Declaration
Thank you for choosing our company's product! Before use, please carefully read this user manual. By complying with the following statements, you will help maintain intellectual property rights and legal compliance, ensuring that your user experience aligns with the latest product information. If you have any questions or need written permission, please feel free to contact our technical support team.
Copyright Statement
This user manual contains copyrighted content, and the copyright belongs to InHand Networks and its licensors. Without written permission, no organization or individual may excerpt, copy any part of the content of this manual, or distribute it in any form.
Disclaimer
Due to ongoing updates in product technology and specifications, the company cannot guarantee that the information in the user manual is entirely consistent with the actual product. Therefore, no disputes arising from any discrepancies between the actual technical parameters and the user manual are accepted. Any changes to the product will not be notified in advance, and the company reserves the right to make the final changes and interpretations.
Copyright Information
The content of this user manual is protected by copyright laws, and the copyright belongs to InHand Networks and its licensors, reserving all rights. Without written permission, the content of this manual may not be used, copied, or distributed without authorization.
Conventions
Symbol
|
Indication
|
[ ]
|
Referring to function modules
or menus, such as in the [ Status ] menu."
|
“ ”
|
Referring to a button name,
such as Clicking the “Add” button.
|
〉
|
Multiple levels
of menus are separated by "〉". For example, "File〉New〉Folder" represents the "Folder" menu item under
the "New" submenu, which is under the "File" menu.
|
Cautions
|
Please be
mindful of the following points during the operation, as improper actions may
result in data loss or device damage.
|
Note
|
Supplement and provide
necessary explanations for the description of the operation.
|
Technical Support
E-mail:support@inhandnetworks.com
URL: www.inhandnetworks.com
The Edge Router 805 is a next-generation 5G edge router product introduced by InHand Networks for the commercial networking sector. It seamlessly integrates 4G/5G wireless networks with a variety of broadband services, offering high-speed and secure network access to various industries. Users can enjoy uninterrupted internet connectivity anytime and anywhere, while benefiting from comprehensive security features and exceptional wireless services. The ER805 transforms device interconnectivity into a reality, providing a high-speed gateway for device informatization.
Fig. 1 ER805’s Application
Indicators
|
Status and
Description
|
System
|
Off --- Power Off
Blink in blue --- System booting in progress.
Steady in blue --- The system is running smoothly.
Blink in red --- System
malfunction detected.
Blink in green
--- System upgrading in progress.
|
Network
|
Blink in red --- Network
disconnected.
Blink in green
--- Cellular network connecting.
Steady in green
--- Cellular network connected.
Blink in blue --- Wired network connecting.
Steady in blue --- Wired network connected.
|
Wi-Fi 2.4G
|
Off --- 2.4G Wi-Fi disabled.
Steady in blue --- Starting up.
Blink in blue --- On working
|
Wi-Fi 5G
|
Off --- 5 G Wi-Fi disabled.
Steady in green
--- Starting up.
Blink in green
--- On working.
|
For the network status indicator:
- If both cellular and wired connections are normal, it displays a blue wired indicator.
- If only one type of connection is active and noal, it shows the indicator for the active network.
- If there is no network connection, it displays red.
To reset to factory default settings using the Reset button:
Step
1: After powering on the device, immediately press and hold the Reset button.
Step
2: After holding it for a while, the power indicator light will start flashing.
Approximately half a minute later, the power indicator light will stay on
steadily.
Step
3: Release the Reset button, and the power indicator light will flash again.
Then, press and hold the Reset button once more.
Step
4: The power indicator light will flash slowly. Release the Reset button, and
the factory reset will be successful. The device will restart normally.
No.
|
Function
|
Default Settings
|
1
|
Cellular
Dialing
|
Default dialing is set to "SIM1"
|
2
|
Wi-Fi
|
1.
Wi-Fi 2.4G access point enabled, SSID: Prefixed with "ER805-",
followed by the last 6 digits of the wireless MAC address.
2.
Wi-Fi 5G access point enabled, SSID: Prefixed with "ER805-5G-",
followed by the last 6 digits of the wireless MAC address.
3.
The authentication method is WPA2-PSK.
4.
The password for both is the last 8 digits of the serial number.
|
3
|
Ethernet
|
1. Enable all 4 LAN ports.
2. IP Address: 192.168.2.1
Subnet Mask: 255.255.255.0
3. DHCP server enabled,
with an address pool from 192.168.2.2 to 192.168.2.100 for automatic IP
address assignment to connected devices.
|
4
|
Network
Access Control
|
Local HTTP and HTTPS are enabled with port
numbers 80 and 443 respectively. Disable access from the cellular network.
|
5
|
Username/Password
|
adm/123456
|
Step 1: Install the 4G/5G and Wi-Fi antennas and insert the SIM card.
Step 2: Connect the power cable and an Ethernet cable; connect any LAN port to your PC.
Step 3: Set your PC's IP address to be on the same subnet as the edge router.
Fig. 4.1 Configure PC IP Address
The device's LAN port has DHCP Server functionality enabled by default. Once the PC has automatically obtained an IP address, please ensure that your PC and router are in the same address range.If your PC fails to obtain an IP address automatically, please configure it with a static IP address and the following parameters:
IP Address: 192.168.2.x (Choose an available address within the range of 192.168.2.2 to 192.168.2.254). Subnet Mask: 255.255.255.0. Default Gateway: 192.168.2.1. DNS Servers: 8.8.8.8 (or your ISP's DNS server address)
Step 4: Enter the default device address 192.168.2.1, in the browser's address bar. After entering the username and password (adm/123456), access the device's web management interface. If the page shows a security warning, click on the "Hide" or "Advanced" button and select "Proceed" to continue.
Fig.4-1
Device Web Login Page
4.2 Quickly connect to the Internet
The ER805 supports three access network modes, including wired, cellular, and Wi-Fi. The device's WAN interface has DHCP service enabled by default. Simply connect the WAN interface to the internet using an Ethernet cable, and it will automatically establish an internet connection.
The ER805 supports three wired internet connection methods: DHCP, Static IP, and PPPoE. The device's WAN interface has DHCP service enabled by default. Simply connect the WAN interface to the internet using an Ethernet cable, and it will automatically establish an internet connection.
Fig.
4-2-1-a Edit the WAN1 Interface
In the
usual scenario, as per the instructions, upon inserting the SIM card and
connecting the Wi-Fi antennas, the ER805 router will automatically establish a
dial-up connection and connect to the network when powered on.
ER805 is a cloud-managed router, and with InCloud Manager, you can achieve batch configuration deployment and software upgrades. The cloud platform offers rich visual charts and advanced features such as SD-WAN and Connector for remote maintenance, enabling small and medium-sized enterprise branches to complete their digital network infrastructure. To use InCloud Manager to manage your ER805, please follow the steps below:
4.3.1 Registration
In your web browser (we recommend using Google Chrome), enter the following URL:
https://star.inhandcloud.com. You will be automatically redirected to the portal page, where you can select "InCloud Manager" to access the SaaS platform for enterprise branch networking.Click 'Create now' to create a new platform account.
Fig. 4-3-1 Choose SaaS Services
4.3.2 Login
After completing the email registration, you can log in to InCloud Manager using the username and password you used during the registration.
Fig. 4-3-1 Choose SaaS Services
Note:When a device is initially added to the platform account, it will automatically receive a 1-year Essential license. Users can renew the license through the "License" menu.
4.3.3 Add device
After logging in, go to the "Devices" menu, click the "Add" button, fill in the device's name, serial number, and MAC address, and then click "Finish" to complete the addition.
Fig. 4-3-3 Add Device
Once the device is added to the platform, you can manage and monitor the network from the platform while also supporting users in remotely viewing real-time status information on the device's local interface.
In the "Devices" section, you can click on the "Device Name" to access the device's details page.
5.1.1 Overview
Click on [ Dashboard ] in the left menu to access the dashboard interface. Here, you can view essential device information, interface status, traffic statistics, cellular signal strength, and the number of connected Wi-Fi devices.
Fig. 5-1-1 Overview Devices
5.1.2 Data Usage
In this function, you can view the traffic usage and historical data of various upstream links.
Fig. 5-1-2 Data Usage
5.1.3 Cellular Signal
In this function, you can view cellular signal curves such as RSSI, RSRP, RSRQ, and SINR.
Fig. 5-1-3 Cellular Signal
Through the platform's "Remote Access" feature, you can assist in real-time viewing and configuring of devices. Select the target device, click "Remote Access," and it will open the device's local login interface.
Fig. 5-2-a Remote Access Entry
Fig. 5-2-b Remote Access to Local Page
In the [ Dashboard ] interface, users can find basic device information at the top, including the device name, device model, device serial number, MAC address, online duration, and upstream interface address.
Fig. 5-2-1 Device Information
- Name: Identifies the device's name, which is initially set to "ER805" but can be customized.
- MAC Address: Identifies the device's physical MAC address.
- Local Gateway Address: The default gateway address of the device's subnet.
- Model: Specifies the device's specific model, which can help determine if it supports cellular and WLAN features.
- Uptime: Reflects the device's running time since it was powered on.
- System Time: Displays the device's time zone and system time.
- Serial: A unique code that serves as an identifier for the device and can be used for indexing or adding the device to a platform account.
- Internet Access: The upstream interface used by the device for internet connectivity.
- License Status: Information about the applied license on the device, distinguishing between Small Star Cloud Manager Basic and Small Star Cloud Manager Professional.
- Firmware Version: Shows the device's current software version.
- Uplin IP: The IP address of the upstream interface used for device internet connectivity.
In the "Dashboard > Interface Status" feature, you can visually inspect the operational status of each interface. By clicking on the "Interface Icon," you can access detailed information for each interface in a pop-up box on the right-hand side of the interface.
Fig.
5-2-2 Interface Status
Fig. 5-2-3
Traffic Statistics
In the "Dashboard > Wi-Fi Client Count" feature, users can check the number of active SSIDs on the ER805 and the number of connected clients under each SSID.
Fig.
5-2-4 The number of clients connected per SSID
In the "Dashboard > Top 5 Client Traffic" feature, users can view the current ranking of client traffic usage for devices connected to the router. It displays up to 5 records, and when a client disconnects, its statistical data will be cleared.
Fig 5-2-5
Top 5 clients
by traffic
You can utilize the "Status > Link Monitoring" feature to check the health status of each upstream link and access information about throughput, latency, packet loss, signal strength, and more for each interface.
Fig.
5-2-6 Link Monitor interface
You can access the "Status > Cellular Signal" feature to check the signal strength of SIM cards under the cellular interface, along with parameters such as RSSI, SINR, RSRP, and more.
Fig.
5-2-7 Signal Strength
Through the "Status > Clients" feature, users can view detailed information about both wired and wireless clients connected to the router. This includes details such as names, addresses, MAC addresses, VLANs, connected subnets, traffic usage, online duration, and more.
Fig.
5-2-8 Clients connected to ER805
You can access the "Status > VPN" feature to view information about IPSec VPN and L2TP VPN, including their status, traffic, and the duration of the most recent connection.
Fig.
5-2-9 VPN Information
You can use the "Status > Events" feature to check event information related to the device's operation, helping users understand the device's operational status.
Fig. 5-2-10 Event Types
Currently
supported event types:
- Successful/Failed
User Logins.
- High
CPU Utilization in the Last 5 Minutes.
- High
Memory Utilization in the Last 5 Minutes.
- Cellular
Traffic Reaches Threshold.
- VPN
Status Changes.
- Uplink
Status Changes.
- Uplink
Switching.
- WAN2/LAN1
Switching.
- Reboot.
- Upgrade.
Through the "Status > Logs" feature, users can examine the system logs, which contain information about the device's operational history. When the device encounters issues, technical personnel can use these logs for troubleshooting and diagnosis.
Fig.
5-2-11 Logs information
- Download
Logs: Download the device's operational logs.
- Download Diagnostic Logs: Download the
device's diagnostic logs, which include system operation logs, device
information, and device configurations.
- Clear Logs: Clear the device's
operational logs; this does not clear the device's diagnostic logs.
6. Configuration
You can achieve batch configuration of devices through the platform's remote configuration. Select the target device, click "Edit" in the remote configuration section, and complete the configuration for the device. Below is an introduction to the configuration for a single device:
You can configure the parameters and operational modes of each upstream interface under the "Internet" feature. The ER805 supports three access network modes, including wired, cellular, and Wi-Fi. The device comes with two non-removable upstream links by default, WAN1, and Cellular. It can support up to four upstream links, including WAN1, WAN2, Cellular, and Wi-Fi (STA). WAN2 and Wi-Fi (STA) interfaces need to be manually added and can be removed as needed.
6.1.1 Wired Connection
The ER805 supports three wired internet connection methods: DHCP, Static IP, and PPPoE. You can modify the connection method by clicking on the "Edit" button as shown in the illustration. The default method is "DHCP."
Fig. 6-1-1-a Edit the WAN1 Interface
- DHCP: The device's WAN interface has DHCP service enabled by default. Simply connect the WAN interface to the internet using an Ethernet cable, and it will automatically establish an internet connection.
- Static IP: Users have the option to manually configure an address either obtained from their internet service provider or one that is within the same network segment as their upstream device. Once the configuration is complete, the router will access the network via the specified static IP address.
Fig. 6-1-1-b Assigning a static IP to the Router
- PPPoE: Users have the option to configure broadband dial-up. Once the configuration is complete, the router will establish an internet connection through the broadband dial-up.
Fig. 6-1-1-c Set up Dial-up Internet Access
When you require dual WAN connections, they can click the "Add" button in the [ Internet ] menu to add the WAN2 interface. The WAN2 interface supports the same configuration options as the WAN1 interface.
Fig. 6-1-1-d Add WAN2 Interface
Note:
- After adding the WAN2 interface, the original LAN1 interface role will switch to WAN2.
- After deleting the WAN2 interface, the WAN2 interface role will switch back to LAN1.
- After deleting WAN2, all configuration related to the WAN2 interface, including static routes, inbound/outbound rules, port forwarding, policy routing, and traffic shaping settings will be removed.
6.1.2 Wireless Connection
The ER805 supports connecting as a client to an on-site AP's network. To do this, click on the "Add" button as shown in the illustration, select "Wi-Fi (STA)," and fill in the required parameters, including the SSID name and password.
Fig. 6-1-2 Add Wi-Fi(STA) Interface
Cautions:
- Upon adding Wi-Fi (STA), ER805 will automatically disable SSIDs in the same frequency band within the Wi-Fi settings, and the status field for those SSIDs cannot be modified.
- After removing Wi-Fi (STA), the “Status” field and SSIDs in the same frequency band within the Wi-Fi settings can be modified.
- When Wi-Fi (STA) is deleted, all configuration associated with the Wi-Fi (STA) interface, including static routes, inbound/outbound rules, port forwarding, policy routing, and traffic shaping settings, will be removed
6.1.3 5G/4G Connection
In the usual scenario, as per the instructions, upon inserting the SIM card and connecting the Wi-Fi antennas, the ER805 router will automatically establish a dial-up connection and connect to the network when powered on.
To configure APN (Access Point Name) parameters, users can select the "Cellular" interface in the [ Internet ] menu and click the "Edit" button to access the APN parameter configuration interface.
Fig. 6-1-3-a Edit the cellular Interface
The ER805, in addition to supporting cellular internet access, now includes a traffic policy feature. Once the policy is enabled, the SIM card will take specific actions when the traffic reaches a threshold. Traffic usage statistics will reset at the beginning of the next month.
You can select the "Cellular" interface in the [ Internet ] menu and click the "Policy" button to access the SIM card’s policy parameter configuration interface.
Fig. 6-1-3-b Edit the SIM cards' traffice policy
Actions: These are the actions triggered when SIM card traffic reaches a threshold.
Notification: It generates an event when traffic reaches the threshold but does not stop forwarding regular business traffic. Cloud Management Only: It generates an event when traffic reaches the threshold, allowing only the forwarding of cloud-based management traffic while blocking access to the internet for regular business traffic.
Switch the SIM card: It generates an event when traffic reaches the threshold and switches to another SIM card for internet access.
Cautions:
In certain dedicated network scenarios, it may be necessary to manually disable the "Link Detection" function under the [ Internet ] menu to prevent cellular connectivity issues caused by unsuccessful detection.
In some cases, manual configuration of the subnet mask for the cellular interface may be required to ensure the proper functioning of the ARP (Address Resolution Protocol) feature.
When inserting or removing a SIM card, it is essential to disconnect the power to prevent data loss or damage to the device.
6.1.4 Uplink Table
You can edit the WAN1 and Cellular interfaces and add/edit/remove WAN2 and Wi-Fi (STA) interfaces in the "Internet > Upstream Link List." You can also adjust the priority of each interface by dragging the "Priority" icon. Interfaces are arranged from top to bottom based on their priority, with higher priority interfaces taking precedence in determining the current upstream interface for device operation.
Fig. 6-1-4 Uplink Table Interface
You can configure link detection settings and establish collaboration modes between different upstream interfaces through the "Internet > Upstream Link Settings" feature.
Fig.
6-1-4 Uplink Settings Interface
Link Detection Switch: The device has link detection functionality enabled by default. However, in certain specialized network environments where external communication is not possible, users may need to manually disable link detection. When link detection is turned off, users won't be able to view latency, jitter, packet loss, signal strength, and other information for upstream interfaces in the [ Status ] menu.
Notes:
- Modifying settings in the Internet menu can potentially lead to a disruption in device connectivity. Exercise caution when making changes.
- When the link detection address is left empty, the default behavior is to detect the DNS address via the upstream interface. If you specify a detection address, all upstream interfaces will only detect the address you provided.
- In the router's link backup mode, users can customize detection parameters, and the device will switch links based on the enabled detection items. When detection items are not enabled, upstream link switching will only occur based on priority and link connectivity.
- In the device's load balancing mode, all operational upstream links will forward business traffic, provided they are functioning correctly.
In the [ Local Network ] feature, users have the flexibility to define their local subnets. This includes configuring the address range, VLAN ID, DHCP services, and other related parameters for the local LAN. Once the configuration is complete, users need to further apply these settings to the device's LAN port through [ Interface Management ] or apply them to the desired SSID in the Wi-Fi settings. This series of operations is intended to ensure that client devices can smoothly connect to the local network according to the planned network addresses.
Fig 6-2-a
Local Network List
Click
the "Add/Edit" button to add a new local network or edit an existing
one.
Fig.
6-2-b Add/Edit the local network
Name: Used to identify the network. Users can select this name to apply the network in both [ Wi-Fi ] and [ Interface Management ].
Mode: Choose whether the current subnet operates in 2-layer transparent mode or 3-layer IP mode. The default is "IP mode."
VLAN: This allows for the division of the local network into different virtual logical networks. The default VLAN for all interfaces and Wi-Fi is "default (VLAN1)."
IP Address/Subnet Mask: This is the gateway address for accessing the router through the LAN port or Wi-Fi. The default is "192.168.2.1."
DHCP Server: Clients connecting to the router can obtain IP addresses through this function. It is enabled by default, and the address range is generated based on the "IP Address/Subnet Mask."
Note:
- The default local network cannot be deleted, and you can only modify the IP address/subnet mask and DHCP server settings.
- Once a local network is added, you cannot change its mode.
- The VLAN Only mode is designed for 2-layer transparent operation and doesn't require configuration of IP address/subnet mask or DHCP server settings.
Wi-Fi is a widely used wireless communication technology that enables computers, smartphones, tablets, and other devices to connect to the internet or a local network. Wi-Fi technology allows devices to transmit data over a certain range through wireless signals, providing the convenience of accessing networks without the need for physical connections.
The ER805 can function as an Access Point (AP) to provide multiple SSID wireless network access. Users have the flexibility to customize different SSIDs for various purposes and configurations.
Fig.
6-3-a Wi-Fi List
By
clicking the "Add/Edit" button under "Wi-Fi > Wi-Fi
List," you can add a new SSID or edit an existing one.
Fig.
6-3-b Edit the SSID
Notes:
- The device comes with default 2.4GHz and 5GHz main SSIDs. The frequency bands of these main SSIDs cannot be modified and cannot be deleted.
- Once an SSID is added, its frequency band cannot be changed, and it will automatically use the same channel as its corresponding main SSID.
- If a user creates a Wi-Fi (STA) interface in the "Internet" menu with the same frequency band as an existing SSID, that SSID cannot be enabled until the Wi-Fi (STA) interface is deleted.
A Virtual Private Network (VPN) is an encryption technology used to establish a secure, private network connection over the public internet. It enables users to securely access private network resources over the internet from anywhere. VPNs achieve this by encrypting communication data, ensuring the confidentiality and security of the communication and preventing unauthorized access. This technology is highly valuable for connecting to corporate networks, maintaining online privacy, and accessing restricted content. VPNs have a wide range of applications, including in the corporate, personal, and mobile device sectors, making them a crucial tool for safeguarding privacy and data security.
IPsec (Internet Protocol Security) VPN is a protocol suite designed to enhance network communication security by encrypting and authenticating data transmission. It is widely used for establishing secure remote access, site-to-site connections, and Virtual Private Networks (VPNs). IPsec VPN ensures data protection and security through encryption and authentication methods.
Click
the "Add" button under "VPN > IPSec VPN" to add a new IPSec
VPN.
Fig. 6-4-1 Add an IPSec VPN
Once configurations are completed at both ends, the tunnel can be established. Users can check the tunnel establishment status in the "Status > VPN" menu.
- Name:
This is the user-assigned name for the IPSec VPN to identify it for local management purposes.
- IKE
Version: You can set the version of the Internet Key Exchange (IKE) protocol to be used. It supports both IKEv1 and IKEv2.
- Pre-Shared
Key: This is a secret shared key that must be configured the same on both devices for authentication during IKE negotiation.
- Internet
Interface: Choose the upstream interface used to establish the IPSec VPN locally.
- Tunnel
Mode: This sets the encapsulation mode for IPSec on IP packets. It supports both tunnel mode and transport mode.
- Peer
Address: This is the address of the remote endpoint with which ER805 establishes the IPSec tunnel.
Notes:
This setup allows the device with the public IP address to act as the server, and the client devices connect to it using the server's public IP address. If you have more specific questions or need further assistance with IPSec VPN configuration, please let me know.
- Local Subnet: Specify the subnet addresses that need to communicate through the ER805 IPSec VPN tunnel.
- Remote Subnet: Specify the subnet
address on the other end of the tunnel that needs to communicate through the
IPSec VPN tunnel.
- IKE Policy: Supports configuring the IKE protocol.
- Encryption
Method: Sets the encryption algorithm used by IKE.
- Options: DES, 3DES, AES128, AES192, AES256 (default: AES128)
- Authentication
Method: Set the authentication algorithm used by IKE.
- Options: MD5, SHA1, SHA2-256, SHA2-384, SHA2-512 (default: SHA1)
- DH
Group: Configure the DH exchange parameters used during the IKE phase key
negotiation.
- Options: 1, 2, 5, 14, 15, 16, 19, 20
- Timeout:
Set the IKE SA (Security Association) lifetime, defaulting to 86400 seconds.
- IPSec Policy: This allows you to
configure IPSec parameters.
- Security
Protocol: Sets the security protocol used by the ESP protocol.
- Options: DES, 3DES, AES128, AES192, AES256 (default: AES128)
- Encryption
Method: Sets the encryption algorithm used by the ESP protocol.
- Options: MD5, SHA1, SHA2-256, SHA2-384, SHA2-512 (default: SHA1)
- PFS
Group: In IPSec, during the negotiation of a security policy, an additional key exchange is performed in Phase 2 to enhance communication security.
- Options: 1, 2, 5, 14, 15, 16, 19, 20
- Timeout:
Sets the IPSec SA aging time, default is 86400 seconds.
The Layer 2 Tunneling Protocol (L2TP) is a Layer 2 VPN protocol designed to establish secure point-to-point or site-to-site Virtual Private Network (VPN) connections. It is commonly used for remote access and branch office connectivity, creating secure communication channels for users or networks to protect the privacy and integrity of data transmission.
The ER805 can act as an L2TP client and establish a tunnel with a remote L2TP server. Click on the "L2TP VPN" menu, then navigate to "Client," and use the "Add" button to configure an L2TP client.
Fig.
6-4-2-1 Set the L2TP client parameters
- Name: The name of the L2TP client for local identification.
- Status: The switch to enable or disable the L2TP client tunnel.
- NAT: The switch for NAT functionality when forwarding with the L2TP client.
- Upstream Interface: The upstream interface used for communication between the L2TP client and the server.
- Server Address: The communication address of the remote L2TP server.
- Username/Password: Usernames and passwords that need to be configured the same on both ends during L2TP negotiation.
- Authentication Mode: Setting the L2TP authentication mode.
- Enable Tunnel Authentication: When enabled, both ends need to configure the same username and password for tunnel authentication.
A typical L2TP server is usually deployed at the headquarters of an enterprise, serving as a remote access server for mobile office or branch offices. To configure the L2TP server settings, please click on "VPN > L2TP VPN > Server" to access the L2TP server editing page.
Fig. 6-4-2-2
Set the L2TP server parameters
- Name:
The name of the L2TP server, not editable.
- Status:
The on/off switch for the L2TP server function, default is off.
- Upstream
Interface: The upstream interface used by the L2TP server.
- VPN
Communication Address: The gateway address for L2TP clients, which can be
assigned to devices within the IP address pool.
- Address
Pool: The IP address pool is used for communication when L2TP clients connect.
- Username/Password:
Usernames and passwords that need to be the same on both ends for L2TP negotiation.
- Authentication
Mode: Setting the L2TP authentication mode.
- Enable
Tunnel Verification Function: When enabled, the usernames/passwords for tunnel verification on both ends need to be the same.
VXLAN(Virtual
Extensible LAN)is
essentially a tunnelling technology that establishes a logical tunnel over an
IP network between the source and destination network devices. It achieves data
transmission and forwarding by encapsulating user-side packets in a specific
manner.
Click
the "Add" button under "VPN > VXLAN VPN" to create a new
VXLAN VPN.
Fig. 6-4-3
Add a VXLAN VPN
- Name: Set the name for this VXLAN VPN network.
- Upstream Interface: The outbound interface used to establish a VXLAN tunnel with other devices.
- Peer Address: Configure the IP address of the peer device with which this device needs to establish a VXLAN VPN network.
- VNI: The VXLAN Network Identifier, where each VNI represents a different tenant or network segment.
- Local Subnet: Specify the address range assigned to local client devices when they connect.
Note:
- VXLAN cannot be used with other VPN functions and IP Passthrough functions at the same time.
In the [
Security ] menu, users can configure advanced features related to firewalls,
policy routing, and traffic shaping.
The
firewall currently includes functions such as inbound rules, outbound rules,
port forwarding, MAC address filtering, and more.
You can implement traffic in/out control based on interfaces through the "Security > Firewall > Outbound Rules/Inbound Rules" feature. For example, if a user is subjected to a significant amount of attacks from a specific source IP address, they can use inbound firewall rules to restrict traffic from that IP address.
Fig. 6-5-1-1-a Firewall Function Entry
Furthermore, IT personnel can utilize outbound firewall rules to restrict certain users' access to external networks. Inbound and outbound rules share the same configurable content, with the only distinction being the default rules.
Fig. 6-5-1-1-b Add inbound/outbound rule
- Name: Set the name of the inbound/outbound rule for local identification.
- Status: Rule function switch.
- Interface: For outbound rules, it specifies the upstream interface where traffic leaves the router. For inbound rules, it specifies the upstream interface where traffic enters the router
- Protocol: Match traffic based on the protocol type, with options like Any, TCP, UDP, ICMP, or custom.
- Source: Match the source address for traffic, supporting custom, with the default as Any.
- Destination: Match the destination address for traffic, supporting custom, with the default as Any.
- Action: Action taken for matching traffic in inbound/outbound rules, supporting allow and deny.
- Inbound Rules: Traffic management rules for external network accessing the router, with the default as deny all.
- Outbound Rules: Traffic management rules for traffic going out through the router, with the default allowing all.
- Support for adjusting the priority of inbound and outbound rules.
Port forwarding, also known as port mapping or port redirection, is used to redirect network packets from one network port (or address) to another network port or address. Users can configure port forwarding rules under "Security > Firewall > Port Forwarding." When external traffic accesses a specific port on the router, the device forwards the data to the corresponding port of an internal client, enabling external access to services inside the router.
For example, when a user needs to access the service on port 1024 of the internal client at 192.168.2.10 from the external network, they can map this client's port to port 1024 under the WAN1 interface. External users only need to enter "https://WAN1 address:1024" in their browser to access the target device's data, where the WAN1 address is the IP address of the WAN1 interface.
Fig.
6-5-1-2 Add a Port Forwarding Rule
- Name: The name of the port forwarding rule, used for local identification.
- Status: The on/off switch for the port forwarding rule.
- Interface: The upstream interface that provides mapping functionality for internal clients. The upstream interface needs public IP address support.
- Protocol: The protocol type of the traffic for port mapping, supports TCP, UDP, and TCP & UDP.
- Public Port: The port number on the upstream interface that provides mapping
- Local Address: The address of the target device located under the router that the external network needs to access.
- Local Port: The port of the target device that the external network needs to access. It needs to be consistent with the public port input range.
MAC address filtering involves allowing or disallowing devices in a MAC address list to access the internet, which means controlling LAN devices' internet access requests through MAC address filtering on the router. Users can configure MAC address filtering rules in "Security > Firewall > MAC Address Filtering."
You can create multiple MAC addresses in the list, add address descriptions, and set it to allow only the MAC addresses to access the network (whitelist), or you can block MAC addresses in the list from accessing the network (blacklist).
Fig. 6-5-1-3 Add a MAC address filter
rule
Policy routing is a feature that allows users to create policies based on their specific needs, enabling them to route different data flows through different links. This improves the flexibility and control of routing decisions, enhances link utilization efficiency, and reduces enterprise costs. Click the "Add" button under "Security > Policy Routing" to create a new policy routing rule.
Fig. 6-5-2 Add a router policy
Cations:
- The
source address and destination address in a policy routing rule cannot both be
set as "Any."
Create a traffic shaping policy to optimize your network based on each protocol, giving users control and prioritizing critical business traffic. This feature can also reduce the bandwidth allocated to entertainment traffic.You can configure traffic shaping rules in "Security > Traffic Shaping > Add/Edit."
Fig. 6-5-3-a Traffic Shaping interface
Fig. 6-5-3-b Add a traffic-shaping
rule
Traffic shaping policies consist of a series of rules executed sequentially, similar to custom firewall rules. Each rule comprises two main components: the type of traffic to restrict or adjust and how to limit or adjust that traffic.
Notes:
- Traffic
forwarding priority for unmatched rules is medium.
- When
Limit Bandwidth is set to 0, the system will not limit the bandwidth.
- The
value of Reserved Bandwidth should not be greater than the Limit Bandwidth.
You can configure local networks allowed through a specific interface and set the interface's speed in the "Services > Interface Management" function.
Fig. 6-6-1-a Interface Management
Fig. 6-6-1-b Edit the interface
The
DHCP (Dynamic Host Configuration Protocol) service operates in a client/server
communication mode, where clients request IP addresses from servers, and
servers respond to these requests by assigning IP addresses dynamically to
clients.You can configure the DHCP server’s IP address pool using the "Services >
DHCP Server" feature.
Fig. 6-6-2 DHCP Server
Notes:
- The device's DHCP service is generated based on the network information in the local network. If you remove a local subnet from the "Local Network List," the DHCP Server for that local subnet will also be deleted.
- Local network entries need to be set in “IP” mode for the DHCP server function to take effect. Networks in “VLAN Only” mode are not within the selectable range.
DNS (Domain Name System) servers are a crucial network component responsible for translating human-readable domain names (e.g.,
www.example.com) into computer-understandable IP addresses (e.g., 192.168.1.1). DNS servers act as the address book of the internet, helping computers and devices find the locations of other devices and ensuring that information can be correctly delivered across the network.
When users don't set DNS server addresses in "Services > DNS Server," the DNS addresses obtained from the device's upstream interface will be used for domain name resolution. When users configure DNS server addresses, the configured DNS addresses will be used for domain name resolution.
Fig. 6-6-3 Add a DNS server
You can use the "Services > Fixed Address List" function to allocate a fixed IP address to a device based on its MAC address. This means that the device will consistently receive the same IP address every time it connects to the ER805.
Fig. 6-6-4 Add a fixed IP address
Cautions:
- The available addresses for allocation must fall within the address range of the local network in IP mode, or else the configuration will not take effect
- When the local network is deleted, all fixed address allocation rules within the local network's address range will be removed.
You can configure static routing entries using the "Services > Static Routing" feature to enable data to be forwarded through specified paths and interfaces. The contents of the static routing table are manually created by users, and routing entries generated by other services, such as VPN functionality, will not be displayed in this table.
Fig. 6-6-5
Add a static route
Cautions:
- For static routes with the same destination address/network, the next-hop address, interface, or priority cannot be the same; otherwise, it will result in a non-functional route.
- When WAN2, Wi-Fi (STA), or L2TP Client VPN is deleted, the corresponding static routes using those interfaces will also be removed.
Dynamic DNS (Dynamic Domain Name System) is used to automatically update the name server content in the domain system. According to internet domain rules, domain names are typically associated with fixed IP addresses. Dynamic DNS technology allows users with dynamic IP addresses to have a fixed name server. This enables external users to connect to the URL of users with dynamic IP addresses through regular updates.
You can manually configure the Dynamic DNS server address under the "Services > Dynamic DNS" feature.
Fig. 6-6-6 Add a Dynamic DNS service
- Service
Provider: Provided by the Dynamic DNS service operator, you can choose from dyndns, 3322, oray, no-ip, or use a custom option (requires a URL).
- Hostname:
Register for a hostname by clicking on the URL below the service provider.
- Username:
Register for a username by clicking on the URL below the service provider.
- Password:
The password set by the user during registration.
You can enable the IP Passthrough feature through "Service > Passthrough Settings." Once enabled, client devices can obtain the upstream interface address of the ER805.
Fig. 6-6-7
Enable the IP Passthrough
- Passthrough
MAC: Only clients bound to this MAC can obtain the upstream interface address
of the device.
Cautions:
- When the IP Passthrough mode is enabled, only one client can access the public network. : static routing, VPN, policy-based routing, SD-WAN Overlay, and cloud connectivity.
- When
accessing client devices, you need to release inbound rules.
- You
can still access the router via the default subnet's IP address.
In the "System" menu, users can configure settings related to cloud management, remote access control, clock settings, device options, configuration management, device alerts, tools, and log servers, among other functions.
The initial username and password for the device are "adm" and "123456." To ensure the security of your device, it's recommended that you change the password. You can do this by clicking on "adm" in the top navigation bar and selecting "Change Password" from the dropdown menu.
Fig. 6-7-1 Modify the Password
The
InCloud Service (star.inhandcloud.com) is a cloud platform developed by InHand
Networks to address the challenges faced by enterprise networks, such as slow
deployment, complex operations, and poor user experiences. This platform is
designed with a focus on user needs and integrates features like zero-touch
deployment, intelligent operations and maintenance, security protection, and
excellent user experience capabilities. Once devices are connected to the cloud
platform, users can perform remote management, batch configuration, traffic
monitoring, and other operations through the platform, making network device
management more convenient and efficient. ER805
automatically connects to the InCloud Service after establishing an internet
connection by default. If you do not wish to use the cloud management function,
you can disable it manually in the "System > Cloud Management"
function.
Fig. 6-7-2 Enable the InCloud Service
Fig. 6-7-3 Set the parameters of remote
access
- HTTPS:
When enabled, users can access the router's web interface remotely by entering the public IP address and port number of the upstream interface in a web browser.
- SSH:
When enabled, users can remotely log in to the router's backend using remote tools (such as CRT) by providing the public IP address, port number, username, and password.
- Ping:
When enabled, the upstream interface allows external networks to initiate Ping requests.
You can use the "System > Clock" function to select their current time
zone and configure NTP (Network Time Protocol) server addresses to synchronize
the device's system time with an NTP server.
Fig.
6-7-4 Set the time zone and NTP server
Fig.
6-7-5 Device Options
Cautions:
- When performing a local firmware upgrade, it is essential to ensure that the firmware is obtained from a legitimate source to avoid rendering the device inoperable due to incorrect firmware imports.
- When
a device is connected to the cloud platform, the platform will synchronize the
previous configuration to the device again due to cloud-based configuration
synchronization. The device will only clear historical data during the factory
reset.
Configuring backups and backup recovery are critical tasks in network management and maintenance. They involve saving the configuration information of network devices so that it can be quickly restored or transferred when needed.
Users can export device configurations to local storage in the "System > Configuration Management" menu. This backup can be imported into the device in case of configuration loss or when you need to overwrite the existing configuration.
Fig. 6-7-6 Configuration Management interface
You can choose to focus on specific events that may occur on the device by selecting the corresponding alarm events and configuring the email address for receiving alerts. When an alarm event occurs, the device will automatically send an email notification. It's important to note that even if a user doesn't select certain alarm options, related alarm events will still be recorded in the device's local logs.
You can configure alarm event types and email addresses for alarm notifications in the "System > Device Alarms" menu.
Fig. 6-7-7-a Alarm event types
After
configuring the outgoing email server address, port, username, and password,
the device will use this email account to send alarm notifications. You can use
the "Send Test Email" option to verify whether the outgoing email
configuration is correct. This test email will help you ensure that the device
can successfully send alarm notifications to the specified email address.
Fig. 6-7-7-b Mail receiving settings
You can use ICMP (Internet Control Message Protocol) to check the device's external network connectivity. In the "Target" field, enter any domain name or IP address you want to test the device's connectivity to, and then click "Start" to check the connectivity status between the device and the specified target. This can help you determine whether the device can reach the target over the internet.
You can perform a network ping test on a target by going to "System > Tools > Ping." This allows to send ICMP echo requests to the specified target IP address or domain name and receive ICMP echo replies to check network connectivity and latency to that target.
Fig. 6-7-8-1 Ping
Traceroute is a network diagnostic tool used to determine the network path that data packets take from the source to the destination, as well as the intermediate routers or hops along that path.You can enter the target host's IP address in "System > Tools > Traceroute," choose the outgoing interface for the traffic, click "Start," and check the device's connectivity to the target IP by tracing the route.
Fig.
6-7-8-2 Traceroute
Packet capturing is a network monitoring and analysis technique used to capture and record data packets transmitted over a computer network. Packet capture tools are typically used for network troubleshooting, network performance analysis, security auditing, and protocol analysis, among other purposes.
Users can capture packets passing through a specific interface in "System > Tools > Packet Capture." By selecting the "Output" option, users can choose to display the captured data within the interface or export it locally for further analysis.
Fig.
6-7-8-3 Capture
Scheduled reboot is a network device management strategy that allows administrators to automatically restart a device at a specific time or under certain conditions to ensure the device's normal operation and performance.
In practice, users can set up scheduled reboots in the "System > Scheduled Reboot" function based on their business requirements. The device supports scheduled reboots at fixed times daily, weekly, or monthly.
In the case of monthly reboots, if the selected reboot day exceeds the actual number of days in the month, the device will reboot on the last day of the month. For example, if you choose to reboot on the 31st of every month, it will reboot on the 30th in a month with only 30 days.
Fig. 6-7-9 Set the scheduled reboot
time
A log server is a dedicated server or software application used to collect, store, and manage log information generated by network devices, applications, and operating systems. These log records include events, warnings, errors, activities, and other relevant information and are crucial for monitoring, troubleshooting, and performance optimization.
When users enable the log file server function in the "System > Log Server" feature, the device will periodically upload log files to the specified log server.
Fig. 6-7-10
Set the log server address
When a user logs in to the local interface of the device through the web and the session remains active for a certain period, it will automatically log out or disconnect to protect the user's privacy and security.
You can configure the logout time in "System > Other Settings > Web Login Management." If the online time during a single login session on the device's web page exceeds the configured time, the system will automatically log the user out, and they will need to log in again to continue their operations.
Fig. 6-7-11-1 Set the web page logout
time
This
feature can be used to accelerate packet forwarding and enhance network
performance. It is turned off by default.After
enabling this feature in "System > Other Settings > Accelerated
Forwarding," the device's cellular speed will significantly improve.
Fig. 6-7-11-2 Enable the accelerated
forwarding
Cautions:
- Enabling
this feature will disable the normal functioning of IPSec VPN, traffic shaping,
and other related features.
This feature can be used to quickly forward packets, improving network performance. By default, it is turned off. When users enable this feature in "System > Other Settings > Fast Forward," the device's data forwarding rate will significantly increase.
Fig.
6-7-11-3 Enable the Automatically
SIP ALG consists of two technologies: Session Initiation Protocol (SIP) and Application Layer Gateway (ALG). This protocol is typically used to assist in managing and handling SIP communications (Session Initiation Protocol for establishing and managing real-time communication sessions, such as voice and video calls).
Users can enable this feature in "System > Other Settings > SIP ALG."
Fig. 6-7-11-4 Enable the SIP ALG
Note:
- If
the connected device needs to engage in VoIP (Voice over Internet Protocol)
phone communication, it is recommended to disable this function.
6.7.12 SD-WAN
Backgroud:
Between enterprise branches, there is often a need for mutual access to facilitate business data transfer, video conferencing, and other requirements. Traditional VPN configurations can be complex and troubleshooting can be challenging. InHand Networks introduces SD-WAN network functionality, which, through a user-friendly interface, assists users in rapidly establishing connections between branches. This not only enhances link flexibility but also significantly reduces operational and management complexity, ultimately providing enterprise users with a better network experience.
Fig. 6-7-12-a Application Scenarios
Process:
Fig. 6-7-12-b Application Scenarios
6.7.12.1 Create Network
In the platform's "Network" function, select "SD-WAN," click on "Add," and you will be redirected to the SD-WAN network addition page.
Fig. 6-7-12-1-a SD-WAN Entry
Fig. 6-7-12-1-b Create SD-WAN Network
The current SD-WAN network supports the Hub & Spoke topology, with device roles divided into central and branch devices. All branch devices establish tunnels through the central device, and traffic between branch devices passes through the central device.
Hub:
- Central devices require a public IP address to ensure the operation of the SD-WAN network. Users can also address the issue of insufficient public IPs through IP mapping.
- Tunnels are established between the central device's upstream interface with public IP addresses and all upstream interfaces of the branch devices.
- In the firewall rules, the central device's upstream device needs to allow two port numbers and map them to the upstream interface of the ER series router. The port range is 1-65535.
- Supported device models: ER805, ER605, ER2000
- A maximum of 5 devices can be added.
Spoke:
- Branch devices have no specific requirements for public IP addresses.
- Multiple branch devices can be added, with the final number determined by the performance of the central device.
- Supported device models: ER805, ER605.
6.7.12.2 Add device
On the "Add Network" page, click the "Add" button for either the central device or branch device, depending on the type of device you want to add to the network.After selecting the device, provide the public IP mapping information for the device. If you need to modify the device's network configuration, you can click the "Edit" button for the local network to perform remote configuration.
Fig. 6-7-12-2-a Add Hub
Fig. 6-7-12-2-b Add Spoke
After you've completed the addition, click the "Save" button at the bottom left corner of the page, and the network will be successfully created. All the devices and selected subnets will now be interconnected. In a single network, the local networks of central devices and branch devices cannot be the same, as it could impact communication.
6.7.12.3 Check Status
After the network is added, you will be automatically directed to the topology page. Alternatively, you can go to the "SD-WAN Network" list and click on the network name to access the topology details page. Within the network, all branch devices establish connections with the central device.
Fig. 6-7-12-3-a Topology
When hovering the mouse over a link, it displays the status of the tunnels established with the interfaces of the central device.
Fig. 6-7-12-3-b Link Status
Click on the "VPN Table" at the top-right corner of the "SD-WAN Network Details" page to switch to a tabular view, displaying information about all devices within the network that have established VPN connections with the central device.
Fig. 6-7-12-3-c VPN List
- Please use the original power adapter to avoid damaging the device due to mismatched power adapters.
- When installing the device, avoid placing it in an environment with strong electromagnetic interference, and keep it at a safe distance from high-power equipment. After installation, ensure that the device is stable to prevent accidental drops and potential damage.
- Ensure that the device's operating environment meets the temperature and humidity requirements specified in the user manual.
- Regularly inspect the device's cables, including Ethernet cables and power adapter connections. Keep the cables clean, and replace them if any damage is detected.
- When cleaning the device, avoid spraying chemical agents directly on the device's surface to prevent damage to the housing or internal components. Use a soft cloth for cleaning.
- Do not attempt to disassemble or modify the device on your own, as this can pose safety risks and may void the device's warranty.
1.
Edge Router: Supports both wired and cellular mobile data connectivity (4G, 5G)
for network access, providing more ways to connect to the network. The edge
router is a 5G router that supports SD-WAN and allows for centralized
management through a cloud platform.
2.
Regular Router: Typically relies on fixed broadband connections, such as DSL or
fibre optics, and connects to the network through wired connections. Regular
routers lack a unified management platform and advanced features like firewall
and SD-WAN.
1.
Physical Environment: Start by checking if the SIM card is inserted into the
correct slot and ensure all cellular antennas are properly installed.
2.
APN Settings: Make sure that the APN configuration matches the information
provided by your service provider.
3.
Check Device Connectivity: Log in to the device's local interface and use the
built-in ICMP tool to ping 8.8.8.8 to test connectivity. If it can connect,
then check the connectivity between your device (e.g., computer or smartphone)
and the router.
4.
Check SIM Card: Take out the SIM card and insert it into a phone to see if it
can connect to the internet.
5.
Restart: Try powering off the router, wait a few seconds, and then reconnect
the power to retry the network connection.
6.
Factory Reset: Perform a factory reset on the router and then attempt to
connect again.
InHand
Networks has been committed to providing high-quality network services for
small and medium-sized chain organizations. When users utilize the cloud
platform services, they are required to purchase licenses for each device to
access the extensive cloud-based features.
1.
Start by registering for InCloud Manager account at
https://star.inhandcloud.com/.
2.
Log in to the cloud platform using your registered account. Under the device
menu, click "Add," and follow the prompts to enter the device's
serial number and MAC address. This will complete the device addition process.
When a device is added for the first time, it comes with a complimentary 1-year
free Basic Edition license. Users can renew their licenses as needed in the
future.
Yes,
it is possible. Users can complete the majority of configuration tasks locally.
However, for features like bulk configuration deployment, firmware upgrades,
SD-WAN, Connector, and more, you would need to combine local device settings
with the cloud platform.
If
you are unable to resolve the issue using the above steps or encounter any
other problems, please contact InHand Networks for technical support. You can
visit www.inhandnetworks.com for more information.