manualshive.com logo in svg

virtual access GW2021, User Manual

The "Virtual Access GW2021" user manual is the comprehensive guide you need to maximize the potential of your GW2021. Accessible for free download from 88.208.23.73:8080, this manual provides step-by-step instructions, troubleshooting tips, and setup procedures, ensuring you make the most of this cutting-edge product.

Share
Download
background image

28: Configuring firewall 

_______________________________________________________________________________________________________ 

_______________________________________________________________________________________________________ 

© Virtual Access 2018 

GW2020 Series User Manual 

Issue: 2.1 

 

Page 265 of 423 

28

 

 Configuring firewall 

The firewall itself is not required. It is a set of scripts which configure Netfilter. If 
preferred, you can use Netfilter directly to achieve the desired firewall behaviour.  
Note: the UCI firewall exists to simplify the configuration of Netfilter for many scenarios, 
without requiring the knowledge to deal with the complexity of Netfilter. 
The firewall configuration consists of several zones covering one or more interfaces. 
Permitted traffic flow between the zones is controlled by forwardings. Each zone can 
include multiple rules and redirects (port forwarding rules). 
The Netfilter system is a chained processing filter where packets pass through various 
rules. The first rule that matches is executed often leading to another rule-chain until a 
packet hits either ACCEPT or DROP/REJECT.  
Accepted packets pass through the firewall. Dropped packets are prohibited from 
passing. Rejected packets are also prohibited but an ICMP message is returned to the 
source host. 
A minimal firewall configuration for a router usually consists of one 'defaults' section, at 
least two 'zones' (LAN and WAN) and one forwarding to allow traffic from LAN to WAN. 
Other sections that exist are 'redirects', 'rules' and 'includes'. 

28.1

 

Configuration package used 

Package 

Sections 

firewall 

 

28.2

 

Configuring firewall using the web interface 

In the top menu, select Network -> Firewall. The Firewall page appears. It is divided 
into four sections:  

Section 

Description 

General Zone Settings 

Defines the firewall zones, both global and specific. 

Port Forwards 

Port Forwards are also known as Redirects. This section creates the redirects 

using DNAT (Destination Network Address Translation) with Netfilter. 

Traffic Rules 

Defines rules to allow or restrict access to specific ports, hosts or protocols. 

28.2.1

 

Firewall: zone settings 

The Zone settings section is divided into two: 

Section 

Description 

General Settings 

Defines the global firewall settings that do not belong to any specific zones. 

Zones 

The zones section groups one or more interfaces and serves as a source or 

destination for forwardings, rules and redirects. Masquerading (NAT) of outgoing 

traffic is controlled on a per-zone basis. 

 

Summary of Contents for GW2021

Page 1: ...GW2020 Series User Manual Issue 2 1 Date 01 February 2018 ...

Page 2: ...13 Inserting a SIM card 16 2 14 Connecting the SIM lock 16 2 15 Connecting cables 16 2 16 Connecting the antenna 17 2 17 Powering up the GW2020 Series router 17 2 18 Reset button 17 2 19 Recovery mode 17 3 GW2020 Series router LED behaviour 18 3 1 Main LED behaviour 18 3 2 GW2020 Ethernet port LED behaviour 19 4 Factory configuration extraction from SIM card 20 5 Accessing the router 21 5 1 Config...

Page 3: ...6 9 Importing a configuration file 46 7 Using the Command Line Interface 50 7 1 Overview of some common commands 50 7 2 Using Unified Configuration Interface UCI 53 7 3 Configuration files 58 7 4 Configuration file syntax 58 8 Upgrading router firmware 60 8 1 Software versions 60 8 2 Upgrading firmware using CLI 66 9 System settings 69 9 1 Configuration package used 69 9 2 Configuring system prope...

Page 4: ...ng a GRE connection using the web interface 119 14 3 GRE configuration using command line 124 14 4 GRE configuration using UCI 124 14 5 GRE configuration using package options 124 14 6 GRE diagnostics 125 15 Configuring static routes 127 15 1 Configuration package used 127 15 2 Configuring static routes using the web interface 127 15 3 Configuring IPv6 routes using the web interface 128 15 4 Confi...

Page 5: ...ration package used 178 20 2 Configuring Multi WAN using the web interface 178 20 3 Configuring Multi WAN using UCI 182 20 4 Multi WAN diagnostics 184 21 Automatic operator selection 186 21 1 Configuration package used 186 21 2 Configuring automatic operator selection via the web interface 186 21 3 Configuring via UCI 210 21 4 Configuring no PMP roaming using UCI 214 21 5 Automatic operator select...

Page 6: ...sing the web interface 254 26 4 Dynamic DNS using UCI 256 27 Configuring hostnames 258 27 1 Overview 258 27 2 Local host file records 258 27 3 PTR records 260 27 4 Static leases 262 28 Configuring firewall 265 28 1 Configuration package used 265 28 2 Configuring firewall using the web interface 265 28 3 Configuring firewall using UCI 277 28 4 IPv6 notes 280 28 5 Implications of DROP vs REJECT 280 ...

Page 7: ...29 33 5 Example QoS configurations 332 34 Management configuration settings 333 34 1 Activator 333 34 2 Monitor 333 34 3 Configuration packages used 333 34 4 Autoload boot up activation 334 34 5 Autoload packages 334 34 6 Autoload using UCI 337 34 7 HTTP Client configuring activation using the web interface 338 34 8 Httpclient Activator configuration using UCI 341 34 9 Httpclient Activator configu...

Page 8: ... 398 38 2 Configuration package used 398 38 3 Configuring data usage using the web interface 398 38 4 Data usage status 401 38 5 Data usage diagnostics 401 39 Configuring Terminal Server 403 39 1 Overview 403 39 2 Configuration packages used 403 39 3 Configuring Terminal Server using the web interface 403 39 4 Terminal Server using UCI 414 39 5 Terminal Server using package options 414 39 6 Termin...

Page 9: ... under the International Mobile Telecommunications programme IMT 2000 4G is a mobile communications standard intended to replace 3G allowing wireless internet access at a much higher speed 3G and 4G technologies enable network operators to offer users a wider range of more advanced services while achieving greater network capacity through improved spectral efficiency Services include wide area wir...

Page 10: ...efault value is shown in a grey cell Values for enabling and disabling a feature are varied throughout the web interface for example 1 0 Yes No True False check uncheck a radio button In the table descriptions we use 0 to denote Disable and 1 to denote Enable Some configuration sections can be defined more than once An example of this is the routing table where multiple routes can exist and all ar...

Page 11: ...og The following levels are available 0 Emergency 1 Alert 2 Critical 3 Error 4 Warning 5 Notice 6 Informational 7 Debug Web Agent Address UCI snmpd agent 0 agentaddress Opt agentaddress Specifies the address es and port s on which the agent should listen udp tcp port address Table 1 Example of an information table 1 2 2 Definitions Throughout the document we use the host name VA_router to cover al...

Page 12: ...rnet and 3G 4G LTE dual SIM metal case GW2022 2 x Ethernet and 3G 4G LTE dual SIM metal case GW2023 2 x Ethernet 3G 4G LTE and dual RS232 dual SIM metal case GW2024 2 x Ethernet 3G 4G LTE single RS232 and single RS485 dual SIM metal case 2 2 Hardware features Dual SIM sockets Dual antenna SMA connectors Up to eight 10 100 Mbps Ethernet ports Optional 1 or 2 RS232 ports Optional 4KV isolation ports...

Page 13: ...s User Manual Issue 2 1 Page 13 of 423 Figure 2 Serial ports on the GW2020 series router 2 3 1 1 RS232 pinout for the GW2020 Series router Pin Name Direction 1 RTS Out 2 DTR Out 3 TX Data Out 4 GND 5 GND 6 RX Data In 7 DSR In 8 CTS In 2 3 1 2 RS485 pinout for the GW2020 Series router Half Duplex Mode Full Duplex Mode Pin Name Direction From GW2020 Series router Name Direction From GW2020 Series ro...

Page 14: ... checking equipment ratings operating instructions and installation instructions before commissioning or maintenance The user is responsible for ensuring the equipment is installed operated and used for its intended function in the manner specified by Virtual Access Failure to do so may invalidate safety features of the equipment 2 5 1 Power supply symbols Symbol Publication Description IEC 60417 ...

Page 15: ...d to the following standards Safety EN60950 1 EMC EN55022 1998 Class B and EN55024 1998 Class B Environmental ETSI 300 019 1 3 Sinusoidal Vibration and Shock ETSI 300 019 2 3 Random Vibration 2 10 Operating temperature range The operating temperature range depends on the router s type of power supply GW202X 0 C to 40 C Standard AC PSU GW202X ET 20 C to 70 C Extended temperature AC PSU GW202X DC 20...

Page 16: ...standard components Optional components include 1 x lockable SIM cover 1 x extra antenna Virtual Access supplies a wide range of antennas Please visit our website www virtualaccess com or contact Virtual Access for more information Table 4 GW2020 Series router optional components 2 13 Inserting a SIM card 1 Ensure the unit is powered off 2 Hold the SIM 1 card with the chip side facing down and the...

Page 17: ... the reset button all LEDs turn on simultaneously The length of time you hold the reset button will determine its behaviour Press Duration PWR CONFIG LED behaviour Router Behaviour on depress 0 3 seconds On Normal reset to running config No special LED activity Between 3 and 15 seconds Flashing slowly Releasing between 3 15 seconds switches the router back to factory configuration Between 15 and 2...

Page 18: ...020 takes approximately 2 minutes to boot up During this time the power LED flashes Other LEDs display different diagnostic patterns during boot up Booting is complete when the power LED stops flashing and stays on steady Power LED On Power connected Off No power boot loader does not exist Config LED On Unit running a valid configuration file Flashing slowly Unit running in recovery mode 5 Hz Flas...

Page 19: ...Issue 2 1 Page 19 of 423 3 2 GW2020 Ethernet port LED behaviour The Ethernet port has two LEDs a LINK LED green and an ACT LED amber When looking at the port the LED on the left hand side is the LINK LED and the ACT LED is on the right hand side Figure 4 Ethernet LED activity Link LED green Off No physical Ethernet link detected On Physical Ethernet link detected ACT LED amber Off No data is being...

Page 20: ...u are inserting has the required configuration written on it 2 Ensure the router is powered off 3 Hold the SIM 1 card with the chip side facing down and the cut corner front left 4 Gently push the SIM card into SIM slot 1 until it clicks in 5 Power up the router Depending on the model the power LED and or the configuration LED flash as usual The SIM LED starts flashing This indicates the applicati...

Page 21: ...Ethernet using the web interface DHCP is disabled by default so if you do not receive an IP address via DHCP assign a static IP to the PC that will be connected to the router PC IP address 192 168 100 100 Network mask 255 255 255 0 Default gateway 192 168 100 1 Assuming that the PC is connected to Port A on the router in your internet browser type in the default local IP address 192 168 100 1 and ...

Page 22: ... client and connect to the router s management IP address on port 22 192 168 100 1 24 On the first connection you may be asked to confirm that you trust the host Figure 6 Confirming trust of the routers public key over SSH Figure 7 SSH CLI logon screen In the SSH CLI logon screen enter the default username and password Username root Password admin 5 3 1 SCP Secure Copy Protocol As part of accessin...

Page 23: ...ter reboot f To re enable SSH enter root VA_router etc init d dropbear enable root VA_router reboot f Note As SSH is enabled by default initial connection to the router to enable Telnet must be established over SSH 5 5 Configuring the password 5 5 1 Configuration packages used Package Sections system main 5 6 Configuring the password using the web interface To change your password in the top menu ...

Page 24: ...x8A U5kLCMpi9dcahRhOl7eZV1 If you are changing the password using UCI enter the new password in plain text using the password option root VA_router uci system main password newpassword root VA_router uci commit The new password will take effect after reboot and will now be displayed in encrypted format via the hashpassword option 5 8 Configuring the password using package options The root password...

Page 25: ...em config system main option hostname VirtualAccess option timezone UTC config pam_auth option enabled yes option pamservice login option pammodule auth option pamcontrol sufficient option type radius option servers 192 168 0 1 3333 test 20 192 168 2 5 secret 10 config pam_auth option enabled yes option pamservice sshd option pammodule auth option pamcontrol sufficient it checks package management...

Page 26: ...enticates against remote RADIUS if password authentication fails then it tries local database user defined in package management_users Required If either authentication fails or RADIUS server is not reachable then user is not allowed to access the router success done new_authtok_reqd done authinfo_unavail ignore default die Local database is only checked if RADIUS server is not reachable UCI syste...

Page 27: ...ption pamservice sshd option pammodule account option pamcontrol sufficient option type tacplus option servers 192 168 0 1 49 secret option args service ppp config pam_auth option enabled yes option pamservice sshd option pammodule session option pamcontrol sufficient option type tacplus option servers 192 168 0 1 49 secret option args service ppp config pam_auth option enabled yes option pamservi...

Page 28: ...amcontrol sufficient option type tacplus option servers 192 168 0 1 49 secret option args service ppp config pam_auth option enabled yes option pamservice login option pammodule auth option pamcontrol sufficient option type tacplus option servers 192 168 0 1 49 secret config pam_auth option enabled yes option pamservice login option pammodule account option pamcontrol sufficient option type tacplu...

Page 29: ... management_users Required If either authentication fails or TACACS server is not reachable then user is not allowed to access the router success done new_authtok_reqd done authinfo_unavail ignore default die Local database is only checked if TACACS server is not reachable UCI system pam_auth 0 pammodule auth Opt pammodule Selects which TACACS module this part of configuration relates to auth auth...

Page 30: ... Page 30 of 423 The router uses a package called Dropbear to configure the SSH server on the box You can configure Dropbear via the web interface or through an SSH connection by editing the file stored on etc config_name dropbear 5 11 1 Configuration packages used Package Sections dropbear dropbear 5 11 2 SSH access using the web interface In the top menu click System Administration The Administra...

Page 31: ... dropbear dropbear 0 RootPasswordAuth Opt RootPasswordAuth Allows the root user to login with password 0 Disabled 1 Enabled Web Gateway ports UCI dropbear dropbear 0 GatewayPorts Opt GatewayPorts Allows remote hosts to connect to local SSH forwarded ports 0 Disabled 1 Enabled Web Idle Session Timeout UCI dropbear dropbear 0 IdleTimeout Opt IdleTimeout Defines the idle period where remote session w...

Page 32: ...mation about the key its owner s ID and the digital signature of an individual that has verified the content of the certificate In asymmetric cryptography public keys are announced to the public and a different private key is kept by the receiver The public key is used to encrypt the message and the private key is used to decrypt it To access certs and private keys in the top menu click System Adm...

Page 33: ...viour of the server and default values for certificates generated for SSL operation uhttpd supports multiple instances that is multiple listen ports each with its own document root and other features as well as cgi and lua There are two sections defined Main this uHTTPd section contains general server settings Cert this section defines the default values for SSL certificates 5 14 1 Configuration p...

Page 34: ... 0 0 0 80 Bind at port 80 only on IPv4 interfaces 80 Bind at port 80 only on IPv6 interfaces Range IP address and or port Web Secure Listen Address and Port UCI uhttpd main listen_https Opt list listen_https Specifies the ports and address to listen on for encrypted HTTPS access The format is the same as listen_http 0 0 0 0 443 Bind at port 443 only 443 Range IP address and or port Web Home path U...

Page 35: ...for CGI or lua requests in seconds Requested executables are terminated if no output was generated 60 Range Web Network timeout UCI uhttpd main network_timeout Opt network_timeout Maximum wait time for network activity Requested executables are terminated and connection is shut down if no network activity occured for the specified number of seconds 30 Range Web N A UCI uhttpd main realm Opt realm ...

Page 36: ...ay exist The init script will launch one webserver instance per section A standard uhttpd configuration is shown below root VA_router uci show uhttpd uhttpd main uhttpd uhttpd main listen_http 0 0 0 0 80 uhttpd main listen_https 0 0 0 0 443 uhttpd main home www uhttpd main rfc1918_filter 1 uhttpd main cert etc uhttpd crt uhttpd main key etc uhttpd key uhttpd main cgi_prefix cgi bin uhttpd main scr...

Page 37: ...ld UCI Package Option Description Web Days UCI uhttpd px5g days Opt days Validity time of the generated certificates in days 730 Range Web Bits UCI uhttpd px5g bits Opt bits Size of the generated RSA key in bits 1024 Range Web Country UCI uhttpd px5g country Opt country ISO code of the certificate issuer Web State UCI uhttpd px5g state Opt state State of the certificate issuer Web Location UCI uht...

Page 38: ...ublin option location Dublin option commonname 00E0C8000000 5 15 Basic authentication httpd conf For backward compatibility reasons uhttpd uses the file etc httpd conf to define authentication areas and the associated usernames and passwords This configuration file is not in UCI format Authentication realms are defined in the format prefix username password with one entry and a line break Prefix i...

Page 39: ...2 168 1 1 443 config uhttpd main list listen_http 192 168 1 1 80 list listen_https 192 168 1 1 443 5 17 Displaying custom information via login screen The login screen by default shows the hostname of the router in addition to the username and password prompt However the router can be configured to show some other basic information if required using a UDS script Note this can only be configured vi...

Page 40: ...i version serial br local sig luci dispatcher uci cursor_state get mobile 3g_1_1 sig_dbm or 113 sig tonumber sig local hue sig 113 2 local hue math min math max hue 0 120 Signal strength h3 style color hsl hue 90 50 display inline sig h3 dBm 5 17 2 2 Login screen custom information using package options root VA_router uci export luci package luci config core main option login_page_info_template tm...

Page 41: ...b interface and command line interface CLI When showing examples of the command line interface we use the host name VA_router to indicate the system prompt For example the table below displays what the user should see when entering the command to show the current configuration in use on the router root VA_router va_config sh 6 1 System information General information about software and configurati...

Page 42: ... 00E0C8121215 VA_MODEL GW0000 VA_ACTIVEIMAGE image2 VA_ACTIVECONFIG config1 VA_IMAGE1VER VIE 16 00 44 VA_IMAGE2VER VIE 16 00 44 6 2 Identify your software version To check which software version your router is running in the top menu browse to Status Overview Figure 16 The status page showing a software version prior to 72 002 Figure 17 The status page showing software version 72 002 In the Firmwa...

Page 43: ...onfig1 and etc config2 Multiple configuration files exist in each folder Each configuration file contains configuration parameters for different areas of functionality in the system A symbolic link exists at etc config which always points to one of factconf config1 or config2 is the active configuration file Files that appear to be in etc config are actually in etc factconf config1 config2 dependi...

Page 44: ...e format It is used internally to evaluate configuration files as shell scripts import config Imports configuration files in UCI syntax add config section type Adds an anonymous section of type section type to the given configuration add_list config section option string Adds the given string to an existing list option show config section option Shows the given option section or configuration in c...

Page 45: ...t VA_router etc config1 cp etc config2 etc config1 6 8 Exporting a configuration file If you have software versions prior to 72 002 to export a configuration file using the web interface go to section 6 8 1 If you have software version 72 002 or above export a configuration file using the web interface go to section 6 8 2 To export a configuration file using CLI for any software version go to sect...

Page 46: ... operations page In the Flash Operation section click the configuration file in the Contents column to download it 6 8 3 Exporting a configuration file using UCI You can view any configuration file segment using UCI To export the running configuration file enter root VA_router uci export To export the factory configuration file enter root VA_router uci c etc factconf export To export config1 or co...

Page 47: ...figuration file using the web interface for software versions pre 72 002 You can import a configuration file to the alternate configuration segment using the web interface This will automatically reboot the router into this configuration file In the top menu select System Backup Flash Firmware The Flash operations page appears Figure 20 The flash operations page Under Backup Restore choose Restore...

Page 48: ...import a configuration file to the alternate configuration segment using the web interface In the top menu select System Flash Operations The Flash operations page appears Figure 22 The flash operations page In the Operations column click Upload new Select the appropriate file Figure 23 The flash operations succeed upload configuration page If you select Flash image and do not reboot the router wi...

Page 49: ..._____________________ Virtual Access 2018 GW2020 Series User Manual Issue 2 1 Page 49 of 423 6 9 3 Importing a configuration file using UCI You can import a configuration file to any file segment using UCI To import to config1 enter root VA_router uci c etc config1 import paste in config file CTRL D Note it is very important that the config file is in the correct format otherwise it will not impor...

Page 50: ...d enter root VA_router uci set system main password root VA_router uci commit system To reboot the system enter root VA_router reboot The system provides a Unix like command line Common Unix commands are available such as ls cd cat top grep tail head more and less Typical pipe and redirect operators are also available such as The system log can be viewed using any of the following commands root VA...

Page 51: ...current folder enter root VA_router ls bin etc lib opt sbin usr bkrepos home linuxrc proc sys var dev init mnt root tmp www For more details add the l argument root VA_router ls l drwxrwxr x 2 root root 642 Jul 16 2012 bin drwxr xr x 5 root root 1020 Jul 4 01 27 dev drwxrwxr x 1 root root 0 Jul 3 18 41 etc drwxr xr x 1 root root 0 Jul 9 2012 lib drwxr xr x 2 root root 3 Jul 16 2012 mnt drwxr xr x ...

Page 52: ...prompt To view scheduled jobs enter root VA_router crontab l 0 slaupload 00FF5FF92752 TFTP 1 172 16 250 100 69 To view currently running processes enter root VA_router ps PID Uid VmSize Stat Command 1 root 356 S init 2 root DW keventd 3 root RWN ksoftirqd_CPU0 4 root SW kswapd 5 root SW bdflush 6 root SW kupdated 8 root SW mtdblockd 89 root 344 S logger s p 6 t 92 root 356 S init 93 root 348 S sys...

Page 53: ...em UCI consists of a Command Line Utility CLI the files containing the actual configuration data and scripts that take the configuration data and apply it to the proper parts of the system such as the networking interfaces Entering the command uci on its own will display the list of valid arguments for the command and their format root VA_router lib config uci Usage uci options command arguments C...

Page 54: ...ith a text editor but for scripts GUIs and other programs working directly with UCI files export config Exports the configuration in a UCI syntax and does validation import config Imports configuration files in UCI syntax changes config Lists staged changes to the given configuration file or if none given all configuration files add config section type Adds an anonymous section of type section typ...

Page 55: ... 2 2 Export a configuration Using the uci export command it is possible to view the entire configuration of the router or a specific package Using this method to view configurations does not show comments that are present in the configuration file root VA_router uci export httpd package httpd config httpd option port 80 option home www 7 2 3 Show a configuration tree The configuration tree format ...

Page 56: ..._switch 0 eth1 D It is also possible to display a limited subset of a configuration root VA_router uci show network wan network wan interface network wan username foo network wan password bar network wan proto 3g network wan device dev ttyACM0 network wan service umts network wan auto 0 network wan apn hs vodafone ie 7 2 4 Display just the value of an option To display a specific value of an indiv...

Page 57: ...a_eventd va_eventd main enabled yes va_eventd main event_queue_file tmp event_buffer va_eventd main event_queue_size 128K va_eventd conn_tester 0 conn_tester va_eventd conn_tester 0 name Pinger va_eventd conn_tester 0 enabled yes va_eventd conn_tester 0 type ping va_eventd conn_tester 0 ping_dest_addr 192 168 250 100 va_eventd conn_tester 0 ping_success_duration_sec 5 va_eventd target 0 target va_...

Page 58: ...nd urls etc config monitor Monitor details Basic etc config dropbear SSH server options etc config dhcp Dnsmasq configuration and DHCP settings etc config firewall NAT packet filter port forwarding etc etc config network Switch interface L2TP and route configuration etc config system Misc system settings including syslog Other etc config snmpd SNMPd settings etc config uhttpd Web server options uH...

Page 59: ... be combined into a single list of values with the same order as in the configuration file The indentation of the option and list statements is a convention to improve the readability of the configuration file but it is not syntactically required Usually you do not need to enclose identifiers or values in quotes Quotes are only required if the enclosed value contains spaces or tabs Also it is lega...

Page 60: ... in persistent storage is validated To avoid any unrecoverable errors during the process you must follow several safety steps described in this chapter On successful completion of the process you can restart the device running the new firmware 8 1 Software versions If you have software versions prior to 72 002 to upgrade firmware using the web interface go to section 8 1 2 If you have software ver...

Page 61: ...gure 25 The status page showing software version 72 002 In the Firmware Version row the first two digits of the firmware version identify the hardware platform for example LIS 15 while the remaining digits 00 72 002 show the software version 8 1 2 Upgrading router firmware for software versions pre 72 002 Copy the new firmware issued by Virtual Access to a PC connected to the router In the top men...

Page 62: ... or Browse Note the button will vary depending on the browser you are using Select the appropriate image and then click Flash Image The Flash Firmware Verify page appears Figure 27 The flash firmware verify page Click Proceed The System Flashing page appears Figure 28 The system flashing page When the waiting for router icon disappears the upgrade is complete and the login homepage appears To veri...

Page 63: ...sh operations page appears Figure 30 The flash operations page Under Flash Operations click Flash Image Only the inactive image is available to flash Select the appropriate image and then wait until image has loaded Note this process may take a while depending on the available connection speed When the image has loaded the Update Firmware page appears Figure 31 The flash firmware verify page Click...

Page 64: ...l only run the firmware if you click OK to return to the Flash Operations page There you can manually select Made Active after reboot Then click Reboot Now in the Reboot using Active Configuration section 8 1 5 Update flash image and reboot using new image immediately option Figure 33 The firmware update page after update flash image and reboot option selected If you select Update flash image and ...

Page 65: ... event that the firmware upgrade fails the Failed verification File is most likely corrupt or similar message will appear in the Verify file integrity row No changes will be made to the system and the general message File verification failed appears 8 1 7 Verify the firmware has been upgraded successfully To check the firmware version in the top menu browse to System Flash Operations or after rout...

Page 66: ...ter enter which curl which atftp The output shows the available application usr bin curl ATFTP Inline command usage atftp g r LIS 15 00 72 002 image l tmp LIS 15 00 72 002 image x x x x where x x x x is the IP address of your PC g is get operation and l r are local and remote file name to store CURL Inline command usage curl tftp x x x x LIS 15 00 72 002 image o tmp LIS 15 00 72 002 image where x ...

Page 67: ...plication Note it is the user s responsibility to verify the image before starting to write the image to flash process To use the image check on downloaded image enter image check tmp LIS 15 00 72 002 image In the case of any image corruption an appropriate error message appears Error no SquashFS filesystem after CRC d section data length 3 Error read failed expected at least 3 more bytes or simil...

Page 68: ...h alt After a while the checksum will be calculated Calculating checksum 08761cd03e33c569873bcc24cf2b7389 7006920 LIS 15 00 72 002 This MD5 Verify and compare the checksum with the MD5 sum of the downloaded image If the checksum of the written firmware in altimage matches the one from the downloaded image in tmp the new firmware has been programmed successfully 8 2 1 3 Setup an alternative image P...

Page 69: ... SSH session Note this document shows no host name in screen grabs Throughout the document we use the host name VA_router The system configuration contains a logging section for the configuration of a Syslog client 9 1 Configuration package used Package Sections system main timeserver 9 2 Configuring system properties To set your system properties in the top menu click System There are four sectio...

Page 70: ...ezone UCI system main timezone Opt timezone Specifies the time zone that the date and time should be rendered in by default Web n a UCI system main timezone Opt time_save_interval_min Defines the interval in minutes to store the local time for use on next reboot 10m Table 12 Information table for general settings section 9 2 2 Logging Figure 37 The logging section in system properties Web Field UC...

Page 71: ...ediately 2 Emergency System is unusable 1 Web Cron Log Level UCI system main cronloglevel Opt cronloglevel Sets the maximum log level for kernel messages to be logged to the console Only messages with a level lower or level equal to the configured level will be printed to the console Web value Description UCI Normal Normal operation messages 8 Warning Error messages 9 Debug Debug messages 5 Web n ...

Page 72: ..._hours Opt interval_hours Specifies interval of NTP requests in hours Default value set to auto Auto Range auto 1 23 Web NTP server candidates UCI system ntp server Opt list server Defines the list of NTP servers to poll the time from If the list is empty the built in NTP daemon is not started Multiple servers can be configured and are separated by a space if using UCI By default all fields are se...

Page 73: ...boot The System page appears Ensure you have saved all your configuration changes before you reboot Figure 40 The reboot page Check the Reboot now check box and then click Reboot 9 3 System settings using UCI root VA_router uci show system system main system system main hostname VA_router system main timezone UTC system main log_ip 1 1 1 1 system main log_port 514 system main conloglevel 8 system ...

Page 74: ...server 10 10 10 10 option listen LAN1 LAN2 9 4 System diagnostics 9 4 1 System events Events in the system have a class sub class and severity All events are written to the system log 9 4 1 1 Logread To view the system log enter root VA_router logread Shows the log root VA_router logread tail Shows end of the log root VA_router logread more Shows the log page by page root VA_router logread f Shows...

Page 75: ...e log_size and log_type as below root VA_router uci export system package system config system main option hostname VA_router option zonename UTC option timezone GMT0 option conloglevel 8 option cronloglevel 8 option time_save_interval_hour 10 option log_hostname serial option log_ip 1 1 1 1 option log_port 514 option log_file root syslog messages option log_size 400 option log_type file The above...

Page 76: ...ection describes how to configure an Ethernet interface including configuring the interface as a DHCP server adding the interface to a firewall zone mapping the physical switch ports and defining loopback interface 10 1 Configuration packages used Package Sections network interface route va_switch alias firewall zone dhcp dhcp 10 2 Configuring an Ethernet interface using the web interface To creat...

Page 77: ...hernet interfaces Ports are marked with capital letters starting with A Type in space separated port character in the port map fields ATM Bridges ATM bridges expose encapsulated Ethernet in AAL5 connections as virtual Linux network interfaces which can be used in conjunction with DHCP or PPP to dial into the provider network 10 2 1 Interface overview editing an existing interface To edit an existi...

Page 78: ...faces UCI network if name type Opt type If you select this option then the new logical interface created will act as a bridging interface between the chosen existing physical interfaces Empty Bridge Configures a bridge over multiple interfaces Web Cover the following interface UCI network if name ifname Opt ifname Physical interface name to assign to this logical interface If creating a bridge ove...

Page 79: ...___________________________ _______________________________________________________________________________________________________ Virtual Access 2018 GW2020 Series User Manual Issue 2 1 Page 79 of 423 10 2 3 1 Common configuration general setup Figure 43 The Ethernet connection common configuration settings page ...

Page 80: ...interface This is optional if an IPv6 address is provided Web IPv4 netmask UCI network if name netmask Opt netmask Subnet mask to be applied to the IP address of this interface Web IPv4 gateway UCI network if name gateway Opt gateway IPv4 default gateway to assign to this interface optional Web IPv4 broadcast UCI network if name broadcast Opt broadcast Broadcast address This is automatically gener...

Page 81: ...uto Opt auto Enables the interface to connect automatically on boot up 0 Disabled 1 Enabled Web Monitor interface state UCI network if name monitored Opt monitored Enabled if status of interface is presented on Monitoring platform 0 Disabled 1 Enabled Web Override MAC address UCI network if name macaddr Opt macaddr Override the MAC address assigned to this interface Must be in the form hh hh hh hh...

Page 82: ...eparate multiple interfaces by a space when using UCI Example option dependants PPPADSL MOBILE This replaces the following previous options in child interfaces gre option local_interface lt2p option src_ipaddr iot option wan1 wan2 6in4 option ipaddr 6to4 option ipaddr Web SNMP Alias ifindex UCI network x snmp_alias_ifindex Opt snmp_alias_ifindex Defines a static SNMP interface alias index for this...

Page 83: ...hem when using UCI Example network if name vlan_qos_map_ingress 1 2 2 1 Web skb priority to VLAN PCP mapping UCI network if name vlan_qos_map_egress Opt list vlan_qos_map_egress Socket buffer to VLAN priority code point mapping Multiple priority mappings are entered with a space between them when using UCI Example network if name vlan_qos_map_egress 1 2 2 1 Web Interface UCI network if name ifname...

Page 84: ...Issue 2 1 Page 84 of 423 Figure 46 GRE firewall settings 10 2 4 Interface overview IP aliases IP aliasing means associating more than one IP address to a network interface You can assign multiple aliases 10 2 4 1 IP alias packages Package Sections Network alias 10 2 4 2 IP alias using the web To use IP aliases enter a name for the alias and click Add This name will be assigned to the alias section...

Page 85: ...network alias name proto Opt proto This maps the interface protocol to the alias Table 20 Information table for IP Aliases name assignment The IP Aliases configuration options page appears The IP Alias is divided into two sub sections general setup and advanced 10 2 4 3 IP aliases general setup Figure 48 The IP Aliases general setup section Web Field UCI Package Option Description Web IPv4 Address...

Page 86: ... Broadcast UCI network alias name bcast Opt bcast Defines the IP broadcast address for the IP alias Web DNS Server UCI network alias name dns Opt dns Defines the DNS server for the IP alias Table 22 Information table for IP Alias advanced settings page 10 2 5 Interface overview DHCP server Note this option is only available for interfaces with a static IP address 10 2 5 1 DHCP server packages Pack...

Page 87: ...d be enabled for this interface If not specified for the DHCP pool then default is disabled i e dhcp pool enabled 0 Disabled 1 Enabled Web n a UCI dhcp dhcp x start Opt start Defines the offset from the network address for the start of the DHCP pool It may be greater than 255 to span subnets 100 Range Web n a UCI dhcp dhcp x limit Opt limit Defines the offset from the network address for the end o...

Page 88: ...accept the MTU option for this to work Options that contain multiple vales should be separated by a space Example list dhcp_option 6 192 168 2 1 192 168 2 2 No options defined Syntax Option_number option_value Web n a UCI dhcp dhcp x networkid Opt networked Assigns a network id to all clients that obtain an IP address from this pool Table 24 Information table for DHCP advanced settings page For mo...

Page 89: ...tput ACCEPT firewall zone 0 forward ACCEPT firewall zone 0 network lan newinterface root VA_router uci show dhcp dhcp dhcp 0 dhcp dhcp dhcp 0 start 100 root VA_router uci show firewall dhcp dhcp 0 leasetime 12h dhcp dhcp 0 limit 150 dhcp dhcp 0 interface newinterface To change any of the above values use uci set command 10 3 1 Interface common configuration using package options The configuration ...

Page 90: ... 10 10 255 option dns 8 8 8 8 root VA_router uci export firewall package firewall config zone option name lan option input ACCEPT option output ACCEPT option forward ACCEPT option network lan newinterface root VA_router uci export dhcp package dhcp config dhcp option start 100 option leasetime 12h option limit 150 option interface newinterface To change any of the above values use uci set command ...

Page 91: ...A_router uci export network config interface loopback option proto static option ifname lo option ipaddr 127 0 0 1 option netmask 255 0 0 0 10 4 Configuring port maps 10 5 Port map packages Package Sections Network va_switch 10 5 1 Configuring port map using the web interface The new logical Ethernet interface needs to be mapped to a physical switch port To configure the Ethernet switch physical p...

Page 92: ...assigned to switch port B C Eth1 assigned to switch port C D Eth1 assigned to switch port C Web eth2 UCI network va_switch 0 eth2 Opt eth2 Defines eth0 physical switch port mapping Must be entered in upper case A Eth2 assigned to switch port A B Eth2 assigned to switch port B C Eth2 assigned to switch port C D Eth2 assigned to switch port C Web eth3 UCI network va_switch 0 eth3 Opt eth3 Defines et...

Page 93: ...interface 10 6 Interface diagnostics 10 6 1 Interfaces status To show the current running interfaces enter root VA_router ifconfig 3g CDMA Link encap Point to Point Protocol inet addr 10 33 152 100 P t P 178 72 0 237 Mask 255 255 255 255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU 1400 Metric 1 RX packets 6 errors 0 dropped 0 overruns 0 frame 0 TX packets 23 errors 0 dropped 0 overruns 0 carrier 0 ...

Page 94: ...outer ifconfig eth0 eth0 Link encap Ethernet HWaddr 00 E0 C8 12 12 15 inet addr 192 168 100 1 Bcast 192 168 100 255 Mask 255 255 255 0 inet6 addr fe80 2e0 c8ff fe12 1215 64 Scope Link UP BROADCAST RUNNING MULTICAST MTU 1500 Metric 1 RX packets 7710 errors 0 dropped 0 overruns 0 frame 0 TX packets 535 errors 0 dropped 0 overruns 0 carrier 0 collisions 0 txqueuelen 1000 RX bytes 647933 632 7 KiB TX ...

Page 95: ...ies User Manual Issue 2 1 Page 95 of 423 11 Configuring VLAN 11 1 Maximum number of VLANs supported Virtual Access routers support up to 4095 VLANs 11 2 Configuration package used Package Sections Network 11 3 Configuring VLAN using the web interface 11 3 1 Create a VLAN interface To configure VLAN using the web interface in the top menu select Network Interfaces Click Add new interface The Create...

Page 96: ...s and netmask DHCP Client Address and netmask are assigned by DHCP Unmanaged Unspecified IPv6 in IPv4 RFC4213 Used with tunnel brokers IPv6 over IPv4 Stateless IPv6 over IPv4 transport GRE Generic Routing Encapsulation protocol IOT L2TP Layer 2 Tunnelling Protocol PPP Point to Point Protocol PPPoE PPP over Ethernet PPPoATM PPP over ATM LTE UMTS GPRS EV DO CDMA UMTS or GPRS connection using an AT s...

Page 97: ... configuration with fixed address and netmask DHCP Client Address and netmask are assigned by DHCP Unmanaged Unspecified IPv6 in IPv4 RFC4213 Used with tunnel brokers IPv6 over IPv4 Stateless IPv6 over IPv4 transport GRE Generic Routing Encapsulation protocol IOT L2TP Layer 2 Tunnelling Protocol PPP Point to Point Protocol PPPoE PPP over Ethernet PPPoATM PPP over ATM LTE UMTS GPRS EV DO CDMA UMTS ...

Page 98: ...st of DNS server IP addresses optional Table 27 Information table for VLAN general settings 11 3 3 Firewall settings VLAN Use this section to select the firewall zone you want to assign to the VLAN interface Select unspecified to remove the interface from the associated zone or fill out the create field to define a new zone and attach the interface to it Figure 56 Firewall settings page When you h...

Page 99: ... configure VLANs through CLI The VLAN configuration file is stored on etc config network uci export network package network config interface vlan100 option proto static option ifname eth0 100 option monitored 0 option ipaddr 192 168 100 1 option netmask 255 255 255 0 option gateway 192 168 100 10 option broadcast 192 168 100 255 option dns 8 8 8 8 Modify these settings by running uci set parameter...

Page 100: ...onnection using the web interface Note if you are creating multiple mobile interfaces simply repeat the steps in this chapter for each interface Multiple interfaces are required for dual SIM or multiple radio module scenarios Configuring static routes and or Multi WAN can be used to manage these interfaces In the top menu select Network Interfaces The Interfaces Overview page appears 12 2 1 Create...

Page 101: ...ayer 2 Tunnelling Protocol PPP PPPoE PPPoATM LTE UMTS GPRS EV DO CDMA UMTS or GPRS connection using an AT style 3G modem Web Create a bridge over multiple interfaces UCI network 3G type Opt type Enables bridge between two interfaces Not relevant when configuring a mobile interface 0 Disabled 1 Enabled Web Cover the following interface UCI network 3G ifname Opt ifname Select interfaces for bridge c...

Page 102: ... UCI network 3G proto Opt proto Protocol type Select LTE UMTS GPRS EV DO Option Description Static Static configuration with fixed address and netmask DHCP Client Address and netmask are assigned by DHCP Unmanaged Unspecified GRE IOT L2TP Layer 2 Tunnelling Protocol PPP PPPoE PPPoATM LTE UMTS GPRS EV DO CDMA UMTS or GPRS connection using an AT style 3G modem Web Service Type UCI network 3G service...

Page 103: ...at Opt opformat Defines the operator format We recommended you use PLMN code The operator is case sensitive so if using long or short character format it must match the operator exactly To see the current operator using SSH enter the command cat var state mobile or using the web mobile stats page at Status Mobile Stats 0 Long character format 1 Short character format 2 PLMN code Web SIM UCI networ...

Page 104: ...Web Monitor interface state UCI network 3G monitored Opt monitored Enabled if status of interface is presented on Monitoring platform 0 Do not monitor interface 1 Monitor interface Web Enable IPv6 negotiation on the PPP link UCI network 3G ipv6 Opt ipv6 Enables IPv6 routing on the interface 0 Do not enable IPv6 1 Enable IPv6 Web Modem int timeout UCI network 3G maxwait Opt maxwait Maximum amount o...

Page 105: ...red separate using space for UCI or option value Example uci set network 3G dns 1 1 1 1 2 2 2 2 Web LCP echo failure threshold UCI network 3G keepalive Opt keepalive Presumes peer to be dead after a given amount of LCP echo failures use 0 to ignore failures This command is used in conjunction with the LCP echo interval The syntax is as follows uci network 3G keepalive echo failure threshold echo i...

Page 106: ...x Range 0 4294966295 Table 30 Information table for general set up page 12 2 1 3 Mobile interface firewall settings Use this section to select the firewall zone you want to assign to the interface Select unspecified to remove the interface from the associated zone or fill out the create field to define a new zone and attach the interface to it Figure 61 Firewall settings page 12 3 Configuring a mo...

Page 107: ...n defaultroute 1 option metric 1 option service auto option apn test apn option username username option password password option ipv4mode dhcp option ipv6mode none 12 4 Diagnositcs Note the information presented on screen and data output using UCI depends on the actual mobile hardware being used Therefore the interfaces or output you see may differ from the samples shown here 12 4 1 Mobile status...

Page 108: ...___________________________________________ _______________________________________________________________________________________________________ Virtual Access 2018 GW2020 Series User Manual Issue 2 1 Page 108 of 423 Figure 62 The mobile information page Figure 63 The advanced information page ...

Page 109: ...l information page 12 4 2 Mobile status using UCI To display information and status of mobile interfaces such as 3G 4G or CDMA enter mobile_status root VA_router mobile_status Mobile Interface WAN Status idle SIM In yes SIM Slot 1 Operator vodafone IE Technology UMTS CS Network Status Home network PS Network Status Home network Signal dBm 107 IMEI 358743040012737 IMSI 272017113618040 For more adva...

Page 110: ..._______________________________________________________________ Virtual Access 2018 GW2020 Series User Manual Issue 2 1 Page 110 of 423 PS Network Status Home network IMEI 358743040012737 IMSI 272017113618040 Operator vodafone IE Phone Number 353874512040 SIM In yes SIM Slot 1 SIM1 ICCID 8935301140701270414 Signal dBm 107 Technology UMTS Temperature C 28 Hardware Revision R1C08 ...

Page 111: ...ation package used Package Sections mobile Main Callers Roaming template 13 2 Configuring mobile manager using the web interface Select Services Mobile Manager The Mobile Manager page appears There are four sections in the mobile manager page Section Description Basic settings Enable SMS configure SIM pin code select roaming SIM collect ICCCIDs and set IMSI CDMA CDMA configuration Callers Configur...

Page 112: ...le Digits Up to 15 digits Web PIN code for SIM1 UCI mobile main sim1pin Opt sim1pin Depending on the SIM card specify the pin code for SIM 1 Blank Range Depends on the SIM provider Web PIN code for SIM2 UCI mobile main sim2pin Opt sim2pin Depending on the SIM card specify the pin code for SIM 2 Blank Range Depends on the SIM provider Web LTE bands for SIM1 UCI mobile main sim1_lte_bands Opt sim1_l...

Page 113: ... service_order Opt service_order Defines a space separated list of services in preferred order Valid options are gprs umts lte auto If no valid_service order is defined then the configured Service Type is used Example mobile main service_order gprs umts lte auto Blank Use configured service type Range gprs umts lte auto Table 31 Information table for mobile manager basic settings 13 2 2 Mobile man...

Page 114: ...x if different from the default 2 0 7 Web Slot Mode UCI mobile main cdma_slot_mode Opt cdma_slot_mode Specifies the slot mode 0 Web Mobile Directory Number UCI mobile main cdma_mobile_directory_number Opt cdma_mobile_directory_number Allows the mobile directory number MDN to be changed Default Programmed in module Digits Up to 15 digits Web MOB_TERM_HOME registration flag UCI mobile main cdma_mob_...

Page 115: ..._channel_a Opt cdma_secondary_channel_a Allows the secondary channel A to be changed 691 1 2016 Any band class 5 channel number Web Secondary Channel B UCI mobile main cdma_secondary_channel_b Opt cdma_secondary_channel_b Allows the secondary channel B to be changed 777 1 2016 Any band class 5 channel number Web Preferred Forward Reverse RC UCI mobile main cdma_preferred_forward_and_re verse_rc Op...

Page 116: ...If checked the router will return an SMS Select Respond if you want the router to reply 0 Disabled 1 Enabled Table 33 Information table for mobile manager callers settings 13 2 4 Mobile manager roaming interface template For more information on Roaming Interface Template configuration read the chapter Automatic Operator Selection 13 3 Configuring mobile manager using command line 13 3 1 Mobile man...

Page 117: ...ler 1 respond 1 13 3 2 Mobile manager using package options root VA_router uci export mobile package mobile config mobile main option sim1pin 0000 option sim2pin 0000 option roaming_sim none option sms 1 option hdr_password 5678 option hdr_userid 1234 option init_get_iccids 1 config caller option name vasupport option number 353871234567 option enabled 1 option respond 1 config caller option name ...

Page 118: ...oot VirtualAccess Aug 10 16 29 11 user notice VirtualAccess mobile 1737 Queue sms to 353879876543 hello 13 5 Sending SMS from the router You can send an outgoing message via the command line using the following syntax sendsms 353879876543 hello root VirtualAccess Aug 10 16 29 1 user notice VirtualAccess mobile 1737 Queue sms to 353879876543 hello 13 6 Sending SMS to the router The router can accep...

Page 119: ...he web interface To create GRE interfaces through the web interface in the top menu select Network Interfaces There are three sections in the Interfaces page Section Description Interface Overview Shows existing interfaces and their status You can create new and edit existing interfaces here Port Map In this section you can map device ports to Ethernet interfaces Ports are marked with capital lett...

Page 120: ...DHCP Client Address and netmask are assigned by DHCP Unmanaged Unspecified IPv6 in IPv4 RFC4213 Used with tunnel brokers IPv6 over IPv4 Stateless IPv6 over IPv4 transport GRE Generic Routing Encapsulation protocol IOT L2TP Layer 2 Tunnelling Protocol PPP Point to Point protocol PPPoE PPP over Ethernet PPPoATM PPP over ATM LTE UMTS GPRS EV DO CDMA UMTS or GPRS connection using an AT style 3G modem ...

Page 121: ...figuration general setup Figure 70 The GRE common configuration page Web Field UCI Package Option Description Web Protocol of the new interface UCI network if name proto Opt proto Shows the protocol the interface will operate on GRE should be currently selected Web Tunnel IP Address UCI network if name ipaddr Opt ipaddr Configures local IP address of the GRE interface Web Mask Length UCI network i...

Page 122: ...g to be linked with the GRE tunnel interface optional Web Remote IP address UCI network if name remote_ip Opt remote_ip For point to point tunnels specifies Remote IP address Web TTL UCI network if name ttl Opt ttl Sets Time To Live value on the interface 128 Range Web Tunnel key UCI network if name key Opt key Sets GRE tunnel ID key optional Usually an integer Web MTU UCI network if name mtu Opt ...

Page 123: ... interface is down and will start or restart when parent interface starts Separate multiple interfaces by a space when using UCI Example option dependants PPPADSL MOBILE This replaces the following previous options in child interfaces gre option local_interface lt2p option src_ipaddr iot option wan1 wan2 6in4 option ipaddr 6to4 option ipaddr Web SNMP Alias ifindex UCI network x snmp_alias_ifindex ...

Page 124: ...etwork Static Routes For more information read the chapter Configuring Static Routes 14 3 GRE configuration using command line The configuration file is stored on etc config network For the examples below tunnel1 is used as the interface logical name 14 4 GRE configuration using UCI root VA_router uci show network network tunnel1 interface network tunnel1 proto gre network tunnel1 monitored 0 netw...

Page 125: ...0 overruns 0 carrier 0 collisions 0 txqueuelen 1000 RX bytes 10889090 10 3 MiB TX bytes 68820 67 2 KiB eth4 Link encap Ethernet HWaddr 00 1E 10 1F 00 00 inet addr 10 68 66 54 Bcast 10 68 66 55 Mask 255 255 255 252 inet6 addr fe80 21e 10ff fe1f 0 64 Scope Link UP BROADCAST RUNNING MULTICAST MTU 1500 Metric 1 RX packets 81 errors 0 dropped 0 overruns 0 frame 0 TX packets 127 errors 0 dropped 0 overr...

Page 126: ...ncap UNSPEC HWaddr 0A 44 42 36 00 00 7F E2 00 00 00 00 00 00 00 00 inet addr 13 13 13 2 Mask 255 255 255 248 inet6 addr fe80 5efe a44 4236 64 Scope Link UP RUNNING MULTICAST MTU 1472 Metric 1 RX packets 7 errors 0 dropped 0 overruns 0 frame 0 TX packets 7 errors 0 dropped 0 overruns 0 carrier 0 collisions 0 txqueuelen 0 RX bytes 912 912 0 B TX bytes 8GRE route status To show the current GRE route ...

Page 127: ...cols are not used or they are not configured for such subnets They can be created based on outgoing interface or next hop IP address 15 1 Configuration package used Package Sections network route 15 2 Configuring static routes using the web interface In the top menu select Network Static Routes The Routes page appears Figure 73 The routes page In the IPv4 Routes section click Add Web Field UCI Pac...

Page 128: ...Package Option Description Web Interface UCI network route 1 interface Opt interface Specifies the logical interface name of the parent or master interface this route belongs to It must refer to one of the defined interface sections Web target UCI network route 1 target Opt target Specifies the route network IP address or subnet in CIDR notation Eample 2001 0DB8 100 F00 BA3 1 64 Web Gateway UCI ne...

Page 129: ...r example a route named myroute will be network myroute To define a named route using UCI enter network name_your_route route network name_your_route interface lan To define a named route using package options enter config route name_your_route option interface lan 15 5 IPv4 routes using UCI The command line example routes in the subsections below do not have a configured name root VA_router uci s...

Page 130: ... option interface lan option target 2 2 2 2 option netmask 255 255 255 255 option gateway 192 168 100 1 option metric 1 option mtu 1500 15 7 IPv6 routes using UCI root VA_router uci show network network route 1 route network route 1 interface lan network route 1 target 2001 0DB8 100 F00 BA3 1 64 network route 1 gateway 2001 0DB8 99 1 network route 1 metric 1 network route 1 mtu 1500 15 8 IPv6 rout...

Page 131: ...________________________ Virtual Access 2018 GW2020 Series User Manual Issue 2 1 Page 131 of 423 15 9 Static routes diagnostics 15 9 1 Route status To show the current routing status enter root VA_router route n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 192 168 100 0 255 255 255 0 U 0 0 0 eth0 Note a route will only be displayed in the routing table when the in...

Page 132: ... between gateway hosts each with its own router in a network of autonomous systems BGP is often the protocol used between gateway hosts on the internet The routing table contains a list of known routers the addresses they can reach and a cost metric associated with the path to each router so that the best available route is chosen 16 1 Configuration package used Package Sections bgpd routing peer ...

Page 133: ...een RIB scans 60 60 seconds Range Web Autonomous System Number UCI bgpd bgpd asn Opt asn Defines the ASN for the local router Type in the ASN Blank Range 1 4294967295 Web Network UCI bgpd bgpd network Opt list network Sets the list of networks that will be advertised to neighbours in prefix format 0 0 0 0 0 Separate multiple networks by a space using UCI Ensure the network prefix matches the one s...

Page 134: ...Matches AS path Route Metric Matches route metric BGP Community Matches BGP community Web Match value UCI bgpd ROUTEMAP match Opt match Defines the value of the match type Format depends on the Match Type selected In the case of IP address and BGP Community values the match value is parsed as a list of items to match Web Set Option UCI bgpd ROUTEMAP set_type Opt set_type Defines the set option to ...

Page 135: ...s of the neighbour Web Autonomous System Number UCI bgpd peer 0 asn Opt asn Sets the ASN of the remote peer Blank Range 1 4294967295 Web Route Map UCI bgpd peer 0 route_map Opt route_map Sets route map name to use with this neighbour Web Route Map Direction UCI bgpd peer 0 route_map_in Opt route_map_in Defines the direction the route map should be applied 1 In 0 Out Table 41 Information table for ...

Page 136: ...168 101 1 32 bgpd ROUTEMAP set_type ip next hop bgpd ROUTEMAP set 192 168 101 2 32 To change any of the above values use UCI set command 16 4 Configuring BGP using packages options root VA_router uci export bgpd package bgpd config routing bgpd option enabled yes option router_id 3 3 3 3 option asn 1 list network 11 11 11 0 29 list network 192 168 103 1 32 config peer option route_map_in yes optio...

Page 137: ...________________________ Virtual Access 2018 GW2020 Series User Manual Issue 2 1 Page 137 of 423 16 5 View routes statistics To view routes statistics in the top menu click Status Routes The routing table appears Figure 78 The routing table To view routes via the command line enter root support route n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 10 1 0 0 0 0 0 0 ...

Page 138: ...r relationships with adjacent routers in the same area Instead of advertising the distance to connected networks OSPF advertises the status of directly connected links using Link State Advertisements LSAs OSPF sends updates LSAs when there is a change to one of its links and will only send the change in the update LSAs are additionally refreshed every 30 minutes OSPF traffic is multicast either to...

Page 139: ... see a number of subnets reachable via area 0 17 1 2 OSPF neighbours OSPF forms neighbour relationships called adjacencies with other routers in the same Area by exchanging Hello packets to multicast address 224 0 0 5 Only after an adjacency is formed can routers share routing information Each OSPF router is identified by a unique router ID The router ID can be determined in one of three ways The ...

Page 140: ...f the remote interface of each neighbour 17 1 3 OSPF designated routers In multi access networks such as Ethernet there is the possibility of many neighbour relationships on the same physical segment This leads to a considerable amount of unnecessary Link State Advertisement LSA traffic If a link of a router were to fail it would flood this information to all neighbours Each neighbour in turn woul...

Page 141: ...h other Full Indicates that the routers are fully synchronized The topology table of all routers in the area should now be identical Depending on the role of the neighbour the state may appear as Full DR Indicating that the neighbour is a Designated Router DR Full BDR Indicating that the neighbour is a Backup Designated Router BDR Full DROther Indicating that the neighbour is neither the DR nor BD...

Page 142: ...system that separates an autonomous system into individual areas OSPF traffic can either be intra area within one area inter area between separate areas or external from another AS OSPF routers build a topology database of all links within their area and all routers within an area will have an identical topology database Routing updates between these routers will only contain information about lin...

Page 143: ...ecting to a separate Autonomous System such as the internet By redistributing another routing protocol into the OSPF process ASBRs provide access to external networks OSPF defines two types of external routes as shown in the table below Type 2 E2 Includes only the external cost to the destination network External cost is the metric being advertised from outside the OSPF domain This is the default ...

Page 144: ... the ospfd routing section The web automatically names the routing section ospfd Figure 81 The OSPF global settings configuration page Web Field UCI Package Option Description Web OSPF Enabled UCI ospfd ospfd enabled Opt enabled Enables OSPF advertisements on router 0 Disabled 1 Enabled Web Router ID UCI ospfd ospfd router_id Opt router_id This sets the Router ID of the OSPF process The Router ID ...

Page 145: ...ip_addr Opt ip_addr Specify the IP address for OSPF enabled interface Format A B C D Web Mask Length UCI ospfd network 0 mask_length Opt mask_length Specify the mask length for OSPF enabled interface The mask length should be entered in CIDR notation Web Area UCI ospfd network 0 area Opt area Specify the area number for OSPF enabled interface Web Stub Area UCI ospfd network 0 stub_area Opt stub_ar...

Page 146: ...fd interface 0 ospf_interface Opt ospf_interface Defines the interface name Web Network Type UCI ospfd interface 0 network_type Opt network_type Defines network type for specified interface Default Autodetect it will be broadcast If broadcast is not supported on that interface then use point to point broadcast non broadcast point to point point to multipoint Web Passive UCI ospfd interface 0 passi...

Page 147: ...e plain text password included with the packet or via a more secure MD5 based HMAC keyed Hashing for Message AuthentiCation Enabling authentication prevents routes being updated by unauthenticated remote routers but still can allow routes that is the entire OSPF routing table to be queried remotely potentially by anyone on the internet via OSPFv1 no Default value No authentication md5 Set the inte...

Page 148: ...pfd network 0 ip_addr 12 1 1 1 Or using package options config network option ip_addr 12 1 1 1 17 5 OSPF using UCI root VA_router uci show ospfd ospfd ospfd routing ospfd ospfd enabled yes ospfd ospfd default_info_originate yes ospfd ospfd router_id 1 2 3 4 ospfd network 0 network ospfd network 0 ip_addr 12 1 1 1 ospfd network 0 mask_length 24 ospfd network 0 area 0 ospfd network 0 stub_area yes o...

Page 149: ...id 1 ospfd interface 1 md5_auth_key test 17 6 OSPF using package options root VA_router uci export ospfd package ospfd config routing ospfd option enabled yes option default_info_originate yes option router_id 1 2 3 4 config network option ip_addr 12 1 1 1 option mask_length 24 option area 0 option stub_area yes config interface option ospf_interface lan8 option hello_interval 10 option dead_inter...

Page 150: ...U 0 0 0 eth1 10 206 4 64 0 0 0 0 255 255 255 252 U 0 0 0 usb0 11 11 11 0 0 0 0 0 255 255 255 248 U 0 0 0 gre GRE 89 101 154 151 10 206 4 65 255 255 255 255 UGH 0 0 0 usb0 192 168 100 0 0 0 0 0 255 255 255 0 U 0 0 0 eth0 192 168 101 1 11 11 11 1 255 255 255 255 UGH 11 0 0 gre GRE 192 168 104 1 11 11 11 4 255 255 255 255 UGH 20 0 0 gre GRE Note a route will only be displayed in the routing table whe...

Page 151: ...e routing protocol suite embedded in the router firmware Quagga is split into different daemons for implementation of each routing protocol Zebra is a core daemon for Quagga providing the communication layer to the underlying Linux kernel and routing updates to the client daemons Quagga has a console interface to Zebra for advanced debugging of the routing protocols To access enter root VA_router ...

Page 152: ... is directly connected lo C 192 168 100 0 24 is directly connected eth0 O 192 168 101 1 32 110 11 via 11 11 11 1 gre GRE 02 35 28 O 192 168 104 1 32 110 20 via 11 11 11 4 gre GRE 02 30 45 O 192 168 105 1 32 110 10 is directly connected lo 02 47 52 C 192 168 105 1 32 is directly connected lo 17 8 1 OSPF debug console When option tty_enabled see Global settings section above is enabled in the OSPF c...

Page 153: ...irectly attached to lo OSPF router routing table OSPF external routing table To see OSPF neighbours from OSPF debug console enter sh ip ospf neighbour root VA_router sh ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface RXmtL RqstL DBsmL 1 1 1 1 255 Full DR 33 961s 11 11 11 1 gre GRE 11 11 11 5 0 0 0 To see OSPF interface details from OSPF debug console enter sh ip ospf interface r...

Page 154: ...AST MULTICAST OSPF not enabled on this interface eth7 is down ifindex 16 MTU 1500 bytes BW 0 Kbit BROADCAST MULTICAST OSPF not enabled on this interface gre GRE is up ifindex 19 MTU 1472 bytes BW 0 Kbit UP RUNNING MULTICAST Internet Address 11 11 11 5 29 Area 0 0 0 0 MTU mismatch detection enabled Router ID 192 168 105 1 Network Type BROADCAST Cost 10 Transmit Delay is 1 sec State Backup Priority ...

Page 155: ...outer on this network Multicast group memberships None Timer intervals configured Hello 10s Dead 40s Wait 40s Retransmit 5 Hello due in inactive Neighbor Count is 0 Adjacent neighbor count is 0 sit0 is down ifindex 7 MTU 1480 bytes BW 0 Kbit NOARP OSPF not enabled on this interface teql0 is down ifindex 4 MTU 1500 bytes BW 0 Kbit NOARP OSPF not enabled on this interface tunl0 is down ifindex 5 MTU...

Page 156: ..._________ _______________________________________________________________________________________________________ Virtual Access 2018 GW2020 Series User Manual Issue 2 1 Page 156 of 423 192 168 105 1 192 168 105 1 879 0x8000000b 0x4919 2 Net Link States Area 0 0 0 0 Link ID ADV Router Age Seq CkSum 11 11 11 1 1 1 1 1 595 0x80000004 0x5712 ...

Page 157: ...ault first hop router by end hosts The advantage gained from using VRRP is a higher availability default path without requiring configuration of dynamic routing or router discovery protocols on every end host Two or more routers forming the redundancy cluster are configured with the same Router ID and Virtual IP address A VRRP router group operates within the scope of the single LAN Additionally t...

Page 158: ...ual Access 2018 GW2020 Series User Manual Issue 2 1 Page 158 of 423 Figure 84 The VRRP global settings configuration page Web Field UCI Package Option Description Web VRRP Enabled UCI vrrp main enabled Opt Enabled Globally enables VRRP on the router 0 Disabled 1 Enabled 18 3 2 VRRP group configuration settings The VRRP Group Configuration section configures vrrp package vrrp_group section To acces...

Page 159: ...2 1 Page 159 of 423 Figure 85 The VRRP group configuration page Web Field UCI Package Option Description Web Group Enabled UCI vrrp vrrp_group X enabled Opt Enabled Enables a VRRP group on the router 0 Disabled 1 Enabled Web Interface UCI vrrp vrrp_group X interface Opt interface Sets the local LAN interface name in which the VRRP cluster is to operate For example lan The interface name is taken f...

Page 160: ...0 track_ipsec Tunnel2 or using a list of options via package options list track_ipsec Tunnel1 list track_ipsec Tunnel2 Blank No IPSec connection to track Range Web Track IPsec Fail Time UCI vrrp vrrp_group X track_ipsec_fail_sec Opt track_ipsec_fail_sec Defines duration in seconds to determine IPsec tunnel failure 300 300 seconds Range Web IPSec connection UCI vrrp vrrp_group X ipsec_connection Op...

Page 161: ...ould monitor If a monitored IPSec connection goes down on the Master VRRP router it goes into Fault state and the Backup VRRP router becomes the Master Multiple IPsec connections are entered using uci set and uci add_list commands Example uci set vrrp vrrp_group 0 track_ipsec Tunnel1 uci add_list vrrp vrrp_group 0 track_ipsec Tunnel2 or using a list of options via package options list track_ipsec ...

Page 162: ...ot VA_router uci show vrrp vrrp main vrrp vrrp main enabled yes vrrp g1 vrrp_group vrrp g1 enabled yes vrrp g1 interface lan vrrp g1 track_iface WAN MOBILE vrrp g1 init_state BACKUP vrrp g1 router_id 1 vrrp g1 priority 100 vrrp g1 advert_int_sec 120 vrrp g1 password secret vrrp g1 virtual_ipaddr 10 1 10 150 16 vrrp g1 garp_delay_sec 5 vrrp g1 ipsec_connection Test vrrp g1 track_ipsec conn1 conn2 1...

Page 163: ...______________________________________________________ Virtual Access 2018 GW2020 Series User Manual Issue 2 1 Page 163 of 423 option init_state BACKUP option router_id 1 option priority 100 option advert_int_sec 120 option password secret option virtual_ipaddr 10 1 10 150 16 option garp_delay_sec 5 option ipsec_connection Test list track_ipsec conn1 list track_ipsec conn2 ...

Page 164: ...ost networking environments RIP is not the preferred choice for routing as its time to converge and scalability are poor compared to EIGRP or OSPF 19 1 1 RIP characteristics RIP is a standardised distance vector protocol designed for use on smaller networks RIP was one of the first true distance vector routing protocols and is supported on a wide variety of systems RIP adheres to the following dis...

Page 165: ... networks must be contiguous and subnets of a major network must be configured with identical subnet masks Otherwise route table inconsistencies or worse will occur RIPv1 sends updates as broadcasts to address 255 255 255 255 RIPv2 RFC 2453 is classless and therefore does include the subnet mask with its routing table updates RIPv2 fully supports VLSMs allowing discontinuous networks and varying s...

Page 166: ...are four sections in the RIP page Section Description Global Settings Enables RIP and configures the RIP routing section containing global configuration parameters The web automatically names the routing section ripd Interfaces Configuration Configures the interface sections Defines interface configuration for RIP and interface specific parameters Offset Configuration Configures the offset section...

Page 167: ... establish a direct link between routers The neighbour command allows the network administrator to specify a router as a RIP neighbour Multiple RIP neighbours are entered using uci set and uci add_list commands Example uci set ripd ripd neighbor 1 1 1 1 uci add_list ripd ripd neighbor 2 2 2 2 or using a list of options via package options list neighbor 1 1 1 1 list neighbor 2 2 2 2 Web Update Time...

Page 168: ... ripd ripd vty_enabled Opt vty_enabled Enable vty for RIPd telnet to localhost 2602 Table 49 Information table for RIP global settings 19 3 2 Offset configuration This section is used for RIP metric manipulation RIP metric is a value for distance in the network Usually ripd package increments the metric when the network information is received Redistributed routes metric is set to 1 Figure 87 The ...

Page 169: ... UCI ripd interface 0 auth_mode Opt auth_mode RIPv2 only allows packets to be authenticated via either an insecure plain text password included with the packet or via a more secure MD5 based HMAC keyed Hashing for Message AuthentiCation Enabling authentication prevents routes being updated by unauthenticated remote routers but still can allow routes that is the entire RIP routing table to be queri...

Page 170: ...MD5 chain Table 52 Information table for MD5 authentication key chains commands 19 4 Configuring RIP using command line RIP is configured under the ripd package etc config ripd There are four config sections ripd interface key_chain and offset You can configure multiple interface key_chain and offset sections By default all RIP interface instances are named interface it is identified by interface ...

Page 171: ... UCI ripd offset 0 offset ripd offset 0 metric 1 Or using package options config offset option metric 1 19 4 1 RIP using UCI root VA_router uci show ripd ripd ripd routing ripd ripd version 2 ripd ripd enabled yes ripd ripd network lan2 gre1 ripd ripd neighbor 10 1 1 100 10 1 2 100 ripd ripd tb_update_sec 30 ripd ripd tb_timeout_sec 180 ripd ripd tb_garbage_sec 120 ripd ripd default_info_originate...

Page 172: ...rse 0 ripd interface 2 passive 0 ripd interface 2 auth_mode md5 ripd interface 2 key_chain Keychain1 ripd key_chain 0 key_chain ripd key_chain 0 key_chain_name Keychain1 ripd key_chain 0 key_id 1 ripd key_chain 0 auth_key 123 ripd offset 0 offset ripd offset 0 metric 1 ripd offset 0 match_network 10 1 1 1 24 19 4 2 RIP using package options root VA_router uci export ripd package ripd config routin...

Page 173: ... auth_mode no option split_horizon 1 option poison_reverse 0 option passive 0 config interface option rip_interface lan2 option split_horizon 1 option poison_reverse 0 option passive 0 option auth_mode text option auth_key textsecret config interface option rip_interface lan3 option split_horizon 1 option poison_reverse 0 option passive 0 option auth_mode md5 option key_chain keychain1 config key_...

Page 174: ... 0 0 0 0 0 255 255 255 248 U 0 0 0 gre GRE 89 101 154 151 10 205 154 65 255 255 255 255 UGH 0 0 0 usb0 192 168 100 0 0 0 0 0 255 255 255 0 U 0 0 0 eth0 192 168 104 1 11 11 11 4 255 255 255 255 UGH 3 0 0 gre GRE 192 168 154 154 11 11 11 1 255 255 255 255 UGH 2 0 0 gre GRE Note a route will only be displayed in the routing table when the interface is up 19 5 2 Tracing RIP packets RIP uses UDP port 5...

Page 175: ...g updates to the client daemons Quagga has a console interface to Zebra for advanced debugging of the routing protocols To access enter telnet localhost zebra password zebra root VA_router telnet localhost zebra Entering character mode Escape character is Hello this is Quagga version 0 99 21 Copyright 1996 2005 Kunihiro Ishiguro et al User Access Verification Password To see RIP routing informatio...

Page 176: ...in the RIP configuration RIP debug console can be accessed for advanced RIP debugging To access RIP debug console enter telnet localhost ripd password zebra root VA_router telnet localhost ripd Entering character mode Escape character is Hello this is Quagga version 0 99 21 Copyright 1996 2005 Kunihiro Ishiguro et al User Access Verification Password To see RIP status from RIP debug console enter ...

Page 177: ...is rip Sending updates every 30 seconds with 50 next due in 17 seconds Timeout after 180 seconds garbage collect after 120 seconds Outgoing update filter list for all interface is not set Incoming update filter list for all interface is not set Default redistribution metric is 1 Redistributing Default version control send version 2 receive version 2 Interface Send Recv Key chain gre GRE 2 2 lo 2 2...

Page 178: ...ace state pings to an ICMP target signal level checks using signal threshold RSCP threshold and ECIO threshold option values A fail for any of the above health checks results in a fail After a configurable number of health check failures Multi WAN will move to the next highest priority interface Multi WAN will optionally stop the failed interface and start the new interface if required In some cir...

Page 179: ...ending on timer set by ifup_retry_sec 0 Disabled 1 Enabled Web Alternate Mode UCI multiwan config alt_mode Opt alt_mode Enables or disables alternate mode for Multi WAN If enabled the router will use an alternate interface after reboot 0 Disabled 1 Enabled Table 53 Information table for multi WAN page When you have enabled Multi WAN you can add the interfaces that will be managed by Multi WAN for ...

Page 180: ...____________________________ _______________________________________________________________________________________________________ Virtual Access 2018 GW2020 Series User Manual Issue 2 1 Page 180 of 423 Figure 91 Example interface showing failover traffic destination as the added multi WAN interface ...

Page 181: ...cted then multiwan does not send a ping health check to the icmp_host otherwise a ping is sent as normal to the icmp_host By default the conntrack_hosts is checked if the health interval is greater than 5 minutes This time threshold currently cannot be manipulated Conntrack is generally used to limit the traffic sent on a GSM network Default Conntrack checks for traffic from icmp_host IP when heal...

Page 182: ...he value stored for sig_dbm in mobile diagnostics 115 Disabled Range 46 to 115 dBm Web RSCP Threshold dBm UCI multiwan wan rscp_threshold Opt rscp_threshold Specifies the minimum RSCP signal strength in dBm before considering if the interface fails signal health check Uses the value stored for rscp_dbm in mobile diagnostics 115 Disabled Range 46 to 115 dBm Web ECIO Threshold dB UCI multiwan wan ec...

Page 183: ...lth_fail_retries 3 option health_recovery_retries 5 option priority 2 option manage_state yes option exclusive_group 0 option ifup_retry_sec 40 option icmp_hosts disable option icmp_interval 1 option timeout 3 option icmp_count 1 option conntrack_hosts disable option signal_threshold 111 option rscp_threshold 90 option ecio_threshold 15 option ifup_timeout_sec 120 root VA_router uci show multiwan ...

Page 184: ...an wan signal_threshold 111 multiwan wan rscp_threshold 90 multiwan wan ecio_threshold 15 20 4 Multi WAN diagnostics The multi WAN package is linked to the network interfaces within etc config network Note multi WAN will not work if the WAN connections are on the same subnet and share the same default gateway To view the multi WAN package enter root VA_router uci export multiwan package multiwan c...

Page 185: ...r troubleshooting root VA_router etc init d multiwan Syntax etc init d multiwan command Available commands start Start the service stop Stop the service restart Restart the service reload Reload configuration files or restart if that fails enable Enable service autostart disable Disable service autostart When troubleshooting make sure that the routing table is correct using route n Ensure all para...

Page 186: ...ultiwan package is used to run failover between interfaces Typically these auto generated interfaces are sorted by signal strength Details for these interfaces are provided in the mobile package When you have created the interfaces Multi WAN manages the operation of primary predefined and failover auto created interfaces Multi WAN periodically does a health check on the active interface A health c...

Page 187: ...e time set by multiwan option ifup_timeout continue to step 2 Otherwise go to step 4 2 A health check is periodically done on the PMP interface as determined by the multiwan option health_interval If the health check fails for the number of retries multiwan option health_fail_retries disconnect the PMP interface 3 Connect the first auto generated interface 4 If the interface connects within the ti...

Page 188: ...ure 93 The create interface page Web Field UCI Package Option Description Web Name of the new interface UCI network 3g_s sim number _ short operator name Opt 3g_s sim number _ short operator name Type the name of the new interface Type the interface name in following format 3g_s sim number _ short operator name Where sim number is number of roaming SIM 1 or 2 and short operator name is first four ...

Page 189: ...managed Unspecified IPv6 in IPv4 RFC4213 IPv4 tunnels that carry IPv6 IPv6 over IPv4 IPv6 over IPv4 tunnel GRE Generic Routing Encapsulation IOT L2TP Layer 2 Tunnelling Protocol PPP Point to Point Protocol PPPoE Point to Point Protocol over Ethernet PPPoATM Point to Point Protocol over ATM LTE UMTS GPRS EV DO CDMA UMTS or GPRS connection using an AT style 3G modem Web Create a bridge over multiple...

Page 190: ...tocol over ATM LTE UMTS GPRS EV DO CDMA UMTS or GPRS connection using an AT style 3G modem Web Service Type UCI network x service Opt service Service type that will be used to connect to the network gprs_only Allows GSM module to only connect to GPRS network lte_only Allows GSM module to only connect to LTE network cdma Allows GSM module to only connect to CDMA network auto GSM module will automat...

Page 191: ...______________________________________________ Virtual Access 2018 GW2020 Series User Manual Issue 2 1 Page 191 of 423 21 2 1 4 Set multi WAN options for primary predefined interface On the web interface go to Network Multi Wan The Multi WAN page appears Figure 95 The multi WAN page In the WAN Interfaces section type in the name of the Multi WAN interface Click Add The Multi WAN page appears ...

Page 192: ...bles multiwan 0 Disabled 1 Enabled Web Preempt UCI multiwan config preempt Opt preempt Enables or disables pre emption for multiwan If enabled the router will keep trying to connect to a higher priority interface depending on timer set 0 Disabled 1 Enabled Web Alternate Mode UCI multiwan config alt Opt alt Enables or disables alternate mode for multiwan If enabled the router will use an alternate ...

Page 193: ...ck is generally used to limit the traffic sent on a GSM network Default Conntrack checks for traffic from icmp_host IP when health_interval is greater than 5 minutes Disable Conntrack disabled Custom Specifies an IP other than the icmp_host for conntrack to track Web Health Monitor ICMP Timeout UCI multiwan x timeout Opt timeout Sets ping timeout in seconds Choose the time in seconds that the heal...

Page 194: ... RSCP Threshold dBm UCI multiwan x rscp_threshold Opt rscp_threshold Specifies the minimum RSCP signal strength in dBm before considering if the interface fails signal health check Uses the value stored for rscp_dbm in mobile diagnostics 115 Disabled Range 46 to 115 dBm Web ECIO Threshold dB UCI multiwan x ecio_threshold Opt ecio_threshold Specifies the minimum ECIO signal strength in dB before co...

Page 195: ...tual Access 2018 GW2020 Series User Manual Issue 2 1 Page 195 of 423 Section Description Basic settings Enable SMS configure SIM pin code select roaming SIM collect ICCCIDs and set IMSI CDMA CDMA configuration Callers Configure callers that can use SMS Roaming Interface Template Configure Preferred Roaming List options Option available only for Telit CE910 SL module 21 2 3 Mobile manager basic set...

Page 196: ...ule Digits Up to 15 digits Web PIN code for SIM1 UCI mobile main sim1pin Opt sim1pin Depending on the SIM card specify the pin code for SIM 1 Blank Range Depends on the SIM provider Web PIN code for SIM2 UCI mobile main sim2pin Opt sim2pin Depending on the SIM card specify the pin code for SIM 2 Blank Range Depends on the SIM provider Web LTE bands for SIM1 UCI mobile main sim1_lte_bands Opt sim1_...

Page 197: ...n service_order Opt service_order Defines a space separated list of services in preferred order Valid options are gprs umts lte auto If no valid_service order is defined then the configured Service Type is used Example mobile main service_order gprs umts lte auto Blank Use configured service type Range gprs umts lte auto Table 58 Information table for mobile manager basic settings 21 2 4 Mobile ma...

Page 198: ...ex if different from the default 2 0 7 Web Slot Mode UCI mobile main cdma_slot_mode Opt cdma_slot_mode Specifies the slot mode 0 Web Mobile Directory Number UCI mobile main cdma_mobile_directory_number Opt cdma_mobile_directory_number Allows the mobile directory number MDN to be changed Default Programmed in module Digits Up to 15 digits Web MOB_TERM_HOME registration flag UCI mobile main cdma_mob...

Page 199: ...y_channel_a Opt cdma_secondary_channel_a Allows the secondary channel A to be changed 691 1 2016 Any band class 5 channel number Web Secondary Channel B UCI mobile main cdma_secondary_channel_b Opt cdma_secondary_channel_b Allows the secondary channel B to be changed 777 1 2016 Any band class 5 channel number Web Preferred Forward Reverse RC UCI mobile main cdma_preferred_forward_and_re verse_rc O...

Page 200: ...to the caller Blank Range No limit Web Number UCI mobile caller 0 number Opt number Number of the caller allowed to SMS the router Add in specific caller numbers or use the wildcard symbol Blank Range No limit Characters Global value is accepted International value is accepted Web Enable UCI mobile caller 0 enabled Opt enabled Enables or disables incoming caller ID 0 Disabled 1 Enabled Web Respond...

Page 201: ...________________________________________ _______________________________________________________________________________________________________ Virtual Access 2018 GW2020 Series User Manual Issue 2 1 Page 201 of 423 21 2 6 Roaming interface template Figure 100 The roaming interface template page ...

Page 202: ...ts_only Allows GSM module to only connect to 3G network gprs_only Allows GSM module to only connect to GPRS network cdma Allows GSM module to only connect to cdma network Web APN UCI mobile roaming_template 0 apn Opt apn APN name of Mobile Network Operator Web PIN UCI mobile roaming_template 0 pincode Opt pincode SIM card s PIN number Web PAP CHAP username UCI mobile roaming_template 0 username Op...

Page 203: ...an ifup_retry_sec Opt ifup_retry_sec Not used for a roaming interface 300 Retry primary interface every 300 seconds Range Web Interface Start Timeout UCI mobile roaming_template 0 ifup_timeo ut_sec Opt ifup_timeout Specifies the time in seconds for interface to start up If it is not up after this period it will be considered a fail 40 40 seconds Range Web Signal Threshold dBm UCI mobile roaming_te...

Page 204: ...face will be reconnected when the current auto created interface fails multiwan health checks after expiration of the ifup_retry_sec timer Follow the instructions in the section above for creation of the PMP interface multi WAN and Mobile Manager roaming interfaces The only change in configuration compared to the PMP roaming pre empt enabled scenario is that you must disable the pre empt option in...

Page 205: ...failures Multi WAN will disconnect the failed interface and attempt to connect to the next best roaming interface 21 2 9 Set options for automatically created interfaces failover In the top menu on the web interface page select Services Mobile Manager The Mobile Manager page appears There are three sections Basic settings Configure SMS select roaming SIM and collect ICCCIDs Callers Configure calle...

Page 206: ...le manager basic settings 21 2 9 2 Caller settings Web Field UCI Package Option Description Web Name UCI mobile caller 0 name Opt name Name assigned to the caller Blank Range Web Number UCI mobile caller 0 number Opt number Number of the caller allowed to SMS the router Add in specific caller numbers or use the wildcard symbol Blank Range Web Enable UCI mobile caller 0 enabled Opt enabled Enables ...

Page 207: ...mplate page Web Field UCI Package Option Description Web Interface Signal Sort UCI mobile roaming_template 0 sort_sig_st rength Opt sort_sig_strength Sorts interfaces by signal strength priority so those that have a better signal strength will be tried first Web Roaming SIM UCI mobile main roaming_sim Opt roaming_sim Sets which slot to insert roaming SIM card 1 SIM slot 1 2 SIM slot 2 Web Firewall...

Page 208: ...I mobile roaming_template 0 health_int erval Opt health_interval Sets the period to check the health status of the interface The Health Monitor interval will be used for Interface state checks Ping interval Signal strength checks Web Health Monitor ICMP Host s UCI mobile roaming_template 0 icmp_host s Opt icmp_hosts Specifies target IP address for ICMP packets Disable Disables the option DNS serve...

Page 209: ...inimum signal strength in dBm before considering if the interface fails signal health check Uses the value stored for sig_dbm in mobile diagnostics 115 dBm Disabled Range 46 to 115 dBm Table 64 Information table for roaming interface template When you have configured your settings click Save Apply 21 2 10 1 Set multi WAN operation From the top menu select Network Multi Wan The Multi WAN page appea...

Page 210: ...w the network configuration file enter root VA_router uci export network package network config interface loopback option ifname lo option proto static option ipaddr 127 0 0 1 option netmask 255 0 0 0 config interface lan option ifname eth0 option proto static option ipaddr 192 168 100 1 option netmask 255 255 255 0 config interface 3g_s1_voda option auto 0 option proto 3g option service umts opti...

Page 211: ...oda service umts network 3g_s1_voda apn test IE network 3g_s1_voda username test network 3g_s1_voda password test network 3g_s1_voda sim 1 network 3g_s1_voda operator vodafone IE 21 3 1 2 Roaming interface configuration The roaming interface configurations are stored in the mobile package etc config mobile To view the mobile configuration file enter root VA_router uci export mobile config mobile m...

Page 212: ...nit_get_iccids no mobile caller 0 caller mobile caller 0 name Test mobile caller 0 number mobile caller 0 enabled yes mobile caller 0 respond yes mobile roaming_template 0 roaming_template mobile roaming_template 0 roaming_sim 1 mobile roaming_template 0 firewall_zone wan mobile roaming_template 0 apn test IE mobile roaming_template 0 username test mobile roaming_template 0 password test mobile ro...

Page 213: ...tion health_fail_retries 3 option health_interval 3 option timeout 1 option icmp_hosts disable option priority 10 option exclusive_group 3g option signal_threshold 95 option ifup_retry_sec 350 option ifup_timeout_sec 180 option manage_state 1 To view the uci command of package multiwan enter root VA_router uci show multiwan multiwan config multiwan multiwan config enabled 1 multiwan config preempt...

Page 214: ...available values are 0 Disabled 1 Enabled 21 4 Configuring no PMP roaming using UCI The roaming interface configuration file is stored in the mobile package etc config mobile To view the mobile package enter root VA_router uci export mobile package mobile config mobile main option sms yes option roaming_sim 1 option debug 1 config caller option name Eval option number option enabled yes option res...

Page 215: ... name Eval mobile caller 0 number mobile caller 0 enabled yes mobile caller 0 respond yes mobile roaming_template 0 roaming_template mobile roaming_template 0 roaming_sim 1 mobile roaming_template 0 firewall_zone wan mobile roaming_template 0 apn stream co uk mobile roaming_template 0 username default mobile roaming_template 0 password void mobile roaming_template 0 service umts mobile roaming_tem...

Page 216: ...wan config option enabled yes option preempt no option alt_mode no To see multiwan package via uci enter root VA_router uci show multiwan multiwan config multiwan multiwan config enabled yes multiwan config preempt no multiwan config alt_mode no 21 5 Automatic operator selection diagnostics via the web interface 21 5 1 Checking the status of the Multi WAN package When interfaces are auto created t...

Page 217: ...___________________________________________ Virtual Access 2018 GW2020 Series User Manual Issue 2 1 Page 217 of 423 Figure 106 The interface overview page To check the status of the interface you are currently using in the top menu click Status The Interface Status page appears Scroll down to the bottom of the page to view Multi WAN Stats Figure 107 The status page multi WAN status section page ...

Page 218: ...___________________ Virtual Access 2018 GW2020 Series User Manual Issue 2 1 Page 218 of 423 21 6 Automatic operator selection diagnostics via UCI To check interfaces created in the multi WAN package enter root VA_router cat var const_state multiwan Figure 108 Example of output from the command cat var const_stat multiwan To check interfaces created in the network package enter root VA_router cat v...

Page 219: ...___________________________________________ _______________________________________________________________________________________________________ Virtual Access 2018 GW2020 Series User Manual Issue 2 1 Page 219 of 423 Figure 109 Example of output from the command cat var const_state network ...

Page 220: ...____________________________________________________________________________________________ Virtual Access 2018 GW2020 Series User Manual Issue 2 1 Page 220 of 423 To check the status of the interface you are currently using enter root VA_router cat var const_state_ mobile Figure 110 Example of output from the command cat vat const_state_ mobile ...

Page 221: ...If no data is received over the monitored interface during the configured duration then the recovery action is performed If more than one interface is specified under a single Connection Watch the recovery action will be performed only if no data is received on both of the interfaces for the defined period Currently three configurable periods and associated recovery actions can be defined 22 1 Con...

Page 222: ... 0 test_ifaces Opt test_ifaces Defines the interface name s to monitor Multiple interfaces are delimited by space separator Example option test_ifaces WANADSL WANMOBILE If multiple interfaces are defined the failure action will only be triggered if no traffic is received on all interfaces for the defined period Web Failure Time for Action 1 UCI cwatch watch 0 failure_time_1 Opt failure_time_1 Defi...

Page 223: ...duration to monitor an interface for receive traffic Duration can be specified in seconds minutes hours days 24h Range s m h d Web Failure Action 3 UCI cwatch watch 0 failure_action_3 Opt failure_action_3 Defines the failure action associated with failure_time_3 Example to reset usb option failure_action_3 reboot blank Range Table 66 Information table for cwatch section 22 3 Configuring cwatch usi...

Page 224: ...ction_2 etc init d usb_startup restart cwatch WATCH_MOBILE failure_time_3 24h cwatch WATCH_MOBILE failure_action_3 reboot 22 3 2 cwatch using package options root VA_router uci export cwatch package cwatch config watch WATCH_MOBILE option enabled 1 option test_ifaces wan option failure_time_1 1h option failure_action_1 ifup wan option failure_time_2 10h option failure_action_2 etc init d usb_start...

Page 225: ...interfaces and different subnets You can manually configure lease time as well as setting static IP to host mappings Domain Name Server DNS is responsible for resolution of IP addresses to domain names on the internet Dnsmasq is the application which controls DHCP and DNS services Dnsmasq has two sections one to specify general DHCP and DNS settings and one or more DHCP pools to define DHCP operat...

Page 226: ..._____________________________________________________________________ _______________________________________________________________________________________________________ Virtual Access 2018 GW2020 Series User Manual Issue 2 1 Page 226 of 423 Figure 113 The DHCP and DNS page ...

Page 227: ...local Opt local Specifies the local domain Names matching this domain are never forwarded and are resolved from DHCP or host files only lan Range Web Local Domain UCI dhcp dnsmasq 0 domain Opt domain Specifies local domain suffix appended to DHCP names and hosts file entries lan Range Web Log Queries UCI dhcp dnsmasq 0 logqueries Opt logqueries Writes received DNS requests to syslog 0 Disabled 1 E...

Page 228: ...ere given DHCP leases will be stored The DHCP lease file allows leases to be picked up again if dnsmasq is restarted tmp dhcp leas es Store DHCP leases in this file Range Web Ignore resolve file UCI dhcp dnsmasq 0 noresolv Opt noresolv Defines whether to use the local DNS file for resolving DNS 0 Use local DNS file 1 Ignore local DNS file Web Resolve file UCI dhcp dnsmasq 0 resolvfile Opt resolvfi...

Page 229: ...ttings Figure 115 The TFTP settings section Web Field UCI Package Option Description Web Enable TFTP Server UCI dhcp dnsmasq 0 enable_tftp Opt enable_tftp Enables the TFTP server 0 Disabled 1 Enabled Web Enable TFTP Server UCI dhcp dnsmasq 0 tftp_root Opt tftp_root Defines root directory for file served by TFTP Web Enable TFTP Server UCI dhcp dnsmasq 0 dhcp_boot Opt dhcp_boot Defines the filename ...

Page 230: ...s Figure 116 The advanced settings page Web Field UCI Package Option Description Web Filter private UCI dhcp dnsmasq 0 Opt boguspriv Enables disallow option for forwarding reverse lookups for local networks This rejects reverse lookups to private IP ranges where no corresponding entry exists in etc hosts 1 Enabled 0 Disabled Web Filter useless UCI dhcp dnsmasq 0 filterwin2k Opt filterwin2k Enables...

Page 231: ...order of the resolve file 1 Enabled 0 Disabled Web Bogus NX Domain override UCI dhcp dnsmasq 0 bogusnxdomain Opt list bogusnxdomain A list of hosts that supply bogus NX domain results When using UCI multiple servers should be entered with a space between them Empty list Range Web DNS server port UCI dhcp dnsmasq 0 port Opt port Listening port for inbound DNS queries 53 Set to 0 to disable DNS func...

Page 232: ...I n a Opt n a Displays the remaining lease time Table 71 Information table for active leases section 23 2 6 Static leases Use static leases to assign fixed IP addresses and symbolic hostnames to DHCP clients Static leases are also required for non dynamic interface configurations where only hosts with a corresponding lease are served Click Add to add a new lease entry Figure 118 The static leases ...

Page 233: ...lists all available options their default value as well as the corresponding dnsmasq command line option These are the default settings for the common options root VA_router uci show dhcp dhcp dnsmasq 0 dnsmasq dhcp dnsmasq 0 domainneeded 1 dhcp dnsmasq 0 boguspriv 1 dhcp dnsmasq 0 filterwin2k 0 dhcp dnsmasq 0 localise_queries 1 dhcp dnsmasq 0 logqueries 1 dhcp dnsmasq 0 rebind_protection 1 dhcp d...

Page 234: ...router uci show dhcp config dnsmasq option domainneeded 1 option rebind_protection 1 option rebind_localhost 1 option local lan option domain lan option authoritative 1 option readethers 1 option leasefile tmp dhcp leases list interface lan list server 1 2 3 4 list server 4 5 6 7 list rebind_domain test1 domain list rebind_domain tes2 domain option logqueries 1 option resolvfile tmp resolv1 conf a...

Page 235: ... type present in the etc config dhcp file to cover the LAN interface You can disable a lease pool for a specific interface by specifying the ignore option in the corresponding section A minimal example of a dhcp section is shown below root VA_router uci show dhcp lan dhcp lan dhcp dhcp lan interface lan dhcp lan start 100 dhcp lan limit 150 dhcp lan leasetime 12h dhcp lan ignore 0 root VA_router u...

Page 236: ...th list dhcp_option 26 1470 or list dhcp_option mtu 1470 you can assign a specific MTU per DHCP pool Your client must accept the MTU option for this to work No options defined Syntax Option_number option_value Web n a UCI dhcp pool_name dynamicdhcp Opt dynamicdhcp Defines whether to allocate DHCP leases 1 Dynamically allocate leases 0 Use etc ethers file for serving DHCP leases Web n a UCI dhcp po...

Page 237: ...ion will only detail the configuration for DHCP client For information on how to configure other interface options such as firewall zone mapping of switch ports etc refer to standard interface configuration document 24 1 Configuration packages used Package Sections network interface 24 2 Configuring DHCP client using the web interface DHCP client is configured under the interface configuration by ...

Page 238: ...rnet interfaces Ports are marked with capital letters starting with A Type in space separated port character in the port map fields ATM Bridges ATM bridges expose encapsulated Ethernet in AAL5 connections as virtual Linux network interfaces which can be used in conjunction with DHCP or PPP to dial into the provider network 24 2 1 Editing an existing interface for DHCP client To edit an existing in...

Page 239: ...ing Encapsulation protocol IOT L2TP Layer 2 Tunnelling Protocol PPP Point to Point Protocol PPPoE PPP over Ethernet PPPoATM PPP over ATM LTE UMTS GPRS EV DO CDMA UMTS or GPRS connection using an AT style 3G modem Web Create a bridge over multiple interfaces UCI network if name type Opt type If you select this option then the new logical interface created will act as a bridging interface between th...

Page 240: ...Section Description General Setup Configure the basic interface settings such as protocol IP address gateway netmask custom DNS servers Advanced Settings Bring up on boot Monitor interface state Override MAC address Override MTU and Use gateway metric Physical Settings Bridge interfaces VLAN PCP to SKB priority mapping Firewall settings Assign a firewall zone to the interface Only General setup an...

Page 241: ...over IPv4 transport GRE Generic Routing Encapsulation protocol IOT L2TP Layer 2 Tunnelling Protocol PPP Point to Point protocol PPPoE PPP over Ethernet PPPoATM PPP over ATM LTE UMTS GPRS EV DO CDMA UMTS or GPRS connection using an AT style 3G modem Web Hostname to send when requesting DHCP UCI network if name hostname Opt hostname Defines the hostname to include in DHCP requests Web Accept router ...

Page 242: ... interface state UCI network if name monitored Opt monitored Enabled if status of interface is presented on Monitoring platform 0 Disabled 1 Enabled Web Use broadcast flag UCI network if name broadcast Opt broadcast Enables the broadcast flag in DHCP requests required for certain ISPs 0 Disabled 1 Enabled Web Use default gateway UCI network if name gateway Opt gateway Defines whether to suppress t...

Page 243: ...dr Override the MAC address assigned to this interface Must be in the form hh hh hh hh hh hh where h is a hexadecimal number Web Override MTU UCI network if name mtu Opt mtu Defines the value to override the default MTU on this interface 1500 1500 bytes Web Dependant Interfaces UCI network if_name dependants Opt dependants Lists interfaces that are dependent on this parent interface Dependant inte...

Page 244: ...k config interface DHCPCLIENTLAN option proto dhcp option ifname eth3 option monitored 0 option broadcast 0 option accept_ra 1 option send_rs 0 option metric 1 24 4 DHCP client diagnostics 24 4 1 Interface status To see IP address of DHCP client interface enter ifconfig root VA_router ifconfig 3g CDMA Link encap Point to Point Protocol inet addr 10 33 152 100 P t P 178 72 0 237 Mask 255 255 255 25...

Page 245: ... 16436 Metric 1 RX packets 385585 errors 0 dropped 0 overruns 0 frame 0 TX packets 385585 errors 0 dropped 0 overruns 0 carrier 0 collisions 0 txqueuelen 0 RX bytes 43205140 41 2 MiB TX bytes 43205140 41 2 MiB To display a specific interface enter root VA_router ifconfig eth0 eth0 Link encap Ethernet HWaddr 00 E0 C8 12 12 15 inet addr 192 168 100 1 Bcast 192 168 100 255 Mask 255 255 255 0 inet6 ad...

Page 246: ..._______________________________________ Virtual Access 2018 GW2020 Series User Manual Issue 2 1 Page 246 of 423 24 4 3 Route status To show the current routing status enter root VA_router route n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 192 168 100 0 255 255 255 0 U 0 0 0 eth0 Note a route will only be displayed in the routing table when the interface is up ...

Page 247: ...P forwarding This section describes how to configure the router to forward DHCP requests from an interface to a network DHCP server 25 1 Configuration packages used Package Sections dhcp_fwd dhcpfwd 25 2 Configuring DHCP forwarding using the web interface To configure DHCP forwarding using the web interface in the top menu click Network DHCP Forwarder The DHCP forwarder page appears The web GUI cr...

Page 248: ...sing a list of options via package options list listen_interface LAN1 list listen_interface LAN2 Web DHCP Servers UCI dhcp_fwd main server Opt list server Defines a list of the network DHCP servers to forward DHCP messages to Multiple interface_name s are entered using uci set and uci add_list commands Example uci set dhcp_fwd main server 1 1 1 1 uci add_list dhcp_fwd main main server 2 2 2 2 or u...

Page 249: ...cket This means that when forwarding over an IPSec tunnel a source NAT firewall rule is required to change the source IP to match an IPSec connection rule 25 4 1 Configuration packages used Package Sections firewall redirect 25 4 2 Configuring source NAT for DHCP forwarding over IPsec To enter a source NAT rule browse to Network Firewall Select Traffic Rules tab The Firewall Traffic Rules page app...

Page 250: ...r the source NAT rule Select the interface where the DHCP requests are originating Web Destination Zone UCI firewall redirect X dest Opt dest Defines destination interface for the source NAT rule Select the interface where the DHCP requests are intended to be transmitted Web To source IP UCI firewall redirect X src_dip Opt src_dip Defines the IP address to rewrite matched traffic souce IP Select t...

Page 251: ...ewall redirect X src Opt src Defines the source interface for the source NAT rule Select the interface where the DHCP requests are originating Web Destination Zone UCI firewall redirect X dest Opt dest Defines destination interface for the source NAT rule Select the interface where the DHCP requests are intended to be transmitted Web Destination port UCI firewall redirect X port Opt port Defines t...

Page 252: ..._port 67 25 5 DHCP forwarding diagnostics 25 5 1 Tracing DHCP packets To trace DHCP packets on any interface on the router enter tcpdump i any n p port 67 root VA_router tcpdump i any n p port 67 root VA_router tcpdump verbose output suppressed use v or vv for full protocol decode listening on any link type LINUX_SLL Linux cooked capture size 65535 bytes 16 39 20 666070 IP 0 0 0 0 68 255 255 255 2...

Page 253: ...______________________________________ Virtual Access 2018 GW2020 Series User Manual Issue 2 1 Page 253 of 423 16 39 20 666166 IP 0 0 0 0 68 255 255 255 255 67 BOOTP DHCP Request from 00 e0 c8 13 02 3d length 360 25 5 2 ARP table status To show the current ARP table of the router enter arp root VA_router arp 10 67 253 141 at 30 30 41 30 43 36 ether on eth8 10 47 48 1 at 0a 44 b2 06 ether on gre gr...

Page 254: ...ever the IP address changes the client notifies the DNS provider to update the corresponding domain name When the DNS provider responds to queries for the domain name it sets a low lifetime typically a minute or two at most on the response so that it is not cached Updates to the domain name are thus visible throughout the whole Internet with little delay Note most providers impose restrictions on ...

Page 255: ...I ddns name update_url Opt update_url Defines the customer DNS provider Displayed when the service is set to custom in the web interface Web Hostname UCI ddns name domain Opt domain Defines the fully qualified domain name associated with this entry This is the name to update with the new IP address as needed Web Username UCI ddns name username Opt username Defines the user name to use for authenti...

Page 256: ...k_unit 10 Range Web Check time unit UCI ddns name check_unit Opt check_unit Defines the time unit to use for check for an IP change Used in conjunction with check_interval Minutes hours Web Force update every UCI ddns name force_interval Opt force_interval Defines how often to force an IP update to the provider Used in conjunction with force_unit 72 Disabled Range Enabled Web Force time unit UCI d...

Page 257: ...of 423 ddns ddns1 check_unit minutes ddns ddns1 force_interval 72 ddns ddns1 force_unit hours ddns ddns1 interface dsl0 Package options for DDNS root VA_router uci export ddns package ddns config service ddns1 option enabled 1 option service_name dyndns org option domain fqdn_of_interface option username test option password test option ip_source network option ip_network dsl0 option check_interva...

Page 258: ...resses It is used preferentially to other name resolution methods such as DNS The hosts file contains lines of text consisting of an IP address in the first text field followed by one or more host names Each field is separated by white space tabs are often preferred for historical reasons but spaces are also used Comment lines may be included they are indicated by an octothorpe in the first positi...

Page 259: ...ion Web Hostname UCI network host hostname Opt hostname Defines the hostname Web IP Address UCI network host addr Opt addr Defines the IP address associated with the hostname Table 81 Information table for host records settings 27 2 3 Local host records using command line Local host records are configured in the host section of the network package etc config network Multiple hosts can be configure...

Page 260: ...package network config host option hostname Device1 option addr 1 1 1 1 27 2 4 Local host records diagnostics 27 2 4 1 Hosts file Local host records are written to the local hosts file stored at etc hosts To view the local hosts file enter root VA_router cat etc hosts 127 0 0 1 localhost 1 ip6 localhost ip6 loopback 1 1 1 1 Device1 27 3 PTR records PTR records are used for reverse DNS The primary ...

Page 261: ... Description Web Hostname UCI dhcp domain name Opt name Defines the domain name for the PTR record Web IP Address UCI dhcp domain ip Opt ip Defines the IP address associated with the domain name Table 82 Information table for hostnames settings 27 3 3 PTR records using command line PTR records are configured in the domain section of the dhcp package etc config dhcp Multiple domains can be configur...

Page 262: ...7 3 4 1 PTR records table To view PTR records enter root VA_router pgrep fl dnsmasq 4724 usr sbin dnsmasq K D y Z b E s lan S lan l tmp dhcp leases r tmp resolv conf auto stop dns rebind rebind localhost ok A Device1 lan 1 1 1 1 ptr record 1 1 1 1 in addr arpa Device1 lan A Device2 lan 2 2 2 2 ptr record 2 2 2 2 in addr arpa Device2 lan 27 4 Static leases Static leases are used to assign fixed IP ...

Page 263: ...iption Web Hostname UCI dhcp host name Opt name Defines the symbolic hostname to assign Web MAC Address UCI dhcp host mac Opt mac Defines the MAC address for this host MAC addresses should be entered in the format aa bb cc dd ee ff Web IPv4 Address UCI dhcp host ip Opt ip Defines the IP address to be used for this host Table 83 Information table for static leases settings 27 4 3 Static leases usin...

Page 264: ...Access 2018 GW2020 Series User Manual Issue 2 1 Page 264 of 423 Or using package options config host option name Host1 27 4 3 1 Static leases using uci root VA_router uci show dhcp dhcp host 0 host dhcp host 0 name Host1 dhcp host 0 mac aa bb cc dd ee ff dhcp host 0 ip 4 4 4 4 27 4 3 2 Static leases using package option root VA_router uci export dhcp package dhcp config host option name Host1 opti...

Page 265: ...pass through the firewall Dropped packets are prohibited from passing Rejected packets are also prohibited but an ICMP message is returned to the source host A minimal firewall configuration for a router usually consists of one defaults section at least two zones LAN and WAN and one forwarding to allow traffic from LAN to WAN Other sections that exist are redirects rules and includes 28 1 Configur...

Page 266: ...alid Opt drop_invalid Drops packets not matching any active connection 0 Disabled 1 Enabled Web Input UCI firewall defaults input Opt input Default policy for the Input chain Accept Accepted packets pass through the firewall Reject Rejected packets are blocked by the firewall and ICMP message is returned to the source host Drop Dropped packets are blocked by the firewall Web Output UCI firewall de...

Page 267: ... by software the only hardware limitation is the amount of RAM installed on the device 28 2 1 3 Firewall zone general settings Figure 135 The firewall zone general settings Web Field UCI Package Option Description Web name UCI firewall zone label name Opt name Sets the unique zone name Maximum of 11 characters allowed Note the zone label is obtained by using the uci show firewall command and is of...

Page 268: ...d Default policy for internal zone traffic between interfaces Forward rules for a zone describe what happens to traffic passing between different interfaces within that zone Accept Accepted packets pass through the firewall Reject Rejected packets are blocked by the firewall and ICMP message is returned to the source host Drop Dropped packets are blocked by the firewall Web Masquerading UCI firewa...

Page 269: ...ssible by prefixing the subnet with Multiple subnets are allowed Web Restrict Masquerading to given destination subnets UCI firewall zone label masq_dest Opt masq_dest Limits masquerading to the given destination subnets Negation is possible by prefixing the subnet with Multiple subnets are allowed Multiple IP addresses subnets should be separated by a space for example option masq_dest 1 1 1 1 2 ...

Page 270: ...er zones Enter the current zone as the source Enabling this option puts two entries into the firewall file destination and source UCI firewall forwarding label src Opt src Web Allow forward from source zones UCI firewall forwarding label dest Opt dest Allows forward from other zones Enter the current zone as the destination Enabling this option puts two entries into the firewall file destination a...

Page 271: ...p udp Match UDP packets only udp Web External port UCI firewall redirect label src_dport Opt src_dport Specifies the incoming TCP UDP port or port range to match This is the incoming destination port specified by the external host Port ranges specified as start stop for example 2001 2020 Blank Match traffic to any port Range 1 65535 Web Internal IP address UCI firewall redirect label dest_ip Opt d...

Page 272: ...ct should be enabled or disabled 0 Disabled 1 Enabled Web name UCI firewall redirect label name Opt name Sets the port forwarding name For Web UI generated redirects the redirect label takes the form of redirect x where x is an integer starting from 0 Web Protocol UCI firewall redirect label proto Opt proto Defines layer 4 protocol to match incoming traffic Option Description UCI tcp udp Match eit...

Page 273: ... incoming TCP UDP port or port range to match This is the incoming destination port specified by the external host Port ranges specified in format start stop for example 2001 2020 You can enter multiple ports using a space separator For example option src_dport 22 23 see note below on use with options src_port and dest_port Blank Match traffic to any port Range 1 65535 Web Internal zone UCI firewa...

Page 274: ...If src_dport dest_port are lists of different lengths then the missing values of the shorter list default to the corresponding port in the other list For example if configuration file is option src_dport 21 22 23 option dest_port 21 22 23 24 then the firmware will interpret the values as option src_dport 21 22 23 24 option dest_port 21 22 23 24 28 2 3 Firewall traffic rules Rules can be defined to...

Page 275: ... specific icmp types This option is only valid when ICMP is selected as the protocol ICMP types can be listed as either type names or type numbers Note for a full list of valid ICMP type names see the ICMP Options table below Web Source zone UCI firewall rule label src Opt src Specifies the traffic source zone must refer to one of the defined zone names For typical port forwards this is usually WA...

Page 276: ... Opt limit Sets maximum average matching rate specified as a number with an optional second minute hour or day suffix Example 3 hour Web n a UCI firewall rule label limit_burst Opt limit_burst Sets maximum initial number of packets to match This number gets recharged by one every time the limit specified above is not reached up to this number Web n a UCI firewall rule label recent Opt recent Sets ...

Page 277: ...alid 1 uci set firewall defaults 0 input ACCEPT uci set firewall defaults 0 output ACCEPT uci set firewall defaults 0 forward ACCEPT Note this command is only required if there is no defaults section 28 3 2 Firewall zone settings By default all firewall zone instances are named zone instances are identified by zone then the zone position in the package as a number For example for the first zone in...

Page 278: ... in the package using UCI firewall forwarding 0 forwarding firewall forwarding 0 src lan Or using package options config forwarding option src lan To enable forwarding of traffic from WAN to LAN enter uci add firewall forwarding uci set firewall forwarding 1 dest wan uci set firewall forwarding 1 src lan 28 3 4 Firewall port forwards By default all port forward instances are named redirect instanc...

Page 279: ...e for the first rule in the package using UCI firewall rule 0 rule firewall rule 0 enabled 1 Or using package options config rule option enabled 1 To set traffic rules enter uci add firewall rule uci set firewall rule 1 enabled 1 uci set firewall rule 1 name Allow_ICMP uci set firewall rule 1 family any uci set firewall rule 1 proto ICMP uci set firewall rule 1 icmp_type any uci set firewall rule ...

Page 280: ...00 ba3 64 option target ACCEPT Similarly the following rule is automatically treated as IPv4 only config rule option src wan option dest_ip 88 77 66 55 option target REJECT Rules without IP addresses are automatically added to iptables and ip6tables unless overridden by the family option Redirect rules port forwards are always IPv4 since there is no IPv6 DNAT support at present 28 5 Implications o...

Page 281: ...tion tracking By default the firewall will disable connection tracking for a zone if no masquerading is enabled This is achieved by generating NOTRACK firewall rules matching all traffic passing via interfaces referenced by the firewall zone The purpose of NOTRACK is to speed up routing and save memory by circumventing resource intensive connection tracking in cases where it is not needed You can ...

Page 282: ...manner because it is not using default port 22 config redirect option name ssh option src wan option proto tcpudp option src_dport 5555 option dest_ip 192 168 1 100 option dest_port 22 option target DNAT option dest lan 28 7 3 Source NAT SNAT Source NAT changes an outgoing packet destined for the system so that is looks as though the system is the source of the packet Define source NAT for UDP and...

Page 283: ...destination port forwarding This usage is similar to SNAT but as the destination IP address is not changed machines on the destination network need to be aware that they ll receive and answer requests from a public IP address that is not necessarily theirs Port forwarding in this fashion is typically used for load balancing config redirect option src wan option src_dport 80 option dest lan option ...

Page 284: ... a forward rule rejecting traffic from LAN to WAN on the ports 1000 1100 config rule option src lan option dest wan option dest_port 1000 1100 option proto tcpudp option target REJECT 28 7 9 Denial of service protection rule The example below shows a sample configuration of SSH DoS attack where if more than two SSH connections are attempted within 120 seconds every further connection will be dropp...

Page 285: ...n ipaddr 10 1 28 122 option netmask 255 255 0 0 option ifname eth1 eth3 12 option ipv4_rp_filter 1 28 7 11 Simple DMZ rule The following rule redirects all WAN ports for all protocols to the internal host 192 168 1 2 config redirect option src wan option proto all option dest_ip 192 168 1 2 28 7 12 Transparent proxy rule external The following rule redirects all outgoing HTTP traffic from LAN thro...

Page 286: ...le below redirects all outgoing HTTP traffic from LAN through a proxy server listening at port 3128 on the router itself config redirect option src lan option proto tcp option src_dport 80 option dest_port 3128 28 7 14 IPSec passthrough This example enables proper forwarding of IPSec traffic through the WAN AH protocol config rule option src wan option dest lan option proto ah option target ACCEPT...

Page 287: ...cludes is Linux standard and therefore different from UCIs 28 7 16 Firewall management After a configuration change to rebuild firewall rules enter root VA_router etc init d firewall restart Executing the following command will flush all rules and set the policies to ACCEPT on all standard chains root VA_router etc init d firewall stop To manually start the firewall enter root VA_router etc init d...

Page 288: ...______________________________________________________ Virtual Access 2018 GW2020 Series User Manual Issue 2 1 Page 288 of 423 To see the rules as they are executed run the fw command with the FW_TRACE environment variable set to 1 root VA_router FW_TRACE 1 fw reload To direct the output to a file for later inspection enter root VA_router FW_TRACE 1 fw reload 2 tmp iptables lo ...

Page 289: ...ead the chapter Dynamic Multipoint Virtual Private Network DMVPN The number of IPSec tunnels supported by Virtual Access routers is not limited in any way by software the only hardware limitation is the amount of RAM installed on the device 29 1 Configuration package used Package Sections strongswan general connection secret 29 2 Configuring IPSec using the web interface To configure IPSec using t...

Page 290: ...e an old one 0 Disabled 1 Enabled replace Identical to Yes keep Rejects new IKE SA and keep the duplicate established earlier Web Cache CRLs UCI strongswan general cachecrls Opt cachecrls Certificate Revocation Lists CRLs fetched via HTTP or LDAP will be cached in etc ipsec d crls under a unique file name derived from the certification authority s public key 0 Disabled 1 Enabled Web Disable Revoca...

Page 291: ...ressive mode Note using aggressive mode along with PSK authentication is less secure method than main mode and should be avoided 0 Disabled 1 Enabled Web Name UCI strongswan connection X name Opt name Specifies a name for the tunnel Web Autostart Action UCI strongswan connection X auto Opt auto Specifies when the tunnel is initiated start On start up route When traffic routes this way add Loads a ...

Page 292: ...public IP address of the remote peer Web Local ID UCI strongswan connection X localid Opt localid Defines the local peer identifier Web Remote ID UCI strongswan connection X remoteid Opt remoteid Defines the remote peer identifier Web Local LAN IP Address UCI strongswan connection X locallan Opt locallan Defines the local IP of LAN Web Local LAN IP Address Mask UCI strongswan connection X locallan...

Page 293: ... remoteproto Restricts the connection to a single protocol on the remote side Web Remote Port UCI strongswan connection X remoteport Opt remoteport Restricts the connection to a single port on the remote side Web Authby UCI strongswan connection X authby Opt authby Defines how the two secure gateways should authenticate Note using aggressive mode along with PSK authentication is unsecure and shoul...

Page 294: ...Sec settings Figure 144 The IPSec connections settings Web Field UCI Package Option Description Web XAuth Identity UCI strongswan connection X xauth_identity Opt xauth_identity Defines Xauth ID Web IKE Algorithm UCI strongswan connection X ike Opt ike Specifies the IKE algorithm to use The format is encAlgo authAlgo DHGroup encAlgo 3des aes128 aes256 serpent twofish blowfish authAlgo md5 sha sha2 ...

Page 295: ...face names is automatically generated If you want to specify more than one interface use the custom value Example if you have a 3G WAN interface called wan and a WAN ADSL interface called dsl and wanted to use one of these interfaces for this IPSec connection you would use wan adsl Web IKE Life Time UCI strongswan connection X ikelifetime Opt ikelifetime Specifies how long the keyring channel of a...

Page 296: ...ction None Disables DPD Clear Clear down the tunnel if peer does not respond Reconnect when traffic brings the tunnel up Hold Clear down the tunnel and bring up as soon as the peer is available Restart Restarts DPD when no activity is detected Web DPD Delay UCI strongswan connection X dpddelay Opt dpddelay Defines the period time interval with which R_U_THERE messages and INFORMATIONAL exchanges a...

Page 297: ...n secret X idtype Opt idtype Defines whether IP address or userfqdn is used Web ID selector UCI strongswan secret X localaddress Opt localaddress Defines the local address this secret applies to Web ID selector UCI strongswan secret X remoteaddress Opt remoteaddress Defines the remote address this secret applies to Web N A UCI strongswan secret X userfqnd Opt userfqnd FQDN or Xauth name used of Ex...

Page 298: ...an general debug none uci set strongswan general initial_contact 0 uci commit This will create the following output config general general option enabled yes option strictcrlpolicy no option uniqueids yes option cachecrls no option debug none option initial_contact 0 29 3 2 Connection settings touch etc config strongswan uci add strongswan connection uci set strongswan connection 0 ikelifetime 3h ...

Page 299: ...remotelan 172 19 101 3 uci set strongswan connection 0 remotelanmask 255 255 255 255 uci set strongswan connection 0 authby xauthpsk uci set strongswan connection 0 xauth_identity testxauth uci set strongswan connection 0 ike 3des md5 modp1024 uci set strongswan connection 0 esp 3des md5 uci set strongswan connection 0 waniface wan uci set strongswan connection 0 inherit_child 0 uci set strongswan...

Page 300: ...c tunnel This includes the traffic destined to the router s IP address To avoid this situation you must include an additional config connection section Commands touch etc config strongswan uci add strongswan connection uci set strongswan connection 1 name local uci set strongswan connection 1 enabled yes uci set strongswan connection 1 locallan 10 1 1 1 uci set strongswan connection 1 locallanmask...

Page 301: ... uci add strongswan secret uci set strongswan secret 0 enabled yes uci set strongswan secret 0 localaddress 192 168 209 1 uci set strongswan secret 0 remoteaddress 100 100 100 100 uci set strongswan secret 0 secrettype psk uci set strongswan secret 0 secret secret uci commit This will create the following output config secret option enabled yes option localaddress 192 168 209 1 option remoteaddres...

Page 302: ...tion idtype userfqdn option userfqdn testxauth option remoteaddress 100 100 100 100 option secret xauth option secrettype XAUTH 29 4 Configuring an IPSec template for DMVPN via the web interface To configure IPSec using the web interface in the top menu select Services IPSec The strongSwan IPSec VPN page appears There are three sections Common Settings Control the overall behaviour of strongSwan T...

Page 303: ... are unique so a new automatically keyed connection using the same ID is almost invariably intended to replace an old one 0 Disabled 1 Enabled replace Identical to Yes keep Rejects new IKE SA and keep the duplicate established earlier Web Cache CRLs UCI strongswan general cachecrls Opt cachecrls Certificate Revocation Lists CRLs fetched via HTTP or LDAP will be cached in etc ipsec d crls under a u...

Page 304: ..._____________________________________________________ _______________________________________________________________________________________________________ Virtual Access 2018 GW2020 Series User Manual Issue 2 1 Page 304 of 423 Figure 147 The connections settings section ...

Page 305: ...nection X type Opt type Defines the type of IPSec connection tunnel Connection uses tunnel mode transport Connection uses transport mode pass Connection does not perform any IPSec processing drop Connection drops all the packets Web Remote GW Address UCI strongswan connection X remoteaddress Opt remoteaddress Sets the public IP address of the remote peer Leave blank for DMVPN Web Local ID UCI stro...

Page 306: ...t authby Defines how the two secure gateways should authenticate Note using aggressive mode along with PSK authentication is unsecure and should be avoided Pubkey For public key signatures Rsasig For RSA digital signatures ecdsasig For Elliptic Curve DSA signatures Psk Using a preshared key xauthrsasig Enables eXtended Authentication XAuth with addition to RSA signatures xauthpsk Using extended au...

Page 307: ...n and a WAN ADSL interface called dsl and wanted to use one of these interfaces for this IPSec connection you would use wan adsl Web IKE Life Time UCI strongswan connection X ikelifetime Opt ikelifetime Specifies how long the keyring channel of a connection ISAKMP or IKE SA should last before being renegotiated 3h Timespec 1d 3h 25m 10s Web Key Life UCI strongswan connection X keylife Opt keylife ...

Page 308: ...sent if no other traffic is received 30s Timespec 1d 2h 25m 10s Web DPD Timeout UCI strongswan connection X dpdtimeout Opt dpdtimeout Defines the timeout interval after which all connections to a peer are deleted in case of inactivity 150s Timespec 1d 2h 25m 10s Table 98 Information table for IPSec connections settings 29 4 3 Configure secrect settings Each tunnel requires settings to configure ho...

Page 309: ...an IPSec template to use with DMVPN The following example shows how to configure an IPSec connection template to use with DMVPN Commands touch etc config strongswan uci set strongswan general general uci set strongswan general enabled yes uci set strongswan general strictcrlpolicy no uci set strongswan general uniqueids yes uci set strongswan general cachecrls yes uci set strongswan general nattra...

Page 310: ...ret 0 secrettype psk uci set strongswan secret 0 secret secret This will create package strongswan config general general option enabled yes option strictcrlpolicy no option uniqueids yes option cachecrls yes option nattraversal yes config connection option enabled yes option name dmvpn option type transport option localproto gre option remoteproto gre option ike aes sha1 modp1024 option esp aes12...

Page 311: ...n underscore for example dmvpn_213 233 148 2 29 7 IPSec diagnostics using UCI 29 7 1 IPSec configuration To view IPSec configuration via UCI enter root VA_router uci export strongswan To restart strongSwan enter root VA_router etc init d strongswan restart 29 7 2 IPSec status 29 7 3 To view IPSec status enter root VA_router ipsec statusall Security Associations 1 up 0 connecting dmvpn_89_101_154_1...

Page 312: ... IPSec configuration to the physical interface This reduces the number of lines of configuration required for a VPN development For example for a 1000 site deployment DMVPN reduces the configuration effort at the hub from 3900 lines to 13 Adding new peers spokes to the VPN requires no changes at the hub Better scalability of the network Dynamic IP addresses can be used at the peers site Spokes can...

Page 313: ...AN interface ADSL 3G and initiate main mode IPSec in transport mode to the hub After an IPSec tunnel is established spokes register their NHRP membership with the hub GRE tunnels come up Hub caches the GRE tunnel and real IP addresses of each spoke When spoke1 wants to talk to spoke2 it sends an NHRP resolution request to the hub The hub checks its cache table and forwards that request to spoke2 S...

Page 314: ...ith the source of the packet Hub sends an NHRP registration reply with a NAT extension to spoke1 The NAT extension informs spoke1 that it is behind the NAT ed device Spoke1 registers its pre and post NAT address When spoke1 wants to talk to spoke2 it sends an NHRP resolution request to the hub Hub checks its cache table and forwards that request to spoke2 Spoke2 caches spoke1 s GRE pre and post NA...

Page 315: ...nterface The DMVPN section contains fields required to configure the parameters relative to the DMVPN Hub These are used for DMVPN tunnels such as GRE tunnels GRE tunnel remote IP DMVPN Hub IP and password 30 5 1 DMVPN general settings In the top menu select Network DMVPN The DMVPN page appears There are two sections General and DMVPN Hub Settings Figure 152 The DMVPN general section Web Field UCI...

Page 316: ...terface on the hub For example if the mask is 255 255 0 0 the length will be 16 Web DMVPN Hub IP Address UCI dmvpn interface X nhs_ip Opt nhs_ip Configures the physical IP address for the DMVPN hub Web NHRP Authentication UCI dmvpn interface X cisco_auth Opt cisco_auth Enables authentication on NHRP The password will be applied in plaintext to the outgoing NHRP packets Maximum length is 8 characte...

Page 317: ...ec connections page In the Name column the syntax contains the IPSec name defined in package dmvpn and the remote IP address of the hub or the spoke separated by an underscore for example dmvpn_213 233 148 2 To check the status of DMVPN in the top menu click Status DMVPN Figure 155 The NBMA peers page To check DMVPN status enter opennhrpctl show Status ok Interface gre GRE Type local Protocol Addr...

Page 318: ...n with local route local_addr Local destination IP or off NBMA subnet Protocol Address Tunnel IP address NBMA Address Pre NAT IP address if NBMA NAT OA Address is present or real address if NAT is not present NBMA NAT OA Address Post NAT IP address This field is present when Address is translated in the network Flags up Can send all packets registration ok unique Peer is unique used Peer is kernel...

Page 319: ...ue 2 1 Page 319 of 423 You can check DMVPN status using UCI commands opennhrpctl show Status ok Interface gre GRE Type local Protocol Address 11 11 11 7 32 Alias Address 11 11 11 3 Flags up Interface gre GRE Type local Protocol Address 11 11 11 3 32 Flags up Interface gre GRE Type cached Protocol Address 11 11 11 2 32 NBMA Address 178 237 115 129 NBMA NAT OA Address 172 20 38 129 Flags used up Exp...

Page 320: ...ry group of receivers that expresses an interest in receiving a particular data stream The receivers the designated multicast group are interested in receiving a data stream from the source They indicate this by sending an Internet Group Management Protocol IGMP host report to their closest router in the network The routers are then responsible for delivering the data from the source to the receiv...

Page 321: ... for PIM global settings 31 3 2 Interfaces configuration Figure 157 The interfaces configuration section Web Field UCI Package Option Description Web Enabled UCI pimd interface x enabled Opt enabled Enables multicast management of the given interface by the PIM application 0 Disabled 1 Enabled Web Interface UCI pimd interface x interface Opt interface Selects the interface to apply PIM settings to...

Page 322: ...onfig pimd To view the configuration file enter uci export pimd root VA_router etc config1 uci export pimd package pimd config routing pimd option enabled yes config interface option enabled yes option interface lan option ssm yes option igmp yes config interface option enabled yes option interface wan option ssm yes option igmp no Alternatively enter uci show pimd root VA_router etc config1 uci s...

Page 323: ..._________________________________________ _______________________________________________________________________________________________________ Virtual Access 2018 GW2020 Series User Manual Issue 2 1 Page 323 of 423 pimd interface 1 ssm yes pimd interface 1 igmp no To change any of the above values use uci set command ...

Page 324: ... network configuration shows how to configure VLAN priorities for specific interfaces VLANs root VA_router uci export network package network config va_switch option eth0 A E option eth1 B F option eth2 C G option eth3 D option eth4 H config interface VLAN_1 option type bridge option proto static option ipaddr 10 1 28 99 option netmask 255 255 0 0 option ifname eth0 eth4 config interface VLAN_2 op...

Page 325: ...vlan_qos_map_egress 0 1 The above sample configuration specifies that any frames on VLAN2 VLAN3 and VLAN4 will be processed or have their PCP value adjusted according to QoS values set VLAN1 VLAN1 is an untagged VLAN so there are no 802 1Q tags on the frames VLAN2 Any frames received on VLAN2 destined to VLAN2 with PCP priority of 1 will be forwarded without altering the priority it will be still ...

Page 326: ...highest priority and 0 is the lowest These queues prioritise 802 1Q tagged frames as they are received on the port these are hardware defined When 802 1Q frames are received on the port they are processed according to the above queues on arrival even if not defined in the configuration Then if value vlan_qos_map_ingress is configured you can modify the PCP priority for egress if the frame was to b...

Page 327: ...ce criteria parameters 33 1 QoS configuration overview A minimal QoS configuration usually consists of One interface section Some rules allocating packets to at least two buckets Configuration of the buckets 33 2 Configuration packages used Package Sections qos interface classgroup class classify 33 3 Configuring QoS using the web interface Browse to the router s IP address and login Select Networ...

Page 328: ...Enables or disables QoS interface 1 Enabled 0 Disabled Web Classification group UCI qos interface classgroup Opt classgroup Creates a mapping before previously created classgroup and interface to which it should be assigned to Web Calculate overhead UCI qos interface overhead Opt overhead Decreases upload and download ratio to prevent link saturation Web Half duplex UCI qos interface halfduplex Op...

Page 329: ...Source host Web Destination host UCI Opt Destination host Web Service UCI Opt Selectable service Web Protocol UCI Opt Protocol to classify Web Ports UCI Opt Upload speed kbits sec Web Number of bytes UCI Opt Number of bytes for bucket Table 106 Information table for classification rules 33 4 Configuring QoS using UCI You can also configure QoS using UCI The configuration file is stored on etc conf...

Page 330: ...ich it should be assigned to Web Calculate overhead UCI qos interface overhead Opt overhead Decrease upload and download ratio to prevent link saturation Web Half duplex UCI qos interface halfduplex Opt halfduplex Enables or disables half duplex operation 1 Enabled 0 Disabled Web Download speed UCI qos interface download Opt download Download speed limit in kbits sec Web Upload speed UCI qos inter...

Page 331: ...etsize 1500 Opt packetsize Specifies packet size for the class in bytes UCI qos Normal avgrate 30 Opt avgrate Average rate for this class value in of bandwidth in UCI qos Normal priority 5 Opt priority Specifies priority for the class in UCI qos Express class Opt Express Specifies class name UCI qos Express packetsize 1000 Opt packetsize Specifies packet size for the class in bytes UCI qos Express...

Page 332: ...s classify 0 target Express Opt target Specifies target class UCI qos classify 0 proto udp Opt proto Specifies protocol 33 5 Example QoS configurations config interface ADSL option classgroup Default option enabled 1 option overhead 1 option download 900 option upload 245 config classgroup Default option classes Express Normal option default Normal config class Normal option packetsize 1500 option...

Page 333: ...nfiguration files when it boots up The router is installed with a factory config that will allow it to contact Activator The autoload feature controls the behaviour of the router in requesting firmware and configuration files this includes when to start the Activation process and the specific files requested The HTTP Client uhttpd contains information about the Activator server and the protocol us...

Page 334: ...ignals the end of the autolaod sequence to Activator Activator identifies the device using the serial number of the router syntax is used to denote the serial number of the router when requesting a file The requested files are written to the alternate image or config segment You can change the settings either directly in the configuration file or via appropriate UCI set commands It is normal proce...

Page 335: ...oload main StartTimer Opt StartTimer Defines how long to wait after the boot up completes before starting activation 10 Range 0 300 secs Web Retry Timer UCI autoload main RetryTimer Opt RetryTimer Defines how many seconds to wait between retries if a download of a particular autoload entry fails 30 Range 0 300 secs Web N A UCI autoload main NumberOfRetries Opt Numberofretries Defines how many retr...

Page 336: ...age Opt BootUsingImage Specifies which image to boot up with after the activation sequence completes successfully Altimage Alternative image Image 1 image 1 Image 2 image 2 Entries Web Configured UCI autoload entry x Configured Opt Configured Enables the autoload sequence to process this entry 1 Enabled 0 Disabled Web Segment Name UCI autoload entry x SegmentName Opt SegmentName Defines where the ...

Page 337: ...ad main BootUsingConfig altconfig autoload main BootUsingImage altimage autoload entry 0 entry autoload entry 0 Configured yes autoload entry 0 SegmentName altconfig autoload entry 0 RemoteFilename ini autoload entry 1 entry autoload entry 1 Configured yes autoload entry 1 SegmentName altimage autoload entry 1 RemoteFilename img autoload entry 2 entry autoload entry 2 Configured yes autoload entry...

Page 338: ...ame img config entry option Configured yes option SegmentName config1 option RemoteFilename vas 34 7 HTTP Client configuring activation using the web interface This section contains the settings for the HTTP Client used during activation and active updates of the device The httpclient core section configures the basic functionality of the module used for retrieving files from Activator during the ...

Page 339: ...or that uses http port 80 This can be an IP address or FQDN The syntax should be x x x x 80 or FQDN 80 Multiple servers should be separated by a space using UCI Web Secure Server IP Address UCI httpclient default SecureFileServer Opt list SecureFileServer Specifies the address of Secure Activator that uses port 443 This can be an IP address or FQDN The syntax should be x x x x 443 or FQDN 443 Mult...

Page 340: ...client default CertificateKey Opt CertificateKey Specifies the directory location of the certificate key etc httpclient key Range Web N A UCI ValidateServerCertificateFieldEnabled Opt ValidateServerCertificate Defines the field in the server certificate that the client should check 1 Enabled 0 Disabled Web N A UCI httpclient default ActivatorChunkyDownlo adPath Opt ActivatorChunkyDownloadPath Enab...

Page 341: ... no httpclient default ValidateServerCertificateEnabled no httpclient default CertificateFile etc httpclient crt httpclient default CertificateFormat PEM httpclient default CertificateKey etc httpclient key httpclient default ActivatorChunkyDownloadPath activator partial download httpclient default ChunkSize 100k httpclient default RateLimit 2 httpclient default CAFile httpclient default IgnoreSer...

Page 342: ...ld UCI Package Option Description General settings Web n a UCI management_users user x enabled Opt enable Enables creates the user 0 Disabled 1 Enabled Web n a UCI management_users user x username Opt username Specifies the user s username Web n a UCI management_users user x password Opt password Specifies the user s password When entering the user password enter in plain text using the password o...

Page 343: ... a space to separate if using UCI Table 109 Information table for config user commands Note webuser will only work if linuxuser is set to yes chapuser will only work if linuxuser is set to no When a new user is created on the system and given web access you will no longer be able to login to the router web interface with the default root user details The user must use their new user login details ...

Page 344: ...ord in plain text using the password option package management_users config user option hashpassword 1 wRYYiJOz EeHN GQcxXhRgNPVbqxVw option password newpassword The new password will take effect after reboot and will now be displayed in encrypted format via the hashpassword option 34 13 User management using UCI root VA_router uci show management_users management_users user 0 user management_user...

Page 345: ...uffMjS4U0 option webuser 1 option linuxuser 1 option papuser 0 option chapuser 0 option srpuser 0 options smsuser 0 34 15 Configuring user access to specific web pages To specify particular pages a user can view add the list allowed_pages Examples are listallowed_pages admin status The user can view admin status page only listallowed_pages admin system flashops The user can view flash operation pa...

Page 346: ...rent information that can be sent to Monitor including the required router configuration for Reporting device status to Monitor Reporting GPS location to Monitor Reporting syslog to Monitor Configuration of interface statistics collection ISAD For detailed information on operating Monitor read the Monitor User Manual 35 2 Reporting device status to Monitor To allow Monitor to track the IP address ...

Page 347: ...kage Option Description Web Enabled UCI monitor keepalive 0 enabled Opt Enabled Enables Monitor to send heartbeats to the router 0 Disabled 1 Enabled Web Dev Reference UCI monitor keepalive 0 dev_reference Opt dev_reference Sets a unique identification for this device known to Monitor Web Monitor Address UCI monitor keepalive 0 monitor_ip Opt list monitor_ip Defines the IP address of Monitor It is...

Page 348: ...r keepalive 0 snmp_auth_pass Opt snmp_auth_pass Specifies snmpv3 authentication password Web Authentication Protocol UCI monitor keepalive 0 snmp_auth_proto Opt snmp_auth_proto Specifies snmpv3 authentication protocol Blank Default value MD5 MD5 as authentication protocol SHA SHA as authentication protocol Web Privacy Protocol UCI monitor keepalive 0 snmp_priv_proto Opt snmp_priv_proto Specifies s...

Page 349: ...eepalive position in the package as a number For example for the first keepalive in the package using UCI monitor keepalive 0 keepalive monitor keepalive 0 enabled 1 Or using package options config keepalive option enabled 1 However to better identify it is recommended to give the keepalive instance a name For example to create a keepalive instance named keepalivev1 To define a named keepalive ins...

Page 350: ...eepalivev3 interval_min 1 monitor keepalivev3 monitor_ip 172 16 250 101 monitor keepalivev3 dev_reference TEST monitor keepalivev3 snmp_version 3 monitor keepalivev3 snmp_uname TEST monitor keepalivev3 snmp_auth_pass vasecret monitor keepalivev3 snmp_auth_proto MD5 monitor keepalivev3 snmp_priv_pass vasecret monitor keepalivev3 snmp_priv_proto DES 35 2 5 Keepalive using package options root VA_rou...

Page 351: ...eat via web interface The keepalive heartbeat can send information on multiple interfaces In order to send an interface status to Monitor select Network Interfaces then under the required interface select Edit Under Advanced Settings enable the Monitor interface state option Figure 165 The interface common configuration page Web Field UCI Package Option Description Web Monitor interface state UCI ...

Page 352: ...r GPS location the GPS coordinates can be configured to be sent in the heartbeat keepalive from the router GPS location is only available in supported hardware models Ensure monitor keepalive heartbeat is correctly configured as in section 35 2 above 35 3 1 Configuration package used Package Sections gpsd gpsd 35 3 2 Configuring GPS location via the web interface Select Services GPS The GPS config...

Page 353: ... 35 3 3 1 GPS using UCI root VA_router uci show gpsd gpsd core gpsd gpsd core enabled 1 35 3 3 2 GPS using package options root VA_router uci export gpsd package gpsd config gpsd core option enabled 1 35 3 4 GPS diagnostics To view information on GPS coordinates via the web interface select Status GPS Information Figure 167 The GPS status page To view GPS coordinates via command line enter gpspeek...

Page 354: ...syslog events are sent to the syslog server Figure 168 The system properties page Web Field UCI Package Option Description Web External system log server UCI system main log_ip Opt log_ip Defines the external syslog server IP address Web External system log server UCI system main log_port Opt log_port Defines the external syslog server destination port number for syslog messages 514 Range Table 11...

Page 355: ...ransmit and receive packets bytes errors for a period Signal strength and also temperature parameters are also stored in the bins Bins are uploaded to Monitor periodically Note Ensure monitor keepalive heartbeat and interface status is correctly configured as in section 30 2 above Interfaces should have option monitored enabled as part of the collection ISAD replaces the deprecated SLA feature 35 ...

Page 356: ...formation table for ISAD Monitor Keepalive ISAD Interface Stats section 35 5 3 Configuring ISAD using the command line ISAD is configured under the Monitor package 35 5 3 1 ISAD using UCI root VA_router uci show monitor monitor keepalivev1 keepalive monitor keepalivev1enabled 1 monitor keepalivev1 interval_min 1 monitor keepalivev1 dev_reference router1 monitor keepalivev1 monitor_ip 10 1 83 36 mo...

Page 357: ...d_ts 85020 monitor bin_0 start_ts 84960 monitor bin_1 isad monitor bin_1 end_ts 85080 monitor bin_1 start_ts 85020 monitor bin_2 isad monitor bin_2 end_ts 85140 monitor bin_2 start_ts 85080 35 5 5 ISAD operation The bin statistics stored on the router must be periodically pushed statistics to Monitor This is normally done centrally when statistics are enabled on Monitor Monitor contacts each route...

Page 358: ...ckage Sections snmpd access agent com2sec constant exec group heartbeat informreceiver inventory inventory_iftable monitor_disk monitor_ioerror monitor_load monitor_memory monitor_process pass system trapreceiver usm_user view The SNMP application has several configuration sections System and Agent Configures the SNMP agent Com2Sec Maps SNMP community names into an arbitrary security name Group As...

Page 359: ...htrapenabled Opt authtrapenabled Enables or disables SNMP authentication trap 0 Disabled 1 Enabled Note this is the SNMP poll authentication trap to be set when there is a community mismatch Web Enable Link State Notification UCI snmpd agent 0 link_updown_notify Opt link_updown_notify Generates trap info when interface goes up or down When enabled the router sends a trap notification link up or do...

Page 360: ...Description Web Security Name UCI snmpd com2sec x secname Opt secname Specifies an arbitrary security name for the user Web Source UCI snmpd com2sec x source Opt source A hostname localhost or a subnet specified as a b c d mask or a b c d bits or default for no restrictions Web Community UCI snmpd com2sec x community Opt community Specifies the community string being presented in the request Table...

Page 361: ...oup Table 118 Information table for group settings 36 2 4 View settings View settings define a named view which is a subset of the overall OID tree This is most commonly a single subtree but several view directives can be given with the same view name to build up a more complex collection of OIDs Figure 173 The view settings section Web Field UCI Package Option Description Web Name UCI snmpd view ...

Page 362: ...NMPv3 request context is matched against the value according to the prefix below For SNMP v1 and SNMP v2c the context must be none none all Web Version UCI snmpd access x version Opt version Specifies the SNMP version number being used in the request any v1 v2c and usm are supported v1 SNMP v1 v2v SNMP v2 usm SNMP v3 any Any SNMP version Web Level UCI snmpd access x level Opt level Specifies the s...

Page 363: ...ings page Web Field UCI Package Option Description Web Host UCI snmpd trapreceiver x host Opt host Host address Can be either an IP address or an FQDN Web Port UCI snmpd trapreceiver x port Opt port UDP port to be used for sending traps Range 162 Web Version UCI snmpd trapreceiver x version Opt version SNMP version v1 V2 Web Community UCI snmpd trapreceiver x community Opt community Community to u...

Page 364: ...munity Community to use in inform messages for this host Table 122 Information table for trap receiver settings 36 3 Configuring SNMP using command line The configuration files are stored on etc config snmpd 36 3 1 System settings using UCI root VA_router uci show snmpd snmpd system system snmpd system sysLocation Office 123 snmpd system sysContact Mr White snmpd system sysName Backup Access 4 snm...

Page 365: ...m the localhost itself using private as the community string will be dealt with using the security name rw Note the security names of ro and rw here are simply names the fact of a security name having read only or read write permissions is handled in the access section and dealt with at a group granularity 36 3 3 1 Com2sec using UCI snmpd c2s_1 com2sec snmpd c2s_1 source default snmpd c2s_1 commun...

Page 366: ...n v2c snmpd grp_1_v2c group public snmpd grp_1_v2c secname ro snmpd grp_1_usm group snmpd grp_1_usm version usm snmpd grp_1_usm group public snmpd grp_1_usm secname ro snmpd grp_1_access access snmpd grp_1_access context none snmpd grp_1_access version any snmpd grp_1_access level noauth snmpd grp_1_access prefix exact snmpd grp_1_access read all snmpd grp_1_access write none snmpd grp_1_access no...

Page 367: ... exact snmpd grp_2_access read all snmpd grp_2_access write all snmpd grp_2_access notify all snmpd grp_2_access group public 36 3 4 2 Group settings using package options config group public_v1 option group public option version v1 option secname ro config group public_v2c option group public option version v2c option secname ro config group public_usm option group public option version usm optio...

Page 368: ...mt mib 2 36 3 5 2 View settings using package options config view all option viewname all option type included option oid 1 config view mib2 option viewname mib2 option type included option oid iso org dod Internet mgmt mib 2 36 3 6 Access settings The following example shows the public group being granted read access on the all view and the private group being granted read and write access on the...

Page 369: ...group private option context none option version any option level noauth option prefix exact option read all option write all option notify all 36 3 7 SNMP traps settings 36 3 7 1 SNMP trap using UCI snmpd trapreceiver 0 trapreceiver snmpd trapreceiver 0 host 1 1 1 1 161 snmpd trapreceiver 0 version v1 snmpd trapreceiver 0 community public 36 3 7 2 SNMP trap using package options for SNMPv1 or v2c...

Page 370: ...iguring SNMP interface alias To enter and SNMP alias for an interface select Network Interfaces Edit Common Configuration Advanced Settings Enter a small index value for SNMP Alias ifindex that is unique to this interface To retrieve SNMP statistics for this interface the SNMP manager should be configured to poll snmp_alias_ifindex 1000 For example if an interface is configured with an snmp_alias_...

Page 371: ... in the ifIndex table If present this option supercedes the default ifDescr value usually the UCI interface name or configured ifName Blank No SNMP interface alias name Range Table 123 Information table for static SNMP alias interface 36 4 3 Configuring SNMP interface alias using the command line SNMP interface alias is configured under the network package etc config network The following examples...

Page 372: ...ried by an snmpwalk or snmpget either locally or remotely 36 5 3 1 snmpwalk To do an snmpwalk locally use snmpwalk An example snmpwalk is shown below root VA_router snmpwalk c public v 1 localhost 1 3 6 1 2 1 1 iso 3 6 1 2 1 1 1 0 STRING Virtual Access GWXXXX SN 00E0C812D1A0 EDG 21 00 07 008 iso 3 6 1 2 1 1 2 0 OID iso 3 6 1 4 1 2078 iso 3 6 1 2 1 1 3 0 Timeticks 71816 0 11 58 16 iso 3 6 1 2 1 1 4...

Page 373: ...38 iso 3 6 1 2 1 1 9 1 4 7 Timeticks 38 0 00 00 38 iso 3 6 1 2 1 1 9 1 4 8 Timeticks 38 0 00 00 38 iso 3 6 1 2 1 1 9 1 4 9 Timeticks 60 0 00 00 60 36 5 3 2 snmpget To do an snmpget locally use snmpget An example snmpget is shown below root VA_router snmpget c public v 1 localhost 1 3 6 1 4 1 2078 3 14 2 iso 3 6 1 4 1 2078 3 14 2 STRING EDG 21 00 07 008 36 5 4 SNMP status To view an overview includ...

Page 374: ...eventd application defines three types of object Forwardings Rules that define what kind of events should be generated For example you might want an event to be created when an IPSec tunnel comes up or down Targets Define the targets to send the event to The event may be sent to a target via a syslog message a snmp trap or email Connection testers Define methods to test the target is reachable IP ...

Page 375: ... type 37 2 4 Supported connection testers The table below describes the methods to test a connection that are currently supported Type Description link Checks if the interface used to reach the target is up ping Pings the target And then assumes there is connectivity during a configurable amount of time Table 125 Event system supported connection tester methods 37 3 Configuring the event system us...

Page 376: ...able 126 Information table for event system basic settings 37 3 2 Connection tester A connection tester is used to verify the event destination before forwarding the event Connection testers configure the uci conn_tester section rules Multiple connection testers can be configured There are two types of connection tester Type Description link Checks if the interface used to reach the target is up p...

Page 377: ...ccessful ping defines a connection tester as up Note only displayed if connection tester type is set to Ping 60 Range Web Link Interface UCI va_eventd conn_tester 0 link_iface Opt link_iface Defines the interface to monitor when the connection tester type is set to link Configured interfaces are listed Note only displayed if connection tester type is set to Link Range Table 127 Information table f...

Page 378: ...ion type For syslog server choose Syslog Web Value Description UCI Syslog syslog SNMP Trap snmptrap Email email Execute exec SMS sms n a File target file Web Connection Tester Name UCI va_eventd target 0 conn_tester Opt conn_tester Defines the connection tester if any to use to verify the syslog target None No connection tester UCI option not present Range Web Destination Address UCI va_eventd tar...

Page 379: ...tion 0 Disabled 1 Enabled Web Destination name UCI va_eventd target 0 name Opt name Defines a name for the event destination Range Web Type UCI va_eventd target 0 type Opt type Defines the event destination type For an email server choose Email Web Value Description UCI Syslog Syslog target syslog SNMP Trap SNMP target snmptrap Email Email target email Execute Execure target exec SMS SMS target sm...

Page 380: ...CI va_eventd target 0 smtp_addr Opt smtp addr Defines the email server address and port Range a b c d port or fqdn port Web SMTP User Name UCI va_eventd target 0 smtp_user Opt smtp_user Defines user name for SMTP authentication Range name site com Web SMTP Password UCI va_eventd target 0 smtp_password Opt smtp_password Defines the password for SMTP authentication Range Web Use TLS UCI va_eventd ta...

Page 381: ...eb Value Description UCI Syslog Syslog target syslog SNMP Trap SNMP target snmptrap Email Email target email Execute Execure target exec SMS SMS target sms n a File target file Web Connection Tester Name UCI va_eventd target 0 conn_tester Opt conn_tester Defines the connection tester if any to use to verify the SNMP target None No connection tester UCI option not present Range Web Destination Addr...

Page 382: ..._auth_pass Opt snmp_auth_pass Defines the SNMPv3 authentication password Only displayed when SNMPv3 authentication protocol is configured MD5 SHA Web Privacy Protocol UCI va_eventd target 0 snmp_priv_proto Opt snmp_priv_proto Defines the SNMPv3 privacy protocol Only displayed when SNMP authentication protocol is configured DES AES Web Privacy Password UCI va_eventd target 0 snmp_priv_pass Opt snmp...

Page 383: ...r the event destination Range Web Type UCI va_eventd target 0 type Opt type Defines the event destination type For shell command execution choose Execute Web Value Description UCI Syslog Syslog target syslog SNMP Trap SNMP target snmptrap Email Email target email Execute Execure target exec SMS SMS target sms n a File target file Web Connection Tester Name UCI va_eventd target 0 conn_tester Opt co...

Page 384: ...e Opt type Defines the event destination type For SMS destination choose SMS Web Value Description UCI Syslog syslog SNMP Trap snmptrap Email email Execute exec SMS sms n a file Web Connection Tester Name UCI va_eventd target 0 conn_tester Opt conn_tester Defines the connection tester if any to use to verify the SMS target None No connection tester UCI option not present Range Web Message Template...

Page 385: ...alue Description UCI Syslog syslog SNMP Trap snmptrap Email email Execute exec SMS sms n a file Web n a UCI va_eventd target 0 file_name Opt file_name Defines a file name for the event destination full path Range Web n a UCI va_eventd target 0 max_size_kb Opt file_name Defines a file size in kilobits 2048 Range Web n a UCI va_eventd target 0 template Opt template Defines the message template to us...

Page 386: ...verity are specified in the one UCI option and entered using a dash separator in the form minimum maximum Example va_eventd forwarding 0 severity debug error debug minimum severity info notice warning error critical alert emergency maximum severity Web Maximum Severity UCI va_eventd forwarding 0 severity Opt severity Defines the maximum event severity The maximum event severity is EMERGENCY Events...

Page 387: ...ed target The target instance is identified by target then the target position in the package as a number For example for the first target in the package using UCI va_eventd target 0 target va_eventd target 0 enabled 1 Or using package options config target option enabled 1 By default all forwarding instances are named forwarding The forwarding instance is identified by forwarding then the forward...

Page 388: ... 192 168 100 126 68 va_eventd target 0 snmp_version 3 va_eventd target 0 snmp_uname v3username va_eventd target 0 snmp_auth_proto MD5 va_eventd target 0 snmp_auth_pass md5password va_eventd target 0 snmp_priv_proto AES va_eventd target 0 snmp_priv_pass aespassword va_eventd target 0 snmp_context v3context va_eventd target 0 snmp_context_eid v3contextID va_eventd target 0 snmp_sec_eid v3SecurityID ...

Page 389: ...d conn_tester 2 type link va_eventd conn_tester 2 link_iface PoAADSL va_eventd target 2 target va_eventd target 2 timeout_sec 10 va_eventd target 2 name EmailTarget va_eventd target 2 type email va_eventd target 2 conn_tester EmailTest va_eventd target 2 from from example com va_eventd target 2 to to example com va_eventd target 2 subject_template serial severityName eventName va_eventd target 2 b...

Page 390: ...et SMStarget va_eventd forwarding 3 className auth va_eventd forwarding 3 eventName LoginSSH va_eventd forwarding 3 severity notice notice Sample Execute va_eventd target 4 target va_eventd target 4 name ExecTarget va_eventd target 4 type exec va_eventd target 4 cmd_template logger t eventer eventName va_eventd forwarding 4 forwarding va_eventd forwarding 4 enabled yes va_eventd forwarding 4 targe...

Page 391: ...nfig conn_tester option type ping option ping_dest_addr 192 168 100 1 option ping_success_duration_sec 60 option name SNMPTest option ping_source LAN1 config target option suppress_duplicate_forwardings no option type snmp option agent_addr localhost option name SNMPTarget option conn_tester SNMPTest option target_addr 192 168 100 126 68 option snmp_version 3 option snmp_uname v3username option sn...

Page 392: ...dest_addr 192 168 100 2 option ping_source LAN1 option ping_success_duration_sec 60 config target option name SyslogTarget option type syslog option conn_tester SyslogTest option target_addr 192 168 100 2 514 option tcp_syslog 0 config forwarding option enabled yes option severity debug error option target SyslogTarget Sample Email config conn_tester option name EmailTest option type link option l...

Page 393: ...ord admin option use_tls no option tls_starttls no option tls_forcessl3 no config forwarding option enabled yes option target EmailTarget option className power option eventName IgnitionOff option severity notice notice Sample SMS config target option name SMStarget option type sms option template serial severityName eventName option callee 0123456789 config forwarding option enabled yes option ta...

Page 394: ...ng option enabled yes option target FileTarget option severity debug error 37 5 Event system diagnostics 37 5 1 Displaying VA events To view a list of all available class names events and severity levels enter root VA_router vae_cli d The following is an example of the output from this command Class ID Name Severity Specific Template internal 1 EventdConfigErr error p1 p2 p3 has bad value internal...

Page 395: ...ent notice Sent SMS to p1 p2 ethernet 1 LinkUp notice Ethernet p1 up ethernet 2 LinkDown notice Ethernet p1 down auth 2 BadPasswordSSH warning SSH login attempt from p2 ba auth 3 BadUserConsole warning Console login attempt on p1 auth 4 BadPasswordConsole warning Console login attempt on p2 auth 5 BadUserTelnet warning Telnet login attempt bad username auth 6 BadPasswordTelnet warning Telnet login...

Page 396: ...1 disconnected from AP wifi 2 WiFiDisconnectedFromAP notice WiFi p1 disconnected from AP wifi 3 WiFiStationAttached notice WiFi station p2 connected to wifi 3 WiFiStationAttached notice WiFi station p2 connected to wifi 4 WiFiStationDetached notice WiFi station p2 disconnected wifi 4 WiFiStationDetached notice WiFi station p2 disconnected wifi 5 WiFiStationAttachFailed notice WiFi station p2 faile...

Page 397: ..._______________________________________________ Virtual Access 2018 GW2020 Series User Manual Issue 2 1 Page 397 of 423 system 2 DigitalInputChange notice Digital Input p1 changed valu ntp 1 InitialSync notice Initial NTP sync time p1 o ntp 2 Adjust informat NTP adjust by p1 ntp 3 QueryTimeout warning NTP query to p1 timed out Ne ntp 4 QueryFailed warning NTP query failed p1 ...

Page 398: ...n DISCLAIMER data usage statistics calculated by Virtual Access data usage feature are best estimates and may vary from the mobile carrier statistics that are used for billing Virtual Access cannot be held liable for any fees charged by the carrier to the customer for their data usage We recommend that the configured data usage is lower than the allowance and that traffic percentage alerts are use...

Page 399: ...Web Interfaces UCI procrustes limit 0 interfaces Opt interfaces Monitor and apply limits to these interfaces as a group Configure multiple interfaces via UCI using a space separator Example uci set procrustes limit 0 interfaces lan wan Web Monthly Limit MiB UCI procrustes limit 0 monthly_data_limit Opt monthly_data_limit Defines monthly data traffic limit in mebibytes MiB This is total RX and TX o...

Page 400: ... package options config limit option enabled 1 However to better identify it is recommended to give the limit instance a name For example create a limit instance named MOBILE1 To define a named limit instance using UCI enter procrustes limit 0 wan procrustes wan enabled 1 To define a named limit instance using package options enter config limit wan option enabled 1 The following examples show two ...

Page 401: ...rning_levels 15 25 config limit wan option enabled 1 option interfaces MOBILE1 option billing_period_start_day 1 option monthly_data_limit 30 option monthly_warning_levels 15 25 38 4 Data usage status Select System Overview The Status page appears To check current data usage scroll to Network Data Usage MiB row Data usage is presented as progress bar Figure 188 The data usage status progress bar 3...

Page 402: ...CE procrustes No limits defined Exiting ERROR mobile SIM iccid is blacklisted not establishing connection 38 5 2 Viewing data usage The router has monitoring application named procrustatus lua that can be used for viewing data usage This application displays data statistics used for different interface groups percentage of time left to next billing period start and percentage of data left for use ...

Page 403: ... serial port You can configure the IP endpoint of each Terminal Server session to be a TCP server each session is listening on a unique port TCP client Terminal Server makes a TCP connection to external TCP server UDP endpoint Terminal Server forwards data between a UDP stream and a serial port 39 2 Configuration packages used Package Sections tservd main port 39 3 Configuring Terminal Server usin...

Page 404: ...nable Enables detailed debug logging 0 Disabled 1 Enabled Web Syslog severity UCI tservd main log_severity Opt log_severity Determines the syslog level Events up to this priority will be logged 0 Emergency 1 Alert 2 Critical 3 Error 4 Warning 5 Notice 6 Informational 7 Debug Web Log RX TX UCI tservd main debug_rx_tx_enable Opt debug_rx_tx_enable Enables logging data transfers 0 Disabled 1 Enabled ...

Page 405: ...twork 256 256 bytes Range 0 2048 Web Network Forwarding Timeout ms UCI tservd port 0 fwd_timeout Opt fwd_timeout Forwarding timeout in milliseconds serial to network 30 30 ms Range 0 10000 Web Network Forwarding Timer Mode UCI tservd port 0 fwd_timer_mode Opt fwd_timer_mode Forwarding timer mode serial to network Idle Timer is re started on each received data Aging Timer started on the first Rx We...

Page 406: ...trol When either side TCP socket closes the main terminal server client re connects to the normal IP destination and the server proxy returns to listening for another connection from the far end 0 Disabled 1 Enabled Web Disable Remote Client s Local Echo Telnet option UCI tservd port 0 disable_echo Opt disable_echo Set to 1 to send IAC WILL ECHO Telnet option to remote client forcing it to disable...

Page 407: ..._____________________________________________________ _______________________________________________________________________________________________________ Virtual Access 2018 GW2020 Series User Manual Issue 2 1 Page 407 of 423 Figure 191 The serial section fields port mode RS232 ...

Page 408: ...port 0 parity Opt parity Serial device parity 0 None 1 Even 2 Odd 3 Space Web Stop Bits UCI tservd port 0 stops Opt stops Serial device number of stop bits 1 Range 1 2 Web Flow Control UCI tservd port 0 fc_mode Opt fc_mode Serial flow control mode 0 None 1 RTS CTS 2 XON XOFF Web RS485 Termination UCI tservd port 0 rs485_line_termination Opt rs485_line_termination Enables or disable RS485 terminati...

Page 409: ... displayed if Atmel USB serial card is enabled and port mode is X21 auto RTS set to on when port is open Off when the port is closed on RTS always on off RTS always off app RTS controlled by the application ontx In HDLC mode RTS is on during frame transmission Web Synchronous rate UCI tservd port 0 sync_speed Opt sync_speed Defines the synchronous speed in bps Set to 0 for external clock If not se...

Page 410: ...al X 21 card DCE RCLK Invert UCI tservd port 0 dce_rclk_inv Opt dce_rclk_inv Enables X 21 DCE RCLK signal inversion 0 Normal 1 Invert Web Dual X 21 card CLK Invert UCI tservd port 0 x21_clk_invert Opt x21_clk_invert Enables X 21 DCE CLK signal inversion 0 Normal 1 Invert Web Dual X 21 card RX data delay UCI tservd port 0 x21_data_delay Opt x21_data_delay Sets X 21 card RX data delay in number of b...

Page 411: ...meout Defines the V23 modem receive echo suppression timeout in milliseconds 20 Range Web n a UCI tservd port 0 v23_tx_rampdown Opt v23_tx_rampdown Defines the time in milliseconds it takes the V23 transmitter to rampdown carrier from peak to zero 30 Range Web n a UCI tservd port 0 v23_tx_maxfill Opt v23_tx_maxfill Defines the maximum transmit queue fill level in bytes 127 Range 0 255 Table 138 In...

Page 412: ...lient mode is enabled 951 Range 1 65535 Web Remote IP 1 UCI tservd port 0 remote_ip1 Opt remote_ip1 Destination peer IP 1 address 0 0 0 0 Range IPv4 address Web Remote IP 2 UCI tservd port 0 remote_ip2 Opt remote_ip2 Destination peer IP 2 address for failover 0 0 0 0 Range IPv4 address Web Enable TCP Keepalives UCI tservd port 0 tcp_keepalives_enabl ed Opt tcp_keepalives_enabled Enable or disables...

Page 413: ...l low Only displayed if Transport Mode is TCP and client mode is enabled 0 Disabled Detecting DSR down does not affect the TCP connection 1 Enabled Detecting DSR down closes the established TCP connection Web Reconnect Time ms UCI tservd port 0 disc_time_ms Opt disc_time_ms Time in milliseconds to start reconnecting after setting DTR low 5000 5 seconds Range 0 10000 Web UDP Keepalive Interval UCI ...

Page 414: ...ain debug_ev_enable 1 tservd port 0 port tservd port 0 devName dev ttySC0 tservd port 0 remote_ip1 0 0 0 0 tservd port 0 remote_ip2 0 0 0 0 39 5 Terminal Server using package options root VA_router uci export tservd package tservd config tservd main option log_severity 0 option debug_rx_tx_enable 1 option debug_ev_enable 1 config port option devName dev ttySC0 option remote_ip1 0 0 0 0 option remo...

Page 415: ... If you have set option tcp_always_on1 or DSR state is UP the TCP connection setup is initiated immediately If you have set option tcp_always_on0 and DSR is DOWN the terminal server waits for a DSR UP signal When DSR UP is detected the TCP connection is initiated 39 6 1 3 TCP connection clearing The TCP connection is cleared either by the network or by the terminal server application itself The TC...

Page 416: ...n is normally never cleared but if it is closed by the network sub system it gets re setup after a hand off timeout A DSR signal DOWN event does not clear UDP session in the connected state 39 6 3 3 UDP session reset After UDP session clearing the terminal server takes action to resetup a UDP session after a hand off timeout If you have set option tcp_always_on1 or DSR state is UP the UDP session ...

Page 417: ...A_router tserv show debug all TERMINAL 1 Dev dev ttySC0 State LISTENING netRxBuf length 0 offset 0 hdrsz 0 ttyRxBuf length 0 offset 16 hdrsz 16 line_status_mask 0x0 line_status 0x0 RFC2217 negotiated 0 Tcp tx last error 0 39 7 4 Terminal Server serial signals debugging To see Terminal Server serial signals statistics enter root VA_router tserv show serial TERMINAL 1 Dev dev ttySC1 DSR 0 DTR 1 RTS ...

Page 418: ...3 start capturing rx serial data tserv print capture N N port number 0 to 3 print captured rx serial data tserv show serial txlog hex Port length Port port cfg index 0 to 3 length length to show tserv show serial rxlog hex Port length Port port cfg index 0 to 3 length length to show tserv show serial txlog asc Port length Port port cfg index 0 to 3 length length to show tserv show serial rxlog asc...

Page 419: ...nal console enabled Opt enabled Enables Terminal on the router 0 Disabled 1 Enabled Web n a UCI terminal console device Opt device String value point at the tty device in dev folder None Default string Device name e g ttySC0 to use serial port 0 Web n a UCI terminal console speed Opt speed Set the speed of serial connection 115200 Default range Supported port speed Web n a UCI terminal console typ...

Page 420: ... terminal config terminal ttySC0 option enabled 0 option device ttySC0 option speed 115200 option type vt100 option flowcontrol 1 40 5 Terminal diagnostics 40 5 1 Checking terminal entry in inittab To check if terminal configuration is running enter the following commands and confirm the line referring to the device name is present and looks similar to the last line below root VA_router cat etc in...

Page 421: ...erface using the relevant application for example Terminal Server therefore there is no standalone serial configuration page You can monitor the various serial interfaces using either the command line or the web interface 41 2 Monitoring serial interfaces using the web interface In the top menu select Status Serial Interfaces Depending on the number of serial interfaces present in the device a num...

Page 422: ... GW2020 Series User Manual Issue 2 1 Page 422 of 423 41 2 2 Serial status Figure 194 The serial status page for serial 0 41 3 Monitoring serial interfaces using command line 41 3 1 Serial statistics using command line To view serial statistics enter serial_stats root VirtualAccess serial_stats ttyU0 statistics Tx Frames 0 Tx Bytes 9 Tx Underruns 0 Tx Discards 0 Rx Frames 0 Rx Bytes 258856 Rx Overr...

Page 423: ... command line To view serial statistics enter serial_status root VirtualAccess serial_status ttyU0 status Cable Id V 24 DTE Hardware Version QD3128B Firmware Version 1 3 15 DAC Voltage 1650000uV DTR 1 DSR 1 RTS 1 DCD 0 41 3 3 Resetting serial statistics To reset serial statistics enter serial_stats_reset root VirtualAccess serial_stats_reset ttyU0 Serial interface statistics reset You can reset st...

Reviews:

No comments

Related manuals for GW2021

D-Link DIR-855L Quick Installation Manual preview
DIR-855L
Brand: D-Link Pages: 28
D-Link DIR-850L Quick Install Manual preview
DIR-850L
Brand: D-Link Pages: 4
D-Link DIR-830L Quick Install Manual preview
DIR-830L
Brand: D-Link Pages: 12
D-Link DIR-826L Quick Install Manual preview
DIR-826L
Brand: D-Link Pages: 2
D-Link DIR-803 Manual Configuration Manual preview
DIR-803
Brand: D-Link Pages: 6
D-Link DIR-655 - Xtreme N Gigabit Router Wireless Quick Start Manual preview
DIR-655 - Xtreme N Gigabit Router Wireless
Brand: D-Link Pages: 3
D-Link DIR-640L Quick Install Manual preview
DIR-640L
Brand: D-Link Pages: 12
D-Link DIR-626L User Manual preview
DIR-626L
Brand: D-Link Pages: 140
D-Link DIR-605L Technical Support Setup Procedure preview
DIR-605L
Brand: D-Link Pages: 11
D-Link DIR-605L Quick Install Manual preview
DIR-605L
Brand: D-Link Pages: 2
D-Link DIR-514 Faq preview
DIR-514
Brand: D-Link Pages: 48
D-Link DIR-510L Quick Install Manual preview
DIR-510L
Brand: D-Link Pages: 16
D-Link DIR-506L Configuration Manual preview
DIR-506L
Brand: D-Link Pages: 16
D-Link DIR-1750 Quick Installation Manual preview
DIR-1750
Brand: D-Link Pages: 2
D-Link DIR-822 Quick Instillation Manual preview
DIR-822
Brand: D-Link Pages: 35
D-Link DIR-880L Quick Install Manual preview
DIR-880L
Brand: D-Link Pages: 12
D-Link DIR-842 Quick Install Manual preview
DIR-842
Brand: D-Link Pages: 12
D-Link DIR-821 Quick Install Manual preview
DIR-821
Brand: D-Link Pages: 24

Brands by name

Popular brands

Load more brands