FCC ID: PBLISL500001 IIoT 4G

by: Advance Multimedia Internet Technology Inc. latest update: 2018-08-07 model: ISL500001

One grant has been issued under this FCC ID on 08/07/2018 (this is the only release in 2018 for this grantee). Public details available include frequency information, manuals, and internal & external photos. some products also feature user submitted or linked warrantee terms, password defaults, instructions, drivers, & troubleshooting guides.

permalink for this FCC identifier

search for: Repair details

from iFixIt

Trade-in? Recycling locations

eg for Slack usage

all	frequencies						exhibits	applications
		manuals		photos		label

all exhibits 11
1 ~ 2018-08-07 11

app s				submitted / available
1	Users Manual-1	Users Manual	pdf	2.62 MiB	July 08 2018
1	Users Manual-2	Users Manual	pdf	3.53 MiB	July 08 2018
1	Internal Photos	Internal Photos	pdf	2.41 MiB	July 08 2018
1	External Photos rev 3	External Photos	pdf	1012.99 KiB	July 08 2018
1	Label Sample & Label Location	ID Label/Location Info	pdf	150.47 KiB	July 08 2018
1	Attestation (Channel and Mode Declaration)	Attestation Statements	pdf	208.99 KiB	July 08 2018
1	Confidentiality Request	Cover Letter(s)	pdf	285.05 KiB	July 08 2018
1	Cover Letter (Agent Authorization)	Cover Letter(s)	pdf	297.66 KiB	July 08 2018
1		RF Exposure Info	pdf		July 08 2018
1		Test Report	pdf		July 08 2018
1		Test Setup Photos	pdf		July 08 2018

exhibit
download
text

Users Manual-1

Users Manual

pdf

2.62 MiB

July 08 2018

M2MCellularGateway IDG500/IOG500(LTEcat.4) UserManual M2MCellularGateway Chapter 1 Introduction ........................................................................................................................................... 6 1.1 Introduction .............................................................................................................................................. 6 1.2 Contents List ............................................................................................................................................ 7 1.2.1 Package Contents ........................................................................................................................... 7 1.3 Hardware Configuration .......................................................................................................................... 8 1.4 LED Indication ......................................................................................................................................... 9 1.5 Installation & Maintenance Notice ........................................................................................................ 10 1.5.1 SYSTEM REQUIREMENTS ..................................................................................................... 10 1.5.2 WARNING .................................................................................................................................. 10 1.5.3 HOT SURFACE CAUTION ....................................................................................................... 11 1.5.4 Product Information for CE RED Requirements ........................................................................ 12 1.6 Hardware Installation ............................................................................................................................. 14 1.6.1 Mount the Unit ............................................................................................................................ 14 1.6.2 Insert the SIM Card ..................................................................................................................... 14 1.6.3 Install the External Antenna ........................................................................................................ 15 1.6.4 Connecting Power ....................................................................................................................... 16 1.6.5 Connecting to the Network or a Host ......................................................................................... 16 1.6.6 Setup by Configuring WEB UI .................................................................................................. 17 Chapter 2 Basic Network ..................................................................................................................................... 18 2.1 WAN & Uplink ...................................................................................................................................... 18 2.1.1 Physical Interface ........................................................................................................................ 19 2.1.2 Internet Setup .............................................................................................................................. 24 2.2 LAN & VLAN ....................................................................................................................................... 43 2.2.1 Ethernet LAN ............................................................................................................................... 43 2.2.2 VLAN ......................................................................................................................................... 46 2.2.3 DHCP Server ............................................................................................................................... 57 2.3 WiFi (not supported) .............................................................................................................................. 65 2.4 IPv6 ........................................................................................................................................................ 66 2.4.1 IPv6 Configuration...................................................................................................................... 66 2.5 Port Forwarding .................................................................................................................................... 75 2.5.1 Configuration .............................................................................................................................. 76 2.5.2 Virtual Server & Virtual Computer ............................................................................................. 77 2 M2MCellularGateway 2.5.3 DMZ & Pass Through ................................................................................................................. 83 2.6 Routing ................................................................................................................................................... 86 2.6.1 Static Routing.............................................................................................................................. 87 2.6.2 Dynamic Routing ........................................................................................................................ 90 2.6.3 Routing Information .................................................................................................................... 95 2.7 DNS & DDNS ....................................................................................................................................... 96 2.7.1 DNS & DDNS Configuration ..................................................................................................... 96 Chapter 3 Object Definition ............................................................................................................................... 100 3.1 Scheduling............................................................................................................................................ 100 3.1.1 Scheduling Configuration ......................................................................................................... 100 3.2 User (not supported) ............................................................................................................................ 102 3.3 Grouping (not supported) ..................................................................................................................... 103 3.4 External Server..................................................................................................................................... 104 3.5 Certificate ............................................................................................................................................. 107 3.5.1 Configuration (not supported)................................................................................................... 107 3.5.2 My Certificate ........................................................................................................................... 108 3.5.3 Trusted Certificate ..................................................................................................................... 115 Chapter 4 Field Communication (not supported) .............................................................................................. 121 Chapter 5 Security .............................................................................................................................................. 122 5.1 VPN ...................................................................................................................................................... 122 5.1.1 IPSec ......................................................................................................................................... 123 5.1.2 OpenVPN .................................................................................................................................. 136 5.1.3 L2TP ......................................................................................................................................... 144 5.1.4 PPTP ......................................................................................................................................... 150 5.1.5 GRE........................................................................................................................................... 154 5.2 Firewall ................................................................................................................................................ 158 5.2.1 Packet Filter .............................................................................................................................. 158 5.2.2 URL Blocking ........................................................................................................................... 163 5.2.3 MAC Control ............................................................................................................................ 167 5.2.4 Content Filter (not supported) ................................................................................................... 170 5.2.5 Application Filter (not supported) ............................................................................................. 171 5.2.6 IPS ............................................................................................................................................. 172 3 M2MCellularGateway 5.2.7 Options ...................................................................................................................................... 176 Chapter 6 Administration ................................................................................................................................... 180 6.1 Configure & Manage ........................................................................................................................... 180 6.1.1 Command Script ....................................................................................................................... 181 6.1.2 TR-069 ...................................................................................................................................... 185 6.1.3 SNMP ........................................................................................................................................ 190 6.1.4 Telnet & SSH ............................................................................................................................ 201 6.2 System Operation ................................................................................................................................. 205 6.2.1 Password & MMI ...................................................................................................................... 205 6.2.2 System Information ................................................................................................................... 208 6.2.3 System Time.............................................................................................................................. 209 6.2.4 System Log ............................................................................................................................... 211 6.2.5 Backup & Restore ..................................................................................................................... 215 6.2.6 Reboot & Reset ........................................................................................................................ 216 6.3 FTP (not supported) ............................................................................................................................. 217 6.4 Diagnostic ............................................................................................................................................ 218 6.4.1 Diagnostic Tools ....................................................................................................................... 218 Chapter 7 Service ............................................................................................................................................... 219 7.1 Cellular Toolkit .................................................................................................................................... 219 7.1.1 Data Usage ................................................................................................................................ 220 7.1.2 SMS........................................................................................................................................... 223 7.1.3 SIM PIN .................................................................................................................................... 226 7.1.4 USSD ........................................................................................................................................ 230 7.1.5 Network Scan ............................................................................................................................ 233 Chapter 8 Status ................................................................................................................................................. 235 8.1 Dashboard (not supported) ................................................................................................................... 235 8.2 Basic Network ...................................................................................................................................... 236 8.2.1 WAN & Uplink Status .............................................................................................................. 236 8.2.2 LAN & VLAN Status ............................................................................................................... 240 8.2.3 WiFi Status (not supported) ...................................................................................................... 241 8.2.4 DDNS Status ............................................................................................................................. 242 8.3 Security ................................................................................................................................................ 243 4 M2MCellularGateway 8.3.1 VPN Status ................................................................................................................................ 243 8.3.2 Firewall Status .......................................................................................................................... 247 8.4 Administration...................................................................................................................................... 251 8.4.1 Configure & Manage Status...................................................................................................... 251 8.5 Statistics & Report ............................................................................................................................... 253 8.5.1 Connection Session ................................................................................................................... 253 8.5.2 Network Traffic (not supported) ............................................................................................... 254 8.5.3 Device Administration .............................................................................................................. 255 8.5.4 Cellular Usage ........................................................................................................................... 256 Appendix A GPL WRITTEN OFFER................................................................................................................ 257 5 M2MCellularGateway Chapter1Introduction 1.1Introduction Congratulationsonyourpurchaseofthisoutstandingproduct:M2MCellularGateway.ForM2M(Machineto Machine)applications,AMITM2MCellularGatewayisabsolutelytherightchoice.Withbuiltinworldclass 3G/4Gmodule,youjustneedtoinsertSIMcardfromlocalmobilecarriertogettoInternet.ByVPNtunneling technology,remotesiteseasilybecomeapartofIntranet,andalldataaretransmittedinasecure(256bitAES encryption)link. MainFeatures:

Compactdesign:BuiltinLTEandconfigurableEthernetWAN/LANcanprovideEthernetmachineeasy connectiontointernet/intranetbyLTEorhighreliablefailoverwired/LTEconnection. Dual SIM: Embedded 3G/4G with configurable dualSIM achieve location free multiISP failover requirement. VersatileCellular:Preferredserviceselectioncansimplifyuplinksetting;toolkitfunctionofdatausage cancontrolbudget;configurableSMScommandisusefulandefficientforremoteadministration. CompleteNetwork:BuiltinNAT/PortForward/Routing/IPv6arecompatibletoexistingIPnetwork. HighlySecurity:VariousVPNprotocol&scenariocansetupsecureintranet;builtinFirewallprevents maliciousattacks;ACL&AuthenticationbyMAC/Userenhancessecureaccess. FlexibleAdministration:WebUIisusedforbasicsetting;programmableCLIandCommandScriptare usedforadvancedconfiguration;systemcanbemanagedbyNMSbasedonTR069. SmartEventHanding:Mechanismtomanageactionforpredefinedeventsbyadministrator.Events canbetriggeredornotifiedbasedonSystem/Interfacestatuschange,SMS,SNMPtrap,oremail. Beforeyouinstallandusethisproduct,pleasereadthismanualindetailforfullyexploitingthefunctionsof thisproduct. 6 M2MCellularGateway 1.2 ContentsList 1.2.1PackageContents

#StandardPackage Items Description 1 2 3 4 5 6 IDG500 M2MCellularGateway PowerAdapter

(DC5V/2A)

(*1) DINRailBracket MaleDCJacktoScrewTerminal BlockAdaptor RubberFeet CD

(Manual) Contents Quantity 1pcs 1pcs 1set(2pcs) 1pcs 4pcs 1pcs 1 The maximum power consumption of IDG500 series product is 7.0W. 7 M2MCellularGateway 1.3HardwareConfiguration LeftView RightView LAN2 LAN1/

WAN DCPower Receptacle Reset Button SIM-B SIM-A 3G/4G Antenna 3G/4G Antenna ResetButton TheRESETbuttonprovidesuserwithaquickandeasywaytoresortthedefaultsetting.PresstheRESETbutton continuouslyfor6seconds,andthenreleaseit.Thedevicewillrestoretofactorydefaultsettings. MicroSD 8 M2MCellularGateway 1.4 LEDIndication Indication LED Color Description WhentheLEDcolorisshownin:

Blue:CellularmoduleisinLTEMode. Purple:CellularmoduleisinHSPA/3GMode. Red:CellularmoduleisinGSM/2GMode. WhenthebehaviorofLEDis:

FastFlash(per0.5second):SignalStrengthis0~30%

Flash(Slow,persecond):SignalStrengthis31~60%

SteadyOn:SignalStrengthis61~100%

Flash(persecond):Thegateway works normally. Flash(Fast):ThegatewayisinRecoveryModeorabnormalsituation. Note:Ifyouencounteredtheabnormalsituation,evenpowerOFF/ONthedevice,theremightbe somethingwrongduringthedevicebootupsessionanditwasdamaged.YouneedtocallforRMA servicetorecoverit. Off:Hostdisconnected. On:Ethernetconnectionestablished. Flash:DatapackettransferredviaEthernet. Signal LTE/3G Blue Purple Red Status Blue LAN/WAN Green 9 M2MCellularGateway 1.5Installation&MaintenanceNotice 1.5.1SYSTEMREQUIREMENTS Network Requirements Web-based Configuration Utility Requirements 1.5.2WARNING AfastEthernetRJ45cable 3G/4Gcellularservicesubscription 10/100EthernetadapteronPC Computerwiththefollowing:

Windows,Macintosh,orLinuxbasedoperating system AninstalledEthernetadapter BrowserRequirements:

InternetExplorer6.0orhigher Chrome2.0orhigher Firefox3.0orhigher Safari3.0orhigher Attention Only use the power adapter that comes with the package. Using a different voltage rating power adaptor is dangerous and may damage the product. Do not open or repair the case yourself. If the product is too hot, turn off the power immediately and have it repaired at a qualified service center. Place the product on a stable surface and avoid using this product and all accessories outdoors. 10 M2MCellularGateway 1.5.3HOTSURFACECAUTION CAUTION:Thesurfacetemperatureforthemetallicenclosurecanbeveryhigh!

Especiallyafteroperatingforalongtime,installedataclosedcabinet without air conditioning support, or in a high ambient temperature space. DONOTtouchthehotsurfacewithyourfingerswhileservicing!!

11 M2MCellularGateway 1.5.4ProductInformationforCEREDRequirements ThefollowingproductinformationisrequiredtobepresentedinproductUserManualforlatestCERED requirements.2

(1) FrequencyBand&MaximumPower 1.aFrequencyBandforCellularConnection(forME3630E1Cversion)3 Maxoutputpower Bandnumber LTEFDDBAND1 LTEFDDBAND3 LTEFDDBAND7 LTEFDDBAND8 LTEFDDBAND20 WCDMABAND1 WCDMABAND8 EGSM DCS Bandnumber LTEFDDBAND1 LTEFDDBAND3 LTEFDDBAND7 LTEFDDBAND8 LTEFDDBAND20 OperatingFrequency Uplink:19201980MHz Downlink:21102170MHz Uplink:17101785MHz Downlink:18051880MHz Uplink:25002570MHz Downlink:26202690MHz Uplink:880915MHz Downlink:925960MHz Uplink:832862MHz Downlink:791821MHz Uplink:19201980MHz Downlink:21102170MHz Uplink:880915MHz Downlink:925960MHz Uplink:880915MHz Downlink:925960MHz Uplink:17101785MHz Downlink:18051880MHz OperatingFrequency Uplink:19201980MHz Downlink:21102170MHz Uplink:17101785MHz Downlink:18051880MHz Uplink:25002570MHz Downlink:26202690MHz Uplink:880915MHz Downlink:925960MHz Uplink:832862MHz 1.bFrequencyBandforCellularConnection(forEC25Eversion) 232.7dBm 24+1/3dBm 332dBm 302dBm Maxoutputpower 23.1dBm 23.0dBm 22.8dBm 23.2dBm 23.5dBm 2TheinformationpresentedinthissectionisONLYvalidfortheEU/EFTAregionalversion.ForthosenonCE/EFTAversions,please refertothecorrespondingproductspecification. 3TherecanbedifferentcellularmoduleintrgratedinthedeviceforEU/EFTAregionalversion.Refertothecellularmoduleidentifier printedonthedevicelabelforthepurchaseddevice. 12 M2MCellularGateway LTEFDDBAND38 LTEFDDBAND40 WCDMABAND1 WCDMABAND8 EGSM DCS Bandnumber WCDMABAND1 WCDMABAND8 EGSM DCS Downlink:791821MHz Uplink:25702620MHz Downlink:25702620MHz Uplink:23002400MHz Downlink:23002400MHz Uplink:19201980MHz Downlink:21102170MHz Uplink:880915MHz Downlink:925960MHz Uplink:880915MHz Downlink:925960MHz Uplink:17101785MHz Downlink:18051880MHz OperatingFrequency Uplink:1922.41977.6MHz Downlink:2112.42167.6MHz Uplink:882.4912.6 MHz Downlink:927.4957.6MHz Uplink:880.2914.8MHz Downlink:925.2959.8MHz Uplink:1710.21784.8MHz Downlink:1805.21879.8MHz 21.7dBm 21.5dBm 23.3dBm 32.9dBm 29.9dBm Maxoutputpower 22.47dBm 22.48dBm 32.1dBm 28.9dBm 1.cFrequencyBandforCellularConnection(forUC20Gversion)

(2) DoCInformation

(3) RFExposureStatements YoucangettheDoCinformationofthisproductfromthefollowingURL:

http://www.amit.com.tw/productsdoc/

Theantennaoftheproduct,undernormalusecondition,isatleast20cmawayfromthebodyofuser. 13 M2MCellularGateway 1.6 HardwareInstallation Thischapterdescribeshowtoinstallandconfigurethehardware 1.6.1MounttheUnit TheIDG500seriescanbeplacedonadesktop,ormountedonthewall. 1.6.2InserttheSIMCard WARNING: BEFORE INSERTING OR CHANGING THE SIM CARD, PLEASE MAKE SURE THATPOWEROFTHEDEVICEISSWITCHEDOFF. TheSIMcardslotsarelocatedattherightsideofIDG500 serieshousinginordertoprotecttheSIMcard.You need to unscrew and remove the outer SIM card cover before installing or removing the SIM card. Please followtheinstructionstoinsertorejectaSIMcard.AfterSIMcardiswellplaced,screwbacktheouterSIM cardcover. Step2:

PushtheSIMcard intotheslotA(SIM A)orslotB(SIMB). Step3:

PushtheinsertedSIMcard againtoejectitfromthe SIMslot. Step1:

Loosenthescrewsand removetheSIMcover. 14 M2MCellularGateway 1.6.3InstalltheExternalAntenna AsillustratedinSection1.3,thereareseveralSMAantennaJacksforyoutoinstalltherequiredantennasfor theRFsignaltransmissionandreceiving.YouhavetopurchaserequiredRFcablesandantennasseparatelyfor aspecificprojectorinstallationsitetogetexcellentRFperformance. SincethereislimitedspacingforallocatingallSMAantennaJacksaroundtheenclosure,theseparationamong SMA Jacks (or directattached antennas) could be not the optimized arrangement. It is very likely to get degradedRFperformanceatspecificcircumstances.Itdependsheavilyontheenvironment. However,therearewellknownrulesofthumbforsolvingtheantennaseparationissue. 1:Thehorizontaldistancebetweenantennasshouldbegreaterthan1/4ofitswavelength,andtherewillbe bestseparationat1/2ofitswavelength. 2. If multiple frequency antennas are near each other, then use spacing distance of the lower frequency antenna,orevenbettertrytosatisfytheruleforbothfrequencies. WavelengthTableforMajorRFCategory RFCategory CelllularLTE Frequency 2600MHz CellularLTE CellularLTE CellularLTE 2100MHz 900MHz 700MHz Wavelength 11.5cm 14.3cm 33.3cm 42.8cm 1/2WaveLength

(BestSeparation) 5.8cm 1/4WaveLength

(GoodSeparation) 2.9cm 7.1cm 16.6cm 21.4cm 3.7cm 8.3cm 10.7cm So,itisrecommendedtousesomeexternalRFcablestoextendandseparatetheadjacentantennasandget betterantennaseparationandRFperformance. 15 M2MCellularGateway 1.6.4ConnectingPower There are a DC5V/2A power adapter4and a 2pin Terminal Block adapter in the package for you to easily connectDCpowertothisgateway. IfyoupoweredthegatewaywithotherDCPowerSource,PleasemakesuretheDCPowervoltageiscomplyto 5V~18V,andtheelectrodeshavebeenpluggedintotherightpinsaccordingtotheirassignments(+forthe DCPowerandfortheGNDwire). WARNNING:Thiscommercialgradepoweradapterismainlyforeaseofpoweringup the purchased device while initial configuration. Its not for operating at wide temperaturerangeenvironment.PLEASEPREPAREORPURCHASEOTHERINDUSTRIAL GRADEPOWERSUPPLYFORPOWERINGUPTHEDEVICE. 1.6.5ConnectingtotheNetworkoraHost TheIDG500seriesproductprovidesoneRJ45porttoconnect10/100MbpsEthernet.Itcanautodetectthe transmissionspeedonthenetworkandconfigureitselfautomatically.ConnectoneEthernetcabletotheRJ45 port(LAN)ofthedeviceandpluganotherendoftheEthernetcableintoyourcomputersnetworkport.Inthis way,youcanusetheRJ45EthernetcabletoconnectthedevicetothehostPCsEthernetportforconfiguring thedevice. 4 The maximum power consumption of IDG500 series product is 7.0W. 16 M2MCellularGateway 1.6.6SetupbyConfiguringWEBUI YoucanbrowsewebUItoconfigurethedevice. TypeintheIPAddress(http://192.168.123.254)5 Whenyouseetheloginpage,entertheusernameandpasswordandthenclickLoginbutton. Thedefaultsettingforbothusernameandpasswordisadmin6. 5ThedefaultLANIPaddressofthisgatewayis192.168.123.254.Ifyouchangeit,youneedtologinbyusing thenewIPaddress. 6Forsecurityconsideration,youarestronglyrecommendedtochangetheloginusernameandpasswordfrom defaultvalues.RefertoSection6.1.2forhowtochangethesetting. 17 M2MCellularGateway Chapter2BasicNetwork 2.1 WAN&Uplink ThegatewayprovidesmultipleWANinterfacestoletallclient hostsinIntranetofthegatewayaccessthe InternetviaISP.ButISPsintheworldapplyvariousconnectionprotocolstoletgatewaysoruser'sdevicesdial inISPsandthenlinktotheInternetviadifferentkindsoftransmitmedia. So, the WAN Connection lets you specify the WAN Physical Interface, WAN Internet Setup and WAN Load BalanceforIntranettoaccessInternet.ForeachWANinterface,youmustspecifyitsphysicalinterfacefirst andthenitsInternetsetuptoconnecttoISP.Besides,sincethegatewayhasmultipleWANinterfaces,youcan assignphysicalinterfacetoparticipateintheLoadBalancefunction. 18 M2MCellularGateway 2.1.1PhysicalInterface M2M gateways are usually equipped with various WAN interfacess to support different WAN connection scenarioforrequirement.YoucanconfiguretheWANinterfaceonebyonetogetproperinternetconnection setup.RefertotheproductspecificationfortheavailableWANinterfacesintheproductyoupurchased. ThefirststeptoconfigureoneWANinterfaceistospecifywhichkindofconnectionmediatobeusedforthe WANconnection,asshownin"PhysicalInterface"page. In "Physical Interface" page, there are two configuration windows, "Physical Interface List" and "Interface Configuration"."PhysicalInterfaceList"windowshowsalltheavailablephysicalinterfaces.Afterclickingon the"Edit"buttonfortheinterfacein"PhysicalInterfaceList"windowthe"InterfaceConfiguration"window willappeartoletyouconfigureaWANinterface. PhysicalInterface:

Ethernet WAN: The gateway has one or more RJ45 WAN ports that can be configured to be WAN connections.YoucandirectlyconnecttoexternalDSLmodemorsetupbehindafirewalldevice. 3G/4G WAN: Thegatewayhasonebuiltin3G/4GcellularasWANconnection. ForeachcellularWAN, thereare1or2SIMcardstobeinsertedforspecialfailoverfunction. Please MUST POWER OFF the gateway before you insert or remove SIM card. The SIM card can be damaged if you insert or remove SIM card while the gateway is in operation. 19 M2MCellularGateway OperationMode:

TherearethreeoptionitemsAlwayson,Failover,andDisablefortheoperationmodesetting. Always on: Set this WAN interface to be active all the time. When two or more WAN are established at

"Alwayson"mode,outgoingdatawillthroughtheseWANconnectionsbaseonloadbalancepolicies. Failover:

A failover interface is a backup connection to the primary. That means only when its primary WAN connectionisbroken,thebackupconnectionwillbe starteduptosubstitutetheprimaryconnection. Asshowninthediagram,WAN2isbackupWANfor WAN1.WAN1servesastheprimaryconnectionwith operation mode "Always on". WAN2 wont be activated until WAN1 disconnected. When WAN1 connectionisrecoveredbackwithaconnection,itwill take over data traffic again. At that time, WAN2 connectionwillbeterminated. SeamlessFailover:

Inaddition,thereisa"Seamless"optionforFailover operationmode.Whenseamlessoptionisactivated by checking on the "Seamless" box in configuration window, both the primary connection and the failover connection are started up after system rebooting.Butonlytheprimaryconnectionexecutes the data transfer, while the failover one just keeps alive of connection line. As soon as the primary connection is broken, the system will switch, meaning failover, the routing path to the failover connection to save the dial up time of failover connectionsinceithasbeenalive. WhentheSeamlessenablecheckboxisactivated,it can allow the Failover interface to be connected continuouslyfromsystembootingup.FailoverWAN interfacejustkeepsconnectingwithoutdatatraffic. 20 M2MCellularGateway The purpose is to shorten the switch time during failover process. So, when primary connection is disconnected,failoverinterfacewilltakeoverthedatatransfermissioninstantlybyonlychangingrouting path to the failover interface. The dialingup time of failover connection is saved since it has been connectedbeforehand. VLANTagging Sometimes, your ISP required a VLAN tag to be inserted into the WAN packets from Gateway for specific services.PleaseenableVLANtaggingandspecifytagintheWANphysicalinterface.Pleasebenotedthatonly EthernetandADSLphysicalinterfacessupportthefeature.Forthedevicewith3G/4GWANonly,itisdisabled. 21 M2MCellularGateway PhysicalInterfaceSetting GotoBasicNetwork>WAN>PhysicalInterfacetab. ThePhysicalInterfaceallowsusertosetupthephysicalWANinterfaceandtoadjustWANsbehavior. Note:NumbersofavailableWANInterfacescanbedifferentforthepurchasedgateway. WhenEditbuttonisapplied,anInterface Configurationscreenwillappear.WAN1interfaceisusedinthis example. InterfaceConfiguration:

InterfaceConfiguration Item PhysicalInterface Valuesetting 1.AMustfillsetting 2.WAN1istheprimary interfaceandisfactory settoAlwayson. Description Selectoneexpectedinterfacefromtheavailableinterfacedropdownlist.It canbe3G/4GorEtherent. Dependingonthegatewaymodel,DisableandFailoveroptionswillbe availableonlytomultipleWANgateways.WAN2~WAN4interfacesare onlyavailabletomultipleWANgateway. 22 M2MCellularGateway OperationMode AMustfillsetting VLANTagging Optionalsetting Definetheoperationmodeoftheinterface. SelectAlwaysontomakethisWANalwaysactive. SelectDisabletodisablethisWANinterface. SelectFailovertomakethisWANaFailoverWANwhentheprimaryorthe secondaryWANlinkfailed.Thenselecttheprimaryortheexisted secondaryWANinterfacetoswitchFailoverfrom.

(Note:forWAN1,onlyAlwaysonoptionisavailable.) CheckEnableboxtoentertagvalueprovidedbyyourISP.Otherwise uncheckthebox. ValueRange:1~4095. Note:ThisfeatureisNOTavailablefor3G/4GWANconnection. 23 M2MCellularGateway 2.1.2InternetSetup After specifying the physical interface for each WAN connection, administrator must configure their connectionprofiletomeetthedialinprocessofISP,sothatallclienthostsintheIntranetofthegatewaycan accesstheInternet. In "Internet Setup" page, there are some configuration windows: "Internet Connection List", "Internet ConnectionConfiguration","WANTypeConfiguration"andrelatedconfigurationwindowsforeachWANtype. FortheInternetsetupofeachWANinterface,youmustspecifyitsWANtypeofphysicalinterfacefirstand thenitsrelatedparameterconfigurationforthatWANtype. After clicking on the "Edit" button of a physical interface in "Internet Setup List" window, the "Internet ConnectionConfiguration"windowwillappeartoletyouspecifywhichkindofWANtypethatyouwillusefor thatphysicalinterfacetomakeanInternetconnection.BasedonyourchosenWANtype,youcanconfigure necessaryparametersineachcorrespondingconfigurationwindow. 24 M2MCellularGateway InternetConnectionListEthernetWAN WANTypeforEthernetInterface:

EthernetisthemostcommonWANanduplinkinterfaceforM2Mgateways.UsuallyitisconnectedwithxDSL orcablemodemforyoutosetuptheWANconnection.TherearevariousWANtypestoconnectwithISP. StaticIP:SelectthisoptionifISPprovidesafixedIPtoyouwhenyousubsribetheservice.Usuallyismore expensivebutveryimportatforcooperaterequirement. DynamicIP:TheassignedIPaddressfortheWANbyaDHCPserverisdifferenteverytime.Itischeaper PPPoverEthernet:AsknownasPPPoE.ThisWANtypeiswidelyusedforADSLconnection.IPisusually andusuallyforconsumeruse. differentforeverydialup. PPTP:ThisWANtypeispopularinsomecountries,likeRussia. L2TP:ThisWANtypeispopularinsomecountries,likeIsrael. ConfigureEthernetWANSetting WhenEditbuttonisapplied,InternetConnectionConfigurationscreenwillappear.WAN1interfaceisusedin thisexample. 25 M2MCellularGateway WANType=DynamicIP Whenyouselectit,"DynamicIPWANTypeConfiguration"willappear.Itemsandsettingisexplainedbelow DynamicIPWANTypeConfiguration Item HostName Valuesetting An optional setting ISPRegisteredMAC Address Anoptionalsetting WANType=StaticIP Description Enterthehostnameprovidedbyyour ServiceProvider. Enter theMACaddressthatyouhaveregisteredwithyourserviceprovider. OrClicktheClonebuttontocloneyourPCsMACtothisfield. UsuallythisisthePCsMACaddressassignedtoallowyoutoconnectto Internet. Whenyouselectit,"StaticIPWANTypeConfiguration"willappear.Itemsandsettingisexplainedbelow 26 M2MCellularGateway StaticIPWANTypeConfiguration Valuesetting Item WANIPAddress AMustfilledsetting WANSubnetMask AMustfilledsetting WANGateway AMustfilledsetting PrimaryDNS AMustfilledsetting SecondaryDNS Anoptionalsetting WANType=PPPoE Description Enter theWANIPaddress givenbyyourServiceProvider Enter theWANsubnetmaskgivenbyyourServiceProvider Enter theWANgatewayIPaddress givenbyyourServiceProvider Enter the primary WANDNSIPaddress givenbyyourServiceProvider Enter the secondary WANDNSIPaddress givenbyyourServiceProvider Whenyouselectit,"PPPoEWANTypeConfiguration"willappear.Itemsandsettingisexplainedbelow PPPoEWANTypeConfiguration Item PPPoEAccount PPPoEPassword PrimaryDNS SecondaryDNS ServiceName AssignedIPAddress Valuesetting AMustfilledsetting AMustfilledsetting Anoptionalsetting Anoptionalsetting Anoptionalsetting Anoptionalsetting Description Enter thePPPoEUserNameprovidedbyyourServiceProvider. Enter thePPPoEpassword providedbyyourServiceProvider. Enter theIPaddressofPrimaryDNSserver. Enter theIPaddressofSecondaryDNSserver. EntertheservicenameifyourISPrequiresit EntertheIPaddressassignedbyyourServiceProvider. 27 M2MCellularGateway WANType=PPTP Whenyouselectit,"PPTPWANTypeConfiguration"willappear.Itemsandsettingisexplainedbelow PPTPWANTypeConfiguration Item Valuesetting IPMode A Must filled setting ServerIP Address/Name PPTPAccount PPTPPassword ConnectionID MPPE A Must filled setting AMustfilledsetting AMustfilledsetting Anoptionalsetting Anoptionalsetting Description SelecteitherStaticorDynamicIPaddressforPPTPInternetconnection. WhenStaticIPAddressisselected,youwillneedtoentertheWANIP Address,WANSubnetMask,andWANGateway. WANIPAddress(AMustfilledsetting):EntertheWANIP addressgivenbyyourServiceProvider. WANSubnetMask(AMustfilledsetting):EntertheWAN subnetmaskgivenbyyourServiceProvider. WANGateway(AMustfilledsetting):EntertheWANgateway IPaddressgivenbyyourServiceProvider. WhenDynamicIPisselected,therearenoabovesettingsrequired. EnterthePPTPservernameorIPAddress. Enter thePPTP usernameprovidedbyyourServiceProvider. Enter thePPTPconnectionpasswordprovidedbyyourServiceProvider. EnteranametoidentifythePPTPconnection. SelectEnabletoenableMPPE (MicrosoftPointtoPointEncryption) securityforPPTPconnection. 28 M2MCellularGateway WANType=L2TP Whenyouselectit,"L2TPWANTypeConfiguration"willappear.Itemsandsettingisexplainedbelow L2TPWANTypeConfiguration Item Valuesetting IPMode A Must filled setting ServerIP Address/Name L2TPAccount L2TPPassword A Must filled setting AMustfilledsetting AMustfilledsetting ServicePort A Must filled setting MPPE Anoptionalsetting Description SelecteitherStaticorDynamicIPaddressforL2TPInternetconnection. WhenStaticIPAddressisselected,youwillneedtoentertheWANIP Address,WANSubnetMask,andWANGateway. WANIPAddress(AMustfilledsetting):EntertheWANIP addressgivenbyyourServiceProvider. WANSubnetMask(AMustfilledsetting):EntertheWAN subnetmaskgivenbyyourServiceProvider. WANGateway(AMustfilledsetting):EntertheWANgateway IPaddressgivenbyyourServiceProvider. WhenDynamicIPisselected,therearenoabovesettingsrequired. EntertheL2TP servernameorIPAddress. Enter theL2TP usernameprovidedbyyourServiceProvider. Enter theL2TP connectionpasswordprovidedbyyourServiceProvider. Enter theservice portthattheInternetservice. Therearethreeoptionscanbeselected:

Auto:Portwillbeautomaticallyassigned. 1701(ForCisco):Setserviceporttoport1701toconnectto CISCOserver. Userdefined:enteraserviceportprovidedbyyourService Provider. SelectEnabletoenableMPPE (MicrosoftPointtoPointEncryption) securityforPPTPconnection. 29 M2MCellularGateway EthernetConnectionCommonConfiguration TherearesomeimportantparameterstobesetupnomatterwhichEthernetWANtypeisselected.Youshould followuptheruletoconfigure. ConnectionControl. Autoreconnect: This gateway will establish Internet connection automatically once it has been booted up, and try to reconnect once the connectionisdown.Itsrecommendedtochoose thisschemeifformissioncriticalapplicationsto ensurefulltimeInternetconnection. Connectondemand:Thisgatewaywontstartto establish Internet connection until local data is goingtobesenttoWANside.Afternormaldata transferring between LAN and WAN sides, this gateway will disconnect WAN connection if idle timereachesvalueofMaximumIdleTime. 30 M2MCellularGateway Manually: This gateway wont start to establish WAN connection until you press Connect buttononwebUI.Afternormaldatatransferring between LAN and WAN sides, this gateway will disconnectWANconnectionifidletimereaches valueofMaximumIdleTime. Pleasebenoted,iftheWANinterfaceservesastheprimaryoneforanotherWANinterfaceinFailoverrole, theConnectionControlparameterwillnotbeavailabletoyoutoconfigureasthesystemmustsetittoAuto reconnect(Alwayson). NetworkMonitoring It is necessary to monitor connection status continuous. To do it, "ICMP Check" and "FQDN Query" are used to check. When there is trafiic of connection, checking packet will waste bandwidth. Response time of replied

"Network packets may also increase. To avoid Monitoring" work abnormally, enabling

"Checking Loading"optionwillstopconnectioncheckwhenthereis traffic.Itwillwaitforanother"CheckInterval"andthen checkloadingagain. WhenyoudoNetworkMonitoring,ifreplytimelonger than "Latency" or even no response longer than

"CheckingTimeout","Fail"countwillbeincreased.Ifitis continuousand"Fail"countismorethan"FailThreshold", gateway will do exception handingprocess and reinitial this connection again . Otherwise, network monitoring processwillbestartagain. 31 M2MCellularGateway SetupEthernetCommonConfiguration EthernetWANCommonConfiguration Item Valuesetting ConnectionControl AMustfilledsetting MaximumIdleTime 1.AnOptionalsetting 2.Bydefault600 secondsisfilledin MTUSetup 1.AnOptionalsetting 2.Uncheckbydefault MTUSetup NAT 1. AMustfilledsetting 2. Auto(valuezero)is setbydefault 3. Manualsetrange 1200~1500 1. Anoptionalsetting 2. NATisenabledby default NetworkMonitoring 1. Anoptionalsetting 2. Enabledbydefault Description Therearethree connection modes. AutoreconnectenablestheroutertoalwayskeeptheInternet connectionon. Connectondemandenablestheroutertoautomaticallyre establishInternetconnectionassoonasuserattemptstoaccess theInternet.Internetconnectionwillbedisconnectedwhenithas beeninactiveforaspecifiedidletime. ConnectManuallyallowsusertoconnecttoInternetmanually. Internetconnectionwillbeinactiveafterithasbeeninactivefor specifiedidletime. SpecifythemaximumIdletimesettingtodisconnecttheinternet connectionwhentheconnectionidletimedout. ValueRange:300~86400. Note:ThisfieldisavailableonlywhenConnectondemandorConnect Manuallyisselectedastheconnectioncontrolscheme. ChecktheEnableboxtoenabletheMTU(MaximumTransmissionUnit) limit,andspecifytheMTUforthe3G/4Gconnection. MTUreferstoMaximumTransmissionUnit.Itspecifiesthelargestpacket sizepermittedforInternettransmission. ValueRange:1200~1500. MTUreferstoMaximumTransmissionUnit.Itspecifiesthelargestpacket sizepermittedforInternettransmission. WhensettoAuto(value0),therouterselectsthebestMTUforbest Internetconnectionperformance. EnableNATtoapplyNATontheWANconnection.Unchecktheboxto disableNATfunction. When theNetworkMonitoringfeatureisenabled,thegateway willuse DNSQueryorICMPtoperiodicallycheckInternetconnectionconnected ordisconnected. ChooseeitherDNSQueryorICMPCheckingtodetectWANlink. WithDNSQuery,thesystemcheckstheconnectionbysendingDNS QuerypacketstothedestinationspecifiedinTarget1andTarget2. WithICMPChecking,thesystemwillcheckconnectionbysending ICMPrequestpacketstothedestinationspecifiedinTarget1and Target2. LoadingCheck EnableLoadingCheckallowstheroutertoignoreunreturnedDNS QueriesorICMPrequestswhenWANbandwidthisfullyoccupied. Thisistopreventfalselinkdownstatus. CheckIntervaldefinesthetransmittingintervalbetweentwoDNS QueryorICMPcheckingpackets. CheckTimeoutdefinesthetimeoutofeachDNSquery/ICMP. LatencyThresholddefinesthetolerancethresholdofresponding time. FailThresholdspecifiesthedetecteddisconnectionbeforetherouter recognizetheWANlinkdownstatus.Enteranumberofdetecting 32 M2MCellularGateway DNS1:settheprimaryDNStobethetarget. DNS2:setthesecondaryDNStobethetarget. Gateway:settheCurrentgatewaytobethetarget. OtherHost:enteranIPaddresstobethetarget. disconnectiontimestobethe thresholdbeforedisconnection is acknowledged. Target1(DNS1setbydefault)specifiesthefirsttargetofsendingDNS query/ICMPrequest. Target2(Nonesetbydefault)specifiesthesecondtargetofsending DNSquery/ICMPrequest. None:todisableTarget2. DNS1:settheprimaryDNStobethetarget. DNS2:setthesecondaryDNStobethetarget. Gateway:settheCurrentgatewaytobethetarget. OtherHost:enteranIPaddresstobethetarget. EnableIGMP(InternetGroupManagementProtocol)wouldenablethe routertolistentoIGMPpacketstodiscoverwhichinterfacesareconnected towhichdevice.Therouterusestheinterfaceinformationgeneratedby IGMPtoreducebandwidthconsumptioninamultiaccessnetwork environmenttoavoidfloodingtheentirenetwork. EnableWANIPAlias thenentertheIPaddressprovidedbyyourservice provider. WANIPAliasisusedbythedevicerouterandistreatedasasecondsetof WANIPtoprovidedualWANIPaddresstoyourLANnetwork. ClickSave tosavethesettings. ClickUndo tocancelthesettings. 33 IGMP WANIPAlias Save Undo 1.AMustfilledsetting 2.Disableissetby default 1.Anoptionalsetting 2.Uncheckbydefault N/A N/A M2MCellularGateway InternetConnection3G/4GWAN PreferredSIMCardDualSIMFailOver For3G/4Gembeddeddevice,oneembeddedcellularmodulecancreateonlyoneWANinterface.Thisdevice hasfeaturedbyusingdualSIMcardsforonemodulewithspecialfailovermechanism.ItiscalledDualSIM Failover.ThisfeatureisusefulforISPswitchoverwhenlocationischanged.WithinDualSIMFailover,there arevarioususagescenarios,including"SIMAFirst","SIMBFirstwithFailbackenabledornot,andSIMA OnlyandSIMBOnly. 34 M2MCellularGateway SIMA/SIMBonly:WhenSIMAOnlyorSIMBOnlyisused,thespecifiedSIMslotcardistheonlyoneto beusedfornegotiationparametersbetweengatewaydeviceandcellularISP. SIMA/SIMBfirstwithoutenableFailback By default, SIMA First scenario is used to connect to cellular ISP for datatransfer.InthecaseofSIMAFirstorSIMBFirstscenario,the gatewaywilltrytoconnecttotheInternetbyusingSIMAorSIMBcard first.Andwhentheconnectionisbroken,thegatewaywillswitchtouse theotherSIMcardforanalternateautomaticallyandwillnotswitchback to use original SIM card except current SIM connection is also broken. That is, SIMA and SIMB are used iteratively, but either one will keep beingusedfordatatransferwhencurrentconnectionisstillalive. SIMA/SIMBfirstwithFailbackenable With Failback option enabled, SIMA First scenario is usedtoconnectwhentheconnectionisbroken,gateway system will switch to use SIMB. And when SIMA connectionisrecovered,itwillswitchbacktouseoriginal SIMAcard Configure3G/4GWANSetting WhenEditbuttonisapplied,InternetConnectionConfiguration,and3G/4GWANConfigurationscreenswill appear. 35 M2MCellularGateway 3G/4GConnectionConfiguration Item Valuesetting 1. AMustfilledsetting 2. 3G/4Gissetby default. WANType PreferredSIMCard 1.AMustfilledsetting 2.BydefaultSIMAFirst isselected 3.Failbackisunchecked bydefault AutoFlightMode Theboxisuncheckedby default Description Fromthedropdownbox,select Internetconnectionmethodfor3G/4G WANConnection.Only3G/4Gisavailable. ChoosewhichSIMcardyouwanttousefortheconnection. WhenSIMAFirstorSIMBFirstisselected,itmeanstheconnectionisbuilt firstbyusingSIMA/SIMB.Andiftheconnectionisfailed,itwillchangeto theotherSIMcardandtrytodialagain,untiltheconnectionisup. WhenSIMAonlyorSIMBonlyisselected,itwilltrytodialuponlyusing theSIMcardyouselected. WhenFailbackischecked,itmeansiftheconnectionisdialedupnotusing themainSIMyouselected,itwillfailbacktothemainSIMandtryto establishtheconnectionperiodically. Note_1:FortheproductwithsingleSIMdesign,onlySIMAOnlyoptionis available. Note_2:FailbackisavailableonlywhenSIMAFirstorSIMBFirstis selected. ChecktheEnable boxtoactivatethefunction. Bydefault,ifyoudisabledtheAutoFlightMode,thecellularmodulewill alwaysoccupyaphysicalchannelwithcellulartower.Itcangetdata connectioninstantly,andreceivemanagingSMSallthetimeonrequired. IfyouenabledtheAutoFlightMode,thegatewaywillpopupamessage Flightmodewillcausecellularfunctiontobemalfunctionedwhenthe datasessionisoffline.,anditwillmakethecellularmoduleintoflight modeanddisconnectedwithcellulartowerphycially.In,addition, wheneverthecellularmoduleisgoingtobeusedfordataconnectionto backupthefailedprimaryconnection,thecellularmodulewillbeactiveto connectwithcellulartowerandgetthedataconnectionforuse,Ittakes fewmoreseconds. Note:KeepituncheckedunlessyourcellularISPaskedtheconnected gatewaytoenabletheAutoFlightMode. ConfigureSIMA/SIMBCard Hereyoucansetconfigurationsforthecellularconnectionaccordingtoyoursituationorrequirement. 36 M2MCellularGateway Note_1:ConfigurationsofSIMBCardfollowsthesameruleofConfigurationsofSIMACard,herewelistSIM Aastheexample. Note_2:BothConnectionwithSIMACardandConnectionwithSIMBCardwillpopuponlywhentheSIMA FirstorSIMBFirstisselected,otherwiseitonlypopsoutoneofthem. ConnectionwithSIMA/BCard Item Valuesetting NetworkType 1.AMustfilledsetting 2.BydefaultAutois selected DialUpProfile 1.AMustfilledsetting 2.BydefaultManual configurationisselected Description SelectAuto toregisteranetworkautomatically,regardlessofthenetwork type. Select2GOnlytoregisterthe2Gnetworkonly. Select2GPrefertoregisterthe2Gnetworkfirstifitisavailable. Select3Gonlytoregisterthe3Gnetworkonly. Select3GPrefertoregisterthe3Gnetworkfirstifitisavailable. SelectLTEonlytoregistertheLTEnetworkonly. Note:Optionsmaybedifferentduetothespecificationofthemodule. Specifythetypeofdialupprofileforyour3G/4Gnetwork.Itcanbe Manualconfiguration,APNProfileList,orAutodetection. SelectManualconfigurationtosetAPN(AccessPointName),DialNumber, Account,andPasswordtowhatyourcarrierprovides. SelectAPNProfileListtosetmorethanoneprofiletodialupinturn,until theconnectionisestablished.Itwillpopupanewfiled,pleasegotoBasic Network>WAN&Uplink>InternetSetup>SIMAAPNProfileListfor details. 37 M2MCellularGateway SelectAutodetection toautomaticallybringoutallconfigurationsneeded whiledialingup,bycomparingtheIMSIoftheSIMcardtotherecordlisted inthemanufacturersdatabase. Note_1:YouarehighlyrecommendedtoselecttheManualorAPNProfile Listtospecifythenetworkforyoursubscription.YourISPalwaysprovides suchnetworksettingsforthesubscribers. Note_2:IfyouselectAutodetection,itislikelytoconnecttoimproper network,orfailedtofindavalidAPNforyourISP. EntertheAPN youwanttousetoestablishtheconnection. ThisisamustfilledsettingifyouselectedManualconfigurationasdialup profilescheme. SpecifytheIPtypeofthenetworkserveiceprovidedbyyour3G/4G network.ItcanbeIPv4,IPv6,orIPv4/6. Enter the PIN (Personal IdentificationNumber)codeifitneedsto unlock yourSIMcard. EntertheoptionalDialNumber,Account,andPasswordsettingsifyourISP providedsuchsettingstoyou. Note: These settings are only displayed when Manualconfiguration is selected. SelectPAP (PasswordAuthenticationProtocol)andusesuchprotocoltobe authenticatedwiththecarriersserver. SelectCHAP(ChallengeHandshakeAuthenticationProtocol)andusesuch protocoltobeauthenticatedwiththecarriersserver. WhenAutoisselected,itmeansitwillauthenticatewiththeservereither PAPorCHAP. WhenDynamicIP isselected,itmeansitwillgetallIPconfigurationsfrom thecarriersserverandsettothedevicedirectly. Ifyouhavespecificapplicationprovidedbythecarrier,andwanttosetIP configurationsonyourown,youcanswitchtoStaticIPmodeandfillinall parametersthatrequired,suchasIPaddress,subnetmaskandgateway. Note:IPSubnetMaskisamustfilledsetting,andmakesureyouhavethe rightconfiguration.Otherwise,theconnectionmaygetissues. EntertheIPaddresstochangetheprimaryDNS(DomainNameServer) setting.Ifitisnotfilledin,theserveraddressisgivenbythecarrierwhile dialingup. EntertheIPaddresstochangethesecondaryDNS(DomainNameServer) setting.Ifitisnotfilledin,theserveraddressisgivenbythecarrierwhile dialingup. Checktheboxtoestablishtheconnectioneventheregistrationstatusis roaming,notinhomenetwork. Note:Itmaycostadditionalchargesiftheconnectionisunderroaming. 1.AMustfilledsetting 2.Stringformat:any text 1.AMustfilledsetting 2.BydefaultIPv4is selected 1.AnOptionalsetting 2.Stringformat:

interger 1.AnOptionalsetting 2.Stringformat:any text 1.AMustfilledsetting 2.BydefaultAutois selected 1.AMustfilledsetting 2.BydefaultDynamicIP isselected 1.AnOptionalsetting 2.Stringformat:IP address(IPv4type) 1.AnOptionalsetting 2.Stringformat:IP address(IPv4type) Theboxisuncheckedby default APN IPType PINcode DialNumber, Account, Password Authentication IPMode PrimaryDNS SecondaryDNS Roaming Create/EditSIMA/SIMBAPNProfileList YoucanaddanewAPNprofilefortheconnection,ormodifythecontentoftheAPNprofileyouadded.Itis availableonlywhenyouselectDialUpProfileasAPNProfileList. 38 M2MCellularGateway ListalltheAPNprofileyoucreated,easilyforyoutocheckandmodify.Itisavailableonlywhenyouselect DialUpProfileasAPNProfileList. WhenAddbuttonisapplied,anAPNProfileConfigurationscreenwillappear. SIMA/BAPNProfileConfiguration Item ProfileName APN IPType Account Password Authentication Priority Profile Save Undo Valuesetting 1.BydefaultProfilexis listed 2.Stringformat:anytext Stringformat:anytext 1.AMustfilledsetting 2.BydefaultIPv4is selected Stringformat:anytext Stringformat:anytext 1.AMustfilledsetting 2.BydefaultAutois selected 1.AMustfilledsetting 2.Stringformat:integer Theboxischeckedby default N/A N/A Description Entertheprofilenameyouwanttodescribeforthisprofile. EntertheAPN youwanttousetoestablishtheconnection. SpecifytheIPtypeofthenetworkserveiceprovidedbyyour3G/4G network.ItcanbeIPv4,IPv6,orIPv4/6. EntertheAccount youwanttousefortheauthentication. ValueRange:0~53characters. EnterthePassword youwanttousefortheauthentication. SelecttheAuthenticationmethodforthe3G/4Gconnection. ItcanbeAuto,PAP,CHAP,orNone. Enterthevalueforthedialinguporder.Thevalidvalueisfrom1to16.It willstarttodialupwiththeprofilethatassignedwiththesmallestnumber. ValueRange:1~16. Checktheboxtoenablethisprofile. Unchecktheboxtodisablethisprofileindialingupaction. ClicktheSavebuttontosavetheconfiguration. ClicktheUndobuttontorestorewhatyoujustconfiguredbacktothe previoussetting. 39 M2MCellularGateway Back N/A WhentheBackbuttonisclicked,thescreenwillreturntotheprevious page. Setup3G/4GConnectionCommonConfiguration Hereyoucanchangecommonconfigurationsfor3G/4GWAN. 3G/4GConnectionCommonConfiguration Item Valuesetting ConnectionControl BydefaultAuto reconnectisselected 1.AnOptionalsetting 2.Bydefault600 secondsisfilledin 1.AMustfilledsetting 2.Bydefault(0)Always isselected 1.AnOptionalsetting 2.Uncheckbydefault MaximumIdleTime TimeSchedule MTUSetup Description WhenAutoreconnect isselected,itmeansitwilltrytokeepthe Internet connectiononallthetimewheneverthephysicallinkisconnected. WhenConnectondemandisselected,itmeanstheInternetconnection willbeestablishedonlywhendetectingdatatraffic. WhenConnectManuallyisselected,itmeansyouneedtoclickthe Connectbuttontodialuptheconnectionmanually.PleasegotoStatus>

BasicNetwork>WAN&Uplinktabfordetails. Note:IftheWANinterfaceservesastheprimaryoneforanotherWAN interfaceinFailoverrole(andviceversa),theConnectionControl parameterwillnotbeavailableonbothWANsasthesystemmustsetitto Autoreconnect SpecifythemaximumIdletimesettingtodisconnecttheinternet connectionwhentheconnectionidletimedout. ValueRange:300~86400. Note:ThisfieldisavailableonlywhenConnectondemandorConnect Manuallyisselectedastheconnectioncontrolscheme. When(0)Always isselected,itmeansthisWANisunderoperationallthe time.Onceyouhavesetotherschedulerules,therewillbeotheroptionsto select.PleasegotoObjectDefinition>Schedulingfordetails. ChecktheEnableboxtoenabletheMTU(MaximumTransmissionUnit) limit,andspecifytheMTUforthe3G/4Gconnection. MTUreferstoMaximumTransmissionUnit.Itspecifiesthelargestpacket sizepermittedforInternettransmission. 40 M2MCellularGateway IPPassthrough

(CellularBridge) NAT IGMP WANIPAlias 1.Theboxisunchecked bydefault 2.StringformatforFixed MAC:

MACaddress,e.g. 00:50:18:aa:bb:cc Checkbydefault BydefaultDisableis selected 1.Uncheckedbydefault 2.Stringformat:IP address(IPv4type) ValueRange: 1200~1500. WhenEnable boxischecked,itmeansthedevicewilldirectlyassignthe WANIPtothefirstconnectedlocalLANclient. However,whenanoptionalFixedMACisfilledinanonzerovalue,it meansonlytheclientwiththisMACaddresscangettheWANIPaddress. Note:WhentheIPPassthroughison,NATandWANIPAliaswillbe unavailableuntilthefunctionisdisabledagain. UnchecktheboxtodisableNAT (NetworkAddressTranslation)function. SelectAuto to enableIGMP function. ChecktheEnableboxtoenableIGMPProxy. ChecktheboxtoenableWANIPAlias,andfillintheIPaddressyouwantto assign. NetworkMonitoringConfiguration Valuesetting Item 1.Anoptionalsetting NetworkMonitoring 2.Boxischeckedby Configuration default CheckingMethod 1.AnOptionalsetting 2.DNSQueryissetby default LoadingCheck 1.Anoptionalsetting 2.Boxischeckedby default Description ChecktheEnable boxtoactivatethenetworkmonitoringfunction. ChooseeitherDNSQuery orICMPCheckingtodetectWANlink. WithDNSQuery,thesystemcheckstheconnectionbysendingDNSQuery packetstothedestinationspecifiedinTarget1andTarget2. WithICMPChecking,thesystemwillcheckconnectionbysendingICMP requestpacketstothedestinationspecifiedinTarget1andTarget2. QueryIntervaldefinesthetransmittingintervalbetweentwoDNSQueryor ICMPcheckingpackets. ChecktheEnable boxtoactivatetheloadingcheckfunction. EnableLoadingCheckallowsthegatewaytoignoreunreturnedDNS queriesorICMPrequestswhenWANbandwidthisfullyoccupied.Thisisto preventfalselinkdownstatus. LatencyThresholddefinesthetolerancethresholdofrespondingtime. 41 M2MCellularGateway FailThreshold specifies thedetecteddisconnectionbeforetherouter recognizetheWANlinkdownstatus.Enteranumberofdetecting disconnectiontimestobethethresholdbeforedisconnectionis acknowledged. Target1 specifies thefirsttargetofsendingDNSquery/ICMPrequest. DNS1:settheprimaryDNStobethetarget. DNS2:setthesecondaryDNStobethetarget. Gateway:settheCurrentgatewaytobethetarget. OtherHost:enteranIPaddresstobethetarget. Target1 specifies thesecond targetofsendingDNSquery/ICMPrequest. None:nosecondtargetisrequired. DNS1:settheprimaryDNStobethetarget. DNS2:setthesecondaryDNStobethetarget. Gateway:settheCurrentgatewaytobethetarget. OtherHost:enteranIPaddresstobethetarget. ClickSave tosavethesettings. ClickUndo tocancelthesettings. Target1 Target2 Save Undo 1.AnOptionalfilled setting 2.DNS1isselectedby default 1.AnOptionalfilled setting 2.Noneisselectedby default N/A N/A 42 M2MCellularGateway 2.2LAN&VLAN ThissectionprovidestheconfigurationofLANandVLAN.VLANisanoptionalfeature,anditdependsonthe productspecificationofthepurchasedgateway. 2.2.1EthernetLAN The Local Area Network (LAN) can be used to share data or files among computers attached to a network. Following diagram the network that wired and interconnects computers. PleasefollowthefollowinginstructionstodoIPv4EthernetLANSetup. illustrates Configuration Item Valuesetting IPMode N/A LANIP Address 1.AMustfilledsetting 2.192.168.123.254issetby default SubnetMask 1.AMustfilledsetting 2.255.255.255.0(/24)isset Description ItshowstheLANIPmodeforthegatewayaccordingtherelatedconfiguration. StaticIP:IfthereisatleastoneWANinterfaceactivated,theLANIPmodeis fixedinStaticIPmode. DynamicIP:IfalltheavailableWANinferfacesaredisabled,theLANIPmode canbeDynamicIPmode. EnterthelocalIPaddressofthisdevice. Thenetworkdevice(s)onyournetworkmustusetheLANIPaddressofthis deviceastheirDefaultGateway.Youcanchangeitifnecessary. Note:ItsalsotheIPaddressofwebUI.Ifyouchangeit,youneed totypenewIPaddressinthebrowsertoseewebUI. Selectthesubnetmaskforthisgatewayfromthedropdownlist. Subnetmaskdefineshowmanyclientsareallowedinonenetworkorsubnet. 43 M2MCellularGateway bydefault Save Undo N/A N/A Thedefaultsubnetmaskis255.255.255.0(/24),anditmeansmaximum254IP addressesareallowedinthissubnet.However,oneofthemisoccupiedbyLAN IPaddressofthisgateway,sotherearemaximum253clientsallowedinLAN network. ValueRange:255.0.0.0(/8)~255.255.255.252(/30). ClicktheSavebuttontosavetheconfiguration ClicktheUndobuttontorestorewhatyoujustconfiguredbacktotheprevious setting. Create/EditAdditionalIP ThisgatewayprovidestheLANIPaliasfunctionforsomespecialmanagementconsideration.Youcanadd additionalLANIPforthisgateway,andaccesstothisgatewaywiththeadditionalIP. WhenAddbuttonisapplied,AdditionalIPConfigurationscreenwillappear. Configuration Item Name Interface IPAddress SubnetMask Valuesetting

.1AnOptionalSetting 1.AMustfilledsetting 2.loissetbydefault 1.AnOptionalsetting 2.192.168.123.254issetby default 1.AMustfilledsetting 2.255.255.255.0(/24)isset bydefault Description EnterthenameforthealiasIPaddress. SpecifytheInterfacetype.Itcanbeloorbr0. EntertheadditionIPaddressforthisdevice. Selectthesubnetmaskforthisgatewayfromthedropdownlist. Subnetmaskdefineshowmanyclientsareallowedinonenetworkorsubnet. Thedefaultsubnetmaskis255.255.255.0(/24),anditmeansmaximum254IP addressesareallowedinthissubnet.However,oneofthemisoccupiedbyLAN IPaddressofthisgateway,sotherearemaximum253clientsallowedinLAN 44 M2MCellularGateway Save NA network. ValueRange:255.0.0.0(/8)~255.255.255.255(/32). ClicktheSavebuttontosavetheconfiguration 45 M2MCellularGateway 2.2.2VLAN VLAN(VirtualLAN)isalogicalnetworkunderacertainswitchorrouterdevicetogroupclienthostswitha specificVLANID.ThisgatewaysupportsbothPortbasedVLANandTagbasedVLAN.Thesefunctionsallow you to divide local network into different virtual LANs. It is common requirement for some application scenario.Forexample,therearevariousdepartmentswithinSMB.Allclienthostsinthesamedepartment should own common access privilege and QoS property. You can assign departments either by portbased VLANortagbasedVLANasagroup,andthenconfigureitbyyourplan.Insomecases,ISPmayneedrouterto supportVLANtagforcertainkindsofservices(e.g.IPTV).Youcangroupalldevicesrequiredthisserviceas onetagbasedVLAN. If the gateway has only one physical Ethernet LAN port, only very limited configuration is available if you enablethePortbasedVLAN. PortbasedVLAN PortbasedVLANfunctioncangroupEthernetports,Port1~Port4,andWiFiVirtualAccessPoints,VAP1~

VAP8,togetherfordifferentiatedserviceslikeInternetsurfing,multimediaenjoyment,VoIPtalking,andsoon. Twooperationmodes,NATandBridge,canbeappliedtoeachVLANgroup.OneDHCPservercanbeallocated foraNATVLANgrouptoletgrouphostmembergetitsIPaddress.Thus,eachhostcansurfInternetviathe NATmechanismofbusinessaccessgateway.Inbridgemode,IntranetpacketflowisdeliveredoutWANtrunk portwithVLANtagtoupperlinkfordifferentservices. AportbasedVLANisagroupofportsonanEthernetorVirtualAPsofWiredorWirelessGatewaythatforma logicalLANsegment.Followingisanexample. Forexample,inacompany,administratorschemesout3networksegments,Lobby/MeetingRoom,Office, and Data Center. In a Wireless Gateway, administrator can configure Lobby/Meeting Room segment with VLAN ID 3. The VLAN group includes Port3 and VAP8 (SSID: Guest) with NAT mode and DHCP3 server equipped.HealsoconfigureOfficesegmentwithVLANID2.TheVLANgroupincludesPort2andVAP1(SSID:

46 M2MCellularGateway Staff)withNATmodeandDHCP2serverequipped.Atlast,administratoralsoconfigureDataCentersegment with VLAN ID 1. The VLAN group includes Port1 with NAT mode to WAN interface as shown in following diagram. Aboveisthegeneralcasefor3EthernetLANportsinthegateway.ButifthedevicejusthasoneEthernetLAN port,therewillbeonlyoneVLANgroupforthedevice.Undersuchsituation,itstillsupportsboththeNATand BridgemodeforthePortbasedVLANconfiguration. TagbasedVLAN TagbasedVLANfunctioncangroupEthernetports,Port1~Port4,andWiFiVirtualAccessPoints,VAP1~

VAP8,togetherwithdifferentVLANtagsfordeployingsubnetsinIntranet.Allpacketflowscancarrywith different VLAN tags even at the same physical Ethernet port for Intranet. These flows can be directed to differentdestinationbecausetheyhavedifferentiatedtags.Theapproachisveryusefultogroupsomehosts atdifferentgeographiclocationtobeinthesameworkgroup. TagbasedVLANisalsocalledaVLANTrunk.TheVLANTrunkcollectsallpacketflowswithdifferentVLANIDs fromRouterdeviceanddeliversthemintheIntranet.VLANmembershipinataggedVLANisdeterminedby VLANIDinformationwithinthepacketframesthatarereceivedonaport.Administratorcanfurtherusea VLANswitchtoseparatetheVLANtrunktodifferentgroupsbasedonVLANID.Followingisanexample. 47 M2MCellularGateway Forexample,inacompany,administratorschemesout3networksegments,Lab,MeetingRooms,andOffice. InaSecurityVPNGateway,administratorcanconfigureOfficesegmentwithVLANID12.TheVLANgroupis equippedwithDHCP3servertoconstructa192.168.12.xsubnet.HealsoconfigureMeetingRoomssegment with VLAN ID 11. The VLAN group is equipped with DHCP2 server to construct a 192.168.11.x subnet for Intranetonly.Thatis,anyclienthostinVLAN11groupcantaccesstheInternet.Atlast,heconfiguresLab segmentwithVLANID10.TheVLANgroupisequippedwithDHCP1servertoconstructa192.168.10.xsubnet. 48 M2MCellularGateway VLANGroupsAccessControl Administrator can specify the Internet access permissionfor allVLAN groups. He can also configure which VLANgroupsareallowedtocommunicatewitheachother. VLANGroupInternetAccess AdministratorcanspecifymembersofoneVLANgrouptobeabletoaccessInternetornot.Followingisan example that VLAN groups of VID is 2 and 3 can access Internet but the one with VID is 1 cannot access Internet. That is, visitors in meeting room and staffs in office network can access Internet. But the computers/serversindatacentercannotaccessInternetsincesecurityconsideration.Serversindatacenter onlyfortrustedstaffsorareaccessedinsecuretunnels. 49 M2MCellularGateway InterVLANGroupRouting:

InPortbasedtagging,administratorcanspecifymemberhostsofoneVLANgrouptobeabletocommunicate withtheonesofanotherVLANgroupornot.Thisisacommunicationpair,andoneVLANgroupcanjoinmany communication pairs. But communication pair doesnt have the transitive property. That is, A can communicatewithB,andBcancommunicatewithC,itdoesntimplythatAcancommunicatewithC.An exampleisshownatfollowingdiagram.VLANgroupsofVIDis1and2canaccesseachotherbuttheones betweenVID1andVID3andbetweenVID2andVID3cant. 50 M2MCellularGateway VLANSetting GotoBasicNetwork>LAN&VLAN>VLANTab. TheVLANfunctionallowsyoutodividelocalnetworkintodifferentvirtualLANs.TherearePortbasedand TagbasedVLANtypes.Selectonethatapplies. Configuration Item VLANType Valuesetting Portbasedisselectedby default Description Select theVLANtypethatyouwanttoadopt fororganizingyoulocalsubnets. Portbased:PortbasedVLANallowsyoutoaddruleforeachLANport,andyou candoadvancedcontrolwithitsVLANID. Tagbased:TagbasedVLANallowsyoutoaddVLANID,andselectmemberand DHCPServerforthisVLANID.GotoTagbasedVLANListtable. ClicktheSavebuttontosavetheconfiguration Save NA PortbasedVLANCreate/EditVLANRules TheportbasedVLANallowsyoutocustomeachLANport.Thereisadefaultruleshowstheconfigurationofall LANports.Also,ifyourdevicehasaDMZport,youwillseeDMZconfiguration,too.Themaximarulenumbers isbasedonLANportnumbers. WhenAddbuttonisapplied,PortbasedVLANConfigurationscreenwillappear,whichisincluding3sections:

PortbasedVLANConfiguration,IPFixedMappingRuleList,andInterVLANGroupRouting(enterthrougha button) PortbasedVLANConfiguration 51 M2MCellularGateway PortbasedVLANConfiguration Item Valuesetting 1.AMustfilledsetting 2.Stringformat:already havedefaulttexts AMustfilledsetting Name VLANID VLANTagging Disableisselectedby default. NAT/Bridge PortMembers NATisselectedbydefault. Theseboxisuncheckedby default. 52 Description DefinetheName ofthisrule.Ithasadefaulttextandcannotbemodified. Definethe VLANIDnumber,rangeis1~4094. TheruleisactivatedaccordingtoVLANID andPortMembersconfiguration whenEnableisselected. TheruleisactivatedaccordingPortMembersconfigurationwhenDisableis selected. SelectNAT modeorBridge modefortherule. SelectwhichLANport(s) andVAP(s) thatyouwanttoaddtotherule. Note:Theavailablememberlistcanbedifferentforthepurchasedproduct. M2MCellularGateway WAN&WAN VIDtoJoin LANIP Address SubnetMask AllWANsisselectedby default. AMustfilledsetting 255.255.255.0(/24)is selectedbydefault. DHCPServer

/Relay DHCPServer IPAddress

(forDHCP Relayonly) DHCPServer Name Serverisselectedbydefault. AMustfilledsetting AMustfilledsetting IPPool AMustfilledsetting LeaseTime AMustfilledsetting DomainName PrimaryDNS Secondary DNS PrimaryWINS Secondary WINS Gateway Enable Save Stringformatcanbeany text IPv4format IPv4format IPv4format IPv4format IPv4format Theboxisuncheckedby default. NA Undo NA SelectwhichWAN orAllWANs thatallowaccessingInternet. Note:IfBridgemodeisselected,youneedtoselectaWANandenteraVID. Assignan IPAddressfortheDHCPServerthattheruleused,thisIPaddressisa gatewayIP. Selecta SubnetMask fortheDHCPServer. DefinetheDHCPServertype. Therearethreetypesyoucanselect:Server,Relay,andDisable. Relay:SelectRelaytoenableDHCPRelayfunctionfortheVLANgroup,andyou onlyneedtofilltheDHCPServerIPAddressfield. Server:SelectServertoenableDHCPServerfunctionfortheVLANgroup,and youneedtospecifytheDHCPServersettings. Disable:SelectDisabletodisabletheDHCPServerfunctionfortheVLANgroup. IfyouselectRelay typeofDHCPServer,assignaDHCPServerIPAddress that thegatewaywillrelaytheDHCPrequeststotheassignedDHCPserver. DefinenameoftheDHCPServer forthespecifiedVLANgroup. DefinetheIPPoolrange. ThereareStartingAddressandEndingAddressfields.IfaclientrequestsanIP addressfromthisDHCPServer,itwillassignanIPaddressintherangeofIP pool. DefineaperiodoftimeforanIPAddressthattheDHCPServerleasestoanew device.Bydefault,theleasetimeis86400seconds. TheDomainNameofthisDHCPServer. ValueRange:0~31characters. ThePrimaryDNSofthisDHCPServer. TheSecondaryDNSofthisDHCPServer. ThePrimaryWINSofthisDHCPServer. TheSecondaryWINSofthisDHCPServer. TheGatewayofthisDHCPServer. ClickEnableboxtoactivatethisrule. ClicktheSavebuttontosavetheconfiguration ClicktheUndobuttontorestorewhatyoujustconfiguredbacktotheprevious setting. 53 M2MCellularGateway Besides,youcanaddsomeIPrulesintheIPFixedMappingRuleListifDHCPServerfortheVLANgroupsis required. WhenAddbuttonisapplied,MappingRuleConfigurationscreenwillappear. MappingRuleConfiguration Valuesetting Item MACAddress AMustfilledsetting IPAddress AMustfilledsetting Enable Save Theboxisuncheckedby default. NA Description DefinetheMACAddresstargetthattheDHCPServerwantstomatch. DefinetheIPAddressthattheDHCPServerwillassign. IfthereisarequestfromtheMACAddressfilledintheabovefield,theDHCP ServerwillassignthisIPAddresstotheclientwhoseMACAddressmatchedthe rule. ClickEnableboxtoactivatethisrule. ClicktheSavebuttontosavetheconfiguration Note:ensuretoalwaysclickonApplybuttontoapplythechangesafterthewebbrowserrefreshedtakenyou backtotheVLANpage. 54 M2MCellularGateway PortbasedVLANInterVLANGroupRouting ClickVLANGroupRoutingbutton,theVLANGroupInternetAccessDefinitionandInterVLANGroupRouting screenwillappear. WhenEditbuttonisapplied,ascreensimilartothiswillappear. InterVLANGroupRouting Item Valuesetting VALNGroup Internet Access Definition Allboxesarecheckedby default. InterVLAN GroupRouting Theboxisuncheckedby default. Save N/A Description Bydefault,allboxesarecheckedmeansallVLANIDmembersareallowto accessWANinterface. IfuncheckacertainVLANIDbox,itmeanstheVLANIDmembercantaccess Internetanymore. Note:VLANID1isavailablealways;itisthedefaultVLANIDofLANrule.The otherVLANIDsareavailableonlywhentheyareenabled. ClicktheexpectedVLANIDsboxtoenabletheInterVLANaccessfunction. Bydefault,membersindifferentVLANIDscantaccesseachother.Thegateway supportsupto4rulesforInterVLANGroupRouting. Forexample,ifID_1andID_2arechecked,itmeansmembersinVLANID_1can accessmembersofVLANID_2,andviceversa. ClicktheSavebuttontosavetheconfiguration 55 M2MCellularGateway TagbasedVLANCreate/EditVLANRules The Tagbased VLAN allows you to customize each LAN port according to VLAN ID. There is a default rule showstheconfigurationofallLANportsandallVAPs.Also,ifyourdevicehasaDMZport,youwillseeDMZ configuration,too.Theroutersupportsuptoamaximumof128tagbasedVLANrulesets. WhenAddbuttonisapplied,TagbasedVLANConfigurationscreenwillappear. TagbasedVLANConfiguration Item VALNID Internet Access Port Valuesetting AMustfilledsetting Theboxischeckedby default. Theboxisuncheckedby default. Theboxisuncheckedby default. DHCP1isselectedby default. VAP DHCPServer Save N/A Description Definethe VLANID number,rangeis6~4094. ClickEnable boxtoallowthemembersintheVLANgroupaccesstointernet. ChecktheLANportbox(es)tojointheVLANgroup. ChecktheVAP box(es)tojointheVLANgroup. Note:OnlythewirelessgatewayhastheVAPlist. Select aDHCPServer tothesemembersofthisVLANgroup. TocreateoreditDHCPserverforVLAN,refertoBasicNetwork>LAN&VLAN>

DHCPServer. ClickSavebuttontosavetheconfiguration Note:AfterclickingSavebutton,alwaysclickApplybuttontoapplythesettings. 56 M2MCellularGateway 2.2.3DHCPServer DHCPServer Thegatewaysupportsupto4DHCPserverstofulfilltheDHCPrequestsfromdifferentVLANgroups(please refer to VLAN section for getting more usage details). And there is one default setting for whose LAN IP AddressisthesameoneofgatewayLANinterface,withitsdefaultSubnetMasksettingas255.255.255.0, anditsdefaultIPPoolrangesisfrom.100to.200asshownattheDHCPServerListpageongateways WEBUI. UsercanaddmoreDHCPserverconfigurationsbyclickingontheAddbuttonbehindDHCPServerList,or clickingontheEditbuttonattheendofeachDHCPServeronlisttoedititscurrentsettings.Besides,user canselectaDHCPServeranddeleteitbyclickingontheSelectcheckboxandtheDeletebutton. 57 M2MCellularGateway FixedMapping UsercanassignfixedIPaddresstomapthespecificclientMACaddressbyselectthemthencopy,whentargets werealreadyexistedintheDHCPClientList,ortoaddsomeotherMappingRulesbymanuallyinadvance, oncethetarget'sMACaddresswasnotreadytoconnect. 58 M2MCellularGateway DHCPServerSetting GotoBasicNetwork>LAN&VLAN>DHCPServerTab. TheDHCPServersettingallowsusertocreateandcustomizeDHCPServerpoliciestoassignIPAddressesto thedevicesonthelocalareanetwork(LAN). Create/EditDHCPServerPolicy ThegatewayallowsyoutocustomyourDHCPServerPolicy.IfmultipleLANportsareavailable,youcandefine onepolicyforeachLAN(orVLANgroup),anditsupportsuptoamaximumof4policysets. WhenAddbuttonisapplied,DHCPServerConfigurationscreenwillappear. 59 M2MCellularGateway IPPool LeaseTime SubnetMask LANIP Address DHCPServerConfiguration Valuesetting Item 1.Stringformatcanbeany DHCPServer text Name 2.AMustfilledsetting 1.IPv4format. 2.AMustfilledsetting 255.0.0.0(/8)issetby default 1.IPv4format. 2.AMustfilledsetting 1.Numbericstringformat. 2.AMustfilledsetting Stringformatcanbeany text IPv4format IPv4format IPv4format IPv4format IPv4format Theboxisuncheckedby default. N/A PrimaryDNS Secondary DNS PrimaryWINS Secondary WINS Gateway DomainName Server Save Undo Back N/A N/A Description EnteraDHCPServername.Enteranamethatiseasyforyoutounderstand. TheLANIPAddressofthisDHCPServer. TheSubnetMaskofthisDHCPServer. TheIPPoolofthisDHCPServer.ItcomposedofStartingAddressenteredinthis fieldandEndingAddressenteredinthisfield. TheLeaseTimeofthisDHCPServer. ValueRange:300~604800seconds. TheDomainNameofthisDHCPServer. ThePrimaryDNSofthisDHCPServer. TheSecondaryDNSofthisDHCPServer. ThePrimaryWINSofthisDHCPServer. TheSecondaryWINSofthisDHCPServer. TheGatewayofthisDHCPServer. ClickEnableboxtoactivatethisDHCPServer. ClicktheSavebuttontosavetheconfiguration ClicktheUndobuttontorestorewhatyoujustconfiguredbacktotheprevious setting. WhentheBackbuttonisclickedthescreenwillreturntotheDHCPServer Configurationpage. Create/EditMappingRuleListonDHCPServer ThegatewayallowsyoutocustomyourMappingRuleListonDHCPServer.Itsupportsuptoamaximumof64 rulesets.WhenFixMappingbuttonisapplied,theMappingRuleListscreenwillappear. WhenAddbuttonisapplied,MappingRuleConfigurationscreenwillappear. 60 M2MCellularGateway MACAddress MappingRuleConfiguration Valuesetting Item 1.MACAddressstring format 2.AMustfilledsetting 1.IPv4format. 2.AMustfilledsetting Theboxisuncheckedby default. N/A IPAddress Save Rule Undo Back N/A N/A Description TheMACAddressofthismappingrule. TheIPAddressofthismappingrule. ClickEnableboxtoactivatethisrule. View/CopyDHCPClientList WhenDHCPClientListbuttonisapplied,DHCPClientListscreenwillappear. ClicktheSavebuttontosavetheconfiguration ClicktheUndobuttontorestorewhatyoujustconfiguredbacktotheprevious setting. WhentheBackbuttonisclickedthescreenwillreturntotheDHCPServer Configurationpage. WhentheDHCPClientisselectedandCopytoFixedMappingbuttonisapplied.TheIPandMACaddressof DHCPClientwillapplytotheMappingRuleListonspecificDHCPServerautomatically. Enable/DisableDHCPServerOptions TheDHCPServerOptionssettingallowsusertosetDHCPOPTIONS66,72,or114.ClicktheEnablebuttonto activate the DHCP option function, and the DHCP Server will add the expected options in its sending out DHCPOFFERDHCPACKpackages. 61 M2MCellularGateway Option 66 72 114 Meaning TFTPservername DefaultWorldWideWebServer URL RFC

[RFC2132]

[RFC3679]

Create/EditDHCPServerOptions Thegatewaysupportsuptoamaximumof99optionsettings. WhenAdd/Editbuttonisapplied,DHCPServerOptionConfigurationscreenwillappear. DHCPServerOptionConfiguration Item OptionName DHCPServer Select OptionSelect Valuesetting 1. String format can be any text 2.AMustfilledsetting. Dropdownlistofallavailable DHCPservers. 1.AMustfilledsetting. 2. Option 66 is selected by default. Description Enter a DHCP Server Option name. Enter a name that is easy for you to understand. ChoosetheDHCPserverthisoptionshouldapplyto. Choosethespecificoption fromthedropdownlist.ItcanbeOption66,Option 72,Option144,Option42,Option150,orOption160. Option42forntpserver;

Option66fortftp;

Option72forwww;

62 M2MCellularGateway Type Dropdown serveroptionvaluestype list of DHCP Option144 forurl;

Eachdifferentoptionshasdifferentvaluetypes. 66 72 114 42 150 160 SingleIPAddress SingleFQDN IPAddressesList,separatedby, SingleURL IPAddressesList,separatedby, IPAddressesList,separatedby, SingleIPAddress SingleFQDN ShouldconformtoType:

Value Enable Save Undo 1.IPv4format 2.FQDNformat 3.IPlist 4.URLformat 5.AMustfilledsetting 66 72 Type SingleIPAddress SingleFQDN IPAddressesList,separatedby, Value IPv4format FQDNformat IPv4format,separatedby, 114 SingleURL URLformat is unchecked by The box default. NA NA ClickEnableboxtoactivatethissetting. ClicktheSavebuttontosavethesetting. When the Undo button is clicked the screen will return back with nothing changed. Create/EditDHCPRelay Thegatewaysupportsuptoamaximumof6DHCPRelayconfigurations. WhenAdd/Editbuttonisapplied,DHCPRelayConfigurationscreenwillappear. 63 M2MCellularGateway DHCPRelayConfiguration Item Valuesetting 1. String format can be any text 2.AMustfilledsetting. 1.AMustfilledsetting. 2.LANisselectedbydefault. 1.AMustfilledsetting. 2. WAN1 default. 1.AMustfilledsetting. 2.nullbydefault. The box default. NA NA is unchecked by is selected by AgentName LANInterface WANInterface ServerIP Enable Save Undo Description EnteraDHCPRelayname.Enteranamethatiseasyforyoutounderstand. ValueRange:1~64characters. Choose a LAN Interface for the dropdown list to apply with the DHCP Relay function. Choosea WANInterface for the dropdown list toapplywiththe DHCPRelay function.ItcanbetheavailableWANinterface(s),andL2TPconnection. AssignaDHCPServerIPAddress thatthegatewaywillrelaytheDHCPrequests totheassignedDHCPserverviaspecifiedWANinterface. ClickEnableboxtoactivatethissetting. ClicktheSavebuttontosavethesetting. When the Undo button is clicked the screen will return back with nothing changed. 64 M2MCellularGateway 2.3WiFi(notsupported) Not supported feature for the purchased product, leave it as blank. 65 M2MCellularGateway 2.4IPv6 ThegrowthoftheInternethascreatedaneedformoreaddressesthanarepossiblewithIPv4.IPv6(Internet Protocolversion6)isaversionoftheInternetProtocol(IP)intendedtosucceedIPv4,whichistheprotocol currentlyusedtodirectalmostallInternettraffic.IPv6alsoimplementsadditionalfeaturesnotpresentinIPv4. Itsimplifiesaspectsofaddressassignment(statelessaddressautoconfiguration),networkrenumberingand routerannouncementswhenchangingInternetconnectivityproviders. 2.4.1IPv6Configuration TheIPv6ConfigurationsettingallowsusertosettheIPv6connectiontypetoaccesstheIPv6network.This gatewaysupportsvarioustypesofIPv6connection,includingStaticIPv6,DHCPv6,andPPPoEv6 Note:Fortheproductsjusthaving3G/4GWANinterface,onlyIPv6issupported.PleasecontactyourISPfor theIPv6supportsbeforeyouproceedwithIPv6setup. 66 M2MCellularGateway IPv6WANConnectionType StaticIPv6 StaticIPv6doesthesamefunctionasstaticIPv4.ThestaticIPv6providesmanualsettingofIPv6address,IPv6 defaultgatewayaddress,andIPv6DNS. AbovediagramdepictstheIPv6IPaddressing,typeintheinformationprovidedbyyourISPtosetuptheIPv6 network. DHCPv6 DHCPinIPv6doesthesamefunctionasDHCPinIPv4.TheDHCPserversendsIPaddress,DNSserveraddresses andotherpossibledatatotheDHCPclienttoconfigureautomatically.Theserveralsosendsaleasetimeof the address and time to recontact the server for IPv6 address renewal. The client has then to resend a requesttorenewtheIPv6address. 67 M2MCellularGateway AbovediagramdepictsDHCPIPv6IPaddressing,theDHCPv6serverontheISPsideassignsIPv6address,IPv6 defaultgatewayaddress,andIPv6DNStoclienthostsautomatically. PPPoEv6 PPPoEv6 in IPv6 does the same function as PPPoE in IPv4. The PPPoEv6 server provides configuration parameters based on PPPoEv6 client request. When PPPoEv6 server gets client request and successfully authenticates it, the server sends IP address, DNS server addresses and other required parameters to automaticallyconfiguretheclient. The diagram above depicts the IPv6 addressing through PPPoE, PPPoEv6 server (DSLAM) on the ISP side providesIPv6configurationuponreceivingPPPoEv6clientrequest.WhenPPPoEv6servergetsclientrequest and successfully authenticates it, the server sends IP address, DNS server addresses and other required parameterstoautomaticallyconfiguretheclient. 68 M2MCellularGateway IPv6ConfigurationSetting GotoBasicNetwork>IPv6>ConfigurationTab. TheIPv6ConfigurationsettingallowsusertosettheIPv6connectiontypetoaccesstheIPv6network. IPv6Configuration Item IPv6 Valuesetting Theboxisunchecked bydefault, WANConnection Type 1.Onlycanbe selectedwhenIPv6 Enable 2.AMustfilledsetting StaticIPv6WANTypeConfiguration Description ChecktheEnableboxtoactivatetheIPv6function. DefinetheselectedIPv6WANConnectionTypetoestablishtheIPv6 connectivity. SelectStaticIPv6whenyourISPprovidesyouwithasetIPv6addresses.Thengo toStaticIPv6WANTypeConfiguration. SelectDHCPv6whenyourISPprovidesyouwithDHCPv6services. SelectPPPoEv6whenyourISPprovidesyouwithPPPoEv6accountsettings. SelectIPv6whenyouwanttouseIPv6connection. Note:Fortheproductsjusthaving3G/4GWANinterface,onlyIPv6issupported. StaticIPv6WANTypeConfiguration 69 M2MCellularGateway Item IPv6Address SubnetPrefix Length DefaultGateway PrimaryDNS SecondaryDNS MLDSnooping Valuesetting AMustfilledsetting AMustfilledsetting AMustfilledsetting Anoptionalsetting Anoptionalsetting Theboxisunchecked bydefault LANConfiguration Description EntertheWANIPv6Address fortherouter. EntertheWANSubnetPrefixLengthfortherouter. EntertheWANDefaultGateway IPv6address. EntertheWANprimaryDNSServer. EntertheWANsecondaryDNSServer. Enable/DisabletheMLDSnoopingfunction LANConfiguration Item GlobalAddress LinklocalAddress Valuesetting AMustfilledsetting Valueautocreated Description EntertheLANIPv6Address fortherouter. ShowthelinklocaladdressforLANinterfaceofrouter. ThengotoAddressAutoconfiguration(summary)forsettingLANenvironment. Ifabovesettingisconfigured,clicktheSavebuttontosavetheconfiguration,andclicktheRebootbuttonto reboottherouter. 70 M2MCellularGateway DHCPv6WANTypeConfiguration DNS DHCPv6WANTypeConfiguration Valuesetting Item Theoption[From Server]isselectedby default Cannotmodifiedby default Cannotmodifiedby default Theboxisunchecked bydefault SecondaryDNS PrimaryDNS MLD LANConfiguration Selectthe[SpecificDNS]optiontoactivePrimaryDNSandSecondaryDNS.Then filltheDNSinformation. Description EntertheWANprimaryDNSServer. EntertheWANsecondaryDNSServer. Enable/DisabletheMLDSnoopingfunction LANConfiguration Item GlobalAddress LinklocalAddress Valuesetting Valueautocreated Valueautocreated Description EntertheLANIPv6Address fortherouter. ShowthelinklocaladdressforLANinterfaceofrouter. ThengotoAddressAutoconfiguration(summary)forsettingLANenvironment. If above setting is configured, click the Save button to save the configuration, and click Reboot button to reboottherouter. 71 M2MCellularGateway PPPoEv6WANTypeConfiguration PPPoEv6WANTypeConfiguration Item Valuesetting Account AMustfilledsetting Password AMustfilledsetting ServiceName ConnectionControl AMustfilled setting/Option Fixedvalue MTU AMustfilledsetting Theboxisunchecked bydefault MLDSnooping LANConfiguration Description EntertheAccountforsettingupPPPoEv6connection.Ifyouwantmore information,pleasecontactyourISP. ValueRange:0~45characters. EnterthePasswordforsettingupPPPoEv6connection.Ifyouwantmore information,pleasecontactyourISP. EntertheServiceNameforsettingupPPPoEv6connection.Ifyouwantmore information,pleasecontactyourISP. ValueRange:0~45characters. ThevalueisAutoreconnect(Alwayson). EntertheMTUforsettingupPPPoEv6connection.Ifyouwantmore information,pleasecontactyourISP. ValueRange:1280~1492. Enable/DisabletheMLDSnoopingfunction LANConfiguration Item GlobalAddress LinklocalAddress Valuesetting Valueautocreated Valueautocreated Description TheLANIPv6Addressfortherouter. ShowthelinklocaladdressforLANinterfaceofrouter. ThengotoAddressAutoconfiguration(summary)forsettingLANenvironment. Ifabovesettingisconfigured,clickthesavebuttontosavetheconfigurationandclickrebootbuttontoreboot 72 M2MCellularGateway therouter. ThengotoAddressAutoconfiguration(summary)forsettingLANenvironment. Ifabovesettingisconfigured,clickthesavebuttontosavetheconfigurationandclickrebootbuttontoreboot therouter. AddressAutoconfiguration AddressAutoconfiguration Item Autoconfiguration Valuesetting Theboxisunchecked bydefault Description ChecktoenabletheAutoconfigurationfeature. DefinetheselectedIPv6WANConnectionTypetoestablishtheIPv6 connectivity. SelectStatelesstomanagetheLocalAreaNetworktobeSLAAC+RDNSS RouterAdvertisementLifetime(AMustfilledsetting):EntertheRouter AdvertisementLifetime(inseconds).200issetbydefault. ValueRange:0~65535. SelectStatefultomanagetheLocalAreaNetworktobeStateful(DHCPv6). IPv6AddressRange(Start)(AMustfilledsetting):EnterthestartIPv6Address fortheDHCPv6rangeforyourlocalcomputers.0100issetbydefault. ValueRange:0001~FFFF. IPv6AddressRange(End)(AMustfilledsetting):EntertheendIPv6Addressfor theDHCPv6rangeforyourlocalcomputers.0200issetbydefault. ValueRange:0001~FFFF. 73 Autoconfiguration Type 1.Onlycanbe selectedwhenAuto configurationenabled 2.Statelessisselected bydefault M2MCellularGateway IPv6AddressLifetime(AMustfilledsetting):EntertheDHCPv6lifetimeforyour localcomputers.36000issetbydefault. ValueRange:0~65535. 74 M2MCellularGateway 2.5 PortForwarding Network address translation (NAT) is a methodology of remapping one IP address space into another by modifyingnetworkaddressinformationinInternetProtocol(IP)datagrampacketheaderswhiletheyarein transit across a traffic routing device. The technique was originally used for ease of rerouting traffic in IP networkswithoutrenumberingeveryhost.Ithasbecomeapopularandessentialtoolinconservingglobal addressspaceallocationsinfaceofIPv4addressexhaustion.Theproductyoupurchasedembedsandactivates theNATfunction.YoualsocandisabletheNATfunctionin[BasicNetwork][WAN&Uplink][InternetSetup]

[WANTypeConfiguration]page. UsuallyalllocalhostsorserversbehindcorporategatewayareprotectedbyNATfirewall.NATfirewallwillfilter outunrecognizedpacketstoprotectyourIntranet.So,alllocalhostsareinvisibletotheoutsideworld.Port forwardingorportmappingis functionthatredirectsacommunicationrequestfromoneaddressandport number combination to assigned one. This technique is most commonly used to make services on a host residing on a protected or masqueraded (internal) network available to hosts on the opposite side of the gateway(externalnetwork),byremappingthedestinationIPaddressandportnumber ThereareseveraloptionalPortForwardingrelatedfunctionsinthisgateway.TheyareVirtualServer,Virtual Computer, IP Translation, Special AP & ALG, DMZ and Pass Through, etc. The availablefunctions might be differentforthepurchasedmodel. 75 M2MCellularGateway 2.5.1Configuration NATLoopback ThisfeatureallowsyoutoaccesstheWANglobalIPaddressfromyourinsideNATlocalnetwork.Itisuseful when you run a server inside your network. For example, if you set a mail server at LAN side, your local devicescanaccessthismailserverthroughgatewaysglobalIPaddresswhenenableNATloopbackfeature.On eithersideareyouinaccessingtheemailserver,attheLANsideorattheWANside,youdontneedtochange theIPaddressofthemailserver. ConfigurationSetting GotoBasicNetwork>PortForwarding>Configurationtab. TheNATLoopbackallowsusertoaccesstheWANIPaddressfrominsideyourlocalnetwork. EnableNATLoopback Configuration Item NATLoopback Save Undo Valuesetting Theboxischeckedbydefault N/A N/A Description ChecktheEnableboxtoactivatethisNATfunction ClicktheSavebuttontosavethesettings. ClicktheUndobuttontocancelthesettings 76 M2MCellularGateway 2.5.2VirtualServer&VirtualComputer There are some important Pot Forwarding functions implemented within the gateway, including "Virtual Server","NATloopback"and"VirtualComputer". It is necessary for cooperate staffs who travel outside and want to access various servers behind office gateway.Youcansetupthoseserversbyusing"VirtualServer"feature.Aftertrip,ifwanttoaccessthose serversfromLANsidebyglobalIP,withoutchangeoriginalsetting,NATLoopbackcanachieveit.

"Virtualcomputer"isahostbehindNATgatewaywhoseIPaddressisaglobaloneandisvisibletotheoutside world.SinceitisbehindNAT,itisprotectedbygatewayfirewall.ToconfigureVirtualComputer,youjusthave tomapthelocalIPofthevirtualcomputertoaglobalIP. 77 M2MCellularGateway VirtualServer&NATLoopback

"Virtual Server" allows you to access servers with the globalIPaddressorFQDNofthegatewayasiftheyare serversexistedintheInternet.Butinfact,theseservers arelocatedintheIntranetandarephysicallybehindthe gateway.Thegatewayservestheservicerequestsbyport forwardingtherequeststotheLANserversandtransfers the replies from LAN servers to the requester on the WANside.Asshowninexample,anEmailvirtualserver is defined to be located at a server with IP address 10.0.75.101intheIntranetofNetworkA,includingSMTP service port 25 and POP3 service port 110. So, the remote user can access the Email server with the gatewaysglobalIP118.18.81.33fromitsWANside.ButtherealEmailserverislocatedatLANsideandthe gatewayistheportforwarderforEmailservice. NATLoopbackallowsyoutoaccesstheWANglobalIPaddressfromyourinsideNATlocalnetwork.Itisuseful when you run a server inside your network. For example, if you set a mail server at LAN side, your local devicescanaccessthismailserverthroughgatewaysglobalIPaddresswhenenableNATloopbackfeature.On eithersideareyouinaccessingtheemailserver,attheLANsideorattheWANside,youdontneedtochange theIPaddressofthemailserver. VirtualComputer

"Virtual Computer" allows you to assign LAN hosts to globalIPaddresses,sothattheycanbevisibletooutside world.Whileso,theyarealsoprotectedbythegateway firewallasbeingclienthostsintheIntranet.Forexample, if you set a FTP file server at LAN side with local IP address10.0.75.102andglobalIPaddress118.18.82.44, aremoteusercanaccessthefileserverwhileitishidden behind the NAT gateway. That is because the gateway takescareofallaccessingtotheIPaddress118.18.82.44, including to forward the access requests to the file serverandtosendtherepliesfromtheservertooutside world. 78 M2MCellularGateway VirtualServer&VirtualComputerSetting GotoBasicNetwork>PortForwarding>VirtualServer&VirtualComputertab. EnableVirtualServerandVirtualComputer Configuration Item VirtualServer VirtualComputer Save Undo Valuesetting Theboxisuncheckedby default Theboxischeckedby default N/A N/A Description ChecktheEnableboxtoactivatethisportforwardingfunction ChecktheEnableboxtoactivatethisportforwardingfunction ClicktheSavebuttontosavethesettings. ClicktheUndobuttontocancelthesettings. Create/EditVirtualServer ThegatewayallowsyoutocustomyourVirtualServerrules.Itsupportsuptoamaximumof20rulebased VirtualServersets. WhenAddbuttonisapplied,VirtualServerRuleConfigurationscreenwillappear. 79 M2MCellularGateway VirtualServerRuleConfiguration Item Valuesetting WANInterface 1.AMustfilledsetting 2.DefaultisALL. ServerIP AMustfilledsetting Protocol AMustfilledsetting Description Definetheselectedinterfacetobethepacketenteringinterfaceofthe gateway. IfthepacketstobefilteredarecomingfromWANxthenselectWANxforthis field. SelectALLforpacketscomingintothegatewayfromanyinterface. ItcanbeselectedWANxboxwhenWANxenabled. Note:Theavailablecheckboxes(WAN1~WAN4)dependonthenumberof WANinterfacesfortheproduct. ThisfieldistospecifytheIPaddressoftheinterfaceselectedintheWAN Interfacesettingabove. WhenICMPv4isselected ItmeanstheoptionProtocolofpacketfilterruleisICMPv4. ApplyTimeScheduletothisrule,otherwiseleaveitasAlways.(referto SchedulingsettingunderObjectDefinition) ThencheckEnableboxtoenablethisrule. WhenTCPisselected ItmeanstheoptionProtocolofpacketfilterruleisTCP. PublicPortselectedapredefinedportfromWellknownService,andPrivate PortisthesamewithPublicPortnumber. PublicPortisselectedSinglePortandspecifyaportnumber,andPrivatePort canbesetaSinglePortnumber. PublicPortisselectedPortRangeandspecifyaportrange,andPrivatePort canbeselectedSinglePortorPortRange. ValueRange:1~65535forPublicPort,PrivatePort. WhenUDPisselected ItmeanstheoptionProtocolofpacketfilterruleisUDP. PublicPortselectedapredefinedportfromWellknownService,andPrivate 80 M2MCellularGateway 1.Anoptionalfilledsetting 2.(0)AlwaysIsselectedby default. 1.Anoptionalfilledsetting 2.Theboxisuncheckedby default. N/A N/A N/A TimeSchedule Rule Save Undo Back PortisthesamewithPublicPortnumber. PublicPortisselectedSinglePortandspecifyaportnumber,andPrivatePort canbesetaSinglePortnumber. PublicPortisselectedPortRangeandspecifyaportrange,andPrivatePort canbeselectedSinglePortorPortRange. ValueRange:1~65535forPublicPort,PrivatePort. WhenTCP&UDPisselected ItmeanstheoptionProtocolofpacketfilterruleisTCPandUDP. PublicPortselectedapredefinedportfromWellknownService,andPrivate PortisthesamewithPublicPortnumber. PublicPortisselectedSinglePortandspecifyaportnumber,andPrivatePort canbesetaSinglePortnumber. PublicPortisselectedPortRangeandspecifyaportrange,andPrivatePort canbeselectedSinglePortorPortRange. ValueRange:1~65535forPublicPort,PrivatePort. WhenGREisselected ItmeanstheoptionProtocolofpacketfilterruleisGRE. WhenESPisselected ItmeanstheoptionProtocolofpacketfilterruleisESP. WhenSCTPisselected ItmeanstheoptionProtocolofpacketfilterruleisSCTP. WhenUserdefinedisselected ItmeanstheoptionProtocolofpacketfilterruleisUserdefined. ForProtocolNumber,enteraportnumber. ApplyTimeScheduletothisrule;otherwiseleaveitas(0)Always.(referto SchedulingsettingunderObjectDefinition) ChecktheEnableboxtoactivatetherule. ClicktheSavebuttontosavethesettings. ClicktheUndobuttontocancelthesettings. WhentheBackbuttonisclickedthescreenwillreturntopreviouspage. 81 M2MCellularGateway Create/EditVirtualComputer ThegatewayallowsyoutocustomyourVirtualComputerrules.Itsupportsuptoamaximumof20rulebased VirtualComputersets. WhenAddbuttonisapplied,VirtualComputerRuleConfigurationscreenwillappear. VirtualComputerRuleConfiguration Item GlobalIP LocalIP Enable Save Valuesetting AMustfilledsetting AMustfilledsetting N/A N/A Description ThisfieldistospecifytheIPaddressoftheWANIP. ThisfieldistospecifytheIPaddressoftheLANIP. ThencheckEnableboxtoenablethisrule. ClicktheSavebuttontosavethesettings. 82 M2MCellularGateway 2.5.3DMZ&PassThrough DMZ (De Militarized Zone) Host is a host that is exposed to the Internet cyberspace but still within the protectionoffirewallbygatewaydevice.So,thefunctionallowsacomputertoexecute2waycommunication for Internet games, Video conferencing, Internet telephony and other special applications. In some cases whenaspecificapplicationisblockedbyNATmechanism,youcanindicatethatLANcomputerasaDMZhost tosolvethisproblem. TheDMZfunctionallowsyoutoaskthegatewaypassthroughallnormalpacketstotheDMZhostbehindthe NATgatewayonlywhenthesepacketsarenotexpectedtoreceivebyapplicationsinthegatewayorbyother clienthostsintheIntranet.Certainly,theDMZhostisalsoprotectedbythegatewayfirewall.Activatethe featureandspecifytheDMZhostwithahostintheIntranetwhenneeded. DMZScenario When the network administrator wants to set up some service daemons in a host behind NAT gatewaytoallowremoteusersrequestforservices fromserveractively,youjusthavetoconfigurethis hostasDMZHost.Asshowninthediagram,there is an X server installed as DMZ host, whose IP address is 10.0.75.100. Then, remote user can requestservicesfromXserverjustasitisprovided by the gateway whose global is 118.18.81.33. The gateway will forward those packets, not belonging to any configured virtual serverorapplications,directlytotheDMZhost. IP address 83 M2MCellularGateway VPNPassthroughScenario DMZ&PassThroughSetting Since VPN traffic is different from that of TCP or UDPconnection,itwillbeblockedbyNATgateway. TosupportthepassthroughfunctionfortheVPN connectionsinitiatingfromVPNclientsbehindNAT gateway,thegatewaymustimplementsomekind ofVPNpassthroughfunctionforsuchapplication. Thegatewaysupportthepassthroughfunctionfor IPSec,PPTP,andL2TPconnections,youjusthave tocheckthecorrespondingcheckboxtoactivateit. GotoBasicNetwork>PortForwarding>DMZ&PassThroughtab. TheDMZhostisahostthatisexposedtotheInternetcyberspacebutstillwithintheprotectionoffirewallby gatewaydevice. EnableDMZandPassThrough Configuration Item DMZ Valuesetting 1.AMustfilledsetting2. DefaultisALL. Description ChecktheEnableboxtoactivatetheDMZfunction Definetheselectedinterfacetobethepacketenteringinterfaceofthe gateway,andfillintheIPaddressofHostLANIPinDMZHostfield

. IfthepacketstobefilteredarecomingfromWANxthenselectWANxfor thisfield. SelectALLforpacketscomingintotherouterfromanyinterfaces. 84 M2MCellularGateway ItcanbeselectedWANxboxwhenWANxenabled. Note:Theavailablecheckboxes(WAN1~WAN4)dependonthenumber ofWANinterfacesfortheproduct. ChecktheboxtoenablethepassthroughfunctionfortheIPSec,PPTP,and L2TP. Withthepassthroughfunctionenabled,theVPNhostsbehindthegateway stillcanconnecttoremoteVPNservers. ClicktheSavebuttontosavethesettings. ClicktheUndobuttontocancelthesettings PassThroughEnable Theboxesarecheckedby Save Undo default N/A N/A 85 M2MCellularGateway 2.6Routing Ifyouhavemorethanonerouterandsubnet,youwillneedtoenableroutingfunctiontoallowpacketstofind properroutingpathandallowdifferentsubnetstocommunicatewitheachother.Routingistheprocessof selectingbestpathsinanetwork.Itisperformedformanykindsofnetworks,likeelectronicdatanetworks

(suchastheInternet),byusingpacketswitchingtechnology.Theroutingprocessusuallydirectsforwardingon the basis of routing tables which maintain a record of the routes to various network destinations. Thus, constructingroutingtables,whichareheldintherouter'smemory,isveryimportantforefficientrouting.Most routingalgorithmsuseonlyonenetworkpathatatime. The routing tables record your predefined routing paths for some specific destination subnets. It is static routing.However,ifthecontentsofroutingtablesrecordtheobtainedroutingpathsfromneighborroutersby usingsomeprotocols,suchasRIP,OSPFandBGP.Itisdynamicrouting.Thesebothroutingapproacheswillbe illustratedoneafterone.Inaddition,thegatewayalsobuilt inoneadvancedconfigurableroutingsoftware Quaggaformorecomplexroutingapplications,youcanconfigureitifrequiredviaTelnetCLI. 86 M2MCellularGateway 2.6.1StaticRouting

"Static Routing" function lets you define the routing paths for some dedicated hosts/servers or subnets to store in the routing table of the gateway. The gateway routes incoming packets to different peer gateways based on the routing table. You need to define the static routing information in gateway routing rule list. When the administrator of the gateway wants to specify what kinds of packets to be transferred via which gateway interface and which peer gateway to their destination. It can be carried out by the "Static Routing" feature. Dedicated packet flows from the Intranetwillberoutedtotheirdestinationviathepre defined peer gateway and corresponding gateway interfacethataredefinedinthesystemroutingtable bymanual. As shown in the diagram, when the destination is Google access, rule 1 set interface as ADSL, routing gatewayasIPDSLAMgateway192.168.121.253.Allthe packets to Google will go through WAN1. And the samewayappliedtorule2ofaccessYahoo.Rule2sets 3G/4Gasinterface. 87 M2MCellularGateway StaticRoutingSetting GotoBasicNetwork>Routing>StaticRoutingTab. Therearethreeconfigurationwindowsforstaticroutingfeature,including"Configuration","StaticRouting Rule List" and "Static Routing Rule Configuration" windows. "Configuration" window lets you activate the globalstaticroutingfeature.Eventherearealreadyroutingrules,ifyouwanttodisableroutingtemporarily, justunchecktheEnableboxtodisableit."StaticRoutingRuleList"windowlistsallyourdefinedstaticrouting rule entries. Using "Add" or "Edit" button to add and create one new static routing rule or to modify an existedone. When"Add"or"Edit"buttonisapplied,the"StaticRoutingRuleConfiguration"windowwillappeartoletyou defineastaticroutingrule. EnableStaticRouting JustchecktheEnableboxtoactivatethe"StaticRouting"feature. StaticRouting Item StaticRouting Valuesetting Theboxisuncheckedby default Description ChecktheEnableboxtoactivatethisfunction Create/EditStaticRoutingRules TheStaticRoutingRuleListshowsthesetupparametersofallstaticroutingruleentries.Toconfigureastatic routing rule, you must specify related parameters including the destination IP address and subnet mask of dedicatedhost/serverorsubnet,theIPaddressofpeergateway,themetricandtheruleactivation. Thegatewayallowsyoutocustomyourstaticroutingrules.Itsupportsuptoamaximumof64rulesets.When Addbuttonisapplied,StaticRoutingRuleConfigurationscreenwillappear,whiletheEditbuttonattheend 88 M2MCellularGateway ofeachstaticroutingrulecanletyoumodifytherule. IPv4StaticRouting Item DestinationIP SubnetMask GatewayIP Valuesetting 1.IPv4Format 2.AMustfilledsetting 255.255.255.0(/24)issetby default 1.IPv4Format 2.AMustfilledsetting Description SpecifytheDestinationIPofthisstaticroutingrule. SpecifytheSubnetMaskofthisstaticroutingrule. SpecifytheGatewayIPofthisstaticroutingrule. Interface Autoissetbydefault Metric Rule Save Undo Back 1.NumbericStringFormat 2.AMustfilledsetting Theboxisuncheckedby default. NA NA NA SelecttheInterfaceofthisstaticroutingrule.ItcanbeAuto,ortheavailable WAN/LANinterfaces. TheMetricofthisstaticroutingrule. ValueRange:0~255. ClickEnableboxtoactivatethisrule. ClicktheSavebuttontosavetheconfiguration ClicktheUndobuttontorestorewhatyoujustconfiguredbacktotheprevious setting. WhentheBackbuttonisclickedthescreenwillreturntotheStaticRouting Configurationpage. 89 M2MCellularGateway 2.6.2DynamicRouting DynamicRouting,alsocalledadaptiverouting,describesthecapabilityofasystem,throughwhichroutesare characterizedbytheirdestination,toalterthepaththattheroutetakesthroughthesysteminresponsetoa changeinnetworkconditions. Thisgatewaysupportsdynamicroutingprotocols,includingRIPv1/RIPv2(RoutingInformationProtocol),and OSPF (Open Shortest Path First), for you to establish routing table automatically. The feature of dynamic routingwillbeveryusefulwhentherearelotsofsubnetsinyournetwork.Generallyspeaking,RIPissuitable forsmallnetwork.OSPFismoresuitableformediumnetwork. Thesupporteddynamicroutingprotocolsaredescribedasfollows. 90 M2MCellularGateway RIPScenario OSPFScenario The Routing Information Protocol (RIP) is one of the oldest distancevector routing protocols, which employs the hop count as a routing metric. RIP preventsroutingloopsbyimplementingalimitonthe numberofhopsallowedinapathfromthesourcetoa destination. The maximum number of hops allowed for RIP is 15. This hop limit, however, also limits the sizeofnetworksthatRIPcansupport.Ahopcountof 16 is considered an infinite distance, in other words the route is considered unreachable. RIP implements the split horizon, route poisoning and holddown mechanisms to prevent incorrect routing information frombeingpropagated. OpenShortestPathFirst(OSPF)isaroutingprotocol that uses link state routing algorithm. It is the most widely used interior gateway protocol (IGP) in large enterprisenetworks.Itgatherslinkstateinformation fromavailableroutersandconstructsatopologymap ofthenetwork.Thetopologyispresentedasarouting table which routes datagrams based solely on the destinationIPaddress. Network administrator can deploy OSPF gateway in largeenterprisenetworktogetitsroutingtablefrom the enterprise backbone, and routing information to other routers, which are no linked to theenterprisebackbone.Usually,anOSPFnetworkis subdivided simplify administration and optimize traffic and resource utilization. forward routing areas into to Asshowninthediagram,OSPFgatewaygathersroutinginformationfromthebackbonegatewaysinarea0, andwillforwarditsroutinginformationtotheroutersinarea1andarea2whicharenotinthebackbone. 91 M2MCellularGateway DynamicRoutingSetting GotoBasicNetwork>Routing>DynamicRoutingTab. ThedynamicroutingsettingallowsusertocustomizeRIP,andOSPFprotocolsthroughtherouterbasedon theirofficesetting. Inthe"DynamicRouting"page,thereareseveralconfigurationwindowsfordynamicroutingfeature.Theyare the "RIP Configuration" window, "OSPF Configuration" window, "OSPF Area List", and "OSPF Area Configuration"window.RIP,andOSPFprotocolscanbeconfiguredindividually. The"RIPConfiguration"windowletsyouchoosewhichversionofRIPprotocoltobeactivatedordisableit. The "OSPF Configuration" window can let you activate the OSPF dynamic routing protocol and specify its backbonesubnet.Moreover,the"OSPFAreaList"windowlistsalldefinedareasintheOSPFnetwork. RIPConfiguration TheRIPconfigurationsettingallowsusertocustomizeRIPprotocolthroughtherouterbasedontheiroffice setting. RIPConfiguration Item Valuesetting RIPEnable Disableissetbydefault Description SelectDisablewilldisableRIPprotocol. SelectRIPv1willenableRIPv1protocol. SelectRIPv2willenableRIPv2protocol. OSPFConfiguration The OSPF configuration setting allows user to customize OSPF protocol through the router based on their officesetting. 92 M2MCellularGateway OSPFConfiguration Item OSPF RouterID Valuesetting Disableissetbydefault 1.IPv4Format 2.AMustfilledsetting Authentication Noneissetbydefault Backbone Subnet 1.ClasslessInterDomain Routing(CIDR)Subnet MaskNotation.(Ex:

192.168.1.0/24) 2.AMustfilledsetting Description ClickEnableboxtoactivatetheOSPFprotocol. TheRouterIDofthisrouteronOSPFprotocol TheAuthenticationmethodofthisrouteronOSPFprotocol. SelectNonewilldisableAuthenticationonOSPFprotocol. SelectTextwillenableTextAuthenticationwithenteredtheKeyinthisfieldon OSPFprotocol. SelectMD5willenableMD5AuthenticationwithenteredtheIDandKeyin thesefieldsonOSPFprotocol. TheBackboneSubnetofthisrouteronOSPFprotocol. Create/EditOSPFAreaRules ThegatewayallowsyoutocustomyourOSPFAreaListrules.Itsupportsuptoamaximumof32rulesets. WhenAddbuttonisapplied,OSPFAreaRuleConfigurationscreenwillappear. 93 M2MCellularGateway OSPFAreaConfiguration Item Valuesetting 1.ClasslessInterDomain Routing(CIDR)Subnet MaskNotation.(Ex:

192.168.1.0/24) 2.AMustfilledsetting 1.IPv4Format 2.AMustfilledsetting Theboxisuncheckedby default. N/A AreaSubnet AreaID Area Save Description TheAreaSubnetofthisrouteronOSPFAreaList. TheAreaIDofthisrouteronOSPFAreaList. ClickEnableboxtoactivatethisrule. ClicktheSavebuttontosavetheconfiguration 94 M2MCellularGateway 2.6.3RoutingInformation Theroutinginformationallowsusertoviewtheroutingtableandpolicyroutinginformation.PolicyRouting InformationisonlyavailablewhentheLoadBalancefunctionisenabledandtheLoadBalanceStrategyisBy UserPolicy. GotoBasicNetwork>Routing>RoutingInformationTab. RoutingTable Item DestinationIP SubnetMask GatewayIP Metric Interface Valuesetting N/A N/A N/A N/A N/A Description RoutingrecordofDestinationIP.IPv4Format. RoutingrecordofSubnetMask.IPv4Format. RoutingrecordofGatewayIP.IPv4Format. RoutingrecordofMetric.NumericStringFormat. RoutingrecordofInterfaceType.StringFormat. PolicyRoutingInformation Item PolicyRoutingSource SourceIP DestinationIP DestinationPort WANInterface Valuesetting N/A N/A N/A N/A N/A Description PolicyRoutingofSource.StringFormat. PolicyRoutingofSourceIP.IPv4Format. PolicyRoutingofDestinationIP.IPv4Format. PolicyRoutingofDestinationPort.StringFormat. PolicyRoutingofWANInterface.StringFormat. 95 M2MCellularGateway 2.7 DNS&DDNS HowdoesuseraccessyourserverifyourWANIPaddresschangesallthetime?Onewayistoregisteranew domainname,andmaintainyourownDNSserver.Anothersimplerwayistoapplyadomainnametoathird partyDDNSserviceprovider.Theservicecanbefreeorcharged.Ifyouwanttounderstandthebasicconcepts ofDNSandDynamicDNS,youcanrefertoWikipediawebsite7,8. 2.7.1DNS&DDNSConfiguration DynamicDNS To host your server on a changing IP address, you havetousedynamicdomainnameservice(DDNS). Therefore, anyone wishing to reach your host only needstoknowthedomainname.DynamicDNSwill map the name of your host to your current IP address,whichchangeseachtimeyouconnectyour Internetserviceprovider. TheDynamicDNSserviceallowsthegatewaytoalias apublicdynamicIPaddresstoastaticdomainname, allowing the gateway to be more easily accessed fromvariouslocationsontheInternet.Asshownin the diagram, user registered a domain name toa thirdparty DDNS service provider (NOIP) to use DDNS function. Once the IP address of designated WAN interfacehaschanged,thedynamicDNSagentinthegatewaywillinformtheDDNSserverwiththenewIP address.TheserverautomaticallyremapsyourdomainnamewiththechangedIPaddress.So,otherhostsor remoteusersintheInternetworldareabletolinktoyourgatewaybyusingyourdomainnameregardlessof thechangingglobalIPaddress. 7http://en.wikipedia.org/wiki/Domain_Name_System 8http://en.wikipedia.org/wiki/Dynamic_DNS 96 M2MCellularGateway DNS&DDNSSetting GotoBasicNetwork>DNS&DDNS>ConfigurationTab. TheDNS&DDNSsettingallowsusertosetupDynamicDNSfeatureandDNSredirectrules. SetupDynamicDNS ThegatewayallowsyoutocustomyourDynamicDNSsettings. DDNS(DynamicDNS)Configuration Item DDNS Valuesetting Theboxisuncheckedby default Description ChecktheEnableboxtoactivatethisfunction. WANInterface WAN1issetbydefault Provider HostName UserName/E Mail Password/Key Save Undo DynDNS.org(Dynamic)is setbydefault 1.Stringformatcanbeany text 2.AMustfilledsetting 1.Stringformatcanbeany text 2.AMustfilledsetting 1.Stringformatcanbeany text 2.AMustfilledsetting N/A N/A SelecttheWANInterfaceIPAddressofthegateway. SelectyourDDNSproviderofDynamicDNS.ItcanbeDynDNS.org(Dynamic), DynDNS.org(Custom),NOIP.com,etc... YourregisteredhostnameofDynamicDNS. ValueRange:0~63characters. EnteryourUsernameorEmailaddresssofDynamicDNS. EnteryourPasswordorKeyofDynamicDNS. ClickSavetosavethesettings ClickUndotocancelthesettings 97 M2MCellularGateway SetupDNSRedirect DNSredirectisaspecialfunctiontoredirectcertaintrafficstoaspecifiedhost.Administatorcanmanagethe internet/intranettrafficsthataregoingtoaccesssomerestrictedDNSandforcethosetrafficstoberedirected toaspecifiedhost. DNSRedirectConfiguration Valuesetting Item Theboxisuncheckedby DNSRedirect default N/A N/A Save Undo Description ChecktheEnableboxtoactivatethisfunction. ClickSavetosavethesettings ClickUndotocancelthesettings IfyouenabledtheDNSRedirectfunction,youhavetofurtherspecifytheredirectrules.Accordingtotherules, thegatewaycanredirectthetrafficthatmatchedtheDNStocorrespondingpredefinedIPaddress. WhenAddbuttonisapplied,RedirectRulescreenwillappear. RedirectRuleConfiguration Valuesetting Item 1.Stringformatcanbeany DomainName text Description Enteradomainnametoberedirect.Thetraffictospecifieddomainnamewill beredirecttothefollowingIPaddress. 98 M2MCellularGateway ValueRange:atleast1characterisrequired;*forany. EnteranIPAddressasthetargetfortheDNSredirect. SpecifywhenwilltheDNSredirectactioncanbeapplied. ItcanbeAlways,orWANBlock. Always:TheDNSredirectfunctioncanbeappliedtomatchedDNSallthetime. WANBlock:TheDNSredirectfunctioncanbeappliedtomatchedDNSonly whentheWANconnectionisdisconneced,orunreachable. Enterabriefdescriptionforthisrule. ValueRange:0~63characters. ClicktheEnablebuttontoactivatethisrule. ClickSavetosavethesettings ClickUndotocancelthesettings IP Condition Description Enable Save Undo 2.AMustfilledsetting 1.IPv4format 2.AMustfilledsetting 1.AMustfilledsetting 2.Alwaysisselectedby default. 1.Stringformatcanbeany text 2.AMustfilledsetting Theboxisuncheckedby default N/A N/A 99

exhibit
download
text

Users Manual-2

Users Manual

pdf

3.53 MiB

July 08 2018

M2MCellularGateway Chapter3ObjectDefinition 3.1Scheduling Schedulingprovidesabilityofadding/deletingtimeschedulerules,whichcanbeappliedtootherfunctionality. 3.1.1SchedulingConfiguration GotoObjectDefinition>Scheduling>Configurationtab. Buttondescription Item Add Delete Valuesetting N/A N/A Description ClicktheAddbuttontoconfiguretimeschedulerule ClicktheDeletebuttontodeleteselectedrule(s) WhenAddbuttonisapplied,TimeScheduleConfigurationandTimePeriodDefinitionscreenswillappear. TimeScheduleConfiguration Item RuleName RulePolicy ValueSetting String:anytext DefaultInactivate Description Setrulename Inactivate/activatethefunctionbeenappliedtointhetimeperiodbelow 100 M2MCellularGateway TimePeriodDefinition Item WeekDay StartTime EndTime Save Undo Refresh ValueSetting Selectfrommenu Timeformat(hh:mm) Timeformat(hh:mm) N/A N/A N/A Description Selecteverydayoroneofweekday Starttimeinselectedweekday Endtimeinselectedweekday Click Save to save the settings Click Undo to cancel the settings Click the Refresh button to refresh the time schedule list. 101 M2MCellularGateway 3.2User(notsupported) Not supported feature for the purchased product, leave it as blank. 102 M2MCellularGateway 3.3Grouping(notsupported) Not supported feature for the purchased product, leave it as blank. 103 M2MCellularGateway 3.4ExternalServer GotoObjectDefinition>ExternalServer>ExternalServertab. TheExternalServersettingallowsusertoaddexternalserver. CreateExternalServer WhenAddbuttonisapplied,ExternalServerConfigurationscreenwillappear. 104 M2MCellularGateway ExternalServerConfiguration Item SeverName Valuesetting 1.Stringformatcanbe anytext 2.AMustfilledsetting ServerType AMustfilledsetting ServerIP/FQDN AMustfilledsetting ServerPort AMustfilledsetting AccountPort 1.AMustfilledsetting 2.1813issetbydefault Description Enteraservername.Enteranamethatiseasyforyoutounderstand. SpecifytheServerTypeoftheexternalserver,andentertherequiredsettings fortheaccessingtheserver. EmailServer(AMustfilledsetting):

WhenEmailServerisselected,UserName,andPasswordarealsorequired. UserName(Stringformat:anytext) Password(Stringformat:anytext) RADIUSServer(AMustfilledsetting):

WhenRADIUSServerisselected,thefollowingsettingsarealsorequired. Primary:

SharedKey(Stringformat:anytext) AuthenticationProtocol(BydefaultCHAPisselected) SessionTimeout(Bydefault1) Thevaluesmustbebetween1and60. IdleTimeout:(Bydefault1) Thevaluesmustbebetween1and15. Secondary:

WhenFTP(SFTP)Serverisselected,thefollowingsettingsarealsorequired. UserName(Stringformat:anytext) Password(Stringformat:anytext) Protocol(SelectFTPorSFTP) Encryprion(SelectPlain,ExplicitFTPSorImplicitFTPS) Transfermode(SelectPassiveorActive) SpecifytheIPaddressorFQDNusedfortheexternalserver. SpecifythePortusedfortheexternalserver.Ifyouselectedacertainserver type,thedefaultserverportnumberwillbeset. ForEmailServer25willbesetbydefault;

ForSyslogServer,port514willbesetbydefault;

ForRADIUSServer,port1812willbesetbydefault;

ForFTP(SFTP)Server,port21willbesetbydefault;

ValueRange:1~65535. SpecifytheaccountingportusedifyouselectedexternalRADIUSserver. ValueRange:1~65535. 105 M2MCellularGateway Server Save Undo Refresh Theboxischeckedby default N/A N/A N/A ClickEnabletoactivatethisExternalServer. ClickSavetosavethesettings ClickUndotocancelthesettings ClicktheRefreshbuttontorefreshtheexternalserverlist. 106 M2MCellularGateway 3.5 Certificate In cryptography, a public key certificate (also known as a digital certificate or identity certificate) is an electronicdocumentusedtoproveownershipofapublickey.Thecertificateincludesinformationaboutthe key, information about its owner's identity, and the digital signature of an entity that has verified the certificate'scontentsaregenuine.Ifthesignatureisvalid,andthepersonexaminingthecertificatetruststhe signer,thentheyknowtheycanusethatkeytocommunicatewithitsowner9. Inatypicalpublickeyinfrastructure(PKI)scheme,thesignerisacertificateauthority(CA),usuallyacompany suchasVeriSignwhichchargescustomerstoissuecertificatesforthem.Inaweboftrustscheme,thesigneris eitherthekey'sowner(aselfsignedcertificate)orotherusers("endorsements")whomthepersonexamining thecertificatemightknowandtrust.ThedevicealsoplaysasaCArole. CertificatesareanimportantcomponentofTransportLayerSecurity(TLS,sometimescalledbyitsoldername SSL),wheretheypreventanattackerfromimpersonatingasecurewebsiteorotherserver.Theyarealsoused in other important applications, such as email encryption and code signing. Here, it can be used in IPSec tunnelingforuserauthentication. 3.5.1Configuration(notsupported) Not supported feature for the purchased product, leave it as blank. 9 http://en.wikipedia.org/wiki/Public_key_certificate. 107 M2MCellularGateway 3.5.2MyCertificate MyCertificateincludesaLocalCertificateList.LocalCertificateListshowsallgeneratedcertificatesbytheroot CAforthegateway.AnditalsostoresthegeneratedCertificateSigningRequests(CSR)whichwillbesignedby otherexternalCAs.Thesignedcertificatescanbeimportedasthelocalonesofthegateway. SelfsignedCertificateUsageScenario ScenarioApplicationTiming WhentheenterprisegatewayownstherootCAandVPNtunnelingfunction,itcangenerateitsown local certificates by being signed by itself or import any local certificates that are signed by other externalCAs.AlsoimportthetrustedcertificatesforotherCAsandClients.Inaddition,sinceithasthe rootCA,italsocansignCertificateSigningRequests(CSR)toformcorrespondingcertificatesforothers. Thesecertificatescanbeusedfortworemotepeerstomakesuretheiridentityduringestablishinga VPNtunnel. ScenarioDescription Gateway 1 generates the root CA and a local certificate (HQCRT) signed by itself. Import a trusted certificate(BranchCRT)aBranchCSRcertificateofGateway2signedbyrootCAofGateway1. Gateway2createsaCSR(BranchCSR)tolettherootCAoftheGateway1signittobetheBranchCRT certificate.ImportthecertificateintotheGateway2asalocalcertificate.Inaddition,alsoimportthe certificatesoftherootCAoftheGateway1intotheGateway2asthetrustedones.(Pleasealsorefer tofollowingtwosubsections) EstablishanIPSecVPNtunnelwithIKEandX.509protocolsbystartingfromeitherpeer,sothatall 108 M2MCellularGateway clienthostsinthesebothsubnetscancommunicatewitheachother. ParameterSetupExample ForNetworkAatHQ Followingtableslisttheparameterconfigurationasanexampleforthe"MyCertificate"functionused in the user authentication of IPSec VPN tunnel establishing, as shown in above diagram. The configuration example must be combined with the ones in following two sections to complete the wholeuserscenario. Usedefaultvalueforthoseparametersthatarenotmentionedinthetables. ConfigurationPath Name Key SubjectName ConfigurationPath Name Key SubjectName ConfigurationPath IPSec ConfigurationPath Tunnel TunnelName Interface TunnelScenario OperationMode ConfigurationPath LocalSubnet LocalNetmask FullTunnel RemoteSubnet RemoteNetmask RemoteGateway

[MyCertificate][RootCACertificateConfiguration]

HQRootCA KeyType:RSAKeyLength:1024bits Country(C):TWState(ST):Taiwan Location(L):Tainan Organization(O):AMITHQOrganizationUnit(OU):HQRD CommonName(CN):HQRootCAEmail:hqrootca@amit.com.tw

[MyCertificate][LocalCertificateConfiguration]

HQCRTSelfsigned:

KeyType:RSAKeyLength:1024bits Country(C):TWState(ST):Taiwan Location(L):Tainan Organization(O):AMITHQOrganizationUnit(OU):HQRD CommonName(CN):HQCRTEmail:hqcrt@amit.com.tw

[IPSec][Configuration]

Enable

[IPSec][TunnelConfiguration]

Enable s2s101 WAN1 SitetoSite Alwayson

[IPSec][Local&RemoteConfiguration]

10.0.76.0 255.255.255.0 Disable 10.0.75.0 255.255.255.0 118.18.81.33 109 M2MCellularGateway ConfigurationPath KeyManagement LocalID RemoteID

[IPSec][Authentication]

IKE+X.509LocalCertificate:HQCRTRemoteCertificate:BranchCRT UserNameNetworkA UserNameNetworkB

[IPSec][IKEPhase]

MainMode None ConfigurationPath NegotiationMode XAuth ForNetworkBatBranchOffice Followingtableslisttheparameterconfigurationasanexampleforthe"MyCertificate"functionused in the user authentication of IPSec VPN tunnel establishing, as shown in above diagram. The configuration example must be combined with the ones in following two sections to complete the wholeuserscenario. Usedefaultvalueforthoseparametersthatarenotmentionedinthetables. ConfigurationPath Name Key SubjectName ConfigurationPath IPSec ConfigurationPath Tunnel TunnelName Interface TunnelScenario OperationMode ConfigurationPath LocalSubnet LocalNetmask FullTunnel RemoteSubnet

[MyCertificate][LocalCertificateConfiguration]

BranchCRTSelfsigned:

KeyType:RSAKeyLength:1024bits Country(C):TWState(ST):Taiwan Location(L):Tainan Organization(O):AMITBranchOrganizationUnit(OU):BranchRD CommonName(CN):BranchCRTEmail:branchcrt@amit.com.tw

[IPSec][Configuration]

Enable

[IPSec][TunnelConfiguration]

Enable s2s102 WAN1 SitetoSite Alwayson

[IPSec][Local&RemoteConfiguration]

10.0.75.0 255.255.255.0 Disable 10.0.76.0 110 M2MCellularGateway RemoteNetmask RemoteGateway 255.255.255.0 203.95.80.22

[IPSec][IKEPhase]

MainMode None

[IPSec][Authentication]

IKE+X.509LocalCertificate:BranchCRTRemoteCertificate:HQCRT UserNameNetworkB UserNameNetworkA ConfigurationPath KeyManagement LocalID RemoteID ConfigurationPath NegotiationMode XAuth ScenarioOperationProcedure In above diagram, "Gateway 1" is the gateway of NetworkA in headquarters and the subnet of its Intranetis10.0.76.0/24.IthastheIPaddressof10.0.76.2forLANinterfaceand203.95.80.22forWAN 1interface."Gateway2"isthegatewayofNetworkBinbranchofficeandthesubnetofitsIntranetis 10.0.75.0/24.IthastheIPaddressof10.0.75.2forLANinterfaceand118.18.81.33forWAN1interface. TheybothserveastheNATsecuritygateways. Gateway1generatestherootCAandalocalcertificate(HQCRT)thatissignedbyitself.Importthe certificates of the root CA and HQCRT into the "Trusted CA Certificate List" and "Trusted Client CertificateList"ofGateway2. Gateway 2 generates a Certificate Signing Request (BranchCSR) for its own certificate (BranchCRT)

(PleasegenerateonenotselfsignedcertificateintheGateway2,andclickonthe"View"buttonfor thatCSR.Justdownloadsit).TaketheCSRtobesignedbytherootCAofGateway1andobtainthe BranchCRTcertificate(youneedrenameit).Importthecertificateintothe"TrustedClientCertificate List"oftheGateway1andthe"LocalCertificateList"ofGateway2. Gateway2canestablishanIPSecVPNtunnelwith"SitetoSite"scenarioandIKEandX.509protocolsto Gateway1. Finally,theclienthostsintwosubnetsof10.0.75.0/24and10.0.76.0/24cancommunicatewitheach other. 111 M2MCellularGateway MyCertificateSetting GotoObjectDefinition>Certificate>MyCertificatetab. The My Certificate setting allows user to create local certificates. In "My Certificate" page, there are two configurationwindowsforthe"MyCertificate"function.The"LocalCertificateList"windowshowsthestored certificatesorCSRsforrepresentingthegateway.The"LocalCertificateConfiguration"windowcanletyoufill requiredinformationnecessaryforcorrespondingcertificatetobegeneratedbyitself,orcorrespondingCSR tobesignedbyotherCAs. CreateLocalCertificate WhenAddbuttonisapplied,LocalCertificateConfigurationscreenwillappear.The required information to be filled for the certificate or CSR includes the name, key and subject name. It is a certificate if the "Self-signed"

box is checked; otherwise, it is a CSR. 112 M2MCellularGateway LocalCertificateConfiguration Valuesetting Item Name 1.Stringformatcanbeany text 2.AMustfilledsetting AMustfilledsetting Key SubjectName AMustfilledsetting ExtraAttributes AMustfilledsetting SCEPEnrollment AMustfilledsetting Description Enteracertificatename.Itwillbeacertificatefilename IfSelfsignedischecked,itwillbesignedbyrootCA.IfSelfsignedisnot checked,itwillgenerateacertificatesigningrequest(CSR). Thisfieldistospecifythekeyattributesofcertificate. KeyTypetosetpublickeycryptosystems.Currently,onlyRSAissupported. KeyLengthtosetthelengthinbitsofthekeyusedinacryptographicalgorithm. Itcanbe512/768/1024/1536/2048. DigestAlgorithmtosetidentifierinthesignaturealgorithmidentifierof certificates.ItcanbeMD5/SHA1. Thisfieldistospecify theinformationofcertificate. Country(C)isthetwoletterISOcodeforthecountrywhereyourorganizationis located. State(ST)isthestatewhereyourorganizationislocated. Location(L)isthelocationwhereyourorganizationislocated. Organization(O)isthenameofyourorganization. OrganizationUnit(OU)isthenameofyourorganizationunit. CommonName(CN)isthenameofyourorganization. Emailistheemailofyourorganization.Ithastobeemailaddresssettingonly. Thisfieldistospecify theextrainformationforgeneratingacertificate. Challenge Password for the password you can use to request certificate revocationinthefuture. UnstructuredNameforadditionalinformation. Thisfieldistospecify theinformationofSCEP. Ifuserwantstogenerateacertificatesigningrequest(CSR)andthensignedby SCEPserveronline,usercanchecktheEnablebox. SelectaSCEPServertoidentifytheSCEPserverforuse.Theserverdetailed informationcouldbespecifiedinExternalServers.RefertoObjectDefinition>

ExternalServer>ExternalServer.YoumayclickAddObjectbuttonto generate. SelectaCACertificatetoidentifywhichcertificatecouldbeacceptedbySCEP serverforauthentication.ItcouldbegeneratedinTrustedCertificates. SelectanoptionalCAEncryptionCertificate,ifitisrequired,toidentifywhich certificatecouldbeacceptedbySCEPserverforencryptiondatainformation.It couldbegeneratedinTrustedCertificates. FillinoptionalCAIdentifiertoidentifywhichCAcouldbeusedforsigning certificates. ClicktheSavebuttontosavetheconfiguration. WhentheBackbuttonisclicked,thescreenwillreturntopreviouspage. Save Back N/A N/A WhenImportbuttonisapplied,anImportscreenwillappear.Youcanimportacertificatefromanexisted certificatefile,ordirectlypasteaPEMencodedstringasthecertificate. 113 M2MCellularGateway Import Item Import PEMEncoded Apply Cancel Valuesetting AMustfilledsetting 1.Stringformatcanbeany text 2.AMustfilledsetting N/A N/A Description Selectacertificatefilefromuserscomputer,andclicktheApplybuttonto importthespecifiedcertificatefiletothegateway. Thisisanalternativeapproachtoimportacertificate. Youcandirectlyfillin(CopyandPaste)thePEMencodedcertificatestring,and clicktheApplybuttontoimportthespecifiedcertificatetothegateway. ClicktheApplybuttontoimportthecertificate. ClicktheCancelbuttontodiscardtheimportoperationandthescreenwill returntotheMyCertificatespage. 114 M2MCellularGateway 3.5.3TrustedCertificate TrustedCertificateincludesTrustedCACertificateList,TrustedClientCertificateList,andTrustedClientKey List. The Trusted CA Certificate List places the certificates of external trusted CAs. The Trusted Client CertificateListplacestheothers'certificateswhatyoutrust.AndtheTrustedClientKeyListplacestheothers keyswhatyoutrusted. SelfsignedCertificateUsageScenario ScenarioApplicationTiming(sameastheonedescribedin"MyCertificate"section) WhentheenterprisegatewayownstherootCAandVPNtunnelingfunction,itcangenerateitsown localcertificatesbybeingsignedbyitself.AlsoimportsthetrustedcertificatesforotherCAsandClients. Thesecertificatescanbeusedfortworemotepeerstomakesuretheiridentityduringestablishinga VPNtunnel. ScenarioDescription(sameastheonedescribedin"MyCertificate"section) Gateway 1 generates the root CA and a local certificate (HQCRT) signed by itself. Import a trusted certificate(BranchCRT)aBranchCSRcertificateofGateway2signedbyrootCAofGateway1. Gateway2createsaCSR(BranchCSR)tolettherootCAoftheGateway1signittobetheBranchCRT certificate.ImportthecertificateintotheGateway2asalocalcertificate.Inaddition,alsoimportsthe certificatesoftherootCAofGateway1intotheGateway2asthetrustedones.(Pleasealsoreferto

"MyCertificate"and"IssueCertificate"sections). EstablishanIPSecVPNtunnelwithIKEandX.509protocolsbystartingfromeitherpeer,sothatall clienthostsinthesebothsubnetscancommunicatewitheachother. ParameterSetupExample(sameastheonedescribedin"MyCertificate"section) 115 M2MCellularGateway ForNetworkAatHQ Followingtableslisttheparameterconfigurationasanexampleforthe"TrustedCertificate"function used in the user authentication of IPSec VPN tunnel establishing, as shown in above diagram. The configuration example must be combined with the ones in "My Certificate" and "Issue Certificate"

sectionstocompletethesetupforthewholeuserscenario. ConfigurationPath CommandButton

[TrustedCertificate][TrustedClientCertificateList]

Import ConfigurationPath File

[TrustedCertificate][TrustedClientCertificateImportfromaFile]

BranchCRT.crt ForNetworkBatBranchOffice Followingtableslisttheparameterconfigurationasanexampleforthe"TrustedCertificate"function used in the user authentication of IPSec VPN tunnel establishing, as shown in above diagram. The configurationexamplemustbe combinedwiththeonesin"MyCertificate"and"IssuedCertificate"

sectionstocompletethesetupforthewholeuserscenario. ConfigurationPath CommandButton ConfigurationPath File ConfigurationPath CommandButton ConfigurationPath File

[TrustedCertificate][TrustedCACertificateList]

Import

[TrustedCertificate][TrustedCACertificateImportfromaFile]

HQRootCA.crt

[TrustedCertificate][TrustedClientCertificateList]

Import

[TrustedCertificate][TrustedClientCertificateImportfromaFile]

HQCRT.crt ScenarioOperationProcedure(sameastheonedescribedin"MyCertificate"section) Inabovediagram,the"Gateway1"isthegatewayofNetworkAinheadquartersandthesubnetofits Intranetis10.0.76.0/24.IthastheIPaddressof10.0.76.2forLANinterfaceand203.95.80.22forWAN 1 interface. The "Gateway 2" is the gateway of NetworkB in branch office and the subnet of its Intranetis10.0.75.0/24.IthastheIPaddressof10.0.75.2forLANinterfaceand118.18.81.33forWAN 1interface.TheybothserveastheNATsecuritygateways. InGateway2importthecertificatesoftherootCAandHQCRTthatweregenerated andsignedby Gateway1intothe"TrustedCACertificateList"and"TrustedClientCertificateList"ofGateway2. 116 M2MCellularGateway ImporttheobtainedBranchCRTcertificate(thederivedBranchCSRcertificateafterGateway1sroot CAsignature)intothe"TrustedClientCertificateList"oftheGateway1andthe"LocalCertificateList"

oftheGateway2.Formoredetails,refertotheNetworkBoperationprocedurein"MyCertificate"

sectionofthismanual. Gateway2canestablishanIPSecVPNtunnelwith"SitetoSite"scenarioandIKEandX.509protocolsto Gateway1. Finally,theclienthostsintwosubnetsof10.0.75.0/24and10.0.76.0/24cancommunicatewitheach other. 117 M2MCellularGateway TrustedCertificateSetting GotoObjectDefinition>Certificate>TrustedCertificatetab. TheTrustedCertificatesettingallowsusertoimporttrustedcertificatesandkeys. ImportTrustedCACertificate When Import button is applied, a Trusted CA import screen will appear. You can import a Trusted CA certificatefromanexistedcertificatefile,ordirectlypasteaPEMencodedstringasthecertificate. TrustedCACertificateList Item Importfroma File Importfroma PEM Valuesetting AMustfilledsetting 1.Stringformatcanbeany text 2.AMustfilledsetting N/A N/A Apply Cancel Description SelectaCAcertificatefilefromuserscomputer,andclicktheApply buttonto importthespecifiedCAcertificatefiletothegateway. ThisisanalternativeapproachtoimportaCAcertificate. Youcandirectlyfillin(CopyandPaste)thePEMencodedCAcertificatestring, andclicktheApplybuttontoimportthespecifiedCAcertificatetothegateway. ClicktheApplybuttontoimportthecertificate. ClicktheCancelbuttontodiscardtheimportoperationandthescreenwill returntotheTrustedCertificatespage. InsteadofimportingaTrustedCAcertificatewithmentionedapproaches,youcanalsogettheCAcertificate fromtheSECPserver. IfSCEPisenabled(RefertoObjectDefinition>Certificate>Configuration),youcanclickGetCAbutton,aGet CAConfigurationscreenwillappear. 118 M2MCellularGateway GetCAConfiguration Item SCEPServer Valuesetting AMustfilledsetting CAIdentifier Save Close 1.Stringformatcanbeany text N/A N/A ImportTrustedClientCertificate Description SelectaSCEPServer toidentifytheSCEPserverforuse.Theserverdetailed informationcouldbespecifiedinExternalServers.RefertoObjectDefinition>

ExternalServer>ExternalServer.YoumayclickAddObjectbuttonto generate. FillinoptionalCAIdentifier toidentifywhichCAcouldbeusedforsigning certificates. ClickSave tosavethesettings. ClicktheClosebuttontoreturntotheTrustedCertificatespage. When Import button is applied, a Trusted Client Certificate Import screen will appear. You can import a Trusted Client Certificate from an existed certificate file, or directly paste a PEM encoded string as the certificate. TrustedClientCertificateList 119 M2MCellularGateway Item Importfroma File Importfroma PEM Apply Cancel Valuesetting AMustfilledsetting 1.Stringformatcanbeany text 2.AMustfilledsetting N/A N/A ImportTrustedClientKey Description Selectacertificatefilefromuserscomputer,andclicktheApplybuttontoimportthe specifiedcertificatefiletothegateway. Thisisanalternativeapproachtoimportacertificate. Youcandirectlyfillin(CopyandPaste)thePEMencodedcertificatestring,andclickthe Applybuttontoimportthespecifiedcertificatetothegateway. ClicktheApplybuttontoimportcertificate. ClicktheCancelbuttontodiscardtheimportoperationandthescreenwillreturntothe TrustedCertificatespage. WhenImportbuttonisapplied,aTrusted ClientKey Importscreenwillappear.YoucanimportaTrusted ClientKeyfromanexistedfile,ordirectlypasteaPEMencodedstringasthekey. TrustedClientKeyList Item Importfroma File Importfroma PEM Valuesetting AMustfilledsetting 1.Stringformatcanbeany text 2.AMustfilledsetting N/A N/A Apply Cancel Description Selectacertificatekeyfilefromuserscomputer,andclicktheApplybuttontoimport thespecifiedkeyfiletothegateway. Thisisanalternativeapproachtoimportacertificatekey. Youcandirectlyfillin(CopyandPaste)thePEMencodedcertificatekeystring,andclick theApplybuttontoimportthespecifiedcertificatekeytothegateway. ClicktheApplybuttontoimportthecertificatekey. ClicktheCancelbuttontodiscardtheimportoperationandthescreenwillreturntothe TrustedCertificatespage. 120 M2MCellularGateway Chapter4FieldCommunication(notsupported) Not supported feature for the purchased product, leave it as blank. 121 M2MCellularGateway Chapter5Security 5.1 VPN Avirtualprivatenetwork(VPN)extendsaprivatenetworkacrossapublicnetwork,suchastheInternet.It enablesacomputertosendandreceivedataacrosssharedorpublicnetworksasifitweredirectlyconnected to the private network, while benefitting from the functionality, security and management policies of the privatenetwork.Thisisdonebyestablishingavirtualpointtopointconnectionthroughtheuseofdedicated connections,encryption,oracombinationof thetwo.Thetunnel technology supports data confidentiality, data origin authentication and data integrity of network information by utilizing encapsulation protocols, encryptionalgorithms,andhashingalgorithms. The product series supports different tunneling technologies to establish secure tunnels between multiple sitesfordatatransferring,suchasIPSec,OpenVPN,L2TP(overIPSec),PPTPandGRE.Besides,someadvanced functions, like Full Tunnel, Tunnel Failover, Tunnel Load Balance, NetBIOS over IPSec, NAT Traversal and DynamicVPN,arealsosupported. 122 M2MCellularGateway 5.1.1IPSec Internet Protocol Security (IPSec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPSec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographickeystobeusedduringthesession. AnIPSecVPNtunnelisestablishedbetweenIPSecclientandserver.Sometimes,wecalltheIPSecVPNclientas theinitiatorandtheIPSecVPNserverastheresponder.Thisgatewaycanbeconfiguredasdifferentrolesand establishnumberoftunnelswithvariousremotedevices.BeforegoingtosetuptheVPNconnections,youmay needtodecidethescenariotypeforthetunneling. IPSecTunnelScenarios TobuildIPSectunnel,youneedtofillin remotegatewayglobalIP,andoptional subnet if the hosts behind IPSec peer can access to remote site or hosts. Under such configuration, there are fourscenarios:

SitetoSite:Youneedtosetupremote IP and subnet of both gateway gateways. After tunnel established, both gateways can communication each otherthroughthetunnel. IPSec behind hosts the SitetoHost:SitetoHostissuitablefortunnelingbetweenclientsinasubnetandanapplicationserver(host). 123 M2MCellularGateway As in the diagram, the clients behind the M2M gateway can access to the host "HostDC" located in the controlcenterthroughSitetoHostVPNtunnel. Host to Site: On the contrast, for a single host (or mobile user to) to access the resources located in an intranet,theHosttoSitescenariocanbeapplied. HosttoHost:HosttoHostisaspecialconfigurationforbuildingaVPNtunnelbetweentwosinglehosts. SitetoSitewith"FullTunnel"enabled Internet access originates In"SitetoSite"scenario,clienthostsinremotesitecan access the enterprise resources in the Intranet of HQ gateway via an established IPSec tunnel, as described above. However, from remotesitestillgothroughitsregularWANconnection. Ifyouwantallpacketsfromremotesite toberouted via this IPSec tunnel, including HQ server access and Internet access, you can just enable the Full Tunnel"

setting. As a result, every time users surfs web or searchingdataonInternet,checkingpersonalemails,or HQserveraccess,alltrafficswillgothroughthesecure IPSec tunnel and route by the Security Gateway in controlcenter. SitetoSitewith"HubandSpoke"mechanism its remote sites, there ForacontrolcentertomanagethesecureIntranet among all is a simple configuration,calledHubandSpoke,forthewhole VPNnetwork.AHubandSpokeVPNNetworkisset up in organizations with centralized control center over all its remote sites, like shops or offices. The controlcenteractsastheHubroleandtheremote shopsorOfficesactasSpokes.AllVPNtunnelsfrom remotesitesterminateatthisHub,whichactsasa concentrator. Sitetosite connections between spokes do not exist. Traffic originating from one spokeanddestinedforanotherspokehastogovia theHub.Undersuchconfiguration,youdontneed tomaintainVPNtunnelsbetweeneachtworemote clients. 124 M2MCellularGateway IPSecSetting GotoSecurity>VPN>IPSectab. TheIPSecSettingallowsusertocreateandconfigureIPSectunnels. EnableIPSec ConfigurationWindow Item IPsec NetBIOSoverIPSec Valuesetting Uncheckedbydefault Uncheckedbydefault Description ClicktheEnableboxtoenableIPSecfunction. ClicktheEnableboxtoenableNetBIOSoverIPSecfunction. NATTraversal Checkedbydefault ClicktheEnableboxtoenableNATTraversalfunction. Max.Concurrent IPSecTunnels Save Undo DependsonProduct specification. N/A N/A ThespecifiedvaluewilllimitthemaximumnumberofsimultaneousIPSec tunnelconnection.Thedefaultvaluecanbedifferentforthepurchasedmodel. ClickSavetosavethesettings ClickUndotocancelthesettings Create/EditIPSectunnel EnsurethattheIPSecenableboxischeckedtoenablebeforefurtherconfiguringtheIPSectunnelsettings. WhenAdd/Editbuttonisapplied,aseriesofconfigurationscreenswillappear.TheyareTunnelConfiguration, Local & Remote Configuration, Authentication, IKE Phase, IKE Proposal Definition, IPSec Phase, and IPSec ProposalDefinition.YouhavetoconfigurethetunneldetailsforbothlocalandremoteVPNdevices. 125 M2MCellularGateway TunnelConfigurationWindow Item Tunnel TunnelName Interface TunnelScenario TunelTCPMSS Valuesetting Uncheckedbydefault 1.AMustfillsetting 2.Stringformatcanbe anytext 1.AMustfillsetting 2.WAN1isselected bydefault 1.AMustfillsetting 2.Sitetositeis selectedbydefault 1.Anoptionalsetting 2.Autoissetby default HubandSpoke 1.Anoptionalsetting 2.Noneissetby default OperationMode 1.AMustfillsetting 2.Alwayonisselected Description ChecktheEnableboxtoactivatetheIPSectunnel Enteratunnelname.Enteranamethatiseasyforyoutoidentify. ValueRange:1~19characters. SelecttheinterfaceonwhichIPSectunnelistobeestablished.Itcanbethe availableWANandLANinterfaces. SelectanIPSectunnelingscenariofromthedropdownboxforyourapplication. SelectSitetoSite,SitetoHost,HosttoSite,orHosttoHost.IfLANinterface isselected,onlyHosttoHostscenarioisavailable. WithSitetoSiteorSitetoHostorHosttoSite,IPSecoperatesintunnelmode. Thedifferenceamongthemisthenumberofsubnets.WithHosttoHost,IPSec operatesintransportmode. SelectfromthedropdownboxtodefinethesizeofTunelTCPMSS. SelectAuto,andalldeviceswilladjustthisparameterautomatically. SelectManual,andspecifyanexpectedvauleforTunelTCPMSS. ValueRange:64~1500bytes. SelectfromthedropdownboxtosetupyourgatewayforHubandSpokeIPSec VPNDeployments. SelectNoneifyourdeploymentswillnotsupportHuborSpokeencryption. SelectHubforaHubroleintheIPSecdesign. SelectSpokeforaSpokeroleintheIPSecdesign. Note:HubandSpokeareavailableonlyforSitetoSiteVPNtunnelingspecified inTunnelScenario.ItisnotavailableforDynamicVPNtunnelingapplication. DefineoperationmodefortheIPSecTunnel.ItcanbeAlwaysOn,orFailover. Ifthistunnelissetasafailovertunnel,youneedtofurtherselectaprimary 126 M2MCellularGateway Encapsulation Protocol bydefault 1.AMustfillsetting 2.ESPisselectedby default tunnelfromwhichtofailoverto. Note:FailovermodeisnotavailableforthegatewaywithsingleWAN. SelecttheEncapsulationProtocolfromthedropdownboxforthisIPSectunnel. AvailableencapsulationsareESPandAH. Local&RemoteConfigurationWindow Item Valuesetting LocalSubnetList AMustfillsetting RedirectTraffic Uncheckedbydefault FullTunnel Uncheckedbydefault Description SpecifytheLocalSubnetIPaddressandSubnetMask. ClicktheAddorDeletebuttontoaddordeleteaLocalSubnet. Note_1:WhenDynamicVPNoptioninTunnelScenarioisselected,therewillbe onlyonesubnetavailable. Note_2:WhenHosttoSiteorHosttoHostoptioninTunnelScenariois selected,LocalSubnetwillnotbeavailable. Note_3:WhenHubandSpokeoptioninHubandSpokeisselected,therewillbe onlyonesubnetavailable. ClickEnableboxtoactivatetheRedirectTrafficfunction. Note:RedirectTrafficisavailableonlyforHosttoSitespecifiedinTunnel Scenario.Bydefault,itisdisabled,soitcanpreventtheunexpectedand dangerousaccesstothepeersubnet.Ifyouenablesuchfunction,allthe networkdevicesbehindtheVPNhost(actually,itisanNATgateway)canaccess tothepeersubnetwiththehostIP. ClickEnableboxtoenableFullTunnel. Note:FulltunnelisavailableonlyforSitetoSitespecifiedinTunnelScenario. 127 M2MCellularGateway RemoteSubnetList AMustfillsetting RemoteGateway 1.AMustfillsetting. 2.Formatcanbea ipv4addressorFQDN SpecifytheRemoteSubnetIPaddressandSubnetMask. ClicktheAddorDeletebuttontoaddordeleteRemoteSubnetsetting. SpecifytheRemoteGateway. AuthenticationConfigurationWindow Item Valuesetting KeyManagement 1.AMustfillsetting 2.PresharedKey8to 32characters. LocalID Anoptionalsetting RemoteID Anoptionalsetting Description SelectKeyManagementfromthedropdownboxforthisIPSectunnel. IKE+PresharedKey: userneedstosetakey(8~32characters). IKE+X.509:userneedsCertificatetoauthenticate.IKE+X.509willbeavailable onlywhenCertificatehasbeenconfiguredproperly.RefertoCertificatesection ofthismanualandalsoObjectDefinition>Certificateinwebbasedutility. Manually:userneedstoenterkeyIDtoauthenticate.Manualkeyconfiguration willbeexplainedinthefollowingManualKeyManagementsection. SpecifytheLocalIDforthisIPSectunneltoauthenticate. SelectUserNameforLocalIDandentertheusername.Theusernamemay includebutcantbeallnumbers. SelectFQDNforLocalIDandentertheFQDN. SelectUser@FQDNforLocalIDandentertheUser@FQDN. SelectKeyIDforLocalIDandentertheKeyID(Englishalphabetornumber). SpecifytheRemoteIDforthisIPSectunneltoauthenticate. SelectUserNameforRemoteIDandentertheusername.Theusernamemay includebutcantbeallnumbers. SelectFQDNforLocalIDandentertheFQDN. SelectUser@FQDNforRemoteIDandentertheUser@FQDN. SelectKeyIDforRemoteIDandentertheKeyID(Englishalphabetornumber). Note:RemoteIDwillbenotavailablewhenDynamicVPNoptioninTunnel Scenarioisselected. 128 M2MCellularGateway IKEPhaseWindow Item IKEVersion NegotiationMode Valuesetting 1.Amustfillsetting 2.v1isselectedby default MainModeissetby defaultdefault XAuth Noneisselectedby default DeadPeerDetection

(DPD) Phase1KeyLife Time 1.Checkedbydefault 2.DefaultTimeout 180sandDelay30s 1.AMustfillsetting 2.Default3600s 3.Max.86400s Description SpecifytheIKEversionforthisIPSectunnel.Selectv1orv2 Note:IKEversionswillnotbeavailablewhenDynamicVPNoptioninTunnel Scenarioisselected,orAHoptioninEncapsulationProtocolisselected. SpecifytheNegotiationModeforthisIPSectunnel.SelectMainModeor AggressiveMode. SpecifytheXAuthroleforthisIPSectunnel.SelectServer,Client,orNone. SelectedNonenoXAuthauthenticationisrequired. SelectedServerthisgatewaywillbeanXAuthserver.ClickontheXAuth AccountbuttontocreateremoteXAuthclientaccount. SelectedClientthisgatewaywillbeanXAuthclient.EnterUsernameand PasswordtobeauthenticatedbytheXAuthservergateway. Note:XAuthClientwillnotbeavailableforDynamicVPNoptionselectedin TunnelScenario. ClickEnableboxtoenableDPDfunction.SpecifytheTimeoutandDelaytimein seconds. ValueRange:0~999secondsforTimeoutandDelay. SpecifythePhase1KeyLifeTime. ValueRange:30~86400. 129 M2MCellularGateway IKEProposalDefinitionWindow Item Valuesetting IKEProposal Definition AMustfillsetting Description SpecifythePhase1Encryptionmethod.ItcanbeDES/3DES/AESauto/AES 128/AES192/AES256. SpecifytheAuthenticationmethod.ItcanbeNone/MD5/SHA1/SHA2256. SpecifytheDHGroup.ItcanbeNone/Group1/Group2/Group5/Group14/

Group15/Group16/Group17/Group18. CheckEnableboxtoenablethissetting IPSecPhaseWindow Item Phase2KeyLifeTime Valuesetting 1.AMustfillsetting 2.28800sissetby default 3.Max.86400s Description SpecifythePhase2KeyLifeTimeinsecond. ValueRange:30~86400. 130 M2MCellularGateway IPSecProposalDefinitionWindow Item Valuesetting IPSecProposal Definition AMustfillsetting Description SpecifytheEncryptionmethod.ItcanbeNone/DES/3DES/AESauto/AES 128/AES192/AES256. Note:NoneisavailableonlywhenEncapsulationProtocolissetasAH;itisnot availableforESPEncapsulation. SpecifytheAuthenticationmethod.ItcanbeNone/MD5/SHA1/SHA2256. Note:NoneandSHA2256areavailableonlywhenEncapsulationProtocolisset asESP;theyarenotavailableforAHEncapsulation. SpecifythePFSGroup.ItcanbeNone/Group1/Group2/Group5/Group14/

Group15/Group16/Group17/Group18. ClickEnabletoenablethissetting ClickSavetosavethesettings ClickUndotocancelthesettings ClickBacktoreturntothepreviouspage. Save Undo Back N/A N/A N/A ManualKeyManagement When the Manually option is selected for Key Management as described in Authentication Configuration Window, a series of configuration windows for Manual IPSec Tunnel configuration will appear. The configurationwindowsaretheLocal&RemoteConfiguration,theAuthentication,andtheManualProposal. AuthenticationWindow Item Valuesetting Description 131 M2MCellularGateway KeyManagement AMustfillsetting LocalID RemoteID Anoptionalsetting Anoptionalsetting SelectKeyManagementfromthedropdownboxforthisIPSectunnel. InthissectionManuallyistheoptionselected. SpecifytheLocalIDforthisIPSectunneltoauthenticate. SelecttheKeyIDforLocalIDandentertheKeyID(Englishalphabetornumber). SpecifytheRemoteIDforthisIPSectunneltoauthenticate. SelectKeyIDforRemoteIDandentertheKeyID(Englishalphabetornumber). Local&RemoteConfigurationWindow Item LocalSubnet LocalNetmask RemoteSubnet RemoteNetmask Valuesetting AMustfillsetting AMustfillsetting AMustfillsetting AMustfillsetting 1.AMustfillsetting 2.AnIPv4addressor FQDNformat RemoteGateway Description SpecifytheLocalSubnetIPaddressandSubnetMask. SpecifytheLocalSubnetMask. SpecifytheRemoteSubnetIPaddress SpecifytheRemoteSubnetMask. SpecifytheRemoteGateway.TheRemoteGateway Under the Manually Key Management authentication configuration, only one subnet is supported for both LocalandRemoteIPSecpeer. ManualProposalWindow Item OutboundSPI Valuesetting Hexadecimalformat Description SpecifytheOutboundSPIforthisIPSectunnel. 132 M2MCellularGateway InboundSPI Hexadecimalformat Encryption 1.AMustfillsetting 2.Hexadecimalformat Authentication 1.AMustfillsetting 2.Hexadecimalformat Save Undo Back N/A N/A N/A Create/EditDynamicVPNServerList ValueRange:0~FFFF. SpecifytheInboundSPIforthisIPSectunnel. ValueRange:0~FFFF. SpecifytheEncryptionMethodandEncryptionkey. AvailableencryptionmethodsareDES/3DES/AES128/AES192/AES256. ThekeylengthforDESis16,3DESis48,AES128is32,AES192is48,andAES 256is64. Note:WhenAHoptioninEncapsulationisselected,encryptionwillnotbe available. SpecifytheAuthenticationMethodandAuthenticationkey. AvailableencryptionsareNone/MD5/SHA1/SHA2256. ThekeylengthforMD5is32,SHA1is40,andSHA2256is64. Note:WhenAHoptioninEncapsulationProtocolisselected,Noneoptionin Authenticationwillnotbeavailable. ClickSavetosavethesettings ClickUndotocancelthesettings ClickBacktoreturntothepreviouspage. SimilartocreateanIPSecVPNTunnelforsite/hosttosite/hostscenario,whenEditbuttonisappliedaseries of configuration screen will appear. They are Tunnel Configuration, Local & Remote Configuration, Authentication,IKEPhase,IKEProposalDefinition,IPSecPhase,andIPSecProposalDefinition.Youhaveto configurethetunneldetailsforthegatewayasaDynamicVPNserver. Note:Forthepurchasedgateway,youcanconfigureoneDynamicVPNserverforeachWANinterface. 133 M2MCellularGateway TunnelConfigurationWindow Item Tunnel Valuesetting Uncheckedbydefault 1.AMustfillsetting 2.Stringformatcanbe anytext 1.AMustfillsetting 2.WAN1isselected bydefault 1.AMustfillsetting 2.DynamicVPNis selectedbydefault 1.AMustfillsetting 2.Alwayonisselected bydefault 1.AMustfillsetting 2.ESPisselectedby default Description ChecktheEnableboxtoactivatetheDynamicIPSecVPNtunnel. Enteratunnelname.Enteranamethatiseasyforyoutoidentify. ValueRange:1~19characters. SelectWANinterfaceonwhichIPSectunnelistobeestablished. TheIPSectunnelingscenarioisfixedtoDynamicVPN. TheavailableoperationmodeisAlwaysOn.Failoveroptionisnotavailablefor theDynamicIPSecscenario. SelecttheEncapsulationProtocolfromthedropdownboxforthisIPSectunnel. AvailableencapsulationsareESPandAH. TunnelName Interface TunnelScenario OperationMode Encapsulation Protocol Local&RemoteConfigurationWindow Item LocalSubnet LocalNetmask Valuesetting AMustfillsetting AMustfillsetting Description SpecifytheLocalSubnetIPaddress. SpecifytheLocalSubnetMask. AuthenticationConfigurationWindow Item KeyManagement Valuesetting 1.AMustfillsetting Description SelectKeyManagementfromthedropdownboxforthisIPSectunnel. 134 M2MCellularGateway 2.PresharedKey8to 32characters. IKE+PresharedKey: userneedstosetakey(8~32characters). LocalID Anoptionalsetting RemoteID Anoptionalsetting SpecifytheLocalIDforthisIPSectunneltoauthenticate. SelectUserNameforLocalIDandentertheusername.Theusernamemay includebutcantbeallnumbers. SelectFQDNforLocalIDandentertheFQDN. SelectUser@FQDNforLocalIDandentertheUser@FQDN. SelectKeyIDforLocalIDandentertheKeyID(Englishalphabetornumber). SpecifytheRemoteIDforthisIPSectunneltoauthenticate. SelectUserNameforRemoteIDandentertheusername.Theusernamemay includebutcantbeallnumbers. SelectFQDNforLocalIDandentertheFQDN. SelectUser@FQDNforRemoteIDandentertheUser@FQDN. SelectKeyIDforRemoteIDandentertheKeyID(Englishalphabetornumber). Note:RemoteIDwillbenotavailablewhenDynamicVPNoptioninTunnel Scenarioisselected. FortherestIKEPhase,IKEProposalDefinition,IPSecPhase,andIPSecProposalDefinitionsettings,theyarethe sameasthatofcreatinganIPSecTunneldescribedinprevioussection.Pleaserefertotherelateddescription. 135 M2MCellularGateway 5.1.2OpenVPN OpenVPN is an application that implements virtual private network (VPN) techniques for creating secure pointtopointorsitetositeconnectionsinroutedorbridgedconfigurationsandremoteaccessfacilities.It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network addresstranslators(NATs)andfirewalls. OpenVPNallowspeerstoauthenticateeachotherusingaStaticKey(presharedkey)orcertificates.When used in a multiclientserver configuration, it allows the server to release an authentication certificate for everyclient,usingsignatureandcertificateauthority.ItusestheOpenSSLencryptionlibraryextensively,as wellastheSSLv3/TLSv1protocol,andcontainsmanysecurityandcontrolfeatures. OpenVPN Tunneling is a Client and Server based tunneling technology. The OpenVPN Server must have a StaticIPoraFQDN,andmaintainaClientlist.TheOpenVPNClientmaybeamobileuserormobilesitewith public IP or private IP,and requesting theOpenVPN tunnel connection. The product can only behave as a OpenVPNClientroleforanOpenVPNtunnelconnection. TherearetwoOpenVPNconnectionscenarios.TheyaretheTAPandTUNscenarios.Theproductcancreate eitheralayer3basedIPtunnel(TUN),oralayer2basedEthernetTAPthatcancarryanytypeofEthernet traffic.InadditiontoconfiguringthedeviceasaServerorClient,youhavetospecifywhichtypeofOpenVPN connectionscenarioistobeadopted. OpenVPNTUNScenario Theterm"TUN"modeisreferredtoroutingmodeand operateswithlayer3packets.Inroutingmode,theVPN clientisgivenanIPaddressonadifferentsubnetthan the local LAN under the OpenVPN server. This virtual subnet is created for connecting to any remote VPN computers. In routing mode, the OpenVPN server creates a "TUN" interface with its own IP address pool which is different to the local LAN. Remote hosts that dialin will get an IP address inside the virtual network andwillhaveaccessonlytotheserverwhereOpenVPN resides. IfyouwanttoofferremoteaccesstoaVPNserverfrom client(s),andinhibittheaccesstoremoteLANresources under VPN server, OpenVPN TUN mode is the simplest solution. Asshowninthediagram,theM2MIoTGatewayisconfiguredasanOpenVPNTUNClient,andconnectstoan OpenVPN UN Server. Once the OpenVPN TUN connection is established, the connected TUN client will be 136 M2MCellularGateway assignedavirtualIP(10.8.0.2)whichisbelongtoavirtualsubnetthatisdifferenttothelocalsubnetinControl Center. With such connection, the local networked devices will get a virtual IP 10.8.0.x if its traffic goes throughtheOpenVPNTUNconnectionwhenRedirectInternetTrafficsettingsisenabled;Besides,theSCADA ServerinControlCentercanaccessremoteattachedserialdevice(s)withthevirtualIPaddress(10.8.0.2). OpenVPNTAPScenario Theterm"TAP"isreferredtobridgemodeandoperates with layer 2 packets. In bridge mode, the VPN client is given an IP address on the same subnet as the LAN resided under the OpenVPN server. Under such configuration,theOpenVPNclientcandirectlyaccessto theresourcesinLAN.Ifyouwanttoofferremoteaccess totheentireremoteLANforVPNclient(s),youhaveto setupOpenVPNinTAPbridgemode. As shown in the diagram, the M2MIoT Gateway is configuredasanOpenVPNTAPClient,andconnectstoan OpenVPNTAPServer.OncetheOpenVPNTAPconnection isestablished,theconnectedTAPclientwillbeassigneda virtualIP(192.168.100.210)whichisthesamesubnetas thatoflocalsubnetinControlCenter.Withsuchconnection,theSCADAServerinControlCentercanaccess remoteattachedserialdevice(s)withthevirtualIPaddress(192.168.100.210). 137 M2MCellularGateway OpenVPNSetting GotoSecurity>VPN>OpenVPNtab. TheOpenVPNsettingallowsusertocreateandconfigureOpenVPNtunnels. EnableOpenVPN Description ChecktheEnable boxtoactivatetheOpenVPNfunction. Only Clientis available,youcanspecifytheclientsettingsinanotherclient configurationwindow. Valuesetting Theboxisuncheckedby default Client default. is selected by Configuration Item OpenVPN Client 138 M2MCellularGateway AsanOpenVPNClient IfClientisselected,anOpenVPNClientListscreenwillappear. WhenAddbuttonisapplied,OpenVPNClientConfigurationscreenwillappear.OpenVPNClientConfiguration windowletyouspecifytherequiredparametersforanOpenVPNVPNclient,suchas"OpenVPNClientName",

"Interface", "Protocol", "Tunnel Scenario", "Remote IP/FQDN", "Remote Subnet", "Authorization Mode",

"EncryptionCipher","HashAlgorithm"andtunnelactivation. 139 M2MCellularGateway OpenVPNClientConfiguration Item OpenVPNClient Name Interface Valuesetting AMustfilledsetting 1.AMustfilledsetting 2.BydefaultWAN1is selected. 1.AMustfilledsetting 2.BydefaultTCPis selected. Protocol Port TunnelScenario RemoteIP/FQDN RemoteSubnet RedirectInternet Traffic NAT AuthorizationMode 1.AMustfilledsetting 2.Bydefault443is set. 1.AMustfilledsetting 2.BydefaultTUNis selected. AMustfilledsetting 1.AnOptionalsetting. 2.Theboxis uncheckedbydefault. 1.AnOptionalsetting. 2.Theboxis uncheckedbydefault. 1.AnOptionalsetting. 2.Theboxis uncheckedbydefault. 1.AMustfilledsetting 2.BydefaultTLSis selected. LocalEndpointIP Address AMustfilledsetting Description TheOpenVPNClientName willbeusedtoidentifytheclientinthetunnellist. ValueRange:1~32characters. DefinethephysicalinterfacetobeusedforthisOpenVPNClienttunnel. DefinetheProtocol fortheOpenVPNClient. SelectTCP

>TheOpenVPNwilluseTCPprotocol,andPortwillbesetas443automatically. SelectUDP

>TheOpenVPNwilluseUDPprotocol,andPortwillbesetas1194 automatically. SpecifythePort fortheOpenVPNClienttouse. Value Range: 1 ~ 65535. Specify thetypeof Tunnel Scenario fortheOpenVPN Clientto use. Itcanbe TUNforTUNtunnelscenario,orTAPforTAPtunnelscenario. SpecifytheRemoteIP/FQDN ofthepeerOpenVPNServerforthisOpenVPN Clienttunnel. FillintheIPaddressorFQDN. ChecktheEnable boxtoactivateremotesubnetfunction,andspecifyRemote SubnetofthepeerOpenVPNServerforthisOpenVPNClienttunnel. Fillintheremotesubnetaddressandremotesubnetmask. ChecktheEnable boxtoactivatetheRedirectInternetTrafficfunction. ChecktheEnable boxtoactivatetheNAT function. Specify theauthorizationmode fortheOpenVPNServer. TLS

>The OpenVPN will use TLS authorization mode, and the following items CA Cert.,ClientCert.andClientKeywillbedisplayed. CA Cert. could be selected in Trusted CA Certificate List. Refer to Object Definition>Certificate>TrustedCertificate. ClientCert.couldbeselectedinLocalCertificateList.RefertoObjectDefinition

>Certificate>MyCertificate. ClientKeycouldbeselectedinTrustedClientkeyList.RefertoObjectDefinition

>Certificate>TrustedCertificate. StaticKey

>TheOpenVPNwillusestatickeyauthorizationmode,andthefollowingitems LocalEndpointIPAddress,RemoteEndpointIPAddressandStaticKeywillbe displayed. Specifythe virtual LocalEndpointIPAddress ofthisOpenVPNgateway. ValueRange:TheIPformatis10.8.0.x,therangeofxis1~254. Note:LocalEndpointIPAddresswillbeavailableonlywhenStaticKeyischosen inAuthorizationMode. 140 M2MCellularGateway RemoteEndpointIP Address AMustfilledsetting StaticKey AMustfilledsetting EncryptionCipher HashAlgorithm LZOCompression PersisKey PersisTun Advanced Configuration Tunnel Save Undo Back BydefaultBlowfishis selected. BydefaultSHA1is selected. BydefaultAdaptiveis selected. 1.AnOptionalsetting. 2.Theboxischecked bydefault. 1.AnOptionalsetting. 2.Theboxischecked bydefault. N/A Theboxisunchecked bydefault N/A N/A N/A Specifythevirtual Remote EndpointIPAddressofthepeerOpenVPNgateway. ValueRange:TheIPformatis10.8.0.x,therangeofxis1~254. Note: Remote Endpoint IP Address will be available only when Static Key is choseninAuthorizationMode. SpecifytheStaticKey. Note:StaticKeywillbeavailableonlywhenStaticKeyischoseninAuthorization Mode. SpecifytheEncryptionCipher. ItcanbeBlowfish/AES256/AES192/AES128/None. SpecifytheHashAlgorithm. ItcanbeSHA1/MD5/MD4/SHA2256/SHA2512/None/Disable. SpecifytheLZOCompressionscheme. ItcanbeAdaptive/YES/NO/Default. ChecktheEnable boxtoactivatethePersisKeyfunction. ChecktheEnable boxtoactivatethePersisTunfunction. Click the Edit button to specify the Advanced Configuration setting for the OpenVPNserver. Ifthebuttonisclicked,AdvancedConfigurationwillbedisplayedbelow. Checkthe Enable boxtoactivate thisOpenVPNtunnel. Click Savetosavethesettings. Click Undo tocancelthechanges. ClickBack toreturntolastpage. 141 M2MCellularGateway WhenAdvancedConfigurationisselected,anOpenVPNClientAdvancedConfigurationscreenwillappear. OpenVPNAdvancedClientConfiguration Item TLSCipher Valuesetting 1.AMustfilledsetting. 2.TLSRSAWITH AES128SHAisselected bydefault TLSAuth.Key 1.AnOptionalsetting. 2.Stringformat:anytext Description SpecifytheTLS Cipher from thedropdownlist. ItcanbeNone/TLSRSAWITHRC4MD5/TLSRSAWITHAES128SHA/TLS RSAWITHAES256SHA / TLSDHEDSSAES128SHA / TLSDHEDSSAES256 SHA. Note: TLS Cipher will be available only when TLS is chosen in Authorization Mode. SpecifytheTLSAuth.Key forconnectingtoanOpenVPNserver,iftheserver requiredit. Note:TLSAuth.KeywillbeavailableonlywhenTLSischoseninAuthorization Mode. 142 M2MCellularGateway UserName AnOptionalsetting. Password AnOptionalsetting. BridgeTAPto BydefaultVLAN1is selected FirewallProtection ClientIPAddress TunnelMTU TunnelUDP Fragment Theboxisuncheckedby default. BydefaultDynamicIPis selected 1.AMustfilledsetting 2.Thevalueis1500by default Thevalueis1500by default TunnelUDPMSS Fix Theboxisuncheckedby default. nsCerType Verification Theboxisuncheckedby default. TLSRenegotiation Time(seconds) Connection Retry(seconds) Thevalueis3600by default Thevalueis1bydefault DNS Additional Configuration Save Undo Back BydefaultAutomatically isselected AnOptionalsetting. N/A N/A N/A Enter the User account for connecting to an OpenVPN server, if the server requiredit. Note:UserNamewillbeavailableonlywhenTLSischoseninAuthorization Mode. Enter the Password for connecting to an OpenVPN server, if the server requiredit. Note:UserNamewillbeavailableonlywhenTLSischoseninAuthorization Mode. Specifythe settingofBridgeTAPto tobridgetheTAPinterfacetoacertain localnetworkinterfaceorVLAN. Note: Bridge TAP to will be available only when TAP is chosen in Tunnel ScenarioandNATisunchecked. Checktheboxtoactivatethe FirewallProtectionfunction. Note:FirewallProtectionwillbeavailableonlywhenNATisenabled. Specifythe virtualIPAddress fortheOpenVPNClient. ItcanbeDynamicIP/StaticIP. SpecifythevalueofTunnelMTU. ValueRange:0~1500. SpecifythevalueofTunnelUDPFragment. ValueRange:0~1500. Note: Tunnel UDP Fragment will be available only when UDP is chosen in Protocol. ChecktheEnable boxto activate theTunnelUDPMSSFixfunction. Note: Tunnel UDP MSSFix will be available only when UDP is chosen in Protocol. ChecktheEnable boxtoactivatethensCerTypeVerificationfunction. Note: nsCerType Verification will be available only when TLS is chosen in AuthorizationMode. SpecifythetimeintervalofTLSRenegotiationTime. ValueRange:1~86400. SpecifythetimeintervalofConnectionRetry. Thedefault1meansthatitisnoneedtoexecuteconnectionretry. ValueRange:1~86400,and1meansnoretryisrequired. Specifythe settingof DNS. ItcanbeAutomatically/Manually. Enteroptionalconfigurationstringhere.Upto256charactersisallowable. ValueRange:0~256characters. Click Savetosavethesettings. Click Undo tocancelthechanges. ClickBack toreturntolastpage. 143 M2MCellularGateway 5.1.3L2TP Layer2TunnelingProtocol(L2TP)isatunnelingprotocolusedtosupportvirtualprivatenetworks(VPNs)oras partofthedeliveryofservicesbyISPs.Itdoesnotprovideanyencryptionorconfidentialitybyitself.Rather,it reliesonanencryptionprotocolthatitpasseswithinthetunneltoprovideprivacy.ThisGatewaycanonly behaveasaL2TPclientforaL2TPVPNtunel. L2TPClient:ItcanbemobileusersorgatewaysinremoteofficeswithdynamicIP.Tosetuptunnel,itshould getusername,passwordandserversglobalIP.Inaddition,itisrequiredtoidentifytheoperationmode foreachtunnelasmainconnection,failoverforanothertunnel, or load balance tunnel to increase overall bandwidth.ItneedstodecideDefaultGatewayorRemoteSubnetforpacketflow.Moreover,youcanalso define what kind of traffics will pass through the L2TP tunnel in the Default Gateway / Remote Subnet parameter. Besides, for the L2TP client peer, a Remote Subnetitemisrequired.ItisfortheIntranetof L2TP server peer. So, at L2TP client peer, the packetswhosedestinationisinthededicated subnetwillbetransferredviatheL2TPtunnel. Others will be transferred based on current routing policy of the gateway at L2TP client peer. But, if you entered 0.0.0.0/0 in the Remote Subnet field, it will be treated as a

"Default Gateway" setting for the L2TP client peer, all packets, Internet accessing of L2TP client peer, will go through the established L2TP tunnel. That means the 144 including the M2MCellularGateway remoteL2TPserverpeercontrolstheflowofanypacketsfromtheL2TPclientpeer.Certainly,thosepackets comethroughtheL2TPtunnel. L2TPSetting GotoSecurity>VPN>L2TPtab. TheL2TPsettingallowsusertocreateandconfigureL2TPtunnels. EnableL2TP EnableL2TPWindow Item L2TP Valuesetting Uncheckedbydefault AMustfilledsetting N/A Client Save AsaL2TPClient Description ClicktheEnableboxtoactivateL2TPfunction. SpecifytheroleofL2TP.OnlyClientroleisavailableforthisgateway.Beloware theconfigurationwindowsforL2TPClient. ClickSavebuttontosavethesettings L2TPClientConfiguration ItemSetting L2TPClient Valuesetting Theboxisunchecked bydefault N/A N/A Save Undo Description ChecktheEnableboxtoenableL2TPclientroleofthegateway. ClickSavebuttontosavethesettings. ClickUndobuttontocancelthesettings. 145 M2MCellularGateway 146 M2MCellularGateway Create/EditL2TPClient When Add/Edit button is applied, a series of configuration screen will appear. You can add up to 8 L2TP Clients. L2TPClientConfiguration ItemSetting TunnelName Valuesetting AMustfilledsetting Interface AMustfilledsetting Description Enteratunnelname.Enteranamethatiseasyforyoutoidentify. ValueRange:1~32characters. DefinetheselectedinterfacetobetheusedforthisL2TPtunnel

(WAN1isavailableonlywhenWAN1interfaceisenabled) 147 M2MCellularGateway OperationMode L2TPoverIPSec RemoteLNS IP/FQDN RemoteLNSPort 1.AMustfilledsetting 2.Alwasyonis selectedbydefault Theboxisunchecked bydefault AMustfilledsetting 1.AMustfilledsetting 2.1701issetby default UserName AMustfilledsetting Password AMustfilledsetting Tunneling Password(Optional) Theboxisunchecked bydefault RemoteSubnet AMustfilledsetting Authentication Protocol MPPEEncryption LCPEchoType 1.AMustfilledsetting 2.Uncheckedby default 1.Uncheckedby default 2.anoptionalsetting 1.Autoissetby default ServicePort AMustfilledsetting ThesameappliestootherWANinterfaces(e.g.WAN2). DefineoperationmodefortheL2TPTunnel.ItcanbeAlwaysOn,orFailover. Ifthistunnelissetasafailovertunnel,youneedtofurtherselectaprimary tunnelfromwhichtofailoverto. Note:FailovermodeisnotavailableforthegatewaywithsingleWAN. ChecktheEnableboxtoactivateL2TPoverIPSec,andfurtherspecifyaPre sharedKey(8~32characters). EnterthepublicIPaddressortheFQDNoftheL2TPserver. EntertheRemoteLNSPortforthisL2TPtunnel. ValueRange:1~65535. EntertheUserNameforthisL2TPtunneltobeauthenticatedwhenconnectto L2TPserver. ValueRange:1~32characters. EnterthePasswordforthisL2TPtunneltobeauthenticatedwhenconnectto L2TPserver. EntertheTunnelingPasswordforthisL2TPtunneltoauthenticate. SpecifytheremotesubnetforthisL2TPtunneltoreachL2TPserver. TheRemoteSubnetformatmustbeIPaddress/netmask(e.g.10.0.0.2/24). ItisfortheIntranetofL2TPVPNserver.So,atL2TPclientpeer,thepackets whosedestinationisinthededicatedsubnetwillbetransferredviatheL2TP VPNtunnel.Otherswillbetransferredbasedoncurrentroutingpolicyofthe securitygatewayatL2TPclientpeer. Ifyouentered0.0.0.0/0intheRemoteSubnetfield,itwillbetreatedasa defaultgatewaysettingfortheL2TPclientpeer,allpackets,includingthe InternetaccessingofL2TPClientpeer,willgothroughtheestablishedL2TPVPN tunnel.ThatmeanstheremoteL2TPVPNservercontrolstheflowofany packetsfromtheL2TPclientpeer.Certainly,thosepacketscomethroughthe L2TPVPNtunnel. SpecifyoneoremultipleAuthenticationProtocolforthisL2TPtunnel. AvailableauthenticationmethodsarePAP/CHAP/MSCHAP/MSCHAPv2. SpecifywhetherL2TPserversupportsMPPEProtocol.ClicktheEnableboxto enableMPPE. Note:whenMPPEEncryptionisenabled,theAuthenticationProtocolPAP/

CHAPoptionswillnotbeavailable. SpecifytheLCPEchoTypeforthisL2TPtunnel.ItcanbeAuto,Userdefined,or Disable. Auto:thesystemsetstheIntervalandMax.FailureTime. Userdefined:entertheIntervalandMax.FailureTime.Thedefaultvaluefor Intervalis30seconds,andMaximumFailureTimesis6Times. Disable:disabletheLCPEcho. ValueRange:1~99999forIntervalTime,1~999forFailureTime. SpecifytheServicePortforthisL2TPtunneltouse.ItcanbeAuto,(1701)for 148 M2MCellularGateway Cisco),orUserdefined. Auto:Thesystemdeterminestheserviceport. 1701(forCisco):Thesystemuseport1701forconnectingwithCISCOL2TP Server. Userdefined:Entertheserviceport.Thedefaultvalueis0. ValueRange:0~65535. ChecktheEnableboxtoenablethisL2TPtunnel. ClickSavebuttontosavethesettings. ClickUndobuttontocancelthesettings. Tunnel Save Undo Uncheckedbydefault N/A N/A 149 M2MCellularGateway 5.1.4PPTP PointtoPointTunnelingProtocol(PPTP)isamethodforimplementingvirtualprivatenetworks.PPTPusesa controlchanneloverTCPandaGREtunneloperatingtoencapsulatePPPpackets.Itisaclientserverbased technology.TherearevariouslevelsofauthenticationandencryptionforPPTPtunneling,usuallynativelyas standardfeaturesoftheWindowsPPTPstack.Thesecuritygatewaycanonlyplay"PPTPClient"roleforaPPTP VPNtunnel.PPTPtunnelprocessisnearlythesameasL2TP. PPTPClient:ItcanbemobileusersorgatewaysinremoteofficeswithdynamicIP.Tosetuptunnel,itshould getusername,passwordandserversglobalIP.Inaddition,itisrequiredtoidentifytheoperationmode foreachtunnelasmainconnection,failoverforanothertunnel, or load balance tunnel to increase overall bandwidth.ItneedstodecideDefaultGatewayorRemoteSubnetforpacketflow.Moreover,youcanalso define what kind of traffics will pass through the PPTP tunnel in the Default Gateway / Remote Subnet parameter. Besides, for the PPTP client peer, a Remote Subnetitemisrequired.ItisfortheIntranetof PPTP server peer. So, at PPTP client peer, the packets whose destination is in the dedicated subnetwillbetransferredviathePPTPtunnel. Others will be transferred based on current routing policy of the gateway at PPTP client peer. But, if you entered 0.0.0.0/0 in the Remote Subnet field, it will be treated as a

"Default Gateway" setting for the PPTP client peer, all packets, Internet 150 including the M2MCellularGateway accessingofPPTPclientpeer,willgothroughtheestablishedPPTPtunnel.ThatmeanstheremotePPTPserver peercontrolstheflowofanypacketsfromthePPTPclientpeer.Certainly,thosepacketscomethroughthe PPTPtunnel. PPTPSetting GotoSecurity>VPN>PPTPtab. ThePPTPsettingallowsusertocreateandconfigurePPTPtunnels. EnablePPTP EnablePPTPWindow Item PPTP Valuesetting Uncheckedbydefault Client AMustfillsetting N/A Save AsaPPTPClient Description ClicktheEnableboxtoactivatePPTPfunction. SpecifytheroleofPPTP.OnlyClientroleisavailableforthisgateway.Beloware theconfigurationwindowsforPPTPClient. ClickSavebuttontosavethesettings. PPTPClientConfiguration Item PPTPClient Save Undo Valuesetting Uncheckedbydefault N/A N/A Description ChecktheEnableboxtoenablePPTPclientroleofthegateway. ClickSavebuttontosavethesettings. ClickUndobuttontocancelthesettings. 151 M2MCellularGateway Create/EditPPTPClient WhenAdd/Editbuttonisapplied,aseriesPPTPClientConfigurationwillappear. PPTPClientConfigurationWindow Item TunnelName Valuesetting AMustfillsetting Interface OperationMode 1.AMustfillsetting 2.WAN1isselectedby default 1.AMustfillsetting 2.Alwasyonis selectedbydefault Description Enteratunnelname.Enteranamethatiseasyforyoutoidentify. ValueRange:1~32characters. DefinetheselectedinterfacetobetheusedforthisPPTPtunnel

(WAN1isavailableonlywhenWAN1interfaceisenabled) ThesameappliestootherWANinterfaces(e.g.WAN2). DefineoperationmodeforthePPTPTunnel.ItcanbeAlwaysOn,orFailover. Ifthistunnelissetasafailovertunnel,youneedtofurtherselectaprimary tunnelfromwhichtofailoverto. Note:FailovermodeisnotavailableforthegatewaywithsingleWAN. 152 M2MCellularGateway RemoteIP/FQDN UserName Password 1.AMustfillsetting. 2.Formatcanbea ipv4addressorFQDN AMustfillsetting AMustfillsetting AMustfillsetting RemoteSubnet Authentication Protocol MPPEEncryption LCPEchoType Tunnel Save Undo Back 1.AMustfillsetting 2.Uncheckedby default 1.Uncheckedby default 2.anoptionalsetting Autoissetbydefault Uncheckedbydefault N/A N/A N/A EnterthepublicIPaddressortheFQDNofthePPTPserver. EntertheUserNameforthisPPTPtunneltobeauthenticatedwhenconnectto PPTPserver. ValueRange:1~32characters. EnterthePasswordforthisPPTPtunneltobeauthenticatedwhenconnectto PPTPserver. SpecifytheremotesubnetforthisPPTPtunneltoreachPPTPserver. TheRemoteSubnetformatmustbeIPaddress/netmask(e.g.10.0.0.2/24). ItisfortheIntranetofPPTPVPNserver.So,atPPTPclientpeer,thepackets whosedestinationisinthededicatedsubnetwillbetransferredviathePPTP VPNtunnel.Otherswillbetransferredbasedoncurrentroutingpolicyofthe securitygatewayatPPTPclientpeer. Ifyouentered0.0.0.0/0intheRemoteSubnetfield,itwillbetreatedasa defaultgatewaysettingforthePPTPclientpeer,allpackets,includingthe InternetaccessingofPPTPClientpeer,willgothroughtheestablishedPPTPVPN tunnel.ThatmeanstheremotePPTPVPNservercontrolstheflowofany packetsfromthePPTPclientpeer.Certainly,thosepacketscomethroughthe PPTPVPNtunnel. SpecifyoneoremultipleAuthenticationProtocolforthisPPTPtunnel. AvailableauthenticationmethodsarePAP/CHAP/MSCHAP/MSCHAPv2. SpecifywhetherPPTPserversupportsMPPEProtocol.ClicktheEnableboxto enableMPPE. Note:whenMPPEEncryptionisenabled,theAuthenticationProtocolPAP/

CHAPoptionswillnotbeavailable. SpecifytheLCPEchoTypeforthisPPTPtunnel.ItcanbeAuto,Userdefined,or Disable. Auto:thesystemsetstheIntervalandMax.FailureTime. Userdefined:entertheIntervalandMax.FailureTime.Thedefaultvaluefor Intervalis30seconds,andMaximumFailureTimesis6Times. Disable:disabletheLCPEcho. ValueRange:1~99999forIntervalTime,1~999forFailureTime. ChecktheEnableboxtoenablethisPPTPtunnel. ClickSavebuttontosavethesettings. ClickUndobuttontocancelthesettings. ClickBackbuttontoreturntothepreviouspage. 153 M2MCellularGateway 5.1.5GRE GenericRoutingEncapsulation(GRE)isatunnelingprotocoldevelopedbyCiscoSystemsthatencapsulatesa wide variety of network layer protocols inside virtual pointtopoint links over an Internet Protocol internetwork. DeployaM2Mgatewayforremotesiteandestablishavirtualprivatenetworkwithcontrolcenterbyusing GRE tunneling. So, all client hosts behind M2M gateway can make data communication with server hosts behindcontrolcentergateway. GRETunnelingissimilartoIPSecTunneling,clientrequestingthetunnelestablishmentwiththeserver.Both theclientandtheservermusthaveaStaticIPoraFQDN.Anypeergatewaycanbeworkedaseitheraclient oraserver,evenusingthesamesetofconfigurationrule. GRETunnelScenario To setup a GRE tunnel, each peer needs to setup its global IP as tunnel IP and fill in the other'sglobalIPasremoteIP. Besides, each peer must further specify the Remote Subnet item. It is for the Intranet of GRE server peer. So, at GRE client peer, the packets whose destination is in the dedicated subnet will be transferred via the GRE tunnel. Others will be transferred based on current routingpolicyofthegatewayatGREclientpeer. But, if you entered 0.0.0.0/0 in the Remote Subnet field, it will be treated as a "Default Gateway" setting for the GRE client peer, all packets,includingtheInternetaccessingofGRE clientpeer,willgothroughtheestablishedGRE tunnel.ThatmeanstheremoteGREserverpeercontrolstheflowofanypacketsfromtheGREclientpeer. Certainly,thosepacketscomethroughtheGREtunnel. 154 M2MCellularGateway IftheGREserversupportsDMVPNHubfunction,likeCiscorouterastheVPNconcentrator,theGREclientcan activetheDMVPNspokefunctionheresinceitisimplementedbyGREoverIPSectunneling. GRESetting GotoSecurity>VPN>GREtab. TheGREsettingallowsusertocreateandconfigureGREtunnels. EnableGRE EnableGREWindow Item GRETunnel Max.Concurrent GRETunnels Save Undo Valuesetting Uncheckedbydefault DependsonProduct specification. N/A N/A Create/EditGREtunnel Description ClicktheEnableboxtoenableGREfunction. ThespecifiedvaluewilllimitthemaximumnumberofsimultaneousGREtunnel connection.Thedefaultvaluecanbedifferentforthepurchasedmodel. ClickSavebuttontosavethesettings ClickUndobuttontocancelthesettings WhenAdd/Editbuttonisapplied,aGRERuleConfigurationscreenwillappear. 155 M2MCellularGateway GRERuleConfigurationWindow Item Valuesetting TunnelName AMustfillsetting Description Enteratunnelname.Enteranamethatiseasyforyoutoidentify. ValueRange:1~9characters. Interface OperationMode TunnelIP RemoteIP MTU 1.AMustfillsetting 2.WAN1isselected bydefault 1.AMustfillsetting 2.Alwayonisselected bydefault AnOptionalsetting AMustfillsetting 1.AMustfilledsetting 2.Auto(valuezero)is setbydefault SelecttheinterfaceonwhichGREtunnelistobeestablished.Itcanbethe availableWANandLANinterfaces. DefineoperationmodefortheGRETunnel.ItcanbeAlwaysOn,orFailover. Ifthistunnelissetasafailovertunnel,youneedtofurtherselectaprimary tunnelfromwhichtofailoverto. Note:FailovermodeisnotavailableforthegatewaywithsingleWAN. EntertheTunnelIPaddressandcorrespondingsubnetmask. EntertheRemoteIPaddressofremoteGREtunnelgateway.Normallythisisthe publicIPaddressoftheremoteGREgateway. MTUreferstoMaximumTransmissionUnit.Itspecifiesthelargestpacketsize permittedforInternettransmission. WhensettoAuto(value0),therouterselectsthebestMTUforbestInternet 156 M2MCellularGateway Key TTL Keepalive AnOptionalsetting 1.AMustfillsetting 2.1to255range 1.Uncheckedby default 2.5sissetbydefault RemoteSubnet AMustfillsetting DMVPNSpoke Uncheckedbydefault IPSecPreshared Key AMustfillsetting IPSecNATTraversal Uncheckedbydefault IPSecEncapsulation Mode Uncheckedbydefault Uncheckedbydefault N/A N/A N/A Tunnel Save Undo Back connectionperformance. ValueRange:0~1500. EntertheKeyfortheGREconnection. ValueRange:0~9999999999. SpecifyTTLhopcountvalueforthisGREtunnel. ValueRange:1~255. ChecktheEnableboxtoenableKeepalivefunction. SelectPingIPtokeepliveandentertheIPaddresstoping. Enterthepingtimeintervalinseconds. ValueRange:5~999seconds. SpecifytheremotesubnetforthisGREtunnel. TheRemoteSubnetformatmustbeIPaddress/netmask(e.g.10.0.0.2/24). ItisfortheIntranetofGREserverpeer.So,atGREclientpeer,thepackets whosedestinationisinthededicatedsubnetwillbetransferredviatheGRE tunnel.Otherswillbetransferredbasedoncurrentroutingpolicyofthesecurity gatewayatGREclientpeer. Ifyouentered0.0.0.0/0intheRemoteSubnetfield,itwillbetreatedasa defaultgatewaysettingfortheGREclientpeer,allpackets,includingthe InternetaccessingofGREclientpeer,willgothroughtheestablishedGRE tunnel.ThatmeanstheremoteGREserverpeercontrolstheflowofanypackets fromtheGREclientpeer.Certainly,thosepacketscomethroughtheGRE tunnel. SpecifywhetherthegatewaywillsupportDMVPNSpokeforthisGREtunnel. CheckEnableboxtoenableDMVPNSpoke. EnteraDMVPNspokeauthenticationPresharedKey(8~32characters). Note:PresharedKeyisavailableonlywhenDMVPNSpokeisenabled. CheckEnableboxtoenableNATTraversal. Note:IPSecNATTraversalwillnotbeavailablewhenDMVPNisnotenabled. SpecifyIPSecEncapsulationModefromthedropdownbox.ThereareTransport modeandTunnelmodesupported. Note:IPSecEncapsulationModewillnotbeavailablewhenDMVPNisnot enabled. CheckEnableboxtoenablethisGREtunnel. ClickSavebuttontosavethesettings. ClickUndobuttontocancelthesettings. ClickBackbuttontoreturntothepreviouspage. 157 M2MCellularGateway 5.2Firewall ThefirewallfunctionsincludePacketFilter,URLBlocking,ContentFilter,MACControl,ApplicationFilter,IPS andsomefirewalloptions.Thesupportedfunctioncanbedifferentforthepurchasedgateway. 5.2.1PacketFilter 158 M2MCellularGateway

"Packet Filter" function can let you define some filtering rules for incoming and outgoing packets. So the gateway can control what packets are allowed or blocked to pass through it. A packet filter rule should indicatefromandtowhichinterfacethepacketentersandleavesthegateway,thesourceanddestinationIP addresses,anddestinationserviceporttypeandportnumber.Inaddition,thetimescheduletowhichtherule willbeactive. PacketFilterwithWhiteListScenario As shown in the diagram, specify "Packet Filter Rule List" as white list (Allow those match the following rules) and define the rules. Rule1 is to allow HTTP packetstopass,andRule2istoallowHTTPSpackets topass. Undersuchconfiguration,thegatewaywillallowonly HTTP and HTTPS packets, issued from the IP range 192.168.123.200 to 250, which are targeted to TCP port80or443topasstheWANinterface. PacketFilterSetting GotoSecurity>Firewall>PacketFilterTab. Thepacketfiltersettingallowsusertocreateandcustomizepacketfilterpoliciestoalloworrejectspecific inbound/outboundpacketsthroughtherouterbasedontheirofficesetting. EnablePacketFilter ConfigurationWindow ItemName PacketFilter Valuesetting Theboxisuncheckedby Description ChecktheEnableboxtoactivatePacketFilterfunction 159 M2MCellularGateway default Denythosematchthe followingrulesissetby default Theboxisuncheckedby default N/A N/A BlackList/

WhiteList LogAlert Save Undo WhenDenythosematchthefollowingrulesisselected,asthenamesuggest, packetsspecifiedintheruleswillbeblockedblacklisted.Incontrast,with Allowthosematchthefollowingrules,youcanspecificallywhitelistthe packetstopassandtherestwillbeblocked. ChecktheEnableboxtoactivateEventLog. ClickSavetosavethesettings ClickUndotocancelthesettings Create/EditPacketFilterRules Thegatewayallowsyoutocustomizeyourpacketfilteringrules.Itsupportsuptoamaximumof20filterrule sets. WhenAddbuttonisapplied,PacketFilterRuleConfigurationscreenwillappear. PacketFilterRuleConfiguration ItemName RuleName Valuesetting 1.Stringformatcanbe Description Enterapacketfilterrulename.Enteranamethatiseasyforyoutoremember. 160 M2MCellularGateway anytext 2.AMustfilledsetting ValueRange:1~30characters. FromInterface 1.AMustfilledsetting 2.BydefaultAnyis selected ToInterface 1.AMustfilledsetting 2.BydefaultAnyis selected SourceIP DestinationIP SourceMAC 1.AMustfilledsetting 2.BydefaultAnyis selected 1.AMustfilledsetting 2.BydefaultAnyis selected 1.AMustfilledsetting 2.BydefaultAnyis selected Protocol 1.AMustfilledsetting 2.BydefaultAny(0)is selected Definetheselectedinterfacetobethepacketenteringinterfaceoftherouter. IfthepacketstobefilteredarecomingfromLANtoWANthenselectLANfor thisfield.OrVLAN1toWANthenselectVLAN1forthisfield.Otherexamples areVLAN1toVLAN2.VLAN1toWAN. SelectAnytofilterpacketscomingintotherouterfromanyinterfaces. Pleasenotethattwoidenticalinterfacesarenotacceptedbytherouter.e.g., VLAN1toVLAN1. Definetheselectedinterfacetobethepacketleavinginterfaceoftherouter.If thepacketstobefilteredareenteringfromLANtoWANthenselectWANfor thisfield.OrVLAN1toWANthenselectWANforthisfield.Otherexamplesare VLAN1toVLAN2.VLAN1toWAN. SelectAnytofilterpacketsleavingtherouterfromanyinterfaces. Pleasenotethattwoidenticalinterfacesarenotacceptedbytherouter.e.g., VLAN1toVLAN1. ThisfieldistospecifytheSourceIPaddress. SelectAnytofilterpacketscomingfromanyIPaddresses. SelectSpecificIPAddresstofilterpacketscomingfromanIPaddress. SelectIPRangetofilterpacketscomingfromaspecifiedrangeofIPaddress. ThisfieldistospecifytheDestinationIPaddress. SelectAnytofilterpacketsthatareenteringtoanyIPaddresses. SelectSpecificIPAddresstofilterpacketsenteringtoanIPaddressenteredin thisfield. SelectIPRangetofilterpacketsenteringtoaspecifiedrangeofIPaddress enteredinthisfield. ThisfieldistospecifytheSourceMACaddress. SelectAnytofilterpacketscomingfromanyMACaddresses. SelectSpecificMACAddresstofilterpacketscomingfromaMACaddress. ForProtocol,selectAnytofilteranyprotocolpackets ThenforSourcePort,selectapredefinedportdropdownboxwhenWellknown Serviceisselected,otherwiseselectUserdefinedServiceandspecifyaport range. ThenforDestinationPort,selectapredefinedportdropdownboxwhenWell knownServiceisselected,otherwiseselectUserdefinedServiceandspecifya portrange. ValueRange:1~65535forSourcePort,DestinationPort. ForProtocol,selectICMPv4tofilterICMPv4packets ForProtocol,selectTCPtofilterTCPpackets ThenforSourcePort,selectapredefinedportdropdownboxwhenWellknown Serviceisselected,otherwiseselectUserdefinedServiceandspecifyaport range. ThenforDestinationPort,selectapredefinedportdropdownboxwhenWell knownServiceisselected,otherwiseselectUserdefinedServiceandspecifya portrange. ValueRange:1~65535forSourcePort,DestinationPort. 161 M2MCellularGateway TimeSchedule AMustfilledsetting ForProtocol,selectUDPtofilterUDPpackets ThenforSourcePort,selectapredefinedportdropdownboxwhenWellknown Serviceisselected,otherwiseselectUserdefinedServiceandspecifyaport range. ThenforDestinationPort,selectapredefinedportdropdownboxwhenWell knownServiceisselected,otherwiseselectUserdefinedServiceandspecifya portrange. ValueRange:1~65535forSourcePort,DestinationPort. ForProtocol,selectGREtofilterGREpackets ForProtocol,selectESPtofilterESPpackets ForProtocol,selectSCTPtofilterSCTPpackets ForProtocol,selectUserdefinedtofilterpacketswithspecifiedportnumber. ThenenterapotnumberinProtocolNumberbox. ApplyTimeScheduletothisrule,otherwiseleaveitasAlways. IfthedropdownlistisemptyensureTimeScheduleispreconfigured.Referto ObjectDefinition>Scheduling>Configurationtab. Rule Save Undo Back Theboxisuncheckedby default. N/A N/A N/A ClickEnableboxtoactivatethisrulethensavethesettings. ClickSavetosavethesettings ClickUndotocancelthesettings WhentheBackbuttonisclickedthescreenwillreturntothePacketFilter Configurationpage. 162 M2MCellularGateway 5.2.2URLBlocking

"URLBlocking"functioncanletyoudefineblockingorallowingrulesforincomingandoutgoingWebrequest packets. With defined rules, gateway can control the Web requests containing the complete URL, partial domainname,orpredefinedkeywords.Forexample,onecanfilteroutorallowonlytheWebrequestsbased ondomaininputsuffixeslike.comor.orgorkeywordslikebctormpe. AnURLblockingruleshouldspecifytheURL,partialdomainname,orincludedkeywordsintheWebrequests fromandtothegatewayandalsothedestinationserviceport.Besides,acertaintimeschedulecanbeapplied toactivatetheURLBlockingrulesduringpredefinedtimeinterval(s). The gateway will logs and displays the disallowed web accessing requests that matched the defined URL blockingruleintheblacklistorintheexclusionofthewhitelist. Whenyouchoose"Allowalltopassexceptthosematchthefollowingrules"forthe"URLBlockingRuleList", youaresettingthedefinedURLblockingrulestobelongtotheblacklist.Thepackets,listedintherulelist,will be blocked if one pattern in the requests matches to one rule. Other Web requests can pass through the gateway.Incontrast,whenyouchoose"Denyalltopassexceptthosematchthefollowingrules"forthe"URL Blocking Rule List", you are setting the defined packet filtering rules to belong to the white list. The Web requests,listedintherule,willbeallowedifonepatternintherequestsmatchestoonerule.OtherWeb requestswillbeblocked. URLBlockingRulewithBlackList Whentheadministratorofthegatewaywantsto block the Web requests with some dedicated patterns,hecanusethe"URLBlocking"function to block specific Web requests by defining the blacklistasshowninabovediagram.Certainly, whentheadministratorwantstoallowonlythe Webrequestswithsomededicatedpatternsto go through the gateway, he can also use the

"URL Blocking" function by defining the white listtomeettherequirement. As shown in the diagram, enable the URL blocking function and create the first rule to deny the Web requests with "sex" or "sexygirl" patterns and the other to deny the Web requests with

"playboy"patterntogothroughthegateway.SystemwillblocktheWebrequestswith"sex","sexygirl"or

"playboy"patternstopassthroughthegateway. 163 M2MCellularGateway URLBlockingSetting GotoSecurity>Firewall>URLBlockingTab. In"URLBlocking"page,therearethreeconfigurationwindows.Theyarethe"Configuration"window,"URL BlockingRuleList"window,and"URLBlockingRuleConfiguration"window. The"Configuration"windowcanletyouactivatetheURLblockingfunctionandspecifytoblacklistingorto whitelistingthepacketsdefinedinthe"URLBlockingRuleList"entry.Inaddition,logalertingcanbeenabled torecordongoingeventsforanydisallowedWebrequestpackets.Referto"SystemStatus"in"6.1.1System Related"sectioninthisusermanualforhowtoviewrecordedlog. The "URL Blocking Rule List" window lists all your defined URL blocking rule entry. And finally, the "URL BlockingRuleConfiguration"windowcanletyoudefineURLblockingrules.Theparametersinaruleinclude the rule name, the Source IP or MAC, the URL/Domain Name/Keyword, the destination service ports, the integratedtimescheduleruleandtheruleactivation. EnableURLBlocking Configuration Item URLBlocking Valuesetting Theboxisunchecked bydefault BlackList/

WhiteList Denythosematchthe followingrulesisset bydefault LogAlert Save Undo Theboxisunchecked bydefault NA NA ChecktheEnable boxtoactivateURLBlockingfunction. Description SpecifytheURLBlockingPolicy,eitherBlackListorWhiteList. BlackList:WhenDenythosematchthefollowingrulesisselected,asthename suggest,thematchedWebrequestpacketswillbeblocked. WhiteList:WhenAllowthosematchthefollowingrulesisselected,thematched WebrequestpacketscanpassthroughtheGateway,andtheothersthatdontmatch theruleswillbeblocked. ChecktheEnable boxtoactivateEventLog. ClickSave buttontosavethesettings ClickUndo buttontocancelthesettings Create/EditURLBlockingRules TheGatewaysupportsuptoamaximumof20URLblockingrulesets.EnsurethattheURLBlockingisenabledbeforewe cancreateblockingrules. 164 M2MCellularGateway WhenAddbuttonisapplied,theURLBlockingRuleConfigurationscreenwillappear. URLBlockingRulesConfiguration Valuesetting Item RuleName 1.Stringformatcanbeany text 2.AMustfilledsetting SourceIP 1. AMustfilledsetting 2. Anyissetbydefault SourceMAC 1. AMustfilledsetting 2. Anyissetbydefault URL/Domain Name/

Keyword 1.AMustfilledsetting 2.Supportsuptoa maximumof10Keywords inarulebyusingthe delimiter;. Destination Port 1. AMustfilledsetting 2. Anyissetbydefault Time AMustfilledsetting SpecifyanURLBlocking rulename.Enteranamethatiseasyforyouto understand. Description ThisfieldistospecifytheSourceIPaddress. SelectAnytofilterpacketscomingfromanyIPaddresses. SelectSpecificIPAddresstofilterpacketscomingfromanIPaddressenteredin thisfield. enteredinthisfield. SelectIPRangetofilterpacketscomingfromaspecifiedrangeofIPaddress ThisfieldistospecifytheSourceMAC address. SelectAnytofilterpacketscomingfromanyMACaddresses. SelectSpecificMACAddresstofilterpacketscomingfromaMACaddress enteredinthisfield. SpecifyURL,DomainName,orKeywordlistforURLchecking. IntheBlackListmode,ifamatchedruleisfound,thepacketswillbedropped. IntheWhiteListmode,ifamatchedruleisfound,thepacketswillbeaccepted andtheotherswhichdontmatchanyrulewillbedropped. ThisfieldistospecifytheDestinationPortnumber. SelectAnytofilterpacketsgoingtoanyPort. SelectSpecificServicePorttofilterpacketsgoingtoaspecificPortenteredinthisfield. SelectPortRangetofilterpacketsgoingtoaspecificrangeofPortsenteredinthisfield. ApplyaspecificTimeScheduletothisrule;otherwiseleaveitas(0)Always. IfthedropdownlistisemptyensureTimeScheduleispreconfigured.RefertoObject 165 M2MCellularGateway ScheduleRule Rule Save Undo Back Theboxisuncheckedby default. NA NA NA Definition>Scheduling>Configuration tab. ClicktheEnableboxtoactivatethisrule. ClicktheSave buttontosavethesettings. ClicktheUndo buttontocancelthechanges. ClicktheBackbuttontoreturntotheURLBlockingConfigurationpage. 166 M2MCellularGateway 5.2.3MACControl

"MAC Control" function allows you to assign the accessibility to the gateway for different users based on devices MAC address. When the administrator wants to reject the traffics from some client hosts with specific MAC addresses, he can use the "MAC Control" function to reject with the black list configuration. MACControlwithBlackListScenario Asshowninthediagram,enabletheMACcontrol functionandspecifythe"MACControlRuleList"is ablacklist,andconfigureoneMACcontrolrulefor thegatewaytodenytheconnectionrequestfrom the "JP NB" with its own MAC address 20:6A:6A:6A:6A:6B. Systemwillblocktheconnectingfromthe"JPNB"

tothegatewaybutallowothers. 167 M2MCellularGateway MACControlSetting GotoSecurity>Firewall>MACControlTab. TheMACcontrolsettingallowsusertocreateandcustomizeMACaddresspoliciestoalloworrejectpackets withspecificsourceMACaddress. EnableMACControl ConfigurationWindow Item MACControl Valuesetting Theboxisuncheckedby default BlackList/

WhiteList DenyMACAddressBelow issetbydefault LogAlert Theboxisuncheckedby default KnownMAC fromLANPCList N/A Save N/A Undo N/A Description ChecktheEnableboxtoactivatetheMACfilterfunction WhenDenyMACAddressBelowisselected,asthenamesuggest,packets specifiedintheruleswillbeblockedblacklisted.Incontrast,withAllowMAC AddressBelow,youcanspecificallywhitelistthepacketstopassandtherest willbeblocked. ChecktheEnableboxtoactivatetoactivateEventLog. SelectaMACAddressfromLANClientList.ClicktheCopytotocopythe selectedMACAddresstothefilterrule. ClickSavetosavethesettings ClickUndotocancelthesettings 168 M2MCellularGateway Create/EditMACControlRules Thegatewaysupportsuptoamaximumof20filterrulesets.EnsurethattheMACControlisenabledbefore wecancreatecontrolrules. WhenAddbuttonisapplied,FilterRuleConfigurationscreenwillappear. MACControlRuleConfiguration Item Valuesetting 1.Stringformatcanbeany text 2.AMustfillsetting 1.MACAddressstring Format 2.AMustfillsetting RuleName MACAddress

(Use:to Compose) TimeSchedule AMustfillsetting Enable Save Undo Back Theboxisuncheckedby default. N/A N/A N/A Description EnteraMACControlrulename.Enteranamethatiseasyforyoutoremember. SpecifytheSourceMACAddresstofilterrule. ApplyTimeScheduletothisrule;otherwiseleaveitas(0)Always. Ifthedropdownlistisempty,ensureTimeScheduleispreconfigured.Referto ObjectDefinition>Scheduling>Configurationtab ClickEnableboxtoactivatethisrule,andthensavethesettings. ClickSavetosavethesettings ClickUndotocancelthesettings ClickBacktoreturntotheMACControlConfigurationpage. 169 M2MCellularGateway 5.2.4ContentFilter(notsupported) Not supported feature for the purchased product, leave it as blank. 170 M2MCellularGateway 5.2.5ApplicationFilter(notsupported) Not supported feature for the purchased product, leave it as blank. 171 M2MCellularGateway 5.2.6IPS ToprovideapplicationserversintheInternet,administratormayneedtoopenspecificportsfortheservices. However,therearesomeriskstoalwaysopenserviceportsintheInternet.Inordertoavoidsuchattackrisks, itisimportanttoenableIPSfunctions. Intrusion Prevention System (IPS) is network security appliances that monitor network and/or system activitiesformaliciousactivity.ThemainfunctionsofIPSaretoidentifymaliciousactivity,loginformation aboutthisactivity,attempttoblock/stopitandreportit.YoucanenabletheIPSfunctionandcheckthelisted intrusion activities when needed. You can also enable the log alerting so that system will record Intrusion eventswhencorrespondingintrusionsaredetected. IPSScenario for Asshowninthediagram,thegatewayserves as an Email server, Web Server and also provides TCP port 8080 remote administration.So,remoteusersorunknown userscanrequestthoseservicesfromInternet. With IPS enabled, the gateway can detect incoming attack packets, including the TCP ports(25,80,110,443and8080)withservices. It will block the attack packets and let the normalaccesstopassthroughthegateway 172 M2MCellularGateway IPSSetting GotoSecurity>Firewall>IPSTab. TheIntrusionPreventionSystem(IPS)settingallowsusertocustomizeintrusionpreventionrulestoprevent maliciouspackets. EnableIPSFirewall ConfigurationWindow Item IPS LogAlert Save Undo Valuesetting Theboxisuncheckedby default Theboxisuncheckedby default N/A N/A Description ChecktheEnableboxtoactivateIPSfunction ChecktheEnableboxtoactivatetoactivateEventLog. ClickSavetosavethesettings ClickUndotocancelthesettings SetupIntrusionPreventionRules Therouterallowsyoutoselectintrusionpreventionrulesyoumaywanttoenable.EnsurethattheIPSis enabledbeforewecanenablethedefensefunction. 173 M2MCellularGateway 174 Valuesetting SetupIntrusionPreventionRules ItemName SYNFlood Defense UDPFlood Defense 1.AMustfilledsetting 2.Theboxisuncheckedbydefault. 3.Trafficthresholdissetto300bydefault 4.Thevaluerangecanbefrom10to 10000. 1.AMustfilledsetting 2.Theboxisuncheckedbydefault. 3.Trafficthresholdissetto200bydefault 4.Thevaluerangecanbefrom10to 10000. Description ClickEnableboxtoactivatethisintrusionpreventionruleand enterthetrafficthresholdinthisfield. ClickEnableboxtoactivatethisintrusionpreventionruleand enterthetrafficthresholdinthisfield. ClickEnableboxtoactivatethisintrusionpreventionruleand enterthetrafficthresholdinthisfield. ValueRange:10~10000. ClickEnableboxtoactivatethisintrusionpreventionruleand enterthetrafficthresholdinthisfield. ValueRange:10~10000. Theboxisuncheckedbydefault. ClickEnableboxtoactivatethisintrusionpreventionrule. ICMPFlood Defense PortScan Defection BlockLand Attack BlockPingof Death BlockIPSpoof BlockTCPFlag Scan BlockSmurf M2MCellularGateway Block Traceroute BlockFraggle Attack ARPSpoofing Defence Save Undo 1.AMustfilledsetting 2.Theboxisuncheckedbydefault. 3.Trafficthresholdissetto300bydefault 4.Thevaluerangecanbefrom10to 10000. NA NA ClickEnableboxtoactivatethisintrusionpreventionruleand enterthetrafficthresholdinthisfield. ValueRange:10~10000. ClickSavetosavethesettings ClickUndotocancelthesettings 175 M2MCellularGateway 5.2.7Options Therearesomeadditionalusefulfirewalloptionsinthispage. StealthModeletsgatewaynottorespondtoportscansfromtheWANsothatmakesitlesssusceptibleto discoveryandattacksontheInternet.SPIenablesgatewaytorecordthepacketinformationlikeIPaddress, portaddress,ACK,SEQnumberandsoonwhiletheypassthroughthegateway,andthegatewaychecksevery incomingpackettodetectifthispacketisvalid. Discard Ping from WAN makes any host on the WAN side can`t ping this gateway. And finally, Remote AdministratorHostsenablesyoutoperformadministrationtaskfromaremotehost.Ifthisfeatureisenabled, onlyspecifiedIPaddress(es)canperformremoteadministration. 176 M2MCellularGateway EnableSPIScenario As shown in the diagram, Gateway has the IP address of 118.18.81.200 for WAN interface and 192.168.1.253forLANinterface.ItservesasaNAT gateway. Users in NetworkA initiate to access cloud server through the gateway. Sometimes, unknown users will simulate the packets butuse different source IP to masquerade. With the SPI featurebeenenabledatthegateway,itwillblock suchpacketsfromunknownusers. DiscardPingfromWAN&RemoteAdministratorHostsScenario Discard Ping from WAN makes any host on the WAN side can`t ping this gateway reply any ICMP packets.EnabletheDiscardPingfromWANfunction to prevent security leak when local users surf the internet. RemoteadministratorknowsthegatewaysglobalIP, and he can access the Gateway GUI via TCP port 8080. FirewallOptionsSetting GotoSecurity>Firewall>OptionsTab. Thefirewalloptionssettingallowsnetworkadministratortomodifythebehaviorofthefirewallandtoenable RemoteRouterAccessControl. EnableFirewallOptions 177 M2MCellularGateway FirewallOptions Item StealthMode SPI DiscardPing fromWAN Valuesetting Theboxisuncheckedby default Theboxischeckedby default Theboxisuncheckedby default Description ChecktheEnableboxtoactivatetheStealthModefunction ChecktheEnableboxtoactivatetheSPIfunction ChecktheEnableboxtoactivatetheDiscardPingfromWANfunction DefineRemoteAdministratorHost Therouterallowsnetworkadministratortomanagerouterremotely.Thenetworkadministratorcanassign specificIPaddressandserviceporttoallowaccessingtherouter. RemoteAdministratorHostDefinition Item Protocol Valuesetting HTTPissetbydefault AMustfilledsetting IP Description SelectHTTPorHTTPSmethodforrouteraccess. Thisfieldistospecifytheremotehosttoassignaccessrightforremoteaccess. SelectAnyIPtoallowanyremotehosts SelectSpecificIPtoallowtheremotehostcomingfromaspecificsubnet.AnIP addressenteredinthisfieldandaselectedSubnetMasktocomposethe subnet. 178 M2MCellularGateway ServicePort Enablingthe rule Save Undo 1.80forHTTPbydefault 2.443forHTTPSby default Theboxisuncheckedby default. N/A N/A ThisfieldistospecifyaServicePorttoHTTPorHTTPSconnection. ValueRange:1~65535. ClickEnableboxtoactivatethisrule. ClickEnableboxtoactivatethisrulethensavethesettings. ClickUndotocancelthesettings 179 M2MCellularGateway Chapter6Administration 6.1Configure&Manage Configure&Managereferstoenterprisewideadministrationofdistributedsystemsincluding(andcommonly inpractice)computersystems.Centralizedmanagementhasatimeandefforttradeoffthatisrelatedtothe size of the company, the expertise of the IT staff, and the amount of technology being used. This device supportsmanysystemmanagementprotocols,suchasCommandScript,TR069,SNMP,andTelnetwithCLI. Youcansetupthoseconfigurationsinthe"Configure&Manage"section. 180 M2MCellularGateway 6.1.1CommandScript Command script configuration is the application that allows administrator to setup the predefined configurationinplaintextstyleandapplyconfigurationonstartup. GotoAdministration>CommandScript>ConfigurationTab. EnableCommandScriptConfiguration Configuration Item Configuration Valuesetting Theboxisuncheckedby default BackupScript UploadScript N/A N/A ScriptName Version Description Updatetime 1.AnOptionalsetting 2.Anyvalidfilename 1.AnOptionalsetting 2.Anystring 1.AnOptionalsetting 2.Anystring N/A Description ChecktheEnableboxtoactivatetheCommandScriptfunction. ClicktheViaWebUIorViaStoragebuttontobackuptheexistedcommand scriptina.txtfile.YoucanspecifythescriptfilenameinScriptNamebelow. ClicktheViaWebUIorViaStoragebuttontoUploadtheexistedcommand scriptfromaspecified.txtfile. Specifyascriptfilenameforscriptbackup,ordisplaytheselecteduploadscript filename. ValueRange:0~32characters. SpecifytheversionnumberfortheappliedCommandscript. ValueRange:0~32characters. EnterashortdescriptionfortheappliedCommandscript. Itrecordstheuploadtimeforlastcommadscriptupload. 181 M2MCellularGateway Edit/BackupPlainTextCommandScript Youcanedittheplaintextconfigurationsettingsintheconfigurationscreenasabove. PlainTextConfiguration Item Clean Valuesetting NA Description Cleantextarea.(YoushouldclickSave buttontofurthercleantheconfiguration alreadysavedinthesystem.) Backupanddownloadconfiguration. Saveconfiguration Backup Save NA NA The supported plain text configuration items are shown in the following list. For the settings that can be executedwithstandardLinuxcommands,youcanputtheminascriptfile,andapplytothesystemconfigure with STARTUP command. For those configurations without corresponding Linux command set to configure, youcanconfigurethemwithproprietarycommandset. ConfigurationContent Key OPENVPN_ENABLED EnableordisableOpenVPNClientfunction. OPENVPN_DESCRIPTION OPENVPN_PROTO Valuesetting Description 1:enable 0:disable AMustfilled Setting udp tcp SpecifythetunnelnamefortheOpenVPNClientconnection. DefinetheProtocol fortheOpenVPNClient. SelectTCPorTCP/UDP

>TheOpenVPNwilluseTCPprotocol,andPortwillbesetas443 automatically. SelectUDP

>TheOpenVPNwilluseUDPprotocol,andPortwillbesetas1194 automatically. SpecifythePort fortheOpenVPNClienttouse. SpecifytheRemoteIP/FQDN ofthepeerOpenVPNServerforthis OpenVPNClienttunnel. FillintheIPaddressorFQDN. SpecifythetimeintervalforOpenVPNkeepalivechecking. SpecifythetimeoutvalueforOpenVPNClientkeepalivechecking. SpecifytheLZOCompression algorithmforOpenVPNclient. Specifytheauthorizationmode fortheOpenVPNtunnel. 182 OPENVPN_PORT OPENVPN_REMOTE_IPADDR OPENVPN_PING_INTVL OPENVPN_PING_TOUT OPENVPN_COMP OPENVPN_AUTH AMustfilled Setting IPorFQDN seconds seconds Adaptive StaticKey/TLS M2MCellularGateway OPENVPN_CA_CERT OPENVPN_LOCAL_CERT OPENVPN_LOCAL_KEY OPENVPN_EXTRA_OPTS IP_ADDR1 IP_NETM1 PPP_MONITORING PPP_PING PPP_PING_IPADDR PPP_PING_INTVL STARTUP AMustfilled Setting AMustfilled Setting AMustfilled Setting Options Ip Netmask 1:enable 0:disable 0:DNSQuery 1:ICMPQuery IP seconds Scriptfile TLS

>TheOpenVPNwilluseTLSauthorizationmode,andthefollowing itemsCACert.,ClientCert.andClientKeyneedtospecifyaswell. SpecifytheTrustedCAcertificatefortheOpenVPNclient.Itwillgo throughBase64Conversion. SpecifythelocalcertificateforOpenVPNclient.Itwillgothrough Base64Conversion. SpecifythelocalkeyfortheOpenVPNclient.ItwillgothroughBase64 Conversion. SpecifytheextraoptionssettingfortheOpenVPNclient. EthernetLANIP EthernetLANMASK WhentheNetworkMonitoringfeatureisenabled,therouterwilluse DNSQueryorICMPtoperiodicallycheckInternetconnection connectedordisconnected. With DNSQuery,thesystemcheckstheconnectionbysendingDNS QuerypacketstothedestinationspecifiedinPPP_PING_IPADDR. WithICMPQuery,thesystemwillcheckconnectionbysendingICMP requestpacketstothedestinationspecifiedinPPP_PING_IPADDR. SpecifyanIPaddressasthetargetforsendingDNSquery/ICMP request. Specifythetimeintervalfor betweentwoDNSQueryorICMP checkingpackets. FortheconfigurationsthatcanbeconfiguredwithstandardLinux commands,youcanputtheminascriptfile,andapplythescriptfile withSTARTUPcommand. Forexample, STARTUP=#!/bin/sh STARTUP=echostartupdone>/tmp/demo PlainTextSystemConfigurationwithTelnet Inadditiontothewebstyleplaintextconfigurationasmentionedabove,thegatewaysystemalsoallowthe configurationviaTelnetCLI.AdministratorcanusetheproprietarytelnetcommandtxtConfigandrelated actionitemstoperformtheplainsystemconfiguration. Thecommandformatis:txtConfig(action)[option]

Action clone Option Outputfile commit enable aexistingfile NA Description Duplicatetheconfigurationcontentfromdatabaseandstoredasa configurationfile.

(ex:txtConfigclone/tmp/config) Thecontentsintheconfigurationfilearethesameastheplaintextcommands mentionedabove.ThisactionisexactlythesameasperformingtheBackup plaintextconfiguration. Committheconfigurationcontenttodatabase.

(ex:txtConfigcommit/tmp/config) Enableplaintextsystemconfig. 183 M2MCellularGateway disable run_immediately NA NA run_immediately aexistingfile

(ex:txtConfigenable) Disableplaintextsystemconfig.

(ex:txtConfigdisable) Applytheconfigurationcontentthathasbeencommittedindatabase.

(ex:txtConfigrun_immediately) Assignaconfigurationfiletoapply.

(ex:txtConfigrun_immediately/tmp/config) 184 M2MCellularGateway 6.1.2TR069 TR069(TechnicalReport069)isaBroadbandForumtechnicalspecificationentitledCPEWANManagement Protocol(CWMP).Itdefinesanapplicationlayerprotocolforremotemanagementofenduserdevices,likethis gateway device. As a bidirectional SOAP/HTTPbased protocol, it provides the communication between customerpremisesequipment(CPE)andAutoConfigurationServers(ACS).TheSecurityGatewayissuchCPE. TR069isacustomizedfeatureforISP.Itisnotrecommendthatyouchangetheconfigurationforthis.Ifyou have any problem in using this feature for device management, please contact with your ISP or the ACS providerforhelp.AttherightuppercornerofTR069Settingscreen,one[Help]commandletyouseethe samemessageaboutthat. ScenarioManagingdeployedgatewaysthroughanACSServer ScenarioApplicationTiming When the enterprise data center wants to use an ACS server to manage remote gateways geographically distributed elsewhere in the world, the gateways in all branch offices must have an embeddedTR069agenttocommunicatewiththeACSserver.SothattheACSservercanconfigure, FWupgradeandmonitorthesegatewaysandtheircorrespondingIntranets. ScenarioDescription TheACSservercanconfigure,upgradewithlatestFWandmonitorthesegateways. RemotegatewaysinquiretheACSserverforjobstodoineachtimeperiod. TheACSservercanaskthegatewaystoexecutesomeurgentjobs. ParameterSetupExample 185 M2MCellularGateway FollowingtableslisttheparameterconfigurationasanexamplefortheGateway1inabovediagram with"TR069"enabling. Usedefaultvalueforthoseparametersthatarenotmentionedinthetables.

[TR069][Configuration]

Enable http://qa.acslite.com/cpe.php ACSUserName ACSPassword 8099 ConnReqUserName ConnReqPassword EnableInterval900 ConfigurationPath TR069 ACSURL ACSUserName ACSPassword ConnectionRequestPort ConnectionRequestUserName ConnectionRequestPassword Inform ScenarioOperationProcedure Inabovediagram,theACSservercanmanagemultiplegatewaysintheInternet.The"Gateway1"is oneofthemandhas118.18.81.33IPaddressforitsWAN1interface. Whenallremotegatewayshavebootedup,theywilltrytoconnecttotheACSserver. Oncetheconnectionsareestablishedsuccessfully,theACSservercanconfigure,upgradewithlatest FWandmonitorthesegateways. RemotegatewaysinquiretheACSserverforjobstodoineachtimeperiod. IftheACSserverneedssomeurgentjobstobedonebythegateways,itwillissuethe"Connection Request"commandtothosegateways.Andthosegatewaysmakeimmediateconnectionsinresponse totheACSserversimmediateconnectionrequestforexecutingtheurgentjobs. 186 M2MCellularGateway TR069Setting GotoAdministration>Configure&Manage>TR069tab. In "TR069" page, there is only one configuration window for TR069 function. In the window, you must specifytherelatedinformationforyoursecuritygatewaytoconnecttotheACS.Drivethefunctiontoworkby specifyingtheURLoftheACSserver,theaccountinformationtologintheACSserver,theserviceportandthe account information for connection requesting from the ACS server, and the time interval for job inquiry. Excepttheinquirytime,therearenoactivitiesbetweentheACSserverandthegatewaysuntilthenextinquiry cycle.ButiftheACSserverhasnewjobsthatareexpectedtodobythegatewaysurgently,itwillaskthese gatewaysbyusingconnectionrequestrelatedinformationforimmediateconnectionforinquiringjobsand executing. EnableTR069 TR069 Item Valuesetting Description 187 Theboxisuncheckedby default ChecktheEnableboxtoactivateTR069function. M2MCellularGateway TR069 Interface WAN1isselectedby default. DataModel ACSCloudDataModel isselectedbydefault. ACSURL ACSUsername ACSPassword AMustfilledsetting AMustfilledsetting AMustfilledsetting ConnectionRequest Port 1.AMustfilledsetting. 2.Bydefault8099isset. ConnectionRequest UserName ConnectionRequest Password Inform AMustfilledsetting AMustfilledsetting 1.Theboxischeckedby default. 2.TheIntervalvalueis 300bydefault. CertificationSetup Thedefaultboxis selectedbydefault Save Undo N/A N/A WhenyoufinishsetbasicnetworkWAN1~WANn,youcanchooseWAN1~

WANn WhenyoufinishsetSecurity>VPN>IPSec/OpenVPN/PPTP/L2TP/GRE,you canchooseIPSec/OpenVPN/PPTP/L2TP/GREtunnel,theinterfacejustlike IPSec#1 SelecttheTR069datmodelfortheremotemanagement. Standard:theACSServerisastandardone,whichisfullycomplywithTR 069. ACSCloudDataModel:SelectthisdatamodelifyouintendtouseCloudACS Servertomanagingthedeployedgateways. YoucanaskACSmanagerprovideACSURLandmanuallyset YoucanaskACSmanagerprovideACSusernameandmanuallyset YoucanaskACSmanagerprovideACSpasswordandmanuallyset YoucanaskACSmanagerprovideACSConnectionRequestPortandmanually set ValueRange:0~65535. YoucanaskACSmanagerprovideACSConnectionRequestUsernameand manuallyset YoucanaskACSmanagerprovideACSConnectionRequestPasswordand manuallyset WhentheEnableboxischecked,thegateway(CPE)willperiodiclysend informmessagetoACSServeraccordingtotheIntervalsetting. ValueRange:0~86400forInformInterval. Youcanleaveitasdefaultorselectanexpectedcertificateandkeyfromthe dropdownlist. RefertoObjectDefinition>CertificateSectionfortheCertificate configuration. ClickSavetosavethesettings. ClickUndotocancelthemodifications. WhenyoufinishsetACSURLACSUsernameACSPassword,yourgateway(CPE,ClientPremiumEquipment) cansendinformtoACSServer. WhenyoufinishsetConnectionRequestPortConnectionRequestUsernameConnectionRequestPassword, ACSServercanaskthegateway(CPE)tosendinformtoACSServer. EnableSTUNServer 188 M2MCellularGateway STUNSettingsConfiguration Valuesetting Description Item STUN ServerAddress ServerPort Theboxischeckedby default 1.Stringformat:any IPv4address 2.Itisanoptionalitem. 1.Anoptionalsetting 2.3478issetbydefault KeepAlivePeriod 1.Anoptionalsetting 2.0issetbydefault Save Undo N/A N/A ChecktheEnableboxtoactivateSTUNfunction. SpecifytheIPaddressfortheexpectedSTUNServer. SpecifytheportnumberfortheexpectedSTUNServer. ValueRange:1~65535. SpecifythekeepalivetimeperiodfortheconnectionwithSTUNServer. ValueRange:0~65535. ClickSavetosavethesettings. ClickUndotocancelthemodifications. 189 M2MCellularGateway 6.1.3SNMP Inbrief,SNMP,theSimpleNetworkManagementProtocol,isaprotocoldesignedtogiveauserthecapability to remotely manage a computer network by polling and setting terminal values and monitoring network events. IntypicalSNMPuses,oneormoreadministrativecomputers,calledmanagers,havethetaskofmonitoringor managingagroupofhostsordevicesonacomputernetwork.Eachmanagedsystemexecutes,atalltimes,a softwarecomponentcalledanagentwhichreportsinformationviaSNMPtothemanager. SNMPagentsexposemanagementdataonthemanagedsystemsasvariables.Theprotocolalsopermitsactive managementtasks,suchasmodifyingandapplyinganewconfigurationthroughremotemodificationofthese variables. The variables accessible via SNMP are organized in hierarchies. These hierarchies, and other metadata (such as type and description of the variable), are described by Management Information Bases

(MIBs). ThedevicesupportsseveralpublicMIBsandoneprivateMIBfortheSNMPagent.ThesupportedMIBsareas follow: MIB-II (RFC 1213, Include IPv6), IF-MIB, IP-MIB, TCP-MIB, UDP-MIB, SMIv1 and SMIv2, SNMPv2-TM and SNMPv2-MIB, and AMIB (a Proprietary MIB) SNMPManagementScenario ScenarioApplicationTiming TherearetwoapplicationscenariosofSNMPNetworkManagementSystems(NMS).LocalNMSisin 190 M2MCellularGateway theIntranetandmanagealldevicesthatsupportSNMPprotocolintheIntranet.Anotheroneisthe Remote NMS to manage some devices whose WAN interfaces are connected together by using a switch or a router with UDP forwarding. If you want to manage some devices and they all have supportedSNMPprotocol,useeitheroneapplicationscenario,especiallythemanagementofdevices intheIntranet.InmanagingdevicesintheInternet,theTR069isthebettersolution.Pleasereferto lastsubsection. ScenarioDescription TheNMSservercanmonitorandconfigurethemanageddevicesbyusingSNMPprotocol,andthose devicesarelocatedatwhereUDPpacketscanreachfromNMS. ThemanageddevicesreporturgenttrapeventstotheNMSservers. UseSNMPv3versionofprotocolcanprotectedthetransmittingofSNMPcommandsandresponses. TheremoteNMSwithprivilegeIPaddresscanmanagethedevices,butotherremoteNMScan't. ParameterSetupExample FollowingtableslisttheparameterconfigurationasanexamplefortheGateway1inabovediagram with"SNMP"enablingatLANandWANinterfaces. Usedefaultvalueforthoseparametersthatarenotmentionedinthetables. ConfigurationPath SNMPEnable SupportedVersions Get/SetCommunity TrapEventReceiver1 WANAccessIPAddress

[SNMP][Configuration]

LAN WAN v1 v2c v3 ReadCommunity/WriteCommunity 118.18.81.11 118.18.81.11

[SNMP][UserPrivacyDefinition]

1 UserName1 Password1 MD5 DES authPriv 12345678 Read/Write Enable ConfigurationPath ID UserName Password Authentication Encryption PrivacyMode PrivacyKey Authority Enable ScenarioOperationProcedure Inabovediagram,theNMSservercanmanagemultipledevicesintheIntranetoraUDPreachable network.The"Gateway1"isoneofthemanageddevices,andithastheIPaddressof10.0.75.2for LANinterfaceand118.18.81.33forWAN1interface.ItservesasaNATrouter. 3 UserName3 Disable Disable Disable noAuthNoPriv Disable Read Enable 2 UserName2 Password2 SHA1 Disable authNoPriv Disable Read Enable 191 M2MCellularGateway At first stage, the NMS manager prepares related information for all managed devices and records themintheNMSsystem.ThenNMSsystemgetsthestatusofallmanageddevicesbyusingSNMPget commands. Whenthemanagerwantstoconfigurethemanageddevices,theNMSsystemallowshimtodothatby usingSNMPsetcommands.The"UserName1"accountisusedifthemanagerusesSNMPv3protocol forconfiguringthe"Gateway1".Onlythe"UserName1"accountcanletthe"Gateway1"acceptthe configurationfromtheNMSsincetheauthorityoftheaccountis"Read/Write". Onceamanageddevicehasanurgenteventtosend,thedevicewillissueatraptotheTrapEvent Receivers.TheNMSitselfcouldbeoneamongthem. If you want to secure the transmitted SNMP commands and responses between the NMS and the manageddevices,useSNMPv3versionofprotocol. TheremoteNMSwithoutprivilegeIPaddresscan'tmanagethe"Gateway1",since"Gateway1"allows onlytheNMSwithprivilegeIPaddresscanmanageitviaitsWANinterface. 192 M2MCellularGateway SNMPSetting GotoAdministration>Configure&Manage>SNMPtab. TheSNMPallowsusertoconfigureSNMPrelevantsettingwhichincludesinterface,version,accesscontrol andtrapreceiver. EnableSNMP SNMP Item Valuesetting SNMPEnable 1.Theboxesare uncheckedbydefault WANInterface 1.AMustfilledsetting 2.ALLWANsis selectedbydefault SupportedVersions 1.AMustfilledsetting 2.Theboxesare uncheckedbydefault RemoteAceessIP 1.Stringformat:any IPv4address 2.Itisanoptional item. Description SelecttheinterfacefortheSNMPandenableSNMPfunctions. WhenChecktheLANbox,itwillactivateSNMPfunctionsandyoucanaccess SNMPfromLANside;

WhenChecktheWANbox,itwillactivateSNMPfunctionsandyoucanaccess SNMPfromWANside. SpecifytheWANinterfacethataremoteSNMPhostcanaccesstothedevice. Bydefault,AllWANsisselected,andthereisnolimitationfortheWAN inferface. SelecttheversionfortheSNMP WhenCheckthev1box. ItmeansyoucanaccessSNMPbyversion1. WhenCheckthev2cbox. ItmeansyoucanaccessSNMPbyversion2c. WhenCheckthev3box. ItmeansyoucanaccessSNMPbyversion3. SpecifytheRemoteAccessIPforWAN. SelectSpecificIPAddress,andfillinacertainIPaddress.ItmeansonlythisIP addresscanaccessSNMPfromLAN/WANside. SelectIPRange,andfillinarangeofIPaddresses.ItmeanstheIPaddress withinspecifiedrangecanaccessSNMPfromLAN/WANside. Ifyouleftitasblank,itmeansanyIPaddresscanaccessSNMPfromWANside. 193 M2MCellularGateway SNMPPort Save Undo 1.Stringformat:any portnumber 2.ThedefaultSNMP portis161. 3.AMustfilledsetting N/A N/A SpecifytheSNMPPort. Youcanfillinanyportnumber.Butyoumustensuretheportnumberisnotto beused. ValueRange:1~65535. ClickSavetosavethesettings ClickUndotocancelthesettings Create/EditMultipleCommunity TheSNMPallowsyoutocustomyouraccesscontrolforversion1andversion2user.Theroutersupportsupto amaximumof10communitysets. WhenAddbuttonisapplied,MultipleCommunityRuleConfigurationscreenwillappear. MultipleCommunityRuleConfiguration Item Valuesetting 1.ReadOnlyis selectedbydefault 2.AMustfilledsetting 3.Stringformat:any text 1.Theboxischecked bydefault N/A N/A N/A Description Specifythisversion1orversionv2cuserscommunitythatwillbeallowedRead Only(GETandGETNEXT)orReadWrite(GET,GETNEXTandSET)access respectively. Themaximumlengthofthecommunityis32. ClickEnabletoenablethisversion1orversionv2cuser. ClicktheSavebuttontosavetheconfiguration.ButitdoesnotapplytoSNMP functions.WhenyoureturntotheSNMPmainpage.ItwillshowClickonsave buttontoapplyyourchangesremindusertoclickmainpageSavebutton. ClicktheUndobuttontocancelthesettings. ClicktheBackbuttontoreturntolastpage. 194 Community Enable Save Undo Back M2MCellularGateway Create/EditUserPrivacy TheSNMPallowsyoutocustomyouraccesscontrolforversion3user.Theroutersupportsuptoamaximum of128UserPrivacysets. WhenAddbuttonisapplied,UserPrivacyRuleConfigurationscreenwillappear. UserPrivacyRuleConfiguration Valuesetting Item UserName 1.AMustfilledsetting 2.Stringformat:any text 1.Stringformat:any text Password Authentication Encryption 1.Noneisselectedby default 1.Noneisselectedby default Description SpecifytheUserNameforthisversion3user. ValueRange:1~32characters. WhenyourPrivacyModeisauthNoPrivorauthPriv,youmustspecifythe Passwordforthisversion3user. ValueRange:8~64characters. WhenyourPrivacyModeisauthNoPrivorauthPriv,youmustspecifythe Authenticationtypesforthisversion3user. SelectedtheauthenticationtypesMD5/SHA1touse. WhenyourPrivacyModeisauthPriv,youmustspecifytheEncryption protocolsforthisversion3user. SelectedtheencryptionprotocolsDES/AEStouse. 195 M2MCellularGateway PrivacyMode 1.noAuthNoPrivis selectedbydefault PrivacyKey Authority OIDFilterPrefix Enable Save Undo Back 1.Stringformat:any text 1.Readisselectedby default 1.Thedefaultvalueis 1 2.AMustfilledsetting 3.Stringformat:any legalOID 1.Theboxischecked bydefault N/A N/A N/A SpecifythePrivacyModeforthisversion3user. SelectedthenoAuthNoPriv. Youdonotuseanyauthenticationtypesandencryptionprotocols. SelectedtheauthNoPriv. YoumustspecifytheAuthenticationandPassword. SelectedtheauthPriv. YoumustspecifytheAuthentication,Password,EncryptionandPrivacyKey. WhenyourPrivacyModeisauthPriv,youmustspecifythePrivacyKey(8~64 characters)forthisversion3user. Specifythisversion3usersAuthoritythatwillbeallowedReadOnly(GETand GETNEXT)orReadWrite(GET,GETNEXTandSET)accessrespectively. TheOIDFilterPrefixrestrictsaccessforthisversion3usertothesubtree rootedatthegivenOID. ValueRange:1~2080768. ClickEnabletoenablethisversion3user. ClicktheSavebuttontosavetheconfiguration.ButitdoesnotapplytoSNMP functions.WhenyoureturntotheSNMPmainpage.ItwillshowClickonsave buttontoapplyyourchangesremindusertoclickmainpageSavebutton. ClicktheUndobuttontocancelthesettings ClicktheBackbuttontoreturnthelastpage. Create/EditTrapEventReceiver TheSNMPallowsyoutocustom yourtrapeventreceiver.Theroutersupportsuptoamaximumof4Trap EventReceiversets. WhenAddbuttonisapplied,TrapEventReceiverRuleConfigurationscreenwillappear.ThedefaultSNMP Versionisv1.Theconfigurationscreenwillprovidetheversion1mustfilleditems. 196 M2MCellularGateway Whenyouselectedv2c,theconfigurationscreenisexactlythesameasthatofv1,excepttheversion. Whenyouselectedv3,theconfigurationscreenwillprovidemoresettingitemsfortheversion3Trap. TrapEventReceiverRuleConfiguration Item Valuesetting 1.AMustfilledsetting 2.Stringformat:any IPv4addressorFQDN 1.Stringformat:any portnumber 2.ThedefaultSNMP trapportis162 3.AMustfilledsetting Description SpecifythetrapServerIPorFQDN. TheDUTwillsendtraptotheserverIP/FQDN. SpecifythetrapServerPort. Youcanfillinanyportnumber.Butyoumustensuretheportnumberisnotto beused. ValueRange:1~65535. 197 ServerIP ServerPort M2MCellularGateway SNMPVersion 1.v1isselectedby default 1.Av1andv2cMust filledsetting 2.Stringformat:any text 1.Av3Mustfilled setting 2.Stringformat:any text 1.Av3Mustfilled setting 2.Stringformat:any text 1.Av3Mustfilled setting 2.noAuthNoPrivis selectedbydefault 1.Av3Mustfilled setting 2.Noneisselectedby default 1.Av3Mustfilled setting 2.Noneisselectedby default 1.Av3Mustfilled setting 2.Stringformat:any text 1.Theboxischecked bydefault N/A N/A N/A CommunityName UserName Password PrivacyMode Authentication Encryption PrivacyKey Enable Save Undo Back Selecttheversionforthetrap Selectedthev1. Theconfigurationscreenwillprovidetheversion1mustfilleditems. Selectedthev2c. Theconfigurationscreenwillprovidetheversion2cmustfilleditems. Selectedthev3. Theconfigurationscreenwillprovidetheversion3mustfilleditems. SpecifytheCommunityNameforthisversion1orversionv2ctrap. ValueRange:1~32characters. SpecifytheUserNameforthisversion3trap. ValueRange:1~32characters. WhenyourPrivacyModeisauthNoPrivorauthPriv,youmustspecifythe Passwordforthisversion3trap. ValueRange:8~64characters. SpecifythePrivacyModeforthisversion3trap. SelectedthenoAuthNoPriv. Youdonotuseanyauthenticationtypesandencryptionprotocols. SelectedtheauthNoPriv. YoumustspecifytheAuthenticationandPassword. SelectedtheauthPriv. YoumustspecifytheAuthentication,Password,EncryptionandPrivacyKey. WhenyourPrivacyModeisauthNoPrivorauthPriv,youmustspecifythe Authenticationtypesforthisversion3trap. SelectedtheauthenticationtypesMD5/SHA1touse. WhenyourPrivacyModeisauthPriv,youmustspecifytheEncryption protocolsforthisversion3trap. SelectedtheencryptionprotocolsDES/AEStouse. WhenyourPrivacyModeisauthPriv,youmustspecifythePrivacyKey(8~64 characters)forthisversion3trap. ClickEnabletoenablethistrapreceiver. ClicktheSavebuttontosavetheconfiguration.ButitdoesnotapplytoSNMP functions.WhenyoureturntotheSNMPmainpage.ItwillshowClickonsave buttontoapplyyourchangesremindusertoclickmainpageSavebutton. ClicktheUndobuttontocancelthesettings. ClicktheBackbuttontoreturnthelastpage. 198 M2MCellularGateway SpecifySNMPMIB2System Ifrequired,youcanalsospecifytherequiredonformationthetheMIB2System. SNMPMIB2SystemConfiguration Item sysContact Valuesetting 1.AnOptionalfilled setting 2.Stringformat:any text 1.AnOptionalfilled setting 2.Stringformat:any text sysLocation Description SpecifythecontactinformationforMIB2system. ValueRange:0~64characters. SpecifythelocationinformationforMIB2system. ValueRange:0~64characters. EditSNMPOptions IfyouusesomeparticularprivateMIB,youmustfilltheenterprisename,numberandOID. Options 199 M2MCellularGateway Item EnterpriseName EnterpriseNumber EnterpriseOID Valuesetting 1.Thedefaultvalueis Default 2.AMustfilledsetting 3.Stringformat:any text Thedefaultvalueis 12823

(DefaultEnterprise Number) 2.AMustfilledsetting 3.Stringformat:any number 1.Thedefaultvalueis 1.3.6.1.4.1.12823.4.4.9

(DefaultEnterpriseOID) 2.AMustfilledsetting 3.Stringformat:any legalOID Description SpecifytheEnterpriseNamefortheparticularprivateMIB. ValueRange:1~10characters,andonlystringwithA~Z,a~z,0~9,,_. SpecifytheEnterpriseNumberfortheparticularprivateMIB. ValueRange:1~2080768. SpecifytheEnterpriseOIDfortheparticularprivateMIB. TherangeoftheeachOIDnumberis12080768. ThemaximumlengthoftheenterpriseOIDis31. Theseventhnumbermustbeidenticalwiththeenterprisenumber. Save Undo N/A N/A ClicktheSavebuttontosavetheconfigurationandapplyyourchangesto SNMPfunctions. ClicktheUndobuttontocancelthesettings. 200 M2MCellularGateway 6.1.4Telnet&SSH Acommandlineinterface(CLI),alsoknownascommandlineuserinterface,andconsoleuserinterfaceare meansofinteractingwithacomputerprogramwheretheuser(orclient)issuescommandstotheprogramin theformofsuccessivelinesoftext(commandlines).Theinterfaceisusuallyimplementedwithacommand lineshell,whichisaprogramthatacceptscommandsastextinputandconvertscommandstoappropriate operating system functions. Programs with commandline interfaces are generally easier to automate via scripting. The device supports both Telnet and SSH (Secure Shell) CLI with default service port 23 and 22, respectively. Telnet&SSHScenario ScenarioApplicationTiming WhentheadministratorofthegatewaywantstomanageitfromremotesiteintheIntranetorInternet, hemayuse"TelnetwithCLI"functiontodothatbyusing"Telnet"or"SSH"utility. ScenarioDescription TheLocalAdminortheRemoteAdmincanmanagetheGatewaybyusing"Telnet"or"SSH"utilitywith privilegedusernameandpassword. ThedatapacketsbetweentheLocalAdminandtheGatewayorbetweentheRemoteAdminandthe Gatewaycanbeplaintextsorencryptedtexts.SuggesttheyareplaintextsintheIntranetforLocal Admintouse"Telnet"utility,andencryptedtextsintheInternetforRemoteAdmintouse"SSH"utility. 201 M2MCellularGateway ParameterSetupExample FollowingtableliststheparameterconfigurationasanexamplefortheGatewayinabovediagramwith

"TelnetwithCLI"enablingatLANandWANinterfaces. Usedefaultvalueforthoseparametersthatarenotmentionedinthetable. ConfigurationPath Telnet SSH

[Telnet&SSH][Configuration]

LAN: EnableWAN: Enable ServicePort:23 LAN: EnableWAN: Enable ServicePort:22 ScenarioOperationProcedure Inabovediagram,"LocalAdmin"or"RemoteAdmin"canmanagethe"Gateway"intheIntranetor Internet.The"Gateway"isthegatewayofNetworkA,andthesubnetofitsIntranetis10.0.75.0/24.It hastheIPaddressof10.0.75.2forLANinterfaceand118.18.81.33forWAN1interface.Itservesasa NATgateway. The"LocalAdmin"intheIntranetuses"Telnet"utilitywithprivilegedaccounttologintheGateway. Orthe"RemoteAdmin"intheInternetuses"SSH"utilitywithprivilegedaccounttologintheGateway. Theadministratorofthegatewaycancontrolthedeviceaslikeheisinfrontofthegateway. 202 M2MCellularGateway Telnet&SSHSetting GotoAdministration>Configure&Manage>Telnet&SSHtab. The Telnet & SSH setting allows administrator to access this device through the traditional Telnet or SSH Telnet program. Before you can telnet (login) to the device, please configure the related settings and passwordwithcare.Thepasswordmanagementpartallowsyoutosetrootpasswordforloggingtelnetand SSH. Configuration Item Telnet SSH Save Undo Valuesetting 1. TheLANEnableboxis checkedbydefault. 2. BydefaultService Portis23. 3. TheLANEnableboxis checkedbydefault. 4. BydefaultService Portis22. N/A N/A Description ChecktheEnableboxtoactivatetheTelnetfunctionforconnectingfromLANorWAN interfaces. YoucansetwhichnumberofServicePortyouwanttoprovideforthecorresponding service. ValueRange:1~65535. ChecktheEnableboxtoactivatetheSSHTelnetfunctionforconnectingfromLANor WANinterfaces. YoucansetwhichnumberofServicePortyouwanttoprovideforthecorresponding service. ValueRange:1~65535. ClickSavetosavethesettings ClickUndotocancelthesettings 203 M2MCellularGateway Configuration Item root Save Undo Valuesetting 1.String:anytextbutno blankcharacter 2.Thedefaultpassword fortelnetis wirelessm2m. N/A N/A Description Typeoldpasswordandspecifynewpasswordtochangerootpassword. Note_1:Youarehighlyrecommendedtochangethedefaulttelnetpasswordwith yoursbeforethedeviceisdeployed. Note_2:IfyouhavetroubleforthedefaultpasswordforpreviousFWversion,please checkthecorrespondingUserManualtogetthecorrectone. ClickSavetosavethesettings ClickUndotocancelthesettings 204 M2MCellularGateway 6.2SystemOperation System Operation allows the network administrator to manage system, settings such as webbased utility access password change, system information, system time, system log, firmware/configuration backup &

restore,andreset&reboot. 6.2.1Password&MMI GotoAdministration>SystemOperation>Password&MMItab. ChangeUserName ChangeUsernamescreenallowsnetworkadministratortochangethewebbasedMMIloginaccounttoaccess gateway.ClicktheModifybuttonandprovidethenewusernamesetting. UsernameConfiguration Item Username NewUsername Password Save Undo Description DisplaythecurrentMMIloginaccount(Username). EnternewUsernametoreplacethecurrentsetting. Entercurrentpasswordtoverifyifyouhavethepermissiontochangethe usernamesetting. ClickSavebuttontosavethesettings ClickUndobuttontocancelthesettings Valuesetting 1.ThedefaultUsername forwebbasedMMIis admin. String:anytext String:anytext N/A N/A ChangePassword Change password screen allows network administrator to change the webbased MMI login password to accessgateway. 205 M2MCellularGateway PasswordConfiguration Item OldPassword NewPassword NewPassword Confirmation Save Undo Valuesetting 1.String:anytext 2.Thedefaultpassword forwebbasedMMIis admin. String:anytext String:anytext N/A N/A Description Enterthecurrentpasswordtoenableyouunlocktochangepassword. Enternewpassword Enternewpasswordagaintoconfirm ClickSavebuttontosavethesettings ClickUndobuttontocancelthesettings ChangeMMISettingforAccessing This is the gateways webbased MMI access which allows administrator to access the gateway for management.ThegatewayswebbasedMMIwillautomaticallylogoutwhentheidletimehaselapsed.The settingallowsadministratortoenableautomaticlogoutandsetthelogoutidletime.Whenthelogintimeout isdisabled,thesystemwontlogouttheadministratorautomatically. 206 M2MCellularGateway MMIConfiguration Item Valuesetting Login 3timesissetbydefault LoginTimeout GUIAccessProtocol TheEnableboxis checked,and300isset bydefault. http/httpsis selectedbydefault. HTTPsCertificate Setup Thedefaultboxis selectedbydefault httpCompression Theboxisuncheckedby default. SystemBootMode NormalModeisselected bydefault. Save Undo N/A N/A Description Enterthelogintrialcountingvalue. ValueRange:3~10. IfsomeonetriedtologinthewebGUIwithincorrectpasswordformore thanthecountingvalue,anwarningmessageAlreadyreachingmaximum PasswordGuessingtimes,pleasewaitafewseconds!willbedisplayed andignorethefollowinglogintrials. ChecktheEnableboxtoactivatetheautologoutfunction,andspecifythe maximumidletimeaswell. ValueRange:30~65535. SelecttheprotocolthatwillbeusedforGUIaccess.Itcanbehttp/https, httponly,orhttpsonly. IfthehttpsAccessProtocolisselected,theHTTPsCertificateSetupoption willbeavailableforfurtherconfiguration. Youcanleaveitasdefaultorselectaexpectedcertificateandkeyfromthe dropdownlist. RefertoObjectDefinition>CertificateSectionfortheCertificate configuration. Checkthebox(gzip,ordeflate)ifanycomprerssionmethodispreferred. Selectthesystembootmodethatwillbeadoptedtobootupthedevice. NormalMode:Ittakeslongerbootuptime,about200seconds,with completefirmwareimagecheckduringthedevicebooting. FastMode:Ittakesshorterbootuptime,about120seconds,without checkingthefirmwareimageduringthedevicebooting. QuickMode:Ittakesshorterbootuptime,about90seconds,without checkingthefirmwareimageandcreatetheinternaldatabasefor User/Group/CaptivePortalfunctions. Note:UseQuickModewithcare,onceselected,theUser/Group/Captive Portalfunctionwillbecomenonfunctional. ClickSavebuttontosavethesettings ClickUndobuttontocancelthesettings 207 M2MCellularGateway 6.2.2SystemInformation System Information screen gives network administrator a quick look up on the device information for the purchadesgateway. GotoAdministration>SystemOperation>SystemInformationtab. SystemInformation Item ModelName DeviceSerial Number KernelVersion FWVersion CPUUsage MemoryUsage SystemTime DeviceUpTime Refresh ValueSetting N/A N/A N/A N/A N/A N/A N/A N/A N/A Description Itdisplaysthemodelnameofthisproduct. Itdisplaystheserialnumberofthisproduct. ItdisplaystheLinuxkernelversionoftheproduct Itdisplaysthefirmwareversionoftheproduct ItdisplaysthepercentageofCPUutilization. Itdisplaysthepercentageofdevicememoryutilization. Itdisplaysthecurrentsystemtimethatyoubrowsedthiswebpage. Itdisplaysthestatisticsforthedeviceuptimesincelastbootup. ClicktheRefreshbuttontoupdatethesystemInformationimmediately. 208 M2MCellularGateway 6.2.3SystemTime Thegatewayprovidesmanuallysetupandautosynchronizedapproachesfortheadministratortosetupthe systemtimeforthegateway. GotoAdministration>SystemOperation>SystemTimetab. SystemTimeInformation Item TimeZone ValueSetting 1.Itisanoptionalitem. 2.GMT+00:00is selectedbydefault. Auto synchronization 1.Checkedbydefault. 2.Autoisselectedby default. DaylightSaving Time 1.Itisanoptionalitem. 2.Uncheckedbydefault SetDate&Time 1.Itisanoptionalitem. Save Refresh N/A N/A Description Select a time zone where this device locates. ChecktheEnablebuttontoactivatethetimeautosynchronizationfunctionwith acertainNTPserver. YoucanentertheIPorFQDNfortheNTPserveryouexpected,orleaveitas automodesothattheavailableserverwillbeusedfortimesynchronizationone byone. ChecktheEnablebuttontoactivatethedaylightsavingfunction. When you enabled this function, you have to specify the start date and end date for the daylight saving time duration. If you do not enable the time auto-synchronization function, you can also manually set the date (Year/Month/Day) and time (Hour:Minute:Second). ClicktheSavebuttontosavethesettings. ClicktheRefreshbuttontoupdatethesystemtimeimmediately. Insteadofmanuallyconfiguringthesystemtimeforthegateway,therearetwosimpleandquicksolutionsfor youtosetthecorrecttimeinformationandsetitasthesystemtimeforthegateway. 209 M2MCellularGateway ThefirstoneisSyncwithTimerServer.Basedonyourselectionoftimezoneandtimeserverinabovetime informationconfigurationwindow,systemwillcommunicatewithtimeserverbyNTPProtocoltogetsystem dateandtimeafteryouclickontheSyncwithTimerServerbutton. Note: Remember to select a correct time zone for the device, otherwise, you will just get the UTC

(CoordinatedUniversalTime)time,notthelocaltimeforthedevice. ThesecondoneisSyncwithmyPC.ClickontheSyncwithmyPCbuttontoletsystemsynchronizeitsdate andtimetothetimeoftheadministrationPC. 210 M2MCellularGateway 6.2.4SystemLog SystemLogscreencontainsvariouseventlogtoolsfacilitatingnetworkadministratortoperformlocalevent loggingandremotereporting. GotoAdministration>SystemOperation>SystemLogtab. View&EmailLogHistory View button is provided for networkadministrator to view log history on the gateway.Email Now button enablesadministratortosendinstantEmailforanalysis. View&EmailLogHistory Item Viewbutton EmailNow button Valuesetting N/A N/A Description ClicktheViewbuttontoviewLogHistoryinWebLogListWindow. ClicktheEmailNowbuttontosendLogHistoryviaEmailinstantly. 211 M2MCellularGateway WebLogListWindow Item Timecolumn Logcolumn ValueSetting N/A N/A Description Itdisplayseventtimestamps ItdisplaysLogmessages WebLogListButtonDescription Item Previous Next First Last Download Clear Back Valuesetting N/A N/A N/A N/A N/A N/A N/A Description ClickthePreviousbuttontomovetothepreviouspage. ClicktheNextbuttontomovetothenextpage. ClicktheFirstbuttontojumptothefirstpage. ClicktheLastbuttontojumptothelastpage. ClicktheDownloadbuttontodownloadlogtoyourPCintarfileformat. ClicktheClearbuttontoclearalllog. ClicktheBackbuttontoreturntothepreviouspage. WebLogTypeCategory Web Log Type Category screen allows network administrator to select the type of events to log and be displayedintheWebLogListWindowasdescribedintheprevioussection.ClickontheViewbuttontoview LogHistoryintheWebLogListwindow. 212 M2MCellularGateway WebLogTypeCategorySettingWindow Item System Attacks Drop Loginmessage Debug ValueSetting Checkedbydefault Checkedbydefault Checkedbydefault Checkedbydefault Uncheckedbydefault Description ChecktologsystemeventsandtodisplayintheWebLogListwindow. ChecktologattackeventsandtodisplayintheWebLogListwindow. ChecktologpacketdropeventsandtodisplayintheWebLogListwindow. ChecktologsystemlogineventsandtodisplayintheWebLogListwindow. ChecktologdebugeventsandtodisplayintheWebLogListwindow. EmailAlert EmailAlertscreenallowsnetworkadministratortoselectthetypeofeventtologandbesenttothedestined Emailaccount. EmailAlertSettingWindow Item Enable ValueSetting Uncheckedbydefault Server N/A Emailaddress String:emailformat Subject String:anytext Logtypecategory Defaultunchecked Description CheckEnableboxtoenablesendingeventlogmessagestodestinedEmail accountdefinedintheEmailAddressesblankspace. SelectoneemailserverfromtheServerdropdownboxtosendEmail.Ifnone hasbeenavailable,clicktheAddObjectbuttontocreateanoutgoingEmail server. You may also add an outgoing Email server from Object Definition > External Server > External Server tab. EntertherecipientsEmailaddress.SeparateEmailaddresseswithcomma,or semicolon;

EntertheEmailaddressintheformatofmyemail@domain.com EnteranEmailsubjectthatiseasyforyoutoidentifyontheEmailclient. Select the type of events to log and be sent to the designated Email account. AvailableeventsareSystem,Attacks,Drop,Loginmessage,andDebug. 213 M2MCellularGateway Syslogd Syslogdscreenallowsnetworkadministratortoselectthetypeofeventtologandbesenttothedesignated Syslogserver. SyslogdSettingWindow Item Enable ValueSetting Uncheckedbydefault CheckEnableboxtoactivatetheSyslogdfunction,andsendeventlogstoasyslogserver Description Server N/A Logtype category Uncheckedbydefault SelectonesyslogserverfromtheServerdropdownboxtosenteventlogto. Ifnonehasbeenavailable,clicktheAddObjectbuttontocreateasystemlogserver. You may also add an system log server from the Object Definition > External Server >

External Server tab. Selectthetypeofeventtologandbesenttothedestinedsyslogserver.Available eventsareSystem,Attacks,Drop,Loginmessage,andDebug. LogtoStorage LogtoStoragescreenallowsnetworkadministratortoselectthetypeofeventstologandbestoredatan internaloranexternalstorage. LogtoStorageSettingWindow ValueSetting Item Enable Uncheckedbydefault Internalisselectedby default Uncheckedbydefault Uncheckedbydefault Logfilename SplitfileEnable SelectDevice SplitfileSize 200KBissetbydefault Logtypecategory Uncheckedbydefault LogtoStorageButtonDescription Item Downloadlog file Valuesetting N/A Description Checktoenablesendinglogtostorage. Selectinternalorexternalstorage. Enterlogfilenametosavelogsindesignatedstorage. Checkenableboxtosplitfilewheneverlogfilereachingthespecifiedlimit. Enterthefilesizelimitforeachsplitlogfile. ValueRange:10~1000. Checkwhichtypeoflogstosend:System,Attacks,Drop,Loginmessage,Debug Description ClicktheDownloadlogfilebuttontodownloadlogfilestoalog.tarfile. 214 M2MCellularGateway 6.2.5Backup&Restore IntheBackup&Restorewindow,youcanupgradethedevicefirmwarewhennewfirmwareisavailableand alsobackup/restorethedeviceconfiguration. In addition to the factory default settings, you can also customize a special configuration setting as a customizeddefaultvalue.Withthiscustomizeddefaultvalue,youcanresetthedevicetotheexpecteddefault settingifneeded. GotoAdministration>SystemOperation>Backup&Restoretab. FWBackup&Restore Item ValueSetting FWUpgrade ViaWebUIisselectedby default Backup Configuration Settings Downloadisselectedby default AutoRestore Configuration TheEnableboxis uncheckedbydefault Description Ifnewfirmwareisavailable,clicktheFWUpgradebuttontoupgradethedevice firmwareviaWebUI,orViaStorage. AfterclickingontheFWUpgradecommandbutton,youneedtospecifythe filenameofnewfirmwarebyusingBrowsebutton,andthenclickUpgrade buttontostarttheFWupgradingprocessonthisdevice.Ifyouwanttoupgrade afirmwarewhichisfromGPLpolicy,pleasecheckAcceptunofficialfirmware YoucanbackuporrestorethedeviceconfigurationsettingsbyclickingtheVia WebUIbutton. Download:forbackupthedeviceconfigurationtoaconfig.binfile. Upload:forrestoreadesignatedconfigurationfiletothedevice. ViaWebUI:toretrievetheconfigurationfileviaWebGUI. ChicktheEnablebuttontoactivatethecustomizeddefaultsettingfunction. Oncethefunctionisactivated,youcansavetheexpectedsettingasa customizeddefaultsettingbyclickingtheSaveConf.button,orclickingthe CleanConf.buttontoerasethestoredcustomizedconfiguration. 215 M2MCellularGateway 6.2.6Reboot&Reset Forsomespecialreasonorsituation,youmayneedtorebootthegatewayorresetthedeviceconfigurationto itsdefaultvalue.InadditiontoperformtheseoperationsthroughthePowerON/OFF,orpressingthereset buttononthedevicepanel,youcandoitthroughthewebGUItoo. GotoAdministration>SystemOperation>Reboot&Resettab. IntheReboot&Resetwindow,youcanrebootthisdevicebyclickingtheRebootbutton,andresetthis devicetodefaultsettingsbyclickingtheResetbutton. SystemOperationWindow Item ValueSetting Reboot Nowisselectedby default ResettoDefault N/A Description ChicktheRebootbuttontorebootthegatewayimmediatelyoronapredefined timeschedule. Now:Rebootimmediately TimeSchedule:Selectapredefinedautoreboottimescheduleruletoreboot theautodeviceonadesignatedtim.Todefineatimeschedulerule,goto ObjectDefinition>Scheduling>Configurationtab. ClicktheResetbuttontoresetthedeviceconfigurationtoitsdefaultvalue. 216 M2MCellularGateway 6.3FTP(notsupported) Not supported feature for the purchased product, leave it as blank. 217 M2MCellularGateway 6.4Diagnostic Thisgatewaysupportssimplenetworkdiagnosistoolsfortheadministratortotroubleshootandfindtheroot causeoftheabnormalbehaviorortrafficspassingthroughthegateway.TherecanbeaPacketAnalyzerto helprecordthepacketsforadesignatedinterfaceorspecificsource/destinationhost,andanotherPingand Tracerttoolsfortestingthenetworkconnectivityissues. 6.4.1DiagnosticTools TheDiagnosticToolsprovidesomefrequentlyusednetworkconnectivitydiagnostictools(approaches)forthe networkadministratortocheckthedeviceconnectivity. GotoAdministration>Diagnostic>DiagnosticToolstab. DiagnosticTools Item Valuesetting PingTest OptionalSetting TracertTest Optionalsetting WakeonLAN Optionalsetting Save N/A Description ThisallowsyoutospecifyanIP/FQDNandthetestinterface(LAN,WAN,or Auto),sosystemwilltrytopingthespecifieddevicetotestwhetheritisalive afterclickingonthePingbutton.Atestresultwindowwillappearbeneathit. Traceroute(tracert)commandisanetworkdiagnostictoolfordisplayingthe route(path)andmeasuringtransitdelaysofpacketsacrossanIPnetwork. Tracerouteproceedsuntilall(three)sentpacketsarelostformorethan twice,thentheconnectionislostandtheroutecannotbeevaluated. First,youneedtospecifyanIP/FQDN,thetestinterface(LAN,WAN,or Auto)andtheprotocol(UDPorICMP),andbydefault,itisUDP. Then,systemwilltrytotracethespecifiedhosttotestwhetheritisalive afterclickingonTracertbutton.Atestresultwindowwillappearbeneathit. WakeonLAN(WOL)isanEthernetnetworkingstandardthatallowsa computertobeturnedonorawakenedbyanetworkmessage.Youcan specifytheMACaddressofthecomputer,inyourLANnetwork,tobe remotelyturnedonbyclickingontheWakeupcommandbutton. ClicktheSavebuttontosavetheconfiguration. 218 M2MCellularGateway Chapter7Service 7.1 CellularToolkit Besides cellular data connection, you may also like to monitor data usage of cellular WAN, sending text message through SMS, changing card, communicating with carrier/ISP by USSD command, or doing a cellular network scan fordiagnosticpurpose. code SIM PIN of insertedtodevicebeforeyoucontinuesettingsinthissection. InCellularToolkitsection,itincludesseveral useful features that are related to cellular configuration or application. You can configure settings of Data Usage, SMS, SIM PIN, USSD, and Network Scan here. Please noteatleastavalidSIMcardisrequiredtobe 219 M2MCellularGateway 7.1.1DataUsage Mostofdataplanforcellularconnectioniswithalimitedamountofdatausage.Ifdatausagehasbeenover limitedquota,eitheryouwillgetmuchlowerdatathroughputthatmayaffectyourdailyoperation,oryouwill getabillshockinthenextmonthbecausecarrier/ISPchargesalotfortheoverquotadatausage. WithhelpfromDataUsagefeature,devicewillmonitorcellulardatausagecontinuouslyandtakeactions.If datausagereacheslimitedquota,devicecanbesettodropthecellulardataconnectionrightaway.Otherwise, if secondary SIM card is inserted, device will switch to secondary SIM and establish another cellular data connectionwithsecondarySIMautomatically. If Data Usage feature is enabled, all history of cellular data usage can be viewed at Status >Statistics &

Reports>CellularUsagetab. 3G/4GDataUsage Data Usage feature enabling gateway device to continuouslymonitorcellulardatausageandtake actions.Inthediagram,quotalimitofSIMAis1Gb permonthandbillstartdateis20thofeverymonth. The device is smart to start a new calculation of data usage on every 20th of month. Enable Connection Restrict will force gateway device to dropcellularconnectionofSIMAwhendatausage reaches quota limit (1Gb in this case). If SIM failover feature is configured in Internet Setup, thengatewaywillswitchtoSIMBandestablisha newcellulardataconnectionautomatically. 220 M2MCellularGateway DataUsageSetting GotoService>CellularToolkit>DataUsagetab. BeforefinishedsettingsforDataUsage,youneedtoknowbillstartdate,billperiod,andquotalimitofdata usageaccordingtoyourdataplan.YoucanaskthisinformationfromyourcarrierorISP. Create/Edit3G/4GDataUsageProfile WhenAddbuttonisapplied,3G/4GDataUsageProfileConfigurationscreenwillappear.Youcancreateupto fourdatausageprofiles,oneprofileforeachSIMcardusedintheGateway. 3G/4GDataUsageProfileConfiguration ItemSetting Valuesetting SIMSelect CarrierName CyclePeriod 3G/4G1andSIMAby default. Itisanoptionalitem. Daysbydefault StartDate N/A Description Chooseacellularinterface (3G/4G1or3G/4G2),andaSIMcardboundtothe selectedcellularinterfacetoconfigureitsdatausageprofile. FillintheCarrierNamefortheselectedSIMcardforidentification. Thefirstboxhas threetypes forcycleperiod.TheyareDays,WeeklyandMonthly. Days:ForperDayscycleperiods,youhavetofurtherspecifythenumberofdaysin thesecondbox. ValueRange:1~90days. Weekly,Monthly:Thecycleperiodisoneweekoronemonth. Specifythedateto startmeasurenetworktraffic. Pleasedontselectthedaybeforenow,otherwise,thetrafficstatisticswillbe incorrect. 221 M2MCellularGateway DataLimitation N/A Connection Restrict UnCheckedbydefault. ChecktheEnable boxtoactivate theconnectionrestrictionfunction. Specifytheallowabledatalimitationforthedefinedcycleperiod. Duringthespecifiedcycleperiod,iftheactualdatausageexceedstheallowabledata limitation,thecellularconnectionwillbeforcedtodisconnect. UnCheckedbydefault. ChecktheEnable boxtoactivate thedatausageprofile. Enable 222 M2MCellularGateway 7.1.2SMS ShortMessageService(SMS)isatextmessagingservice,whichisusedtobewidelyusedonmobilephones.It usesstandardizedcommunicationsprotocolstoallowmobilephonesorcellulardevicestoexchangeshorttext messagesinaninstantandconvenientway. SMSSetting GotoService>CellularToolkit>SMStab Withthisgatewaydevice,youcansendSMStextmessagesorbrowsereceivedSMSmessagesasyouusually doonacellularphone. SetupSMSConfiguration Configuration Item Physical Interface SMS SIMStatus SMSStorage Save Valuesetting Theboxis3G/4G1by default Theboxischeckedby default N/A TheboxisSIMCardOnly bydefault N/A Description Chooseacellularinterface(3G/4G1or3G/4G2)forthefollowingSMSfunction configuration. ThisistheSMSswitch.IftheboxcheckedthattheSMSfunctionenable,ifthe boxuncheckedthattheSMSfunctiondisable. DependoncurrentlySIMstatus.ThepossiblevaluewillbeSIM_AorSIM_B. ThisistheSMSstoragelocation.CurrentlytheoptiononlySIMCardOnly. ClicktheSavebuttontosavethesettings 223 M2MCellularGateway SMSSummary ShowUnreadSMS,ReceivedSMS,RemainingSMS,andeditSMScontexttosend,readSMSfromSIMcard. SMSSummary Item UnreadSMS Valuesetting N/A ReceivedSMS N/A RemainingSMS N/A NewSMS SMSInbox N/A N/A Refresh N/A NewSMS YoucansettheSMSsettingfromthisscreen. Description IfSIMcardinserttorouterfirsttime,unreadSMSvalueiszero.Whenreceivedthe newSMSbutdidntread,thisvalueplusone. ThisvaluerecordtheexistingSMSnumbersfromSIMcard,Whenreceivedthenew SMS,thisvalueplusone. ThisvalueisSMScapacityminusreceivedSMS,WhenreceivedthenewSMS,this valueminusone. ClickNewSMSbutton,aNewSMSscreenappears.UsercansettheSMSsetting fromthisscreen.RefertoNewSMSinthenextpage. ClickSMSInboxbutton,aSMSInboxListscreenappears.Usercanreadordelete SMS,replySMSorforwardSMSfromthisscreen.RefertoSMSInboxListinthe nextpage. ClicktheRefreshbuttontoupdatetheSMSsummaryimmediately. 224 M2MCellularGateway NewSMS Item Receivers TextMessage Send Result Valuesetting N/A N/A N/A N/A Description WritethereceiverstosendSMS.Userneedtoaddthesemicolonandcompose multiplereceiversthatcangroupsendSMS. WritetheSMScontexttosendSMS.Theroutersupportsuptoamaximumof 1023characterforSMScontextlength. ClicktheSendbutton,abovetextmessagewillbesentasaSMS. IfSMShasbeensentsuccessfully,itwillshowSendOK,otherwiseSendFailed willbedisplayed. SMSInboxList YoucanreadordeleteSMS,replySMSorforwardSMSfromthisscreen. SMSInboxList Item ID FromPhone Number Timestamp SMSText Preview Valuesetting N/A N/A N/A N/A Action Refresh Delete Close Theboxisuncheckedby default N/A N/A N/A Description ThenumberorSMS. WhatthephonenumberfromSMS WhattimereceiveSMS PreviewtheSMStext.ClicktheDetailbuttontoreadacertainmessage. ClicktheDetailbuttontoreadtheSMSdetail;ClicktheReply/Forwardbutton toreply/forwardSMS. Besides,youcancheckthebox(es),andthenclicktheDeletebuttontodelete thecheckedSMS(s). RefreshtheSMSInboxList. DeletetheSMSforallcheckedboxfromAction. ClosetheDetailSMSMessagescreen. 225 M2MCellularGateway 7.1.3SIMPIN Withmostcasesintheworld,usersneedtoinsertaSIMcard(a.k.a.UICC)intoenddevicestogetoncellular network for voice service or data surfing. The SIM card is usually released by mobile operators or service providers.EachSIMcardhasauniquenumber(socalledICCID)fornetworkownersorserviceprovidersto identifyeachsubscriber.AsSIMcardplaysanimportantrolebetweenserviceprovidersandsubscribers,some securitymechanismsarerequiredonSIMcardtopreventanyunauthorizedaccess. EnablingaPINcodeinSIMcardisaneasyandeffectivewayofprotectingcellulardevicesfromunauthorized access.ThisgatewaydeviceallowsyoutoactivateandmanagePINcodeonaSIMcardthroughitswebGUI. ActivatePINcodeonSIMCard ThisgatewaydeviceallowsyoutoactivatePINcodeonSIMcard.This exampleshowshowtoactivatePINcodeonSIMAfor3G/4G1with defaultPINcode0000. ChangePINcodeonSIMCard This gateway device allows you to change PIN code on SIM card. Following the example above, you need to type original PIN code 0000,andthentypenewPINcodewith1234ifyouliketosetnew PINcodeas1234.ToconfirmthenewPINcodeyoutypeiswhatyou want,youneedtotypenewPINcode1234inVerifiedNewPINCode again. UnlockSIMcardbyPUKCode IfyouenteredincorrectPINcodeatconfigurationpagefor3G/4G1 WANoverthreetimes,andthenitwillcauseSIMcardtobelockedby PUKcode.ThenyouhavetocallservicenumbertogetaPUKcodeto unlockSIMcard.Inthediagram,thePUKcodeis12345678andnew PINcodeis5678. 226 M2MCellularGateway SIMPINSetting GotoService>CellularToolkit>SIMPINTab WiththeSIMPINFunctionwindow,itallowsyoutoenableordisableSIMlock(whichmeansprotectedbyPIN code), or change PIN code. You can also see the information of remaining times of failure trials as we mentionedearlier.Ifyourunoutofthesefailuretrials,youneedtogetaPUKcodetounlockSIMcard. SelectaSIMCard ConfigurationWindow Item Physical Interface Valuesetting Theboxis3G/4G1by default SIMStatus N/A SIMSelection N/A Description Chooseacellularinterface(3G/4G1or3G/4G2)tochangetheSIMPINsetting fortheselectedSIMCard. Thenumberofphysicalmodemsdependsonthegatewaymodelyou purchased. IndicationfortheselectedSIMcardandtheSIMcardstatus. The status could be Ready, Not Insert, or SIM PIN. Ready -- SIM card is inserted and ready to use. It can be a SIM card without PIN protection or that SIM card is already unlocked by correct PIN code. Not Insert -- No SIM card is inserted in that SIM slot. SIM PIN -- SIM card is protected by PIN code, and its not unlocked by a correct PIN code yet. That SIM card is still at locked status. SelecttheSIMcardforfurtherSIMPINconfiguration. PresstheSwitchbutton,thentheGatewaywillswitchSIMcardtoanotherone. Afterthat,youcanconfiguretheSIMcard. 227 M2MCellularGateway Enable/ChangePINCode Enable or Disable PIN code (password) function, and even change PIN code function. SIMfunctionWindow ItemSetting SIMlock Valuesetting DependonSIMcard Remainingtimes Save ChangePINCode DependonSIMcard N/A N/A Description ClicktheEnable buttontoactivatetheSIMlockfunction. ForthefirsttimeyouwanttoenabletheSIMlockfunction,youhaveto fillinthePINcodeaswell,andthenclickSavebuttontoapplythesetting. RepresenttheremainingtrialtimesfortheSIMPINunlocking. ClicktheSavebuttontoapplythesetting. ClicktheChangePINcodebuttontochangethePINcode(password). IftheSIMLockfunctionisnotenabled,theChangePINcodebuttonis disabled.Inthecase,ifyoustillwanttochangethePINcode,youhaveto enabletheSIMLockfunctionfirst,fillinthePINcode,andthenclicktheSave buttontoenable.Afterthat,YoucanclicktheChangePINcodebuttonto changethePINcode. WhenChangePINCodebuttonisclicked,thefollowingscreenwillappear. ValueSetting AMustfilledsetting Description Fillinthecurrent (old)PINcodeoftheSIMcard. AMustfilledsetting AMustfilledsetting FillinthenewPINCodeyouwanttochange. ConfirmthenewPINCodeagain. N/A N/A ClicktheApplybuttontochangethePINcodewithspecifiednewPINcode. ClicktheCancel buttontocancelthechangesandkeepcurrentPINcode. Note:IfyouchangedthePINcodeforacertainSIMcard,youmustalsochangethecorrespondingPINcode 228 Item CurrentPIN Code NewPINCode VerifiedNew PINCode Apply Cancel M2MCellularGateway specified in the Basic Network >WAN & Uplink > Internet Setup >Connection with SIM Card page. Otherwise,itmayresultinwrongSIMPINtrialswithinvalid(old)PINcode. UnlockwithaPUKCode ThePUKFunctionwindowisonlyavailableforconfigurationifthatSIMcardislockedbyPUKcode.Itmeans thatSIMcardislockedandneedsadditionalPUKcodetounlock.Usuallyithappensaftertoomanytrialsof incorrectPINcode,andtheremainingtimesinSIMFunctiontableturnsto0.Inthissituation,youneedto contactyourserviceproviderandrequestaPUKcodeforyourSIMcard,andtrytounlockthelockedSIMcard withtheprovidedPUKcode.AfterunlockingaSIMcardbyPUKcodesuccessfully,theSIMlockfunctionwillbe activatedautomatically. PUKFunctionWindow Item PUKstatus Valuesetting PUKUnlock

/PUKLock Remainingtimes DependonSIMcard PUKCode NewPINCode AMustfilledsetting AMustfilledsetting Description IndicationforthePUKstatus. ThestatuscouldbePUKLockorPUKUnlock.Asmentionedearlier,theSIMcard willbelockedbyPUKcodeaftertoomanytrialsoffailurePINcode.Inthiscase, thePUKStatuswillturnstoPUKLock.Inanormalsituation,itwilldisplayPUK Unlock. Represent theremainingtrialtimesforthePUKunlocking. Note:DONOTmaketheremainingtimesdowntozero,itwilldamagetheSIM cardFOREVER!CallforyourISPshelptogetacorrectPUKandunlocktheSIMif youdonthavethePUKcode. FillinthePUKcode(8digits)thatcanunlocktheSIMcardinPUKunlockstatus. FillintheNewPINCode(4~8digits)fortheSIMcard. YouhavetodetermineyournewPINcodetoreplacetheold,forgottenone. KeepthePINcode(password)inmindwithcare. ClicktheSavebuttontoapplythesetting. Save N/A Note: If you changed the PUK code and PIN code for a certain SIM card, you must also change the correspondingPINcodespecifiedintheBasicNetwork>WAN&Uplink>InternetSetup>Connectionwith SIMCardpage.Otherwise,itmayresultinwrongSIMPINtrialswithinvalid(old)PINcode. 229 M2MCellularGateway 7.1.4USSD Unstructured Supplementary Service Data (USSD) is a protocol used by GSM cellular telephones to communicatewiththeserviceprovider'scomputers.USSDcanbeusedforWAPbrowsing,prepaidcallback service, mobilemoney services, locationbased content services, menubased information services, and as partofconfiguringthephoneonthenetwork. An USSD message is up to 182 alphanumeric characters in length. Unlike Short Message Service (SMS) messages, USSD messages create a realtime connection during an USSD session. The connection remains open,allowingatwowayexchangeofasequenceofdata.ThismakesUSSDmoreresponsivethanservices thatuseSMS. USSDScenario USSD allows you to have an instant bidirectional communicationwithcarrier/ISP.Inthediagram,theUSSD command *135# is referred to data roaming services. AftersendingthatUSSDcommandtocarrier,youcanget a response at window USSD Response. Please note the USSDcommandvariesfordifferentcarriers/ISP. 230 M2MCellularGateway USSDSetting GotoService>CellularToolkit>USSDtab. In"USSD"page,therearefourwindowsfortheUSSDfunction.The"Configuration"windowcanletyouspecify which3G/4Gmodule(physicalinterface)isusedfortheUSSDfunction,andsystemwillshowwhichSIMcardin themoduleisthecurrentusedone.Thesecondwindowisthe"USSDProfileList"anditshowsallyourdefined USSDprofilesthatstoreprecommandsforactivatinganUSSDsession.An"Add"buttoninthewindowcanlet youaddonenewUSSDprofileanddefinethecommandfortheprofileinthethirdwindow,the"USSDProfile Configuration". When you want to start the activation of an USSD connection session to the USSD server, select the USSD profile or type in the correct precommand, and then click on the "Send" button for the session. The responses from the USSD server will be displayed beneath the "USSD Command" line. When commandstypedinthe"USSDCommand"fieldaresent,receivedresponseswillbedisplayedinthe"USSD Response"blankspace.UsercancommunicatewiththeUSSDserverbysendingUSSDcommandsandgetting USSDresponsesviathegateway. USSDConfiguration Configuration Item PhysicalInterface SIMStatus Valuesetting Theboxis3G/4G1by default. N/A Description Chooseacellularinterface(3G/4G1or3G/4G2)toconfiguretheUSSDsetting fortheconnectedcellularservice(identifiedwithSIM_AorSIM_B). Showtheconnectedcellularservice(identifiedwithSIM_AorSIM_B). Create/EditUSSDProfile ThecellulargatewayallowsyoutocustomyourUSSDprofile.Itsupportsuptoamaximumof35USSDprofiles. WhenAddbuttonisapplied,USSDProfileConfigurationscreenwillappear. 231 M2MCellularGateway USSDProfileConfiguration Item ProfileName Valuesetting N/A USSDCommand N/A Description EnteranamefortheUSSDprofile. EntertheUSSDcommanddefinedfortheprofile. Normally,itisacommandstringcomposedwithnumerickeypad0~9,*, and#.TheUSSDcommandsarehighlyrelatedtothecellularservice,please checkwithyourserviceproviderforthedetails. Enterabriefcommentfortheprofile. Comments N/A SendUSSDRequest WhensendtheUSSDcommand,theUSSDResponsescreenwillappear. WhenclicktheClearbutton,theUSSDResponsewilldisappear. USSDRequest Item Valuesetting USSDProfile N/A USSDCommand N/A USSDResponse N/A Description SelectaUSSDprofilenamefromthedropdownlist. TheUSSDCommandstringoftheselectedprofilewillbeshownhere. ClicktheSendbuttontosendtheUSSDcommand,andtheUSSDResponse screenwillappear.Youwillseetheresponsemessageofthecorresponding service,receivetheserviceSMS. 232 M2MCellularGateway 7.1.5NetworkScan

"NetworkScan"functioncanletadministratorspecifythedevicehowtoconnecttothemobilesystemfor data communication in each 3G/4G interface. For example, administrator can specify which generation of mobilesystemisusedforconnection,2G,3GorLTE.Moreover,hecandefinetheirconnectionsequencefor thegatewaydevicetoconnecttothemobilesystemautomatically.Administratoralsocanscanthemobile systemsintheairmanually,selectthetargetoperatorsystemandapplyit.Themanualscanningapproachis usedforproblemdiagnosis. NetworkScanSetting GotoService>CellularToolkit>NetworkScantab. In"NetworkScan"page,therearetwowindowsfortheNetworkScanfunction.The"Configuration"window canletyouselectwhich3G/4Gmodule(physicalinterface)isusedtoperformNetworkScan,andsystemwill showthecurrentusedSIMcardinthemodule.Youcanconfigureeach3G/4GWANinterfacebyexecutingthe networkscanningoneafteranother.Youcanalsospecifytheconnectionsequenceofthetargetedgeneration ofmobilesystem,2G/3G/LTE. NetworkScanConfiguration Configuration Item Physical Interface SIMStatus Valuesetting Theboxis3G/4G1by default N/A NetworkType Autoisselectedby default. ScanApproach Autoisselectedby default. Description Chooseacellularinterface(3G/4G1or3G/4G2)forthenetworkscanfunction. Note:3G/4G2isonlyavailableforfortheproductwithdualcellularmodule. Showtheconnectedcellularservice(identifiedwithSIM_AorSIM_B). Specifythenetworktypeforthenetworkscanfunction. ItcanbeAuto,2GOnly,2Gprefer,3GOnly,3Gprefer,orLTEOnly. WhenAutoisselected,thenetworkwillberegisterautomatically;

Ifthepreferoptionisselected,networkwillberegisterforyouroptionfirst;

Iftheonlyoptionisselected,networkwillberegisterforyouroptiononly. WhenAutoselected,cellularmoduleregisterautomatically. IftheManuallyoptionisselected,aNetworkProviderListscreenappears. PressScanbuttontoscanforthenearestbasestations.Select(checkthebox) thepreferredbasestationsthenclickApplybuttontoapplysettings. 233 M2MCellularGateway Save N/A ClickSavetosavethesettings Thesecondwindowisthe"NetworkProviderList"windowanditappearswhentheManuallyScanApproach isselectedintheConfigurationwindow.Byclickingonthe"Scan"buttonandwaitfor1to3minutes,thefound mobileoperatorsystemwillbedisplayedforyoutochoose.Clickagainonthe"Apply"buttontodrivesystem toconnecttothatmobileoperatorsystemforthededicated3G/4Ginterface. 234 M2MCellularGateway Chapter8Status 8.1Dashboard(notsupported) Not supported feature for the purchased product, leave it as blank. 235 M2MCellularGateway 8.2BasicNetwork 8.2.1WAN&UplinkStatus GotoStatus>BasicNetwork>WAN&Uplinktab. TheWAN & Uplink Statuswindowshowsthecurrentstatus fordifferentnetworktype,includingnetwork configuration,connectinginformation,modemstatusandtrafficstatistics.Thedisplaywillberefreshedon everyfiveseconds. WANinterfaceIPv4NetworkStatus WANinterfaceIPv4NetworkStatusscreenshowsstatusinformationforIPv4network. WANinterfaceIPv4NetworkStatus Item ID Valuesetting N/A Interface WANType NetworkType IPAddr. SubnetMask Gateway DNS MACAddress Conn.Status N/A N/A N/A N/A N/A N/A N/A N/A N/A Description ItdisplayscorrespondingWANinterfaceWANIDs. ItdisplaysthetypeofWANphysicalinterface. Dependingonthemodelpurchased,itcanbeEthernet,3G/4G,etc... ItdisplaysthemethodwhichpublicIPaddressisobtainedfromyourISP. Dependingonthemodelpurchased,itcanbeStaticIP,DynamicIP,PPPoE, PPTP,L2TP,3G/4G. ItdisplaysthenetworktypefortheWANinterface(s). Dependingonthemodelpurchased,itcanbeNAT,Routing,Bridge,orIPPass through. ItdisplaysthepublicIPaddressobtainedfromyourISPforInternet connection.Defaultvalueis0.0.0.0ifleftunconfigured. ItdisplaystheSubnetMaskforpublicIPaddressobtainedfromyourISPfor Internetconnection.Defaultvalueis0.0.0.0ifleftunconfigured. ItdisplaystheGatewayIPaddressobtainedfromyourISPforInternet connection.Defaultvalueis0.0.0.0ifleftunconfigured. ItdisplaystheIPaddressofDNSserverobtainedfromyourISPforInternet connection.Defaultvalueis0.0.0.0ifleftunconfigured. ItdisplaystheMACAddressforyourISPtoallowyouforInternetaccess.Note:

NotallISPmayrequirethisfield. ItdisplaystheconnectionstatusofthedevicetoyourISP. 236 M2MCellularGateway Action N/A StatusareConnectedordisconnected. Thisareaprovidesfunctionalbuttons. RenewbuttonallowsusertoforcethedevicetorequestanIPaddressfrom theDHCPserver.Note:RenewbuttonisavailablewhenDHCPWANTypeis usedandWANconnectionisdisconnected. ReleasebuttonallowsusertoforcethedevicetoclearitsIPaddresssettingto disconnectfromDHCPserver.Note:ReleasebuttonisavailablewhenDHCP WANTypeisusedandWANconnectionisconnected. ConnectbuttonallowsusertomanuallyconnectthedevicetotheInternet. Note:ConnectbuttonisavailablewhenConnectionControlinWANType settingissettoConnectManually(RefertoEditbuttoninBasicNetwork>

WAN&Uplink>InternetSetup)andWANconnectionstatusisdisconnected. Disconnectbuttonallowsusertomanuallydisconnectthedevicefromthe Internet.Note:ConnectbuttonisavailablewhenConnectionControlinWAN TypesettingissettoConnectManually(RefertoEditbuttoninBasicNetwork

>WAN&Uplink>InternetSetup)andWANconnectionstatusisconnected. WANinterfaceIPv6NetworkStatus WANinterfaceIPv6NetworkStatusscreenshowsstatusinformationforIPv6network. WANinterfaceIPv6NetworkStatus Item ID Valuesetting N/A Interface WANType LinklocalIPAddress GlobalIPAddress Conn.Status Action N/A N/A N/A N/A N/A N/A Description ItdisplayscorrespondingWANinterfaceWANIDs. ItdisplaysthetypeofWANphysicalinterface. Dependingonthemodelpurchased,itcanbeEthernet,3G/4G,etc... ItdisplaysthemethodwhichpublicIPaddressisobtainedfromyourISP.WAN typesettingcanbechangedfromBasicNetwork>IPv6>Configuration. ItdisplaystheLANIPv6LinkLocaladdress. ItdisplaystheIPv6globalIPaddressassignedbyyourISPforyourInternet connection. Itdisplaystheconnectionstatus.Thestatuscanbeconnected,disconnected andconnecting. Thisareaprovidesfunctionalbuttons. 237 M2MCellularGateway EditButtonwhenpressed,webbasedutilitywilltakeyoutotheIPv6 configurationpage.(BasicNetwork>IPv6>Configuration.) LANInterfaceNetworkStatus LANInterfaceNetworkStatusscreenshowsIPv4andIPv6informationofLANnetwork. LANInterfaceNetworkStatus Item IPv4Address Valuesetting N/A IPv4SubnetMask IPv6Linklocal Address N/A N/A IPv6GlobalAddress N/A MACAddress N/A Action N/A Description ItdisplaysthecurrentIPv4IPAddressofthegateway ThisisalsotheIPAddressuserusetoaccessRoutersWebbasedUtility. Itdisplaysthecurrentmaskofthesubnet. ItdisplaysthecurrentLANIPv6LinkLocaladdress. ThisisalsotheIPv6IPAddressuserusetoaccessRoutersWebbasedUtility. ItdisplaysthecurrentIPv6globalIPaddressassignedbyyourISPforyour Internetconnection. ItdisplaystheLANMACAddressofthegateway Thisareaprovidesfunctionalbuttons. EditIPv4Buttonwhenpress,webbasedutilitywilltakeyoutotheEthernet LANconfigurationpage.(BasicNetwork>LAN&VLAN>EthernetLANtab). EditIPv6Buttonwhenpress,webbasedutilitywilltakeyoutotheIPv6 configurationpage.(BasicNetwork>IPv6>Configuration.) 3G/4GModemStatus 3G/4GModemStatusListscreenshowsstatusinformationfor3G/4GWANnetwork(s). 3G/4GModemStatusList Item Valuesetting Physical Interface N/A Description ItdisplaysthetypeofWANphysicalinterface. Note:Somedevicemodelmaysupporttwo3G/4Gmodules.Theirphysicalinterface 238 M2MCellularGateway Card Information LinkStatus Signal Strength Network Name Refresh Action N/A N/A N/A N/A N/A N/A namewillbe3G/4G1and3G/4G2. Itdisplaysthevendors3G/4Gmodemmodelname. Itdisplaysthe3G/4Gconnectionstatus.ThestatuscanbeConnecting,Connected, Disconnecting,andDisconnected. Itdisplaysthe3G/4Gwirelesssignallevel. Itdisplaysthenameoftheservicenetworkcarrier. ClicktheRefreshbuttontorenewtheinformation. Thisareaprovidesfunctionalbuttons. DetailButtonwhenpress,windowsofdetailinformationwillappear.Theyarethe ModemInformation,SIMStatus,andServiceInformation.Refertonextpagefor more. WhentheDetailbuttonis pressed,3G/4Gmodeminformationwindowssuchas ModemInformation,SIM Status,ServiceInformation,SignalStrength/Quality,andErrorMessagewillappear. InterfaceTrafficStatistics InterfaceTrafficStatisticsscreendisplaystheInterfacestotaltransmittedpackets. InterfaceTrafficStatistics Item ID Valuesetting N/A Interface ReceivedPackets

(Mb) TransmittedPackets

(Mb) N/A N/A N/A Description ItdisplayscorrespondingWANinterfaceWANIDs. ItdisplaysthetypeofWANphysicalinterface. Dependingonthemodelpurchased,itcanbeEthernet,3G/4G,etc Itdisplaysthedownstreampackets(Mb).Itisresetwhenthedeviceis rebooted. Itdisplaystheupstreampackets(Mb).Itisresetwhenthedeviceisrebooted. 239 M2MCellularGateway 8.2.2LAN&VLANStatus GotoStatus> BasicNetwork>LAN&VLANtab. ClientList TheClientListshowsyoutheLANInterface,IPaddress,HostName,MACAddress,andRemainingLeaseTime ofeachdevicethatisconnectedtothisgateway. LANClientList Item LANInterface IPAddress HostName MACAddress RemainingLease Time Valuesetting N/A N/A N/A N/A N/A Description ClientrecordofLANInterface.StringFormat. ClientrecordofIPAddressTypeandtheIPAddress.TypeisStringFormatand theIPAddressisIPv4Format. ClientrecordofHostName.StringFormat. ClientrecordofMACAddress.MACAddressFormat. ClientrecordofRemainingLeaseTime.TimeFormat. 240 M2MCellularGateway 8.2.3WiFiStatus(notsupported) Not supported feature for the purchased product, leave it as blank. 241 M2MCellularGateway 8.2.4DDNSStatus GotoStatus> BasicNetwork>DDNStab. TheDDNSStatuswindowshowsthecurrentDDNSserviceinuse,thelastupdatestatus,andthelastupdate timetotheDDNSserviceserver. DDNSStatus Description It displays the name you entered to identifyDDNSserviceprovider It displays the DDNS server of DDNSserviceprovider It displays the public IP address of the device updated to the DDNS server It displays whether the last update of the device public IP address to the DDNS server has been successful (Ok) or failed (Fail). It displays time stamp of the last update of public IP address to the DDNS server. Therefreshbuttonallowsusertoforcethedisplaytorefreshinformation. ValueSetting N/A N/A N/A DDNSStatus Item HostName Provider EffectiveIP LastUpdate N/A Status LastUpdateTime N/A Refresh N/A 242 M2MCellularGateway 8.3Security 8.3.1VPNStatus GotoStatus> Security>VPNtab. The VPN Status widow shows the overall VPN tunnel status. The display will be refreshed on every five seconds. IPSecTunnelStatus IPSec Tunnel Status windows show the configuration for establishing IPSec VPN connection and current connectionstatus. IPSecTunnelStatus Item TunnelName TunnelScenario LocalSubnets RemoteIP/FQDN RemoteSubnets Conn.Time Status Valuesetting N/A N/A N/A N/A N/A N/A N/A Description Itdisplaysthetunnelnameyouhaveenteredtoidentify. ItdisplaystheTunnelScenariospecified. ItdisplaystheLocalSubnetsspecified. ItdisplaystheRemoteIP/FQDNspecified. ItdisplaystheRemoteSubnetsspecified. ItdisplaystheconnectiontimefortheIPSectunnel. ItdisplaystheStatusoftheVPNconnection.Thestatusdisplaysare 243 M2MCellularGateway EditButton N/A OpenVPNClientStatus Valuesetting N/A OpenVPNClientStatus Item OpenVPNClient Name Interface Remote IP/FQDN RemoteSubnet TUN/TAP Read(bytes) TUN/TAP Write(bytes) TCP/UDP Read(bytes) TCP/UDP Write(bytes) Conn.Time Conn.Status N/A N/A N/A N/A N/A N/A N/A N/A N/A Connected,Disconnected,Waitfortraffic,andConnecting. ClickonEditButtontochangeIPSecsetting,webbasedutilitywilltakeyou totheIPSecconfigurationpage.(Security>VPN>IPSectab) Description Itdisplaysthe Client nameyouhaveenteredforidentification. ItdisplaystheWANinterfacespecifiedfortheOpenVPNclientconnection. Itdisplaysthe peer OpenVPN ServersPublicIPaddress(theWANIPaddress)or FQDN. ItdisplaystheRemoteSubnetspecified. ItdisplaystheTUN/TAPReadBytesofOpenVPNClient. Itdisplaysthe TUN/TAPWriteBytesofOpenVPNClient. ItdisplaystheTCP/UDPReadBytesofOpenVPNClient. ItdisplaystheTCP/UDPWriteBytesofOpenVPNClient. Connection Itdisplays the connectiontimeforthecorrespondingOpenVPNtunnel. ItdisplaystheconnectionstatusofthecorrespondingOpenVPNtunnel. ThestatuscanbeConnected,orDisconnected. 244 M2MCellularGateway L2TPClientStatus LT2TPClientStatusshowstheconfigurationforestablishingLT2TPtunnelandcurrentconnectionstatus. L2TPClientStatus Item ClientName Valuesetting N/A Interface VirtualIP RemoteIP/FQDN Default Gateway/Remote Subnet Conn.Time Status Edit N/A N/A N/A N/A N/A N/A N/A Description ItdisplaysNamefortheL2TPClientspecified. ItdisplaystheWANinterfacewithwhichthegatewaywillusetorequest PPTPtunnelingconnectiontothePPTPserver. ItdisplaystheIPaddressassignedbyVirtualIPserverofL2TPserver. ItdisplaystheL2TPServersPublicIPaddress(theWANIPaddress)or FQDN. ItdisplaysthespecifiedIPaddressofthegatewaydeviceusedtoconnectto theinternettoconnecttotheL2TPserverthedefaultgateway.Orother specifiedsubnetifthedefaultgatewayisnotusedtoconnecttotheL2TP servertheremotesubnet. ItdisplaystheconnectiontimefortheL2TPtunnel. ItdisplaystheStatusoftheVPNconnection.ThestatusdisplaysConnected, Disconnect,andConnecting. ClickonEditButtontochangeL2TPclientsetting,webbasedutilitywilltake youtotheL2TPclientpage.(Security>VPN>L2TPtab) 245 M2MCellularGateway PPTPClientStatus PPTPClientStatusshowstheconfigurationforestablishingPPTPtunnelandcurrentconnectionstatus. PPTPClientStatus Item ClientName Valuesetting N/A Interface VirtualIP RemoteIP/FQDN DefaultGateway/

RemoteSubnet Conn.Time Status EditButton N/A N/A N/A N/A N/A N/A N/A Description ItdisplaysNameforthePPTPClientspecified. ItdisplaystheWANinterfacewithwhichthegatewaywillusetorequest PPTPtunnelingconnectiontothePPTPserver. ItdisplaystheIPaddressassignedbyVirtualIPserverofPPTPserver. ItdisplaysthePPTPServersPublicIPaddress(theWANIPaddress)or FQDN. ItdisplaysthespecifiedIPaddressofthegatewaydeviceusedtoconnectto theinternettoconnecttothePPTPserverthedefaultgateway.Orother specifiedsubnetifthedefaultgatewayisnotusedtoconnecttothePPTP servertheremotesubnet. ItdisplaystheconnectiontimeforthePPTPtunnel. ItdisplaystheStatusoftheVPNconnection.ThestatusdisplaysConnected, Disconnect,andConnecting. ClickonEditButtontochangePPTPclientsetting,webbasedutilitywill takeyoutothePPTPserverpage.(Security>VPN>PPTPtab) 246 M2MCellularGateway 8.3.2FirewallStatus GotoStatus>Security>FirewallStatusTab. TheFirewallStatusprovidesuseraquickviewofthefirewallstatusandcurrentfirewallsettings.Italsokeeps theloghistoryofthedroppedpacketsbythe firewallrulepolicies,andincludestheadministratorremote loginsettingsspecifiedintheFirewallOptions. Byclickingtheicon[+],thestatustablewillbeexpandedtodisplayloghistory.ClickingtheEditbuttonthe screenwillbeswitchedtotheconfigurationpage. PacketFilterStatus PacketFilterStatus Item ActivatedFilter Rule Valuesetting N/A Detected Contents IP N/A N/A Description ThisisthePacketFilterRulename. Thisistheloggedpacketinformation,includingthesourceIP,destinationIP, protocol,anddestinationporttheTCPorUDP. Stringformat:

SourceIPtoDestinationIP:DestinationProtocol(TCPorUDP) TheSourceIP(IPv4)oftheloggedpacket. TheDateandTimestampoftheloggedpacket.Date&timeformat.("Month"

"Day""Hours":"Minutes":"Seconds") N/A Time Note:EnsurePacketFilterLogAlertisenabled. RefertoSecurity>Firewall>PacketFiltertab.CheckLogAlertandsavethesetting. URLBlockingStatus URLBlockingStatus Item Activated BlockingRule BlockedURL Valuesetting N/A N/A Description ThisistheURLBlockingRulename. Thisistheloggedpacketinformation. 247 M2MCellularGateway IP N/A TheSourceIP(IPv4)oftheloggedpacket. TheDateandTimestampoftheloggedpacket.Date&timeformat.("Month"

"Day""Hours":"Minutes":"Seconds") N/A Time Note:EnsureURLBlockingLogAlertisenabled. RefertoSecurity>Firewall>URLBlockingtab.CheckLogAlertandsavethesetting. WebContentFilterStatus Description Loggedpacketoftherulename.Stringformat. Valuesetting N/A WebContentFilterStatus Item ActivatedFilter Rule Detected Contents IP N/A N/A Loggedpacketofthefilterrule.Stringformat. LoggedpacketoftheSourceIP.IPv4format. LoggedpacketoftheDateTime.Datetimeformat("Month""Day"

"Hours":"Minutes":"Seconds") N/A Time Note:EnsureWebContentFilterLogAlertisenabled. RefertoSecurity>Firewall>WebContentFiltertab.CheckLogAlertandsavethesetting. 248 M2MCellularGateway MACControlStatus Valuesetting N/A MACControlStatus Item Activated ControlRule BlockedMAC Addresses IP N/A N/A ThisistheMACControlRulename. Description ThisistheMACaddressoftheloggedpacket. TheSourceIP(IPv4)oftheloggedpacket. TheDateandTimestampoftheloggedpacket.Date&timeformat.("Month"

"Day""Hours":"Minutes":"Seconds") N/A Time Note:EnsureMACControlLogAlertisenabled. RefertoSecurity>Firewall>MACControltab.CheckLogAlertandsavethesetting. ApplicationFiltersStatus ApplicationFiltersStatus Item FilteredApplication Category FilteredApplication Name IP N/A N/A Valuesetting N/A Description ThenameoftheApplicationCategorybeingblocked. ThenameoftheApplicationbeingblocked. TheSourceIP(IPv4)oftheloggedpacket. TheDateandTimestampoftheloggedpacket.Date&timeformat.("Month"

"Day""Hours":"Minutes":"Seconds") N/A Time Note:EnsureApplicationFilterLogAlertisenabled. RefertoSecurity>Firewall>ApplicationFiltertab.CheckLogAlertandsavethesetting. 249 M2MCellularGateway IPSStatus IPSFirewallStatus Item Detected Intrusion IP Valuesetting N/A N/A Description Thisistheintrusiontypeofthepacketsbeingblocked. TheSourceIP(IPv4)oftheloggedpacket. TheDateandTimestampoftheloggedpacket.Date&timeformat.("Month""Day"

"Hours":"Minutes":"Seconds") N/A Time Note:EnsureIPSLogAlertisenabled. RefertoSecurity>Firewall>IPStab.CheckLogAlertandsavethesetting. FirewallOptionsStatus FirewallOptionsStatus Item StealthMode Valuesetting N/A SPI Discard Ping from WAN Remote Administrator Management N/A N/A N/A Description EnableorDisablesettingstatusofStealthModeonFirewallOptions. StringFormat:DisableorEnable EnableorDisablesettingstatusofSPIonFirewallOptions. StringFormat:DisableorEnable EnableorDisablesettingstatusofDiscardPingfromWANonFirewall Options. StringFormat:DisableorEnable EnableorDisablesettingstatusofRemoteAdministrator. IfRemoteAdministratorisenabled,itshowsthecurrentlyloggedin administratorssourceIPaddressandloginusernameandthelogintime. Format:

IP:"SourceIP",UserName:"LoginUserName",Time:"Datetime"

Example:

IP:192.168.127.39,UserName:admin,Time:Mar301:34:13 Note:EnsureFirewallOptionsLogAlertisenabled. RefertoSecurity>Firewall>Optionstab.CheckLogAlertandsavethesetting. 250 M2MCellularGateway 8.4Administration 8.4.1Configure&ManageStatus GotoStatus>Administration>Configure&Managetab. TheConfigure&ManageStatuswindowshowsthestatusformanagingremotenetworkdevices.Thetypeof managementavailableinyourdeviceisdependedonthedevicemodelpurchased.Thecommonlyusedones aretheSNMP,TR069,andUPnP. SNMPLinkingStatus SNMPLinkStatusscreenshowsthestatusofcurrentactiveSNMPconnections. SNMPLinkStatus Item UserName Valuesetting N/A IPAddress Port N/A N/A Community Auth.Mode PrivacyMode SNMPVersion N/A N/A N/A N/A Description Itdisplaystheusernameforauthentication.ThisisonlyavailableforSNMP version3. ItdisplaystheIPaddressofSNMPmanager. ItdisplaystheportnumberusedtomaintainconnectionwiththeSNMP manager. ItdisplaysthecommunityforSNMPversion1orversion2conly. ItdisplaystheauthenticationmethodforSNMPversion3only. Itdisplaystheprivacymodeforversion3only. ItdisplaystheSNMPVersionemployed. SNMPTrapInformation SNMPTrapInformationscreenshowsthestatusofcurrentreceivedSNMPtraps. SNMPTrapInformation Item TrapLevel Time TrapEvent Valuesetting N/A N/A N/A Description Itdisplaysthetraplevel. Itdisplaysthetimestampoftrapevent. ItdisplaystheIPaddressofthetrapsenderandeventtype. 251 M2MCellularGateway TR069Status TR069StatusscreenshowsthecurrentconnectionstatuswiththeTR068server. TR069Status Item Valuesetting LinkStatus N/A Description ItdisplaysthecurrentconnectionstatuswiththeTR068server.Theconnection statusiseitherOnwhenthedeviceisconnectedwiththeTR068serverorOff whendisconnected. 252 M2MCellularGateway 8.5Statistics&Report 8.5.1ConnectionSession GotoStatus>Statistics&Reports>ConnectionSessiontab. InternetSurfingStatisticshowstheconnectiontracksonthisrouter. InternetSurfingStatistic Item Previous Next First Last Export(.xml) Export(.csv) Refresh Valuesetting N/A N/A N/A N/A N/A N/A N/A Description ClickthePreviousbutton;youwillseethepreviouspageoftracklist. ClicktheNextbutton;youwillseethenextpageoftracklist. ClicktheFirstbutton;youwillseethefirstpageoftracklist. ClicktheLastbutton;youwillseethelastpageoftracklist. ClicktheExport(.xml)buttontoexportthelisttoxmlfile. ClicktheExport(.csv)buttontoexportthelisttocsvfile. ClicktheRefreshbuttontorefreshthelist. 253 M2MCellularGateway 8.5.2NetworkTraffic(notsupported) Not supported feature for the purchased product, leave it as blank. 254 M2MCellularGateway 8.5.3DeviceAdministration GotoStatus>Statistics&Reports>DeviceAdministrationtab. DeviceAdministrationshowsthelogininformation. DeviceManagerLoginStatistic Item Previous Next First Last Export(.xml) Export(.csv) Refresh Valuesetting N/A N/A N/A N/A N/A N/A N/A Description ClickthePreviousbutton;youwillseethepreviouspageofloginstatistics. ClicktheNextbutton;youwillseethenextpageofloginstatistics. ClicktheFirstbutton;youwillseethefirstpageofloginstatistics. ClicktheLastbutton;youwillseethelastpageofloginstatistics. ClicktheExport(.xml)buttontoexporttheloginstatisticstoxmlfile. ClicktheExport(.csv)buttontoexporttheloginstatisticstocsvfile. ClicktheRefreshbuttontorefreshtheloginstatistics. 255 M2MCellularGateway 8.5.4CellularUsage GotoStatus>Statistics&Reports>CellularUsagetab. CellularUsagescreenshowsdatausagestatisticsfortheselectedcellularinterface.Thecellulardatausage canbeaccumulatedperhourorperday. 256 M2MCellularGateway AppendixAGPLWRITTENOFFER This product incorporates open source software components covered by the terms of third party copyright notices and license agreements contained below. GPSBabel Version 1.4.4 Copyright (C) 2002-2005 Robert Lipe<robertlipe@usa.net>

GPL License: https://www.gpsbabel.org/

brctl - ethernet bridge administration Stephen Hemminger <shemminger@osdl.org>

Lennert Buytenhek <buytenh@gnu.org>

version 1.1 GNU GENERAL PUBLIC LICENSE Version 2, June 1991 tc - show / manipulate traffic control settings Stephen Hemminger<shemminger@osdl.org>

Alexey Kuznetsov<kuznet@ms2.inr.ac.ru>

version iproute2-ss050330 GNU GENERAL PUBLIC LICENSE Version 2, June 1991 dhcp-fwd starts the DHCP forwarding agent Enrico Scholz <enrico.scholz@informatik.tu-chemnitz.de>

version 0.7 GNU GENERAL PUBLIC LICENSE Version 2, June 1991 lftp - Sophisticated file transfer program Alexander V. Lukyanov <lav@yars.free.net>

LibModbus Version: 3.0.3 LGPL v2 http://libmodbus.org/news/

1307 USA https://sourceforge.net/projects/mrts/

1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. https://www.openswan.org/

Opennhrp Version: v0.14.1 OpenNHRP is an NHRP implementation for Linux. It has most of the RFC2332 and Cisco IOS extensions. Project homepage: http://sourceforge.net/projects/opennhrp Git repository: git://opennhrp.git.sourceforge.net/gitroot/opennhrp LICENSE OpenNHRP is licensed under the MIT License. See MIT-LICENSE.txt for additional details. OpenNHRP embeds libev. libev is dual licensed with 2-clause BSD and GPLv2+ licenses. See libev/LICENSE for additional details. OpenNHRP links to c-ares. c-ares is licensed under the MIT License. https://sourceforge.net/projects/opennhrp/

IPSec-tools Version: v0.8 No GPL be written http://ipsec-tools.sourceforge.net/

PPTP Version: pptp-1.7.1 GNU GENERAL PUBLIC LICENSE Version 2, June 1991 258 M2MCellularGateway Copyright (C) 1989, 1991 Free Software Foundation, Inc. 675 Mass Ave, Cambridge, MA 02139, USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. http://pptpclient.sourceforge.net/

PPTPServ Version: 1.3.4 GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 675 Mass Ave, Cambridge, MA 02139, USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. http://poptop.sourceforge.net/

L2TP Version: 0.4 Copying All software included in this package is Copyright 2002 Roaring Penguin Software Inc. You may distribute it under the terms of the GNU General Public License (the "GPL"), Version 2, or (at your option) any later version. http://www.roaringpenguin.com/

1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. http://www.xelerance.com/software/xl2tpd/

Mpstat: from sysstat, system performance tools for Linux Version: 10.1.6 Copyright: (C) 1999-2013 by Sebastien Godard (sysstat <at> orange.fr) SSHD: dropbear, a SSH2 server Version: 0.53.1 Copyright: (c) 2002-2008 Matt Johnston Libncurses: The ncurses (new curses) library is a free software emulation of curses in System V Release 4.0

(SVr4), and more. Version: 5.9 Copyright: (c) 1998,2000,2004,2005,2006,2008,2011,2015 Free Software Foundation, Inc., 51 Franklin Street, Boston, MA 02110-1301, USA MiniUPnP: The miniUPnP daemon is an UPnP IGD (internet gateway device) which provide NAT traversal services to any UPnP enabled client on the network. Version: 1.7 Copyright: (c) 2006-2011, Thomas BERNARD 259 M2MCellularGateway CoovaChilli is an open-source software access controller for captive portal (UAM) and 802.1X access provisioning. Version: 1.3.0 Copyright: (C) 2007-2012 David Bird (Coova Technologies) <support@coova.com>

Krb5: Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. Version: 1.11.3 Copyright: (C) 1985-2013 by the Massachusetts Institute of Technology and its contributors OpenLDAP: a suite of the Lightweight Directory Access Protocol (v3) servers, clients, utilities, and development tools. Version: 2.4 Copyright: 1998-2014 The OpenLDAP Foundation Samba3311: the free SMB and CIFS client and server for UNIX and other operating systems Version: 3.3.11 Copyright: (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>

NTPClient: an NTP (RFC-1305, RFC-4330) client for unix-alike computers Version: 2007_365 Copyright: 1997, 1999, 2000, 2003, 2006, 2007 Larry Doolittle exFAT: FUSE-based exFAT implementation Version: 0.9.8 Copyright: (C) 2010-2012 Andrew Nayenko ONTFS_3G: The NTFS-3G driver is an open source, freely available read/write NTFS driver for Linux, FreeBSD, Mac OS X, NetBSD, Solaris and Haiku. Version: 2009.4.4 Copyright: (C) 1989, 1991 Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-

1301 USA mysql-5_1_72: a release of MySQL, a dual-license SQL database server Version: 5.1.72 Copyright: (c) 2000, 2013, Oracle and/or its affiliates FreeRadius: a high performance and highly configurable RADIUS server Version: 2.1.12 Copyright: (C) 1999-2011 The FreeRADIUS server project and contributors Linux IPv6 Router Advertisement Daemon radvd Version: V 1.15 Copyright (c) 1996,1997 by Lars Fenneberg<lf@elemental.net>

BSD License: http://www.litech.org/radvd/

WIDE-DHCPv6 Dynamic Host Configuration Protocol for IPv6 (DHCPv6) clients, servers, and relay agents. 260 M2MCellularGateway Federal Communication Commission Interference Statement Version: 20080615 Copyright (C) 1998-2004 WIDE Project. BSD License: https://sourceforge.net/projects/wide-dhcpv6/

This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation. This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one of the following measures:

- Reorient or relocate the receiving antenna.

- Increase the separation between the equipment and receiver.

- Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.

- Consult the dealer or an experienced radio/TV technician for help. FCC Caution: Any changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate this equipment. This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter. 261 M2MCellularGateway FOR MOBILE DEVICE USAGE (>20cm/low power) Radiation Exposure Statement:

This equipment complies with FCC radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with minimum distance 20cm between the radiator & your body.

exhibit
download
text

Internal Photos

Internal Photos

pdf

2.41 MiB

July 08 2018

exhibit
download
text

External Photos rev 3

External Photos

pdf

1012.99 KiB

July 08 2018

exhibit
download
text

Label Sample & Label Location

ID Label/Location Info

pdf

150.47 KiB

July 08 2018

exhibit
download
text

Attestation (Channel and Mode Declaration)

Attestation Statements

pdf

208.99 KiB

July 08 2018

exhibit
download
text

Confidentiality Request

Cover Letter(s)

pdf

285.05 KiB

July 08 2018

exhibit
download
text

Cover Letter (Agent Authorization)

Cover Letter(s)

pdf

297.66 KiB

July 08 2018

		frequency	equipment class	purpose
1	2018-08-07	2412 ~ 2462	DTS - Digital Transmission System	Original Equipment

Application Forms

app s	Applicant Information
1	Effective	2018-08-07
1	Applicant's complete, legal business name	Advance Multimedia Internet Technology Inc.
1	FCC Registration Number (FRN)	0009723586
1	Physical Address	No.28, Lane 31, Sec. 1, Huandong Rd.
1		Tainan City, 74146
1		Taiwan

app s	TCB Information
1	TCB Application Email Address	t******@us.bureauveritas.com
1	TCB Scope	A4: UNII devices & low power transmitters using spread spectrum techniques

app s	FCC ID
1	Grantee Code	PBL
1	Equipment Product Code	ISL500001

app s	Person at the applicant's address to receive grant or for contact
1	Name	F** L******
1	Title	Engineer
1	Telephone Number	886-6********
1	Fax Number	886-6********
1	E-mail	F******@amit.com.tw

app s	Technical Contact
		n/a

app s	Non Technical Contact
		n/a

app s	Confidentiality (long or short term)
1	Does this application include a request for confidentiality for any portion(s) of the data contained in this application pursuant to 47 CFR § 0.459 of the Commission Rules?:	Yes
1	Long-Term Confidentiality Does this application include a request for confidentiality for any portion(s) of the data contained in this application pursuant to 47 CFR § 0.459 of the Commission Rules?:	No
	if no date is supplied, the release date will be set to 45 calendar days past the date of grant.

app s	Cognitive Radio & Software Defined Radio, Class, etc
1	Is this application for software defined/cognitive radio authorization?	No
1	Equipment Class	DTS - Digital Transmission System
1	Description of product as it is marketed: (NOTE: This text will appear below the equipment class on the grant)	IIoT 4G
1	Related OET KnowledgeDataBase Inquiry: Is there a KDB inquiry associated with this application?	No
1	Modular Equipment Type	Does not apply
1	Purpose / Application is for	Original Equipment
1	Composite Equipment: Is the equipment in this application a composite device subject to an additional equipment authorization?	No
1	Related Equipment: Is the equipment in this application part of a system that operates with, or is marketed with, another device that requires an equipment authorization?	No
1	Grant Comments	Power listed is the maximum combined conducted output power. End-users and responsible parties must be provided with operating and installation instructions to ensure RF exposure compliance. The antenna(s) used for this transmitter must be installed to provide a separation distance of at least 20 cm from all persons and must not be co-located or operating in conjunction with any other antenna or transmitter, except the collocation as described in this filing or in accordance with FCC multi-transmitter product guidelines. This device has 20 MHz and 40 MHz bandwidth modes.
1	Is there an equipment authorization waiver associated with this application?	No
1	If there is an equipment authorization waiver associated with this application, has the associated waiver been approved and all information uploaded?	No

app s	Test Firm Name and Contact Information
1	Firm Name	Bureau Veritas CPS (H.K.) Ltd., Taoyuan Branch
1	Name	R** C******
1	Telephone Number	+886-******** Extension:
1	Fax Number	+886-********
1	E-mail	r******@tw.bureauveritas.com

Equipment Specifications
	Line	Rule Parts	Grant Notes	Lower Frequency	Upper Frequency	Power Output	Tolerance	Emission Designator	Microprocessor Number
1	1	15C		2412.00000000	2462.00000000	0.0990000

some individual PII (Personally Identifiable Information) available on the public forms may be redacted, original source may include additional details