ADVANTECH ICR-3200 Industrial Cellular Router Instruction Manual
- June 10, 2024
- Advantech
ICR-3200 Industrial Cellular Router
Product Information
The ICR-3200 is a router designed for communication across
cellular networks using either LTE technology Category 4 or LTE
Category M1. It has a current firmware version of 6.3.10 (May 5,
2023) and is manufactured by Advantech Czech s.r.o. The router is
ideal for industrial wireless connection of traffic and security
camera systems, individual computers, LANs, automatic teller
machines (ATM), other self-service terminals, and many other
devices.
Standard Equipment
The ICR-3200 router comes with standard equipment necessary for
its operation.
Optional Features
The ICR-3200 router can be ordered as an extended version with
the WiFi and the GPS module. This version is equipped with two WiFi
antenna connectors on the right side and one GNSS antenna connector
between them. Note that routers cannot be retrofitted with an
interface in the future. See the router’s technical manual for
details on versions and possible combinations of interfaces.
Product Usage Instructions
Web Configuration GUI
The ICR-3200 router can be configured using the web
configuration GUI. To access the GUI, enter the IP address of the
router into a web browser. Once logged in, navigate to the desired
configuration section.
Factory Reset
To perform a factory reset on the ICR-3200 router, navigate to
the “Factory Reset” section in the web configuration GUI and click
“Reset”. This will reset all configurations to their defaults.
HTTPS Certificate for the GUI
The ICR-3200 router supports HTTPS for secure communication with
the web configuration GUI. To configure HTTPS, navigate to the
“HTTPS Certificate for the GUI” section in the web configuration
GUI and follow the instructions provided.
Ethernet Configuration
The ICR-3200 router supports Ethernet configuration. To
configure Ethernet, navigate to the “Ethernet Configuration”
section in the web configuration GUI and follow the instructions
provided. This includes configuring the DHCP server, IPv6 prefix
delegation, and 802.1X authentication to RADIUS server.
VRRP Configuration
The ICR-3200 router supports VRRP configuration. To configure
VRRP, navigate to the “VRRP Configuration” section in the web
configuration GUI and follow the instructions provided.
Mobile WAN Configuration
The ICR-3200 router supports mobile WAN configuration. To
configure mobile WAN, navigate to the “Mobile WAN Configuration”
section in the web configuration GUI and follow the instructions
provided.
Administration
The ICR-3200 router can be administered through the web
configuration GUI. To access the administration section, navigate
to the “Administration” tab in the GUI and follow the instructions
provided.
Typical Situations
The ICR-3200 router can be used in various typical situations
such as accessing the internet from LAN, backup access to the
internet from LAN, secure networks interconnection or using VPN,
and serial gateway. Navigate to the “Typical Situations” section in
the web configuration GUI for more information on each situation
and how to configure it.
Customization
The ICR-3200 router can be customized using router apps such as
FirstNet Router App. Navigate to the “Router Apps” section in the
web configuration GUI to install and configure router apps.
Industrial Cellular Router
ICR-3200
CONFIGURATION MANUAL
Used Symbols
- Danger: Information regarding user safety or potential damage to the router.
- Attention: Problems that can arise in specific situations.
- Information, notice: Useful tips or information of special interest.
- Example: Example of function, command or script.
Firmware Version
Current version of firmware is 6.3.10 (May 5, 2023).
Advantech Czech s.r.o., Sokolska 71, 562 04 Usti nad Orlici, Czech Republic
Document No. MAN-0042-EN, revision from May 10, 2023. Released in the Czech
Republic.
Contents
1 Basic Information
  1.1 Document Content
  1.2 Product Introduction
  1.3 Standard Equipment
  1.4 Optional Features
  1.5 Web Configuration GUI
  1.6 WebAccess/DMP Configuration
  1.7 Router Configuration Options
  1.8 IPv6 Support
  1.9 Supported Certificate File Types
  1.10 IEEE 802.1X (RADIUS) Support
2 Web Configuration GUI
  2.1 Factory Reset
  2.2 HTTPS Certificate for the GUI
  2.3 Valid Characters
3 Status
  3.1 General Status
    3.1.1 Mobile Connection
    3.1.2 Ethernet Status
    3.1.3 WiFi Status
    3.1.4 Peripheral Ports
    3.1.5 System Information
  3.2 Mobile WAN Status
  3.3 WiFi Status
  3.4 WiFi Scan
  3.5 Network Status
  3.6 DHCP Status
  3.7 IPsec Status
  3.8 WireGuard Status
  3.9 DynDNS Status
  3.10 System Log
4 Configuration
  4.1 Ethernet Configuration
    4.1.1 DHCP Server
    4.1.2 IPv6 Prefix Delegation
    4.1.3 802.1X Authentication to RADIUS Server
    4.1.4 LAN Configuration Examples
  4.2 VRRP Configuration
  4.3 Mobile WAN Configuration
    4.3.1 Connection to Mobile Network
    4.3.2 DNS Address Configuration
    4.3.3 Check Connection to Mobile Network
    4.3.4 Check Connection Example
    4.3.5 Data Limit Configuration
    4.3.6 Switch between SIM Cards Configuration
    4.3.7 Examples of SIM Card Switching Configuration
    4.3.8 PPPoE Bridge Mode Configuration
  4.4 PPPoE Configuration
  4.5 WiFi Access Point Configuration
  4.6 WiFi Station Configuration
  4.7 Backup Routes
    4.7.1 Default Priorities for Backup Routes
    4.7.2 User Customized Backup Routes
    4.7.3 Backup Routes Examples
  4.8 Static Routes
  4.9 Firewall Configuration
    4.9.1 Example of the IPv4 Firewall Configuration
  4.10 NAT Configuration
    4.10.1 Examples of NAT Configuration
  4.11 OpenVPN Tunnel Configuration
    4.11.1 Example of the OpenVPN Tunnel Configuration in IPv4 Network
  4.12 IPsec Tunnel Configuration
    4.12.1 Route-based Configuration Scenarios
    4.12.2 IPsec Authentication Scenarios
    4.12.3 Configuration Items Description
    4.12.4 Basic IPv4 IPSec Tunnel Configuration
  4.13 WireGuard Tunnel Configuration
    4.13.1 WireGuard IPv4 Tunnel Configuration Example
  4.14 GRE Tunnels Configuration
    4.14.1 Example of the GRE Tunnel Configuration
  4.15 L2TP Tunnel Configuration
    4.15.1 Example of the L2TP Tunnel Configuration
  4.16 PPTP Tunnel Configuration
    4.16.1 Example of the PPTP Tunnel Configuration
  4.17 Services
    4.17.1 DynDNS
    4.17.2 FTP
    4.17.3 HTTP
    4.17.4 NTP
    4.17.5 PAM
    4.17.6 SNMP
    4.17.7 SMTP
    4.17.8 SMS
    4.17.9 SSH
    4.17.10 Syslog
    4.17.11 Telnet
  4.18 Expansion Port SERIAL I/O Configuration
    4.18.1 Examples of the Expansion Port Configuration
  4.19 Scripts
    4.19.1 Startup Script
    4.19.2 Example of Startup Script
    4.19.3 Up/Down Scripts
    4.19.4 Example of IPv6 Up/Down Script
  4.20 Automatic Update Configuration
    4.20.1 Example of Automatic Update
    4.20.2 Example of Automatic Update Based on MAC
5 Administration
  5.1 Users
  5.2 Change Profile
  5.3 Change Password
  5.4 Two-Factor Authentication
  5.5 Set Real Time Clock
  5.6 Set SMS Service Center
  5.7 Unlock SIM Card
  5.8 Unblock SIM Card
  5.9 Send SMS
  5.10 Backup Configuration
  5.11 Restore Configuration
  5.12 Update Firmware
  5.13 Reboot
  5.14 Logout
6 Typical Situations
  6.1 Access to the Internet from LAN
  6.2 Backup Access to the Internet from LAN
  6.3 Secure Networks Interconnection or Using VPN
  6.4 Serial Gateway
7 Customization
  7.1 Router Apps
  7.2 FirstNet Router App
Appendix A: Open Source Software License
Appendix B: Glossary and Acronyms
Appendix C: Index
Appendix D: Related Documents
List of Figures
1 IEEE 802.1X Functional Diagram
2 Web Configuration GUI
3 Mobile WAN status
4 WiFi Status
5 WiFi Scan
6 Network Status
7 DHCP Status
8 IPsec Status
9 WireGuard Status Page
10 DynDNS Status
11 System Log
12 Example program syslogd start with the parameter
13 LAN Configuration page
14 IPv6 Address with Prefix Example
15 Network Topology for Example 1
16 LAN Configuration for Example 1
17 Network Topology for Example 2
18 LAN Configuration for Example 2
19 Network Topology for Example 3
20 LAN Configuration for Example 3
21 Topology of VRRP configuration example
22 Example of VRRP configuration main router
23 Example of VRRP configuration backup router
24 Mobile WAN Configuration
25 Check Connection Example
26 Configuration for SIM card switching Example 1
27 Configuration for SIM card switching Example 2
28 PPPoE Configuration
29 WiFi Access Point Configuration
30 WiFi Station Configuration
31 Backup Routes Configuration GUI
32 Example 1: GUI Configuration
33 Example 1: Topology
34 Example 2: GUI Configuration
35 Example 2: Topology
36 Example 3: GUI Configuration
37 Example 3: Topology for Single WAN mode
38 Example 3: Topology for Multiple WAN mode
39 Example 4: GUI Configuration
40 Example 4: Topology
41 Example 5: GUI Configuration
42 Example 5: Topology
43 Static Routes Configuration
44 Firewall Configuration IPv6 Firewall
45 Topology for the IPv4 Firewall Configuration Example
46 IPv4 Firewall Configuration Example
47 NAT IPv6 NAT Configuration
48 Topology for NAT Configuration Example 1
49 NAT Configuration for Example 1
50 Topology for NAT Configuration Example 2
51 NAT Configuration for Example 2
52 OpenVPN tunnel configuration
53 Topology of OpenVPN Configuration Example
54 IPsec Tunnels Configuration
55 Topology of IPsec Configuration Example
56 WireGuard Tunnels Configuration
57 Topology of WireGuard Configuration Example
58 Router A WireGuard Status Page and Route Table
59 Router B WireGuard Status Page and Route Table
60 GRE Tunnel Configuration
61 Topology of GRE Tunnel Configuration Example
62 L2TP Tunnel Configuration
63 Topology of L2TP Tunnel Configuration Example
64 PPTP Tunnel Configuration
65 Topology of PPTP Tunnel Configuration Example
66 DynDNS Configuration Example
67 Configuration of FTP server
68 Configuration of HTTP and HTTPS services
69 Example of NTP Configuration
70 Configuration of Local User Database
71 Configuration of RADIUS
72 Configuration of TACACS+
73 Enabling Two-Factor Authentication Service
74 OID Basic Structure
75 SNMP Configuration Example
76 MIB Browser Example
77 SMTP Client Configuration Example
78 SMS Configuration for Example 1
79 SMS Configuration for Example 2
80 SMS Configuration for Example 3
81 SMS Configuration for Example 4
82 Configuration of HTTP service
83 Syslog configuration
84 Configuration of Telnet service
85 SERIAL I/O configuration pages overview
86 Expansion Port Configuration
87 Example of Ethernet to serial communication configuration
88 Example of serial interface configuration
89 Example of a Startup Script
90 Example of IPv6 Up/Down Script
91 Example of Automatic Update 1
92 Example of Automatic Update 2
93 Users Administration Form
94 Change Profile
95 Change Password
96 Two-factor User Configuration
97 Secret Key
98 Links for Google Authenticator Application
99 Links for Authenticator-Extension
100 Standard Logging
101 Verification Code
102 SSH Logging
103 Set Real Time Clock
104 Set SMS Service Center Address
105 Unlock SIM Card
106 Unblock SIM Card
107 Send SMS
108 Backup Configuration
109 Restore Configuration
110 Update Firmware Administration Page
111 Process of Firmware Update
112 Reboot
113 Access to the Internet from LAN sample topology
114 Access to the Internet from LAN Ethernet configuration
115 Access to the Internet from LAN Mobile WAN configuration
116 Backup access to the Internet sample topology
117 Backup access to the Internet Ethernet configuration
118 Backup access to the Internet WiFi configuration
119 Backup access to the Internet Mobile WAN configuration
120 Backup access to the Internet Backup Routes configuration
121 Secure networks interconnection sample topology
122 Secure networks interconnection OpenVPN configuration
123 Serial Gateway sample topology
124 Serial Gateway configuration Expansion Port 1
125 Router Apps GUI
126 Router Apps Added
127 FirstNet Router App Global Status
List of Tables
1 Supported Roles of the IEEE 802.1X Authentication . . . . . . . . . . . . .
. . 5 2 Mobile Connection . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . 10 3 Peripheral Ports . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . 11 4 System Information . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . 11 5 Mobile Network Information .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 6 Value ranges of
signal strength for different technologies. . . . . . . . . . . . . 13 7
Description of Periods . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . 13 8 Mobile Network Statistics . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . 13 9 Information about Neighbouring WiFi Networks . . . .
. . . . . . . . . . . . . . 16 10 Description of Interfaces in Network Status
. . . . . . . . . . . . . . . . . . . . 18 11 Description of Information in
Network Status . . . . . . . . . . . . . . . . . . . . 19 12 DHCP Status
Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 13
Configuration of the Network Interface IPv4 and IPv6 . . . . . . . . . . . .
. . 28 14 Configuration of the Network Interface global items . . . . . . .
. . . . . . . . 29 15 Configuration of Dynamic DHCP Server . . . . . . . . . .
. . . . . . . . . . . . 30 16 Configuration of Static DHCP Server . . . . . .
. . . . . . . . . . . . . . . . . . 30 17 IPv6 prefix delegation configuration
. . . . . . . . . . . . . . . . . . . . . . . . . 31 18 Configuration of
802.1X Authentication . . . . . . . . . . . . . . . . . . . . . . . 31 19 VRRP
configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. 38 20 Check connection . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . 39 21 Mobile WAN Connection Configuration . . . . . . . . . . .
. . . . . . . . . . . . 43 22 Check Connection to Mobile Network Configuration
. . . . . . . . . . . . . . . . 45 23 Data Limit Configuration . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . 46 24 Switch between SIM cards
configuration . . . . . . . . . . . . . . . . . . . . . . 47 25 Parameters for
SIM card switching . . . . . . . . . . . . . . . . . . . . . . . . . 48 26
PPPoE configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . 52 27 WiFi Configuration . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . 58 28 WLAN Configuration . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . 63 29 Backup Routes Modes . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . 66 30 Backup Routes
Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 31
Static Routes Configuration for IPv4 . . . . . . . . . . . . . . . . . . . . .
. . . 75 32 Filtering of Incoming Packets . . . . . . . . . . . . . . . . . .
. . . . . . . . . . 77 33 Forwarding filtering . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . 78 34 NAT Configuration . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . 81 35 Remote Access
Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83 36
Configuration of Send all incoming packets to server . . . . . . . . . . . . .
. . 83 37 OpenVPN Configuration . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . 91 38 OpenVPN Configuration Example . . . . . . . . . . . . .
. . . . . . . . . . . . . 93 39 IPsec Tunnel Configuration . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . 101 40 Simple IPv4 IPSec Tunnel
Configuration . . . . . . . . . . . . . . . . . . . . . . 103
ix
ICR-3200
41 WireGuard Tunnel Configuration . . . . . . . . . . . . . . . . . . . . . .
. . . . 106 42 WireGuard IPv4 Tunnel Configuration Example . . . . . . . . . .
. . . . . . . . 107 43 GRE Tunnel Configuration . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . 109 44 GRE Tunnel Configuration Example . . . .
. . . . . . . . . . . . . . . . . . . . 111 45 L2TP Tunnel Configuration . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . 113 46 L2TP Tunnel
Configuration Example
47 PPTP Tunnel Configuration
48 PPTP Tunnel Configuration Example
49 DynDNS Configuration
50 Parameters for FTP service configuration
51 Parameters for HTTP and HTTPS services configuration
52 NTP Configuration
53 Available Modes of PAM
54 Configuration of RADIUS
55 Configuration of TACACS+
56 SNMP Agent Configuration
57 SNMPv3 Configuration
58 SNMP Configuration (R-SeeNet)
59 Object identifier for binary inputs and output
60 SMTP client configuration
61 SMS Configuration
62 Control via SMS
63 Control SMS
64 Send SMS on the serial Port 1
65 Send SMS on the serial Port 2
66 Sending/receiving of SMS on TCP port specified
67 List of AT Commands
68 Parameters for SSH service configuration
69 Syslog configuration
70 Parameters for Telnet service configuration
71 Expansion Port Configuration serial interface
72 Expansion Port Configuration Check TCP connection
73 CD Signal Description
74 DTR Signal Description
75 Automatic Update Configuration
76 Button Description
77 User Parameters
1. Basic Information
1.1 Document Content
This configuration manual contains the following information:
· Configuration of the router item by item according to the web interface (Chapters 3 to 5).
· Configuration examples for typical situations (Chapter 6):
  · Access to the Internet from LAN (Local Area Network) via mobile network.
  · Backed up access to the Internet (from LAN).
  · Secure networks interconnection or using VPN (Virtual Private Network).
  · Serial Gateway (connection of serial devices to the Internet).
1.2 Product Introduction
ICR-3200 routers are designed for communication across cellular networks using
either LTE technology Category 4 (theoretically 150 Mbps downlink and 50 Mbps
uplink), or LTE Category M1 (CAT-M1 for IoT and M2M communications). The
router is an ideal solution for industrial wireless connection of traffic and
security camera systems, individual computers, LANs, automatic teller machines
(ATM), other self-service terminals, and many other devices.
1.3 Standard Equipment
Standard features include the LTE cellular module (with two antenna connectors
for main and diversity antenna), two Ethernet 10/100 ports, one binary
input, one binary output, RS232 serial interface, RS-485 serial interface
(single 10-pin connector for serial and binary interfaces), and two SIM card
readers for 3 V and 1.8 V SIM cards. The router is supplied in a metal casing.
1.4 Optional Features
If desired, the router can be ordered as an extended version with the WiFi and
the GPS module. This version is equipped with two WiFi antenna connectors on
the right side and one GNSS antenna connector between them. Note that routers
cannot be retrofitted with an interface in the future. See the router’s
technical manual for details on versions and possible combinations of
interfaces.
1.5 Web Configuration GUI
Configuring ICR-3200 routers is made easy by a username- and password-protected web
interface. The interface provides detailed statistics about router activities,
signal strength, system logs and more. The router supports both IPv4 and IPv6
protocols, the creation of secure VPN tunnels using technologies IPsec,
OpenVPN and L2TP. The router also supports DHCP, NAT, NAT-T, DynDNS client,
NTP, VRRP, control by SMS, backup of the primary connection, multiple WANs,
RADIUS authentication on Ethernet and WiFi, and many other functions.
Additional diagnostic features designed to ensure continuous communication
include automatic inspection of Mobile WAN connections, an automatic restart
feature in case a connection is lost, and a hardware watchdog that monitors
the status of the router. Using a start up script window, users can insert
Linux scripts for various actions. Users may insert multiple scripts, and the
router can switch between configurations as needed. Examples would include
using SMS or checking the status of the binary input. ICR-3200 routers can
automatically update their configurations and firmware from a central server,
allowing for mass reconfiguration of multiple routers simultaneously.
1.6 WebAccess/DMP Configuration
WebAccess/DMP is an advanced enterprise-grade platform solution for
provisioning, monitoring, managing, and configuring Advantech’s routers and
IoT gateways. It provides a zero-touch enablement platform for each remote
device. See the application note [3] for more information or visit the
WebAccess/DMP webpage.
New routers have been pre-installed with the WebAccess/DMP client, which has
activated the connection to the WebAccess/DMP server by default. You can
disable this connection on the Welcome page when logging into the router’s web
interface or on the (Customization -> Router Apps -> WebAccess/DMP Client)
configuration page.
The activated client periodically uploads router identifiers and configuration
to the WebAccess/DMP server.
1.7 Router Configuration Options
Routers can be configured via a web browser or Secure Shell (SSH).
Configuration via Web Browser is described in this Configuration Manual.
Commands and scripts applicable in the configuration using SSH are described
in Commands and Scripts Application Note [1]. Technical parameters and a full
description of the router can be found in the User Manual of your router. You
can also use additional software WebAccess/VPN [2] and software for router
monitoring R-SeeNet [3].
1.8 IPv6 Support
There is an independent IPv4 and IPv6 dual-stack configuration implemented in
the router’s firmware. This means that you can configure traffic through both
IP protocols independently and both are supported. Additional EUI-64 IPv6
addresses of network interfaces are generated automatically by standard
methods. In addition, there is a NAT64 internal gateway network interface for
automatic translation between IPv6 and IPv4 (see Chapter 3.5 for more
information). This gateway works together with DNS64 seamlessly (for domain
names translation).
For cellular IPv6 connection, see Mobile WAN Configuration in Chapter 4.3.1.
For IPv6 LAN configuration, see LAN Configuration in Chapter 4.1. DHCPv6
server/client is also supported. IPv4 is the default, but IPv6 can be enabled
or used with all features and protocols in the router, except for non-secured
tunnels GRE, L2TP and PPTP, and VRRP. Using the secured tunnels OpenVPN and
IPsec, it is possible to run IPv6 traffic through an IPv4 tunnel and vice
versa. The configuration forms for NAT, Firewall and Up/Down Scripts are
completely separate for the IPv4 and IPv6 stacks. ICMPv6 protocol is also
supported. IPv6 configuration is covered in each following Chapter when
possible.
1.9 Supported Certificate File Types
All the GUI forms supporting the uploading of a certificate file support these
file types:
· CA, Local/Remote Certificate: .pem; .crt; .p12
· Private Key: .pem; .key; .p12
1.10 IEEE 802.1X (RADIUS) Support
IEEE 802.1X is an IEEE Standard for port-based Network Access Control (PNAC).
It is part of the IEEE 802.1 group of networking protocols. It provides an
authentication mechanism to devices wishing to attach to a LAN or WLAN. IEEE
802.1X defines the encapsulation of the Extensible Authentication Protocol
(EAP) over IEEE 802, which is known as “EAP over LAN” or EAPoL.
802.1X authentication involves three parties: a supplicant, an authenticator,
and an authentication server (see Figure 1).
Figure 1: IEEE 802.1X Functional Diagram
· The supplicant is a client device (such as a laptop) that wishes to attach
to the LAN/WLAN. The term ‘supplicant’ is also used interchangeably to refer
to the software running on the client that provides credentials to the
authenticator.
· The authenticator is a network device which provides a data link between the
client (supplicant) and the network (LAN/WAN) and can allow or block network
traffic between the two, such as an Ethernet switch or wireless access point.
The authenticator communicates with the authentication server to determine if
the network access for a supplicant will be granted or not.
· The authentication server is typically a trusted server that can receive and
respond to requests for network access, and can tell the authenticator if the
connection is to be allowed, and various settings that should apply to that
client’s connection or setting. Authentication servers typically run software
supporting the RADIUS and EAP protocols.
Table 1 summarizes all the supported cases and roles when the IEEE 802.1X
authentication can be used on Advantech routers.
Please note that the role of the authentication server is not supported by
Advantech routers.
| Interface | Supplicant Role | Authenticator Role |
| --- | --- | --- |
| LAN | Built-in feature, just configure the LAN with 802.1X authentication, see Chapter 4.1.3. | Not built-in feature, but can be implemented by the UM 802.1X Authenticator. For more information about this module see [RA]. |
| WiFi | Supported for the Station (STA) mode, see Chapter 4.6. | Supported for the Access Point (AP) mode, see Chapter 4.5. |

Table 1: Supported Roles of the IEEE 802.1X Authentication
2. Web Configuration GUI
Figure 2: Web Configuration GUI
The cellular router will not operate unless the cellular carrier has been
correctly configured and the account activated and provisioned for data
communications. For UMTS and LTE carriers, a SIM card must be inserted into
the router. Do not insert the SIM card when the router is powered up.
You may use the web interface to monitor, configure and manage the router. To
access the router over the web interface enter the router’s IP address in your
browser. The default address is 192.168.1.1. Only access via the secured HTTPS
protocol is permitted, so the address must be entered as
https://192.168.1.1. When accessing the router for the first time you will
need to install a security certificate if you don’t want the browser to show
you a domain disagreement message. To avoid receiving domain disagreement
messages, follow the procedure described in the following subchapter.
The default username is root¹. The default password is printed on the router’s
label.² Change the default password as soon as possible!
For increased security of the network connected to the router, change the
default router password. When the default password of the router is still
active, the Change password title is highlighted in red.
After three unsuccessful login attempts, any HTTP(S) access from that IP address
is blocked for one minute.
When you successfully enter login information on the login page, the web
interface will be displayed, see Figure 2. The left side of the web interface
contains a menu tree with sections for Status monitoring, Configuration,
Customization, and Administration of the router. The Name and Location fields,
identifying the router, can be displayed in the right upper corner of the web
interface. They can be configured in the SNMP configuration (see 4.17.6).
2.1 Factory Reset
After the PWR LED starts to blink you may restore the initial router settings
by pressing the reset (RST) button for a given time, see the technical manual
of the router for more information. This action will revert all the
configuration settings to the factory defaults and the router will reboot (the
PWR LED will be on during the reboot).
¹ ICR-3241(W)-1ND models have the default username “admin”.
² If the router’s label does not contain a unique password, use the password “root”.
2.2 HTTPS Certificate for the GUI
The router contains a self-signed HTTPS certificate. Because the identity
of this certificate cannot be validated, a message can appear in the web
browser. To solve this, upload your own certificate, signed by a Certification
Authority, to the router. If you want to use your own certificate (e.g. in
combination with the dynamic DNS service), you need to replace the
/etc/certs/https_cert and /etc/certs/https_key files in the router. This can
be done easily in the GUI on the HTTP configuration page, see Chapter 4.17.3.
If you decide to use the self-signed certificate in the router and want to
prevent the security message (domain disagreement) from popping up every time
you log into the router, you can take the following steps:
· Add the DNS record to your DNS system: Edit /etc/hosts (Linux/Unix OS) or
C:\WINDOWS\system32\drivers\etc\hosts (Windows OS) or configure your own DNS
server. Add a new record with the IP address of your router and the domain
name based on the MAC address of the router (the MAC address of the first
network interface seen in Network Status in the Web interface of the router).
Use dash separators instead of colons. Example: A router with the MAC address
00:11:22:33:44:55 will have a domain name 00-11-22-33-44-55.
· Access the router via the new domain name address (e.g.
https://00-11-22-33-44-55). If you see the security message, add an exception
so the next time the message will not pop up (e.g. in Firefox Web browser). If
there is no possibility to add an exception, export the certificate to a
file and import it to your browser or operating system.
Note: You will have to use the domain name based on the MAC address of the
router and it is not guaranteed to work with every combination of an operating
system and a browser.
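The hosts-file step above, as an added example (not Advantech code): it derives the MAC-based name, builds the hosts line, and compares the SHA-256 fingerprint of the certificate the router presents with one recorded over a trusted local connection, so the browser exception is added only for the expected certificate. All function names and the sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import re
import ssl


def mac_to_hostname(mac: str) -> str:
    """Domain name the manual prescribes: the MAC with dashes instead of colons."""
    digits = re.sub(r"[:\-.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    # Lower-case hex is an assumption; host names are matched case-insensitively.
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def hosts_entry(router_ip: str, mac: str) -> str:
    """One line for /etc/hosts or the Windows hosts file."""
    ip = ipaddress.ip_address(router_ip)  # rejects malformed addresses
    return f"{ip}\t{mac_to_hostname(mac)}"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lower-case hex."""
    return hashlib.sha256(der_cert).hexdigest()


def matches_pin(der_cert: bytes, pinned: str) -> bool:
    """Compare the presented certificate with a fingerprint noted out of band.

    Accepts 'AB:CD:...' or plain hex; raises if the pin is not 32 bytes of hex.
    """
    expected = re.sub(r"[:\s]", "", pinned).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", expected):
        raise ValueError("pinned value is not a SHA-256 fingerprint")
    return hmac.compare_digest(fingerprint(der_cert), expected)


def fetch_router_cert(hostname: str, port: int = 443) -> bytes:
    """Fetch the certificate the router presents, without validating it.

    Validation is skipped on purpose: the certificate is self-signed, so the
    only meaningful check is the fingerprint comparison in matches_pin().
    """
    pem = ssl.get_server_certificate((hostname, port))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    # Values from the manual's own example: default IP and sample MAC.
    print(hosts_entry("192.168.1.1", "00:11:22:33:44:55"))
    # Constructed stand-in for certificate bytes so the demo runs offline.
    sample = b"constructed stand-in for DER certificate bytes"
    print(matches_pin(sample, fingerprint(sample)))
```

On a live network, pass the result of `fetch_router_cert("00-11-22-33-44-55")` to `matches_pin()` and add the browser exception only when it returns True.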
2.3 Valid Characters
If the router is configured through the web interface, avoid entering
forbidden characters into any of the input forms (not just for password).
Valid and forbidden characters are specified below. Please note that the
“space” character may not be allowed for some forms as well. Valid characters
are: Forbidden characters are:
3. Status
All status pages can display live data. To enable this feature, click on the refresh button in the top right corner on the status page. To stop the data update and to limit the amount of data transferred, disable automatic data updates by clicking the pause button again.
3.1 General Status
You can reach a summary of basic router information and its activities by
opening the General status page. This page is displayed when you log in to the
device by default. The information displayed on this page is divided into
several sections, based upon the type of the router and its hardware
configuration. Typically, there are sections for the mobile connection, LAN,
system information, and eventually for the WiFi and
peripheral ports, if the device is equipped with them.
The IPv6 Address item can show multiple different addresses for one network
interface. This is standard behavior since an IPv6 interface uses more
addresses. The second IPv6 address shown after pressing More Information is
an automatically generated EUI-64 format link-local IPv6 address derived from
the MAC address of the interface. It is generated and assigned the first time
the interface is used (e.g. cable is connected, Mobile WAN connecting, etc.).
3.1.1 Mobile Connection
| Item | Description |
| --- | --- |
| SIM Card | Identification of the SIM card |
| Interface | Defines the interface |
| Flags | Displays network interface flags: None – no flags; Up – the interface is administratively enabled; Running – the interface is in operational state (cable detected); Multicast – the interface is capable of multicast transmission |
| IP Address | IP address of the interface |
| MTU | Maximum packet size that the equipment is able to transmit |
| Rx Data | Total number of received bytes |
| Rx Packets | Received packets |
| Rx Errors | Erroneous received packets |
| Rx Dropped | Dropped received packets |
| Rx Overruns | Lost received packets because of overload |
| Tx Data | Total number of sent bytes |
| Tx Packets | Sent packets |
| Tx Errors | Erroneous sent packets |
| Tx Dropped | Dropped sent packets |
| Tx Overruns | Lost sent packets because of overload |
| Uptime | Indicates how long the connection to the cellular network has been established |

Table 2: Mobile Connection
3.1.2 Ethernet Status
Every Ethernet interface has its separate section on the General status page.
Items displayed here have the same meaning as items in the previous part.
Moreover, the MAC Address item shows the MAC address of the corresponding
router’s interface. Visible information depends on the Ethernet configuration,
see Chapter 4.1.
3.1.3 WiFi Status
Items displayed in this part have the same meaning as items in the previous
part. WiFi AP part displays information for the WiFi interface (wlan0) working
in access point mode, for the configuration see Chapter 4.5. WiFi STA part
displays information for the WiFi interface (wlan1) working in station mode,
for the configuration description see Chapter 4.6.
3.1.4 Peripheral Ports
Information about available peripheral ports and status of binary interfaces
is displayed in the Peripheral Ports section.
| Item | Description |
| --- | --- |
| Expansion Port 1 | An interface detected on the first expansion port. |
| Expansion Port 2 | An interface detected on the second expansion port. |
| Binary Input | State of the binary input. |
| Binary Output | State of the binary output. |

Table 3: Peripheral Ports
3.1.5 System Information
System information about the device is displayed in the System Information section.
| Item | Description |
| --- | --- |
| Firmware Version | Information about the firmware version. |
| Serial Number | Serial number of the router (in case of N/A is not available). |
| Hardware UUID¹ | Unique HW identifier for the device. |
| Product Revision¹ | Manufactured product revision number. |
| Profile | Current profile: standard or alternative profiles (profiles are used for example to switch between different modes of operation). |
| RTC Battery | RTC battery state. |
| Supply Voltage | Supply voltage of the router. |
| Temperature | Temperature in the router. |
| Time | Current date and time. |
| Uptime | Indicates how long the router is used. |
| Licenses | Link to the list of open source software components of the firmware together with their license type. Click on the license type to see the license text. |

Table 4: System Information
¹ It may not be available for some models.
² Only for models with PoE. The router’s power supply voltage must meet the required voltage.
3.2 Mobile WAN Status
The ICR-3201 (LAN version) has no Mobile WAN status menu option.
The Mobile WAN menu item contains current information about connections to the mobile network. The first part of this page (Mobile Network Information) displays basic information about the mobile network the router operates in. There is also information about the module, which is mounted in the router.
| Item | Description |
| --- | --- |
| Registration | State of the network registration |
| Operator | Specifies the operator’s network the router operates in. |
| Technology | Transmission technology |
| PLMN | Code of operator |
| Cell | Cell the router is connected to (in hexadecimal format). |
| LAC/TAC | Unique number (in hexadecimal format) assigned to each location area. LAC (Location Area Code) is for 2G/3G networks and TAC (Tracking Area Code) is for 4G networks. |
| Channel | Channel the router communicates on: ARFCN in case of GPRS/EDGE technology; UARFCN in case of UMTS/HSPA technology; EARFCN in case of LTE technology. |
| Band | Cellular band abbreviation. |
| Signal Strength | Signal strength (in dBm) of the selected cell, for details see Table 6. |
| Signal Quality | Signal quality of the selected cell: EC/IO for UMTS (the ratio of the signal received from the pilot channel EC to the overall level of the spectral density, i.e. the sum of the signals of other cells IO); RSRQ for LTE technology (defined as the ratio N × RSRP / RSSI); the value is not available for the EDGE technology. |
| RSSI, RSRP, RSRQ, SINR, RSCP or Ec/Io | Other parameters reporting signal strength or quality. Please note that some of them may not be available, depending on the cellular module or cellular technology. |
| CSQ | Cell signal strength with following value ranges: 2 to 9 = Marginal; 10 to 14 = OK; 15 to 19 = Good; 20 to 30 = Excellent. |
| Neighbours | Signal strength of neighboring hearing cells (GPRS only)¹. |
| Manufacturer | Module manufacturer |
| Model | Type of module |
| Revision | Revision of module |
| IMEI | IMEI (International Mobile Equipment Identity) number of module |
| MEID | MEID number of module |
| ICCID | Integrated Circuit Card Identifier is international and unique serial number of the SIM card. |

Table 5: Mobile Network Information
¹ If a neighboring cell for GPRS is highlighted in red, router may repeatedly switch between the neighboring and the primary cell affecting the router’s performance. To prevent this, re-orient the antenna or use a directional antenna.
The value of signal strength is displayed in different colors: in black for good, in orange for fair and in red for poor signal strength.
| Signal strength | GPRS/EDGE/CDMA (RSSI) | UMTS/HSPA (RSCP) | LTE (RSRP) |
| --- | --- | --- | --- |
| good | -70 dBm | -75 dBm | -90 dBm |
| fair | -70 dBm to -89 dBm | -75 dBm to -94 dBm | -90 dBm to -109 dBm |
| poor | < -89 dBm | < -94 dBm | < -109 dBm |

Table 6: Value ranges of signal strength for different technologies.
The middle part of this page, called Statistics, displays information about mobile signal quality, transferred data and number of connections for all the SIM cards (for each period). The router has standard intervals, such as the previous 24 hours and last week, and also a period starting with Accounting Start defined for the MWAN module.
| Period | Description |
| --- | --- |
| Today | Today from 0:00 to 23:59 |
| Yesterday | Yesterday from 0:00 to 23:59 |
| This week | This week from Monday 0:00 to Sunday 23:59 |
| Last week | Last week from Monday 0:00 to Sunday 23:59 |
| This period | This accounting period |
| Last period | Last accounting period |

Table 7: Description of Periods
| Item | Description |
| --- | --- |
| RX data | Total volume of received data |
| TX data | Total volume of sent data |
| Connections | Number of connection to mobile network establishment |
| Signal Min | Minimal signal strength |
| Signal Avg | Average signal strength |
| Signal Max | Maximal signal strength |
| Cells | Number of switch between cells |
| Availability | Availability of the router via the mobile network (expressed as a percentage) |

Table 8: Mobile Network Statistics
Tips for Mobile Network Statistics table:
· Availability is expressed as a percentage. It is the ratio of the time the
connection to the mobile network has been established to the time that the
router has been turned on.
· Placing your cursor over the maximum or minimum signal strength will display
the last time the router reached that signal strength.
Figure 3: Mobile WAN status
The last part (Connection Log) displays
information about the mobile network connections and any problems that
occurred while establishing them.
3.3 WiFi Status
This item is available only if the router is equipped with a WiFi module.
Selecting the Status -> WiFi -> Status item in the main menu of the web
interface will display information about the WiFi access point (AP) and the
WiFi station (STA). Information about all stations connected to the AP is
listed as well. An example of the output for the WiFi status is shown in the
following figure.
Figure 4: WiFi Status
3.4 WiFi Scan
This item is available only if the router is equipped with a WiFi module.
Selecting the Status -> WiFi -> Scan item scans for neighboring WiFi networks and displays the results. In the table below is the description of some items in the output of the WiFi scanning.
| Item | Description |
| --- | --- |
| BSS | MAC address of access point (AP) |
| TSF | A Timing Synchronization Function (TSF) keeps the timers for all stations in the same Basic Service Set (BSS) synchronized. All stations shall maintain a local TSF timer. |
| freq | Frequency band of WiFi network [MHz] |
| beacon interval | Period of time synchronization |
| capability | List of access point (AP) properties |
| signal | Signal level of access point (AP) |
| last seen | Last response time of access point (AP) |
| SSID | Identifier of access point (AP) |
| Supported rates | Supported rates of access point (AP) |
| DS Parameter set | The channel on which access point (AP) broadcasts |
| ERP | Extended Rate PHY information element providing backward compatibility |
| Extended supported rates | Supported rates of access point (AP) that are beyond the scope of eight rates mentioned in Supported rates item |
| RSN | Robust Secure Network: the protocol for establishing a secure communication through wireless network 802.11 |

Table 9: Information about Neighbouring WiFi Networks
WiFi Scan output may look like this:
Figure 5: WiFi Scan
3.5 Network Status
To view information about the interfaces and the routing table, open the Network item in the Status menu. The upper part of the window displays detailed information about the active interfaces only:
| Interface | Description |
| --- | --- |
| eth0, eth1 | Network interfaces (Ethernet connection) |
| usbx | Active connection to the mobile network; the wireless module is connected via USB interface. |
| wlan0 | WiFi interface, if configured |
| pppx | PPP interface (e.g. PPPoE tunnel, if configured) |
| tunx | OpenVPN tunnel interface, if configured |
| ipsecx | IPSec tunnel interface, if configured |
| gre1 | GRE tunnel interface, if configured |
| wg1 | WireGuard tunnel interface, if configured |
| lo | Local loopback interface |
| nat64 | Network interface of internal translator gateway between IPv6 and IPv4 addresses. |

Table 10: Description of Interfaces in Network Status
The following information can be displayed for network interfaces:
| Item | Description |
| --- | --- |
| HWaddr | Hardware (unique, MAC) address of a network interface. |
| inet addr | IPv4 address of interface |
| inet6 addr | IPv6 address of interface. There can be more of them for single network interface. |
| P-t-P | IP address of the opposite end (in case of point-to-point connection). |
| Bcast | Broadcast address |
| Mask | Mask of network |
| MTU | Maximum packet size that the equipment is able to transmit. |
| Metric | Number of routers the packet must go through. |
| RX | packets: received packets; errors: number of errors; dropped: dropped packets; overruns: incoming packets lost because of overload; frame: wrong incoming packets because of incorrect packet size. |
| TX | packets: transmit packets; errors: number of errors; dropped: dropped packets; overruns: outgoing packets lost because of overload; carrier: wrong outgoing packets with errors resulting from the physical layer. |
| collisions | Number of collisions on physical layer. |
| txqueuelen | Length of buffer (queue) of the network interface. |
| RX bytes | Total number of received bytes. |
| TX bytes | Total number of transmitted bytes. |

Table 11: Description of Information in Network Status
You may view the status of the mobile network connection on the network status
screen. If the connection to the mobile network is active, it will appear in
the system information as a usb0 interface.
The Route Table is displayed at the bottom of the Network Status page. There
is IPv4 Route Table and IPv6 Route Table below.
If the router is connected to the Internet (a default route is defined), the
nat64 network interface is created automatically. This is the NAT64 internal
gateway for translating the IPv6 and IPv4 communication. It is used
automatically when connected via IPv6 and communicating with IPv4 device or
network. It works together with DNS64 running in the router automatically
(translation of domain names to IP addresses). The default NAT64 prefix
64:ff9b::/96 is used as you can see in Figure 6 below in the IPv6 Route Table
section.
Figure 6: Network Status
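Two address forms described in this chapter can be computed by hand when matching status output, logs or firewall rules to a device: the EUI-64 link-local address derived from an interface MAC (Section 3.1) and the NAT64 mapping under the default 64:ff9b::/96 prefix (Section 3.5). The following is an added example, not router firmware code; the function names are illustrative, the test addresses are documentation ranges, and only /96 prefixes are handled.

```python
import ipaddress
import re

# Default NAT64 prefix named in this chapter.
NAT64_PREFIX = ipaddress.ip_network("64:ff9b::/96")
LINK_LOCAL = ipaddress.ip_network("fe80::/64")


def _mac_bytes(mac: str) -> bytes:
    raw = bytes.fromhex(re.sub(r"[:\-.]", "", mac))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return raw


def eui64_link_local(mac: str) -> ipaddress.IPv6Address:
    """Link-local address with a modified EUI-64 interface identifier."""
    raw = _mac_bytes(mac)
    # Flip the universal/local bit and insert ff:fe between the two MAC halves.
    iid = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]
    return ipaddress.IPv6Address(LINK_LOCAL.network_address.packed[:8] + iid)


def mac_from_eui64(addr: str):
    """Recover the MAC from an EUI-64 based address, or None if it is not one.

    Any address of this form exposes the interface's hardware address, which
    is what makes it usable for matching log entries to a specific device.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in raw)


def nat64_synthesize(ipv4: str, prefix=NAT64_PREFIX) -> ipaddress.IPv6Address:
    """IPv6 address an IPv6-only client uses to reach an IPv4 host via NAT64."""
    if prefix.prefixlen != 96:
        raise ValueError("this example only handles /96 NAT64 prefixes")
    v4 = ipaddress.IPv4Address(ipv4)
    # With a /96 prefix the IPv4 address occupies the low 32 bits.
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def nat64_extract(ipv6: str, prefix=NAT64_PREFIX):
    """IPv4 destination behind a NAT64 address, or None if outside the prefix."""
    addr = ipaddress.IPv6Address(ipv6)
    if prefix.prefixlen != 96 or addr not in prefix:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


if __name__ == "__main__":
    print(eui64_link_local("00:11:22:33:44:55"))
    print(nat64_synthesize("192.0.2.33"))
```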
3.6 DHCP Status
Information about the DHCP server activity is accessible via the DHCP item.
The DHCP server automatically configures the client devices connected to the
router. The DHCP server assigns each device an IP address, subnet mask, and
default gateway (IP address of the router) and DNS server (IP address of the
router). DHCPv6 server is supported.
See Figure 7 for the DHCP Status example. Records in the DHCP Status window
are divided into two parts based on the interface.
Figure 7: DHCP Status
The DHCP status window displays the following information on a row for each client in the list. All items are described in Table 12.
| Item | Description |
| --- | --- |
| IPv4 Address | IPv4 address assigned to a client. |
| IPv6 Address | IPv6 address assigned to a client. |
| Lease Starts | The time the IP address lease started. |
| Lease Ends | The time the IP address lease expires. |
| MAC | MAC address of the client. |
| Hostname | Client hostname. |
| IA-NA | IPv6 unique identifier. |

Table 12: DHCP Status Description
The DHCP status may occasionally display two records for one IP address. It may be caused by resetting the client network interface.
3.7 IPsec Status
Selecting the IPsec option in the Status menu of the web page will bring up
the information for any IPsec Tunnels that have been established. If the
tunnel has been built correctly, the screen will display ESTABLISHED and the
number of running IPsec connections 1 up (orange highlighted in the figure
below.) If there is no such text in log (e.g. “0 up”), the tunnel was not
created!
Figure 8: IPsec Status
3.8 WireGuard Status
Selecting the WireGuard option in the Status menu of the web page will bring
up the information for any WireGuard Tunnels established. In the figure below
is an example of the first WireGuard tunnel running.
Figure 9: WireGuard Status Page
The Latest handshake time is the time elapsed
since the latest successful communication with the opposite tunnel side. This
item will not be shown here until there is a tunnel communication (data sent
by the client-side or the keepalive data sent when NAT/Firewall Traversal is
set to yes).
3.9 DynDNS Status
The router supports DynamicDNS using a DNS server on www.dyndns.org. If
Dynamic DNS is configured, the status can be displayed by selecting menu
option DynDNS. Refer to www.dyndns.org for more information on how to
configure a Dynamic DNS client. You can use the following listed servers for
the Dynamic DNS service. It is possible to use the DynDNSv6 service with IP
Mode switched to IPv6 on DynDNS Configuration page.
· www.dyndns.org
· www.spdns.de
· www.dnsdynamic.org
· www.noip.com
Figure 10: DynDNS Status
When the router detects a DynDNS record update, the dialog displays one or more of the following messages:
· DynDNS client is disabled.
· Invalid username or password.
· Specified hostname doesn’t exist.
· Invalid hostname format.
· Hostname exists, but not under specified username.
· No update performed yet.
· DynDNS record is already up to date.
· DynDNS record successfully update.
· DNS error encountered.
· DynDNS server failure.
The router’s SIM card must have public IP address assigned or DynDNS will not
function correctly.
3.10 System Log
If there are any connection problems you may view the system log by selecting
the System Log menu item. Detailed reports from individual applications
running in the router will be displayed. Use the Save Log button to save the
system log to a connected computer. (It will be saved as a text file with the
.log extension.) The Save Report button is used for creating detailed reports.
(It will be saved as a text file with the .txt extension. The file will
include statistical data, routing and process tables, system log, and
configuration.)
Sensitive data from the report are filtered out for security reasons. The
default length of the system log is 1000 lines. After reaching 1000 lines a
new file is created for storing the system log. After completion of 1000 lines
in the second file, the first file is overwritten with a new file. The Syslogd
program will output the system log. It can be started with two options to
modify its behavior. Option “-S” followed by a decimal number sets the maximal
number of lines in one log file. Option “-R” followed by a hostname or IP
address enables logging to a remote syslog daemon. (If the remote syslog
daemon runs on Linux OS, remote logging has to be enabled there, typically by
running “syslogd -R”. If it runs on Windows OS, a syslog server has to be
installed, e.g. Syslog Watcher.) To start syslogd with these options, the
“/etc/init.d/syslog” script can be modified via SSH or lines can be added into
the Startup Script (accessible in the Configuration section) according to Figure 12.
Figure 11: System Log
The following example (figure) shows how to send syslog information to a
remote server at 192.168.2.115 on startup.
Figure 12: Example program syslogd start with the parameter
4. Configuration
4.1 Ethernet Configuration
To enter the Local Area Network configuration, select the Ethernet menu item
in the Configuration section. The Ethernet item will expand in the menu on the
left, so you can choose the proper Ethernet interface to configure: ETH0 for
the first Ethernet interface and ETH1 for the second Ethernet interface.
The LAN Configuration page is divided into IPv4 and IPv6 columns, see Figure 13. The router supports dual stack operation: the IPv4 and IPv6 protocols can run alongside each other, and you can configure either one of them or both. If you configure both IPv4 and IPv6, other network devices will choose the communication protocol. Configuration items and IPv6 to IPv4 differences are described in the tables below.
Figure 13: LAN Configuration page
Item
Description
DHCP Client
Enables/disables the DHCP client function. In the IPv6 column, this setting enables the DHCPv6 client. The DHCPv6 client supports all three methods of getting an IPv6 address: SLAAC, stateless DHCPv6 and stateful DHCPv6.
· disabled: The router does not allow automatic allocation of an IP address from a DHCP server in the LAN network.
· enabled: The router allows automatic allocation of an IP address from a DHCP server in the LAN network.
IP Address
A fixed IP address of the Ethernet interface. Use IPv4 notation in IPv4 column and IPv6 notation in IPv6 column. Shortened IPv6 notation is supported.
Subnet Mask / Prefix
Specifies a Subnet Mask for the IPv4 address. In the IPv6 column, fill in the Prefix for the IPv6 address, a number in the range 0 to 128.
Default Gateway
Specifies the IP address of a default gateway. If filled-in, every packet with the destination not found in the routing table is sent to this IP address. Use proper IP address notation in IPv4 and IPv6 column.
DNS Server
Specifies the IP address of the DNS server. When the IP address is not found in the Routing Table, the router forwards the request to DNS server specified here. Use proper IP address notation in IPv4 and IPv6 column.
Table 13: Configuration of the Network Interface IPv4 and IPv6
The Default Gateway and DNS Server items are only used if the DHCP Client item is set to disabled and if the ETH0 or ETH1 LAN is selected by the Backup Routes system as the default route. (The selection algorithm is described in section 4.7). Since FW 5.3.0, Default Gateway and DNS Server are also supported on bridged interfaces (e.g. eth0 + eth1).
The following three items (in the table below) are global for the configured Ethernet interface. Only one bridge can be active on the router at a time. The DHCP Client, IP Address and Subnet Mask / Prefix parameters of only one of the interfaces are used for the bridge. ETH0 LAN has higher priority when both interfaces (ETH0, ETH1) are added to the bridge. Other interfaces can be added to or deleted from an existing bridge at any time. The bridge can be created on demand for such interfaces, but not if it is configured by their respective parameters.
Item
Description
Bridged
Activates/deactivates the bridging function on the router.
· no: The bridging function is inactive (default).
· yes: The bridging function is active.
Media Type
Specifies the type of duplex and speed used in the network.
· Auto-negation: The router automatically sets the best speed and duplex mode of communication according to the network’s possibilities.
· 100 Mbps Full Duplex: The router communicates at 100 Mbps, in the full duplex mode.
· 100 Mbps Half Duplex: The router communicates at 100 Mbps, in the half duplex mode.
· 10 Mbps Full Duplex: The router communicates at 10 Mbps, in the full duplex mode.
· 10 Mbps Half Duplex: The router communicates at 10 Mbps, in the half duplex mode.
MTU
Maximum Transmission Unit value. Default value is 1500 bytes.
Table 14: Configuration of the Network Interface global items
4.1.1 DHCP Server
The DHCP server assigns the IP address, gateway IP address (IP address of the
router) and IP address of the DNS server (IP address of the router) to the
connected clients. If these values are filled in by the user in the
configuration form, they will be preferred.
The DHCP server supports static and dynamic assignment of IP addresses.
Dynamic DHCP assigns clients IP addresses from a defined address space. Static
DHCP assigns IP addresses that correspond to the MAC addresses of connected
clients.
If IPv6 column is filled in, the DHCPv6 server is used. DHCPv6 server offers
stateful address configuration to connected clients. Only when the Subnet
Prefix above is set to 64, the DHCPv6 server offers both the stateful
address configuration and SLAAC (Stateless Address Autoconfiguration).
1Available only on models equipped with the PoE PSE functionality.
Do not overlap the ranges of statically allocated IP addresses with the addresses allocated by the dynamic DHCP server. IP address conflicts and incorrect network function can occur if you overlap the ranges.
Item
Description
Enable dynamic DHCP leases
Select this option to enable a dynamic DHCP server.
IP Pool Start
Starting IP addresses allocated to the DHCP clients. Use proper notation in IPv4 and IPv6 column.
IP Pool End
End of IP addresses allocated to the DHCP clients. Use proper IP address notation in IPv4 and IPv6 column.
Lease time
Time in seconds that the IP address is reserved before it can be re-used.
Table 15: Configuration of Dynamic DHCP Server
Item
Description
Enable static DHCP leases
Select this option to enable a static DHCP server.
MAC Address
MAC address of a DHCP client.
IPv4 Address
Assigned IPv4 address. Use proper notation.
IPv6 Address
Assigned IPv6 address. Use proper notation.
Table 16: Configuration of Static DHCP Server
4.1.2 IPv6 Prefix Delegation
This is an advanced configuration option. IPv6 prefix delegation works automatically with DHCPv6; use this form only if a different configuration is desired and you know the consequences.
If you want to override the automatic IPv6 prefix delegation, you can configure it in this form. You have to know your Subnet ID Width (part of the IPv6 address). See the figure below for help with the calculation. In that example, 48 bits is the Site Prefix, 16 bits is the Subnet ID (Subnet ID Width) and 64 bits is the Interface ID.
Figure 14: IPv6 Address with Prefix Example
Item
Description
Enable IPv6 prefix delegation
Enables the prefix delegation configuration filled in below.
Subnet ID
The decimal value of the Subnet ID of the Ethernet interface. Maximum value depends on the Subnet ID Width.
Subnet ID Width
The maximum Subnet ID Width depends on your Site Prefix; it is the remainder to 64 bits.
Table 17: IPv6 prefix delegation configuration
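The calculation behind Table 17, as an added example that is not part of the original manual or the router firmware. The site prefix 2001:db8:1234::/48 is a constructed documentation value, and the placement of the Subnet ID directly after the site prefix (giving a prefix length of site prefix plus Subnet ID Width) is an assumption based on the 48 + 16 + 64 layout described above.

```python
import ipaddress


def max_subnet_id_width(site_prefix: str) -> int:
    """Maximum Subnet ID Width: the remainder of the site prefix to 64 bits."""
    site = ipaddress.IPv6Network(site_prefix)
    if site.prefixlen > 64:
        raise ValueError(f"site prefix /{site.prefixlen} is longer than 64 bits")
    return 64 - site.prefixlen


def delegated_subnet(site_prefix: str, subnet_id: int,
                     subnet_id_width: int) -> ipaddress.IPv6Network:
    """Build the interface prefix from a site prefix, a decimal Subnet ID
    and a Subnet ID Width (in bits).

    Assumption: the Subnet ID occupies the bits immediately following the
    site prefix, so the result has length site_prefix_len + subnet_id_width.
    """
    site = ipaddress.IPv6Network(site_prefix)
    limit = max_subnet_id_width(site_prefix)
    if not 0 <= subnet_id_width <= limit:
        raise ValueError(
            f"Subnet ID Width {subnet_id_width} exceeds the maximum of {limit} "
            f"for a /{site.prefixlen} site prefix")
    # "Maximum value depends on the Subnet ID Width": 2**width - 1.
    if not 0 <= subnet_id < 2 ** subnet_id_width:
        raise ValueError(
            f"Subnet ID {subnet_id} does not fit into {subnet_id_width} bits "
            f"(maximum {2 ** subnet_id_width - 1})")
    new_len = site.prefixlen + subnet_id_width
    # Shift the Subnet ID so that its lowest bit sits at position new_len.
    base = int(site.network_address) | (subnet_id << (128 - new_len))
    return ipaddress.IPv6Network((base, new_len))


if __name__ == "__main__":
    site = "2001:db8:1234::/48"   # constructed site prefix (documentation range)
    print("maximum Subnet ID Width:", max_subnet_id_width(site))
    for sid in (0, 5, 65535):
        print(f"Subnet ID {sid:>5} ->", delegated_subnet(site, sid, 16))
    try:
        delegated_subnet(site, 65536, 16)
    except ValueError as exc:
        print("rejected:", exc)
```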
4.1.3 802.1X Authentication to RADIUS Server
Authentication (802.1X) to a RADIUS server can be enabled in the next configuration section. This functionality requires additional setting of identity and certificates as described in the following table.
Item
Description
Enable IEEE 802.1X Authentication
Select this option to enable 802.1X Authentication.
Authentication Method
Select authentication method (EAP-PEAPMSCHAPv2 or EAP-TLS).
CA Certificate
Definition of CA certificate for EAP-TLS authentication protocol.
Local Certificate
Definition of local certificate for EAP-TLS authentication protocol.
Local Private Key
Definition of local private key for EAP-TLS authentication protocol.
Identity
User name identity.
Password
Access password. This item is available for EAP-PEAPMSCHAPv2 protocol only. Enter valid characters only, see chap. 2.3!
Local Private Key Password
Definition of password for private key of EAP-TLS protocol. This item is available for EAP-TLS protocol only. Enter valid characters only, see chap. 2.3!
Table 18: Configuration of 802.1X Authentication
4.1.4 LAN Configuration Examples
Example 1: IPv4 Dynamic DHCP Server, Default Gateway and DNS Server
· The range of dynamically allocated IPv4 addresses is from 192.168.1.2 to 192.168.1.4.
· The address is allocated for 600 seconds (10 minutes).
· Default gateway IP address is 192.168.1.20.
· DNS server IP address is 192.168.1.20.
Figure 15: Network Topology for Example 1
Figure 16: LAN Configuration for Example 1
Example 2: IPv4 Dynamic and Static DHCP server
· The range of allocated addresses is from 192.168.1.2 to 192.168.1.4.
· The address is allocated for 600 seconds (10 minutes).
· The client with the MAC address 01:23:45:67:89:ab has the IP address 192.168.1.10.
· The client with the MAC address 01:54:68:18:ba:7e has the IP address 192.168.1.11.
Figure 17: Network Topology for Example 2
Figure 18: LAN Configuration for Example 2
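The overlap warning from section 4.1.1 can be checked before the values are entered in the form. The following is an added example, not part of the original manual or the router firmware: it validates a dynamic pool and a set of static leases, using the values of Example 2. The interface address 192.168.1.1/24 and the IPv6 interface address in the second call are assumptions made for the illustration.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def check_dhcp_config(interface, pool_start, pool_end, static_leases):
    """Return a list of problems (an empty list means the setup is consistent).

    interface      router address with prefix, e.g. "192.168.1.1/24" (assumed)
    pool_start/end "IP Pool Start" / "IP Pool End" of the dynamic DHCP server
    static_leases  (MAC Address, IP address) pairs of the static DHCP server
    """
    iface = ipaddress.ip_interface(interface)
    net = iface.network
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    # Mixed IPv4/IPv6 values cannot be compared, so stop early.
    if {start.version, end.version} != {net.version}:
        return ["pool addresses and interface use different IP versions"]

    problems = []
    if start > end:
        problems.append("IP Pool Start is higher than IP Pool End")
    for label, addr in (("IP Pool Start", start), ("IP Pool End", end)):
        if addr not in net:
            problems.append(f"{label} {addr} is outside {net}")
    if start <= iface.ip <= end:
        problems.append(f"router address {iface.ip} lies inside the dynamic pool")

    seen_macs, seen_ips = set(), set()
    for mac, ip_text in static_leases:
        mac = mac.strip().lower().replace("-", ":")
        if not MAC_RE.match(mac):
            problems.append(f"malformed MAC address {mac!r}")
        elif mac in seen_macs:
            problems.append(f"MAC address {mac} has more than one static lease")
        seen_macs.add(mac)

        ip = ipaddress.ip_address(ip_text)
        if ip.version != net.version:
            problems.append(f"static lease {ip} does not match the interface IP version")
            continue
        if ip in seen_ips:
            problems.append(f"static address {ip} is assigned to more than one MAC")
        seen_ips.add(ip)
        if ip not in net:
            problems.append(f"static lease {ip} is outside {net}")
        if ip == iface.ip:
            problems.append(f"static lease {ip} duplicates the router address")
        if start <= ip <= end:
            problems.append(f"static lease {ip} overlaps the dynamic pool {start}-{end}")
    return problems


# Values from Example 2 of the manual.
EXAMPLE_2_LEASES = [
    ("01:23:45:67:89:ab", "192.168.1.10"),
    ("01:54:68:18:ba:7e", "192.168.1.11"),
]

if __name__ == "__main__":
    ok = check_dhcp_config("192.168.1.1/24", "192.168.1.2", "192.168.1.4",
                           EXAMPLE_2_LEASES)
    print("Example 2:", ok or "no problems")
    # Constructed misconfiguration: a static lease placed inside the pool.
    bad = check_dhcp_config("192.168.1.1/24", "192.168.1.2", "192.168.1.4",
                            [("01:23:45:67:89:ab", "192.168.1.3")])
    print("Overlap:", bad)
```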
Example 3: IPv6 Dynamic DHCP Server
· The range of dynamically allocated IPv6 addresses is from 2001:db8::1 to 2001:db8::ffff.
· The address is allocated for 600 seconds (10 minutes).
· The router is still accessible via IPv4 (192.168.1.1).
Figure 19: Network Topology for Example 3
Figure 20: LAN Configuration for Example 3
4.2 VRRP Configuration
Select the VRRP menu item to enter the VRRP configuration. Two submenus allow you to configure up to two instances of VRRP. The VRRP protocol (Virtual Router Redundancy Protocol) allows you to transfer packet routing from the main router to a backup router in case the main router fails. (This can be used to provide a wireless cellular backup to a primary wired router in critical applications.) If Enable VRRP is checked, you may set the following parameters.
Item
Description
Protocol Version
Choose version of the VRRP (VRRPv2 or VRRPv3).
Virtual Server IP Address
This parameter sets the virtual server IP address. This address must be the same for both the primary and backup routers. Devices on the LAN will use this address as their default gateway IP address.
Virtual Server ID
This parameter distinguishes one virtual router on the network from another. The main and backup routers must use the same value for this parameter.
Host Priority
The active router with the highest priority, set by the parameter Host Priority, is the main router. According to RFC 2338, the main router should have the highest possible priority 255. The backup router(s) have a priority in the range 1 to 254 (default value is 100). A priority value of 0 is not allowed.
Table 19: VRRP configuration
You may set the Check connection flag in the second part of the window to
enable automatic test messages for the cellular network. In some cases, the
mobile WAN connection could still be active but the router will not be able to
send data over the cellular network. This feature is used to verify that data
can be sent over the PPP connection and supplements the normal VRRP message
handling. The currently active router (main/backup) will send test messages to
the defined Ping IP Address at periodic time intervals (Ping Interval) and
wait for a reply (Ping Timeout). If the router does not receive a response to
the Ping command, it will retry up to the number of times specified by the
Ping Probes parameter. After that time, it will switch itself to a backup
router until the PPP connection is restored.
You may use the DNS server of the mobile carrier as the destination IP address
for the test messages (Pings).
The Enable traffic monitoring option can be used to reduce the number of
messages that are sent to test the PPP connection. When this parameter is set,
the router will monitor the interface for any packets different from a ping.
If a response to the packet is received within the timeout specified by the
Ping Timeout parameter, then the router knows that the connection is still
active. If the router does not receive a response within the timeout period,
it will attempt to test the mobile WAN connection using standard Ping
commands.
Item
Description
Ping IP Address
Destination IP address for the Ping commands. The IP address cannot be specified as a domain name.
Ping Interval
Interval in seconds between the outgoing Pings.
Ping Timeout
Time in seconds to wait for a response to the Ping.
Ping Probes
Maximum number of failed ping requests.
Table 20: Check connection
Example of the VRRP protocol:
Figure 21: Topology of VRRP configuration example
Figure 22: Example of VRRP configuration, main router
Figure 23: Example of VRRP configuration, backup router
4.3 Mobile WAN Configuration
The ICR-3201 (LAN version) has no Mobile WAN configuration menu option.
Select the Mobile WAN item in the Configuration menu section to enter the cellular network configuration page. See Mobile WAN Configuration page in Figure 24.
Figure 24: Mobile WAN Configuration
4.3.1 Connection to Mobile Network
If the Create connection to mobile network checkbox is checked, then the
router will automatically attempt to establish a connection after booting up.
You can specify the following parameters for each SIM card separately.
Item
Description
Carrier
Available for NAM routers only. Network carrier selection. Provides either automatic detection option, or manual selection of AT&T, Rogers or Verizon.
APN
Network identifier (Access Point Name).
Username
The user name used for logging on to the GSM network.
Password
The password used for logging on to the GSM network. Enter valid characters only, see chap. 2.3!
Authentication
Authentication protocol used in the GSM network:
· PAP or CHAP: The router selects the authentication method.
· PAP: The router uses the PAP authentication method.
· CHAP: The router uses the CHAP authentication method.
IP Mode
Specifies the version of IP protocol used:
· IPv4: IPv4 protocol is used only (default).
· IPv6: IPv6 protocol is used only.
· IPv4/IPv6: IPv4 and IPv6 independent dual stack is enabled.
IP Address
For use in IPv4 and IPv4/IPv6 mode only. Specifies the IPv4 address of the SIM card. You manually enter the IP address only when mobile network carrier has assigned the IP address.
Dial Number
Specifies the telephone number which the router dials for GPRS or a CSD connection. The router uses the default telephone number *99***1 #.
Operator
Specifies the carrier code. You can specify this parameter as the PLMN preferred carrier code.
Network type
Specifies the type of protocol used in the mobile network.
· Automatic selection: The router automatically selects the transmission method according to the availability of transmission technologies. Automatic selection never selects NB-IoT networks. Use NB-IoT in the selection for NB-IoT networks.
PIN
Specifies the PIN used to unlock the SIM card. Use only if this is required by a given SIM card. The SIM card will be blocked after several failed attempts to enter the PIN.
MRU
Maximum Receive Unit: maximum size of packet that the router can receive via Mobile WAN. The default value is 1500 B. Other settings may cause the router to receive data incorrectly. Minimal value in IPv4 and IPv4/IPv6 mode: 128 B. Minimal value in IPv6 mode: 1280 B.
MTU
Maximum Transmission Unit: maximum size of packet that the router can transmit via Mobile WAN. The default value is 1500 B. Other settings may cause the router to transmit data incorrectly. Minimal value in IPv4 and IPv4/IPv6 mode: 128 B. Minimal value in IPv6 mode: 1280 B.
Table 21: Mobile WAN Connection Configuration
The following list contains tips for working with the Mobile WAN configuration form:
· If the MTU size is set incorrectly, then the router will not exceed the data
transfer. If the MTU value is set too low, more frequent fragmentation of data
will occur. More frequent fragmentation will mean a higher overhead and also
the possibility of packet damage during defragmentation. In contrast, a higher
MTU value can cause the network to drop the packet.
· If the IP address field is left blank, when the router establishes a
connection, the mobile network carrier will automatically assign an IP
address. If you assign an IP address manually, then the router will access the
network quicker.
· If the APN field is left blank, the router automatically selects the APN
using the IMSI code of the SIM card. The name of the chosen APN can be found
in the System Log.
· If you enter the word in the APN field, then the router interprets the APN
as blank.
The correct PIN must be filled in. An incorrect PIN may block the SIM card.
Parameters identified with an asterisk require you to enter the appropriate
information only if this information is required by the mobile network
carrier.
When the router is unsuccessful in establishing a connection to mobile
network, you should verify accuracy of the entered data. Alternatively, you
could try a different authentication method or network type.
4.3.2 DNS Address Configuration
The DNS Settings parameter is designed for easier configuration on the client’s side. When this value is set to get from operator, the router will attempt to automatically obtain the IP addresses of the primary and secondary DNS servers of the mobile network carrier. To specify the IP addresses of the Primary DNS servers manually, select the value set manually on the DNS Server pull-down list. You can also fill in the IPv4 or IPv6 address of the DNS server (or both) based on the IP Mode option.
4.3.3 Check Connection to Mobile Network
Enabling the Check Connection function for mobile networks is necessary for
uninterrupted and continuous operation of the router.
If the Check Connection item is set to enabled or enabled + bind, the router
will be sending the ping requests to the specified domain or IP address
configured in Ping IP Address or Ping IPv6 Address at regular time intervals
set up in the Ping Interval.
In case of an unsuccessful ping, a new ping will be sent after the Ping
Timeout. If the ping is unsuccessful three times in a row, the router will
terminate the cellular connection and will attempt to establish a new one.
This monitoring function can be set for both SIM cards separately, but it runs only on the SIM card that is active at the given time. Be sure to configure a functional address as the destination for the ping, for example an IP address of the operator’s DNS server.
If the Check Connection item is set to enabled, the ping requests are sent on the basis of the routing table. Therefore, the requests may be sent through any available interface. If you require each ping request to be sent through the network interface that was created when establishing the connection to the mobile operator, set Check Connection to enabled + bind. The disabled option deactivates checking of the connection to the mobile network.
A note for routers connected to the Verizon carrier (detected by the router): The retry interval for connecting to the mobile network grows with the number of retries. The first two retries are done after 1 minute. Then the interval is prolonged to 2, 8 and 15 minutes. The ninth and every subsequent retry is done at a 90-minute interval.
If Enable Traffic Monitoring item is checked, the router will monitor the
Mobile WAN traffic without sending the ping requests. If there is no traffic,
the router will start sending the ping requests.
Item
Description
Ping IP Address
Specifies the ping queries destination IPv4 address or domain name. Available in IPv4 and IPv4/IPv6 IP Mode.
Ping IPv6 Address
Specifies the ping queries destination IPv6 address or domain name. Available in IPv6 and IPv4/IPv6 IP Mode.
Ping Interval
Specifies the time interval between outgoing pings.
Ping Timeout
Time in seconds to wait for a Ping response.
Table 22: Check Connection to Mobile Network Configuration
4.3.4 Check Connection Example
The figure below displays the following scenario: the connection to the mobile
network in IPv4 IP Mode is controlled on the address 8.8.8.8 with a time
interval of 60 seconds for the first SIM card and on the address
www.google.com with the time interval 80 seconds for the second SIM card (for
an active SIM only). Because the Enable traffic monitoring option is enabled,
the control pings are not sent, but the data stream is monitored. The ping
will be sent, if the data stream is interrupted.
Figure 25: Check Connection Example
4.3.5 Data Limit Configuration
Item
Description
Data Limit
Specifies the maximum expected amount of data transmitted (sent and received) over the mobile interface in one billing period (one month). Maximum value is 2 TB (2097152 MB).
Warning Threshold
Specifies a percentage of the “Data Limit” in the range of 50 % to 99 %. If the given percentage of the data limit is exceeded, the router will send an SMS in the following form: Router has exceeded (value of Warning Threshold) of data limit.
Accounting Start
Specifies the day of the month in which the billing cycle starts for a given SIM card. When the service provider that issued the SIM card specifies the start of the billing period, the router will begin to count the amount of data transferred starting on this day.
Table 23: Data Limit Configuration
If the parameter Data Limit State (see below) is set to not applicable or Send
SMS when data limit is exceeded in SMS Configuration is not selected, the Data
Limit set here will be ignored.
4.3.6 Switch between SIM Cards Configuration
In the lower part of the configuration form you can specify the rules for
toggling between the two SIM cards.
The router will automatically toggle between the SIM cards and their
individual setups depending on the configuration settings specified here
(manual permission, roaming, data limit, binary input state). Note that the
SIM card selected for connection establishment is the result of the logical
product (AND) of the configuration here (table below).
Item
Description
SIM Card
Enable or disable the use of a SIM card. If you set all the SIM cards to disabled, this means that the entire cellular module is disabled.
· enabled: It is possible to use the SIM card.
· disabled: Never use the SIM card, the usage of this SIM is forbidden.
Roaming State
Configure the use of SIM cards based on roaming. This roaming feature has to be activated for the SIM card on which it is enabled!
· not applicable: It is possible to use the SIM card everywhere.
· home network only: Only use the SIM card if roaming is not detected.
Data Limit State
Configure the use of SIM cards based on the Data Limit set above:
· not applicable: It is possible to use the SIM regardless of the limit.
· not exceeded: Use the SIM card only if the Data Limit (set above) has not been exceeded.
BINx State
Configure the use of SIM cards based on binary input x state, where x is the input number:
· not applicable: It is possible to use the SIM regardless of BINx state.
· on: Only use the SIM card if the BINx state is logical 0 (voltage present).
· off: Only use the SIM card if the BINx state is logical 1 (no voltage).
Table 24: Switch between SIM cards configuration
Use the following parameters to specify the decision making of SIM card
switching in the cellular module.
Item
Description
Default SIM Card
Specifies the module’s default SIM card. The router will attempt to establish a connection to the mobile network using this default.
· 1st: The 1st SIM card is the default one.
· 2nd: The 2nd SIM card is the default one.
Initial State
Specifies the action of the cellular module after the SIM card has been selected.
· online: establish connection to the mobile network after the SIM card has been selected (default).
· offline: go to the off-line mode after the SIM card has been selected.
Note: If offline, you can change this initial state by SMS message only, see SMS Configuration. The cellular module will also go into off-line mode if none of the SIM cards is selected.
Switch to other SIM card when connection fails
Applicable only when connection is established on the default SIM card and then fails. If the connection failure is detected by the Check Connection feature above, the router will switch to the backup SIM card.
Switch to default SIM card after timeout
If enabled, after timeout, the router will attempt to switch back to the default SIM card. This applies only when there is a default SIM card defined and the backup SIM is selected because of a failure of the default one or if roaming settings cause the switch. This feature is available only when Switch to other SIM card when connection fails is enabled.
Initial Timeout
Specifies the length of time that the router waits before the first attempt to revert to the default SIM card. The range of this parameter is from 1 to 10000 minutes.
Subsequent Timeout
Specifies the length of time that the router waits after an unsuccessful attempt to revert to the default SIM card. The range is from 1 to 10000 minutes.
Additive Constant
Specifies the length of time that the router waits for any further attempts to revert to the default SIM card. This length of time is the sum of the time specified in the “Subsequent Timeout” parameter and the time specified in this parameter. The range of this parameter is from 1 to 10000 minutes.
Table 25: Parameters for SIM card switching
4.3.7 Examples of SIM Card Switching Configuration
Example 1: Timeout Configuration
Mark the Switch to default SIM card after timeout check box, and fill in the following values:
Figure 26: Configuration for SIM card switching Example 1
The first attempt to change to the default SIM card is carried out after 60 minutes. When the first attempt fails, a second attempt is made after 30 minutes. A third attempt is made after 50 minutes (30+20). A fourth attempt is made after 70 minutes (30+20+20).
Example 2: Data Limit Switching
The following configuration illustrates a scenario in which the router changes to the second SIM card after exceeding the data limit of 800 MB on the first (default) SIM card. The router sends an SMS upon reaching 400 MB (this setting has to be enabled on the SMS Configuration page). The accounting period starts on the 18th day of the month.
Figure 27: Configuration for SIM card switching Example 2
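The switching rules of Tables 24 and 25 and the two examples above, modelled as an added example that is not part of the original manual and is not the router's firmware logic. The class and function names are hypothetical, the timeout values 60, 30 and 20 are inferred from the text of Example 1, and "exceeded" is assumed to mean strictly more than the Data Limit.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class SimConfig:
    """Per-SIM settings from Table 24 (values spelled as in the GUI)."""
    sim_card: str = "enabled"                 # enabled | disabled
    roaming_state: str = "not applicable"     # not applicable | home network only
    data_limit_state: str = "not applicable"  # not applicable | not exceeded
    bin_state: str = "not applicable"         # not applicable | on | off
    data_limit_mb: Optional[int] = None       # "Data Limit" from Table 23


@dataclass
class SimStatus:
    """Runtime observations for one SIM (hypothetical structure)."""
    roaming: bool = False
    used_mb: float = 0.0


def sim_allowed(cfg: SimConfig, status: SimStatus, bin_voltage_present: bool) -> bool:
    """Logical product (AND) of the four Table 24 conditions."""
    if cfg.data_limit_state == "not exceeded" and cfg.data_limit_mb is None:
        raise ValueError("Data Limit State is 'not exceeded' but no Data Limit is set")
    conditions = [
        cfg.sim_card == "enabled",
        cfg.roaming_state == "not applicable" or not status.roaming,
        cfg.data_limit_state == "not applicable"
        or status.used_mb <= cfg.data_limit_mb,
        # "on" requires voltage present (logical 0), "off" requires no voltage.
        cfg.bin_state == "not applicable"
        or (cfg.bin_state == "on" and bin_voltage_present)
        or (cfg.bin_state == "off" and not bin_voltage_present),
    ]
    return all(conditions)


def select_sim(default_sim: int, configs: Dict[int, SimConfig],
               statuses: Dict[int, SimStatus],
               bin_voltage_present: bool = False) -> Optional[int]:
    """Prefer the Default SIM Card, fall back to the other one.
    None means no SIM is selected, i.e. the module goes off-line."""
    order = [default_sim] + [s for s in sorted(configs) if s != default_sim]
    for sim in order:
        if sim_allowed(configs[sim], statuses[sim], bin_voltage_present):
            return sim
    return None


def revert_delays(initial: int, subsequent: int, additive: int,
                  attempts: int) -> List[int]:
    """Waiting time in minutes before each attempt to revert to the default SIM."""
    for name, value in (("Initial Timeout", initial),
                        ("Subsequent Timeout", subsequent),
                        ("Additive Constant", additive)):
        if not 1 <= value <= 10000:
            raise ValueError(f"{name} must be in the range 1 to 10000 minutes")
    delays = []
    for n in range(attempts):
        # First attempt uses the Initial Timeout; every later one grows by
        # the Additive Constant on top of the Subsequent Timeout.
        delays.append(initial if n == 0 else subsequent + (n - 1) * additive)
    return delays


if __name__ == "__main__":
    print("Example 1 delays:", revert_delays(60, 30, 20, 4))
    # Example 2: 800 MB limit on the first (default) SIM card.
    configs = {1: SimConfig(data_limit_state="not exceeded", data_limit_mb=800),
               2: SimConfig()}
    for used in (400, 801):
        statuses = {1: SimStatus(used_mb=used), 2: SimStatus()}
        print(f"{used} MB used on SIM 1 -> SIM", select_sim(1, configs, statuses))
```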
4.3.8 PPPoE Bridge Mode Configuration
If you mark the Enable PPPoE bridge mode check box, the router activates the
PPPoE bridge protocol. PPPoE (point-to-point over ethernet) is a network
protocol for encapsulating Point-to-Point Protocol (PPP) frames inside
Ethernet frames. The bridge mode allows you to create a PPPoE connection from
a device behind the router. For example, a PC connected to the ETH port of the
router. You assign the IP address of the SIM card to the PC. The changes in
settings will apply after clicking the Apply button.
4.4 PPPoE Configuration
PPPoE (Point-to-Point over Ethernet) is a network protocol which encapsulates
PPP frames into Ethernet frames. The router uses the PPPoE client to connect
to devices supporting a PPPoE bridge or server. The bridge or server is
typically an ADSL router.
To open the PPPoE Configuration page, select the PPPoE menu item. If you mark
the Create PPPoE connection check box, then the router attempts to establish a
PPPoE connection after boot up. After connecting, the router obtains the IP
address of the device to which it is connected. The communications from a
device behind the PPPoE server is forwarded to the router.
Figure 28: PPPoE Configuration
Item
Description
Username
Username for secure access to PPPoE.
Password
Password for secure access to PPPoE. Enter valid characters only, see chap. 2.3!
Authentication
Authentication protocol in GSM network.
· PAP or CHAP: The router selects the authentication method.
· PAP: The router uses the PAP authentication method.
· CHAP: The router uses the CHAP authentication method.
IP Mode
Specifies the version of IP protocol:
· IPv4: IPv4 protocol is used only (default).
· IPv6: IPv6 protocol is used only.
· IPv4/IPv6: IPv4 and IPv6 dual stack is enabled.
MRU
Specifies the Maximum Receiving Unit. The MRU identifies the maximum packet size that the router can receive via PPPoE. The default value is 1492 B (bytes). Other settings can cause incorrect data transmission. Minimal value in IPv4 and IPv4/IPv6 mode is 128 B. Minimal value in IPv6 mode is 1280 B.
MTU
Specifies the Maximum Transmission Unit. The MTU identifies the maximum packet size that the router can transfer in a given environment. The default value is 1492 B (bytes). Other settings can cause incorrect data transmission. Minimal value in IPv4 and IPv4/IPv6 mode is 128 B. Minimal value in IPv6 mode is 1280 B.
DNS Settings
Can be set to obtain the DNS address from the server or to set it manually.
DNS IP Address
Manual setting of DNS address.
DNS IP Address
Manual setting of IPv6 DNS address.
Interface
Select an Ethernet interface.
VLAN Tagging
Select yes to turn on the VLAN tagging.
VLAN ID
Set the ID for VLAN tagging. The range is from 1 to 1000.
Table 26: PPPoE configuration
Setting an incorrect packet size value (MRU, MTU) can cause unsuccessful transmission.
4.5 WiFi Access Point Configuration
This item is available only if the router is equipped with a WiFi module.
ICR-3241(W)-1ND models may have some default configurations different or restricted.
Configuration of two separated WLANs (Multiple SSIDs) is supported.
Multi-role mode, which allows the router to operate as an access point (AP) and a station (STA) simultaneously, is supported. The multichannel mode is not supported, so the AP and the STA must operate on the same channel. Please note that only one AP can be activated together with the STA in operation.
RADIUS (Remote Authentication Dial-In User Service), a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users, is supported on WiFi. The router can act as a RADIUS client only (not as the server), typically as a WiFi AP (Access Point) negotiating with the RADIUS server.
Activate WiFi access point mode by checking Enable WiFi AP box at the top of
the Configuration -> WiFi -> Access Point 1 or Access Point 2 configuration
pages. In this mode the router becomes an access point to which other devices
in station (STA) mode can connect. You may set the following properties listed
in the table below.
Item Enable WiFi AP IP Address
Subnet Mask / Prefix Bridged
Description
Enable WiFi access point (AP).
A fixed IP address of the WiFi interface. Use IPv4 notation in IPv4 column and
IPv6 notation in IPv6 column. Shortened IPv6 notation is supported.
Specifies a Subnet Mask for the IPv4 address. In the IPv6 column, fill in the
Prefix for the IPv6 address number in range 0 to 128.
Activates bridge mode:
· no Bridged mode is not allowed (default value). WLAN network is not
connected with LAN network of the router.
· yes Bridged mode is allowed. WLAN network is connected with one or more
LAN networks of the router. In this case, the setting of most items in this
table are ignored. Instead, the router uses the settings of the selected
network interface (LAN).
Enable dynamic DHCP leases
Enable dynamic allocation of IP addresses using the DHCP (DHCPv6) server.
IP Pool Start: Beginning of the range of IP addresses which will be assigned to DHCP clients. Use proper notation in IPv4 and IPv6 column.
IP Pool End: End of the range of IP addresses which will be assigned to DHCP clients. Use proper notation in IPv4 and IPv6 column.
Lease Time: Time in seconds for which the client may use the IP address.
Enable IPv6 prefix delegation: Enables prefix delegation configuration filled-in below.
Subnet ID: The decimal value of the Subnet ID of the Ethernet interface. Maximum value depends on the Subnet ID Width.
Subnet ID Width: The maximum Subnet ID Width depends on your Site Prefix: it is the remainder to 64 bits.
SSID: The unique identifier of WiFi network.
Broadcast SSID: Method of broadcasting the unique identifier of SSID network in beacon frame and type of response to a request for sending the beacon frame.
· Enabled: SSID is broadcasted in beacon frame.
· Zero length: Beacon frame does not include SSID. Requests for sending beacon frame are ignored.
· Clear: All SSID characters in beacon frames are replaced by 0. Original length is kept. Requests for sending beacon frames are ignored.
SSID Isolation: When enabled, by choosing a zone, a WiFi client connected to this Access Point is not able to communicate with another WiFi client connected to another Access Point, having another zone selected. This client still can communicate with a client connected to the same Access Point, unless the Client Isolation is enabled.
Client Isolation: If checked, the access point will isolate every connected client so they do not see each other (they are in different networks, they cannot PING between each other). If unchecked, the access point behavior is like a switch, but wireless: the clients are in the same LAN and can see each other.
WMM: Basic QoS for WiFi networks is enabled by checking this item. This version doesn’t guarantee network throughput. It is suitable for simple applications that require QoS.
Country Code: This option is not available for NAM routers; the “US” country code is set by default on these versions of router. Code of the country where the router is installed. This code must be entered in ISO 3166-1 alpha-2 format. If a country code isn’t specified and the router has not implemented a system to determine this code, it will use “US” as the default country code. If no country code is specified or if the wrong country code is entered, the router may violate country-specific regulations for the use of WiFi frequency bands.
HW Mode: HW mode of WiFi standard that will be supported by WiFi access point.
· IEEE 802.11b (2.4 GHz)
· IEEE 802.11b+g (2.4 GHz)
· IEEE 802.11b+g+n (2.4 GHz)
· IEEE 802.11a (5 GHz)
· IEEE 802.11a+n (5 GHz)
· IEEE 802.11ac (5 GHz)
Channel: The channel, where the WiFi AP is transmitting. Supported 2.4 GHz channels: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13. On NAM routers only channels 1 to 11 are supported! Supported 5 GHz channels: 36, 38, 40, 42, 44, 46, 48, 149, 153, 157, 161, 165.
Bandwidth: The option for HW mode 802.11n which allows to choose the bandwidth. If the 40 MHz channel is occupied, for 802.11bgn mode, the 20 MHz channel is used instead.
Short GI: The option for HW mode 802.11n which allows to enable the short guard interval (GI) of 400 ns instead of 800 ns.
Authentication: Access control and authorization of users in the WiFi network.
· Open: Authentication is not required (free access point).
· Shared: Basic authentication using WEP key.
· WPA-PSK: Authentication using higher authentication methods PSK-PSK.
· WPA2-PSK: WPA2-PSK using newer AES encryption.
· WPA3-PSK: WPA3-PSK using newer AES encryption.
· WPA-Enterprise: RADIUS authentication done by external server via username and password.
· WPA2-Enterprise: RADIUS authentication with better encryption.
· WPA3-Enterprise: RADIUS authentication with better encryption.
· 802.1X: RADIUS authentication with port-based Network Access Control (PNAC) using encapsulation of the Extensible Authentication Protocol (EAP) over LAN (EAPOL).
Encryption: Type of data encryption in the WiFi network:
· None: No data encryption.
· WEP: Encryption using static WEP keys. This encryption can be used for Shared authentication.
· TKIP: Dynamic encryption key management that can be used for WPA-PSK and WPA2-PSK authentication.
· AES: Improved encryption used for WPA2-PSK authentication.
WEP Key Type: Type of WEP key for WEP encryption:
· ASCII: WEP key in ASCII format.
· HEX: WEP key in hexadecimal format.
WEP Default Key: This specifies the default WEP key.
WEP Key 1-4: Allows entry of four different WEP keys:
· WEP key in ASCII format must be entered in quotes. This key can be specified in the following lengths:
  5 ASCII characters (40b WEP key)
  13 ASCII characters (104b WEP key)
  16 ASCII characters (128b WEP key)
· WEP key in hexadecimal format must be entered in hexadecimal digits. This key can be specified in the following lengths:
  10 hexadecimal digits (40b WEP key)
  26 hexadecimal digits (104b WEP key)
  32 hexadecimal digits (128b WEP key)
WPA PSK Type: The possible key options for WPA-PSK authentication.
· 256-bit secret
· ASCII passphrase
· PSK File
WPA PSK: Key for WPA-PSK authentication. This key must be entered according to the selected WPA PSK type as follows:
· 256-bit secret: 64 hexadecimal digits
· ASCII passphrase: 8 to 63 characters
· PSK File: absolute path to the file containing the list of pairs (PSK key, MAC address)
RADIUS Auth Server IP: IPv4 or IPv6 address of the RADIUS server. Only with one of RADIUS authentications selected.
RADIUS Auth Password: RADIUS server access password. Only with one of RADIUS authentications selected.
RADIUS Auth Port: RADIUS server port. The default is 1812. Only with one of RADIUS authentications selected.
RADIUS Acct Server IP: IPv4 or IPv6 address of the RADIUS accounting server. Define only if different from the authentication and authorization server. Only with one of RADIUS authentications selected.
RADIUS Acct Password: Access password of RADIUS accounting server. Define only if different from the authentication and authorization server. Only with one of RADIUS authentications selected.
RADIUS Acct Port: RADIUS accounting server port. The default is 1813. Define only if different from the authentication and authorization server. Only with one of RADIUS authentications selected.
Access List: Mode of Accept/Deny list.
· Disabled: Accept/Deny list is not used.
· Accept: Clients in Accept/Deny list can access the network.
· Deny: Clients in Accept/Deny list cannot access the network.
Accept/Deny List: Accept or Deny list of client MAC addresses that set network access. Each MAC address is separated by a new line.
Syslog Level: Logging level, when system writes to the system log.
· Verbose debugging: The highest level of logging.
· Debugging
· Informational: Default level of logging.
· Notification
· Warning: The lowest level of system communication.
Extra options: Allows the user to define additional parameters.
Table 27: WiFi Configuration
Figure 29: WiFi Access Point Configuration
4.6 WiFi Station Configuration
This item is available only if the router is equipped with a WiFi module.
ICR-3241(W)-1ND models may have some default configurations different or restricted.
The WiFi module supports multi-role mode, which allows it to operate as an access point (AP) and a station (STA) simultaneously. The multichannel mode is not supported, so the AP and the STA must operate on the same channel.
Activate WiFi station mode by checking the Enable WiFi STA box at the top of the Configuration -> WiFi -> Station configuration page. In this mode the router becomes a client station. It will receive data packets from the available access point (AP) and send data from cable connection via the WiFi network. You may set the following properties listed in the table below.
In WiFi STA mode, only the authentication methods EAP-PEAP/MSCHAPv2 (both PEAPv0 and PEAPv1) and EAP-TLS are supported.
Enable WiFi STA: Enable WiFi station (STA).
DHCP Client: Activates/deactivates DHCP client. If in IPv6 column, the DHCPv6 client is enabled.
IP Address: A fixed IP address of the WiFi interface. Use IPv4 notation in IPv4 column and IPv6 notation in IPv6 column. Shortened IPv6 notation is supported.
Subnet Mask / Prefix: Specifies a Subnet Mask for the IPv4 address. In the IPv6 column, fill in the Prefix for the IPv6 address, a number in the range 0 to 128.
Default Gateway: Specifies the IP address of a default gateway. If filled-in, every packet with the destination not found in the routing table is sent there. Use proper IP address notation in IPv4 and IPv6 column.
DNS Server: Specifies the IP address of the DNS server. When the IP address is not found in the Routing Table, this DNS server is requested. Use proper IP address notation in IPv4 and IPv6 column.
SSID: The unique identifier of WiFi network.
Probe Hidden SSID: Probes hidden SSID.
Country Code: This option is not available for NAM routers; the “US” country code is set by default on these versions of router. Code of the country where the router is installed. This code must be entered in ISO 3166-1 alpha-2 format. If a country code isn’t specified and the router has not implemented a system to determine this code, it will use “US” as the default country code. If no country code is specified or if the wrong country code is entered, the router may violate country-specific regulations for the use of WiFi frequency bands.
Authentication: Access control and authorization of users in the WiFi network.
· Open: Authentication is not required (free access point).
· Shared: Basic authentication using WEP key.
· WPA-PSK: Authentication using higher authentication methods PSK-PSK.
· WPA2-PSK: WPA2-PSK using newer AES encryption.
· WPA3-PSK: WPA3-PSK using newer AES encryption.
· WPA-Enterprise: RADIUS authentication done by external server via username and password.
· WPA2-Enterprise: RADIUS authentication with better encryption.
· WPA3-Enterprise: RADIUS authentication with better encryption.
· 802.1X: RADIUS authentication with port-based Network Access Control (PNAC) using encapsulation of the Extensible Authentication Protocol (EAP) over LAN (EAPOL).
Encryption: Type of data encryption in the WiFi network:
· None: No data encryption.
· WEP: Encryption using static WEP keys. This encryption can be used for Shared authentication.
· TKIP: Dynamic encryption key management that can be used for WPA-PSK and WPA2-PSK authentication.
· AES: Improved encryption used for WPA2-PSK authentication.
WEP Key Type: Type of WEP key for WEP encryption:
· ASCII: WEP key in ASCII format.
· HEX: WEP key in hexadecimal format.
WEP Default Key: This specifies the default WEP key.
WEP Key 1-4: Allows entry of four different WEP keys:
· WEP key in ASCII format must be entered in quotes. This key can be specified in the following lengths:
  5 ASCII characters (40b WEP key)
  13 ASCII characters (104b WEP key)
  16 ASCII characters (128b WEP key)
· WEP key in hexadecimal format must be entered in hexadecimal digits. This key can be specified in the following lengths:
  10 hexadecimal digits (40b WEP key)
  26 hexadecimal digits (104b WEP key)
  32 hexadecimal digits (128b WEP key)
WPA PSK Type: The possible key options for WPA-PSK authentication.
· 256-bit secret
· ASCII passphrase
· PSK File
WPA PSK: Key for WPA-PSK authentication. This key must be entered according to the selected WPA PSK type as follows:
· 256-bit secret: 64 hexadecimal digits
· ASCII passphrase: 8 to 63 characters
· PSK File: absolute path to the file containing the list of pairs (PSK key, MAC address)
RADIUS EAP Authentication: Type of authentication protocol (EAP-PEAP/MSCHAPv2 or EAP-TLS).
RADIUS CA Certificate: Definition of CA certificate for EAP-TLS authentication protocol.
RADIUS Local Certificate: Definition of local certificate for EAP-TLS authentication protocol.
RADIUS Local Private Key: Definition of local private key for EAP-TLS authentication protocol.
RADIUS Identity: RADIUS user name identity. Only with one of RADIUS authentications selected.
RADIUS Password: RADIUS access password. Only with one of RADIUS authentications selected.
Syslog Level: Logging level, when system writes to the system log.
· Verbose debugging: The highest level of logging.
· Debugging
· Informational: Default level of logging.
· Notification
· Warning: The lowest level of system communication.
Extra options: Allows the user to define additional parameters.
Table 28: WLAN Configuration
All changes in settings will apply after pressing the Apply button.
Figure 30: WiFi Station Configuration
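The key formats listed for WEP Key 1-4 and WPA PSK in the access point and station tables can be checked before a value is entered. The following is an added example, not Advantech code: it validates values against those lengths and, going beyond the tables, shows how WPA/WPA2-Personal maps an ASCII passphrase and SSID to the 256-bit secret (PBKDF2-HMAC-SHA1, 4096 iterations). All function names are hypothetical and the sample values are constructed.

```python
"""Added example: check WiFi key material against the formats in the tables above."""
import hashlib
import string

HEX_DIGITS = set(string.hexdigits)
# Key length -> WEP key size in bits, as listed for "WEP Key 1-4".
WEP_LENGTHS = {
    "ASCII": {5: 40, 13: 104, 16: 128},
    "HEX": {10: 40, 26: 104, 32: 128},
}


def is_printable_ascii(text):
    """True if every character is in the printable ASCII range 32..126."""
    return all(32 <= ord(ch) <= 126 for ch in text)


def wep_key_bits(key, key_type):
    """Return 40, 104 or 128 for a valid key (given without the GUI's quotes)."""
    if key_type not in WEP_LENGTHS:
        raise ValueError("WEP Key Type must be 'ASCII' or 'HEX'")
    valid_chars = (is_printable_ascii(key) if key_type == "ASCII"
                   else all(ch in HEX_DIGITS for ch in key))
    if not valid_chars or len(key) not in WEP_LENGTHS[key_type]:
        raise ValueError(f"not a valid {key_type} WEP key (length {len(key)})")
    return WEP_LENGTHS[key_type][len(key)]


def classify_wpa_psk(value):
    """Return the WPA PSK Type a value fits: '256-bit secret' or 'ASCII passphrase'."""
    if len(value) == 64 and all(ch in HEX_DIGITS for ch in value):
        return "256-bit secret"
    # A passphrase is at most 63 characters, so it never collides with 64 hex digits.
    if 8 <= len(value) <= 63 and is_printable_ascii(value):
        return "ASCII passphrase"
    raise ValueError("expected 64 hexadecimal digits or 8 to 63 ASCII characters")


def passphrase_to_secret(passphrase, ssid):
    """Derive the 256-bit secret that WPA/WPA2-Personal computes from a passphrase.

    PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 32 output bytes.
    WPA3-PSK (SAE) does not use this mapping.
    """
    if classify_wpa_psk(passphrase) != "ASCII passphrase":
        raise ValueError("input is already a 256-bit secret")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32).hex()


def weak_choices(authentication, encryption):
    """List the selected table options that give no or only deprecated protection."""
    findings = []
    if authentication == "Open" and encryption == "None":
        findings.append("Open/None: no authentication and no encryption")
    if authentication == "Shared" or encryption == "WEP":
        findings.append("WEP: static keys, deprecated by IEEE 802.11")
    if encryption == "TKIP":
        findings.append("TKIP: deprecated by IEEE 802.11, prefer AES")
    return findings


if __name__ == "__main__":
    # Constructed sample values; "password"/"IEEE" is the IEEE 802.11i test vector.
    print(wep_key_bits("0123456789", "HEX"))
    print(classify_wpa_psk("correct horse battery"))
    print(passphrase_to_secret("password", "IEEE"))
    print(weak_choices("WPA2-PSK", "TKIP"))
```

Because the SSID is the salt, the same passphrase yields a different 256-bit secret on every differently named network, so a secret entered as 64 hexadecimal digits must be recomputed whenever the SSID changes.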
4.7 Backup Routes
Note that some interfaces, typically WiFi, ETH2, or ETH1, may not be available
for some router product lines or for the model you are currently using.
Typically, you want the router to direct traffic from the whole LAN (Local
Area Network) behind the router to an external WAN (Wide Area Network)
outside, such as the Internet.
Backup Routes is a mechanism that enables customizing which router’s
interfaces will be used for communication to the WAN outside the router. The
Backup Routes configuration page is shown in Figure 31.
You may not care about this configuration and leave this process on the
default router mechanism. In this case, leave the Backup Routes configuration
page as it is, unconfigured, and the router will proceed as described in
Chapter 4.7.1.
If you want to set up this feature your way, see Chapter 4.7.2 for more
information.
4.7.1 Default Priorities for Backup Routes
By default, when the first checkbox, Enable backup routes switching, is
unchecked, the backup routes system is not user customized and operates with
the default mechanism. Instead, the router selects a route to the WAN based on
the default priorities.
The following is the list of the network interfaces in descending order from
the highest priority to the lowest priority interface for use as a WAN
interface.
1. Mobile WAN (pppX, usbX)
2. PPPoE (ppp0)
3. WiFi STA (wlan0)
4. ETH1 (eth1)
5. ETH2 (eth2)
6. ETH0 (eth0)
For example, based on the list above, we can say that the ETH1 interface will only be used as the WAN interface if Mobile WAN, PPPoE, and WiFi STA interfaces are down or disabled.
It is clear from the above that an interface connected to a LAN network can take over the role of a WAN interface under certain circumstances. Possible communication from the LAN to the WAN can be blocked or forwarded by rules configured on the NAT and Firewall configuration pages.
Note that an ETH interface won’t be used as WAN for the default backup route
priorities if it has no IP address configured or the DHCP client is disabled
for this ETH interface. Also, unplugging the Ethernet cable does not switch
the route to the next one (true just for the Default Priorities mode).
4.7.2 User Customized Backup Routes
You can choose preferred router interfaces acting as the WAN, including their
priorities, on the Backup Routes configuration page; see Figure 31. Switching
between the WAN is then carried out according to the order of priority and the
state of all the affected interfaces.
There are three different modes you can choose for the connection backup as
described in Table 29.
Enable backup routes switching: Enables the customized backup routes setting made on the whole configuration page. If disabled (unchecked), the backup routes system operates in the default mechanism, as described in Chapter 4.7.1.
Mode:
Single WAN
· Just one interface is used for the WAN communication at a time.
· Other interfaces (if enabled) are used as the backup routes for the WAN communication when the active interface fails (based on the priorities set).
· Just one interface, currently active, is allowed to access the router from a network outside the router.
Multiple WANs
· Just one interface is used for the WAN communication at a time.
· Other interfaces (if enabled) are used as the backup routes for the WAN communication when the active interface fails (based on the priorities set).
· The router is accessible from networks outside on all enabled interfaces. This is the only difference from the Single WAN mode.
Load Balancing
· In this mode, it is possible to split the volume of data passing through individual WAN interfaces.
· If the mode was chosen, the weight for every interface is enabled in the GUI and can be set.
· This setting determines the relative number of data streams passing through the interfaces.
Table 29: Backup Routes Modes
You have now selected a backup route mode. To add a network interface to the backup routes system, mark the enable checkbox of that interface. Enabled interfaces are used for WAN access based on their priorities.
Note for Load Balancing mode: The weight setting for load balancing may not precisely match the amount of balanced data. It depends on the number of data flows and the data structure. The best result of the balancing is achieved for a high amount of data flows.
Note for Mobile WAN: If you want to use a mobile WAN connection as a backup route, choose the enable + bind option in the Check Connection item on the Mobile WAN page and fill in the ping address; see chapter 4.3.1.
Note for an ETH interface: Unlike the default backup route mode, disconnecting the Ethernet cable from an ETH interface switches the route to the next in the sequence.
Settings, which can be made for each interface, are described in the table below. Any changes made to settings will be applied after pressing the Apply button.
Priority: Priority for the type of connection (network interface).
Ping IP Address: Destination IPv4 address or domain name of ping queries to check the connection.
Ping IPv6 Address: Destination IPv6 address or domain name of ping queries to check the connection.
Ping Interval: The time interval between consecutive ping queries.
Ping Timeout: Time in seconds to wait for a response to the ping.
Weight: Weight for the Load Balancing mode only. The number from 1 to 256 determines the ratio for load balancing of the interface. For example, if two interfaces set the weight to 1, the ratio is 50% to 50%. If they set the weights to 1 and 4, the ratio is 20% to 80%.
Table 30: Backup Routes Configuration
Other notes:
· The system checks the state of an interface. For example, unlike the
Default Priorities mode, unplugging the Ethernet cable triggers a switchover
to the next WAN interface in the sequence.
· To monitor the interface availability, you can use one or both Ping IP
Addresses (IPv4 and IPv6) based on the IP protocol used on a particular
network interface and WAN connection settings.
Figure 31: Backup Routes Configuration GUI
4.7.3 Backup Routes Examples
Example 1: Default Settings
As already described above, by default, if the Backup Routes are unconfigured, the system operates with the default priorities as described in Chapter 4.7.1. Figure 32 shows the GUI configuration.
Note: Assume all the affected interfaces are correctly configured and activated on their configuration pages.
Figure 32: Example 1: GUI Configuration
Figure 33 illustrates the example topology.
Figure 33: Example 1: Topology
Example 2: Default Routes Switching
This example illustrates when the interface, primarily used for the WAN connection, is down. Its role is taken over by the interface with the second highest priority. Since the Backup Routes configuration is still unconfigured, the system operates with the default system priorities described in Chapter 4.7.1. Figure 34 shows the GUI configuration.
Note: Assume all the affected interfaces are correctly configured and activated on their configuration pages.
Figure 34: Example 2: GUI Configuration
Figure 35 illustrates the example topology.
Figure 35: Example 2: Topology
Example 3: Custom Backup Routes
This example illustrates the configuration of custom backup routes for the Mobile WAN, PPPoE, and ETH1 interfaces. The Mobile WAN interface has the highest priority, and the ETH1 interface has the lowest priority. Figure 36 shows the GUI configuration.
Note: Assume all the affected interfaces are correctly configured and activated on their configuration pages.
Figure 36: Example 3: GUI Configuration
Figure 37 illustrates the example topology for Single WAN mode. If the Mobile WAN connection goes down, the PPPoE tunnel takes its role, and so on. The ping to the 172.16.1.1 address, tested every 30 seconds with a timeout of 10 seconds, checks the status of the PPPoE tunnel.
Figure 38 illustrates the example topology for Multiple WAN mode. As you can see, the only difference between these two modes is that in the Multiple WAN mode, the router is accessible on all interfaces from the WAN simultaneously.
Figure 37: Example 3: Topology for Single WAN mode
Figure 38: Example 3: Topology for Multiple WAN mode
Example 4: Load Balancing Mode
This example illustrates the Load Balancing mode configuration. There are just two interfaces configured, the Mobile WAN and PPPoE. The weight is set to 4 and 1, so the traffic data volume is approximately 80 and 20 percent. Figure 39 shows the GUI configuration.
Figure 39: Example 4: GUI Configuration
Figure 40 illustrates the example topology.
Figure 40: Example 4: Topology
Example 5: No WAN Routes
This example illustrates when the Router Backup is enabled, but no particular interface is chosen for the WAN route. In this case, the router has no dedicated WAN interface and routes the traffic within the LANs. Figure 41 shows the GUI configuration.
Note: The Mobile WAN interface is not accessible, even if configured and connected to a cellular network.
Figure 41: Example 5: GUI Configuration
Figure 42 illustrates the example topology.
Figure 42: Example 5: Topology
4.8 Static Routes
Static routes can be specified on the Static Routes configuration page. A
static route provides a fixed routing path through the network. It is manually
configured on the router and must be updated if the network topology
changes. Static routes are private routes unless they are
redistributed by a routing protocol. There are two forms, one for IPv4 and the
second for IPv6 configuration. The static routes configuration form for IPv4 is
shown in Figure 43.
Figure 43: Static Routes Configuration
The description of all items is listed in Table 31.
Enable IPv4 static routes: If checked, static routing functionality is enabled. Only routes enabled by the checkbox in the first column of the table are active.
Destination Network: The destination IP address of the remote network or host to which you want to assign a static route.
Mask or Prefix Length: The subnet mask of the remote network or host IP address.
Gateway: IP address of the gateway device that allows for contact between the router and the remote network or host.
Metric: Metric definition: a numeric rating of the priority of the route in the routing table. Routes with lower metrics have higher priority.
Interface: Select an interface the remote network or host is on.
Table 31: Static Routes Configuration for IPv4
4.9 Firewall Configuration
ICR-3241(W)-1ND models may have some default configurations different or restricted.
The first security element for incoming packets is a check of the enabled source IP addresses and destination ports. There is an independent IPv4 and IPv6 firewall since there is dual stack IPv4 and IPv6 implemented in the router. If you click the Firewall item in the Configuration menu on the left, it will expand to IPv4 and IPv6 options, and you can click IPv6 to enable and configure the IPv6 firewall (see the figure below). The configuration fields have the same meaning in the IPv4 Firewall Configuration and IPv6 Firewall Configuration forms.
Figure 44: Firewall Configuration IPv6 Firewall
The first section of the configuration form specifies the incoming firewall policy. If the Enable filtering of incoming packets check box is unchecked, all incoming packets are accepted.
If checked, and a packet comes from the WAN interface, then the router forwards this packet to the INPUT iptables chain. When the INPUT chain accepts the packet, and there is a rule matching this packet with the Action set to allow, the router accepts the packet. The packet is dropped if no INPUT rule matches it or the Action is set to deny. You can specify the rules for IP addresses, protocols, and ports to allow or deny access to the router and internal network behind the router. It is possible to specify up to sixteen rules; each rule can be enabled/disabled by ticking the checkbox on the left of the rule row. Please note that the incoming rules are applied to the WAN interface only. See Chapter 4.7.1 for the priority rules for the WAN interfaces. See Table 32 for the incoming definition table description.
Source: IP address the rule applies to. Use IPv4 address in IPv4 Firewall Configuration and IPv6 address in IPv6 Firewall Configuration.
Protocol: Specifies the protocol the rule applies to:
· all: The rule applies to all protocols.
· TCP: The rule applies to TCP protocol.
· UDP: The rule applies to UDP protocol.
· GRE: The rule applies to GRE protocol.
· ESP: The rule applies to ESP protocol.
· ICMP/ICMPv6: The rule applies to ICMP protocol. In IPv6 Firewall Configuration there is the ICMPv6 option.
Target Port(s): The port numbers range allowing access to the router. Enter the initial and final port numbers separated by the hyphen mark. One static port is allowed as well.
Action: Specifies the type of action the router performs:
· allow: The router allows the packets to enter the network.
· deny: The router denies the packets from entering the network.
Description: Description of the rule.
Table 32: Filtering of Incoming Packets
The next section of the configuration form specifies the forwarding firewall policy. If the Enabled filtering of forwarded packets check box is unchecked, all incoming packets are accepted. If checked, and a packet is addressed to another network interface, then the router forwards this packet to the FORWARD iptable chain. When the FORWARD chain accepts the packet, and there is a rule for forwarding it, the router forwards the packet. If a forwarding rule is unavailable, then the packet is dropped. It is possible to specify up to sixteen rules when each rule can be enabled/disabled by ticking the checkbox on the left of the rule row. The forwarding setting is applied to all interfaces, regardless of whether it is the WAN interface. The configuration form also contains a table for specifying the filter rules. It is possible to create a rule to allow data with the selected protocol specifying only the protocol or to create stricter rules by specifying values for source IP addresses, destination IP addresses, and ports. See Table 33 for the forwarding definition table description.
Source: IP address the rule applies to. Use IPv4 address in IPv4 Firewall Configuration and IPv6 address in IPv6 Firewall Configuration.
Destination: Destination IP address the rule applies to. Use IPv4 address in IPv4 Firewall Configuration and IPv6 address in IPv6 Firewall Configuration.
Protocol: Specifies the protocol the rule applies to:
· all: The rule applies to all protocols.
· TCP: The rule applies to TCP protocol.
· UDP: The rule applies to UDP protocol.
· GRE: The rule applies to GRE protocol.
· ESP: The rule applies to ESP protocol.
· ICMP/ICMPv6: The rule applies to ICMP protocol. In IPv6 Firewall Configuration there is the ICMPv6 option.
Target Port(s): The target port numbers. Enter the initial and final port numbers separated by the hyphen mark. One static port is allowed as well.
Action: Specifies the type of action the router performs:
· allow: The router allows the packets to enter the network.
· deny: The router denies the packets from entering the network.
Description: Description of the rule.
Table 33: Forwarding filtering
When you enable the Enable filtering of locally destined packets function, the
router drops the packets requesting an unsupported service. The packet is
dropped automatically without any information.
As a protection against DoS attacks, the Enable protection against DoS attacks
option limits the number of allowed connections per second to five. A DoS attack
floods the target system with meaningless requests.
4.9.1 Example of the IPv4 Firewall Configuration
The router allows the following access:
· From IP address 171.92.5.45 using any protocol.
· From IP address 10.0.2.123 using the TCP protocol on port 1000.
· From IP address 142.2.26.54 using the ICMP protocol.
· From IP address 142.2.26.54 using the TCP protocol on target ports from 1020 to 1040.
See the network topology and configuration form in the figures below.
Figure 45: Topology for the IPv4 Firewall Configuration Example
Figure 46: IPv4 Firewall Configuration Example
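The incoming-packet filter described in this chapter can be modelled offline to check what a planned rule table admits before it is applied. This is an added example, not the router's own code: the names Rule, filter_incoming and broad_rules are hypothetical, and it assumes rows are evaluated top to bottom with the first match deciding, and that the Source field may also hold a prefix. The rule list is the four-row IPv4 example above; the test packets are constructed.

```python
"""Added example: a model of the 'filtering of incoming packets' table."""
import ipaddress
from typing import NamedTuple

MAX_RULES = 16  # the form holds up to sixteen rules
PORT_PROTOCOLS = ("TCP", "UDP")


def parse_ports(spec):
    """'1000' -> (1000, 1000), '1020-1040' -> (1020, 1040), '' -> None (any port)."""
    spec = spec.strip()
    if not spec:
        return None
    first, _, last = spec.partition("-")
    low, high = int(first), int(last or first)
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"bad port range: {spec!r}")
    return low, high


class Rule(NamedTuple):
    source: str            # single address; a prefix is accepted here as an assumption
    protocol: str = "all"  # all, TCP, UDP, GRE, ESP, ICMP or ICMPv6
    ports: str = ""        # Target Port(s): one port or first-last
    action: str = "allow"  # allow or deny
    enabled: bool = True   # checkbox at the left of the rule row

    def matches(self, src, protocol, dport=None):
        """True if this enabled row applies to the packet."""
        if not self.enabled:
            return False
        if ipaddress.ip_address(src) not in ipaddress.ip_network(self.source, strict=False):
            return False
        if self.protocol != "all" and self.protocol != protocol:
            return False
        port_range = parse_ports(self.ports)
        if port_range is None:
            return True
        return (protocol in PORT_PROTOCOLS and dport is not None
                and port_range[0] <= dport <= port_range[1])


def filter_incoming(rules, src, protocol, dport=None, filtering_enabled=True, from_wan=True):
    """Return 'accept' or 'drop' for one packet, as the chapter describes it."""
    if len(rules) > MAX_RULES:
        raise ValueError("the form holds at most sixteen rules")
    # Unchecked box: everything is accepted. The table only covers the WAN interface.
    if not filtering_enabled or not from_wan:
        return "accept"
    for rule in rules:  # assumption: rows are evaluated top to bottom, first match wins
        if rule.matches(src, protocol, dport):
            return "accept" if rule.action == "allow" else "drop"
    return "drop"  # no rule for this packet


def broad_rules(rules):
    """Return 1-based row numbers of enabled allow rules with no protocol or port limit."""
    rows = []
    for number, rule in enumerate(rules, start=1):
        if not rule.enabled or rule.action != "allow":
            continue
        unrestricted_ports = rule.protocol in PORT_PROTOCOLS and not rule.ports.strip()
        if rule.protocol == "all" or unrestricted_ports:
            rows.append(number)
    return rows


# The four rows of the IPv4 example above.
EXAMPLE_RULES = [
    Rule("171.92.5.45", "all"),
    Rule("10.0.2.123", "TCP", "1000"),
    Rule("142.2.26.54", "ICMP"),
    Rule("142.2.26.54", "TCP", "1020-1040"),
]

if __name__ == "__main__":
    # Constructed test packets: (source, protocol, destination port).
    for packet in [("10.0.2.123", "TCP", 1000), ("10.0.2.123", "TCP", 22),
                   ("142.2.26.54", "TCP", 1030), ("198.51.100.7", "UDP", 161)]:
        print(packet, filter_incoming(EXAMPLE_RULES, *packet))
    print("rows to review:", broad_rules(EXAMPLE_RULES))
```

Row 1 is reported for review because it admits every protocol and port from its source address, which makes it the widest entry in the table.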
4.10 NAT Configuration
To configure the address translation function, click on NAT in the
Configuration section of the main menu. There is independent IPv4 and IPv6 NAT
configuration since there is dual stack IPv4 and IPv6 implemented in the
router. The NAT item in the menu on the left will expand to IPv4 and IPv6
options, and you can click IPv6 to enable and configure the IPv6 NAT (see the
figure below). The configuration fields have the same meaning in the IPv4 NAT
Configuration and IPv6 NAT Configuration forms.
The router actually uses Port Address Translation (PAT), which is a method of
mapping a TCP/UDP port to another TCP/UDP port. The router modifies the
information in the packet header as the packets traverse a router. This
configuration form allows you to specify up to 16 PAT rules.
Public Port(s): The public port numbers range for NAT. Enter the initial and final port numbers separated by the hyphen mark. One static port is allowed as well.
Private Port(s): The private port numbers range for NAT. Enter the initial and final port numbers separated by the hyphen mark. One static port is allowed as well.
Type: Protocol type TCP or UDP.
Server IPv4 address: In IPv4 NAT Configuration only. IPv4 address where the router forwards incoming data.
Server IPv6 address: In IPv6 NAT Configuration only. IPv6 address where the router forwards incoming data.
Description: Description of the rule.
Table 34: NAT Configuration
If you require more than sixteen NAT rules, insert the remaining rules into the Startup Script. The Startup Script dialog is located on Scripts page in the Configuration section of the menu. When creating your rules in the Startup Script, use this command for IPv4 NAT:
ts t t rt t rt PP tstt PPP
Enter the IP address [IPADDR], the public port numbers [PORT_PUBLIC], and the private port numbers [PORT_PRIVATE] in place of the square brackets. For IPv6 NAT, use the ts command with the same options:
ts t t t t rt PP tstt PPP
If you enable the following options and enter the port number, the router
allows you to remotely access the router from the WAN (Mobile WAN) interface.
Figure 47: NAT IPv6 NAT Configuration
Enable remote HTTP access on port: This option sets the redirect from HTTP to HTTPS only (disabled in default configuration).
Enable remote HTTPS access on port: If field and port number are filled in, configuration of the router over web interface is allowed (disabled in default configuration).
Enable remote FTP access on port: Select this option to allow access to the router using FTP (disabled in default configuration).
Enable remote SSH access on port: Select this option to allow access to the router using SSH (disabled in default configuration).
Enable remote Telnet access on port: Select this option to allow access to the router using Telnet (disabled in default configuration).
Enable remote SNMP access on port: Select this option to allow access to the router using SNMP (disabled in default configuration).
Masquerade outgoing packets: Activates/deactivates the network address translation function.
Table 35: Remote Access Configuration
Enable remote HTTP access on port activates the redirect from HTTP to HTTPS protocol only. The router doesn’t allow unsecured HTTP protocol to access the web configuration. To access the web configuration, always check the Enable remote HTTPS access on port item. Never enable the HTTP item only to access the web configuration from the Internet (configuration would not be accessible from the Internet). Always check the HTTPS item or HTTPS and HTTP items together (to set the redirect from HTTP).
Use the following parameters to set the routing of incoming data from the WAN (Mobile WAN) to a connected computer.
Item
Description
Send all remaining incoming packets to default server
Activates/deactivates forwarding unmatched incoming packets to the default server. The prerequisite for the function is that you specify a default server in the Default Server IPv4/IPv6 Address field. The router can forward incoming data from a mobile WAN to a computer with the assigned IP address.
Default Server IP Address
In IPv4 NAT Configuration only. The IPv4 address.
Default Server IPv6 Address
In IPv6 NAT Configuration only. The IPv6 address.
Table 36: Configuration of Send all incoming packets to server
4.10.1 Examples of NAT Configuration
Example 1: IPv4 NAT Configuration with Single Device Connected
It is important to mark the Send all remaining incoming packets to default server check box for this configuration. The IP address in this example is the address of the device behind the router. The default gateway of the devices in the subnetwork connected to the router is the same IP address as displayed in the Default Server IPv4 Address field. The connected device replies if a PING is sent to the IP address of the SIM card.
Figure 48: Topology for NAT Configuration Example 1
Figure 49: NAT Configuration for Example 1
Example 2: IPv4 NAT Configuration with More Equipment Connected
In this example, using the switch you can connect more devices behind the router. Every device connected behind the router has its own IP address. Enter the address in the Server IPv4 Address field in the NAT dialog. The devices are communicating on port 80, but you can set port forwarding using the Public Port and Private Port fields in the NAT dialog. You have now configured the router to access the 192.168.1.2:80 socket behind the router when accessing the IP address 10.0.0.1:81 from the Internet. If you send a ping request to the public IP address of the router (10.0.0.1), the router responds as usual (not forwarding). And since the Send all remaining incoming packets to default server option is inactive, the router denies connection attempts.
Figure 50: Topology for NAT Configuration Example 2
Figure 51: NAT Configuration for Example 2
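The handling of incoming WAN packets described by Tables 35 and 36 and by Examples 1 and 2, as an added Python model that is not Advantech code, with a small audit of what each configuration exposes. The class and field names, the evaluation order (port forwards, then remote access, then default server) and the device address used for Example 1 are assumptions.

```python
# Added illustration (not Advantech code): a model of WAN-side packet handling
# as described in sections 4.10 and 4.10.1. Names and rule order are assumptions.
from dataclasses import dataclass, field
from typing import Optional

# Remote-access services worth flagging when reachable from the WAN.
RISKY = {
    "FTP": "credentials sent in cleartext",
    "Telnet": "credentials sent in cleartext",
    "SNMP": "cleartext unless SNMPv3 privacy is configured",
}

@dataclass
class NatConfig:
    forwards: dict = field(default_factory=dict)       # public port -> (server IP, private port)
    remote_access: dict = field(default_factory=dict)  # service name -> WAN port
    default_server: Optional[str] = None               # set only when the check box is marked

def resolve(cfg, port=None):
    """Return where a packet sent to the WAN address ends up (port=None models a ping)."""
    if port in cfg.forwards:
        ip, private = cfg.forwards[port]
        return f"forwarded to {ip}:{private}"
    for service, wan_port in cfg.remote_access.items():
        if port == wan_port:
            return f"router {service} service"
    if cfg.default_server:
        return f"forwarded to default server {cfg.default_server}"
    return "answered by router" if port is None else "denied"

def audit(cfg):
    """List the WAN exposures a reviewer should question."""
    findings = [f"{s} on WAN port {cfg.remote_access[s]}: {RISKY[s]}"
                for s in sorted(cfg.remote_access) if s in RISKY]
    if "HTTP" in cfg.remote_access and "HTTPS" not in cfg.remote_access:
        findings.append("HTTP without HTTPS: redirect only, web configuration unreachable")
    if cfg.default_server:
        findings.append(f"every unmatched WAN packet reaches {cfg.default_server}")
    return findings

# Example 1: single device as default server (device address constructed for this sketch).
EXAMPLE_1 = NatConfig(default_server="192.168.1.2")
# Example 2: 10.0.0.1:81 forwarded to 192.168.1.2:80, default server inactive.
EXAMPLE_2 = NatConfig(forwards={81: ("192.168.1.2", 80)})

if __name__ == "__main__":
    for name, cfg in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2)):
        print(name, [resolve(cfg, p) for p in (None, 81, 22)], audit(cfg))
```

With the default server active, as in Example 1, every port of the connected device is reachable from the mobile network, so that device needs its own hardening.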
4.11 OpenVPN Tunnel Configuration
Select the OpenVPN item to configure an OpenVPN tunnel. The menu item will
expand and you will see four separate configuration pages: 1st Tunnel, 2nd
Tunnel, 3rd Tunnel and 4th Tunnel. The OpenVPN tunnel function allows you to
create a secure connection between two separate LAN networks. The router
allows you to create up to four OpenVPN tunnels. IPv4 and IPv6 dual stack is
supported.
Item
Description
Description
Specifies the description or name of tunnel.
Interface Type
TAP is basically at the Ethernet level (layer 2) and acts as a switch, whereas TUN works at the network level (layer 3) and routes packets on the VPN. TAP is bridging, whereas TUN is routing.
· TUN Choose the TUN mode.
· TAP Choose the TAP mode, but remember first to configure the bridge on the ethernet interface.
Protocol
Specifies the communication protocol.
· UDP The OpenVPN communicates using UDP.
· TCP server The OpenVPN communicates using TCP in server mode.
· TCP client The OpenVPN communicates using TCP in client mode.
· UDPv6 The OpenVPN communicates using UDP over IPv6.
· TCPv6 server The OpenVPN communicates using TCP over IPv6 in server mode.
· TCPv6 client The OpenVPN communicates using TCP over IPv6 in client mode.
UDP/TCP port
Specifies the port of the relevant protocol (UDP or TCP).
1st Remote IP Address
Specifies the first IPv4, IPv6 address or domain name of the opposite side of the tunnel.
2nd Remote IP Address
Specifies the second IPv4, IPv6 address or domain name of the opposite side of the tunnel.
Remote Subnet
IPv4 address of a network behind opposite side of the tunnel.
Remote Subnet Mask
IPv4 subnet mask of a network behind opposite tunnel’s side.
Redirect Gateway
Adds (rewrites) the default gateway. All the packets are then sent to this gateway via tunnel, if there is no other specified default gateway inside them.
Local Interface IP Address
Specifies the IPv4 address of a local interface. For proper routing it is recommended to fill-in any IPv4 address from local range even if you are using IPv6 tunnel only.
Remote Interface IP Address
Specifies the IPv4 address of the interface of opposite side of the tunnel. For proper routing it is recommended to fill-in any IPv
Remote IPv6 Subnet
Remote IPv6 Prefix
Local Interface IPv6 Address
Remote Interface IPv6 Address
Ping Interval
Ping Timeout
Renegotiate Interval
Max Fragment Size
Compression