Datasheet for ADVANTECH models including: ICR-4400, Industrial Cellular Router, ICR-4400 Industrial Cellular Router, Router
Industrial Cellular Router ICR-4400
CONFIGURATION MANUAL

Used Symbols
Danger: Information regarding user safety or potential damage to the router.
Attention: Problems that can arise in specific situations.
Information, notice: Useful tips or information of special interest.
Example: Example of a function, command or script.

Firmware Version
Current version of firmware is 6.3.3 (December 13, 2021).

Open Source Software License
The software in this device uses various pieces of open source software governed by the following licenses: GPL versions 2 and 3, LGPL version 2, BSD-style licenses, MIT-style licenses. The list of components together with complete license texts can be found on the device itself: see the Licenses link at the bottom of the router's main web page (General Status) or point your browser to the address DEVICE_IP/licenses.cgi. If you are interested in obtaining the source, please get in touch with us at: techSupport@advantech-bb.com

Modifications and debugging of LGPL-linked executables: The device manufacturer hereby grants the right to use debugging techniques (e.g., decompilation) and to make customer modifications of any executable linked with an LGPL library for the customer's own purposes. Note that these rights are limited to the customer's usage. No further distribution of such modified executables and no transmission of the information obtained during these actions may be done.

Advantech Czech s.r.o., Sokolska 71, 562 04 Usti nad Orlici, Czech Republic
Document No. MAN-0062-EN, revision from December 15, 2021. Released in the Czech Republic.

Contents
1 Basic Information
  1.1 Document Content
  1.2 Product Introduction
  1.3 Standard Equipment
  1.4 Router Configuration Options
  1.5 Web Configuration GUI
  1.6 WebAccess/DMP Configuration
  1.7 IPv6 Support
  1.8 Supported Certificate File Types
  1.9 IEEE 802.1X (RADIUS) Support
2 Web Configuration GUI
  2.1 Factory Reset
  2.2 HTTPS Certificate for the GUI
  2.3 Valid Characters
3 Status
  3.1 General Status
    3.1.1 Mobile Connection
    3.1.2 Ethernet Status
    3.1.3 WiFi Status
    3.1.4 Peripheral Ports
    3.1.5 System Information
  3.2 Mobile WAN Status
  3.3 WiFi Status
  3.4 WiFi Scan
  3.5 Network Status
  3.6 DHCP Status
  3.7 IPsec Status
  3.8 WireGuard Status
  3.9 DynDNS Status
  3.10 System Log
4 Configuration
  4.1 Ethernet Configuration
    4.1.1 DHCP Server
    4.1.2 IPv6 Prefix Delegation
    4.1.3 802.1X Authentication to RADIUS Server
    4.1.4 LAN Configuration Examples
  4.2 VRRP Configuration
  4.3 Mobile WAN Configuration
    4.3.1 Connection to Mobile Network
    4.3.2 DNS Address Configuration
    4.3.3 Check Connection to Mobile Network
    4.3.4 Check Connection Example
    4.3.5 Data Limit Configuration
    4.3.6 Switch between SIM Cards Configuration
    4.3.7 Examples of SIM Card Switching Configuration
    4.3.8 PPPoE Bridge Mode Configuration
  4.4 PPPoE Configuration
  4.5 WiFi Access Point Configuration
  4.6 WiFi Station Configuration
  4.7 Backup Routes
    4.7.1 Default Priorities for Backup Routes
  4.8 Static Routes
  4.9 Firewall Configuration
    4.9.1 Example of the IPv4 Firewall Configuration
  4.10 NAT Configuration
    4.10.1 Examples of NAT Configuration
  4.11 OpenVPN Tunnel Configuration
    4.11.1 Example of the OpenVPN Tunnel Configuration in IPv4 Network
  4.12 IPsec Tunnel Configuration
    4.12.1 Route-based Configuration Scenarios
    4.12.2 IPsec Authentication Scenarios
    4.12.3 Configuration Items Description
    4.12.4 Basic IPv4 IPSec Tunnel Configuration
    4.12.5 TPM-based Authentication
  4.13 WireGuard Tunnel Configuration
    4.13.1 WireGuard IPv4 Tunnel Configuration Example
  4.14 GRE Tunnels Configuration
    4.14.1 Example of the GRE Tunnel Configuration
  4.15 L2TP Tunnel Configuration
    4.15.1 Example of the L2TP Tunnel Configuration
  4.16 PPTP Tunnel Configuration
    4.16.1 Example of the PPTP Tunnel Configuration
  4.17 Services
    4.17.1 DynDNS
    4.17.2 FTP
    4.17.3 HTTP
    4.17.4 NTP
    4.17.5 PAM
    4.17.6 SNMP
    4.17.7 SMTP
    4.17.8 SMS
    4.17.9 SSH
    4.17.10 Syslog
    4.17.11 Telnet
  4.18 Expansion Port 1 & 2, USB Port
    4.18.1 Examples of the Expansion Port Configuration
  4.19 Scripts
    4.19.1 Startup Script
    4.19.2 Example of Startup Script
    4.19.3 Up/Down Scripts
    4.19.4 Example of IPv6 Up/Down Script
  4.20 Automatic Update Configuration
    4.20.1 Example of Automatic Update
    4.20.2 Example of Automatic Update Based on MAC
5 Customization
  5.1 User Modules
    5.1.1 Examples of Available User Modules
6 Administration
  6.1 Users
  6.2 Change Profile
  6.3 Change Password
  6.4 Set Real Time Clock
  6.5 Set SMS Service Center
  6.6 Unlock SIM Card
  6.7 Unblock SIM Card
  6.8 Send SMS
  6.9 Backup Configuration
  6.10 Restore Configuration
  6.11 Update Firmware
  6.12 Reboot
  6.13 Logout
7 Typical Situations
  7.1 Access to the Internet from LAN
  7.2 Backup Access to the Internet from LAN
  7.3 Secure Networks Interconnection or Using VPN
  7.4 Serial Gateway
8 Glossary and Acronyms
9 Index
10 Related Documents
138 73 CD Signal Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139 74 DTR Signal Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139 75 Automatic Update Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 144 76 Connectivity User Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148 77 Routing User Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149 78 Services User Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150 79 Administration User Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151 80 Protocol Conversion User Modules . . . . . . . . . . . . . . . . . . . . . . . . . 152 81 Node-RED User Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152 82 Integration User Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153 83 Development User Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153 x ICR-4400 84 Users Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154 85 Add User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154 xi ICR-4400 1. Basic Information 1.1 Document Content This configuration manual describes the configuration of Advantech ICR-4400 family routers. The manual contains especially the following information: · Basic information about the product, notes to the HW and SW Chapter 1. · Notes to the web configuration GUI Chapter 2. · Router configuration item by item according to the web interface Chapters 3 to 6. · Configuration in typical situations examples Chapter 7: Access to the Internet from LAN (Local Area Network) via mobile network. Backed up access to the Internet (from LAN). Secure networks interconnection or using VPN (Virtual Private Network). Serial Gateway (connection of serial devices to the Internet). 
1.2 Product Introduction
The industrial cellular routers described in this manual are routers and powerful edge computing gateways designed for wireless communication in mobile networks that use traditional cellular technologies, including 5G. The primary purpose of these routers is use in services on the cellular LTE network. These routers are capable of achieving typical speeds in 5G coverage areas of up to 1 Gbps for download and 150 Mbps for upload. The router is an ideal solution for demanding IoT applications such as industrial routers and gateways, automatic teller machines (ATM), other self-service terminals, digital signage, industrial computers and tablets, etc. Configuration of the router may be done via a password-protected web interface. The web interface provides detailed statistics about the router's activities, signal strength, a detailed system log, etc.

1.3 Standard Equipment
For maximal performance on the cellular network, 4x4 MIMO technology is used. An antenna for GNSS can be connected to the router. The router, assembled in a robust metal box, is equipped with five 1 Gb Ethernet ports and one SFP cage, together with RS232, RS485 and CAN bus interfaces, two binary inputs and two binary outputs. To back up the cellular connection, the router offers two SIM card readers on the rear side of the router under the SIM cover. A microSD card can be inserted under this cover as well. Designated router models can be equipped with a WiFi module with 3x3 MIMO antennas.

1.4 Router Configuration Options
Routers can be configured via a web browser or Secure Shell (SSH). Configuration via a web browser is described in this Configuration Manual. Commands and scripts applicable when configuring via SSH are described in the Commands and Scripts for v2 and v3 Routers Application Note [1]. Technical parameters and a full description of the router can be found in the User Manual of your router.
You can also use the additional software WebAccess/VPN [2] (see Chapter 1.6) and the router monitoring software R-SeeNet [3].

1.5 Web Configuration GUI
Configuring routers is made easy by a name- and password-protected web interface. The interface provides detailed statistics about router activities, signal strength, system logs and more. The router supports both the IPv4 and IPv6 protocols and the creation of secure VPN tunnels using the IPsec, OpenVPN and L2TP technologies. The router also supports DHCP, NAT, NAT-T, a DynDNS client, NTP, VRRP, control by SMS, backup of the primary connection, multiple WANs, RADIUS authentication on Ethernet, and many other functions. Additional diagnostic features designed to ensure continuous communication include automatic inspection of Mobile WAN connections, an automatic restart feature in case a connection is lost, and a hardware watchdog that monitors the status of the router. Using the startup script window, users can insert Linux scripts for various actions. Users may insert multiple scripts, and the router can switch between configurations as needed; examples include switching by SMS or on the status of a binary input. The routers can automatically update their configuration and firmware from a central server, allowing mass reconfiguration of multiple routers simultaneously.

1.6 WebAccess/DMP Configuration
WebAccess/DMP is an advanced enterprise-grade platform solution for provisioning, monitoring, managing, and configuring Advantech's routers and IoT gateways. See the application note [2] for more information, or visit the WebAccess/DMP webpage. New routers come with the WebAccess/DMP client pre-installed. To activate it, enable it in the router's web interface (Customization -> User Modules -> WebAccess/DMP Client). The activated client periodically uploads the router's identifiers, its configuration, and cellular network statistics to the WebAccess/DMP server.
With the WebAccess/DMP client activated, you may configure the router from the WebAccess/DMP portal. Navigate your browser to https://www.wadmp.com. If this is your first time, please sign up on the site; otherwise, log in with your username and password. Once logged in, further assistance can be found at https://docs.wadmp.com.

1.7 IPv6 Support

An independent IPv4 and IPv6 dual-stack configuration is implemented in the router's firmware. This means that you can configure traffic through both IP protocols independently, and both are supported. Additional EUI-64 IPv6 addresses of network interfaces are generated automatically by standard methods. In addition, there is a NAT64 internal gateway network interface for automatic translation between IPv6 and IPv4 (see Chapter 3.5 for more information). This gateway works together with DNS64 seamlessly (for the translation of domain names). For a cellular IPv6 connection, see Mobile WAN Configuration in Chapter 4.3.1. For IPv6 LAN configuration, see LAN Configuration in Chapter 4.1. A DHCPv6 server/client is also supported.

IPv4 is the default, but IPv6 can be enabled and used with all features and protocols in the router, except for the non-secured tunnels GRE, L2TP and PPTP, and VRRP. Using the secured tunnels OpenVPN and IPsec, it is possible to run IPv6 traffic through an IPv4 tunnel and vice versa. The configuration forms for NAT, Firewall and Up/Down Scripts are completely separate for the IPv4 and IPv6 stacks. The ICMPv6 protocol is also supported. IPv6 configuration is covered in each of the following chapters where applicable.

1.8 Supported Certificate File Types

All GUI forms that support uploading a certificate file accept these file types:

· CA, Local/Remote Certificate: *.pem; *.crt; *.p12
· Private Key: *.pem; *.key; *.p12

1.9 IEEE 802.1X (RADIUS) Support

IEEE 802.1X is an IEEE standard for port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols.
It provides an authentication mechanism for devices wishing to attach to a LAN or WLAN. IEEE 802.1X defines the encapsulation of the Extensible Authentication Protocol (EAP) over IEEE 802, which is known as "EAP over LAN" or EAPoL. 802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server (see Figure 1).

Figure 1: IEEE 802.1X Functional Diagram

· The supplicant is a client device (such as a laptop) that wishes to attach to the LAN/WLAN. The term 'supplicant' is also used interchangeably to refer to the software running on the client that provides credentials to the authenticator.
· The authenticator is a network device that provides a data link between the client (supplicant) and the network (LAN/WAN) and can allow or block network traffic between the two, such as an Ethernet switch or wireless access point. The authenticator communicates with the authentication server to determine whether network access will be granted to a supplicant or not.
· The authentication server is typically a trusted server that can receive and respond to requests for network access, and can tell the authenticator whether the connection is to be allowed, as well as various settings that should apply to that client's connection. Authentication servers typically run software supporting the RADIUS and EAP protocols.

Table 1 summarizes all the supported cases and roles in which IEEE 802.1X authentication can be used on Advantech routers. Please note that the role of the authentication server is not supported by Advantech routers.

Interface   Supplicant Role                                                                              Authenticator Role
LAN         Built-in feature; just configure the LAN with 802.1X authentication, see Chapter 4.1.3.      Not a built-in feature, but can be implemented by the UM 802.1X Authenticator. For more information about this module see [UM].

Table 1: Supported Roles of the IEEE 802.1X Authentication

2. Web Configuration GUI

Figure 1: Web Configuration GUI

The cellular router will not operate unless the cellular carrier has been correctly configured and the account activated and provisioned for data communications. For UMTS and LTE carriers, a SIM card must be inserted into the router. Do not insert the SIM card while the router is powered up.

You may use the web interface to monitor, configure and manage the router. To access the router over the web interface, enter the router's IP address in your browser. The default address is 192.168.1.1. Only access via the secured HTTPS protocol is permitted, so the address must be entered as https://192.168.1.1. When accessing the router for the first time, you will need to install a security certificate if you do not want the browser to show a domain disagreement message. To avoid receiving domain disagreement messages, follow the procedure described in the following subchapter.

The default username is root. The default password is printed on the router's label. Change the default password as soon as possible! For increased security of the network connected to the router, change the default router password. While the default password of the router is still active, the Change password title is highlighted in red. After three unsuccessful login attempts, any HTTP(S) access from that IP address is blocked for one minute.

When you successfully enter the login information on the login page, the web interface is displayed, see Figure 1. The left side of the web interface contains a menu tree with sections for Status monitoring, Configuration, Customization, and Administration of the router. The Name and Location fields identifying the router can be displayed in the upper right corner of the web interface; they are configured in the SNMP configuration (see 4.17.6).
2.1 Factory Reset

After the PWR LED starts to blink, you may restore the initial router settings by pressing the reset (RST) button for a given time; see the technical manual of the router for more information. This action reverts all configuration settings to the factory defaults and the router reboots (the PWR LED is on during the reboot).

2.2 HTTPS Certificate for the GUI

There is a self-signed HTTPS certificate in the router. Because the identity of this certificate cannot be validated, a message can appear in the web browser. To solve this, upload your own certificate, signed by a Certification Authority, to the router. If you want to use your own certificate (e.g. in combination with the dynamic DNS service), you need to replace the /etc/certs/https_cert and /etc/certs/https_key files in the router. This can be done easily in the GUI on the HTTP configuration page, see Chapter 4.17.3.

If you decide to use the self-signed certificate in the router, you can take the following steps to prevent the security message (domain disagreement) from popping up every time you log into the router:

· Add a DNS record to your DNS system: edit /etc/hosts (Linux/Unix OS) or C:\WINDOWS\system32\drivers\etc\hosts (Windows OS), or configure your own DNS server. Add a new record with the IP address of your router and the domain name based on the MAC address of the router (the MAC address of the first network interface, as seen in Network Status in the web interface of the router). Use dash separators instead of colons. Example: a router with the MAC address 00:11:22:33:44:55 will have the domain name 00-11-22-33-44-55.
· Access the router via the new domain name (e.g. https://00-11-22-33-44-55). If you see the security message, add an exception so that the message does not pop up next time (e.g. in the Firefox web browser). If there is no possibility to add an exception, export the certificate to a file and import it into your browser or operating system.
Note: You will have to use the domain name based on the MAC address of the router, and it is not guaranteed to work with every combination of operating system and browser.

2.3 Valid Characters

If the router is configured through the web interface, avoid entering forbidden characters into any of the input forms (not just the password). Valid and forbidden characters are specified below. Please note that the "space" character may not be allowed in some forms as well.

Valid characters are: 0-9 a-z A-Z * , + - . / : = ? ! # % @ [ ] _ { } ~
Forbidden characters are: " $ & ' ( ) ; < > \ ^ ` |

3. Status

3.1 General Status

A summary of basic router information and its activities is available on the General Status page. This page is displayed by default when you log in to the device. The information on this page is divided into several sections, depending on the type of the router and its hardware configuration. Typically, there are sections for the mobile connection, LAN, system information and, if the device is equipped with them, the WiFi and peripheral ports.

The IPv6 Address item can show multiple different addresses for one network interface. This is standard behavior, since an IPv6 interface uses more than one address. The second IPv6 Address, shown after pressing More Information, is the automatically generated link-local IPv6 address in EUI-64 format, derived from the MAC address of the interface. It is generated and assigned the first time the interface is used (e.g. a cable is connected, Mobile WAN is connecting, etc.).
3.1.1 Mobile Connection

Item          Description
SIM Card      Identification of the SIM card
Interface     Defines the interface
Flags         Displays the network interface flags: None (no flags), Up (the interface is administratively enabled), Running (the interface is in operational state, cable detected), Multicast (the interface is capable of multicast transmission)
IP Address    IP address of the interface
MTU           Maximum packet size that the equipment is able to transmit
Rx Data       Total number of received bytes
Rx Packets    Received packets
Rx Errors     Erroneous received packets
Rx Dropped    Dropped received packets
Rx Overruns   Received packets lost because of overload
Tx Data       Total number of sent bytes
Tx Packets    Sent packets
Tx Errors     Erroneous sent packets
Tx Dropped    Dropped sent packets
Tx Overruns   Sent packets lost because of overload
Uptime        Indicates how long the connection to the cellular network has been established

Table 1: Mobile Connection

3.1.2 Ethernet Status

Every Ethernet interface has its own section on the General Status page. Items displayed here have the same meaning as the items in the previous part. In addition, the MAC Address item shows the MAC address of the corresponding router interface. The visible information depends on the Ethernet configuration, see Chapter 4.1. If the router is equipped with the PoE PSE board, information about it appears in the appropriate Ethernet section; see the table below for a description.

Item             Description
PoE PSE Status   · Disabled: PoE PSE is disabled in the Primary LAN or Secondary LAN configuration form.
                 · Undervoltage: a lower voltage than the nominal operating voltage.
                 · Overcurrent: a higher current than the permissible positive deviation from the nominal current.
                 · Idle: PoE PSE is enabled, but currently not used.
                 · Class 0: power level (classification unimplemented)
                 · Class 1: power level (very low power)
                 · Class 2: power level (low power)
                 · Class 3: power level (mid power)
                 · Class 4: power level (high power)
PoE PSE Power    Power of PoE PSE [W]
PoE PSE Voltage  Voltage of PoE PSE [V]
PoE PSE Current  Current of PoE PSE [mA]

Table 2: PoE PSE information

3.1.3 WiFi Status

Items displayed in this part have the same meaning as the items in the previous part. The WiFi AP part displays information for the WiFi interface (wlan0) working in access point mode; for its configuration see Chapter 4.5. The WiFi STA part displays information for the WiFi interface (wlan1) working in station mode; for the configuration description see Chapter 4.6.

3.1.4 Peripheral Ports

Item               Description
Expansion Port 1   An interface detected on the first expansion port.
Expansion Port 2   An interface detected on the second expansion port.
Binary Input 0     State of the first binary input.
Binary Input 1     State of the second binary input.
Binary Output 0    State of the first binary output.
Binary Output 1    State of the second binary output.

Table 3: Peripheral Ports

3.1.5 System Information

System information about the device is displayed in the System Information section.

Item               Description
Firmware Version   Information about the firmware version
Serial Number      Serial number of the router (N/A if not available)
Hardware UUID      Unique HW identifier of the device.
Profile            Current profile: standard or one of the alternative profiles (profiles are used, for example, to switch between different modes of operation)
Supply Voltage     Supply voltage of the router
Temperature        Temperature in the router
Time               Current date and time
Uptime             Indicates how long the router has been running
Licenses           Link to the list of open source software components of the firmware together with their complete license texts (GPL versions 2 and 3, LGPL version 2, BSD-style licenses, MIT-style licenses).
Table 4: System Information

3.2 Mobile WAN Status

The Mobile WAN menu item contains current information about connections to the mobile network. The first part of this page (Mobile Network Information) displays basic information about the mobile network the router operates in. There is also information about the module mounted in the router.

Item              Description
Registration      State of the network registration
Operator          Specifies the operator's network the router operates in.
Technology        Transmission technology
PLMN              Code of the operator
Cell              Cell the router is connected to (in hexadecimal format).
LAC/TAC           Unique number (in hexadecimal format) assigned to each location area. LAC (Location Area Code) is used in 2G/3G networks and TAC (Tracking Area Code) in 4G networks.
Channel           Channel the router communicates on:
                  · UARFCN in case of UMTS/HSPA technology,
                  · EARFCN in case of LTE technology.
Band              Cellular band abbreviation.
Signal Strength   Signal strength (in dBm) of the selected cell; for details see Table 6.
Signal Quality    Signal quality of the selected cell:
                  · EC/IO for UMTS (the ratio of the signal received from the pilot channel, EC, to the overall level of the spectral density, i.e. the sum of the signals of other cells, IO).
                  · RSRQ for LTE technology (defined as the ratio N × RSRP / RSSI).
                  · The value is not available for the EDGE technology.
RSSI, RSRP, RSRQ, SINR, RSCP or Ec/Io   Other parameters reporting signal strength or quality. Please note that some of them may not be available, depending on the cellular module or cellular technology.
CSQ               Cell signal strength with the following value ranges:
                  · 2 to 9 = Marginal,
                  · 10 to 14 = OK,
                  · 15 to 19 = Good,
                  · 20 to 30 = Excellent.
Manufacturer      Module manufacturer
Model             Type of module
Revision          Revision of module
IMEI              IMEI (International Mobile Equipment Identity) number of the module
ICCID             Integrated Circuit Card Identifier, the international and unique serial number of the SIM card.

Table 5: Mobile Network Information

The value of signal strength is displayed in different colors: black for good, orange for fair and red for poor signal strength.

Signal strength       good        fair                   poor
CDMA (RSSI)           > -70 dBm   -70 dBm to -89 dBm     < -89 dBm
UMTS/HSPA (RSCP)      > -75 dBm   -75 dBm to -94 dBm     < -94 dBm
LTE (RSRP)            > -90 dBm   -90 dBm to -109 dBm    < -109 dBm

Table 6: Value ranges of signal strength for different technologies.

The middle part of this page displays information about mobile signal quality, transferred data and the number of connections for all SIM cards (for each period). The router has standard intervals, such as the previous 24 hours and the last week, and also a period starting with the Accounting Start defined for the MWAN module.

Period        Description
Today         Today from 0:00 to 23:59
Yesterday     Yesterday from 0:00 to 23:59
This week     This week from Monday 0:00 to Sunday 23:59
Last week     Last week from Monday 0:00 to Sunday 23:59
This period   This accounting period
Last period   Last accounting period

Table 7: Description of Periods

Tips for the Mobile Network Statistics table:

· Availability is expressed as a percentage. It is the ratio of the time a connection to the mobile network has been established to the time the router has been turned on.
· Placing your cursor over the maximum or minimum signal strength displays the last time the router reached that signal strength.

The last part (Connection Log) displays information about the mobile network connections and any problems that occurred while establishing them.
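The thresholds of Table 6, the CSQ ranges of Table 5 and the Min/Avg/Max signal and Availability figures of the Mobile Network Statistics table, worked through over a constructed series of status polls. This is an added example, not Advantech code; the Reading structure and the equally spaced polling are assumptions of the example.

```python
"""Mobile WAN statistics helpers (added example; not part of the router firmware).

Reproduces what the manual's tables report: colour class per technology
(Table 6), the CSQ labels (Table 5) and the per-period Signal Min/Avg/Max and
Availability (Mobile Network Statistics) over a constructed list of polls.
"""
from dataclasses import dataclass
from statistics import mean
from typing import List, Optional

# Table 6: (good above, poor below) in dBm, keyed by technology.
SIGNAL_THRESHOLDS = {
    "CDMA": (-70, -89),   # RSSI
    "UMTS": (-75, -94),   # RSCP, also used for HSPA
    "LTE": (-90, -109),   # RSRP
}


def classify_signal(technology: str, dbm: int) -> str:
    """Return 'good', 'fair' or 'poor' according to the Table 6 ranges."""
    good_above, poor_below = SIGNAL_THRESHOLDS[technology]
    if dbm > good_above:
        return "good"
    if dbm < poor_below:
        return "poor"
    return "fair"


def csq_label(csq: int) -> str:
    """Map a CSQ value to the labels listed under the CSQ item of Table 5."""
    for low, high, label in ((2, 9, "Marginal"), (10, 14, "OK"),
                             (15, 19, "Good"), (20, 30, "Excellent")):
        if low <= csq <= high:
            return label
    return "unknown"   # outside the ranges the manual lists


@dataclass
class Reading:
    """One poll of the Mobile WAN status (constructed data, not a real log)."""
    connected: bool
    signal_dbm: Optional[int]   # None while the router is disconnected


def period_statistics(readings: List[Reading]) -> dict:
    """Summary for one period, in the style of the Mobile Network Statistics table.

    Availability is the share of uptime during which the connection was up; with
    equally spaced polls that is connected polls divided by all polls.
    """
    if not readings:
        raise ValueError("no readings for this period")
    up = [r.signal_dbm for r in readings if r.connected and r.signal_dbm is not None]
    connected = sum(1 for r in readings if r.connected)
    return {
        "signal_min": min(up) if up else None,
        "signal_avg": round(mean(up)) if up else None,
        "signal_max": max(up) if up else None,
        "availability_pct": round(100.0 * connected / len(readings), 1),
    }


# Constructed sample: eight LTE polls, the link was down for two of them.
SAMPLE_POLLS = [
    Reading(True, -95), Reading(True, -97), Reading(False, None), Reading(False, None),
    Reading(True, -88), Reading(True, -91), Reading(True, -86), Reading(True, -93),
]

if __name__ == "__main__":
    stats = period_statistics(SAMPLE_POLLS)
    print(stats, "avg colour:", classify_signal("LTE", stats["signal_avg"]))
```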
Item           Description
RX data        Total volume of received data
TX data        Total volume of sent data
Connections    Number of connections established to the mobile network
Signal Min     Minimal signal strength
Signal Avg     Average signal strength
Signal Max     Maximal signal strength
Cells          Number of switches between cells
Availability   Availability of the router via the mobile network (expressed as a percentage)

Table 8: Mobile Network Statistics

Figure 2: Mobile WAN status

3.3 WiFi Status

This item is available only if the router is equipped with a WiFi module. Selecting the Status -> WiFi -> Status item in the main menu of the web interface displays information about the WiFi access point (AP) and the WiFi station (STA). Information about all stations connected to the AP is listed as well. An example of the WiFi status output is shown in the following figure.

Figure 3: WiFi Status

3.4 WiFi Scan

This item is available only if the router is equipped with a WiFi module. Selecting the Status -> WiFi -> Scan item scans for neighboring WiFi networks and displays the results. The table below describes some of the items in the output of the WiFi scan.

Item   Description
BSS    MAC address of the access point (AP)
TSF    A Timing Synchronization Function (TSF) keeps the timers for all stations in the same Basic Service Set (BSS) synchronized. All stations shall maintain a local TSF timer.
freq                       Frequency band of the WiFi network [MHz]
beacon interval            Period of time synchronization
capability                 List of access point (AP) properties
signal                     Signal level of the access point (AP)
last seen                  Last response time of the access point (AP)
SSID                       Identifier of the access point (AP)
Supported rates            Supported rates of the access point (AP)
DS Parameter set           The channel on which the access point (AP) broadcasts
ERP                        Extended Rate PHY information element providing backward compatibility
Extended supported rates   Supported rates of the access point (AP) beyond the eight rates listed in the Supported rates item
RSN                        Robust Secure Network, the protocol for establishing secure communication over an 802.11 wireless network

Table 9: Information about Neighbouring WiFi Networks

WiFi Scan output may look like this:

Figure 4: WiFi Scan

3.5 Network Status

To view information about the interfaces and the routing table, open the Network item in the Status menu. The upper part of the window displays detailed information about the active interfaces only:

Interface                  Description
eth0, eth1, eth2           First, second and third network (Ethernet) interfaces
lan1, lan2, lan3, lan4     LAN interfaces
lo                         Local loopback interface
nat64                      Network interface of the internal translator gateway between IPv6 and IPv4 addresses.
switch0                    SWITCH interface
usb0                       Active PPP connection to the mobile network; the wireless module is connected via the USB interface.
wlan0                      WiFi interface, if configured
ppp0                       PPP interface (e.g. PPPoE tunnel), if configured
tun0                       OpenVPN tunnel interface, if configured
ipsec0                     IPsec tunnel interface, if configured
gre1                       GRE tunnel interface, if configured
wg1                        WireGuard tunnel interface, if configured

Table 10: Description of Interfaces in Network Status

The following information can be displayed for network interfaces:

Item         Description
HWaddr       Hardware (unique, MAC) address of a network interface.
inet addr    IPv4 address of the interface
inet6 addr   IPv6 address of the interface. There can be more than one for a single network interface.
P-t-P        IP address of the opposite end (in case of a point-to-point connection).
Bcast        Broadcast address
Mask         Network mask
MTU          Maximum packet size that the equipment is able to transmit.
Metric       Number of routers the packet must go through.
RX           · packets: received packets
             · errors: number of errors
             · dropped: dropped packets
             · overruns: incoming packets lost because of overload.
             · frame: wrong incoming packets because of incorrect packet size.
TX           · packets: transmitted packets
             · errors: number of errors
             · dropped: dropped packets
             · overruns: outgoing packets lost because of overload.
             · carrier: wrong outgoing packets with errors resulting from the physical layer.
collisions   Number of collisions on the physical layer.
txqueuelen   Length of the buffer (queue) of the network interface.
RX bytes     Total number of received bytes.
TX bytes     Total number of transmitted bytes.

Table 11: Description of Information in Network Status

You may view the status of the mobile network connection on the Network Status screen. If the connection to the mobile network is active, it appears in the system information as the usb0 interface.

The Route Table is displayed at the bottom of the Network Status page; there is an IPv4 Route Table and an IPv6 Route Table below it. If the router is connected to the Internet (a default route is defined), the nat64 network interface is created automatically. This is the NAT64 internal gateway for translating between IPv6 and IPv4 communication. It is used automatically when the router is connected via IPv6 and communicates with an IPv4 device or network. It works together with the DNS64 service running in the router automatically (translation of domain names to IP addresses). The default NAT64 prefix 64:ff9b::/96 is used, as can be seen in the IPv6 Route Table section of Figure 5 below.
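How the default NAT64 prefix 64:ff9b::/96 shown in the IPv6 Route Table carries an IPv4 address, as an added example (not router firmware code): with a /96 prefix the IPv4 address occupies the low 32 bits (RFC 6052), so an operator reading the route table or a firewall log can recover the real IPv4 destination. The sample AAAA answers are constructed.

```python
"""NAT64 address helpers for the router's default 64:ff9b::/96 prefix.

Added example, not Advantech code. Builds the IPv6 form that DNS64 hands out
for an IPv4-only host and recovers the IPv4 target from such an address.
"""
import ipaddress
from typing import List, Optional, Tuple

# Default prefix of the router's nat64 interface (see the IPv6 Route Table).
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize(ipv4: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> ipaddress.IPv6Address:
    """Embed an IPv4 address in a /96 NAT64 prefix (what DNS64 returns)."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled here")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract(ipv6: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> Optional[ipaddress.IPv4Address]:
    """Return the embedded IPv4 address, or None if the address is not NAT64-mapped."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF)


def split_dns64_answers(answers: List[str]) -> Tuple[List[str], List[str]]:
    """Separate native IPv6 answers from DNS64-synthesized ones.

    Returns (native_ipv6, embedded_ipv4) so a client can tell whether traffic
    will leave natively or through the nat64 gateway.
    """
    native, translated = [], []
    for a in answers:
        v4 = extract(a)
        (translated if v4 is not None else native).append(str(v4) if v4 else a)
    return native, translated


# Constructed sample: two AAAA answers, one native and one synthesized by DNS64.
SAMPLE_ANSWERS = ["2001:db8::10", "64:ff9b::c000:201"]

if __name__ == "__main__":
    print(synthesize("192.0.2.1"))            # 64:ff9b::c000:201
    print(split_dns64_answers(SAMPLE_ANSWERS))
```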
Figure 5: Network Status

3.6 DHCP Status

Information about the DHCP server activity is accessible via the DHCP item. The DHCP server provides automatic configuration of the client devices connected to the router. The DHCP server assigns each device an IP address, subnet mask, default gateway (IP address of the router) and DNS server (IP address of the router). A DHCPv6 server is supported.

Figure 6: DHCP Status

The DHCP status may occasionally display two records for one IP address. This may be caused by resetting the client network interface.

Records in the DHCP Status window are divided into separate parts according to the LAN and WLAN interface and to IPv4 (DHCP) and IPv6 (DHCPv6): there are the parts Active DHCP Leases (LAN), Active DHCPv6 Leases (LAN), Active DHCP Leases (WLAN) and Active DHCPv6 Leases (WLAN), the last two if the router has WiFi and the WLAN network interface is enabled. In Figure 6 above, both the DHCP (IPv4) and DHCPv6 (IPv6) servers are enabled on the LAN interface and the WLAN interface. The table below explains the information in the client list:

Item                 Description
lease                Assigned IPv4 address.
iaaddr               (IPv6) Assigned IPv6 address.
starts epoch         Time that the IP address was assigned.
ends epoch           Time that the IP address lease expires.
tstp epoch           The time the peer has been told the lease expires.
cltt epoch           Client last transaction time.
binding state        The lease's binding state.
next binding state   The state the lease will move to when the current state expires.
hardware ethernet    Unique hardware MAC address.
uid                  Unique ID.
client-hostname      Host computer name.
preferred-life       (IPv6) Length of time the address can be used without any restrictions. When the preferred-life expires, the address should not be used for new communications, but might continue to be used for existing communications in certain cases.
max-life             (IPv6) Maximum time for which the DHCPv6 server can grant a lease.
Table 12: DHCP Status Description for IPv4 and IPv6 leases

3.7 IPsec Status

Selecting the IPsec option in the Status menu of the web page brings up the information for any IPsec tunnels that have been established. If the tunnel has been built correctly, the screen displays ESTABLISHED and the number of running IPsec connections, 1 up (highlighted in orange in the figure below). If there is no such text in the log (e.g. "0 up"), the tunnel was not created!

Figure 7: IPsec Status

3.8 WireGuard Status

Selecting the WireGuard option in the Status menu of the web page brings up the information for any WireGuard tunnels established. The figure below shows an example of the first WireGuard tunnel running.

Figure 8: WireGuard Status Page

The Latest handshake time is the time elapsed since the latest successful communication with the opposite tunnel side. This item is not shown until there has been tunnel communication (data sent by the client side, or the keepalive data sent when NAT/Firewall Traversal is set to yes).

3.9 DynDNS Status

The router supports DynamicDNS using a DNS server on www.dyndns.org. If Dynamic DNS is configured, the status can be displayed by selecting the DynDNS menu option. Refer to www.dyndns.org for more information on how to configure a Dynamic DNS client. You can use the following servers for the Dynamic DNS service. It is possible to use the DynDNSv6 service with IP Mode switched to IPv6 on the DynDNS Configuration page.

· www.dyndns.org
· www.spdns.de
· www.dnsdynamic.org
· www.noip.com

Figure 9: DynDNS Status

When the router detects a DynDNS record update, the dialog displays one or more of the following messages:

· DynDNS client is disabled.
· Invalid username or password.
· Specified hostname doesn't exist.
· Invalid hostname format.
· Hostname exists, but not under specified username.
· No update performed yet.
· DynDNS record is already up to date.
· DynDNS record successfully updated.
· DNS error encountered.
· DynDNS server failure.

The router's SIM card must have a public IP address assigned, or DynDNS will not function correctly.

3.10 System Log

If there are any connection problems, you may view the system log by selecting the System Log menu item. Detailed reports from the individual applications running in the router are displayed. Use the Save Log button to save the system log to a connected computer (it is saved as a text file with the .log extension). The Save Report button is used to create detailed reports (saved as a text file with the .txt extension; the file includes statistical data, routing and process tables, the system log, and the configuration). Sensitive data is filtered out of the report for security reasons.

The default length of the system log is 1000 lines. After reaching 1000 lines, a new file is created for storing the system log. After the second file also reaches 1000 lines, the first file is overwritten with a new file.

The syslogd program outputs the system log. It can be started with two options that modify its behavior. Option "-S" followed by a decimal number sets the maximal number of lines in one log file. Option "-R" followed by a hostname or IP address enables logging to a remote syslog daemon. (If the remote syslog daemon runs on a Linux OS, remote logging has to be enabled there, typically by running "syslogd -R". If it runs on a Windows OS, a syslog server has to be installed, e.g. Syslog Watcher.) To start syslogd with these options, the "/etc/init.d/syslog" script can be modified via SSH, or lines can be added to the Startup Script (accessible in the Configuration section) according to Figure 11.

Figure 10: System Log

The following example (figure) shows how to send syslog information to a remote server at 192.168.2.115 on startup.

Figure 11: Example of starting syslogd with the parameter -R

4. Configuration

4.1 Ethernet Configuration

To enter the Local Area Network configuration, select the Ethernet menu item in the Configuration section. The Ethernet item expands in the menu on the left, so you can choose the proper Ethernet interface to configure: ETH0 for the first Ethernet interface, ETH1 for the second Ethernet interface and ETH2 for the third Ethernet interface. The LAN Configuration page is divided into IPv4 and IPv6 columns, see Figure 12. There is dual-stack support of the IPv4 and IPv6 protocols; they can run alongside each other, and you can configure either one of them or both. If you configure both IPv4 and IPv6, the other network devices will choose the communication protocol. The configuration items and the differences between IPv6 and IPv4 are described in the tables below.

Figure 12: LAN Configuration page

Item                    Description
DHCP Client             Enables/disables the DHCP client function. In the IPv6 column, it enables the DHCPv6 client. The DHCPv6 client supports all three methods of getting an IPv6 address: SLAAC, stateless DHCPv6 and stateful DHCPv6.
                        · disabled: The router does not allow automatic allocation of an IP address from a DHCP server in the LAN network.
                        · enabled: The router allows automatic allocation of an IP address from a DHCP server in the LAN network.
IP Address              A fixed IP address of the Ethernet interface. Use IPv4 notation in the IPv4 column and IPv6 notation in the IPv6 column. Shortened IPv6 notation is supported.
Subnet Mask / Prefix    Specifies a subnet mask for the IPv4 address. In the IPv6 column, fill in the prefix length for the IPv6 address, a number in the range 0 to 128.
Default Gateway         Specifies the IP address of a default gateway. If filled in, every packet whose destination is not found in the routing table is sent to this IP address. Use proper IP address notation in the IPv4 and IPv6 column.
DNS Server              Specifies the IP address of the DNS server. When the IP address is not found in the Routing Table, the router forwards the request to the DNS server specified here.
Use proper IP address notation in the IPv4 and IPv6 column.

Table 13: Configuration of the Network Interface, IPv4 and IPv6

The Default Gateway and DNS Server items are only used if the DHCP Client item is set to disabled and if the ETH0, ETH1 or ETH2 LAN is selected by the Backup Routes system as the default route. (The selection algorithm is described in Section 4.7.) Since FW 5.3.0, Default Gateway and DNS Server are also supported on bridged interfaces (e.g. eth0 + eth1).

The following three items (in the table below) are global for the configured Ethernet interface. Only one bridge can be active on the router at a time. The DHCP Client, IP Address and Subnet Mask / Prefix parameters of only one of the interfaces are used for the bridge. ETH0 LAN has higher priority when both interfaces (ETH0, ETH1) are added to the bridge. Other interfaces can be added to or deleted from an existing bridge at any time. The bridge can be created on demand for such interfaces, but not if it is configured by their respective parameters.

Item         Description
Bridged      Activates/deactivates the bridging function on the router.
             · no: The bridging function is inactive (default).
             · yes: The bridging function is active.
Media Type   Specifies the type of duplex and speed used in the network.
             · Auto-negotiation: The router automatically sets the best speed and duplex mode of communication according to the network's possibilities.
             · 1000 Mbps Full Duplex: The router communicates at 1000 Mbps in full duplex mode.
             · 100 Mbps Full Duplex: The router communicates at 100 Mbps in full duplex mode.
             · 100 Mbps Half Duplex: The router communicates at 100 Mbps in half duplex mode.
             · 10 Mbps Full Duplex: The router communicates at 10 Mbps in full duplex mode.
             · 10 Mbps Half Duplex: The router communicates at 10 Mbps in half duplex mode.
PoE PSE      · enabled: The router provides power on the Ethernet cable.
             · disabled: The router does not provide power on the Ethernet cable (default).
Table 14: Configuration of the Network Interface, global items

4.1.1 DHCP Server

The DHCP server assigns the IP address, the gateway IP address (IP address of the router) and the IP address of the DNS server (IP address of the router) to the connected clients. If these values are filled in by the user in the configuration form, they are preferred. The DHCP server supports static and dynamic assignment of IP addresses. Dynamic DHCP assigns clients IP addresses from a defined address space. Static DHCP assigns IP addresses that correspond to the MAC addresses of connected clients.

If the IPv6 column is filled in, the DHCPv6 server is used. The DHCPv6 server offers stateful address configuration to connected clients. Only when the Subnet Prefix above is set to 64 does the DHCPv6 server offer both stateful address configuration and SLAAC (Stateless Address Autoconfiguration).

Do not overlap the ranges of statically allocated IP addresses with the addresses allocated by the dynamic DHCP server. IP address conflicts and incorrect network function can occur if the ranges overlap.

Item                         Description
Enable dynamic DHCP leases   Select this option to enable a dynamic DHCP server.
IP Pool Start                Start of the IP addresses allocated to DHCP clients. Use proper notation in the IPv4 and IPv6 column.
IP Pool End                  End of the IP addresses allocated to DHCP clients. Use proper IP address notation in the IPv4 and IPv6 column.
Lease time                   Time in seconds that the IP address is reserved before it can be re-used.

Table 15: Configuration of Dynamic DHCP Server

Item                        Description
Enable static DHCP leases   Select this option to enable a static DHCP server.
MAC Address                 MAC address of a DHCP client.
IPv4 Address                Assigned IPv4 address. Use proper notation.
IPv6 Address                Assigned IPv6 address. Use proper notation.

Table 16: Configuration of Static DHCP Server

4.1.2 IPv6 Prefix Delegation

This is an advanced configuration option.
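The Site Prefix / Subnet ID / Interface ID split that this section's form and Figure 13 describe, carried through in code as an added example (not Advantech code): the Subnet ID Width is the remainder up to 64 bits, the Subnet ID must fit in that width, and the resulting /64 is what a client combines with an EUI-64 interface ID (Chapter 1.7 and 3.1) to form its address. The prefixes and MAC address used are constructed documentation values.

```python
"""IPv6 prefix delegation arithmetic (added example; not part of the router firmware).

Section 4.1.2: <Site Prefix><Subnet ID><Interface ID> = 128 bits, where the
Subnet ID Width is 64 minus the site prefix length. These helpers compute the
width and its maximum Subnet ID, build the resulting /64, and derive the EUI-64
address a host would auto-configure in it.
"""
import ipaddress


def subnet_id_width(site_prefix: ipaddress.IPv6Network) -> int:
    """Bits available for the Subnet ID: the remainder up to 64 bits."""
    if site_prefix.prefixlen > 64:
        raise ValueError("a site prefix longer than /64 leaves no Subnet ID bits")
    return 64 - site_prefix.prefixlen


def max_subnet_id(width: int) -> int:
    """Largest decimal Subnet ID that fits in the given width."""
    return (1 << width) - 1


def lan_prefix(site_prefix: str, subnet_id: int) -> ipaddress.IPv6Network:
    """Return the /64 for one LAN: site prefix with the Subnet ID filled in."""
    site = ipaddress.IPv6Network(site_prefix)      # strict: host bits must be zero
    width = subnet_id_width(site)
    if not 0 <= subnet_id <= max_subnet_id(width):
        raise ValueError(
            f"Subnet ID {subnet_id} does not fit in {width} bits (max {max_subnet_id(width)})")
    base = int(site.network_address)
    # The Interface ID occupies the low 64 bits, so the Subnet ID sits just above it.
    return ipaddress.IPv6Network((base | (subnet_id << 64), 64))


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 from a 48-bit MAC: insert ff:fe in the middle, flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must have 6 octets")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def slaac_address(prefix: ipaddress.IPv6Network, mac: str) -> ipaddress.IPv6Address:
    """Address a host derives from its MAC inside a /64 (the EUI-64 method)."""
    if prefix.prefixlen != 64:
        raise ValueError("EUI-64 interface IDs need a /64 prefix")
    return ipaddress.IPv6Address(int(prefix.network_address) | eui64_interface_id(mac))


if __name__ == "__main__":
    # Constructed values: a /48 site prefix as in Figure 13, Subnet ID 5.
    lan = lan_prefix("2001:db8:abcd::/48", 5)
    print(lan)                                                   # 2001:db8:abcd:5::/64
    print(slaac_address(lan, "00:11:22:33:44:55"))               # EUI-64 host address
    print(slaac_address(ipaddress.IPv6Network("fe80::/64"), "00:11:22:33:44:55"))
```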
IPv6 prefix delegation works automatically with DHCPv6; use this form only if a different configuration is desired and you know the consequences. If you want to override the automatic IPv6 prefix delegation, you can configure it in this form. You have to know your Subnet ID Width (part of the IPv6 address); see the figure below for help with the calculation. It is an example: 48 bits is the Site Prefix, 16 bits is the Subnet ID (Subnet ID Width) and 64 bits is the Interface ID.

Figure 13: IPv6 Address with Prefix Example

Enable IPv6 prefix delegation
  Enables the prefix delegation configuration filled in below.
Subnet ID
  The decimal value of the Subnet ID of the Ethernet interface. The maximum value depends on the Subnet ID Width.
Subnet ID Width
  The maximum Subnet ID Width depends on your Site Prefix; it is the remainder up to 64 bits.

Table 17: IPv6 prefix delegation configuration

4.1.3 802.1X Authentication to RADIUS Server

Authentication (802.1X) to a RADIUS server can be enabled in the next configuration section. The router can be a RADIUS client only (not the server). This functionality requires additional settings of identity and certificates as described in the following table.

Enable IEEE 802.1X Authentication
  Select this option to enable 802.1X Authentication.
Authentication Method
  Select the authentication method (EAP-PEAP/MSCHAPv2 or EAP-TLS).
CA Certificate
  Definition of the CA certificate for the EAP-TLS authentication protocol.
Local Certificate
  Definition of the local certificate for the EAP-TLS authentication protocol.
Local Private Key
  Definition of the local private key for the EAP-TLS authentication protocol.
Identity
  User name identity.
Password
  Access password. This item is available for the EAP-PEAP/MSCHAPv2 protocol only. Enter valid characters only, see chap. 2.3!
Local Private Key Password
  Definition of the password for the private key of the EAP-TLS protocol. This item is available for the EAP-TLS protocol only. Enter valid characters only, see chap. 2.3!
Table 18: Configuration of 802.1X Authentication

4.1.4 LAN Configuration Examples

Example 1: IPv4 Dynamic DHCP Server, Default Gateway and DNS Server
· The range of dynamically allocated IPv4 addresses is from 192.168.1.2 to 192.168.1.4.
· The address is allocated for 600 seconds (10 minutes).
· The default gateway IP address is 192.168.1.20.
· The DNS server IP address is 192.168.1.20.

Figure 14: Network Topology for Example 1

Figure 15: LAN Configuration for Example 1

Example 2: IPv4 Dynamic and Static DHCP Server
· The range of allocated addresses is from 192.168.1.2 to 192.168.1.4.
· The address is allocated for 600 seconds (10 minutes).
· The client with the MAC address 01:23:45:67:89:ab has the IP address 192.168.1.10.
· The client with the MAC address 01:54:68:18:ba:7e has the IP address 192.168.1.11.

Figure 16: Network Topology for Example 2

Figure 17: LAN Configuration for Example 2

Example 3: IPv6 Dynamic DHCP Server
· The range of dynamically allocated IPv6 addresses is from 2001:db8::1 to 2001:db8::ffff.
· The address is allocated for 600 seconds (10 minutes).
· The router is still accessible via IPv4 (192.168.1.1).

Figure 18: Network Topology for Example 3

Figure 19: LAN Configuration for Example 3

4.2 VRRP Configuration

Select the VRRP menu item to enter the VRRP configuration. There are two submenus which allow you to configure up to two instances of VRRP. The VRRP protocol (Virtual Router Redundancy Protocol) allows you to transfer packet routing from the main router to a backup router in case the main router fails. (This can be used to provide a wireless cellular backup to a primary wired router in critical applications.) If Enable VRRP is checked, you may set the following parameters.

Protocol Version
  Choose the version of VRRP (VRRPv2 or VRRPv3).
Virtual Server IP Address
  This parameter sets the virtual server IP address.
  This address must be the same for both the primary and backup routers. Devices on the LAN will use this address as their default gateway IP address.
Virtual Server ID
  This parameter distinguishes one virtual router on the network from another. The main and backup routers must use the same value for this parameter.
Host Priority
  The active router with the highest priority set by the Host Priority parameter is the main router. According to RFC 2338, the main router should have the highest possible priority, 255. The backup router(s) have a priority in the range 1 to 254 (the default value is 100). A priority value of 0 is not allowed.

Table 19: VRRP configuration

You may set the Check connection flag in the second part of the window to enable automatic test messages for the cellular network. In some cases, the mobile WAN connection could still be active but the router will not be able to send data over the cellular network. This feature is used to verify that data can be sent over the PPP connection and supplements the normal VRRP message handling. The currently active router (main/backup) will send test messages to the defined Ping IP Address at periodic time intervals (Ping Interval) and wait for a reply (Ping Timeout). If the router does not receive a response to the Ping command, it will retry up to the number of times specified by the Ping Probes parameter. After that, it will switch itself to a backup router until the PPP connection is restored. You may use the DNS server of the mobile carrier as the destination IP address for the test messages (Pings).

The Enable traffic monitoring option can be used to reduce the number of messages that are sent to test the PPP connection. When this parameter is set, the router will monitor the interface for any packets different from a ping. If a response to the packet is received within the timeout specified by the Ping Timeout parameter, then the router knows that the connection is still active.
If the router does not receive a response within the timeout period, it will attempt to test the mobile WAN connection using standard Ping commands.

Ping IP Address
  Destination IP address for the Ping commands. The IP address cannot be specified as a domain name.
Ping Interval
  Interval in seconds between the outgoing Pings.
Ping Timeout
  Time in seconds to wait for a response to the Ping.
Ping Probes
  Maximum number of failed ping requests.

Table 20: Check connection

Example of the VRRP protocol:

Figure 20: Topology of VRRP configuration example

Figure 21: Example of VRRP configuration, main router

Figure 22: Example of VRRP configuration, backup router

4.3 Mobile WAN Configuration

Select the Mobile WAN item in the Configuration menu section to enter the cellular network configuration page. See the Mobile WAN Configuration page in Figure 23.

4.3.1 Connection to Mobile Network

If the Create connection to mobile network checkbox is checked, then the router will automatically attempt to establish a connection after booting up. You can specify the following parameters for each SIM card separately.

Carrier
  Available for NAM routers only. Network carrier selection. Provides either an automatic detection option or manual selection of AT&T, Rogers or Verizon.
APN
  Network identifier (Access Point Name).
Username
  The user name used for logging on to the GSM network.
Password
  The password used for logging on to the GSM network. Enter valid characters only, see chap. 2.3!
Authentication
  Authentication protocol used in the GSM network:
  · PAP or CHAP - The router selects the authentication method.
  · PAP - The router uses the PAP authentication method.
  · CHAP - The router uses the CHAP authentication method.
IP Mode
  Specifies the version of the IP protocol used:
  · IPv4 - IPv4 protocol is used only (default).
  · IPv6 - IPv6 protocol is used only.
  · IPv4/IPv6 - IPv4 and IPv6 independent dual stack is enabled.
IP Address
  For use in IPv4 and IPv4/IPv6 mode only. Specifies the IPv4 address of the SIM card. Enter the IP address manually only when the mobile network carrier has assigned the IP address.
Dial Number
  Specifies the telephone number which the router dials for a CSD connection. The router uses the default telephone number *99***1#.
Operator
  Specifies the carrier code. You can specify this parameter as the PLMN preferred carrier code.
Network type
  Specifies the type of protocol used in the mobile network. Automatic selection - the router automatically selects the transmission method according to the availability of transmission technologies. Automatic selection never selects NB-IoT networks; use NB-IoT in the selection for NB-IoT networks.
PIN
  Specifies the PIN used to unlock the SIM card. Use only if this is required by a given SIM card. The SIM card will be blocked after several failed attempts to enter the PIN.
MRU
  Maximum Receive Unit: the maximum size of packet that the router can receive via Mobile WAN. The default value is 1500 B. Other settings may cause the router to receive data incorrectly. Minimal value in IPv4 and IPv4/IPv6 mode: 128 B. Minimal value in IPv6 mode: 1280 B.
MTU
  Maximum Transmission Unit: the maximum size of packet that the router can transmit via Mobile WAN. The default value is 1500 B. Other settings may cause the router to transmit data incorrectly. Minimal value in IPv4 and IPv4/IPv6 mode: 128 B. Minimal value in IPv6 mode: 1280 B.

Table 21: Mobile WAN Connection Configuration

The following list contains tips for working with the Mobile WAN configuration form:
· If the MTU size is set incorrectly, data transfer will fail. If the MTU value is set too low, more frequent fragmentation of data will occur. More frequent fragmentation will mean a higher overhead and also the possibility of packet damage during defragmentation.
  In contrast, a higher MTU value can cause the network to drop the packet.
· If the IP address field is left blank, the mobile network carrier will automatically assign an IP address when the router establishes a connection. If you assign an IP address manually, then the router will access the network more quickly.
· If the APN field is left blank, the router automatically selects the APN using the IMSI code of the SIM card. The name of the chosen APN can be found in the System Log.
· If you enter the word blank in the APN field, then the router interprets the APN as blank.

The correct PIN must be filled in. An incorrect PIN may block the SIM card.

Parameters identified with an asterisk require you to enter the appropriate information only if this information is required by the mobile network carrier.

Figure 23: Mobile WAN Configuration

When the router is unsuccessful in establishing a connection to the mobile network, you should verify the accuracy of the entered data. Alternatively, you could try a different authentication method or network type.

4.3.2 DNS Address Configuration

The DNS Settings parameter is designed for easier configuration on the client's side. When this value is set to get from operator, the router will attempt to automatically obtain the IP addresses of the primary and secondary DNS servers from the mobile network carrier. To specify the IP addresses of the Primary DNS servers manually, select the value set manually on the DNS Server pull-down list. You can also fill in the IPv4 or IPv6 address of the DNS server (or both) based on the IP Mode option.

4.3.3 Check Connection to Mobile Network

Enabling the Check Connection function for mobile networks is necessary for uninterrupted and continuous operation of the router.
If the Check Connection item is set to enabled or enabled + bind, the router will send ping requests to the domain or IP address configured in Ping IP Address or Ping IPv6 Address at the regular time interval set in Ping Interval. In case of an unsuccessful ping, a new ping will be sent after the Ping Timeout. If the ping is unsuccessful three times in a row, the router will terminate the cellular connection and attempt to establish a new one. This monitoring function can be set for both SIM cards separately, but runs on the active SIM only at a given time. Be sure to configure a functional address as the destination for the ping, for example the IP address of the operator's DNS server.

If the Check Connection item is set to enabled, the ping requests are sent on the basis of the routing table. Therefore, the requests may be sent through any available interface. If you require each ping request to be sent through the network interface which was created when establishing the connection to the mobile operator, it is necessary to set Check Connection to enabled + bind. The disabled option deactivates checking of the connection to the mobile network.

A note for routers connected to the Verizon carrier (detected by the router): The retry interval for connecting to the mobile network prolongs with more retries. The first two retries are done after 1 minute. Then the interval prolongs to 2, 8 and 15 minutes. The ninth and every further retry is done at a 90 minute interval.

If the Enable Traffic Monitoring item is checked, the router will monitor the Mobile WAN traffic without sending the ping requests. If there is no traffic, the router will start sending the ping requests.

Ping IP Address
  Specifies the ping queries' destination IPv4 address or domain name. Available in IPv4 and IPv4/IPv6 IP Mode.
Ping IPv6 Address
  Specifies the ping queries' destination IPv6 address or domain name.
  Available in IPv6 and IPv4/IPv6 IP Mode.
Ping Interval
  Specifies the time interval between outgoing pings.
Ping Timeout
  Time in seconds to wait for a Ping response.

Table 22: Check Connection to Mobile Network Configuration

4.3.4 Check Connection Example

The figure below displays the following scenario: the connection to the mobile network in IPv4 IP Mode is checked against the address 8.8.8.8 with a time interval of 60 seconds for the first SIM card and against the address www.google.com with a time interval of 80 seconds for the second SIM card (for the active SIM only). Because the Enable traffic monitoring option is enabled, the control pings are not sent, but the data stream is monitored. The ping will be sent if the data stream is interrupted.

Figure 24: Check Connection Example

4.3.5 Data Limit Configuration

If the parameter Data Limit State (see below) is set to not applicable or Send SMS when data limit is exceeded in SMS Configuration is not selected, the Data Limit set here will be ignored.

4.3.6 Switch between SIM Cards Configuration

In the lower part of the configuration form you can specify the rules for toggling between the two SIM cards. The router will automatically toggle between the SIM cards and their individual setups depending on the configuration settings specified here (manual permission, roaming, data limit, binary input state). Note that the SIM card selected for connection establishment is the result of the logical product (AND) of the configuration here (table below).

Data Limit
  Specifies the maximum expected amount of data transmitted (sent and received) over the mobile interface in one billing period (one month). The maximum value is 2 TB (2097152 MB).
Warning Threshold
  Specifies a percentage of the Data Limit in the range of 50 % to 99 %. If the given percentage of the data limit is exceeded, the router will send an SMS in the following form: Router has exceeded (value of Warning Threshold) of data limit.
Accounting Start
  Specifies the day of the month on which the billing cycle starts for a given SIM card. When the service provider that issued the SIM card specifies the start of the billing period, the router will begin to count the amount of data transferred starting on this day.

Table 23: Data Limit Configuration

SIM Card
  Enable or disable the use of a SIM card. If you set all the SIM cards to disabled, the entire cellular module is disabled.
  · enabled - It is possible to use the SIM card.
  · disabled - Never use the SIM card; the usage of this SIM is forbidden.
Roaming State
  Configure the use of SIM cards based on roaming. This roaming feature has to be activated for the SIM card on which it is enabled!
  · not applicable - It is possible to use the SIM card everywhere.
  · home network only - Only use the SIM card if roaming is not detected.
Data Limit State
  Configure the use of SIM cards based on the Data Limit set above:
  · not applicable - It is possible to use the SIM regardless of the limit.
  · not exceeded - Use the SIM card only if the Data Limit (set above) has not been exceeded.
BINx State
  Configure the use of SIM cards based on the state of binary input x, where x is the input number:
  · not applicable - It is possible to use the SIM regardless of the BINx state.
  · on - Only use the SIM card if the BINx state is logical 0 (voltage present).
  · off - Only use the SIM card if the BINx state is logical 1 (no voltage).

Table 24: Switch between SIM cards configuration

Use the following parameters to specify the decision making of SIM card switching in the cellular module.

Default SIM Card
  Specifies the module's default SIM card. The router will attempt to establish a connection to the mobile network using this default.
  · 1st - The 1st SIM card is the default one.
  · 2nd - The 2nd SIM card is the default one.
Initial State
  Specifies the action of the cellular module after the SIM card has been selected.
  · online - Establish a connection to the mobile network after the SIM card has been selected (default).
  · offline - Go to the off-line mode after the SIM card has been selected.
  Note: If offline, you can change this initial state by SMS message only; see SMS Configuration. The cellular module will also go into off-line mode if none of the SIM cards is selected.
Switch to other SIM card when connection fails
  Applicable only when the connection is established on the default SIM card and then fails. If the connection failure is detected by the Check Connection feature above, the router will switch to the backup SIM card.
Switch to default SIM card after timeout
  If enabled, after the timeout the router will attempt to switch back to the default SIM card. This applies only when there is a default SIM card defined and the backup SIM is selected because of a failure of the default one or if roaming settings cause the switch. This feature is available only when Switch to other SIM card when connection fails is enabled.
Initial Timeout
  Specifies the length of time that the router waits before the first attempt to revert to the default SIM card. The range of this parameter is from 1 to 10000 minutes.
Subsequent Timeout
  Specifies the length of time that the router waits after an unsuccessful attempt to revert to the default SIM card. The range is from 1 to 10000 minutes.
Additive Constant
  Specifies the length of time that the router waits for any further attempts to revert to the default SIM card. This length of time is the sum of the time specified in the Subsequent Timeout parameter and the time specified in this parameter. The range of this parameter is from 1 to 10000 minutes.
Table 25: Parameters for SIM card switching

4.3.7 Examples of SIM Card Switching Configuration

Example 1: Timeout Configuration

Mark the Switch to default SIM card after timeout check box, and fill in the following values:

Figure 25: Configuration for SIM card switching Example 1

The first attempt to change to the default SIM card is carried out after 60 minutes. When the first attempt fails, a second attempt is made after 30 minutes. A third attempt is made after 50 minutes (30+20). A fourth attempt is made after 70 minutes (30+20+20).

Example 2: Data Limit Switching

The following configuration illustrates a scenario in which the router changes to the second SIM card after exceeding the data limit of 800 MB on the first (default) SIM card. The router sends an SMS upon reaching 400 MB (this setting has to be enabled on the SMS Configuration page). The accounting period starts on the 18th day of the month.

Figure 26: Configuration for SIM card switching Example 2

4.3.8 PPPoE Bridge Mode Configuration

If you mark the Enable PPPoE bridge mode check box, the router activates the PPPoE bridge protocol. PPPoE (Point-to-Point Protocol over Ethernet) is a network protocol for encapsulating Point-to-Point Protocol (PPP) frames inside Ethernet frames. The bridge mode allows you to create a PPPoE connection from a device behind the router, for example a PC connected to the ETH port of the router. You assign the IP address of the SIM card to the PC. The changes in settings will apply after clicking the Apply button.

4.4 PPPoE Configuration

PPPoE (Point-to-Point Protocol over Ethernet) is a network protocol which encapsulates PPP frames into Ethernet frames. The router uses the PPPoE client to connect to devices supporting a PPPoE bridge or server. The bridge or server is typically an ADSL router. To open the PPPoE Configuration page, select the PPPoE menu item.
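The SIM-selection rule of Table 24 (the logical AND of SIM Card, Roaming State, Data Limit State and BINx State), the Warning Threshold of Table 23 and the revert schedule of Table 25 as used in Examples 1 and 2, modelled here as an added example; this is not Advantech firmware code, and the class and function names are this example's own.

```python
"""Model of the ICR-4400 SIM switching rules (Tables 23 to 25) as an added example.
Not Advantech firmware code; all names below are this example's own."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_DATA_LIMIT_MB = 2_097_152      # 2 TB, the maximum Data Limit (Table 23)
TIMEOUT_RANGE_MIN = (1, 10_000)    # valid range of the three timeout parameters (Table 25)


@dataclass
class SimRules:
    """One SIM card's column of Table 24, plus the Data Limit of Table 23."""
    sim_card: str = "enabled"                 # "enabled" | "disabled"
    roaming_state: str = "not applicable"     # "not applicable" | "home network only"
    data_limit_state: str = "not applicable"  # "not applicable" | "not exceeded"
    bin_states: Dict[int, str] = field(default_factory=dict)  # {x: "not applicable"|"on"|"off"}
    data_limit_mb: int = 0                    # Data Limit in MB for this SIM


@dataclass
class SimStatus:
    """Observed conditions the rules are evaluated against (constructed test inputs)."""
    roaming_detected: bool = False
    data_used_mb: int = 0
    bin_voltage: Dict[int, bool] = field(default_factory=dict)  # True = voltage present (logical 0)


def sim_usable(rules: SimRules, status: SimStatus) -> bool:
    """Logical AND of the Table 24 conditions: every configured rule must allow the SIM."""
    if rules.sim_card != "enabled":
        return False
    if rules.roaming_state == "home network only" and status.roaming_detected:
        return False
    if rules.data_limit_state == "not exceeded" and status.data_used_mb > rules.data_limit_mb:
        return False
    for x, wanted in rules.bin_states.items():
        present = status.bin_voltage.get(x, False)
        if wanted == "on" and not present:   # "on": use only while voltage is present
            return False
        if wanted == "off" and present:      # "off": use only while no voltage is present
            return False
    return True


def select_sim(default: int, rules: Dict[int, SimRules],
               status: Dict[int, SimStatus]) -> Optional[int]:
    """SIM the module will try: the default first, then the other one.
    None means no SIM is selectable and the module goes off-line."""
    order = [default] + [n for n in sorted(rules) if n != default]
    for n in order:
        if sim_usable(rules[n], status[n]):
            return n
    return None


def revert_schedule(initial: int, subsequent: int, additive: int, attempts: int) -> List[int]:
    """Minutes to wait before each attempt to switch back to the default SIM (Table 25):
    Initial Timeout first, then Subsequent Timeout, then the previous wait plus
    Additive Constant, as in Example 1 (60, 30, 50, 70)."""
    lo, hi = TIMEOUT_RANGE_MIN
    for name, value in (("Initial Timeout", initial), ("Subsequent Timeout", subsequent),
                        ("Additive Constant", additive)):
        if not lo <= value <= hi:
            raise ValueError(f"{name} must be {lo} to {hi} minutes, got {value}")
    waits: List[int] = []
    for i in range(attempts):
        if i == 0:
            waits.append(initial)
        elif i == 1:
            waits.append(subsequent)
        else:
            waits.append(waits[-1] + additive)
    return waits


def warning_sms_due(used_mb: int, limit_mb: int, threshold_pct: int) -> bool:
    """True once usage reaches the Warning Threshold percentage (50 to 99 %) of the Data Limit."""
    if not 50 <= threshold_pct <= 99:
        raise ValueError("Warning Threshold must be 50 to 99 %")
    if not 0 < limit_mb <= MAX_DATA_LIMIT_MB:
        raise ValueError("Data Limit must be between 1 MB and 2 TB")
    return used_mb * 100 >= limit_mb * threshold_pct


if __name__ == "__main__":
    # Example 2 of section 4.3.7: SIM 1 (default) limited to 800 MB, warning SMS at 400 MB (50 %).
    rules = {1: SimRules(data_limit_state="not exceeded", data_limit_mb=800), 2: SimRules()}
    status = {1: SimStatus(data_used_mb=850), 2: SimStatus()}
    print("SIM selected:", select_sim(1, rules, status))
    print("Revert waits (Example 1):", revert_schedule(60, 30, 20, 4))
    print("Warning SMS due at 400 MB:", warning_sms_due(400, 800, 50))
```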
If you mark the Create PPPoE connection check box, then the router attempts to establish a PPPoE connection after boot up. After connecting, the router obtains the IP address of the device to which it is connected. The communication from a device behind the PPPoE server is forwarded to the router.

Figure 27: PPPoE Configuration

Username
  Username for secure access to PPPoE.
Password
  Password for secure access to PPPoE. Enter valid characters only, see chap. 2.3!
Authentication
  Authentication protocol in the GSM network.
  · PAP or CHAP - The router selects the authentication method.
  · PAP - The router uses the PAP authentication method.
  · CHAP - The router uses the CHAP authentication method.
IP Mode
  Specifies the version of the IP protocol:
  · IPv4 - IPv4 protocol is used only (default).
  · IPv6 - IPv6 protocol is used only.
  · IPv4/IPv6 - IPv4 and IPv6 dual stack is enabled.
MRU
  Specifies the Maximum Receive Unit. The MRU identifies the maximum packet size that the router can receive via PPPoE. The default value is 1492 B (bytes). Other settings can cause incorrect data transmission. The minimal value in IPv4 and IPv4/IPv6 mode is 128 B. The minimal value in IPv6 mode is 1280 B.
MTU
  Specifies the Maximum Transmission Unit. The MTU identifies the maximum packet size that the router can transfer in a given environment. The default value is 1492 B (bytes). Other settings can cause incorrect data transmission. The minimal value in IPv4 and IPv4/IPv6 mode is 128 B. The minimal value in IPv6 mode is 1280 B.
DNS Settings
  Can be set to obtain the DNS address from the server or to set it manually.
DNS IP Address
  Manual setting of the DNS address.
DNS IP Address
  Manual setting of the IPv6 DNS address.
Interface
  Select an Ethernet interface.
VLAN Tagging
  Select yes to turn on VLAN tagging.
VLAN ID
  Set the ID for VLAN tagging. The range is from 1 to 1000.
Table 26: PPPoE configuration

Setting an incorrect packet size value (MRU, MTU) can cause unsuccessful transmission.

4.5 WiFi Access Point Configuration

This item is available only if the router is equipped with a WiFi module. Configuration of two separate WLANs (Multiple SSIDs) is supported. Multi-role mode, which allows the router to operate as an access point (AP) and a station (STA) simultaneously, is supported. The multichannel mode is supported as well, so the AP and the STA can operate on different channels.

RADIUS (Remote Authentication Dial-In User Service), a networking protocol that provides centralized Authentication, Authorization and Accounting (AAA) management for users, is supported on WiFi. The router can be a RADIUS client only (not the server), typically as a WiFi AP (Access Point) negotiating with the RADIUS server.

Activate WiFi access point mode by checking the Enable WiFi AP box at the top of the Configuration -> WiFi -> Access Point 1 or Access Point 2 configuration pages. In this mode the router becomes an access point to which other devices in station (STA) mode can connect. You may set the properties listed in the table below.

Enable WiFi AP
  Enable WiFi access point (AP).
IP Address
  A fixed IP address of the WiFi interface. Use IPv4 notation in the IPv4 column and IPv6 notation in the IPv6 column. Shortened IPv6 notation is supported.
Subnet Mask / Prefix
  Specifies a Subnet Mask for the IPv4 address. In the IPv6 column, fill in the Prefix for the IPv6 address, a number in the range 0 to 128.
Bridged
  Activates bridge mode:
  · no - Bridged mode is not allowed (default value). The WLAN network is not connected with the LAN network of the router.
  · yes - Bridged mode is allowed. The WLAN network is connected with one or more LAN networks of the router. In this case, the settings of most items in this table are ignored. Instead, the router uses the settings of the selected network interface (LAN).
Enable dynamic DHCP leases
  Enable dynamic allocation of IP addresses using the DHCP (DHCPv6) server.
IP Pool Start
  Beginning of the range of IP addresses which will be assigned to DHCP clients. Use proper notation in the IPv4 and IPv6 columns.
IP Pool End
  End of the range of IP addresses which will be assigned to DHCP clients. Use proper notation in the IPv4 and IPv6 columns.
Lease Time
  Time in seconds for which the client may use the IP address.
Enable IPv6 prefix delegation
  Enables the prefix delegation configuration filled in below.
Subnet ID
  The decimal value of the Subnet ID of the Ethernet interface. The maximum value depends on the Subnet ID Width.
Subnet ID Width
  The maximum Subnet ID Width depends on your Site Prefix; it is the remainder up to 64 bits.
SSID
  The unique identifier of the WiFi network.
Broadcast SSID
  Method of broadcasting the unique identifier of the SSID network in the beacon frame and type of response to a request for sending the beacon frame.
  · Enabled - The SSID is broadcast in the beacon frame.
  · Zero length - The beacon frame does not include the SSID. Requests for sending the beacon frame are ignored.
  · Clear - All SSID characters in beacon frames are replaced by 0. The original length is kept. Requests for sending beacon frames are ignored.
SSID Isolation
  When enabled, by choosing a zone, a WiFi client connected to this Access Point is not able to communicate with another WiFi client connected to another Access Point that has another zone selected. This client can still communicate with a client connected to the same Access Point, unless Client Isolation is enabled.
Client Isolation
  If checked, the access point will isolate every connected client so they do not see each other (they are in different networks; they cannot ping each other). If unchecked, the access point behaves like a switch, but wireless: the clients are in the same LAN and can see each other.
WMM
  Basic QoS for WiFi networks is enabled by checking this item. This version does not guarantee network throughput. It is suitable for simple applications that require QoS.
Country Code
  This option is not available for NAM routers; the "US" country code is set by default on these versions of the router. Code of the country where the router is installed. This code must be entered in ISO 3166-1 alpha-2 format. If a country code is not specified and the router has not implemented a system to determine this code, it will use "US" as the default country code. If no country code is specified or if the wrong country code is entered, the router may violate country-specific regulations for the use of WiFi frequency bands.
HW Mode
  HW mode of the WiFi standard that will be supported by the WiFi access point.
  · IEEE 802.11b (2.4 GHz)
  · IEEE 802.11b+g (2.4 GHz)
  · IEEE 802.11b+g+n (2.4 GHz)
  · IEEE 802.11a (5 GHz)
  · IEEE 802.11a+n (5 GHz)
  · IEEE 802.11ac (5 GHz)
Channel
  The channel on which the WiFi AP is transmitting. Supported 2.4 GHz channels: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13. On NAM routers only channels 1 to 11 are supported! Supported 5 GHz channels: 36, 38, 40, 42, 44, 46, 48, 149, 153, 157, 161, 165.
Bandwidth
  The option for HW mode 802.11n which allows you to choose the bandwidth. If the 40 MHz channel is occupied, for 802.11bgn mode the 20 MHz channel is used instead.
Short GI
  The option for HW mode 802.11n which allows you to enable the short guard interval (GI) of 400 ns instead of 800 ns.
Authentication
  Access control and authorization of users in the WiFi network.
  · Open - Authentication is not required (free access point).
  · Shared - Basic authentication using a WEP key.
  · WPA-PSK - Authentication using the pre-shared key (PSK) method.
  · WPA2-PSK - WPA2-PSK using newer AES encryption.
  · WPA3-PSK - WPA3-PSK using newer AES encryption.
  · WPA-Enterprise - RADIUS authentication done by an external server via username and password.
  · WPA2-Enterprise - RADIUS authentication with better encryption.
  · WPA3-Enterprise - RADIUS authentication with better encryption.
  · 802.1X - RADIUS authentication with port-based Network Access Control (PNAC) using encapsulation of the Extensible Authentication Protocol (EAP) over LAN (EAPOL).
Encryption
  Type of data encryption in the WiFi network:
  · None - No data encryption.
  · WEP - Encryption using static WEP keys. This encryption can be used for Shared authentication.
  · TKIP - Dynamic encryption key management that can be used for WPA-PSK and WPA2-PSK authentication.
  · AES - Improved encryption used for WPA2-PSK authentication.
WEP Key Type
  Type of WEP key for WEP encryption:
  · ASCII - WEP key in ASCII format.
  · HEX - WEP key in hexadecimal format.
WEP Default Key
  This specifies the default WEP key.
WEP Key 1-4
  Allows entry of four different WEP keys:
  · A WEP key in ASCII format must be entered in quotes. This key can be specified in the following lengths:
    5 ASCII characters (40b WEP key)
    13 ASCII characters (104b WEP key)
    16 ASCII characters (128b WEP key)
  · A WEP key in hexadecimal format must be entered in hexadecimal digits. This key can be specified in the following lengths:
    10 hexadecimal digits (40b WEP key)
    26 hexadecimal digits (104b WEP key)
    32 hexadecimal digits (128b WEP key)
WPA PSK Type
  The possible key options for WPA-PSK authentication.
  · 256-bit secret
  · ASCII passphrase
  · PSK File
WPA PSK
  Key for WPA-PSK authentication.
  This key must be entered according to the selected WPA PSK type as follows:
  · 256-bit secret - 64 hexadecimal digits
  · ASCII passphrase - 8 to 63 characters
  · PSK File - absolute path to the file containing the list of pairs (PSK key, MAC address)
RADIUS Auth Server IP
  IPv4 or IPv6 address of the RADIUS server. Only with one of the RADIUS authentications selected.
RADIUS Auth Password
  RADIUS server access password. Only with one of the RADIUS authentications selected.
RADIUS Auth Port
  RADIUS server port. The default is 1812. Only with one of the RADIUS authentications selected.
RADIUS Acct Server IP
  IPv4 or IPv6 address of the RADIUS accounting server. Define only if different from the authentication and authorization server. Only with one of the RADIUS authentications selected.
RADIUS Acct Password
  Access password of the RADIUS accounting server. Define only if different from the authentication and authorization server. Only with one of the RADIUS authentications selected.
RADIUS Acct Port
  RADIUS accounting server port. The default is 1813. Define only if different from the authentication and authorization server. Only with one of the RADIUS authentications selected.
Access List
  Mode of the Accept/Deny list.
  · Disabled - The Accept/Deny list is not used.
  · Accept - Clients in the Accept/Deny list can access the network.
  · Deny - Clients in the Accept/Deny list cannot access the network.
Accept/Deny List
  Accept or Deny list of client MAC addresses that sets network access. Each MAC address is separated by a new line.
Syslog Level
  Logging level at which the system writes to the system log.
  · Verbose debugging - The highest level of logging.
  · Debugging
  · Informational - Default level of logging.
  · Notification
  · Warning - The lowest level of system communication.
Extra options
  Allows the user to define additional parameters.
Table 27: WiFi Configuration

Figure 28: WiFi Access Point Configuration

4.6 WiFi Station Configuration

This item is available only if the router is equipped with a WiFi module. The WiFi module supports multi-role mode, which allows it to operate as an access point (AP) and a station (STA) simultaneously. Multichannel mode is not supported, so the AP and the STA must operate on the same channel.

Activate WiFi station mode by checking the Enable WiFi STA box at the top of the Configuration -> WiFi -> Station configuration page. In this mode the router becomes a client station. It will receive data packets from the available access point (AP) and send data from the cable connection via the WiFi network. You may set the properties listed in the table below.

In WiFi STA mode, only the authentication methods EAP-PEAP/MSCHAPv2 (both PEAPv0 and PEAPv1) and EAP-TLS are supported.

Enable WiFi STA: Enable WiFi station (STA).
DHCP Client: Activates/deactivates the DHCP client. If in the IPv6 column, the DHCPv6 client is enabled.
IP Address: A fixed IP address of the WiFi interface. Use IPv4 notation in the IPv4 column and IPv6 notation in the IPv6 column. Shortened IPv6 notation is supported.
Subnet Mask / Prefix: Specifies a subnet mask for the IPv4 address. In the IPv6 column, fill in the prefix length for the IPv6 address, a number in the range 0 to 128.
Default Gateway: Specifies the IP address of a default gateway. If filled in, every packet with a destination not found in the routing table is sent there. Use the proper IP address notation in the IPv4 and IPv6 columns.
DNS Server: Specifies the IP address of the DNS server. When an IP address is not found in the Routing Table, this DNS server is requested. Use the proper IP address notation in the IPv4 and IPv6 columns.
SSID: The unique identifier of the WiFi network.
Probe Hidden SSID: Probes hidden SSIDs.
Country Code: This option is not available for NAM routers; the "US" country code is set by default on these versions of the router.
Code of the country where the router is installed. This code must be entered in ISO 3166-1 alpha-2 format. If a country code isn't specified and the router has not implemented a system to determine this code, it will use "US" as the default country code. If no country code is specified or the wrong country code is entered, the router may violate country-specific regulations for the use of WiFi frequency bands.
Authentication: Access control and authorization of users in the WiFi network.
· Open: Authentication is not required (free access point).
· Shared: Basic authentication using a WEP key.
· WPA-PSK: Authentication using the higher authentication method WPA-PSK.
· WPA2-PSK: WPA2-PSK using newer AES encryption.
· WPA3-PSK: WPA3-PSK using newer AES encryption.
· WPA-Enterprise: RADIUS authentication done by an external server via username and password.
· WPA2-Enterprise: RADIUS authentication with better encryption.
· WPA3-Enterprise: RADIUS authentication with better encryption.
· 802.1X: RADIUS authentication with port-based Network Access Control (PNAC) using encapsulation of the Extensible Authentication Protocol (EAP) over LAN (EAPOL).
Encryption: Type of data encryption in the WiFi network:
· None: No data encryption.
· WEP: Encryption using static WEP keys. This encryption can be used for Shared authentication.
· TKIP: Dynamic encryption key management that can be used for WPA-PSK and WPA2-PSK authentication.
· AES: Improved encryption used for WPA2-PSK authentication.
WEP Key Type: Type of WEP key for WEP encryption:
· ASCII: WEP key in ASCII format.
· HEX: WEP key in hexadecimal format.
WEP Default Key: Specifies the default WEP key.
WEP Key 1-4: Allows entry of four different WEP keys:
· A WEP key in ASCII format must be entered in quotes. It can have one of the following lengths: 5 ASCII characters (40-bit WEP key), 13 ASCII characters (104-bit WEP key) or 16 ASCII characters (128-bit WEP key).
· A WEP key in hexadecimal format must be entered as hexadecimal digits. It can have one of the following lengths: 10 hexadecimal digits (40-bit WEP key), 26 hexadecimal digits (104-bit WEP key) or 32 hexadecimal digits (128-bit WEP key).
WPA PSK Type: The possible key options for WPA-PSK authentication:
· 256-bit secret
· ASCII passphrase
· PSK File
WPA PSK: Key for WPA-PSK authentication. This key must be entered according to the selected WPA PSK Type as follows:
· 256-bit secret: 64 hexadecimal digits
· ASCII passphrase: 8 to 63 characters
· PSK File: absolute path to the file containing the list of pairs (PSK key, MAC address)
RADIUS EAP Authentication: Type of authentication protocol (EAP-PEAP/MSCHAPv2 or EAP-TLS).
RADIUS CA Certificate: Definition of the CA certificate for the EAP-TLS authentication protocol.
RADIUS Local Certificate: Definition of the local certificate for the EAP-TLS authentication protocol.
RADIUS Local Private Key: Definition of the local private key for the EAP-TLS authentication protocol.
RADIUS Identity: RADIUS user name identity. Only with one of the RADIUS authentications selected.
RADIUS Password: RADIUS access password. Only with one of the RADIUS authentications selected.
Syslog Level: Logging level at which the system writes to the system log.
· Verbose debugging: The highest level of logging.
· Debugging
· Informational: Default level of logging.
· Notification
· Warning: The lowest level of logging.
Extra options: Allows the user to define additional parameters.

Table 28: WLAN Configuration

All changes in settings will apply after pressing the Apply button.
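The key-format rules from Tables 27 and 28 (WEP key lengths, WPA PSK types) are easy to get wrong in the form, and the weak modes the tables list (Open, Shared, WEP, TKIP) are worth flagging during a configuration review. The following checker is an added example written for this section, not Advantech code; the function names and the set of "strong" modes are the author's own choices.

```python
"""Check ICR-4400 WiFi key fields against the rules in Tables 27/28.

Added example, not Advantech code. It validates the key formats the
manual lists (WEP ASCII/HEX lengths, WPA PSK types) and flags settings a
defender would not leave enabled (Open, Shared, WEP, TKIP, first-generation WPA).
"""
import re
from typing import List, Optional

# Key lengths from the manual: ASCII characters / hex digits -> WEP key size in bits
WEP_ASCII_BITS = {5: 40, 13: 104, 16: 128}
WEP_HEX_BITS = {10: 40, 26: 104, 32: 128}
# Authentication modes considered acceptable for a new deployment (author's choice)
STRONG_AUTH = {"WPA2-PSK", "WPA3-PSK", "WPA2-Enterprise", "WPA3-Enterprise", "802.1X"}


def wep_key_bits(key: str, key_type: str) -> Optional[int]:
    """WEP key size in bits for a valid key, None if the length or format is wrong."""
    if key_type == "ASCII":
        # the form expects ASCII keys in quotes; strip them before counting
        if len(key) >= 2 and key[0] == key[-1] == '"':
            key = key[1:-1]
        return WEP_ASCII_BITS.get(len(key))
    if key_type == "HEX":
        if re.fullmatch(r"[0-9A-Fa-f]+", key):
            return WEP_HEX_BITS.get(len(key))
        return None
    raise ValueError(f"unknown WEP key type {key_type!r}")


def check_wpa_psk(psk_type: str, value: str) -> Optional[str]:
    """Return an error message if the WPA PSK does not fit the selected WPA PSK Type."""
    if psk_type == "256-bit secret":
        if not re.fullmatch(r"[0-9A-Fa-f]{64}", value):
            return "256-bit secret must be exactly 64 hexadecimal digits"
    elif psk_type == "ASCII passphrase":
        if not value.isascii() or not 8 <= len(value) <= 63:
            return "ASCII passphrase must be 8 to 63 ASCII characters"
    elif psk_type == "PSK File":
        if not value.startswith("/"):
            return "PSK File must be an absolute path on the router"
    else:
        return f"unknown WPA PSK type {psk_type!r}"
    return None


def audit_wifi(auth: str, encryption: str) -> List[str]:
    """Findings for an Authentication/Encryption pair; an empty list means acceptable."""
    findings = []
    if auth in ("Open", "Shared") or encryption in ("None", "WEP"):
        findings.append("Open/Shared/WEP or no encryption gives no real protection; use WPA2 or WPA3")
    if encryption == "TKIP":
        findings.append("TKIP is a legacy cipher; select AES")
    if auth == "WPA-PSK":
        findings.append("first-generation WPA should be replaced by WPA2-PSK or WPA3-PSK")
    if auth in STRONG_AUTH and encryption != "AES":
        findings.append(f"{auth} should be combined with AES encryption")
    return findings


if __name__ == "__main__":
    # constructed sample values, not from the manual
    print(wep_key_bits('"abcde"', "ASCII"), wep_key_bits("0123456789", "HEX"))
    print(check_wpa_psk("ASCII passphrase", "short"))
    print(audit_wifi("Shared", "WEP"), audit_wifi("WPA3-PSK", "AES"))
```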
Figure 29: WiFi Station Configuration

4.7 Backup Routes

Using the configuration form on the Backup Routes page (see Figure 30), you can back up the primary connection with alternative connections to the Internet (mobile network) or enable Multiple WANs mode. It is also possible to prioritize each backup connection option. Switching between connections is carried out according to the order of priority and the state of the connections.

Enable backup routes switching: The default route is selected according to the settings below. If disabled (unchecked), the backup routes system operates in backward compatibility mode based on the default priorities of the network interfaces (listed below).
Mode:
· Single WAN: The default mode. Only one interface is used for WAN communication at a time. Other interfaces are used for WAN when the preferred interface fails, based on the priorities set.
· Multiple WANs: Multiple interfaces can be used for the WAN connection. When WAN communication is received via multiple interfaces, the same interface is used for the reply, therefore the traffic stays on the given interface. The set priorities are used when transmitting data from the router or from the network behind the router; the highest-priority interface is used for these transmissions.
· Load Balancing: In this mode, a weight can be set for every interface. This setting determines the relative number of data streams going through the interfaces. Note that this may not exactly match the amount of data; it depends strongly on the number of streams and the structure of the data.

Table 29: Backup Route Modes

Please note that the weight setting for load balancing may not exactly match the amount of balanced data. It depends on the number of data flows and the structure of the data. The best balancing result is achieved for a high number of data flows.
To add network interfaces to the backup routes system, mark the checkbox(es) for some of the following interface options: Enable backup routes switching for Mobile WAN, Enable backup routes switching for PPPoE, Enable backup routes switching for WiFi STA, Enable backup routes switching for ETH0, Enable backup routes switching for ETH1 or Enable backup routes switching for ETH2. Enabled interfaces are then used for WAN access either in Single WAN mode (only one interface at a time) or in Multiple WANs mode (multiple interfaces at a time), based on the priorities set.

If you want to use a mobile WAN connection as a backup route, you must choose the enable + bind option in the Check Connection item on the Mobile WAN page and fill in the ping address. See chapter 4.3.1.

The settings that can be made for an interface are described in the table below.

Priority: Priority for the type of connection (network interface).
Ping IP Address: Destination IPv4 address or domain name of the ping queries used to check the connection.
Ping IPv6 Address: Destination IPv6 address or domain name of the ping queries used to check the connection.
Ping Interval: The time interval between consecutive ping queries.
Ping Timeout: Time in seconds to wait for a response to the ping.
Weight: Weight for the Load Balancing mode only. A number from 1 to 256 determines the load-balancing ratio of the interface. For example, if two interfaces both have the weight set to 1, the ratio is 50% to 50%. If they have the weights 1 and 4, the ratio is 20% to 80%.

Table 30: Backup Routes

Network interfaces belonging to individual backup routes are also checked before use for flags which indicate the state of the interface (e.g. RUNNING on the Network Status page). This detects, for example, the disconnection of an Ethernet cable. You can fill in one or both Ping IP Addresses (IPv4 and IPv6) based on the IP protocol used on the particular network interface and the WAN connection settings.
IPv4 and IPv6 are implemented as a dual stack in the router. Any changes made to settings will be applied after pressing the Apply button.

4.7.1 Default Priorities for Backup Routes

If the Enable backup routes switching check box is unchecked, the backup routes system operates in backward compatibility mode. The router selects the route based on the default priorities of the enabled settings for each of the network interfaces, enabling the appropriate services that comply with these network interfaces. The following list contains the names of the backup routes and the corresponding network interfaces in order of default priority:

· Mobile WAN (pppX, usbX)
· PPPoE (ppp0)
· WiFi STA (wlan0)
· ETH1 (eth1)
· ETH2 (eth2)
· ETH0 (eth0)

Example of default priorities: The Backup Routes function is disabled. The router selects ETH1 as the default route only if you unmark the Create connection to mobile network check box on the Mobile WAN page, unmark the Create PPPoE connection check box on the PPPoE page and unmark Enable WiFi STA on the WiFi -> Station page. To select ETH0, delete the IP address from the ETH1 page and disable the DHCP Client for ETH1.

Note: Consider that there is a concept of variable WAN and LAN interfaces even if the Backup Routes are not enabled. A situation may occur where an interface intended as LAN becomes the WAN interface (because of specified or default priorities). Communication from the WAN interface to the LAN interface can then be blocked depending on the NAT and Firewall Configuration.

Figure 30: Backup Routes Configuration

4.8 Static Routes

Static routes can be specified on the Static Routes configuration page. A static route provides a fixed routing path through the network. It is manually configured on the router and must be updated if the network topology has changed. Static routes are private routes unless they are redistributed by a routing protocol.
There are two forms, one for IPv4 and the second for IPv6 configuration. The static routes configuration form for IPv4 is shown in Figure 31.

Figure 31: Static Routes Configuration

The description of all items is listed in Table 31.

Enable IPv4 static routes: If checked, static routing functionality is enabled. Only routes enabled by the checkbox in the first column of the table are active.
Destination Network: The destination IP address of the remote network or host to which you want to assign a static route.
Mask or Prefix Length: The subnet mask of the remote network or host IP address.
Gateway: IP address of the gateway device that allows contact between the router and the remote network or host.
Metric: Metric definition, meaning a numeric rating of the priority of the route in the routing table. Routes with lower metrics have higher priority.
Interface: Select the interface the remote network or host is on.

Table 31: Static Routes Configuration for IPv4

4.9 Firewall Configuration

The first security element for incoming packets is a check of the enabled source IP addresses and destination ports. There are independent IPv4 and IPv6 firewalls since a dual IPv4 and IPv6 stack is implemented in the router. If you click the Firewall item in the Configuration menu on the left, it will expand to IPv4 and IPv6 options; click IPv6 to enable and configure the IPv6 firewall, see the figure below. The configuration fields have the same meaning in the IPv4 Firewall Configuration and IPv6 Firewall Configuration forms.

Figure 32: Firewall Configuration, IPv6 Firewall

You can specify the rules for IP addresses, protocols and ports to allow or deny access to the router and the internal network connected behind the router. To enable this function, tick the Enable filtering of incoming packets check box located at the top of the IPv4 (IPv6) Firewall Configuration page. Accessibility is checked against the IP address table.
This means that access is permitted only to addresses allowed in the table. It is possible to specify up to sixteen rules. You can specify the following parameters:

Source: IP address the rule applies to. Use an IPv4 address in IPv4 Firewall Configuration and an IPv6 address in IPv6 Firewall Configuration.
Protocol: Specifies the protocol the rule applies to:
· all: The rule applies to all protocols.
· TCP: The rule applies to the TCP protocol.
· UDP: The rule applies to the UDP protocol.
· GRE: The rule applies to the GRE protocol.
· ESP: The rule applies to the ESP protocol.
· ICMP/ICMPv6: The rule applies to the ICMP protocol. In IPv6 Firewall Configuration there is the ICMPv6 option.
Target Port(s): The port number range allowing access to the router. Enter the initial and final port numbers separated by a hyphen. A single static port is allowed as well.
Action: Specifies the type of action the router performs:
· allow: The router allows the packets to enter the network.
· deny: The router denies the packets from entering the network.
Description: Description of the rule.

Table 32: Filtering of Incoming Packets

The next section of the configuration form specifies the forwarding policy. If you unmark the Enable filtering of forwarded packets check box, then packets are automatically accepted. If you activate this function and a packet is addressed to another network interface, then the router sends the packet to the FORWARD chain. When the FORWARD chain accepts the packet and there is a rule for forwarding it, the router sends the packet. If no forwarding rule matches, the router drops the packet. It is possible to specify up to sixteen rules. This configuration form also contains a table for specifying the filter rules. It is possible to create a rule to allow data with the selected protocol by specifying only the protocol, or to create stricter rules by specifying values for source IP addresses, destination IP addresses, and ports.
Source: IP address the rule applies to. Use an IPv4 address in IPv4 Firewall Configuration and an IPv6 address in IPv6 Firewall Configuration.
Destination: Destination IP address the rule applies to. Use an IPv4 address in IPv4 Firewall Configuration and an IPv6 address in IPv6 Firewall Configuration.
Protocol: Specifies the protocol the rule applies to:
· all: The rule applies to all protocols.
· TCP: The rule applies to the TCP protocol.
· UDP: The rule applies to the UDP protocol.
· GRE: The rule applies to the GRE protocol.
· ESP: The rule applies to the ESP protocol.
· ICMP/ICMPv6: The rule applies to the ICMP protocol. In IPv6 Firewall Configuration there is the ICMPv6 option.
Target Port(s): The target port numbers. Enter the initial and final port numbers separated by a hyphen. A single static port is allowed as well.
Action: Specifies the type of action the router performs:
· allow: The router allows the packets to enter the network.
· deny: The router denies the packets from entering the network.
Description: Description of the rule.

Table 33: Forwarding Filtering

When you enable the Enable filtering of locally destined packets function, the router drops packets requesting an unsupported service. The packet is dropped automatically without any notification. As protection against DoS attacks, the Enable protection against DoS attacks option limits the number of allowed connections per second to five. A DoS attack floods the target system with meaningless requests.

4.9.1 Example of the IPv4 Firewall Configuration

The router allows the following access:
· From IP address 171.92.5.45 using any protocol.
· From IP address 10.0.2.123 using the TCP protocol on port 1000.
· From IP address 142.2.26.54 using the ICMP protocol.
· From IP address 142.2.26.54 using the TCP protocol on target ports from 1020 to 1040.

See the network topology and configuration form in the figures below.
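A model of the incoming-packet filter table (Table 32) and the four rules of the example above, as an added example that is not Advantech code: it validates a rule set the way the IPv4/IPv6 form constrains it (address family, protocol list, port syntax, sixteen-rule limit) and evaluates probe packets against it. Top-down first-match evaluation and the fourth example rule's protocol being TCP are assumptions; the default-deny result for unmatched packets follows the manual's statement that access is permitted only to addresses allowed in the table.

```python
"""Model of the ICR-4400 'Filtering of incoming packets' table (Table 32).

Added example, not Advantech code. Assumptions not stated in the manual:
rules are evaluated top-down and the first match decides; with filtering
enabled, a packet matching no rule is denied.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_RULES = 16                      # the form takes up to sixteen rules
PROTOCOLS = {"all", "TCP", "UDP", "GRE", "ESP", "ICMP", "ICMPv6"}
PORTED = {"TCP", "UDP"}             # the only listed protocols that carry port numbers


def parse_ports(spec: str) -> Optional[Tuple[int, int]]:
    """'1000' -> (1000, 1000); '1020-1040' -> (1020, 1040); '' -> None."""
    spec = spec.strip()
    if not spec:
        return None
    lo, sep, hi = spec.partition("-")
    lo_n = int(lo)
    hi_n = int(hi) if sep else lo_n
    if not 0 < lo_n <= hi_n <= 65535:
        raise ValueError(f"bad port range {spec!r}")
    return lo_n, hi_n


@dataclass
class Rule:
    source: str            # Source column: one IPv4 or IPv6 address
    protocol: str          # Protocol column
    ports: str = ""        # Target Port(s): 'N' or 'N-M', TCP/UDP only
    action: str = "allow"  # Action column: allow or deny
    description: str = ""


def validate_ruleset(rules: List[Rule], family: int) -> None:
    """Raise ValueError if the table would not be accepted by the IPv4/IPv6 form."""
    if len(rules) > MAX_RULES:
        raise ValueError(f"at most {MAX_RULES} rules, got {len(rules)}")
    for n, r in enumerate(rules, 1):
        if ipaddress.ip_address(r.source).version != family:
            raise ValueError(f"rule {n}: {r.source} is not an IPv{family} address")
        if r.protocol not in PROTOCOLS:
            raise ValueError(f"rule {n}: unknown protocol {r.protocol!r}")
        if r.protocol == ("ICMPv6" if family == 4 else "ICMP"):
            raise ValueError(f"rule {n}: ICMP/ICMPv6 must match the form's IP version")
        if r.action not in ("allow", "deny"):
            raise ValueError(f"rule {n}: action must be allow or deny")
        if parse_ports(r.ports) is not None and r.protocol not in PORTED:
            raise ValueError(f"rule {n}: ports given for port-less protocol {r.protocol}")


def is_allowed(rules: List[Rule], src: str, protocol: str,
               dport: Optional[int] = None) -> bool:
    """Decide whether an incoming packet passes the table (first match wins)."""
    src_ip = ipaddress.ip_address(src)
    for r in rules:
        if ipaddress.ip_address(r.source) != src_ip:
            continue
        if r.protocol != "all" and r.protocol != protocol:
            continue
        rng = parse_ports(r.ports)
        if rng is not None and (dport is None or not rng[0] <= dport <= rng[1]):
            continue
        return r.action == "allow"
    return False   # nothing matched: denied while filtering is enabled


# The four rules of section 4.9.1 (the fourth rule's protocol read as TCP).
EXAMPLE_RULES = [
    Rule("171.92.5.45", "all", description="any protocol"),
    Rule("10.0.2.123", "TCP", "1000"),
    Rule("142.2.26.54", "ICMP"),
    Rule("142.2.26.54", "TCP", "1020-1040"),
]

if __name__ == "__main__":
    validate_ruleset(EXAMPLE_RULES, 4)
    # constructed probe packets, not from the manual
    for probe in [("171.92.5.45", "UDP", 53), ("10.0.2.123", "TCP", 1001),
                  ("142.2.26.54", "TCP", 1030), ("198.51.100.7", "TCP", 22)]:
        print(probe, "allow" if is_allowed(EXAMPLE_RULES, *probe) else "deny")
```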
Figure 33: Topology for the IPv4 Firewall Configuration Example

Figure 34: IPv4 Firewall Configuration Example

4.10 NAT Configuration

To configure the address translation function, click on NAT in the Configuration section of the main menu. There are independent IPv4 and IPv6 NAT configurations since a dual IPv4 and IPv6 stack is implemented in the router. The NAT item in the menu on the left will expand to IPv4 and IPv6 options; click IPv6 to enable and configure IPv6 NAT, see the figure below. The configuration fields have the same meaning in the IPv4 NAT Configuration and IPv6 NAT Configuration forms.

The router actually uses Port Address Translation (PAT), which is a method of mapping a TCP/UDP port to another TCP/UDP port. The router modifies the information in the packet header as the packets traverse the router. This configuration form allows you to specify up to 16 PAT rules.

Public Port(s): The public port number range for NAT. Enter the initial and final port numbers separated by a hyphen. A single static port is allowed as well.
Private Port(s): The private port number range for NAT. Enter the initial and final port numbers separated by a hyphen. A single static port is allowed as well.
Type: Protocol type, TCP or UDP.
Server IPv4 address: In IPv4 NAT Configuration only. IPv4 address where the router forwards incoming data.
Server IPv6 address: In IPv6 NAT Configuration only. IPv6 address where the router forwards incoming data.
Description: Description of the rule.

Table 34: NAT Configuration

If you require more than sixteen NAT rules, insert the remaining rules into the Startup Script. The Startup Script dialog is located on the Scripts page in the Configuration section of the menu.
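For rule sets that overflow the sixteen-row NAT form, the following added example (not Advantech code) turns Table 34 rows into the iptables/ip6tables lines the manual gives for the Startup Script, with the chain names pre_nat and napt taken from the text. Port ranges, the size check between public and private ranges, and the bracketing of an IPv6 address that carries a port are the author's additions based on iptables/ip6tables syntax.

```python
"""Emit Startup Script lines for NAT rules beyond the sixteen the web form holds.

Added example, not Advantech code. It reproduces the command form the
manual gives for the Startup Script (chains pre_nat for IPv4, napt for
IPv6); the rule fields mirror Table 34. Range handling and the [addr]:port
form for IPv6 follow iptables/ip6tables syntax (author's assumption).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

FORM_RULES = 16   # rules 1..16 go into the NAT page; the rest into the Startup Script


@dataclass
class NatRule:
    public_ports: str    # Public Port(s): 'N' or 'N-M'
    private_ports: str   # Private Port(s): 'N' or 'N-M'
    proto: str           # Type: TCP or UDP
    server: str          # Server IPv4 / IPv6 address
    description: str = ""


def port_range(spec: str) -> Tuple[int, int]:
    """'81' -> (81, 81); '2000-2010' -> (2000, 2010)."""
    lo, sep, hi = spec.strip().partition("-")
    lo_n = int(lo)
    hi_n = int(hi) if sep else lo_n
    if not 0 < lo_n <= hi_n <= 65535:
        raise ValueError(f"bad port spec {spec!r}")
    return lo_n, hi_n


def nat_command(rule: NatRule) -> str:
    """One iptables/ip6tables line equivalent to a Table 34 row."""
    if rule.proto.upper() not in ("TCP", "UDP"):
        raise ValueError("Type must be TCP or UDP")
    pub_lo, pub_hi = port_range(rule.public_ports)
    prv_lo, prv_hi = port_range(rule.private_ports)
    if pub_hi - pub_lo != prv_hi - prv_lo:
        raise ValueError("public and private port ranges must be the same size")
    addr = ipaddress.ip_address(rule.server)
    if addr.version == 4:
        tool, chain, dest = "iptables", "pre_nat", str(addr)
    else:
        tool, chain, dest = "ip6tables", "napt", f"[{addr}]"   # brackets: IPv6 with port
    dport = str(pub_lo) if pub_lo == pub_hi else f"{pub_lo}:{pub_hi}"
    to_port = str(prv_lo) if prv_lo == prv_hi else f"{prv_lo}-{prv_hi}"
    return (f"{tool} -t nat -A {chain} -p {rule.proto.lower()} --dport {dport} "
            f"-j DNAT --to-destination {dest}:{to_port}")


def startup_script_lines(rules: List[NatRule]) -> List[str]:
    """Commands for the rules that do not fit into the web form (the 17th onwards)."""
    lines = []
    for n, rule in enumerate(rules[FORM_RULES:], FORM_RULES + 1):
        note = f"  # rule {n}" + (f": {rule.description}" if rule.description else "")
        lines.append(nat_command(rule) + note)
    return lines


# Constructed sample: 18 rules forwarding public ports 8000.. to port 80 on hosts
# 192.168.1.10.. (not a configuration from the manual).
SAMPLE_RULES = [NatRule(str(8000 + i), "80", "TCP", f"192.168.1.{10 + i}", f"host {i}")
                for i in range(18)]

if __name__ == "__main__":
    print(nat_command(NatRule("81", "80", "TCP", "192.168.1.2")))   # the manual's Example 2
    for line in startup_script_lines(SAMPLE_RULES):
        print(line)
```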
When creating your rules in the Startup Script, use this command for IPv4 NAT:

iptables -t nat -A pre_nat -p tcp --dport [PORT_PUBLIC] -j DNAT --to-destination [IPADDR]:[PORT_PRIVATE]

Enter the IP address [IPADDR], the public port number [PORT_PUBLIC] and the private port number [PORT_PRIVATE] in place of the square brackets. For IPv6 NAT use the ip6tables command with the same options:

ip6tables -t nat -A napt -p tcp --dport [PORT_PUBLIC] -j DNAT --to-destination [IP6ADDR]:[PORT_PRIVATE]

If you enable the following options and enter the port number, the router allows remote access to the router from the WAN (Mobile WAN) interface.

Figure 35: NAT IPv6 NAT Configuration

Enable remote HTTP access on port: This option sets the redirect from HTTP to HTTPS only (disabled in the default configuration).
Enable remote HTTPS access on port: If the field and port number are filled in, configuration of the router over the web interface is allowed (disabled in the default configuration).
Enable remote FTP access on port: Select this option to allow access to the router using FTP (disabled in the default configuration).
Enable remote SSH access on port: Select this option to allow access to the router using SSH (disabled in the default configuration).
Enable remote Telnet access on port: Select this option to allow access to the router using Telnet (disabled in the default configuration).
Enable remote SNMP access on port: Select this option to allow access to the router using SNMP (disabled in the default configuration).
Masquerade outgoing packets: Activates/deactivates the network address translation function.

Table 35: Remote Access Configuration

Enable remote HTTP access on port activates the redirect from HTTP to HTTPS only. The router doesn't allow the unsecured HTTP protocol to access the web configuration. To access the web configuration, always check the Enable remote HTTPS access on port item.
Never enable the HTTP item only to access the web configuration from the Internet (the configuration would not be accessible from the Internet). Always check the HTTPS item, or the HTTPS and HTTP items together (to set the redirect from HTTP).

Use the following parameters to set the routing of incoming data from the WAN (Mobile WAN) to a connected computer.

Send all remaining incoming packets to default server: Activates/deactivates forwarding of unmatched incoming packets to the default server. The prerequisite for the function is that you specify a default server in the Default Server IPv4/IPv6 Address field. The router can forward incoming data from a mobile WAN to a computer with the assigned IP address.
Default Server IP Address: In IPv4 NAT Configuration only. The IPv4 address.
Default Server IPv6 Address: In IPv6 NAT Configuration only. The IPv6 address.

Table 36: Configuration of Send all incoming packets to server

4.10.1 Examples of NAT Configuration

Example 1: IPv4 NAT Configuration with a Single Device Connected

It is important to mark the Send all remaining incoming packets to default server check box for this configuration. The IP address in this example is the address of the device behind the router. The default gateway of the devices in the subnetwork connected to the router is the same IP address as displayed in the Default Server IPv4 Address field. The connected device replies if a PING is sent to the IP address of the SIM card.

Figure 36: Topology for NAT Configuration Example 1

Figure 37: NAT Configuration for Example 1

Example 2: IPv4 NAT Configuration with More Equipment Connected

In this example, using a switch you can connect more devices behind the router. Every device connected behind the router has its own IP address. Enter the address in the Server IPv4 Address field in the NAT dialog.
The devices are communicating on port 80, but you can set port forwarding using the Public Port and Private Port fields in the NAT dialog. You have now configured the router to access the 192.168.1.2:80 socket behind the router when accessing the IP address 10.0.0.1:81 from the Internet. If you send a ping request to the public IP address of the router (10.0.0.1), the router responds as usual (no forwarding). And since Send all remaining incoming packets to default server is inactive, the router denies connection attempts.

Figure 38: Topology for NAT Configuration Example 2

Figure 39: NAT Configuration for Example 2

4.11 OpenVPN Tunnel Configuration

Select the OpenVPN item to configure an OpenVPN tunnel. The menu item will expand and you will see four separate configuration pages: 1st Tunnel, 2nd Tunnel, 3rd Tunnel and 4th Tunnel. The OpenVPN tunnel function allows you to create a secure connection between two separate LAN networks. The router allows you to create up to four OpenVPN tunnels. IPv4 and IPv6 dual stack is supported.

Description: Specifies the description or name of the tunnel.
Protocol: Specifies the communication protocol.
· UDP: OpenVPN communicates using UDP.
· TCP server: OpenVPN communicates using TCP in server mode.
· TCP client: OpenVPN communicates using TCP in client mode.
· UDPv6: OpenVPN communicates using UDP over IPv6.
· TCPv6 server: OpenVPN communicates using TCP over IPv6 in server mode.
· TCPv6 client: OpenVPN communicates using TCP over IPv6 in client mode.
UDP/TCP port: Specifies the port of the relevant protocol (UDP or TCP).
Remote IP Address: Specifies the IPv4 address, IPv6 address or domain name of the opposite side of the tunnel.
Remote Subnet: IPv4 address of the network behind the opposite side of the tunnel.
Remote Subnet Mask: IPv4 subnet mask of the network behind the opposite side of the tunnel.
Redirect Gateway: Adds (rewrites) the default gateway. All packets are then sent to this gateway via the tunnel if no other default gateway is specified for them.
Local Interface IP Address: Specifies the IPv4 address of the local interface. For proper routing it is recommended to fill in an IPv4 address from the local range even if you are using an IPv6 tunnel only.
Remote Interface IP Address: Specifies the IPv4 address of the interface on the opposite side of the tunnel. For proper routing it is recommended to fill in an IPv4 address from the local range even if you are using an IPv6 tunnel only.
Remote IPv6 Subnet: IPv6 address of the remote IPv6 network. Equivalent of Remote Subnet in the IPv4 section.
Remote IPv6 Prefix: IPv6 prefix of the remote IPv6 network. Equivalent of Remote Subnet Mask in the IPv4 section.
Local Interface IPv6 Address: Specifies the IPv6 address of the local interface.
Remote Interface IPv6 Address: Specifies the IPv6 address of the interface on the opposite side of the tunnel.
Ping Interval: Time interval after which the router sends a message to the opposite side of the tunnel to verify the existence of the tunnel.
Ping Timeout: Specifies the time interval the router waits for a message sent by the opposite side. For proper verification of the OpenVPN tunnel, set the Ping Timeout greater than the Ping Interval.
Renegotiate Interval: Specifies the renegotiation period (reauthorization) of the OpenVPN tunnel. You can only set this parameter when the Authenticate Mode is set to username/password or X.509 certificate. After this time period, the router renegotiates the tunnel encryption to keep the tunnel secure.
Max Fragment Size: Maximum size of a sent packet.
Compression: Compression of the data sent:
· none: No compression is used.
· LZO: A lossless compression is used; use the same setting on both sides of the tunnel.
NAT Rules: Activates/deactivates the NAT rules for the OpenVPN tunnel:
· not applied: NAT rules are not applied to the tunnel.
· applied: NAT rules are applied to the OpenVPN tunnel.
Authenticate Mode: Specifies the authentication mode:
· none: No authentication is set.
· Pre-shared secret: Specifies the shared key function for both sides of the tunnel.
· Username/password: Specifies authentication using a CA Certificate, Username and Password.
· X.509 Certificate (multiclient): Activates X.509 authentication in multi-client mode.
· X.509 Certificate (client): Activates X.509 authentication in client mode.
· X.509 Certificate (server): Activates X.509 authentication in server mode.
Security Mode: Choose the security mode, tls-auth or tls-crypt. We recommend using tls-crypt mode for security reasons. In this mode, all the data is encrypted with a pre-shared key. Moreover, this mode is more robust against TLS denial-of-service attacks.
Pre-shared Secret: Specifies the pre-shared secret, which you can use for every authentication mode.
CA Certificate: Specifies the CA Certificate, which you can use for the username/password and X.509 Certificate authentication modes.
DH Parameters: Specifies the DH parameters for the key exchange, which you can use for X.509 Certificate authentication in server mode.
Local Certificate: Specifies the certificate used in the local device. You can use this certificate for the X.509 Certificate authentication mode.
Local Private Key: Specifies the private key used in the local device. You can use the key for the X.509 Certificate authentication mode.
Username: Specifies the login name used for authentication in username/password mode.
Password: Specifies the password used for authentication in username/password mode. Enter valid characters only, see chap. 2.3!
Extra Options: Specifies additional parameters for the OpenVPN tunnel, such as DHCP options. The parameters are preceded by two dashes. For the possible parameters see the help text in the router: over SSH, run the openvpnd --help command.

Table 37: OpenVPN Configuration

There is a condition for the tunnel to be established: a WAN route has to be active (for example a mobile connection established) even if the tunnel does not go through the WAN. The changes in settings will apply after pressing the Apply button.

Figure 40: OpenVPN Tunnel Configuration

4.11.1 Example of the OpenVPN Tunnel Configuration in IPv4 Network

Figure 41: Topology of OpenVPN Configuration Example

OpenVPN tunnel configuration:

Configuration                  A               B
Protocol                       UDP             UDP
UDP Port                       1194            1194
Remote IP Address              10.0.0.2        10.0.0.1
Remote Subnet                  192.168.2.0     192.168.1.0
Remote Subnet Mask             255.255.255.0   255.255.255.0
Local Interface IP Address     19.16.1.0       19.16.2.0
Remote Interface IP Address    19.16.2.0       19.16.1.0
Compression                    LZO             LZO
Authenticate mode              none            none

Table 38: OpenVPN Configuration Example

Examples of different options for configuration and authentication of an OpenVPN tunnel can be found in the application note OpenVPN Tunnel [4].

4.12 IPsec Tunnel Configuration

The IPsec tunnel function allows you to create a secured connection between two separate LAN networks. Advantech routers allow you to create up to four IPsec tunnels. To open the IPsec tunnel configuration page, click IPsec in the Configuration section of the main menu. The menu item will expand and you will see four separate configuration pages: 1st Tunnel, 2nd Tunnel, 3rd Tunnel and 4th Tunnel. Both policy-based and route-based VPN approaches are supported; see the different configuration scenarios in Chapter 4.12.1. IPv4 and IPv6 tunnels are supported (dual stack); you can transport IPv6 traffic through an IPv4 tunnel and vice versa.
For the different IPsec authentication scenarios, see Chapter 4.12.2.

To encrypt data between the local and remote subnets, specify the appropriate values in the subnet fields on both routers. To encrypt the data stream between the routers only, leave the local and remote subnet fields blank. If you specify the protocol and port information in the Local Protocol/Port field, then the router encapsulates only the packets matching the settings.

For an optimal and secure setup, we recommend following the instructions on the Security Recommendations strongSwan web page.

The FRRouting (FRR) user module is an Internet routing protocol suite for Advantech routers. This UM includes protocol daemons for BGP, IS-IS, LDP, OSPF, PIM, and RIP.

4.12.1 Route-based Configuration Scenarios

There are several different route-based configuration options which can be configured and used in Advantech routers. The most common cases are listed below (for more details see the Route-based VPNs strongSwan web page):

1. Enabled Installing Routes
· Remote (local) subnets are used as traffic selectors (routes).
· It results in the same outcome as a policy-based VPN.
· One benefit of this approach is the possibility to verify the non-encrypted traffic passing through IPsec tunnel number X with the tcpdump tool: tcpdump -i ipsecX.
· Set the Install Routes option to yes.

2. Static Routes
· Routes are installed statically by an application as soon as the IPsec tunnel is up.
· As the application for static route installation, for example the FRR/STATICD application can be used.
· Set the Install Routes option to no.

3. Dynamic Routing
· Routes are installed dynamically at run time by an application using a dynamic routing protocol.
· As the application for dynamic route installation, for example the FRR/BGP or FRR/OSPF application can be used. This application gains the routes dynamically from a (BGP, OSPF) server.
· Set the Install Routes option to no.

4. Multiple Clients
· Allows creating a VPN network with multiple clients. One Advantech router acts as the server and assigns IP addresses to all the clients on the network.
· The server has the Remote Virtual Network and Remote Virtual Mask items configured and the client has the Local Virtual Address item configured.
· Set the Install Routes option to yes.

4.12.2 IPsec Authentication Scenarios

There are four basic authentication options which can be configured and used in Advantech routers:

1. Pre-shared Key
· Set Authenticate Mode to the pre-shared key option.
· Enter the shared key into the Pre-shared key field.

2. Public Key
· Set Authenticate Mode to the X.509 certificate option.
· Enter the public key into the Local Certificate / PubKey field.
· A CA certificate is not required.

3. Peer Certificate
· Set Authenticate Mode to the X.509 certificate option.
· Enter the remote key into the Remote Certificate / PubKey field. Users with this certificate will be allowed.
· A CA certificate is not required.

4. CA Certificate
· Set Authenticate Mode to the X.509 certificate option.
· Enter the CA certificate or a list of CA certificates into the CA Certificate field. Any certificate signed by the CA will be accepted.
· A remote certificate is not required.

Notes:
· The Peer and CA Certificate options (3 and 4) can be configured and used simultaneously; authentication can then be done by either of these methods.
· The Local ID is significant. When using certificate authentication, the IKE identity must be contained in the certificate, either as the subject or as a subjectAltName.

4.12.3 Configuration Items Description

The configuration GUI for IPsec is shown in Figure 42, and all items which can be configured for an IPsec tunnel are described in Table 39.
Figure 42: IPsec Tunnels Configuration

Description
    Name or description of the tunnel.

Type
    · policy-based: Choose for the policy-based VPN approach.
    · route-based: Choose for the route-based VPN approach.
    Note: Data throughput via a route-based VPN is slightly lower in comparison with a policy-based VPN.

Host IP Mode
    · IPv4: The router communicates via IPv4 with the opposite side of the tunnel.
    · IPv6: The router communicates via IPv6 with the opposite side of the tunnel.

1st Remote IP Address
    First IPv4 address, IPv6 address or domain name of the remote side of the tunnel, based on the Host IP Mode selected above.

2nd Remote IP Address
    Second IPv4 address, IPv6 address or domain name of the remote side of the tunnel, based on the Host IP Mode selected above.

Tunnel IP Mode
    · IPv4: The IPv4 communication runs inside the tunnel.
    · IPv6: The IPv6 communication runs inside the tunnel.

Remote ID
    Identifier (ID) of the remote side of the tunnel. It consists of two parts: a hostname and a domain-name.

Local ID
    Identifier (ID) of the local side of the tunnel. It consists of two parts: a hostname and a domain-name.

Install Routes
    For the route-based type only. Choose yes to use the traffic selectors as route(s).

First Remote Subnet
    IPv4 or IPv6 address of a network behind the remote side of the tunnel, based on the Tunnel IP Mode above.

First Remote Subnet Mask/Prefix
    IPv4 subnet mask of a network behind the remote side of the tunnel, or IPv6 prefix (a single number 0 to 128).

Second Remote Subnet
    IPv4 or IPv6 address of the second network behind the remote side of the tunnel, based on the Tunnel IP Mode above. For IKE Protocol = IKEv2 only.

Second Remote Subnet Mask/Prefix
    IPv4 subnet mask of the second network behind the remote side of the tunnel, or IPv6 prefix (a single number 0 to 128). For IKE Protocol = IKEv2 only.

Remote Protocol/Port
    Specifies the protocol/port of the remote side of the tunnel. The general form is protocol/port, for example 17/1701 for UDP (protocol 17) and port 1701. It is also possible to enter only the protocol number; however, the format above is preferred.

First Local Subnet
    IPv4 or IPv6 address of a local network, based on the Tunnel IP Mode above.

First Local Subnet Mask/Prefix
    IPv4 subnet mask of a local network, or IPv6 prefix (a single number 0 to 128).

Second Local Subnet
    IPv4 or IPv6 address of the second local network, based on the Tunnel IP Mode above. For IKE Protocol = IKEv2 only.

Second Local Subnet Mask/Prefix
    IPv4 subnet mask of the second local network, or IPv6 prefix (a single number 0 to 128). For IKE Protocol = IKEv2 only.

Local Protocol/Port
    Specifies the protocol/port of a local network. The general form is protocol/port, for example 17/1701 for UDP (protocol 17) and port 1701. It is also possible to enter only the protocol number; however, the format above is preferred.

Remote Virtual Network
    Specifies the virtual remote network for the server (responder).

Remote Virtual Mask
    Specifies the virtual remote network mask for the server (responder).

Local Virtual Address
    Specifies the virtual local network address for the client. To get the address from the server, set the address to 0.0.0.0.

Cisco FlexVPN
    Enable to support the Cisco FlexVPN functionality. The route-based type must be chosen. For more information, see the strongswan.conf page.

Encapsulation Mode
    Specifies the IPsec mode, according to the method of encapsulation:
    · tunnel: The entire IP datagram is encapsulated.
    · transport: Only the IP header is encapsulated. Not supported by route-based VPN.
    · beet: The ESP packet is formatted as a transport mode packet, but the semantics of the connection are the same as for tunnel mode.

Force NAT Traversal
    Enable NAT traversal enforcement (UDP encapsulation of ESP packets).

IKE Protocol
    Specifies the version of IKE (IKEv1/IKEv2, IKEv1 or IKEv2).

IKE Mode
    Specifies the mode for establishing a connection (main or aggressive).
    If you select the aggressive mode, the router establishes the IPsec tunnel faster, but the encryption is permanently set to 3DES-MD5. We recommend that you do not use the aggressive mode due to its lower security!

IKE Algorithm
    Specifies the means by which the router selects the algorithm:
    · auto: The encryption and hash algorithms are selected automatically.
    · manual: The encryption and hash algorithms are defined by the user.

IKE Encryption
    Encryption algorithm: 3DES, AES128, AES192, AES256, AES128GCM128, AES192GCM128, AES256GCM128.

IKE Hash
    Hash algorithm: MD5, SHA1, SHA256, SHA384 or SHA512.

IKE DH Group
    Specifies the Diffie-Hellman group which determines the strength of the key used in the key exchange process. Higher group numbers are more secure, but require more time to compute the key.

IKE Reauthentication
    Enable or disable IKE reauthentication (for IKEv2 only).

XAUTH Enabled
    Enable extended authentication (for IKEv1 only).

XAUTH Mode
    Select the XAUTH mode (client or server).

XAUTH Username
    XAUTH username.

XAUTH Password
    XAUTH password.

ESP Algorithm
    Specifies the means by which the router selects the algorithm:
    · auto: The encryption and hash algorithms are selected automatically.
    · manual: The encryption and hash algorithms are defined by the user.

ESP Encryption
    Encryption algorithm: 3DES, AES128, AES192, AES256, AES128GCM128, AES192GCM128, AES256GCM128.

ESP Hash
    Hash algorithm: MD5, SHA1, SHA256, SHA384 or SHA512.

PFS
    Enables/disables the Perfect Forward Secrecy function. The function ensures that derived session keys are not compromised if one of the private keys is compromised in the future.

PFS DH Group
    Specifies the Diffie-Hellman group number (see IKE DH Group).

Key Lifetime
    Lifetime of the key data part of the tunnel. The minimum value of this parameter is 60 s. The maximum value is 86400 s.

IKE Lifetime
    Lifetime of the key service part of the tunnel. The minimum value of this parameter is 60 s. The maximum value is 86400 s.

Rekey Margin
    Specifies how long before a connection expires that the router attempts to negotiate a replacement. Specify a maximum value that is less than half of the IKE Lifetime and Key Lifetime parameters.

Rekey Fuzz
    Percentage of time for the Rekey Margin extension.

DPD Delay
    Time after which the IPsec tunnel functionality is tested.

DPD Timeout
    The period during which the device waits for a response.

Authenticate Mode
    Specifies the means by which the router authenticates:
    · Pre-shared key: Sets the shared key for both sides of the tunnel.
    · X.509 Certificate: Allows X.509 authentication in multi-client mode.

Pre-shared Key
    Specifies the shared key for both sides of the tunnel. The prerequisite for entering a key is that you select pre-shared key as the authentication mode.

CA Certificate
    Certificate for X.509 authentication.

Remote Certificate / PubKey
    Certificate for X.509 authentication or PubKey for public key signature authentication.

Local Certificate / PubKey
    Certificate for X.509 authentication or PubKey for public key signature authentication.

Local Private Key
    Private key for X.509 authentication.

Local Passphrase
    Passphrase used during private key generation.

Revocation Check
    Certificate revocation policy:
    · if possible: Fails only if a certificate is revoked, i.e. it is explicitly known that it is bad.
    · if URI defined: Fails only if a CRL/OCSP URI is available but certificate revocation checking fails, i.e. there should be revocation information available, but it could not be obtained.
    · always: Fails if no revocation information is available, i.e. the certificate is not known to be unrevoked.

Debug
    Choose the level of logging verbosity from: silent, audit, control (default), control-more, raw, private (most verbose, including the private keys). See Logger Configuration on the strongSwan web page for more details.
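The Key Lifetime, IKE Lifetime, Rekey Margin and Rekey Fuzz items above interact: the rule "less than half of the lifetime" for the margin exists because the fuzz can enlarge the margin, and an enlarged margin that reaches the lifetime would make the router rekey immediately after setup. The following Python is an added example, not Advantech code: it checks a set of values against the ranges and the rule stated in Table 39 and computes the window in which rekeying starts. The timing model (margin randomly increased by up to the fuzz percentage of itself) is the one strongSwan documents for rekeymargin/rekeyfuzz; the sample values are constructed.

```python
"""Sanity checks for the IPsec lifetime / rekey items of Table 39 (added example).

Rekey timing is modelled with the strongSwan semantics for rekeymargin and
rekeyfuzz: the margin is randomly enlarged by up to `fuzz` percent of itself,
so a replacement SA is negotiated somewhere in the window
[lifetime - margin * (1 + fuzz/100), lifetime - margin].
"""
import random
from typing import List, Optional, Tuple

LIFETIME_MIN_S = 60      # minimum accepted by the GUI (Table 39)
LIFETIME_MAX_S = 86400   # maximum accepted by the GUI (Table 39)


def validate_lifetimes(ike_lifetime: int, key_lifetime: int,
                       rekey_margin: int, rekey_fuzz: int) -> List[str]:
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    lifetimes = (("IKE Lifetime", ike_lifetime), ("Key Lifetime", key_lifetime))
    for name, value in lifetimes:
        if not LIFETIME_MIN_S <= value <= LIFETIME_MAX_S:
            problems.append(f"{name} {value} s is outside {LIFETIME_MIN_S}-{LIFETIME_MAX_S} s")
    if rekey_margin <= 0:
        problems.append("Rekey Margin must be positive")
    if rekey_fuzz < 0:
        problems.append("Rekey Fuzz must not be negative")
    # The manual's rule: the margin must be less than half of both lifetimes.
    # With 100 % fuzz the margin can double; a doubled margin that reaches the
    # lifetime would start rekeying at time zero, i.e. immediately.
    for name, value in lifetimes:
        if rekey_margin * 2 >= value:
            problems.append(f"Rekey Margin {rekey_margin} s is not less than half of {name} ({value} s)")
    return problems


def rekey_window(lifetime: int, rekey_margin: int, rekey_fuzz: int) -> Tuple[float, float]:
    """Earliest and latest second (after SA setup) at which rekeying starts."""
    earliest = lifetime - rekey_margin * (1 + rekey_fuzz / 100)
    latest = lifetime - rekey_margin
    return earliest, latest


def next_rekey_time(lifetime: int, rekey_margin: int, rekey_fuzz: int,
                    seed: Optional[int] = None) -> float:
    """One randomized draw from the window, as the IKE daemon would make it."""
    rng = random.Random(seed)
    fuzzed_margin = rekey_margin * (1 + rng.random() * rekey_fuzz / 100)
    return lifetime - fuzzed_margin


if __name__ == "__main__":
    # Constructed example values: 1 h lifetimes, 3 min margin, 100 % fuzz.
    print(validate_lifetimes(3600, 3600, 180, 100))     # []
    print(rekey_window(3600, 180, 100))                  # (3240.0, 3420)
    print(validate_lifetimes(3600, 3600, 1800, 100))     # margin violates the half rule
    print(next_rekey_time(3600, 180, 100, seed=1))
```

Shorter lifetimes with a sane margin buy forward-looking key freshness at the cost of more IKE traffic, which is the trade-off the manual's recommendation describes; the half rule keeps the randomized window from collapsing to zero.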
Table 39: IPsec Tunnel Configuration

We recommend that you keep the default settings. When you set the key exchange times higher, the tunnel produces lower operating costs, but the setting also provides less security. Conversely, when you reduce the time, the tunnel produces higher operating costs, but provides higher security.

The changes in settings will apply after clicking the Apply button.

Do not miss:
· If the local and remote subnets are not configured, then only packets between the local and remote IP addresses are encapsulated, so only the communication between the two routers is encrypted.
· If the protocol/port fields are configured, then only packets matching these settings are encapsulated.

Detailed information and more examples of IPsec tunnel configuration and authentication can be found in the application note IPsec Tunnel [5].

4.12.4 Basic IPv4 IPSec Tunnel Configuration

Figure 43: Topology of IPsec Configuration Example

Configuration of Router A and Router B is as follows:

Configuration              A                B
Host IP Mode               IPv4             IPv4
1st Remote IP Address      10.0.0.2         10.0.0.1
Tunnel IP Mode             IPv4             IPv4
First Remote Subnet        192.168.2.0      192.168.1.0
First Remote Subnet Mask   255.255.255.0    255.255.255.0
First Local Subnet         192.168.1.0      192.168.2.0
First Local Subnet Mask    255.255.255.0    255.255.255.0
Authenticate mode          pre-shared key   pre-shared key
Pre-shared key             test             test

Table 40: Simple IPv4 IPSec Tunnel Configuration

4.12.5 TPM-based Authentication

This chapter describes the process of creating the TPM keys usable for an IPsec tunnel configuration. This feature uses the TPM 2.0 (Trusted Platform Module) chip mounted directly onto the router's mainboard.

For details about the TPM commands, see the tpm2 command description [1] or go to https://github.com/tpm2-software/tpm2-tools/tree/5.1.X/man.
To generate the key, connect to the TPM-equipped router's console and execute the following commands:

$ tpm2 createek -c ek.ctx -G rsa
$ tpm2 createak -C ek.ctx -G rsa -g sha256 -s rsassa -c ak_rsa.ctx -u ak_rsa.pub -f pem
loaded-key:
  name: 000b0a688495f33b96ecfe242807e5b183a41bc5f24f7a4f18716866d084378a6cd2
  qualified name: 000bffac43e487a8658606636a9640e02151ec0603bec90073dd2bc2e8b82f07ff9a
$ tpm2 evictcontrol -c ak_rsa.ctx
persistent-handle: 0x81010001
action: persisted

After this, store ak_rsa.pub, which is the public key in the standard PEM format, and remember the persistent handle, such as 0x81010001, that got printed. This is the location (handle) of the private key. The temporary *.ctx files can be removed at this point.

To list all existing handles, execute the following command:

$ tpm2 getcap handles-persistent
- 0x81010001

To configure the key for an IPsec tunnel in the GUI:
· Set Authentication Mode to X509 Certificate on both routers.
· Place the content of ak_rsa.pub as the local pubkey (item Local Certificate / PubKey) on the router and as the remote pubkey (item Remote Certificate / PubKey) on the peer router.
· Put the persistent handle number printed by the tpm2 evictcontrol command above (such as 0x81010001) as the private key (item Local Private Key) on the router.

To remove a persisted key, execute the following command:

$ tpm2 evictcontrol -c 0x81010001
persistent-handle: 0x81010001
action: evicted

4.13 WireGuard Tunnel Configuration

WireGuard is a communication protocol and free open-source software that implements encrypted virtual private networks (VPNs), and was designed with the goals of ease of use, high-speed performance, and a low attack surface. It aims for better performance and more power than IPsec and OpenVPN, two common tunneling protocols. The WireGuard protocol passes traffic over UDP.

Advantech routers allow you to create up to four WireGuard tunnels.
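Returning to the TPM procedure of Chapter 4.12.5: the value that ends up in the Local Private Key item is not key material at all but the handle under which the TPM keeps the private key, so it is worth checking that what was pasted is a well-formed persistent handle and that the handle still exists in the TPM. The Python below is an added example, not Advantech code or part of tpm2-tools. It parses the output shape shown above for tpm2 evictcontrol and tpm2 getcap handles-persistent (the sample outputs are constructed), checks a handle against the TPM 2.0 persistent handle range 0x81000000 to 0x81FFFFFF, and classifies a Local Private Key value as PEM text or a TPM handle.

```python
"""Helpers around the tpm2-tools output shown in Chapter 4.12.5 (added example)."""
import re
from typing import List, Tuple

# TPM 2.0 persistent object handle range (TPM_HR_PERSISTENT).
TPM_HR_PERSISTENT_FIRST = 0x81000000
TPM_HR_PERSISTENT_LAST = 0x81FFFFFF

# Constructed sample of `tpm2 evictcontrol -c ak_rsa.ctx` output.
EVICTCONTROL_OUTPUT = """persistent-handle: 0x81010001
action: persisted
"""

# Constructed sample of `tpm2 getcap handles-persistent` output with two keys.
GETCAP_OUTPUT = """- 0x81010001
- 0x81010002
"""


def parse_evictcontrol(output: str) -> Tuple[int, str]:
    """Return (handle, action) from evictcontrol output, e.g. (0x81010001, 'persisted')."""
    handle = action = None
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "persistent-handle":
            handle = int(value, 16)
        elif key == "action":
            action = value
    if handle is None or action is None:
        raise ValueError("unexpected evictcontrol output")
    return handle, action


def parse_persistent_handles(output: str) -> List[int]:
    """Return the handles listed by `tpm2 getcap handles-persistent`."""
    handles = []
    for line in output.splitlines():
        match = re.fullmatch(r"-\s*(0x[0-9a-fA-F]+)", line.strip())
        if match:
            handles.append(int(match.group(1), 16))
    return handles


def is_persistent_handle(handle: int) -> bool:
    """True if the value lies in the TPM 2.0 persistent handle range."""
    return TPM_HR_PERSISTENT_FIRST <= handle <= TPM_HR_PERSISTENT_LAST


def classify_local_private_key(value: str) -> str:
    """Classify what was pasted into the Local Private Key item.

    The GUI accepts either a PEM private key or, for TPM-based authentication,
    the persistent handle printed by tpm2 evictcontrol.  Returns 'pem',
    'tpm-handle' or 'invalid'.
    """
    text = value.strip()
    if text.startswith("-----BEGIN") and "PRIVATE KEY-----" in text:
        return "pem"
    if re.fullmatch(r"0x[0-9a-fA-F]{1,8}", text) and is_persistent_handle(int(text, 16)):
        return "tpm-handle"
    return "invalid"


def handle_is_present(handle: int, getcap_output: str) -> bool:
    """Check that a configured handle actually exists in the TPM before relying on it."""
    return handle in parse_persistent_handles(getcap_output)


if __name__ == "__main__":
    handle, action = parse_evictcontrol(EVICTCONTROL_OUTPUT)
    print(hex(handle), action)                                  # 0x81010001 persisted
    print([hex(h) for h in parse_persistent_handles(GETCAP_OUTPUT)])
    print(classify_local_private_key("0x81010001"))             # tpm-handle
    print(handle_is_present(0x81010003, GETCAP_OUTPUT))         # False
```

A missing handle (for example after the key was evicted with tpm2 evictcontrol -c 0x81010001) is the first thing to check when a TPM-backed IPsec tunnel stops authenticating after a firmware or key rotation.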
To open the WireGuard tunnel configuration page, click WireGuard in the Configuration section of the main menu. The menu item will expand and you will see four separate configuration pages: 1st Tunnel, 2nd Tunnel, 3rd Tunnel and 4th Tunnel.

IPv4 and IPv6 tunnels are supported (dual stack): you can transport IPv6 traffic through an IPv4 tunnel and vice versa.

FRRouting (FRR) user module is an Internet routing protocol suite for Advantech routers. This UM includes protocol daemons for BGP, IS-IS, LDP, OSPF, PIM, and RIP.

Detailed information and more examples of WireGuard tunnel configuration and authentication can be found in the application note WireGuard Tunnel [7].

The configuration GUI for WireGuard is shown in Figure 44 and all the items which can be configured for a WireGuard tunnel are described in Table 41.

Figure 44: WireGuard Tunnels Configuration

Description
    Name or description of the tunnel.

Host IP Mode
    · IPv4: The router communicates via IPv4 with the opposite side of the tunnel.
    · IPv6: The router communicates via IPv6 with the opposite side of the tunnel.

Remote IP Address
    IPv4 address, IPv6 address or domain name of the remote side of the tunnel to connect to. The address must match the Host IP Mode selected above.

Remote Port
    Port of the remote side of the tunnel.

Local Port
    Port of the local side of the tunnel (the default port is 51820).

NAT/Firewall Traversal
    If set to yes, keepalive communication (every 25 seconds) is running to keep the established tunnel alive. It is useful when a client is running behind NAT.

Interface IPv4 Address
    Local IPv4 tunnel interface address.

Interface IPv4 Prefix Length
    Local IPv4 tunnel interface prefix.
Interface IPv6 Address
    Local IPv6 tunnel interface address.

Interface IPv6 Prefix Length
    Local IPv6 tunnel interface prefix.

Install Routes
    · no: Do not install routes. Use when a dynamic routing protocol is configured.
    · yes: Install routes.

Traffic Selector
    · all traffic: Pass all the packets into the WireGuard tunnel.
    · subnets: Route based on the subnets listed below.

Remote Subnets
    If the Traffic Selector is set to subnets, then other subnets (routes) can be routed through the WireGuard tunnel.

Pre-shared Key
    The optional key for an additional encryption layer and security strengthening. You can use the Generate button to generate a random key.

Local Private Key
    The private key of the local side. You can use the Generate button to generate a random key.

Local Public Key
    The public key of the local tunnel side.

Remote Public Key
    The public key of the remote tunnel side.

Table 41: WireGuard Tunnel Configuration

The changes in settings will apply after clicking the Apply button.

4.13.1 WireGuard IPv4 Tunnel Configuration Example

This is an example of a WireGuard IPv4 tunnel configuration between Router A and Router B.

Figure 45: Topology of WireGuard Configuration Example

Router B is configured to listen, and Router A is the side initiating the tunnel connection. Configuration of Router A and Router B from the topology above is as follows:

Configuration                  Router A                            Router B
Host IP Mode                   IPv4                                IPv4
Remote IP Address              10.0.6.60                           --
Remote Port                    51820                               --
Local Port                     51820                               51820
NAT/Firewall Traversal         yes                                 no
Interface IPv4 Address         172.16.24.1                         172.16.24.2
Interface IPv4 Prefix Length   30                                  30
Install Routes                 yes                                 yes
Traffic Selector               subnets                             subnets
Remote Subnets                 192.168.2.0/24                      192.168.1.0/24
Local Private Key              a local private key                 a local private key
Local Public Key               a local public key                  a local public key
Remote Public Key              a public key of the opposite side   a public key of the opposite side

Table 42: WireGuard IPv4 Tunnel Configuration Example

In the figure below is the WireGuard status page of Router A. If the tunnel connection is established successfully, the Latest handshake time is shown here.
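The key items of Table 41 and the key placeholders of Table 42 are easier to reason about with the arithmetic behind them in view. The Python below is an added example, not Advantech code and not WireGuard's implementation: a WireGuard private key is 32 random bytes in base64, and the public key is the X25519 function (RFC 7748) applied to the base point 9, which is what the Generate button and the wg pubkey tool compute. The ladder is written for readability, not constant time, so it is for verifying keys, not for use inside a tunnel; the key generation mirrors wg genkey (clamping is applied on use here, which gives the same public key because clamping is idempotent).

```python
"""Derive the WireGuard Local Public Key from the Local Private Key (added example)."""
import base64
import secrets
from typing import Tuple

P = 2 ** 255 - 19
A24 = 121665
BASE_POINT_U = 9


def clamp(private_key: bytes) -> int:
    """RFC 7748 decodeScalar25519: clear the low 3 bits, clear bit 255, set bit 254."""
    if len(private_key) != 32:
        raise ValueError("private key must be 32 bytes")
    k = bytearray(private_key)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def decode_u(u_bytes: bytes) -> int:
    """RFC 7748 decodeUCoordinate: ignore the unused top bit of the last byte."""
    if len(u_bytes) != 32:
        raise ValueError("public key must be 32 bytes")
    u = bytearray(u_bytes)
    u[31] &= 127
    return int.from_bytes(u, "little")


def _cswap(swap: int, a: int, b: int) -> Tuple[int, int]:
    return (b, a) if swap else (a, b)


def x25519_scalar_mult(k: int, u: int) -> int:
    """Montgomery ladder from RFC 7748 section 5 (not constant time)."""
    x_1 = u
    x_2, z_2 = 1, 0
    x_3, z_3 = u, 1
    swap = 0
    for t in range(254, -1, -1):
        k_t = (k >> t) & 1
        swap ^= k_t
        x_2, x_3 = _cswap(swap, x_2, x_3)
        z_2, z_3 = _cswap(swap, z_2, z_3)
        swap = k_t
        a = (x_2 + z_2) % P
        aa = a * a % P
        b = (x_2 - z_2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x_3 + z_3) % P
        d = (x_3 - z_3) % P
        da = d * a % P
        cb = c * b % P
        x_3 = pow(da + cb, 2, P)
        z_3 = x_1 * pow(da - cb, 2, P) % P
        x_2 = aa * bb % P
        z_2 = e * (aa + A24 * e) % P
    x_2, x_3 = _cswap(swap, x_2, x_3)
    z_2, z_3 = _cswap(swap, z_2, z_3)
    return x_2 * pow(z_2, P - 2, P) % P


def x25519(private_key: bytes, peer_public_key: bytes) -> bytes:
    """Shared secret both tunnel ends agree on (the handshake builds on this)."""
    return x25519_scalar_mult(clamp(private_key), decode_u(peer_public_key)).to_bytes(32, "little")


def public_key_from_private(private_key: bytes) -> bytes:
    return x25519_scalar_mult(clamp(private_key), BASE_POINT_U).to_bytes(32, "little")


def generate_private_key() -> str:
    """Like `wg genkey`: 32 random bytes, base64 encoded."""
    return base64.b64encode(secrets.token_bytes(32)).decode()


def public_key_b64(private_key_b64: str) -> str:
    """Like `wg pubkey`: the value for Local Public Key / the peer's Remote Public Key."""
    raw = base64.b64decode(private_key_b64, validate=True)
    return base64.b64encode(public_key_from_private(raw)).decode()


if __name__ == "__main__":
    priv = generate_private_key()
    print("Local Private Key:", priv)
    print("Local Public Key: ", public_key_b64(priv))
```

Only the public keys are exchanged: the Local Private Key never leaves the router, and a Remote Public Key that does not correspond to the peer's private key simply never completes a handshake, which is the failure to look for when the Latest handshake item stays empty.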
This value is the time elapsed since the latest successful communication with the opposite tunnel side. This item will not be shown here until there is tunnel communication (data sent by Router A, or the keepalive data sent when NAT/Firewall Traversal is set to yes).

Figure 46: Router A WireGuard Status Page and Route Table

Figure 47: Router B WireGuard Status Page and Route Table

4.14 GRE Tunnels Configuration

GRE is an unencrypted protocol. GRE via IPv6 is not supported.

To open the GRE Tunnel Configuration page, click GRE in the Configuration section of the main menu. The menu item will expand and you will see four separate configuration pages: 1st Tunnel, 2nd Tunnel, 3rd Tunnel and 4th Tunnel. The GRE tunnel function allows you to create an unencrypted connection between two separate LAN networks. The router allows you to create four GRE tunnels.

Description
    Description of the GRE tunnel.

Remote IP Address
    IP address of the remote side of the tunnel.

Local IP Address
    IP address of the local side of the tunnel.

Remote Subnet
    IP address of the network behind the remote side of the tunnel.

Remote Subnet Mask
    Specifies the mask of the network behind the remote side of the tunnel.

Local Interface IP Address
    IP address of the local side of the tunnel.

Remote Interface IP Address
    IP address of the remote side of the tunnel.

Multicasts
    Activates/deactivates sending multicast into the GRE tunnel:
    · disabled: Sending multicast into the tunnel is inactive.
    · enabled: Sending multicast into the tunnel is active.

Pre-shared Key
    Specifies an optional value for the 32-bit shared key in numeric format; with this key the router sends the filtered data through the tunnel. Specify the same key on both routers, otherwise the router drops received packets.

Table 43: GRE Tunnel Configuration

The GRE tunnel cannot pass through NAT.

The changes in settings will apply after pressing the Apply button.
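The GRE Pre-shared Key of Table 43 is often mistaken for a secret. It is the 32-bit Key field of the GRE header (RFC 2890), sent in clear, and its only effect is the one the table states: a receiver configured with a key drops packets whose Key field differs. The Python below is an added example, not Advantech code: it builds and parses GRE version 0 headers with the optional Key and Sequence fields and applies that receiver-side match, so the drop behaviour and the lack of any confidentiality or authentication are both visible in code. The packets are constructed in the block.

```python
"""GRE header build/parse showing what the GRE Pre-shared Key item does (added example)."""
import struct
from typing import Dict, Optional

GRE_FLAG_CHECKSUM = 0x8000   # C bit
GRE_FLAG_KEY = 0x2000        # K bit
GRE_FLAG_SEQUENCE = 0x1000   # S bit
GRE_VERSION_MASK = 0x0007    # low 3 bits of the first 16-bit word
ETHERTYPE_IPV4 = 0x0800


def build_gre(payload: bytes, key: Optional[int] = None,
              sequence: Optional[int] = None, protocol: int = ETHERTYPE_IPV4) -> bytes:
    """Build a GRE (version 0) packet with optional Key and Sequence Number fields."""
    flags = 0
    optional = b""
    if key is not None:
        if not 0 <= key <= 0xFFFFFFFF:
            raise ValueError("GRE key must fit in 32 bits")
        flags |= GRE_FLAG_KEY
        optional += struct.pack("!I", key)
    if sequence is not None:
        flags |= GRE_FLAG_SEQUENCE
        optional += struct.pack("!I", sequence & 0xFFFFFFFF)
    return struct.pack("!HH", flags, protocol) + optional + payload


def _take_u16(packet: bytes, offset: int) -> int:
    if len(packet) < offset + 4:   # checksum is followed by 2 reserved bytes
        raise ValueError("truncated GRE optional field")
    return struct.unpack("!H", packet[offset:offset + 2])[0]


def _take_u32(packet: bytes, offset: int) -> int:
    if len(packet) < offset + 4:
        raise ValueError("truncated GRE optional field")
    return struct.unpack("!I", packet[offset:offset + 4])[0]


def parse_gre(packet: bytes) -> Dict[str, object]:
    """Parse a GRE header; raises ValueError on truncation or an unsupported version."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, protocol = struct.unpack("!HH", packet[:4])
    if flags & GRE_VERSION_MASK != 0:
        raise ValueError("only GRE version 0 is handled here")
    fields: Dict[str, object] = {"protocol": protocol, "checksum": None,
                                 "key": None, "sequence": None}
    offset = 4
    if flags & GRE_FLAG_CHECKSUM:
        fields["checksum"] = _take_u16(packet, offset)
        offset += 4                      # checksum (2 bytes) + reserved1 (2 bytes)
    if flags & GRE_FLAG_KEY:
        fields["key"] = _take_u32(packet, offset)
        offset += 4
    if flags & GRE_FLAG_SEQUENCE:
        fields["sequence"] = _take_u32(packet, offset)
        offset += 4
    fields["payload"] = packet[offset:]
    return fields


def accept_gre(packet: bytes, configured_key: Optional[int]) -> Optional[bytes]:
    """Receiver-side filter mirroring Table 43: the payload is delivered only when the
    Key field equals the configured Pre-shared Key (both may be absent); otherwise None."""
    fields = parse_gre(packet)
    if fields["key"] != configured_key:
        return None
    return fields["payload"]


if __name__ == "__main__":
    pkt = build_gre(b"inner IPv4 datagram (constructed)", key=12345)
    print(pkt[:8].hex())                 # 2000080000003039: K bit set, key 12345 in clear
    print(accept_gre(pkt, 12345))        # payload delivered
    print(accept_gre(pkt, 1))            # None: key mismatch, router drops it
```

Because the key rides in the header, anyone who can read the tunnel traffic can also read the key; the item is a tunnel selector, and the confidentiality the manual says GRE lacks has to come from IPsec or WireGuard carrying the GRE traffic.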
Figure 48: GRE Tunnel Configuration

4.14.1 Example of the GRE Tunnel Configuration

Figure 49: Topology of GRE Tunnel Configuration Example

GRE tunnel configuration:

Configuration        A               B
Remote IP Address    10.0.0.2        10.0.0.1
Remote Subnet        192.168.2.0     192.168.1.0
Remote Subnet Mask   255.255.255.0   255.255.255.0

Table 44: GRE Tunnel Configuration Example

Examples of different options for the configuration of a GRE tunnel can be found in the application note GRE Tunnel [6].

4.15 L2TP Tunnel Configuration

L2TP is an unencrypted protocol. L2TP via IPv6 is not supported.

To open the L2TP Tunnel Configuration page, click L2TP in the Configuration section of the main menu. The L2TP tunnel function allows you to create a password-protected connection between two different LAN networks. Enable the Create L2TP tunnel checkbox to activate the tunnel.

Figure 50: L2TP Tunnel Configuration

Mode
    Specifies the L2TP tunnel mode on the router side:
    · L2TP server: Specify an IP address range offered by the server.
    · L2TP client: Specify the IP address of the server.

Server IP Address
    IP address of the server.

Client Start IP Address
    IP address to start with in the address range. The range is offered by the server to the clients.

Client End IP Address
    The last IP address in the address range. The range is offered by the server to the clients.

Local IP Address
    IP address of the local side of the tunnel.

Remote IP Address
    IP address of the remote side of the tunnel.

Remote Subnet
    Address of the network behind the remote side of the tunnel.

Remote Subnet Mask
    The mask of the network behind the remote side of the tunnel.

MRU
    Maximum Receive Unit value. The default value is 1400 bytes.

MTU
    Maximum Transmission Unit value. The default value is 1400 bytes.

Username
    Username for the L2TP tunnel login.

Password
    Password for the L2TP tunnel login. Enter valid characters only.
Table 45: L2TP Tunnel Configuration

4.15.1 Example of the L2TP Tunnel Configuration

Figure 51: Topology of L2TP Tunnel Configuration Example

Configuration of the L2TP tunnel:

Configuration             A               B
Mode                      L2TP Server     L2TP Client
Server IP Address         --              10.0.0.1
Client Start IP Address   192.168.2.5     --
Client End IP Address     192.168.2.254   --
Local IP Address          192.168.1.1     --
Remote IP Address         --              --
Remote Subnet             192.168.2.0     192.168.1.0
Remote Subnet Mask        255.255.255.0   255.255.255.0
Username                  username        username
Password                  password        password

Table 46: L2TP Tunnel Configuration Example

4.16 PPTP Tunnel Configuration

PPTP is an unencrypted protocol. PPTP via IPv6 is not supported.

Select the PPTP item in the menu to configure a PPTP tunnel. A PPTP tunnel allows password-protected connections between two LANs. It is similar to L2TP. The tunnels are active after selecting Create PPTP tunnel.

Figure 52: PPTP Tunnel Configuration

Mode
    Specifies the PPTP tunnel mode on the router side:
    · PPTP server: Specify an IP address range offered by the server.
    · PPTP client: Specify the IP address of the server.

Server IP Address
    IP address of the server.

Local IP Address
    IP address of the local side of the tunnel.

Remote IP Address
    IP address of the remote side of the tunnel.

Remote Subnet
    Address of the network behind the remote side of the tunnel.

Remote Subnet Mask
    The mask of the network behind the remote side of the tunnel.

MRU
    Maximum Receive Unit value. The default value is 1460 bytes to avoid fragmented packets.

MTU
    Maximum Transmission Unit value. The default value is 1460 bytes to avoid fragmented packets.

Username
    Username for the PPTP tunnel login.

Password
    Password for the PPTP tunnel login. Enter valid characters only.

Table 47: PPTP Tunnel Configuration

The changes in settings will apply after pressing the Apply button.
The firmware also supports PPTP passthrough, which means that it is possible to create a tunnel through the router.

4.16.1 Example of the PPTP Tunnel Configuration

Figure 53: Topology of PPTP Tunnel Configuration Example

Configuration of the PPTP tunnel:

Configuration        A               B
Mode                 PPTP Server     PPTP Client
Server IP Address    --              10.0.0.1
Local IP Address     192.168.1.1     --
Remote IP Address    192.168.2.1     --
Remote Subnet        192.168.2.0     192.168.1.0
Remote Subnet Mask   255.255.255.0   255.255.255.0
Username             username        username
Password             password        password

Table 48: PPTP Tunnel Configuration Example

4.17 Services

4.17.1 DynDNS

The DynDNS function allows you to access the router remotely using an easy-to-remember custom hostname. This DynDNS client monitors the IP address of the router and updates the address whenever it changes.

In order for DynDNS to function, you require a public IP address, either static or dynamic, and an active Remote Access service account at www.dyndns.org. Register the custom domain (third-level) and the account information specified in the configuration form. You can use other services, too; see the Server item in the table below.

To open the DynDNS Configuration page, click DynDNS in the main menu.

Hostname
    The third-level domain registered on the www.dyndns.org server.

Username
    Username for logging into the DynDNS server.

Password
    Password for logging into the DynDNS server. Enter valid characters only, see Chapter 2.3!

IP Mode
    Specifies the version of the IP protocol:
    · IPv4: The IPv4 protocol is used only (default).
    · IPv6: The IPv6 protocol is used only.
    · IPv4/IPv6: IPv4 and IPv6 dual stack is enabled.

Server
    Specifies a DynDNS service other than www.dyndns.org. Possible other services: www.spdns.de, www.dnsdynamic.org, www.noip.com. Enter the update server service information in this field. If you leave this field blank, the default server members.dyndns.org will be used.
Table 49: DynDNS Configuration

Example of the DynDNS client configuration with the domain company.dyndns.org:

Figure 54: DynDNS Configuration Example

To access the router's configuration remotely, you will need to have enabled this option in the NAT configuration (bottom part of the form), see Chapter 4.10.

4.17.2 FTP

The FTP protocol (File Transfer Protocol) can be used to transfer files between the router and another device on the computer network. The FTP server can be configured on the FTP configuration page under the Services menu item.

Enable FTP service
    Enables the FTP server.

Maximum Sessions
    Indicates how many concurrent connections the FTP server shall accept. Once the maximum is reached, additional connections will be rejected until some of the existing connections are terminated. The range is from 1 to 500.

Session Timeout
    Used to close inactive sessions. The server will terminate an FTP session after it has not been used for the given number of seconds. The range is from 60 to 7200.

Table 50: Parameters for FTP service configuration

Figure 55: Configuration of FTP server

4.17.3 HTTP

The HTTP protocol (Hypertext Transfer Protocol) is an Internet protocol used for the exchange of hypertext documents in HTML format. This protocol is used for accessing the web server used for the user's configuration of the router. The recommended usage, however, is the HTTPS protocol, which uses encryption for the secure exchange of the transferred data. The HTTP and HTTPS services can be configured on the HTTP configuration page under the Services menu item.

By default, the HTTP service is disabled and using the HTTPS service is preferred. With this default setting, a request for communication with the HTTP protocol is redirected to the HTTPS protocol automatically.
Enable HTTP service
    Enables the HTTP service.

Enable HTTPS service
    Enables the HTTPS service.

Minimum TLS Version
    If specified, the router will disable TLS versions lower than the specified minimum. For better security choose the highest version of the TLS protocol, unless you need to use an older web browser.

Session Timeout
    Inactivity timeout after which the session is closed.

Keep the current certificate
    Keep the current certificate in the router.

Generate a new certificate
    Generate a new self-signed certificate on the router.

Upload a new certificate
    Upload a custom PEM certificate, which can be signed by a Certificate Authority.

Certificate
    Choose a file with the PEM certificate.

Private Key
    Choose a file with the certificate's private key.

Table 51: Parameters for HTTP and HTTPS services configuration

Figure 56: Configuration of HTTP and HTTPS services

4.17.4 NTP

The NTP configuration form allows you to configure the NTP client. To open the NTP page, click NTP in the Configuration section of the main menu. NTP (Network Time Protocol) allows you to periodically set the internal clock of the router. The time is set from servers that provide the exact time to network devices. IPv6 time servers are supported.

· If you mark the Enable local NTP service check box, then the router acts as an NTP server for other devices in the local network (LAN).
· If you mark the Synchronize clock with NTP server check box, then the router acts as an NTP client. This means that the router automatically adjusts the internal clock every 24 hours.

Primary NTP Server Address
    IPv4 address, IPv6 address or domain name of the primary NTP server.

Secondary NTP Server Address
    IPv4 address, IPv6 address or domain name of the secondary NTP server.

Timezone
    Specifies the time zone where you installed the router.

Daylight Saving Time
    Activates/deactivates the DST shift.
    · No: The time shift is inactive.
    · Yes: The time shift is active.
Table 52: NTP Configuration

The figure below displays an example of an NTP configuration with the primary server set to ntp.cesnet.cz, the secondary server set to tik.cesnet.cz, and the automatic change for daylight saving time enabled.

Figure 57: Example of NTP Configuration

4.17.5 PAM

A pluggable authentication module (PAM) is a mechanism to integrate multiple low-level authentication schemes into a high-level application programming interface (API). The configuration made on this configuration page will affect all the router's authentication mechanisms.

As the first option, choose the PAM Mode. The available modes and their descriptions are listed in Table 53.

PAM Mode
    · local user database: Authenticate against the local user database only, see Chapter 6.1.
    · RADIUS with fallback: Authenticate against the RADIUS server first and then against the local database in case the RADIUS server is not accessible.
    · RADIUS only: Authenticate only against the RADIUS server. Note that you will not be able to authenticate to the router in case the RADIUS server is not accessible!
    · TACACS+ with fallback: Authenticate against the TACACS+ server first and then against the local database in case the TACACS+ server is not accessible.
    · TACACS+ only: Authenticate only against the TACACS+ server. Note that you will not be able to authenticate to the router in case the TACACS+ server is not accessible!

Table 53: Available Modes of PAM

To configure the authentication against the local user database, choose local user database and optionally enable the debug mode, see Figure 58.

Figure 58: Configuration of Local User Database

When authenticating against the RADIUS or TACACS+ server, a user with the same name must exist locally. It can be created manually (see Chapter 6.1) or created automatically based on data from the RADIUS/TACACS+ server, if the Take Over Server Users option is enabled as described below.
To configure the authentication against a RADIUS server, choose RADIUS with fallback or RADIUS only as the PAM mode and set up all the required items, see Figure 59.

Figure 59: Configuration of RADIUS

Table 54 describes all the configuration options for the RADIUS PAM modes.

Server
    Address of the RADIUS server. Up to two servers can be configured.

Port
    Port of the RADIUS server.

Secret
    The secret for authentication to the RADIUS server.

Timeout
    Timeout for authentication to the RADIUS server.

Take Over Server Users
    If enabled, a new user account is created during the login in case the RADIUS authentication is successful and an appropriate local account does not exist. New accounts are created without a password. An existing user account with a password is never modified by this feature.

Default User Role
    Choose the user role (Admin or User). This role corresponds with the router's user roles, see Chapter 6.1. The selected role will be used for a user in case the Take Over Server Users option is enabled and the user's Service-Type set on the RADIUS server is missing or is not set to NAS-Prompt-User or Administrative-User. When Service-Type is set to NAS-Prompt-User, the User role will be used. When Service-Type is set to Administrative-User, the Admin role will be used.

Debug
    Enables or disables the logging of the RADIUS debug information into the System Log.

Table 54: Configuration of RADIUS

To configure the authentication against a TACACS+ server, choose TACACS+ with fallback or TACACS+ only as the PAM mode and set up all the required items, see Figure 60.

Figure 60: Configuration of TACACS+

Table 55 describes all the configuration options for the TACACS+ PAM modes.

Authentication Type
    Choose ASCII, PAP or CHAP as the authentication type.

Timeout
    Timeout for authentication to the TACACS+ server.

Server
    Address of the TACACS+ server. Up to two servers can be configured.

Port
    Port of the TACACS+ server.

Secret
    The secret for authentication to the TACACS+ server.

Take Over Server Users
    If enabled, a new user account is created during the login in case the TACACS+ authentication is successful and an appropriate local account does not exist. New accounts are created without a password. An existing user account with a password is never modified by this feature.

Default User Role
    Choose the user role (Admin or User). This role corresponds with the router's user roles, see Chapter 6.1. The selected role will be used for a new user when the Take Over Server Users item is enabled.

Debug
    Enables or disables the logging of the TACACS+ debug information into the System Log.

Table 55: Configuration of TACACS+

4.17.6 SNMP

The SNMP page allows you to configure the SNMP v1/v2 or v3 agent which sends information about the router (and optionally about its expansion ports) to a management station. To open the SNMP page, click SNMP in the Configuration section of the main menu.

SNMP (Simple Network Management Protocol) provides status information about network elements such as routers or endpoint computers. In version v3, the communication is secured (encrypted).

To enable the SNMP service, mark the Enable the SNMP agent check box. Sending SNMP traps to an IPv6 address is supported.

Name
    Designation of the router.

Location
    Location of where you installed the router.

Contact
    Person who manages the router, together with information on how to contact this person.

Table 56: SNMP Agent Configuration

To enable the SNMPv1/v2 function, mark the Enable SNMPv1/v2 access check box. It is also necessary to specify a password for access to the Community SNMP agent. The default setting is public. You can define a different password for the Read community (read only) and the Write community (read and write) for SNMPv1/v2.

You can also define 2 SNMP users for SNMPv3. You can define a user as read only (Read), and another as read and write (Write).
The router allows you to configure the parameters in the following table for every user separately. The router uses the parameters for SNMP access only. To enable the SNMPv3 function, mark the Enable SNMPv3 access check box, then specify the following parameters:

| Item | Description |
|---|---|
| Username | User name. |
| Authentication | Encryption algorithm of the Authentication Protocol that is used to verify the identity of the user. |
| Authentication Password | Password used to generate the key used for authentication. Enter valid characters only, see chap. 2.3! |
| Privacy | Encryption algorithm of the Privacy Protocol that is used to ensure confidentiality of data. |
| Privacy Password | Password for encryption on the Privacy Protocol. Enter valid characters only, see chap. 2.3! |

Table 57: SNMPv3 Configuration

Activating the Enable I/O extension function allows you to monitor the binary I/O inputs on the router.

Selecting Enable M-BUS extension and entering the Baudrate, Parity and Stop Bits lets you monitor the status of a meter connected via the M-BUS interface. An M-BUS expansion port is not currently supported, but it is possible to use an external RS232/M-BUS converter.

Selecting Enable reporting to supervisory system and entering the IP Address and Period lets you send statistical information to the monitoring system R-SeeNet.

| Item | Description |
|---|---|
| IP Address | IPv4 or IPv6 address. |
| Period | Period of sending statistical information (in minutes). |

Table 58: SNMP Configuration (R-SeeNet)

Each monitored value is uniquely identified by a numerical identifier, the OID (Object Identifier). This identifier consists of a sequence of numbers separated by dots. The shape of each OID is determined by the identifier of the parent element, to which a dot and the current number are appended, so the identifiers form a tree structure. The following figure displays the basic tree structure that is used for creating the OIDs.
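The following script is an added example, not part of the manual or Advantech's firmware. It polls the enterprise OIDs named in this chapter (internal temperature .1.3.6.1.4.1.30140.3.3, power voltage .1.3.6.1.4.1.30140.3.4 and the BIN0 input from Table 59) with the net-snmp `snmpget` tool over SNMPv3 authPriv, which is the only SNMP version this chapter describes as encrypted, and evaluates the readings against a threshold. The router address, SNMPv3 user and passwords, the temperature limit and the `.0` instance suffix on the temperature and voltage OIDs are assumptions; the sample agent output embedded at the end is constructed so the parsing can be exercised without a device.

```shell
#!/bin/sh
# Added example (not from the Advantech manual): poll the router's enterprise
# OIDs over SNMPv3 and evaluate the readings. Host, credentials and the
# temperature limit are assumed placeholders; the OIDs come from the manual.

ROUTER="${ROUTER:-192.0.2.1}"                     # assumed router address
SNMP_USER="${SNMP_USER:-monitor}"                 # assumed SNMPv3 read-only user
SNMP_AUTH_PASS="${SNMP_AUTH_PASS:-CHANGE_ME_AUTH}"
SNMP_PRIV_PASS="${SNMP_PRIV_PASS:-CHANGE_ME_PRIV}"
TEMP_LIMIT="${TEMP_LIMIT:-70}"                    # assumed limit, same unit as the OID value

OID_TEMP=".1.3.6.1.4.1.30140.3.3"      # internal temperature (manual)
OID_VOLT=".1.3.6.1.4.1.30140.3.4"      # power voltage (manual)
OID_BIN0=".1.3.6.1.4.1.30140.2.3.1.0"  # binary input BIN0 (manual, Table 59)

# Query the agent with SNMPv3 authPriv (net-snmp snmpget). -On prints numeric
# OIDs, which keeps the parsing below independent of loaded MIB files.
snmp_fetch() {
    snmpget -v3 -On -l authPriv -u "$SNMP_USER" -a SHA -A "$SNMP_AUTH_PASS" \
        -x AES -X "$SNMP_PRIV_PASS" "$ROUTER" "$@"
}

# Print the value of one OID from "snmpget -On" output read on stdin.
# Lines look like ".1.3.6.1.4.1.30140.3.3.0 = INTEGER: 41"; the ".0" instance
# suffix is accepted as well as the bare OID (assumption about the agent).
snmp_value() {
    awk -v oid="$1" '$1 == oid || $1 == (oid ".0") { sub(/^[^:]*: */, ""); print; exit }'
}

# Read a complete snmpget result on stdin, print a summary and return 1 when
# the temperature exceeds TEMP_LIMIT (2 when no usable temperature came back).
evaluate_router() {
    out=$(cat)
    temp=$(printf '%s\n' "$out" | snmp_value "$OID_TEMP")
    volt=$(printf '%s\n' "$out" | snmp_value "$OID_VOLT")
    bin0=$(printf '%s\n' "$out" | snmp_value "$OID_BIN0")
    case "$temp" in
        ''|*[!0-9-]*) echo "no usable temperature reading"; return 2 ;;
    esac
    echo "temperature=$temp voltage=$volt bin0=$bin0"
    if [ "$temp" -gt "$TEMP_LIMIT" ]; then
        echo "WARNING: temperature $temp above limit $TEMP_LIMIT"
        return 1
    fi
    return 0
}

# Constructed sample output in the "snmpget -On" format (not captured from a device).
SAMPLE_OUTPUT='.1.3.6.1.4.1.30140.3.3.0 = INTEGER: 41
.1.3.6.1.4.1.30140.3.4.0 = INTEGER: 24
.1.3.6.1.4.1.30140.2.3.1.0 = INTEGER: 1'

# Query the live router only when asked; otherwise evaluate the sample.
if [ "${1:-}" = "--live" ]; then
    snmp_fetch "$OID_TEMP" "$OID_VOLT" "$OID_BIN0" | evaluate_router
else
    printf '%s\n' "$SAMPLE_OUTPUT" | evaluate_router
fi
```

Run it with `--live` from a monitoring host once the SNMPv3 user from Table 57 exists on the router; the v1/v2 community strings from the previous paragraph travel in clear text, so a poller like this is the place where authPriv pays off.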
Figure 61: OID Basic Structure

The SNMP values that are specific to Advantech routers form a subtree starting at OID .1.3.6.1.4.1.30140. You interpret the OID in the following manner: iso.org.dod.internet.private.enterprises.conel

This means that the router provides, for example, information about the internal temperature (OID 1.3.6.1.4.1.30140.3.3) or about the power voltage (OID 1.3.6.1.4.1.30140.3.4). For the binary inputs and output, the following range of OIDs is used:

| OID | Description |
|---|---|
| .1.3.6.1.4.1.30140.2.3.1.0 | Binary input BIN0 (values 0,1) |
| .1.3.6.1.4.1.30140.2.3.2.0 | Binary output OUT0 (values 0,1) |
| .1.3.6.1.4.1.30140.2.3.3.0 | Binary input BIN1 (values 0,1) |

Table 59: Object identifier for binary inputs and output

The list of available and supported OIDs and other details can be found in the application note SNMP Object Identifiers [8].

Figure 62: SNMP Configuration Example

Figure 63: MIB Browser Example

To access a particular device, enter the IP address of the SNMP agent (the router) in the Remote SNMP agent field. After the IP address is entered, the dialog displays the internal variables in the MIB tree. You can also find the status of an internal variable by entering its OID.

The path to the objects is: iso / org / dod / internet / private / enterprises / Conel / protocols

The path to information about the router is: iso / org / dod / internet / mgmt / mib-2 / system

4.17.7 SMTP

Use the SMTP form to configure the Simple Mail Transfer Protocol (SMTP) client for sending e-mails. IPv6 e-mail servers are supported.

| Item | Description |
|---|---|
| SMTP Server Address | IPv4 address, IPv6 address or domain name of the mail server. |
| SMTP Port | Port the SMTP server is listening on. |
| Secure Method | none, SSL/TLS, or STARTTLS. The secure method has to be supported by the SMTP server. |
| Username | Name for the e-mail account. |
| Password | Password for the e-mail account. Enter valid characters only, see chap. 2.3! |
| Own E-mail Address | Address of the sender. |
Table 60: SMTP client configuration

The mobile service provider may block other SMTP servers; in that case you can only use the SMTP server of the service provider.

Figure 64: SMTP Client Configuration Example

You can send e-mails from the Startup script. The Startup Script dialog is located under Scripts in the Configuration section of the main menu.

The router also allows you to send e-mails over an SSH connection. Use the email command with the following parameters:

- -t e-mail address of the receiver
- -s subject, enter the subject in quotation marks
- -m message, enter the message in quotation marks
- -a attachment file
- -r number of attempts to send the e-mail (default setting: 2)

Commands and parameters can be entered only in lowercase.

Example of sending an e-mail:

```
email -t john@doe.com -s "System Log" -m "Attached" -a /var/log/messages
```

The command above sends an e-mail to the address john@doe.com with the subject "System Log", the body message "Attached" and the file messages (the System Log of the router) attached directly from the directory /var/log/.

4.17.8 SMS

Open the SMS page in the Services submenu of the Configuration section of the main menu. The router can automatically send SMS messages to a cell phone or an SMS message server when certain events occur. The form allows you to select which events generate an SMS message.

| Item | Description |
|---|---|
| Send SMS on power up | Activates/deactivates the automatic sending of an SMS message on power up. |
| Send SMS on connect to mobile network | Activates/deactivates the automatic sending of an SMS message when the router is connected to a mobile network. |
| Send SMS on disconnect to mobile network | Activates/deactivates the automatic sending of an SMS message when the router is disconnected from a mobile network. |
| Send SMS when datalimit exceeded | Activates/deactivates the automatic sending of an SMS message when the data limit is exceeded. |
| Send SMS when binary input on I/O port (BIN0) is active | Automatic sending of an SMS message after the binary input on the I/O port (BIN0) is active. The text of the message is given by the BIN0 SMS parameter. |
| Add timestamp to SMS | Activates/deactivates adding a time stamp to the SMS messages. The time stamp has the fixed format YYYY-MM-DD hh:mm:ss. |
| Phone Number 1 | Specifies the phone number to which the router sends the generated SMS. |
| Phone Number 2 | Specifies the phone number to which the router sends the generated SMS. |
| Phone Number 3 | Specifies the phone number to which the router sends the generated SMS. |
| Unit ID | The name of the router. The router sends the name in the SMS. |
| BIN0 SMS | Text of the SMS message when the first binary input is activated. |
| BIN1 SMS | Text of the SMS message when the second binary input is activated. |

Table 61: SMS Configuration

Remote Control via SMS

After you enter a phone number in the Phone Number 1 field, the router allows you to configure the control of the device using SMS messages. You can configure up to three numbers for incoming SMS messages. To enable the function, mark the Enable remote control via SMS check box. The default setting of the remote control function is active.

| Item | Description |
|---|---|
| Phone Number 1 | Specifies the first phone number allowed to access the router using an SMS. |
| Phone Number 2 | Specifies the second phone number allowed to access the router using an SMS. |
| Phone Number 3 | Specifies the third phone number allowed to access the router using an SMS. |

Table 62: Control via SMS

If you enter one or more phone numbers, you can control the router only with SMS messages sent from the specified phone numbers. If you enter the wild card character, you can control the router with SMS messages sent from any phone number.

Most of the control SMS messages do not change the router configuration.
For example, if the router is switched to the off-line mode using an SMS message, the router remains in this mode, but it returns to the on-line mode after a reboot. The only exception is the set profile command, which changes the configuration permanently, see the table below. To control the router using an SMS, send a message whose text contains only the control command. You can send control SMS messages in the following format:

| SMS | Description |
|---|---|
| go online sim 1 | Switch the mobile WAN to SIM1. |
| go online sim 2 | Switch the mobile WAN to SIM2. |
| go online | Switch the router to the online mode. |
| go offline | Switch the router to the off-line mode. |
| set out0=0 | Set the binary output to 0. |
| set out0=1 | Set the binary output to 1. |
| set profile std | Set the standard profile. This change is permanent. |
| set profile alt1 | Set the alternative profile 1. This change is permanent. |
| set profile alt2 | Set the alternative profile 2. This change is permanent. |
| set profile alt3 | Set the alternative profile 3. This change is permanent. |
| reboot | Reboot the router. |
| get ip | Respond with the IP address of the SIM card. |

Table 63: Control SMS

Note: Every received control SMS is processed and then deleted from the router! This may cause confusion when you want to use the AT-SMS protocol for reading received SMS (see the section below).

Advanced SMS control: If a received SMS contains an unknown command and remote control via SMS is enabled, the script located in /var/scripts/sms is run before the SMS is deleted. It is possible to define your own additional SMS commands using this script. A maximum of 7 words can be used in such an SMS. Since the script file is located in the RAM of the router, it is possible to add the creation of this file to the Startup Script. See the example in the Commands and Scripts Application Note [1].

AT-SMS Protocol

The AT-SMS protocol is a private set of AT commands supported by the routers.
It can be used to access the cellular module in the router directly via commonly used AT commands, to work with short messages (send SMS), and to read cellular module state information and settings.

Choosing Enable AT-SMS protocol on expansion port 1 and a Baudrate makes it possible to use the AT-SMS protocol on serial Port 1.

| Item | Description |
|---|---|
| Baudrate | Communication speed on expansion port 1 |

Table 64: Send SMS on the serial Port 1

Choosing Enable AT-SMS protocol on expansion port 2 and a Baudrate makes it possible to use the AT-SMS protocol on serial Port 2.

| Item | Description |
|---|---|
| Baudrate | Communication speed on expansion port 2 |

Table 65: Send SMS on the serial Port 2

By setting the parameters in the Enable AT-SMS protocol over TCP frame, you can enable the router to use the AT-SMS protocol on a TCP port. This function requires you to specify a TCP port number.

| Item | Description |
|---|---|
| TCP Port | TCP port on which sending/receiving SMS messages will be allowed. |

Table 66: Sending/receiving of SMS on the specified TCP port

If you establish a connection to the router through a serial interface or through the TCP protocol, you can use AT commands to manage SMS messages. Only the commands supported by the routers are listed in the following table. For other AT commands the OK response is always sent. There is no support for complex AT commands; in such a case the router sends the ERROR response.

| AT Command | Description |
|---|---|
| AT+CGMI | Returns the manufacturer specific identity |
| AT+CGMM | Returns the manufacturer specific model identity |
| AT+CGMR | Returns the manufacturer specific model revision identity |
| AT+CGPADDR | Displays the IP address of the Mobile WAN interface |
| AT+CGSN | Returns the product serial number |
| AT+CIMI | Returns the International Mobile Subscriber Identity number (IMSI) |
| AT+CMGD | Deletes a message from the location |
| AT+CMGF | Sets the presentation format of short messages |
| AT+CMGL | Lists messages of a certain status from a message storage area |
| AT+CMGR | Reads a message from a message storage area |
| AT+CMGS | Sends a short message from the device to the entered tel. number |
| AT+CMGW | Writes a short message to SIM storage |
| AT+CMSS | Sends a message from a SIM storage location value |
| AT+CNUM | Returns the phone number, if available (stored on SIM card) |
| AT+COPS? | Identifies the available mobile networks |
| AT+CPIN | Is used to find out the SIM card state and enter a PIN code |
| AT+CPMS | Selects SMS memory storage types to be used for short message operations |
| AT+CREG | Displays the network registration status |
| AT+CSCA | Sets the short message service centre (SMSC) number |
| AT+CSCS | Selects the character set |
| AT+CSQ | Returns the signal strength of the registered network |
| AT+GMI | Returns the manufacturer specific identity |
| AT+GMM | Returns the manufacturer specific model identity |
| AT+GMR | Returns the manufacturer specific model revision identity |
| AT+GSN | Returns the product serial number |
| ATE | Determines whether or not the device echoes characters |
| ATI | Transmits the manufacturer specific information about the device |

Table 67: List of AT Commands

A detailed description and examples of these AT commands can be found in the application note AT Commands (AT-SMS) [9].

Sending SMS from Router

There are several ways to send your own SMS from the router:

- Using the AT-SMS protocol described above: if you establish a connection to the router through a serial interface or through the TCP protocol, you can use AT commands to manage SMS messages. See the application note AT Commands (AT-SMS) [9].
- Using the HTTP POST method for remote execution, calling CGI scripts in the router. See the Commands and Scripts Application Note [1] for more details and an example.
- From the Web interface of the router, in the Administration section, Send SMS item, see Chapter 6.8.
- Using the gsmsms command, e.g. in a terminal when connected to the router via SSH. See the Commands and Scripts Application Note [1].

Examples of SMS Configuration

Example 1: Sending SMS Configuration

After powering up the router, the phone with the number entered in the dialog receives an SMS in the following format:

Router (Unit ID) has been powered up. Signal strength xx dBm.

After connecting to the mobile network, the phone with the number entered in the dialog receives an SMS in the following format:

Router (Unit ID) has established connection to mobile network. IP address xxx.xxx.xxx.xxx

After disconnecting from the mobile network, the phone with the number entered in the dialog receives an SMS in the following format:

Router (Unit ID) has lost connection to mobile network. IP address xxx.xxx.xxx.xxx

Figure 65: SMS Configuration for Example 1

Example 2: Sending SMS via Serial Interface on the Port 1

Figure 66: SMS Configuration for Example 2

Example 3: Control the Router Sending SMS from any Phone Number

Figure 67: SMS Configuration for Example 3

Example 4: Control the Router Sending SMS from Two Phone Numbers

Figure 68: SMS Configuration for Example 4

4.17.9 SSH

The SSH protocol (Secure Shell) allows a secure remote login to the router. The SSH service is configured on the SSH configuration page under the Services menu item. By ticking the Enable SSH service item, the SSH server on the router is enabled.

| Item | Description |
|---|---|
| Enable SSH service | Enabling of the SSH service. |
| Session Timeout | Inactivity timeout after which the session is closed. |
Table 68: Parameters for SSH service configuration

Figure 69: Configuration of HTTP service

4.17.10 Syslog

The system log, called syslog, is configured on this page. The size of the log can be restricted by a maximum number of rows. Optionally, an IP address and UDP port can be configured for real-time log distribution.

| Item | Description |
|---|---|
| Log Size | Log size restriction by the maximum number of its rows. |
| Remote IP Address | Optional IP address for real-time log distribution. |
| Remote UDP Port | Optional UDP port for real-time log distribution. |

Table 69: Syslog configuration

Figure 70: Syslog configuration

4.17.11 Telnet

Telnet is a protocol that provides a bidirectional, interactive, text-oriented communication facility with the router. The Telnet service is configured on the Telnet configuration page under the Services menu item.

| Item | Description |
|---|---|
| Enable Telnet service | Enabling of the Telnet service. |
| Maximum Sessions | Is used to close inactive sessions. The server terminates a Telnet session after it has not been used for the given number of seconds. The range is from 1 to 500. |

Table 70: Parameters for Telnet service configuration

Figure 71: Configuration of Telnet service

4.18 Expansion Port 1 & 2, USB Port

The RS232 and RS485 interfaces are configured via the Expansion Port 1 and Expansion Port 2 menu items respectively. The USB port is configured via the USB Port menu item. In the upper part of the configuration window, the port can be enabled and the type of the connected port is shown in the Port Type item. The other items are described in the table below. IPv6 TCP/UDP client/server are supported.

Figure 72: Expansion Port Configuration

| Item | Description |
|---|---|
| Baudrate | Applied communication speed. |
| Data Bits | Number of data bits. |
| Parity | Control parity bit: none (data is sent without parity), even (data is sent with even parity), odd (data is sent with odd parity). |
| Stop Bits | Number of stop bits. |
| Flow Control | Set the flow control to none or hardware. |
| Split Timeout | Time that splits the data stream into separate reports. If the gap between two characters exceeds this value (in milliseconds), any buffered characters are sent over the Ethernet port. |
| Protocol | Protocol: TCP (communication using the connection-oriented protocol TCP) or UDP (communication using the connectionless protocol UDP). |
| Mode | Mode of connection: TCP server (the router listens for incoming TCP connection requests) or TCP client (the router connects to a TCP server on the specified IP address and TCP port). |
| Server Address | When Mode is set to TCP client, it is necessary to enter the server address and TCP port. IPv4 and IPv6 addresses are allowed. |
| TCP Port | TCP/UDP port used for communication. The router uses the value for both the server and client modes. |
| Inactivity Timeout | Time period after which the TCP/UDP connection is interrupted in case of inactivity. |

Table 71: Expansion Port Configuration, serial interface

If you mark the Reject new connections check box, the router rejects any other connection attempt. This means that the router no longer supports multiple connections.

If you mark the Check TCP connection check box, the router verifies the TCP connection.

| Item | Description |
|---|---|
| Keepalive Time | Time after which the router verifies the connection. |
| Keepalive Interval | Length of time that the router waits for an answer. |
| Keepalive Probes | Number of tests that the router performs. |

Table 72: Expansion Port Configuration, Check TCP connection

When you mark the Use CD as indicator of the TCP connection check box, the router uses the carrier detect (CD) signal to verify the status of the TCP connection.
The CD signal verifies that another device is connected to the other side of the cable.

| CD | Description |
|---|---|
| Active | TCP connection is enabled |
| Nonactive | TCP connection is disabled |

Table 73: CD Signal Description

| DTR | Description (server) | Description (client) |
|---|---|---|
| Active | The router allows the establishment of TCP connections. | The router initiates a TCP connection. |
| Nonactive | The router denies the establishment of TCP connections. | The router terminates the TCP connection. |

Table 74: DTR Signal Description

When you mark the Use DTR as control of TCP connection check box, the router uses the data terminal ready (DTR) signal to control the TCP connection. The remote device sends a DTR signal to the router indicating that the remote device is ready for communication.

The changes in settings will apply after pressing the Apply button.

4.18.1 Examples of the Expansion Port Configuration

Figure 73: Example of Ethernet to serial communication configuration

Figure 74: Example of serial interface configuration

4.19 Scripts

It is possible to create your own shell scripts that are executed in specific situations. Go to the Scripts page in the Configuration section of the menu. The menu item expands to the Startup Script, Up/Down IPv4 and Up/Down IPv6 scripts; there are separate IPv4 and IPv6 scripts because the router implements an independent dual stack. For more examples of scripts and possible commands, see the Application Note Commands and Scripts [1].

4.19.1 Startup Script

Use the Startup Script window to create your own scripts, which are executed after all of the initialization scripts have run, right after the router is turned on or rebooted. To save the script, press the Apply button. Any changes made to a startup script take effect the next time the router is power cycled or rebooted. This can be done with the Reboot button in the Administration section, or by SMS message.
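The Advanced SMS control paragraph in Chapter 4.17.8 says that an SMS whose text is not a built-in control command is handed to /var/scripts/sms, that such a message may contain at most 7 words, and that the file can be created from the Startup Script because it lives in RAM. The script below is an added example of such a handler, not the manual's or Advantech's code: it accepts only two custom commands chosen for the example (sendlog and status), refuses everything else, and performs both actions with the email command and the -t, -s, -m, -a and -r flags documented in Chapter 4.17.7. It assumes that the router passes the words of the SMS as positional parameters, that a logger command is available for the system log, and that the recipient address admin@example.com is replaced with a real one.

```shell
#!/bin/sh
# Added example (not from the Advantech manual): handler for custom SMS
# commands, meant to be installed as /var/scripts/sms from the Startup Script.
# The manual says the router runs this script when remote control via SMS is
# enabled and the SMS text is not a built-in command. ASSUMPTION: the words
# of the SMS (at most 7) arrive as positional parameters. The admin address
# and the two custom commands are chosen for the example.

ADMIN_MAIL="${ADMIN_MAIL:-admin@example.com}"   # assumed recipient
EMAIL_CMD="${EMAIL_CMD:-email}"                  # the router's email command (manual)
MAX_WORDS=7                                       # word limit stated in the manual

# Accept only the allow-listed custom commands within the documented word
# limit. Everything else is refused before any action is taken.
sms_command_allowed() {
    [ "$#" -ge 1 ] && [ "$#" -le "$MAX_WORDS" ] || return 1
    case "$1" in
        sendlog|status) return 0 ;;
        *) return 1 ;;
    esac
}

# Execute one accepted command. Both actions reuse the email command with the
# flags the manual documents (-t, -s, -m, -a, -r); three delivery attempts.
run_sms_command() {
    case "$1" in
        sendlog)
            "$EMAIL_CMD" -t "$ADMIN_MAIL" -s "System Log" -m "Attached" \
                -a /var/log/messages -r 3 ;;
        status)
            "$EMAIL_CMD" -t "$ADMIN_MAIL" -s "Router status" \
                -m "$(uptime)" -r 3 ;;
    esac
}

# Entry point: validate, act, and note refused messages in the system log.
# Only the word count is logged, so untrusted SMS text never reaches the log.
handle_sms() {
    if sms_command_allowed "$@"; then
        run_sms_command "$@"
    else
        command -v logger >/dev/null 2>&1 && \
            logger -t sms-handler "refused custom SMS command ($# words)"
        return 1
    fi
}

# Dispatch only when the router actually passed an SMS; sourcing the file
# for inspection does nothing.
if [ "$#" -gt 0 ]; then
    handle_sms "$@"
fi
```

To install it from the Startup Script, write the file with a quoted heredoc (cat > /var/scripts/sms <<'EOF' ... EOF) and mark it executable with chmod +x; because Table 62 already restricts which phone numbers may send control messages, this handler only has to decide what the remaining text is allowed to do, and an allow list with a fixed set of verbs keeps that decision auditable.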
4.19.2 Example of Startup Script

Figure 75: Example of a Startup Script

When the router starts up, stop the syslogd program and start syslogd with remote logging to the address 192.168.2.115, limited to 100 entries. Add these lines to the startup script:

```
killall syslogd
syslogd -R 192.168.2.115 -S 100
```

4.19.3 Up/Down Scripts

Use the Up/Down IPv4 and Up/Down IPv6 pages to create scripts that are executed when the Mobile WAN connection is established (up) or lost (down). An independent IPv4 and IPv6 dual stack is implemented in the router, so there are independent IPv4 and IPv6 Up/Down scripts. The IPv4 Up/Down Script runs only when the IPv4 WAN connection is established/lost; the IPv6 Up/Down Script runs only when the IPv6 WAN connection is established/lost.

Any script entered into the Up Script window runs after a WAN connection is established. Script commands entered into the Down Script window run when the WAN connection is lost. The changes in settings will apply after pressing the Apply button. You also need to reboot the router to make the Up/Down Script work.

4.19.4 Example of IPv6 Up/Down Script

Figure 76: Example of IPv6 Up/Down Script

After establishing or losing an IPv6 WAN connection (connection to the mobile network), the router sends an e-mail with information about the connection state. SMTP must be configured beforehand. Add this line to the Up Script field:

```
email -t name@domain.com -s "Router" -m "Connection up."
```

Add this line to the Down Script field:

```
email -t name@domain.com -s "Router" -m "Connection down."
```

4.20 Automatic Update Configuration

The router can be configured to automatically check for firmware updates from an FTP site or a web server and update its firmware or configuration. IPv6 sites/servers are supported. Use the Automatic update menu to configure the automatic update settings. It is also possible to update the configuration and firmware through the USB host connector of the router.
To prevent possible unwanted manipulation of the files, the router verifies that the downloaded file is in the tar.gz format. First the format of the downloaded file is checked; then the architecture type and each file in the archive (tar.gz file) are checked.

If the Enable automatic update of configuration option is selected, the router checks whether there is a configuration file on the remote server, and if the configuration in the file differs from its current configuration, it updates its configuration to the new settings and reboots.

If the Enable automatic update of firmware option is checked, the router looks for a new firmware file and updates its firmware if necessary.

The configuration file name consists of the Base URL, the hardware MAC address of the ETH0 interface and the cfg extension. The hardware MAC address and the cfg extension are added to the file name automatically, so it is not necessary to enter them. When the Unit ID parameter is set, it defines the exact configuration name that will be downloaded to the router, and the hardware MAC address is not used in the configuration name.

The firmware file name consists of the Base URL, the type of router and the bin extension. For the proper firmware filename, see the Update Firmware page in the Administration section, where it is written out, see Chapter 6.11.

It is necessary to load two files (*.bin and *.ver) onto the HTTP/FTP server. If only the *.bin file is uploaded and the HTTP server sends the incorrect answer 200 OK (instead of the expected 404 Not Found) when the device tries to download the nonexistent *.ver file, the router may download the *.bin file over and over again.

A firmware update can cause incompatibility with the user modules. It is recommended that you update the user modules to the most recent version. Information about the compatibility of user modules with the firmware is at the beginning of each user module's Application Note.
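The two paragraphs above define how the router builds the configuration and firmware file names, and the *.ver paragraph describes a server misbehaviour (200 OK for a nonexistent file) that makes the router re-download the firmware endlessly. The script below is an added example, not part of the manual or the router's firmware, for the host that publishes the update files: it derives the names the router will request and, with curl, checks that both firmware files answer 200 and that a made-up name answers 404 before the files are pushed into production. The base URL https://example.com/, the router type SPECTRE-v3-LTE and the MAC address 00:11:22:33:44:55 are the manual's own example values; treating the Base URL as a directory (adding a trailing slash when missing) is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the Advantech manual): derive the file names the
# Automatic Update feature requests, and check the HTTP server before
# publishing so the router cannot fall into the ".bin downloaded over and
# over" situation the manual describes. Placeholders come from the manual's
# examples.

# Configuration file name: <Base URL><Unit ID>.cfg, or, without a Unit ID,
# the MAC address of ETH0 with dots in place of colons (manual, Chapter 4.20.2).
# ASSUMPTION: the Base URL is a directory; a missing trailing slash is added.
config_url() {   # $1 = base URL, $2 = Unit ID (may be empty), $3 = ETH0 MAC
    base="${1%/}/"
    if [ -n "$2" ]; then
        printf '%s%s.cfg\n' "$base" "$2"
    else
        printf '%s%s.cfg\n' "$base" "$(printf '%s' "$3" | tr ':' '.')"
    fi
}

# Firmware file names: <Base URL><router type>.bin plus the companion .ver
# file that the manual requires to be uploaded alongside it.
firmware_urls() {   # $1 = base URL, $2 = router type from the Update Firmware page
    base="${1%/}/"
    printf '%s%s.bin\n%s%s.ver\n' "$base" "$2" "$base" "$2"
}

# HTTP status code for a URL (HEAD request via curl; 000 when unreachable).
http_status() {
    curl -sS -I -o /dev/null -w '%{http_code}' --max-time 10 "$1" 2>/dev/null || echo 000
}

# Judge three status codes the way the router's behaviour requires: both
# firmware files must answer 200 and a nonexistent name must answer 404
# (a server that answers 200 for everything triggers the repeated download).
judge_server() {   # $1 = status of .bin, $2 = status of .ver, $3 = status of a bogus name
    [ "$1" = 200 ] || { echo "firmware .bin not served (HTTP $1)"; return 1; }
    [ "$2" = 200 ] || { echo "firmware .ver missing (HTTP $2); the router would retry the .bin"; return 1; }
    [ "$3" = 404 ] || { echo "server answers HTTP $3 for a nonexistent file; expected 404"; return 1; }
    echo "server answers as the router expects"
    return 0
}

# Live check of a real server: fetch the three status codes and judge them.
server_ready() {   # $1 = base URL, $2 = router type
    base="${1%/}/"
    judge_server "$(http_status "${base}$2.bin")" "$(http_status "${base}$2.ver")" \
                 "$(http_status "${base}does-not-exist-$$.ver")"
}

# Values below are the manual's example values, not a real deployment.
if [ "${1:-}" = "--check" ]; then
    server_ready "https://example.com/" "SPECTRE-v3-LTE"
else
    config_url "https://example.com/" "" "00:11:22:33:44:55"
    config_url "https://example.com/" "test" "00:11:22:33:44:55"
    firmware_urls "https://example.com/" "SPECTRE-v3-LTE"
fi
```

Run it without arguments to print the names to upload (the same ones that appear in the examples of Chapters 4.20.1 and 4.20.2), and with --check from a host that can reach the update server to confirm that the server's 404 behaviour is intact; a "friendly" web server that rewrites missing files to an index page with status 200 fails the third check.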
The automatic update feature is also executed five minutes after a firmware upgrade, regardless of the scheduled time.

| Item | Description |
|---|---|
| Source | Select the location of the update files: HTTP(S)/FTP(S) server (updates are downloaded from the Base URL address below; the protocol is given by that address: HTTP, HTTPS, FTP or FTPS, only implicit mode is supported), USB flash drive (the router looks for the current firmware or configuration in the root directory of the connected USB device), or Both (the router looks for the current firmware or configuration in both sources). |
| Base URL | Base URL, IPv4 or IPv6 address from which the configuration file will be downloaded. This option also specifies the communication protocol (HTTP, HTTPS, FTP or FTPS), see the examples below. |
| Unit ID | Name of the configuration (name of the file without extension). If the Unit ID is not filled in, the MAC address of the router is used as the filename (with a dot in place of each colon delimiter, see the example in Chapter 4.20.2). |
| Decryption Password | Password for decryption of an encrypted configuration file. This is required only when the configuration is encrypted. |
| Update Window Start | Choose the hour (range from 1 to 24) at which the automatic update is performed on a daily basis. If the time is not specified (set to dynamic), the automatic update is performed five minutes after the router boots up and then regularly every 24 hours. |
| Update Window Length | This value defines the period within which the update will be done. The period starts at the time set in the Update Window Start field. The exact time of the update is chosen randomly within this period. |

Table 75: Automatic Update Configuration

4.20.1 Example of Automatic Update

In the following example the router checks for a new firmware or configuration file each day at 1:00 a.m. This example is given for the SmartFlex router.
- Firmware file: https://example.com/SPECTRE-v3-LTE.bin
- Configuration file: https://example.com/test.cfg

Figure 77: Example of Automatic Update 1

4.20.2 Example of Automatic Update Based on MAC

The following example checks for new firmware or configurations each day between 1:00 a.m. and 3:00 a.m. The configuration file is encrypted, therefore the decryption password was configured. This example is given for the SmartFlex router with MAC address 00:11:22:33:44:55.

- Firmware file: https://example.com/SPECTRE-v3-LTE.bin
- Configuration file: https://example.com/00.11.22.33.44.55.cfg

Figure 78: Example of Automatic Update 2

5. Customization

5.1 User Modules

You may run custom software programs in the router to enhance its features. Use the User Modules menu item to add new software modules to the router, to remove them, or to change their configuration. Use the Browse button to select the user module (a compiled module has the tgz extension). Use the Add button to add a user module.

Figure 79: User modules

The new module appears in the list of modules on the same page. If the module contains an index.html or index.cgi page, the module name serves as a link to this page. The module can be deleted using the Delete button.

Updating a module is done the same way. Click the Add button and the module with the higher (newer) version replaces the existing module. The current module configuration is left in the same state. Programming and compiling of modules is described in the Application Note Programming of User Modules [10].

Figure 80: Added user module

User modules can be custom-programmed. Some typical user modules are prepared by the manufacturer and are available on the website for download.
5.1.1 Examples of Available User Modules

Here are a few examples of the user modules that are available on the website:

Connectivity
  Band Select: Adjust the portfolio of frequency bands which the router supports
  Backup APN: Switch to a secondary APN if the primary fails
  Ethernet Mirroring: Mirror traffic from one Ethernet interface to another
  Modem Bonding: Bond connectivity of multiple routers to a single master
  PPP Gateway: Provide internet access to older devices connected via a serial line only
  Transparent mode: Transfer the mobile WAN IP address to the connected device on ETH
  Easy VPN client: Provides a secure connection of the LAN network behind our router with the LAN network behind a CISCO router
  WiFi SSID Switch: Automatically switch between up to four Wi-Fi Access Points
  WiFi STA Relay: WiFi station transparent mode (interface in client mode bridged to ETH)
  802.1X Authenticator: Requires an external RADIUS server; list of exempted MAC addresses
  Layer 2 Firewall (L2FW): Allow or deny traffic from a given MAC address
  NAT: Source NAT (SNAT) and Destination NAT (DNAT)
  URL Blocker: Block selected domain names (URLs)

Table 76: Connectivity User Modules

Routing
  RIP, RIPng: RIP v1 (RFC 1058); RIP v2 (RFC 2453); RIPng for IPv6 (RFC 2080); RIP-2 MD5 Authentication (RFC 2082)
  OSPF: OSPF v2 (RFC 2328); OSPF v3 for IPv6 (RFC 2740); Opaque LSA Option (RFC 2370); Not-So-Stubby Area (NSSA) (RFC 3101); Stub Router Advertisement (RFC 3137)
  IPSec-Tools: IPSec-Tools is used for IPsec configuration. This user module uses Racoon instead of OpenSwan.
  IS-IS: IS-IS (ISO/IEC 10589, RFC 1195); IPv6 support (RFC 5308)
  NHRP: NHRP (RFC 2332)
  DMVPN
  BGP: BGP v4 (RFC 1771); Autonomous Systems (RFC 1965); Communities Attribute (RFC 1997); Capabilities Advertisement (RFC 2842); Multiprotocol Extensions (RFC 2858); Multiprotocol Extensions for IPv6 Inter-Domain Routing (RFC 2545); Route Reflection (RFC 2796)
  PIM-SM: Revised PIM-SM protocol (RFC 4601); Bootstrap Router (BSR) Mechanism (RFC 5059)
  OpenVPN custom config: Text-based configuration of OpenVPN tunnels
  EasyVPN Client: Provides a secure (encrypted) connection between two LAN networks
  Stunnel: Encrypted network tunnel

Table 77: Routing User Modules

Services
  Captive Portal: Welcome / Ban page for Wi-Fi users; password based authentication; transfer rate limitations; disconnection after a given time period or after reaching a data limit; status overview; submission of statistics to an external log server
  GPS: Report GPS position via SNMP; forward raw NMEA output to an expansion port and/or remote sockets; synchronize local time
  NetFlow/IPFIX: NetFlow v5, NetFlow v9, or IPFIX protocol; deterministic, random or hash sampler; export to a remote Collector, or to a limited local Collector; intake flows from external Probes
  NTRIP Client: Helps to obtain extremely precise positions by using data from an RTK base station via the Ntrip protocol
  NTP client, NTP server: NTPv4 protocol
  File Uploader: Invoked periodically; downloads files from a given FTP source; uploads files to a given (S)FTP target; removes old files
  Samba: Windows Share (samba) for the router directory /var/data/samba
  Send Report: Periodically sends System log and Report files to an e-mail and/or FTP

Table 78: Services User Modules

Administration
  Daily Reboot: Reboot the router at a given time
  Sleep Mode: Configure the low-power mode at a specific time and/or binary status
  Customer Logo: Custom image on the Web Admin pages
  HTTPS Login Banner: Custom information banner ahead of the login form
  Loopback: Creates a virtual interface for managing the router
  Ethernet Port Detector: Sends SNMP Trap and/or SMS upon Ethernet cable disconnection
  Pinger: Automatic line failing / line lost check; when the line is lost, sends SNMP Trap, e-mail or SMS, restarts the mobile connection or reboots the router
  TCP SYN Keep-Alive: Check the ability to set up a TCP connection with a given peer
  Firmware Over-The-Air: Update firmware of the cellular module "over the air" (FOTA)
  PduSMS: Send an SMS longer than the common 160 characters
  CURL: A tool to transfer data (command: curl)
  SCEP Client: Command line tool for certificate enrollment; protocol per draft-gutmann-scep-16
  SSH Client: Secure Shell connection (command: ssh)
  Ext4 Tools: Support for these commands: mke2fs, e2fsck, mount, umount
  NMAP: A tool for network exploration and security auditing (command: nmap)
  Midnight Commander: Visual file manager (command: mc)
  Vim Editor: Highly configurable text editor (command: vim)
  Web Terminal: Access to the router's console via the web administration GUI

Table 79: Administration User Modules

Protocol Conversion
  AT Modem Emulator: Converts AT commands to TCP/IP and vice versa; HAYES compatible
  Serial to network proxy (ser2net): TCP/IP server to access a serial port; Telnet control protocol (RFC 2217)
  Serial2TCP: TCP/IP client to access a serial port from one or more servers
  Packet Splitter: Splits a TCP, UDP or RS232 data flow to multiple targets
  WoLGateway: Listens on a specific UDP port and forwards traffic to a broadcast address
  DF1-Ethernet: Converts the DF1 serial protocol to AB CSPv4 and/or industrial EtherNet/IP
  DNP3 Outstation: Provides data from Binary inputs, Analog inputs and Counters; DNP routing table
  IEC101-104: Converts the IEC 60870-5-101 serial protocol to the IEC 60870-5-104 IP protocol; ASDU conversions
  Suite HT of protocols: Forwards TCP/IP queries from an AMR system to a meter on a serial line
  wM-BUS concentrator: Store messages received via wireless M-BUS to an XML file at an FTP
  Operating Hours Counter: Resettable and non-resettable time counter for each binary input; value can be retrieved via MODBUS
  Modbus logger: Logging traffic on a Modbus RTU device connected to the serial interface; store data to a remote FTP(S) server
  Modbus to LwM2M: Works as a Modbus/TCP master; interconnects Modbus/TCP devices with a LwM2M device
  Modbus to MQTT: Works as an MQTT publisher/subscriber; interconnects Modbus/TCP devices with an MQTT broker
  ALPHA-MODBUS: Converts data from Mitsubishi ALPHA2 to Modbus TCP
  MODBUS-RTU2TCP: Converts Modbus RTU over a serial line into Modbus TCP messages
  MODBUS-RTUMAP: Maps RTU from more Modbus slaves to one Modbus TCP connection
  MODBUS-TCP2RTU: Converts Modbus TCP messages into Modbus RTU over a serial line

Table 80: Protocol Conversion User Modules

Node-RED
  FTP Node: LIST, GET, PUT and DELETE files on a remote FTP server
  GPSd Node: Retrieving data from a GPS module via the GPSd Service Daemon
  gzip Node: Compress/decompress tools
  KNX Node: KNX device, KNX out and KNX in nodes
  Modbus Node: Serial and TCP Modbus nodes
  MQTT Node: MQTT Broker node
  Splunk Node: Publish to Splunk's HTTP Event Collector

Table 81: Node-RED User Modules

Integration
  Cumulocity: https://www.softwareag.cloud/site/product/cumulocity-iot.html
  Docker: https://www.docker.com/
  Eltima USB over Ethernet: https://www.eltima.com/products/usb-over-ethernet/
  VPN Portal: https://icr.advantech.cz/products/software/webaccess-vpn
  WebAccess/DMP: https://icr.advantech.cz/products/software/webaccess-dmpgen2
  Zabbix Agent: https://www.zabbix.com

Table 82: Integration User Modules

Development
  Advantech SDK: https://icr.advantech.cz/devzone/advanced-usage-andscripting
  Azure IoT SDK Python: https://github.com/Azure/azure-iot-sdk-python
  Python, Python3: https://www.python.org/
  Node.js: https://nodejs.org/en/
  LUA: https://www.lua.org/
  GDB (GNU Debugger): https://www.gnu.org/software/gdb/

Table 83: Development User Modules

In some cases, a firmware update can cause incompatibility with installed user modules. Some of them depend on the Linux kernel version. The best practice is to update user modules to the most recent version. Information about the user module and firmware compatibility can be found at the beginning of its Application Note.

6. Administration

6.1 Users

This configuration menu is only available for users with the admin role!

For the management of users, open the Users form in the Administration section of the main menu. The first part of this configuration form contains an overview of all existing users. The table below describes the meaning of the buttons.

  Lock: Locks the user account. This user is not allowed to log in to the router, neither to the web interface nor to SSH.
  Change Password: Allows you to change the password for the corresponding user. Valid characters are not restricted.
  Delete: Deletes the user account.

Table 84: Users Overview

Be careful not to lock all users with the Admin role. In this state, no user has the access rights to configure users!

The second part of the configuration form allows you to add a new user. All items are described in the table below.

  Role: Specifies the type of user account:
    · User: user with basic permissions.
    · Admin: user with enhanced permissions; has full access to the web GUI and access to the router via Telnet, SSH or SFTP. This user does not have the same rights as the superuser on Linux-based systems.
  Username: Specifies the name of the user having access to log in to the device.
  Password: Specifies the password for the user. Valid characters are not restricted.
  Confirm Password: Confirms the password.

Table 85: Add User

A user with the User role cannot access the router via Telnet, SSH or SFTP. Read-only access to the FTP server is allowed.
Figure 81: Users

6.2 Change Profile

In addition to the standard profile, up to three alternate router configurations (profiles) can be stored in the router's non-volatile memory. You can save the current configuration to a router profile through the Change Profile menu item. Select the alternate profile to store the settings to and ensure that the Copy settings from current profile to selected profile box is checked. The current settings will be stored in the alternate profile after the Apply button is pressed. Any changes will take effect after restarting the router through the Reboot menu in the web administration or using an SMS message.

Example of using profiles: Profiles can be used to switch between different modes of operation of the router, such as PPP connection, VPN tunnels, etc. It is then possible to switch between these settings using the front panel binary input, an SMS message, or the web interface of the router.

Figure 82: Change Profile

6.3 Change Password

Use the Change Password configuration form in the Administration section of the main menu to change the password used to log on to the device. Enter the new password in the New Password field, confirm the password using the Confirm Password field, and press the Apply button. Characters for the password are not restricted.

The default password for the root user is printed on the router's label. To maintain the security of your network, change the default password. You cannot enable remote access to the router (for example, in NAT) until you change the password.

Figure 83: Change Password

6.4 Set Real Time Clock

You can set the internal clock directly using the Set Real Time Clock dialog in the Administration section of the main menu. You can set the Date and Time manually. When entering the values manually, use the format yyyy-mm-dd as seen in the figure below. You can also adjust the clock using the specified NTP server. An IPv4 address, IPv6 address or domain name is supported. After you enter the appropriate values, click the Apply button.

Figure 84: Set Real Time Clock

6.5 Set SMS Service Center

The function requires you to enter the phone number of the SMS service center to send SMS messages. To specify the SMS service center phone number, use the Set SMS Service Center configuration form in the Administration section of the main menu. You can leave the field blank if your SIM card contains the phone number of the SMS service center by default. This phone number can have a value without an international prefix (xxx-xxx-xxx) or with an international prefix (+420-xxx-xxx-xxx). If you are unable to send or receive SMS messages, contact your carrier to find out if this parameter is required.

Figure 85: Set SMS Service Center Address

6.6 Unlock SIM Card

It is possible to use a SIM card protected by a PIN number in the router; just fill in the PIN on the Mobile WAN Configuration page. Here you can remove the PIN protection (4 to 8 digit Personal Identification Number) from the SIM card, if your SIM card is protected by one. Open the Unlock SIM Card form in the Administration section of the main menu and enter the PIN number in the SIM PIN field, then click the Apply button. It is applied to the currently enabled SIM card, or to the first SIM card if there is no SIM card enabled at the moment.

The SIM card is blocked after three failed attempts to enter the PIN code. Unblocking the SIM card with the PUK number is described in the next chapter.

Figure 86: Unlock SIM Card

6.7 Unblock SIM Card

On this page you can unblock the SIM card after 3 wrong PIN attempts or change the PIN code of the SIM card. To unblock the SIM card, go to the Unblock SIM Card administration page. In both cases, enter the PUK code into the SIM PUK field and the new SIM PIN code into the New SIM PIN field. To proceed, click the Apply button. It is applied to the currently enabled SIM card, or to the first SIM card if there is no SIM card enabled at the moment.

The SIM card will be permanently blocked after three unsuccessful attempts at entering the PUK code.

Figure 87: Unblock SIM Card

6.8 Send SMS

You can send an SMS message from the router to test the cellular network. Use the Send SMS dialog in the Administration section of the main menu to send SMS messages. Enter the Phone number and the text of your message in the Message field, then click the Send button. The router limits the maximum length of an SMS to 160 characters. (To send longer messages, install the pduSMS user module.)

Figure 88: Send SMS

It is also possible to send an SMS message using a CGI script. For details of this method, see the application note Commands and Scripts [1].

6.9 Backup Configuration

Keep in mind potential security issues when creating a backup, especially for user accounts. An encrypted configuration or a secured connection to the router should be used.

You can save the actual configuration of the router using the Backup Configuration item in the Administration menu section. If you click on this item a configuration pane will open, see Figure 89. Here you can choose what will be backed up. You can back up the configuration of the router (item Configuration) or the configuration of all user accounts (item Users). Both types of configuration can be backed up separately or at once into one configuration file. It is recommended to save the configuration into an encrypted file. If the encryption password is not configured, the configuration is stored in an unencrypted file. Click the Apply button and the configuration will be stored in a configuration file (file with cfg extension) in a directory according to the settings of the web browser. The stored configuration can later be used for its restoration, see Chapter 6.10 for more information.
Figure 89: Backup Configuration

6.10 Restore Configuration

Due to the different format, it is not possible to import user accounts backed up on a router of the v1 product line (and older) to a router of the v2 product line (and newer). The same limitation applies in the opposite direction.

You can restore a configuration of the router stored in a file using the Restore Configuration form. Click the Browse button to navigate to the directory containing the configuration file you wish to load to the router. If the configuration was stored in an encrypted file, the decryption password must be set to decrypt the file successfully. To start the restoration process, click the Apply button.

Figure 90: Restore Configuration

6.11 Update Firmware

For security reasons, we highly recommend updating the router's firmware to the latest version regularly. Downgrading the firmware to an older version than the production version or uploading firmware intended for a different device may cause the malfunction of the device.

The firmware update can cause an incompatibility issue with a user module. It is recommended to update all user modules to the most recent version together with the firmware of the router. Information about the user module compatibility is available at the beginning of the module's Application Note.

Firmware for the routers can be obtained on the product page on the Engineering Portal, which is available at https://icr.advantech.cz/support/router-models.

The Update Firmware administration page shows the current router firmware version and the current firmware name, see Figure 91. On this page, the firmware of the router can be updated as well.

Figure 91: Update Firmware Administration Page

To load new firmware to the router, click the Choose File button, choose the firmware file and press the Update button to start the firmware update.

During the firmware update, the router will display messages, as shown in Figure 92. When done, the router will reboot automatically. When rebooted, click the here link to re-open the web interface.

Figure 92: Process of Firmware Update

6.12 Reboot

To reboot the router, select the Reboot menu item and then press the Reboot button.

Figure 93: Reboot

6.13 Logout

By clicking the Logout menu item, the user is logged out from the web interface.

7. Configuration in Typical Situations

Although Advantech routers have a wide variety of uses, they are commonly used in the following ways. All the examples below are for IPv4 networks.

7.1 Access to the Internet from LAN

Figure 94: Access to the Internet from LAN sample topology

In this example, a LAN connecting to the Internet via a mobile network, the SIM card with a data tariff has to be provided by the mobile network operator. This requires no initial configuration. You only need to place the SIM card in the SIM1 slot (Primary SIM card), attach the antenna to the ANT connector and connect the computer (or switch and computers) to the router's ETH0 interface (LAN). Wait a moment after turning on the router. The router will connect to the mobile network and the Internet. This will be indicated by the LEDs on the front panel of the router (WAN and DAT). Additional configuration can be done in the Ethernet and Mobile WAN items in the Configuration section of the web interface.

Ethernet configuration: The factory default IP address of the router's ETH0 interface is 192.168.1.1. This can be changed (after login to the router) in the Ethernet item in the Configuration section, see Figure 95. In this case there is no need for any additional configuration. The DHCP server is also enabled by factory default (so the first connected computer will get the 192.168.1.2 IP address, etc.). Other configuration options are described in Chapter 4.1.
Figure 95: Access to the Internet from LAN Ethernet configuration

Mobile WAN configuration: Use the Mobile WAN item in the Configuration section to configure the connection to the mobile network, see Figure 96. In this case (depending on the SIM card) the configuration form can be blank. But make sure that Create connection to mobile network is checked (this is the factory default). For more details, see Chapter 4.3.1.

Figure 96: Access to the Internet from LAN Mobile WAN configuration

To check whether the connection is working properly, go to the Mobile WAN item in the Status section. You will see information about the operator, signal strength, etc. At the bottom, you should see the message: Connection successfully established. The Network item should display information about the newly created network interface, usb0 (mobile connection). You should also see the IP address provided by the network operator, as well as the route table, etc. The LAN now has Internet access.

7.2 Backup Access to the Internet from LAN

Figure 97: Backup access to the Internet sample topology

The configuration form on the Backup Routes page lets you back up the primary connection with alternative connections to the Internet/mobile network. Each backup connection can be assigned a priority.

Figure 98: Backup access to the Internet Ethernet configuration

Ethernet configuration: In the Ethernet > ETH0 item, you can use the factory default configuration as in the previous situation. The ETH1 interface on the front panel of the router is used for connection to the Internet. It can be configured in the ETH1 menu item. Connect the cable to the router and set the appropriate values as in Figure 98. You may configure the static IP address, default gateway and DNS server. Changes will take effect after you click the Apply button. Detailed Ethernet configuration is described in Chapter 4.1.

WLAN configuration: To use the WLAN you will need to configure the WiFi station in the WiFi > Station item, as shown in Figure 99. Check Enable WiFi STA, enable the DHCP client and fill in the addresses of the default gateway and DNS server. Next, fill in the data for the connection (SSID, authentication, encryption, WPA PSK Type and password). For details see Chapter 4.6. Click the Apply button to confirm the changes. To verify that the WiFi connection is successful, check the WiFi item in the Status section. If the connection is successful you should see the following message: wpa_state=COMPLETED.

Figure 99: Backup access to the Internet WiFi configuration

Mobile WAN configuration: To configure the mobile connection it should be sufficient to insert the SIM card into the SIM1 slot and attach the antenna to the ANT connector (depending on the SIM card you are using). To set up backup routes you will need to enable Check Connection in the Mobile WAN item (see Figure 100). Set the Check connection option to enabled + bind, fill in the IP address of the mobile operator's DNS server or any other reliably available server, and enter the time interval of the check. For detailed configuration, see Chapter 4.3.1.

Figure 100: Backup access to the Internet Mobile WAN configuration

Backup Routes configuration: After setting up the backup routes you will need to set their priorities. In Figure 101, the ETH1 wired connection has the highest priority. If that connection fails, the second choice will be the WiFi wlan0 network interface. The third choice will be the mobile connection usb0 network interface. The backup routes system must be activated by checking the Enable backup routes switching item for each of the routes. Click the Apply button to confirm the changes. For detailed configuration see Chapter 4.7.

You can verify the configured network interfaces in the Status section in the Network item. You will see the active network interfaces: eth0 (connection to LAN), eth1 (wired connection to the Internet), wlan0 (WiFi connection to the Internet) and usb0 (mobile connection to the Internet). IP addresses and other data are included. At the bottom of the page you will see the Route Table and the corresponding changes if a wired connection fails or a cable is disconnected (the default route changes to wlan0). Similarly, if a WiFi connection is not available, the mobile connection will be used.

Figure 101: Backup access to the Internet Backup Routes configuration

Backup routes work even if they are not activated in the Backup Routes item, but the router will use the factory defaults.

7.3 Secure Networks Interconnection or Using VPN

Figure 102: Secure networks interconnection sample topology

VPN (Virtual Private Network) is a protocol used to create a secure connection between two LANs, allowing them to function as a single network. The connection is secured (encrypted) and authenticated (verified). It is used over public, untrusted networks, see Figure 102. You may use several different secure protocols:

· OpenVPN (it is a configuration item in the web interface of the router), see Chapter 4.11 or Application Note [4],
· IPsec (it is also a configuration item in the web interface of the router), see Chapter 4.12 or Application Note [5].

You can also create non-encrypted tunnels: GRE, PPTP and L2TP. You can use a GRE or L2TP tunnel in combination with IPsec to create VPNs.

There is an example of an OpenVPN tunnel in Figure 102. To establish this tunnel you will need the opposite router's IP address, the opposite router's network IP address (not necessary) and the pre-shared secret (key). Create the OpenVPN tunnel by configuring the Mobile WAN and OpenVPN items in the Configuration section.

Mobile WAN configuration: The mobile connection can be configured as described in the previous situations.
(The router connects itself after a SIM card is inserted into the SIM1 slot and an antenna is attached to the ANT connector.) Configuration is accessible via the Mobile WAN item in the Configuration section, see Chapter 4.3.1. The mobile connection has to be enabled.

OpenVPN configuration: OpenVPN configuration is done with the OpenVPN item in the Configuration section. Choose one of the two possible tunnels and enable it by checking Create 1st OpenVPN tunnel. You will need to fill in the protocol and the port (according to the settings on the opposite side of the tunnel or the OpenVPN server). You may fill in the public IP address of the opposite side of the tunnel, including the remote subnet and mask (not necessary). The important items are Local and Remote Interface IP Address, where the addresses of the tunnel's ends must be filled in. In the example shown, the pre-shared secret is known, so you would choose this option in the Authentication Mode item and insert the secret (key) into the field. Confirm the configuration by clicking the Apply button. For detailed configuration see Chapter 4.11 or Application Note [4].

Figure 103: Secure networks interconnection OpenVPN configuration

The Network item in the Status section will let you verify the activated network interface tun0 for the tunnel, with the IP addresses of the tunnel's ends set. Successful connection can be verified in the System Log, where you should see the message: Initialization Sequence Completed. The networks are now interconnected. This can also be verified by using the ping program (ping between the tunnel's endpoint IP addresses from one of the routers; the console is accessible via SSH).

7.4 Serial Gateway

Figure 104: Serial Gateway sample topology

The router's serial gateway function lets you establish serial connectivity across the Internet or with another network. Serial devices (meters, PLC, etc.) can then upload and download data, see Figure 104.
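Returning to the OpenVPN tunnel of Section 7.3: the settings the router's form asks for (protocol, port, opposite public IP, remote subnet and mask, Local/Remote Interface IP Address, pre-shared secret) correspond one-to-one to a static-key OpenVPN configuration on the opposite end. The following is an added example of such a peer-side configuration, not from this manual or from Advantech; the public IP 203.0.113.10, UDP port 1194, the tunnel addresses 10.8.0.1 and 10.8.0.2, and the router LAN 192.168.1.0/24 are assumed placeholder values.

```conf
# Peer-side OpenVPN configuration for the Section 7.3 static-key tunnel.
# Added example, not from the manual; every address below is an assumed placeholder.
dev tun
proto udp
# Port this side listens on; the router's Port field must carry the same value.
port 1194
# Public IP address of the router (the "opposite side" as seen from this peer).
remote 203.0.113.10 1194
# Local and Remote Interface IP Address of the tunnel ends. The router's form
# holds the mirrored pair: Local 10.8.0.2, Remote 10.8.0.1.
ifconfig 10.8.0.1 10.8.0.2
# Route to the LAN behind the router (its "remote subnet and mask"; optional).
route 192.168.1.0 255.255.255.0
# Pre-shared secret, generated once with: openvpn --genkey secret static.key
# The same file content goes into the router's pre-shared secret field.
secret static.key
# Static-key mode does not support the AEAD (GCM) ciphers; use CBC plus HMAC.
cipher AES-256-CBC
auth SHA256
# Ping every 10 s; restart the tunnel after 60 s of silence so a dropped
# cellular link recovers without manual intervention.
keepalive 10 60
persist-key
persist-tun
verb 3
```

With verb 3 this side logs the same Initialization Sequence Completed message the manual describes for the router; a mismatch in ifconfig, cipher, auth or the secret shows up as HMAC or decrypt errors in the log instead of a usable tun interface.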
Configuration is done in the Configuration section, Mobile WAN, with the Expansion Port 1 item for RS232, or Expansion Port 2 for RS485. In this example, the RS232 interface of the router is used.

Mobile WAN configuration: Mobile WAN configuration is the same as in the previous examples. Just insert the SIM card into the SIM1 slot at the back of the router and attach the antenna to the ANT connector at the front. No extra configuration is needed (depending on the SIM card used). For more details see Chapter 4.3.1.

Expansion Port 1 configuration: The RS232 interface (port) can be configured in the Configuration section via the Expansion Port 1 item, see Figure 105. You will need to enable the RS232 port by checking Enable expansion port 1 access over TCP/UDP. You may edit the serial communication parameters (not needed in this example). The important items are Protocol, Mode and Port. These set the parameters of communication out to the network and the Internet. In this example the TCP protocol is chosen, and the router will work as a server listening on TCP port 2345. Confirm the configuration by clicking the Apply button.

Figure 105: Serial Gateway configuration Expansion Port 1

To communicate with the serial device (PLC), connect from the PC (labeled as SCADA in Figure 104) as a TCP client to the IP address 10.0.6.238, port 2345 (the public IP address of the SIM card used in the router, corresponding to the usb0 network interface). The devices can now communicate. To check the connection, go to the System Log (Status section) and look for the TCP connection established message.

8. Glossary and Acronyms

Backup Routes: Allows the user to back up the primary connection with alternative connections to the Internet/mobile network. Each backup connection can have an assigned priority. Switching between connections is done based upon the set priorities and the state of the connections.
DHCP: The Dynamic Host Configuration Protocol (DHCP) is a network protocol used to configure devices that are connected to a network so they can communicate on that network using the Internet Protocol (IP). The protocol is implemented in a client-server model, in which DHCP clients request configuration data, such as an IP address, a default route, and one or more DNS server addresses, from a DHCP server.

DHCP client: Requests network configuration from a DHCP server.

DHCP server: Answers configuration requests by DHCP clients and sends network configuration details.

DNS: The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. Most prominently, it translates easily memorized domain names to the numerical IP addresses needed for the purpose of locating computer services and devices worldwide. By providing a worldwide, distributed keyword-based redirection service, the Domain Name System is an essential component of the functionality of the Internet.

DynDNS client: The DynDNS service lets you access the router remotely using an easy to remember custom hostname. This client monitors the router's IP address and updates it whenever it changes.

GRE: Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate a wide variety of network layer protocols inside virtual point-to-point links over an Internet Protocol network. It is possible to create four different tunnels.

HTTP: The Hypertext Transfer Protocol (HTTP) is an application protocol for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web. Hypertext is structured text that uses logical links (hyperlinks) between nodes containing text. HTTP is the protocol to exchange or transfer hypertext.

HTTPS: The Hypertext Transfer Protocol Secure (HTTPS) is a communications protocol for secure communication over a computer network, with especially wide deployment on the Internet. Technically, it is not a protocol in and of itself; rather, it is the result of simply layering the Hypertext Transfer Protocol (HTTP) on top of the SSL/TLS protocol, thus adding the security capabilities of SSL/TLS to standard HTTP communications.

IP address: An Internet Protocol address (IP address) is a numerical label assigned to each device (e.g., computer, printer) participating in a computer network that uses the Internet Protocol for communication. An IP address serves two principal functions: host or network interface identification and location addressing. Its role has been characterized as follows: "A name indicates what we seek. An address indicates where it is. A route indicates how to get there." The designers of the Internet Protocol defined an IP address as a 32-bit number and this system, known as Internet Protocol Version 4 (IPv4), is still in use today. However, due to the enormous growth of the Internet and the predicted depletion of available addresses, a new version of IP (IPv6), using 128 bits for the address, was developed in 1995.

IP masquerade: Kind of NAT.

IP masquerading: See NAT.

IPsec: Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. The router allows the user to select the encapsulation mode (tunnel or transport), IKE mode (main or aggressive), IKE Algorithm, IKE Encryption, ESP Algorithm, ESP Encryption and much more. It is possible to create four different tunnels.

IPv4: The Internet Protocol version 4 (IPv4) is the fourth version in the development of the Internet Protocol (IP) and the first version of the protocol to be widely deployed. It is one of the core protocols of standards-based internetworking methods of the Internet, and routes most traffic in the Internet. However, a successor protocol, IPv6, has been defined and is in various stages of production deployment. IPv4 is described in IETF publication RFC 791 (September 1981), replacing an earlier definition (RFC 760, January 1980).

IPv6: The Internet Protocol version 6 (IPv6) is the latest revision of the Internet Protocol (IP), the communications protocol that provides an identification and location system for computers on networks and routes traffic across the Internet. IPv6 was developed by the Internet Engineering Task Force (IETF) to deal with the long-anticipated problem of IPv4 address exhaustion. IPv6 is intended to replace IPv4, which still carries the vast majority of Internet traffic as of 2013. As of late November 2012, IPv6 traffic share was reported to be approaching 1%. IPv6 addresses are represented as eight groups of four hexadecimal digits separated by colons (2001:0db8:85a3:0042:1000:8a2e:0370:7334), but methods of abbreviation of this full notation exist.

L2TP: Layer 2 Tunnelling Protocol (L2TP) is a tunnelling protocol used to support virtual private networks (VPNs) or as part of the delivery of services by ISPs. It does not provide any encryption or confidentiality by itself. Rather, it relies on an encryption protocol that it passes within the tunnel to provide privacy.

LAN: A local area network (LAN) is a computer network that interconnects computers in a limited area such as a home, school, computer laboratory, or office building using network media. The defining characteristics of LANs, in contrast to wide area networks (WANs), include their usually higher data-transfer rates, smaller geographic area, and lack of a need for leased telecommunication lines.
NAT: In computer networking, Network Address Translation (NAT) is the process of modifying IP address information in IPv4 headers while in transit across a traffic routing device. The simplest type of NAT provides a one-to-one translation of IP addresses. RFC 2663 refers to this type of NAT as basic NAT, which is often also called a one-to-one NAT. In this type of NAT only the IP addresses, IP header checksum and any higher level checksums that include the IP address are changed. The rest of the packet is left untouched (at least for basic TCP/UDP functionality; some higher level protocols may need further translation). Basic NATs can be used to interconnect two IP networks that have incompatible addressing.

NAT-T: NAT traversal (NAT-T) is a computer networking methodology with the goal to establish and maintain Internet protocol connections across gateways that implement network address translation (NAT).

NTP: Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks.

OpenVPN: OpenVPN implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections. It is possible to create four different tunnels.

PAT: Port and Address Translation (PAT) or Network Address Port Translation (NAPT); see NAT.

Port: In computer networking, a port is an application-specific or process-specific software construct serving as a communications endpoint in a computer's host operating system. A port is associated with an IP address of the host, as well as the type of protocol used for communication. The purpose of ports is to uniquely identify different applications or processes running on a single computer and thereby enable them to share a single physical connection to a packet-switched network like the Internet.
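The NAT entry above states exactly which fields a basic (one-to-one) NAT touches: the IP addresses, the IP header checksum, and any higher-level checksum that covers the IP addresses. The following added example, written for this page and not taken from the manual or the router's firmware, builds a constructed IPv4/UDP packet, performs that translation on the source address, and verifies that both checksums are still valid afterwards while ports and payload are untouched (the UDP checksum covers the addresses through its pseudo-header, which is why a NAT must recompute it). Function names are the example's own.

```python
"""Basic one-to-one NAT on a constructed IPv4/UDP packet (added example)."""
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IPv4 and UDP checksums."""
    if len(data) % 2:
        data += b"\x00"                       # pad odd length with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF


def udp_pseudo_header(src: bytes, dst: bytes, udp_len: int) -> bytes:
    # The pseudo-header binds the UDP checksum to the IP addresses (protocol 17 = UDP).
    return src + dst + struct.pack("!BBH", 0, 17, udp_len)


def build_ipv4_udp(src: bytes, dst: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4/UDP packet with valid checksums (sample input)."""
    udp_len = 8 + len(payload)
    udp = bytearray(struct.pack("!HHHH", sport, dport, udp_len, 0) + payload)
    csum = checksum(udp_pseudo_header(src, dst, udp_len) + bytes(udp))
    udp[6:8] = struct.pack("!H", csum or 0xFFFF)   # UDP: 0 means "no checksum"
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len,
                               0x1234, 0, 64, 17, 0, src, dst))
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    return bytes(ip + udp)


def basic_nat(packet: bytes, old_src: bytes, new_src: bytes) -> bytes:
    """Rewrite source address old_src -> new_src and repair the affected checksums.

    Only the address, the IP header checksum and the UDP checksum change;
    ports, length and payload are returned byte-for-byte as received.
    """
    ihl = (packet[0] & 0x0F) * 4
    ip, rest = bytearray(packet[:ihl]), bytearray(packet[ihl:])
    if bytes(ip[12:16]) != old_src:
        return packet                          # not a translated host: forward as-is
    ip[12:16] = new_src
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    if ip[9] == 17 and len(rest) >= 8:         # UDP: recompute over the new pseudo-header
        rest[6:8] = b"\x00\x00"
        pseudo = udp_pseudo_header(new_src, bytes(ip[16:20]), len(rest))
        rest[6:8] = struct.pack("!H", checksum(pseudo + bytes(rest)) or 0xFFFF)
    return bytes(ip + rest)


def checksums_ok(packet: bytes) -> bool:
    """True if the IPv4 header checksum and (for UDP) the transport checksum verify."""
    ihl = (packet[0] & 0x0F) * 4
    ip, rest = packet[:ihl], packet[ihl:]
    if ones_complement_sum(ip) != 0xFFFF:      # a valid header sums to all ones
        return False
    if ip[9] == 17:
        pseudo = udp_pseudo_header(ip[12:16], ip[16:20], len(rest))
        return ones_complement_sum(pseudo + rest) == 0xFFFF
    return True
```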
PPTP: The Point-to-Point Tunneling Protocol (PPTP) is a tunneling protocol that operates at the Data Link Layer (Layer 2) of the OSI Reference Model. PPTP is a proprietary technique that encapsulates Point-to-Point Protocol (PPP) frames in Internet Protocol (IP) packets using the Generic Routing Encapsulation (GRE) protocol. Packet filters provide access control, end-to-end and server-to-server.

RADIUS: Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for users who connect and use a network service. Because of the broad support and the ubiquitous nature of the RADIUS protocol, it is often used by ISPs and enterprises to manage access to the Internet or internal networks, wireless networks, and integrated e-mail services.

Root certificate: In cryptography and computer security, a root certificate is either an unsigned public key certificate or a self-signed certificate that identifies the Root Certificate Authority (CA). A root certificate is part of a public key infrastructure scheme. The most common commercial variety is based on the ITU-T X.509 standard, which normally includes a digital signature from a certificate authority (CA). Digital certificates are verified using a chain of trust. The trust anchor for the digital certificate is the Root Certificate Authority (CA). See X.509.

Router: A router is a device that forwards data packets between computer networks, creating an overlay internetwork. A router is connected to two or more data lines from different networks. When a data packet comes in on one of the lines, the router reads the address information in the packet to determine its ultimate destination. Then, using information in its routing table or routing policy, it directs the packet to the next network on its journey. Routers perform the traffic directing functions on the Internet.
A data packet is typically forwarded from one router to another through the networks that constitute the internetwork until it reaches its destination node.

SFTP: Secure File Transfer Protocol (SFTP) is a secure version of File Transfer Protocol (FTP), which facilitates data access and data transfer over a Secure Shell (SSH) data stream. It is part of the SSH Protocol. This term is also known as SSH File Transfer Protocol.

SMTP: The SMTP (Simple Mail Transfer Protocol) is a standard e-mail protocol on the Internet and part of the TCP/IP protocol suite, as defined by IETF RFC 2821. SMTP defines the message format and the message transfer agent (MTA), which stores and forwards the mail. SMTP by default uses TCP port 25. The protocol for mail submission is the same, but uses port 587. SMTP connections secured by SSL, known as SMTPS, default to port 465.

SMTPS: SMTPS (Simple Mail Transfer Protocol Secure) refers to a method for securing SMTP with transport layer security. For more information about SMTP, see the description of SMTP.

SNMP: The Simple Network Management Protocol (SNMP) is an Internet-standard protocol for managing devices on IP networks. Devices that typically support SNMP include routers, switches, servers, workstations, printers, modem racks, and more. It is used mostly in network management systems to monitor network-attached devices for conditions that warrant administrative attention. SNMP is a component of the Internet Protocol Suite as defined by the Internet Engineering Task Force (IETF). It consists of a set of standards for network management, including an application layer protocol, a database schema, and a set of data objects.

SSH: Secure Shell (SSH), sometimes known as Secure Socket Shell, is a UNIX-based command interface and protocol for securely getting access to a remote computer. It is widely used by network administrators to control Web and other kinds of servers remotely.
SSH is actually a suite of three utilities (slogin, ssh, and scp) that are secure versions of the earlier UNIX utilities rlogin, rsh, and rcp. SSH commands are encrypted and secure in several ways. Both ends of the client/server connection are authenticated using a digital certificate, and passwords are protected by being encrypted.

TCP: The Transmission Control Protocol (TCP) is one of the core protocols of the Internet protocol suite (IP), and is so common that the entire suite is often called TCP/IP. TCP provides reliable, ordered, error-checked delivery of a stream of octets between programs running on computers connected to a local area network, intranet or the public Internet. It resides at the transport layer. Web browsers use TCP when they connect to servers on the World Wide Web, and it is used to deliver email and transfer files from one location to another.

UDP: The User Datagram Protocol (UDP) is one of the core members of the Internet protocol suite (the set of network protocols used for the Internet). With UDP, computer applications can send messages, in this case referred to as datagrams, to other hosts on an Internet Protocol (IP) network without prior communications to set up special transmission channels or data paths. The protocol was designed by David P. Reed in 1980 and formally defined in RFC 768.

URL: A uniform resource locator, abbreviated URL, also known as web address, is a specific character string that constitutes a reference to a resource. In most web browsers, the URL of a web page is displayed on top inside an address bar. An example of a typical URL would be http://www.example.com/index.html, which indicates a protocol (http), a hostname (www.example.com), and a file name (index.html). A URL is technically a type of uniform resource identifier (URI), but in many technical documents and verbal discussions, URL is often used as a synonym for URI, and this is not considered a problem.
VPN: A virtual private network (VPN) extends a private network across a public network, such as the Internet. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two. A VPN connection across the Internet is similar to a wide area network (WAN) link between the sites. From a user perspective, the extended network resources are accessed in the same way as resources available from the private network.

VPN server: See VPN.

VPN tunnel: See VPN.

VRRP: The VRRP protocol (Virtual Router Redundancy Protocol) allows you to transfer packet routing from the main router to a backup router in case the main router fails. (This can be used to provide a wireless cellular backup to a primary wired router in critical applications.)

WAN: A wide area network (WAN) is a network that covers a broad area (i.e., any telecommunications network that links across metropolitan, regional, or national boundaries) using private or public network transports. Business and government entities utilize WANs to relay data among employees, clients, buyers, and suppliers from various geographical locations. In essence, this mode of telecommunication allows a business to effectively carry out its daily function regardless of location. The Internet can be considered a WAN as well, and is used by businesses, governments, organizations, and individuals for almost any purpose imaginable.

WebAccess/DMP: WebAccess/DMP is an advanced Enterprise-Grade platform solution for provisioning, monitoring, managing and configuring Advantech's routers and IoT gateways. It provides a zero-touch enablement platform for each remote device.
WebAccess/VPN: WebAccess/VPN is an advanced VPN management solution for safe interconnection of Advantech routers and LAN networks over the public Internet. Connections among devices and networks can be regional or global and can combine different technology platforms and various wireless, LTE, fixed and satellite connectivities.

X.509: In cryptography, X.509 is an ITU-T standard for a public key infrastructure (PKI) and Privilege Management Infrastructure (PMI). X.509 specifies, amongst other things, standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm.

9. Index

A
Access Point: Configuration 53; Information 15
Accessing the router 7
Add User 154
APN 42
AT commands 128

B
Backup Configuration 159
Backup Routes 65
Bridge 30

C
Change Password 156
Change Profile 155
Clock synchronization 115
Configuration update 143
Control SMS messages 126

D
Data limit 46
Default Gateway 29, 60
Default IP address 7
Default password 7
Default SIM card 48
Default username 7
DHCP 21, 29, 60, 174: DHCPv6 31; Dynamic 31; Static 31
DHCPv6 21, 29, 60
DNS 174
DNS server 29, 45, 60
DNS64 19
Domain Name System: see DNS
DoS attacks 72
Dynamic Host Configuration Protocol: see DHCP
DynDNS 25, 112
DynDNSv6 25, 112

E
Expansion Port: RS232 137; RS485 137

F
Firewall 70: Filtering of Forwarded Packets 71; Filtering of Incoming Packets 71; Protection against DoS attacks 72
Firmware update 143, 161
Firmware version 11
FTP 113

G
GRE 103, 174

H
HTTP 114

I
ICMPv6 45
IPsec 88, 175: Authenticate Mode 94; Encapsulation Mode 92; IKE Mode 92
IPv4 175
IPv6 9, 19, 28, 31, 42, 45, 70, 75, 82, 88, 112, 142

L
L2TP 106, 175
LAN: ETH0 28; ETH1 28; ETH2 28; IPv6 28; PoE PSE 30
Location Area Code 12
Logout 163

M
Mobile network 42
Multiple WANs 65, 69

N
NAT 75, 175
NAT64 19
Neighbouring WiFi Networks 16
Network Address Translation: see NAT
NTP 115, 175
NTP server 156

O
Object Identifier 120
OpenVPN 82, 176: Authenticate Mode 84

P
PAM 116
Password 156
PAT 75
PIN number 157
PLMN 12
PoE PSE 10, 30
Port 176
PPPoE 51
PPPoE Bridge Mode 50
PPTP 109, 176
Prefix delegation 31
PUK number 158

R
RADIUS 32, 53, 57
Reboot 163
Remote access 77
Restore Configuration 160
Router 1: Accessing 7; Equipment 2

S
Save Log 26
Save Report 26
Send SMS 158
Serial line: RS232 137; RS485 137
Serial number 11
Set internal clock 156
Signal Quality 12
Simple Network Management Protocol: see SNMP
SMS 125
SMS Service Center 157
SMTP 123, 176
SNMP 119, 177
SSH 134
Startup Script 141
Static Routes 69
Switch between SIM Cards 46
Syslog 135
System Log 26

T
TCP 177
Telnet 136
Transfer speed 2
Transmission Control Protocol: see TCP

U
UDP 177
Unblock SIM card 158
Uniform resource locator: see URL
Unlock SIM card 157
Up/Down script 142
URL 177
Usage Profiles 155
User Datagram Protocol: see UDP
User Module 147
Users 154

V
Virtual private network: see VPN
VPN 177
VRRP 39, 177

W
Web interface 7
WiFi: Authentication 56, 61; HW Mode 55
WiFi AP 53
WiFi STA 60
WiFi Station: Configuration 60
WireGuard 98

10. Related Documents

[1] Advantech Czech: Commands and Scripts Application Note
[2] Advantech Czech: WebAccess/VPN Application Note
[3] Advantech Czech: R-SeeNet Application Note
[4] Advantech Czech: OpenVPN Tunnel Application Note
[5] Advantech Czech: IPsec Tunnel Application Note
[6] Advantech Czech: GRE Tunnel Application Note
[7] Advantech Czech: WireGuard Application Note
[8] Advantech Czech: SNMP Object Identifiers Application Note
[9] Advantech Czech: AT Commands Application Note
[10] Advantech Czech: Programming of User Modules Application Note
[11] Advantech Czech: Security Guidelines Application Note
[EP] Product-related documents and applications can be obtained on the Engineering Portal at https://icr.advantech.cz/download.
[UM] User modules and related documents can be obtained on the Engineering Portal at https://icr.advantech.cz/products/software/user-modules.