GW1000 Series User Manual Issue: 2.
1 Introduction

This user manual describes the features of Virtual Access GW1000 Series routers and how to configure them. Designed for managed network providers, GW1000 Series routers provide secure WAN connectivity for internet and private networking environments over 3G or 4G broadband paths and incorporate optional 802.11n WiFi connectivity.

1.
2 GW1000 Series hardware

2.1 Hardware specification

2.1.
2.3 RS232 mode pin-out on the GW1000

RJ45 Pin   Name      Direction
1          RTS       Out
2          DTR       Out
3          TX Data   Out
4          GND       -
5          GND       -
6          RX Data   In
7          DSR       In
8          CTS       In

Table 1: RS232 mode pin-out on the GW1000

2.
• 802.11g data rate to 54Mbps
• Up to 15dBm output power

2.7 Power supply

The GW1000W Series router has three power supply options:

• 100V-240V AC PSU (standard)
• 100V-240V AC PSU with extended temperature support -20°C to +70°C
• 10V-30V DC power lead

2.8 Dimensions

Unit size: 113W 113D 28H mm
Unit weight: 500g

2.
2.12 Components

To enable and configure connections on your router, it must be correctly installed. The GW1000 Series router contains an internal web server that you use for configurations. Before you can access the internal web server and start the configuration, ensure the components are correctly connected and that your PC has the correct networking setup.
5. Gently push the SIM card into SIM slot 2 until it clicks in.

2.14 Connecting the SIM lock

Connect the SIM lock using the Allen key provided.

2.15 Connecting cables

Connect one end of the Ethernet cable into port A and the other end to your PC or switch.

2.16 Connecting the antenna

If only connecting one antenna, screw the antenna into the MAIN SMA connector.
3 GW1000 Series LED behaviour

3.1 Main LED behaviour

There are five LEDs on the GW1000.

Figure 2: LEDs on the GW1000

3.2 Power and configuration LED

The power and configuration LED is either flashing or solid depending on the router’s status. The GW1000 Series takes approximately 2 minutes to boot up. During this time, the power LED flashes.
3.4 Signal strength LEDs

There are two signal strength LEDs. They are both green.

LEDs Colour Status
Green            Off/off   No signal detected.
Green flashing   Off/on    Low signal strength.
Green flashing   On/off    Medium signal strength.
Green            On/on     Good signal strength.

Table 8: Signal strength LED status descriptions

3.5 WiFi LED

The WiFi LED indicator is blue.
4 Factory configuration extraction from SIM card

Virtual Access routers have a feature to update the factory configuration from a SIM card. This allows you to change the factory configuration of a router when installing the SIM.

6. Make sure the SIM card you are inserting has the required configuration written on it.
7. Ensure the router is powered off.
5 Accessing the router

Access the router using either Ethernet or the 3G/4G interface.

5.1 Over Ethernet

The CLI can also be accessed over Ethernet, by default using Secure Shell (SSH) and optionally over Telnet.

To access the CLI over Ethernet, start an SSH client and connect to the router’s management IP address, on port 22: 192.168.100.1/24.
6 Upgrading router firmware

6.1 Upgrading firmware using the web interface

Copy the new firmware issued by Virtual Access to a PC connected to the router.

In the top menu, select System tab > Backup/Flash Firmware.

Figure 5: The system menu

The Flash operations page appears.

Figure 6: The flash operations page

Under Flash new firmware image, click Choose File or Browse.
Note: the button will vary depending on the browser you are using.

Select the appropriate image and then click Flash Image. The Flash Firmware – Verify page appears.

Figure 7: The flash firmware - verify page

Click Proceed. The System – Flashing… page appears.
6.2 Upgrading firmware using CLI

To upgrade firmware using CLI, you will need a TFTP server on a connected PC.

Open an SSH or Telnet session to the router. Enter the relevant username and password.

To change into the temp folder, enter:

    cd /tmp

To connect to your TFTP server, enter:

    atftp x.x.x.x

(where x.x.x.x is the IP of your PC). Press Enter.
7 File system

7.1 Configurations

Configurations are stored in folders at: /etc/conf/factconf, /etc/conf/config1 and /etc/conf/config2

Multiple configuration files exist in each folder. Each file contains configuration parameters for different areas of functionality in the system.

A symbolic link exists at: /etc/conf/config, which always points to one of factconf, config1 or config2.
    root@VA_router:~# vacmd set next config [factconf|config1|config2]

Image files

The system allows for two firmware image files named image1 and image2. One is the current image that is running and the other is the alternate image.

7.1.2 Configuration file syntax

The configuration files consist of sections that contain one or more config statements.
    option example "value"
    option "example" 'value'
    option 'example' "value"

In contrast, the following examples are not valid syntax:

    option 'example' value
        Missing quotes around the value.
    option 'example" "value'
        Quotes are unbalanced.

It is important to know that identifiers and config file names may only contain the characters a-z, 0-9 and _.
Options:
    -c   set the search path for config files (default: /etc/config)
    -d   set the delimiter for list values in uci show
    -f   use as input instead of stdin
    -L   do not load any plugins
    -m   when importing, merge data into an existing package
    -n   name unnamed sections on export (default)
    -N   don't name unnamed sections
    -p   add a search path for config
    root@VA_router:~# uci commit

7.1.3.1 Command line utility examples

To export an entire configuration, enter:

    root@VA_router:~# uci export

To export the configuration for a single package, enter: uci export .

    root@VA_router:~# uci export system
    package system

    config system 'main'
            option hostname 'VA_router'
            option zonename 'Europe/Dublin'
            option timezone 'GMT0IST,M3.5.0/1,M10.5.
To display just the value of an option, enter:

    root@VA_router:~# uci get system.main.hostname
    VA_router

7.1.4 Configuration copying and deleting

Manage configurations using directory manipulation.
    root@VA_router:~# cat /etc/config/dropbear
    config dropbear
            option PasswordAuth 'on'
            option BannerFile '/etc/banner'
            option RootPasswordAuth 'yes'
            option IdleTimeout '1800'
            option Port '22'

To view files in the current folder, enter ls:

    root@VA_router:/# ls
    bin      etc   lib      opt   sbin  usr
    bkrepos  home  linuxrc  proc  sys   var
    dev      init  mnt      root  tmp   www

Other common Linux commands are
    root@VA_router:~# cp /etc/config2/* /etc/config1/

7.1.8 Editing files

The config can be edited using uci commands or via the web GUI.

7.1.9 Processes and jobs

To view scheduled jobs, enter:

    root@VA_router:~# crontab -l

Note: currently there are no scheduled jobs.
    root@VA__router:~# vacmd show vars
    VA_SERIAL: 00E0C8121215
    VA_MODEL: GW6610-ALL
    VA_ACTIVEIMAGE: image2
    VA_ACTIVECONFIG: config1
    VA_IMAGE1VER: VIE-16.00.44
    VA_IMAGE2VER: VIE-16.00.44
    VA_BLDREV: 91a7f87ed61ca919e78f1c8e3cb840264f4887bb
    VA_REGION: EU
    VA_WEBVER: 00.00.00
    VA_HWREV: a
    VA_TOPVER: 16.00.44

Shows the general software and configuration details of the router.
8 Command Line Interface

8.1 Basics

The system has an SSH server typically running on port 22.

The system provides a Unix command line. Common Unix commands are available such as ls, cd, cat, top, grep, tail, head, more. Typical pipe and redirect operators are available: >, >>, <, |

For configuration, the system uses the “Unified Configuration Interface” (UCI).
    root@VA_router:/# cat /etc/ppp/options
    logfile /dev/null
    nocrtscts
    lock
    debug
    refuse-chap
    kdebug 7
    record /tmp/ppp.
To view currently running processes:

    root@VA_router:/# ps
    PID  Uid   VmSize Stat Command
      1  root     356 S    init
      2  root         DW   [keventd]
      3  root         RWN  [ksoftirqd_CPU0]
      4  root         SW   [kswapd]
      5  root         SW   [bdflush]
      6  root         SW   [kupdated]
      8  root         SW   [mtdblockd]
     89  root     344 S    logger -s -p 6 -t
     92  root     356 S    init
     93  root     348 S    syslogd -C 16
     94  root     300 S    klogd
    424  root     320 S
    root@VA_router:/# uci show network
    network.loopback=interface
    network.loopback.ifname=lo
    network.loopback.proto=static
    network.loopback.ipaddr=127.0.0.1
    network.loopback.netmask=255.0.0.0
    network.lan=interface
    network.lan.ifname=eth0
    network.lan.proto=dhcp
    network.wan=interface
    network.wan.username=foo
    network.wan.password=bar
    network.wan.proto=3g
    network.wan.
timeserver.@timeserver[0] for the first or timeserver.@timeserver[7] for the last one. You can also use negative indexes, such as timeserver.@timeserver[-1]. "-1" means "the last one", and "-2" means "the second-to-last one". This is useful when appending new rules to the end of a list. See examples below.
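A configuration review over `uci show` output in the format described above, including anonymous `@type[index]` sections, written here as an added example (not code from this manual or from Virtual Access). The sample text is constructed from option names shown in this manual; the function names and the choice of checks are assumptions made for illustration.

```python
import re

# One line of `uci show` output: package.section[.option]=value
# The section is either a name (main) or an anonymous reference (@dropbear[0]).
LINE_RE = re.compile(
    r"^(?P<pkg>[A-Za-z0-9_]+)\."
    r"(?P<sec>@?[A-Za-z0-9_]+(?:\[\d+\])?)"
    r"(?:\.(?P<opt>[A-Za-z0-9_]+))?"
    r"=(?P<val>.*)$"
)

# UCI booleans are written in several spellings ('on', 'yes', '1', ...).
TRUE_VALUES = {"1", "yes", "on", "true", "enabled"}
# Review policy (assumption of this example): option names that hold secrets,
# and the dropbear options that allow password logins over SSH.
CREDENTIAL_OPTIONS = {"password", "pincode"}
SSH_PASSWORD_OPTIONS = {"PasswordAuth", "RootPasswordAuth"}

# Constructed sample, not captured from a device.
SAMPLE_SHOW = """\
dropbear.@dropbear[0]=dropbear
dropbear.@dropbear[0].PasswordAuth=on
dropbear.@dropbear[0].RootPasswordAuth=yes
dropbear.@dropbear[0].IdleTimeout=1800
dropbear.@dropbear[0].Port=22
system.main=system
system.main.hostname='VA_router'
system.main.password=admin
network.wan=interface
network.wan.proto=3g
network.wan.username=foo
network.wan.password=bar
"""

# Constructed sample of a configuration that raises no findings.
HARDENED_SHOW = """\
dropbear.@dropbear[0]=dropbear
dropbear.@dropbear[0].PasswordAuth=off
dropbear.@dropbear[0].RootPasswordAuth=no
dropbear.@dropbear[0].Port=22
system.main=system
system.main.hostname=VA_router
"""


def parse_uci_show(text):
    """Return {(package, section): {"type": str, "options": {name: value}}}."""
    sections = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"not a uci show line: {line!r}")
        value = m["val"].strip()
        # Some uci versions quote values in `show` output; drop one matching pair.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        entry = sections.setdefault((m["pkg"], m["sec"]),
                                    {"type": None, "options": {}})
        if m["opt"] is None:
            entry["type"] = value          # package.section=type
        else:
            entry["options"][m["opt"]] = value
    return sections


def is_true(value):
    return value.strip().lower() in TRUE_VALUES


def audit(sections):
    """Return (path, issue, shown_value) tuples; secret values are never echoed.

    Only options present in the input are evaluated; defaults that apply when
    an option is absent are outside the scope of this example.
    """
    findings = []
    for (pkg, sec), entry in sorted(sections.items()):
        for opt, val in sorted(entry["options"].items()):
            path = f"{pkg}.{sec}.{opt}"
            if opt.lower() in CREDENTIAL_OPTIONS and val:
                findings.append((path, "credential stored in the configuration",
                                 "<redacted>"))
            if pkg == "dropbear" and opt in SSH_PASSWORD_OPTIONS and is_true(val):
                findings.append((path, "SSH password login enabled", val))
    return findings


if __name__ == "__main__":
    for path, issue, shown in audit(parse_uci_show(SAMPLE_SHOW)):
        print(f"{path}: {issue} ({shown})")
```

Save the output of `uci show` from a router to a file and pass its contents to `parse_uci_show` to run the same review on a real configuration.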
    -S   disable strict mode
    -X   do not use extended syntax on 'show'

Command  Target  Description
[]  Writes changes of the given configuration file, or if none is given, all configuration files, to the filesystem. All "uci set", "uci add", "uci rename" and "uci delete" commands are staged into a temporary location and written to flash at once with "uci commit".
8.
will be combined into a single list of values with the same order as in the configuration file.

The indentation of the option and list statements is a convention to improve the readability of the configuration file but it is not syntactically required.

Usually you do not need to enclose identifiers or values in quotes.
8.5.1 Export an entire configuration

    root@VA_router:~# uci export httpd
    package 'httpd'

    config 'httpd'
            option 'port' '80'
            option 'home' '/www'
    root@VA_router:~#

To show the configuration ‘tree’ for a given config, enter:

    root@VA_router:~# uci show httpd
    httpd.@httpd[0]=httpd
    httpd.@httpd[0].port=80
    httpd.@httpd[0].home=/www
    root@VA_router:~#

8.5.
9 Management configuration settings

This section details the configuration sections and parameters which are required to manage and monitor the device using Activator and Monitor.

Activator is a Virtual Access proprietary provisioning system, where specific router configurations and firmware can be stored.
Name         Type     Required  Default  Description
Configured   boolean  yes       no       Set to yes to make the autoload sequence process this entry.
SegmentName  string   yes       (none)   Where the downloaded file should be stored (config1 | config2 | altconfig | image1 | image2 | altimage). Typically only altconfig and altimage are used.

$$.ini – request configuration
$$.
    root@VA_router:/# uci export autoload
    package 'autoload'

    config 'core' 'main'
            option 'Enabled' "yes"
            option 'StartTimer' "10"
            option 'RetryTimer' "30"
            option 'NumberOfRetries' "5"
            option 'BackoffTimer' "15"
            option 'BootUsingConfig' "altconfig"
            option 'BootUsingImage' "altimage"

    config 'entry'
            option 'Configured' "yes"
            option 'SegmentName' "altconfig"
            option 'RemoteF
list SecureFileServer   integer  no   no      Specifies the IP address of Secure Activator that uses port 443.
ActivatorDownloadPath   string   yes  (none)  Specifies the url on Activator to which the client should send requests.
SecureDownload          boolean  no   no      Enables Secure Download (port 443).
    package httpclient

    config core 'default'
            option Enabled 'yes'
            list FileServer '10.1.83.36:80'
            list FileServer '10.1.83.37:80'
            list SecureFileServer '10.1.83.36:443'
            list SecureFileServer '10.1.83.37:443'
            option ActivatorDownloadPath '/Activator/Sessionless/Httpserver.
    root@VA_router:~# uci show monitor
    monitor.main=keepalive
    monitor.main.enable=yes
    monitor.main.interval_min=1
    monitor.main.dev_reference=mikesamazondev
    monitor.main.monitor_ip=10.1.83.
Figure 10: The system page

In the Hostname field, type a relevant host name.

In the Timezone dropdown menu, select the relevant time zone.

Click Save.

Name        Type     Required  Default          Description
hostname    string   no        (none)           Enables the hostname for this system.
buffersize  integer  no        kernel specific  Specifies the size of the kernel message buffer.
conloglevel and will override it.
log_file  string      no  /var/log/messages  Defines which file to write log messages to (type file).
log_ip    IP address  no  (none)             Specifies IP address of a syslog server to which the log messages should be sent in addition to the local destination.
    system.main.log_port=514
    system.main.password=admin
    system.main.time_save_interval_min=10
    system.ntp=timeserver
    system.ntp.interval_hours=2
    system.ntp.server=0.openwrt.pool.ntp.org

    package 'system'

    config 'system' 'main'
            option 'hostname' "VA_router"
            option 'timezone' "UTC"
            option 'log_ip' "10.1.83.
for the user.
linuxuser  Boolean  No  Yes  Specifies if access permissions for the user.

Note:
• webuser will only work if linuxuser is set to 'yes'
• chapuser will only work if linuxuser is set to 'no'

This first example shows a defined user called ‘test’. The user has a defined password ‘password’. They are also granted web access to the box.
9.4.2 UCI export and UCI show commands

Run UCI export or show commands to see management user UCI configuration settings.
    management_users.@user[1].smsuser=0
    management_users.@user[1].linuxuser=no
    management_users.@user[1].srphash=0:2de6Dk6D4tFo8oVfb2iuY6aRj2cAoPeo2DAdCRc ReBUc.9Px56rNmamtaBx7BiQIzNisYFJFVdhH6H0Z/Ys9RzU1SJrMVpmQZkJwqlB1tA.F7O.tf1 VkGnXyiTLSCN68iJ.SltDDqeOprmLo/IW9Ub7.qop44Ml3g6S5QJxpu.N5sLzpSvER.kAFNPR/D mK9D/.
DHCP specifies the interface protocol, DHCP in this example
eth0.1 is the physical interface associated with this section

The interface protocol may be one of the following shown in the table below.

Protocol  Description                                            Program
static    Static configuration with fixed address and netmask.  ip/ifconfig
dhcp      Address and netmask are assigned by DHCP.
9.5.3 9.5.4 9.5.5 Protocol "static"

Name       Type        Required                   Default  Description
ipaddr     ip address  yes, if no ip6addr is set  (none)   Defines the IP address.
netmask    netmask     yes, if no ip6addr is set  (none)   Specifies Netmask.
gateway    ip address  no                         (none)   Defines the default gateway.
broadcast  ip address  no                         (none)   Defines broadcast address.
cdma/evdo, umts, gprs.
apn       string  yes    (none)  Sets the APN to use.
pincode   number  no     (none)  Sets the PIN code to unlock SIM card.
maxwait   number  no     20      Specifies the number of seconds to wait for modem to become ready.
username  string  no(?)  (none)  Sets the username for PAP/CHAP authentication.

9.5.6
keeping normal internet connectivity. Each interface can have multiple aliases attached to it.

A minimal alias declaration consists of the following lines:

    network.@alias[0]=alias
    network.@alias[0].interface=lan
    network.@alias[0].proto=static
    network.@alias[0].ipaddr=10.0.0.1
    network.@alias[0].netmask=255.255.255.
addresses
Selects the interface to attach to for stacked protocols (tun over bridge over eth, ppp over eth or similar).

layer  integer  no  3
    3: attach to layer 3 interface (tun*, ppp* if parent is layer 3 else fallback to 2).
    2: attach to layer 2 interface (br-* if parent is bridge else fallback to layer 1).
    1: attach to layer 1 interface (eth*, wlan*).
10 DHCP server and DNS configuration

Dynamic Host Configuration Protocol (DHCP) server is responsible for giving out IP addresses to hosts. IPs can be given out on different interfaces and different subnets. You can manually configure lease time as well as setting static IP to host mappings.
    dhcp.@dnsmasq[0].leasefile=/tmp/dhcp.leases
    dhcp.@dnsmasq[0].resolvfile=/tmp/resolv.conf.auto
    dhcp.@dnsmasq[0].
/etc/hosts.
Cachelocal  boolean  no  1       When set to 0, uses each network interface's dns address in the local /etc/resolv.conf. Normally, only the loopback address is used, and all queries go through dnsmasq.
cachesize   integer  no  150     Sets the size of dnsmasq query cache.
dhcp_boot   string   no  (none)  Specifies BOOTP options, in most cases just the file name.
not interface.
leasefile  file path  no  (none)  Stores DHCP leases in this file.
Local      string     no  (none)  Looks up DNS entries for this domain from /etc/hosts. This follows the same syntax as server entries, see the man page.
responses, required for DNS based blacklist services, only takes effect if rebind protection is enabled.
rebind_domain  list of domain names  no  (none)  Specifies a list of domains to allow RFC1918 responses for, only takes effect if rebind protection is enabled.

10.2
Name         Type
dhcp_option  list of strings
dynamicdhcp  boolean
force        boolean
ignore       boolean
Interface    logical interface name
Leasetime    string
Limit        integer

Required  Default  Description
(none)  Enables additional options to be added for this network-id. For example with '26,1470' or 'option:mtu, 1470' you can assign an MTU per DHCP.
address of the underlying interface to calculate the minimum address that may be leased to clients. It may be greater than 255 to span subnets.

10.3 Static leases

You can assign fixed IP addresses to hosts on your network, based on their MAC (hardware) address.

The configuration options in this section are used to construct a –G option for dnsmasq.
11 VLAN configuration

11.1 VLAN web interface

You can configure VLANs through three sections:

• Native VLAN
• VLAN Definition
• Port Description

• Native VLAN

Figure 11: The native VLAN section

The Native VLAN section specifies the native VLAN to be used. This VLAN will be sent untagged across the trunk link.

Note: you must create the VLAN before setting it as native.
Name                Type           Required  Default  Description
802.1Q VLAN ID      Numeric value  No        Blank    Defines VLAN number. The VLAN will be referred to using this number.
VLAN Priority       Numeric value  No        Blank    Specifies 802.1p VLAN priority tag on trunk links.
Isolate From Trunk  Boolean        No        Blank    Defines whether to isolate hosts from each other within the same VLAN.
11.4 VLANs UCI interface

You can configure VLANs through CLI.

The VLAN configuration file is stored at: /etc/config/portvlan

    ~# uci export portvlan
    package portvlan

    config vlan
            option vlanid '1'
            option name 'vlan1'
            option ipaddr '192.168.1.1'
            option netmask '255.255.255.0'
            option isolate 'no'

    config vlan
            option vlanid '2'
            option name 'vlan2'
            option ipaddr '192.168.2.
    root@VA_router:~# uci show portvlan
    portvlan.@vlan[0]=vlan
    portvlan.@vlan[0].vlanid=1
    portvlan.@vlan[0].name=vlan1
    portvlan.@vlan[0].ipaddr=192.168.1.1
    portvlan.@vlan[0].netmask=255.255.255.0
    portvlan.@vlan[0].isolate=no
    portvlan.@vlan[1]=vlan
    portvlan.@vlan[1].vlanid=2
    portvlan.@vlan[1].name=vlan2
    portvlan.@vlan[1].ipaddr=192.168.2.1
    portvlan.@vlan[1].netmask=255.255.255.
11.4.1 config port

Name   Type     Required  Default  Description
port   Text     Yes       Blank    Specifies which physical port on the front panel of the router will be assigned to which VLAN
trunk  Boolean  No        Blank    Configures the port as a trunk port.
       Numeric value/text  Yes  Blank  Specifies what VLANs will be assigned to a physical port on the router.
12 Static routes configuration

Static routes can be added to the routing table to forward traffic to specific subnets when dynamic routing protocols are not used or they are not configured for such subnets. They can be created based on outgoing interface or next hop IP address.

12.
route.
metric  number  no  0              Specifies the route metric to use.
mtu     number  no  interface MTU  Defines a specific MTU for this route.

12.2 IPv6 routes

IPv6 routes can be specified as well by defining one or more route6 sections. A minimal example is shown below.

    network.@route6[0]=route6
    network.@route6[0].interface=lan
    network.@route6[0].
Dropbear is the software module that implements SSH on the system. The dropbear section contains these settings:

Name     Type     Required  Default  Description
enable   boolean  no        1        Enables dropbear. Set to 0 to disable starting dropbear at system boot.
verbose  boolean  no        0        Enables verbose. Set to 1 to enable verbose output by the start script.
13 BGP (Border Gateway Protocol)

13.1 Configuring the BGP web interface

In the top menu, select Network -> BGP. BGP configuration page appears.

Figure 14: BGP page

To configure global BGP settings, click Add.

Figure 15: BGP global settings page

Name         Type       Required  Default    Description
BGP Enabled  Check box  Yes       Unchecked  Enables BGP protocol.
byte format 0.0.0.0.
Autonomous System Number  Integer  Yes  None  Defines ASN for local router.
Network                   Integer  Yes  None  Sets network that will be advertised to neighbours in prefix format 0.0.0.0/0. Ensure network prefix matches the one shown in routing table. See Routes section below.

When you have made your changes, click Save.

13.
case of IP address and BGP Community values is parsed as list of items to match.
Set Option | Dropdown Menu | No | None | Available options are: None, IP Next Hop, Local Preference, MED, Route Weight, BGP MED, AS path to Prepend, BGP Community.
Set Value | Format depends on the Set Option chosen.
When you have made your changes, click Save.
13.
Figure 19: The routing table
13.5 BGP UCI interface
You can also configure BGP through the CLI using the UCI command suite.
package bgpd
config routing 'bgpd'
    option enabled 'yes'
    option router_id '3.3.3.3'
    option asn '1'
    list network '11.11.11.0/29'
    list network '192.168.103.1/32'
config peer
    option route_map_in 'yes'
    option ipaddr '11.11.11.
bgpd.ROUTEMAP.permit=yes
bgpd.ROUTEMAP.match_type=ip address
bgpd.ROUTEMAP.match=192.168.101.1/32
bgpd.ROUTEMAP.set_type=ip next-hop
bgpd.ROUTEMAP.set=150
To change any of the above values, use the uci set command.
_______________________________________________________________________________________________________
© Virtual Access 2015 GW1000 Series User Manual Issue: 2.
14: Configuring WiFi _______________________________________________________________________________________________________
14 Configuring WiFi
This section explains how to configure WiFi on a Virtual Access router using the web interface or via UCI.
14.1 Configuring WiFi through the web interface
WiFi can act as an Access Point (AP) to another device in the network or it can act as a client to an existing AP. You can configure WiFi in AP mode in two different ways:
14.
Figure 21: The common configuration physical settings page
Select Bridge Interfaces. In the Interface fields, you will see that the interface you are working on is already selected.
Name | Type | Required | Default | Description
Bridge Interfaces | Check box | Yes | Unchecked | Creates a bridge over specified interfaces.
Figure 22: The wireless overview page
To create a new WiFi interface, click Add. The Wireless Network page appears.
Figure 23: The wireless network page
In the Device Configuration section, ensure you have selected the General Setup tab.
In the Channel drop down menu, select the channel you require.
In the Transmit Power drop down menu, select the power rating you require.
Figure 24: The interface configuration page
Ensure you have selected the General Setup tab.
In the ESSID field, type [name of the wireless local area network].
In the Mode drop down menu, select Access Point.
Select one of the Ethernet interfaces to which the WiFi AP mode will be bridged.
Figure 25: The interface configuration page
In the Encryption drop down menu, select the encryption key.
In the Cipher drop down menu, select the cipher type.
Create an encryption key.
Click Save & Apply.
14.3 Configuring WiFi in AP mode on a new interface
In the top menu, select Network -> Wifi. The Wireless Overview page appears.
Figure 27: The wireless network page
In the Device Configuration section, ensure the General Setup tab is selected.
In the Channel drop down menu, select the channel you require.
In the Transmit Power drop down menu, select the power rating you require.
Name | Type | Required | Default | Description
Channel | Drop down menu | Yes | 11 (2.
Figure 28: The general set up tab
In the ESSID field, type [name of the wireless local area network].
In the Mode drop down menu, select Access Point.
In the unspecified –or- create: field, type the name of the new WiFi interface.
Name | Type | Required | Default | Description
ESSID | Drop down menu | Yes | Blank | Extended Service Set Identification.
Figure 29: The wireless security tab
In the Encryption drop down menu, select the encryption key. When you have entered the encryption type, the Cipher and Key fields appear.
In the Cipher drop down menu, select the cipher type.
Create an encryption key.
Click Save.
In the top menu, select Network -> Interfaces. The Interfaces Overview page appears.
Figure 31: The new interface page showing protocol button
Click Switch Protocol. The new interface configuration page appears.
IPv4 gateway | Numeric Value | No | N/A
IPv4 broadcast | Numeric Value | No | N/A
Use custom DNS servers | String | No | N/A
Accept router advertisements | Check box | No | N/A
Send router solicitations | Check box | No | N/A
DNS server IP address
Type in the Static IP address.
Type in the Network Mask.
Click Save & Apply.
Note: The router will now start the network package.
Figure 34: The wireless network page
In the Device Configuration section, ensure you have selected the General Setup tab.
In the Channel drop down menu, select the channel you require.
In the Transmit Power drop down menu, select the power rating you require.
Name | Type | Required | Default | Description
Channel | Drop down menu | Yes | 11 (2.
In the ESSID field, type [name of the wireless local area network].
In the Mode drop down menu, select Client.
In the unspecified –or- create: field, type the name of the new WiFi interface.
Name | Type | Required | Default | Description
ESSID | Drop down menu | Yes | Blank | Extended Service Set Identification.
Figure 35: The wireless page interface configuration section
In the Encryption drop down menu, select the encryption key. When you have entered the encryption type, the Cipher and Key fields appear.
In the Cipher drop down menu, select the cipher type.
Create an encryption key.
Click Save.
In the top menu, select Network -> Interfaces. The Interfaces Overview page appears.
Figure 37: The WClient interfaces page
In the Protocol drop down menu, select DHCP client. A ‘Switch Protocol’ button appears.
Click Switch Protocol.
Click Save & Apply.
Note: The router will now restart the network package. It may take up to one minute for connectivity to the router to be restored.
14.5 Configuring WiFi via UCI
14.5.
package network
config interface 'lan'
    option ifname 'eth0'
    option proto 'static'
    option ipaddr '192.168.100.1'
    option netmask '255.255.255.
To view UCI commands, enter:
uci show network
network.lan=interface
network.lan.ifname=eth0
network.lan.proto=static
network.lan.ipaddr=192.168.6.1
network.lan.netmask=255.255.255.0
network.lan.type=bridge
uci show wireless
wireless.radio0=wifi-device
wireless.radio0.type=mac80211
wireless.radio0.channel=11
wireless.radio0.phy=phy0
wireless.radio0.hwmode=11ng
wireless.radio0.
uci export wireless
package wireless
config wifi-device 'radio0'
    option type 'mac80211'
    option channel '11'
    option phy 'phy0'
    option hwmode '11ng'
    option htmode 'HT20'
    list ht_capab 'SHORT-GI-40'
    list ht_capab 'TX-STBC'
    list ht_capab 'RX-STBC1'
    list ht_capab 'DSSS_CCK-40'
    option txpower '17'
    option country 'US'
config wifi-iface
    option device 'radio0'
    option mode 'ap'
    option disabl
wireless.radio0.channel=11
wireless.radio0.phy=phy0
wireless.radio0.hwmode=11ng
wireless.radio0.htmode=HT20
wireless.radio0.ht_capab=SHORT-GI-40 TX-STBC RX-STBC1 DSSS_CCK-40
wireless.radio0.txpower=17
wireless.radio0.country=US
wireless.@wifi-iface[0]=wifi-iface
wireless.@wifi-iface[0].device=radio0
wireless.@wifi-iface[0].mode=ap
wireless.@wifi-iface[0].disabled=1
wireless.
    option txpower '17'
    option country 'US'
config wifi-iface
    option device 'radio0'
    option ssid 'Remote-AP'
    option mode 'sta'
    option network 'WCLIENT'
    option encryption 'psk2'
    option key 'testtest'
To view UCI commands, enter:
uci show network
network.WCLIENT=interface
network.WCLIENT.proto=dhcp
uci show wireless
wireless.radio0=wifi-device
wireless.radio0.type=mac80211
wireless.
15: Configuring a 3G/4G connection _______________________________________________________________________________________________________
15 Configuring a 3G/4G connection
In the top menu, select Network -> Interfaces.
Figure 38: The interfaces menu on a VA router
The Interfaces Overview page appears.
Figure 39: The interfaces overview page.
Click Edit on WAN or LAN to make your changes. For WAN connectivity, the Common Configuration page appears.
Figure 40: The common connectivity page
Ensure the General Setup tab is selected.
For single SIM implementation, in the SIM drop down menu, select SIM 1.
Enter the APN information and the PAP/CHAP username and password.
Click Save & Apply.
To enable 3G/4G connection to connect on boot up, select the Advanced Settings tab.
Select Bring up on boot.
Click Save & Apply.
Figure 41: The interfaces overview page
To view 3G/4G connectivity information, browse to Status -> 3G Stats.
Figure 42: The 3G information page
16: Configuring SMS _______________________________________________________________________________________________________
16 Configuring SMS
Browse to the router’s IP address and log in.
Select Service tab > Mobile Manager. The Mobile Manager page appears.
Figure 43: The mobile manager page
In the Basic Settings section, check the box beside SMS Enable.
In the Callers section, click Add to add caller numbers.
Add in specific caller numbers or use the wildcard symbol * as shown below.
Click Enable.
Parameter | Description
Name | Name assigned to caller.
Number | Number of caller allowed to SMS the router.
Enable | Enables or disables caller.
Respond | If checked, the router will return an SMS.
Table 13: Scripting commands and their descriptions
When you have made your changes, click Save & Apply and then reboot.
16.
17: Configuring Multi-WAN _______________________________________________________________________________________________________
17 Configuring Multi-WAN
Multi-WAN is used for managing WAN interfaces on the router, for example, 3G interfaces to ensure high-availability. You can customise Multi-WAN to various needs, but its main use is to ensure WAN connectivity and provide a failover system in the event of failure or poor coverage.
17.
Figure 48: Example interface showing failover traffic destination as the added multi-WAN interface
Name | Type | Required | Default | Description
Load Balancer Distribution | Dropdown list | No | 10 | Configures weight for loadbalancing. It is not applicable if you are using 2 SIM cards.
Attempts Before WAN Failover | Dropdown list | No | 3 | Sets the number of retries before the interface is considered a failure.
Attempts Before WAN Recovery | Dropdown list | Yes | 5 | Sets the number of healthy pings before the interface is considered healthy.
Figure 49: The multi-WAN traffic rules page
17.2 Multi-WAN UCI interface
Multi-WAN UCI configuration settings are stored in the following file:
/etc/config/multiwan
Run UCI export or show commands to see Multi-WAN UCI configuration settings. A sample is shown below.
    option ecio_threshold '-15'
    option ifup_timeout_sec '120'
~# uci show multiwan
multiwan.config=multiwan
multiwan.config.preempt=yes
multiwan.config.alt_mode=no
multiwan.config.enabled=yes
multiwan.wan=interface
multiwan.wan.disabled=0
multiwan.wan.health_interval=10
multiwan.wan.timeout=3
multiwan.wan.health_fail_retries=3
multiwan.wan.health_recovery_retries=5
multiwan.wan.
Icmp hosts | No | 3 secs | Sets Ping timeout.
timeout | No | 3 secs | Sets Ping timeout.
Health fail retries | Yes | 3 | Specifies the number of retries before the interface is considered a failure.
Health recovery retries | Yes | 5 | Specifies the number of healthy pings before the interface is considered healthy.
18: Automatic operator selection _______________________________________________________________________________________________________
18 Automatic operator selection
18.1 Introduction to automatic operator selection
This section describes how to configure and operate the Automatic Operator Selection feature of a Virtual Access router. When the roaming SIM is connected, the 3G module has the ability to scan available 3G networks.
interface was disconnected because ifup_retry_sec of Primary interface timed out then go back to step 1 and repeat the process.
The primary predefined interface is defined in the network package. Ensure the interface name matches the interface name defined in the multi-WAN package.
18.3.1.
and is first four alphanumeric characters of operator name (as reported by 'AT+COPS=?' command). Type the short operator name in lower case, for example:
Operator name | First four alphanumeric numbers
Vodafone UK | voda
O2 – UK | o2uk
Orange | oran
Table 16: Examples of operator names
From the Protocol dropdown menu, select UMTS/GPRS/EV-DO.
Click Save & Apply.
18.3.1.2 Setting multi-WAN options for primary predefined interface
On the web interface go to Network -> Multi-Wan. The Multi-WAN page appears.
Figure 53: The multi-WAN page
In the Multi-WAN page, click Add. The Multi-WAN page appears.
Figure 54: The multi-wan page
Check Enable.
Check Preempt.
Click Add. The Multi-WAN page appears.
Figure 55: The multi-WAN page
From the Health Monitor Interval dropdown menu, choose the interval that will be used to monitor the signal strength value.
From the Attempts Before WAN Failover dropdown menu, select the number of failed Health Monitor checks that will cause the interface to be disconnected.
In the Exclusive Group field, type in 3g.
From the dropdown menu, select the Choose Minimum ifup Interval option.
From the dropdown menu, select the Interface Start Timeout option.
From the dropdown menu, select the Signal Threshold option.
All available WAN interface options are described in the table below.
Figure 56: The mobile manager page
Under Basic Settings, click Add. The Basic settings for Mobile Manager page appears.
Figure 57: Basic settings field in the mobile manager page
Name | Type | Required | Default | Description
SMS Enable | Boolean | No | 1 | Enables SMS
Roaming SIM | Dropdown list | Yes | none | In which slot roaming sim-card is inserted
Collect ICCIDs | Boolean | No | 0 | Collect ICCIDs on startup from one (when 0) or from two SIMs (1)
Under Roaming Template Interface click Add. The Roaming Interface Template page appears.
Check the Interface Signal Sort checkbox, so that auto created interfaces are sorted in priority, based on signal strength value.
From the Roaming SIM dropdown menu, select the slot that the roaming SIM card should be inserted into.
Click the Firewall zone radio button to select the zone that the auto created interface will belong to.
Type in the CHAP username and password.
to APN.
Health Monitor Interval | Dropdown menu | Yes | 10 sec | Sets interval used to monitor signal strength.
Health Monitor ICMP Host(s) | Dropdown menu | No | none | Specifies target IP address for ICMP packets.
Health Monitor ICMP Timeout | Dropdown menu | Yes | 3 sec | Specifies ICMP timeout.
Check the Reboot now check box and then click Reboot.
18.3.2 PMP + roaming: pre-empt disabled
As in the previous section, multi-WAN connects the primary predefined interface and uses auto created interfaces. However, in this scenario, the auto created interface will not be disconnected as soon as the primary interface is available.
18.3.3 Roaming: no PMP defined
There is no primary interface that can be used for a connection. The router uses the network that offers the best signal threshold.
Multi-WAN operation
17. Connect to the first roaming operator interface.
18. Check for signal strength every 'health_interval'. If the signal goes down below 'signal_threshold'
19.
18.3.4 Disable roaming
There may be occasions where it is desirable to disable roaming. Use UCI on the command line to set the operator option value.
cd /etc/config
uci set network.Wan2.operator='foobar'
uci commit
Note: your changes will not take effect without the uci commit command.
19: Configuring IPSec _______________________________________________________________________________________________________
19 Configuring IPSec
IPSec tunnels are handled by strongSwan. You must configure three sections:
• Common settings
• Connection settings
• Secret settings
Common settings control the overall behaviour of strongSwan. Together, the connection and secret sections define the required parameters for a two way IKEv1 tunnel.
19.
An example of a typical set of common settings for strongSwan is shown below.
root@VA_router:~# uci show Strongswan.general
Strongswan.general=general
Strongswan.general.strictcrlpolicy=no
Strongswan.general.cachecrls=no
Strongswan.general.uniqueids=yes
Strongswan.general.
sha1-modp1536
DHGroup: modp1024, modp1536, modp2048, modp3072, modp4096, modp6144, modp8192
For example: aes128-shamodp1536.
Specifies the esp algorithm to use.
negotiate a replacement begin. yes keyingtries integer yes 9m 3 Relevant only locally, other end need not agree on it Syntax: timespec: 1d, 2h, 25m, 10s. Specifies how many attempts (a positive integer or %forever) should be made to negotiate a connection, or a replacement for one, before giving up. The value %forever means 'never give up'.
Strongswan.@connection[0].locallan=10.1.1.0
Strongswan.@connection[0].locallanmask=255.255.255.0
Strongswan.@connection[0].remoteid=10.2.2.2
Strongswan.@connection[0].remoteaddress=10.2.2.2
Strongswan.@connection[0].remotelan=10.2.2.2
Strongswan.@connection[0].remotelanmask=255.255.255.0
Strongswan.@connection[0].ike=3des-md5-modp1024
Strongswan.@connection[0].
    option 'dpddelay' "30s"
    option 'dpdtimeout' "120s"
19.3 Shunt connection
If the remote LAN network is 0.0.0.0/0 then all traffic generated on the local LAN will be sent via the IPSec tunnel. This includes the traffic destined to the router’s IP address. To avoid this situation you must include an additional config connection section.
strongswan.
Name | Type | Required | Default | Description
enabled | string | Yes | No | Defines whether this set of credentials is to be used or not.
Idtype | String | No | ipaddress | Defines whether IP address or userfqdn is used.
No | None | FQDN or Xauth name. This must match xauth_identity from the config ‘connection’ section.
If xauth is defined as the authentication method then you must include an additional config secret section, as shown in the example below.
strongswan.@secret[1].enabled=yes
strongswan.@secret[1].idtype=userfqdn
strongswan.@secret[1].userfqdn=testxauth
strongswan.@secret[1].remoteaddress=10.2.2.2
strongswan.@secret[1].secret=xauth
strongswan.@secret[1].
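The connection example in this chapter sets ike=3des-md5-modp1024. The following added example (not part of the manual or of the router's software) parses uci show strongswan output and flags proposals that use DES, 3DES, MD5 or a MODP group below 2048 bits. The weak-algorithm policy, the esp option name, the function names and the sample input are assumptions of this example.

```python
import re

# Policy for this example (an assumption, not taken from the manual).
WEAK_TOKENS = {
    "des": "single DES encryption",
    "3des": "3DES encryption",
    "md5": "MD5 integrity/PRF",
}
MIN_MODP_BITS = 2048
# 'ike' appears in the manual's example; 'esp' is an assumed option name.
PROPOSAL_OPTIONS = ("ike", "esp")

# package.section.option=value, where section may be anonymous: @connection[0]
LINE_RE = re.compile(
    r"^(?P<pkg>[\w-]+)\.(?P<section>@?[\w-]+(?:\[-?\d+\])?)"
    r"\.(?P<option>[\w-]+)=(?P<value>.*)$"
)

# Constructed sample in `uci show` format, modelled on the manual's example.
SAMPLE = """\
root@VA_router:~# uci show strongswan
Strongswan.@connection[0]=connection
Strongswan.@connection[0].remoteaddress=10.2.2.2
Strongswan.@connection[0].ike=3des-md5-modp1024
Strongswan.@connection[0].esp=aes128-sha1-modp1536
Strongswan.@connection[1]=connection
Strongswan.@connection[1].remoteaddress=10.3.3.3
Strongswan.@connection[1].ike='aes256-sha256-modp2048'
Strongswan.@connection[1].esp='aes256-sha256-modp2048'
"""


def parse_uci_show(text):
    """Return {(package, section): {option: value}} from `uci show` output."""
    sections = {}
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # prompts, blank lines and "package.section=type" lines
        value = match.group("value").strip().strip("'\"")
        key = (match.group("pkg").lower(), match.group("section"))
        sections.setdefault(key, {})[match.group("option")] = value
    return sections


def check_proposal(proposal):
    """Return findings for one proposal such as '3des-md5-modp1024'."""
    findings = []
    for token in proposal.lower().rstrip("!").split("-"):
        if token in WEAK_TOKENS:
            findings.append(WEAK_TOKENS[token])
        elif token.startswith("modp") and token[4:].isdigit():
            bits = int(token[4:])
            if bits < MIN_MODP_BITS:
                findings.append(
                    f"{bits}-bit MODP Diffie-Hellman group (below {MIN_MODP_BITS})"
                )
    return findings


def audit(text):
    """Return (section, option, proposal, finding) tuples for weak proposals."""
    results = []
    for (pkg, section), options in parse_uci_show(text).items():
        if pkg != "strongswan":
            continue
        for option in PROPOSAL_OPTIONS:
            value = options.get(option, "")
            # A value may hold several comma-separated proposals and a
            # trailing '!' (strict) marker.
            for proposal in value.rstrip("!").split(","):
                proposal = proposal.strip()
                if not proposal:
                    continue
                for finding in check_proposal(proposal):
                    results.append((section, option, proposal, finding))
    return results


if __name__ == "__main__":
    for section, option, proposal, finding in audit(SAMPLE):
        print(f"{section} {option}={proposal}: {finding}")
```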
20: Configuring firewall _______________________________________________________________________________________________________
20 Configuring firewall
The firewall itself is not required. It is a set of scripts which configure netfilter. If preferred, you can use netfilter directly to achieve the desired firewall behaviour.
Note: the UCI firewall exists to simplify the configuration of netfilter (for many scenarios) without requiring the knowledge to deal with the complexity of netfilter.
zone, if omitted, the value of name is used by default.
masq | boolean | 0 | Specifies whether outgoing zone traffic should be masqueraded (NATTED) - this is typically enabled on the wan zone.
masq_src | list of subnets | 0.0.0.0/0 | Limits masquerading to the given source subnets.
masq_dest | list of subnets
20.3
The iptables rules generated for this section rely on the state match which needs connection tracking to work. At least one of the src or dest zones needs to have connection tracking enabled through either the masq or the conntrack option.
20.4 Redirects
Port forwardings (DNAT) are defined by redirect sections.
limit | string | no | (none) | Sets maximum average matching rate; specified as a number, with an optional /second, /minute, /hour or /day suffix. Example 3/hour.
limit_burst | integer | no | 5 | Sets maximum initial number of packets to match. This number gets recharged by one every time the limit specified above is not reached, up to this number.
20.5
limit | string | no | (none) | Maximum average matching rate; specified as a number, with an optional /second, /minute, /hour or /day suffix. Example 3/hour.
limit_burst | integer | no | 5 | Maximum initial number of packets to match; this number gets recharged by one every time the limit specified above is not reached, up to this number.
20.6
config rule
    option src wan
    option dest_ip 88.77.66.55
    option target REJECT
Rules without IP addresses are automatically added to iptables and ip6tables, unless overridden by the family option. Redirect rules (port forwards) are always IPv4 since there is no IPv6 DNAT support at present.
20.8 Implications of DROP vs.
20.9 Note on connection tracking
By default, the firewall will disable connection tracking for a zone if no masquerading is enabled. This is achieved by generating NOTRACK firewall rules matching all traffic passing via interfaces referenced by the firewall zone.
config redirect
    option src wan
    option src_dport 80
    option proto tcp
    option dest_ip 192.168.1.10
The next example forwards one arbitrary port that you define to a box running ssh behind the firewall in a more secure manner because it is not using default port 22.
hides the local network from the Internet, SNAT hides the Internet from the local network. Source NAT and destination NAT are combined and used dynamically in IP masquerading to make computers with private (192.168.x.x, etc.) IP addresses appear on the Internet with the system's public WAN IP address.
20.10.
config rule
    option src lan
    option dest wan
    option src_ip 192.168.1.27
    option extra '-m time --weekdays Mon,Tue,Wed,Thu,Fri --timestart 21:00 --timestop 09:00'
    option target REJECT
20.10.8 Restricted forwarding rule
The example below creates a forward rule rejecting traffic from LAN to WAN on the ports 1000-1100.
config redirect
    option src lan
    option proto tcp
    option src_ip !192.168.1.100
    option src_dport 80
    option dest_ip 192.168.1.100
    option dest_port 3128
    option target DNAT
config redirect
    option dest lan
    option proto tcp
    option src_dip 192.168.1.1
    option dest_ip 192.168.1.
20.10.11
# ESP protocol
config rule
    option src wan
    option dest lan
    option proto esp
    option target ACCEPT
For some configurations you also have to open port 500/UDP.
# ISAKMP protocol
config rule
20.10.
root@VA_router:/# /etc/init.d/firewall start
The firewall can be permanently disabled by entering:
root@VA_router:/# /etc/init.d/firewall disable
Note: disable does not flush the rules, so you might be required to issue a stop beforehand.
To enable the firewall again, enter:
root@VA_router:/# /etc/init.d/firewall enable
20.
21: Configuring SNMP _______________________________________________________________________________________________________
21 Configuring SNMP
The SNMP daemon has several configuration sections that configure the agent itself (agent and system sections), assignment of community names and which SNMP protocols are in use to groups (com2sec and group sections), creation of views and subviews (access section) of the whole available SNMP tree and finally, granting specific access to those views on a group by
config 'agent'
    option agentaddress 'UDP:161,tcp:161,9161@localhost'
21.2 system
The options defined for this section are shown in the table below.
Name | Type | Required | Description
agentaddress | string | yes | Specifies the address(es) and port(s) on which the agent should listen. [(udp|tcp):]port[@address][,...
any request from the localhost itself using “private” as the community string will be dealt with using the security name “rw”.
Note: the security names of “ro” and “rw” here are simply names – the fact of a security name having read only or read-write permissions is handled in the access section and dealt with at a group granularity.
config 'group' 'public_usm'
    option group 'public'
    option version 'usm'
    option secname 'ro'
config 'group' 'private_v1'
    option group 'private'
    option version 'v1'
    option secname 'rw'
config 'group' 'private_v2c'
    option group 'private'
    option version 'v2c'
    option secname 'rw'
config 'group' 'private_usm'
    option group 'private'
    option version 'usm'
    option secname 'rw'
The options de
config 'view' 'all'
    option viewname 'all'
    option type 'included'
    option oid '.1'
config 'view' 'mib2'
    option viewname 'mib2'
    option type 'included'
    option oid '.iso.org.dod.Internet.mgmt.mib-2'
21.4 access
The options defined for this section are outlined below.
Name | Type | Required | Description
group | string | yes | Specifies the group to which access is being granted.
    option prefix 'exact'
    option read 'all'
    option write 'none'
    option notify 'none'

config 'access' 'private_access'
    option group 'private'
    option context 'none'
    option version 'any'
    option level 'noauth'
    option prefix 'exact'
    option read 'all'
    option write 'all'
    option notify 'all'

21.5 SNMP traps

The options defined for this section are outlined below.
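The group and access sections of chapter 21 together decide who can write to the SNMP tree. The following audit is an added example, not part of the manual or the router firmware: it reads `uci export` text and lists every group member that reaches a write view without authentication. The sample input is constructed; the 'public_access' stanza header and its first four options are assumptions, since the manual page shows only the tail of that stanza.

```python
import shlex
from collections import defaultdict, namedtuple

# Constructed sample. The group stanzas and 'private_access' follow the manual;
# the 'public_access' header and its first four options are constructed.
SAMPLE_EXPORT = """\
config 'group' 'public_usm'
    option group 'public'
    option version 'usm'
    option secname 'ro'
config 'group' 'private_v1'
    option group 'private'
    option version 'v1'
    option secname 'rw'
config 'group' 'private_v2c'
    option group 'private'
    option version 'v2c'
    option secname 'rw'
config 'group' 'private_usm'
    option group 'private'
    option version 'usm'
    option secname 'rw'
config 'access' 'public_access'
    option group 'public'
    option context 'none'
    option version 'any'
    option level 'noauth'
    option prefix 'exact'
    option read 'all'
    option write 'none'
    option notify 'none'
config 'access' 'private_access'
    option group 'private'
    option context 'none'
    option version 'any'
    option level 'noauth'
    option prefix 'exact'
    option read 'all'
    option write 'all'
    option notify 'all'
"""

Finding = namedtuple("Finding", "access group version secname write_view")


def parse_uci_export(text):
    """Parse 'uci export' text into a list of (type, name, options) stanzas."""
    stanzas = []
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)
        if not tokens:
            continue
        if tokens[0] == "config" and len(tokens) >= 2:
            name = tokens[2] if len(tokens) > 2 else ""
            stanzas.append((tokens[1], name, {}))
        elif tokens[0] == "option" and len(tokens) >= 3 and stanzas:
            stanzas[-1][2][tokens[1]] = tokens[2]
    return stanzas


def audit_snmp_write_access(text):
    """Return one Finding per group member that can write without authentication."""
    stanzas = parse_uci_export(text)
    members = defaultdict(set)  # group name -> {(version, secname)}
    for stype, _name, opts in stanzas:
        if stype == "group":
            members[opts.get("group", "")].add(
                (opts.get("version", ""), opts.get("secname", "")))

    findings = []
    for stype, name, opts in stanzas:
        if stype != "access" or opts.get("write", "none") == "none":
            continue
        # v1/v2c community requests only ever match level 'noauth'; an access
        # entry demanding auth or priv can be met by USM alone. A missing
        # level is treated as 'noauth' so that it gets reviewed.
        if opts.get("level", "noauth") != "noauth":
            continue
        allowed = opts.get("version", "any")
        group = opts.get("group", "")
        for version, secname in sorted(members[group]):
            if allowed in ("any", version):
                findings.append(
                    Finding(name, group, version, secname, opts["write"]))
    return findings


if __name__ == "__main__":
    for f in audit_snmp_write_access(SAMPLE_EXPORT):
        print(f"{f.access}: group '{f.group}' ({f.version}, secname "
              f"'{f.secname}') may write view '{f.write_view}' unauthenticated")
```
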
22 Configuring HTTP server

The uhttpd configuration is used by the uhttpd web server package. This file defines the behaviour of the server and default values for certificates generated for SSL operation. uhttpd supports multiple instances, that is, multiple listen ports, each with its own document root and other features, as well as CGI and Lua.
document root. Lua support is disabled if this option is missing.
lua_handler | file path | yes if lua_prefix is given, else no | (none) | Specifies Lua handler script used to initialize the Lua runtime on server start.
script_timeout | integer | no | 60 | Sets maximum wait time for CGI or Lua requests in seconds.
root@VA_router:~# uci show uhttpd.main
uhttpd.main=uhttpd
uhttpd.main.listen_http=0.0.0.0:80
uhttpd.main.listen_https=0.0.0.0:443
uhttpd.main.home=/www
uhttpd.main.rfc1918_filter=1
uhttpd.main.cert=/etc/uhttpd.crt
uhttpd.main.key=/etc/uhttpd.key
uhttpd.main.cgi_prefix=/cgi-bin
uhttpd.main.script_timeout=60
uhttpd.main.
Location | string | no | Berlin | Location/city of the certificate issuer.
commonname | string | no | (none) | Common name covered by the certificate. For the purposes of secure Activation this MUST be set to the serial number (eth0 mac address) of the device.

A standard uhttp certificate section is shown below.

root@VA_router:~# uci show uhttpd.px5g
uhttpd.px5g=cert
uhttpd.px5g.
If the $p$… format is used, uhttpd will compare the client provided password against the one stored in the shadow or passwd database.

22.4 Securing uHTTPd

By default, uHTTPd binds to 0.0.0.0 which also includes the WAN port of your router. To bind uHTTPd to the LAN port only you have to change the listen_http and listen_https options to your LAN IP address.
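The rebinding described in section 22.4 can be checked and prepared offline from `uci show uhttpd` output. This is an added example, not part of the manual: it finds listeners bound to all interfaces and returns the `uci set` commands that pin them to a LAN address. It assumes one address per option, as in the output shown in this chapter, and the standard OpenWrt `uci commit` and `/etc/init.d/uhttpd restart` steps; 192.168.100.1 is used as the LAN IP only for illustration.

```python
import ipaddress

LISTEN_KEYS = ("listen_http", "listen_https")

# Constructed sample in the format of the 'uci show uhttpd.main' output above.
SAMPLE_SHOW = """\
uhttpd.main=uhttpd
uhttpd.main.listen_http=0.0.0.0:80
uhttpd.main.listen_https=0.0.0.0:443
uhttpd.main.home=/www
"""


def parse_uci_show(text):
    """Parse 'uci show' output into an ordered dict of dotted key -> value."""
    entries = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            entries[key] = value.strip("'\"")
    return entries


def split_listen(value):
    """Split a listen value into (host or None, port); a bare port has no host."""
    value = value.strip()
    if value.isdigit():
        return None, int(value)
    host, _, port = value.rpartition(":")
    return host.strip("[]"), int(port)


def binds_all_interfaces(host):
    """True for a bare port, 0.0.0.0 or ::, which all include the WAN side."""
    if host is None:
        return True
    try:
        return ipaddress.ip_address(host).is_unspecified
    except ValueError:
        return False  # an interface or host name, not a wildcard address


def rebind_commands(uci_show_text, lan_ip):
    """Return the uci commands that move wildcard listeners to lan_ip."""
    addr = ipaddress.ip_address(lan_ip)  # raises ValueError on a bad address
    target = f"[{addr}]" if addr.version == 6 else str(addr)
    commands = []
    for key, value in parse_uci_show(uci_show_text).items():
        parts = key.split(".")
        if len(parts) != 3 or parts[0] != "uhttpd" or parts[2] not in LISTEN_KEYS:
            continue
        host, port = split_listen(value)
        if binds_all_interfaces(host):
            commands.append(f"uci set {key}='{target}:{port}'")
    if commands:
        commands += ["uci commit uhttpd", "/etc/init.d/uhttpd restart"]
    return commands


if __name__ == "__main__":
    print("\n".join(rebind_commands(SAMPLE_SHOW, "192.168.100.1")))
```
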
23 Virtual Router Redundancy Protocol (VRRP)

The Virtual Router Redundancy Protocol (VRRP) is a networking protocol designed to eliminate the single point of failure inherent in the static default routed environment. VRRP specifies an election protocol that dynamically assigns responsibility for a virtual router to one of the VRRP routers on a LAN.
When you are logged in via an SSH session, run the command:

vacmd show vars

Figure 64: Output from the command vacmd show vars

Alternatively, when you are connected via the web interface, the software version currently being used is presented at the bottom of the screen.

Figure 65: The login screen showing the current software version

23.
In the VRRP page, you can enable or disable VRRP and add, edit or delete VRRP groups. Under the Global Settings title, click Add.

Figure 67: The VRRP global settings section

Check the VRRP Enabled checkbox.

Name | Type | Required | Default | Description
VRRP Enabled | Checkbox | yes | Unchecked | Globally enables VRRP on the router.
In the Interface field, type the name of the interface where VRRP should run.
Note: take the interface name from the interface section.
In the Track interfaces field, optionally provide the name of the interface that should be tracked.
In the Router id field, type the VRRP ID.
In the Priority field, set the router’s VRRP priority.
routers serving the same LAN must be configured with the same virtual IP address.
GARP delay | Integer | Yes | Blank | Sets the gratuitous ARP message sending delay in seconds.

Figure 69: The VRRP group configuration fields and their descriptions

23.3 Configuring VRRP using UCI

You can configure VRRP through CLI using UCI commands.
~# uci show vrrp
vrrp.main=vrrp
vrrp.main.enabled=yes
vrrp.g1=vrrp_group
vrrp.g1.enabled=yes
vrrp.g1.interface=lan1
vrrp.g1.track_iface=lan
vrrp.g1.init_state=BACKUP
vrrp.g1.router_id=1
vrrp.g1.priority=115
vrrp.g1.advert_int_sec=2
vrrp.g1.password=secret
vrrp.g1.virtual_ipaddr=10.1.10.150/16
vrrp.g1.garp_delay_sec=5
vrrp.g1.
24 Multicasting using PIM and IGMP interfaces

IP multicast is a bandwidth-conserving technology that reduces traffic by simultaneously delivering a single stream of information to potentially thousands of corporate recipients. Applications that take advantage of multicast include video conferencing and corporate communications.
In the PIM page, click Add. The Global Settings section appears.

Figure 71: The global settings interface

Enable PIM by checking PIM Enabled.
To save your configuration updates, click Save & Apply.

24.2 PIM and IGMP UCI interface

You can configure PIM and IGMP through CLI using UCI.
pimd.@interface[1].enabled=yes
pimd.@interface[1].interface=wan
pimd.@interface[1].ssm=yes
pimd.@interface[1].igmp=no

Name | Type | Required | Default | Description
enabled | Boolean | Yes | No | Enable PIM and IGMP operation globally.
25 Dynamic Multipoint Virtual Private Network (DMVPN)

Dynamic Multipoint Virtual Private Network (DMVPN) is a scalable method of creating VPN IPSec Networks.
Figure 73: Network diagram for DMVPN spoke to spoke

• Spoke1 and Spoke2 connect on their WAN interface: ADSL, 3G and initiate main mode IPSec in transport mode to the hub.
• After an IPSec tunnel is established, spokes register their NHRP membership with the hub.
• GRE tunnels come up.
Figure 74: Network diagram for DMVPN spoke behind NAT

25.3

• Spoke1 sends an NHRP registration request to the Hub.
• Hub receives this request and compares the source tunnel address of the Spoke with the source of the packet.
• Hub sends an NHRP registration reply with a NAT extension to Spoke1.
25.3.1 Configuring IPSec for DMVPN

This section explains how to configure VPN IPSec specifically for DMVPN. For more information on general VPN IPSec configuration, read ‘Configuring IPSec’ in the GW6600 User Manual.

Access the router’s web Interface by typing 192.168.100.1 into your browser.
Type in the username: root
Type in the password: admin.
Figure 76: strongSwan IPSec enabled

Name | Type | Required | Default | Description
Enable Strongswan IPsec | Boolean | Yes | Blank | Enable Strongswan IPsec
Strict CRL Policy | Dropdown menu | Yes | No | Defines if fresh certificate revocation list (CRL) must be available.
Figure 77: The strongSwan IPSec VPN page

© Virtual Access 2015 GW1000 Series User Manual Issue: 2.
Name | Type | Required | Default | Description
Enabled | Checkbox | yes | Unchecked | Globally enables IPSec on the router.
Aggressive mode | Checkbox | yes | Unchecked | Globally enables Aggressive mode on a router.
Name | String | Yes | Blank | Specifies a name for the tunnel.
Specifies how the tunnel is initiated.
encAlgo-authAlgo-PFSGroup

encAlgo: 3des, aes, serpent, twofish, blowfish
authAlgo: md5, sha, sha2
DHGroup: modp1024, modp1536, modp2048, modp3072, modp4096, modp6144, modp8192

For example: aes128-sha1-modp1536.

If no DH group is defined then PFS is disabled.
when traffic brings the tunnel up.
Hold: Clears down the tunnel and brings it up as soon as the peer is available.
Restart: Restarts DPD when no activity is detected.
DPD Delay | Integer | Yes | None | Defines the period time interval with which R_U_THERE messages/INFORMATIONAL exchanges are sent to the peer.
Figure 78: The secrets section

Select Enabled.
From the dropdown menu under Secret Type, select psk.
In the field beneath Secret, type the psk password.
Click Save.

25.4 DMVPN hub settings

In the top menu, select Network -> DMVPN. The DMVPN page appears.

Figure 79: The DMVPN page

Under DMVPN General, click Add. The following page appears.
Figure 80: The DMVPN general section

Check Enable DMVPN.
From the IPSec template connection drop down menu, provide the name of the IPsec connection.
In the DMVPN Hub Settings section, click Add. The fields required to configure the parameters relative to the DMVPN Hub appear.
/etc/config/strongswan

To view the configuration file, use uci show strongswan or uci export strongswan commands.

root@GWxxxx:~# uci show strongswan
strongswan.general=general
strongswan.general.enabled=yes
strongswan.general.strictcrlpolicy=no
strongswan.general.uniqueids=yes
strongswan.general.cachecrls=yes
strongswan.general.
uci export strongswan
package strongswan

config general 'general'
    option enabled 'yes'
    option strictcrlpolicy 'no'
    option uniqueids 'yes'
    option cachecrls 'yes'
    option nattraversal 'yes'

config connection
    option enabled 'yes'
    option name 'DMVPN'
    option type 'transport'
    option localproto 'gre'
    option remoteproto 'gre'
    option ike '3des-md5-modp1024'
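The proposal strings described in this chapter (encAlgo-authAlgo-DHGroup, with PFS disabled when no DH group is given) can be reviewed mechanically. The checker below is an added example, not part of the manual or of strongSwan: it parses a proposal, applies the manual's no-DH-group rule, and flags algorithms against a policy. The policy (3DES and Blowfish as 64-bit block ciphers, MD5, DH groups under 2048 bits) is this example's assumption, and only the `ike` option is read because it is the only proposal option visible in the export above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Policy thresholds are assumptions of this example, not values from the manual.
WEAK_ENC = {"3des", "blowfish"}   # 64-bit block ciphers
WEAK_AUTH = {"md5"}
MIN_DH_BITS = 2048

# Algorithm families as listed in the manual's proposal description.
ENC_FAMILIES = ("3des", "aes", "serpent", "twofish", "blowfish")
AUTH_FAMILIES = ("md5", "sha")

# Connection stanza copied from the 'uci export strongswan' output above.
SAMPLE_EXPORT = """\
config connection
    option enabled 'yes'
    option name 'DMVPN'
    option type 'transport'
    option ike '3des-md5-modp1024'
"""


@dataclass
class Proposal:
    raw: str
    enc: Optional[str] = None
    auth: Optional[str] = None
    dh_bits: Optional[int] = None
    findings: List[str] = field(default_factory=list)

    @property
    def pfs(self) -> bool:
        # Per the manual: no DH group in the proposal means PFS is disabled.
        return self.dh_bits is not None


def family(token: str, families) -> Optional[str]:
    """Return the algorithm family a token such as 'aes128' belongs to."""
    return next((f for f in families if token.startswith(f)), None)


def parse_proposal(raw: str) -> Proposal:
    """Classify each dash-separated token by keyword and record findings."""
    p = Proposal(raw=raw)
    for token in raw.strip().lower().split("-"):
        dh = re.fullmatch(r"modp(\d+)", token)
        if dh:
            p.dh_bits = int(dh.group(1))
        elif family(token, AUTH_FAMILIES):
            p.auth = token
        elif family(token, ENC_FAMILIES):
            p.enc = token
        else:
            p.findings.append(f"unrecognised token '{token}'")
    if p.enc and family(p.enc, ENC_FAMILIES) in WEAK_ENC:
        p.findings.append(f"weak cipher {p.enc}")
    if p.auth and family(p.auth, AUTH_FAMILIES) in WEAK_AUTH:
        p.findings.append(f"weak hash {p.auth}")
    if p.dh_bits is None:
        p.findings.append("no DH group, so PFS is disabled")
    elif p.dh_bits < MIN_DH_BITS:
        p.findings.append(
            f"DH group modp{p.dh_bits} is below {MIN_DH_BITS} bits")
    return p


def audit_export(text: str, option_names=("ike",)):
    """Return (option, Proposal) for each proposal option in 'uci export' text."""
    results = []
    for line in text.splitlines():
        m = re.match(r"\s*option\s+(\w+)\s+'([^']*)'", line)
        if m and m.group(1) in option_names:
            results.append((m.group(1), parse_proposal(m.group(2))))
    return results


if __name__ == "__main__":
    for option, prop in audit_export(SAMPLE_EXPORT):
        print(option, prop.raw, "->", "; ".join(prop.findings) or "ok")
```
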
Configuration files are stored at:

/etc/config/dmvpn

To view the configuration file, use uci show dmvpn or uci export dmvpn commands.
26 Terminal Server

26.1 Introduction

Terminal Server is a background application (a daemon) whose main task is to forward data between TCP connections or UDP streams and asynchronous serial ports. The Terminal Server application serves up to 4 sessions simultaneously, one for each async serial port, depending on the device.
Name | Type | Required | Default | Description
Enable | Checkbox | Yes | Disabled | Enables the Terminal Server application.
Debug Enable | Checkbox | No | Disabled | Enables detailed debug logging.
Determines the syslog level. Events up to this priority will be logged.
Figure 83: The general tab fields part 2

Name | Type | Required | Default | Description
Enable | Checkbox | Yes | Disabled | Enabled port.
Network Forwarding Buffer Size | Numeric value | Yes | 256 | Forwarding buffer size (serial to network).
Network Forwarding Timeout | Numeric value | Yes | 30 | Forwarding timeout in milliseconds (serial to network).
Serial receive debug log size | Numeric value | No | Disabled | Configures serial receive log size in bytes and enables receive data logging. 0=disabled.
Serial transmit debug log size | Numeric value | No | Disabled | Configures serial transmit log size in bytes and enables transmit data logging. 0=disabled.

Table 23: The general fields descriptions

26.3.1.
Figure 85: The serial tab fields part 2

Name | Type | Required | Default | Description
Device | String | Yes | '/dev/ttySC0' '/dev/ttySC1' | Serial device name.
Portmode | Dropdown list | Yes | rs232 | rs232 - RS-232 mode, rs485hdx - rs485 2 wire half duplex mode in which transmitter drives RTS. rs485fdx - RS485 4 wire full duplex mode. 'v23' - using V.23 leased line card driver.
mode.
30 In RS232 half duplex mode, time in milliseconds between raising RTS and enabling the transmitter.
No 20 In RS232 half duplex mode, time in milliseconds between dropping RTS (transmission finished) and enabling the receiver.
Checkbox No 0 This configures the use of tservd with the Atmel USB serial card.
Dual X.
Figure 871: The Network tab fields part 2

Name | Type | Required | Default | Description
Transport mode | Dropdown list | Yes | TCP | Select between TCP/UDP.
Local IP | IP address | Yes | 0.0.0.0 | Local IP address to listen on (0.0.0.0=listen on any interface).
TCP mode | Dropdown list | Yes | Server | Select between server and client modes of TCP.
0=normal operation.
TCP always on | Checkbox | No | Disabled | Keep TCP session always connected.
Close TCP on DSR | Checkbox | No | Disabled | Close TCP session on detection of DSR signal low.
Reconnect time (ms) | Numeric value | No | 5000 | Time in milliseconds to start reconnecting after setting DTR low.

Table 24: The Network fields descriptions

26.
config tservd main
    # set to 1 to enable terminal server
    option enable 0
    # enables detailed debug logging (state transitions, data transfer etc)
    option debug_ev_enable 0
    # sets syslog level (0 to 7), default is 6
    option log_severity 6

config port 'port1'
    # enables this port
    option enable 0
    # serial device name
    option devName '/dev/ttySC0'
    # destination peer port IP number (two num
    # Forwarding timer mode (serial to network), 'idle'=timer re-started on each received data, 'aging'=timer started on first rx
    option fwd_timer_mode 'idle'
    # Forwarding buffer size (serial to network)
    option fwd_buffer_size 256
    # Forwarding buffer size (network to serial), 0=use maximum possible network rx buffer size
    option sfwd_buffer_size 0
    # Forwarding timeout in milliseconds (n
    # TCP server mode
    option server_mode 1
    # Proxy mode (off by default)
    option proxy_mode 0
    # Local IP address to listen on (0.0.0.0=listen on any interface)
    option local_ip '0.0.0.
    # Number of TCP keep alive probes to send before connection closed
    option tcp_keepalive_count 1
    # Maximum time in milliseconds for TCP to wait for transmitted data to be acked
    # before closing connection in established state.
    option is_usb_serial 0
    # Used for USB serial card. 'hdlc' = synchronous HDLC framed mode; 'transp' = transparent mode
    option sync_mode 'hdlc'
    # Used for USB serial card. 1= in HDLC mode use CRC32; 0= use CRC16
    option sync_crc32 0
    # Used for USB serial card.
    # Used for USB serial card.
    # when used with V.23 modem driver, (set portmode 'v23') LIM operation: 0=2wire; 1=4wire
    option v23_is_four_wire '0'
    # when used with V.23 modem driver, (set portmode 'v23'), sets the receive echo suppression timeout in milliseconds
    option v23_tx_timeout '20'
    # when used with V.23 modem driver, (set portmode 'v23'), time in milliseconds it takes V.
    # bit reverse: 0=normal; 1=reverse
    option bit_reverse 0
    # v24 dte tt clock invert: 0=normal; 1=invert
    option dte_tt_inv 0
    # v24 dce tx clock invert: 0=normal; 1=invert
    option dce_tclk_inv 0
    # v24 dce rx clock invert: 0=normal; 1=invert
    option dce_rclk_inv 0
    # x21 clock invert: 0=normal; 1=invert
    option x21_clk_invert 0
    # x21 data delay: 0-7 - delay in local clk or VCO clock cycle
    option speed 115200
    # serial device word size (5,6,7,8)
    option wsize 8
    # serial device parity (0=none, 1=even, 2=odd)
    option parity 0
    # serial device number of stop bits (1 or 2)
    option stops 1
    # serial flow control mode (0=none, 1=RTS CTS, 2=XONXOFF)
    option fc_mode 1
    # time in milliseconds to start re-connecting after setting DTR low
    option disc_time_ms 5000
    # TCP server mode o
config tservd port1
    # enables this port
    option enable 1
    # serial device name
    option devName '/dev/ttySC1'
….. other options follow ….

26.5 Terminal Server operation

26.5.1 General

The Terminal Server package consists of two binaries:
• tservd – Terminal Server daemon, full path at /usr/sbin/tservd
• tserv – Terminal Server command line interface, path at /usr/sbin/tserv

26.5.
26.5.4 Stopping Terminal Server

Sometimes it may be necessary to stop Terminal Server, for example if the configuration is changed and it is not desirable to reboot the router. To stop Terminal Server, enter one of the following:

/usr/bin/tserv quit
Kill PID.
27 Coova-chilli captive portal

Coova-chilli is an access controller application typically used in Wireless LAN HotSpot, but it can also be used to manage subscriber access via wired LAN. The captive portal technique forces an HTTP client, such as a user’s web browser on a network to see a special web page, for authentication purposes, before using the internet normally.
7=Debug
The default setting of 4 enables logging of any messages with severity from 0 (Emergency) to 4 (Warnings).
lanif | string | Max 63 bytes | ‘ath0’ | Subscriber interface for client devices.
network | string | Max 63 bytes | ‘11.1.0.0’ | Hotspot network
uamlisten | string | Max 63 bytes | ‘11.1.0.1’ | Hotspot IP address (on subscriber network).
uamhomepage | string | Max 127 bytes | 'http://11.1.0.1:3990/www/coova.html' | UAM home page url to redirect unauthenticated users to. If not specified this defaults to uamserver.
uselocalusers | string | ‘on’ or ‘off’ | ‘on’ | Use file /etc/chilli/localusers for authentication of clients.
loc_name | string | Max 63 bytes | 'My HotSpot' | WISPr location name used in portal.

27.2
root@VA_router :~# uci export coovachilli
package coovachilli

config coova-chilli 'main'
    option enable '0'
    option log_severity '7'
    option lanif 'ath0'
    option network '11.1.0.0'
    option netmask '255.255.255.0'
    option uamlisten '11.1.0.1'
    option uamport '3990'
    option uamuiport '4990'
    option dns1 '8.8.8.8'
    option dns2 '208.67.220.
Coova-chilli UCI configuration interface fields and their descriptions are given in the ‘UCI configuration file, ‘Main’’ section.

To change any of the configuration values, enter the uci set command, for example:

uci set coovachilli.main.
28 Event system

Virtual Access routers feature an event system. The event system allows you to configure the router’s information for efficient control and management of devices. This section explains how the event system works and how to configure it using UCI.

28.1 Implementation of the event system

The event system is implemented by the va_eventd application.
SNMP | Event sent via SNMP trap
Exec | Command executed when event occurs

Table 25: Event system - supported targets

The attributes of a target vary significantly depending on its type.

28.
The table below describes main event system parameters:

Name | Type | Required | Default | Description
enabled | Boolean | Yes | Yes | Enable the event system
event_queue_file | Filename | Yes | /tmp/event_buffer | File where the events will be stored before being processed
event_queue_size | String | Yes | 128K | Maximum size of the event queue

Table 27: Event system - global settings description
28.6.3.1 Ping connection tester

A ping connection tester tests that a connection can be established by sending pings. If successful, the event system assumes the connection is valid for a configurable amount of time.

config conn_tester
    option name pinger
    option enabled yes
    option type ping
    option ping_dest_addr 192.168.0.
The table below describes link connection tester parameters.
28.6.4.2 Email target

When an email target receives an event, it sends it to the configured email address.

config target
    option name email
    option enabled yes
    option type email
    option conn_tester pinger
    option smtp_addr "smtp.site.com:587"
    option smtp_user 'john_smith@site.
subject_template | String | No | None | Template to use for the email subject
body_template | String | No | None | Template to use for the email body
conn_tester | String | No | None | Name of the connection tester to use for this target

Table 32: Event system – email target settings description

28.6.4.
config target
    option name logit
    option enabled yes
    option type exec
    option cmd_template "logger -t eventer %{eventName}"

The table below describes exec target parameters.
config forwarding
    option enabled 'yes'
    option className 'l2tp'
    option eventName 'CannotFindTunnel'
    option severity 'debug-critical'
    option target 'syslog'

config forwarding
    option enabled 'yes'
    option className 'mobile'
    option severity 'notice-critical'
    option target 'snmp'

config forwarding
    option enabled 'yes'
    option className 'ethernet'
    option target 'logit'

config forwarding
    optio
config target
    option name 'syslog'
    option enabled 'yes'
    option type 'syslog'
    option target_addr '192.168.100.254:514'
    option conn_tester 'mon_server'

config target
    option name 'email'
    option enabled 'yes'
    option type 'email'
    option smtp_addr '89.101.154.148:465'
    option smtp_user 'x@example.
    option type 'exec'
    option cmd_template 'logger -t eventer %{eventName}'

To view UCI commands, enter: uci show va_eventd

root@test:~# uci show va_eventd
va_eventd.main=va_eventd
va_eventd.main.enabled=yes
va_eventd.main.event_queue_file=/tmp/event_buffer
va_eventd.main.event_queue_size=128K
va_eventd.@forwarding[0]=forwarding
va_eventd.@forwarding[0].enabled=yes
va_eventd.@forwarding[0].
va_eventd.@conn_tester[0].ping_success_duration_sec=10
va_eventd.@conn_tester[1]=conn_tester
va_eventd.@conn_tester[1].name=smtp_server
va_eventd.@conn_tester[1].enabled=1
va_eventd.@conn_tester[1].type=link
va_eventd.@conn_tester[1].link_iface=eth0
va_eventd.@target[0]=target
va_eventd.@target[0].name=syslog
va_eventd.@target[0].enabled=yes
va_eventd.@target[0].type=syslog
va_eventd.
va_eventd.@target[3]=target
va_eventd.@target[3].name=logit
va_eventd.@target[3].enabled=yes
va_eventd.@target[3].type=exec
va_eventd.@target[3].cmd_template=logger -t eventer %{eventName}
29 Configuring SLA reporting on Monitor

29.1 Introduction

This section describes how to configure and view SLA reporting on Monitor, the Virtual Access monitoring system. It also explains how to configure the scheduler task that is placed on the router to upload SLA statistics.
Figure 90: The add/edit content template

Enter a relevant name and description and then add values from the drop-down menu or enter values for the parameters shown in the table below.

Parameter | Description/Default | Options
Select data | Report element to display data on.
Is this data to be graphical? | To display elements as graphs | Tick or no tick
Upper data value limit | Infinity | Integer
Lower data value limit | -Infinity | Integer
Present data per site? | | Tick or no tick
Present data as a percentage? | | Tick or no tick

Table 35: Parameters for content template

If you want the data to be displayed as graphical, click the Is this
The template will build as shown in the figure below. The example graphs average latency, connection strength, and packet loss, with a roll up period set per hour and a range scope set per day.

Figure 92: Example content template

29.3 Adding an SLA report

When you have configured a content template, you can add an SLA report.
Figure 93: The add SLA report page

Enter the relevant parameters.
Figure 94: An example SLA report showing two devices

Note: for this report two routers have been added.

When you have configured the SLA Report, Monitor will periodically access the router, every hour, and initiate a ‘create scheduled task’ on a router. This task tells a router to upload SLA statistics to Monitor.
Report: SLA_Test_Report1 (Date 18/7/2012 Hours of operation: 08:00 - 19:00)

Figure 96: Example of SLA report output

29.5 Viewing automated SLA reports

An automated version of this report is stored in the database and you can access it through any router assigned to the report. To view these reports access any router assigned to the report.
Figure 97: Example of an automated report

To view a report, click Download in the report’s row. A PDF version of the report appears.

29.6 Configuring router upload protocol

The protocol the router uses to upload the files is set for each device on Monitor.
30 Configuring SLA for a router

SLA reporting works in two parts:

• The Virtual Access Monitor system server connects via SSH into the router and schedules the task of uploading statistics to Monitor.
• The Virtual Access router monitors UDP keepalive packets. It creates and stores statistics in bins. These statistics are uploaded every hour to the Monitor server.
Figure 100: The SLA daemon page

In the Basic Settings section, click Add. The basic settings section for SLA Daemon appears.

Figure 101: The SLA daemon page

Check Enable. In the Timeout for Roundtrip Timeout field, type in a time. Select an interface on which traffic should be monitored.
expires it is considered as lost.

Interface                     Radio button menu    Yes    None    Specifies the interface on which traffic should be monitored.
Destination Host IP Address   IPv4 address         Yes    None    Specifies the destination IP address for the keepalive packets that are originated on the LAN.
Destination UDP port          Integer              Yes    None    Specifies the destination UDP port.
slad.main.enable=yes
slad.main.roundtrip_timeout_msec=5000
slad.main.interface=lan
slad.main.destination_host_ip_address=10.1.1.2
slad.main.destination_udp_port=53
slad.main.bin_restart_period_msec=3600000
slad.main.max_bin_count=73

30.3 SLA statistics

Enter sla at the command line to show all available statistic options.
Figure 104: Output from the command line sla newest

© Virtual Access 2015 GW1000 Series User Manual Issue: 2.
31 Diagnostics

31.1 ADSL diagnostics

31.1.1 ADSL PPPoA connections

To check the status of an ADSL line, in the top menu, select Status -> ADSL Status. The ADSL Status page appears.

Figure 105: The ADSL status page

To check the IP address and the transmit and receive counters of an ADSL interface, in the top menu, select Network -> Interfaces. The Interface Overview page appears.
Figure 107: The ADSL status page

To check the IP address and the transmit and receive counters of an ADSL interface, in the top menu, select Network -> Interfaces. The Interface Overview page appears.

Figure 108: The interfaces overview page

31.1.3 ADSL bridge connections

To check the status of an ADSL line, in the top menu, select Status -> ADSL Status. The ADSL Status page appears.
To check the IP address and the transmit and receive counters of an ADSL interface, in the top menu, select Network -> Interfaces. The Interface Overview page appears.

Figure 110: The interfaces overview page

31.2 ALL diagnostics

The ‘va5420_stats /dev/ttyLC0’ command provides statistical information about the operation of the interface.
You can reset the statistical information using ‘va5420_stats_reset /dev/ttyLC0’.

The example below shows the command ‘va5420_status /dev/ttyLC0’; it displays status information about the device.

root@VA_router:~# va5420_status /dev/ttyLC0
Mode: Transparent
Wire mode: 2-wire
PCM Encoding: A-Law

31.3 Automatic operator selection diagnostics via the web interface

31.3.
Figure 112: The status page: multi-WAN status section page

31.
To check the status of the interface you are currently using, enter:

cat /var/const_state_/mobile

Figure 114: Output from the command cat /var/const_state_/mobile
31.5 CESoPSN diagnostics

CESoPSN uses one package - cesopd.

To view the CESoPSN configuration:

root@VA_router:~# uci export cesopd
package cesopd

config cesopd 'main'
    option log_severity '5'
    option enable '1'

config port 'Port1'
    option enable '1'
    option devname 'ttyLC0'
…..

The cesop command provides several options to investigate the operation of the CESoPSN service.
schedule_priority : 10

Port 1 config
-------------------
cardType : Single AAL card
enable : 1
clock_recovery_enabled : 1
clock_recovery_debug : 0
remote_loopback : 0
udp_local_ipaddr : 0.0.0.0
udp_local_port : 5152
udp_remote_ipaddr : 10.1.42.
all_tx_analogue_loss_enabled : 0
all_rx_digital_gain : 0
all_tx_digital_loss : 0
tdm_intvl_ms : 2

31.5.2 cesop show status

To show the current operating configuration, enter:

root@VA_router:~# cesop show status
Clock status
------------
clockRecHwPresent 1
dacOutputVoltage 1661174
lastFscCount 14195832

Port 1 protocol status
----------------------
remoteIpAddress 10.1.42.
root@VA_router:~# cesop show stats
Port 1 serial statistics
------------------------
reads 476840
readEmpties 0
readFails 0
writes 476889
writeFails 0
writeShorts 0
txBytes 19075560
rxBytes 19075560

Port 1 UDP statistics
---------------------
txFrames 476889
txBytes 26705784
txFails 0
rxFrames 476889
rxBytes 26705784
rxFails 0
rxAddressErrs 0

Port 1 Protocol stati
root@VA_router:~# cesop clear stats
cesopd stats cleared.

31.6 DMVPN diagnostics

In the top menu, click Status -> IPSec. The IPSec Connections page appears.

Figure 115: The IPSec connections page

In the Name column, the syntax contains the IPSec name defined in package dmvpn and the remote IP address of the hub or the spoke, separated by an underscore; for example, dmvpn_213.233.148.
root@GW202x:~# ipsec status
Security Associations (1 up, 0 connecting):
dmvpn_89_101_154_151[1]: ESTABLISHED 2 hours ago, 10.68.234.133[10.68.234.133]...89.101.154.151[89.101.154.151]
dmvpn_89_101_154_151{1}: dmvpn_89_101_154_151{1}: dmvpn_89_101_154_151{1}: REKEYING, TRANSPORT, expires in 55 seconds 10.68.234.133/32[gre] === 192.168.
NBMA-Address: 89.101.154.151
Flags: up

The above command output is explained in the table below.

Interface Type
incomplete        Resolution request sent.
negative          Negative cached.
cached            Received/relayed resolution reply.
shortcut_route    Received/relayed resolution for route.
dynamic           NHC registration.
dynamic_nhs       Dynamic NHS from dns-map.
static            Static mapping from config file.
31.8 Firewall diagnostics

The router’s OS relies on netfilter for packet filtering, NAT and mangling. The UCI firewall provides a configuration interface that abstracts the iptables system into a simplified configuration model that fits most regular purposes, while still allowing the user to supply their own iptables rules when needed.
config forwarding
    option src 'lan'
    option dest 'wan_interface'
    option family 'any'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan_interface'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'allow dns'
    option src 'wan_interface'
    option proto 'tcp'
    option dest_port '53'
    option target 'ACCEPT'
    option family 'ipv4'

c
config rule
    option name 'Allow-DHCPv6'
    option src 'wan_interface'
    option src_ip 'fe80::/10'
    option src_port '547'
    option proto 'udp'
    option dest_ip 'fe80::/10'
    option dest_port '546'
    option target 'ACCEPT'
    option family 'ipv6'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan_interface'
    option proto 'icmp'
    option target 'ACCEPT'
    option family 'ipv6'
    option limit '1000/sec'
    lis
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'

To view the available firewall commands, enter:

root@VA_router:~# /etc/init.d/firewall
Syntax: /etc/init.
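The firewall configuration shown above can be reviewed off the router once it has been exported as text. The following is an added example, not part of the manual or of the router's own tooling: it parses text in the ‘uci export’ format and lists every rule that accepts traffic arriving from the WAN zone, noting whether the rule is limited to a source address and whether its target value carries stray whitespace. The zone name wan_interface follows the manual's sample; the sample rule set and the names SAMPLE, parse_uci and wan_accept_rules are constructed for illustration.

```python
import shlex

# Constructed sample in `uci export firewall` format; rules are illustrative.
SAMPLE = """\
package firewall
config forwarding
    option dest 'wan_interface'
config rule
    option name 'allow dns'
    option src 'wan_interface'
    option proto 'tcp'
    option dest_port '53'
    option target ' ACCEPT'
config rule
    option name 'Allow-DHCPv6'
    option src 'wan_interface'
    option src_ip 'fe80::/10'
    option proto 'udp'
    option dest_port '546'
    option target 'ACCEPT'
config rule
    option name 'lan-ssh'
    option src 'lan'
    option target 'ACCEPT'
"""

def parse_uci(text):
    """Parse `uci export` text into [(section_type, {option: value})]."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)  # handles quoted values
        if len(tok) >= 2 and tok[0] == "config":
            sections.append((tok[1], {}))
        elif len(tok) == 3 and tok[0] == "option" and sections:
            sections[-1][1][tok[1]] = tok[2]
        elif len(tok) == 3 and tok[0] == "list" and sections:
            sections[-1][1].setdefault(tok[1], []).append(tok[2])
    return sections

def wan_accept_rules(text, wan_zone="wan_interface"):
    """List rules that ACCEPT traffic arriving from the WAN zone."""
    found = []
    for kind, opt in parse_uci(text):
        target = opt.get("target", "")
        if (kind != "rule" or opt.get("src") != wan_zone
                or target.strip().upper() != "ACCEPT"):
            continue
        found.append({
            "name": opt.get("name", "(unnamed)"),
            "service": "%s/%s" % (opt.get("proto", "any"), opt.get("dest_port", "any")),
            "any_source": "src_ip" not in opt,  # no source address restriction
            "malformed_target": target != target.strip(),
        })
    return found
```

To use it on a real device, save the output of ‘uci export firewall’ to a file and pass the file's contents to wan_accept_rules.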
root@VA_router:~# FW_TRACE=1 fw reload 2>/tmp/iptables.log

31.9 GPS diagnostic commands

You can use the utility GPS to run diagnostic commands against the GPSD application. When you run GPS at the command prompt without parameters, it prints the menu listing all available commands.
          collisions:0 txqueuelen:1000
          RX bytes:569453 (556.1 KiB)  TX bytes:77306 (75.4 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:385585 errors:0 dropped:0 overruns:0 frame:0
          TX packets:385585 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:43205140 (41.
root@VA_router:~# cat /var/state/mobile
mobile.3g_1_1_1=status
mobile.3g_1_1_1.auto_info=/etc/3g_1-1.1.auto
mobile.3g_1_1_2=status
mobile.3g_1_1_2.auto_info=/etc/3g_1-1.2.auto
mobile.3g_1_1_1.sim_slot=1
mobile.3g_1_1_1.sim_in=yes
mobile.3g_1_1_1.imsi=240016005892879
mobile.3g_1_1_1.registered=1, Home network
mobile.3g_1_1_1.reg_code=1
mobile.3g_1_1_1.registered_pkt=1, Home network
mobile.
Available commands:
    start       Start the service
    stop        Stop the service
    restart     Restart the service
    reload      Reload configuration files (or restart if that fails)
    enable      Enable service autostart
    disable     Disable service autostart
    status      Get DSL status information
    lucistat    Get status information in lua friendly format

To view the current status of the ADSL interface, enter:

root@VA_rout
To view configuration of the asterisk package, enter:

root@VA_router:~# uci export asterisk
package asterisk

config provider
    option host '10.1.183.
root@VA_router:~# sip show channels stats
Peer         Call ID      Duration  Send: Pack  Lost       (     %) Jitter  Recv: Pack  Lost       (     %) Jitter
10.1.23.15   4abaa449705  00:00:08  0000000426  0000000000 ( 0.00%) 0.0000  0000000391  0000000000 ( 0.00%) 0.0002
1 active SIP channel

To exit asterisk CLI, enter:

~# exit

31.11.
31.13 Multi-WAN diagnostics

The multi-WAN package is an agent script that makes multi-WAN configuration simple, easy to use and manageable. It comes complete with load balancing, failover and an easy to manage traffic ruleset. The UCI configuration file /etc/config/multiwan is provided as part of the multi-WAN package.
    option priority '2'
    option manage_state 'yes'
    option exclusive_group '0'
    option ifup_retry_sec '300'
    option ifup_timeout_sec '40'

The following output shows the multi-WAN standard stop/start commands for troubleshooting.

root@VA_router:~# /etc/init.d/multiwan
Syntax: /etc/init.
The log contains the events of many modules. To filter for a specific module, enter logread | grep module_name. For example, to see the vald events, enter:

logread -f | grep vald

Note: the vald module has a command that enables the logging of the payload. When enabled, vald will additionally log the payload of all received and sent packets.
Is the Terminal Server connected to padd?

To check if the Terminal Server is connected to padd, look at the log and check the Terminal Server status. For more details refer to the ‘Terminal Server’ section in this manual.

Is the Terminal Server detecting the serial cable?

To check if the Terminal Server is detecting the serial cable, enter:

tserv show serial.
tserv show userial stats - show USB serial card statistics
tserv clear userial stats - clear USB serial card statistics
tserv start userial rxlog - start USB serial card rx log
tserv show userial rxlog - show USB serial card rx log
tserv show userial version - show USB serial card firmware version
tserv show userial cpld status - show USB serial
cat /var/state/vrrp command

vrrp.g1.state=BACKUP
vrrp.g1.masterip=10.1.10.83
vrrp.g1.timestamp=1425489022

31.17 Diagnostics for WiFi AP mode

To check for any hosts associated with WiFi AP, in the top menu, select Network -> WiFi. The Wireless Overview page appears.

Figure 118: The wireless overview page showing associated hosts

31.