Cradlepoint_AER1600_Manual_5 Cradlepoint AER1600 Manual 5
User Manual: Pdf Cradlepoint_AER1600_Manual_5
Open the PDF directly: View PDF 
.
Page Count: 98
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 1
User Manual / AER1600/AER1650 10/30/17
AER Series
Router
AER1600 / AER1650
User Manual
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 2
User Manual / AER1600/AER1650 10/30/17
TABLE OF CONTENTS
INTRODUCTION 4
WHAT’S IN THE BOX 4
KEY FEATURES 4
WAN 4
LAN 4
WIFI (ONLY ON AER1600) 5
MANAGEMENT 5
VPN AND ROUTING 5
SECURITY 6
CLOUD OPTIMIZED IP COMMUNICATIONS 6
SPECIFICATIONS 6
ACCESSORIES 7
BUSINESS-GRADE MODEM SPECIFICATIONS 8
HARDWARE 13
LEDS 14
SUPPORT AND WARRANTY 15
QUICK START 16
BASIC SETUP 16
ACCESSING THE ADMINISTRATION PAGES 16
FIRST TIME SETUP WIZARD 16
USING NETCLOUD MANAGER 17
ADMINISTRATION PAGES 18
QUICK LINKS 18
DASHBOARD 18
CONNECTION MANAGER 19
WAN INTERFACE PROFILES & PRIORITY 19
STATUS 23
INTERNET 23
CLIENT LIST 28
TUNNELS 28
FIREWALL 29
ROUTING 30
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 3
User Manual / AER1600/AER1650 10/30/17
ETHERNET 30
GPS 30
LLDP 30
SYSTEM LOGS 31
NETWORKING 32
LOCAL NETWORKS 32
VLAN INTERFACES 42
TUNNELS 42
ROUTING 53
QOS 62
DNS SERVERS 65
WIFI AS WAN 67
WAN AFFINITY 68
CLIENT DATA USAGE 70
NHRP 70
SECURITY 72
IDENTITIES 72
ZONE FIREWALL 73
CLOUD-BASED SECURITY 77
THREAT MANAGEMENT 79
WEB ACCESS FILTERING 81
CERTIFICATE MANAGEMENT 83
SYSTEM 85
ADMINISTRATION 85
NETCLOUD 89
DEVICE ALERTS 90
SERIAL REDIRECTOR 91
SNMP CONFIGURATION 91
SYSTEM CONTROL 93
DIAGNOSTICS 95
SETUP WIZARDS 95
APPENDIX 98
OPEN SOURCE SOFTWARE 98
WARRANTY INFORMATION 98
LIMITATION OF CRADLEPOINT LIABILITY 98
PRIVACY 98
OTHER BINDING DOCUMENTS; TRADEMARKS; COPYRIGHT 98
ROUTER COMMUNICATION/DATA USAGE 98
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 4
User Manual / AER1600/AER1650 10/30/17
INTRODUCTION
WHAT’S IN THE BOX
The Cradlepoint AER1600/AER1650 is available with different modem options:
• LPE and LP4 models include an embedded modem and a slot to add an MC400 modem
• LP6, LP5, and LP3 models include a bundled MC400 modem and do not include an embedded modem
• AER1600/AER1650 only include a slot for an MC400 modem and do not include an embedded modem
Also included:
• MC400 3G/4G Modem with Antennas*
• External 3G/4G mobile broadband modem antennas‡ (2) (SMA) w/ multiplexing for GPS†
• 12V 3A AC/DC power adapter (WARNING: using a power adapter other than the one provided may damage
the device and will void the warranty)
• Ethernet cable
• Quick Start Guide
• Mounting hardware
• Modem door screw
• Warranty/Regulatory information
* - Included with LP6, LP5, and LP3 models, optional for AER1600/AER1650, LPE, and LP4 models
‡ - LPE and LP4 models only
† - GPS not included on LP4 models
KEY FEATURES
WAN
• LP6 Modems: LTE Advanced LTE/HSPA+ for all North American carriers and European operators (SIM-based
Auto-Carrier Selection)
•
selection)
• LP4 Modems: LTE/HSPA+ for AT&T, Verizon, T-Mobile and Canadian carriers (SIM-based Auto-Carrier
Selection, dual-modem capable)
• LPE Modems: 4G LTE/HSPA+/EVDO (multi-carrier, North America, dual-modem capable)
• LP3 Modems: 4G LTE/HSPA+ (Europe, Middle East, Africa, Australia, New Zealand)
• Dual integrated modem option (LPE and LP4 only)
• Dual SIM slot in each modem
• Most models include support for active GPS
• Five 10/100/1000 Ethernet ports (WAN/LAN switchable)
• WiFi as WAN (only on AER1600)
• Failover/Failback
• Load Balancing
• Advance Modem Failure Check
• WAN Port Speed Control
•
• IP Passthrough
• Standby
LAN
• Five 10/100/1000 Ethernet ports (WAN/LAN switchable)
• LLDP support
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 5
User Manual / AER1600/AER1650 10/30/17
• VLAN 802.1Q
• DHCP Server, Client, Relay
• DNS and DNS Proxy
• DynDNS
• Split DNS
• UPnP
• DMZ
• Multicast/Multicast Proxy
• Auto QoS
• QoS (DSCP and Priority Queuing)
• MAC Address Filtering
WIFI (ONLY ON AER1600)
• Dual-Band Dual-Concurrent (2×2 MIMO; internal antennas)
• 802.11 (a/b/g/n/ac)
• Up to 128 connected devices (64 per channel – 2.4 GHz and 5 GHz)
• WEP Auto, WPA/WPA2 Personal, WPA2 Enterprise (WiFi)
• Hotspot/Captive Portal
• SSID-based Priority
MANAGEMENT
• OOBM (Out-of-Band Management) via USB to Serial
• Cradlepoint NetCloud Manager (NCM)2
• NetCloud Engine gateway support
• SDK support
• Web UI, API, CLI
• GPS Location
• Data Usage Alerts (router and per client)
• Advanced Troubleshooting (support)5
• Device Alerts
• SNMP
• SMS control
VPN AND ROUTING
• IPsec Tunnel – up to 20 concurrent sessions
• IKEv2 support (includes MOBIKE)
• OpenVPN (SSL VPN)1
• L2TP1
• GRE Tunnel
• OSPF/BGP/RIP1
•
• Per-Interface Routing
• Static Routing
• Policy-based Routing
• NAT-less Routing
• Virtual Server/Port Forwarding
• VTI Tunnel Support
• NEMO/DMNR1
• IPv6
• VRRP1
• STP1
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 6
User Manual / AER1600/AER1650 10/30/17
• NHRP1
SECURITY
• RADIUS and TACACS+ support*
• 802.1x authentication for Wireless and Wired Networks
• Zscaler Internet Security4
•
• ALGs
• MAC Address Filtering
• CP Secure Threat Management3
• Advanced Security Mode (local user management only)
• Per-Client Web Filtering
• IP Filtering
• Content Filtering (basic)
• Website Filtering
* - Native support for authentication. Authorization and accounting support through hotspot/captive portal
services.
CLOUD OPTIMIZED IP COMMUNICATIONS
• Automated WAN Failover/Failback support
•
• Advanced VPN connectivity options to HQ
•
• MAC Address Filtering
• 802.1p/q for LAN QoS segmentation and treatment of VoIP on LAN
• Private Network support (wired and 4G WAN)
• Cloud-based management2
1 – Requires an NCM PRIME subscription or an Extended Enterprise License
2 – NetCloud Manager requires a subscription
3 – Requires a CP Secure Threat Management license
4 – Requires Zscaler Internet Security License
5 - Requires CradleCare Support
SPECIFICATIONS
WAN:
• Integrated LP6 Category 6 LTE Advanced LTE modem (with DC-HSPA+ failover), LP5 Category 6 LTE Advanced
LTE modem (with DC-HSPA+ failover), LP4 Category 4 LTE modem (with DC-HSPA+ failover), LPE 4G LTE
modem (with HSPA+/ EVDO/3G and 2G failover), or LP3 4G LTE modem (with HSPA+ and 2G failover)
•
LP4 models)
• 5 10/100/1000 Ethernet ports (cable/DSL/T1/satellite/Metro Ethernet; WAN/LAN switchable)
• WiFi* (as WAN; Metro WiFi) 2×2 MIMO 2.4 GHz or 5 GHz (802.11 a/b/g/n/ac; internal antennas)
LAN:
• Dual-band dual-concurrent WiFi* (802.11 a/b/g/n/ac)
• 5 10/100/1000 Ethernet ports (WAN/LAN switchable)
TEMPERATURE:
• 0 °C to 50 °C (32 °F to 122 °F) operating
•
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 7
User Manual / AER1600/AER1650 10/30/17
HUMIDITY (non-condensing):
• 10% to 85% operating
• 5% to 90% storage
MEMORY: 256 MB DRAM; 16 MB SPI Flash; 256 MB NAND Flash
SIZE:
• 8.3 × 6.6 × 1.7 in (210 × 167 × 44 mm)
• 1U height for rack mount
WEIGHT: 1 lb 4.4 oz (.58 kg)
CERTIFICATIONS:
WIFI POWER (FCC):
• 2402-2483.5 MHz (2.4 GHz band): 28.51 dBm conducted
• 5150-5250 MHz (5 GHz band 1): 26.66 dBm conducted
• 5725-5850 MHz (5 GHz band 3): 23.54 dBm conducted
WIFI POWER (Europe/Rest of World):
• 2.4 GHz band: 19.95 dBm EIRP
• 5150-5250 MHz: 22.98 dBm EIRP
POWER CONSUMPTION (Typical)
AER1600
• Idle: 9.5 W
• Single Modem: 13.1 W
• Dual Modem: 15.2 W
AER1650
• Idle: 7.3 W
• Single Modem: 8.6 W
• Dual Modem: 10.6 W
*-only on AER1600
ACCESSORIES
• Second integrated 4G LTE modem
• MC400LP6 (North America or EU)
•
• MC400LP4 (AT&T, Verizon, T-Mobile, and Canada)
• MC400LPE-VZ (Verizon)
• MC400LPE-AT (AT&T)
• MC400LPE-SP (Sprint)
• MC400LPE-GN (generic – for use on T-Mobile in the U.S. and Rogers, Bell, & TELUS in Canada)
• MC400LP3-EU (Europe)
• 700 MHz – 2700 MHz Wide Band Directional Antenna (Yagi/Log- Periodic) Part #: 170588-000
• 12” Mag-Mount Antenna with SMA Male Connector Part #: 170605-000
• 4” Mini Mag-Mount Antenna with SMA Male Connector Part #: 170606-000
• 2.4/5 GHz Dual-band Dual-concurrent WiFi Antenna Part #: 170628-000 (WiFi models only)
• Universal 3G/4G/LTE Modem Antenna Part #: 170649-000
• GPS Screw-Mount Antenna Part #: 170651-000
• GPS Mag-Mount Antenna Part #: 170652-000
• Multi-Band Omni-Directional Antenna Part #: 170668-000
• Indoor/Outdoor Panel Patch Part #: 170669-000
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 8
User Manual / AER1600/AER1650 10/30/17
BUSINESS-GRADE MODEM SPECIFICATIONS
AER1600/AER1650 LP6 and LP5 models do not include an embedded 4G LTE modem and do not support dual-
modem capability.
AER1600/AER1650 LP6 models include an integrated LTE Advanced Category 6 4G LTE modem. The LP6 modems
support SIM-Based Auto-Carrier selection so there is only one model for all of North America or EU. Simply
insert the SIM and wait for the router to automatically detect the SIM and establish a connection.
AER1600LP6-NA-M, AER1650LP6-NA-M, AER1600LP6-EU-M, AER1650LP6-EU-M
• Technology: LTE Advanced, DC-HSPA+
• Downlink Rates: LTE 300 Mbps, DC-HSPA+ 42.2 Mbps
• Uplink Rates: LTE 50 Mbps, DC-HSPA+ 5.76 Mbps
• Frequency Bands:
• LTE Bands 1-5, 7, 8, 12, 13, 20, 25, 26, 29, 30, 41
• Verizon: 2, 4, 5, 13 (XLTE support w/carrier aggregation)
• AT&T: 2, 4, 5, 12, 29, 30
• Sprint: 25, 26, 41 (LTE Plus Support)
• T-Mobile: 2, 4, 12 (T-Mobile Wideband LTE Support)
• Generic: all
• Carrier Aggregation:
• 1+ 8
• 2+ 2/5/12/13/29
• 3+ 7/20
• 4+ 4/5/12/13/29
• 5+ 2/4/30
• 7+ 3/7/20
• 8+ 1
• 12+ 2/4/30
• 13+ 2/4
• 20+ 3/7
• 30+ 5/12
• 41+ 41
• Fallback: WCDMA/DC-HSPA+ (42/5.76 Mbps): Bands 1, 2, 3, 4, 5, 8
• Power: LTE 23 dBm ± 1; DC-HSPA+ 23 dBm ± 1
• Antennas: )
• GPS: active GPS support
• SMS: SMS support
• Industry Standards & Certs: CE, FCC, GCF-CC, IC, PTCRB, AT&T, Sprint, Verizon
• Modem Part Number: MC400LP6
AER1600/AER1650LP5 models include an integrated LTE Advanced Category 6 4G LTE modem, and support Asia
wait for the router to automatically detect the SIM and establish a connection.
AER1600LP5-AU, AER1650LP5-AU, AER1600LP5-AP-M
• Technology: FDD/TDD (Category 6) LTE Advanced, DC-HSPA+
• Downlink Rates: LTE 300 Mbps, DC-HSPA+ 42.2 Mbps
• Uplink Rates: LTE 50 Mbps, DC-HSPA+ 5.76 Mbps
• Frequency Bands:
• LTE Bands: 1, 3, 5, 7, 8, 11, 18, 19, 21, 28, 38, 39, 40, 41
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 9
User Manual / AER1600/AER1650 10/30/17
• TD-SCDMA: 39
• Carrier Aggregation:
• 1+ 8/18/19/21
• 3+ 5/7/19/28
• 7+ 5/7/28
• 19+ 21
• 38+ 38
• 39+ 39
• 40+ 40
• 41+ 41
• Fallback: WCDMA/DC-HSPA+ (42/5.76 Mbps): Bands 1, 5, 6, 8, 9, 19
• Power: LTE: 23 dBm ± 1; DC-HSPA+: 23 dBm ± 1
• Antennas:)
• GPS: active GPS support
• SMS: SMS support
• Industry Standards & Certs: CE, GCF-CC, RC Australia, others pending
• Modem Part Number: MC400LP5
AER1600/AER1650 LP4 models include an embedded LTE Advanced Category 4 4G LTE modem. The LP4 modems
support SIM-Based Auto-Carrier selection so there is only one model for North America. Simply insert the SIM
and wait for the router to automatically detect the SIM and establish a connection.
AER1600LP4, AER1650LP4
• Technology: Category 4 LTE, DC-HSPA+
• Downlink Rates: LTE 150 Mbps, DC-HSPA+ 42.2 Mbps
• Uplink Rates: LTE 50 Mbps, DC-HSPA+ 5.76 Mbps
• Frequency Bands:
• LTE: Band 2 (1900 MHz), Band 4 – AWS (1700/2100 MHz), Band 5 (850 MHz), Band 13 (700 MHz), Band 17
(700 MHz)
• DC-HSPA+/UMTS Rel. 9, Cat 24: Bands 5 and 2 (850/1900 MHz)
• Power: LTE 23 dBm ± 1, DC-HSPA+ 23 dBm ± 1
• Antennas:)
• Industry Standards & Certs: FCC, WiFi Alliance (AER1600 only), Verizon, AT&T, PTCRB, carrier Private
Networks, IC
• SIM: two 2FF slots (secured)
• Modem Part Number: MC400LP4
frequency bands in bold below are supported by the listed provider.
AER1600LPE-VZ – 4G LTE/HSPA+/EVDO for Verizon
• Technology: LTE, HSPA+, EVDO Rev A
• Downlink Rates: LTE 100 Mbps, HSPA+ 21.1 Mbps, EVDO 3.1 Mbps (theoretical)
• Uplink Rates: LTE 50 Mbps, HSPA+ 5.76 Mbps, EVDO 1.8 Mbps (theoretical)
• Frequency Bands:
• LTE Band 2 (1900 MHz), Band 4 – AWS (1700/2100 MHz), Band 5 (850 MHz), Band 13 (700 MHz), Band 17
(700 MHz), Band 25 (1900 MHz)
• HSPA+/UMTS (850/900/1900/2100 MHz, AWS)
• GSM/GPRS/EDGE (850/900/1800/1900 MHz)
• CDMA EVDO Rev A/1xRTT (800/1900 MHz)
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 10
User Manual / AER1600/AER1650 10/30/17
• Power
• Antennas
spec is 7 kgf/cm)
• GPS: active GPS support
• Industry Standards & Certs: FCC, Verizon
AER1650LPE-VZ – 4G LTE/HSPA+/EVDO for Verizon
• Technology: LTE, HSPA+, EVDO Rev A
• Downlink Rates: LTE 100 Mbps, HSPA+ 21.1 Mbps, EVDO 3.1 Mbps (theoretical)
• Uplink Rates: LTE 50 Mbps, HSPA+ 5.76 Mbps, EVDO 1.8 Mbps (theoretical)
• Frequency Bands:
• LTE Band 2 (1900 MHz), Band 4 – AWS (1700/2100 MHz), Band 5 (850 MHz), Band 13 (700 MHz), Band 17
(700 MHz), Band 25 (1900 MHz)
• HSPA+/UMTS (850/900/1900/2100 MHz, AWS)
• GSM/GPRS/EDGE (850/900/1800/1900 MHz)
• CDMA EVDO Rev A/1xRTT (800/1900 MHz)
• Power
• Antennas
spec is 7 kgf/cm)
• GPS: active GPS support
• Industry Standards & Certs: FCC, Verizon
AER1600LPE-AT – 4G LTE/HSPA+/EVDO for AT&T
• Technology: LTE, HSPA+, EVDO Rev A
• Downlink Rates: LTE 100 Mbps, HSPA+ 21.1 Mbps, EVDO 3.1 Mbps (theoretical)
• Uplink Rates: LTE 50 Mbps, HSPA+ 5.76 Mbps, EVDO 1.8 Mbps (theoretical)
• Frequency Bands:
• LTE Band 2 (1900 MHz), Band 4 – AWS (1700/2100 MHz), Band 5 (850 MHz), Band 13 (700 MHz), Band
17 (700 MHz), Band 25 (1900 MHz)
• HSPA+/UMTS (850/900/1900/2100 MHz, AWS)
• GSM/GPRS/EDGE (850/900/1800/1900 MHz)
• CDMA EVDO Rev A/1xRTT (800/1900 MHz)
• Power
• Antennas
spec is 7 kgf/cm)
• GPS: active GPS support
• Industry Standards & Certs: PTCRB, FCC, IC, AT&T
AER1650LPE-AT – 4G LTE/HSPA+/EVDO for AT&T
• Technology: LTE, HSPA+, EVDO Rev A
• Downlink Rates: LTE 100 Mbps, HSPA+ 21.1 Mbps, EVDO 3.1 Mbps (theoretical)
• Uplink Rates: LTE 50 Mbps, HSPA+ 5.76 Mbps, EVDO 1.8 Mbps (theoretical)
• Frequency Bands:
• LTE Band 2 (1900 MHz), Band 4 – AWS (1700/2100 MHz), Band 5 (850 MHz), Band 13 (700 MHz), Band
17 (700 MHz), Band 25 (1900 MHz)
• HSPA+/UMTS (850/900/1900/2100 MHz, AWS)
• GSM/GPRS/EDGE (850/900/1800/1900 MHz)
• CDMA EVDO Rev A/1xRTT (800/1900 MHz)
• Power
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 11
User Manual / AER1600/AER1650 10/30/17
• Antennas
spec is 7 kgf/cm)
• GPS: active GPS support
• Industry Standards & Certs: PTCRB, FCC, IC, AT&T
AER1600LPE-SP – 4G LTE/HSPA+/EVDO for Sprint
• Technology: LTE, HSPA+, EVDO Rev A
• Downlink Rates: LTE 100 Mbps, HSPA+ 21.1 Mbps, EVDO 3.1 Mbps (theoretical)
• Uplink Rates: LTE 50 Mbps, HSPA+ 5.76 Mbps, EVDO 1.8 Mbps (theoretical)
• Frequency Bands:
• LTE Band 2 (1900 MHz), Band 4 – AWS (1700/2100 MHz), Band 5 (850 MHz), Band 13 (700 MHz), Band 17
(700 MHz), Band 25 (1900 MHz)
• HSPA+/UMTS (850/900/1900/2100 MHz, AWS)
• GSM/GPRS/EDGE (850/900/1800/1900 MHz)
• CDMA EVDO Rev A/1xRTT (800/1900 MHz)
• Power
• Antennas
spec is 7 kgf/cm)
• GPS: active GPS support
• Industry Standards & Certs: FCC, Sprint
AER1650LPE-SP – 4G LTE/HSPA+/EVDO for Sprint
• Technology: LTE, HSPA+, EVDO Rev A
• Downlink Rates: LTE 100 Mbps, HSPA+ 21.1 Mbps, EVDO 3.1 Mbps (theoretical)
• Uplink Rates: LTE 50 Mbps, HSPA+ 5.76 Mbps, EVDO 1.8 Mbps (theoretical)
• Frequency Bands:
• LTE Band 2 (1900 MHz), Band 4 – AWS (1700/2100 MHz), Band 5 (850 MHz), Band 13 (700 MHz), Band 17
(700 MHz), Band 25 (1900 MHz)
• HSPA+/UMTS (850/900/1900/2100 MHz, AWS)
• GSM/GPRS/EDGE (850/900/1800/1900 MHz)
• CDMA EVDO Rev A/1xRTT (800/1900 MHz)
• Power
• Antennas
spec is 7 kgf/cm)
• GPS: active GPS support
• Industry Standards & Certs: FCC, Sprint
AER1600LP3-EU – 4G LTE/HSPA+ for Europe
• Technology: LTE, HSPA+
• Downlink Rates: LTE 100 Mbps, HSPA+ 21.1 Mbps (theoretical)
• Uplink Rates: LTE 50 Mbps, HSPA+ 5.76 Mbps (theoretical)
• Frequency Bands:
• LTE Band 1 (2100 MHz), Band 3 (1800 MHz), Band 7 (2600 MHz), Band 8 (900 MHz), Band 20 (800 MHz)
• HSPA+/UMTS (800/850/900/1900/2100 MHz)
• GSM/GPRS/EDGE Quad-Band (850/900/1800/1900 MHz)
• Power: LTE Band 1/3/8/20 – 23 dBm ± 1; LTE Band 7 – 22 dBm ± 1, HSPA+ 23 dBm ± 1 (typical conducted)
• Antennas
spec is 7 kgf/cm)
• GPS: active GPS support
• Industry Standards & Certs: CE, GCF-CC
• Modem Part Number: MC400LP3
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 12
User Manual / AER1600/AER1650 10/30/17
AER1650LP3-EU – 4G LTE/HSPA+ for Europe
• Technology: LTE, HSPA+
• Downlink Rates: LTE 100 Mbps, HSPA+ 21.1 Mbps (theoretical)
• Uplink Rates: LTE 50 Mbps, HSPA+ 5.76 Mbps (theoretical)
• Frequency Bands:
• LTE Band 1 (2100 MHz), Band 3 (1800 MHz), Band 7 (2600 MHz), Band 8 (900 MHz), Band 20 (800 MHz)
• HSPA+/UMTS (800/850/900/1900/2100 MHz)
• GSM/GPRS/EDGE Quad-Band (850/900/1800/1900 MHz)
• Power: LTE Band 1/3/8/20 – 23 dBm ± 1; LTE Band 7 – 22 dBm ± 1, HSPA+ 23 dBm ± 1 (typical conducted)
• Antennas
spec is 7 kgf/cm)
• GPS: active GPS support
• Industry Standards & Certs: CE, GCF-CC
• Modem Part Number: MC400LP3
AER1600LPE-GN – 4G LTE/HSPA+/EVDO (generic – for use on T-Mobile and US Cellular in the U.S. and Rogers,
Bell, & TELUS in Canada)
• Technology: LTE, HSPA+, EVDO Rev A
• Downlink Rates: LTE 100 Mbps, HSPA+ 21.1 Mbps, EVDO 3.1 Mbps (theoretical)
• Uplink Rates: LTE 50 Mbps, HSPA+ 5.76 Mbps, EVDO 1.8 Mbps (theoretical)
• Frequency Bands:
• LTE Band 2 (1900 MHz), Band 4 (AWS), Band 5 (850 MHz), Band 13 (700 MHz), Band 17 (700 MHz), Band
25 (1900 MHz)
• HSPA+/UMTS (850/900/1900/2100 MHz, AWS)
• GSM/GPRS/EDGE (850/900/1800/1900 MHz)
• CDMA EVDO Rev A/1xRTT (800/1900 MHz)
• Power
• Antennas
spec is 7 kgf/cm)
• GPS: active GPS support
• Industry Standards & Certs: PTCRB, FCC, IC
AER1650LPE-GN – 4G LTE/HSPA+/EVDO (generic – for use on T-Mobile and US Cellular in the U.S. and Rogers,
Bell, & TELUS in Canada)
• Technology: LTE, HSPA+, EVDO Rev A
• Downlink Rates: LTE 100 Mbps, HSPA+ 21.1 Mbps, EVDO 3.1 Mbps (theoretical)
• Uplink Rates: LTE 50 Mbps, HSPA+ 5.76 Mbps, EVDO 1.8 Mbps (theoretical)
• Frequency Bands:
• LTE Band 2 (1900 MHz), Band 4 (AWS), Band 5 (850 MHz), Band 13 (700 MHz), Band 17 (700 MHz), Band
25 (1900 MHz)
• HSPA+/UMTS (850/900/1900/2100 MHz, AWS)
• GSM/GPRS/EDGE (850/900/1800/1900 MHz)
• CDMA EVDO Rev A/1xRTT (800/1900 MHz)
• Power
• Antennas
spec is 7 kgf/cm)
• GPS: active GPS support
• Industry Standards & Certs: PTCRB, FCC, IC
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 13
User Manual / AER1600/AER1650 10/30/17
HARDWARE LEDs
USB 2.0
Port
Cable Guide 10/100/1000
Ethernet Port
LAN or WAN
Default: WAN)
10/100/1000 Ethernet
or WAN
Default: LAN
Reset Button Lock Slot
Power SwitchPower Port
3G/4G Antenna Connectors
(SMA)
GPS Connector (SMA)
Removable MC400 Modem
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 14
User Manual / AER1600/AER1650 10/30/17
3G/4G Antenna Connectors
(SMA)
GPS Connector (SMA)
Embedded LTE Modem
LEDS
INDICATOR BEHAVIOR
POWER
The Cradlepoint AER1600/AER1650 must be powered using an approved 12 V DC
power source.
• Green = Powered ON.
• No Light = Not receiving power. Check the power switch and the power source connection.
• Amber = Attention. Open the administration pages and check the router status.
WAN WAN Indicates status of WAN connection.
• Blue = Connected to an active Ethernet WAN interface.
VPN VPN Indicates status of VPN connection.
• Blue = Connected to an active VPN.
INTEGRATED MODEM
Indicates information about the integrated modem.
• Green = Modem has established an active connection.
• Blinking Green = Modem is connecting.
• Blinking Amber = Data connection error. No modem connection possible.
• Blinking Red = Modem is in the process of resetting.
REMOVABLE MODEM Indicates the status of removable modem(s).
• Green = Modem has established an active connection.
• Blinking Green = Modem is connecting.
• Blinking Amber = Data connection error. No modem connection possible.
• Blinking Red = Modem is in the process of resetting.
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 15
User Manual / AER1600/AER1650 10/30/17
CradleCare Support available with technical support, software upgrades, and advanced hardware exchange – 1-,
3-, and 5-year options.
One-year limited hardware warranty available in the US and Canada; two-year limited hardware warranty for
integrated EU products when purchased from an authorized EU distributor – extend warranty to 2, 3, or 5 years.
SUPPORT AND WARRANTY
INDICATOR BEHAVIOR
EC
EXTERNAL USB MODEM Indicates the status of external USB modem.
Both internal and external USB modems have the following LED indicators:
• Green = Modem has established an active connection.
• Blinking Green = Modem is connecting.
• Blinking Amber = Data connection error. No modem connection possible.
• Blinking Red = Modem is in the process of resetting.
SIGNAL STRENGTH Blue LED bars indicate the active modem’s signal strength (only for
integrated and removable modems).
• 4 Solid Bars = Strongest signal.
• 1 Blinking Bar = Weakest signal. (A blinking bar indicates half of a bar.)
WiFi BROADCAST These two LEDs indicate activity on the WiFi broadcast for both the 2.4
GHz and 5 GHz bands (AER1600 only).
• 2.4 GHz (green) = 2.4 GHz WiFi is on and operating normally.
• 5 GHz (blue) = 5 GHz WiFi is on and operating normally.
Other ADDITIONAL LED INDICATIONS
•
• Two of the modem LEDs blink red in unison for 10 seconds when there is an error
during NCOS upgrade.
• WAN Ethernet LED: only right LED will light up and/or blink with data.
2.4GHz
5GHz
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 16
User Manual / AER1600/AER1650 10/30/17
QUICK START
BASIC SETUP
1. Insert an activated SIM
The Cradlepoint AER1600/AER1650 requires a SIM with an activated wireless broadband data plan. Contact your
carrier for details about selecting a data plan and about the process for provisioning your SIM. Once you have an
activated SIM:
• For AER1600LPE/AER1650LPE only: Open embedded modem SIM cover on bottom of router and insert
activated SIM into the slot marked SIM 1 (use the other slot, SIM 2, for a secondary/backup SIM). Close
embedded modem SIM cover. NOTE: Router will not operate if embedded modem SIM cover is not fully closed.
• For all models with removable MC400 modem: Remove MC400 cover from side of router and insert activated
SIM(s) into removable MC400 modem (optional for AER1600LPE/AER1650LPE and AER1600/AER1650). Insert
the SIM card into the slot marked SIM 1 (use the other slot, SIM 2, for a secondary/backup SIM). Insert the
replace cover, and insert the included security screw if desired. NOTE: To remove modem, remove MC400 cover,
attach included modem antennas (finger-tighten only), and pull modem straight out.
2. Attach included modem antennas
3. Connect the power source
Attach the included adapter to the device and to a power source and loop cable through cable retention slot.
Then turn the power switch on (I).
4. Connect to a computer or other network equipment
Connect via Ethernet or WiFi for local management.
ACCESSING THE ADMINISTRATION PAGES
changes to your router.
1. Open a browser window and type “cp/” or “192.168.0.1” in the address bar.
Press ENTER/RETURN.
2. When prompted for your password, type the eight character DEFAULT
PASSWORD found on the product label.
Cradlepoint NetCloud Manager (NCM) without logging into the local administration
See below for more information about NCM.
NOTE: The product label shown is an example only: your DEFAULT PASSWORD and
SSID will be unique.
FIRST TIME SETUP WIZARD
FIRST TIME SETUP WIZARD, which
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 17
User Manual / AER1600/AER1650 10/30/17
the following:
• Administrator Password
• Time Zone
• WiFi Network Name
• Security Mode
• Access Point Name (APN) for SIM-based modems
• Modem Authentication
• Failure Check
If you are currently using the router’s WiFi network, you will need to reconnect your devices to the network
using the newly established wireless network name and password.
NOTE: To return to the First Time Setup Wizard after your initial login, select SYSTEM from the navigation bar,
expand Setup Wizard, and select First Time Setup.
USING NETCLOUD MANAGER
Rapidly deploy and dynamically manage networks at geographically distributed stores and branch locations with
NetCloud Manager, Cradlepoint’s next generation management and application platform. NetCloud Manager
(NCM) integrates cloud management with your Cradlepoint devices to improve productivity, increase reliability,
reduce costs, and enhance the intelligence of your network and business operations.
Click here to sign up for a free 30-day NCM trial.
Depending on your ordering process, your devices may have already been bulk-loaded into NCM. If so, simply
log in at cradlepointecm.com using your NCM credentials and begin managing your devices seamlessly from the
cloud.
If your device has not yet been loaded into your NCM account, you need to register. Log into the device
administration pages and select NetCloud from the SYSTEM menu. Enter your NCM username and password, and
click on “Register”.
Once you have registered your device, go to cradlepointecm.com and log in using your NCM credentials.
For more information about how to use Cradlepoint NetCloud Manager, see the following:
• Getting Started
• NCM on the Knowledge Base
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 18
User Manual / AER1600/AER1650 10/30/17
ADMINISTRATION PAGES
Quick Links
Dashboard
Connection Manager
Status
Networking
Security
System
QUICK LINKS
DASHBOARD
The Dashboard is a centralized location for basic
information about the status of your router. The
areas include:
• Device Information
• Ethernet WAN*
• Modems*
• WWAN*
• Ethernet LAN*
• WiFi LAN*
*-To quickly edit settings for any of these areas,
click on the pencil icon ( ) in the top-right of the
desired dialog box.
You may return to the Dashboard at any time by
clicking on DASHBOARD from the left menu or by
clicking on the Cradlepoint logo at the top-left of
the screen.
Quick Links allows you to bookmark your most commonly-used settings. Simply click on the bookmark icon ( )
to add an item to your Quick Links menu. To remove an item from your Quick Links menu, select the item and
click on the remove bookmark icon ( ).
Quick Links Menu Add Quick Link Delete Quick Link
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 19
User Manual / AER1600/AER1650 10/30/17
CONNECTION MANAGER
The router can establish an uplink via Ethernet, WiFi as WAN, or 3G/4G modems (removable or external USB).
If the primary WAN connection fails, the router will automatically attempt to bring up a new link on another
device: this feature is called failover. If Load Balance is enabled, multiple WAN devices may establish a link
concurrently.
WAN INTERFACE PROFILES & PRIORITY
This is a list of the available interfaces used to access the Internet. You can enable, stop, or start devices from
this section. Drag the priority icon ( ) up or down to set the interface the router uses by default and the order
that it allows failover.
STANDBY
Standby is used to decrease failover time from one WAN interface to another. When Standby is enabled for a
interface is on Standby, the connection is already established and failover will take much less time.
Note that the current connected interface(s) is/are indicated by a green connection state. For interfaces on
Standby, the interface is indicated by a yellow connection state. If the interface is indicated in red, the interface
is not currently connected or in Standby.
LOAD BALANCE
Availability Key
Enable Load Balance
On Demand
WAN Verify Data Usage
FailbackStandby
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 20
User Manual / AER1600/AER1650 10/30/17
To enable Load Balancing, select the check box for each desired
device. If this is enabled, the router will use multiple WAN
interfaces to increase the data transfer throughput by using any
connected WAN interface consecutively. Selecting Load Balance
will automatically start the WAN interface and add it to the pool of
for an active WAN interface may require the user to restart any
current browsing session.
From WAN Management, select the Load Balance Algorithm from
the following dropdown options:
• Round-Robin: Evenly distribute each session to the available WAN connections.
• Rate: Distribute load based on the current upload and download rates. A WAN device’s upload and download
bandwidth values can be set in Internet > Connection Manager.
• Spillover
the most available bandwidth. The estimated bandwidth rate is based on a combination of the upload and
• Data Usage: This mode works in concert with the Data Usage feature (Internet > Data Usage).
data cap in the data usage rule for each interface, rather than distributing sessions based solely on bandwidth.
For proper functioning you need to create data usage rules for each WAN device you will be load balancing. Make
certain to select the “Use with Load Balancing” checkbox in the data usage rule editor.
ON DEMAND
Typically, modem connections are not always on.
When the On Demand mode is selected a connection
to the Internet is made as needed. When On Demand
is not selected a connection to the Internet is always
maintained.
WAN VERIFY
If this is enabled, the router will check that the highest priority active WAN interface can get to the Internet
even if the WAN connection is not actively being used. If the interface goes down, the router will switch to the
next highest priority interface available. If this is not selected, the router will still failover to the next highest
priority interface but only after the user has attempted to get out to the Internet and failed.
Idle Check Interval: The amount of time between each
check. (Default: 30 seconds. Range: 10-3600 seconds.)
Monitor while connected
following dropdown options:
• Passive DNS (modem only): The router will take no
action until data is detected that is destined for
the WAN. When this data is detected, the data will
be sent and the router will check for received data
for two seconds. If no data is received the router
behaves as described below under Active DNS.
• Active DNS (modem only): A DNS request will be sent to the DNS servers. If no data is received, the DNS
Primary DNS server and the second two requests will be directed at the Secondary DNS server.) If still no
data is received, the device will be disconnected and failover will occur.
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 21
User Manual / AER1600/AER1650 10/30/17
• Active Ping: A ping request will be sent to the Ping Target. If no data is received, the ping request will be
failover will occur. When “Active Ping” is selected, the next line gives an estimate of data usage in this
form: “Active Ping could use as much as 9.3 MB of data per month.” This amount depends on the Idle Check
Interval.
• O: Once the link is established the router takes no action to verify that it is still up.
FAILBACK
connection to its network.
Select the Failback Mode from the following options:
• Usage
• Time
• Disabled
Usage Threshold: Fail back based on the amount
of data passed over time. This is a good setting for
when you have a dual-mode EVDO/WiMAX modem
and you are going in and out of WiMAX coverage.
If the router has failed over to EVDO it will wait until you have low data usage before bringing down the EVDO
connection to check if a WiMAX connection can be made.
• High (Rate: 80 KB/s. Time Period: 30 seconds.)
• Normal (Rate: 20 KB/s. Time Period: 90 seconds.)
• Low (Rate: 10 KB/s. Time Period: 240 seconds.)
• Custom (Rate range: 1-100 KB/s. Time Period range: 10-300 seconds.)
Time: Fail back only after a set period of time. (Default: 90 seconds. Range: 10-300 seconds.) This is a good
setting if you have a primary wired WAN connection and only use a modem for failover when your wired
connection goes down. This ensures that the higher priority interface has remained online for a set period of
time before it becomes active (in case the connection is dropping in and out, for example).
Disabled: Deactivate failback mode.
Immediate Mode: Fail back immediately whenever a higher priority interface is plugged in or when there is a
priority change. Immediate failback returns you to the use of your preferred Internet source more quickly which
may have advantages such as reducing the cost of a failover data plan, but it may cause more interruptions in
your network than Usage or Time modes.
DATA USAGE
Data Usage
client. Check Monitor Monthly (or Weekly or Daily) Usage to begin
tracking this information. This data is not retained between router
reboots.
For Monthly and Weekly you are able to specify the day to start
each cycle (e.g. the 1st or Tuesday, respectively).
Usage Cap: Enter a Cap amount in Megabytes. 1024 Megabyte is
equal to 1 Gigabyte.
Use with Load Balancing: When checked, the Load Balancing
feature is allowed to use the thresholds and metrics of this rule
when making balance decisions. This causes Load Balancing to
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 22
User Manual / AER1600/AER1650 10/30/17
spread the data usage between interfaces according to the assigned usage rather than bandwidth. This is a best
the cycle progresses, rather than quickly using 100% of a fast 1GB capped interface while using only a fraction
of a slow 10GB capped interface, thus leaving the rest of the cycle with only the slow interface. The Data Usage
Shutdown on Cap: When checked, the WAN device will shutdown when the assigned usage is reached. A cycle
reset or a rule deletion will re-enable the device.
Alert on Cap: An email alert will be generated and sent when the assigned data cap is reached. NOTE: The SMTP
System > Device Alerts.
Custom Alerts:
usage cap.
Custom Alert Percentages: Example: “50,80,90,110” (values can exceed
100%) (Triggers alerts when 50, 80, 90, 110% of usage cap is used)
NOTE: To enable data usage, check Data Usage Enabled from WAN
Management.
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 23
User Manual / AER1600/AER1650 10/30/17
STATUS
Internet
Client List
Tunnels
Firewall
Routing
Ethernet
GPS
LLDP
System Logs
INTERNET
CONNECTIONS
Select your device to reveal
detailed information about the
following device properties:
• Summary
• Modem
• Cellular Network
• General Information
• IPv4 Information
• Statistics
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 24
User Manual / AER1600/AER1650 10/30/17
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 25
User Manual / AER1600/AER1650 10/30/17
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 26
User Manual / AER1600/AER1650 10/30/17
CLIENT DATA USAGE
Displays the following client information:
• Name
• IP Address
• MAC Address
• Data Uploaded
• Data Downloaded
•
To reset information, click Reset Statistics.
STATISTICS
Statistics can be gathered at variable Sample Rate and Sample Size for the following areas:
• Wireless Device
• Data Usage
• Failover/Failback/Load Balance
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 27
User Manual / AER1600/AER1650 10/30/17
QOS
Displays packets and bytes transmitted and received
by your Quality of Service (QoS) queues. To enable
NETWORKING > QoS.
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 28
User Manual / AER1600/AER1650 10/30/17
CLIENT LIST
Displays information about
your Wireless, Wired, and
Hotspot Clients, and allows
you to Kick Wireless Clients,
block MAC addresses of both
Wireless and Wired Clients,
and Revoke Hotspot Clients.
TUNNELS
CP SECURE VPN
Displays status of your CP Secure VPN
VPN Tunnels, go to NETWORKING >
Tunnels > CP Secure VPN.
IPSEC VPN
Displays status of your IPSec VPN
VPN Tunnels, go to NETWORKING >
Tunnels > IPSec VPN.
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 29
User Manual / AER1600/AER1650 10/30/17
OPEN VPN
GRE
NETWORKING > Tunnels >
OpenVPN.
NETWORKING > Tunnels > GRE.
FIREWALL
SECURITY from
the left navigation.
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 30
User Manual / AER1600/AER1650 10/30/17
ROUTING
Displays information about your
System, GRE, and NEMO Routes.
NETWORKING > Tunnels.
ETHERNET
ports, go to NETWORKING > Local Networks > Ethernet Ports.
GPS
SYSTEM > Administration > GPS.
LLDP
Displays LLDP information. To enable LLDP, go to SYSTEM > Administration > LLDP.
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 31
User Manual / AER1600/AER1650 10/30/17
SYSTEM LOGS
SYSTEM > Administration > System Logging.
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 32
User Manual / AER1600/AER1650 10/30/17
NETWORKING
LOCAL NETWORKS
WIFI RADIO #1 (2.4GHZ)
WIFI RADIO #2 (5GHZ)
To edit your wireless
network, select its name and
click Edit.
WiFi Name (SSID): When
users browse for available
wireless networks, this is the
name that they will see. This
name is referred to as the
Hidden
attack a router that is not broadcasting its SSID, which adds to the wireless security, but it is also more
Isolate: Select this to isolate all wireless clients so they cannot directly communicate with each other on the
wireless network.
WMM
throughput.
Enabled: Whether the network is available.
Security Mode: You have several options for selecting a security
mode. The mode you choose depends on the security features your
wireless adapters support.
• WPA2 Personal
• WPA / WPA2 Personal
• WPA Personal
Local Networks
VLAN Interfaces
Tunnels
Routing
QoS
DNS Servers
WiFi as WAN
WAN Anity
Client Data Usage
NHRP
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 33
User Manual / AER1600/AER1650 10/30/17
• WPA2 Enterprise
• WPA / WPA2 Enterprise
• WPA Enterprise
• WEP Auto
• Open
Select “Open” to create a hotspot: otherwise select the best security that your devices will support
(Cradlepoint recommends WPA2).
• “Personal” security modes require passwords.
• “Enterprise” security modes are linked to a RADIUS server and require RADIUS authentication: IP, Port, and
Shared Key (Secondary IP and NAS ID optional).
• “WPA2” (Personal or Enterprise) forces AES as the WPA Cipher.
• “WPA/WPA2” and “WPA” (Personal or Enterprise) allow AES, TKIP/AES, and TKIP.
• “WEP Auto” requires a WEP Key.
• “Open” has no password or other security measures.
NOTE: If you don’t know whether you should choose Personal or Enterprise, assume Personal since you need to
know RADIUS authentication for Enterprise.
In order to protect your network from hackers and unauthorized users, Cradlepoint highly recommends WPA2/
AES for security if your attached devices can support it. WEP and WPA/TKIP are obsolete and have been
replaced by WPA/AES. Using those security settings will cause the WiFi to limit to 802.11g modes.
NOTE: If you select one of the security modes and are unable to connect to the router afterwards, you can use
When you select either WiFi Radio #1 (2.4GHz) or WiFi Radio #2 (5GHz) from Local Networks, you have several
WiFi Settings heading.
Channel Selection Method: This controls how a WiFi channel is selected.
• User Selection – Manually set the channel
• Random Selection – The router randomly sets the channel
• Smart Selection (Default) – Scans to determine the lowest interference WiFi channel
Channel Selection Schedule: When using the “Smart” channel selection, this controls whether the router will
periodically rescan for a better channel and change to it. Select
from “Once,” “Daily,” “Weekly,” or “Monthly.” Note that there may
be a momentary WiFi disconnection while the channel changes.
Channel: (Shows if User Selection is selected.) The WiFi channel*
corresponds to a frequency the router uses to communicate with
other devices. For 2.4 GHz, the range is 1 to 11, and 1, 6, and 11
do not overlap each other. Select a channel from the dropdown
list:
• 1 (2412 MHz)
• 2 (2417 MHz)
• 3 (2422 MHz)
• 4 (2427 MHz)
• 5 (2432 MHz)
• 6 (2437 MHz)
• 7 (2442 MHz)
• 8 (2447 MHz)
• 9 (2452 MHz)
• 10 (2457 MHz)
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 34
User Manual / AER1600/AER1650 10/30/17
• 11 (2462 MHz)
For 5.0 GHz, the ranges are 36 to 64 and 149 to 165.
• 36 (5180 MHz)
• 40 (5200 MHz)
• 44 (5220 MHz)
• 48 (5240 MHz)
• 149 (5745 MHz)
• 153 (5765 MHz)
• 157 (5785 MHz)
• 161 (5805 MHz)
• 165 (5825 MHz)
* - Channels listed above represent US/FCC settings. EU users will see different settings.
Client Timeout: If the access point is not able to communicate with the client it will disconnect it after this
timeout (in seconds).
TX Power: Normally the wireless transmitter operates at 100% power. In some circumstances, however, there
RTS Threshold: When an excessive number of wireless packet collisions are occurring, wireless performance
can be improved by using the RTS/CTS (Request to Send/Clear to Send) handshake protocol. The wireless
transmitter will begin to send RTS frames (and wait for CTS) when data frame size in bytes is greater than the
RTS Threshold. This setting should remain at its default value.
Fragmentation Threshold: Wireless frames can be divided into smaller units (fragments) to improve
performance in the presence of RF interference and at the limits of RF coverage. Fragmentation will occur
when frame size in bytes is greater than the Fragmentation Threshold. This setting should remain at its default
value. Setting the Fragmentation value too low may result in poor performance.
DTIM: A DTIM is a countdown informing clients of the next window for listening to broadcast and multicast
sends the next DTIM with a DTIM Interval value. Wireless clients detect the beacons and awaken to receive the
broadcast and multicast messages. The default value is 1. Valid settings are between 1 and 255.
Beacon: Beacons are packets sent by a wireless router to synchronize wireless devices. Specify a Beacon
Period value between 20 and 1000 milliseconds.
Short Slot: Slot Time is the period wireless clients use in determining if the channel is free for transmission.
Enabling this value allows clients that can utilize a shorter time to do so. Disabling this option forces all
transmission collisions.
Wireless Mode: Select the WiFi clients with which the router will be compatible. Greater compatibility is a
802.11 a/b/g/n/ac.
2.4 GHz options 5 GHz options
• 802.11 b
• 802.11 b/g
• 802.11 a/b/g/n
• 802.11 b/g/n
• 802.11 n
• 802.11 a/b/g/n/ac
• 802.11 g/n/ac
• 802.11 n/ac
• 802.11 ac
• 802.11 n
• 802.11 g
• 802.11 b
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 35
User Manual / AER1600/AER1650 10/30/17
Protection: In Auto mode the device will use protection to improve performance in mixed mode networks. Turn
Airtime Fairness: Airtime Fairness will attempt to balance air time between faster and slower wireless clients
to more fairly distribute bandwidth.
Channel Width
20 MHz channels to create a 40 MHz channel. Higher performance is possible with the 40 MHz channel.
Selecting Auto is generally best. Enabling WiFi as WAN will force 20 MHz only mode.
Extended Channel: When operating in 40 MHz mode the access point will use an extended channel either below
or above the current channel. Optimal selection will depend on the channels of other networks in the area.
MCS: 802.11n uses multiple Modulation Coding Schemes to enable higher throughput in various environments.
Since clients can dynamically change rates depending on environment, selecting Auto is generally best.
Short GI: Short GI is an optimization for shortening the interval between transmissions. May be incompatible
with older clients.
RADIUS Timeout: (Default: 3600 seconds) When using an Enterprise security mode clients will be forced to re-
authenticate with the RADIUS server at this interval in seconds. This allows administrators to revoke access so
when an attached client’s authentication expires, the client must re-authenticate.
RADIUS Retry: (Default: 60 seconds) When using an Enterprise security mode, if a RADIUS query fails to
receive a response from the server it will delay by this interval (in seconds) before attempting another query.
unreachable.
ETHERNET PORTS
circumstances, you have the ability to control: Mode (WAN or LAN) and Link Speed. Additional controls for WAN
ports are available in CONNECTION MANAGER.
Mode: WAN or LAN. By default there are four LAN (Local Area Network) ports and one WAN (Wide Area
Network) port.
• Internet (WAN) is used as a possible source of Internet for the router
• Local Network (LAN) is for connecting a computer or similar device directly to the router with an Ethernet
cable.
Link Speed: Default setting is Auto. The Auto setting is preferred in most cases.
• Auto
• 10Mbps - Half Duplex
• 10Mbps - Full Duplex
• 100Mbps - Half Duplex
• 100Mbps - Full Duplex
• 1000Mbps - Full Duplex
HOTSPOT SERVICES
Any of your networks can be enabled as a hotspot. To enable a hotspot, you need to select a network and set
it as a hotspot in NETWORKING > Hotspot Services.
NOTE: Although any network can be a hotspot, the router allows only one hotspot.
Hotspot Mode: Choose from the following dropdown options:
• Simple: Allows “Terms of Use” page and timeout settings controlled within the router
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 36
User Manual / AER1600/AER1650 10/30/17
• RADIUS/UAM: Allows you to set up external
authentication servers
Local IP Network: A single LAN Group – including both WiFi
Configure and set the IPv4 Routing Mode to “Hotspot” for
the LAN Group you want to use.
NOTE: Routing Mode is in the Primary LAN Editor under the
IPv4 Settings tab. Select a network in NETWORKING > Local
IP Networks and click Edit to open the Primary LAN Editor.
Allow Service on 3G/4G Modems: Allows you to enable or
disable hotspot access to the Internet over a modem. This is often used if the router has a main wired link and
a secondary modem for failover (typically with a more expensive/limited data plan). Select this option if you
Disable Service if Ethernet Threshold is met: This will block hotspot use of the WAN when the threshold is
met. This can be used if the router is being used as a backup failover connection to another router with a wired
connection. If that other router’s wired connection goes down and it starts using this router for its primary
connection, then disable hotspot use of the WAN connection. Set the limiting Rate (KB/s) and Time Period
(seconds).
Redirect HTTPS Requests: This allows initial requests to HTTPS websites to be redirected appropriately.
Hotspot/UAM Authentication Port
the port.
Simple Mode Settings
Display: This section allows you to choose if a “Terms
of Use” page will be given to the user connecting to the
hotspot.
• Internal Terms of Use. Fill in your own terms of use.
• External Terms of Use. Specify a URL that has the
Terms of Use page. Users will automatically be directed
to this page.
• No Terms of Use. Redirect Only.
Redirection on Successful Authentication: Depending on
your choice for the “Terms of Use” page, your have further
options for where the user will be directed. After the user
accepts the terms, you can either let him/her continue to
the URL they were trying to reach or you can force the user
• To the URL the user intended to visit
•
Redirect URL
address.
Session Timeout: (Default: 60 minutes.) The amount of time the user may use the router before being forced to
authenticate again.
Idle Timeout: (Default: 15 minutes.) If the user is idle for this amount of time, make them re-authenticate.
Bandwidth (upload): (Default: 512 Kbits/sec.) The data rate limit for users uploading data through the hotspot.
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 37
User Manual / AER1600/AER1650 10/30/17
Bandwidth (download): (Default: 1024 Kbits/sec.) The data rate limit for users downloading data through the
hotspot.
Allowed Hosts/Domains Prior to Authentication
Adding hostnames to this list will allow access from your
network to any external domain or website prior to being
authenticated. For example, a hotel might allow access to its
own website prior to authentication.
Click Add to enter new hostnames you wish to allow.
Enter the hostname or domain name of the website you wish
to allow, e.g. www.company.com or company.com. To allow all
domain and sub-domain options, use a wildcard, e.g. *.company.com.
Click Update to save your additions.
Authorized MAC Addresses
Add the MAC addresses of trusted machines. This gives them automatic
access through the hotspot portal.
Click Add to enter new MAC Addresses you wish to allow.
Click Update to save your additions.
DHCP SERVER
server automatically assigns IP addresses to the computers and other devices on each local area network
(LAN). In this section you can view a list of assigned IP addresses and reserve IP addresses for particular
devices.
Active Leases: A list of devices that have
been provided DHCP leases. The DHCP server
automatically assigns these leases. This list will not
include any devices that have static IP addresses
on the network. Select a device and click Reserve
to add the device and its IP address to the list of
Reservations.
Reservations: This is a list of devices with reserved
IP addresses. This reservation is almost the same
as when a device has a static IP address except that
the device must still request an IP address from
the router. The router will provide the device the
same IP address every time. DHCP reservations are helpful for server computers on the local network that are
hosting applications such as Web and FTP. Servers on your network should either use a static IP address or a
reservation.
While you have the option to manually input the information to reserve an IP address (Hostname, Hardware
Addr, IP Addr), it is much simpler to select a device under the Active Leases section and click “Reserve.” The
selected device’s information will automatically be added under Reservations.
LOCAL IP NETWORKS
Local IP Networks displays the following information for each network:
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 38
User Manual / AER1600/AER1650 10/30/17
• Network Name, IP address/Netmask, and Enabled/
Disabled (along the top bar)
• Multicast Proxy (Enabled/Disabled)
• DHCP Server (Enabled/Disabled)
• DHCP Relay (Enabled/Disabled)
• Schedule (Enabled/Disabled – See the Schedule tab in
the Local Network Editor)
• VRRP Failover State (Disabled, Backup, or Master)
• IPv4 Routing Mode (NAT, Standard, IP Passthrough,
Hotspot, Disabled)
• IPv6 Addressing Mode (SLAAC Only, SLAAC with
DHCP, Disable SLAAC and DHCP)
• Access Control (Admin Access, UPnP Gateway, LAN
Isolation)
• Attached Interfaces (Ethernet ports, WiFi, VLAN)
Click AddRemove to delete a network, or select an existing network and click Edit
General Settings
Enabled: The network can be manually disabled or in
to work with certain types of modems.
Name: The “name” property primarily helps to identify
this network during other administration tasks.
Hostname: The hostname is the DNS name associated
with the router’s local area network IP address.
IPv4 Settings
IP Address: This is the address used by the router for
local area network communication. Changes to this
parameter may require a restart to computers on this
network.
Netmask: The netmask controls how many IP addresses can be used in this network. The default value is
usually acceptable for most situations.
IPv4 Routing Mode: Each network can use a unique routing mode to connect to the Internet. The default of
• NAT: Network Address Translation hides private IP addresses behind the router’s IP address.
• Standard: Without NAT exposes the subnet addresses which requires them to be externally routable.
• IP Passthrough: IP Passthrough passes the IP address given by the modem WAN through the router.
Hotspot, VPN, and GRE must be disabled. Any Wireless interfaces must be removed from this network in
order to enable IP Passthrough.
• Hotspot: Provide Hotspot Services on this Network, requiring Terms of Service or RADIUS/UAM
authentication before WAN access will occur on both Wireless and Wired LAN connections.
IPv6 Settings
IPv6 Address Source: The Address source has three settings. The default of Delegated is desirable in most
• Delegated: The address is provided by a router connected to this router’s WAN.
• Static: The address is provided by the router admin.
• None: No use of an IPv6 WAN address, IPv6 is disabled on the WAN.
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 39
User Manual / AER1600/AER1650 10/30/17
IPv6 Address: An IPv6 Address is a unique numerical label for a computer or device using the Internet Protocol
(IP). IPv6 addresses are typically in the format composed of 8 sets of 4 hexadecimal numbers. Leading zeros
can be ignored and the longest set of continuous zeros can be replaced with ::. For example, the IPv6 address
of 0001:0000:0234:5678:0000:0000:9abc:0def can be expressed as 1:0:234:5678::9abc:def.
Interfaces
Select the network interfaces which will be attached
to this network by either dragging desired interface
or clicking left or right arrows to move them between
Available Interfaces and Selected Interfaces.
Access Control
UPnP Gateway: Select the UPnP (Universal Plug and Play)
option if you want to enable the UPnP Gateway service for
computers on this network.
Admin Access: When enabled users may access these admin pages from this network.
IPv4 DHCP
DHCP Server
• Enable DHCP Server: When the DHCP server is
enabled, users of your network will be able to
automatically connect to the Internet without
you leave this enabled. Advanced DHCP server
NETWORKING > Local
Networks > DHCP Server.
• Range Start: The starting IP address in the DHCP
Server range is the beginning of the reserved pool
of IP addresses which will be given to any DHCP
enabled computers on your network. The default
• Range End: The ending IP address in the DHCP Server range is the end of the reserved pool of IP
addresses which will be given to any DHCP enabled computers on your network. The default value is
• Lease Time:
new DHCP lease. Smaller values are better suited to busy environments.
• Custom Options: Send optional extra options to DHCP clients of this network. This can be used to, for
example, set the boot TFTP server of a network for disk-less clients.
DHCP Relay
• Enable DHCP Relay: DHCP Relay communicates with a DHCP server and acts as a proxy for DHCP
broadcast messages that must be routed to remote segments. This is accomplished by converting
broadcast DHCP messages to unicast messages to communicate between clients and servers.
Multicast Proxy
Multicast Proxy:
Quick Leave Mode: Disable quick leave mode if it’s vital that the daemon should act exactly as a real multicast
client on the upstream interface. However, disabling this function increases the risk of bandwidth saturation.
Altnet:
legal multicast sources.
IPv6 Addressing
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 40
User Manual / AER1600/AER1650 10/30/17
Address Configuration Mode:
DHCP Range Start: The DHCP Range Start is the beginning of the range that will be used for IPV6 DHCP
addresses. The IPv6 range will always start at 1.
DHCP Range End: The ending IP address in the DHCP Server range is the end of the reserved pool of IP addresses
which will be given to any DHCP enabled computers on your network.
IPv6 DHCP Lease Time:
lease.
Schedule
Enable Schedule Service: Enable the interface scheduler. A schedule allows an interface to be enabled or disabled
VRRP
Enable VRRP: Enable or disable VRRP.
Virtual Router IP: IP Address of the Virtual Router.
Virtual Router ID:
Router Priority: Failover priority of this router. The highest priority
router will take ownership of the Virtual IP.
WAN Fault Priority: This optional value sets the failover priority of this
router when no WAN connection is available. If the value matches the
normal router priority, WAN connection state will not be considered.
If the value is empty (the default), the router will always give up the
Virtual IP and let a new master take over when no WAN connection is
available.
Advertisement Interval: Sets the amount of time (in seconds) between
sending VRRP advertisements.
Initial Value Router State: This controls the initial failover state of the
Authentication: VRRP Authentication Method. Note that VRRP Authentication has been deprecated as of RFC
3768.
Password: VRRP Group Password.
Provide Virtual IP in DHCP leases: Select this to automatically set the DHCP default gateway address and DNS
server address to the Virtual IP in DHCP leases provided on this network.
STP
Enable STP: Enable Spanning Tree Protocol loop detection.
Bridge Priority: Set the priority of the bridge. When determining
the root bridge of the spanning tree topology, the bridge priority is
you want this router to be the root bridge, then set it to a value less
than the default of 32768. A valid priority value is between 0 and
65535.
Wired 802.1X
Enable 802.1X: Require IEEE 802.1X Authorization.
Reauthentication Period: EAP reauthentication period in seconds.
Auth Server IP Address: IP address of the connected RADIUS server.
Auth Server MAC Address: Hardware address of the connected RADIUS
server’s interface. NOTE: If you don’t know the MAC address for the
RADIUS server, enter 00:00:00:00:00:00, and the service will try to find
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 41
User Manual / AER1600/AER1650 10/30/17
the MAC address from the given IP address.
Port
Password
Acct Server IP Address: IP address of the connected RADIUS server.
Acct Server MAC Address: This is the Hardware address of the connected RADIUS server’s interface. NOTE: If you
don’t know the MAC address for the RADIUS server, enter 00:00:00:00:00:00, and the service will try to find the MAC
address from the given IP address.
Port
Password
MAC FILTER & LOGGING
connected to your router.
Filter Conguration
The MAC Filter allows you to create a list of devices that have either
exclusive access (whitelist) or no access (blacklist) to your local
network.
Enabled: Click to allow MAC Filter options.
Whitelist: Select either “Whitelist” or “Blacklist” from a dropdown
menu. In “Whitelist” mode, the router will restrict LAN access to all
computers except those contained in the “MAC Filter List” panel. In
“Blacklist” mode, listed devices are completely blocked from local
network access.
MAC Filter List (Whitelist or Blacklist)
Add devices to either your whitelist or blacklist simply by inputting each device’s MAC address.
NOTE: Use caution when using the MAC Filter to avoid accidentally blocking yourself from accessing the router.
MAC Logging Conguration
Enable MAC Logging: Enabling MAC Logging will cause the router to log
MAC addresses that are connected to the router. MAC addresses that you
do not want to have logged (addresses that you expect to be connected)
should be added to the “Ignored MAC Addresses” list.
MAC address that the router doesn’t recognize. Go to SYSTEM > Device
Alerts to set up these email alerts.
Ignored MAC Addresses
This is the list of MAC addresses that will not produce an alert or a log
entry when they are connected to the router. These should be MAC
addresses that you expect to be connected to the router. To add MAC
addresses to this list, simply select devices shown in the MAC Address Log and click “Ignore.” You can also add
addresses manually.
MAC Address Log
This shows the last 64 MAC addresses that have connected to the router, as well as which interface was used
to show the most recent log entries.
Double-clicking on entries from this list will add them to the Ignored MAC Addresses list.
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 42
User Manual / AER1600/AER1650 10/30/17
VLAN INTERFACES
A virtual local area network, or VLAN, functions as any other physical
LAN, but it enables computers and other devices to be grouped
together even if they are not physically attached to the same
network switch.
To enable a VLAN, select a VID (virtual LAN ID) and a group of Ethernet
ports through which users can access the VLAN. Then go back up to
the Local Network Editor to attach your new VLAN to a network. To
use a VLAN, the VID must be shared with another router or similar
device so that multiple physical networks have access to the one
virtual network.
Click Add to create a new VLAN interface. To edit an interface, select
the check box next to the desired interface.
TUNNELS
CP SECURE VPN
private data network that minimizes both cost and complexity. Unlike traditional
bulky head-end concentrator hardware solutions, CP Secure VPN allows IT
managers to secure their expanding Edge Networks using architectures that scale
quickly and are easy to maintain. For more information, visit cradlepoint.com.
NOTE: CP Secure VPN requires an NCM Prime subscription. For more information,
visit cradlepoint.com.
IPSEC VPN
VPN (virtual private network) tunnels are used to establish a secure connection
to a remote network over a public network. For example, VPN tunnels can be used
to function as one network. The two networks set up a secure connection across the (normally) unsecure
Internet by assigning VPN encryption protocols.
Cradlepoint VPN tunnels use IPsec (Internet Protocol security) to authenticate and encrypt packets exchanged
across the tunnels. To set up a VPN tunnel with a Cradlepoint router on one end, there must be another device
(usually a router) that also supports IPsec on the other end.
IKE (Internet Key Exchange) is the security protocol in IPsec. IKE has two phases, phase 1 and phase 2. The
The VPN tunnel status page allows you to view the state of the VPN tunnels. If a tunnel fails to connect to the
remote site, check the System Logs for more information. You may double click on a cell to directly edit that
information.
Click AddEdit to make changes to an existing tunnel.
Add/Edit Tunnel – General
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 43
User Manual / AER1600/AER1650 10/30/17
Tunnel Name
Anonymous Mode: Select to allow remote connections from any IP
address.
Responder Mode: When enabled, the router will not initiate negotiation
with peers.
Local Identity
phase 1 negotiation. If left blank it will default to the IP address of
then both must match in order for the negotiation to succeed. If NAT-T
is being used, a single word (instead of an address) can be used if a
DynDNS connection is not being used.
Remote Identity
IP address of the WAN connection. If NAT-T is being used, a single word (instead of an address) can be used if a
DynDNS connection is not being used.
Authentication Mode: Select from Pre-Shared Key and Certificate. Pre-Shared Key is used when there is a
single key common to both ends of the VPN. Certificate
private key that can be uploaded to the router. Select Enable Certificate Support in the Global VPN Settings
Pre-Shared Key: Create a password or key. The routers on both sides of the tunnel must use this same key.
Mode: Select from Tunnel, Transport or V TI-Tunnel. Tunnel Mode
Transport Mode is
used for end-to-end communications (for example, for communications between a client and a server). VTI
Tunnel
Initiation Mode: Always On or On Demand. Always On is used if you want the tunnel to initiate the tunnel
connection whenever the WAN becomes available. Select On Demand if you want the tunnel to initiate a
Tunnel Enabled: Enabled or Disabled.
Add/Edit Tunnel – Local Gateway
IP Version: Select IPv4 or IPv6.
WAN Binding: WAN Binding is an optional parameter
An example use case is when there is a router with both
a primary and failover WAN device and the tunnel should
only be used when the system has failed over to the
backup connection.
Make a selection for “When,” “Condition,” and “Value” to
create a WAN Binding. The condition will be in the form
of these examples:
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 44
User Manual / AER1600/AER1650 10/30/17
When Condition Value
Port Is USB Port 1
Type Is not WiMax
• When:
• Port – Select by the physical port on the router that you are plugging the modem into (e.g., “USB
Port 2”).
• Manufacturer – Select by the modem manufacturer (e.g., “Cradlepoint Inc.”).
• Model
• Type – Select by type of Internet source (Ethernet, LTE, Modem, Wireless as WAN, WiMAX).
• Serial Number – Select a 3G or LTE modem by the serial number.
• MAC Address – Select a WiMAX modem by MAC Address.
• Unique ID – Select by ID. This is generated by the router and displayed when the device is connected
to the router.
• Condition: Select “is,” “is not,” “starts with,” “contains,” or “ends with” to create your condition’s
statement.
• Value: If the correct values are available, select from the dropdown list. You may need to manually input
the value.
Invert Binding: Advanced option that inverts the meaning of WAN Binding to only establish this tunnel when
NOT connected.
Add/Edit Tunnel – Local Networks
IP Version: Select IPv4 or IPv6.
The Network Address and the Netmask
VPN tunnel.
NOTE
Optionally: A Port
Add/Edit Tunnel – Remote Gateway
Gateway: This value can be any of the following: an
name in the form of “host.domain.com” (DNS names
are case-insensitive, so only lower case letters are
allowed). It is recommended that you use a dynamic
DNS hostname instead of the static IP address – by
using the dynamic DNS hostname, updates of the
remote WAN IP are compensated for while connecting
to a VPN tunnel.
Add/Edit Tunnel – Remote Networks
The Network Address and the Netmask
access to via the VPN tunnel.
NOTE: the remote network IP address MUST
Optionally: A Port
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 45
User Manual / AER1600/AER1650 10/30/17
Add/Edit Tunnel – IKE Phase 1
IKE security has two phases, phase 1 and phase 2. You
To set up a tunnel with a remote site, you need to match
your tunnel’s IKE negotiation parameters with the remote
site. By selecting several encryption, hash, and DH group
options, you improve your chances for a successful tunnel
negotiation. For greatest compatibility, select all options;
for greatest security, select only the most secure options
that your devices support.
Exchange Mode: The IKE protocol has two modes of
negotiating phase 1 – Main (also called Identity Protection)
and Aggressive.
• In Main mode, IKE separates the key information from
the identities, allowing for the identities of peers to be secure at the expense of extra packet exchanges.
• In Aggressive mode, IKE tries to combine as much information into fewer packets while maintaining
security. Aggressive mode is slightly faster but less secure.
Because it has better security, Main mode is recommended for most users.
Key Lifetime: The lifetime of the generated keys of phase 1 of the IPsec negotiation from IKE. After the time
has expired, IKE will renegotiate a new set of phase 1 keys.
Encryption, Hash, and DH Groups
Each IKE exchange uses one encryption algorithm, one hash function, and one DH group to make a secure
exchange.
Encryption: Used to encrypt messages sent and received by IPsec.
• AES 128
• AES 256
• DES
• 3DES
Hash: Used to compare, authenticate, and validate that data across the VPN arrives in its intended form and to
derive keys used by IPSec.
• MD5
• SHA1
• SHA2 256
• SHA2 384
• SHA2 512
Note that some Encryption/Hash combinations (e.g., 3DES with SHA2 384/512) are computationally expensive,
impacting WAN performance. AES is as strong an encryption and performs much better than 3DES.
DH Groups
numbers associated with key generation. The strength of the key generated is partially determined by the
strength of the DH Group. Group 5, for instance, has greater strength than Group 2.
• Group 1: 768-bit key
• Group 2: 1024-bit key
• Group 5: 1536-bit key
In IKE Phase 1 you can only select one DH group if you are using Aggressive exchange mode.
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 46
User Manual / AER1600/AER1650 10/30/17
By default, all the algorithms (encryption, hash, and DH groups) supported by the device are checked, which
means they are allowed for any given exchange. Deselect these options to limit which algorithms will be
accepted. Be sure to check that the router (or similar device) at the other end of the tunnel has matching
algorithms.
The algorithms are listed in order by priority. You can reorder this priority list by clicking and dragging
algorithms up or down. Any selected algorithm may be used for IKE exchange, but the algorithms on the top of
the list are more likely to be used more often.
Add/Edit Tunnel – IKE Phase 2
Perfect Forward Secrecy (PFS): Enabling this feature will require IKE to generate a new set of keys in phase
2 rather than using the same key generated in phase 1. Additionally, with this option enabled the new keys
security.
Key Lifetime: The lifetime of the generated keys of phase 2 of the IPsec negotiation from IKE. After the time
has expired, IKE will renegotiate a new set of phase 2 keys.
Phase 2 has the same selection of Encryption and DH Groups as phase 1, but you are restricted to only one
DH Group. Phase 2 and phase 1 selections do not have to match. For the Hash selection an added value of
truncation, but RFC4868 requires 128-bit. A VPN to newer Cisco or Juniper devices will typically require 128-bit.
Add/Edit Tunnel – Dead Peer Detection
Dead Peer Detection (DPD)
detect when one end of the IPsec session loses connection
while a policy is in use.
Connection Idle Time
allow an IPsec session to be idle before beginning to send
Dead Peer Detection (DPD) packets to the peer machine.
(Default: 30 seconds. Range: 10 – 3600 seconds.)
Request Frequency
these DPD packets. (Default: 15 seconds. Range: 2 – 30
seconds.)
Maximum Requests: Specify how many requests to send at
the selected time interval before the tunnel is considered dead. (Default: 5. Range: 2 – 10.)
Failback Retry Period: If you have VPN tunnel failover/failback enabled (see below), set the time period
between each check on the primary network after failover. (Default: 10 seconds. Range: 5 – 60 seconds.)
Failover Tunnel and Failback Tunnel: Use these settings to create two tunnels – one as the primary tunnel and
1. Create two tunnels: one for primary and one for backup. Make sure that both tunnels have the same
Remote Network and that both have Dead Peer Detection enabled.
2. Choose one to be the primary tunnel. Open the editor for this tunnel and make sure Tunnel Enabled is
selected. Then go to the Dead Peer Detection page. Under Failover Tunnel select the other tunnel you
have created.
3. Open the editor for the failover tunnel. Make sure Tunnel Enabled is not selected. On the Dead Peer
Detection page, set the Failback Tunnel to your primary tunnel.
Global VPN Settings
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 47
User Manual / AER1600/AER1650 10/30/17
Enable VPN Service: Enabling VPN Service will allow you to
Certificate Name
IKE / ISAKMP Port: Internet Key Exchange / Internet
Security Association and Key Management Protocol port.
(Default: 500. This is a standard VPN port that usually
does not need to be changed.)
IKE / ISAKMP NAT-T Port: Internet Key Exchange / Internet
Security Association and Key Management Protocol
network address translation traversal port. (Default: 4500. This is a standard VPN NAT-T port that usually does
not need to be changed.)
NAT-T KeepAlive Interval: Number of seconds between sending NAT-T packets to keep the tunnel alive if no
all cases.)
Tunnel Connect Retry: Number of seconds between connection attempts. (Default: 30 seconds. Range: 10-255
OPEN VPN
OpenVPN is an open source software application that implements virtual private network (VPN) techniques
access facilities.
Once you have a valid feature license, click Add to create a new OpenVPN tunnel. Click Edit to make changes to
an existing tunnel.
Add/Edit Tunnel – General
• Tunnel Name – Enter a name to uniquely identify this tunnel
• Tunnel Mode – Select which mode this tunnel endpoint is required to be. Choose from the following:
• Client
• Server
• Device Type - Select between Routed (TUN) or Bridged (TAP)
virtual device.
• Routed creates an interface that can be used in the Zone
Firewall and is fully routable.
• Bridged creates a network interface that can be assigned
interface is managed through the assigned LAN device.
• Local Endpoint - Enter the IP Address of the LNS (tunnel
server) peer
• Local Netmask – Enter the Netmask of the LNS (tunnel server)
peer
• Remote Endpoint – Enter the IP Address of the LNS (tunnel
server) peer
• Remote Netmask – Enter the Netmask of the LNS (tunnel
server) peer
• Support IPv6 Tunnels
this tunnel. If you select this option, also input an IPv6 Tunnel Address and Tunnel Prefix Length for IPv6
• Tunnel Protocol – Choose UDP or TCP
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 48
User Manual / AER1600/AER1650 10/30/17
• Port – Specify the port if desired
• Ping – (Displays if the Configuration Mode is Advanced) If no packets have been sent in the amount of
time entered, a ping is sent to the remote endpoint
• Ping Restart – (Displays if the Configuration Mode is Advanced) If no pings have been received in the
amount of time entered, OpenVPN restarts the tunnel
• Tunnel Enabled – Click to enable/disable this tunnel
Add/Edit Tunnel – Security
• Cipher
in situations where keys are changed infrequently. OpenVPN
supports the CBC, CFB, and OFB cipher modes, however CBC is
recommended and CFB and OFB should be considered advanced
modes.
• Auth Algorithm – Authenticate packets with HMAC using message
digest algorithm alg. (The default is SHA1). HMAC is a commonly
used message authentication algorithm (MAC) that uses a data
string, a secure hash algorithm, and a key, to produce a digital
signature.
• Verify peer certicate
• TLS-Authentication – In client/server mode: adds an additional layer of HMAC authentication on top of the
tls control channel to protect against DoS attacks. In point-to-point mode: encrypts the communication
using a static key. These keys must match on each endpoint.
Add/Edit Tunnel – Remote Servers
Create a list of remote server connections to connect to. OpenVPN will try to connect to each host in the list. If
a disconnect occurs from a given server, the next server will be tried in a round-robin fashion.
• Host – IP address of the remote server
• Port – Specify the port if desired
• Protocol – Select UDP or TCP
Add/Edit Tunnel – Routes
Add or remove the routes that will be used to direct packets through the tunnel.
• Network Address
• Netmask
Generate Client Conguration
GRE
Generic Routing Encapsulation (GRE) tunnels can be used to create a connection between two private
networks. Most Cradlepoint routers are enabled for both GRE and VPN tunnels. GRE tunnels are simpler to
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 49
User Manual / AER1600/AER1650 10/30/17
• Local Network and Remote Network addresses for the “Glue Network,” the network that is created by
the administrator that serves as the “glue” between the networks of the tunnel. Each address must be a
the tunnel.
• Remote Gateway, the public facing WAN IP address that the local gateway is going to connect to.
• Routes
tunnel.
Optionally, you might also want to enable the tunnel Keep Alive feature to monitor the status of a tunnel and
more accurately determine if the tunnel is alive or not.
Click AddEdit to make changes to an existing tunnel.
Add/Edit Tunnel – General
Tunnel Name
Tunnel Key: Enables an ID key for a GRE tunnel, which can
Local Network: This is the local side of the “Glue
Network,” a network created by the administrator to
form the tunnel. The user creates the IP address entered
networks it is gluing together. Choose any private IP
address from the following three ranges that doesn’t
match either network:
• 10.0.0.0 - 10.255.255.255
• 172.16.0.0 - 172.31.255.255
• 192.168.0.0 - 192.168.255.255
Remote Network: This is the remote side of the “Glue
Network.” Again, the user must create an IP address that
is distinct from the IP addresses of the networks that are
being glued together.
Subnet Mask
with this mask. 255.255.255.0 is a logical choice for most users.
Remote Gateway: This is the public facing, WAN-side IP address of the network to which the local gateway is
going to connect.
TTL: Set the Time to Live (TTL), or hop limit, for the GRE tunnel.
MTU: Set the maximum transmission unit (MTU) for the GRE tunnel.
WAN BindingONLY operate when
both a primary and failover WAN device and the tunnel should only be used when the system has failed over to
the backup connection.
Make a selection for “When,” “Condition,” and “Value” to create a WAN Binding. The condition will be in the
form of these examples:
When Condition Value
Port Is USB Port 1
Type Is not WiMax
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 50
User Manual / AER1600/AER1650 10/30/17
• When:
• Port – Select by the physical port on the router into which you are plugging the modem (e.g., “USB
Port 2”).
• Manufacturer – Select by the modem manufacturer (e.g., “Cradlepoint Inc.”)
• Model
• Type – Select by type of Internet source (Ethernet, LTE, Modem, Wireless as WAN, WiMAX)
• Serial Number – Select a 3G or LTE modem by the serial number
• MAC Address – Select a WiMAX modem by MAC Address
• Unique ID – Select by ID. This is generated by the router and displayed when the device is connected
to the router.
• Condition: Select “is,” “is not,” “starts with,” “contains,” or “ends with” to create your condition’s
statement.
• Value: If the correct values are available, select from the dropdown list. You may need to manually input
the value.
Invert WAN Binding: Advanced option that inverts the meaning of WAN Binding to only establish this tunnel
NOT connected.
Tunnel Enabled: Select to activate the tunnel.
Add/Edit Tunnel – Routes
allowed through the tunnel.
Click Add Route
remote network:
• Network Address – This is the network address that is the destination of the route. This should be set to
the network address at the remote side of the tunnel.
• Netmask
You can set the tunnel to connect to a range of IP addresses or to a single IP address. For example, you could
input 192.168.0.0 and 255.255.255.0 to connect your tunnel to all the addresses of the remote network in
the 192.168.0.x range. Alternatively, you could select a single address by inputting that address along with a
Netmask of 255.255.255.255.
Add/Edit Tunnel – Keep Alive
GRE keep-alive packets can be enabled to be sent through the tunnel in order to monitor the status of the
tunnel and more accurately determine if the tunnel is alive or not.
Enabled: Select to enable GRE Keep Alive to continually
send keep-alive packets to the remote peer.
Rate: Choose the length of time in seconds for each check
(Default: 10 seconds. Range: 2 – 3600 seconds).
Retry: Select the number of attempts before the GRE
tunnel is considered down or up (Default: 3. Range: 1 –
255).
Failover Tunnel and Failback Tunnel: Use these settings
failback, complete the following steps:
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 51
User Manual / AER1600/AER1650 10/30/17
1. Create two tunnels: one for primary and one for backup. Make sure both tunnels have Keep Alive enabled.
2. Choose one to be the primary tunnel. Open the editor for this tunnel and make sure Tunnel Enabled is
selected. Then go to the Keep Alive page. Under Failover Tunnel select the other tunnel you have created.
3. Open the editor for the failover tunnel. Make sure Tunnel Enabled is not selected. On the Keep Alive page,
set the Failback Tunnel to your primary tunnel.
NEMO
session continuity for every node in a mobile network as the network moves.
NEMO requires a service provider, e.g. Verizon Wireless Private Network with DMNR (Dynamic Mobile Network
Once you have a NEMO service provider and a valid feature license, add networks to the Networks Routed by
NEMOAdd. In the popup window, input:
• Network Address - This is the network address that is the destination of the route. This should be set to
the network address at the remote side of the tunnel.
• Netmask
local network you want associated with the NEMO settings.
Network Mobility (NEMO) Settings
Enbable: Enable NEMO.
WAN: Select the WAN(s) to use for the NEMO connection. An expression such as “Unique ID is (any)” will allow
NEMO to operate on any WAN, whereas “Type is LTE” will limit NEMO operation to the WAN(s) provided by any
connected LTE device(s).
With WAN: Register the NEMO connection
becoming available. If not checked, will only register
the NEMO connection when needed.
Home IP Address and Home Netmask – These may
be provided by your NEMO service provider. The IP
address is a placeholder, “dummy” address; any IP
address can be used (1.2.3.4 is common).
Home Agent IP Address, Home Agent Password, and
Home Agent SPI
by your NEMO service provider.
Renew Registration – The NEMO network regularly
re-registers with the home agent (e.g., every 30 seconds). Specify the number of seconds between each check-
in.
MTU – Override the maximum transmission unit (MTU) of the NEMO tunnel. The TCP MSS (maximum segment
size) is automatically derived from the MTU. Leave blank to rely on Path MTU Discovery.
L2TP
Layer 2 Tunneling Protocol (L2TP) tunnels can be used to create a connection between two private networks.
Once you have a valid feature license, click **Add** to create a new L2TP tunnel. Click **Edit** to make changes
to an existing tunnel.
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 52
User Manual / AER1600/AER1650 10/30/17
Add/Edit Tunnel – General
• Tunnel Name – Enter a name to uniquely identify this tunnel
• LNS address – Enter the IP Address of the LNS (tunnel server)
peer
• MTU – Set the maximum transmission unit (MTU) for the L2TP
tunnel
• MRU – Set the maximum receive unit (MRU) to request from
the tunnel peer. The MRU is very similar to the MTU: MTU is for
packets sent and MRU is for packets received
• Tunnel Enabled – Click to enable/disable this tunnel. Default:
Enabled.
Authentication
More authentication options and overrides are available in the
next section.
• Username
blank to disable.
• Password – Shared secret (or password) used to authenticate the associated Local and Remote names.
Redial
• Enabled – When this is selected, the tunnel will attempt to reconnect if disconnected.
Add/Edit Tunnel – Authentication
• Remote Name
remote system as its identity, sometimes a username or
hostname. Leave blank to match any.
• Local Name
remote system as the local system identity; sometimes a
username or hostname. Leave blank to match any.
• Secret – Shared secret (or password) used to authenticate the
associated Local and Remote names.
Overrides
Override Authentication methods/parameters. With methods set to
Allow the two ends of the tunnel can negotiate a common scheme.
Sometimes this negotiation fails, or the implementation on one
end is incompatible with the other. To solve those authentication
issues, enable the overrides as needed.
• Authentication
• CHAP – Choose from Allowed, Refused, or Required.
• PAP – Choose from Allowed, Refused, or Required.
• Name – Override names used to authenticate the router. Leave empty to use the default.
Add/Edit Tunnel – Routes
remove routes to be used to funnel packets through the tunnel.
• Network Address – This is the network address that is the destination of the route. This should be set to
the network address at the remote side of the tunnel.
• Netmask
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 53
User Manual / AER1600/AER1650 10/30/17
ROUTING
STATIC ROUTES
Add a new static route to the IP routing table or edit/remove an existing route.
Static routes are used in networks with more than one layer, such as when there is a network within a
network so that packet destinations are hidden behind an additional router. Adding a static route is a way of
telling the router about an additional step that packets will need to take to reach their destination.
Click Add to create a new static route.
IP Version
IP/Network Address or IPv6 Address: The IP address of the target network
CIDR notation to declare a range of
addresses.
Netmask/Prex
network the computer belongs to and which other IP addresses the computer
can see in the same LAN. An IP address of 192.168.0.1 along with a Netmask of
to 192.168.0.255.
Gateway or IPv6 Gateway
is used. A gateway of 0.0.0.0 implies there is no next hop, and the IP address
LAN or
WAN.
Device: Select the network interface
from the dropdown menu (e.g. ethernet-wan). You can use this instead
changing.
Metric: Set the numerical priority of the route. Lower numbers have
higher priority.
Allow Network Access: (Default: Deselected.) Some static routes
will need an IP Filter Rule via the Firewall to allow packets through
the route without being blocked. Selecting this option automatically
creates this IP Filter Rule. If the IP/Network Address falls outside the
LAN IP range, you probably need to select this option.
Distribute: Allow this static route to be distributed via a routing protocol (BGP, OSPF, RIP, RIPng).
POLICY ROUTING
Policy routing allows for the addition of routes which are only evaluated when a certain set of conditions
match. The evaluation occurs before the main system routes and can override the primary route table. If no
policy route is matched, the lookup will fall back on the primary route table instead.
Route Policies:
primary route table instead. To add a route policy, click Add.
• IP Version: Select the IP protocol version.
• Source IP/Network Address
• Source Netmask/Prex
• Destination IP/Network Address
• Destination Netmask/Prex
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 54
User Manual / AER1600/AER1650 10/30/17
• Incoming Device: Select the incoming device upon which this
policy will match. (optional)
• Table: Select the route table to use for routing when this policy
is matched.
Route Tables: Static route tables to be used in policy route lookups.
are not available for use in dynamic routing protocols. To add a
route, click Add.
• IP Version: Select the IP protocol version.
• IP/Network Address
• Netmask/Prex
• Gateway
• Device: Select the interface or enter null0 to install a black hole
route.
• Metric: Set the route metric.
• Allow Network Access: Some static routes will need an IP Filter
Rule added to allow packets to route without being blocked by
rule for you.
ROUTE FILTERS
Common route lters may be used by any of the routing protocols.
the route is denied.
Access List:
Prefix List:
Route Map:
policy to be applied to a route via set actions.
• Description: Displayed to help identify the route map.
• Permit: Checking Permit will carry out the Set Actions
if the Match Conditions are met, and permit the
route. Clearing Permit will deny the route if the Match
Conditions are met.
• Match Conditions:
match.
• Set Actions: A set of actions that are triggered by a
match.
an incompatible protocol will cause errors during operation that prevent the routing protocol from starting.
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 55
User Manual / AER1600/AER1650 10/30/17
• OSPF-specific: metric-type.
• BGP-specific: as-path, weight, comm-list, local-preference,
community, ext community.
expressed as two 16-bit values separated by a colon (e.g. 18838:722).
A received or well-known community can be referenced by its number
refering to it by name.
Note certain well-known communities can be used by name without
no-advertise (never advertise these routes), no-export
(don’t advertise beyond confederation boundary), local-AS (don’t
advertise to external peers), internet (advertise to everyone), and
none (used to clear any community associated with a route).
BGP route lters are only used by the BGP protocol. Access lists are
match is found, the route is denied.
Access List:
Community List:
community is a label which is attached to routes learned from that
community. Then that community or label can be used to select which
policy(s) should be applied to those routes.
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 56
User Manual / AER1600/AER1650 10/30/17
BGP
The latest version of BGP (Border Gateway Protocol) is version 4. BGP-4 is one of the Exterior Gateway
Protocols and de facto standard of Inter Domain routing protocol. BGP-4 is described in RFC1771, A Border
Gateway Protocol 4 (BGP-4). BGP is a distance vector routing protocol, and the AS-Path framework provides
distance vector metric and loop detection to BGP RFC1930.
BGP Editor
• Enabled: Click to enable/disable the policy. (Default:
enabled).
• Name: Unique name of the policy.
• Router-ID: This sets the router-ID of the BGP process. The
router-ID may be an IP address of the router, but need
not be – it can be any arbitrary 32-bit number. However
it *MUST* be unique within the entire BGP domain to
the BGP speaker: bad things will happen if multiple BGP
• Cluster ID: Specify the cluster ID, used if the BGP cluster
• ASN: The AS (Autonomous System) number is one of the
essential elements of BGP.
• View Name: Specify a view to exchange BGP routing information without adding to the kernel routing
table.
• Distance:
• Maximum Paths: Maximum Paths can be set greater than 1 to allow multipath routing. This setting limits
• Multipath Relax:
• Timers Keepalive/Hold: Keepalive interval is the time between keepalive messages sent to peers. Hold
time is the timeout after the last keepalive message until the peer is declared dead. The Keepalive interval
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 57
User Manual / AER1600/AER1650 10/30/17
must be set in order to set the Hold time. All times are in seconds from 1 to 65535. Set to 0 or empty to
disable (default).
Networks Associated with ASN or IPv6 Networks Associated with ASN
detecting whether the BGP connection is internal one or external one. Use the IPv4 address and netmask or
IPv6 address with a CIDR notation
Neighbor Options or IPv6 Neighbor Options
• Peer Group: Optionally specify a peer group for this
neighbor. You can Bind to an existing peer group
or Define a new one. A neighbor will inherit the
properties from the peer group to which it is bound.
inherited properties.
• IP Address: The IP address of the neighbor. Not
• Port: Specify port.
• Remote ASN: Enter the ASN of the remote AS. The AS
(Autonomous System) number is one of the essential
elements of BGP. BGP is a distance vector routing
protocol, and the AS-Path framework provides
distance vector metric and loop detection to BGP.
RFC1930.
• Weight: Assign a weight to a neighbor connection.
• Maximum Prex: Specify the maximum number of
• Password: Enable message digest5 (MD5)
authentication on a TCP connection between BGP
peers. The same password must be used on both
peers.
• Update Source: Specify the IPv4 source address or
interface name to use for the BGP session to this
neighbor.
• Default Originate: Allow the local router to send
the default route (0.0.0.0) to a neighbor for use as a
• Don’t Send Community:
the BGP neighbor.
• eBGP Multihop: Accept and attempt BGP connections to external peers residing on networks that are not
directly connected. Mutually exclusive with TTL Security. Optionally specify Time To Live from 1 to 255
hops.
• TTL Security: Specify the number of hops to reach eBGP neighbors. Mutually exclusive with eBGP Multihop.
• Next Hop Self:
learned via eBGP. Select All to also apply this setting to routes learned via iBGP.
• Local AS Number:
received AS_PATH when receiving routing updates from the peer, and prepended to the outgoing AS_PATH
when transmitting local routes to the peer. Check No Prepend to not prepend the local AS Number to either
the received or outgoing AS_PATH. Check Replace AS
AS_PATH.
• Distribute-list In/Out: Specify a distribute-list for the peer in either or both directions. Lists are chosen
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 58
User Manual / AER1600/AER1650 10/30/17
• Filter-list In/Out:
BGP tab.
• Prex-list In/Out: Filter this neighbor’s incoming and/or outgoing advertisements according to the
tab.
• Route Map In/Out: Apply a route map to incoming and/or outgoing routes. Maps are chosen from the
• Route Reector Client:
client.
• Capability Negotiation:Strict to completely
match capabilities. Select Disable to suppress sending a negotiation message to peers that are not
Override to ignore the remote peer’s capability value and use the local
value instead.
• Soft Reconguration:
• Advertisement Interval:
• Timers Keepalive/Hold: Keepalive interval is the time between keepalive messages sent to peers. Hold
time is the timeout after the last keepalive message until the peer is declared dead. The Keepalive interval
must be set in order to set the Hold time. All times are in seconds from 1 to 65535. Set to 0 or empty to
disable (default).
Redistribute Routes
• Type: The type is the source of the route. Select from: Main, Connected, Static, RIP, and OSPF.
• Metric: Numerical priority of the route.
• Route Map
applied to routes.
OSPF
OSPF (Open Shortest Path First) version 2 is a routing protocol described in RFC2328, OSPF Version 2. OSPF
is an IGP (Interior Gateway Protocol). Compared with RIP, OSPF can provide more scalable network support
and faster convergence times. OSPF is widely used in large networks such as ISP (Internet Service Provider)
backbone and enterprise networks. Click Add to add an OSPF router.
General
• Enable: Enable and disable the routing protocol policy.
• Router ID
which must be a dotted quad (like an IP address). This ID
MUST be unique within the entire OSPF domain - errors
with the same router-ID.
• ABR Type: The OSPF standard does not allow an ABR
to consider routes through connected non-backbone
areas. Relaxed (default) relaxes this restriction and
will consider routes through non-backbone areas if the
backbone area is down. Standard respects the OSPF
standard regardless if the backbone area is down.
Shortcut will always route through the best path even if it does not go through the backbone area. When
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 59
User Manual / AER1600/AER1650 10/30/17
this is set, shortcut can be enabled/disabled on a per area basis.
• Flags: RFC 1583 Compatibility uses the predecessor standard RFC 1583 path preference algorithm. This
typically is NOT set. Opaque capability enables forwarding Opaque LSA extensions described in RFC 5250.
• Max Metric:
router is unreachable.
• Passive Interface Default:
send link-state advertisements.
• Refresh Timer: Sets the OSPF LSA refresh timer. Default is 10 seconds.
• Reference Bandwith (Mb/s): Sets the reference bandwidth for cost calculations. Link cost will
automatically scale in reference to this bandwidth unless explicitly overridden. The default is 100 Mb/s
equal to cost of 1. Note: this setting MUST be consistent across routers in the OSPF domain.
• SPF Timers:
values allows you to manage CPU usage when calculating SPF. Delay sets the initial delay. SPF calculations
will always be performed at least this many milliseconds apart. Consecutive SPF calculations will always
be separated by at least the Hold Time up to the Max Hold Time increasing by Max Hold Time for each
consecutive calculation.
Interfaces
• Device: Select device interface.
• Options: Set interface options. Passive means no Hellos
will be transmitted out this interface. MTU Ignore
disables MTU mismatch detection.
• Network Type: Set the network type for this interface.
• Authentication: Set OSPF interface authentication.
Key sets the OSPF authentication key to a simple
password. After setting authentication key, all OSPF
packets are authenticated. The authentication key has
a maximum length of eight characters if using plain text
authentication and sixteen characters if using message-
digest authentication. Key ID enables message-digest
authentication. Leave this blank to enable plain text
the protocol and must be consistent across routers on a link.
• Cost: OSPF metric for this interface.
• Transmit Delay: Link state transmit delay.
• Priority: The router with the highest priority will be more eligible to become Designated Router. Setting
this to 0 disables this router from participating in DR elections.
• Intervals: Set hello intervals. Hello sets the number of seconds for the Hello Interval timer value. Setting
this value, Hello packets will be sent every timer value seconds. This value must be the same for all routers
in the area. The default value is 10 seconds. Dead sets the number of seconds for the Router Dead Interval
timer value used for Wait Timer and Inactivity Timer. This value must be the same for all routers attached
an area. The default value is 40 seconds. Retransmit sets the number of seconds between retransmitting
lost link state advertisements.
• Sub-second Hellos: Enable sub-second Hellos and
set the number of Hellos per second. When set, Dead
Interval is set to one second.
Areas
• Area:
a 32-bit unsigned integer or a dotted quad (like an IP
address).
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 60
User Manual / AER1600/AER1650 10/30/17
• Default Cost: Set the cost of default-summary LSAs announced to stubby areas.
• Options: Set options for this area. Stub indicates that this area is a stub and no area router will propagate
routes external to OSPF and AS-External LSAs (Type-5s) or ASBR-Summary LSAs (Type-4) will be
propagated into the area. Only Network-Summary (Type-3) and default-route summary advertisements will
be propagated. Not-So-Stubby indicates this area is Not-So-Stubby or NSSA. This is similar to a stubby area
be translated to Type-5 LSAs with the NSSA Translate option set. No Summary
type 3 summary LSA.
• NSSA Type 7-to-5 Translation: Method of translating Type-7 LSAs to Type-5 when propagating external
routes. Via Election indicates this router is an NSSA Border Router but other border routers exist in the
topology. It will perform Type-7 to Type-5 translation unless another border router has Always set or is set
to Via Election and has a higher router-id. Always indicates this is an NSSA Border Router and must always
perform Type-7 tp Type-5 LSA translations. Never indicates that this router must never perform Type-7 to
Type-5 LSA translations.
• Shortcut: Enable or disable shortcuts through non-backbone areas. Default will shortcut only if the
backbone link is down. Requires that ABR Type be set to Shortcut.
• Access-List Filter: Filter Type-3 summary LSAs to/from area using access lists. This is only applicable on
ABR.
• Prex-List Filter:
ABR.
Redistribute
• Default Originate: Enable broadcasting
default route. Always will cause the default
route (0.0.0.0/0) to be broadcast even if it
is not in the routing table. Metric
the metric of the default route. Metric Type
is the OSPF metric type (default Type-2).
Route Map
• Default Metric: Specify the default metric for routes redistributed to OSPF. This can be overridden under
the Redistribute
• Default Distance: Sets the default administrative distance for intra-area, inter-area and external routes.
Distances. The default is 110.
• Distances: Specify administrative distances for intra-area, inter-area, or external routes. This overrides
the value set in Default Distance.
RIP
RIP (Routing Information Protocol) is a widely deployed interior gateway protocol. RIP is a distance-vector
protocol based on the Bellman-Ford algorithms. As a distance-vector protocol, RIP sends updates from
one router to its neighbors periodically, allowing the convergence to a known topology. In each update, the
distance to any given network will be broadcast to its neighboring router. The router supports RIP version 2 as
described in RFC2453 and RIP version 1 as described in RFC1058.
RIP Editor
• Name: Unique name of the policy.
• Metric: RIP metric is a value for distance for the network. Usually RIP increments the metric when the
network information is received. The metric for redistributed routes is set to 1.
• Protocol Version
send RIPv2 while accepting both RIPv1 and RIPv2 (and replying with packets of the appropriate version for
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 61
User Manual / AER1600/AER1650 10/30/17
REQUESTS / triggered updates).
• Password: RIPv2 allows packets to be authenticated
via either an insecure plain text password, included
with the packet, or a more secure MD5 based HMAC
(keyed-Hashing for Message AuthentiCation). RIPv1
cannot be authenticated at all, so when authentication
via RIPv1 packets.
• Plain text password: Select to use a plain text
password instead of an MD5 HMAC. WARNING: A plain
text password is insecure.
• Enabled: Click to enable/disable the policy. (Default:
enabled.)
• Timers: Update
seconds. TimeoutGarbage
120 seconds.
• Oset list in:
• Oset list out:
Networks: Set the RIP-enabled interfaces by network. RIP is enabled on the interfaces that have addresses
within the network range.
Interfaces:
• Device: Select network interface device.
• Send version: Select the RIP version that will be sent
on this interface, overriding the global setting. Version
can be 1 or 2, or 0 to select both.
• Receive version: Select the RIP version that will
be accepted on this interface, overriding the global
setting. Version can be 1 or 2, or 0 to select both.
• Passive: Select passive mode for the interface. In
passive mode, RIP routing updates are accepted by, but
not sent out of, the interface.
• No split horizon: Disable the split horizon mechanism. Enabling prevents RIP from advertising routes over
the interface on which they were learned.
• Distribute Access-list In/Out:
routes.
• Distribute Prex-list In/Out:
routes.
Neighbors: When a neighbor doesn’t understand multicast, this command is used to specify neighbors. In some
cases, not all routers will be able to understand multicasting, where packets are sent to a network or a group
of addresses. In a situation where a neighbor cannot process multicast packets, it is necessary to establish a
direct link between routers. The neighbor command allows the network administrator to specify a router as a
RIP neighbor. The no neighbor a.b.c.d command will disable the RIP neighbor. Assign a neighbor by inputting an
IP address.
Redistribute Routes
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 62
User Manual / AER1600/AER1650 10/30/17
• Type: The type is the source of the route. Select from: Main, Connected, Static, OSPF, BGP.
• Metric: RIP metric is a value for distance for the network. Usually RIP increments the metric when the
network information is received. The metric for redistributed routes is set to 1.
• Route Map
applied to routes.
RIP
RIPng (RIP next generation) extends RIPv2 to support IPv6. See RIPng on Wikipedia and RFC 2080 for details.
RIPng Editor
• Name: Unique name of the policy.
• Metric: RIPng metric is a value for distance for the network. Usually the RIP
service increments the metric when the network information is received. The
metric for redistributed routes is set to 1.
• Enabled: Click to enable/disable the policy. (Default: enabled.)
Networks: Set the RIPng-enabled interfaces by network using IPv6 addresses.
RIPng is enabled on the interfaces that have addresses within the network
range.
Routes
Redistribute Routes
• Type: The type is the source of the route. Select from: Main, Connected, Static, OSPF, BGP.
• Metric: RIPng metric is a value for distance for the network. Usually the RIP service increments the metric
when the network information is received. The metric for redistributed routes is set to 1.
• Route Map
applied to routes.
QOS
allowing the user to prioritize applications.
Enable QoS
WAN Prole Speeds
Upload Speed and Download Speed: Setting the Upload Speed and
the sliding bar to restrict the maximum upload and/or download
speed for the Internet source(s) you are using. For example, you
might restrict the upload speed to prioritize available bandwidth for
download or to reduce overall bandwidth use in order to lower costs.
particular Internet connection for best results.
NOTE: Upload speed is the speed at which data can be transferred to
your ISP. Download speed is the speed at which data can be transferred
to you from your ISP. You can test your connection speeds with a
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 63
User Manual / AER1600/AER1650 10/30/17
service such as speedtest.net.
Queues
prioritize bandwidth for the most critical
operations. Multiple rules can be associated
with one queue. Use rules to associate your
more critical operations with queues that have
higher bandwidth settings. For example, you
might have two queues, one for “critical” and one for “secondary” with critical having most of the bandwidth
percentage. Use rules to associate your most important bandwidth needs (POS system, VoIP, etc.) with the
critical queue. Restrict the bandwidth available for less important functions with the secondary queue.
Assign percentages of both upload and download bandwidth to each queue. If you assign 80% download
Click Add
Queue Name: Choose a name that is meaningful to
you.
DSCP (DiffServ) Tag
Point (DSCP) is the successor to TOS (Type of
the value in the DSCP header of each IP packet that
clear the existing DSCP value in the packet header.
DSCP Tagging is sometimes used so that other
networking equipment, upstream or post-NAT, can do
to IP addresses or ports.
This setting is optional.
Upload Bandwidth
Enable Upload QoS
this selected to include upload restrictions with this queue.
Borrow Spare Bandwidth: (Default: Enabled.) When this is enabled, the interfaces/protocols associated with
Upload Bandwidth: This is the percentage of the connected WAN upload bandwidth that will be reserved for
share.
Upload Priority
• Lowest
• Lower
• Below Normal
• Normal
• Above Normal
• High
• Higher
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 64
User Manual / AER1600/AER1650 10/30/17
• Highest
Click Next to continue to the next page.
Download Bandwidth
Enable Download QoS
this selected to include download restrictions with this queue.
Borrow Spare Bandwidth: (Default: Enabled.) When this is enabled, the interfaces/protocols associated with
Download Bandwidth: This is the percentage of the connected WAN upload bandwidth that will be reserved for
their share.
Download Priority
Normal):
• Lowest
• Lower
• Below Normal
• Normal
• Above Normal
• High
• Higher
• Highest
Click Finish to save this queue.
Rules
above.
Click Add
Traffic Shaping / QoS Rule Editor
a protocol for the rule, and select a queue to associate the rule with.
Rule Enabled: (Default: Enabled.) Deselect this to disable this
both upload QoS and download QoS are disabled then the rule
will disable automatically.
Rule Name: Create a name for the rule that is meaningful to
you.
Protocol: The protocol used by the messages: TCP/UDP, TCP, UDP,
Queue Name: Select a queue to associate this rule with.
Click Next to continue to the next page.
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 65
User Manual / AER1600/AER1650 10/30/17
Source Port(s) and/or Destination Port(s): Enter a port number
between 1 and 65535. To enter a single port number, input
both boxes separated by the colon. For example “80:90” would
represent all ports between 80 and 90 including 80 and 90
themselves.
Source IP Address, Source Netmask, Destination IP Address,
and Destination Netmask: Specify an IP address or range of
IP addresses by combining an IP address with a netmask for
either “source” or “destination” (or both). Source vs. destination
instead).
EXAMPLE: If you want to associate this rule with your guest LAN,
you could input the IP address and netmask for the guest LAN here (leaving the last slot “0” to allow for any
user attached to the guest network):
• Source IP Address: 192.168.10.0
• Source Netmask: 255.255.255.0
Application Set
Application sets require an active license to exist on the device for them to function.
DSCP (DiffServ)
sensitive equipment such as VoIP phones. This setting is optional.
DSCP Negate
Click Finish to save this rule.
DNS SERVERS
DNS, or Domain Name System, is a naming system that translates between domain names (www.cradlepoint.
com, for example) and Internet IP addresses (206.207.82.197). A DNS server acts as an Internet phone book,
page for the device has these distinct functions:
• DNS Settings: By default your router is set to automatically acquire DNS servers through your Internet
provider (Automatic). DNS Settings allows you to specify DNS servers of your choosing instead (Static).
• Split DNS
• Dynamic DNS Conguration: Allows you to host a server (Web, FTP, etc.) using a domain name that you
have purchased (www.example.com) with your dynamically assigned IP address.
• Known Hosts Conguration: Allows you to map a name (printer, scanner, laptop, etc.) to an IP address of a
device on the network.
DNS Settings
assigned by your Internet provider. The default DNS servers are usually adequate. You may want to assign DNS
servers if the default DNS servers are performing poorly, if you want WiFi clients to access DNS servers that
you use for customized addressing, or if you have a local DNS server on your network.
Mode
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 66
User Manual / AER1600/AER1650 10/30/17
the Primary DNS and Secondary DNS
Primary DNS and Secondary DNS: If you choose to specify your DNS
servers, then enter the IP addresses of the servers you want as your
settings will be pre-populated with public DNS server IP addresses.
You can override the IP address with any other DNS server IP
address of your choice. For example, Google Public DNS servers have
the IP addresses 8.8.8.8 and 8.8.4.4 while 4.2.2.2 and 4.2.2.3 are
servers from Level 3 Communications.
Force All DNS Requests To Router: Enabling this will redirect all DNS requests from LAN clients to the router’s
DNS server. This will allow the router even more control over IP addresses even when clients have their own
DNS servers statically set.
Split DNS
Split DNS allows you create two zones for the same domain, one
to be used by the internal network, the other used by the external
network. Split DNS directs internal hosts to an internal domain name
server for name resolution and external hosts are directed to an
external domain name server for name resolution.
Primary Split DNS and Secondary Split DNS: If you choose to specify
your DNS servers, then enter the IP addresses of the servers you want as your primary and secondary DNS
Domain: Click Add to add desired domain for Split DNS.
Dynamic DNS Conguration
The Dynamic DNS feature allows you to host a server (Web,
FTP, etc.) using a domain name that you have purchased (www.
yourname.com) with your dynamically assigned IP address.
Most broadband Internet Service Providers assign dynamic
(changing) IP addresses. When you use a Dynamic DNS service
provider, you can enter your host name to connect to your
server, no matter what your IP address is.
• Enable Dynamic DNS: Enable this option only if you have
purchased your own domain name and registered with a
Dynamic DNS service provider.
• Server Type. Select a dynamic DNS service provider from
the dropdown list:
• DynDNS
• DNS-O-Matic
• ChangeIP
• NO-IP
• Custom Server (DynDNS clone)
• Custom Server Address. Only available if you select Custom Server from the Server Address dropdown list.
Enter your custom DynDNS clone server address here. For example: www.mydyndns.org.
• Use HTTPS: Use the more secure HTTPS protocol. This is recommended, but can be disabled if not
compatible with the server.
• Host name
• User name: Enter the user name or key provided by the dynamic DNS service provider. If the dynamic DNS
provider supplies only a key, enter that key for both the User name and Password
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 67
User Manual / AER1600/AER1650 10/30/17
• Password: Enter the password or key provided by the dynamic DNS service provider.
Advanced Dynamic DNS Settings
Update period (hours): (Default: 576) The time between periodic updates to the dynamic DNS, if your dynamic
IP address has not changed. The timeout period is entered in hours so valid values are from 1 to 8760.
Override External IP
http://myip.dnsomatic.com in a web browser.
Known Hosts Conguration
to map a name (printer, scanner, laptop, etc.) to an IP
address of a device on the network. This assigns a new
hostname that can be used to conveniently identify a
Click Add to name a device in your network.
• Hostname
• IP address: The address of the device within your network.
EXAMPLE: a personal laptop with IP address 192.168.0.164 could be assigned the name “MyLaptop.”
Since the assigned name is mapped to an IP address, the device’s IP address should not change. To ensure that
the device keeps the same IP address, go to NETWORKING > Local Networks > DHCP Server and reserve the IP
address for the device by selecting the device in the Active Leases list and clicking Reserve.
WIFI AS WAN
WiFi as WAN uses an outside WiFi network as its Internet
other WiFi networks that you can select and connect to.
Unless a selected WiFi source is on an unprotected network,
you will need to know its password or key.
• WiFi Radio #1 (2.4 GHz)
• WiFi Radio #2 (5 GHz)
All Cradlepoint routers and some other routers use the same
default IP address for the primary network: 192.168.0.1.
If you attempt to set up WiFi as WAN and there is an “IP
attempting to use the same IP address for both WAN and
LAN, which is impossible. Go to Network Settings > WiFi / Local Networks. Select the network and click Edit.
You can change the IP address under IPv4 Settings. For example, you might change 192.168.0.1 to 192.168.1.1.
Saved Proles
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 68
User Manual / AER1600/AER1650 10/30/17
is in range, then the router will connect with the highest priority network.
Network
BSSID
connect to a hidden network using WiFi as WAN. It is optional when connecting to a visible network. If it is
Auth Mode: The type of encryption that is used by the network.
• None
• WEP Auto
• WEP Open
• WEP Shared
• WPA1 Personal
• WPA2 Personal
• WPA1 & WPA2 Personal
You have two options for adding network
• Automatic – Select a WiFi network in Site
Survey and click Import
• Manual – Click on Add under Saved
Profiles and input the required
information.
Site Survey
This is a list of WiFi networks that the router
about the network such as its mode and
channel. Click “Refresh” if a WiFi network you
want to connect to is not listed. You can sort
If you import a network from Site Survey, most of the information about the network will already be
completed. You need to input the password (if there is one) and then click submit to save the WiFi as WAN
Wireless Scan Settings
Scan Interval: How often WiFi as WAN scans the environment
for updates. (Default: 60 seconds. Range: 5–3600 seconds.)
Scan While Connected: Continue to scan for WiFi as WAN
the wireless communication of the router will be temporarily
interrupted. Normally this should be disabled.
WAN AFFINITY
associated with particular WAN sources. This allows you to prioritize bandwidth.
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 69
User Manual / AER1600/AER1650 10/30/17
EXAMPLE: You could specify that your guest LAN
is only associated with your Ethernet connection
with no failover. Then if your Ethernet connection
goes down and the embedded modem connects for
failover for your primary LAN, your guest LAN will
not take bandwidth from your primary LAN, saving
you money.
Click Add
Name: Give a name for your rule that is meaningful to you.
DSCP (DiServ)
DSCP values, you can input one here.
DSCP Negate: When checked this rule will match on
Protocol: Select from the dropdown list to specify the
protocol for a particular data use. Otherwise, leave
“Any” selected.
• Any
• ICMP
• TCP
• UDP
• GRE
• ESP
• SCTP
Source IP Address, Source Netmask, Destination IP Address, and Destination Netmask: Specify an IP address
or range of IP addresses by combining an IP address with a netmask for either “source” or “destination” (or
EXAMPLE: If you want to associate this rule with your guest LAN, you could input the IP address and netmask
for the guest LAN here (leaving the last slot “0” to allow for any user attached to the guest network):
• Source IP Address: 192.168.10.0
• Source Netmask: 255.255.255.0
Failover
interrupted, the router will fail over to another available WAN device. Deselect this option to restrict this
When Condition Value
Port Is USB Port 1
Type Is not WiMax
• When:
• Port – Select by the physical port on the router that you are plugging the modem into (e.g., “USB Port
2”).
• Manufacturer – Select by the modem manufacturer (e.g., “Cradlepoint Inc.”).
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 70
User Manual / AER1600/AER1650 10/30/17
• Model
• Type – Select by type of Internet source (Ethernet, LTE, Modem, Wireless as WAN, WiMAX).
• Serial Number – Select a 3G or LTE modem by the serial number.
• MAC Address – Select from a dropdown list of attached devices.
• Unique ID – Select by ID. This is generated by the router and displayed when the device is connected
to the router.
• Condition: Select “is,” “is not,” “starts with,” “contains,” or “ends with” to create your condition’s
statement.
• Value: If the correct values are available, select from the dropdown list. You may need to manually input
the value.
Load Balance Algorithm
dropdown options:
• Round-Robin: Evenly distribute each session to the available WAN connections.
• Rate: Distribute load based on the current upload and download rates. A WAN device’s upload and
download bandwidth values can be set in CONNECTION MANAGER.
• Spillover
the most available bandwidth. The estimated bandwidth rate is based on a combination of the upload and
• Data Usage
keep data usage between interfaces at a similar percentage of the assigned data cap in the data usage rule
for each interface, rather than distributing sessions based solely on bandwidth. For proper functioning you
need to create data usage rules for each WAN device you will be load balancing. Make certain to select the
“Use with Load Balancing” checkbox in the data usage rule editor.
CLIENT DATA USAGE
Client Data Usage displays upload and download
Enable Client Data
Usage Monitoring Service to begin tracking this
information. This data is not retained between
router reboots.
For each client this shows: Name, IP address, MAC
The names that are shown are received during a DHCP exchange. If a client disconnects and reconnects with a
new IP address there will be an additional entry in this list.
Pressing Reset Statistics will restart all counters at 0.
NHRP
Next Hop Resolution Protocol is a protocol used to discover addresses of clients on Non-Broadcast Multiple
Access (NBMA) networks. It is used to create next-generation VPN technologies that allow shortcutting
between spokes. With NHRP, systems attached to an NBMA network dynamically learn the NBMA address of
the other systems that are part of that network, allowing these systems to directly communicate without
requiring an intermediate hop.
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 71
User Manual / AER1600/AER1650 10/30/17
• Name: Name of the GRE tunnel that NHRP will use
• Protocol Address/Prex: GRE tunnel endpoint
mapping that NHRP associates with the
NBMA server
• NBMA Address: NBMA server address the
• Flags:
• SD: Shortcut-Destination
• N: Non-Caching
• S: Shortcut
• R: Redirect
Click Add to create a new NHRP interface.
• Enabled: Enable or disable the interface.
• Name: Give the interface a unique name that matches the mGRE (multipoint GRE) tunnel. Select from
• Peer Authentication: Embeds the secret plaintext password to outgoing NHRP packets. Incoming NHRP
packets on this interface are discarded unless this password is present. Max length: eight characters.
• Holding Time
registration requests and resolution replies.
• Shortcut-Destination: Reply with authoritative answers
on NHRP resolution requests destined to addresses in this
interface (instead of forwarding the packets).
• Non-Caching: Disables caching of peer information from
forwarded NHRP resolution reply packets.
• Shortcut: Enable creation of shortcut routes.
• Redirect: Enable sending of proprietary enterprise-style
• Multicast: Determines how multicast packets should be
forwarded through NHRP interfaces.
• NHS: Multicast packets will be forwarded to each
• Dynamic: Multicast packets will be forwarded to each
connected peer. This is typically used for an NHRP hub.
You also have the option to create static mappings for this interface. Click Add in the table to open the static
mapping editor.
• Protocol Address: Mapped endpoint to from protocol address to NBMA address
• Protocol Prex
• NBMA Address
• RegisterRegistration Request should be sent to this peer on
R in the static mapping table if selected)
• Proprietary OS
C in the static mapping table if selected).
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 72
User Manual / AER1600/AER1650 10/30/17
SECURITY
IDENTITIES
match on any single item in the group will cause the rule to match. Identities
are referenced in rules by their name. Choosing descriptive names like “NW Sales
Team” or “Engineering” will aid in understanding existing rules and in choosing
identities for new rules.
HOST ADDRESSES
addresses. A single identity can contain a combination of IPv4 and IPv6
addresses. IPv4/6 addresses cannot be combined with FQDN addresses in the
same identity.
IP addresses are entered using CIDR notation, e.g. 1.2.3.4/32 and
0123:4567::CDEF/128. FQDN addresses are entered with at least one dot
separating a top-level domain from a root zone, e.g. cradlepoint.com.
To add a Host Address Identity, click Add.
PORTS
A port identity member can be entered as a single Start port number or as a port range by entering both a
Start and End port number.
To add a Port Identity, click Add.
MAC ADDRESSES
To add a MAC Address Identity, click Add.
REPUTATION
www.spamhaus.org/drop/
applied to them. Files should be in the format where each line starts with an IP address or IP network and
To add a Reputation Identity, click Add,
APPLICATION SETS
Firewall policies.
To add an Application Set Identity, click Add.
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 73
User Manual / AER1600/AER1650 10/30/17
ZONE FIREWALL
ZONE DEFINITION
A Zone is a group of network interfaces. By default all interfaces within
a zone are allowed to initialize network communication with each other,
within the zone will be denied.
To add a zone, click Add.
FILTER POLICIES
Removed.
• Default Allow All
traverse the zones back to the source. LAN to WAN
forwardings use this policy by default. The policy
• Default Deny All
to another zone. WAN to LAN forwardings use this
policy by default. The policy can be removed or
Click Add
editor.
• Name: Create a name meaningful to you.
• Action: Choose either Allow or Deny
• Log: When checked, every rule in the policy will log matching packets as if the rule’s Log option had been
selected.
Click Add
Editor.
• Name: Create a rule name meaningful to you.
• Action: Choose either Allow or Deny. This is
• Log: When checked, each packet matching
Log.
• IP Version: Select the IP version to match.
• Enter match criteria under Source,
Destination, Protocols and Application Sets.
• SourceHost, Port and MAC
• Host: Enter an IP address or select a host identity.
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 74
User Manual / AER1600/AER1650 10/30/17
• Port: Enter a port, port range, or select a port identity.
• MAC: Enter a MAC address or select a MAC address identity.
• Destination
Source
• Protocols
• Application Sets
ZONE FORWARDING
be Added, Edited, Removed, or Toggled. Toggling a
Forwarding will either enable or disable the Forwarding.
Source and Destination zones are chosen from the list
• The All
forwardings.
• The Router
OPTIONS
Firewall Options
• Anti-Spoof: Anti-Spoof checks help protect against malicious users faking the source address in packets
they transmit in order to either hide themselves or to impersonate someone else. Once the user has
spoofed their address they can launch a network attack without revealing the true source of the attack or
attempt to gain access to network services that are restricted to certain addresses.
• Log Web Access: Enable this option to create a syslog record of web (IP port 80) access. Each entry will
contain the the IP address of the server and the client. Note that this may create a lot of log entries,
especially on a busy network. Sending the system log to a syslog server is recommended.
Application Gateways
to function, or for an application to improve functionality or add features.
NOTE: Exercise caution in enabling application gateways as they impact the security of your network.
• PPTP: For virtual private network access using Point to Point Tunneling Protocol.
• SIP: For Voice over IP using Session Initiation Protocol.
• TFTP:
• FTP: To allow normal mode when using File Transfer Protocol. Not needed for passive mode.
• IRC: For Direct Client to Client (DCC) transfer when using Internet Relay Chat. You may wish to forward TCP
port 113 for incoming identd (RFC 1413) requests.
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 75
User Manual / AER1600/AER1650 10/30/17
DMZ (Demilitarized Zone)
remotely access network services at the DMZ IP address. Typical uses involve running a public web server,
NOTE: As with port forwarding, caution should be used when enabling the DMZ feature as it can threaten the
security of your network.
NETWORK PREFIX TRANSLATION
IPv6 prex
translationRFC 6296) trying to achieve address independence similar to NAT
in IPv4. Unlike NAT, however, NPT is stateless and preserves the IPv6 principle that each device has a routable
public address. But it still breaks any protocol embedding IPv6 addresses (e.g. IPsec) and is generally not
recommended for use by the IETF. NPT can help to keep internal network ranges consistent across various IPv6
The primary purpose for Cradlepoint’s NPT implementation is for failover/failback and load balancing setups.
LAN clients can potentially retain the original IPv6 lease information and may experience a more seamless
transition when WAN connectivity changes than if not utilizing NPT.
Mode:
• None – No translation is performed
• Load Balance Only – (Default) Only translate networks when actively load balancing
• First
• Static
the LANs may lose IPv6 connectivity.
REMOTE ACCESS RESTRICTION
Add any IPv4 addresses that need access to remote administration to this list. Clicking Add will allow the
Edit will allow you to change settings for
the selected address. Remove will remove a selected entry.
PORT FORWARD & PROXY
Internet to reach a computer on the inside of your
network. For example, a port forwarding rule
might be used to run a Web server.
NOTE: Exercise caution when adding new rules as
they impact the security of your network.
Click Add to create a new port forwarding rule, or
select an existing rule and click Edit.
Add/Edit Port Forwarding Rule
• Name: Name your rule.
• Enabled: Toggle whether your rule is enabled.
Selected by default.
• Use Port Range: Changes the selection options to allow you to input a range of ports (if desired).
• Internet Port(s)
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 76
User Manual / AER1600/AER1650 10/30/17
same as the local port numbers, but they do not have
to be. These numbers will be mapped to the local port
numbers.
• Local Computer: Select the IP address of an attached
device from the dropdown menu, or manually input the IP
address of a device.
• Local Port(s): The port number(s) that corresponds to
the service (Web server, FTP, etc.) on a local computer
or device. For example, you might input “80” in the
could then also be 80, or you could choose another port
number that will be used across the Internet to access your Web server. If you choose a number other than
80 for the Internet Port, connections to that number will be mapped to 80 – and therefore the Web server
– within your network.
• Protocol: Select from the following options in the dropdown menu:
• TCP
• UDP
• TCP & UDP
Click Save to save your completed port forwarding rule.
Port Proxying Rules
Internet.
Click Add to create a new port proxying rule, or select an existing rule and click Edit.
Add/Edit Port Proxying Rule
• Name: Name your rule.
• Enabled: Toggle whether your rule is enabled. Selected
by default.
• Use Port Range: Check this box to create a rule which
proxies a contiguous range of ports instead of a single
port. The remote port(s) will require the same number
of contiguous ports.
• Local Port(s): Specify the IP port(s) on the LAN to proxy
to a remote computer.
• Remote Computer: Specify the remote computer to
• Remote Port(s)
• Protocol
• TCP
• UDP
• TCP & UDP
Click Save to save your completed port proxying rule.
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 77
User Manual / AER1600/AER1650 10/30/17
NAT
Zone NAT is similar to Port Forwarding and provides that functionality by mapping ports available on interfaces
associated with the Zone to ports available on local clients. Zone NAT also has the ability to map many types
Click Add to create a Zone NAT.
• Source Zone Name: The Zone created in Zone Firewall.
Select the Zone to NAT.
• Original Destination IP:
this router will have the destination IP translated to an
internal network.
• Inbound Port(s): Specify the IP port(s) on the inbound
• Local Computer: Specify the local computer to receive
• Local Port(s):
• Protocol:
Dynamic 1:1 NAT
Dynamic NAT allows translating the destination ip of incoming
be forwarded. Netmasks should generally match. If the local
network range is larger than the incoming destination range
One NAT can be accomplished by specifying a host address or a
/32 cidr address.
Click Add to create a Dynamic 1:1 NAT.
CLOUD-BASED SECURITY
CP SECURE WEB FILTER
speed, conserve data, protect users, and maintain compliance.
Global Policy Settings
• Default Action: This setting allows a network administrator to
• Block Traffic:
can be thought of as a whitelist where only allowed or
whitelisted Internet sites are allowed.
• Allow Traffic:
blacklist where all Internet sites are allowed except for
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 78
User Manual / AER1600/AER1650 10/30/17
• Uncategorized Traffic:
Block, any Unknown Internet site or any Internet
Allow, all Unknown and
• Threat Tolerance:
Policies. Threat Tolerance is based on an Internet site’s reputation with the following scale:
• 0 = Highest Threat Score
• 100 = Lowest Threat Score
The default setting for Threat Tolerance is 80. In this scenario, only Internet sites that have a reputation
higher that 80 will be allowed and any site with a lower reputation will be blocked.
Web Filter Policies
Click Add to create a Web Filter Policy.
• Name: Create a unique name for the policy.
• Network: Each policy must be assigned to a single Local IP
Network.
• Allow/Block: Categories can be either Allowed or Blocked
by checking their corresponding box and clicking the
Allow or Block button. Multiple Categories can be allowed
or blocked by checking more than one box. Additionally,
double-clicking a row will toggle the Action from Allow to
Block or Block to Allow.
• Apply Profile:
can be edited, but once changed, they become a “Custom
• CIPA Compliant: Intended for use in K-12 schools and
is compliant with the Children’s Internet Protection
Act.
• Offensive:
Internet sites.
• Personal Use:
• Security Risks:
• Heavy Bandwidth:
ZSCALER
Zscaler
several plan options. Depending on your Zscaler implementation, this
could include:
• Global Cloud Platform
• Real-Time Reporting
• Behavioral Analysis
• URL Filtering
• Advanced Threat Protection
• Inline Anti-Virus & Anti-Spyware
• Web 2.0 Control
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 79
User Manual / AER1600/AER1650 10/30/17
• Data Loss Prevention
• Bandwidth Management
• Web Access Control
• And more…
NOTE: Zscaler requires a feature license. Go to SYSTEM > Feature
Licenses to enable this feature.
Enter your Zscaler account information to enable these settings. Input
local network information (Network Address and Netmask) to assign
your Zscaler implementation to one or more local network(s).
UMBRELLA BY OPENDNS
http://
www.opendns.com/business-security for information about Umbrella.
Enter your Umbrella account information in order to use these content
OpenDNS ISP Filter Bypass Algorithm: It is possible that your Internet
not appear to be working correctly, enabling this will attempt to bypass
THREAT MANAGEMENT
NOTE: Threat Management is only available for the AER family of Cradlepoint products, and requires a feature
license. Enable this feature through NetCloud Manager.
Cradlepoint Secure Threat Management leverages Trend Micro’s security experience and expertise in this
one-pass Deep Packet Inspection (DPI) solution. Threat Management includes settings for both IPS (intrusion
prevention system) and IDS (intrusion detection system
Threat Management to identify and prevent a wide variety of network threats.
This Threat Management
signature database of known threats and statistical anomalies to detect previously unknown threats. Trend
Micro regularly adds new signatures to its database: update your signature database version to ensure you’re
defending yourself against the newest threats. You have the option to update manually or schedule regular
updates.
Follow these steps to get started with Threat Management:
1. To purchase a license or to begin a free trial, log into NetCloud Manager (NCM) and go to the Applications
tab (this is only available to the primary account administrator). Once entitled, the router must be rebooted
for Threat Management to begin working.
2. Set up emailed or logged alerts in the Alerts tab in NCM.
3.
Devices or Groups page (click on Commands in the top toolbar and select Update IPS Signatures from the
dropdown options).
NOTE: Updating the signature database version causes a network disruption for a few seconds. You can schedule
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 80
User Manual / AER1600/AER1650 10/30/17
Status
The Status section shows if Threat Management is enabled.
It shows the current signature database version number, the
timestamp for the most recent update, and the status of the
most recent attempt to update signatures.
Click on the Update button to check for a new signature
database version.
Global Settings
Customize your Threat Management implementation (choose
between IPS and IDS, set up a signature update schedule,
etc.).
Operation Mode: Choose IPS, IDS, or neither.
• Disabled
• Detect and Prevent (default) – IPS mode
• Detect Only – IDS mode
In both Detect and Prevent and Detect Only modes, detected packets are logged to the System Log as well as
sent to your NCM account.
Engine Failure/Error Action: In the unlikely event of an error with the Threat Management engine, you have the
following options:
• Allow Traffic (default)
• Deny Traffic
With Allow Traffic selected, the device will act like a typical router without Threat Management enabled and
Deny Traffic to stop all
Threat Management isn’t working properly.
Application ID Logging
huge amounts of data to the system logs. Cradlepoint recommends enabling a syslog server to manage this
information.
To view the logs, go to STATUS > System Logs
SYSTEM > Administration > System Logging.
Signature Update Schedule
schedule for modems than for other WANs. This is
intended to protect against overages when data usage
limits for 3G/4G modems are restricted. For both Non-
Modem WANs and Modem WANs
Frequency for updates:
• Never
• Daily
• Weekly
• Monthly
cause a minor network disruption, so schedule updates for
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 81
User Manual / AER1600/AER1650 10/30/17
Signature Settings
View a list of all signature categories, all signatures, or
signatures within a category.
By default, the Operation Mode is set under Global
Settings. To edit this for a category or a particular
signature, select a line in the table and click Edit. Choose
from the following:
• Disabled
• Detect and Prevent – IPS mode
• Detect Only – IDS mode
WEB ACCESS FILTERING
UPSTREAM PROXY SETTINGS
Enabled: Select whether the use of an Upstream Proxy server is enabled.
Proxy Address: The Proxy Address is the address the desired HTTP proxy
is hosted at. Addresses can be input as host names or as ip addresses. If
HTTP Port: The port the HTTP Proxy is
listening on.
HTTPS Port (Optional): The port for the
is not transparently intercepted and must
HTTPS to work properly.
MAC WEB FILTER RULES
MAC Address WebFilter Rules
websites. To add a rule, click Add.
• MAC Address: Enter MAC Address.
• Filter Action: Select Block or Allow.
• Domain/URL/IP: Enter the Domain Name or URL
(address) of the website you wish to control access
for, e.g. www.google.com. To make sure the full
domain is blocked, enter the most inclusive domain
com as well as maps.google.com and images.google.
com). Alternatively you can use an IP address, e.g.
8.8.8.8, or address range written in CIDR notation,
e.g. 8.8.8.0/24.
• Rule Priority: Higher number rules overrule lower
number rules.
• Enabled: A rule can be enabled or disabled by
selecting or deselecting the checkbox.
Use MAC Address WebFilter Defaults together with MAC Address WebFilter Rules to control website access for
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 82
User Manual / AER1600/AER1650 10/30/17
Add/Edit to change this
setting for a MAC address.
Input the MAC Address and Default Action you would like to apply to that MAC address.
Default Action: Select from the following dropdown options:
• Allow Access (default)
• Block Access
When a network is set to Allow Access, it will allow access to sites
is set to Block Access
allowed in the WebFilter Rules.
NETWORK WEB FILTER RULES
CIDR notation, e.g. 4.2.2.2/24.
Exceptions to existing rules can be created by adding
another rule with higher priority. For example if access
to maps.example.com is desired, but example.com is
blocked with a priority of 50. The addition of an allow
rule for maps.example.com with a priority of 49 or less
will allow access.
When creating rules keep in mind that some sites use
multiple domains so each domain may need a rule added
to produce the desired behavior.
To add a Network Web Filter Rule, click Add.
Default Network Filter Settings
When a network is set to Allow (Blacklist) it will allow access to those sites not blocked in the Filter Rules.
Selecting Block (Whitelist) will only allow access to websites with an Allow action in the Filter rules, all other
sites will be blocked.
Selecting to Filter URLs by IP Address will cause the
router to perform a DNS lookup on URL entries and the
IP addresses will be appended to the appropriate block/
and sites that are hosted across many domains may
need every domain added the list for full functionality.
The settings can be changed by selecting a network and
clicking the Edit button.
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 83
User Manual / AER1600/AER1650 10/30/17
CERTIFICATE MANAGEMENT
LOCAL CERTIFICATES
Name
Location
Organization Information
belongs
Common Name: Name used to match authentication credentials
Add.
Remove
button.
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 84
User Manual / AER1600/AER1650 10/30/17
CERTIFICATE SIGNING REQUEST
remote CA. Using an established, third-
party CA increases the likelihood that your
security issues
for more information).
Generate a certicate signing requestCertificate Name
When you export the CSR, select a Digest, or cryptographic hash function. These are listed in order of increasing
security. More security requires more router resources.
• MD5
• SHA-128
• SHA-256
PEM
PEM is a container format for encoding data – in this case,
email (PEM stands for Privacy-enhanced Electronic Mail), but
it has never been widely used for that purpose. The format is
The PEM format uses Base64 and DER (Distinguished Encoding
Rules) encoding.
computer or local device and upload it to the router. Give the
download it to your computer or local device in PEM format.
PKCS12
PKCS #12 is one of the public-key cryptography standards.
secure than the PEM container format because it is protected
by an encryption key.
your computer or local device and upload it to the router. Give
and download it to your computer or local device in PKCS
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 85
User Manual / AER1600/AER1650 10/30/17
SYSTEM
ADMINISTRATION
ROUTER SECURITY
When the router is
advanced security mode,
several aspects of the
networking functionality
will be extended to support high security environments. This includes support
for multiple user accounts, increased password security and additional network
this option is mandatory.
REMOTE ADMIN
Remote Management allows a user to enable incoming WAN pings or change
settings for the router from the Internet using the router’s Internet address.
Allow WAN pings – When enabled the functionality allows an external WAN client
to ping the router.
Allow Remote Web Administration – When remote administration is enabled
it allows access to these administration web pages from the Internet. With it
disabled, you must be a client on the local network to access the administration
website. For security, remote access is usually done via a non-standard http port.
Additionally, encrypted connections can be required for an added level of security.
• Require HTTPS Connection – Requiring a secure (https) connection is
recommended
• HTTP Port: Default –
8080. This option is disabled if you select “Require
Secure Connection”
• Secure HTTPS Port – Default: 8443.
NOTE
addresses in SECURITY > Zone Firewall > Remote Access
Restriction.
Allow Remote SSH Access – This will enable SSH access
to the router from the Internet. It is only available when SSH access is enabled in the Local Management tab.
Some carriers block the remote SSH access ports. If a ping to the router’s WAN port does not work, it is unlikely
that remote SSH access will work.
FEATURE LICENSES
Some Cradlepoint features may require a license. These
features are disabled by default. To obtain a feature license,
contact your Cradlepoint sales representative.
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 86
User Manual / AER1600/AER1650 10/30/17
SYSTEM CLOCK
Enabling NTP will tell the router to get its system time from a remote server on the Internet. If you do not
enable NTP, the router time will be based on when the router OS was built, which is guaranteed to be wrong.
Whenever the Internet connection is re-established and once a week thereafter the router will ask the server
for the current time so it can correct itself.
the NTP server port. Select the NTP server from the dropdown
example, you need to synchronize your router’s time with other
devices in a network.
• Time Zone – Select from a dropdown list. Setting your Time
Zone is required to properly show time in your router log.
• Daylight Savings Time – Select this checkbox if your location
observes daylight saving time.
LOCAL MANAGEMENT
• Enable Internet Bounce Pages – Bounce pages show up in
your web browser when the router is not connected to the
Internet. They inform you that you are not connected and try
get the usual browser timeout. In the normal case when the
router is connected to the Internet you don’t see them at all.
• Reboot Count – Track number of router reboots.
• Enable Login Banner – Add the CLI banner to the router’s
login page.
• Local Domain
entries of local hosts. This is tied to the hostnames of DHCP
clients as DHCP_HOSTNAME.LOCAL_DOMAIN.
• System Identier – This is a customizable identity that will
be used in router reporting and alerting. The default value is
the product name and the last three characters of the MAC
address of the router.
• Asset Identier – This is a customizable string that will be
used in router reporting and alerting.
• Require HTTPS Connection – Check this box if you want to encrypt all router administration communication.
• Secure HTTPS Port – Enter the port number you want to use. The default is 443.
• Enable SSH Server – When the router’s SSH server is enabled you may access the router’s command line
interface (CLI) using the standards-based SSH protocol. Use the username “admin” and the standard system
password to log in.
• SSH Server Port – Default: 22.
• Automatically Set System Identier
client that gets a DHCP lease. This feature cannot be used with email alerts but alerts can be sent to NCM.
GPS
If you have an attached device with GPS support, you can enable a graphical view of your router’s location,
which appears in STATUS > GPS. SIM-based models with GPS support require that the SIM be inserted. Some
contact your carrier and ensure that GPS is supported.
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 87
User Manual / AER1600/AER1650 10/30/17
Enable GPS – Enable support for querying GPS information from capable modems.
Send to Client(s)
• Enable this Server - Enables a local server to which clients can
connect and recieve GPS sentences.
• Server Name - Your server’s name should include only Aa-Zz,
• Enable GPS server on LAN - Enables a server on the LAN side of
connected clients.
• Enable GPS server on WAN - Enables a server on the WAN side
connected clients.
• Port - Choose a port between 1 and 65535.
Send to Server(s)
• Enable this client - Enables periodic reporting of GPS sentences
errors are encountered or if the Internet connection goes
restored.
• Client name - Your client’s name should include only Aa-Zz,
• Server - Remote server hostname or IP.
• Port - Remote server port.
• Specify Time Interval - Restricts the GPS sentence reporting to
• Start Time - Reporting start time.
• End Time - Reporting end time.
SMS
SMS (Short Message Service, or text messaging) requires a cellular modem with an active data plan. SMS is not
designed to be a full remote management feature: SMS allows you to connect to the router for a few simple
queries or commands with a text messaging service (e.g., from your phone). A modem that does not have
SMS is enabled on the router by default. However, it only works if SMS is supported and enabled on the modem.
Most modems have SMS enabled by default, but the carrier may charge a fee for each text message sent or
received. Contact your carrier to review these fees and/or to enable an SMS plan.
Important notes about SMS:
• Messages are limited to 160 characters.
• SMS is not a guaranteed delivery protocol.
The carriers do not guarantee that the SMS
message will be delivered to the modem or that
the modem’s response will be delivered to the
sender. This means an administrator might have
to send messages multiple times before the
desired action is performed.
• SMS is a slow protocol. It can take seconds or up
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 88
User Manual / AER1600/AER1650 10/30/17
to a few minutes for messages to be delivered.
• SMS messages are not encrypted; they are sent in full readable text over the network.
Enable SMS support – SMS support is enabled by default on the router. Deselect this to disable.
Password – By default, the password is the last eight characters of the router’s MAC address (i.e., the Default
Password on the product label). You can change this password to anything between 1 and 16 characters. It
should be long enough to be useful for security but short enough to easily type into your phone (or other
texting client).
White List – This list is blank by default, which means that the router will accept SMS messages from any phone
number. Leaving this blank is unsecure, so Cradlepoint recommends that you add phone numbers to this list.
Once any numbers are listed, only those numbers have the ability to connect to the router via SMS.
SYSTEM LOGGING
Logging Level: Setting the log level controls which messages are
Debug will record the most
information while a log level of Critical will only record the most
urgent messages. Each level includes all messages from all of the
levels below it on the list (e.g. “Warning” includes all “Error” and
“Critical” messages as well).
• Debug
• Info
• Warning
• Error
• Critical
Enable Logging to a Syslog Server: Enabling this option will send
the Hostname or IP address of the Syslog server (or select from the dropdown menu).
• Syslog Server Address: Select the Hostname or IP address from the dropdown menu, or type this in
manually.
• Include System ID: This option will include the router’s “System ID” at the beginning of every log message.
This is often useful when a single remote Syslog server is handling logs for several routers.
• Include UTF8 Byte Order Mark: The log message is sent using UTF-8 encoding. By default the router will
attach the Unicode Byte Order Mark (BOM) to the Syslog message in compliance with the Syslog protocol,
RFC5424. Some Syslog servers may not fully support RFC5424 and will treat the BOM as ASCII text, which
will appear as garbled characters in the log. If this occurs, disable this option.
Log to attached USB stick: Only enable this option if instructed by a Cradlepoint support agent. This will write a
USB stick, or you may lose some logging data.
Verbose modem logging: Only enable this option if instructed by a Cradlepoint support agent.
Create support log
instructed by a Cradlepoint support agent.
ROUTER SERVICES
By default, router services (NetCloud Manager, NTP, etc.) connect to
the router via the WAN. In some setups it makes sense to use the
LAN instead. For example, if your router is used strictly for 3G/4G
failover behind another router, you may not want to use 3G/4G data
unnecessarily. Select Use LAN Gateway to set your router services to
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 89
User Manual / AER1600/AER1650 10/30/17
connect via the LAN.
LAN Gateway Address: Input the IP address of the LAN side connection. If this is a 3G/4G failover router
operating behind another router, the LAN Gateway Address is the IP address of that other router.
DNS Server and Secondary DNS Server: The primary and secondary DNS server numbers match the static DNS
values (set at NETWORKING > DNS Servers). You can leave the default values or set them manually here.
(Changing these values also changes the static DNS values.)
LLDP
The Link Layer Discovery Protocol (LLDP) is a standard method for network devices
to share information about themselves among their neighbors. The router stores the
information it receives from its neighbors, which can be viewed on the STATUS >
LLDP page.
Enable LLDP for Ethernet on the WAN and/or LAN.
NETCLOUD
Cradlepoint NetCloud Manager
organizing your Cradlepoint routers. Key features include the following:
•
• Health monitoring of router connectivity and data usage
• Remote management and control of routers
• Historical record keeping of device logs and status
Registering Your Router – Once you have signed up for NCM, click on the Register Router button to begin
managing the router through NCM. Input your NCM Username and Password and click Register. You have now
registered the device with NetCloud Manager.
Suspending the NCM Client – Click on the Suspend Client button to stop communication between the device and
NCM. Suspending the client will make it stop any current activity and go dormant. It will not attempt to contact
the server while suspended. This is a temporary setting that will not survive a router reboot; to disable the
client altogether use the Advanced NetCloud Settings panel (below).
NetCloud Settings (Advanced)
• Enabled: Enable the NCM client to contact
the server. While this box is unchecked, the
NCM client will never attempt to contact the
server. (Default: Enabled)
• Server Host:Port: The DNS hostname and port
number for your NCM server. (Default: stream.
cradlepoint.com)
• Session Retry Timer: How long to wait,
in seconds, before starting a new NCM session following a connection drop or connectivity failure. Note
connectivity loss.
• Unmanaged Checkin Timer: How often, in seconds, the router checks with NCM to see if the router is
network usage over time.
• Maximum Alerts Buffer
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 90
User Manual / AER1600/AER1650 10/30/17
DEVICE ALERTS
The Device Alerts submenu choice allows you
events. YOU MUST ENABLE AN SMTP EMAIL SERVER
TO RECEIVE ALERTS.
Alerts can be included for the following:
• NCOS Upgrade Available: An NCOS update is
available for this device.
• System Reboot Occurred: This router has
rebooted. This depends on NTP being enabled
and available to report the correct time.
• Unrecognized MAC Address: Used with the
MAC monitoring lists. An alert is sent when a
new unrecognized MAC address is connected
to the router.
• WAN Device Status Change: An attached
WAN device has changed status. The possible
statuses are plugged, unplugged, connected,
and disconnected.
• Conguration Change: A change to the router
• Login Success: A successful login attempt has been detected.
• Login Failure: A failed login attempt has been detected.
• Account Locked: Account has been locked due to excessive failed login attempts.
• IP Address Banned: An IP address has been banned.
• VPN Tunnel Goes Down: Sends an alert when a VPN tunnel goes down.
• Feature License Expiration: Sends an alert when a feature license is about to expire.
• Router SDK Application: A router SDK Application may send an alert.
• Full System Log
• Recurring System Log: The system log is sent periodically. This alert contains all of the system events since
the last recurring alert. It can be scheduled for daily, weekly and monthly reports (Frequency). You also
choose the Time you want the alert sent.
SMTP Mail Server
Since your router does not have its own email server, to receive alerts you must enable an SMTP server. This is
possible through most email services (Gmail, Yahoo, etc.)
following is an example using Gmail:
• Server Address: smtp.gmail.com
• Server Port: 587 (for TLS, or Transport Layer Security port; the router does not support SSL).
• Authentication Required: For Gmail, mark this checkbox.
• User Name: Your full email address
• Password: Your Gmail password
• From Address: Your email address
• To Address: Your email address
should receive a test email at your account.
Delivery Options (Advanced)
Email Subject Prefix
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 91
User Manual / AER1600/AER1650 10/30/17
Retry Attempts: The number of attempts made to send an alert to the mail server. After the attempts are
exhausted, the alert is discarded.
Retry Delay: The delay between retry attempts.
SERIAL REDIRECTOR
A single USB Serial device can be used to establish a serial link to a host port on the router. The USB Serial
device can also be accessed by running “serial” from an SSH session.
Telnet to Serial Conguration
• Enabled: Enabling Telnet to Serial will start a Telnet server that
passes its connection to the serial adapter. Enabling this service
is not necessary when accessing serial through SSH.
• LAN: Enable serial redirector for LAN connections.
• Authenticated LAN: Enable serial redirector for Authenticated
LAN connections. You must be logged into the router to use the
redirector.
• WAN: Enable serial redirector for WAN connections.
• Server Port: Enter a port number for the redirector to use. (Default: 7218)
SNMP CONFIGURATION
SNMP, or Simple Network Management Protocol,
is an Internet standard protocol for remote
management. You might use this instead of
NetCloud Manager if you want to remotely
manage a set of routers that include both
Cradlepoint and non-Cradlepoint products.
SNMP Conguration
• Enable SNMP: Selecting “Enable SNMP”
options.
Network Settings
• Enable SNMP on LAN: Enabling SNMP on LAN
will make SNMP services available on the
LAN networks provided by this router. SNMP
will not be available on guest or virtual
networks that do not have administrative
access.
• LAN port #
access SNMP services on. (Default: 161)
• Enable SNMP on WAN: Enabling SNMP on WAN will make SNMP services available to the WAN interfaces of
the router.
• WAN port #
services available on. (Default: 161)
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 92
User Manual / AER1600/AER1650 10/30/17
• SNMP Version
• SNMPv1
transmit with settings compatible with SNMP version 1 protocols.
• SNMPv2c: SNMP version 2c has the same features as v1 with some additional commands. SNMPv2c will
• SNMPv3: SNMP version 3 includes all prior features with security available. SNMPv3 is the most secure
SNMP v1 & v2c Settings
• Get community string: The “Get community string” is used to read SNMP information from the router. This
string is like a password that is transmitted in regular text with no protection.
• Set community string: The “Set community string” is used when writing SNMP settings to the router. This
SNMPv3
• Authentication type: Select the authentication and encryption type that will be used when connecting to
SNMP clients.
• MD5 with no encryption
• SHA with no encryption
• MD5 with DES encryption
• SHA with DES encryption
• MD5 with AES encryption
• SHA with AES encryption
• Username
• Password
password must be at least eight characters long.
• Enable SNMP traps
• Trap community string
community name.
• Address for trap server: Enter the address of the host system that you want trap alerts sent to.
• Trap server port #: Enter the port number that the remote host will be listening for trap alerts on. (Default:
162)
General Settings
Read Only.
• System Contact: Input the email address of the system administrator.
• System Name: Input the router’s hostname.
• System Location: Input the physical location of the router. This is simply a string for your own information.
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 93
User Manual / AER1600/AER1650 10/30/17
SYSTEM CONTROL
NETCLOUD OS
This allows the administrator to load new NetCloud OS onto the router to add
release notes for information to decide if you should upgrade.
Current NCOS Version: Shows the
number of the current NCOS and the
date it was updated.
Available NCOS Version: If there is a
new NCOS version available, this will
list the version number. Click “Check
Again” to have the router check the
newest NCOS.
Automatic NCOS Check:
upgrade with no user interaction.
Manual NCOS Upload: Upload the router OS from an attached computer. (Go to
cradlepoint.com/rmware to download the router OS.)
System Cong Save/Restore
Download Settings: Click on “Dowload Settings” to save your current settings to
Restore Settings: Click on “Restore Settings” to restore your previous settings
NCOS Management
without rebooting between steps.
MODEM FIRMWARE
to carrier updates or defect resolution. If you are happy with the operation of the modem, you may not want to
to decide if you should upgrade or not.
within the device’s memory.
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 94
User Manual / AER1600/AER1650 10/30/17
For modems supporting manual carrier switching (such as LPE), select File
Check/Upgrade or File (manual) process.
• Automatically check for new firmware: Click the checkbox to indicate whether the system is to
This global setting applies to all modems connected to the router.
• Select Modem: Select the appropriate modem which you would like to update. Note that dual SIM devices
are listed as a single modem.
In the Installed Firmware grid, you will see the following columns:
• Active (Multi-firmware modems only):
Indicates which carrier package is
currently active on the modem. Note:
You cannot select the active image. On
multi-firmware modems, the carrier
firmware is selected automatically.
• Carrier: Displays the carrier supported by
otherwise available, “Generic” will be
displayed.
• Current Package Version: Displays the
• Available Firmware Version:
• Upgrade:
upgrade. If a connection error occurs, it is possible that HTTPS is blocked for the upgrade check. Enable Allow
HTTP NCOS Check in SYSTEM > System Control > NetCloud OS to address this issue.
• Check: Click this button to refresh or update the Available Firmware Version status column.
• File:
Note: For modems which
support manual carrier switching, find the appropriate modem firmware package file via NCM or the Cradlepoint
portal.
DEVICE OPTIONS
Reboot Options
• Reboot the Device: Manually restart the router.
• Factory Reset Router: Reset the router to its original
settings. Once reset your SSID and admin password will
match the sticker on the bottom of the router.
• Device Console: Access router’s command line interface
(CLI) console.
Scheduled Reboot
• Scheduled Reboot
time.
• Enable Watchdog Reboot: Router will restart when it
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 95
User Manual / AER1600/AER1650 10/30/17
determines an unrecoverable error condition has occurred.
DIAGNOSTICS
Ping Test
A simple test to check Internet connectivity. Type the Hostname
Ping’
button.
Speed Test
• Tests Against Cradlepoint Server - Up to ten speed tests are
permitted against a Cradlepoint server.
• WAN Device - The WAN Device that is selected will have the
test run on it. If no device is selected then the highest priority
connected device will be used.
• Custom Server - Type the Hostname or IP address of the
server to which you wish to perform a test. If left empty the
test will be done to a Cradlepoint server.
• Custom Port (Optional) - The port to which the test is directed.
• Max Duration - The Max Duration is the Maximum amount
• Data Limit - The Data Limit is the limit of how much data will be transferred while measuring the connection
speed; this should be limited to reduce the expense of a speed test. Setting the limit to 0 will cause the test
to run until enough data is collected or the duration limit is met.
• Test Type - Select the type of test you would like to run. TCP Upload will test speed going to the server, TCP
Download will test speed coming to the client, and UDP will measure the speed going to the server.
SETUP WIZARDS
NETCLOUD REGISTRATION
need to create an account you can signup at cradlepoint.com.
Once you’ve created an account, or if you already have one, you can enter your
NCM username and password to register the router.
FIRST TIME SETUP
Administrator Password and Time Zone
Enter a password for the administrator who will have full access to the router’s
management interface.
You can use the default password
on the back of your product, or you
can create a custom Administrator
Password.
Conguring Your Wireless Network
• Wireless Network Name - When you are browsing for available
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 96
User Manual / AER1600/AER1650 10/30/17
wireless networks, this is the name that will be broadcast from this router. This name is also referred to as
name.
• Enable Guest Network - If the guest network is enabled,
anyone can connect to the special guest network
which allows limited connectivity to the Internet while
preventing access to your local network.
• Security Mode
• Best (WPA2): Select this option if your wireless
adapters support WPA2-only mode. This will
connect to most new devices and is the most
secure, but may not connect to older devices or
some handheld devices such as a PSP.
• Good (WPA1 & WPA2): Select this option if your
wireless adapters support WPA or WPA2. This is the
most compatible with modern devices and PCs.
• Poor (WEP): Select this option if your wireless
adapters only support WEP. This should only be used if a legacy device that only supports WEP will be
connected to the router. WEP is insecure and obsolete and is only supported in the router for legacy
reasons. The router cannot use 802.11n modes if WEP is enabled; router WiFi performance and range
will be limited.
• None (OPEN): Select this option if you do not want to activate any security features.
• WPA Password - The WPA Password must be between 8 and 64 characters long. A combination of upper
and lower case letters along with numbers and special characters is recommended to prevent hackers from
gaining access to your network.
Conguring Your APN and Modem Authentication
the default password on the back of your product, or you
can create a custom Administrator Password.
NOTE: DO NOT USE THIS APN WIZARD if you have already
be overwritten by this generic APN setup. Leave this
the CONNECTION MANAGER page, select your modem, and
edit the settings. The SIM PIN/APN tab has more available
settings than are provided here.
• Authentication Protocol
• Username
• Password
Enable and Congure Failure Check
Failure check will test the connection to verify the WAN device is connected.
• Idle Check Interval: Set the number of seconds the router will wait
between checks to see if the WAN is still available.
• Failure Check:
• Off: Once the link is established the router takes no action to verify
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 97
User Manual / AER1600/AER1650 10/30/17
that it is still up.
• On: Modems will be set to use the Passive DNS failure check type. Ethernet and WiFi as WAN
connections will be set to use Active Ping.
• Ping IP Address: This IP address must be an address that
can be reached through your WAN connection (modem/
Ethernet). Some ISPs/Carriers block certain addresses, so
choose an address that all of your WAN connections can
use.
Summary
Review your settings and click Finish to exit or Back to edit.
IP PASSTHROUGH SETUP
IP passthrough takes a 3G/4G WAN data source (USB,
ExpressCard, or Cradlepoint business-grade modem) and passes the IP address through to Ethernet LAN.
Enabling IP passthrough will make many changes to your
they are compatible with how the router will be used.
• All Ethernet ports will be set to LAN
• All network groups except the primary network
group will be removed
• All WAN devices will have Load Balance disabled and
the highest priority device will be used
• All Wireless interfaces will be removed from the
primary network group
• All Router based VPN and GRE services will be
disabled
• The Routing Mode will be set to IP Passthrough
• The Subnet Selection Mode will be set to
“Automatically Create Subnet” unless overridden via
the Subnet Selection Mode dropdown
Any Ethernet WAN connections should be disconnected
before IP passthrough is enabled.
©2017 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com 98
User Manual / AER1600/AER1650 10/30/17
APPENDIX
OPEN SOURCE SOFTWARE
This product contains software distributed under one or more of the following open source licenses: GNU General Public License Version
2, BSD License, Net-SNMP License, and PSF License Agreement for Python 3.3. For more information on this software, including licensing
terms and your rights to access source code, contact Cradlepoint at cradlepoint.com/opensource.
WARRANTY INFORMATION
the case of resale by an authorized distributor) for a period of one (1) year from the date of shipment. This warranty is limited to a repair
or replacement of the product, at Cradlepoint’s discretion as purchaser’s sole and exclusive remedy. Cradlepoint does not warrant that
the operation of the device will meet your requirements or be error free.
LIMITATION OF CRADLEPOINT LIABILITY
FOR ANY AND ALL: (A) DIRECT, INDIRECT, SPECIAL, GENERAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES, INCLUDING
WITHOUT LIMITATION FOR LOSS OF PROFITS OR REVENUE OR OF ANTICIPATED PROFITS OR REVENUE ARISING OUT OF THE USE OR INABILITY
TO USE THE DEVICE, EVEN IF CRADLEPOINT AND/OR ITS AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, AND EVEN
IF SUCH DAMAGES ARE FORESEEABLE; OR (B) CLAIMS BY ANY THIRD PARTY. NOTWITHSTANDING THE FOREGOING, IN NO EVENT SHALL THE
AGGREGATE LIABILITY OF CRADLEPOINT AND/OR ITS AFFILIATES ARISING UNDER OR IN CONNECTION WITH THE DEVICE, REGARDLESS OF THE
NUMBER OF EVENTS, OCCURRENCES, OR CLAIMS GIVING RISE TO LIABILITY, EXCEED THE PRICE PAID BY THE ORIGINAL PURCHASER OF THE
DEVICE.
PRIVACY
Cradlepoint collects general data pertaining to the use of Cradlepoint products via the Internet including, by way of example, IP address,
device ID, operating system, browser type and version number, etc. To review Cradlepoint’s privacy policy, please visit cradlepoint.com/
privacy.
OTHER BINDING DOCUMENTS; TRADEMARKS; COPYRIGHT
By activating or using your AER1600 or AER1650 device, you agree to be bound by Cradlepoint’s Terms of Use, User License and other
applicable Legal Policies.
© 2017 Cradlepoint, Inc. All rights reserved. Cradlepoint is not responsible for omissions or errors in typography or photography.
Cradlepoint, AER1600, AER1650, and the Cradlepoint logo are trademarks of Cradlepoint, Inc. in the US and other countries. Other
trademarks are property of their respective owners.
ROUTER COMMUNICATION/DATA USAGE
the latest NCOS and modem updates, clock synchronization (NTP), and NetCloud Manager (NCM) membership. Such communication may
result in data usage and applicable charges regardless of whether the router uses a wired or wireless Internet connection. To avoid such
data usage and potential charges, consult the following Knowledge Base article:
http://knowledgebase.cradlepoint.com/articles/support/router-communication-data-usage
