDR | IP | Specify an IP address as the target for sending DNS query/ICMP request. |
| PPP_PING_INTVL | seconds | Specify the time interval between two DNS Query or ICMP checking packets. |
| STARTUP | Script file | For the configurations that can be configured with standard Linux commands, you can put them in a script file, and apply the script file with STARTUP command. |

For example:
STARTUP=#!/bin/sh
STARTUP=echo "startup done" > /tmp/demo
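A command script is applied at startup and its STARTUP lines run as a shell script, so it is worth checking a file before it is uploaded or committed. The linter below is an added example, not part of the manual or the vendor's tooling: it checks a script against the keys and value rules in the table above and returns the STARTUP lines for review. It assumes one KEY=VALUE setting per line (the form of the STARTUP example), that the TLS mode is written as TLS, and that certificate and key values are stored Base64‐encoded; the sample script and its UNDOCUMENTED_KEY entry are constructed.

```python
import base64
import ipaddress

# Keys listed in the manual's "Configuration Content" table (STARTUP is handled apart).
KNOWN_KEYS = set("""OPENVPN_ENABLED OPENVPN_DESCRIPTION OPENVPN_PROTO OPENVPN_PORT
OPENVPN_REMOTE_IPADDR OPENVPN_PING_INTVL OPENVPN_PING_TOUT OPENVPN_COMP OPENVPN_AUTH
OPENVPN_CA_CERT OPENVPN_LOCAL_CERT OPENVPN_LOCAL_KEY OPENVPN_EXTRA_OPTS IP_ADDR1
IP_NETM1 PPP_MONITORING PPP_PING PPP_PING_IPADDR PPP_PING_INTVL""".split())
FLAGS = ("OPENVPN_ENABLED", "PPP_MONITORING", "PPP_PING")        # 0 or 1
SECONDS = ("OPENVPN_PING_INTVL", "OPENVPN_PING_TOUT", "PPP_PING_INTVL")
TLS_ITEMS = ("OPENVPN_CA_CERT", "OPENVPN_LOCAL_CERT", "OPENVPN_LOCAL_KEY")
CURLY_QUOTES = "\u201c\u201d\u2018\u2019"


def _valid(check, value):
    """True if check(value) does not raise ValueError."""
    try:
        check(value)
        return True
    except ValueError:      # also covers binascii.Error and the ipaddress errors
        return False


def lint(text):
    """Check a command script; return (problems, startup_lines)."""
    settings, startup, problems = {}, [], []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep:
            problems.append(f"line {number}: not in KEY=VALUE form")
        elif key == "STARTUP":
            startup.append(value)   # repeated STARTUP lines form one shell script
        elif key not in KNOWN_KEYS:
            problems.append(f"line {number}: unknown key {key}")
        else:
            settings[key] = value.strip()
    for key in FLAGS:
        if settings.get(key, "0") not in ("0", "1"):
            problems.append(f"{key}: must be 0 or 1")
    for key in SECONDS:
        if key in settings and not settings[key].isdecimal():
            problems.append(f"{key}: must be a number of seconds")
    for key in ("IP_ADDR1", "PPP_PING_IPADDR"):
        if key in settings and not _valid(ipaddress.ip_address, settings[key]):
            problems.append(f"{key}: not an IP address")
    mask = settings.get("IP_NETM1")
    if mask is not None and not _valid(lambda m: ipaddress.IPv4Network("0.0.0.0/" + m), mask):
        problems.append("IP_NETM1: not a valid net mask")
    if settings.get("OPENVPN_ENABLED") == "1":
        for key in ("OPENVPN_DESCRIPTION", "OPENVPN_REMOTE_IPADDR"):
            if not settings.get(key):
                problems.append(f"{key}: must be filled when OpenVPN is enabled")
        if settings.get("OPENVPN_PROTO") not in ("udp", "tcp"):
            problems.append("OPENVPN_PROTO: must be udp or tcp")
        port = settings.get("OPENVPN_PORT", "")
        if port and not (port.isdecimal() and 1 <= int(port) <= 65535):
            problems.append("OPENVPN_PORT: not a port number")
        if settings.get("OPENVPN_AUTH", "").upper() == "TLS":
            for key in TLS_ITEMS:
                if not settings.get(key):
                    problems.append(f"{key}: required for TLS mode")
                elif not _valid(lambda v: base64.b64decode(v, validate=True), settings[key]):
                    problems.append(f"{key}: value is not Base64")
    for line in startup:
        # Quotes pasted from a word processor are not shell quotes.
        if any(ch in line for ch in CURLY_QUOTES):
            problems.append(f"STARTUP: typographic quote in {line!r}")
    return problems, startup


# Constructed sample script with several deliberate mistakes.
SAMPLE = """\
OPENVPN_ENABLED=1
OPENVPN_DESCRIPTION=site-a
OPENVPN_PROTO=udp
OPENVPN_PORT=1194
OPENVPN_REMOTE_IPADDR=vpn.example.net
OPENVPN_AUTH=TLS
OPENVPN_CA_CERT=Q09OU1RSVUNURUQgQ0E=
OPENVPN_LOCAL_CERT=not base64!
PPP_MONITORING=1
PPP_PING=2
IP_ADDR1=192.168.1.253
IP_NETM1=255.255.0.255
UNDOCUMENTED_KEY=1
STARTUP=#!/bin/sh
STARTUP=echo \u201cstartup done\u201d > /tmp/demo
"""
```

Review the returned STARTUP lines by hand as well: they execute on the gateway at boot, so the file deserves the same handling as any other privileged script.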
Plain Text System Configuration with Telnet
In addition to the web‐style plain text configuration mentioned above, the gateway system also allows configuration via the Telnet CLI. The administrator can use the proprietary telnet command “txtConfig” and related action items to perform the plain text system configuration.
The command format is: txtConfig (action) [option]
| Action | Option | Description |
|---|---|---|
| clone | Output file | Duplicate the configuration content from database and store it as a configuration file. (ex: txtConfig clone /tmp/config) The contents in the configuration file are the same as the plain text commands mentioned above. This action is exactly the same as performing the “Backup” plain text configuration. |
| commit | an existing file | Commit the configuration content to database. (ex: txtConfig commit /tmp/config) |
| enable | NA | Enable plain text system config. (ex: txtConfig enable) |
| disable | NA | Disable plain text system config. (ex: txtConfig disable) |
| run_immediately | NA | Apply the configuration content that has been committed in database. (ex: txtConfig run_immediately) |
| run_immediately | an existing file | Assign a configuration file to apply. (ex: txtConfig run_immediately /tmp/config) |
6.1.2 TR‐069
TR‐069 (Technical Report 069) is a Broadband Forum technical specification entitled CPE WAN Management Protocol (CWMP). It defines an application layer protocol for remote management of end‐user devices, like this gateway device. As a bidirectional SOAP/HTTP‐based protocol, it provides the communication between customer‐premises equipment (CPE) and Auto Configuration Servers (ACS). The Security Gateway is such a CPE.
TR‐069 is a customized feature for ISPs. It is not recommended that you change its configuration. If you have any problem using this feature for device management, please contact your ISP or the ACS provider for help. At the upper right corner of the TR‐069 Setting screen, the “[Help]” command shows the same message.
Scenario ‐ Managing deployed gateways through an ACS Server
Scenario Application Timing
When the enterprise data center wants to use an ACS server to manage remote gateways that are geographically distributed elsewhere in the world, the gateways in all branch offices must have an embedded TR‐069 agent to communicate with the ACS server, so that the ACS server can configure, upgrade the FW of, and monitor these gateways and their corresponding Intranets.
Scenario Description
The ACS server can configure, upgrade with latest FW and monitor these gateways.
Remote gateways inquire the ACS server for jobs to do in each time period.
The ACS server can ask the gateways to execute some urgent jobs.
Parameter Setup Example
The following table lists the parameter configuration as an example for Gateway 1 in the above diagram with "TR‐069" enabled.
Use the default value for those parameters that are not mentioned in the table.
| Configuration Path | [TR‐069]‐[Configuration] |
|---|---|
| TR‐069 | ■ Enable |
| ACS URL | http://qa.acslite.com/cpe.php |
| ACS User Name | ACSUserName |
| ACS Password | ACSPassword |
| ConnectionRequest Port | 8099 |
| ConnectionRequest User Name | ConnReqUserName |
| ConnectionRequest Password | ConnReqPassword |
| Inform | ■ Enable Interval 900 |
Scenario Operation Procedure
In above diagram, the ACS server can manage multiple gateways in the Internet. The "Gateway 1" is
one of them and has 118.18.81.33 IP address for its WAN‐1 interface.
When all remote gateways have booted up, they will try to connect to the ACS server.
Once the connections are established successfully, the ACS server can configure, upgrade with latest
FW and monitor these gateways.
Remote gateways inquire the ACS server for jobs to do in each time period.
If the ACS server needs some urgent jobs to be done by the gateways, it will issue the "Connection Request" command to those gateways, and those gateways make immediate connections in response to the ACS server’s immediate connection request to execute the urgent jobs.
TR‐069 Setting
Go to Administration > Configure & Manage > TR‐069 tab.
In the "TR‐069" page, there is only one configuration window for the TR‐069 function. In the window, you must specify the related information for your security gateway to connect to the ACS. Make the function work by specifying the URL of the ACS server, the account information to log in to the ACS server, the service port and the account information for connection requests from the ACS server, and the time interval for job inquiry.
Except at the inquiry time, there is no activity between the ACS server and the gateways until the next inquiry cycle. But if the ACS server has new jobs that the gateways are expected to do urgently, it will use the connection request related information to ask these gateways to connect immediately to inquire about and execute the jobs.
Enable TR‐069
TR‐069
| Item | Value setting | Description |
|---|---|---|
| TR‐069 | The box is unchecked by default | Check the Enable box to activate TR‐069 function. |
| Interface | WAN‐1 is selected by default. | When you have finished setting the basic network WAN‐1 ~ WAN‐n, you can choose WAN‐1 ~ WAN‐n. When you have finished setting Security > VPN > IPSec/OpenVPN/PPTP/L2TP/GRE, you can choose an IPSec/OpenVPN/PPTP/L2TP/GRE tunnel; the interface is shown like “IPSec #1”. |
| Data Model | ACS Cloud Data Model is selected by default. | Select the TR‐069 data model for the remote management. Standard : the ACS Server is a standard one, which fully complies with TR‐069. ACS Cloud Data Model : Select this data model if you intend to use a Cloud ACS Server to manage the deployed gateways. |
| ACS URL | A Must filled setting | You can ask the ACS manager to provide the ACS URL and set it manually. |
| ACS Username | A Must filled setting | You can ask the ACS manager to provide the ACS username and set it manually. |
| ACS Password | A Must filled setting | You can ask the ACS manager to provide the ACS password and set it manually. |
| ConnectionRequest Port | 1. A Must filled setting. 2. By default 8099 is set. | You can ask the ACS manager to provide the ACS ConnectionRequest Port and set it manually. Value Range: 0 ~ 65535. |
| ConnectionRequest UserName | A Must filled setting | You can ask the ACS manager to provide the ACS ConnectionRequest Username and set it manually. |
| ConnectionRequest Password | A Must filled setting | You can ask the ACS manager to provide the ACS ConnectionRequest Password and set it manually. |
| Inform | 1. The box is checked by default. 2. The Interval value is 300 by default. | When the Enable box is checked, the gateway (CPE) will periodically send inform messages to the ACS Server according to the Interval setting. Value Range: 0 ~ 86400 for Inform Interval. |
| Certification Setup | The default box is selected by default | You can leave it as default or select an expected certificate and key from the drop down list. Refer to Object Definition > Certificate Section for the Certificate configuration. |
| Save | N/A | Click Save to save the settings. |
| Undo | N/A | Click Undo to cancel the modifications. |
When you have set the ACS URL, ACS Username and ACS Password, your gateway (CPE, Customer Premises Equipment) can send inform messages to the ACS Server.
When you have set the ConnectionRequest Port, ConnectionRequest Username and ConnectionRequest Password, the ACS Server can ask the gateway (CPE) to send an inform to the ACS Server.
Enable STUN Server
STUN Settings Configuration
| Item | Value setting | Description |
|---|---|---|
| STUN | The box is checked by default | Check the Enable box to activate STUN function. |
| Server Address | 1. String format: any IPv4 address 2. It is an optional item. | Specify the IP address for the expected STUN Server. |
| Server Port | 1. An optional setting 2. 3478 is set by default | Specify the port number for the expected STUN Server. Value Range: 1 ~ 65535. |
| Keep Alive Period | 1. An optional setting 2. 0 is set by default | Specify the keep alive time period for the connection with STUN Server. Value Range: 0 ~ 65535. |
| Save | N/A | Click Save to save the settings. |
| Undo | N/A | Click Undo to cancel the modifications. |
6.1.3 SNMP
In brief, SNMP, the Simple Network Management Protocol, is a protocol designed to give a user the capability
to remotely manage a computer network by polling and setting terminal values and monitoring network
events.
In typical SNMP uses, one or more administrative computers, called managers, have the task of monitoring or
managing a group of hosts or devices on a computer network. Each managed system executes, at all times, a
software component called an agent which reports information via SNMP to the manager.
SNMP agents expose management data on the managed systems as variables. The protocol also permits active
management tasks, such as modifying and applying a new configuration through remote modification of these
variables. The variables accessible via SNMP are organized in hierarchies. These hierarchies, and other
metadata (such as type and description of the variable), are described by Management Information Bases
(MIBs).
The device supports several public MIBs and one private MIB for the SNMP agent. The supported MIBs are as follows: MIB-II (RFC 1213, including IPv6), IF-MIB, IP-MIB, TCP-MIB, UDP-MIB, SMIv1 and SMIv2, SNMPv2-TM and SNMPv2-MIB, and AMIB (a proprietary MIB).
SNMP Management Scenario
Scenario Application Timing
There are two application scenarios for SNMP Network Management Systems (NMS). A Local NMS is in the Intranet and manages all devices in the Intranet that support the SNMP protocol. The other is the Remote NMS, which manages devices whose WAN interfaces are connected together by a switch or a router with UDP forwarding. If you want to manage some devices and they all support the SNMP protocol, use either application scenario, especially for managing devices in the Intranet. For managing devices on the Internet, TR‐069 is the better solution. Please refer to the previous sub‐section.
Scenario Description
The NMS server can monitor and configure the managed devices by using the SNMP protocol, and those devices are located where UDP packets from the NMS can reach them.
The managed devices report urgent trap events to the NMS servers.
Using the SNMPv3 version of the protocol protects the transmission of SNMP commands and responses.
A remote NMS with a privileged IP address can manage the devices, but other remote NMSs can't.
Parameter Setup Example
The following tables list the parameter configuration as an example for Gateway 1 in the above diagram with "SNMP" enabled at the LAN and WAN interfaces.
Use the default value for those parameters that are not mentioned in the tables.
| Configuration Path | [SNMP]‐[Configuration] |
|---|---|
| SNMP Enable | ■ LAN ■ WAN |
| Supported Versions | ■ v1 ■ v2c ■ v3 |
| Get / Set Community | ReadCommunity / WriteCommunity |
| Trap Event Receiver 1 | 118.18.81.11 |
| WAN Access IP Address | 118.18.81.11 |

| Configuration Path | [SNMP]‐[User Privacy Definition] | | |
|---|---|---|---|
| ID | | | |
| User Name | UserName1 | UserName2 | UserName3 |
| Password | Password1 | Password2 | Disable |
| Authentication | MD5 | SHA‐1 | Disable |
| Encryption | DES | Disable | Disable |
| Privacy Mode | authPriv | authNoPriv | noAuthNoPriv |
| Privacy Key | 12345678 | Disable | Disable |
| Authority | Read/Write | Read | Read |
| Enable | ■ Enable | ■ Enable | ■ Enable |
Scenario Operation Procedure
In the above diagram, the NMS server can manage multiple devices in the Intranet or a UDP‐reachable network. "Gateway 1" is one of the managed devices, and it has the IP address 10.0.75.2 for its LAN interface and 118.18.81.33 for its WAN‐1 interface. It serves as a NAT router.
In the first stage, the NMS manager prepares the related information for all managed devices and records it in the NMS system. Then the NMS system gets the status of all managed devices by using SNMP get commands.
When the manager wants to configure the managed devices, the NMS system allows him to do that by using SNMP set commands. The "UserName1" account is used if the manager uses the SNMPv3 protocol to configure "Gateway 1". Only the "UserName1" account can make "Gateway 1" accept the configuration from the NMS, since the authority of the account is "Read/Write".
Once a managed device has an urgent event to send, the device will issue a trap to the Trap Event Receivers. The NMS itself could be one of them.
If you want to secure the SNMP commands and responses transmitted between the NMS and the managed devices, use the SNMPv3 version of the protocol.
A remote NMS without a privileged IP address can't manage "Gateway 1", since "Gateway 1" allows only an NMS with a privileged IP address to manage it via its WAN interface.
SNMP Setting
Go to Administration > Configure & Manage > SNMP tab.
The SNMP page allows the user to configure SNMP settings, including interface, version, access control and trap receiver.
Enable SNMP
SNMP
| Item | Value setting | Description |
|---|---|---|
| SNMP Enable | 1. The boxes are unchecked by default | Select the interface for the SNMP and enable SNMP functions. When you check the LAN box, it will activate SNMP functions and you can access SNMP from the LAN side. When you check the WAN box, it will activate SNMP functions and you can access SNMP from the WAN side. |
| WAN Interface | 1. A Must filled setting 2. ALL WANs is selected by default | Specify the WAN interface through which a remote SNMP host can access the device. By default, All WANs is selected, and there is no limitation for the WAN interface. |
| Supported Versions | 1. A Must filled setting 2. The boxes are unchecked by default | Select the version for the SNMP. When you check the v1 box, you can access SNMP by version 1. When you check the v2c box, you can access SNMP by version 2c. When you check the v3 box, you can access SNMP by version 3. |
| Remote Access IP | 1. String format: any IPv4 address 2. It is an optional item. | Specify the Remote Access IP for WAN. Select Specific IP Address, and fill in a certain IP address. It means only this IP address can access SNMP from LAN/WAN side. Select IP Range, and fill in a range of IP addresses. It means the IP addresses within the specified range can access SNMP from LAN/WAN side. If you leave it blank, it means any IP address can access SNMP from WAN side. |
| SNMP Port | 1. String format: any port number 2. The default SNMP port is 161. 3. A Must filled setting | Specify the SNMP Port. You can fill in any port number, but you must ensure the port number is not already in use. Value Range: 1 ~ 65535. |
| Save | N/A | Click Save to save the settings |
| Undo | N/A | Click Undo to cancel the settings |
Create/Edit Multiple Community
SNMP allows you to customize access control for version 1 and version 2 users. The router supports up to a maximum of 10 community sets.
When the Add button is applied, the Multiple Community Rule Configuration screen will appear.
Multiple Community Rule Configuration
| Item | Value setting | Description |
|---|---|---|
| Community | 1. Read Only is selected by default 2. A Must filled setting 3. String format: any text | Specify this version 1 or version v2c user’s community that will be allowed Read Only (GET and GETNEXT) or Read‐Write (GET, GETNEXT and SET) access respectively. The maximum length of the community is 32. |
| Enable | 1. The box is checked by default | Click Enable to enable this version 1 or version v2c user. |
| Save | N/A | Click the Save button to save the configuration. This does not yet apply it to the SNMP functions. When you return to the SNMP main page, it will show “Click on save button to apply your changes” to remind the user to click the main page Save button. |
| Undo | N/A | Click the Undo button to cancel the settings. |
| Back | N/A | Click the Back button to return to last page. |
Create/Edit User Privacy
SNMP allows you to customize access control for version 3 users. The router supports up to a maximum of 128 User Privacy sets.
When the Add button is applied, the User Privacy Rule Configuration screen will appear.
User Privacy Rule Configuration
| Item | Value setting | Description |
|---|---|---|
| User Name | 1. A Must filled setting 2. String format: any text | Specify the User Name for this version 3 user. Value Range: 1 ~ 32 characters. |
| Password | 1. String format: any text | When your Privacy Mode is authNoPriv or authPriv, you must specify the Password for this version 3 user. Value Range: 8 ~ 64 characters. |
| Authentication | 1. None is selected by default | When your Privacy Mode is authNoPriv or authPriv, you must specify the Authentication type for this version 3 user. Select the authentication type MD5 / SHA‐1 to use. |
| Encryption | 1. None is selected by default | When your Privacy Mode is authPriv, you must specify the Encryption protocol for this version 3 user. Select the encryption protocol DES / AES to use. |
| Privacy Mode | 1. noAuthNoPriv is selected by default | Specify the Privacy Mode for this version 3 user. noAuthNoPriv: you do not use any authentication types and encryption protocols. authNoPriv: you must specify the Authentication and Password. authPriv: you must specify the Authentication, Password, Encryption and Privacy Key. |
| Privacy Key | 1. String format: any text | When your Privacy Mode is authPriv, you must specify the Privacy Key (8 ~ 64 characters) for this version 3 user. |
| Authority | 1. Read is selected by default | Specify this version 3 user’s Authority that will be allowed Read Only (GET and GETNEXT) or Read‐Write (GET, GETNEXT and SET) access respectively. |
| OID Filter Prefix | 1. The default value is 2. A Must filled setting 3. String format: any legal OID | The OID Filter Prefix restricts access for this version 3 user to the sub‐tree rooted at the given OID. Value Range: 1 ~2080768. |
| Enable | 1. The box is checked by default | Click Enable to enable this version 3 user. |
| Save | N/A | Click the Save button to save the configuration. This does not yet apply it to the SNMP functions. When you return to the SNMP main page, it will show “Click on save button to apply your changes” to remind the user to click the main page Save button. |
| Undo | N/A | Click the Undo button to cancel the settings |
| Back | N/A | Click the Back button to return to the last page. |
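The dependencies between Privacy Mode, Password, Authentication, Encryption and Privacy Key described above can be checked mechanically before a profile is deployed. The audit below is an added example, not the gateway's own code: it applies the manual's rules to the SNMP Parameter Setup Example and also warns about the weaker choices the device permits (v1/v2c on the WAN, MD5, DES, modes without encryption). The dictionary layout and field names are assumptions made for this example; the manual defines no export format for these settings.

```python
def check_user(user):
    """Apply the User Privacy rules to one SNMPv3 user; return (severity, text) pairs."""
    found = []
    name = user.get("name", "")
    mode = user.get("mode", "noAuthNoPriv")   # the manual's default Privacy Mode
    if not 1 <= len(name) <= 32:
        found.append(("ERROR", "User Name must be 1 ~ 32 characters"))
    if mode in ("authNoPriv", "authPriv"):
        if not 8 <= len(user.get("password", "")) <= 64:
            found.append(("ERROR", "Password must be 8 ~ 64 characters"))
        if user.get("auth") not in ("MD5", "SHA-1"):
            found.append(("ERROR", "Authentication must be MD5 or SHA-1"))
        elif user["auth"] == "MD5":
            found.append(("WARN", "MD5 authentication; SHA-1 is the stronger choice offered"))
    if mode == "authPriv":
        if user.get("encryption") not in ("DES", "AES"):
            found.append(("ERROR", "Encryption must be DES or AES"))
        elif user["encryption"] == "DES":
            found.append(("WARN", "DES encryption; AES is the stronger choice offered"))
        if not 8 <= len(user.get("privacy_key", "")) <= 64:
            found.append(("ERROR", "Privacy Key must be 8 ~ 64 characters"))
    elif mode == "authNoPriv":
        found.append(("WARN", "authNoPriv: requests are authenticated but not encrypted"))
    elif mode == "noAuthNoPriv":
        found.append(("WARN", "noAuthNoPriv: no authentication and no encryption"))
    else:
        found.append(("ERROR", f"unknown Privacy Mode {mode!r}"))
    return [(severity, f"{name}: {text}") for severity, text in found]


def audit(config):
    """Audit the SNMP settings of one gateway; return (severity, text) pairs."""
    found = []
    if "WAN" in config["interfaces"]:
        if {"v1", "v2c"} & set(config["versions"]):
            found.append(("WARN", "v1/v2c on WAN: community strings are sent unencrypted"))
        if not config.get("remote_access_ip"):
            found.append(("WARN", "Remote Access IP is blank: any IP address "
                                  "can access SNMP from the WAN side"))
    for community in config.get("communities", []):
        if len(community) > 32:
            found.append(("ERROR", f"community {community!r} is longer than 32 characters"))
    if "v3" in config["versions"]:
        for user in config.get("users", []):
            if user.get("enabled", True):
                found.extend(check_user(user))
    return found


# Values taken from the manual's Parameter Setup Example for Gateway 1.
MANUAL_EXAMPLE = {
    "interfaces": ["LAN", "WAN"],
    "versions": ["v1", "v2c", "v3"],
    "communities": ["ReadCommunity", "WriteCommunity"],
    "remote_access_ip": "118.18.81.11",
    "users": [
        {"name": "UserName1", "password": "Password1", "auth": "MD5",
         "encryption": "DES", "mode": "authPriv", "privacy_key": "12345678",
         "authority": "Read/Write"},
        {"name": "UserName2", "password": "Password2", "auth": "SHA-1",
         "mode": "authNoPriv", "authority": "Read"},
        {"name": "UserName3", "mode": "noAuthNoPriv", "authority": "Read"},
    ],
}

if __name__ == "__main__":
    for severity, text in audit(MANUAL_EXAMPLE):
        print(severity, text)
```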
Create/Edit Trap Event Receiver
SNMP allows you to customize your trap event receivers. The router supports up to a maximum of 4 Trap Event Receiver sets.
When the Add button is applied, the Trap Event Receiver Rule Configuration screen will appear. The default SNMP Version is v1. The configuration screen will provide the version 1 must filled items.
When you select v2c, the configuration screen is exactly the same as that of v1, except for the version.
When you select v3, the configuration screen will provide more setting items for the version 3 Trap.
Trap Event Receiver Rule Configuration
| Item | Value setting | Description |
|---|---|---|
| Server IP | 1. A Must filled setting 2. String format: any IPv4 address or FQDN | Specify the trap Server IP or FQDN. The DUT will send trap to the server IP/FQDN. |
| Server Port | 1. String format: any port number 2. The default SNMP trap port is 162 3. A Must filled setting | Specify the trap Server Port. You can fill in any port number, but you must ensure the port number is not already in use. Value Range: 1 ~ 65535. |
| SNMP Version | 1. v1 is selected by default | Select the version for the trap. v1: the configuration screen will provide the version 1 must filled items. v2c: the configuration screen will provide the version 2c must filled items. v3: the configuration screen will provide the version 3 must filled items. |
| Community Name | 1. A v1 and v2c Must filled setting 2. String format: any text | Specify the Community Name for this version 1 or version v2c trap. Value Range: 1 ~ 32 characters. |
| User Name | 1. A v3 Must filled setting 2. String format: any text | Specify the User Name for this version 3 trap. Value Range: 1 ~ 32 characters. |
| Password | 1. A v3 Must filled setting 2. String format: any text | When your Privacy Mode is authNoPriv or authPriv, you must specify the Password for this version 3 trap. Value Range: 8 ~ 64 characters. |
| Privacy Mode | 1. A v3 Must filled setting 2. noAuthNoPriv is selected by default | Specify the Privacy Mode for this version 3 trap. noAuthNoPriv: you do not use any authentication types and encryption protocols. authNoPriv: you must specify the Authentication and Password. authPriv: you must specify the Authentication, Password, Encryption and Privacy Key. |
| Authentication | 1. A v3 Must filled setting 2. None is selected by default | When your Privacy Mode is authNoPriv or authPriv, you must specify the Authentication type for this version 3 trap. Select the authentication type MD5 / SHA‐1 to use. |
| Encryption | 1. A v3 Must filled setting 2. None is selected by default | When your Privacy Mode is authPriv, you must specify the Encryption protocol for this version 3 trap. Select the encryption protocol DES / AES to use. |
| Privacy Key | 1. A v3 Must filled setting 2. String format: any text | When your Privacy Mode is authPriv, you must specify the Privacy Key (8 ~ 64 characters) for this version 3 trap. |
| Enable | 1. The box is checked by default | Click Enable to enable this trap receiver. |
| Save | N/A | Click the Save button to save the configuration. This does not yet apply it to the SNMP functions. When you return to the SNMP main page, it will show “Click on save button to apply your changes” to remind the user to click the main page Save button. |
| Undo | N/A | Click the Undo button to cancel the settings. |
| Back | N/A | Click the Back button to return to the last page. |
Specify SNMP MIB‐2 System
If required, you can also specify the required information for the MIB‐2 System.
SNMP MIB‐2 System Configuration
| Item | Value setting | Description |
|---|---|---|
| sysContact | 1. An Optional filled setting 2. String format: any text | Specify the contact information for MIB‐2 system. Value Range: 0 ~ 64 characters. |
| sysLocation | 1. An Optional filled setting 2. String format: any text | Specify the location information for MIB‐2 system. Value Range: 0 ~ 64 characters. |
Edit SNMP Options
If you use a particular private MIB, you must fill in the enterprise name, number and OID.
Options
| Item | Value setting | Description |
|---|---|---|
| Enterprise Name | 1. The default value is Default 2. A Must filled setting 3. String format: any text | Specify the Enterprise Name for the particular private MIB. Value Range: 1 ~ 10 characters, and only string with A~Z, a~z, 0~9, ‘–’, ‘_’. |
| Enterprise Number | 1. The default value is 12823 (Default Enterprise Number) 2. A Must filled setting 3. String format: any number | Specify the Enterprise Number for the particular private MIB. Value Range: 1 ~2080768. |
| Enterprise OID | 1. The default value is 1.3.6.1.4.1.12823.4.4.9 (Default Enterprise OID) 2. A Must filled setting 3. String format: any legal OID | Specify the Enterprise OID for the particular private MIB. The range of each OID number is 1‐2080768. The maximum length of the enterprise OID is 31. The seventh number must be identical with the enterprise number. |
| Save | N/A | Click the Save button to save the configuration and apply your changes to SNMP functions. |
| Undo | N/A | Click the Undo button to cancel the settings. |
6.1.4 Telnet & SSH
A command‐line interface (CLI), also known as a command‐line user interface or console user interface, is a means of interacting with a computer program where the user (or client) issues commands to the program in the form of successive lines of text (command lines). The interface is usually implemented with a command line shell, which is a program that accepts commands as text input and converts commands to appropriate operating system functions. Programs with command‐line interfaces are generally easier to automate via scripting. The device supports both Telnet and SSH (Secure Shell) CLI with default service port 23 and 22, respectively.
Telnet & SSH Scenario
Scenario Application Timing
When the administrator of the gateway wants to manage it from remote site in the Intranet or Internet,
he may use "Telnet with CLI" function to do that by using "Telnet" or "SSH" utility.
Scenario Description
The Local Admin or the Remote Admin can manage the Gateway by using "Telnet" or "SSH" utility with
privileged user name and password.
The data packets between the Local Admin and the Gateway or between the Remote Admin and the
Gateway can be plain texts or encrypted texts. It is suggested that the Local Admin uses the "Telnet"
utility (plain texts) in the Intranet, and that the Remote Admin uses the "SSH" utility (encrypted texts)
in the Internet.
Parameter Setup Example
Following table lists the parameter configuration as an example for the Gateway in above diagram with
"Telnet with CLI" enabling at LAN and WAN interfaces.
Use default value for those parameters that are not mentioned in the table.
Configuration Path | [Telnet & SSH]‐[Configuration]
Telnet | LAN: ■ Enable, WAN: □ Enable, Service Port: 23
SSH | LAN: ■ Enable, WAN: ■ Enable, Service Port: 22
Scenario Operation Procedure
In above diagram, "Local Admin" or "Remote Admin" can manage the "Gateway" in the Intranet or
Internet. The "Gateway" is the gateway of Network‐A, and the subnet of its Intranet is 10.0.75.0/24. It
has the IP address of 10.0.75.2 for LAN interface and 118.18.81.33 for WAN‐1 interface. It serves as a
NAT gateway.
The "Local Admin" in the Intranet uses the "Telnet" utility with a privileged account to log in to the Gateway.
Or the "Remote Admin" in the Internet uses the "SSH" utility with a privileged account to log in to the Gateway.
The administrator of the gateway can control the device as if he were in front of the gateway.
Telnet & SSH Setting
Go to Administration > Configure & Manage > Telnet & SSH tab.
The Telnet & SSH setting allows the administrator to access this device through a traditional Telnet or SSH
program. Before you can telnet (login) to the device, please configure the related settings and
password with care. The password management part allows you to set the root password for logging in via
Telnet and SSH.
Configuration
Item | Value setting | Description
Telnet | The LAN Enable box is checked by default. By default Service Port is 23. | Check the Enable box to activate the Telnet function for connecting from LAN or WAN interfaces. You can set which number of Service Port you want to provide for the corresponding service. Value Range: 1 ~ 65535.
SSH | The LAN Enable box is checked by default. By default Service Port is 22. | Check the Enable box to activate the SSH Telnet function for connecting from LAN or WAN interfaces. You can set which number of Service Port you want to provide for the corresponding service. Value Range: 1 ~ 65535.
Save | N/A | Click Save to save the settings
Undo | N/A | Click Undo to cancel the settings
Configuration
Item | Value setting | Description
root | 1. String: any text but no blank character 2. The default password for telnet is ‘wirelessm2m’. | Type the old password and specify a new password to change the root password. Note_1: You are highly recommended to replace the default telnet password with your own before the device is deployed. Note_2: If you have trouble with the default password on a previous FW version, please check the corresponding User Manual to get the correct one.
Save | N/A | Click Save to save the settings
Undo | N/A | Click Undo to cancel the settings
6.2 System Operation
System Operation allows the network administrator to manage system settings such as web‐based utility
access password change, system information, system time, system log, firmware/configuration backup &
restore, and reset & reboot.
6.2.1 Password & MMI
Go to Administration > System Operation > Password & MMI tab.
Change UserName
Change Username screen allows network administrator to change the web‐based MMI login account to access
gateway. Click the Modify button and provide the new username setting.
Username Configuration
Item | Value setting | Description
Username | The default Username for web‐based MMI is ‘admin’. | Display the current MMI login account (Username).
New Username | String: any text | Enter new Username to replace the current setting.
Password | String: any text | Enter current password to verify if you have the permission to change the username setting.
Save | N/A | Click Save button to save the settings
Undo | N/A | Click Undo button to cancel the settings
Change Password
Change password screen allows network administrator to change the web‐based MMI login password to
access gateway.
Password Configuration
Item | Value setting | Description
Old Password | 1. String: any text 2. The default password for web‐based MMI is ‘admin’. | Enter the current password to unlock the password change.
New Password | String: any text | Enter new password
New Password Confirmation | String: any text | Enter new password again to confirm
Save | N/A | Click Save button to save the settings
Undo | N/A | Click Undo button to cancel the settings
Change MMI Setting for Accessing
This is the gateway’s web‐based MMI access which allows administrator to access the gateway for
management. The gateway’s web‐based MMI will automatically logout when the idle time has elapsed. The
setting allows administrator to enable automatic logout and set the logout idle time. When the login timeout
is disabled, the system won’t logout the administrator automatically.
MMI Configuration
Item | Value setting | Description
Login | 3 times is set by default | Enter the login trial counting value. Value Range: 3 ~ 10. If someone tries to log in to the web GUI with an incorrect password more times than the counting value, a warning message “Already reaching maximum Password‐Guessing times, please wait a few seconds!” will be displayed and the following login trials will be ignored.
Login Timeout | The Enable box is checked, and 300 is set by default. | Check the Enable box to activate the auto logout function, and specify the maximum idle time as well. Value Range: 30 ~ 65535.
GUI Access Protocol | http/https is selected by default. | Select the protocol that will be used for GUI access. It can be http/https, http only, or https only.
HTTPs Certificate Setup | The default box is selected by default | If the https Access Protocol is selected, the HTTPs Certificate Setup option will be available for further configuration. You can leave it as default or select an expected certificate and key from the drop down list. Refer to Object Definition > Certificate Section for the Certificate configuration.
http Compression | The box is unchecked by default. | Check the box (gzip, or deflate) if any compression method is preferred.
System Boot Mode | Normal Mode is selected by default. | Select the system boot mode that will be adopted to boot up the device. Normal Mode: It takes longer boot up time, about 200 seconds, with complete firmware image check during the device booting. Fast Mode: It takes shorter boot up time, about 120 seconds, without checking the firmware image during the device booting. Quick Mode: It takes shorter boot up time, about 90 seconds, without checking the firmware image or creating the internal database for User/Group/Captive Portal functions. Note: Use Quick Mode with care; once selected, the User/Group/Captive Portal function will become non‐functional.
Save | N/A | Click Save button to save the settings
Undo | N/A | Click Undo button to cancel the settings
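The Telnet & SSH settings in 6.1.4 and the Password & MMI settings above can be checked before deployment against the defaults this manual documents. The following Python audit is an added example, not vendor code; the profile dictionary layout and its key names are assumptions, since the manual describes Web GUI fields rather than an export format, and both sample profiles are constructed.

```python
from dataclasses import dataclass

# Factory defaults as documented in sections 6.1.4 and 6.2.1 of this manual.
DEFAULT_ROOT_PASSWORD = "wirelessm2m"
DEFAULT_MMI_PASSWORD = "admin"
_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    severity: str
    setting: str
    message: str


def audit(profile):
    """Check a provisioning profile; return findings, most severe first.

    The dict layout is hypothetical (assumed key names, not a device format).
    """
    out = []

    def flag(severity, setting, message):
        out.append(Finding(severity, setting, message))

    telnet, ssh, mmi = profile["telnet"], profile["ssh"], profile["mmi"]

    # Value ranges the manual states for these fields.
    for name, svc in (("telnet", telnet), ("ssh", ssh)):
        if not 1 <= svc["port"] <= 65535:
            flag("high", f"{name}.port", "Service Port outside 1 ~ 65535")
    if not 3 <= mmi["login_trials"] <= 10:
        flag("medium", "mmi.login_trials", "login trial count outside 3 ~ 10")

    # Telnet sends the root login as plain text; the manual reserves it for
    # the Intranet and suggests SSH for administration over the Internet.
    if telnet["wan"]:
        flag("high", "telnet.wan", "Telnet enabled on WAN; use SSH instead")
    if telnet["lan"]:
        flag("medium", "telnet.lan", "Telnet enabled on LAN (factory default)")

    root_pw = profile["root_password"]
    if root_pw == DEFAULT_ROOT_PASSWORD:
        flag("high", "root_password", "root password is the factory default")
    elif not root_pw or any(ch.isspace() for ch in root_pw):
        flag("high", "root_password", "empty or contains a blank character")

    if mmi["password"] == DEFAULT_MMI_PASSWORD:
        flag("high", "mmi.password", "web MMI password is the factory default")
    if mmi["protocol"] != "https only":
        flag("medium", "mmi.protocol", "GUI reachable over unencrypted http")

    if not mmi["login_timeout_enabled"]:
        flag("medium", "mmi.login_timeout", "idle sessions are never logged out")
    elif not 30 <= mmi["login_timeout"] <= 65535:
        flag("medium", "mmi.login_timeout", "idle time outside 30 ~ 65535")

    # Fast and Quick modes skip the firmware image check during boot.
    if profile["boot_mode"] != "Normal":
        flag("low", "boot_mode", "firmware image is not checked at boot")

    return sorted(out, key=lambda f: _ORDER[f.severity])


# Constructed sample profiles. FACTORY_DEFAULT mirrors the documented defaults
# (WAN boxes assumed unchecked); HARDENED is one possible corrected profile.
FACTORY_DEFAULT = {
    "telnet": {"lan": True, "wan": False, "port": 23},
    "ssh": {"lan": True, "wan": False, "port": 22},
    "root_password": "wirelessm2m",
    "mmi": {"password": "admin", "protocol": "http/https", "login_trials": 3,
            "login_timeout_enabled": True, "login_timeout": 300},
    "boot_mode": "Normal",
}
HARDENED = {
    "telnet": {"lan": False, "wan": False, "port": 23},
    "ssh": {"lan": True, "wan": True, "port": 22},
    "root_password": "constructed-Example-passphrase-1",
    "mmi": {"password": "constructed-Example-passphrase-2",
            "protocol": "https only", "login_trials": 3,
            "login_timeout_enabled": True, "login_timeout": 300},
    "boot_mode": "Normal",
}

if __name__ == "__main__":
    for label, prof in (("factory default", FACTORY_DEFAULT), ("hardened", HARDENED)):
        print(label)
        for item in audit(prof) or [Finding("-", "-", "no findings")]:
            print(f"  [{item.severity}] {item.setting}: {item.message}")
```

Run against the factory-default profile, the audit reports the two default passwords first, then Telnet on LAN and the http/https GUI protocol.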
6.2.2 System Information
System Information screen gives network administrator a quick look up on the device information for the
purchased gateway.
Go to Administration > System Operation > System Information tab.
System Information
Item | Value Setting | Description
Model Name | N/A | It displays the model name of this product.
Device Serial Number | N/A | It displays the serial number of this product.
Kernel Version | N/A | It displays the Linux kernel version of the product
FW Version | N/A | It displays the firmware version of the product
CPU Usage | N/A | It displays the percentage of CPU utilization.
Memory Usage | N/A | It displays the percentage of device memory utilization.
System Time | N/A | It displays the current system time that you browsed this web page.
Device Up‐Time | N/A | It displays the statistics for the device up‐time since last boot up.
Refresh | N/A | Click the Refresh button to update the system Information immediately.
6.2.3 System Time
The gateway provides manual setup and auto‐synchronization approaches for the administrator to set up the
system time for the gateway.
Go to Administration > System Operation > System Time tab.
System Time Information
Item | Value Setting | Description
Time Zone | 1. It is an optional item. 2. GMT+00:00 is selected by default. | Select a time zone where this device locates.
Auto‐synchronization | 1. Checked by default. 2. Auto is selected by default. | Check the Enable button to activate the time auto‐synchronization function with a certain NTP server. You can enter the IP or FQDN for the NTP server you expected, or leave it as auto mode so that the available server will be used for time synchronization one by one.
Daylight Saving Time | 1. It is an optional item. 2. Un‐checked by default | Check the Enable button to activate the daylight saving function. When you enabled this function, you have to specify the start date and end date for the daylight saving time duration.
Set Date & Time | 1. It is an optional item. | If you do not enable the time auto-synchronization function, you can also manually set the date (Year/Month/Day) and time (Hour:Minute:Second).
Save | N/A | Click the Save button to save the settings.
Refresh | N/A | Click the Refresh button to update the system time immediately.
Instead of manually configuring the system time for the gateway, there are two simple and quick solutions for
you to set the correct time information and set it as the system time for the gateway.
The first one is “Sync with Timer Server”. Based on your selection of time zone and time server in above time
information configuration window, system will communicate with time server by NTP Protocol to get system
date and time after you click on the Sync with Timer Server button.
Note: Remember to select a correct time zone for the device, otherwise, you will just get the UTC
(Coordinated Universal Time) time, not the local time for the device.
The second one is “Sync with my PC”. Click on the Sync with my PC button to let system synchronize its date
and time to the time of the administration PC.
6.2.4 System Log
System Log screen contains various event log tools facilitating network administrator to perform local event
logging and remote reporting.
Go to Administration > System Operation > System Log tab.
View & Email Log History
View button is provided for network administrator to view log history on the gateway. Email Now button
enables administrator to send instant Email for analysis.
View & Email Log History
Item | Value setting | Description
View button | N/A | Click the View button to view Log History in Web Log List Window.
Email Now button | N/A | Click the Email Now button to send Log History via Email instantly.
Web Log List Window
Item | Value Setting | Description
Time column | N/A | It displays event time stamps
Log column | N/A | It displays Log messages
Web Log List Button Description
Item | Value setting | Description
Previous | N/A | Click the Previous button to move to the previous page.
Next | N/A | Click the Next button to move to the next page.
First | N/A | Click the First button to jump to the first page.
Last | N/A | Click the Last button to jump to the last page.
Download | N/A | Click the Download button to download log to your PC in tar file format.
Clear | N/A | Click the Clear button to clear all log.
Back | N/A | Click the Back button to return to the previous page.
Web Log Type Category
Web Log Type Category screen allows network administrator to select the type of events to log and be
displayed in the Web Log List Window as described in the previous section. Click on the View button to view
Log History in the Web Log List window.
Web Log Type Category Setting Window
Item | Value Setting | Description
System | Checked by default | Check to log system events and to display in the Web Log List window.
Attacks | Checked by default | Check to log attack events and to display in the Web Log List window.
Drop | Checked by default | Check to log packet drop events and to display in the Web Log List window.
Login message | Checked by default | Check to log system login events and to display in the Web Log List window.
Debug | Un‐checked by default | Check to log debug events and to display in the Web Log List window.
Email Alert
Email Alert screen allows network administrator to select the type of event to log and be sent to the destined
Email account.
Email Alert Setting Window
Item | Value Setting | Description
Enable | Un‐checked by default | Check Enable box to enable sending event log messages to destined Email account defined in the E‐mail Addresses blank space.
Server | N/A | Select one email server from the Server dropdown box to send Email. If none has been available, click the Add Object button to create an outgoing Email server. You may also add an outgoing Email server from Object Definition > External Server > External Server tab.
E‐mail address | String: email format | Enter the recipient’s Email address. Separate Email addresses with comma ‘,’ or semicolon ‘;’. Enter the Email address in the format of ‘myemail@domain.com’
Subject | String: any text | Enter an Email subject that is easy for you to identify on the Email client.
Log type category | Default unchecked | Select the type of events to log and be sent to the designated Email account. Available events are System, Attacks, Drop, Login message, and Debug.
Syslogd
Syslogd screen allows network administrator to select the type of event to log and be sent to the designated
Syslog server.
Syslogd Setting Window
Item | Value Setting | Description
Enable | Un‐checked by default | Check Enable box to activate the Syslogd function, and send event logs to a syslog server
Server | N/A | Select one syslog server from the Server dropdown box to send event logs to. If none has been available, click the Add Object button to create a system log server. You may also add a system log server from the Object Definition > External Server > External Server tab.
Log type category | Un‐checked by default | Select the type of event to log and be sent to the destined syslog server. Available events are System, Attacks, Drop, Login message, and Debug.
Log to Storage
Log to Storage screen allows network administrator to select the type of events to log and be stored at an
internal or an external storage.
Log to Storage Setting Window
Item | Value Setting | Description
Enable | Un‐checked by default | Check to enable sending log to storage.
Select Device | Internal is selected by default | Select internal or external storage.
Log file name | Un‐checked by default | Enter log file name to save logs in designated storage.
Split file Enable | Un‐checked by default | Check enable box to split file whenever log file reaching the specified limit.
Split file Size | 200 KB is set by default | Enter the file size limit for each split log file. Value Range: 10 ~ 1000.
Log type category | Un‐checked by default | Check which type of logs to send: System, Attacks, Drop, Login message, Debug
Log to Storage Button Description
Item | Value setting | Description
Download log file | N/A | Click the Download log file button to download log files to a log.tar file.
6.2.5 Backup & Restore
In the Backup & Restore window, you can upgrade the device firmware when new firmware is available and
also backup / restore the device configuration.
In addition to the factory default settings, you can also customize a special configuration setting as a
customized default value. With this customized default value, you can reset the device to the expected default
setting if needed.
Go to Administration > System Operation > Backup & Restore tab.
FW Backup & Restore
Item | Value Setting | Description
FW Upgrade | Via Web UI is selected by default | If new firmware is available, click the FW Upgrade button to upgrade the device firmware via Web UI, or Via Storage. After clicking on the “FW Upgrade” command button, you need to specify the file name of new firmware by using “Browse” button, and then click “Upgrade” button to start the FW upgrading process on this device. If you want to upgrade a firmware which is from GPL policy, please check “Accept unofficial firmware”
Backup Configuration Settings | Download is selected by default | You can backup or restore the device configuration settings by clicking the Via Web UI button. Download: for backup the device configuration to a config.bin file. Upload: for restore a designated configuration file to the device. Via Web UI: to retrieve the configuration file via Web GUI.
Auto Restore Configuration | The Enable box is unchecked by default | Click the Enable button to activate the customized default setting function. Once the function is activated, you can save the expected setting as a customized default setting by clicking the Save Conf. button, or clicking the Clean Conf. button to erase the stored customized configuration.
6.2.6 Reboot & Reset
For some special reason or situation, you may need to reboot the gateway or reset the device configuration to
its default value. In addition to perform these operations through the Power ON/OFF, or pressing the reset
button on the device panel, you can do it through the web GUI too.
Go to Administration > System Operation > Reboot & Reset tab.
In the Reboot & Reset window, you can reboot this device by clicking the “Reboot” button, and reset this
device to default settings by clicking the “Reset” button.
System Operation Window
Item | Value Setting | Description
Reboot | Now is selected by default | Click the Reboot button to reboot the gateway immediately or on a pre‐defined time schedule. Now: Reboot immediately. Time Schedule: Select a pre‐defined auto‐reboot time schedule rule to reboot the device at a designated time. To define a time schedule rule, go to Object Definition > Scheduling > Configuration tab.
Reset to Default | N/A | Click the Reset button to reset the device configuration to its default value.
6.3 FTP (not supported)
Not supported feature for the purchased product, leave it as blank.
6.4 Diagnostic
This gateway supports simple network diagnosis tools for the administrator to troubleshoot and find the root
cause of abnormal behavior or traffic passing through the gateway. There is a Packet Analyzer to
help record the packets for a designated interface or specific source/destination host, and there are Ping and
Tracert tools for testing network connectivity issues.
6.4.1 Diagnostic Tools
The Diagnostic Tools provide some frequently used network connectivity diagnostic tools (approaches) for the
network administrator to check the device connectivity.
Go to Administration > Diagnostic > Diagnostic Tools tab.
Diagnostic Tools
Item | Value setting | Description
Ping Test | Optional Setting | This allows you to specify an IP / FQDN and the test interface (LAN, WAN, or Auto), so system will try to ping the specified device to test whether it is alive after clicking on the Ping button. A test result window will appear beneath it.
Tracert Test | Optional setting | Trace route (tracert) command is a network diagnostic tool for displaying the route (path) and measuring transit delays of packets across an IP network. Trace route proceeds until all (three) sent packets are lost for more than twice, then the connection is lost and the route cannot be evaluated. First, you need to specify an IP / FQDN, the test interface (LAN, WAN, or Auto) and the protocol (UDP or ICMP), and by default, it is UDP. Then, system will try to trace the specified host to test whether it is alive after clicking on Tracert button. A test result window will appear beneath it.
Wake on LAN | Optional setting | Wake on LAN (WOL) is an Ethernet networking standard that allows a computer to be turned on or awakened by a network message. You can specify the MAC address of the computer, in your LAN network, to be remotely turned on by clicking on the Wake up command button.
Save | N/A | Click the Save button to save the configuration.
Chapter 7 Service
7.1 Cellular Toolkit
Besides the cellular data connection, you may also like to monitor data usage of cellular WAN, send text
messages through SMS, change the PIN code of the SIM card, communicate with the carrier/ISP by USSD
command, or do a cellular network scan for diagnostic purposes.
The Cellular Toolkit section includes several useful features that are related to cellular configuration or
application. You can configure settings of Data Usage, SMS, SIM PIN, USSD, and Network Scan here. Please
note that at least one valid SIM card must be inserted into the device before you continue with the settings in
this section.
7.1.1 Data Usage
Most data plans for cellular connections come with a limited amount of data usage. If data usage goes over
the quota, either you will get much lower data throughput that may affect your daily operation, or you will
get a ‘bill shock’ in the next month because the carrier/ISP charges a lot for the over‐quota data usage.
With the help of the Data Usage feature, the device will monitor cellular data usage continuously and take actions. If
data usage reaches the quota limit, the device can be set to drop the cellular data connection right away. Otherwise,
if a secondary SIM card is inserted, the device will switch to the secondary SIM and establish another cellular data
connection with it automatically.
If Data Usage feature is enabled, all history of cellular data usage can be viewed at Status > Statistics &
Reports > Cellular Usage tab.
3G/4G Data Usage
The Data Usage feature enables the gateway device to continuously monitor cellular data usage and take
actions. In the diagram, the quota limit of SIM A is 1Gb per month and the bill start date is the 20th of every
month. The device starts a new calculation of data usage on the 20th of every month. Enabling Connection
Restrict will force the gateway device to drop the cellular connection of SIM A when data usage reaches the
quota limit (1Gb in this case). If the SIM failover feature is configured in Internet Setup, then the gateway
will switch to SIM B and establish a new cellular data connection automatically.
Data Usage Setting
Go to Service > Cellular Toolkit > Data Usage tab.
Before you finish the settings for Data Usage, you need to know the bill start date, bill period, and quota limit of data
usage according to your data plan. You can ask your carrier or ISP for this information.
Create / Edit 3G/4G Data Usage Profile
When Add button is applied, 3G/4G Data Usage Profile Configuration screen will appear. You can create up to
four data usage profiles, one profile for each SIM card used in the Gateway.
3G/4G Data Usage Profile Configuration
Item | Value setting | Description
SIM Select | 3G/4G‐1 and SIM A by default. | Choose a cellular interface (3G/4G‐1 or 3G/4G‐2), and a SIM card bound to the selected cellular interface to configure its data usage profile.
Carrier Name | It is an optional item. | Fill in the Carrier Name for the selected SIM card for identification.
Cycle Period | Days by default | The first box has three types for cycle period. They are Days, Weekly and Monthly. Days: For per Days cycle periods, you have to further specify the number of days in the second box. Value Range: 1 ~ 90 days. Weekly, Monthly: The cycle period is one week or one month.
Start Date | N/A | Specify the date to start measure network traffic. Please don’t select the day before now, otherwise, the traffic statistics will be incorrect.
Data Limitation | N/A | Specify the allowable data limitation for the defined cycle period.
Connection Restrict | Un‐Checked by default. | Check the Enable box to activate the connection restriction function. During the specified cycle period, if the actual data usage exceeds the allowable data limitation, the cellular connection will be forced to disconnect.
Enable | Un‐Checked by default. | Check the Enable box to activate the data usage profile.
7.1.2 SMS
Short Message Service (SMS) is a text messaging service which is widely used on mobile phones. It
uses standardized communications protocols to allow mobile phones or cellular devices to exchange short text
messages in an instant and convenient way.
SMS Setting
Go to Service > Cellular Toolkit > SMS tab
With this gateway device, you can send SMS text messages or browse received SMS messages as you usually
do on a cellular phone.
Setup SMS Configuration
Configuration
Item | Value setting | Description
Physical Interface | The box is 3G/4G‐1 by default | Choose a cellular interface (3G/4G‐1 or 3G/4G‐2) for the following SMS function configuration.
SMS | The box is checked by default | This is the SMS switch. If the box is checked, the SMS function is enabled; if the box is unchecked, the SMS function is disabled.
SIM Status | N/A | Depends on the current SIM status. The possible value will be SIM_A or SIM_B.
SMS Storage | The box is SIM Card Only by default | This is the SMS storage location. Currently the only option is SIM Card Only.
Save | N/A | Click the Save button to save the settings
SMS Summary
Shows Unread SMS, Received SMS and Remaining SMS, and lets you edit SMS context to send and read SMS from the SIM card.
SMS Summary
Item | Value setting | Description
Unread SMS | N/A | If the SIM card is inserted into the router for the first time, the unread SMS value is zero. When a new SMS is received but not read, this value is increased by one.
Received SMS | N/A | This value records the number of existing SMS on the SIM card. When a new SMS is received, this value is increased by one.
Remaining SMS | N/A | This value is the SMS capacity minus the received SMS. When a new SMS is received, this value is decreased by one.
New SMS | N/A | Click New SMS button, a New SMS screen appears. User can set the SMS setting from this screen. Refer to New SMS in the next page.
SMS Inbox | N/A | Click SMS Inbox button, a SMS Inbox List screen appears. User can read or delete SMS, reply SMS or forward SMS from this screen. Refer to SMS Inbox List in the next page.
Refresh | N/A | Click the Refresh button to update the SMS summary immediately.
New SMS
You can set the SMS setting from this screen.
New SMS
Item | Value setting | Description
Receivers | N/A | Write the receivers to send the SMS to. To send an SMS to a group, separate multiple receivers with semicolons.
Text Message | N/A | Write the SMS context to send. The router supports up to a maximum of 1023 characters for SMS context length.
Send | N/A | Click the Send button, above text message will be sent as a SMS.
Result | N/A | If SMS has been sent successfully, it will show Send OK, otherwise Send Failed will be displayed.
SMS Inbox List
You can read or delete SMS, reply SMS or forward SMS from this screen.
SMS Inbox List
Item | Value setting | Description
ID | N/A | The number of the SMS.
From Phone Number | N/A | The phone number the SMS came from.
Timestamp | N/A | The time the SMS was received.
SMS Text Preview | N/A | Preview the SMS text. Click the Detail button to read a certain message.
Action | The box is unchecked by default | Click the Detail button to read the SMS detail; Click the Reply / Forward button to reply/forward SMS. Besides, you can check the box(es), and then click the Delete button to delete the checked SMS(s).
Refresh | N/A | Refresh the SMS Inbox List.
Delete | N/A | Delete the SMS for all checked box from Action.
Close | N/A | Close the Detail SMS Message screen.
7.1.3 SIM PIN
In most cases, users need to insert a SIM card (a.k.a. UICC) into end devices to get on a cellular
network for voice service or data surfing. The SIM card is usually released by mobile operators or service
providers. Each SIM card has a unique number (so‐called ICCID) for network owners or service providers to
identify each subscriber. As the SIM card plays an important role between service providers and subscribers, some
security mechanisms are required on the SIM card to prevent any unauthorized access.
Enabling a PIN code in SIM card is an easy and effective way of protecting cellular devices from unauthorized
access. This gateway device allows you to activate and manage PIN code on a SIM card through its web GUI.
Activate PIN code on SIM Card
This gateway device allows you to activate PIN code on SIM card. This example shows how to activate PIN
code on SIM‐A for 3G/4G‐1 with default PIN code “0000”.
Change PIN code on SIM Card
This gateway device allows you to change PIN code on SIM card. Following the example above, you need to
type the original PIN code “0000”, and then type the new PIN code ‘1234’ if you would like to set the new PIN
code to ‘1234’. To confirm that the new PIN code you typed is what you want, you need to type the new PIN
code ‘1234’ again in Verified New PIN Code.
Unlock SIM card by PUK Code
If you enter an incorrect PIN code at the configuration page for 3G/4G‐1 WAN over three times, the SIM card
will be locked by PUK code. Then you have to call the service number to get a PUK code to unlock the SIM
card. In the diagram, the PUK code is “12345678” and the new PIN code is “5678”.
SIM PIN Setting
Go to Service > Cellular Toolkit > SIM PIN Tab
The SIM PIN Function window allows you to enable or disable SIM lock (which means protected by PIN
code), or change the PIN code. You can also see the remaining number of failed trials, as
mentioned earlier. If you run out of these trials, you need to get a PUK code to unlock the SIM card.
Select a SIM Card
Configuration Window
Item | Value setting | Description
Physical Interface | The box is 3G/4G‐1 by default | Choose a cellular interface (3G/4G‐1 or 3G/4G‐2) to change the SIM PIN setting for the selected SIM Card. The number of physical modems depends on the gateway model you purchased.
SIM Status | N/A | Indication for the selected SIM card and the SIM card status. The status could be Ready, Not Insert, or SIM PIN. Ready -- SIM card is inserted and ready to use. It can be a SIM card without PIN protection or that SIM card is already unlocked by correct PIN code. Not Insert -- No SIM card is inserted in that SIM slot. SIM PIN -- SIM card is protected by PIN code, and it’s not unlocked by a correct PIN code yet. That SIM card is still at locked status.
SIM Selection | N/A | Select the SIM card for further SIM PIN configuration. Press the Switch button, then the Gateway will switch SIM card to another one. After that, you can configure the SIM card.
Enable / Change PIN Code
Enable or Disable PIN code (password) function, and even change PIN code function.
SIM function Window
Item | Value setting | Description
SIM lock | Depend on SIM card | Click the Enable button to activate the SIM lock function. For the first time you want to enable the SIM lock function, you have to fill in the PIN code as well, and then click Save button to apply the setting.
Remaining times | Depend on SIM card | Represent the remaining trial times for the SIM PIN unlocking.
Save | N/A | Click the Save button to apply the setting.
Change PIN Code | N/A | Click the Change PIN code button to change the PIN code (password). If the SIM Lock function is not enabled, the Change PIN code button is disabled. In the case, if you still want to change the PIN code, you have to enable the SIM Lock function first, fill in the PIN code, and then click the Save button to enable. After that, you can click the Change PIN code button to change the PIN code.
When Change PIN Code button is clicked, the following screen will appear.
Item | Value Setting | Description
Current PIN Code | A Must filled setting | Fill in the current (old) PIN code of the SIM card.
New PIN Code | A Must filled setting | Fill in the new PIN Code you want to change.
Verified New PIN Code | A Must filled setting | Confirm the new PIN Code again.
Apply | N/A | Click the Apply button to change the PIN code with specified new PIN code.
Cancel | N/A | Click the Cancel button to cancel the changes and keep current PIN code.
Note: If you changed the PIN code for a certain SIM card, you must also change the corresponding PIN code
specified in the Basic Network > WAN & Uplink > Internet Setup > Connection with SIM Card page.
Otherwise, it may result in wrong SIM PIN trials with invalid (old) PIN code.
Unlock with a PUK Code
The PUK Function window is only available for configuration if the SIM card is locked by PUK code, which means the SIM card is locked and needs an additional PUK code to unlock it. This usually happens after too many incorrect PIN attempts, when the remaining times in the SIM Function table drops to 0. In this situation, contact your service provider, request a PUK code for your SIM card, and unlock the locked SIM card with the provided PUK code. After a SIM card is successfully unlocked by PUK code, the SIM lock function is activated automatically.
PUK Function Window
Item | Value setting | Description
PUK status | PUK Unlock / PUK Lock | Indication for the PUK status. The status could be PUK Lock or PUK Unlock. As mentioned earlier, the SIM card will be locked by PUK code after too many failed PIN code attempts. In this case, the PUK Status will turn to PUK Lock. In a normal situation, it will display PUK Unlock.
Remaining times | Depend on SIM card | Represent the remaining trial times for the PUK unlocking. Note: DO NOT let the remaining times drop to zero; it will damage the SIM card FOREVER! Call your ISP for help to get a correct PUK and unlock the SIM if you don’t have the PUK code.
PUK Code | A Must filled setting | Fill in the PUK code (8 digits) that can unlock the SIM card in PUK unlock status.
New PIN Code | A Must filled setting | Fill in the New PIN Code (4~8 digits) for the SIM card. You have to determine your new PIN code to replace the old, forgotten one. Keep the PIN code (password) in mind with care.
Save | N/A | Click the Save button to apply the setting.
Note: If you changed the PUK code and PIN code for a certain SIM card, you must also change the
corresponding PIN code specified in the Basic Network > WAN & Uplink > Internet Setup > Connection with
SIM Card page. Otherwise, it may result in wrong SIM PIN trials with invalid (old) PIN code.
7.1.4 USSD
Unstructured Supplementary Service Data (USSD) is a protocol used by GSM cellular telephones to
communicate with the service provider's computers. USSD can be used for WAP browsing, prepaid callback
service, mobile‐money services, location‐based content services, menu‐based information services, and as
part of configuring the phone on the network.
A USSD message is up to 182 alphanumeric characters in length. Unlike Short Message Service (SMS) messages, USSD messages create a real‐time connection during a USSD session. The connection remains open, allowing a two‐way exchange of a sequence of data. This makes USSD more responsive than services that use SMS.
USSD Scenario
USSD allows you to have instant bi‐directional communication with the carrier/ISP. In the diagram, the USSD command ‘*135#’ refers to data roaming services. After sending that USSD command to the carrier, you get a response in the USSD Response window. Please note that USSD commands vary between carriers/ISPs.
USSD Setting
Go to Service > Cellular Toolkit > USSD tab.
The "USSD" page has four windows for the USSD function. The "Configuration" window lets you specify which 3G/4G module (physical interface) is used for the USSD function, and the system shows which SIM card in the module is currently in use. The second window, the "USSD Profile List", shows all your defined USSD profiles, which store pre‐commands for activating a USSD session. The "Add" button in this window lets you add a new USSD profile and define its command in the third window, the "USSD Profile Configuration". To start a USSD session with the USSD server, select the USSD profile or type in the correct pre‐command, and then click the "Send" button. The responses from the USSD server are displayed beneath the "USSD Command" line. When commands typed in the "USSD Command" field are sent, the received responses are displayed in the "USSD Response" blank space. The user can communicate with the USSD server by sending USSD commands and getting USSD responses via the gateway.
USSD Configuration
Configuration
Item | Value setting | Description
Physical Interface | The box is 3G/4G‐1 by default. | Choose a cellular interface (3G/4G‐1 or 3G/4G‐2) to configure the USSD setting for the connected cellular service (identified with SIM_A or SIM_B).
SIM Status | N/A | Show the connected cellular service (identified with SIM_A or SIM_B).
Create / Edit USSD Profile
The cellular gateway allows you to customize your USSD profiles. It supports up to a maximum of 35 USSD profiles.
When the Add button is applied, the USSD Profile Configuration screen will appear.
USSD Profile Configuration
Item | Value setting | Description
Profile Name | N/A | Enter a name for the USSD profile.
USSD Command | N/A | Enter the USSD command defined for the profile. Normally, it is a command string composed with numeric keypad “0~9”, “*”, and “#”. The USSD commands are highly related to the cellular service, please check with your service provider for the details.
Comments | N/A | Enter a brief comment for the profile.
Send USSD Request
When you send the USSD command, the USSD Response screen will appear.
When you click the Clear button, the USSD Response will disappear.
USSD Request
Item | Value setting | Description
USSD Profile | N/A | Select a USSD profile name from the dropdown list.
USSD Command | N/A | The USSD Command string of the selected profile will be shown here.
USSD Response | N/A | Click the Send button to send the USSD command, and the USSD Response screen will appear. You will see the response message of the corresponding service, receive the service SMS.
7.1.5 Network Scan
The "Network Scan" function lets the administrator specify how the device connects to the mobile system for data communication on each 3G/4G interface. For example, the administrator can specify which generation of mobile system is used for connection: 2G, 3G or LTE. Moreover, the administrator can define the connection sequence the gateway device uses to connect to the mobile system automatically. The administrator can also manually scan the mobile systems in the air, select the target operator system and apply it. The manual scanning approach is used for problem diagnosis.
Network Scan Setting
Go to Service > Cellular Toolkit > Network Scan tab.
The "Network Scan" page has two windows for the Network Scan function. The "Configuration" window lets you select which 3G/4G module (physical interface) is used to perform the Network Scan, and the system shows the SIM card currently used in the module. You can configure each 3G/4G WAN interface by executing the network scanning one after another. You can also specify the connection sequence of the targeted generation of mobile system, 2G/3G/LTE.
Network Scan Configuration
Configuration
Item | Value setting | Description
Physical Interface | The box is 3G/4G‐1 by default | Choose a cellular interface (3G/4G‐1 or 3G/4G‐2) for the network scan function. Note: 3G/4G‐2 is only available for the product with dual cellular module.
SIM Status | N/A | Show the connected cellular service (identified with SIM_A or SIM_B).
Network Type | Auto is selected by default. | Specify the network type for the network scan function. It can be Auto, 2G Only, 2G prefer, 3G Only, 3G prefer, or LTE Only. When Auto is selected, the network will be registered automatically; if the prefer option is selected, the network will be registered for your option first; if the only option is selected, the network will be registered for your option only.
Scan Approach | Auto is selected by default. | When Auto is selected, the cellular module registers automatically. If the Manually option is selected, a Network Provider List screen appears. Press the Scan button to scan for the nearest base stations. Select (check the box) the preferred base stations, then click the Apply button to apply the settings.
Save | N/A | Click Save to save the settings
The second window is the "Network Provider List" window; it appears when the Manually Scan Approach is selected in the Configuration window. Click the "Scan" button and wait for 1 to 3 minutes; the mobile operator systems found will be displayed for you to choose. Then click the "Apply" button to make the system connect to that mobile operator system for the dedicated 3G/4G interface.
Chapter 8 Status
8.1 Dashboard (not supported)
Not supported feature for the purchased product, leave it as blank.
8.2 Basic Network
8.2.1 WAN & Uplink Status
Go to Status > Basic Network > WAN & Uplink tab.
The WAN & Uplink Status window shows the current status for different network types, including network configuration, connecting information, modem status and traffic statistics. The display is refreshed every five seconds.
WAN interface IPv4 Network Status
WAN interface IPv4 Network Status screen shows status information for IPv4 network.
WAN interface IPv4 Network Status
Item | Value setting | Description
ID | N/A | It displays corresponding WAN interface WAN IDs.
Interface | N/A | It displays the type of WAN physical interface. Depending on the model purchased, it can be Ethernet, 3G/4G, etc...
WAN Type | N/A | It displays the method which public IP address is obtained from your ISP. Depending on the model purchased, it can be Static IP, Dynamic IP, PPPoE, PPTP, L2TP, 3G/4G.
Network Type | N/A | It displays the network type for the WAN interface(s). Depending on the model purchased, it can be NAT, Routing, Bridge, or IP Pass‐through.
IP Addr. | N/A | It displays the public IP address obtained from your ISP for Internet connection. Default value is 0.0.0.0 if left unconfigured.
Subnet Mask | N/A | It displays the Subnet Mask for public IP address obtained from your ISP for Internet connection. Default value is 0.0.0.0 if left unconfigured.
Gateway | N/A | It displays the Gateway IP address obtained from your ISP for Internet connection. Default value is 0.0.0.0 if left unconfigured.
DNS | N/A | It displays the IP address of DNS server obtained from your ISP for Internet connection. Default value is 0.0.0.0 if left unconfigured.
MAC Address | N/A | It displays the MAC Address for your ISP to allow you for Internet access. Note: Not all ISP may require this field.
Conn. Status | N/A | It displays the connection status of the device to your ISP. Status are Connected or disconnected.
Action | N/A | This area provides functional buttons. Renew button allows user to force the device to request an IP address from the DHCP server. Note: Renew button is available when DHCP WAN Type is used and WAN connection is disconnected. Release button allows user to force the device to clear its IP address setting to disconnect from DHCP server. Note: Release button is available when DHCP WAN Type is used and WAN connection is connected. Connect button allows user to manually connect the device to the Internet. Note: Connect button is available when Connection Control in WAN Type setting is set to Connect Manually (Refer to Edit button in Basic Network > WAN & Uplink > Internet Setup) and WAN connection status is disconnected. Disconnect button allows user to manually disconnect the device from the Internet. Note: Connect button is available when Connection Control in WAN Type setting is set to Connect Manually (Refer to Edit button in Basic Network > WAN & Uplink > Internet Setup) and WAN connection status is connected.
WAN interface IPv6 Network Status
WAN interface IPv6 Network Status screen shows status information for IPv6 network.
WAN interface IPv6 Network Status
Item | Value setting | Description
ID | N/A | It displays corresponding WAN interface WAN IDs.
Interface | N/A | It displays the type of WAN physical interface. Depending on the model purchased, it can be Ethernet, 3G/4G, etc...
WAN Type | N/A | It displays the method which public IP address is obtained from your ISP. WAN type setting can be changed from Basic Network > IPv6 > Configuration.
Link‐local IP Address | N/A | It displays the LAN IPv6 Link‐Local address.
Global IP Address | N/A | It displays the IPv6 global IP address assigned by your ISP for your Internet connection.
Conn. Status | N/A | It displays the connection status. The status can be connected, disconnected and connecting.
Action | N/A | This area provides functional buttons. Edit Button when pressed, web‐based utility will take you to the IPv6 configuration page. (Basic Network > IPv6 > Configuration.)
LAN Interface Network Status
LAN Interface Network Status screen shows IPv4 and IPv6 information of LAN network.
LAN Interface Network Status
Item | Value setting | Description
IPv4 Address | N/A | It displays the current IPv4 IP Address of the gateway. This is also the IP Address user use to access Router’s Web‐based Utility.
IPv4 Subnet Mask | N/A | It displays the current mask of the subnet.
IPv6 Link‐local Address | N/A | It displays the current LAN IPv6 Link‐Local address. This is also the IPv6 IP Address user use to access Router’s Web‐based Utility.
IPv6 Global Address | N/A | It displays the current IPv6 global IP address assigned by your ISP for your Internet connection.
MAC Address | N/A | It displays the LAN MAC Address of the gateway.
Action | N/A | This area provides functional buttons. Edit IPv4 Button when press, web‐based utility will take you to the Ethernet LAN configuration page. (Basic Network > LAN & VLAN > Ethernet LAN tab). Edit IPv6 Button when press, web‐based utility will take you to the IPv6 configuration page. (Basic Network > IPv6 > Configuration.)
3G/4G Modem Status
3G/4G Modem Status List screen shows status information for 3G/4G WAN network(s).
3G/4G Modem Status List
Item | Value setting | Description
Physical Interface | N/A | It displays the type of WAN physical interface. Note: Some device model may support two 3G/4G modules. Their physical interface name will be 3G/4G‐1 and 3G/4G‐2.
Card Information | N/A | It displays the vendor’s 3G/4G modem model name.
Link Status | N/A | It displays the 3G/4G connection status. The status can be Connecting, Connected, Disconnecting, and Disconnected.
Signal Strength | N/A | It displays the 3G/4G wireless signal level.
Network Name | N/A | It displays the name of the service network carrier.
Refresh | N/A | Click the Refresh button to renew the information.
Action | N/A | This area provides functional buttons. Detail Button when press, windows of detail information will appear. They are the Modem Information, SIM Status, and Service Information. Refer to next page for more.
When the Detail button is pressed, 3G/4G modem information windows such as Modem Information, SIM
Status, Service Information, Signal Strength / Quality, and Error Message will appear.
Interface Traffic Statistics
Interface Traffic Statistics screen displays the Interface’s total transmitted packets.
Interface Traffic Statistics
Item | Value setting | Description
ID | N/A | It displays corresponding WAN interface WAN IDs.
Interface | N/A | It displays the type of WAN physical interface. Depending on the model purchased, it can be Ethernet, 3G/4G, etc…
Received Packets (Mb) | N/A | It displays the downstream packets (Mb). It is reset when the device is rebooted.
Transmitted Packets (Mb) | N/A | It displays the upstream packets (Mb). It is reset when the device is rebooted.
8.2.2 LAN & VLAN Status
Go to Status > Basic Network > LAN & VLAN tab.
Client List
The Client List shows you the LAN Interface, IP address, Host Name, MAC Address, and Remaining Lease Time
of each device that is connected to this gateway.
LAN Client List
Item | Value setting | Description
LAN Interface | N/A | Client record of LAN Interface. String Format.
IP Address | N/A | Client record of IP Address Type and the IP Address. Type is String Format and the IP Address is IPv4 Format.
Host Name | N/A | Client record of Host Name. String Format.
MAC Address | N/A | Client record of MAC Address. MAC Address Format.
Remaining Lease Time | N/A | Client record of Remaining Lease Time. Time Format.
8.2.3 WiFi Status (not supported)
Not supported feature for the purchased product, leave it as blank.
8.2.4 DDNS Status
Go to Status > Basic Network > DDNS tab.
The DDNS Status window shows the current DDNS service in use, the last update status, and the last update
time to the DDNS service server.
DDNS Status
DDNS Status
Item | Value Setting | Description
Host Name | N/A | It displays the name you entered to identify DDNS service provider
Provider | N/A | It displays the DDNS server of DDNS service provider
Effective IP | N/A | It displays the public IP address of the device updated to the DDNS server
Last Update Status | N/A | It displays whether the last update of the device public IP address to the DDNS server has been successful (Ok) or failed (Fail).
Last Update Time | N/A | It displays time stamp of the last update of public IP address to the DDNS server.
Refresh | N/A | The refresh button allows user to force the display to refresh information.
8.3 Security
8.3.1 VPN Status
Go to Status > Security > VPN tab.
The VPN Status window shows the overall VPN tunnel status. The display is refreshed every five seconds.
IPSec Tunnel Status
IPSec Tunnel Status windows show the configuration for establishing IPSec VPN connection and current
connection status.
IPSec Tunnel Status
Item | Value setting | Description
Tunnel Name | N/A | It displays the tunnel name you have entered to identify.
Tunnel Scenario | N/A | It displays the Tunnel Scenario specified.
Local Subnets | N/A | It displays the Local Subnets specified.
Remote IP/FQDN | N/A | It displays the Remote IP/FQDN specified.
Remote Subnets | N/A | It displays the Remote Subnets specified.
Conn. Time | N/A | It displays the connection time for the IPSec tunnel.
Status | N/A | It displays the Status of the VPN connection. The status displays are Connected, Disconnected, Wait for traffic, and Connecting.
Edit Button | N/A | Click on Edit Button to change IPSec setting, web‐based utility will take you to the IPSec configuration page. (Security > VPN > IPSec tab)
OpenVPN Client Status
OpenVPN Client Status
Item | Value setting | Description
OpenVPN Client Name | N/A | It displays the Client name you have entered for identification.
Interface | N/A | It displays the WAN interface specified for the OpenVPN client connection.
Remote IP/FQDN | N/A | It displays the peer OpenVPN Server’s Public IP address (the WAN IP address) or FQDN.
Remote Subnet | N/A | It displays the Remote Subnet specified.
TUN/TAP Read(bytes) | N/A | It displays the TUN/TAP Read Bytes of OpenVPN Client.
TUN/TAP Write(bytes) | N/A | It displays the TUN/TAP Write Bytes of OpenVPN Client.
TCP/UDP Read(bytes) | N/A | It displays the TCP/UDP Read Bytes of OpenVPN Client.
TCP/UDP Write(bytes) | N/A | It displays the TCP/UDP Write Bytes of OpenVPN Client.
Conn. Time | N/A | It displays the connection time for the corresponding OpenVPN tunnel.
Conn. Status | N/A | It displays the connection status of the corresponding OpenVPN tunnel. The status can be Connected, or Disconnected.
L2TP Client Status
L2TP Client Status shows the configuration for establishing the L2TP tunnel and the current connection status.
L2TP Client Status
Item | Value setting | Description
Client Name | N/A | It displays Name for the L2TP Client specified.
Interface | N/A | It displays the WAN interface with which the gateway will use to request PPTP tunneling connection to the PPTP server.
Virtual IP | N/A | It displays the IP address assigned by Virtual IP server of L2TP server.
Remote IP/FQDN | N/A | It displays the L2TP Server’s Public IP address (the WAN IP address) or FQDN.
Default Gateway/Remote Subnet | N/A | It displays the specified IP address of the gateway device used to connect to the internet to connect to the L2TP server –the default gateway. Or other specified subnet if the default gateway is not used to connect to the L2TP server –the remote subnet.
Conn. Time | N/A | It displays the connection time for the L2TP tunnel.
Status | N/A | It displays the Status of the VPN connection. The status displays Connected, Disconnect, and Connecting.
Edit | N/A | Click on Edit Button to change L2TP client setting, web‐based utility will take you to the L2TP client page. (Security > VPN > L2TP tab)
PPTP Client Status
PPTP Client Status shows the configuration for establishing PPTP tunnel and current connection status.
PPTP Client Status
Item | Value setting | Description
Client Name | N/A | It displays Name for the PPTP Client specified.
Interface | N/A | It displays the WAN interface with which the gateway will use to request PPTP tunneling connection to the PPTP server.
Virtual IP | N/A | It displays the IP address assigned by Virtual IP server of PPTP server.
Remote IP/FQDN | N/A | It displays the PPTP Server’s Public IP address (the WAN IP address) or FQDN.
Default Gateway / Remote Subnet | N/A | It displays the specified IP address of the gateway device used to connect to the internet to connect to the PPTP server –the default gateway. Or other specified subnet if the default gateway is not used to connect to the PPTP server –the remote subnet.
Conn. Time | N/A | It displays the connection time for the PPTP tunnel.
Status | N/A | It displays the Status of the VPN connection. The status displays Connected, Disconnect, and Connecting.
Edit Button | N/A | Click on Edit Button to change PPTP client setting, web‐based utility will take you to the PPTP server page. (Security > VPN > PPTP tab)
8.3.2 Firewall Status
Go to Status > Security > Firewall Status Tab.
The Firewall Status provides a quick view of the firewall status and current firewall settings. It also keeps the log history of the packets dropped by the firewall rule policies, and includes the administrator remote login settings specified in the Firewall Options.
Clicking the icon [+] expands the status table to display the log history. Clicking the Edit button switches the screen to the configuration page.
Packet Filter Status
Packet Filter Status
Item | Value setting | Description
Activated Filter Rule | N/A | This is the Packet Filter Rule name.
Detected Contents | N/A | This is the logged packet information, including the source IP, destination IP, protocol, and destination port –the TCP or UDP. String format: Source IP to Destination IP : Destination Protocol (TCP or UDP)
IP | N/A | The Source IP (IPv4) of the logged packet.
Time | N/A | The Date and Time stamp of the logged packet. Date & time format. ("Month" "Day" "Hours":"Minutes":"Seconds")
Note: Ensure Packet Filter Log Alert is enabled.
Refer to Security > Firewall > Packet Filter tab. Check Log Alert and save the setting.
URL Blocking Status
URL Blocking Status
Item | Value setting | Description
Activated Blocking Rule | N/A | This is the URL Blocking Rule name.
Blocked URL | N/A | This is the logged packet information.
IP | N/A | The Source IP (IPv4) of the logged packet.
Time | N/A | The Date and Time stamp of the logged packet. Date & time format. ("Month" "Day" "Hours":"Minutes":"Seconds")
Note: Ensure URL Blocking Log Alert is enabled.
Refer to Security > Firewall > URL Blocking tab. Check Log Alert and save the setting.
Web Content Filter Status
Web Content Filter Status
Item | Value setting | Description
Activated Filter Rule | N/A | Logged packet of the rule name. String format.
Detected Contents | N/A | Logged packet of the filter rule. String format.
IP | N/A | Logged packet of the Source IP. IPv4 format.
Time | N/A | Logged packet of the Date Time. Date time format ("Month" "Day" "Hours":"Minutes":"Seconds")
Note: Ensure Web Content Filter Log Alert is enabled.
Refer to Security > Firewall > Web Content Filter tab. Check Log Alert and save the setting.
MAC Control Status
MAC Control Status
Item | Value setting | Description
Activated Control Rule | N/A | This is the MAC Control Rule name.
Blocked MAC Addresses | N/A | This is the MAC address of the logged packet.
IP | N/A | The Source IP (IPv4) of the logged packet.
Time | N/A | The Date and Time stamp of the logged packet. Date & time format. ("Month" "Day" "Hours":"Minutes":"Seconds")
Note: Ensure MAC Control Log Alert is enabled.
Refer to Security > Firewall > MAC Control tab. Check Log Alert and save the setting.
Application Filters Status
Application Filters Status
Item | Value setting | Description
Filtered Application Category | N/A | The name of the Application Category being blocked.
Filtered Application Name | N/A | The name of the Application being blocked.
IP | N/A | The Source IP (IPv4) of the logged packet.
Time | N/A | The Date and Time stamp of the logged packet. Date & time format. ("Month" "Day" "Hours":"Minutes":"Seconds")
Note: Ensure Application Filter Log Alert is enabled.
Refer to Security > Firewall > Application Filter tab. Check Log Alert and save the setting.
IPS Status
IPS Firewall Status
Item | Value setting | Description
Detected Intrusion | N/A | This is the intrusion type of the packets being blocked.
IP | N/A | The Source IP (IPv4) of the logged packet.
Time | N/A | The Date and Time stamp of the logged packet. Date & time format. ("Month" "Day" "Hours":"Minutes":"Seconds")
Note: Ensure IPS Log Alert is enabled.
Refer to Security > Firewall > IPS tab. Check Log Alert and save the setting.
Firewall Options Status
Firewall Options Status
Item | Value setting | Description
Stealth Mode | N/A | Enable or Disable setting status of Stealth Mode on Firewall Options. String Format: Disable or Enable
SPI | N/A | Enable or Disable setting status of SPI on Firewall Options. String Format: Disable or Enable
Discard Ping from WAN | N/A | Enable or Disable setting status of Discard Ping from WAN on Firewall Options. String Format: Disable or Enable
Remote Administrator Management | N/A | Enable or Disable setting status of Remote Administrator. If Remote Administrator is enabled, it shows the currently logged in administrator’s source IP address and login user name and the login time. Format: IP : "Source IP", User Name: "Login User Name", Time: "Date time". Example: IP: 192.168.127.39, User Name: admin, Time: Mar 3 01:34:13
Note: Ensure Firewall Options Log Alert is enabled.
Refer to Security > Firewall > Options tab. Check Log Alert and save the setting.
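The Remote Administrator Management status line described above has a fixed format, so it can be checked automatically. The following is an added example, not code from this manual or from the vendor: it parses lines in that format and flags administrator logins whose source address lies outside an allow-list of management subnets. The sample lines other than the manual's own example, the allow-list, and the year (the status line carries none) are assumptions.

```python
import ipaddress
import re
from datetime import datetime

# Status line format from the Firewall Options Status table:
#   IP : "Source IP", User Name: "Login User Name", Time: "Date time"
STATUS_RE = re.compile(
    r"^\s*IP\s*:\s*(?P<ip>[0-9.]+)\s*,\s*"
    r"User Name\s*:\s*(?P<user>[^,]+?)\s*,\s*"
    r"Time\s*:\s*(?P<time>[A-Za-z]{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s*$"
)

# The first line is the manual's own example; the other two are constructed.
SAMPLE_LINES = [
    "IP: 192.168.127.39, User Name: admin, Time: Mar 3 01:34:13",
    "IP: 203.0.113.7, User Name: admin, Time: Mar  3 02:10:55",  # constructed
    "IP: 999.1.1.1, User Name: admin, Time: Mar 3 02:11:00",     # constructed, invalid IP
]


def parse_admin_status(line, year):
    """Parse one status line; return a dict, or None if it does not match.

    The line has no year, so the caller supplies one (an assumption).
    """
    m = STATUS_RE.match(line)
    if m is None:
        return None
    try:
        source = ipaddress.IPv4Address(m.group("ip"))
        # Collapse repeated spaces ("Mar  3") before parsing the timestamp.
        stamp = " ".join(m.group("time").split())
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    except ValueError:
        return None
    return {"ip": source, "user": m.group("user"), "time": when}


def review_admin_logins(lines, allowed_nets, year):
    """Return (reason, line) findings for lines that need an operator's attention."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    findings = []
    for line in lines:
        rec = parse_admin_status(line, year)
        if rec is None:
            # Never drop an unparseable line silently: it may hide a login.
            findings.append(("unparsed", line))
        elif not any(rec["ip"] in net for net in nets):
            findings.append(("outside-allowlist", line))
    return findings


if __name__ == "__main__":
    # Allow-list and year are assumed values for this illustration.
    for reason, line in review_admin_logins(SAMPLE_LINES, ["192.168.127.0/24"], 2018):
        print(f"{reason}: {line}")
```

Replace the allow-list with the subnets from which remote administration is actually expected, and feed the function the status lines collected from the gateway.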
8.4 Administration
8.4.1 Configure & Manage Status
Go to Status > Administration > Configure & Manage tab.
The Configure & Manage Status window shows the status for managing remote network devices. The type of management available in your device depends on the device model purchased. The commonly used ones are SNMP, TR‐069, and UPnP.
SNMP Linking Status
SNMP Link Status screen shows the status of current active SNMP connections.
SNMP Link Status
Item | Value setting | Description
User Name | N/A | It displays the user name for authentication. This is only available for SNMP version 3.
IP Address | N/A | It displays the IP address of SNMP manager.
Port | N/A | It displays the port number used to maintain connection with the SNMP manager.
Community | N/A | It displays the community for SNMP version 1 or version 2c only.
Auth. Mode | N/A | It displays the authentication method for SNMP version 3 only.
Privacy Mode | N/A | It displays the privacy mode for version 3 only.
SNMP Version | N/A | It displays the SNMP Version employed.
SNMP Trap Information
SNMP Trap Information screen shows the status of current received SNMP traps.
SNMP Trap Information
Item | Value setting | Description
Trap Level | N/A | It displays the trap level.
Time | N/A | It displays the timestamp of trap event.
Trap Event | N/A | It displays the IP address of the trap sender and event type.
TR‐069 Status
TR‐069 Status screen shows the current connection status with the TR‐069 server.
TR‐069 Status
Item | Value setting | Description
Link Status | N/A | It displays the current connection status with the TR‐069 server. The connection status is either On when the device is connected with the TR‐069 server or Off when disconnected.
8.5 Statistics & Report
8.5.1 Connection Session
Go to Status > Statistics & Reports > Connection Session tab.
Internet Surfing Statistic shows the connection tracks on this router.
Internet Surfing Statistic
Item | Value setting | Description
Previous | N/A | Click the Previous button; you will see the previous page of track list.
Next | N/A | Click the Next button; you will see the next page of track list.
First | N/A | Click the First button; you will see the first page of track list.
Last | N/A | Click the Last button; you will see the last page of track list.
Export (.xml) | N/A | Click the Export (.xml) button to export the list to xml file.
Export (.csv) | N/A | Click the Export (.csv) button to export the list to csv file.
Refresh | N/A | Click the Refresh button to refresh the list.
8.5.2 Network Traffic (not supported)
Not supported feature for the purchased product, leave it as blank.
8.5.3 Device Administration
Go to Status > Statistics & Reports > Device Administration tab.
Device Administration shows the login information.
Device Manager Login Statistic
Item | Value setting | Description
Previous | N/A | Click the Previous button; you will see the previous page of login statistics.
Next | N/A | Click the Next button; you will see the next page of login statistics.
First | N/A | Click the First button; you will see the first page of login statistics.
Last | N/A | Click the Last button; you will see the last page of login statistics.
Export (.xml) | N/A | Click the Export (.xml) button to export the login statistics to xml file.
Export (.csv) | N/A | Click the Export (.csv) button to export the login statistics to csv file.
Refresh | N/A | Click the Refresh button to refresh the login statistics.
8.5.4 Cellular Usage
Go to Status > Statistics & Reports > Cellular Usage tab.
Cellular Usage screen shows data usage statistics for the selected cellular interface. The cellular data usage
can be accumulated per hour or per day.
Appendix A GPL WRITTEN OFFER
This product incorporates open source software components covered by the terms of third party copyright notices
and license agreements contained below.
GPSBabel
Version 1.4.4
Copyright (C) 2002-2005 Robert Lipe
GPL License: https://www.gpsbabel.org/
Curl
Version 7.19.6
Copyright (c) 1996-2009, Daniel Stenberg, .
MIT/X derivate License: https://curl.haxx.se/
OpenSSL
Version 1.0.2c
Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
GPL License: https://www.openssl.org/
brctl - ethernet bridge administration
Stephen Hemminger 
Lennert Buytenhek 
version 1.1
GNU GENERAL PUBLIC LICENSE Version 2, June 1991
tc - show / manipulate traffic control settings
Stephen Hemminger
Alexey Kuznetsov
version iproute2-ss050330
GNU GENERAL PUBLIC LICENSE Version 2, June 1991
dhcp-fwd — starts the DHCP forwarding agent
Enrico Scholz 
version 0.7
GNU GENERAL PUBLIC LICENSE Version 2, June 1991
lftp - Sophisticated file transfer program
Alexander V. Lukyanov 
version:4.5.x
Copyright (c) 1996-2014 by Alexander V. Lukyanov (lav@yars.free.net)
dnsmasq - A lightweight DHCP and caching DNS server.
Simon Kelley 
version:2.72
dnsmasq is Copyright (c) 2000-2014 Simon Kelley
socat - Multipurpose relay
Version: 2.0.0-b8
GPLv2
http://www.dest-unreach.org/socat/
LibModbus
Version: 3.0.3
LGPL v2
http://libmodbus.org/news/
LibIEC60870
GPLv2
Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
https://sourceforge.net/projects/mrts/
Openswan
Version: v2.6.38
GNU GENERAL PUBLIC LICENSE Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
https://www.openswan.org/
Opennhrp
Version: v0.14.1
OpenNHRP is an NHRP implementation for Linux. It has most of the RFC2332
and Cisco IOS extensions.
Project homepage: http://sourceforge.net/projects/opennhrp
Git repository: git://opennhrp.git.sourceforge.net/gitroot/opennhrp
LICENSE
OpenNHRP is licensed under the MIT License. See MIT-LICENSE.txt for
additional details.
OpenNHRP embeds libev. libev is dual licensed with 2-clause BSD and
GPLv2+ licenses. See libev/LICENSE for additional details.
OpenNHRP links to c-ares. c-ares is licensed under the MIT License.
https://sourceforge.net/projects/opennhrp/
IPSec-tools
Version: v0.8
No GPL be written
http://ipsec-tools.sourceforge.net/
PPTP
Version: pptp-1.7.1
GNU GENERAL PUBLIC LICENSE Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc. 675 Mass Ave, Cambridge, MA 02139, USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
http://pptpclient.sourceforge.net/
PPTPServ
Version: 1.3.4
GNU GENERAL PUBLIC LICENSE Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc. 675 Mass Ave, Cambridge, MA 02139, USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
http://poptop.sourceforge.net/
L2TP
Version: 0.4
Copying All software included in this package is Copyright 2002 Roaring
Penguin Software Inc. You may distribute it under the terms of the
GNU General Public License (the "GPL"), Version 2, or (at your option)
any later version.
http://www.roaringpenguin.com/
L2TPServ
Version: v 1.3.1
GNU GENERAL PUBLIC LICENSE Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
http://www.xelerance.com/software/xl2tpd/
Mpstat: from sysstat, system performance tools for Linux
Version: 10.1.6
Copyright: (C) 1999-2013 by Sebastien Godard (sysstat  orange.fr)
SSHD: dropbear, a SSH2 server
Version: 0.53.1
Copyright: (c) 2002-2008 Matt Johnston
Libncurses: The ncurses (new curses) library is a free software emulation of curses in System V Release 4.0
(SVr4), and more.
Version: 5.9
Copyright: (c) 1998,2000,2004,2005,2006,2008,2011,2015 Free Software Foundation, Inc., 51 Franklin Street,
Boston, MA 02110-1301, USA
MiniUPnP: The miniUPnP daemon is an UPnP IGD (internet gateway device) which provide NAT traversal
services to any UPnP enabled client on the network.
Version: 1.7
Copyright: (c) 2006-2011, Thomas BERNARD
CoovaChilli is an open-source software access controller for captive portal (UAM) and 802.1X access
provisioning.
Version: 1.3.0
Copyright: (C) 2007-2012 David Bird (Coova Technologies) 
Krb5: Kerberos is a network authentication protocol. It is designed to provide strong authentication for
client/server applications by using secret-key cryptography.
Version: 1.11.3
Copyright: (C) 1985-2013 by the Massachusetts Institute of Technology and its contributors
OpenLDAP: a suite of the Lightweight Directory Access Protocol (v3) servers, clients, utilities, and
development tools.
Version: 2.4
Copyright: 1998-2014 The OpenLDAP Foundation
Samba3311: the free SMB and CIFS client and server for UNIX and other operating systems
Version: 3.3.11
Copyright: (C) 2007 Free Software Foundation, Inc. 
NTPClient: an NTP (RFC-1305, RFC-4330) client for unix-alike computers
Version: 2007_365
Copyright: 1997, 1999, 2000, 2003, 2006, 2007 Larry Doolittle
exFAT: FUSE-based exFAT implementation
Version: 0.9.8
Copyright: (C) 2010-2012 Andrew Nayenko
ONTFS_3G: The NTFS-3G driver is an open source, freely available read/write NTFS driver for Linux,
FreeBSD, Mac OS X, NetBSD, Solaris and Haiku.
Version: 2009.4.4
Copyright: (C) 1989, 1991 Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
mysql-5_1_72: a release of MySQL, a dual-license SQL database server
Version: 5.1.72
Copyright: (c) 2000, 2013, Oracle and/or its affiliates
FreeRadius: a high performance and highly configurable RADIUS server
Version: 2.1.12
Copyright: (C) 1999-2011 The FreeRADIUS server project and contributors
Linux IPv6 Router Advertisement Daemon – radvd
Version: V 1.15
Copyright (c) 1996,1997 by Lars Fenneberg
BSD License: http://www.litech.org/radvd/
WIDE-DHCPv6
Dynamic Host Configuration Protocol for IPv6 (DHCPv6) clients, servers, and relay agents.
Version: 20080615
Copyright (C) 1998-2004 WIDE Project.
BSD License: https://sourceforge.net/projects/wide-dhcpv6/
Federal Communication Commission Interference Statement
This device complies with Part 15 of the FCC Rules. Operation is subject to
the following two conditions: (1) This device may not cause harmful
interference, and (2) this device must accept any interference received,
including interference that may cause undesired operation.
This equipment has been tested and found to comply with the limits for a
Class B digital device, pursuant to Part 15 of the FCC Rules. These limits
are designed to provide reasonable protection against harmful interference in a
residential installation. This equipment generates, uses and can radiate radio
frequency energy and, if not installed and used in accordance with the
instructions, may cause harmful interference to radio communications.
However, there is no guarantee that interference will not occur in a particular
installation. If this equipment does cause harmful interference to radio or
television reception, which can be determined by turning the equipment off
and on, the user is encouraged to try to correct the interference by one of the
following measures:
- Reorient or relocate the receiving antenna.
- Increase the separation between the equipment and receiver.
- Connect the equipment into an outlet on a circuit different from that
to which the receiver is connected.
- Consult the dealer or an experienced radio/TV technician for help.
FCC Caution: Any changes or modifications not expressly approved by the
party responsible for compliance could void the user's authority to operate this
equipment.
This transmitter must not be co-located or operating in conjunction with any
other antenna or transmitter.
FOR MOBILE DEVICE USAGE (>20cm/low power)
Radiation Exposure Statement:
This equipment complies with FCC radiation exposure limits set forth for an
uncontrolled environment. This equipment should be installed and operated
with minimum distance 20cm between the radiator & your body.
FCC ID Filing: PBLISL500001
