Cradlepoint AER3100 – Manual
The All-in-One, Cloud-Managed Networking Platform for the Distributed Enterprise
Cradlepoint’s AER3100 is the industry’s most robust cellular WAN management application system, and is the only 4G LTE networking platform to offer dual-modem multi-carrier support and Unified Threat Management (UTM) capabilities to meet the growing needs of small and micro branch networks.
Introduction
Package Contents
System Requirements
Specifications
Hardware
LEDs
Quick Start
Basic Setup
Accessing the Administration Pages
First Time Setup Wizard
Using Enterprise Cloud Manager
Administration Pages
The AER3100 administration pages include the following five tabs: See Navigating the Administration Pages for helpful information about how to use the device's GUI-based management interface.
Internet Connections
Routing
Statistics
System Logs
Network Settings
Content Filtering
DHCP Server
DNS
Firewall
Local Networks
MAC Filter / Logging
Routing
Internet
Connection Manager
Data Usage
WAN Affinity / Load Balancing
System Settings
Administration
Device Alerts
Enterprise Cloud Manager
Serial Redirector
SNMP Configuration
System Control
System Software
Package Contents
AER3100 or AER3150 with integrated MC400 4G LTE modem
External 3G/4G mobile broadband modem antennas (2) (SMA); finger tighten only
External dual-band high-gain WiFi antennas (3), reverse SMA (5 dBi 2.4 GHz, 5 dBi 5 GHz, VSWR ≤ 2); finger tighten only
54V 2.
WAN Port Speed Control
WAN/LAN Affinity
IP Passthrough
LAN
13 10/100/1000 Ethernet ports (WAN/LAN switchable); supports four ports of PoE (9-12) for class I, II, or III devices (up to 15W) or two ports of high-power PoE for class IV devices (up to 30W)
LLDP support
VLAN 802.1Q
DHCP Server, Client, Relay
DNS and DNS Proxy
DynDNS
Split DNS
UPnP
DMZ
Multicast/Multicast Proxy
QoS (DSCP and Priority Queuing)
MAC Address Filtering
WiFi (only on AER3100)
Dual-Band Dual-Concurrent (3×3 MIMO) 802.
OpenVPN (SSL VPN) [1]
L2TP [1]
GRE Tunnel
OSPF/BGP/RIP [1]
Per-Interface Routing
Static Routing
NAT-less Routing
Virtual Server/Port Forwarding
VTI Tunnel Support
NEMO/DMNR [1]
IPv6
VRRP [1]
STP [1]
NHRP [1]
Security
RADIUS and TACACS+
802.
2 – Enterprise Cloud Manager requires a subscription
3 – Requires a CP Secure Threat Management license
4 – Requires Zscaler Internet Security License
5 – Requires CradleCare Support
Technical Specifications
WAN: Integrated 4G LTE (one modem included; dual-modem option) Multi-Carrier Software-Defined radio; 13 10/100/1000 Ethernet ports (cable/DSL/T1/satellite/Metro Ethernet; WAN/LAN switchable); WiFi* (as WAN; Metro WiFi) 3x3 MIMO 2.4 GHz or 5 GHz (802.
, and 5-year options
One-year limited hardware warranty available in the US and Canada; two-year limited hardware warranty for integrated EU products when purchased from an authorized EU distributor – extend warranty to 2, 3, or 5 years
Accessories
Second integrated 4G LTE modem:
MC400LPE-VZ (Verizon)
MC400LPE-AT (AT&T)
MC400LPE-SP (Sprint)
MC400LPE-GN (generic – for use on T-Mobile in the U.S.
Technology: LTE, HSPA+, EVDO Rev A
Downlink Rates: LTE 100 Mbps, HSPA+ 21.1 Mbps, EVDO 3.1 Mbps (theoretical)
Uplink Rates: LTE 50 Mbps, HSPA+ 5.76 Mbps, EVDO 1.8 Mbps (theoretical)
Frequency Bands: LTE Band 2 (1900 MHz), Band 4 – AWS (1700/2100 MHz), Band 5 (850 MHz), Band 13 (700 MHz), Band 17 (700 MHz), Band 25 (1900 MHz); HSPA+/UMTS (850/900/1900/2100 MHz, AWS); GSM/GPRS/EDGE (850/900/1800/1900 MHz); CDMA EVDO Rev A/1xRTT (800/1900 MHz)
Power: LTE 23 dBm ±1, HSPA+ 23 dBm ±1, EVDO 24 dBm +0.
CDMA EVDO Rev A/1xRTT (800/1900 MHz)
Power: LTE 23 dBm ±1, HSPA+ 23 dBm ±1, EVDO 24 dBm +0.5/−1 (typical conducted)
Antennas: two SMA male (plug), 1 dBi (LTE), 2 dBi (Cellular/PCS) gain; finger tighten only (maximum torque spec is 7 kgf-cm)
GPS: active GPS support
Industry Standards & Certs: PTCRB, FCC, IC, AT&T
Modem Part Number: MC400LPE
AER3100LPE-SP – 4G LTE/HSPA+/EVDO for Sprint
Technology: LTE, HSPA+, EVDO Rev A
Downlink Rates: LTE 100 Mbps, HSPA+ 21.1 Mbps, EVDO 3.
AER3100LP3-EU (3100LP3-UK*) – 4G LTE/HSPA+ for Europe (United Kingdom)
Technology: LTE, HSPA+
Downlink Rates: LTE 100 Mbps, HSPA+ 21.1 Mbps (theoretical)
Uplink Rates: LTE 50 Mbps, HSPA+ 5.
CDMA EVDO Rev A/1xRTT (800/1900 MHz)
Power: LTE 23 dBm ±1, HSPA+ 23 dBm ±1, EVDO 24 dBm +0.5/−1 (typical conducted)
Antennas: two SMA male (plug), 1 dBi (LTE), 2 dBi (Cellular/PCS) gain; finger tighten only (maximum torque spec is 7 kgf-cm)
GPS: active GPS support
Industry Standards & Certs: PTCRB, FCC, IC
Modem Part Number: MC400LPE
AER3150LPE-GN – 4G LTE/HSPA+/EVDO (generic – for use on T-Mobile in the U.S.
Hardware
Front Panel
Modems Removed
Back Panel
Antennas
When connecting the provided antennas, review the connection points: WiFi antennas have flat circular bases (RSMA). Modem antennas have protruding pins (SMA).
LEDs
– POWER
The Cradlepoint AER3100 must be powered using an approved 54V DC power source.
Green = Powered ON.
No Light = Not receiving power. Check the power switch and the power source connection.
Flashing Amber = Attention. Open the administration pages and check the router status.
– VPN
Indicates information about a VPN data source.
Green = Active VPN tunnel.
– WiFi BROADCAST (only on AER3100)
These two LEDs indicate activity on the WiFi broadcast for both the 2.4 GHz and 5 GHz bands.
2.4GHz (green) = 2.4 GHz WiFi is on and operating normally.
5GHz (blue) = 5 GHz WiFi is on and operating normally.
– SIGNAL STRENGTH
Blue LED bars indicate the active modem’s signal strength.
4 Solid Bars = Strongest signal.
1 Blinking Bar = Weakest signal. (A blinking bar indicates half of a bar.
Quick Start
Basic Setup
Accessing the Administration Pages
First Time Setup Wizard
Using Enterprise Cloud Manager
Basic Setup
1. Insert an activated SIM.
A wireless broadband data plan must be added to your Cradlepoint AER3100. Wireless broadband data plans are available from wireless carriers such as Verizon, AT&T, Sprint, EE, and Vodafone. The SIM must be provisioned with the carrier. Contact your carrier for details about selecting a data plan and about the process for provisioning your SIM.
2. Attach the internal modem.
Follow these steps to attach the internal modem(s):
1) On the front of the router, press the two tabs on the modem cover together and pull the cover straight out. Remove the Main, Aux, and GPS plugs.
2) Slide the modem(s) into the USB port(s).
3) Reattach the modem cover.
router near the front.
3. Attach the WiFi and modem antennas.
Attach the three WiFi antennas (included) and two modem antennas to the connectors. Antennas are jointed, which enables you to position them for optimal signal. To attach, hold the antenna straight and twist the base of the antenna to connect, folding the joint if needed.
Examples of suggested antenna orientations:
Ensure that the router antennas are not near metal or other RF reflective surfaces.
4. Connect the power source.
Ensure power is switched on: O = OFF, I = ON. When you set the power switch to the ON ( I ) position, watch for the power LED to illuminate.
5. Connect to a computer or other network equipment.
Connect wirelessly to the WiFi broadcast or with an Ethernet cable connected to your computer and then plugged into one of the Ethernet LAN ports (numbered 1–12).
Accessing the Administration Pages
Once you are connected, open the Cradlepoint AER3100’s GUI-based administration pages to make configuration changes to your router.
1. Open a browser window and type “cp/” or “192.168.0.1” in the address bar. Press ENTER/RETURN.
2. When prompted for your password, type the eight-character DEFAULT PASSWORD found on the product label.
Getting Started
ECM on the Knowledge Base
Navigating the Administration Pages
To access the administration pages, open a web browser and type the hostname “cp/” or IP address “http://192.168.0.1” into the address bar. The Administrator Login page appears.
NOTE: The hostname and IP address are editable; “cp” and “192.168.0.1” are the defaults. If you have changed these, input your customized hostname or IP address into the web browser to access the administration pages.
Log in using your administrator password.
The Cradlepoint logo in the top left corner of all the administration pages is a link to the Dashboard (Status → Dashboard), which displays fundamental information about the router.
The bar across the top provides quick access to important information and controls:
Internet Connections – This links to Status → Internet Connections where you can view in-depth information about your Internet sources.
– Click on this dot to link to Internet → Connection Manager where you can manage your WAN interfaces.
– Click on the green image of signal strength bars to open a "Modem Connection Quality" popup window that shows the strength of your Internet signal.
WiFi Clients – Click to view a signal strength indicator for your network, "WiFi Connection Strength".
– The number listed in the orange block shows the number of attached clients. Click this to go to the Client List page (Status → Client List).
ECM Managed – Click here to open the System Settings → Enterprise Cloud Manager page.
GETTING STARTED
Enterprise Cloud Manager Registration
First Time Setup
IP Passthrough Setup
Enterprise Cloud Manager Registration
Cradlepoint Enterprise Cloud Manager is Cradlepoint’s network management and application platform. Enterprise Cloud Manager (ECM) integrates cloud management with your Cradlepoint devices to improve productivity, increase reliability, reduce costs, and enhance the intelligence of your network and business operations.
For more information about how to use Cradlepoint Enterprise Cloud Manager, see the following:
Getting Started
ECM on the Knowledge Base
First Time Setup
When you log in for the first time, you will be automatically directed to the FIRST TIME SETUP WIZARD, which will walk you through the steps to customize your Cradlepoint AER3100.
newly established wireless network name and password.
NOTE: To return to the First Time Setup Wizard after your initial login, select GETTING STARTED on the top navigation bar and FIRST TIME SETUP in the dropdown menu.
Administrator Password
Cradlepoint recommends that you change the router’s ADMINISTRATOR PASSWORD, which is used to log into the administration pages. The administrator password is separate from the WiFi security password, although initially the Default Password is used for both.
WiFi Security Mode
Choose the WiFi SECURITY MODE that best fits your needs:
BEST (WPA2): Select this option if your wireless adapters support WPA2-only mode. This will connect to most new devices and is the most secure, but may not connect to older devices or some handheld devices such as a PSP.
GOOD (WPA1 & WPA2): Select this option if your wireless adapters support WPA or WPA2. This is the most compatible with modern devices and PCs.
If you are using a SIM-based modem (LTE/GSM/HSPA) with your Cradlepoint router, you may need to configure the APN before it will properly connect to your carrier. Wireless carriers offer several APNs, so check with your carrier to confirm the appropriate one to use. Some examples include:
AT&T: "broadband"
T-Mobile: "epc.tmobile.com"
Rogers LTE: "lteinternet.apn"
Bell: "inet.bell.ca"
TELUS: "isp.telus.com"
You can either leave this on the Default setting or select Manual and input a specific APN.
Configuring Failure Check
It is possible for a WAN interface to go down without the router recognizing the failure. (For example: the carrier for a cellular modem goes dormant, or your Ethernet connection is properly attached to a modem but the modem becomes disconnected from its Internet source.) Enable Failure Check to ensure that you can get out to the Internet via your primary WAN connection. This option is disabled by default because it may use data unnecessarily. Use this in combination with failover.
Please record these settings for future access. You may need this information to configure other wireless devices.
NOTE: If you are currently using the device's WiFi network, reconnect to the network using the new wireless network name and security password.
Click APPLY to save the settings and update them to your router.
IP Passthrough Setup
You can quickly enable IP passthrough with the IP Passthrough Setup Wizard available under Getting Started → IP Passthrough Setup.
All router-based VPN and GRE services will be disabled.
The Routing Mode will be set to IP Passthrough. (Network Settings → WiFi / Local Networks in the “Local Network Editor” under “IP Settings”)
The Subnet Selection Mode will be set to "Automatically Create Subnet" (Network Settings → WiFi / Local Networks in the “Local Network Editor” under “IP Settings” – this shows once IP Passthrough is set as the Routing Mode).
STATUS
The Status section of the Administration Pages displays information about many different aspects of the router. The Status tab has the following dropdown menu items:
Client List
CP Secure VPN
Dashboard
Firewall
GPS
GRE Tunnels
Hotspot Clients
Internet Connections
LLDP
OpenVPN Tunnels
QoS
Routing
Statistics
System Logs
VPN Tunnels
Client List
The Client List displays the specifications of each device connected to your router, including wireless and wired clients.
Wired Clients
For each device using a wired connection to your router, the following information is displayed: Hostname, IP, and MAC.
Client List Fields
Hostname: The name by which each computer or device in a network is known.
IP: The “IP address,” or “Internet Protocol address,” specifies a location for each device.
MAC: This is the "MAC address", a factory-assigned identifier used to identify a specific attached computer or device.
Connection: Summary of the wireless connection. For example: 802.
Dashboard
The Dashboard shows fundamental information about your router, divided into the following basic categories:
Router Information
Internet
Local Networks
WiFi Networks
For more in-depth information and/or configuration options, click on the Detailed Info link beside the category title.
Router Information "Detailed Info" links to System Settings → Administration.
Access – Admin Access, LAN Isolation, UPnP (Universal Plug and Play), and/or DHCP
To configure a network, see: Network Settings → WiFi / Local Networks.
WiFi Networks
“Detailed Info” links to Network Settings → WiFi / Local Networks. For each enabled WiFi radio (2.4 GHz and 5 GHz if available), the following information is displayed:
WiFi Radio: Channel – 1-11 for 2.
GPS If a modem capable of providing GPS coordinates is connected and GPS support is enabled, this page will show a graphical view of your router's location. See the GPS section in System Settings → Administration to enable GPS support.
GPS information is only displayed if 1) the modem supports GPS, 2) your carrier allows the GPS functionality, and 3) the modem has sufficient GPS signal strength. If no information is displayed, check that both the modem and your carrier support GPS. If GPS is supported, make sure the modem is in an area where it can receive a signal from the GPS satellites.
GRE Tunnels
View the status of configured GRE Tunnels. To set up or edit a GRE tunnel, go to Internet → GRE Tunnels.
Hotspot Clients
View the status of the clients that have logged in through the Hotspot/Captive Portal. View:
Hostname
IP address
MAC address
Data Usage (both IN and OUT)
Time Online
You may revoke a client's access to the Internet by clicking the 'Revoke' button.
Internet Connections
The Internet Connections submenu option provides a list of attached WAN devices used as the Internet source for the router.
Select one of these devices to see detailed information about that particular device. Possible devices include:
Ethernet
3G/4G modem
WiFi as WAN
The information displayed varies greatly depending on the technology, especially for 3G/4G modems. Cradlepoint passes on the information provided by the modems, which is specific to the carrier (e.g. Verizon) and technology (e.g. LTE).
WiFi as WAN example:
LLDP View a list of devices connected by Ethernet that have LLDP enabled. Double-click on a device to view details for that device. The information displayed in this popup window varies significantly for different types of devices with different LLDP implementations.
To enable LLDP for Ethernet on the WAN and/or LAN side, go to System Settings → Administration and select the LLDP tab.
OpenVPN Tunnels
Provides status of the router's OpenVPN Tunnels. To add an OpenVPN Tunnel, go to Internet → OpenVPN Tunnels.
To add an OpenVPN tunnel, click Add.
QoS
View the breakdown of packets and bytes sent and received associated with each QoS rule. To set up or edit a QoS rule, go to Network Settings → QoS.
Routing
System Routes displays routes associated with networks connected to the router as well as routes learned from routing protocols (such as RIP or BGP). Static Routes displays user-specified routes configured in Network Settings → Routing. There are also tables displaying information for GRE Routes, VPN Routes, and NEMO Routes. Configure the settings for these routes under the Internet tab.
Statistics
The Statistics submenu option displays basic traffic statistics.
Data Usage: A measure of the amount of information that is currently being sent or received through the network. Sample rate and size can be adjusted from the dropdown boxes.
Failover/Failback/Load Balance: An easy way to view current connective states of the devices plugged into the router as compared to the past. Sample rate and size can be adjusted from the dropdown boxes.
System Logs The router automatically logs (records) events of possible interest in its internal memory. If there is not enough internal memory for all events, logs of older events are deleted, but logs of the latest events are retained. The log options allow you to filter the router logs so you can easily find relevant messages. This router also has external Syslog Server support so you can send the log files to a computer on your network that is running a Syslog utility.
NOTE: The logs are erased whenever the router is rebooted or loses power.
VPN Tunnels
View the status of configured VPN tunnels. Included information:
Name
Connections
Status
Protocols
Transferred
Direction
Time Online
Control
To set up or edit a VPN tunnel, go to Internet → VPN Tunnels.
NETWORK SETTINGS
The Network Settings section of the Administration Pages provides access to tools for controlling the LAN (Local Area Networks). The Network Settings tab has the following dropdown menu items:
Content Filtering
DHCP Server
DNS
Firewall / QoS
MAC Filter / Logging
Routing
Routing Protocols
Threat Management
WiFi / Local Networks
Content Filtering
You have two main options for filtering content for local networks.
1.
produce the desired behavior.
NOTE: Websites that use HTTPS will not be blocked by these rules. You will need to use OpenDNS to block HTTPS websites.
Click Add or Edit to open the Filter Rule Editor.
Assigned Network: Select either “All Networks” or one of your LAN networks from the dropdown list.
Domain/URL/IP: Enter the Domain Name or URL (address) of the website you wish to control access for, e.g. www.google.com. To make sure the full domain is blocked, enter the most inclusive domain (e.g. google.
Default Action: Select from the following dropdown options:
Allow Access (default)
Block Access
When a network is set to Allow Access, it will allow access to sites not specifically blocked in the WebFilter Rules. When a network is set to Block Access, it will block access to sites not specifically allowed in the WebFilter Rules.
See the Network WebFilter Rules section (above) for more configuration details.
MAC Address WebFilter Defaults
Use MAC Address WebFilter Defaults together with MAC Address WebFilter Rules to control website access for specific MAC addresses. By default, each MAC address is allowed website access. Click Add/Edit to change this setting for a MAC address. Input the MAC address and default action you would like to apply to that MAC address.
When a network is set to Allow Access, it will allow access to sites not specifically blocked in the WebFilter Rules. When a network is set to Block Access, it will block access to sites not specifically allowed in the WebFilter Rules.
Cloud Based Filtering/Security
Select a third-party Cloud Provider from the dropdown list.
Umbrella by OpenDNS
Zscaler
Umbrella by OpenDNS
Umbrella by OpenDNS is a cloud-based web filtering and security solution that protects you online by filtering websites.
Data Loss Prevention
Bandwidth Management
Web Access Control
And more…
NOTE: Zscaler requires a feature license. Go to System Settings → Feature Licenses to enable this feature.
Enter your Zscaler account information to enable these settings. Input local network information (Network Address and Netmask) to assign your Zscaler implementation to one or more local network(s).
DHCP Server
DHCP stands for Dynamic Host Configuration Protocol.
Reservations: This is a list of devices with reserved IP addresses. This reservation is almost the same as when a device has a static IP address except that the device must still request an IP address from the router. The router will provide the device the same IP address every time. DHCP reservations are helpful for server computers on the local network that are hosting applications such as Web and FTP. Servers on your network should either use a static IP address or a reservation.
Automatic Config: Automatic or Static (default: Automatic). Switching to “Static” enables you to set specific DNS servers in the Primary DNS and Secondary DNS fields.
Primary DNS and Secondary DNS: If you choose to specify your DNS servers, then enter the IP addresses of the servers you want as your primary and secondary DNS servers in these fields. The DNS server settings will be prepopulated with public DNS server IP addresses.
Enable Dynamic DNS: Enable this option only if you have purchased your own domain name and registered with a Dynamic DNS service provider.
Server Type: Select a dynamic DNS service provider from the dropdown list:
DynDNS
DNS-O-Matic
ChangeIP
NO-IP
Custom Server (DynDNS clone)
Custom Server Address: Only available if you select Custom Server from the Server Address dropdown list. Enter your custom DynDNS clone server address here. For example: www.mydyndns.org.
Use HTTPS: Use the more secure HTTPS protocol.
You may find out what your external IP address is by going to http://myip.dnsomatic.com/ in a web browser.
Known Hosts Configuration
The Known Hosts Configuration feature allows you to map a name (printer, scanner, laptop, etc.) to an IP address of a device on the network. This assigns a new hostname that can be used to conveniently identify a device within the network, such as an office printer. Click Add to name a device in your network.
Select from the following tabs to edit your firewall configuration:
Application Gateways
Application Sets
DMZ (Demilitarized Zone)
Firewall Options
Network Prefix Translation
Port Forwarding Rules
Port Proxying Rules
QoS
Remote Admin. Restriction
Zone Firewall
Zone NAT
Application Gateways
Enabling an application gateway makes pinholes through the firewall. This may be required for some applications to function, or for an application to improve functionality or add features.
Enable any of the following types of application gateways:
PPTP: For virtual private network access using Point-to-Point Tunneling Protocol. This is enabled by default.
SIP: For VoIP (voice over IP) using Session Initiation Protocol.
TFTP: Enables file transfer using Trivial File Transfer Protocol.
FTP: To allow normal mode when using File Transfer Protocol. This is not needed for passive mode. This is enabled by default.
IRC: For Direct Client to Client (DCC) transfer when using Internet Relay Chat.
Use caution when enabling the DMZ feature, as it can threaten the security of your network. Only use DMZ as a last resort.
Firewall Options
Anti-Spoof: Anti-Spoof checks help protect against malicious users faking the source address in packets they transmit in order to either hide themselves or to impersonate someone else.
First – Use the first IPv6 prefix found
Static – Always use a static IPv6 translation (input the prefix here)
Transitioning from a short prefix to a longer prefix (such as from /48 to /64) is not without problems, as some of the LANs may lose IPv6 connectivity.
Port Forwarding Rules
A port forwarding rule allows traffic from the Internet to reach a computer on the inside of your network. For example, a port forwarding rule might be used to run a Web server.
will be used across the Internet to access your Web server. If you choose a number other than 80 for the Internet Port, connections to that number will be mapped to 80 – and therefore the Web server – within your network.
Protocol: Select from the following options in the dropdown menu:
TCP
UDP
TCP & UDP
Click Submit to save your completed port forwarding rule.
Port Proxying Rules
A port proxy rule allows traffic from the local LAN to be redirected to a specific computer/IP address on the Internet.
QoS
When QoS (Quality of Service, also known as “Traffic Shaping”) is enabled, the router will control the flow of Internet traffic according to the user-defined rules. In other words, Traffic Shaping improves performance by allowing the user to prioritize applications.
Enable QoS: Click on this box to open options for controlling Internet traffic. You can assign maximum Upload Speed and Download Speed values and define your own Traffic Shaping rules.
data can be transferred to you from your ISP. You can test your connection speeds with a service such as speedtest.net.
Queues
Queues and rules work in conjunction to prioritize bandwidth for the most critical operations. Multiple rules can be associated with one queue. Use rules to associate your more critical operations with queues that have higher bandwidth settings. For example, you might have two queues, one for “critical” and one for “secondary”, with critical having most of the bandwidth percentage.
Upload Bandwidth: This is the percentage of the connected WAN upload bandwidth that will be reserved for the specified traffic. The maximum value is adjusted to the remaining percentage after other rules receive their share.
Upload Priority: The priority value has two different effects on traffic. Higher priority traffic is handled before lower priority traffic, which can lead to shorter response times. Also, when spare bandwidth is available it is offered to higher priority queues first.
Move the slider to select from the following options (Default: Normal):
Lowest
Lower
Below Normal
Normal
Above Normal
High
Higher
Highest
DSCP (DiffServ) Tag: Differentiated Services Code Point (DSCP) is the successor to TOS (Type of Service). Use this field to 'tag' the traffic by putting the value in the DSCP header of each IP packet that flows through this queue. Use the value of '0' to clear the existing DSCP value in the packet header.
Rule Enabled: (Default: Enabled.) Deselect this to disable this rule. This can be useful for quickly changing configurations. If both upload QoS and download QoS are disabled then the rule will disable automatically.
Rule Name: Create a name for the rule that is meaningful to you.
Protocol: The protocol used by the messages: TCP/UDP, TCP, UDP, or ICMP. Select “Any” if your rule does not control a specific type of message that uses a specific protocol.
Queue Name: Select a queue to associate this rule with.
input the number into the left box. To enter a range of ports, fill in both boxes separated by the colon. For example "80:90" would represent all ports between 80 and 90 including 80 and 90 themselves.
Source IP Address, Source Netmask, Destination IP Address, and Destination Netmask: Specify an IP address or range of IP addresses by combining an IP address with a netmask for either “source” or “destination” (or both). Source vs. destination is defined by traffic flow.
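As an added illustration (not from the manual or Cradlepoint's code) of how the queue and rule fields above fit together, this Python model parses the "80:90" port syntax, classifies a packet into the first matching queue, reports the remaining upload percentage a queue may still be given, and orders queues for spare bandwidth by priority. The queue names, CIDR networks (standing in for the IP address + Netmask fields) and DSCP values are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of the QoS queues and rules described above; not the
# router's own code. CIDR stands in for the IP address + Netmask fields.
PRIORITIES = ["Lowest", "Lower", "Below Normal", "Normal",
              "Above Normal", "High", "Higher", "Highest"]


@dataclass
class Queue:
    name: str
    upload_pct: int              # Upload Bandwidth: % of WAN upload reserved
    priority: str = "Normal"     # Upload Priority
    dscp: Optional[int] = None   # DSCP tag written to matching packets; 0 clears


@dataclass
class QosRule:
    name: str
    queue: str                   # Queue Name this rule feeds
    protocol: str = "Any"        # Any, TCP/UDP, TCP, UDP, ICMP
    dst_ports: str = ""          # "80" or "80:90" (inclusive range); "" = any
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    enabled: bool = True


def parse_ports(spec):
    """'80' -> (80, 80); '80:90' -> (80, 90) with both ends included; '' -> None."""
    if not spec:
        return None
    lo_s, _, hi_s = spec.partition(":")
    lo = int(lo_s)
    hi = int(hi_s) if hi_s else lo
    if not 0 <= lo <= hi <= 65535:
        raise ValueError("bad port range: %r" % spec)
    return lo, hi


def _proto_ok(rule_proto, pkt_proto):
    if rule_proto == "Any":
        return True
    if rule_proto == "TCP/UDP":
        return pkt_proto in ("TCP", "UDP")
    return rule_proto == pkt_proto


def _net_ok(addr, net):
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def classify(pkt, rules, queues):
    """Name of the queue fed by the first enabled rule matching pkt, else None."""
    for r in rules:
        if not r.enabled or not _proto_ok(r.protocol, pkt["protocol"]):
            continue
        rng = parse_ports(r.dst_ports)
        if rng and not rng[0] <= pkt["dst_port"] <= rng[1]:
            continue
        if not (_net_ok(pkt["src"], r.src_net) and _net_ok(pkt["dst"], r.dst_net)):
            continue
        return queues[r.queue].name
    return None


def remaining_upload_pct(queues, editing=None):
    """Largest Upload Bandwidth % left for a queue after the others take their share."""
    used = sum(q.upload_pct for q in queues.values() if q.name != editing)
    return max(0, 100 - used)


def spare_bandwidth_order(queues):
    """Queue names in the order spare bandwidth is offered: highest priority first."""
    return [q.name for q in sorted(queues.values(),
                                   key=lambda q: PRIORITIES.index(q.priority),
                                   reverse=True)]


def apply_dscp(pkt_dscp, queue):
    """Write the queue's DSCP tag: 0 clears the packet's value, any other value
    overwrites it. Leaving the packet untouched when no tag is set is an assumption."""
    return pkt_dscp if queue.dscp is None else queue.dscp


# Constructed sample: a "critical" queue for web and SIP and a "secondary"
# queue for everything else, as in the two-queue example above.
QUEUES = {
    "critical": Queue("critical", upload_pct=70, priority="High", dscp=46),
    "secondary": Queue("secondary", upload_pct=20, priority="Lower", dscp=0),
}
RULES = [
    QosRule("web", "critical", protocol="TCP", dst_ports="80:90"),
    QosRule("sip", "critical", protocol="UDP", dst_ports="5060",
            dst_net="198.51.100.0/24"),
    QosRule("bulk", "secondary", protocol="TCP/UDP"),
]
```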
IP Address: The IP address that will be allowed to access administrative services through the WAN.
Netmask (Optional): The netmask allows you to specify what IP address sets will be allowed access. If this field is left empty a netmask of 255.255.255.255 is used, which means that only the single specified IP address has remote administration access.
Zone Firewall
A zone is a group of network interfaces.
Choose a Name meaningful to you and then click on the Add button to reveal options for attaching interfaces (WAN, LAN, or GRE) to this zone.
LAN and GRE Interfaces
Attach LAN and GRE interfaces to a zone by selecting the Config Name for those interfaces. For LANs, these names are defined in Network Settings → WiFi / Local Networks; for GRE tunnels, these names are defined in Internet → GRE Tunnels.
WAN Interfaces
Attaching WAN interfaces to a zone includes many more options. Select “WAN” in the first field, and then select from each of the following fields to create a statement that defines which WAN interfaces to attach to this zone.
Field 2: Choose one of the following:
Port – Select by the physical port on the router (e.g., "Modem 1").
Manufacturer – Select by the modem manufacturer (e.g., "Cradlepoint Inc.").
Model – Select according to the specific model of modem.
Name: Create a name meaningful to you.
Default Action: Choose either Allow or Deny. This is the action taken by the firewall if none of the filter policy rules match the traffic being filtered.
Click Add to create a new rule for this filter policy.
Log: When checked, each packet matching this filter rule will be logged in the System Logs.
Action: “Allow” or “Deny.”
Protocol: Any, ICMPv4, TCP, UDP, GRE, ESP, ICMPv6, or SCTP.
IP Version: Any, IPv4, or IPv6.
IP Source / IP Destination
IP Negation: Match on any IP address that is NOT in the specified IP network range.
Network IP: Optional field to specify a matching network IP address for this rule to match against.
Netmask: Use this to define a subnet size this rule will match against.
Click Add to create a new Forwarding, or select an existing Forwarding and click Edit to open the Forwardings editor.
Enabled: Selected by default. Click to deselect.
Source Zone: Select from the dropdown list of your defined zones.
Destination Zone: Select from the dropdown list of your defined zones.
Filter Policy: Select from the dropdown list of your filter policies.
Zone NAT
The router provides a firewall by virtue of the way NAT (Network Address Translation) works.
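The following added Python model (not the router's code) shows how a forwarding, the ordered rules of its filter policy (including IP Negation and the Log flag) and the policy's default action decide a packet's fate for the zone firewall described above. The zone names, interface names and addresses are constructed sample data, CIDR stands in for the Network IP and Netmask fields, and denying traffic with no forwarding between its zones is an assumption of the model.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed model of the Zone Firewall objects described above (zones,
# filter policies with rules and a default action, forwardings). This is
# not the router's own code; CIDR stands in for "Network IP" + "Netmask".

@dataclass
class Rule:
    action: str                      # "Allow" or "Deny"
    protocol: str = "Any"            # Any, ICMPv4, TCP, UDP, GRE, ESP, ICMPv6, SCTP
    ip_version: str = "Any"          # Any, IPv4, IPv6
    src_net: Optional[str] = None    # IP Source network, CIDR
    src_negate: bool = False         # IP Negation: match addresses NOT in src_net
    dst_net: Optional[str] = None    # IP Destination network, CIDR
    dst_negate: bool = False
    log: bool = False                # Log: record each packet matching this rule

@dataclass
class FilterPolicy:
    name: str
    default_action: str              # taken when none of the rules match
    rules: List[Rule] = field(default_factory=list)

@dataclass
class Forwarding:
    src_zone: str
    dst_zone: str
    policy: str                      # name of the FilterPolicy to apply
    enabled: bool = True

@dataclass
class Packet:
    src: str
    dst: str
    protocol: str
    in_iface: str                    # interface the packet arrived on
    out_iface: str                   # interface it would leave by

def _net_match(addr, net, negate):
    """Optional network test; IP Negation inverts the result."""
    if net is None:
        return True
    hit = ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)
    return not hit if negate else hit

def rule_matches(rule, pkt):
    version = "IPv%d" % ipaddress.ip_address(pkt.src).version
    if rule.ip_version not in ("Any", version):
        return False
    if rule.protocol not in ("Any", pkt.protocol):
        return False
    return (_net_match(pkt.src, rule.src_net, rule.src_negate)
            and _net_match(pkt.dst, rule.dst_net, rule.dst_negate))

def evaluate(pkt, zones, forwardings, policies, log):
    """Return "Allow" or "Deny" for pkt, appending to log for rules with Log set.
    First matching rule wins; the policy's default action applies when no rule
    matches. Deny with no enabled forwarding is this model's assumption."""
    def zone_of(iface):
        return next((z for z, ifaces in zones.items() if iface in ifaces), None)

    pair = (zone_of(pkt.in_iface), zone_of(pkt.out_iface))
    for fwd in forwardings:
        if not fwd.enabled or (fwd.src_zone, fwd.dst_zone) != pair:
            continue
        policy = policies[fwd.policy]
        for rule in policy.rules:
            if rule_matches(rule, pkt):
                if rule.log:
                    log.append("%s: %s %s %s -> %s" % (
                        policy.name, rule.action, pkt.protocol, pkt.src, pkt.dst))
                return rule.action
        return policy.default_action
    return "Deny"

# Constructed sample: a corporate LAN, a guest LAN and one modem WAN.
ZONES = {"lan": {"Primary LAN"}, "guest": {"Guest LAN"}, "wan": {"Modem 1"}}
POLICIES = {
    # LAN may go anywhere except one TCP destination block, which is logged.
    "lan-out": FilterPolicy("lan-out", "Allow", [
        Rule("Deny", protocol="TCP", dst_net="203.0.113.0/24", log=True)]),
    # Guests are denied by default and may only reach addresses NOT in 10/8.
    "guest-out": FilterPolicy("guest-out", "Deny", [
        Rule("Allow", dst_net="10.0.0.0/8", dst_negate=True)]),
}
FORWARDINGS = [Forwarding("lan", "wan", "lan-out"),
               Forwarding("guest", "wan", "guest-out")]

def check(src, dst, proto, in_iface, out_iface, log=None):
    """Evaluate one packet against the sample configuration."""
    pkt = Packet(src, dst, proto, in_iface, out_iface)
    return evaluate(pkt, ZONES, FORWARDINGS, POLICIES, [] if log is None else log)
```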
your router.
Filter Configuration
The MAC Filter allows you to create a list of devices that have either exclusive access (whitelist) or no access (blacklist) to your local network.
Enabled: Click to allow MAC Filter options.
Whitelist: Select either “Whitelist” or “Blacklist” from a dropdown menu. In "Whitelist" mode, the router will restrict LAN access to all computers except those contained in the "MAC Filter List" panel.
Ignored MAC Addresses: This is the list of MAC addresses that will not produce an alert or a log entry when they are connected to the router. These should be MAC addresses that you expect to be connected to the router. To add MAC addresses to this list, simply select devices shown in the MAC Address Log and click “Ignore.” You can also add addresses manually.
MAC Address Log: This shows the last 64 MAC addresses that have connected to the router, as well as which interface was used to connect.
IP Version: Select IPv4 or IPv6. Depending on your selection, you have different options for defining the address range. IP/Network Address or IPv6 Address: The IP address of the target network or host. The IPv6 address field includes CIDR notation to declare a range of addresses. Netmask: The Netmask, along with the IPv4 address, defines the network the computer belongs to and which other IP addresses the computer can see in the same LAN. An IP address of 192.168.0.1 along with a Netmask of 255.255.255.
Each router has a prior knowledge only of networks attached to it directly. A routing protocol shares this information first among immediate neighbors, and then throughout the network. This way, routers gain knowledge of the topology of the network. Choose from the following tabs to configure routing protocols: BGP Routing OSPF Routing RIP Routing RIPNG Routing BGP Routing The latest version of BGP (Border Gateway Protocol) is version 4.
Networks Associated with ASN or IPv6 Networks Associated with ASN: To configure a BGP router you need an AS number. An AS number identifies an autonomous system; BGP uses it to decide whether a session is internal (same AS) or external (different AS). Use the IPv4 address and netmask, or the IPv6 address with a CIDR prefix length, to define the address range to advertise. Neighbor Options or IPv6 Neighbor Options: Creates a new neighbor identified by remote ASN and IP address.
Area: Areas are identified by an ID. Default Cost: Set the cost of default-summary LSAs announced to stubby areas. Stub Area: Configure the area to be a stub area. No-Summary: Prevents the ABR from injecting inter-area summaries into the specified stub area. OSPF Editor Router ID: This sets the router-ID of the OSPF process. The router-ID may be an IP address of the router, but need not be – it can be any arbitrary 32-bit number. However, it MUST be unique within the entire OSPF domain.
Redistribute Routes: Redistribute routes of the specified protocol or kind into BGP, with the metric type and metric set (if specified), filtering the routes using the given route map (if specified). Redistributed routes may also be filtered with distribute lists. Type: The type is the source of the route. Select from: Main, Connected, Static, RIP, OSPF. Metric: Numerical priority of the route.
Password: RIPv2 packets can be authenticated with either a plain text password carried in the packet, or keyed MD5 (RFC 2082), in which a digest computed over the packet and a shared secret replaces the password. RIPv1 carries no authentication at all, so when authentication is configured RIP discards routing updates received in RIPv1 packets. Plain text password: Select to use a plain text password instead of MD5. A plain text password is insecure: it is visible to anyone who can capture the updates, and it protects only against accidental peering, not against an attacker injecting routes. Enabled: Click to enable/disable the policy. (Default: enabled.
routes. RIPNG Routing RIPng (RIP next generation) extends RIPv2 to support IPv6. See RIPng on Wikipedia and RFC 2080 for details. RIPng carries no authentication of its own; RFC 2080 leaves protection of updates to IPsec, so enable it only on links where every host able to send to the RIPng multicast group (ff02::9, UDP port 521) is trusted. RIPNG Editor Name: Unique name of the policy. Metric: RIPng metric is a value for distance for the network. Usually the RIP service increments the metric when the network information is received. The metric for redistributed routes is set to 1. Enabled: Click to enable/disable the policy. (Default: enabled.
Redistribute Routes: Redistribute routes of the specified protocol or kind into RIPng, with the metric type and metric set if specified, filtering the routes using the given route-map if specified. Type: The type is the source of the route. Select from: Main, Connected, Static, OSPF, BGP. Metric: RIPng metric is a value for distance for the network. Usually the RIP service increments the metric when the network information is received. The metric for redistributed routes is set to 1.
4. Set up regularly scheduled signature updates in the configuration pages, or update manually in ECM via the Devices or Groups page (click on Commands in the top toolbar and select Update IPS Signatures from the dropdown options). NOTE: Updating the signature database version causes a network disruption for a few seconds. You can schedule these updates to occur during days/times when you expect less traffic on your network. Status The Status section shows if Threat Management is enabled.
of data to the system logs. We recommend enabling a syslog server to manage this information. To view the logs, go to Status → System Logs. For configuration options, including syslog server setup, go to System Settings → Administration and select the System Logging tab. Signature Update Schedule You can choose to have a different signature update schedule for modems than for other WANs. This is intended to protect against overages when data usage limits for 3G/4G modems are restricted.
Local IP Networks Local IP Networks displays the following information for each network: Network Name and IP address/Netmask (along the top bar) Enabled: Yes/No Multicast Proxy (Enabled/Disabled) DHCP Server (Enabled/Disabled) Schedule (Enabled/Disabled – See the Schedule tab in the Local Network Editor) VRRP Failover State (Disabled, Backup, or Master) IPv4 Routing Mode (NAT, Standard, IP Passthrough, Hotspot, Disabled) IPv6 Addressing Mode (SLAAC Only, SLAAC with DHCP, Disable SLAAC and DHCP) Access Cont
Network Editor contains the following tabs: General Settings, IPv4 Settings, IPv6 Settings, Interfaces, Access Control, IPv4 DHCP, IPv6 Addressing, Multicast Proxy, Schedule, VRRP, STP, and Wired 802.1X. General Settings Enabled: Click to manually disable a network. Also, some settings could cause a network to be automatically disabled: click here to re-enable the network. Name: This primarily helps to identify this network during other administration tasks.
IP Address: This is the address used by the router for local area network communication. Changes to this parameter may require a restart to computers on this network. Each network must have a distinct IP address. Most users will want an address from one of the following private IP ranges: 10.0.0.1 - 10.255.255.1 172.16.0.1 - 172.31.255.1 192.168.0.1 - 192.168.255.
disabled. Any wireless interfaces must be removed from this network in order to enable IP Passthrough. The easiest way to enable IP Passthrough mode is with the IP Passthrough Setup Wizard (see Getting Started → IP Passthrough Setup). Hotspot: Provide Hotspot Services on this network, requiring Terms of Service or RADIUS/UAM authentication before WAN access will occur on both wireless and wired LAN connections.
Select network interfaces to attach to this network. Choose from WiFi, Ethernet ports, and VLAN interfaces. Double-click on any of the interfaces shown on the left in the Available section to move them to the Selected section on the right (or highlight an interface and click the “+” button). To deselect an interface, double-click on an interface in the Selected section (or highlight the interface and click the “–“ button).
Tune the access control settings of this network to match the intended use. Simply select or deselect any of the following: LAN Isolation: When checked, this network will NOT be allowed to communicate with other local networks. UPnP Gateway: Select the UPnP (Universal Plug and Play) option if you want to enable the UPnP Gateway service for computers on this network. UPnP lets any LAN client open inbound port forwardings without authentication, so leave it off on networks you do not fully trust. Admin Access: When enabled, users on this network may reach these administration pages. Disable it on guest, hotspot and other untrusted networks (and keep LAN Isolation on for them) so that their clients have no path to the management interface.
Changing settings for the IPv4 DHCP server is optional. The default selections are almost always sufficient. DHCP Server: (Default: Enabled) When the DHCP server is enabled, users of your network will be able to automatically connect to the Internet without any special configuration. It is recommended that you leave this enabled. Disabling the DHCP server is only recommended if you have another DHCP server on your network and it is configured properly.
Option: Select an option from the dropdown list or manually enter the number of an option. A complete list of options is available from IANA. Value: Generally this field should be a string, IP address, or numeric value. Some fields can accept both IP addresses and hostnames – in these cases you may need to wrap this value in quotes. For example, option 66 (Server name) requires quotes around IP addresses.
SLAAC Only – SLAAC stands for stateless address autoconfiguration. The router regularly generates a router advertisement that includes network prefix and routing information, allowing clients to autogenerate an address and start communicating on the network. Clients utilize neighbor discovery protocols to ensure multiple clients on the subnet have not chosen an identical address.
Quick Leave Mode: Disable quick leave mode if it's vital that the daemon should act exactly as a real multicast client on the upstream interface. However, disabling this function increases the risk of bandwidth saturation. By default, enabling multicast proxy enables a multicast connection with devices within the LAN. In rare cases, additional IP address ranges need access to the multicast streams. Click Add and input the IP Address and Netmask for an additional IP address range.
Each hour of the week is represented by a black or gray square. Black represents disabled, while gray represents enabled. Hover over a square to reveal the hour it represents. Click on the squares to toggle between black and gray. In the example shown, the network is enabled from 8-5 on Monday through Friday, but disabled at all other times. VRRP NOTE: VRRP requires a feature license. Go to System Settings → Feature Licenses to enable this feature. VRRP is included with an ECM Prime subscription.
WAN Fault Priority: This optional value sets the failover priority of this router when no WAN connection is available. If the value matches the normal router priority, WAN connection state will not be considered. If the value is empty (the default), the router will always give up ownership of the virtual IP and let a new master take over when no WAN connection is available. Advertisement Interval: Sets the amount of time (in seconds) between VRRP advertisements, which communicate the router status.
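As an added worked example (my code, not Cradlepoint's), the election logic that the Priority and WAN Fault Priority fields above imply, in Python. It represents a router that "gives up ownership" by the priority value 0, which VRRP reserves for a router that is not a candidate, and breaks ties by the higher interface address as the VRRP specification does; the router names, priorities and addresses are constructed.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class VrrpRouter(NamedTuple):
    name: str
    priority: int                        # normal router priority (1-254)
    wan_fault_priority: Optional[int]    # None models the field left empty
    wan_up: bool                         # does this router currently have a WAN connection?
    address: str                         # its own interface address, used as the tie-break


def effective_priority(r: VrrpRouter) -> int:
    """Priority the router contends with once its WAN state is taken into account.
    Empty WAN Fault Priority: give up ownership when no WAN is available (priority 0
    here, the VRRP 'not a candidate' value). A value equal to the normal priority
    means the WAN state makes no difference, which falls out naturally."""
    if r.wan_up:
        return r.priority
    if r.wan_fault_priority is None:
        return 0
    return r.wan_fault_priority


def elect_master(routers: List[VrrpRouter]) -> Optional[str]:
    """Highest effective priority wins; a tie goes to the higher interface address."""
    candidates = [(effective_priority(r), int(ipaddress.ip_address(r.address)), r.name)
                  for r in routers if effective_priority(r) > 0]
    if not candidates:
        return None
    return max(candidates)[2]


# Constructed pair: A is the preferred master, B the backup that keeps its
# priority (WAN Fault Priority equal to its normal priority) even with no WAN.
ROUTER_A = VrrpRouter("A", 200, None, True, "192.168.0.2")
ROUTER_B = VrrpRouter("B", 100, 100, True, "192.168.0.3")


def master_after(wan_a_up: bool, wan_b_up: bool) -> Optional[str]:
    """Which router owns the virtual IP for a given combination of WAN states."""
    return elect_master([ROUTER_A._replace(wan_up=wan_a_up),
                         ROUTER_B._replace(wan_up=wan_b_up)])


if __name__ == "__main__":
    for a, b in ((True, True), (False, True), (False, False)):
        print("A WAN up=%s, B WAN up=%s -> master %s" % (a, b, master_after(a, b)))
```

Setting A's WAN Fault Priority to a number instead of leaving it empty changes the outcome: a value above B's priority (say 150) keeps A as master even without a WAN, which is usually not what you want, while a value below it (say 50) hands over to B but lets A stay a candidate should B also lose its uplink and sink below 50.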
Spanning Tree Protocol (STP) allows a network design to include redundant paths while preventing broadcast radiation (broadcast storms) from bridge loops. Enable STP: Enable Spanning Tree Protocol loop detection. Bridge Priority: Set the priority of the bridge. When the root bridge of the spanning tree topology is determined, the bridge priority is compared first and the bridge with the lowest priority value becomes the root (a tie is broken by the lowest bridge MAC address). If you want this router to be the root bridge, set it to a value less than the default of 32768.
you don’t know the MAC address for the RADIUS server, enter 00:00:00:00:00:00 and the service will try to find the MAC address from the given IP address. Port: 1812 is the standard authentication port. Password: The shared secret configured for this router as a client on the RADIUS server; it is what authenticates the router to the server, so use a long random value. Accounting settings: Most of the accounting settings match the authentication settings, depending on whether the same RADIUS server handles both authentication and accounting.
Wireless Radio: Enable/Disable. (Default: Enabled). Leave enabled unless you don’t want any WiFi networks broadcast from your router. Select a WiFi network and click Edit to change the settings. Wireless Network Editor WiFi Name (SSID): When users browse for available wireless networks, this is the name that they will see. This name is referred to as the SSID (service set identifier). For security purposes, Cradlepoint highly recommends that you change this from the pre-configured name.
Hidden: This shows whether the router broadcasts its SSID. Hiding the SSID is not a security control: the name is still sent in clear text in probe requests and responses whenever a client connects, so anyone capturing WiFi traffic learns it in seconds, while legitimate users find it harder to join a network with a hidden SSID. Rely on the wireless security settings (WPA2 with a strong passphrase, or RADIUS/802.1X authentication) instead. Isolate: Select this to isolate all wireless clients so they cannot directly communicate with each other on the wireless network. WMM: WiFi Multimedia.
Ethernet Port Configuration Ethernet Port Configuration provides controls for your router’s Ethernet ports. There are five total ports: by default, one WAN port and four numbered LAN ports. While default settings will be sufficient in most circumstances, you have the ability to control: Mode (WAN or LAN) and Link Speed. Additional controls for WAN ports are available in Internet → Ethernet Settings. Mode: WAN or LAN.
Port Group ID: The Group ID field provides a reference to this grouping of ports to be used in other parts of the router configuration. For example, this ID is referenced in the Local IP Networks configuration to attach this logical group of Ethernet ports with a network configuration. Use a simple short text phrase to describe this group, such as "main," "guestports," "backup_wan," etc. This must be unique.
VID: An integer value that is the Virtual LAN ID. Ethernet Group: Select the LAN port(s) with which you want to associate the VLAN ID from a dropdown list. Your Ethernet group must be created separately under Ethernet Port Configuration. Click Submit to save your configured VLAN. PSE Configuration The AER3100 is compatible with the IEEE802.
WiFi Settings (Advanced) When you select either of the WiFi tabs (2.4 GHz or 5 GHz) in the Local Network Interfaces section, you have several additional options for configuring your wireless LANs under the WiFi Settings heading. Channel Selection Method: This controls how a WiFi channel is selected. User Selection – Manually set the channel. Random Selection – The router randomly sets the channel. Smart Selection (Default) – Scans to determine the lowest interference WiFi channel.
a WiMAX modem is attached to the router when the WiFi is enabled, the WiFi channel and transmit power will be set to levels that optimize the performance of the WiMAX modem. If no WiMAX modem is attached, then default channel and power settings will be used even if this is selected. Channel: (Shows if User Selection is selected.) The WiFi channel corresponds to a frequency the router uses to communicate with other devices. For 2.4 GHz, the range is 1 to 11, and 1, 6, and 11 do not overlap each other.
greater than the Fragmentation Threshold. This setting should remain at its default value. Setting the Fragmentation value too low may result in poor performance. DTIM: A DTIM is a countdown informing clients of the next window for listening to broadcast and multicast messages. When the wireless router has buffered broadcast or multicast messages for associated clients, it sends the next DTIM with a DTIM Interval value.
Extended Channel: When operating in 40 MHz mode the access point will use an extended channel either below or above the current channel. Optimal selection will depend on the channels of other networks in the area. MCS: 802.11n uses multiple Modulation Coding Schemes to enable higher throughput in various environments. Since clients can dynamically change rates depending on environment, selecting Auto is generally best. Short GI: Short GI is an optimization for shortening the interval between transmissions.
INTERNET The Internet section of the Administration Pages provides access to tools for controlling the WAN (Wide Area Networks). The Internet tab has the following dropdown menu items: Connection Manager Client Data Usage CP Secure VPN Data Usage GRE Tunnels L2TP Tunnels Network Mobility (NEMO) NHRP Interfaces OpenVPN Tunnels VPN Tunnels WAN Affinity / Load Balancing WiFi as WAN Connection Manager The router can establish an uplink via Ethernet, WiFi as WAN, or 3G/4G modems (integrated or external USB).
Load Balance: If this is enabled, the router will use multiple WAN interfaces to increase the data transfer throughput by using any connected WAN interface consecutively. Selecting Load Balance will automatically start the WAN interface and add it to the pool of WAN interfaces to use for data transfer. Turning off Load Balance for an active WAN interface may require the user to restart any current browsing session. Enabled: Selected by default. Deselect to disable an interface.
General Settings Device Settings Enabled: Select/deselect to enable/disable. Force NAT: Normally NAT is part of the Routing Mode setting which is selected on the LAN side in Network Settings → WiFi / Local Networks. Select this option to force NAT whenever this WAN device is being used. Priority: This number controls failover and failback order. The lower the number, the higher the priority and the more use the device will get.
Idle Check Interval: The amount of time between each check. (Default: 30 seconds. Range: 10-3600 seconds.) Monitor while connected: (Default: Off) Select from the following dropdown options: Passive DNS (modem only): The router will take no action until data is detected that is destined for the WAN. When this data is detected, the data will be sent and the router will check for received data for two seconds. If no data is received the router behaves as described below under Active DNS.
Select the Failback Mode from the following options: Usage Time Disabled Usage: Fail back based on the amount of data passed over time. This is a good setting for when you have a dual-mode EVDO/WiMAX modem and you are going in and out of WiMAX coverage. If the router has failed over to EVDO it will wait until you have low data usage before bringing down the EVDO connection to check if a WiMAX connection can be made. High (Rate: 80 KB/s. Time Period: 30 seconds.) Normal (Rate: 20 KB/s.
Only the fields that you fill out will be overridden. Override any of the following fields: IP Address Subnet Mask Gateway IP Primary DNS Server Secondary DNS Server IPv6 Settings The IPv6 configuration allows you to enable and configure IPv6 for a WAN device. These settings should be configured in combination with the IPv6 LAN settings (go to Network Settings → WiFi / Local Networks, select the LAN under Local IP Networks, and click Edit) to achieve the desired result.
Enable IPv6 and select the desired IPv6 connection method for this WAN interface. Disabled (default) – IPv6 disabled on this interface. Auto – IPv6 will use automatic connection settings (if available). Static – Input a specific IPv6 address for your WAN connection. This is provided by the ISP if it is supported. 6to4 Tunnel – Encapsulates the IPv6 data and transfers it to an automatic tunnel provider (if your ISP supports it).
Static As with IPv4, static configuration is available for situations where the WAN IPv6 topology is fixed. IPv6 Address/CIDR – Input the IPv6 static IP address and mask length provided by your ISP (see the Wikipedia explanation of CIDR). IPv6 Gateway IP – Input the IPv6 remote gateway IP address provided by your ISP. Primary IPv6 DNS Server – (optional) Depending on your provider/setup, this may be required.
may be required. Prefixes specified here only take effect if those supplied by the connection are insufficient to configure your LANs. Delegated IPv6 Network – Additional network available for delegation to LANs. Example Configuration: 6in4 Tunnel The 6in4 tunnel mode utilizes explicit IPv4 tunnel endpoints and encapsulates IPv6 packets using 41 as the specified protocol type in the IP header.
IPv6 Rapid Deployment (6rd) is a method of IPv6 site configuration derived from 6to4. It differs from 6to4 in that the ISP provides explicit 6rd infrastructure: a border relay inside the ISP network that encapsulates and decapsulates the IPv6 traffic carried over IPv4 (nothing is translated; 6rd, like 6to4, tunnels IPv6 packets inside IPv4 with protocol 41), and the IPv6 prefix belongs to the ISP rather than to the shared 2002::/16 6to4 range. 6rd is considered more reliable than 6to4 because the ISP explicitly maintains that infrastructure. 6rd Prefix – The 6rd prefix and prefix length should be supplied by your ISP, together with the IPv4 mask length and border relay address they are used with.
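Because 6to4 and 6rd addresses are derived mechanically from the IPv4 side, it helps to see the arithmetic. The following Python is an added example, not anything from the manual: it builds the 6to4 /48 from a public IPv4 address (RFC 3056) and the 6rd delegated prefix from the ISP's 6rd prefix, IPv4 mask length and the router's IPv4 address (RFC 5969), and shows which IPv4 endpoint a packet is tunnelled to, the peer's own address when the destination is inside the same domain and the relay otherwise. The prefixes, mask lengths and addresses are sample values.

```python
import ipaddress
from typing import Optional


def six_to_four_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """6to4 (RFC 3056): 2002::/16 followed by the 32-bit IPv4 address gives the site's /48."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def six_to_four_endpoint(dst_ipv6: str) -> Optional[ipaddress.IPv4Address]:
    """IPv4 tunnel endpoint for a 6to4 destination; None means 'send it to a 6to4 relay'."""
    dst = ipaddress.IPv6Address(dst_ipv6)
    if dst not in ipaddress.IPv6Network("2002::/16"):
        return None
    return ipaddress.IPv4Address((int(dst) >> 80) & 0xFFFFFFFF)


def six_rd_delegated_prefix(rd_prefix: str, ipv4_mask_len: int, ce_ipv4: str) -> ipaddress.IPv6Network:
    """6rd (RFC 5969): 6rd prefix || the (32 - IPv4MaskLen) low-order bits of the CE's IPv4 address.
    IPv4MaskLen is the number of leading IPv4 bits shared by every CE in the ISP's domain."""
    if not 0 <= ipv4_mask_len <= 32:
        raise ValueError("IPv4MaskLen must be 0..32")
    net = ipaddress.IPv6Network(rd_prefix)
    keep = 32 - ipv4_mask_len
    new_len = net.prefixlen + keep
    if new_len > 64:
        raise ValueError("delegated prefix /%d leaves no room for a /64 LAN" % new_len)
    low = int(ipaddress.IPv4Address(ce_ipv4)) & ((1 << keep) - 1)
    return ipaddress.IPv6Network((int(net.network_address) | (low << (128 - new_len)), new_len))


def six_rd_endpoint(rd_prefix: str, ipv4_mask_len: int, own_ipv4: str,
                    border_relay_ipv4: str, dst_ipv6: str) -> ipaddress.IPv4Address:
    """Where a 6rd CE tunnels a packet: straight to the peer CE when the destination is inside
    the 6rd domain (its IPv4 address is recovered from the IPv6 address), else to the border relay."""
    net = ipaddress.IPv6Network(rd_prefix)
    dst = ipaddress.IPv6Address(dst_ipv6)
    if dst not in net:
        return ipaddress.IPv4Address(border_relay_ipv4)
    keep = 32 - ipv4_mask_len
    shift = 128 - net.prefixlen - keep
    low = (int(dst) >> shift) & ((1 << keep) - 1)
    # the masked-out high bits are common to the whole domain, so take them from our own address
    high = int(ipaddress.IPv4Address(own_ipv4)) & ~((1 << keep) - 1) & 0xFFFFFFFF
    return ipaddress.IPv4Address(high | low)


if __name__ == "__main__":
    print("6to4 site prefix for 192.0.2.1:", six_to_four_prefix("192.0.2.1"))
    print("6rd /32, mask 0, CE 10.100.100.1:", six_rd_delegated_prefix("2001:db8::/32", 0, "10.100.100.1"))
    print("6rd /32, mask 8, CE 10.100.100.1:", six_rd_delegated_prefix("2001:db8::/32", 8, "10.100.100.1"))
    print("peer for 2001:db8:6464:100::1:",
          six_rd_endpoint("2001:db8::/32", 8, "10.1.1.1", "10.0.0.254", "2001:db8:6464:100::1"))
```

The mask-length check matters operationally: a /48 6rd prefix with IPv4MaskLen 0 would leave the CE an /80, too small to run SLAAC on the LAN, which is why ISPs with short 6rd prefixes rely on a non-zero IPv4MaskLen. The endpoint functions also show why both mechanisms are a weak point for spoofing: any host that can send protocol-41 packets to the router's IPv4 address can inject IPv6 traffic, so the Filter Policies should treat tunnel decapsulation like any other WAN ingress.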
Connect Method Select the connection type that you need for this WAN connection. You may need to check with your ISP or system administrator for this information. DHCP (Dynamic Host Configuration Protocol) is the most common configuration. Your router’s Ethernet ports are automatically configured for DHCP connection. DHCP automatically assigns dynamic IP addresses to devices in your networks. This is preferable in most circumstances.
Username Password Password Confirm Service Auth Type: None, PAP, or CHAP Modem Settings Not all modems will have all of the options shown below; the available options are specific to the modem type. On Demand: When this mode is selected a connection to the Internet is made as needed. When this mode is not selected a connection to the Internet is always maintained. IP WAN Subnet Filter: This feature will filter out any packets going to the modem that do not match the network (address and netmask).
Aggressive Reset: When Aggressive Reset is enabled the system will attempt to maintain a good modem connection. If the Internet has been unreachable for a period of time, a reset of the modem will occur in attempt to re-establish the connection. Automatically check for new firmware: (Default: selected) The modem will automatically check for firmware updates by default. Enable Aux Antenna: (Default: selected) Enable or disable the modem's auxiliary diversity antenna. This should normally be left enabled.
such as for PRL, modem firmware, or configuration events. These activities do not change any router settings, but the modem connection may be unavailable for periods of time while these updates occur. The modem may also require a reset after a modem firmware update is complete. Disabled: The request to update will be refused. When Disconnected: The request to update will only be performed when the modem is either in a disconnected state or dormant state.
TTLS Username: Username for TTLS authentication. TTLS Password: Password for TTLS authentication. WiMAX Authentication Identity: User ID on the network. Leave this blank unless your provider tells you otherwise. CDMA Settings These settings are usually specific to your wireless carrier’s private networks. You should not set these unless directed to by a carrier representative. If a field below is left blank, that particular setting will not be changed in the modem.
SIM/APN/Auth Settings SIM PIN: PIN number for a GSM modem with a locked SIM. Authentication Protocol: Set this only if your service provider requires a specific protocol and the Auto option chooses the wrong one. Choose from Auto, PAP, and CHAP and then input your username and password. Access Point Configuration: Some wireless carriers provide multiple Access Point configurations that a modem can connect to. Some APN examples are "isp.cingular" and "vpn.com."
by modem model and service provider. Possible methods are: PRL Update, Activation, and FUMO. All supported methods will be displayed when you select your modem and click “Control” to open the “Update/Activate” window. If no methods are displayed for your device then you will need to update and activate your device externally. To update or activate a modem, select the modem in the WAN Interfaces table and click “Control.
NOTE: Only one operation is supported at a time. If you try to start the same operation on the same modem twice the UI will not report failure and the request will finish normally when the original request is done. However if you try to start a different operation or use a different modem, this second request will fail without interfering with the pending operation. Process Timeout: If the process fails an error message will display.
The Configuration Rules list shows all rules that you have created, as well as all of the default rules. These are listed in the order they will be applied. The most general rules are listed at the top, and the most specific rules are at the bottom. The router goes down the list and applies all rules that fit for attached Internet sources. Configuration settings farther down the list will override previous settings. Select any of these rules and click “Edit” to change the settings for a rule.
Filter Criteria If you are creating a new rule, begin by setting the Filter Criteria. Create a name for your rule and the condition for which the rule applies: Rule Name: Create a name meaningful to you. This name is optional. Make a selection for "When," "Condition," and "Value" to create a condition for your rule.
value. Once you have established the condition for your configuration rule, choose from the other tabs to set the desired configuration. All of the tabs have the same configuration options shown above in the WAN Configuration section (i.e., the options for Configuration Rules are the same as they are for individual devices). Client Data Usage Client Data Usage displays upload and download traffic for each LAN client. Click Enable Client Data Usage Monitoring Service to begin tracking this information.
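An added example (my code, not Cradlepoint's) of the ordering rule described above, in Python: every rule whose condition matches a WAN device contributes its settings, later rules override earlier ones, and a helper flags the mistake of placing a broad rule below a narrower one. The attribute names the conditions examine (Type, Unique ID) and the five operators (is, is not, starts with, contains, ends with) are taken from the WAN Binding condition editor elsewhere in this manual and assumed to apply here; the rules and devices are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Condition operators; assumed to be the same five the WAN Binding editor offers.
CONDITIONS = {
    "is": lambda attr, value: attr == value,
    "is not": lambda attr, value: attr != value,
    "starts with": lambda attr, value: attr.startswith(value),
    "contains": lambda attr, value: value in attr,
    "ends with": lambda attr, value: attr.endswith(value),
}


@dataclass
class ConfigRule:
    name: str
    when: str                      # device attribute the condition looks at (assumed names)
    condition: str
    value: str
    settings: Dict[str, object] = field(default_factory=dict)

    def applies_to(self, device: Dict[str, str]) -> bool:
        return CONDITIONS[self.condition](str(device.get(self.when, "")), self.value)


def effective_config(rules: List[ConfigRule], device: Dict[str, str]) -> Tuple[Dict[str, object], List[str]]:
    """Walk the list top to bottom: every matching rule is applied and settings
    farther down the list override earlier ones, as the manual describes."""
    config: Dict[str, object] = {}
    applied: List[str] = []
    for rule in rules:
        if rule.applies_to(device):
            config.update(rule.settings)
            applied.append(rule.name)
    return config, applied


def specificity_warnings(rules: List[ConfigRule], devices: List[Dict[str, str]]) -> List[str]:
    """Flag pairs where a broader rule sits below a narrower one that sets the same
    keys: the broad rule would then silently win for every device matching both."""
    warnings = []
    for i, narrow in enumerate(rules):
        for broad in rules[i + 1:]:
            narrow_set = {d["Unique ID"] for d in devices if narrow.applies_to(d)}
            broad_set = {d["Unique ID"] for d in devices if broad.applies_to(d)}
            if narrow_set and narrow_set < broad_set and set(narrow.settings) & set(broad.settings):
                warnings.append("%r overrides the more specific %r for %s"
                                % (broad.name, narrow.name, sorted(narrow_set)))
    return warnings


# Constructed sample rules (most general first) and devices; attribute names are illustrative.
RULES = [
    ConfigRule("all devices", "Type", "contains", "",                 # "" is contained in anything
               {"Priority": 50, "Load Balance": False, "Force NAT": False}),
    ConfigRule("wired uplinks", "Type", "is", "ethernet", {"Priority": 10}),
    ConfigRule("all modems", "Type", "is", "modem", {"Priority": 90, "Idle Check Interval": 30}),
    ConfigRule("backup carrier modem", "Unique ID", "starts with", "mdm-carrierB",
               {"Priority": 80, "Force NAT": True}),
]
DEVICES = [
    {"Type": "ethernet", "Unique ID": "eth-wan0"},
    {"Type": "modem", "Unique ID": "mdm-carrierA-01"},
    {"Type": "modem", "Unique ID": "mdm-carrierB-02"},
]

if __name__ == "__main__":
    for dev in DEVICES:
        print(dev["Unique ID"], effective_config(RULES, dev))
    print("warnings for reversed list:", specificity_warnings(list(reversed(RULES)), DEVICES))
```

Running the check against the same rules in reverse order reports four overrides, and the carrier-B modem ends up with Priority 50 and Force NAT off: the specific rule was applied, then overwritten by the catch-all beneath it. That is the failure the "general at the top, specific at the bottom" convention exists to prevent.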
creating data usage rules. Warning: You should set your data limits lower than your carrier data allowance and regularly compare the numbers provided by the router with the numbers from your carrier. Data Usage Rules The Data Usage Rule display shows basic information for each rule you have created (including rules created with a template). The following information is displayed: Rule Name Enabled: True/False Date for Rule Reset Cycle Type: Daily, Weekly, or Monthly Cap: Amount in MB.
Rule Name: Give your rule a name for later recognition. WAN Selection: Select from the dropdown list of currently attached WAN devices. Assigned Usage in MB: Enter a cap amount in megabytes. 1024 megabytes equals 1 gigabyte. Rule Enabled: (Default: Enabled.) Click to disable. Use with Load Balancing: When checked, the Load Balancing feature is allowed to use the thresholds and metrics of this rule when making balance decisions.
Daily Weekly Monthly Cycle Start Date: Select the date you wish the rule to begin. This date will be used to track when the rule will reset. Shutdown WAN on Cap: If selected, the WAN device will shut down when the assigned usage is reached. A cycle reset or a rule deletion will re-enable the device. Send Alert on Cap: An email alert will be generated and sent when the assigned usage is reached. WARNING: The SMTP mail server must be configured in System Settings → Device Alerts.
All Ethernet All Modems Select one of these types. The rest of the rule settings options match those in the Data Usage Rules. See the section above for additional information about how to configure your template usage rules. Historical Data If you have a Data Usage Rule enabled for an active WAN device, the Historical Data graph displays. This graph shows the MB/sec trend for the last day.
In order to set up a tunnel you must configure the following: Local Network and Remote Network addresses for the “Glue Network,” the network that is created by the administrator that serves as the “glue” between the networks of the tunnel. Each address must be a different IP address from the same private network, and these addresses together form the endpoints of the tunnel. Remote Gateway, the public facing WAN IP address that the local gateway is going to connect to.
10.0.0.0 - 10.255.255.255 172.16.0.0 - 172.31.255.255 192.168.0.0 - 192.168.255.255 Remote Network: This is the remote side of the “Glue Network.” Again, the user must create an IP address that is distinct from the IP addresses of the networks that are being glued together. The Remote Network and Local Network values will be flipped when inputted for the other side of the tunnel configuration. Subnet Mask: This is the subnet mask for the Glue Network.
Tunnel Enabled: Select to activate the tunnel. Add/Edit Tunnel – Routes Adding routes allows you to configure what types of network traffic from the local host or hosts will be allowed through the tunnel. Click Add Route to configure a new route. You will need to input the following information, defined by the remote network: Network Address – This is the network address that is the destination of the route. This should be set to the network address at the remote side of the tunnel.
Enabled: Select to enable GRE Keep Alive to continually send keep-alive packets to the remote peer. Rate: Choose the length of time in seconds for each check (Default: 10 seconds. Range: 2 – 3600 seconds). Retry: Select the number of attempts before the GRE tunnel is considered down or up (Default: 3. Range: 1 – 255). Failover Tunnel and Failback Tunnel: Use these settings to create two tunnels – one as the primary tunnel and one as the backup tunnel.
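A pre-flight check for the tunnel definition above, as added Python (my code, not Cradlepoint's): it applies the manual's constraints on the Glue Network (two distinct addresses from one private network), confirms each Route is a network address that does not overlap the local LANs, and catches the classic GRE misconfiguration of routing the Remote Gateway itself through the tunnel, which the manual does not call out but which takes the tunnel down as soon as it comes up. The keep-alive bounds are the ranges given above; the field names and the sample tunnels are constructed.

```python
import ipaddress
from typing import Dict, List

PRIVATE_RANGES = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def validate_gre_tunnel(tunnel: Dict, local_lans: List[str]) -> List[str]:
    """Return the list of problems found; an empty list means the definition looks sane."""
    problems: List[str] = []
    try:
        local = ipaddress.IPv4Address(tunnel["local_network"])
        remote = ipaddress.IPv4Address(tunnel["remote_network"])
        glue = ipaddress.IPv4Network("%s/%s" % (local, tunnel["subnet_mask"]), strict=False)
        gateway = ipaddress.IPv4Address(tunnel["remote_gateway"])
    except (KeyError, ValueError) as exc:
        return ["unparseable tunnel definition: %s" % exc]

    # Glue Network rules from the manual: distinct addresses, same private network
    if local == remote:
        problems.append("local and remote glue addresses are identical")
    if remote not in glue:
        problems.append("remote glue address %s is outside the glue network %s" % (remote, glue))
    for addr in (local, remote):
        if not any(addr in net for net in PRIVATE_RANGES):
            problems.append("glue address %s is not from a private range" % addr)
    lans = [ipaddress.IPv4Network(lan) for lan in local_lans]
    for lan in lans:
        if glue.overlaps(lan):
            problems.append("glue network %s overlaps local network %s" % (glue, lan))
    if gateway in glue:
        problems.append("remote gateway %s lies inside the glue network" % gateway)

    # Routes: must be network addresses, must not swallow the tunnel's own transport or a local LAN
    for route in tunnel.get("routes", []):
        try:
            net = ipaddress.IPv4Network("%s/%s" % (route["network"], route["netmask"]))  # strict
        except ValueError:
            problems.append("route %s/%s is not a network address" % (route["network"], route["netmask"]))
            continue
        if gateway in net:
            problems.append("route %s contains the remote gateway; the tunnel would carry its own transport" % net)
        for lan in lans:
            if net.overlaps(lan):
                problems.append("route %s overlaps local network %s" % (net, lan))

    # Keep-alive bounds as documented: rate 2-3600 seconds, retry 1-255
    keepalive = tunnel.get("keepalive")
    if keepalive and keepalive.get("enabled"):
        if not 2 <= keepalive.get("rate", 0) <= 3600:
            problems.append("keepalive rate must be 2-3600 seconds")
        if not 1 <= keepalive.get("retry", 0) <= 255:
            problems.append("keepalive retry must be 1-255")
    return problems


# Constructed samples (not from the manual).
LOCAL_LANS = ["192.168.0.0/24"]
SAMPLE_TUNNEL = {
    "local_network": "192.168.100.1", "remote_network": "192.168.100.2",
    "subnet_mask": "255.255.255.252", "remote_gateway": "198.51.100.20",
    "routes": [{"network": "10.20.0.0", "netmask": "255.255.0.0"}],
    "keepalive": {"enabled": True, "rate": 10, "retry": 3},
}
BROKEN_TUNNEL = dict(SAMPLE_TUNNEL,
                     remote_network="192.168.100.1",                        # same as local
                     routes=[{"network": "10.20.0.1", "netmask": "255.255.0.0"},      # host bits set
                             {"network": "198.51.100.0", "netmask": "255.255.255.0"}],  # covers the gateway
                     keepalive={"enabled": True, "rate": 1, "retry": 3})   # below the 2 s minimum

if __name__ == "__main__":
    print("sample:", validate_gre_tunnel(SAMPLE_TUNNEL, LOCAL_LANS))
    print("broken:", validate_gre_tunnel(BROKEN_TUNNEL, LOCAL_LANS))
```

The far side of the tunnel uses the same definition with Local Network and Remote Network swapped and the other router's WAN address as Remote Gateway, so the same check can be run on both halves before either is submitted. Remember that GRE itself offers no confidentiality or integrity; if the routes above carry anything sensitive across the public WAN, run the GRE tunnel inside the IPsec VPN described later in this section.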
Once you have a valid feature license, click Add to create a new L2TP tunnel. Click Edit to make changes to an existing tunnel. Add/Edit Tunnel – General Tunnel Name – Enter a name to uniquely identify this tunnel. LNS address – Enter the IP Address of the LNS (tunnel server) peer. MTU – Set the maximum transmission unit (MTU) for the L2TP tunnel. MRU – Set the maximum receive unit (MRU) to request from the tunnel peer.
Add/Edit Tunnel – Authentication Remote Name – Authorization name specified by and to the remote system as its identity, sometimes a username or hostname. Leave blank to match any. Local Name – Authorization name specified by and to the remote system as the local system identity; sometimes a username or hostname. Leave blank to match any. Secret – Shared secret (or password) used to authenticate the associated Local and Remote names. Overrides Override Authentication methods/parameters.
Network Address – This is the network address that is the destination of the route. This should be set to the network address at the remote side of the tunnel. Netmask – This is the corresponding subnet mask of the network being defined. Network Mobility (NEMO) NOTE: NEMO requires a feature license not included with ECM Prime. Go to System Settings → Feature Licenses to enable this feature. Network Mobility (NEMO) is an Internet standards track protocol defined in RFC 5177.
Network Mobility (NEMO) Settings Home IP Address and Home Netmask – These may be provided by your NEMO service provider. The IP address is a placeholder, “dummy” address; any IP address can be used (1.2.3.4 is common). Home Agent IP Address, Home Agent Password, and Home Agent SPI – Your home agent will be defined by your NEMO service provider. Renew Registration – The NEMO network regularly re-registers with the home agent (e.g., every 30 seconds). Specify the number of seconds between each check-in.
Licenses to enable this feature. Next Hop Resolution Protocol is a protocol used to discover addresses of clients on Non-Broadcast Multiple Access (NBMA) networks. It is used to create next-generation VPN technologies that allow shortcutting between spokes. With NHRP, systems attached to an NBMA network dynamically learn the NBMA address of the other systems that are part of that network, allowing these systems to directly communicate without requiring an intermediate hop.
Holding Time: Specifies the holding time for NHRP registration requests and resolution replies. Shortcut-Destination: Reply with authoritative answers on NHRP resolution requests destined to addresses in this interface (instead of forwarding the packets). Non-Caching: Disables caching of peer information from forwarded NHRP resolution reply packets. Shortcut: Enable creation of shortcut routes. Redirect: Enable sending of proprietary enterprise-style NHRP traffic indication packets.
Once you have a valid feature license, click Add to create a new OpenVPN tunnel. Click Edit to make changes to an existing tunnel. Add/Edit Tunnel – General Tunnel Enabled – Click to enable/disable this tunnel. Tunnel Name – Enter a name to uniquely identify this tunnel. Tunnel Mode – Select which mode this tunnel endpoint is required to be. Choose from the following: Client Server Local Tunnel Address – Enter the IPv4 address assigned to this end of the tunnel.
IPv6 Tunnel Address and Tunnel Prefix Length for IPv6. Tunnel Protocol – Choose UDP or TCP. Configuration Mode – Simple configuration requires the least amount of configuration for the tunnel, while advanced allows for a more detailed setup. Ping – (Displays if the Configuration Mode is Advanced) If no packets have been sent in the amount of time entered, a ping is sent to the remote endpoint.
If the Configuration Mode is set to Simple, you have the option to set the TLS-Auth Key. If the Configuration Mode is set to Advanced, set any of the following: Root Certificate Client Certificate Client Key TLS-Auth Key DH Parameters VPN Tunnels VPN (virtual private network) tunnels are used to establish a secure connection to a remote network over a public network.
Add/Edit Tunnel – General Tunnel Name: Give the tunnel a name that uniquely identifies it. Anonymous Mode: Select to allow remote connections from any IP address. Responder Mode: When enabled, the router will not initiate negotiation with peers; otherwise it starts negotiations as soon as possible. Local Identity: Specifies the identifier sent to the remote host during phase 1 negotiation. If left blank it will default to the IP address of the WAN connection.
Pre-Shared Key: Create a password or key. The routers on both sides of the tunnel must use this same key. Mode: Tunnel or Transport. Tunnel Mode is used for protecting traffic between different networks, when traffic must pass through an intermediate, untrusted network. Transport Mode is used for end-to-end communications (for example, for communications between a client and a server). Initiation Mode: Always On or On Demand.
Unique ID – Select by ID. This is generated by the router and displayed when the device is connected to the router. Condition: Select “is,” “is not,” “starts with,” “contains,” or “ends with” to create your condition’s statement. Value: If the correct values are available, select from the dropdown list. You may need to manually input the value. Invert WAN Binding: Advanced option that inverts the meaning of WAN Binding to only establish this tunnel when the specified WAN Binding device(s) are NOT connected.
The Network Address and the Netmask define the remote network address range that local devices will have access to via the VPN tunnel. NOTE: the remote network IP address MUST be different from the local network IP address. Optionally: A Port can be defined that will limit the traffic going through the VPN tunnel to only that port. If the field is left blank, any port will be accepted by the tunnel. Add/Edit Tunnel – IKE Phase 1 IKE security has two phases, phase 1 and phase 2.
Exchange Mode: The IKE protocol has two modes of negotiating phase 1 – Main (also called Identity Protection) and Aggressive. In Main mode, IKE separates the key exchange from the identity exchange, so the identities of the peers are protected at the expense of extra packet exchanges. In Aggressive mode, IKE packs as much information as possible into fewer packets while maintaining security. Aggressive mode is slightly faster but less secure, because the identities are exchanged before the channel that would protect them is established.
SHA1, SHA2 256, SHA2 384, SHA2 512. Note that some Encryption/Hash combinations (e.g., 3DES with SHA2 384/512) are computationally expensive, impacting WAN performance. AES is as strong as 3DES and performs much better. DH Groups: The DH (Diffie-Hellman) Group is a property of IKE and is used to determine the length of the prime numbers associated with key generation. The strength of the key generated is partially determined by the strength of the DH Group.
Perfect Forward Secrecy (PFS): Enabling this feature will require IKE to generate a new set of keys in phase 2 rather than using the same key generated in phase 1. Additionally, with this option enabled the new keys generated in phase 2 are exchanged in an encrypted session. Enabling this feature affords the policy greater security. Key Lifetime: The lifetime of the generated keys of phase 2 of the IPsec negotiation from IKE. After the time has expired, IKE will renegotiate a new set of phase 2 keys.
Failover Tunnel and Failback Tunnel: Use these settings to create two tunnels – one as the primary tunnel and one as the backup tunnel. To configure tunnel failover/failback, complete the following steps: 1. Create two tunnels: one for primary and one for backup. Make sure that both tunnels have the same Remote Network and that both have Dead Peer Detection enabled. 2. Choose one to be the primary tunnel. Open the editor for this tunnel and make sure Tunnel Enabled is selected.
the other side: The Local Identity must match the Remote Identity on the other side of the tunnel, and vice versa. In this case, these identities can each be a simple word. 2. The Tunnel Name for the side of the tunnel that is not behind the NAT firewall must be “anonymous.” 3. The VPN tunnel must be initiated from the side that is behind the NAT firewall.
Name: Give a name for your rule that is meaningful to you. DSCP (DiffServ): Differentiated Services Code Point is the successor to TOS (Type of Service). Use this field to select traffic based on the DSCP header in each IP packet. This field is sometimes set by latency-sensitive equipment such as VoIP phones. If you know specific DSCP values, you can input one here. DSCP Negate: When checked, this rule will match any packet that does NOT match the DSCP field.
Source IP Address: 192.168.10.0 Source Netmask: 255.255.255.0 Failover: (Default: Selected.) When this is selected and traffic from the chosen WAN device for this rule is interrupted, the router will fail over to another available WAN device. Deselect this option to restrict this traffic to only the selected WAN interface. WAN Binding Type: You have several options for specifying the type of WAN interface(s) you want associated with your rule.
WiFi as WAN uses an outside WiFi network as its Internet source. When WiFi as WAN is enabled, the router will find other WiFi networks that you can select and connect to. Unless a selected WiFi source is on an unprotected network, you will need to know its password or key. To enable WiFi as WAN, first select the desired WiFi radio: WiFi Radio #1 (2.4 GHz) WiFi Radio #2 (5 GHz) All Cradlepoint routers and some other routers use the same default IP address for the primary network: 192.168.0.1.
to a hidden network using WiFi as WAN. It is optional when connecting to a visible network. If it is set in a profile, both the SSID and BSSID must match to connect to an access point. If the BSSID is not set in a profile, then the router will connect to any access point that matches the given SSID. Auth Mode: The type of encryption that is used by the network.
SYSTEM SETTINGS The System Settings section of the Administration Pages provides access to tools for broad administrative control of the router.
Advanced Security Mode – Select to enable the following additional security features and options: TACACS+ and RADIUS server authentication options; an option for multiple users; increased password security (minimum 7 characters, with at least 1 alpha and 1 numeric character, and a 30-minute lockout after 6 failed login attempts). Admin Password – Enter a password for the administrator who will have full access to the router's management interface.
In TACACS+ and RADIUS modes, if the servers cannot be reached, either because the WAN is down or a response is not received within the selected Server Timeout, the router will automatically fall back to using Local Users mode to prevent any potential of being locked out. TACACS+ TACACS+ stands for “Terminal Access Controller Access-Control System plus”. The router will use a TACACS+ server (or two, optionally) to authorize administration.
Server Timeout – If the servers are not reached within the set time (possibly because the WAN is down), the router will automatically fall back to using Local Users mode to prevent users from being locked out. Server Address – This can be either an IP address in the form of "1.2.3.4", or a DNS name in form of "host.domain.com". Only lower case letters are allowed for a DNS name. Port – Port 1812 is common for RADIUS servers.
Daylight Savings Time – Select this checkbox if your location observes daylight saving time. Local Management Enable Internet Bounce Pages – Bounce pages show up in your web browser when the router is not connected to the Internet. They inform you that you are not connected and try to explain why. If you disable bounce pages then you will just get the usual browser timeout. In the normal case when the router is connected to the Internet you don't see them at all.
Allow WAN pings – When enabled, an external WAN client can ping the router. Allow Remote Web Administration – When remote administration is enabled, these administration web pages can be reached from the Internet. With it disabled, you must be a client on the local network to access the administration website. For security, remote access is usually done via a non-standard HTTP port. Additionally, encrypted connections can be required for an added level of security.
General Settings Enable GPS – Enable support for querying GPS information from capable modems. TAIP Vehicle ID # – Assign a 4-character ID (default ID is 0000) to use with TAIP. TAIP options are available for the COR IBR1100 Series only. See the TAIP section below for more information. GPS Servers and GPS Clients GPS reporting requires separate software to listen/query for NMEA (or TAIP) sentences.
Enable this Server – Select to enable. Server Name – Create a name for this server. Only letters, numerals, and underscores are allowed. Enable GPS server on LAN – Enables a TCP server on the LAN side of the firewall, which will periodically send GPS sentences to connected clients. Enable GPS server on WAN – Enables a TCP server on the WAN side of the firewall, which will periodically send GPS sentences to connected clients. Port – Choose a port between 1 and 65535.
Prepend System ID – Include the router's "System ID" sentence with every GPS message. This can be useful when a single remote client is handling GPS position reports from multiple routers. This simply prepends the system id and a comma ahead of the GPS sentence. Report NMEA GGA sentences – Report GPS fix using NMEA GGA sentence format (if available). Report NMEA RMC sentences – Report GPS fix using NMEA RMC sentence format (if available).
Report TAIP PV sentences – Position/Velocity Solution Reporting Intervals The device sends GPS sentence reports at either a specified time interval or specified distance interval for: Default Time Interval (seconds) – Set the interval in seconds between periodic GPS sentence reports. Select the longest interval practical for your application. A shorter interval uses more router resources and bandwidth; frequent reports may cause performance and/or availability issues. (Disable by setting this value to 0.
Enable this Server – Select to enable. Keep GPS Active – Keep the GPS receiver active at all times, even if no destination exists for position messages. This will place additional load on the router similar to sending reports to a remote server, but without consuming the network bandwidth. Client Name – Create a name for this client. Only letters, numerals, and underscores are allowed. Server – This client must have a remote server to report to. Enter a hostname or IP address.
Some devices report GPS information with multiple NMEA (National Marine Electronics Association) sentence formats: GGA, RMC, and VTG. See the examples below. For more examples and information about NMEA sentences, see the following websites:
http://aprs.gids.nl/nmea/
http://www.gpsinformation.org/dale/nmea.htm#nmea
GGA $GPGGA – Essential fix data including 3D location and accuracy information
Example: $GPGGA,1753405,4916.450,N,12311.127,W,2,06,1.5,117.3,M,-26.574,M,6.
A  Navigation receiver warning: A = OK, V = warning
4916.45,N  Latitude 49 deg. 16.45 min North
12311.12,W  Longitude 123 deg. 11.12 min West
000.5  Speed over ground, knots
054.7  Course made good, true
191194  Date of fix – 19 November 1994
020.3,E  Magnetic variation: 20.3 degrees East
*68  Checksum; mandatory for RMC
VTG $GPVTG – Vector track and speed over ground
Example: $GPVTG,054.7,T,034.4,M,005.5,N,010.2,K
Sample Data  Description
054.7,T  Track, degrees relative to true north
034.
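The GGA, RMC and VTG formats above, together with the Prepend System ID option described under the GPS server settings, as a parser. This is an added example, not Cradlepoint code: it verifies the NMEA checksum, treats the checksum as mandatory for RMC only (as the table states), and strips an optional `<system id>,` prefix whose layout is assumed from the option's description. The sample sentences are constructed from the field values in the tables; the RMC time field and the GGA time and DGPS fields are assumed, not taken from the manual.

```python
"""Parse the NMEA sentences a GPS server or client emits: GGA, RMC and VTG.

Added example, not Cradlepoint code. Assumes the "Prepend System ID" option yields
"<system id>,<sentence>" (assumption) and that a checksum, when present, follows '*'.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed samples built from the field values in the tables above; the RMC time
# field (225446) and the GGA time/DGPS fields are assumed, not taken from the manual.
SAMPLE_RMC = "$GPRMC,225446,A,4916.45,N,12311.12,W,000.5,054.7,191194,020.3,E*68"
SAMPLE_VTG = "$GPVTG,054.7,T,034.4,M,005.5,N,010.2,K"
SAMPLE_GGA = "$GPGGA,170834,4916.450,N,12311.127,W,2,06,1.5,117.3,M,-26.574,M,6,0138"


def nmea_checksum(body: str) -> str:
    """XOR of every byte between '$' and '*', rendered as two upper-case hex digits."""
    cs = 0
    for b in body.encode("ascii"):
        cs ^= b
    return f"{cs:02X}"


def ddmm_to_degrees(value: str, hemisphere: str) -> float:
    """Convert NMEA (d)ddmm.mmmm plus N/S/E/W into signed decimal degrees."""
    whole, _, frac = value.partition(".")
    degrees = int(whole[:-2])
    minutes = float(whole[-2:] + "." + (frac or "0"))
    result = degrees + minutes / 60.0
    return -result if hemisphere in ("S", "W") else result


@dataclass
class Fix:
    system_id: Optional[str]   # router System ID when the sentence carried the prefix
    kind: str                  # "GGA", "RMC" or "VTG"
    fields: Dict[str, object] = field(default_factory=dict)


def parse_sentence(line: str) -> Fix:
    line = line.strip()
    system_id: Optional[str] = None
    if not line.startswith("$"):
        # Prepend System ID form: "<system id>,$GP..." (assumed layout)
        system_id, sep, rest = line.partition(",$")
        if not sep:
            raise ValueError("no NMEA sentence found")
        line = "$" + rest
    body, star, given = line[1:].partition("*")
    if star and given[:2].upper() != nmea_checksum(body):
        raise ValueError(f"checksum mismatch: got {given[:2]}, want {nmea_checksum(body)}")
    f = body.split(",")
    kind = f[0][2:]  # drop the two-letter talker id (GP)
    fix = Fix(system_id, kind)
    if kind == "RMC":
        if not star:
            raise ValueError("RMC sentence without its mandatory checksum")
        if f[2] != "A":
            raise ValueError("receiver warning (V): fix not valid")
        fix.fields = {"lat": ddmm_to_degrees(f[3], f[4]), "lon": ddmm_to_degrees(f[5], f[6]),
                      "speed_knots": float(f[7]), "course_true": float(f[8]), "date_ddmmyy": f[9]}
    elif kind == "GGA":
        fix.fields = {"lat": ddmm_to_degrees(f[2], f[3]), "lon": ddmm_to_degrees(f[4], f[5]),
                      "fix_quality": int(f[6]), "satellites": int(f[7]),
                      "hdop": float(f[8]), "altitude_m": float(f[9])}
    elif kind == "VTG":
        fix.fields = {"track_true": float(f[1]), "track_magnetic": float(f[3]),
                      "speed_knots": float(f[5]), "speed_kmh": float(f[7])}
    else:
        raise ValueError(f"unsupported sentence type {kind!r}")
    return fix


if __name__ == "__main__":
    for sample in (SAMPLE_RMC, "AER3100-lab," + SAMPLE_RMC, SAMPLE_VTG, SAMPLE_GGA):
        print(parse_sentence(sample))
```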
SMS is a slow protocol. It can take seconds or up to a few minutes for messages to be delivered. SMS messages are not encrypted; they are sent in full readable text over the network. Enable SMS support – SMS support is enabled by default on the router. Deselect this to disable. Password – By default, the password is the last eight characters of the router’s MAC address (i.e., the Default Password on the product label). You can change this password to anything between 1 and 16 characters.
How to Text from an Email Account NOTE: There are limitations with sending texts via email. The SMS engine is currently only compatible with GSM-based carrier operators. 1. Start a new email message. 2. In the To field, enter the modem’s MDN plus the modem’s carrier domain name (e.g., 2085555555@txt.att.net). 3. Enter the password and command in either the Subject field or Body of the email message. If you use the subject field, leave the body blank, and if you use the body, leave the subject blank.
Example: 1234,restore,
rstatus – Get router status
Syntax: ,rstatus,
Example: 1234,rstatus,
mstatus – Get modem status (port parameter optional)
Syntax: ,mstatus,[port,]
Examples:
1234,mstatus, //return status of highest priority modem
1234,mstatus,usb1, //return status of modem plugged into port usb1
This command returns info about the indicated modem’s status. The resulting data reflects the modem model number, service type, and connection status and values.
1234,mreboot, //reboot the highest priority modem
1234,mreboot,usb1, //reboot the modem plugged into port usb1
apn – Set the modem’s APN (port parameter optional)
Syntax: ,apn,,[port,]
Examples:
1234,apn,myapn@apn.com, //set APN of highest priority modem
1234,apn,myapn@apn.
Sending log information via SMS messages will likely result in several text messages. Please be aware of the costs of text messages on the modem’s account, and use this command only if necessary. *The “port” parameter is optional. It specifies which port – and therefore which modem – to perform the action on. If not given, the action will happen on the highest priority modem. Sample Debug Session The following is an example of a debug session to discover that a modem’s APN is misconfigured and needs to be set.
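A parser for the comma-delimited SMS command grammar above (password, command, optional parameters, trailing comma), added here as an example and not the router's own code. The command table is built from the syntax lines above, the password is compared in constant time, and all message strings are constructed.

```python
import hmac

# Command table built from the syntax lines above: name -> (positional parameters, takes an
# optional trailing port). Constructed for this example; the router's own dispatch is not published.
COMMANDS = {
    "rstatus": (0, False),
    "mstatus": (0, True),
    "mreboot": (0, True),
    "apn": (1, True),
    "restore": (0, False),
}


def parse_sms_command(text: str, expected_password: str):
    """Return (command, params, port) for a message such as '1234,mstatus,usb1,'.

    Raises ValueError for anything outside the documented grammar. Since SMS travels in
    clear text, a caller should never echo the password or the reason back to the sender.
    """
    text = text.strip()
    if not text.endswith(","):
        raise ValueError("message must end with a trailing comma")
    parts = text[:-1].split(",")
    if len(parts) < 2:
        raise ValueError("message needs at least a password and a command")
    if any(p == "" for p in parts):
        raise ValueError("empty field in message")
    password, command, *rest = parts
    if not 1 <= len(password) <= 16:
        raise ValueError("password must be 1 to 16 characters")
    # Constant-time comparison so reply timing does not reveal how many characters matched.
    if not hmac.compare_digest(password.encode(), expected_password.encode()):
        raise ValueError("password mismatch")
    if command not in COMMANDS:
        raise ValueError(f"unknown command {command!r}")
    n_params, takes_port = COMMANDS[command]
    port = None
    if takes_port and len(rest) == n_params + 1:
        port = rest.pop()  # the extra trailing parameter is the optional port, e.g. usb1
    if len(rest) != n_params:
        raise ValueError(f"{command} expects {n_params} parameter(s)")
    return command, rest, port


if __name__ == "__main__":
    for msg in ("1234,mstatus,usb1,", "1234,apn,myapn@apn.com,", "1234,rstatus,"):
        print(msg, "->", parse_sms_command(msg, "1234"))
```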
System Logging Logging Level: Setting the log level controls which messages are stored or filtered out. A log level of Debug will record the most information while a log level of Critical will only record the most urgent messages. Each level includes all messages from all of the levels below it on the list (e.g. “Warning” includes all “Error” and “Critical” messages as well).
verbose log file to the root level of an attached USB stick. Please disable the feature before removing the USB stick, or you may lose some logging data. Verbose modem logging: Only enable this option if instructed by a Cradlepoint support agent. Create support log: This functionality allows for a quick collection of system logging. Create this log file when instructed by a Cradlepoint support agent. Router Services By default, router services (Enterprise Cloud Manager, NTP, etc.
degrees Celsius. To convert these values to Fahrenheit, multiply by 9, divide by 5, and then add 32 (i.e., F = (9/5) C + 32). You can also use an online conversion tool. The table below gives a few reference points:
°C    °F    Description
100   212   Boiling point of water
37    98.6  Body temperature
21    70    Approximate room temperature
0     32    Freezing point of water
Minimum Temperature: (Default: 10 °C.) If the device drops to this temperature, an alert will automatically be generated.
Certificate Management Through the Cradlepoint administration pages you now have the ability to create, manage, sign, and import/export X.509 certificates – frequently referred to as SSL certificates – under Network Settings → Certificate Management. Our implementation integrates an OpenSSL toolkit solution. It includes the ability to create your own CA certificates and self-signed certificates.
Not all Certificate Management options displayed here are currently available via the Enterprise Cloud Manager configuration pages. Create Certificates Complete the following fields to create certificates locally, including CA (certificate authority) certificates. To create local certificates without sending signature requests to a third-party CA, first create a CA certificate with this interface and then create additional certificates that you sign with your CA: Step 1: Create a CA certificate.
General Description Name: Choose a name meaningful to you. Issuer Set as CA certificate: Select if the certificate you are creating is intended to be a CA. Sign with CA certificate: Select to sign this certificate with a CA you created previously. Certificate Name: Select your CA certificate from the dropdown list of local certificates.
Country Name: 2-letter country code (e.g., AU, UK, US) State or Province Name: The name of your state or region Local Name: Generally the city or town Organization Name: Company name Organization Unit: Company division name Common Name: Must be unique; if used for authentication, this must match the configured Common Name (CN) on the third-party authenticator Email Address Validity Days: Input the number of days the certificate should remain valid (999 days maximum).
security. More security requires more router resources. MD5 SHA-128 SHA-256 Local Certificates This is a table of local certificates, including certificate details. Remove a local certificate by selecting the certificate and clicking the Remove button. Name: Friendly description of the certificate. Country: (C) The certificate owner’s country of residence. State or Province: (ST) the certificate owner’s state or province of residence Location: (L) The certificate issuer’s locality (city, town, etc.). Org.
a name that is meaningful to you. Export Select a local certificate from the dropdown list and download it to your computer or local device in PEM format. Import/Export PKCS #12 Format Certificates PKCS #12 is one of the public-key cryptography standards. PKCS #12 files bundle certificates and their private keys in a single archive file. The PKCS #12 container format is more secure than the PEM container format because the archive is encrypted under a password.
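The Step 1/Step 2 flow above (a local CA certificate, then a certificate signed with it), the digest choice, the PEM output and the PKCS #12 export, reproduced with the openssl command-line tool. This is an added example, not the router's implementation; it assumes an openssl binary on PATH, and every subject, file name and password in it is a constructed placeholder.

```python
"""The manual's two-step flow (CA certificate, then a certificate signed by it) driven
through the openssl CLI, with PEM output and PKCS #12 export. Added example, not
Cradlepoint's implementation; requires an openssl binary on PATH. Every subject,
file name and password below is a constructed placeholder."""
import os
import subprocess
import tempfile

MAX_VALIDITY_DAYS = 999  # the manual's upper bound for "Validity Days"

# Minimal req config so the CA certificate gets CA:TRUE regardless of the system openssl.cnf.
CA_CONFIG = """[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
"""
LEAF_EXTENSIONS = """basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
"""

def _openssl(workdir, *args):
    r = subprocess.run(["openssl", *args], cwd=workdir, check=True, capture_output=True, text=True)
    return r.stdout

def subject(country, state, locality, org, unit, common_name, email):
    """The same fields the Create Certificates form asks for, as an openssl -subj string."""
    return f"/C={country}/ST={state}/L={locality}/O={org}/OU={unit}/CN={common_name}/emailAddress={email}"

def create_local_pki(workdir, ca_subject, device_subject, days, p12_password):
    days = str(min(days, MAX_VALIDITY_DAYS))
    with open(os.path.join(workdir, "ca.cnf"), "w") as fh:
        fh.write(CA_CONFIG)
    with open(os.path.join(workdir, "leaf.ext"), "w") as fh:
        fh.write(LEAF_EXTENSIONS)
    # Step 1: self-signed CA certificate. SHA-256 digest; MD5 is collision-prone and unsafe here.
    _openssl(workdir, "req", "-x509", "-config", "ca.cnf", "-newkey", "rsa:2048", "-nodes",
             "-sha256", "-days", days, "-subj", ca_subject, "-keyout", "ca.key", "-out", "ca.pem")
    # Step 2: device key and CSR, then sign the CSR with the local CA (device.pem is PEM output).
    _openssl(workdir, "req", "-new", "-config", "ca.cnf", "-newkey", "rsa:2048", "-nodes",
             "-sha256", "-subj", device_subject, "-keyout", "device.key", "-out", "device.csr")
    _openssl(workdir, "x509", "-req", "-in", "device.csr", "-CA", "ca.pem", "-CAkey", "ca.key",
             "-CAcreateserial", "-sha256", "-days", days, "-extfile", "leaf.ext", "-out", "device.pem")
    # PKCS #12 export: certificate, private key and issuing CA in one password-protected archive.
    _openssl(workdir, "pkcs12", "-export", "-in", "device.pem", "-inkey", "device.key",
             "-certfile", "ca.pem", "-out", "device.p12", "-passout", f"pass:{p12_password}")

def verify_chain(workdir):
    """True when device.pem chains to ca.pem, the check a peer performs on the router's certificate."""
    return _openssl(workdir, "verify", "-CAfile", "ca.pem", "device.pem").strip().endswith(": OK")

def signature_algorithm(workdir, cert="device.pem"):
    text = _openssl(workdir, "x509", "-in", cert, "-noout", "-text")
    return next(ln.split(":", 1)[1].strip() for ln in text.splitlines() if "Signature Algorithm:" in ln)

def pkcs12_opens(workdir, password):
    """True when the PKCS #12 archive decrypts with this password, False otherwise."""
    try:
        _openssl(workdir, "pkcs12", "-in", "device.p12", "-nokeys", "-passin", f"pass:{password}")
        return True
    except subprocess.CalledProcessError:
        return False

def demo(days=365, p12_password="constructed-p12-pass"):
    """Run the whole flow in a throwaway directory and return the checks worth asserting on."""
    workdir = tempfile.mkdtemp(prefix="aer3100-pki-")
    ca = subject("US", "Idaho", "Boise", "Example Co", "Lab", "Example Lab CA", "pki@example.test")
    dev = subject("US", "Idaho", "Boise", "Example Co", "Lab", "aer3100.example.test", "pki@example.test")
    create_local_pki(workdir, ca, dev, days, p12_password)
    return {"chain_ok": verify_chain(workdir),
            "signature_algorithm": signature_algorithm(workdir),
            "p12_right_password": pkcs12_opens(workdir, p12_password),
            "p12_wrong_password": pkcs12_opens(workdir, "not-the-password")}
```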
NOTE: This article may contain links that direct you to non-Cradlepoint, Inc. owned websites, and these links are not under the control of Cradlepoint, Inc. or any of its representatives. Cradlepoint, Inc. is not responsible for the content of any linked site or any link contained in a linked site or any changes or updates to such sites outside of cradlepoint.com. Cradlepoint is providing these links as a convenience, and the inclusion of any link does not imply endorsement of the site by Cradlepoint, Inc.
System Reboot Occurred: This router has rebooted. This depends on NTP being enabled and available to report the correct time. Unrecognized MAC Address: Used with the MAC monitoring lists. An alert is sent when a new unrecognized MAC address is connected to the router. WAN Device Status Change: An attached WAN device has changed status. The possible statuses are plugged, unplugged, connected, and disconnected. Configuration Change: A change to the router configuration.
To Address: Your email address Once you have filled in the information for the SMTP server, click on the “Verify SMTP Settings” button. You should receive a test email at your account. Delivery Options (Advanced) Email Subject Prefix: This optional string is prefixed to the alert subject. It can be customized to help you identify alerts from specific routers. Retry Attempts: The number of attempts made to send an alert to the mail server. After the attempts are exhausted, the alert is discarded.
Suspending the ECM Client – Click on the Suspend Client button to stop communication between the device and ECM. Suspending the client will make it stop any current activity and go dormant. It will not attempt to contact the server while suspended. This is a temporary setting that will not survive a router reboot; to disable the client altogether use the Advanced Enterprise Cloud Manager Settings panel (below).
Hotspot Mode: Choose from the following dropdown options: Simple: Allows “Terms of Use” page and timeout settings controlled within the router. RADIUS/UAM: Allows you to set up external authentication servers. Local IP Network: A single LAN Group – including both WiFi and Ethernet – can be configured as your hotspot.
Display: This section allows you to choose if a "Terms of Use" page will be given to the user connecting to the hotspot. Internal Terms of Use: fill in your own terms of use. External Terms of Use: specify a URL that has the Terms of Use page; users will automatically be directed to this page. No Terms of Use: redirect only. Redirection on Successful Authentication: Depending on your choice for the “Terms of Use” page, you have further options for where the user will be directed.
Allowed Hosts Prior to Authentication Adding hostnames to this list will allow access from your network to any external domain or website prior to being authenticated. For example, a hotel might allow access to its own website prior to authentication. Click Add to enter new hostnames you wish to allow. Enter the hostname or domain name of the website you wish to allow, e.g. www.company.com or company.com. To allow all domain and sub-domain options, use a wildcard, e.g. *.company.com.
Enabling this service is not necessary when accessing serial through SSH. LAN: Enable serial redirector for LAN connections. Authenticated LAN: Enable serial redirector for Authenticated LAN connections. You must be logged into the router to use the redirector. WAN: Enable serial redirector for WAN connections. Server Port: Enter a port number for the redirector to use. (Default: 7218) SNMP Configuration SNMP, or Simple Network Management Protocol, is an Internet standard protocol for remote management.
Get community string: The “Get community string” is used to read SNMP information from the router. This string is like a password, but it is transmitted in clear text with no protection. Set community string: The “Set community string” is used when writing SNMP settings to the router. This string is also like a password; it is a good idea to make it different from the “Get community string.” SNMPv3 If you select SNMPv3, you have several additional configuration options for added security.
System Name: Input the router’s hostname. System Location: Input the physical location of the router. This is simply a string for your own information. System Control Restore to Factory Defaults: This changes all settings back to their default values. Reboot The Device: This causes the router to restart. Advanced Control: System Automatic Reboot, Ping Test Scheduled Reboot: This causes the router to restart at a user-determined time.
System Software This allows the administrator to load new firmware onto the router to add new features or fix defects. If you are happy with the operation of the router, you may not want to upgrade just because a new version is available. Check the firmware release notes (cradlepoint.com/firmware) for information to decide if you should upgrade. Current Firmware Version: Shows the number of the current firmware and the date it was updated.
Backup Current Settings: Click on “Save to disk” to save your current settings to a file on a computer. Restore Settings: Click on “Upload from file” to restore your previous settings from a file on a computer. Firmware Upgrade and System Config Restore Load new firmware and restore your previous settings from a file on a computer without rebooting between steps.