Industrial Router IR302 Product User Manual

Industrial Router IR302 Product User Manual

Declaration

Thank you for choosing our product. Before using the product, read this manual carefully. 

The contents of this manual cannot be copied or reproduced in any form without the written permission of InHand.

Due to continuous updating, InHand cannot promise that the contents are consistent with the actual product information, and does not assume any disputes caused by the inconsistency of technical parameters. The information in this document is subject to change without notice. InHand reserves the right of final change and interpretation.

© 2020 InHand Networks. All rights reserved.


Conventions


Symbol

Indication

< >

Content in angle brackets “<>” indicates a button name. For example, the <OK> button.

""

'''' indicates a window name or menu name. For example, the pop-up window "New User."

> 

A multi-level menu is separated by the double brackets ">". For example, the multi-level menu File > New > Folder indicates the menu item [Folder] under the sub-menu [New], which is under the menu [File].

Cautions

Means reader be careful. Improper action may result in loss of data or device damage.

Note

Notes contain detailed descriptions and helpful suggestions.


Contact Us

Add: 43671 Trade Center Place, Suite 100, Dulles, VA 20166 USA

E-mail: support@inhandneworks.com

T: +1 (703) 348-2988

URL: www.inhand.com


UL MARKINGS:

1.UL File:E364742、E509340.

2.Electrical ratingsInput: 9-36 V DC, 0.1-0.2A. (Optional)

3.Model numberIR302

5.Ambient temperature range-20 ℃ to +70 ℃

6. Temperature class:T-5


UL INSTALLATION AND OPERATING INSTRUCTIONS:

1. These devices are open-type devices that are to be installed in an enclosure suitable for the environment and where the internal compartment is only accessible by the use of tool. 

2. Warning - explosion hazard - do not disconnect equipment while the circuit is live or unless the area is known to be free of ignitable concentrations. 

3. The unit shall be powered by a UL listed external AC adapter, output rated 9-36 VDC, MIN-MUM: 0.1-0.2A, marked LPS or CLASS 2

I. INTRODUCTION 

1.1 OVERVIEW

Integrating 3G, 4G LTE and advanced security, the InRouter302 is the next generation of industrial cellular router. With embedded hardware watchdog, link detection, auto-recovery and auto-reboot, the InRouter302 provides reliable communications to unattended sites. Reliable VPN technology secures sensitive data. The InRouter302 also utilizes remote management tools such as a CLI, a web interface and InHand Device Manager Cloud platform for batch configuration and monitoring.

InRouter302 is ideal for large-scale Internet of Things (IoT) and Machine-to-Machine (M2M) applications including ATM/Kiosks, Vending machines, Connected Retail, Medical equipment and Industrial control systems.

1.2 PANEL INTRODUCTION


1.3 LED INDICATION & SIGNAL

Table 1-3-1 LED indication description

POWER

STATUS

Cellular

Description

(Red)

(Green)

(Yellow)

Off

Off

Off

Powered off

On

Off

Off

System failure

On

On

Off

The module or SIM card is not recognized

On

On

Blinking

Dialing

On

On

On

Dialing succeed

On

Blinking

On

Upgrading

On

Blinking->On

Off

Reset 

Reset to factory settings:

1. When the device is powered on, press the reset button immediately and keep it for 10 seconds until the Status LED is steady on

2. Loosen the Reset button and the Status LED will off.

3. Immediately press and hold the Reset button, Status LED will flash, then loosen the Reset button. Then device will reset to default settings.


Table 1-3-2 LED indication description

Signal

Red

Signal 0~10

Yellow

Signal 11~20

Green

Signal 21~30

Wi-Fi(Green)

Unable

Off

AP

Blinking

STA

Blinking

Port

Transmission

Blinking

II. INSTALLATION

2.1 PREPARATIPNS

Precautions:

Please be sure there is 3G/4G network coverage and there is no shield on site. 100-240V AC or 9~36V DC shall be provided on site. First installation shall be done under direction of the engineer recognized by InHand Networks. 

  1. 1 PC 
  2. 1 or 2 SIM card: Ensure the card is enabled with data service and its service is not suspended because of an overdue charge. 
  3. Power supply: 100-240V AC: can be used with DC power adaptor of the device.
                                  9~36V DC: Ripple voltage < 100 mV.
  1. Fixation: Please place InRouter on flat level and have it installed in an environment with small vibrational frequency.

The device shall be installed and operated in powered-off status!

2.2 INSTALLATION

2.2.1 SIM/UIM Card

InRouter302 uses pop-up card holder. Stab the hollow at the left of the card holder and the card holder will pop up. Then, install the SIM/UIM card and press the card holder back to the card slot.

2.2.2 Antenna 

Slightly rotate the movable part of metal SMA-J interface until it cannot be rotated (at this time, external thread of antenna cable cannot be seen).  Do not forcibly screw the antenna by holding black rubber lining.

2.2.3 Protective Grounding

The specific steps are shown in below:

Step 1: Remove the grounding screw.

Step 2: Connect the grounding ring of the cabinet’s grounding wire onto the grounding screw.

Step 3: Tighten the grounding screw up.

To improve the immunity from interference of the whole router, the router must be grounded when used. The ground wire should be connected with grounding stud of router.

2.2.4 Power Supply

Upon installation of the antenna, connect the device to 9~36V DC power and see if the Power LED on the panel of the device is on. If not, please contact technical support of InHand Networks immediately. 

2.3 LOGIN ROUTER

Upon installation of hardware, be sure the Ethernet card has been mounted in the supervisory PC prior to logging in the page of Web settings of the router. 

I. Automatic Acquisition of IP Address (Recommended)

Please set the supervisory computer to "automatic acquisition of IP address" and "automatic acquisition of DNS server address" (default configuration of computer system) to let the device automatically assign IP address for supervisory computer.

II. Set a Static IP Address

Set the IP address of supervisory PC (such as 192. 168. 2. 2) and LAN interface of device in same network segment (initial IP address of LAN interface of device: 192. 168. 2. 1, subnet mask: 255. 255. 255. 0).

III. Cancel the Proxy Server

If the current supervisory PC uses a proxy server to access the Internet, it is required to cancel the proxy service. The operating steps are shown below: 1) In the browser window, select "tools>>Internet options"; 2) select "connection" page and click the button of LAN Settings to enter "LAN Settings" window interface. Please confirm if the option "Use a Proxy Server for LAN" is checked; if it is checked, please cancel and click the button <OK>.

IV. Log in/Exit Web Settings Page

Open IE or other browser and enter IP address of InRouter302, such as http://192.168.2.1 in address bar (default setting of InRouter302). Upon connection, log in from the login interface as Admin, i.e. enter username and password at the login interface (please check the nameplate for getting the default username and password). 


For security, you are suggested to modify the default login password after the first login and safe keep the password information.

III. WEB CONFIGURATION

The device need to be effectively configured before using. This chapter will introduce how to configure your router via Web. 

3. 1 SYSTEM

Here, system and network state and system time of synchronizing device and PC can be checked and router WEB configuration interface language can be set as well as the name of mainframe of router can be customized.

3.1.1 Basic Setup

Here, WEB configuration interface language can be set; name of mainframe of router can be customized. 

From the navigation tree, select System >> Basic Setup, then enter the “Basic Setup” page.

Table 3-1-1 Basic Setup Parameters 

Basic settings

Function description: Select display language of the router configuration interface and set personalized name.

Parameters

Description

Default

Language

Configure language of WEB configuration interface

Chinese

Host Name

Set a name for the host or device connected to the router for viewing.

Router

3.1.2 Time

To ensure the coordination between this device and other devices, user is required to set the system time in an accurate way since this function is used to configure and check system time as well as system time zone. System time is used to configure and view system time and system time zone.  It aims to achieve time synchronization of all devices equipped with a clock on network so as to provide multiple applications based on synced time.

From the navigation tree, select System >> Time, then enter the “Time” webpage, as shown below. Click <Sync Time> to synchronize the time of the gateway with the system time of the host.

Table 3-1-2 Parameters of System Time

System Time

Function description: Set local timezone and automatic updating time of NTP.

Parameters

Description

Default

Time of Router

Display present time of router

8:00:00 AM, 12/12/2015

PC Time

Display present time of PC

Present time

Timezone

Set time zone of router

Custom

Custom TZ String

Set TZ string of router

CST-8

Auto update Time

Select whether to automatically update time, you may select when startup or every 1/2/...hours.

On startup

NTP Time Servers

Set NTP server to sync time via network

114.80.81.1


3.1.3 Admin Access

Admin services include HTTP, HTTPS, TELNET and SSHD. 

HTTP

HTTP (Hypertext Transfer Protocol) is used for transferring web pages on Internet. After enabling HTTP service on device, users can log on via HTTP and access and control the device using a web browser.

HTTPS

HTTPS (Secure Hypertext Transfer Protocol) is the secure version of hypertext transfer protocol. As a HTTP protocol which supports SSL protocol, it is more secure. 

TELNET

Telnet protocol provides telnet and virtual terminal functions through a network. Depending on Server/Client, Telnet Client could send request to Telnet server which provides Telnet services. The device supports Telnet Client and Telnet Server.

SSHD

SSH protocol provides security for remote login sessions and other network services. The SSHD service uses the SSH protocol, which has higher security than Telnet.

From the navigation tree, select System >> Admin Access, then enter “Admin Access” page.

Table3-1-3 Parameters of Admin Access

Admin Access

Function description:

1. Modify username and password of router.

2. The router may be set by the following 5 ways, i.e. http, https, telnet, SSHD and console.

3. Set login timeout.

Parameters

Description

Default

Username/Password

Username

Set name of user who logs in WEB configuration

adm

Old Password

Previous password access to WEB configuration

N/A

New Password

New password access to WEB configuration

N/A

Confirm New Password

Reconfirm the new password

N/A

Amin functions

Service Port

Service port of HTTP/HTTPS/TELNET/SSHD/Console

80/443/23/22

 

Local Access

Enable - Allow local LAN to administrate the router with corresponding service (e.g. HTTP)

Disable - Local LAN cannot administrate the router with corresponding service (e.g. HTTP)

 

Enable

 

Remote Access

Enable - Allow remote host to administrate the router with corresponding service (e.g. HTTP)

Disable - Remote host cannot administrate the router with corresponding service (e.g. HTTP)

 

Enable

 

Allowed Access from WAN (Optional)

Set allowed access from WAN (only HTTP/HTTPS/TELNET/SSHD)

The host controlling service at this moment can be set, e.g. 192.168.2.1/30

or 192.1682.1-192.1682.10

Description

For recording significance of various parameters of admin functions (without influencing router configuration)

 

N/A

Other Parameters

Log Timeout

Set login timeout (router will automatically disconnect the configuration interface after login timeout)

500 seconds


In “Username/Password” section, users can modify username and password rather than create new username, i.e. only this username can be used in logins. 

3.1.4 System Log

A remote log server can be set through “System Log”, and all system logs will be uploaded to the remote log server through the gateway. This makes remote log software, such as Kiwi Syslog Daemon, a necessity on the host.

Kiwi Syslog Daemon is free log server software for Windows. It can receive, record and display logs from host (such as gateway, exchange board and Unix host). After downloading and installing Kiwi Syslog Daemon, it must be configured through the menus “File >> Setup >> Input >> UDP.

From the navigation tree, select System >> System Log, then enter “System Log” page.

Table 3-1-4    Parameters of System Log

System Log

Function description: Configure IP address and port number of remote log server which will record router log.

Parameters

Description

Default

Log to Remote System

Enable log server

Disable

Log server address and port (UDP)

Set address and port of remote log server

N/A: 514

Log to Console

Output device log by serial port

Disable

3.1.5 Configuration Management

Here you can back up the configuration parameters, import the desired parameters backup and reset the router.

From the navigation tree, select System >> Config Management, then enter the “Config Management” page.

Table 3-1-5    Parameters of Configuration Management

Configuration Management

Function description: Set parameters of configuration management.

Parameters

Description

Default

Browse

Choose the configuration file

N/A

Import

Import configuration file to router

N/A

Backup

Backup configuration file to host

N/A

Restore default configuration

Select to restore default configuration (effective after rebooting)

N/A

Modem drive program

For configuring drive program of module

N/A

Network Provider (ISP)

For configuring APN, username, password and other parameters of the network providers across the world

N/A


Validity and order of imported configurations should be ensured. The good configs will later be serially executed in order after system reboot. If the configuration files didn’t be arranged according to effective order, the system won’t enter the desired state.

In order not to affect the operation of the current system, when performing an import configuration and restore default configuration, users need to restart the device to make the new configuration to take effect.

3.1.6 Schedule

After this function is enabled, the device will reboot as the scheduled time. Scheduler function will take effect after router sync time.

From the navigation tree, select “System >> Schedule”, then enter “Schedule” page.

Table 3-1-6    Parameters of Scheduler

Scheduler

Function description: set scheduler for system reboot

Parameters

Description

Default

Enable

Enable/disable this function

Disable

Time

Select the reboot time

0:00

Days

Reboot the router everyday

Everyday

Show advanced options

Enable more detailed schedule rules, allow to set multiple rules to reboot the router in specific time or interval. Enable this feature will disable everyday reboot feature above.

Disable

Reboot after dialed

Router will reboot after dial up successfully, will not take effort if this parameter is blank.

N/A

3.1.7 Upgrade

The upgrading process can be divided into two steps. In the first step, firmware will be written in backup file zone, in the second step: firmware in backup file zone will be copied to main firmware zone, which should be carried out during system restart. During software upgrading, any operation on web page is not allowed, otherwise software upgrading may be interrupted.

From the navigation tree, select “System >> Upgrade”, then enter the “Upgrade” page.

To upgrade the system, firstly, click <Browse> choose the upgrade file, secondly, click <Upgrade> and then click <OK> to begin upgrade; thirdly, upgrade firmware succeed, and click <Reboot> to restart the device. 

3.1.9 Reboot

Please save the configurations before reboot, otherwise the configurations that are not saved will be lost after reboot.

To reboot the system, please click the System>>Reboot, then click <OK>. 

3.1.10 Logout

To logout, click System >> Logout, and then click <OK>. 

3.2 NETWORK

3.2.1 CELLULAR 

Insert SIM card and dial to achieve the wireless network connection function of router.

Click the “Network>>Cellular” menu in the navigation tree to enter the “Dial Interface”.

Table3-2-1-1 Parameters of Dialup/Cellular

Dialup/Cellular Connection

Function description: Configure parameters of PPP dialup. Generally, users only need to set basic configuration instead of advanced options.

Parameters

Description

Default

Enable

Enable cellular dialup.

Enable

Time Schedule

Set time schedule

ALL

Force Reboot

Router will reboot if cannot dialup for a long time and reach the max retry time

Enable

Shared connection (NAT)

Enable—Local device connected to Router can access to the Internet via Router.

Disable—Local device connected to Router cannot access to the Internet via Router.

Enable

Default Route

Enable default route

Enable

SIM1 Network Provider

Select network provider profile for SIM1

Profile 1

Network Type

Select network type, router will try 4G, 3G, 2G in proper order if select in Auto

Auto

Connection Mode

Optional Always Online, Connect On Demand, Manual. It will support to configure Triggered by SMS if select Connect On Demand mode,

Always Online

Redial Interval

Set the redialing time when login fails.

30 s

Show Advanced Options

Dual SIM Enable

Enable Dual SIM card

Disable

SIM2 Network Provider

Select network provider for SIM2 card

Profile 1

SIM2 Blinding ICCID

Set ICCID of SIM2

N/A

SIM2 PIN Code

For setting SIM2 PIN code

N/A

SIM2 SIM Card Operator

Set the ISP that SIM2 card connects to

Auto

Main SIM

Set the SIM card that uses to dialup at first

SIM1

Max Number of Dial

Set max number of dial, if cannot dial up successfully after this number, router will switch SIM card

5

CSQ Threshold

Set threshold of signal, if current signal level is lower than this, router will switch SIM card

0(Disable)

Min Connect Time

Set the min connect time for each try of dial up

0(Disable)

Initial Commands

Set customize initial AT commands which will be operated at the beginning of dialing up

AT

Blinding ICCID

Set ICCID of SIM

N/A

PIN Code

For setting PIN code of SIM

N/A

MTU

Set max transmission unit after enable

1500

Use Peer DNS

Click to receive peer DNS assigned by the ISP

Enable

Link detection interval

Set link detection interval

55 s

Debug

Enable debug mode, print debug log in system log

Disable

Debug Modem*

Send modem debug data to console

Disable

ICMP Detection Mode

Set ICMP detection mode, router will check the link connection status via ICMP packet.

Ignore Traffic: Router will send ICMP packet no matter whether there is traffic in cellular interface.

Monitor Traffic: Router will not send ICMP packet if there is traffic in cellular interface.

Ignore Traffic

ICMP Detection Server

Set the ICMP Detection Server. N/A represents not to enable ICMP detection.

N/A

ICMP Detection Interval

Set ICMP Detection Interval

30 s

ICMP Detection Timeout

Set ICMP Detection Timeout (the link will be regarded as down if ICMP times out)

20 s

ICMP Detection Retries

Set the max. number of retries if ICMP fails (router will redial if reaching max. times)

5


Table3-2-1-2 Parameters of Dialup/Cellular - Schedule

Administration of dialup/Cellular - Schedule

Function description: Online or offline based on the specified time.

Parameters

Description

Default

Name of Schedule

schedule 1

schedule1

Sunday ~ Saturday

Click to enable

 

Time Range 1

Set time range 1

9:00-12:00

Time Range 2

Set time range 2

14::00-18:00

Time Range 3

Set time range 3

0:00-0:00

Description

Set description content

N/A

3.2.2 WAN/LAN Switch

WAN/LAN1 Port supports two types of work mode, include WAN and LAN.

Click the “Network>>WAN/LAN Switch” to set work mode

WAN supports three types of wired access including static IP, dynamic address (DHCP) and ADSL (PPPoE) dialing.

DHCP adopts Client/Server communication mode. Client sends configuration request to Server which feeds back corresponding configuration information, including distributed IP address to the Client to achieve the dynamic configuration of IP address and other information.

PPPoE is a point-to-point protocol over Ethernet. User has to install a PPPoE Client on the basis of original connection way. Through PPPoE, remote access devices could achieve the control and charging of each accessed user.

WAN/LAN1 is working as LAN by default. 

Click the “Network>>WAN” menu in the navigation tree to enter the “WAN" Interface.

Table 3-2-2-1 Static IP Parameters of WAN

WAN - Static IP

Function description: Access to Internet via wired lines with fixed IP.

Parameters

Description

Default

Shared connection (NAT)

Enable—Local device connected to Router can access to the Internet via Router.

Disable—Local device connected to Router cannot access to the Internet via Router.

Enable

Default route

Enable default route

Enable

MAC Address

MAC Address of the device

Device’s MAC address

IP Address

Set IP address of WAN

192.168.1.29

Subnet mask

Set subnet mask of WAN

255. 255. 255. 0

Gateway

Set gateway of WAN

192. 168. 1. 1

MTU

Max. transmission unit, default/manual settings

default (1500)

Multiple IP support (at most 8 additional IP addresses can be set)

IP Address

Set additional IP address of LAN

N/A

Subnet mask

Set subnet mask

N/A

Description

For recording significance of additional IP address

N/A


Table 3-2-2-2 Dynamic Address (DHCP) Parameters of WAN

WAN - Dynamic Address (DHCP)

Function description: Support DHCP and can automatically get the address allocated by other routers.

Parameters

Description

Default

Shared connection (NAT)

Enable—Local device connected to Router can access to the Internet via Router.

Disable—Local device connected to Router cannot access to the Internet via Router.

Enable

Default route

Enable default route

Enable

MAC Address

MAC Address of the device

Device’s MAC address

MTU

Max. transmission unit, default/manual settings

default (1500)


Table 3-2-3-3 ADSL Dialing (PPPoE) Parameters of WAN

WAN - ADSL Dialing (PPPoE)

Function description: Set ADSL dialing parameters.

Parameters

Description

Default

Shared connection

Enable—Local device connected to Router can access to the Internet via Router.

Disable—Local device connected to Router cannot access to the Internet via Router.

Enable

Default route

Enable default route

Enable

MAC Address

MAC Address of the device

Device’s MAC address

MTU

Max. transmission unit, default/manual settings

default (1492)

WAN - ADSL Dialing (PPPoE)

Username

Set name of dialing user

N/A

Password

Set dialing password

N/A

Static IP

Click to enable static IP

Disable

Connection Mode

Set dialing connection method (always online, dial on demand, manual dialing)

Always online

Parameters of Advanced Options

Service Name

Set service name

N/A

Set length of transmit queue.

Set length of transmit queue.

3

Enable IP header compression

Click to enable IP header compression

Disable

Use Peer DNS

Click to enable use peer DNS

Enable

Link detection interval

Set link detection interval

55 s

Link detection Max. Retries

Set link detection max. retries

10

Enable Debug

Click to enable debug

Disable

Expert Option

Set expert options

N/A

ICMP Detection Server

Set ICMP detection server

N/A

ICMP Detection Interval

Set ICMP Detection Interval

30 s

ICMP Detection Timeout

Set ICMP detection timeout

20 s

ICMP Detection Retries

Set ICMP detection max. retries

3

3.2.3 LAN

Click “Network >> LAN” to configure LAN interface of router and other devices can access to Internet via Ethernet cable in LAN.

Table 3-2-3 LAN Parameters

LAN – Static IP

Function description: Devices in LAN use static IP to connect to network.

Parameters

Description

Default

MAC Address

MAC Address of router’s LAN gateway

Router’s LAN MAC address

IP Address

IP Address of router’s LAN gateway

192.168.2.1

Netmask

Subnet mask of LAN gateway

255.255.255.0

MTU

Max. transmission unit, default/manual settings

default (1500)

LAN Mode

Set transport mode in LAN interface

Auto Negotiation

Multi-IP Settings (at most 8 additional IP addresses can be set)

IP Address

Set additional IP address of LAN

N/A

Subnet mask

Set subnet mask

N/A

Description

For recording significance of additional IP address

N/A

LAN Port Enable

port1/port2

Enable corresponding LAN port

Enable

GARP

Enable

Router will send ARP broadcast to LAN devices automatically

Disable

Broadcast Count

Set ARP broadcast times

5

Broadcast Timeout

Set ARP broadcast timeout time

10

3.2.4 Switch WLAN Mode 

IR302-WLAN supports two types of WLAN mode: AP and STA.

Click the “Network>>Switch WLAN Mode” menu in the navigation tree to set WLAN mode of the router. After change and save the configuration, please reboot the device to make the configuration take effort.

3.2.5 WLAN Client (AP Mode)

When working in AP mode, IR302 WLAN will provide network access point for other wireless network devices. Please sure that IR302 has already connect to Internet via WAN or cellular.

Click the “Network>>WLAN” menu in the navigation tree to enter the “WLAN" interface.

Table 3-2-5 Parameters of WLAN Access Port

WLAN

Function description: Support WiFi function and provide wireless LAN access on site and identity authentication of wireless user.

Parameters

Description

Default

SSID broadcast

After turning on, use can search the WLAN via SSID name

Enable

Mode

Six type for options: 802. 11g/n, 802. 11g, 802. 11n, 802. 11b, 802. 11b/g , 802. 11b/g/n

802.11b/g/n

Channel

Select the channel

11

SSID

SSID name defined by user

inhand

Authentication method

Support open type, shared type, auto selection of WEP, WPA-PSK, WPA, WPA2-PSK, WPA2, WPA/WPA2, WPAPSK/WPA2PSK

Open type

Encryption

Support NONE, WEP

NONE

Wireless bandwidth

Both 20MHz and 40MHz for selection

20MHz

Enable WDS

Click to enable WDS

Disable

Default Route

Click to enable Route

Disable

Bridged SSID

Set bridged SSID

None

Bridged BSSID

Set bridged BSSID

None

Scan

Click “Scan” to scan the available AP nearby

 

Auth Mode

Open type, shared type, WPA-PSK, WPA2-PSK

Open type

Encryption Method

Support NONE, WEP

None

3.2.6 WLAN Client (STA Mode)

When working in STA mode, the router can access the Internet by connecting to other AP. 

Click the “Network>>WLAN Client” menu in the navigation tree to enter the “WLAN” interface.  Select “Client” for the interface type and configure relevant parameters. (At this moment, the cellular interface in the "Network>>Cellular" should be closed.)

The SSID scan function is enabled only when Client is selected as WLAN interface. Click “Scan” button to get all available AP and status, select AP and configure corresponding parameter to connect. After configure WLAN Client, please configure access type in “Network>>WAN(STA)”.

Table 3-2-6 Parameters of WLAN Client 

WLAN Client

Function description: Support Wi-Fi function and access to wireless LAN as client.

Parameters

Description

Default

Mode

Support many modes including 802.11b/g/n 

802.11b/g/n

SSID

Name of the SSID to be connected

inhand

Authentication method

Keep consistent with the access point to be connected

Open type

Encryption

Keep consistent with the access point to be connected

NONE

Click the “Network>>Link Backup” in the navigation tree to configuration interface.

Table 3-2-7-1 Parameters of Link Backup

Link Backup

Function description: When the system runs, main link will first be enabled for communication. However, when the main link is disconnected, the system will automatically switch to the backup link to ensure communication.

Parameters

Description

Default

Enable

Click to enable link backup

Disable

Backup mode

Optional hot failover, cold failover or load balance

Hot failover

Main Link

Optional WAN or dialing interface

WAN

ICMP Detection Server

Set ICMP detection server

N/A

Backup Link

Optional cellular or WAN

Cellular 1

ICMP Detection Interval

Set ICMP Detection Interval

10 s

ICMP Detection Timeout

Set ICMP detection timeout

3 s

ICMP Detection Retries

Set ICMP detection max. retries

3

Restart Interface When ICMP Failed

Restart main link when ICMP failed

Disable


Table 3-2-7-2 Parameters of Link Backup - Backup Mode

Link Backup - Backup Mode

Function description: Select the way of link backup.

Parameters

Description

Hot failover

Main link and backup Link keep online at the same time, switch if current link is off

Cold failover

Backup line will only be online when the main link is disconnected.

Load balance

Transfer data via corresponding route after ICMP detect succeed

3.2.8 VRRP

VRRP (Virtual Router Redundancy Protocol) adds a set of routers that can undertake gateway function into a backup group to form a virtual router. The election mechanism of VRRP will decide which router to undertake the forwarding task and the host in LAN is only required to configure the default gateway for the virtual router.

VRRP will bring together a set of routers in LAN. It consists of multiple routers and is similar to a virtual router in respect of function. According to the VLAN interface IP of different network segments, it can be virtualized into multiple virtual routers. Each virtual router has an ID number and up to 255 can be virtualized.

VRRP has the following characteristics:

  1. Virtual router has an IP address, known as the Virtual IP address.  For the host in LAN, it is only required to know the IP address of virtual router, and set it as the address of the next hop of the default route.
  2. Host in the network communicates with the external network through this virtual router.
  3. A router will be selected from the set of routers based on priority to undertake the gateway function. Other routers will be used as backup routers to perform the duties of gateway for the gateway router in case of fault of gateway router, thus to guarantee uninterrupted communication between the host and external network.

Monitor interface function of VRRP better expands backup function: the backup function can be offered when interface of a certain router has fault or other interfaces of the router are unavailable.

When interface connected with the uplink is at the state of Down or Removed, the router actively reduces its priority so that the priority of other routers in the backup group is higher and thus the router with highest priority becomes the gateway for the transmission task.

From navigation tree, select "Network >>VRRP" menu, then enter “VRRP” page. 

Table 3-2-8 VRRP Parameters

VRRP

Function description: Configure parameters of VRRP.

Parameters

Description

Default

Enable VRRP-I

Click to enable VRRP function

Disable

Group ID

Select ID of router group (range: 1-255)

1

Priority

Select a priority (range: 1-254)

20 (the larger the numerical value, the higher the priority)

Advertisement Interval

Set an advertisement interval.

60 s

Virtual IP

Set a virtual IP

N/A

Authentication method

Select "None" or Password type

None (a password is needed when password type is selected)

Monitor

Set monitor

N/A

VRRP-II

Set as above

Disable

3.2.9 IP Passthrough

IP penetration function distributes the address obtained by WAN port to the device at the lower end of LAN port. When external access to the router downstream devices the router transmits data to the downstream device. Click "Network >>IP Passthrough" menu, then enter “IP Passthrough” page.

Table 3-2-9 IP Passthrough Parameters

IP Passthrough

Function description: LAN port device to obtain WAN port address, used for external access to router downstream devices.

Parameters

Description

Default

IP Passthrough

Enable IP Passthrough

Disable

IP Passthrough Mode

Select work mode(DHCP Dynamic/DHCP fix MAC)

DHCP Dynamic

Fix MAC Address

Set fix MAC address if in DHCP fix MAC mode

00:00:00:00:00:00

DHCP lease

Set DHCP lease time and reacquired after expiration

120S

3.2.10 Static Route

Static route needs to be set manually, after which packets will be transferred to appointed routes.

To set static route, click the "Network >> Static Route" menu in the navigation tree, then enter “Static Route” interface.

Table 3-2-10 Static Route Parameters

Static Route

Function description: Add/delete additional static rote of router. Generally, it's unnecessary for users to set it.

Parameters

Description

Default

Destination Address

Set IP address of the destination

0.0.0.0

Netmask

Set subnet mask of the destination

255.255.255.0

Gateway

Set the gateway of the destination

N/A

Interface

Select LAN/CELLULAR/WAN/WAN(STA) interface of the destination

N/A

Description

For recording significance of static route address (not support Chinese characters)

N/A

3.3 SERVICE

3.3.1 DHCP service

DHCP adopts Client/Server communication mode. Client sends configuration request to Server which feeds back corresponding configuration information, including distributed IP address to the Client to achieve the dynamic configuration of IP address and other information.

  1. The duty of DHCP Server is to distribute IP address when Workstation logs on and ensure each workstation is supplied with different IP address. DHCP Server has simplified some network management tasks requiring manual operations before to the largest extent.
  2. As DHCP Client, the device receives the IP address distributed by DHCP server after logging in the DHCP server, so the Ethernet interface of the device needs to be configured into an automatic mode.

To enable the DHCP server, find the navigation tree, select Services >> DHCP Service, then enter “DHCP Service” page.

Table 3-3-1 Parameters of DHCP Service

DHCP Service

Function description: If the host connected with router chooses to obtain IP address automatically, then such service must be activated. Static designation of DHCH allocation could help certain host to obtain specified IP address.

Parameters

Description

Default

Enable DHCP

Enable DHCP service and dynamically allocate IP address

Enable

IP Pool Starting Address

Set starting IP address of dynamic allocation

192.168. 2.2

IP Pool Ending Address

Set ending IP address of dynamic allocation

192.168.2.100

Lease

Set lease of IP allocated dynamically

60 minutes

DNS

Set DNS Server

192.168.2.1

Windows Name Server

Set windows name server.

N/A

Static designation of DHCH allocation (at most 20 DHCPs designated statically can be set)

MAC Address

Set a statically specified DHCP’s MAC address (different from other MACs to avoid confliction)

N/A

IP Address

Set a statically specified IP address

192.168.2.2

Host

Set the hostname.

N/A

3.3.2 DNS

DNA (Domain Name System) is a DDB used in TCP/IP application programs, providing switch between domain name and IP address. Through DNS, user could directly use some meaningful domain name which could be memorized easily and DNS Server in network could resolve the domain name into correct IP address. The device makes analysis on dynamic domain name via DNS.

Manually set the DNS, use DNS via dialing if it is empty. Generally, it needs to set only when static IP is used on the WAN port.

Click the “Service>>Domain Name Service” menu in the navigation tree to enter the “Domain Name Service” interface. 

Table 3-3-2 DNS Parameters

DNS (DNS Settings)

Function description: Configure parameters of DNS.

Parameters

Description

Default

Primary DNS

Set Primary DNS

0. 0. 0. 0

Secondary DNS

Set Secondary DNS

0. 0. 0. 0

Disable local DNS server

Not to transfer local DNS server address

Disable

3.3.3 DNS Relay

IR302 works as a DNS Agent and relays DNS request and response message between DNS Client and DNS Server to carry out domain name resolution in lieu of DNS Client.

From navigation tree, select "Service>>DNS Relay" menu, then enter “DNS Relay” page.

Table 3-3-3 DNS Transfer Parameters

DNS Relay service

Function description: If the host connected with router chooses to obtain DNS address automatically, then such service must be activated.

Parameters

Description

Default

Enable DNS Relay service

Click to enable DNS service

Enable (DNS will be available when DHCP service is enabled.)

Designate [IP address <=> domain name] pair (20 IP address  <=> domain name pairs can be designated)

IP Address

Set IP address of designated IP address <=> domain name

N/A

Host

Domain Name

N/A

Description

For recording significance of IP address <=> domain name

N/A


When enabling DHCP, the DHCP relay is also enabled automatically. Relay cannot be disabled without disabling DHCP.

3.3.4 DDNS

DDNS maps user's dynamic IP address to a fixed DNS service. When the user connects to the network, the client program will pass the host’s dynamic IP address to the server program on the service provider’s host through information passing. The server program is responsible for providing DNS service and realizing dynamic DNS. It means that DDNS captures user's each change of IP address and matches it with the domain name, so that other Internet users can communicate through the domain name. What end customers have to remember is the domain name assigned by the dynamic domain name registrar, regardless of how it is achieved.

DDNS serves as a client tool of DDNS and is required to coordinate with DDNS Server. Before the application of this function, a domain name shall be applied for and registered on a proper website such as www. 3322. org. 

InRouter300-S DDNS service types include QDNS (3322)-Dynamic, QDNS(3322)-Static, DynDNS-Dynamic, DynDNS-Static, DynDNS-Custom and No-IP.com. 

To set DDNS, click the "Service >> Dynamic Domain Name" menu in the navigation tree, then enter “Dynamic Domain Name” interface.

Table 3-3-4-1 Parameters of Dynamic Domain Name

Dynamic Domain Name

Function description: Set dynamic domain name binding.

Parameters

Description

Default

Current Address

Display present IP of router

N/A

Service Type

Select the domain name service providers

Disable


Table 3-2-4-2 Main Parameters of Dynamic Domain Name

Enable function of dynamic domain name

Function description: Set dynamic domain name binding. (Explain with the configuration of QDNS service type)

Parameters

Description

Default

Service Type

QDNS (3322)-Dynamic

Disable

URL

http://www.  3322.  org/

http://www.3322.org/

Username

User name assigned in the application for dynamic domain name

N/A

Password

Password assigned in the application for dynamic domain name

N/A

Host Name

Host name assigned in the application for dynamic domain name

N/A

Wildcard

Enable wildcard character

Disable

MX

Set MX

N/A

Backup MX

Enable backup MX

Disable

Force Update

Enable force update

Disable

3.3.5 Device Manager

InHand provides a software platform to manage devices. The device can be managed and operated via software platform. For instance, the operating status of device can be checked, device software can be upgraded, device can be restarted, configuration parameters can be sent down to device, and transmitting control or message query can be realized on device via Device Manager.

Click the "Service>>Device Manager" menu in the navigation tree to enter the "Device Manager" interface. It only supports three modes, i.e. “Device manager, InConnect Service, Custom”

DM: North American users should select Servicer address-----iot.inhandnetworks.com

    Table 3-3-5 Device remote management platform

Device Manager

Function description: Connect the router to the platform for cloud management

Parameters

Description

Default

Enable

Enable Device Manager

Disable

Service Type

Platform work mode: Device Manager, InConnect or Custom

Device Manager

Server

Select cloud platform address, DM: iot.inhand.com.cn: China, iot.inhandnetworks.com: global

InConnect:

ics.inhandiot.com: China

ics.inhandnetworks.com: global

iot.inhandnetworks.com

Secure Channel

Use encryption protocol for security data transmission between router and platform

Enable

Registered Account

Account registered in Device Manager

N/A

LBS info Upload Interval

Cellular information upload interval

1 Hour

Series Info Upload Interval

Traffic information upload interval

1 Hour

Channel Keepalive

Keep alive packet interval

30 Seconds

3.3.6 SNMP

Network devices are usually sparsely-located on a network. It is time-consuming for the administrator to configure and manage these network devices on site. In addition, if these devices are from different vendors, each of which provides a suite of independent management interfaces (for example, different command line interfaces), the workload of configuring the devices in batches is huge. In this situation, traditional manual configuration method has the deficiencies of high cost and low efficiency. The network administrator can use the Simple Network Management Protocol (SNMP) to remotely configure and manage the devices and perform real-time monitoring on them. 

Figure 3-3-6 SNMP Topology

To run the SNMP protocol on a network, configure the NMS program on the management side and SNMP agent on the managed devices.

By using SNMP:

  1. The NMS can collect status information of the managed devices anytime and anywhere through agents and remotely control these devices.
  2. The agents can promptly report the current status and faults of managed devices to the NMS.

Currently, the SNMP agents support SNMPv1, SNMPv2c and SNMPv3. SNMPv1 and SNMPv2c use community names for authentication; SNMPv3 uses user names and passwords for authentication. Click "Service>>SNMP" menu to configure.

Table 3-3-6-1 SNMPv1 and SNMPv2c Parameters

Parameters

Description

Default

Enable

Enable/disable the SNMP function.

Disabled

Version

Set the version of the SNMP protocol used to manage the router. The versions of SNMPv1, v2c, and v3 are available.

SNMPv1 is applicable to small-sized networks with simple networking and low security requirements, or the secure and stable small networks, such as campus networks and small enterprise networks.

SNMPv2c is applicable to the medium- and large-sized networks with low security requirements, or with good security (for example, VPNs) but running many services, which may lead to traffic congestion.

SNMPv3 is applicable to networks of various sizes, especially the networks that have strict security requirements and can be managed only by authorized network administrators. For example, SNMPv3 can be used if data between the NMS and managed device is transmitted over a public network.

v1

Contact Information

Fill in the contact information.

Empty

Location Information

Fill in the location.

Empty

Community Management

Community Name

User-defined community name.

The community names of SNMPv1 and SNMPv2c are the passwords used by the NMS to read and write data on agents. This parameter must be set the same on both agents and NMS.

public and private

Access Limit

Access limit includes the MIB objects that can be read only or read/written by the NMS.

Read-Only

MIB View

Select the MIB objects that can be monitored and managed by the NMS. Only the default view is supported currently.

defaultView


Table 3-3-6-2 SNMPv3 Parameters

Parameters

Description

Default

User Group Management

Groupname

User-defined user group name. The length is 1 to 32 characters.

None

Security Level

Select a security level for the group. The values include NoAuth/NoPriv, Auth/NoPriv, and Auth/Priv.

NoAuth/NoPriv

Read-only View

Select the SNMP read-only view. Only the default view is supported currently.

defaultView

Read-write View

Select the SNMP read-write view. Only the default view is supported currently.

defaultView

Inform View

Select the SNMP inform view. Only the default view is supported currently.

defaultView

Usm Management

Username

User-defined user name. The length is 1 to 32 characters.

None

Groupname

The group to which a user is added must have been configured in the user group management table.

None

Authentication

Select an authentication mode. Three authentication modes are available: MD5, SHA, and None. If you select None, authentication is disabled.

None

Authentication Password

This parameter is available only when the authentication mode is not None.

The length is 8 to 32 characters.

None

Encryption

Select the encryption mode. The values are None, AES, and DES.

None

Encryption Password

This parameter is available only when the authentication mode is not None.

The length is 8 to 32 characters.

None

3.3.7 SNMP Trap

SNMP trap is a type of entrance. When this entrance is reached, the SNMP managed devices actively notify the NMS, instead of waiting for the polling of NMS. On an SNMP-enabled network, the agents on managed devices can report errors to the NMS anytime, without the need of waiting for the polling of NMS. The errors are reported to the NMS through traps. Click "Service>>SNMP Trap" menu to configure.

Table 3-3-7 SNMP Trap Configuration Parameters

Parameters

Description

Default

Trap SigLevel

Set the trap signal threshold. When this threshold is reached, the agent outputs logs to the NMS.

10

Destination Address

Fill in the IP address of the NMS.

None

Security Name

Fill in the community name for SNMPv1 or SNMPv2c, and fill in the user name for SNMPv3. The length is 1 to 32 characters.

None

UDP Port

Fill in the UDP port number, ranging from 1 to 65535.

162

3.3.8 DTU 

Configure DTU function, device can transmit serial data to customer’s server. 

IR302-S has 1 RS232 serial port.

Table 3-3-8 DTU RS232 Parameters

DTU RS232

Function Description: Transmit RS232/RS485 data to server.

Parameters

Description

Default

Enable

Enable serial port

Disable

Serial Basic Config

Serial type

Serial port type, cannot change

RS232

Baudrate

Set serial port’s baudrate

115200

Data Bits

Set serial port’s data bits

8

Parity

Set parity of serial port

None

Stop Bit

Set stop bit of serial port

1

Software Flow Control

Enable software flow control can avoid data flow lost

Disable

DTU Configuration

Function Description: Configure the protocol of data transmission, take transparent transmission as example

DTU Protocol

Set the transmit protocol of DTU

Transparent

Protocol

Configure type of protocol, TCP/UDP

TCP

Mode

Set the connection mode between router and server

Client

Frame Interval

Set frame interval of serial

100 ms

Serial Buffer Frames

Set the number of serial buffer frames

4

Keep alive Interval

Set the interval to test the connectivity between router and server

60

Keep alive Retry Time

The number of times to retry when connection lose

5

Multi-Server Policy

The policy for multi server

Parallel

Min Reconnect Interval

Set the min interval to reconnect

15

Max Reconnect Interval

Set the max interval to reconnect

180

DTU ID

The ID of router when connect to server

 

Source IP

The source IP router uses when connect to server, will use WAN IP if this parameter is blank

 

Source port

The source port router uses when connect to server, will use random port if this parameter is blank

 

DTU ID Report Interval

Set the interval to upload DTU ID

0

Multi Server

Function Description: Router can transmit data to multi servers, take transparent transmission as example

Server Address

Set the server address to receive data

 

Server Port

Set the server port to receive data

 

3.3.9 I/O

Click “Service >> I/O” in the navigation menu to check and configure I/O and relay of the device.

Voltage range: 

DI: 0~30V, 0~3V means low, 10~30V means high, and the max input voltage is 30V.

DO: Wet contact, low means 0V, high means 13V (pull up, cannot be used as power supply for other device directly).

Only IR302-IO supports this feature.

Table 3-3-9 I/O Parameters 

I/O

Function description: Configuration I/O mode and relay of the device.

Parameters

Description

Default

I/O mode

Set I/O mode, input or output

Output

I/O default output level

Set I/O output level when I/O mode is output, low or high

low

Dry/Wet contract

Set I/O input type when I/O mode is input, Dry or Wet contact

Dry

Input triggered report

Report when input triggers in some situation

Disable

Trigger edge

Set trigger edge of the relay

Falling edge

3.3.10 SMS

SMS permits message-based reboot and manual dialing. Configure Permit to Phone Number and click <Apply and Save>. After that you can send “reboot” command to restart the device or send custom connection or disconnection command to redial or disconnect the device. 

From navigation tree, select "Service>>SMS" menu, then enter “SMS” page. 

Table 3-3-10 SMS Parameters

Short message

Function description: Configuration SMS function to manage the router in the form of SMS.

Parameters

Description

Default

Enable

Click to enable backup DTU function

Disable

Status Query

Users define the English query instruction to inquire current working status of the router.

N/A

Reboot

Users define the English query instruction to reboot the router.

N/A

SMS Access Control

Default Policy

Select the manner of access processing.

Accept

Phone Number

Fill in accessible mobile number

N/A

Action

Accept or block

Accept

Description

Describe SMS control.

 

3.3.11 Traffic Manager 

This function is mainly used to count data traffic in cellular interface. If the threshold is 0, router will only count and the rules will not take effort. This function requires enabling NTP function.

Choose Services >> Traffic Manager to go to the "Traffic Manager" page.

Table 3-3-11 Traffic Manager - Basic Configuration Parameters

Traffic Manager

Function: Monitor and manage the traffic use of the router.

Parameters

Description

Default

Enable

Click to enable the traffic manager function.

Disable

Start Day

The day to start counting data traffic every month

1

Monthly Threshold

Data traffic threshold every month

0MB

When Over Monthly Threshold

Operation when data traffic used within a month reaches the threshold:

Only Reporting,

Block Except Management(will not influence DM and management requirement),

Shutdown Interface

Only Reporting

Last 24-Hours Threshold

Data traffic threshold in last 24 Hours

0KB

When Over 24-Hours Threshold

Operation when data traffic used within 24 hours reaches the threshold

Only Reporting

Advance

Custom statistics and operations last several hours

Disable

3.3.12 Alarm Settings

When an abnormality occurs, router will report alarm according to the settings. Currently router supports sending alarm in following situations: System Service Fault, Memory Low, WAN/LAN1 Link-Up/Down, LAN2 Link-Up/Down, Cellular Up/Down, Traffic Alarm, Traffic Disconnect Alarm, SIM/UIM Card Switch, Active Link Switch, SIM/UIM Card Fault, Signal Quality Fault.

In the Alarm Manager interface, you can perform the following operations: 

  1. Select alarm types in the "Alarm Input" area.
  2. Set the alarm notification method of the console in the "Alarm Output" area.

Choose Services >> Alarm Manager to go to the "Alarm Manager" page.

3.3.13 User Experience Plan

InHand Networks’ User Experience Program is designed to improve the product user experience and customer service quality. 

User can disable or enable User Experience Plan in “Services >> User Experience Plan”.

3.4 FIREWALL

The firewall function of the router implements corresponding control to data flow at entry direction (from Internet to LAN) and exit direction (from LAN to Internet) according to the content features of message (such as: protocol style, source/destination IP address, etc. ) and ensures safe operation of router and host in local area network.

3.4.1 Basic 

From the navigation tree, select Firewall >> Basic Setup, then enter the “Basic Setup” page.

Table 3-4-1 Firewall - Basic Setup Parameters

Basic Setup of Firewall

Function description: Set basic firewall rules.

Parameters

Description

Default

Default Filter Policy

Select accept/block

Accept

Filter PING detection from Internet

Select to filter PING detection

Disable

Filter Multicast

Select to filter multicast function

Enable

Defend DoS Attack

Select to defend DoS attack

Enable

SIP ALG

Select to enable SIP ALG

Disable

3.4.2 Filtering 

Filter the network data by customize rules to allow or prohibit the specified data flow forwarded by router. 

To enable Access Control from the navigation tree, select Firewall >> Filtering, then enter “Filtering” page.

Table 3-4-2 Filtering Parameters

Access Control of Firewall

Function description: Control the protocol, source/destination address and source/destination port passing through network packet of the router to provide a safe intranet.

Parameters

Description

Default

Enable

Check to enable filtering.

Enable

Protocol

Select all/TCP/UDP/ICMP

ALL

Source address

Set source address of access control

0.0.0. 0/0

Source Port

Set source port of access control

Not available

Destination Address

Set destination address

N/A

Destination Port

Set destination port of access control

Not available

Action

Select accept/block

Accept

Log

Click to enable log and the log about access control will be recorded in the system.

Disable

Description

Convenient for recording parameters of access control

N/A

3.4.3 Device Access Filtering

Set customize rules to allow or prohibit data and access to the router.

From the navigation tree, select Firewall >> Device Access Filtering, then enter “Device Access Filtering” page. 

Table 3-4-3 Device Access Filtering Parameters

Device Access Filtering

Function description: Control the protocol, source/destination address and source/destination port to the router.

Parameters

Description

Default

Enable

Check to enable device access filtering.

Enable

Protocol

Select ALL/TCP/UDP/ICMP

ALL

Source

Set source address of network access

0.0.0.0/0

Source Port

Set source port of network access

Not available

Destination

Set destination address

N/A

Destination Port

Set destination port of network access

Not available

Interface

Set interface of network access

All WANs

Action

Select Accept/Block

Accept

Log

Click to enable log and the log about access control will be recorded in the system.

Disable

Description

Convenient for recording parameters of access control

N/A

3.4.4 Content Filtering

Set rules to disable access to specific URLs. 

From navigation tree, select "Firewall>>Content Filtering" menu, then enter “Content Filtering” page. 

Table 3-4-4 Content - Filtering Parameters

Filtering

Function description: Set settings of firewall related to filtering and generally set forbidden URL.

Parameters

Description

Default

Enable

Click to enable filtering

Enable

URL

Set URL that needs to be filtered

N/A

Action

Select accept/block

Accept

Log

Click to write log and the log about filtering will be recorded in the system.

Disable

Description

Record the meanings of various parameters of filtering

N/A

3.4.5 Port Mapping

Port mapping is also called virtual server. Setting of port mapping can enable the host of extranet to access to specific port of host corresponding to IP address of intranet. 

To configure port mapping, go into the navigation tree, select "Firewall >> Port Mapping", then enter “Port Mapping” page.

Table 3-4-5 Firewall - Port Mapping Parameters 

Port Mapping (at most 50 port mappings can be set)

Function description: Configure parameters of port mapping.

Parameters

Description

Default

Enable

Check to enable port mapping.

Enable

Protocol

Select TCP/UDP/ICMP

TCP

Source address

Set source address of port mapping

0.0.0.0/0

Service Port

Set service port number of port mapping

8080

Internal Address

Set external address of port mapping

N/A

Internal Port

Set internal address of port mapping

8080

Log

Click to enable log and the log about port mapping will be recorded in the system.

Disable

External address (optional)

Set external address/tunnel name of port mapping

N/A

Description

For recording significance of each port mapping rule

N/A

3.4.6 Virtual IP Mapping

Both router and the IP address of the host of intranet can correspond with one virtual IP. Without changing IP allocation of intranet, the extranet can access to the host of intranet via virtual IP.  This function is always used with VPN.

To configure virtual IP mapping, go into the navigation tree, select "Firewall >> Virtual IP Mapping". 

Table 3-4-6 Firewall - Virtual IP Mapping Parameters 

Virtual IP Address

Function description: Configure parameters of virtual IP address.

Parameters

Description

Default

Virtual IP address of router

Set virtual IP address of router

N/A

Range of source address

Set range of the external source IP addresses.

N/A

Enable

Click to enable virtual IP address

Enable

Virtual IP

Set virtual IP address of virtual IP mapping

N/A

Real IP

Set real IP address of virtual IP mapping

N/A

Log

Click to enable log and the log about virtual IP address will be recorded in the system.

Disable

Description

For recording significance of each virtual IP address rule

N/A

3.4.7 DMZ 

After mapping all ports, extranet PC can access to all ports of internal device by DMZ settings. 

From the navigation tree, select Firewall >> DMZ, then enter the “DMZ” page.

Table 3-4-7 Firewall - DMZ Parameters

DMZ

Function description: Configure DMZ settings.

Parameters

Description

Default

Enable DMZ

Check to enable the DMZ.

Disable

DMZ Host

Set address of DMZ Host

N/A

Range of Source Address

Enter range of source address

N/A

Interface

Select interface as DMZ: CELLULAR/WAN/VPN Interface

N/A

3.4.8 MAC-IP Binding

If the default filter policy in the basic setting of firewall is disabled, only hosts specified in MAC-IP Binding can have an access to outer net.

From the navigation tree, select Firewall >> MAC-IP Binding, then enter the “MAC-IP Binding” page.

Table 3-4-8 Firewall - MAC-IP Binding Parameters

MAC-IP Binding (at most 20 MAC-IP Bindings can be set)

Function description: Configure MAC-IP parameters.

Parameters

Description

Default

MAC Address

Set the binding MAC address

00:00:00:00:00:00

IP Address

Set the binding MAC address

192. 168. 2. 2

Description

For recording the significance of each MAC-IP binding configuration

N/A

3.4.9 NAT

NAT is the network address translation function, including source address translation (SNAT) and destination address translation (DNAT).

SNAT refers to the communication between the internal network and the external network when the destination address remains unchanged. DNAT refers to the translation of the destination address of the internal network into the external network without changing the source address when accessing the internal network. 

Table 3-4-9 NAT Parameters

NAT

Function description: Configure parameters of NAT

Parameters

Description

Default

Enable

Enable NAT

Enable

Type

Set convert type

SNAT

Proto

Select protocol

TCP

Source IP

Set source IP of the NAT rule

0.0.0.0/0

Source Port

Set source port of the NAT rule

N/A

Destination

Set destination IP of the NAT rule

0.0.0.0/0

Destination Port

Set destination port of the NAT rule

0.0.0.0/0

Interface

Set interface of the NAT rule

N/A

Translated Address

Translate the IP address if match the rule

0.0.0.0

Translated Port

Translate the port if match the rule

N/A

3.5 QoS

To ensure all LAN users can normally get access to network resources, IP traffic control function can limit the flow of specified host in LAN. QoS provides dedicated bandwidth and different service quality for different applications, greatly improving the network service capabilities.

3.5.1 IP BW Limit

Bandwidth control sets a limit on the upload and download speeds when accessing external networks. 

From the navigation tree, select QoS >> Bandwidth Control, then enter the “Bandwidth Control” page.

Table 3-5-1    Parameters of Bandwidth Control

IP Bandwidth Limit

Function description: Configure parameters of IP bandwidth limit.

Parameters

Description

Default

Enable

Click to enable IP bandwidth limit

Disable

Download bandwidth

Set download total bandwidth

1000kbit/s

Upload bandwidth

Set upload total bandwidth

1000kbit/s

Control port of flow

Select CELLULAR/WAN

CELLULAR

Host Download Bandwidth

Enable

Click to enable

Enable

IP Address

Set IP address

N/A

Guaranteed Rate (kbit/s)

Set rate

1000kbit/s

Priority

Select priority

Medium

Description

Describe IP bandwidth limit

N/A

3.6 VPN

VPN is for building a private dedicated network on a public network via the Internet. 'Virtuality" is a logical network.

Two Basic Features of VPN:

  1. Private: the resources of VPN are unavailable to unauthorized VPN users on the internet; VPN can ensure and protect its internal information from external intrusion.
  2. Virtual: the communication among VPN users is realized via public network which, meanwhile can be used by unauthorized VPN users so that what VPN users obtained is only a logistic private network.  This public network is regarded as VPN Backbone.

Build a credible and secure link by connecting remote users, company branches, partners to the network of the headquarters via VPN so as to realize secure transmission of data. 

It is shown in the figure below:

Fundamental Principle of VPN

The fundamental principle of VPN indicates to enclose VPN message into tunnel with tunneling technology and to establish a private data transmission channel utilizing VPN Backbone so as to realize the transparent message transmission.

Tunneling technology encloses the other protocol message with one protocol. Also, encapsulation protocol itself can be enclosed or carried by other encapsulation protocols. To the users, tunnel is logical extension of PSTN/link of ISDN, which is similar to the operation of actual physical link.

VPN settings include IPSec settings, IPSec tunnels, GRE tunnels, L2TP client, PPTP client, OpenVPN, OpenVPN Advanced and certificate management. 

3.6.1 IPSec Settings

A majority of data contents are Plaintext Transmission on the Internet, which has many potential dangers such as password and bank account information stolen and tampered, user identity imitated, suffering from malicious network attack, etc. After disposal of IPSec on the network, it can protect data transmission and reduce risk of information disclosure.

IPSec is a group of open network security protocol made by IETF, which can ensure the security of data transmission between two parties on the Internet via data origin authentication, data encryption, data integrity and anti-replay function on the IP level. It is able to reduce the risk of disclosure and guarantee data integrity and confidentiality and well as maintain security of service transmission of users.

IPSec, including AH, ESP and IKE, can protect one and more date flows between hosts, between host and gateway, and between gateways. The security protocols of AH and ESP can ensure security and IKE is used for cipher code exchange.

IPSec can establish bidirectional Security Alliance on the IPSec peer pairs to form a secure and interworking IPSec tunnel and to realize the secure transmission of data on the Internet.

From navigation tree, select VPN>>IPSec Settings, then enter “IPSec Settings” page.

Table 3-6-1 Parameters of IPSec Settings 

IPSec settings

Function description: Select the log level of IPSec.

Parameters

Description

Default

Log level

Click to select log level.

Normal: Only key log will be printed into   system log.

Debug: More log in debug level will be printed.

Data: All log of IPSec will be printed.

Normal

3.6.2 IPSec Tunnels

From navigation tree, select VPN>>IPSec Tunnels, enter "IPSec Tunnels" and click <add>.

Table 3-6-2 Parameters of IPSec Tunnels 

IPSec Tunnels

Function description: Configure IPSec tunnels

Parameters

Description

Default

Show Advanced Options

Click to enable advanced options

Disable(open advanced options after enabling)

Basic parameters

Tunnel Name

User defines tunnel name

IPSec_tunnel_1

Destination Address

Set destination IP address or domain name

0. 0. 0. 0

IKE Version

Set IKE version: IKEv1/IKEv2

IKEv1

Startup Modes

Select Auto Activated/Triggered by Data/Passive/Manually Activated

Auto Activated

Restart WAN when failed

Click to enable

Enable

Negotiation Mode (IKEv1)

Select main mode or aggressive mode

Main Mode

IPSec Protocol (Advanced Option)

Select ESP/AH

ESP

IPSec Mode (Advanced Option)

Select tunnel mode/transmission mode

Tunnel Mode

VPN over IPSec (Advanced Option)

Select L2TP over IPSec/GRE over IPSec/None

None

Tunnel Type

Select Host-Host/Host-Subnet/Subnet-Host/Subnet-Subnet

Subnet-Subnet

Local subnet address

Set local subnet IP address

192. 168. 2. 1

Local Subnet Mask

Set local subnet mask

255. 255. 255. 0

Peer Subnet Address

Set peer subnet IP address

0. 0. 0. 0

Peer Subnet Mask

Set remote netmask

255. 255. 255. 0

Phase I Parameters

IKE Strategy

Multiple strategies available

3DES-MD5-DH2

IKE Life Cycle

Set IKE life cycle

86400 s

Local ID Type

Select IP address/User FQDN/FQDN Fill in the ID according to the ID type (USERFQDN is standard email format)

IP Address

Peer ID Type

Select IP address/User FQDN/FQDN

IP Address

Authentication method

Select shared key/digital certificate

Shared key

Key

Set IPSec VPN key

N/A

XAUTH Parameters (Advanced Option)

XAUTH Mode

Click to enable XAUTH mode

Disable

XATUTH username

User defines XATUTH username

N/A

XATUTH password

User defines XATUTH password

N/A

MODECFG

Click to enable MODECFG

Disable

Phase II Parameters

IPSec Strategy

Multiple strategies available

3DES-MD5-96

IPSec Life Cycle

Set IPSec life cycle

3600 s

Perfect Forward Secrecy (PFS) (Advanced Option)

Select disable/Group 1/Group 2/Group 5

Disable (this needs to match the server)

Link Detection Parameters (Advanced Option)

DPD Interval

Set time interval.

60 s

DPD Timeout

Set the timeout for dropped packets.

180 s

ICMP Detection Server

Set ICMP detection server

N/A

ICMP Detection Local IP

Set ICMP detection local IP

N/A

ICMP Detection Interval

Set ICMP Detection Interval

60 s

ICMP Detection Timeout

Set ICMP detection timeout

5 s

ICMP Detection Retries

Set ICMP detection max. retries

10


The security level of three encryption algorithms ranks successively: AES, 3DES, DES. The implementation mechanism of encryption algorithm with stricter security is complex and slow arithmetic speed. DES algorithm can satisfy the ordinary safety requirements.

3.6.3 GRE Tunnels

Generic Route Encapsulation (GRE) defines the encapsulation of any other network layer protocol on a network layer protocol. GRE could be used as the L3TP of VPN to provide a transparent transmission channel for VPN data. In simple terms, GRE is a tunneling technology which provides a channel through which encapsulated data message could be transmitted and encapsulation and decapsulation could be realized at both ends. GRE tunnel application networking shown as the following figure:


Along with the extensive application of IPv4, to have messages from some network layer protocol transmitted on IPv4 network, those messages could by encapsulated by GRE to solve the transmission problems between different networks.

In following circumstances GRE tunnel transmission is applied:

  1. GRE tunnel could transmit multicast data packets as if it were a true network interface.  Single use of IPSec cannot achieve the encryption of multicast.
  2. A certain protocol adopted cannot be routed.
  1. A network of different IP address shall be required to connect other two similar networks.

GRE application example: combined with IPSec to protect multicast data

GRE can encapsulate and transmit multicast data in GRE tunnel, but IPSec, currently, could only carry out encryption protection against unicast data. In case of multicast data requiring to be transmitted in IPSec tunnel, a GRE tunnel could be established first for GRE encapsulation of multicast data and then IPSec encryption of encapsulated message so as to achieve the encryption transmission of multicast data in IPSec tunnel. As shown below:


From navigation tree, select VPN>>GRE Tunnels and enter "GRE Tunnels".

Table 3-6-3 Parameters of GRE Tunnels

GRE Tunnels

Function description: Configure GRE tunnels

Parameters

Description

Default

Enable

Click to enable GRE

Enable

Name

User defines name of GRE tunnel

tun0

Local visual IP

Set local virtual IP

0. 0. 0. 0

Destination Address

Set remote IP address

0. 0. 0. 0

Peer visual IP

Set peer virtual IP

0. 0. 0. 0

Peer Subnet Address

Set peer subnet IP address

0. 0. 0. 0

Peer Subnet Mask

Set remote netmask

255. 255. 255. 0

Key

Configure the key of GRE tunnel

N/A

NAT

Click to enable NAT

Disable

Description

For recording the significance of each GRE tunnel configuration

N/A

3.6.4 L2TP Client

L2TP, one of VPDN TPs, has expanded the applications of PPP, known as a very important VPN technology for remote dial-in user to access the network of enterprise headquarters.

L2TP, through dial-up network (PSTN/ISDN), based on negotiation of PPP, and could establish a tunnel between enterprise branches and enterprise headquarters so that remote user has access to the network of enterprise headquarters. PPPoE is applicable in L2TP. Through the connection of Ethernet and Internet, a L2TP tunnel between remote mobile officers and enterprise headquarters could be established.

L2TP-Layer 2 Tunnel Protocol encapsulates private data from user network at the head of L2 PPP. No encryption mechanism is available, thus IPSes is required to ensure safety.

Main Purpose: branches in other places and employees on a business trip could access to the network of enterprise headquarter through a virtual tunnel by public network remotely.

Typical L2TP network diagram is shown below:


From navigation tree, select VPN>>L2TP Client, enter "L2TP Client" and click <add>.

Table 3-6-4 Parameters of L2TP Client

L2TP Client

Function description: Configure parameters of L2TP client.

Parameters

Description

Default

Enable

Click to enable L2TP client

Disable

Tunnel Name

User defines tunnel name of L2TP client

L2TP_tunnel_1

L2TP Server

Set L2TP Server address

N/A

Username

Set server's username

N/A

Password

Set server's password

N/A

Server Name

Set server name

l2tpserver

Startup Modes

Select Auto Activated/Triggered by Data/Passive/Manually Activated/L2TPOverIPSec

Auto Activated

Authentication Method

Select CHAP/PAP

CHAP

Enable Challenge secrets

Click to enable challenge secrets

Disable

Challenge secret (after enabling)

Set challenge secret

N/A

Local IP Address

Set local IP address

N/A

Remote IP Address

Set remote IP address

N/A

Remote Subnet

Set remote subnet address

N/A

Remote Netmask

Set remote subnet mask

255.  255.  255.  0

Link Detection Interval

Set link detection interval

60 s

Max. Retries for Link Detection

Set the max. number of retries

5

Enable NAT

Click to enable NAT

Disable

MTU

Set max. transmission unit

1500

MRU

Set max. receiving unit

1500

Enable Debug

Enable debug mode.

Disable

Expert Option (not recommended)

Set expert option, not recommended

N/A

3.6.5 PPTP Client

From navigation tree, select VPN>>PPTP Client, enter "PPTP Client" and click <add>.

Table 3-6-5 Parameters of PPTP Client


PPTP Client

Function description: Configure parameters of PPTP client.

Parameters

Description

Default

Enable

Click to enable PPTP client

Disable

Tunnel Name

User defines tunnel name

PPTP_tunnel_1

PPTP Server

Set PPTP Server address

N/A

Username

Set username of PPTP server

N/A

Password

Set password of PPTP server

N/A

Startup Modes

Select Auto Activated/Triggered by Data/Passive/Manually Activated

Auto Activated

Authentication method

Select Auto/CHAP/PAP/MS-CHAPv1/MS-CHAPv2

Auto

Local IP Address

Set local IP address

N/A

Remote IP Address

Set remote IP address

N/A

Remote Subnet

Set remote subnet address

N/A

Remote Netmask

Set remote subnet mask

255. 255. 255. 0

Link Detection Interval

Set link detection interval

60 s

Max. Retries for Link Detection

Set the max. number of retries

5

Enable NAT

Click to enable NAT

Disable

Enable MPPE

Click to enable MPPE

Disable

Enable MPPC

Click to enable MPPC

Disable

MTU

Set max. transmission unit

1500

MRU

Set max. receiving unit

1500

Enable Debug

Enable debug mode.

Disable

Set expert option (not recommended)

Set expert option, not recommended

N/A

3.6.6 OpenVPN

Single point participating in the establishment of VPN is allowed to carry out ID verification by preset private key, third-party certificate or username/password. OpenSSL encryption library and SSLv3/TLSv1 protocol are massively used.

In OpenVPN, if a user needs to access to a remote virtual address (address family matching virtual network card), then OS will send the data packet (TUN mode) or data frame (TAP mode) to the visual network card through routing mechanism.  Upon the reception, service program will receive and process those data and send them out through outer net by SOCKET, owing to which, the remote service program will receive those data and carry out processing, then send them to the virtual network card, then application software receive and accomplish a complete unidirectional transmission, vice versa.

From navigation tree, select "VPN>>OpenVPN", then enter “OpenVPN” page, and click <Add>.

Table 3-6-6 IPSec Configuration Parameters

OpenVPN

Function description: Configure OpenVPN parameters.

Parameters

Description

Default

Tunnel Name

OpenVPN tunnel name, cannot be changed by the system

OpenVPN_T_1

Enable

Click to enable

Enable

Mode

Client/server

Client

Protocol

UDP/ICMP

UDP

Port