
©2015 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com | 74

User Manual / AER3100/AER3150

NETWORK PREFIX TRANSLATION

Network Prefix Translation (NPT) is used in IPv6 networks to translate one IPv6 prefix to another. IPv6 prefix translation is an experimental specification (RFC 6296) that tries to achieve address independence similar to NAT in IPv4. Unlike NAT, however, NPT is stateless and preserves the IPv6 principle that each device has a routable public address. It still breaks any protocol that embeds IPv6 addresses (e.g. IPsec), and the IETF generally does not recommend its use. NPT can help to keep internal network ranges consistent across various IPv6 providers, but it cannot be used effectively in all situations.

The primary purpose of Cradlepoint’s NPT implementation is failover/failback and load balancing setups. LAN clients can potentially retain the original IPv6 lease information and may experience a more seamless transition when WAN connectivity changes than they would without NPT.

Mode:

• None – No translation is performed
• Load Balance Only – (Default) Only translate networks when actively load balancing
• First – Use the first IPv6 prefix found
• Static – Always use a static IPv6 translation (input the prefix here)

Transitioning from a short prefix to a longer prefix (such as from /48 to /64) is not without problems, as some of the LANs may lose IPv6 connectivity.
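The stateless mapping that RFC 6296 defines can be worked through in a few lines. The following is an added example, not part of the manual and not Cradlepoint's implementation: it applies the RFC's checksum-neutral adjustment to the RFC's own /48 example prefixes and to a constructed /64 pair, and the function names are hypothetical.

```python
import ipaddress


def _add1c(a, b):
    """16-bit one's-complement addition (end-around carry)."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def _words(value):
    """Split a 128-bit integer into eight 16-bit words, most significant first."""
    return [(value >> (112 - 16 * i)) & 0xFFFF for i in range(8)]


def _sum1c(words):
    total = 0
    for w in words:
        total = _add1c(total, w)
    return total


def address_sum(addr):
    """One's-complement sum of the whole address: the part of a TCP/UDP
    pseudo-header checksum that the address contributes."""
    return _sum1c(_words(int(ipaddress.IPv6Address(addr))))


def npt_translate(addr, src_prefix, dst_prefix):
    """Map addr from src_prefix to dst_prefix using the RFC 6296 algorithm.

    Outbound: src = internal prefix, dst = external prefix.
    Inbound:  swap the two prefixes. No per-flow state is kept.
    This sketch requires equal prefix lengths of at most /64.
    """
    addr = ipaddress.IPv6Address(addr)
    src = ipaddress.IPv6Network(src_prefix)
    dst = ipaddress.IPv6Network(dst_prefix)
    if src.prefixlen != dst.prefixlen or src.prefixlen > 64:
        raise ValueError("prefixes must have the same length, /64 or shorter")
    if addr not in src:
        raise ValueError("address is not inside the source prefix")

    # Adjustment = sum(src prefix) - sum(dst prefix) in one's-complement
    # arithmetic, taken over the prefixes zero-extended to 64 bits.
    src_sum = _sum1c(_words(int(src.network_address))[:4])
    dst_sum = _sum1c(_words(int(dst.network_address))[:4])
    adjustment = _add1c(src_sum, dst_sum ^ 0xFFFF)

    # Overwrite the prefix bits, keep every bit after the prefix.
    words = _words(int(dst.network_address) | (int(addr) & int(src.hostmask)))

    if src.prefixlen <= 48:
        # /48 or shorter: the 16-bit subnet word absorbs the adjustment,
        # so the interface identifier is untouched. Subnet 0xFFFF is unusable.
        idx = 3
        if words[idx] == 0xFFFF:
            raise ValueError("subnet 0xFFFF cannot be translated")
    else:
        # /49../64: the adjustment lands in the first interface-identifier
        # word that is not 0xFFFF, so the host part of the address changes.
        usable = [i for i in range(4, 8) if words[i] != 0xFFFF]
        if not usable:
            raise ValueError("interface identifier is all ones")
        idx = usable[0]

    adjusted = _add1c(words[idx], adjustment)
    words[idx] = 0 if adjusted == 0xFFFF else adjusted  # 0xFFFF is "negative zero"

    value = 0
    for w in words:
        value = (value << 16) | w
    return ipaddress.IPv6Address(value)


if __name__ == "__main__":
    host = "fd01:203:405:1::1234"
    # Prefixes and host address from the example in RFC 6296.
    out48 = npt_translate(host, "fd01:203:405::/48", "2001:db8:1::/48")
    print("/48 outbound:", out48)
    print("/48 inbound: ", npt_translate(out48, "2001:db8:1::/48", "fd01:203:405::/48"))
    # Constructed /64 pair: note that the interface identifier is rewritten.
    out64 = npt_translate(host, "fd01:203:405:1::/64", "2001:db8:1:2::/64")
    print("/64 outbound:", out64)
    print("checksum contribution unchanged:",
          address_sum(host) == address_sum(out48) == address_sum(out64))
```

Because the translated address differs from the one the host knows, anything that carries or authenticates the address inside the packet no longer matches after translation, which is the IPsec caveat noted above.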

REMOTE ACCESS RESTRICTION

Add any IPv4 addresses that need access to remote administration to this list. Clicking Add will allow the addition of IP address and netmask pairs to the administration filter. Edit will allow you to change settings for the selected address. Remove will remove a selected entry.

Application Gateways

Enabling an application gateway makes pinholes through the firewall. This may be required for some applications to function, or for an application to improve functionality or add features.

NOTE: Exercise caution in enabling application gateways as they impact the security of your network.

• PPTP: For virtual private network access using Point to Point Tunneling Protocol.
• SIP: For Voice over IP using Session Initiation Protocol.
• TFTP: Enables file transfer using Trivial File Transfer Protocol.
• FTP: To allow normal mode when using File Transfer Protocol. Not needed for passive mode.
• IRC: For Direct Client to Client (DCC) transfer when using Internet Relay Chat. You may wish to forward TCP port 113 for incoming identd (RFC 1413) requests.

DMZ (Demilitarized Zone)

A DMZ host is effectively not firewalled in the sense that any computer on the Internet may attempt to 
remotely access network services at the DMZ IP address. Typical uses involve running a public web server, 
supporting older games, or sharing files.

NOTE: As with port forwarding, caution should be used when enabling the DMZ feature as it can threaten the security of your network.

Summary of Contents for AER1600 Series

Page 1: ... 2015 Cradlepoint All Rights Reserved 1 855 813 3385 cradlepoint com 1 User Manual AER3100 AER3150 AER Series Router AER3100 AER3150 User Manual ...

Page 2: ...CLOUD OPTIMIZED IP COMMUNICATIONS 6 SYSTEM REQUIREMENTS 6 SPECIFICATIONS 6 ACCESSORIES 7 BUSINESS GRADE MODEM SPECIFICATIONS 7 HARDWARE 11 LEDS 12 SUPPORT AND WARRANTY 12 QUICK START 13 BASIC SETUP 13 ACCESSING THE ADMINISTRATION PAGES 15 FIRST TIME SETUP WIZARD 16 USING ENTERPRISE CLOUD MANAGER 16 ADMINISTRATION PAGES 17 QUICK LINKS 17 DASHBOARD 17 CONNECTION MANAGER 18 WAN INTERFACE PROFILES PRI...

Page 3: ...NELS 43 ROUTING 55 QOS 59 DNS SERVERS 63 WIFI AS WAN 65 WAN AFFINITY 67 CLIENT DATA USAGE 68 NHRP 69 SECURITY 71 IDENTITIES 71 ZONE FIREWALL 72 CONTENT FILTERING 77 THREAT MANAGEMENT 80 CERTIFICATE MANAGEMENT 82 SYSTEM 85 ADMINISTRATION 85 ENTERPRISE CLOUD MANAGER 91 DEVICE ALERTS 92 SERIAL REDIRECTOR 93 SNMP CONFIGURATION 94 SYSTEM CONTROL 96 DIAGNOSTICS 97 SETUP WIZARDS 98 APPENDIX 101 SAFETY RE...

Page 4: ...real time clock with pull tab If ordered with MC400 modem KEY FEATURES WAN Integrated 4G LTE with 3G failover Multi Carrier Software Defined radio Verizon AT T Sprint Europe and generic models available Dual integrated modem option Dual SIM slots in each modem Most models include support for active GPS 13 10 100 1000 Ethernet ports WAN LAN switchable WiFi as WAN only on AER3100 Failover Failback L...

Page 5: ...t Enterprise Cloud Manager ECM 2 Web UI API CLI GPS Location Data Usage Alerts router and per client Advanced Troubleshooting support 5 Device Alerts SNMP SMS control Console Port for OOBM Management VPN AND ROUTING IPsec Tunnel up to 40 concurrent sessions OpenVPN SSL VPN 1 L2TP1 GRE Tunnel OSPF BGP RIP1 Per Interface Routing Static Routing NAT less Routing Virtual Server Port Forwarding VTI Tunn...

Page 6: ...tchable Serial console TEMPERATURE 0 C to 50 C 32 F to 122 F operating 20 C to 70 C 4 F to 158 F storage Redundant internal fans for reliable cooling Advanced Security Mode local user management only Per Client Web Filtering IP Filtering Content Filtering basic Website Filtering Real time clock with battery backup for CA certificate validation CLOUD OPTIMIZED IP COMMUNICATIONS Automated WAN Failov...

Page 7: ... VZ modem for Verizon Please note that LPE models are flexible and support bands for multiple cellular providers however only the frequency bands in bold below are supported by the listed provider AER3100LPE VZ 4G LTE HSPA EVDO for Verizon Technology LTE HSPA EVDO Rev A HUMIDITY non condensing 10 to 85 operating 5 to 90 storage MEMORY 1 GB DRAM 16MB SPI Flash 1 GB NAND Flash SIZE 12 2 x 10 6 x 1 7...

Page 8: ...z Band 4 AWS 1700 2100 MHz Band 5 850 MHz Band 13 700 MHz Band 17 700 MHz Band 25 1900 MHz HSPA UMTS 850 900 1900 2100 MHz AWS GSM GPRS EDGE 850 900 1800 1900 MHz CDMA EVDO Rev A 1xRTT 800 1900 MHz Power LTE 23 dBm 1 HSPA 23 dBm 1 EVDO 24 dBm 0 5 1 typical conducted Antennas two SMA male plug 1 dBi LTE 2 dBi Cellular PCS gain finger tighten only maximum torque spec is 7 kgf cm GPS active GPS suppo...

Page 9: ...PA 5 76 Mbps EVDO 1 8 Mbps theoretical Frequency Bands LTE Band 2 1900 MHz Band 4 AWS 1700 2100 MHz Band 5 850 MHz Band 13 700 MHz Band 17 700 MHz Band 25 1900 MHz HSPA UMTS 850 900 1900 2100 MHz AWS GSM GPRS EDGE 850 900 1800 1900 MHz CDMA EVDO Rev A 1xRTT 800 1900 MHz Power LTE 23 dBm 1 HSPA 23 dBm 1 EVDO 24 dBm 0 5 1 typical conducted Antennas two SMA male plug 1 dBi LTE 2 dBi Cellular PCS gain...

Page 10: ...HSPA 5 76 Mbps theoretical Frequency Bands LTE Band 1 2100 MHz Band 3 1800 MHz Band 7 2600 MHz Band 8 900 MHz Band 20 800 MHz HSPA UMTS 800 850 900 1900 2100 MHz GSM GPRS EDGE Quad Band 850 900 1800 1900 MHz Power LTE Band 1 3 8 20 23 dBm 1 LTE Band 7 22 dBm 1 HSPA 23 dBm 1 typical conducted Antennas two SMA male plug 1 dBi LTE 2 dBi Cellular PCS gain finger tighten only GPS active GPS support Ind...

Page 11: ...100 MHz AWS GSM GPRS EDGE 850 900 1800 1900 MHz CDMA EVDO Rev A 1xRTT 800 1900 MHz Power LTE 23 dBm 1 HSPA 23 dBm 1 EVDO 24 dBm 0 5 1 typical conducted Antennas two SMA male plug 1 dBi LTE 2 dBi Cellular PCS gain finger tighten only maximum torque spec is 7 kgf cm GPS active GPS support Industry Standards Certs PTCRB FCC IC Modem Part Number MC400LPE HARDWARE 3G 4G Antenna Connectors SMA 3G 4G Ant...

Page 12: ...outer status ETHERNET WAN Indicates information about a data source connected to the Ethernet WAN port Blue Connected to an active Ethernet WAN interface WiFi BROADCAST only on AER3100 These two LEDs indicate activity on the WiFi broadcast for both the 2 4 GHz and 5 GHz bands 2 4GHz green 2 4 GHz WiFi is on and operating normally 5GHz blue 5 GHz WiFi is on and operating normally REMOVABLE MODEM In...

Page 13: ...t into the integrated modem Insert the SIM card into the slot marked SIM 1 use the other slot SIM 2 for a secondary backup SIM Insert the card with the notch end first and the gold contacts facing down it will click into place Notch end goes in first Gold contacts face down 2 Insert the removable modem Follow these steps to insert the removable modem s 1 On front of router press two tabs on modem ...

Page 14: ...onnect the power source Plug the provided power supply 54V DC wall adapter into an electrical outlet Then connect the power supply to the router Ensure power is switched on O OFF ON When you set the power switch to the ON position watch for the power LED to illuminate 6 Connect to a computer or other network equipment Connect wirelessly to the WiFi broadcast or with an Ethernet cable connected to ...

Page 15: ... the address bar Press ENTER RETURN 2 When prompted for your password type the eight character DEFAULT PASSWORD found on the product label NOTE The product label below is an example only your DEFAULT PASSWORD and SSID will be unique It s possible and more efficient to do all your configuration changes through Cradlepoint Enterprise Cloud Manager ECM without logging into the local administration pa...

Page 16: ...t geographically distributed stores and branch locations with Enterprise Cloud Manager Cradlepoint s next generation management and application platform Enterprise Cloud Manager ECM integrates cloud management with your Cradlepoint devices to improve productivity increase reliability reduce costs and enhance the intelligence of your network and business operations Click here to sign up for a free ...

Page 17: ...net LAN WiFi LAN To quickly edit settings for any of these areas click on the pencil icon in the top right of the desired dialog box You may return to the Dashboard at any time by clicking on DASHBOARD from the left menu or by clicking on the Cradlepoint logo at the top left of the screen Quick Links allows you to bookmark your most commonly used settings Simply click on the bookmark icon to add a...

Page 18: ...nd the order that it allows failover In the example shown Ethernet is set as the primary Internet source an LTE only modem is set as secondary while an MC400LPE VZ modem is attached for failover and is connected A WiFi as WAN interface is also attached and Available WAN INTERFACE PROFILES PRIORITY Availability Key Enable Load Balance On Demand WAN Verify Data Usage Failback LOAD BALANCE To enable ...

Page 19: ...ata usage between interfaces at a similar percentage of the assigned data cap in the data usage rule for each interface rather than distributing sessions based solely on bandwidth For proper functioning you need to create data usage rules for each WAN device you will be load balancing Make certain to select the Use with Load Balancing checkbox in the data usage rule editor ON DEMAND Typically mode...

Page 20: ...the router takes no action to verify that it is still up FAILBACK This is used to configure failback which is the ability to go back to a higher priority WAN interface if it regains connection to its network Select the Failback Mode from the following options Usage Time Disabled Usage Threshold Fail back based on the amount of data passed over time This is a good setting for when you have a dual m...

Page 21: ...keep all interfaces with these rules at a similar percentage utilization of data e g 10 50 90 as the cycle progresses rather than quickly using 100 of a fast 1GB capped interface while using only a fraction of a slow 10GB capped interface thus leaving the rest of the cycle with only the slow interface The Data Usage algorithm on the WAN Affinity Load Balancing page must be selected or this checkbo...

Page 22: ...AER3100 AER3150 STATUS Internet Client List Tunnels Firewall Routing Ethernet GPS LLDP System Logs INTERNET CONNECTIONS Select your device to reveal detailed information about the following device properties Summary Modem Cellular Network General Information IPv4 Information Statistics ...

Page 23: ... 2015 Cradlepoint All Rights Reserved 1 855 813 3385 cradlepoint com 23 User Manual AER3100 AER3150 ...

Page 24: ... 2015 Cradlepoint All Rights Reserved 1 855 813 3385 cradlepoint com 24 User Manual AER3100 AER3150 ...

Page 25: ...E Displays the following client information Name IP Address MAC Address Data Uploaded Data Downloaded Last Traffic To reset information click Reset Statistics STATISTICS Statistics can be gathered at variable Sample Rate and Sample Size for the following areas Wireless Device Data Usage Failover Failback Load Balance ...

Page 26: ...l Rights Reserved 1 855 813 3385 cradlepoint com 26 User Manual AER3100 AER3150 QOS Displays packets and bytes transmitted and received by your Quality of Service QoS queues To enable and configure QoS go to NETWORKING QoS ...

Page 27: ...ws you to Kick Wireless Clients block MAC addresses of both Wireless and Wired Clients and Revoke Hotspot Clients TUNNELS CP SECURE VPN Displays status of your CP Secure VPN Tunnels To add and configure CP Secure VPN Tunnels go to NETWORKING Tunnels CP Secure VPN IPSEC VPN Displays status of your IPSec VPN Tunnels To add and configure IPSec VPN Tunnels go to NETWORKING Tunnels IPSec VPN ...

Page 28: ...your OpenVPN Tunnels To add and configure OpenVPN Tunnels go to NETWORKING Tunnels OpenVPN Displays status of your GRE Tunnels To add and configure GRE Tunnels go to NETWORKING Tunnels GRE FIREWALL Displays information about your Firewall Connection Tracking States To configure your firewall select SECURITY from the left navigation ...

Page 29: ...mation about your System GRE and NEMO Routes To configure these routes go to NETWORKING Tunnels ETHERNET Displays information about your Ethernet ports To configure Ethernet ports go to NETWORKING Local Networks Ethernet Ports GPS Displays GPS location and status To enable and configure GPS go to SYSTEM Administration GPS ...

Page 30: ...3 3385 cradlepoint com 30 User Manual AER3100 AER3150 LLDP Displays LLDP information To enable LLDP go to SYSTEM Administration LLDP SYSTEM LOGS Displays System Log information To configure System Logging go to SYSTEM Administration System Logging ...

Page 31: ...ther the router broadcasts its SSID It is somewhat harder for hackers to find and attack a router that is not broadcasting its SSID which adds to the wireless security but it is also more difficult for friendly users to attach to a WiFi network with a hidden SSID Isolate Select this to isolate all wireless clients so they cannot directly communicate with each other on the wireless network WMM WiFi...

Page 32: ...ey Open has no password or other security measures NOTE If you don t know whether you should choose Personal or Enterprise assume Personal since you need to know RADIUS authentication for Enterprise In order to protect your network from hackers and unauthorized users Cradlepoint highly recommends WPA2 AES for security if your attached devices can support it WEP and WPA TKIP are obsolete and have b...

Page 33: ...e circumstances however there might be a need to isolate specific frequencies to a smaller area By reducing the power of the radio you can prevent transmissions from reaching beyond your corporate home office or designated wireless area RTS Threshold When an excessive number of wireless packet collisions are occurring wireless performance can be improved by using the RTS CTS Request to Send Clear ...

Page 34: ...her performance is possible with the 40 MHz channel Selecting Auto is generally best Enabling WiFi as WAN will force 20 MHz only mode Extended Channel When operating in 40 MHz mode the access point will use an extended channel either below or above the current channel Optimal selection will depend on the channels of other networks in the area MCS 802 11n uses multiple Modulation Coding Schemes to ...

Page 35: ... wired link and a secondary modem for failover typically with a more expensive limited data plan Select this option if you want the router to allow data traffic over the modem if the wired connection goes down Disable Service if Ethernet Threshold is met This will block hotspot use of the WAN when the threshold is met This can be used if the router is being used as a backup failover connection to ...

Page 36: ...Timeout Default 60 minutes The amount of time the user may use the router before being forced to authenticate again Idle Timeout Default 15 minutes If the user is idle for this amount of time make them re authenticate Bandwidth upload Default 512 Kbits sec The data rate limit for users uploading data through the hotspot Bandwidth download Default 1024 Kbits sec The data rate limit for users downlo...

Page 37: ...such as Web and FTP Servers on your network should either use a static IP address or a reservation While you have the option to manually input the information to reserve an IP address Hostname Hardware Addr IP Addr it is much simpler to select a device under the Active Leases section and click Reserve The selected device s information will automatically be added under Reservations LOCAL IP NETWORK...

Page 38: ...hrough Hotspot Provide Hotspot Services on this Network requiring Terms of Service or RADIUS UAM authentication before WAN access will occur on both Wireless and Wired LAN connections IPv6 Settings IPv6 Address Source The Address source has three settings The default of Delegated is desirable in most configurations Delegated The address is provided by a router connected to this router s WAN Static...

Page 39: ...for DHCP broadcast messages that must be routed to remote segments This is accomplished by converting broadcast DHCP messages to unicast messages to communicate between clients and servers Multicast Proxy Multicast Proxy Enables IGMP proxying to allow Multicast Streams to flow across this network Quick Leave Mode Disable quick leave mode if it s vital that the daemon should act exactly as a real m...

Page 40: ... default gateway address and DNS server address to the Virtual IP in DHCP leases provided on this network STP Enable STP Enable Spanning Tree Protocol loop detection Bridge Priority Set the priority of the bridge When determining the root bridge of the spanning tree topology the bridge priority is compared first The bridge with the lowest priority with will win If you want this router to be the ro...

Page 41: ...ally blocking yourself from accessing the router MAC Logging Configuration Enable MAC Logging Enabling MAC Logging will cause the router to log MAC addresses that are connected to the router MAC addresses that you do not want to have logged addresses that you expect to be connected should be added to the Ignored MAC Addresses list You can configure the router to send an alert if a connected device...

Page 42: ...ection The page may need to be refreshed to show the most recent log entries Double clicking on entries from this list will add them to the Ignored MAC Addresses list VLAN INTERFACES A virtual local area network or VLAN functions as any other physical LAN but it enables computers and other devices to be grouped together even if they are not physically attached to the same network switch To enable ...

Page 43: ...r device usually a router that also supports IPsec on the other end IKE Internet Key Exchange is the security protocol in IPsec IKE has two phases phase 1 and phase 2 The router has several different security protocol options for each phase but the default selections will be sufficient for most users The VPN tunnel status page allows you to view the state of the VPN tunnels If a tunnel fails to co...

Page 44: ...ame key Mode Select from Tunnel Transport or VTI Tunnel Tunnel Mode is used for protecting traffic between different networks when traffic must pass through an intermediate untrusted network Transport Mode is used for end to end communications for example for communications between a client and a server VTI Tunnel creates a virtual tunnel interface with a specified virtual IP address This interfac...

Page 45: ...4 or IPv6 The Network Address and the Netmask define what local devices have access to or can be accessed from the VPN tunnel NOTE the local network IP address MUST be different from the remote network IP address Optionally A Port can be defined that will limit the traffic going through the VPN tunnel to only that port If the field is left blank any port will be accepted by the tunnel Add Edit Tun...

Page 46: ...s while maintaining security Aggressive mode is slightly faster but less secure Because it has better security Main mode is recommended for most users Key Lifetime The lifetime of the generated keys of phase 1 of the IPsec negotiation from IKE After the time has expired IKE will renegotiate a new set of phase 1 keys Encryption Hash and DH Groups Each IKE exchange uses one encryption algorithm one ...

Page 47: ...ryption and DH Groups as phase 1 but you are restricted to only one DH Group Phase 2 and phase 1 selections do not have to match For the Hash selection an added value of SHA 256_128 128 bit truncation is avaliable The original specification and the Cradlepoint default is 96 bit truncation but RFC4868 requires 128 bit A VPN to newer Cisco or Juniper devices will typically require 128 bit Add Edit T...

Page 48: ...hat usually does not need to be changed NAT T KeepAlive Interval Number of seconds between sending NAT T packets to keep the tunnel alive if no other traffic is being sent Default 20 seconds Range 0 3600 seconds 20 seconds will be sufficient in almost all cases Tunnel Connect Retry Number of seconds between connection attempts Default 30 seconds Range 10 255 seconds 30 seconds will be sufficient i...

Page 49: ...uration Mode is Advanced If no pings have been received in the amount of time entered OpenVPN restarts the tunnel Tunnel Enabled Click to enable disable this tunnel Add Edit Tunnel Security Cipher Encrypt packets with the selected algorithm The default is BF CBC an abbreviation for Blowfish in Cipher Block Chaining mode Blowfish has the advantages of being fast very secure and allowing key sizes o...

Page 50: ...al Tunnel Name Give the tunnel a name that uniquely identifies it Tunnel Key Enables an ID key for a GRE tunnel which can be used as an identifier for mGRE Multipoint GRE Local Network This is the local side of the Glue Network a network created by the administrator to form the tunnel The user creates the IP address inputted here It must be different from the IP addresses of the networks it is glu...

Page 51: ... device s are available and connected An example use case is when there is a router with both a primary and failover WAN device and the tunnel should only be used when the system has failed over to the backup connection Make a selection for When Condition and Value to create a WAN Binding The condition will be in the form of these examples When Condition Value Port Is USB Port 1 Type Is not WiMax ...

Page 52: ...dress by inputting that address along with a Netmask of 255 255 255 255 Add Edit Tunnel Keep Alive GRE keep alive packets can be enabled to be sent through the tunnel in order to monitor the status of the tunnel and more accurately determine if the tunnel is alive or not GRE keep alive packets may be sent from both sides of a tunnel or from just one side Enabled Select to enable GRE Keep Alive to ...

Page 53: ...e Network Address and Netmask or subnet mask together define a range of IP addresses that comprise the local network you want associated with the NEMO settings Network Mobility NEMO Settings Enbable Enable NEMO WAN Select the WAN s to use for the NEMO connection An expression such as Unique ID is any will allow NEMO to operate on any WAN whereas Type is LTE will limit NEMO operation to the WAN s p...

Page 54: ...el peer The MRU is very similar to the MTU MTU is for packets sent and MRU is for packets received Tunnel Enabled Click to enable disable this tunnel Default Enabled Authentication More authentication options and overrides are available in the next section Username Username for user specific authorization Leave blank to disable Password Shared secret or password used to authenticate the associated...

Page 55: ...ly connected to the router on the interface specified LAN or WAN Device Select the network interface from the dropdown menu e g ethernet wan You can use this instead of defining the IP address especially in cases when the IP address is changing Metric Set the numerical priority of the route Lower numbers have higher priority Allow Network Access Default Deselected Some static routes will need an I...

Page 56: ... Editor Name Unique name of the policy ASN The AS Autonomous System number is one of the essential elements of BGP Router ID This sets the router ID of the BGP process The router ID may be an IP address of the router but need not be it can be any arbitrary 32 bit number However it MUST be unique within the entire BGP domain to the BGP speaker bad things will happen if multiple BGP speakers are con...

Page 57: ...n key all OSPF packets are authenticated The authentication key has a maximum length of eight characters Enabled Click to enable disable the policy Default enabled Network Areas Areas are identified by an ID number Use the IP address and netmask fields to associate a network with this policy Redistribute Routes Redistribute routes of the specified protocol or kind into BGP with the metric type and...

Page 58: ...ed at all so when authentication is configured RIP will discard routing updates received via RIPv1 packets Plain text password Select to use a plain text password instead of an MD5 HMAC WARNING A plain text password is insecure Enabled Click to enable disable the policy Default enabled Networks Set the RIP enabled interfaces by network RIP is enabled on the interfaces that have addresses within th...

Page 59: ...s within the network range Routes Set RIPng static routing announcement of specified network address Redistribute Routes Redistribute routes of the specified protocol or kind into RIPng with the metric type and metric set if specified filtering the routes using the given route map if specified Type The type is the source of the route Select from Main Connected Static OSPF BGP Metric RIPng metric i...

Page 60: ...th one queue Use rules to associate your more critical operations with queues that have higher bandwidth settings For example you might have two queues one for critical and one for secondary with critical having most of the bandwidth percentage Use rules to associate your most important bandwidth needs POS system VoIP etc with the critical queue Restrict the bandwidth available for less important ...

Page 61: ...ct from the following options Default Normal Lowest Lower Below Normal Normal Above Normal High Higher Highest Click Next to continue to the next page Download Bandwidth Enable Download QoS Default Enabled Deselect if you want your rule to apply to upload traffic only Leave this selected to include download restrictions with this queue Borrow Spare Bandwidth Default Enabled When this is enabled th...

Page 62: ...addresses to define the type s of traffic attached to this rule Leaving any field blank will match all values all fields are optional Source Port s and or Destination Port s Enter a port number between 1 and 65535 To enter a single port number input the number into the left box To enter a range of ports fill in both boxes separated by the colon For example 80 90 would represent all ports between 8...

Page 63: ... network Mode Automatic or Static default Automatic Switching to Static enables you to set specific DNS servers in the Primary DNS and Secondary DNS fields Primary DNS and Secondary DNS If you choose to specify your DNS servers then enter the IP addresses of the servers you want as your primary and secondary DNS servers in these fields The DNS server settings will be pre populated with public DNS ...

Page 64: ...NS O Matic ChangeIP NO IP Custom Server DynDNS clone Custom Server Address Only available if you select Custom Server from the Server Address dropdown list Enter your custom DynDNS clone server address here For example www mydyndns org Use HTTPS Use the more secure HTTPS protocol This is recommended but can be disabled if not compatible with the server Host name Enter your host name fully qualifie...

Page 65: ...the IP address for the device by selecting the device in the Active Leases list and clicking Reserve WIFI AS WAN WiFi as WAN uses an outside WiFi network as its Internet source When WiFi as WAN is enabled the router will find other WiFi networks that you can select and connect to Unless a selected WiFi source is on an unprotected network you will need to know its password or key To enable WiFi as ...

Page 66: ...sonal WPA2 Personal WPA1 WPA2 Personal You have two options for adding network profiles Automatic Select a WiFi network in Site Survey and click Import Manual Click on Add under Saved Profiles and input the required information Site Survey This is a list of WiFi networks that the router can currently find along with information about the network such as its mode and channel Click Refresh if a WiFi...

Page 67: ...you know specific DSCP values you can input one here DSCP Negate When checked this rule will match on any packet that does NOT match the DSCP field Protocol Select from the dropdown list to specify the protocol for a particular data use Otherwise leave Any selected Any ICMP TCP UDP GRE ESP SCTP Source IP Address Source Netmask Destination IP Address and Destination Netmask Specify an IP address or...

Page 68: ... be set in CONNECTION MANAGER Spillover This was the default algorithm in older version 3 firmware Load is always given to devices with the most available bandwidth The estimated bandwidth rate is based on a combination of the upload and download configuration values and the observed capabilities of the device Data Usage This mode works in concert with the Data Usage feature The router will make a...

Page 69: ...server NBMA Address NBMA server address the protocol address prefix is associated with Flags SD Shortcut Destination N Non Caching S Shortcut R Redirect Click Add to create a new NHRP interface Enabled Enable or disable the interface Name Give the interface a unique name that matches the mGRE multipoint GRE tunnel Select from configured GRE tunnels or input manually Peer Authentication Embeds the ...

Page 70: ...atic mappings for this interface Click Add in the table to open the static mapping editor Protocol Address Mapped endpoint to from protocol address to NBMA address Protocol Prefix Optional prefix for protocol address NBMA Address Destination mapped address from protocol address prefix Register This optional parameter specifies that a Registration Request should be sent to this peer on startup disp...

Page 71: ...ost Address Identity click Add PORTS A port identity member can be entered as a single Start port number or as a port range by entering both a Start and End port number To add a Port Identity click Add MAC ADDRESSES MAC addresses are entered in the form aa bb cc dd ee ff To add a MAC Address Identity click Add REPUTATION A reputation file contains a list of IPv4 and IPv6 addresses and networks wit...

Page 72: ...lter the traffic flow Default Deny All is a preconfigured policy to deny all traffic initialized from one zone to be blocked to another zone WAN to LAN forwardings use this policy by default The policy can be removed or altered to filter the traffic flow Click Add to create a new filter policy or select an existing policy and click Edit to open the filter policy editor Name Create a name meaningfu...

Page 73: ...he list of Zone Definitions In addition two special zones can be selected for forwarding endpoints The All zone will match any traffic handled by the router and is used as an endpoint for IP Filter Rules migrated from previous firmware versions User editable zones are preferred when adding new forwardings The Router zone will match any traffic initialized from or directed to router services and ca...

Page 74: ...without problems as some of the LANs may lose IPv6 connectivity REMOTE ACCESS RESTRICTION Add any IPv4 addresses that need access to remote administration to this list Clicking Add will allow the addition of IP address and netmask pairs to the administration filter Edit will allow you to change settings for the selected address Remove will remove a selected entry Application Gateways Enabling an a...

Page 75: ...cal Computer Select the IP address of an attached device from the dropdown menu or manually input the IP address of a device Local Port s The port number s that corresponds to the service Web server FTP etc on a local computer or device For example you might input 80 in the Local Port s field to open a port for a Web server on a computer within your network The Internet Port s field could then als...

Page 76: ...l computer to receive forwarded traffic Protocol Select the IP protocol traffic to forward Dynamic 1 1 NAT Dynamic NAT allows translating the destination IP of incoming network traffic to a local network All ports and protocols will be forwarded Netmasks should generally match If the local network range is larger than the incoming destination range then network traffic will begin using port overlo...

Page 77: ...resses By default each MAC MAC WEB FILTER RULES CONTENT FILTERING WEBFILTER SETTINGS General Settings Enable Webfilter Selecting Enable Webfilter will enable the webfiltering service This is used to enable or disable all router based webfiltering and forwarding Filter HTTPS Selecting Filter HTTPS enables redirection of all port 443 traffic into the proxy The proxy will then extract the host name ...

Page 78: ... Web Filter Rule click Add Default Network Filter Settings When a network is set to Allow Blacklist it will allow access to those sites not blocked in the Filter Rules Selecting Block Whitelist will only allow access to websites with an Allow action in the Filter rules all other sites will be blocked Selecting to Filter URLs by IP Address will cause the router to perform a DNS lookup on URL entrie...

Page 79: ...ring If OpenDNS does not appear to be working correctly enabling this will attempt to bypass those ports when using an OpenDNS content filtering level Zscaler Zscaler is a cloud based web filtering and security provider that offers several plan options Depending on your Zscaler implementation this could include Global Cloud Platform Real Time Reporting Behavioral Analysis URL Filtering Advanced Th...

Page 80: ... ECM and go to the Applications tab this is only available to the primary account administrator Once entitled the router must be rebooted for Threat Management to begin working 2 Set up emailed or logged alerts in the Alerts tab in ECM 3 Set up regularly scheduled signature updates in the configuration pages or update manually in ECM via the Devices or Groups page click on Commands in the top tool...

Page 81: ...w the logs go to STATUS System Logs For configuration options including syslog server setup go to SYSTEM Administration System Logging Signature Update Schedule You can choose to have a different signature update schedule for modems than for other WANs This is intended to protect against overages when data usage limits for 3G 4G modems are restricted For both Non Modem WANs and Modem WANs first ch...

Page 82: ...ng certificate details Name Friendly description of the certificate Location The certificate issuer s locality city town etc Organization Information The organization to which the certificate issuer belongs Common Name Name used to match authentication credentials To add a local certificate click Add Remove a local certificate by selecting the certificate and clicking the Remove button ...

Page 83: ... bundle public and private certificate keys in an archive file format The PKCS 12 container format is more secure than the PEM container format because it is protected by an encryption key To import choose a certificate file in PKCS 12 format from your computer or local device and upload it to the router Give the certificate a name that is meaningful to you PKCS 12 files are protected by a passphr...

Page 84: ... User Manual AER3100 AER3150 To export select a local certificate from the dropdown list and download it to your computer or local device in PKCS 12 format When you export this file you must create a passphrase to protect it This key is required for future use of the file ...

Page 85: ...able incoming WAN pings or change settings for the router from the Internet using the router s Internet address Allow WAN pings When enabled the functionality allows an external WAN client to ping the router Allow Remote Web Administration When remote administration is enabled it allows access to these administration web pages from the Internet With it disabled you must be a client on the local ne...

Page 86: ...nabling NTP will tell the router to get its system time from a remote server on the Internet If you do not enable NTP then the router time will be based on when the router firmware was built which is guaranteed to be wrong Whenever the Internet connection is re established and once a week thereafter the router will ask the server for the current time so it can correct itself You then have the opti...

Page 87: ...SH Server When the router s SSH server is enabled you may access the router s command line interface CLI using the standards based SSH protocol Use the username admin and the standard system password to log in SSH Server Port Default 22 Automatically Set System Identifier This will automatically set the system ID to the name of the first client that gets a DHCP lease This feature cannot be used wi...

Page 88: ...o the router for a few simple queries or commands with a text messaging service e g from your phone A modem that does not have an active data connection may still be reachable by SMS because Internet traffic and SMS traffic operate on separate channels so SMS can be used to bring an offline router back online SMS is enabled on the router by default However it only works if SMS is supported and ena...

Page 89: ...ver Address Select the Hostname or IP address from the dropdown menu or type this in manually Include System ID This option will include the router s System ID at the beginning of every log message This is often useful when a single remote Syslog server is handling logs for several routers Include UTF8 Byte Order Mark The log message is sent using UTF 8 encoding By default the router will attach t...

Page 90: ...eir neighbors The router stores the information it receives from its neighbors which can be viewed on the STATUS LLDP page Enable LLDP for Ethernet on the WAN and or LAN TEMPERATURE Use this to track the internal temperature with alerts logging The router also has a mechanism to shut down functions when the internal temperature is dangerously high 80 C Router Temperature C Modem Temperature C Thes...

Page 91: ...d configuration management Health monitoring of router connectivity and data usage Remote management and control of routers Historical record keeping of device logs and status Registering Your Router Once you have signed up for ECM click on the Register Router button to begin managing the router through ECM Input your ECM Username and ECM Password and click Register You have now registered the dev...

Page 92: ...on NTP being enabled and available to report the correct time Unrecognized MAC Address Used with the MAC monitoring lists An alert is sent when a new unrecognized MAC address is connected to the router WAN Device Status Change An attached WAN device has changed status The possible statuses are plugged unplugged connected and disconnected Configuration Change A change to the router configuration Lo...

Page 93: ...in the information for the SMTP server click on the Verify SMTP Settings button You should receive a test email at your account Delivery Options Advanced Email Subject Prefix This optional string is prefixed to the alert subject It can be customized to help you identify alerts from specific routers Retry Attempts The number of attempts made to send an alert to the mail server After the attempts ar...

Page 94: ...e to the WAN interfaces of the router WAN port Use the WAN port field to configure which publicly accessible port you wish to make SNMP services available on Default 161 SNMP Version SNMPv1 SNMP version 1 is the most basic version of SNMP SNMPv1 will configure the router to transmit with settings compatible with SNMP version 1 protocols SNMPv2c SNMP version 2c has the same features as v1 with some...

Page 95: ...d fields This password must be at least eight characters long Enable SNMP traps Enabling traps will allow you to configure a destination server community and port for trap notifications Trap notifications are returned to the server with SNMPv1 Trap community string The trap notifications will be returned to the trap server using this SNMPv1 trap community name Address for trap server Enter the add...

Page 96: ...the firmware System Config Save Restore Download Settings Click on Download Settings to save your current settings to a file on a computer Restore Settings Click on Restore Settings to restore your previous settings from a file on a computer Firmware Management Load new firmware and restore your previous settings from a file on a computer without rebooting between steps MODEM FIRMWARE DEVICE OPTION...

Page 97: ...ed then the highest priority connected device will be used Custom Server Type the Hostname or IP address of the server to which you wish to perform a test If left empty the test will be done to a Cradlepoint server Custom Port Optional The port to which the test is directed Max Duration The Max Duration is the Maximum amount of time for which the test should be run The test may finish sooner if su...

Page 98: ...tivity to the Internet while preventing access to your local network Security Mode Best WPA2 Select this option if your wireless adapters support WPA2 only mode This will connect to most new devices and is the most secure but may not connect to older devices or some handheld devices such as a PSP Good WPA1 WPA2 Select this option if your wireless adapters support WPA or WPA2 This is the most compa...

Page 99: ...ettings will not be overwritten by this generic APN setup Leave this setting as default and after finishing this Wizard go to the CONNECTION MANAGER page select your modem and edit the settings The SIM PIN APN tab has more available settings than are provided here Some modems require a username and password to be entered to authenticate with a carrier Do not fill in the following fields unless you...

Page 100: ...w the router will be used All Ethernet ports will be set to LAN All network groups except the primary network group will be removed All WAN devices will have Load Balance disabled and the highest priority device will be used All Wireless interfaces will be removed from the primary network group All Router based VPN and GRE services will be disabled The Routing Mode will be set to IP Passthrough Th...

Page 101: ...pment and receiver Consult the dealer or an experienced radio TV technician for help FCC CAUTION Any changes or modifications not expressly approved by the party responsible for compliance could void the user s authority to operate this equipment This device complies with Part 15 of the FCC Rules Operation is subject to the following two conditions 1 This device may not cause harmful interference ...

Page 102: ...interference may compromise its operation For products available in the USA Canada market only channels 1 to 11 can be operated Selection of other channels is not possible Devices operating in the 5150 5250 MHz band are reserved for indoor use only in order to reduce the risk of harmful interference to systems ...

Page 103: ...roduct contains software distributed under one or more of the following open source licenses GNU General Public License Version 2 BSD License Net SNMP License and PSF License Agreement for Python 3 3 For more information on this software including licensing terms and your rights to access source code contact Cradlepoint at cradlepoint com opensource WARRANTY INFORMATION Cradlepoint Inc warrants th...

Page 104: ...olicy please visit cradlepoint com privacy OTHER BINDING DOCUMENTS TRADEMARKS COPYRIGHT By activating or using your AER3100 or AER3150 device you agree to be bound by Cradlepoint s Terms of Use User License and other applicable Legal Policies 2015 Cradlepoint Inc All rights reserved Cradlepoint is not responsible for omissions or errors in typography or photography Cradlepoint AER3100 AER3150 and ...
