ICR-3200 Industrial Cellular Router

Industrial Cellular Router ICR-3200

Product Information

The ICR-3200 is a router designed for communication across
cellular networks using either LTE technology Category 4 or LTE
Category M1. It has a current firmware version of 6.3.10 (May 5,
2023) and is manufactured by Advantech Czech s.r.o. The router is
ideal for industrial wireless connection of traffic and security
camera systems, individual computers, LANs, automatic teller
machines (ATM), other self-service terminals, and many other
devices.

Standard Equipment

The ICR-3200 router comes with standard equipment necessary for
its operation.

Optional Features

The ICR-3200 router can be ordered as an extended version with
the WiFi and the GPS module. This version is equipped with two WiFi
antenna connectors on the right side and one GNSS antenna connector
between them. Note that routers cannot be retrofitted with an
interface in the future. See the router’s technical manual for
details on versions and possible combinations of interfaces.

Product Usage Instructions

Web Configuration GUI

The ICR-3200 router can be configured using the web
configuration GUI. To access the GUI, enter the IP address of the
router into a web browser. Once logged in, navigate to the desired
configuration section.

Factory Reset

To perform a factory reset on the ICR-3200 router, navigate to
the “Factory Reset” section in the web configuration GUI and click
“Reset”. This will reset all configurations to their defaults.

HTTPS Certificate for the GUI

The ICR-3200 router supports HTTPS for secure communication with
the web configuration GUI. To configure HTTPS, navigate to the
“HTTPS Certificate for the GUI” section in the web configuration
GUI and follow the instructions provided.

Ethernet Configuration

The ICR-3200 router supports Ethernet configuration. To
configure Ethernet, navigate to the “Ethernet Configuration”
section in the web configuration GUI and follow the instructions
provided. This includes configuring the DHCP server, IPv6 prefix
delegation, and 802.1X authentication to RADIUS server.

VRRP Configuration

The ICR-3200 router supports VRRP configuration. To configure
VRRP, navigate to the “VRRP Configuration” section in the web
configuration GUI and follow the instructions provided.

Mobile WAN Configuration

The ICR-3200 router supports mobile WAN configuration. To
configure mobile WAN, navigate to the “Mobile WAN Configuration”
section in the web configuration GUI and follow the instructions
provided.

Administration

The ICR-3200 router can be administered through the web
configuration GUI. To access the administration section, navigate
to the “Administration” tab in the GUI and follow the instructions
provided.

Typical Situations

The ICR-3200 router can be used in various typical situations
such as accessing the internet from LAN, backup access to the
internet from LAN, secure networks interconnection or using VPN,
and serial gateway. Navigate to the “Typical Situations” section in
the web configuration GUI for more information on each situation
and how to configure it.

Customization

The ICR-3200 router can be customized using router apps such as
FirstNet Router App. Navigate to the “Router Apps” section in the
web configuration GUI to install and configure router apps.

Industrial Cellular Router
ICR-3200
CONFIGURATION MANUAL

ICR-3200
Used Symbols
Danger ­ Information regarding user safety or potential damage to the router. Attention ­ Problems that can arise in specific situations. Information, notice ­ Useful tips or information of special interest. Example ­ Example of function, command or script.
Firmware Version
Current version of firmware is 6.3.10 (May 5, 2023).
Advantech Czech s.r.o., Sokolska 71, 562 04 Usti nad Orlici, Czech Republic Document No. MAN-0042-EN, revision from May 10, 2023. Released in the Czech Republic.
i

ICR-3200

Contents

1 Basic Information

1

1.1 Document Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 1.2 Product Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 1.3 Standard Equipment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 1.4 Optional Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 1.5 Web Configuration GUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 1.6 WebAccess/DMP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 1.7 Router Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 1.8 IPv6 Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.9 Supported Certificate File Types . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.10 IEEE 802.1X (RADIUS) Support . . . . . . . . . . . . . . . . . . . . . . . . . . 4

2 Web Configuration GUI

6

2.1 Factory Reset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 2.2 HTTPS Certificate for the GUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 2.3 Valid Characters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

3 Status

9

3.1 General Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 3.1.1 Mobile Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 3.1.2 Ethernet Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 3.1.3 WiFi Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 3.1.4 Peripheral Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 3.1.5 System Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
3.2 Mobile WAN Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 3.3 WiFi Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 3.4 WiFi Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 3.5 Network Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 3.6 DHCP Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 3.7 IPsec Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 3.8 WireGuard Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 3.9 DynDNS Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 3.10 System Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

4 Configuration

27

4.1 Ethernet Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 4.1.1 DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 4.1.2 IPv6 Prefix Delegation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 4.1.3 802.1X Authentication to RADIUS Server . . . . . . . . . . . . . . . . . 31

ii

ICR-3200
4.1.4 LAN Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . 32 4.2 VRRP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 4.3 Mobile WAN Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
4.3.1 Connection to Mobile Network . . . . . . . . . . . . . . . . . . . . . . . 42 4.3.2 DNS Address Configuration . . . . . . . . . . . . . . . . . . . . . . . . . 44 4.3.3 Check Connection to Mobile Network . . . . . . . . . . . . . . . . . . . 44 4.3.4 Check Connection Example . . . . . . . . . . . . . . . . . . . . . . . . . 45 4.3.5 Data Limit Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 4.3.6 Switch between SIM Cards Configuration . . . . . . . . . . . . . . . . . 46 4.3.7 Examples of SIM Card Switching Configuration . . . . . . . . . . . . . . 49 4.3.8 PPPoE Bridge Mode Configuration . . . . . . . . . . . . . . . . . . . . . 50 4.4 PPPoE Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 4.5 WiFi Access Point Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 53 4.6 WiFi Station Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 4.7 Backup Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 4.7.1 Default Priorities for Backup Routes . . . . . . . . . . . . . . . . . . . . 65 4.7.2 User Customized Backup Routes . . . . . . . . . . . . . . . . . . . . . . 66 4.7.3 Backup Routes Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 69 4.8 Static Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 4.9 Firewall Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76 4.9.1 Example of the IPv4 Firewall Configuration . . . . . . . . . . . . . . . . 79 4.10 NAT Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81 4.10.1 Examples of NAT Configuration . . . . . . . . . . . . . . . . . . . . . . . 84 4.11 OpenVPN Tunnel Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 88 4.11.1 Example of the OpenVPN Tunnel Configuration in IPv4 Network . . . . 93 4.12 IPsec Tunnel Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94 4.12.1 Route-based Configuration Scenarios . . . . . . . . . . . . . . . . . . . 94 4.12.2 IPsec Authentication Scenarios . . . . . . . . . . . . . . . . . . . . . . . 95 4.12.3 Configuration Items Description . . . . . . . . . . . . . . . . . . . . . . . 97 4.12.4 Basic IPv4 IPSec Tunnel Configuration . . . . . . . . . . . . . . . . . . . 103 4.13 WireGuard Tunnel Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 104 4.13.1 WireGuard IPv4 Tunnel Configuration Example . . . . . . . . . . . . . . 107 4.14 GRE Tunnels Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109 4.14.1 Example of the GRE Tunnel Configuration . . . . . . . . . . . . . . . . . 110 4.15 L2TP Tunnel Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112 4.15.1 Example of the L2TP Tunnel Configuration . . . . . . . . . . . . . . . . 114 4.16 PPTP Tunnel Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115 4.16.1 Example of the PPTP Tunnel Configuration . . . . . . . . . . . . . . . . 117 4.17 Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118 4.17.1 DynDNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118 4.17.2 FTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119 4.17.3 HTTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120 4.17.4 NTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121 4.17.5 PAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
iii

ICR-3200

4.17.6 SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126 4.17.7 SMTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130 4.17.8 SMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132 4.17.9 SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141 4.17.10 Syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142 4.17.11 Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143 4.18 Expansion Port ­ SERIAL I/O Configuration . . . . . . . . . . . . . . . . . . . . 144 4.18.1 Examples of the Expansion Port Configuration . . . . . . . . . . . . . . 148 4.19 Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149 4.19.1 Startup Script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149 4.19.2 Example of Startup Script . . . . . . . . . . . . . . . . . . . . . . . . . . 149 4.19.3 Up/Down Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150 4.19.4 Example of IPv6 Up/Down Script . . . . . . . . . . . . . . . . . . . . . . 150 4.20 Automatic Update Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 151 4.20.1 Example of Automatic Update . . . . . . . . . . . . . . . . . . . . . . . . 153 4.20.2 Example of Automatic Update Based on MAC . . . . . . . . . . . . . . . 154

5 Administration

155

5.1 Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 5.2 Change Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157 5.3 Change Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158 5.4 Two-Factor Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159 5.5 Set Real Time Clock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163 5.6 Set SMS Service Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164 5.7 Unlock SIM Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164 5.8 Unblock SIM Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165 5.9 Send SMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165 5.10 Backup Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166 5.11 Restore Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167 5.12 Update Firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168 5.13 Reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169 5.14 Logout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

6 Typical Situations

170

6.1 Access to the Internet from LAN . . . . . . . . . . . . . . . . . . . . . . . . . . 170 6.2 Backup Access to the Internet from LAN . . . . . . . . . . . . . . . . . . . . . . 172 6.3 Secure Networks Interconnection or Using VPN . . . . . . . . . . . . . . . . . . 176 6.4 Serial Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178

7 Customization

180

7.1 Router Apps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180 7.2 FirstNet Router App . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

Appendix A: Open Source Software License

182

iv

Appendix B: Glossary and Acronyms Appendix C: Index Appendix D: Related Documents

ICR-3200
183 184 186

v

ICR-3200
List of Figures
1 IEEE 802.1X Functional Diagram . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2 Web Configuration GUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 3 Mobile WAN status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 4 WiFi Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 5 WiFi Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 6 Network Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 7 DHCP Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 8 IPsec Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 9 WireGuard Status Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 10 DynDNS Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 11 System Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 12 Example program syslogd start with the parameter . . . . . . . . . . . . . . 26 13 LAN Configuration page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 14 IPv6 Address with Prefix Example . . . . . . . . . . . . . . . . . . . . . . . . . 30 15 Network Topology for Example 1 . . . . . . . . . . . . . . . . . . . . . . . . . . 32 16 LAN Configuration for Example 1 . . . . . . . . . . . . . . . . . . . . . . . . . . 33 17 Network Topology for Example 2 . . . . . . . . . . . . . . . . . . . . . . . . . . 34 18 LAN Configuration for Example 2 . . . . . . . . . . . . . . . . . . . . . . . . . . 35 19 Network Topology for Example 3 . . . . . . . . . . . . . . . . . . . . . . . . . . 36 20 LAN Configuration for Example 3 . . . . . . . . . . . . . . . . . . . . . . . . . . 37 21 Topology of VRRP configuration example . . . . . . . . . . . . . . . . . . . . . 39 22 Example of VRRP configuration ­ main router . . . . . . . . . . . . . . . . . . . 39 23 Example of VRRP configuration ­ backup router . . . . . . . . . . . . . . . . . 40 24 Mobile WAN Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 25 Check Connection Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 26 Configuration for SIM card switching Example 1 . . . . . . . . . . . . . . . . . . 49 27 Configuration for SIM card switching Example 2 . . . . . . . . . . . . . . . . . . 50 28 PPPoE Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 29 WiFi Access Point Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 59 30 WiFi Station Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 31 Backup Routes Configuration GUI . . . . . . . . . . . . . . . . . . . . . . . . . 68 32 Example 1: GUI Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69 33 Example 1: Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69 34 Example 2: GUI Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 35 Example 2: Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 36 Example 3: GUI Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 37 Example 3: Topology for Single WAN mode . . . . . . . . . . . . . . . . . . . . 72 38 Example 3: Topology for Multiple WAN mode . . . . . . . . . . . . . . . . . . . 72 39 Example 4: GUI Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 40 Example 4: Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
vi

ICR-3200
41 Example 5: GUI Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 42 Example 5: Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 43 Static Routes Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 44 Firewall Configuration ­ IPv6 Firewall . . . . . . . . . . . . . . . . . . . . . . . . 76 45 Topology for the IPv4 Firewall Configuration Example . . . . . . . . . . . . . . 79 46 IPv4 Firewall Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . 80 47 NAT ­ IPv6 NAT Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 82 48 Topology for NAT Configuration Example 1 . . . . . . . . . . . . . . . . . . . . 84 49 NAT Configuration for Example 1 . . . . . . . . . . . . . . . . . . . . . . . . . . 85 50 Topology for NAT Configuration Example 2 . . . . . . . . . . . . . . . . . . . . 86 51 NAT Configuration for Example 2 . . . . . . . . . . . . . . . . . . . . . . . . . . 87 52 OpenVPN tunnel configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 92 53 Topology of OpenVPN Configuration Example . . . . . . . . . . . . . . . . . . . 93 54 IPsec Tunnels Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97 55 Topology of IPsec Configuration Example . . . . . . . . . . . . . . . . . . . . . 103 56 WireGuard Tunnels Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 105 57 Topology of WireGuard Configuration Example . . . . . . . . . . . . . . . . . . 107 58 Router A ­ WireGuard Status Page and Route Table . . . . . . . . . . . . . . . 108 59 Router B ­ WireGuard Status Page and Route Table . . . . . . . . . . . . . . . 108 60 GRE Tunnel Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110 61 Topology of GRE Tunnel Configuration Example . . . . . . . . . . . . . . . . . 110 62 L2TP Tunnel Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112 63 Topology of L2TP Tunnel Configuration Example . . . . . . . . . . . . . . . . . 114 64 PPTP Tunnel Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115 65 Topology of PPTP Tunnel Configuration Example . . . . . . . . . . . . . . . . . 117 66 DynDNS Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . 118 67 Configuration of FTP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119 68 Configuration of HTTP and HTTPS services . . . . . . . . . . . . . . . . . . . . 120 69 Example of NTP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 121 70 Configuration of Local User Database . . . . . . . . . . . . . . . . . . . . . . . 122 71 Configuration of RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123 72 Configuration of TACACS+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124 73 Enabling Two-Factor Authentication Service . . . . . . . . . . . . . . . . . . . . 125 74 OID Basic Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127 75 SNMP Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128 76 MIB Browser Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129 77 SMTP Client Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . 130 78 SMS Configuration for Example 1 . . . . . . . . . . . . . . . . . . . . . . . . . . 137 79 SMS Configuration for Example 2 . . . . . . . . . . . . . . . . . . . . . . . . . . 138 80 SMS Configuration for Example 3 . . . . . . . . . . . . . . . . . . . . . . . . . . 139 81 SMS Configuration for Example 4 . . . . . . . . . . . . . . . . . . . . . . . . . . 140 82 Configuration of HTTP service . . . . . . . . . . . . . . . . . . . . . . . . . . . 141 83 Syslog configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142 84 Configuration of Telnet service . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
vii

ICR-3200
85 SERIAL I/O configuration pages overview . . . . . . . . . . . . . . . . . . . . . 144 86 Expansion Port Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145 87 Example of Ethernet to serial communication configuration . . . . . . . . . . . 148 88 Example of serial interface configuration . . . . . . . . . . . . . . . . . . . . . . 148 89 Example of a Startup Script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149 90 Example of IPv6 Up/Down Script . . . . . . . . . . . . . . . . . . . . . . . . . . 150 91 Example of Automatic Update 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . 153 92 Example of Automatic Update 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . 154 93 Users Administration Form . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 94 Change Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157 95 Change Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158 96 Two-factor User Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160 97 Secret Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160 98 Links for Google Authenticator Application . . . . . . . . . . . . . . . . . . . . . 161 99 Links for Authenticator-Extension . . . . . . . . . . . . . . . . . . . . . . . . . . 161 100 Standard Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162 101 Verification Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162 102 SSH Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162 103 Set Real Time Clock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163 104 Set SMS Service Center Address . . . . . . . . . . . . . . . . . . . . . . . . . . 164 105 Unlock SIM Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164 106 Unblock SIM Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165 107 Send SMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165 108 Backup Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166 109 Restore Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167 110 Update Firmware Administration Page . . . . . . . . . . . . . . . . . . . . . . . 168 111 Process of Firmware Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169 112 Reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169 113 Access to the Internet from LAN ­ sample topology . . . . . . . . . . . . . . . . 170 114 Access to the Internet from LAN ­ Ethernet configuration . . . . . . . . . . . . 171 115 Access to the Internet from LAN ­ Mobile WAN configuration . . . . . . . . . . 171 116 Backup access to the Internet ­ sample topology . . . . . . . . . . . . . . . . . 172 117 Backup access to the Internet ­ Ethernet configuration . . . . . . . . . . . . . . 172 118 Backup access to the Internet ­ WiFi configuration . . . . . . . . . . . . . . . . 173 119 Backup access to the Internet ­ Mobile WAN configuration . . . . . . . . . . . . 174 120 Backup access to the Internet ­ Backup Routes configuration . . . . . . . . . . 175 121 Secure networks interconnection ­ sample topology . . . . . . . . . . . . . . . 176 122 Secure networks interconnection ­ OpenVPN configuration . . . . . . . . . . . 177 123 Serial Gateway ­ sample topology . . . . . . . . . . . . . . . . . . . . . . . . . 178 124 Serial Gateway ­ konfigurace Expansion Port 1 . . . . . . . . . . . . . . . . . . 179 125 Router Apps GUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180 126 Router Apps Added . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180 127 FirstNet Router App ­ Global Status . . . . . . . . . . . . . . . . . . . . . . . . 181
viii

ICR-3200
List of Tables
1 Supported Roles of the IEEE 802.1X Authentication . . . . . . . . . . . . . . . 5 2 Mobile Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 3 Peripheral Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 4 System Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 5 Mobile Network Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 6 Value ranges of signal strength for different technologies. . . . . . . . . . . . . 13 7 Description of Periods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 8 Mobile Network Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 9 Information about Neighbouring WiFi Networks . . . . . . . . . . . . . . . . . . 16 10 Description of Interfaces in Network Status . . . . . . . . . . . . . . . . . . . . 18 11 Description of Information in Network Status . . . . . . . . . . . . . . . . . . . . 19 12 DHCP Status Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 13 Configuration of the Network Interface ­ IPv4 and IPv6 . . . . . . . . . . . . . . 28 14 Configuration of the Network Interface ­ global items . . . . . . . . . . . . . . . 29 15 Configuration of Dynamic DHCP Server . . . . . . . . . . . . . . . . . . . . . . 30 16 Configuration of Static DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . 30 17 IPv6 prefix delegation configuration . . . . . . . . . . . . . . . . . . . . . . . . . 31 18 Configuration of 802.1X Authentication . . . . . . . . . . . . . . . . . . . . . . . 31 19 VRRP configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 20 Check connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 21 Mobile WAN Connection Configuration . . . . . . . . . . . . . . . . . . . . . . . 43 22 Check Connection to Mobile Network Configuration . . . . . . . . . . . . . . . . 45 23 Data Limit Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 24 Switch between SIM cards configuration . . . . . . . . . . . . . . . . . . . . . . 47 25 Parameters for SIM card switching . . . . . . . . . . . . . . . . . . . . . . . . . 48 26 PPPoE configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 27 WiFi Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 28 WLAN Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 29 Backup Routes Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 30 Backup Routes Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 31 Static Routes Configuration for IPv4 . . . . . . . . . . . . . . . . . . . . . . . . 75 32 Filtering of Incoming Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 33 Forwarding filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 34 NAT Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81 35 Remote Access Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83 36 Configuration of Send all incoming packets to server . . . . . . . . . . . . . . . 83 37 OpenVPN Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 38 OpenVPN Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . 93 39 IPsec Tunnel Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101 40 Simple IPv4 IPSec Tunnel Configuration . . . . . . . . . . . . . . . . . . . . . . 103
ix

ICR-3200
41 WireGuard Tunnel Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 106 42 WireGuard IPv4 Tunnel Configuration Example . . . . . . . . . . . . . . . . . . 107 43 GRE Tunnel Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109 44 GRE Tunnel Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . 111 45 L2TP Tunnel Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113 46 L2TP Tunnel Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . 114 47 PPTP Tunnel Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116 48 PPTP Tunnel Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . 117 49 DynDNS Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118 50 Parameters for FTP service configuration . . . . . . . . . . . . . . . . . . . . . 119 51 Parameters for HTTP and HTTPS services configuration . . . . . . . . . . . . . 120 52 NTP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121 53 Available Modes of PAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122 54 Configuration of RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123 55 Configuration of TACACS+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124 56 SNMP Agent Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126 57 SNMPv3 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126 58 SNMP Configuration (R-SeeNet) . . . . . . . . . . . . . . . . . . . . . . . . . . 127 59 Object identifier for binary inputs and output . . . . . . . . . . . . . . . . . . . . 128 60 SMTP client configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130 61 SMS Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132 62 Control via SMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133 63 Control SMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134 64 Send SMS on the serial Port 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . 134 65 Send SMS on the serial Port 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . 134 66 Sending/receiving of SMS on TCP port specified . . . . . . . . . . . . . . . . . 135 67 List of AT Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136 68 Parameters for SSH service configuration . . . . . . . . . . . . . . . . . . . . . 141 69 Syslog configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142 70 Parameters for Telnet service configuration . . . . . . . . . . . . . . . . . . . . 143 71 Expansion Port Configuration ­ serial interface . . . . . . . . . . . . . . . . . . 146 72 Expansion Port Configuration ­ Check TCP connection . . . . . . . . . . . . . 146 73 CD Signal Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147 74 DTR Signal Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147 75 Automatic Update Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 151 76 Button Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 77 User Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
x

ICR-3200
1. Basic Information
1.1 Document Content
This configuration manual contains the following information: · Configuration of the router item by item according to the web interface (Chapters 3 to 5). · Configuration in typical situations examples (Chapter 6): Access to the Internet from LAN (Local Area Network) via mobile network. Backed up access to the Internet (from LAN). Secure networks interconnection or using VPN (Virtual Private Network). Serial Gateway (connection of serial devices to the Internet).
1.2 Product Introduction
ICR-3200 routers are designed for communication across cellular networks using either LTE technology Category 4 (theoretically 150 Mbps downlink and 50 Mbps uplink), or LTE Category M1 (CAT-M1 for IoT and M2M communications). The router is an ideal solution for industrial wireless connection of traffic and security camera systems, individual computers, LANs, automatic teller machines (ATM), other self-service terminals, and many other devices.
1.3 Standard Equipment
Standard features include the LTE cellular module (with two antenna connectors ­ for main and diversity antenna), two Ethernet 10/100 ports, one binary input, one binary output, RS232 serial interface, RS-485 serial interface (single 10-pin connector for serial and binary interfaces), and two SIM card readers for 3 V and 1.8 V SIM cards. The router is supplied in a metal casing.
1.4 Optional Features
If desired, the router can be ordered as an extended version with the WiFi and the GPS module. This version is equipped with two WiFi antenna connectors on the right side and one GNSS antenna connector between them. Note that routers cannot be retrofitted with an interface in the future. See the router’s technical manual for details on versions and possible combinations of interfaces.
1

ICR-3200
1.5 Web Configuration GUI
Configuring ICR-3200 routers is made easy by name and password-protected web interface. The interface provides detailed statistics about router activities, signal strength, system logs and more. The router supports both IPv4 and IPv6 protocols, the creation of secure VPN tunnels using technologies IPsec, OpenVPN and L2TP. The router also supports DHCP, NAT, NAT-T, DynDNS client, NTP, VRRP, control by SMS, backup of the primary connection, multiple WANs, RADIUS authentication on Ethernet and WiFi, and many other functions.
Additional diagnostic features designed to ensure continuous communication include automatic inspection of Mobile WAN connections, an automatic restart feature in case a connection is lost, and a hardware watchdog that monitors the status of the router. Using a start up script window, users can insert Linux scripts for various actions. Users may insert multiple scripts, and the router can switch between configurations as needed. Examples would include using SMS or checking the status of the binary input. ICR-3200 routers can automatically update their configurations and firmware from a central server, allowing for mass reconfiguration of multiple routers simultaneously.
1.6 WebAccess/DMP Configuration
WebAccess/DMP is an advanced enterprise-grade platform solution for provisioning, monitoring, managing, and configuring Advantech’s routers and IoT gateways. It provides a zerotouch enablement platform for each remote device. See the application note [3] for more information of visit the WebAccess/DMP webpage.
New routers have been pre-installed with the WebAccess/DMP client, which has activated the connection to the WebAccess/DMP server by default. You can disable this connection on the Welcome page when logging into the router’s web interface or on the (Customization -> Router Apps -> WebAccess/DMP Client) configuration page.
The activated client periodically uploads router identifiers and configuration to the WebAccess/DMP server.
1.7 Router Configuration Options
Routers can be configured via a web browser or Secure Shell (SSH). Configuration via Web Browser is described in this Configuration Manual. Commands and scripts applicable in the configuration using SSH are described in Commands and Scripts Application Note [1]. Technical parameters and a full description of the router can be found in the User Manual of your router. You can also use additional software ­ WebAccess/VPN [2] and software for router monitoring R-SeeNet [3].
2

ICR-3200
1.8 IPv6 Support
There is an independent IPv4 and IPv6 dual-stack configuration implemented in the router’s firmware. This means that you can configure traffic through both IP protocols independently and both are supported. Additional EUI-64 IPv6 addresses of network interfaces are generated automatically by standard methods. In addition, there is a NAT64 internal gateway network interface for automatic translation between IPv6 and IPv4 (see Chapter 3.5 for more information). This gateway works together with DNS64 seamlessly (for domain names translation).
For cellular IPv6 connection, see Mobile WAN Configuration in Chapter 4.3.1. For IPv6 LAN configuration, see LAN Configuration in Chapter 4.1. DHCPv6 server/client is also supported. IPv4 is the default, but IPv6 can be enabled or used with all features and protocols in the router, except for non-secured tunnels GRE, L2TP and PPTP, and VRRP. Using the secured tunnels OpenVPN and IPsec, it is possible to run IPv6 traffic through an IPv4 tunnel and vice versa. The configuration forms for NAT, Firewall and Up/Down Scripts are completely separate for the IPv4 and IPv6 stacks. ICMPv6 protocol is also supported. IPv6 configuration is covered in each following Chapter when possible.
1.9 Supported Certificate File Types
All the GUI forms supporting the uploading of a certificate file support these file types: · CA, Local/Remote Certificate: .pem; .crt; .p12 · Private Key: .pem; .key; .p12
3

ICR-3200
1.10 IEEE 802.1X (RADIUS) Support
IEEE 802.1X is an IEEE Standard for port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN. IEEE 802.1X defines the encapsulation of the Extensible Authentication Protocol (EAP) over IEEE 802, which is known as “EAP over LAN” or EAPoL.
802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server (see Figure 1).
Figure 1: IEEE 802.1X Functional Diagram
· The supplicant is a client device (such as a laptop) that wishes to attach to the LAN/WLAN. The term ‘supplicant’ is also used interchangeably to refer to the software running on the client that provides credentials to the authenticator.
· The authenticator is a network device which provides a data link between the client (supplicant) and the network (LAN/WAN) and can allow or block network traffic between the two, such as an Ethernet switch or wireless access point. The authtenticator communicates with the authentication server to determine if the network access for a supplicant will be granted or not.
· The authentication server is typically a trusted server that can receive and respond to requests for network access, and can tell the authenticator if the connection is to be allowed, and various settings that should apply to that client’s connection or setting. Authentication servers typically run software supporting the RADIUS and EAP protocols.
4

ICR-3200

Table 1 summarizes all the supported cases and roles when the IEEE 802.1X authentication can be used on Advantech routers.
Please note that the role of the authentication server is not supported by Advantech routers.

Interface Supplicant Role

Authenticator Role

LAN

Built-in feature, just configure Not built-in feature, but can be

the LAN with 802.1X authentica- implemented by the UM 802.1X

tion, see Chapter 4.1.3.

Authenticator. For more infor-

mation about this module see

[RA].

WiFi

Supported for the Station (STA) Supported for the Access Point

mode, see Chapter 4.6.

(AP) mode, see Chapter 4.5.

Table 1: Supported Roles of the IEEE 802.1X Authentication

5

ICR-3200
2. Web Configuration GUI
Figure 2: Web Configuration GUI 6

ICR-3200
The cellular router will not operate unless the cellular carrier has been correctly configured and the account activated and provisioned for data communications. For UMTS and LTE carriers, a SIM card must be inserted into the router. Do not insert the SIM card when the router is powered up.
You may use the web interface to monitor, configure and manage the router. To access the router over the web interface enter the router’s IP address in your browser. The default address is 192.168.1.1. Only access via secured HTTPS protocol is permitted. So the syntax for the IP address must be https://192.168.1.1. When accessing the router for the first time you will need to install a security certificate if you don’t want the browser to show you a domain disagreement message. To avoid receiving domain disagreement messages, follow the procedure described in the following subchapter.
The default username is root1. The default password is printed on the router’s label.2 Change the default password as soon as possible!
For increased security of the network connected to the router, change the default router password. When the default password of the router is still active, the Change password title is highlighted in red.
After three unsuccessful login attempts, any HTTP(S) access from an IP address is blocked for one minute.
When you successfully enter login information on the login page, the web interface will be displayed, see Figure 2. The left side of the web interface contains a menu tree with sections for Status monitoring, Configuration, Customization, and Administration of the router. The Name and Location fields, identifying the router, can be displayed in the right upper corner of the web interface. It can be configured in the SNMP configuration (see 4.17.6).
2.1 Factory Reset
After the PWR LED starts to blink you may restore the initial router settings by pressing the reset (RST ) button for a given time, see the technical manual of the router for more information. This action will revert all the configuration settings to the factory defaults and the router will reboot (the PWR LED will be on during the reboot).
1ICR-3241(W)-1ND models have the defaul username “admin”. 2If the router’s label does not contain a unique password, use the password “root”.
7

ICR-3200
2.2 HTTPS Certificate for the GUI
There is the self-signed HTTPS certificate in the router. Because the identity of this certificate cannot be validated, a message can appear in the web browser. To solve this, upload your own certificate, signed by Certification Authority, to the router. If you want to use your own certificate (e.g. in combination with the dynamic DNS service), you need to replace the /etc/certs/https_cert and /etc/certs/https_key files in the router. This can be done easily in the GUI on HTTP configuration page, see Chapter 4.17.3.
If you decide to use the self-signed certificate in the router to prevent the security message (domain disagreement) from pop up every time you log into the router, you can take the following steps:
· Add the DNS record to your DNS system: Edit /etc/hosts (Linux/Unix OS) or C:WINDOWSsystem32driversetchosts (Windows OS) or configure your own DNS server. Add a new record with the IP address of your router and the domain name based of the MAC address of the router (MAC address of the first network interface seen in Network Status in the Web interface of the router.) Use dash separators instead of colons. Example: A router with the MAC address 00:11:22:33:44:55 will have a domain name 00-11-22-33-44-55.
· Access the router via the new domain name address (E.g. https://00-11-22-33-44-55). If you see the security message, add an exception so the next time the message will not pop up (E.g. in Firefox Web browser). If there is no possibility to add an exception, export the certificate to the file and import it to your browser or operating system.
Note: You will have to use the domain name based on the MAC address of the router and it is not guaranteed to work with every combination of an operating system and a browser.
2.3 Valid Characters
If the router is configured through the web interface, avoid entering forbidden characters into any of the input forms (not just for password). Valid and forbidden characters are specified below. Please note that the “space” character may not be allowed for some forms as well. Valid characters are: Forbidden characters are:
8

ICR-3200

3. Status

All status pages can display live data. To enable this feature, click on the refresh button in the top right corner on the status page. To stop the data update and to limit the amount of data transferred, disable automatic data updates by clicking the pause button again.

3.1 General Status
You can reach a summary of basic router information and its activities by opening the General status page. This page is displayed when you log in to the device by default. The information displayed on this page is divided into several sections, based upon the type of the router and its hardware configuration. Typically, there are sections for the mobile connection, LAN, system information, system information, and eventually for the WiFi and peripheral ports, if the device is equipped with.
IPv6 Address item can show multiple different addresses for one network interface. This is standard behavior since an IPv6 interface uses more addresses. The second IPv6 Address showed after pressing More Information is automatically generated EUI-64 format link local IPv6 address derived from MAC address of the interface. It is generated and assigned the first time the interface is used (e.g. cable is connected, Mobile WAN connecting, etc.).

3.1.1 Mobile Connection

Item SIM Card Interface Flags
IP Address MTU Rx Data Rx Packets Rx Errors Rx Dropped Rx Overruns Tx Data Tx Packets Tx Errors

Description Identification of the SIM card Defines the interface Displays network interface flags:
None – no flags Up – the interface is administratively enabled Running – the interface is in operational state (cable detected) Multicast – the interface is capable of multicast transmission IP address of the interface Maximum packet size that the equipment is able to transmit Total number of received bytes Received packets Erroneous received packets Dropped received packets Lost received packets because of overload Total number of sent bytes Sent packets Erroneous sent packets
Continued on next page

9

ICR-3200

Item Tx Dropped Tx Overruns Uptime

Continued from previous page
Description Dropped sent packets Lost sent packets because of overload Indicates how long the connection to the cellular network has been established
Table 2: Mobile Connection

3.1.2 Ethernet Status
Every Ethernet interface has its separate section on the General status page. Items displayed here have the same meaning as items in the previous part. Moreover, the MAC Address item shows the MAC address of the corresponding router’s interface. Visible information depends on the Ethernet configuration, see Chapter 4.1.

10

ICR-3200

3.1.3 WiFi Status
Items displayed in this part have the same meaning as items in the previous part. WiFi AP part displays information for the WiFi interface (wlan0) working in access point mode, for the configuration see Chapter 4.5. WiFi STA part displays information for the WiFi interface (wlan1) working in station mode, for the configuration description see Chapter 4.6.

3.1.4 Peripheral Ports
Information about available peripheral ports and status of binary interfaces is displayed in the Peripheral Ports section.

Item Expansion Port 1 Expansion Port 2 Binary Input Binary Output

Description An interface detected on the first expansion port. An interface detected on the second expansion port. State of the binary input. State of the binary output.
Table 3: Peripheral Ports

3.1.5 System Information

System information about the device is displayed in the System Information section.

Item Firmware Version Serial Number Hardware UUID1 Product Revision1 Profile
RTC Battery Supply Voltage Temperature Time Uptime Licenses

Description Information about the firmware version. Serial number of the router (in case of N/A is not available). Unique HW identifier for the device. Manufactured product revision number. Current profile ­ standard or alternative profiles (profiles are used for example to switch between different modes of operation). RTC battery state. Supply voltage of the router. Temperature in the router. Current date and time. Indicates how long the router is used. Link to the list of open source software components of the firmware together with their license type. Click on the license type to see the license text.
Table 4: System Information

1It may not be available for some models. 2Only for models with PoE. The router’s power supply voltage must meet the required voltage.
11

ICR-3200

3.2 Mobile WAN Status

The ICR-3201 (LAN version) has no the Mobile WAN status menu option.

The Mobile WAN menu item contains current information about connections to the mobile network. The first part of this page (Mobile Network Information) displays basic information about mobile network the router operates in. There is also information about the module, which is mounted in the router.

Item Registration Operator Technology PLMN Cell LAC/TAC
Channel
Band Signal Strength Signal Quality
RSSI, RSRP, RSRQ, SINR, RSCP or Ec/Io CSQ
Neighbours Manufacturer Model Revision IMEI

Description

State of the network registration

Specifies the operator’s network the router operates in.

Transmission technology

Code of operator

Cell the router is connected to (in hexadecimal format).

Unique number (in hexadecimal format) assigned to each location area. LAC (Location Area Code) is for 2G/3G networks and TAC (Tracking Area Code) is for 4G networks.

Channel the router communicates on · ARFCN in case of GPRS/EDGE technology, · UARFCN in case of UMTS/HSPA technology, · EARFCN in case of LTE technology.

Cellular band abbreviation.

Signal strength (in dBm) of the selected cell, for details see Table 6.

Signal quality of the selected cell:

· EC/IO for UMTS (it’s the ratio of the signal received from the pilot

channel ­ EC ­ to the overall level of the spectral density, ie the

sum of the signals of other cells ­ IO).

·

RSRQ

for

LTE

technology

(Defined

as

the

ratio

N ×RSRP RSSI

).

· The value is not available for the EDGE technology.

Other parameters reporting signal strength or quality. Please note, that some of them may not be available, depending on the cellular module or cellular technology.

Cell signal strength with following value ranges: · 2 ­ 9 = Marginal, · 10 ­ 14 = OK, · 15 ­ 19 = Good, · 20 ­ 30 = Excelent.
Signal strength of neighboring hearing cells (GPRS only)1.
Module manufacturer
Type of module
Revision of module
IMEI (International Mobile Equipment Identity) number of module
Continued on next page

1If a neighboring cell for GPRS is highlighted in red, router may repeatedly switch between the neighboring and the primary cell affecting the router’s performance. To prevent this, re-orient the antenna or use a directional antenna.

12

ICR-3200

Continued from previous page

Item

Description

MEID

MEID number of module

ICCID

Integrated Circuit Card Identifier is international and unique serial number of the SIM card.

Table 5: Mobile Network Information

The value of signal strength is displayed in different color: in black for good, in orange for fair and in red for poor signal strength.

Signal strength GPRS/EDGE/CDMA (RSSI)

UMTS/HSPA (RSCP)

LTE (RSRP)

good

-70 dBm

-75 dBm

-90 dBm

fair

-70 dBm to -89 dBm

-75 dBm to -94 dBm

-90 dBm to -109 dBm

poor

< -89 dBm

< -94 dBm

< -109 dBm

Table 6: Value ranges of signal strength for different technologies.

The middle part of this page, called Statistics, displays information about mobile signal quality, transferred data and number of connections for all the SIM cards (for each period). The router has standard intervals, such as the previous 24 hours and last week, and also period starting with Accounting Start defined for the MWAN module.

Period Today Yesterday This week Last week This period Last period

Description Today from 0:00 to 23:59 Yesterday from 0:00 to 23:59 This week from Monday 0:00 to Sunday 23:59 Last week from Monday 0:00 to Sunday 23:59 This accounting period Last accounting period
Table 7: Description of Periods

Item RX data TX data Connections Signal Min Signal Avg Signal Max Cells Availability

Description Total volume of received data Total volume of sent data Number of connection to mobile network establishment Minimal signal strength Average signal strength Maximal signal strength Number of switch between cells Availability of the router via the mobile network (expressed as a percentage)
Table 8: Mobile Network Statistics

Tips for Mobile Network Statistics table:

13

ICR-3200
· Availability is expressed as a percentage. It is the ratio of time connection to the mobile network has been established to the time that router has been is turned on.
· Placing your cursor over the maximum or minimum signal strength will display the last time the router reached that signal strength.
Figure 3: Mobile WAN status The last part (Connection Log) displays information about the mobile network connections and any problems that occurred while establishing them.
14

ICR-3200
3.3 WiFi Status
This item is available only if the router is equipped with a WiFi module. Selecting the Status -> WiFi -> Status item in the main menu of the web interface will display information about the WiFi access point (AP) and the WiFi station (STA). Information about all stations connected to the AP are listed as well. Examle of the output for the Wifi status is shown on the following figure.
Figure 4: WiFi Status 15

ICR-3200

3.4 WiFi Scan

This item is available only if the router is equipped with a WiFi module.

Selecting the Status -> WiFi -> Scan item scans for neighboring WiFi networks and displays the results. In the table below is the description of some items in the output of the WiFi scanning.

Item

Description

BSS

MAC address of access point (AP)

TSF
freq beacon interval capability signal last seen SSID Supported rates

A Timing Synchronization Function (TSF) keeps the timers for all stations in the same Basic Service Set (BSS) synchronized. All stations shall maintain a local TSF timer. Frequency band of WiFi network [MHz] Period of time synchronization List of access point (AP) properties Signal level of access point (AP) Last response time of access point (AP) Identifier of access point (AP) Supported rates of access point (AP)

DS Parameter set

The channel on which access point (AP) broadcasts

ERP

Extended Rate PHY ­ information element providing backward compatibility

Extended supported rates

Supported rates of access point (AP) that are beyond the scope of eight rates mentioned in Supported rates item

RSN

Robust Secure Network ­ The protocol for establishing a secure communication through wireless network 802.11

Table 9: Information about Neighbouring WiFi Networks

16

WiFi Scan output may look like this:

ICR-3200

Figure 5: WiFi Scan 17

ICR-3200

3.5 Network Status

To view information about the interfaces and the routing table, open the Network item in the Status menu. The upper part of the window displays detailed information about the active interfaces only:

Interface eth0, eth1 usbx
wlan0 pppx tunx ipsecx gre1 wg1 lo nat64

Description Network interfaces (Ethernet connection) Active connection to the mobile network ­ wireless module is connected via USB interface. WiFi interface ­ if configured PPP interface (e.g. PPPoE tunnel ­ if configured) OpenVPN tunnel interface ­ if configured IPSec tunnel interface ­ if configured GRE tunnel interface ­ if configured WireGuard tunnel interface ­ if configured Local loopback interface Network interface of internal translator gateway between IPv6 and IPv4 addresses. Table 10: Description of Interfaces in Network Status

The following information can be displayed for network interfaces:

Item HWaddr inet addr inet6 addr
P-t-P Bcast Mask MTU Metric

Description Hardware (unique, MAC) address of a network interface. IPv4 address of interface IPv6 address of interface. There can be more of them for single network interface. IP address of the opposite end (in case of point-to- point connection). Broadcast address Mask of network Maximum packet size that the equipment is able to transmit. Number of routers the packet must go through.
Continued on next page

18

ICR-3200

Item RX
TX
collisions txqueuelen RX bytes TX bytes

Continued from previous page
Description
· packets ­ received packets · errors ­ number of errors · dropped ­ dropped packets · overruns ­ incoming packets lost because of overload. · frame ­ wrong incoming packets because of incorrect packet
size.
· packets ­ transmit packets · errors ­ number of errors · dropped ­ dropped packets · overruns ­ outgoing packets lost because of overload. · carrier ­ wrong outgoing packets with errors resulting from the
physical layer.
Number of collisions on physical layer. Length of buffer (queue) of the network interface. Total number of received bytes. Total number of transmitted bytes. Table 11: Description of Information in Network Status

You may view the status of the mobile network connection on the network status screen. If the connection to the mobile network is active, it will appear in the system information as an usb0 interface.
The Route Table is displayed at the bottom of the Network Status page. There is IPv4 Route Table and IPv6 Route Table below.
If the router is connected to the Internet (a default route is defined), the nat64 network interface is created automatically. This is the NAT64 internal gateway for translating the IPv6 and IPv4 communication. It is used automatically when connected via IPv6 and communicating with IPv4 device or network. It works together with DNS64 running in the router automatically (translation of domain names to IP addresses). The default NAT64 prefix 64:ff9b::/96 is used as you can see in Figure 6 below in the IPv6 Route Table section.

19

ICR-3200
Figure 6: Network Status 20

ICR-3200
3.6 DHCP Status
Information about the DHCP server activity is accessible via the DHCP item. The DHCP server automatically configures the client devices connected to the router. The DHCP server assigns each device an IP address, subnet mask, and default gateway (IP address of the router) and DNS server (IP address of the router). DHCPv6 server is supported.
See Figure 7 for the DHCP Status example. Records in the DHCP Status window are divided into two parts based on the interface.

Figure 7: DHCP Status

The DHCP status window displays the following information on a row for each client in the list. All items are described in Table 12.

Item IPv4 Address IPv6 Address Lease Starts Lease Ends MAC Hostname IA-NA

Description IPv4 address assigned to a client. IPv6 address assigned to a client. The time the IP address lease started. The time the IP address lease expires. MAC address of the client. Client hostname. IPv6 unique identifier.
Table 12: DHCP Status Description

The DHCP status may occasionally display two records for one IP address. It may be caused by resetting the client network interface.

21

ICR-3200
3.7 IPsec Status
Selecting the IPsec option in the Status menu of the web page will bring up the information for any IPsec Tunnels that have been established. If the tunnel has been built correctly, the screen will display ESTABLISHED and the number of running IPsec connections 1 up (orange highlighted in the figure below.) If there is no such text in log (e.g. “0 up”), the tunnel was not created!
Figure 8: IPsec Status
22

ICR-3200
3.8 WireGuard Status
Selecting the WireGuard option in the Status menu of the web page will bring up the information for any WireGuard Tunnels established. In the figure below is an example of the first WireGuard tunnel running.
Figure 9: WireGuard Status Page The Latest handshake time is the time left from the latest successful communication with the opposite tunnel side. This item will not be shown here until there is a tunnel communication (data sent by the client-side or the keepalive data sent when NAT/Firewall Traversal is set to yes).
23

ICR-3200
3.9 DynDNS Status
The router supports DynamicDNS using a DNS server on www.dyndns.org. If Dynamic DNS is configured, the status can be displayed by selecting menu option DynDNS. Refer to www.dyndns.org for more information on how to configure a Dynamic DNS client. You can use the following listed servers for the Dynamic DNS service. It is possible to use the DynDNSv6 service with IP Mode switched to IPv6 on DynDNS Configuration page.
· www.dyndns.org · www.spdns.de · www.dnsdynamic.org · www.noip.com
Figure 10: DynDNS Status When the router detects a DynDNS record update, the dialog displays one or more of the following messages: · DynDNS client is disabled. · Invalid username or password. · Specified hostname doesn’t exist. · Invalid hostname format. · Hostname exists, but not under specified username. · No update performed yet. · DynDNS record is already up to date. · DynDNS record successfully update. · DNS error encountered. · DynDNS server failure.
The router’s SIM card must have public IP address assigned or DynDNS will not function correctly.
24

ICR-3200
3.10 System Log
If there are any connection problems you may view the system log by selecting the System Log menu item. Detailed reports from individual applications running in the router will be displayed. Use the Save Log button to save the system log to a connected computer. (It will be saved as a text file with the .log extension.) The Save Report button is used for creating detailed reports. (It will be saved as a text file with the .txt extension. The file will include statistical data, routing and process tables, system log, and configuration.)
Sensitive data from the report are filtered out for security reasons. The default length of the system log is 1000 lines. After reaching 1000 lines a new file is created for storing the system log. After completion of 1000 lines in the second file, the first file is overwritten with a new file. The Syslogd program will output the system log. It can be started with two options to modify its behavior. Option “-S” followed by decimal number sets the maximal number of lines in one log file. Option “-R” followed by hostname or IP address enables logging to a remote syslog daemon. (If the remote syslog deamon is Linux OS, there has to be remote logging enabled (typically running “syslogd -R”). If it’s the Windows OS, there has to be syslog server installed, e.g. Syslog Watcher). To start syslogd with these options, the “/etc/init.d/syslog” script can be modified via SSH or lines can be added into Startup Script (accessible in Configuration section) according to figure 12.
Figure 11: System Log
25

ICR-3200
The following example (figure) shows how to send syslog information to a remote server at 192.168.2.115 on startup.
Figure 12: Example program syslogd start with the parameter
26

ICR-3200
4. Configuration
4.1 Ethernet Configuration
To enter the Local Area Network configuration, select the Ethernet menu item in the Configuration section. The Ethernet item will expand in the menu on the left, so you can choose the proper Ethernet interface to configure: ETH0 for the first Ethernet interface and ETH1 for the second Ethernet interface.
LAN Configuration page is divided into IPv4 and IPv6 columns, see Figure 13. There is dual stack support of IPv4 and IPv6 protocols ­ they can run alongside, you can configure either one of them or both. If you configure both IPv4 and IPv6, other network devices will choose the communication protocol. Configuration items and IPv6 to IPv4 differences are described in the tables below.
Figure 13: LAN Configuration page 27

ICR-3200

Item DHCP Client

Description
Enables/disables the DHCP client function. If in IPv6 column, the DHCPv6 client is enabled. DHCPv6 client supports all three methods of getting an IPv6 address ­ SLAAC, stateless DHCPv6 and statefull DHCPv6.

· disabled ­ The router does not allow automatic allocation of an IP address from a DHCP server in LAN network.
· enabled ­ The router allows automatic allocation of an IP address from a DHCP server in LAN network.

IP Address

A fixed IP address of the Ethernet interface. Use IPv4 notation in IPv4 column and IPv6 notation in IPv6 column. Shortened IPv6 notation is supported.

Subnet Mask / Prefix Specifies a Subnet Mask for the IPv4 address. In the IPv6 column, fill in the Prefix for the IPv6 address ­ number in range 0 to 128.

Default Gateway

Specifies the IP address of a default gateway. If filled-in, every packet with the destination not found in the routing table is sent to this IP address. Use proper IP address notation in IPv4 and IPv6 column.

DNS Server

Specifies the IP address of the DNS server. When the IP address is not found in the Routing Table, the router forwards the request to DNS server specified here. Use proper IP address notation in IPv4 and IPv6 column.

Table 13: Configuration of the Network Interface ­ IPv4 and IPv6

The Default Gateway and DNS Server items are only used if the DHCP Client item is set to disabled and if the ETH0 or ETH1 LAN is selected by the Backup Routes system as the default route. (The selection algorithm is described in section 4.7). Since FW 5.3.0, Default Gateway and DNS Server are also supported on bridged interfaces (e.g. eth0 + eth1).

The following three items (in the table below) are global for the configured Ethernet interface. Only one bridge can be active on the router at a time. The DHCP Client, IP Address and Subnet Mask / Prefix parameters of the only one of the interfaces are used to for the bridge. ETH0 LAN has higher priority when both interfaces (ETH0, ETH1) are added to the bridge. Other interfaces can be added to or deleted from an existing bridge at any time. The bridge can be created on demand for such interfaces, but not if it is configured by their respective parameters.

28

ICR-3200

Item Bridged
Media Type

Description Activates/deactivates the bridging function on the router.
· no ­ The bridging function is inactive (default). · yes ­ The bridging function is active.
Specifies the type of duplex and speed used in the network.
· Auto-negation ­ The router automatically sets the best speed and duplex mode of communication according to the network’s possibilities.
· 100 Mbps Full Duplex ­ The router communicates at 100 Mbps, in the full duplex mode.
· 100 Mbps Half Duplex ­ The router communicates at 100 Mbps, in the half duplex mode.
· 10 Mbps Full Duplex ­ The router communicates at 10 Mbps, in the full duplex mode.
· 10 Mbps Half Duplex ­ The router communicates at 10 Mbps, in the half duplex mode.

MTU

Maximum Transmission Unit value. Default value is 1500 bytes. Table 14: Configuration of the Network Interface ­ global items

4.1.1 DHCP Server
The DHCP server assigns the IP address, gateway IP address (IP address of the router) and IP address of the DNS server (IP address of the router) to the connected clients. If these values are filled in by the user in the configuration form, they will be preferred.
The DHCP server supports static and dynamic assignment of IP addresses. Dynamic DHCP assigns clients IP addresses from a defined address space. Static DHCP assigns IP addresses that correspond to the MAC addresses of connected clients.
If IPv6 column is filled in, the DHCPv6 server is used. DHCPv6 server offers stateful address configuration to connected clients. Only when the Subnet Prefix above is set to 64, the DHCPv6 server offers both ­ the stateful address configuration and SLAAC (Stateless Address Autoconfiguration).
1Available only on models equipped with the PoE PSE functionality.

29

ICR-3200

Do not to overlap ranges of static allocated IP addresses with addresses allocated by the dynamic DHCP server. IP address conflicts and incorrect network function can occur if you overlap the ranges.

Item

Description

Enable dynamic DHCP leases Select this option to enable a dynamic DHCP server.

IP Pool Start

Starting IP addresses allocated to the DHCP clients. Use proper notation in IPv4 and IPv6 column.

IP Pool End

End of IP addresses allocated to the DHCP clients. Use proper IP address notation in IPv4 and IPv6 column.

Lease time

Time in seconds that the IP address is reserved before it can be re-used.

Table 15: Configuration of Dynamic DHCP Server

Item

Description

Enable static DHCP leases

Select this option to enable a static DHCP server.

MAC Address

MAC address of a DHCP client.

IPv4 Address

Assigned IPv4 address. Use proper notation.

IPv6 Address

Assigned IPv6 address. Use proper notation.

Table 16: Configuration of Static DHCP Server

4.1.2 IPv6 Prefix Delegation
This is an advanced configuration option. IPv6 prefix delegation works automatically with DHCPv6 ­ use only if different configuration is desired and if you know the consequences.
If you want to override the automatic IPv6 prefix delegation, you can configure it in this form. You have to know your Subnet ID Width (part of IPv6 address), see Figure below for the calculation help ­ it is an example: 48 bits is Site Prefix, 16 bits is Subnet ID (Subnet ID Width) and 64 bits is Interface ID.

Figure 14: IPv6 Address with Prefix Example 30

ICR-3200

Item

Description

Enable IPv6 prefix delegation Enables prefix delegation configuration filled- in below.

Subnet ID

The decimal value of the Subnet ID of the Ethernet interface. Maximum value depends on the Subnet ID Width.

Subnet ID Width

The maximum Subnet ID Width depends on your Site Prefix ­ it is the remainder to 64 bits.

Table 17: IPv6 prefix delegation configuration

4.1.3 802.1X Authentication to RADIUS Server

Authentication (802.1X) to RADIUS server can be enabled in next configuration section. This functionality requires additional setting of identity and certificates as described in the following table.

Item

Description

Enable IEEE

Select this option to enable 802.1X Authentication.

802.1X Authenti-

cation

Authentication Method

Select authentication method (EAP-PEAPMSCHAPv2 or EAP-TLS).

CA Certificate

Definition of CA certificate for EAP-TLS authentication protocol.

Local Certificate Definition of local certificate for EAP-TLS authentication protocol.

Local Private Key Definition of local private key for EAP-TLS authentication protocol.

Identity

User name ­ identity.

Password

Access password. This item is available for EAP-PEAPMSCHAPv2 protocol only. Enter valid characters only, see chap. 2.3!

Local Private Key Definition of password for private key of EAP-TLS protocol. This item

Password

is available for EAP-TLS protocol only. Enter valid characters only,

see chap. 2.3!

Table 18: Configuration of 802.1X Authentication

31

ICR-3200
4.1.4 LAN Configuration Examples
Example 1: IPv4 Dynamic DHCP Server, Default Gateway and DNS Server · The range of dynamic allocated IPv4 addresses is from 192.168.1.2 to 192.168.1.4. · The address is allocated for 600 second (10 minutes). · Default gateway IP address is 192.168.1.20 · DNS server IP address is 192.168.1.20
Figure 15: Network Topology for Example 1
32

ICR-3200
Figure 16: LAN Configuration for Example 1 33

ICR-3200
Example 2: IPv4 Dynamic and Static DHCP server · The range of allocated addresses is from 192.168.1.2 to 192.168.1.4. · The address is allocated for 600 seconds (10 minutes). · The client with the MAC address 01:23:45:67:89:ab has the IP address 192.168.1.10. · The client with the MAC address 01:54:68:18:ba:7e has the IP address 192.168.1.11.
Figure 17: Network Topology for Example 2
34

ICR-3200
Figure 18: LAN Configuration for Example 2 35

ICR-3200
Example 3: IPv6 Dynamic DHCP Server · The range of dynamic allocated IPv6 addresses is from 2001:db8::1 to 2001:db8::ffff. · The address is allocated for 600 second (10 minutes). · The router is still accessible via IPv4 (192.168.1.1).
Figure 19: Network Topology for Example 3
36

ICR-3200
Figure 20: LAN Configuration for Example 3 37

ICR-3200

4.2 VRRP Configuration

Select the VRRP menu item to enter the VRRP configuration. There are two submenus which allows to configure up to two instances of VRRP. VRRP protocol (Virtual Router Redundancy Protocol) allows you to transfer packet routing from the main router to a backup router in case the main router fails. (This can be used to provide a wireless cellular backup to a primary wired router in critical applications.) If the Enable VRRP is checked, you may set the following parameters.

Item Protocol Version Virtual Server IP Address
Virtual Server ID
Host Priority

Description
Choose version of the VRRP (VRRPv2 or VRRPv3).
This parameter sets the virtual server IP address. This address must be the same for both the primary and backup routers. Devices on the LAN will use this address as their default gateway IP address.
This parameter distinguishes one virtual router on the network from another. The main and backup routers must use the same value for this parameter.
The active router with highest priority set by the parameter Host Priority, is the main router. According to RFC 2338, the main router should have the highest possible priority ­ 255. The backup router(s) have a priority in the range 1 ­ 254 (default value is 100). A priority value of 0 is not allowed.
Table 19: VRRP configuration

You may set the Check connection flag in the second part of the window to enable automatic test messages for the cellular network. In some cases, the mobile WAN connection could still be active but the router will not be able to send data over the cellular network. This feature is used to verify that data can be sent over the PPP connection and supplements the normal VRRP message handling. The currently active router (main/backup) will send test messages to the defined Ping IP Address at periodic time intervals (Ping Interval) and wait for a reply (Ping Timeout). If the router does not receive a response to the Ping command, it will retry up to the number of times specified by the Ping Probes parameter. After that time, it will switch itself to a backup router until the PPP connection is restored.
You may use the DNS server of the mobile carrier as the destination IP address for the test messages (Pings).
The Enable traffic monitoring option can be used to reduce the number of messages that are sent to test the PPP connection. When this parameter is set, the router will monitor the interface for any packets different from a ping. If a response to the packet is received within the timeout specified by the Ping Timeout parameter, then the router knows that the connection is still active. If the router does not receive a response within the timeout period, it will attempt to test the mobile WAN connection using standard Ping commands.

38

ICR-3200

Item Ping IP Address
Ping Interval Ping Timeout Ping Probes

Description Destinations IP address for the Ping commands. IP Address can not be specified as a domain name. Interval in seconds between the outgoing Pings. Time in seconds to wait for a response to the Ping. Maximum number of failed ping requests.
Table 20: Check connection

Example of the VRRP protocol:

Figure 21: Topology of VRRP configuration example

Figure 22: Example of VRRP configuration ­ main router 39

ICR-3200
Figure 23: Example of VRRP configuration ­ backup router
40

ICR-3200
4.3 Mobile WAN Configuration
The ICR-3201 (LAN version) has no the Mobile WAN configuration menu option. Select the Mobile WAN item in the Configuration menu section to enter the cellular network configuration page. See Mobile WAN Configuration page in Figure 24.
Figure 24: Mobile WAN Configuration 41

ICR-3200

4.3.1 Connection to Mobile Network
If the Create connection to mobile network checkbox is checked, then the router will automatically attempt to establish a connection after booting up. You can specify the following parameters for each SIM card separately.

Item Carrier APN Username Password Authentication
IP Mode
IP Address Dial Number Operator Network type

Description Available For NAM routers only. Network carrier selection. Provides either automatic detection option, or manual selection of AT&T, Rogers or Verizon. Network identifier (Access Point Name). The user name used for logging on to the GSM network. The password used for logging on to the GSM network. Enter valid characters only, see chap. 2.3! Authentication protocol used in the GSM network:
· PAP or CHAP ­ The router selects the authentication method. · PAP ­ The router uses the PAP authentication method. · CHAP ­ The router uses the CHAP authentication method.
Specifies the version of IP protocol used:
· IPv4 ­ IPv4 protocol is used only (default). · IPv6 ­ IPv6 protocol is used only. · IPv4/IPv6 ­ IPv4 and IPv6 independent dual stack is enabled.
For use in IPv4 and IPv4/IPv6 mode only. Specifies the IPv4 address of the SIM card. You manually enter the IP address only when mobile network carrier has assigned the IP address. Specifies the telephone number which the router dials for GPRS or a CSD connection. The router uses the default telephone number *99***1 #. Specifies the carrier code. You can specify this parameter as the PLNM preferred carrier code. Specifies the type of protocol used in the mobile network.

Automatic selection – The router automatically selects the transmission method according to the availability of transmission technologies. Automatic selection never selects NB-IoT networks. Use NB-IoT in the selection for NB- IoT networks.
Continued on next page

42

ICR-3200

Item PIN MRU
MTU

Continued from previous page
Description
Specifies the PIN used to unlock the SIM card. Use only if this is required by a given SIM card. The SIM card will be blocked after several failed attempts to enter the PIN.
Maximum Receive Unit ­ maximum size of packet that the router can receive via Mobile WAN. The default value is 1500 B. Other settings may cause the router to receive data incorrectly. Minimal value in IPv4 and IPv4/IPv6 mode: 128 B. Minimal value in IPv6 mode: 1280 B.
Maximum Transmission Unit ­ maximum size of packet that the router can transmit via Mobile WAN. The default value is 1500 B. Other settings may cause the router to transmit data incorrectly. Minimal value in IPv4 and IPv4/IPv6 mode: 128 B. Minimal value in IPv6 mode: 1280 B.
Table 21: Mobile WAN Connection Configuration

The following list contains tips for working with the Mobile WAN configuration form:

· If the MTU size is set incorrectly, then the router will not exceed the data transfer. If the MTU value is set too low, more frequent fragmentation of data will occur. More frequent fragmentation will mean a higher overhead and also the possibility of packet damage during defragmentation. In contrast, a higher MTU value can cause the network to drop the packet.
· If the IP address field is left blank, when the router establishes a connection, the mobile network carrier will automatically assign an IP address. If you assign an IP address manually, then the router will access the network quicker.
· If the APN field is left blank, the router automatically selects the APN using the IMSI code of the SIM card. The name of the chosen APN can be found in the System Log.
· If you enter the word in the APN field, then the router interprets the APN as blank.

The correct PIN must be filled in. An incorrect PIN may block the SIM card.

Parameters identified with an asterisk require you to enter the appropriate information only if this information is required by the mobile network carrier.
When the router is unsuccessful in establishing a connection to mobile network, you should verify accuracy of the entered data. Alternatively, you could try a different authentication method or network type.

43

ICR-3200
4.3.2 DNS Address Configuration
The DNS Settings parameter is designed for easier configuration on the client’s side. When this value is set to get from operator the router will attempt to automatically obtain an IP address from the primary and secondary DNS server of the mobile network carrier. To specify the IP addresses of the Primary DNS servers manually, on the DNS Server pull down list select the value set manually. You can also fill-in the IPv4 or IPv6 address of the DNS server (or both) based on the IP Mode option.
4.3.3 Check Connection to Mobile Network
Enabling the Check Connection function for mobile networks is necessary for uninterrupted and continuous operation of the router.
If the Check Connection item is set to enabled or enabled + bind, the router will be sending the ping requests to the specified domain or IP address configured in Ping IP Address or Ping IPv6 Address at regular time intervals set up in the Ping Interval.
In case of an unsuccessful ping, a new ping will be sent after the Ping Timeout. If the ping is unsuccessful three times in a row, the router will terminate the cellular connection and will attempt to establish a new one.
This monitoring function can be set for both SIM cards separately, but running on the active SIM at given time only. Be sure, you configure a functional address as the destination for the ping, for example an IP address of the operator’s DNS server.
If the Check Connection item is set to the enabled, the ping requests are being sent on the basis of the routing table. Therefore, the requests may be sent through any available interface. If you require each ping request to be sent through the network interface, which was created when establishing a connection to the mobile operator, it is necessary to set the Check Connection to enabled + bind. The disabled option deactivates checking of the connection to the mobile network.
A note for routers connected to the Verizon carrier (detected by the router): The retry interval for connecting to the mobile network prolongs with more retries. First two retries are done after 1 minute. Then the interval prolongs to 2, 8 and 15 minutes. The ninth and every other retry is done in 90 minutes interval.
If Enable Traffic Monitoring item is checked, the router will monitor the Mobile WAN traffic without sending the ping requests. If there is no traffic, the router will start sending the ping requests.
44

ICR-3200

Item

Description

Ping IP Address

Specifies the ping queries destination IPv4 address or domain name. Available in IPv4 and IPv4/IPv6 IP Mode.

Ping IPv6 Address

Specifies the ping queries destination IPv6 address or domain name. Available in IPv6 and IPv4/IPv6 IP Mode.

Ping Interval

Specifies the time interval between outgoing pings.

Ping Timeout

Time in seconds to wait for a Ping response.

Table 22: Check Connection to Mobile Network Configuration

4.3.4 Check Connection Example
The figure below displays the following scenario: the connection to the mobile network in IPv4 IP Mode is controlled on the address 8.8.8.8 with a time interval of 60 seconds for the first SIM card and on the address www.google.com with the time interval 80 seconds for the second SIM card (for an active SIM only). Because the Enable traffic monitoring option is enabled, the control pings are not sent, but the data stream is monitored. The ping will be sent, if the data stream is interrupted.

Figure 25: Check Connection Example

45

ICR-3200

4.3.5 Data Limit Configuration

Item Data Limit Warning Threshold
Accounting Start

Description
Specifies the maximum expected amount of data transmitted (sent and received) over mobile interface in one billing period (one month). Maximum value is 2 TB (2097152 MB).
Specifies a percentage of the “Data Limit” in the range of 50 % to 99 %. If the given percentage data limit is exceeded, the router will send an SMS in the following form; Router has exceeded (value of Warning Threshold) of data limit.
Specifies the day of the month in which the billing cycle starts for a given SIM card. When the service provider that issued the SIM card specifies the start of the billing period, the router will begin to count the amount of data transferred starting on this day.
Table 23: Data Limit Configuration

If the parameter Data Limit State (see below) is set to not applicable or Send SMS when data limit is exceeded in SMS Configuration is not selected, the Data Limit set here will be ignored.
4.3.6 Switch between SIM Cards Configuration
In the lower part of the configuration form you can specify the rules for toggling between the two SIM cards.
The router will automatically toggle between the SIM cards and their individual setups depending on the configuration settings specified here (manual permission, roaming, data limit, binary input state). Note that the SIM card selected for connection establishment is the result of the logical product (AND) of the configuration here (table below).

Item SIM Card

Description Enable or disable the use of a SIM card. If you set all the SIM cards to disabled, this means that the entire cellular module is disabled.
· enabled ­ It is possible to use the SIM card. · disabled ­ Never use the SIM card, the usage of this SIM
is forbidden.
Continued on next page

46

ICR-3200

Continued from previous page

Item Roaming State

Description
Configure the use of SIM cards based on roaming. This roaming feature has to be activated for the SIM card on which it is enabled!

· not applicable ­ It is possible to use the SIM card everywhere.
· home network only ­ Only use the SIM card if roaming is not detected.

Data Limit State

Configure the use of SIM cards based on the Data Limit set above:

· not applicable ­ It is possible to use the SIM regardless of the limit.
· not exceeded ­ Use the SIM card only if the Data Limit (set above) has not been exceeded.

BINx State

Configure the use of SIM cards based on binary input x state, where x is the input number:

· not applicable ­ It is possible to use the SIM regardless of BINx state.
· on ­ Only use the SIM card if the BINx state is logical 0 ­ voltage present.
· off ­ Only use the SIM card if the BINx state is logical 1 ­ no voltage.

Table 24: Switch between SIM cards configuration
Use the following parameters to specify the decision making of SIM card switching in the cellular module.

Item Default SIM Card

Description
Specifies the modules’ default SIM card. The router will attempt to establish a connection to mobile network using this default.

· 1st ­ The 1st SIM card is the default one. · 2nd ­ The 2nd SIM card is the default one.

Continued on next page

47

ICR-3200

Continued from previous page

Item Initial State

Description
Specifies the action of the cellular module after the SIM card has been selected.

· online ­ establish connection to the mobile network after the SIM card has been selected (default).
· offline ­ go to the off-line mode after the SIM card has been selected.

Note: If offline, you can change this initial state by SMS message only ­ see SMS Configuration. The cellular module will also go into off-line mode if none of the SIM cards are not selected.

Switch to other SIM card when connection fails

Applicable only when connection is established on the default SIM card and then fails. If the connection failure is detected by Check Connection feature above, the router will switch to the backup SIM card.

Switch to default SIM card after timeout

If enabled, after timeout, the router will attempt to switch back to the default SIM card. This applies only when there is default SIM card defined and the backup SIM is selected beacuse of a failure of the default one or if roaming settings cause the switch. This feature is available only when Switch to other SIM card when connection fails is enabled.

Initial Timeout

Specifies the length of time that the router waits before the first attempt to revert to the default SIM card, the range of this parameter is from 1 to 10000 minutes.

Subsequent Timeout

Specifies the length of time that the router waits after an unsuccessful attempt to revert to the default SIM card, the range is from 1 to 10000 min.

Additive Constant

Specifies the length of time that the router waits for any further attempts to revert to the default SIM card. This length time is the sum of the time specified in the “Subsequent Timeout” parameter and the time specified in this parameter. The range in this parameter is from 1 to 10000 minutes.

Table 25: Parameters for SIM card switching

48

ICR-3200
4.3.7 Examples of SIM Card Switching Configuration
Example 1: Timeout Configuration Mark the Switch to default SIM card after timeout check box, and fill-in the following values:
Figure 26: Configuration for SIM card switching Example 1 The first attempt to change to the default SIM card is carried out after 60 minutes. When the first attempt fails, a second attempt is made after 30 minutes. A third attempt is made after 50 minutes (30+20). A fourth attempt is made after 70 minutes (30+20+20).
49

ICR-3200
Example 2: Data Limit Switching The following configuration illustrates a scenario in which the router changes to the second
SIM card after exceeding the data limit of 800 MB on the first (default) SIM card. The router sends a SMS upon reaching 400 MB (this settings has to be enabled on the SMS Configuration page). The accounting period starts on the 18th day of the month.
Figure 27: Configuration for SIM card switching Example 2
4.3.8 PPPoE Bridge Mode Configuration
If you mark the Enable PPPoE bridge mode check box, the router activates the PPPoE bridge protocol. PPPoE (point-to-point over ethernet) is a network protocol for encapsulating Point-to-Point Protocol (PPP) frames inside Ethernet frames. The bridge mode allows you to create a PPPoE connection from a device behind the router. For example, a PC connected to the ETH port of the router. You assign the IP address of the SIM card to the PC. The changes in settings will apply after clicking the Apply button.
50

ICR-3200
4.4 PPPoE Configuration
PPPoE (Point-to-Point over Ethernet) is a network protocol which encapsulates PPP frames into Ethernet frames. The router uses the PPPoE client to connect to devices supporting a PPPoE bridge or server. The bridge or server is typically an ADSL router.
To open the PPPoE Configuration page, select the PPPoE menu item. If you mark the Create PPPoE connection check box, then the router attempts to establish a PPPoE connection after boot up. After connecting, the router obtains the IP address of the device to which it is connected. The communications from a device behind the PPPoE server is forwarded to the router.

Item Username Password

Figure 28: PPPoE Configuration
Description Username for secure access to PPPoE. Password for secure access to PPPoE. Enter valid characters only, see chap. 2.3!
Continued on next page

51

ICR-3200

Item Authentication

Continued from previous page
Description Authentication protocol in GSM network.
· PAP or CHAP ­ The router selects the authentication method. · PAP ­ The router uses the PAP authentication method. · CHAP ­ The router uses the CHAP authentication method.

IP Mode

Specifies the version of IP protocol:
· IPv4 ­ IPv4 protocol is used only (default). · IPv6 ­ IPv6 protocol is used only. · IPv4/IPv6 ­ IPv4 and IPv6 dual stack is enabled.

MRU
MTU
DNS Settings DNS IP Address DNS IP Address Interface VLAN Tagging VLAN ID

Specifies the Maximum Receiving Unit. The MRU identifies the maximum packet size, that the router can receive via PPPoE. The default value is 1492 B (bytes). Other settings can cause incorrect data transmission. Minimal value in IPv4 and IPv4/IPv6 mode is 128 B. Minimal value in IPv6 mode is 1280 B.
Specifies the Maximum Transmission Unit. The MTU identifies the maximum packet size, that the router can transfer in a given environment. The default value is 1492 B (bytes). Other settings can cause incorrect data transmission. Minimal value in IPv4 and IPv4/IPv6 mode is 128 B. Minimal value in IPv6 mode is 1280 B.
Can be set to obtain the DNS address from the server or to set it manually.
Manual setting of DNS address.
Manual setting of IPv6 DNS address.
Select an Ethernet interface.
Select yes to turn on the VLAN tagging.
Set the ID for VLAN tagging. The range is from 1 to 1000.
Table 26: PPPoE configuration

Setting an incorrect packet size value (MRU, MTU) can cause unsuccessful transmission.

52

ICR-3200

4.5 WiFi Access Point Configuration

This item is available only if the router is equipped with a WiFi module.

ICR-3241(W)-1ND models may have some default configurations different or restricted.

Configuration of two separated WLANs (Multiple SSIDs) is supported.
Multi-role mode, which allows to operate as access point (AP) and station (STA) simultaneously, is supported. The multichannel mode is not supported, so the AP and the STA must operate on the same channel only. Please note, that only one AP can be activated together with the STA in operation.
RADIUS (Remote Authentication Dial-In User Service) networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users is supported on WiFi. The router can be RADIUS client only (not the server) ­ typically as a WiFi AP (Access Point) negotiating with the RADIUS server.
Activate WiFi access point mode by checking Enable WiFi AP box at the top of the Configuration -> WiFi -> Access Point 1 or Access Point 2 configuration pages. In this mode the router becomes an access point to which other devices in station (STA) mode can connect. You may set the following properties listed in the table below.

Item Enable WiFi AP IP Address
Subnet Mask / Prefix Bridged

Description
Enable WiFi access point (AP).
A fixed IP address of the WiFi interface. Use IPv4 notation in IPv4 column and IPv6 notation in IPv6 column. Shortened IPv6 notation is supported.
Specifies a Subnet Mask for the IPv4 address. In the IPv6 column, fill in the Prefix for the IPv6 address ­ number in range 0 to 128.
Activates bridge mode:

· no ­ Bridged mode is not allowed (default value). WLAN network is not connected with LAN network of the router.
· yes ­ Bridged mode is allowed. WLAN network is connected with one or more LAN networks of the router. In this case, the setting of most items in this table are ignored. Instead, the router uses the settings of the selected network interface (LAN).

Enable dynamic DHCP leases

Enable dynamic allocation of IP addresses using the DHCP (DHCPv6) server.
Continued on next page

53

ICR-3200

Continued from previous page

Item IP Pool Start
IP Pool End
Lease Time Enable IPv6 prefix delegation Subnet ID
Subnet ID Width
SSID Broadcast SSID

Description Beginning of the range of IP addresses which will be assigned to DHCP clients. Use proper notation in IPv4 and IPv6 column. End of the range of IP addresses which will be assigned to DHCP clients. Use proper notation in IPv4 and IPv6 column. Time in seconds for which the client may use the IP address. Enables prefix delegation configuration filled-in below.
The decimal value of the Subnet ID of the Ethernet inter face. Maximum value depends on the Subnet ID Width. The maximum Subnet ID Width depends on your Site. Prefix ­ it is the remainder to 64 bits. The unique identifier of WiFi network. Method of broadcasting the unique identifier of SSID network in beacon frame and type of response to a request for sending the beacon frame.

· Enabled ­ SSID is broadcasted in beacon frame
· Zero length ­ Beacon frame does not include SSID. Requests for sending beacon frame are ignored.
· Clear ­ All SSID characters in beacon frames are replaced by 0. Original length is kept. Requests for sending beacon frames are ignored.

SSID Isolation Client Isolation WMM

When enabled, by choosing a zone, a WiFi client connected to this Access Point is not able to communicate with another WiFi client connected to another Access Point, having another zone selected. This client still can communicate with a client connected to the same Access Point, unless the Client Isolation is not enabled.
If checked, the access point will isolate every connected client so they do not see each other (they are in different networks, they cannot PING between each other). If unchecked, the access point behavior is like a switch, but wireless ­ the clients are in the same LAN and can see each other.
Basic QoS for WiFi networks is enabled by checking this item. This version doesn’t guarantee network throughput. It is suitable for simple applications that require QoS.
Continued on next page

54

ICR-3200

Item Country Code
HW Mode
Channel Bandwidth Short GI

Continued from previous page
Description This option is not available for NAM routers ­ the “US” country code is set by default on these versions of router. Code of the country where the router is installed. This code must be entered in ISO 3166-1 alpha-2 format. If a country code isn’t specified and the router has not implemented a system to determine this code, it will use “US” as the default country code. If no country code is specified or if the wrong country code is entered, the router may violate country-specific regulations for the use of WiFi frequency bands. HW mode of WiFi standard that will be supported by WiFi access point.
· IEEE 802.11b (2.4 GHz) · IEEE 802.11b+g (2.4 GHz) · IEEE 802.11b+g+n (2.4 GHz) · IEEE 802.11a (5 GHz) · IEEE 802.11a+n (5 GHz) · IEEE 802.11ac (5 GHz)
The channel, where the WiFi AP is transmitting. Supported 2.4 GHz channels: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13. On NAM routers only channels 1 to 11 are supported! Supported 5 GHz channels: 36, 38, 40, 42, 44, 46, 48, 149, 153, 157, 161, 165. The option for HW mode 802.11n which allows to choose the bandwidth. If the 40 MHz channel is occupied, for 802.11bgn mode, the 20 MHz channel is used instead. The option for HW mode 802.11n which allows to enable the short guard interval (GI) of 400 ns instead of 800 ns.
Continued on next page

55

ICR-3200

Item Authentication
Encryption

Continued from previous page
Description Access control and authorization of users in the WiFi network.
· Open ­ Authentication is not required (free access point). · Shared ­ Basic authentication using WEP key. · WPA-PSK ­ Authentication using higher authentication meth-
ods PSK-PSK. · WPA2-PSK ­ WPA2-PSK using newer AES encryption. · WPA3-PSK ­ WPA3-PSK using newer AES encryption. · WPA-Enterprise ­ RADIUS authentication done by external
server via username and password. · WPA2-Enterprise ­ RADIUS authentication with better en-
cryption. · WPA3-Enterprise ­ RADIUS authentication with better en-
cryption. · 802.1X ­ RADIUS authentication with port-based Network Ac-
cess Control (PNAC) using encapsulation of the Extensible Authentication Protocol (EAP) over LAN ­ EAPOL.
Type of data encryption in the WiFi network:
· None ­ No data encryption. · WEP ­ Encryption using static WEP keys. This encryption can
be used for Shared authentication. · TKIP ­ Dynamic encryption key management that can be
used for WPA-PSK and WPA2-PSK authentication. · AES ­ Improved encryption used for WPA2-PSK authentica-
tion.

WEP Key Type WEP Default Key

Type of WEP key for WEP encryption:

· ASCII ­ WEP key in ASCII format. · HEX ­ WEP key in hexadecimal format.

This specifies the default WEP key.

Continued on next page

56

ICR-3200

Item WEP Key 1­4
WPA PSK Type WPA PSK

Continued from previous page
Description Allows entry of four different WEP keys:
· WEP key in ASCII format must be entered in quotes. This key can be specified in the following lengths.
­ 5 ASCII characters (40b WEP key) ­ 13 ASCII characters (104b WEP key) ­ 16 ASCII characters (128b WEP key)
· WEP key in hexadecimal format must be entered in hexadecimal digits. This key can be specified in the following lengths.
­ 10 hexadecimal digits (40b WEP key) ­ 26 hexadecimal digits (104b WEP key) ­ 32 hexadecimal digits (128b WEP key)
The possible key options for WPA-PSK authentication.
· 256-bit secret · ASCII passphrase · PSK File
Key for WPA-PSK authentication. This key must be entered according to the selected WPA PSK type as follows:
· 256-bit secret ­ 64 hexadecimal digits · ASCII passphrase ­ 8 to 63 characters · PSK File ­ absolute path to the file containing the list of pairs
(PSK key, MAC address)

RADIUS Auth Server IP RADIUS Auth Password RADIUS Auth Port
RADIUS Acct Server IP

IPv4 or IPv6 address of the RADIUS server. Only with one of RADIUS authentications selected.
RADIUS server access password. Only with one of RADIUS authentications selected.
RADIUS server port. The default is 1812. Only with one of RADIUS authentications selected.
IPv4 or IPv6 address of the RADIUS accounting server. Define only if different from the authentication and authorization server. Only with one of RADIUS authentications selected.
Continued on next page

57

ICR-3200

Item RADIUS Acct Password RADIUS Acct Port Access List
Accept/Deny List Syslog Level
Extra options

Continued from previous page
Description Access password of RADIUS accounting server. Define only if different from the authentication and authorization server. Only with one of RADIUS authentications selected. RADIUS accounting server port. The default is 1813. Define only if different from the authentication and authorization server. Only with one of RADIUS authentications selected. Mode of Access/Deny list.
· Disabled ­ Access/Deny list is not used. · Accept ­ Clients in Accept/Deny list can access the network. · Deny ­ Clients in Access/Deny list cannot access the network.
Accept or Denny list of client MAC addresses that set network access. Each MAC address is separated by new line. Logging level, when system writes to the system log.
· Verbose debugging ­ The highest level of logging. · Debugging · Informational ­ Default level of logging. · Notification · Warning ­ The lowest level of system communication.
Allows the user to define additional parameters. Table 27: WiFi Configuration

58

ICR-3200
Figure 29: WiFi Access Point Configuration 59

ICR-3200

4.6 WiFi Station Configuration

This item is available only if the router is equipped with a WiFi module.

ICR-3241(W)-1ND models may have some default configurations different or restricted.

The WiFi module supports multi-role mode which allows to operate as access point (AP) and station (STA) simultaneously. The multichannel mode is not supported, so the AP and the STA must operate on the same channel only.

Activate WiFi station mode by checking Enable WiFi STA box at the top of the Configuration -> WiFi -> Station configuration page. In this mode the router becomes a client station. It will receive data packets from the available access point (AP) and send data from cable connection via the WiFi network. You may set the following properties listed in the table below.

In WiFi STA mode, only the authentication method EAP-PEAP/MSCHAPv2 (both PEAPv0 and PEAPv1) and EAP-TLS are supported.

Item Enable WiFi STA DHCP Client IP Address
Subnet Mask / Prefix Default Gateway
DNS Server
SSID Probe Hidden SSID

Description Enable WiFi station (STA). Activates/deactivates DHCP client. If in IPv6 column, the DHCPv6 client is enabled. A fixed IP address of the WiFi interface. Use IPv4 notation in IPv4 column and IPv6 notation in IPv6 column. Shortened IPv6 notation is supported. Specifies a Subnet Mask for the IPv4 address. In the IPv6 column, fill in the Prefix for the IPv6 address ­ number in range 0 to 128. Specifies the IP address of a default gateway. If filled- in, every packet with the destination not found in the routing table is sent there. Use proper IP address notation in IPv4 and IPv6 column. Specifies the IP address of the DNS server. When the IP address is not found in the Routing Table, the this DNS server is requested. Use proper IP address notation in IPv4 and IPv6 column. The unique identifier of WiFi network. Probes hidden SSID
Continued on next page

60

ICR-3200

Item Country Code
Authentication

Continued from previous page
Description This option is not available for NAM routers ­ the “US” country code is set by default on these versions of router. Code of the country where the router is installed. This code must be entered in ISO 3166-1 alpha-2 format. If a country code isn’t specified and the router has not implemented a system to determine this code, it will use “US” as the default country code. If no country code is specified or if the wrong country code is entered, the router may violate country-specific regulations for the use of WiFi frequency bands. Access control and authorization of users in the WiFi network.
· Open ­ Authentication is not required (free access point).
· Shared ­ Basic authentication using WEP key.
· WPA-PSK ­ Authentication using higher authentication methods PSK-PSK.
· WPA2-PSK ­ WPA2-PSK using newer AES encryption.
· WPA3-PSK ­ WPA3-PSK using newer AES encryption.
· WPA-Enterprise ­ RADIUS authentication done by external server via username and password.
· WPA2-Enterprise ­ RADIUS authentication with better encryption.
· WPA3-Enterprise ­ RADIUS authentication with better encryption.
· 802.1X ­ RADIUS authentication with port-based Network Access Control (PNAC) using encapsulation of the Extensible Authentication Protocol (EAP) over LAN ­ EAPOL.
Continued on next page

61

ICR-3200

Item Encryption
WEP Key Type WEP Default Key WEP Key 1­4
WPA PSK Type

Continued from previous page
Description Type of data encryption in the WiFi network:
· None ­ No data encryption. · WEP ­ Encryption using static WEP keys. This encryption
can be used for Shared authentication. · TKIP ­ Dynamic encryption key management that can be
used for WPA-PSK and WPA2-PSK authentication. · AES ­ Improved encryption used for WPA2-PSK authenti-
cation.
Type of WEP key for WEP encryption:
· ASCII ­ WEP key in ASCII format. · HEX ­ WEP key in hexadecimal format.
This specifies the default WEP key. Allows entry of four different WEP keys:
· WEP key in ASCII format must be entered in quotes. This key can be specified in the following lengths.
­ 5 ASCII characters (40b WEP key) ­ 13 ASCII characters (104b WEP key) ­ 16 ASCII characters (128b WEP key)
· WEP key in hexadecimal format must be entered in hexadecimal digits. This key can be specified in the following lengths.
­ 10 hexadecimal digits (40b WEP key) ­ 26 hexadecimal digits (104b WEP key) ­ 32 hexadecimal digits (128b WEP key)
The possible key options for WPA-PSK authentication.
· 256-bit secret · ASCII passphrase · PSK File
Continued on next page

62

ICR-3200

Item WPA PSK

Continued from previous page
Description Key for WPA-PSK authentication. This key must be entered according to the selected WPA PSK type as follows:
· 256-bit secret ­ 64 hexadecimal digits · ASCII passphrase ­ 8 to 63 characters · PSK File ­ absolute path to the file containing the list of pairs
(PSK key, MAC address)

RADIUS EAP Authentication RADIUS CA Certificate RADIUS Local Certificate RADIUS Local Private Key RADIUS Identity
RADIUS Password
Syslog Level

Type of authentication protocol (EAP-PEAP/MSCHAPv2 or EAPTLS). Definition of CA certificate for EAP-TLS authentication protocol.
Definition of local certificate for EAP-TLS authentication protocol.
Definition of local private key for EAP-TLS authentication protocol.
RADIUS user name ­ identity. Only with one of RADIUS authentications selected. RADIUS access password. Only with one of RADIUS authentications selected. Logging level, when system writes to the system log.
· Verbose debugging ­ The highest level of logging. · Debugging · Informational ­ Default level of logging. · Notification · Warning ­ The lowest level of system communication.

Extra options

Allows the user to define additional parameters.

Table 28: WLAN Configuration All changes in settings will apply after pressing the Apply button.

63

ICR-3200
Figure 30: WiFi Station Configuration 64

ICR-3200
4.7 Backup Routes
Note that some interfaces, typically WiFi, ETH2, or ETH1, may not be available for some router product lines or for the model you are currently using.
Typically, you want the router to direct traffic from the whole LAN (Local Area Network) behind the router to an external WAN (Wide Area Network) outside, such as the Internet.
Backup Routes is a mechanism that enables customizing which router’s interfaces will be used for communication to the WAN outside the router. The Backup Routes configuration page is shown in Figure 31.
You may not care about this configuration and leave this process on the default router mechanism. In this case, leave the Backup Routes configuration page as it is, unconfigured, and the router will proceed as described in Chapter 4.7.1.
If you want to set up this feature your way, see Chapter 4.7.2 for more information.
4.7.1 Default Priorities for Backup Routes
By default, when the first checkbox, Enable backup routes switching, is unchecked, the backup routes system is not user customized and operates with the default mechanism. Instead, the router selects a route to the WAN based on the default priorities.
The following is the list of the network interfaces in descending order from the highest priority to the lowest priority interface for use as a WAN interface.
1. Mobile WAN (pppX, usbX) 2. PPPoE (ppp0) 3. WiFi STA (wlan0) 4. ETH1 (eth1) 5. ETH2 (eth2) 6. ETH0 (eth0)
For example, based on the list above, we can say that the ETH1 interface will only be used as the WAN interface if Mobile WAN, PPPoE, and WiFI STA interfaces are down or disabled.
It is clear from the above that an interface connected to a LAN network can take over the role of a WAN interface under certain circumstances. Possible communication from the LAN to the WAN can be blocked or forwarded rules configured on the NAT and Firewall configuration pages.
Note that an ETH interface won’t be used as WAN for the default backup route priorities if it has no IP address configured or the DHCP client is disabled for this ETH interface. Also, unplugging the Ethernet cable does not switch the route to the next one (true just for the Default Priorities mode).
65

ICR-3200

4.7.2 User Customized Backup Routes
You can choose preferred router interfaces acting as the WAN, including their priorities, on the Backup Routes configuration page; see Figure 31. Switching between the WAN is then carried out according to the order of priority and the state of all the affected interfaces.
There are three different modes you can choose for the connection backup as described in Table 29.

Item Enable backup routes switching
Mode

Description
Enables the customized backup routes setting made on the whole configuration page. If disabled (unchecked), the backup routes system operates in the default mechanism, as described in Chapter 4.7.1.
Single WAN
· Just one interface is used for the WAN communication at a time.
· Other interfaces (if enabled) are used as the backup routes for the WAN communication when the active interface fails (based on the priorities set).
· Just one interface, currently active, is allowed to access the router from a network outside the router.
Multiple WANs
· Just one interface is used for the WAN communication at a time.
· Other interfaces (if enabled) are used as the backup routes for the WAN communication when the active interface fails (based on the priorities set).
· The router is accessible from networks outside on all enabled interfaces. This is the only difference from the Single WAN mode.
Load Balancing
· In this mode, it is possible to split the volume of data passing through individual WAN interfaces.
· If the mode was chosen, the weight for every interface is enabled in the GUI and can be set.
· This setting determines the relative number of data streams passing through the interfaces.

Table 29: Backup Routes Modes

You have now selected a backup route mode. To add a network interface to the backup routes system, mark the enable checkbox of that interface. Enabled interfaces are used for WAN access based on their priorities.

66

ICR-3200

Note for Load Balancing mode: The weight setting for load balancing may not precisely match the amount of balanced data. It depends on the number of data flows and the data structure. The best result of the balancing is achieved for a high amount of data flows.

Note for Mobile WAN: If you want to use a mobile WAN connection as a backup route, choose the enable + bind option in the Check Connection item on the Mobile WAN page and fill in the ping address; see chapter 4.3.1.

Note for an ETH interface: Unlike the default backup route mode, disconnecting the Ethernet cable from an ETH interface switches the route to the next in the sequence.

Settings, which can be made for each interface, are described in the table below. Any changes made to settings will be applied after pressing the Apply button.

Item Priority Ping IP Address
Ping IPv6 Address
Ping Interval Ping Timeout Weight

Description
Priority for the type of connection (network interface).
Destination IPv4 address or domain name of ping queries to check the connection.
Destination IPv6 address or domain name of ping queries to check the connection.
The time interval between consecutive ping queries.
Time in seconds to wait for a response to the ping.
Weight for the Load Balancing mode only. The number from 1 to 256 determines the ratio for load balancing of the interface. For example, if two interfaces set the weight to 1, the ratio is 50% to 50%. If they set the weight up to 1 and 4, the ratio is 20% to 80%.
Table 30: Backup Routes Configuration

Other notes:
· The system checks the status state of an interface. For example, unlike the Default Priorities mode, unplugging the Ethernet cable triggers a switchover to the next WAN interface in the sequence.
· To monitor the interface availability, you can use one or both Ping IP Addresses (IPv4 and IPv6) based on the IP protocol used on a particular network interface and WAN connection settings.

67

ICR-3200
Figure 31: Backup Routes Configuration GUI 68

ICR-3200
4.7.3 Backup Routes Examples
Example 1: Default Settings As already described above, by default, if the Backup Routes are unconfigured, the system
operates with the default priorities as described in Chapter 4.7.1. Figure 32 shows the GUI configuration. Note: Assume all the affected interfaces are correctly configured and activated on their configuration pages.
Figure 32: Example 1: GUI Configuration Figure 33 illustrates the example topology.
Figure 33: Example 1: Topology
69

ICR-3200
Example 2: Default Routes Switching This example illustrates when the interface, primarily used for the WAN connection, is
down. Its role is taken over by the interface with the second highest priority. Since the Backup Routes configuration is still unconfigured, the system operates with the default system priorities described in Chapter 4.7.1. Figure 34 shows the GUI configuration. Note: Assume all the affected interfaces are correctly configured and activated on their configuration pages.
Figure 34: Example 2: GUI Configuration Figure 35 illustrates the example topology.
Figure 35: Example 2: Topology
70

ICR-3200
Example 3: Custom Backup Routes This example illustrates the configuration of custom backup routes for the Mobile WAN,
PPPoE, and ETH1 interfaces. The Mobile WAN interface has the highest priority, and the ETH1 interface has the lowest priority. Figure 36 shows the GUI configuration. Note: Assume all the affected interfaces are correctly configured and activated on their configuration pages.
Figure 36: Example 3: GUI Configuration 71

ICR-3200
Figure 37 illustrates the example topology for Single WAN mode. If the Mobile WAN connection goes down, the PPPoE tunnel takes its role, and so on. The ping to the 172.16.1.1 address, tested every 30 seconds with a timeout of 10 seconds, checks the status of the PPPoE tunnel.
Figure 38 illustrates the example topology for Multiple WAN mode. As you can see, the only difference between these two modes is that in the Multiple WAN mode, the router is accessible on all interfaces from the WAN simultaneously.
Figure 37: Example 3: Topology for Single WAN mode
Figure 38: Example 3: Topology for Multiple WAN mode 72

ICR-3200
Example 4: Load Ballancing Mode This example illustrates the Load Balancing mode configuration. There are just two inter-
faces configured, the Mobile WAN and PPPoE. The weight is set to 4 and 1, so the traffic data volume is approximately 80 and 20 percent. Figure 39 shows the GUI configuration.
Figure 39: Example 4: GUI Configuration Figure 40 illustrates the example topology.
Figure 40: Example 4: Topology 73

ICR-3200
Example 5: No WAN Routes This example illustrates when the Router Backup is enabled, but any particular interface is
chosen for the WAN route. In this case, the router has no dedicated WAN interface and routes the traffic within the LANs. Figure 41 shows the GUI configuration. Note: The Mobile WAN interface is not accessible, even if configured and connected to a cellular network.
Figure 41: Example 5: GUI Configuration Figure 42 illustrates the example topology.
Figure 42: Example 5: Topology 74

ICR-3200
4.8 Static Routes
Static routes can be specified on the Static Routes configuration page. A static route provide fixed routing path through the network. It is manually configured on the router and must be updated if the network topology was changed recently. Static routes are private routers unless they are redistributed by a routing protocol. There are two forms, one for IPv4 and the second for IPv6 configuration. Static routes configuration form for IPv4 is shown on Figure 43.

Figure 43: Static Routes Configuration

The description of all items is listed in Table 31.

Item

Description

Enable IPv4 static routes

If checked, static routing functionality is enabled. Active are only routes enabled by the checkbox in the first column of the table.

Destination Network The destination IP address of the remote network or host to which you want to assign a static route.

Mask or Prefix Length

The subnet mask of the remote network or host IP address.

Gateway

IP address of the gateway device that allows for contact between the router and the remote network or host.

Metric

Metric definition, means number rating of the priority for the route in the routing table. Routes with lower metrics have higher priority.

Interface

Select an interface the remote network or host is on.

Table 31: Static Routes Configuration for IPv4

75

ICR-3200
4.9 Firewall Configuration
ICR-3241(W)-1ND models may have some default configurations different or restricted. The first security element for incoming packets is a check of the enabled source IP ad-
dresses and destination ports. There is an independent IPv4 and IPv6 firewall since there is dual stack IPv4 and IPv6 implemented in the router. If you click the Firewall item in the Configuration menu on the left, it will expand to IPv4 and IPv6 optionsm and you can click IPv6 to enable and configure the IPv6 firewall ­ see Figure below. The configuration fields have the same meaning in the IPv4 Firewall Configuration and IPv6 Firewall Configuration forms.
Figure 44: Firewall Configuration ­ IPv6 Firewall The first section of the configuration form specifies the incoming firewall policy. If the Enable filtering of incoming packets check box is unchecked, all incoming packets are accepted.
76

ICR-3200

If checked, and a packet comes from the WAN interface, then the router forwards this packet to the INPUT iptable chain. When the INPUT chain accepts the packet, and there is a rule matching this packet with the Action set to allow, the router accepts the packet. The packet is dropped if an INPUT rule is unavailable or the Action is set to deny. You can specify the rules for IP addresses, protocols, and ports to allow or deny access to the router and internal network behind the router. It is possible to specify up to sixteen rules when each rule can be enabled/disabled by ticking the checkbox on the left of the rule row. Please note that the incoming rules are applied to the WAN interface only. See Chapter 4.7.1 to see the priority rules for the WAN interfaces. See Table 32 for the incoming definition table description.

Item Source
Protocol

Description IP address the rule applies to. Use IPv4 address in IPv4 Firewall Configuration and IPv6 address in IPv6 Firewall Configuration. Specifies the protocol the rule applies to:
· all ­ The rule applies to all protocols.
· TCP ­ The rule applies to TCP protocol.

· UDP ­ The rule applies to UDP protocol.

· GRE ­ The rule applies to GRE protocol.

· ESP ­ The rule applies to ESP protocol.

· ICMP/ICMPv6 ­ The rule applies to ICMP protocol. In IPv6 Firewall Configuration there is the ICMPv6 option.

Target Port(s) Action

The port numbers range allowing access to the router. Enter the initial and final port numbers separated by the hyphen mark. One static port is allowed as well. Specifies the rule ­ the type of action the router performs:
· allow ­ The router allows the packets to enter the network.
· deny ­ The router denies the packets from entering the network.

Description

Description of the rule. Table 32: Filtering of Incoming Packets

The next section of the configuration form specifies the forwarding firewall policy. If the Enabled filtering of forwarded packets check box is unchecked, all incoming packets are accepted. If checked, and a packet is addressed to another network interface, then the router forwards this packet to the FORWARD iptable chain. When the FORWARD chain accepts the packet, and there is a rule for forwarding it, the router forwards the packet. If a forwarding rule is unavailable, then the packet is dropped. It is possible to specify up to sixteen rules when each rule can be enabled/disabled by ticking the checkbox on the left of the rule row. The for-

77

ICR-3200

warding setting is applied to all interfaces, regardless of whether it is the WAN interface. The configuration form also contains a table for specifying the filter rules. It is possible to create a rule to allow data with the selected protocol specifying only the protocol or to create stricter rules by specifying values for source IP addresses, destination IP addresses, and ports. See Table 33 for the forwarding definition table description.

Item Source Destination Protocol
Target Port(s) Action
Description

Description IP address the rule applies to. Use IPv4 address in IPv4 Firewall Configuration and IPv6 address in IPv6 Firewall Configuration. Destination IP address the rule applies to. Use IPv4 address in IPv4 Firewall Configuration and IPv6 address in IPv6 Firewall Configuration. Specifies the protocol the rule applies to:
· all ­ The rule applies to all protocols.
· TCP ­ The rule applies to TCP protocol.
· UDP ­ The rule applies to UDP protocol.
· GRE ­ The rule applies to GRE protocol.
· ESP ­ The rule applies to ESP protocol.
· ICMP/ICMPv6 ­ The rule applies to ICMP protocol. In IPv6 Firewall Configuration there is the ICMPv6 option.
The target port numbers. Enter the initial and final port numbers separated by the hyphen mark. One static port is allowed as well. Specifies the rule ­ the type of action the router performs:
· allow ­ The router allows the packets to enter the network.
· deny ­ The router denies the packets from entering the network.
Description of the rule. Table 33: Forwarding filtering

When you enable the Enable filtering of locally destined packets function, the router drops the packets requesting an unsupported service. The packet is dropped automatically without any information.
As a protection against DoS attacks, the Enable protection against DoS attacks limits the number of allowed connections per second to five. The DoS attack floods the target system with meaningless requirements.

78

ICR-3200
4.9.1 Example of the IPv4 Firewall Configuration
The router allows the following access: · From IP address 171.92.5.45 using any protocol. · From IP address 10.0.2.123 using the TCP protocol on port 1000. · From IP address 142.2.26.54 using the ICMP protocol. · from IP address 142.2.26.54 using the TCMP protocol on target ports from 1020 to 1040
See the network topology and configuration form in the figures below.
Figure 45: Topology for the IPv4 Firewall Configuration Example
79

ICR-3200
Figure 46: IPv4 Firewall Configuration Example 80

ICR-3200

4.10 NAT Configuration

To configure the address translation function, click on NAT in the Configuration section of the main menu. There is independent IPv4 and IPv6 NAT configuration since there is dual stack IPv4 and IPv6 implemented in the router. The NAT item in the menu on the left will expand to IPv4 and IPv6 options and you can click IPv6 to enable and configure the IPv6 NAT ­ see Figure below. The configuration fields have the same meaning in the IPv4 NAT Configuration and IPv6 NAT Configuration forms.
The router actually uses Port Address Translation (PAT), which is a method of mapping a TCP/UDP port to another TCP/UDP port. The router modifies the information in the packet header as the packets traverse a router. This configuration form allows you to specify up to 16 PAT rules.

Item Public Port(s)
Private Port(s)
Type Server IPv4 address Server IPv6 address Description

Description
The public port numbers range for NAT. Enter the initial and final port numbers separated by the hyphen mark. One static port is allowed as well.
The private port numbers range for NAT. Enter the initial and final port numbers separated by the hyphen mark. One static port is allowed as well.
Protocol type ­ TCP or UDP.
In IPv4 NAT Configuration only. IPv4 address where the router forwards incoming data.
In IPv6 NAT Configuration only. IPv6 address where the router forwards incoming data.
Description of the rule.
Table 34: NAT Configuration

If you require more than sixteen NAT rules, insert the remaining rules into the Startup Script. The Startup Script dialog is located on Scripts page in the Configuration section of the menu. When creating your rules in the Startup Script, use this command for IPv4 NAT:

ts t t rt t rt PP tstt PPP

Enter the IP address [IPADDR], the public ports numbers [PORT_PUBLIC], and private [PORT_PRIVATE] in place of square brackets. For IPv6 NAT use ts command with same options.:

ts t t t t rt PP tstt PPP

If you enable the following options and enter the port number, the router allows you to remotely access to the router from WAN (Mobile WAN) interface.
81

ICR-3200
Figure 47: NAT ­ IPv6 NAT Configuration 82

ICR-3200

Item

Description

Enable remote HTTP access on port

This option sets the redirect from HTTP to HTTPS only (disabled in default configuration).

Enable remote HTTPS access on port
Enable remote FTP access on port Enable remote SSH access on port

If field and port number are filled in, configuration of the router over web interface is allowed (disabled in default configuration).
Select this option to allow access to the router using FTP (disabled in default configuration).
Select this option to allow access to the router using SSH (disabled in default configuration).

Enable remote Telnet access on port

Select this option to allow access to the router using Telnet (disabled in default configuration).

Enable remote SNMP access on port

Select this option to allow access to the router using SNMP (disabled in default configuration).

Masquerade outgoing packets

Activates/deactivates the network address translation function.

Table 35: Remote Access Configuration

Enable remote HTTP access on port activates the redirect from HTTP to HTTPS protocol only. The router doesn’t allow unsecured HTTP protocol to access the web configuration. To access the web configuration, always check the Enable remote HTTPS access on port item. Never enable the HTTP item only to access the web configuration from the Internet (configuration would not be accessible from the Internet). Always check the HTTPS item or HTTPS and HTTP items together (to set the redirect from HTTP).

Use the following parameters to set the routing of incoming data from the WAN (Mobile WAN) to a connected computer.

Item

Description

Send all remaining incoming packets to default server

Activates/deactivates forwarding unmatched incoming packets to the default server. The prerequisite for the function is that you specify a default server in the Default Server IPv4/IPv6 Address field. The router can forward incoming data from a mobile WAN to a computer with the assigned IP address.

Default Server IP Address

In IPv4 NAT Configuration only. The IPv4 address.

Default Server IPv6 Address In IPv6 NAT Configuration only. The IPv6 address.

Table 36: Configuration of Send all incoming packets to server

83

ICR-3200
4.10.1 Examples of NAT Configuration
Example 1: IPv4 NAT Configuration with Single Device Connected It is important to mark the Send all remaining incoming packets to default server check
box for this configuration. The IP address in this example is the address of the device behind the router. The default gateway of the devices in the subnetwork connected to router is the same IP address as displayed in the Default Server IPv4 Address field. The connected device replies if a PING is sent to the IP address of the SIM card.
Figure 48: Topology for NAT Configuration Example 1
84

ICR-3200
Figure 49: NAT Configuration for Example 1 85

ICR-3200
Example 2: IPv4 NAT Configuration with More Equipment Connected In this example, using the switch you can connect more devices behind the router. Every
device connected behind the router has its own IP address. Enter the address in the Server IPv Address field in the NAT dialog. The devices are communicating on port 80, but you can set port forwarding using the Public Port and Private Port fields in the NAT dialog. You have now configured the router to access the 192.168.1.2:80 socket behind the router when accessing the IP address 10.0.0.1:81 from the Internet. If you send a ping request to the public IP address of the router (10.0.0.1), the router responds as usual (not forwarding). And since the Send all remaining incoming packets to default server is inactive, the router denies connection attempts.
Figure 50: Topology for NAT Configuration Example 2
86

ICR-3200
Figure 51: NAT Configuration for Example 2 87

ICR-3200

4.11 OpenVPN Tunnel Configuration
Select the OpenVPN item to configure an OpenVPN tunnel. The menu item will expand and you will see four separate configuration pages: 1st Tunnel, 2nd Tunnel, 3rd Tunnel and 4th Tunnel. The OpenVPN tunnel function allows you to create a secure connection between two separate LAN networks. The router allows you to create up to four OpenVPN tunnels. IPv4 and IPv6 dual stack is supported.

Item Description Interface Type

Description
Specifies the description or name of tunnel.
TAP is basically at the Ethernet level (layer 2) and acts as a switch, whereas TUN works at the network level (layer 3) and routes packets on the VPN. TAP is bridging, whereas TUN is routing.

· TUN ­ Choose the TUN mode.
· TAP ­ Choose the TAP mode, but remember first to configure the bridge on the ethernet interface.

Protocol

Specifies the communication protocol.

· UDP ­ The OpenVPN communicates using UDP. · TCP server ­ The OpenVPN communicates using TCP in
server mode. · TCP client ­ The OpenVPN communicates using TCP in
client mode. · UDPv6 ­ The OpenVPN communicates using UDP over
IPv6. · TCPv6 server ­ The OpenVPN communicates using TCP
over IPv6 in server mode. · TCPv6 client ­ The OpenVPN communicates using TCP
over IPv6 in client mode.

UDP/TCP port 1st Remote IP Address 2nd Remote IP Address Remote Subnet Remote Subnet Mask

Specifies the port of the relevant protocol (UDP or TCP). Specifies the first IPv4, IPv6 address or domain name of the opposite side of the tunnel. Specifies the second IPv4, IPv6 address or domain name of the opposite side of the tunnel. IPv4 address of a network behind opposite side of the tunnel. IPv4 subnet mask of a network behind opposite tunnel’s side.
Continued on next page

88

ICR-3200

Item Redirect Gateway
Local Interface IP Address Remote Interface IP Address
Remote IPv6 Subnet Remote IPv6 Prefix Local Interface IPv6 Address Remote Interface IPv6 Address Ping Interval Ping Timeout
Renegotiate Interval
Max Fragment Size Compression

Continued from previous page
Description Adds (rewrites) the default gateway. All the packets are then sent to this gateway via tunnel, if there is no other specified default gateway inside them. Specifies the IPv4 address of a local interface. For proper routing it is recommended to fill-in any IPv4 address from local range even if you are using IPv6 tunnel only. Specifies the IPv4 address of the interface of opposite side of the tunnel. For proper routing it is recommended to fill-in any IPv

References

• Web Page Under Construction
• ISO - International Organization for Standardization
• Apps For College Students: A Complete Guide to Programs You Need To Install
• My Dyn Account
• Free Dynamic DNS - Managed DNS - Managed Email - Domain Registration - No-IP
• RFC 6238 - TOTP: Time-Based One-Time Password Algorithm
• GitHub - Authenticator-Extension/Authenticator: Authenticator generates 2-Step Verification codes in your browser.
• Routers & Firmware - Cellular Routers Engineering Portal
• Application Notes - Cellular Routers Engineering Portal
• Application Notes - Cellular Routers Engineering Portal
• Application Notes - Cellular Routers Engineering Portal
• Application Notes - Cellular Routers Engineering Portal
• Application Notes - Cellular Routers Engineering Portal
• Application Notes - Cellular Routers Engineering Portal
• Application Notes - Cellular Routers Engineering Portal
• Application Notes - Cellular Routers Engineering Portal
• Application Notes - Cellular Routers Engineering Portal
• Application Notes - Cellular Routers Engineering Portal
• Application Notes - Cellular Routers Engineering Portal
• Application Notes - Cellular Routers Engineering Portal
• Router Apps - Cellular Routers Engineering Portal
• Router Apps - Cellular Routers Engineering Portal
• Router Apps - Cellular Routers Engineering Portal
• Source code - Cellular Routers Engineering Portal
• Router Models - Cellular Routers Engineering Portal
• Reference Manual For OpenVPN 2.4 | OpenVPN
• Logging :: strongSwan Documentation
• Route-based VPN :: strongSwan Documentation
• Security Recommendations :: strongSwan Documentation
• strongswan.conf :: strongSwan Documentation
• OATH Toolkit

Read User Manual Online (PDF format)

Download This Manual (PDF format)

Download this manual  >>