GW1000 Series User Manual
Issue: 2.4
Date: 19 May 2015
Table of Contents
GW1000 Series router model variants ................................................. 10
RS232 mode pin-out on the GW1000......................................................... 11
RS485 mode pin-out on the GW1000......................................................... 11
Operating temperature range ................................................................... 12
Power and configuration LED .................................................................... 15
Ethernet port LED behaviour .................................................................... 16
4 Factory configuration extraction from SIM card ......................................... 17
Upgrading firmware using the web interface ............................................... 19
Upgrading firmware using CLI .................................................................. 21
High level configuration commands ..................................................... 22
Configuration file syntax .................................................................... 23
© Virtual Access 2015
Issue: 2.4 Page 2 of 255
Command line utility ......................................................................... 24
Configuration copying and deleting ..................................................... 27
Processes and jobs ............................................................................ 29
System information ........................................................................... 29
Unified Configuration Interface (UCI) ......................................................... 33
Export an entire configuration ............................................................ 39
Display just the value of an option ...................................................... 39
9 Management configuration settings ........................................................... 40
Httpclient - Activator configuration ............................................................ 42
Configuring a router’s host name ........................................................ 45
Configuration file: config user ............................................................. 48
UCI export and UCI show commands ................................................... 50
Options valid for all protocol types ...................................................... 52
Protocol "dhcp" ................................................................................. 53
Protocol "3g" (PPP over EV-DO, CDMA, UMTS or GPRS) ......................... 53
Protocol "l2tp" (layer 2 tunneling protocol) ........................................... 54
10 DHCP server and DNS configuration ........................................................... 57
Common options section .......................................................................... 57
Config nat vlan ................................................................................. 68
Configuring the BGP web interface ............................................................ 72
Optionally configure BGP route map .......................................................... 73
Configure BGP neighbours ........................................................................ 74
Configuring WiFi through the web interface ................................................ 78
Configuring WiFi in AP mode on an existing Ethernet interface ...................... 78
Configuring WiFi in AP mode on a new interface .......................................... 82
Configuring WiFi in client mode ................................................................. 87
Configuring Wi-Fi in AP mode on an existing Ethernet interface .............. 91
Configuring WiFi on a new interface .................................................... 93
Configuring WiFi in client mode ................................................................. 95
Multi-WAN web interface ........................................................................ 102
Multi-WAN UCI interface ........................................................................ 105
Introduction to automatic operator selection ............................................ 108
Configuring automatic operator selection ................................................. 108
Configuring automatic operator selection via the web interface ................... 108
PMP + roaming: pre-empt enabled .................................................... 108
18.3.1.2 Setting multi-WAN options for primary predefined interface ............................ 111
PMP + roaming: pre-empt disabled ................................................... 118
Roaming: no PMP defined ................................................................ 119
Disable roaming .............................................................................. 120
Implications of DROP vs. REJECT ............................................................ 134
Note on connection tracking ................................................................... 135
Firewall examples .............................................................................. 135
Opening ports ............................................................................. 135
Forwarding ports (destination NAT/DNAT) ....................................... 135
Source NAT (SNAT) ...................................................................... 136
True destination port forwarding .................................................... 137
Block access to a specific host ....................................................... 137
Block access to the internet using MAC ........................................... 137
Block access to the internet for specific IP on certain times ............... 137
Restricted forwarding rule ............................................................. 138
Transparent proxy rule (same host) ............................................... 138
Transparent proxy rule (external) .................................................. 138
Simple DMZ rule .......................................................................... 139
IPSec passthrough ....................................................................... 139
Manual iptables rules .................................................................... 140
Firewall management ......................................................................... 140
Debug generated rule set .................................................................... 141
HTTPS certificate settings and creation .................................................... 150
Basic authentication (httpd.conf) ............................................................ 151
SSH server configuration ....................................................................... 152
23 Virtual Router Redundancy Protocol (VRRP) ............................................ 153
Configuring VRRP using UCI ................................................................... 157
24 Multicasting using PIM and IGMP interfaces ............................................. 159
Configuring PIM and IGMP via the web interface ....................................... 159
PIM and IGMP UCI interface ................................................................... 161
25 Dynamic Multipoint Virtual Private Network (DMVPN) ............................. 163
The advantage of using DMVPN .............................................................. 163
Configuring DMVPN via the web interface ................................................. 165
Configuring IPSec for DMVPN ........................................................... 166
IPSec configuration using CLI ........................................................... 173
Configuring DMVPN using CLI ................................................................. 175
Terminal Server interfaces ..................................................................... 177
Configuring Terminal Server ................................................................... 177
Configuring Terminal Server using the web interface ........................... 177
Configuring Terminal Server using UCI .................................................... 184
Terminal Server operation ...................................................................... 194
Starting Terminal Server .................................................................. 194
Checking the status of Terminal Server ............................................. 194
Stopping Terminal Server ................................................................ 195
Coova-chilli Command Line Interface ....................................................... 196
Main UCI configuration file ............................................................... 196
Configuring Coova-chilli using UCI ........................................................... 198
Implementation of the event system ....................................................... 201
Supported connection testers ................................................................. 202
Configuring the event system via the web interface ................................... 202
Configuring the event system via UCI ...................................................... 202
Main section ................................................................................... 202
Forwardings ................................................................................... 203
Connection testers .......................................................................... 203
Supported targets ........................................................................... 205
Example and export ........................................................................ 208
29 Configuring SLA reporting on Monitor ....................................................... 214
Configuring SLA reporting ...................................................................... 214
Configuring a content template ......................................................... 214
Viewing automated SLA reports .............................................................. 220
Configuring router upload protocol .......................................................... 221
Configuring SLA for a router via the web interface ..................................... 222
Configuring SLA for a router via UCI interface ........................................... 224
ADSL PPPoA connections .................................................................. 227
ADSL PPPoEoA connections .............................................................. 227
ADSL bridge connections ................................................................. 228
Automatic operator selection diagnostics via the web interface ................... 230
Checking the status of the Multi-WAN package ................................... 230
Automatic operator selection diagnostics via UCI ...................................... 231
cesop show config ........................................................................... 233
cesop show status ........................................................................... 235
cesop show stats ............................................................................ 235
cesop clear stats ............................................................................. 236
GPS diagnostic commands ..................................................................... 244
Interfaces diagnostics ......................................................................... 244
Interfaces status .......................................................................... 244
Route status................................................................................ 245
Mobile status ............................................................................... 245
ADSL status ................................................................................ 246
ISDN pseudowire diagnostics ............................................................... 247
Packages .................................................................................... 247
Asterisk CLI diagnostics ................................................................ 248
ISDN LED status .......................................................................... 249
Multi-WAN diagnostics ........................................................................ 250
Showing Log ............................................................................... 251
Debugging guidelines ................................................................... 252
Terminal Server diagnostics ................................................................ 253
VRRP diagnostics ............................................................................... 254
VRRP diagnostics web interface ..................................................... 254
VRRP diagnostics using the command line interface ......................... 254
Diagnostics for WiFi AP mode .............................................................. 255
Diagnostics for WiFi client mode .......................................................... 255
1 Introduction
This user manual describes the features of Virtual Access GW1000 Series routers and how to configure them.
Designed for managed network providers, GW1000 Series routers provide secure WAN connectivity for internet and private networking environments over 3G or 4G broadband paths and incorporate optional 802.11n WiFi connectivity.
1.1 Document scope
This document covers the following models in the GW1000 Series.
GW1031-W: Single Ethernet, 3G, Dual SIM, Optional WiFi
GW1031-S: Single Ethernet, 3G, Dual SIM, Serial, Optional WiFi
GW1032-W: Dual Ethernet, 3G, Dual SIM, Optional WiFi
GW1041-W: Single Ethernet, 4G, Dual SIM, Optional WiFi
GW1042-W: Dual Ethernet, 4G, Dual SIM, Optional WiFi
Throughout this document we refer to the GW1000 and use the host name ‘VA_router’.
2 GW1000 Series hardware
2.1 Hardware specification
2.1.1 GW1000 Series router model variants
GW1031-W: Single Ethernet, 3G, Dual SIM, Optional WiFi
GW1031-S: Single Ethernet, 3G, Dual SIM, Serial, Optional WiFi
GW1032-W: Dual Ethernet, 3G, Dual SIM, Optional WiFi
GW1041-W: Single Ethernet, 4G, Dual SIM, Optional WiFi
GW1042-W: Dual Ethernet, 4G, Dual SIM, Optional WiFi
2.2 Hardware features
• Dual SIM sockets
• Dual antenna SMA connectors for 3G/4G main and aux
• GPS antenna
• One or two 10/100 Mbps Ethernet ports
• Optional serial port
• WiFi with internal antennas on WiFi models
• Optional SIM cover
Serial port
The asynchronous serial port is named ‘/dev/ttyUSB0’.
The serial port has a number of configurable settings, such as baud rate, word size, parity and flow control mode.
Figure 1: Serial port position on the GW1000
The serial port is configurable to operate in either RS232 or RS485 mode. The default mode is RS232.
For more information on using the port in RS485 mode, read the Terminal Server section of this manual.
2.3 RS232 mode pin-out on the GW1000
RJ45 Pin   Name      Direction
1          RTS       In
2          DTR       In
3          TX Data   In
4          GND       -
5          GND       -
6          RX Data   Out
7          DSR       Out
8          CTS       Out
Table 1: RS232 mode pin-out on the GW1000
2.4 RS485 mode pin-out on the GW1000
4-wire mode
Signal   Direction
RXD+     Input to the GW1000
RXD-     Input to the GW1000
TXD-     Output from GW1000
TXD+     Output from GW1000
2-wire mode
Signal   Direction
D-       In/Out
D+       In/Out
Table 2: RS485 mode pin-out on the GW1000
2.5 GSM technology
• HSPA+
• EDGE/GPRS
• GPS
• Download up to 21 Mbps
• Upload up to 5.76 Mbps
• 2100/1900/900/850 MHz Bands
2.6 WiFi technology
• 802.11 a/b/g/n
• Dual band 2.4GHz and 5GHz
• 802.11g data rate to 54Mbps
• Up to 15dBm output power
2.7 Power supply
The GW1000W Series router has three power supply options:
• 100V-240V AC PSU (standard)
• 100V-240V AC PSU with extended temperature support -20°C to +70°C
• 10V-30V DC power lead
2.8 Dimensions
Unit size: 113W 113D 28H mm
Unit weight: 500g
2.9 Compliance
The GW1000 Series router is compliant and tested to the following standards:
Safety: EN60950-1: 2001
EMC: EN55022:1998 Class B and EN55024:1998 Class B
Environmental: ETSI 300 019-1-3 Sinusoidal Vibration and Shock; ETSI 300 019-2-3 Random Vibration.
2.10 Operating temperature range
The operating temperature range depends on the router’s type of power supply.
Model         Operating temperature   Power supply
GW1030-W      0°C to 40°C             Standard AC PSU
GW1030-W-ET   -20°C to 70°C           Extended temperature AC PSU
GW1030-W-DC   -20°C to 70°C           DC power cable
GW1031-S      0°C to 40°C             Standard AC PSU
GW1040-W      0°C to 40°C             Standard AC PSU
GW1040-W-ET   -20°C to 70°C           Extended temperature AC PSU
GW1040-W-DC   -20°C to 70°C           DC power cable
2.11 Antenna
The GW1000 Series router has two SMA connectors for connection of two antennas for antenna diversity. Antenna diversity helps improve the quality of a wireless link by mitigating problems associated with multipath interference.
2.12 Components
To enable and configure connections on your router, it must be correctly installed.
The GW1000 Series router contains an internal web server that you use for configurations. Before you can access the internal web server and start the configuration, ensure the components are correctly connected and that your PC has the correct networking setup.
The GW1000 Series router comes with the following components as standard:
1 x GW1000 Series router
1 x Ethernet cable. RJ45 connector at both ends.
1 x power supply unit.
1 x right angle antenna.
Table 3: GW1000 Series router standard components
Optional components include:
1 x lockable SIM cover
1 x extra antenna
Virtual Access supplies a wide range of antennas. Please visit our website, www.virtualaccess.com, or contact Virtual Access for more information.
Table 4: GW1000 Series router optional components
2.13 Inserting the SIM cards
1. Ensure the unit is powered off.
2. Hold the SIM 1 card with the chip side facing down and the cut corner front left.
3. Gently push the SIM card into SIM slot 1 until it clicks in.
4. If using SIM 2, hold the SIM with the cut corner front right.
5. Gently push the SIM card into SIM slot 2 until it clicks in.
2.14 Connecting the SIM lock
Connect the SIM lock using the Allen key provided.
2.15 Connecting cables
Connect one end of the Ethernet cable into port A and the other end to your PC or switch.
2.16 Connecting the antenna
If only connecting one antenna, screw the antenna into the MAIN SMA connector.
If using two antennas, screw the main antenna into the MAIN SMA connector and the secondary antenna into the AUX SMA connector.
2.17 Powering up
The GW6600 takes approximately 2 minutes to boot up. During this time, the power LED flashes.
Other LEDs display different diagnostic patterns during boot up.
Booting is complete when the power LED stops flashing and stays on steady.
2.18 Reset button
The reset button is used to request a system reset.
When you press the reset button all LEDs turn on simultaneously. The length of time you hold the reset button will determine its behaviour.
Press duration                      Behaviour
Less than 3 seconds                 Normal reset.
Between 3 and 5 seconds             The router resets to factory configuration.
Between 20 seconds and 25 seconds   Recovery mode.
Over 25 seconds                     Normal reset.
Table 5: GW1000 Series router reset behaviour
3 GW1000 Series LED behaviour
3.1 Main LED behaviour
There are five LEDs on the GW1000.
Figure 2: LEDs on the GW1000
3.2 Power and configuration LED
The power and configuration LED is either flashing or solid depending on the router’s status.
The GW1000 Series takes approximately 2 minutes to boot up. During this time, the power LED flashes.
Other LEDs display different diagnostic patterns during boot up.
Booting is complete when the power LED stops flashing and stays on steady.
LED colour               Status
Green flashing quickly   Unit is booting from power on.
Green flashing slowly    Unit is in recovery mode.
Green flashing quickly   Unit is in factory config.
Green on                 Unit has completed the booting up process and is in either config 1 or config 2.
Table 6: Power/config LED colours and status descriptions
3.3 SIM LED
The SIM LED is either flashing or solid depending on which SIM is in use and its status.
LED colour       Status
Green on         Using SIM connected to network.
Green flashing   Using SIM attempting to connect to network.
Table 7: SIM LED colours and status descriptions
3.4 Signal strength LEDs
There are two signal strength LEDs. They are both green.
LEDs      Colour           Status
Off/off   Green            No signal detected.
Off/on    Green flashing   Low signal strength.
On/off    Green flashing   Medium signal strength.
On/on     Green            Good signal strength.
Table 8: Signal strength LED status descriptions
3.5 WiFi LED
The WiFi LED indicator is blue.
LED        Status
On         WiFi is enabled.
Flashing   Data activity on WiFi interface.
Table 9: WiFi LED status description
3.6 Ethernet port LED behaviour
The Ethernet port has two LEDs: a LINK LED (green) and an ACT LED (amber).
When looking at the port, the LED on the left hand side is the LINK LED, and the ACT LED is on the right hand side.
LED                State      Status
Link LED (green)   Off        No physical Ethernet link detected.
Link LED (green)   On         Physical Ethernet link detected.
ACT LED (amber)    Off        No data is being transmitted/received over the link.
ACT LED (amber)    Flashing   Data is being transmitted/received over the link.
Figure 3: Ethernet LED
4 Factory configuration extraction from SIM card
Virtual Access routers have a feature to update the factory configuration from a SIM card. This allows you to change the factory configuration of a router when installing the SIM.
1. Make sure the SIM card you are inserting has the required configuration written on it.
2. Ensure the router is powered off.
3. Hold the SIM 1 card with the chip side facing down and the cut corner front left.
4. Gently push the SIM card into SIM slot 1 until it clicks in.
5. Power up the router.
Depending on the model, the power LED and/or the configuration LED flash as usual.
The SIM LED starts flashing. This indicates the application responsible for 3G and configuration extraction management is running. It also means the update of the configuration is happening.
When the update is finished, depending on the model, the power LED and/or the configuration LED blink alternately and very fast for 20 seconds.
5 Accessing the router
Access the router using either Ethernet or the 3G/4G interface.
5.1 Over Ethernet
The CLI can also be accessed over Ethernet, by default using Secure Shell (SSH) and optionally over Telnet.
To access CLI over Ethernet start an SSH client and connect to the router’s management IP address, on port 22: 192.168.100.1/24. Then enter the default username and password.
Username: Root
Password: Admin
Figure 4: SSH CLI logon screen
5.2 Over a 3G or 4G interface
You can also access the CLI over the router’s 3G or 4G interface using Secure Shell (SSH) and optionally over Telnet.
To access CLI start an SSH client and connect to the router’s 3G or 4G IP interface on port 22: 192.168.100.1/24. Then enter the default username and password.
Username: Root
Password: Admin
6 Upgrading router firmware
6.1 Upgrading firmware using the web interface
Copy the new firmware issued by Virtual Access to a PC connected to the router.
In the top menu, select System tab > Backup/Flash Firmware.
Figure 5: The system menu
The Flash operations page appears.
Figure 6: The flash operations page
Under Flash new firmware image, click Choose File or Browse.
Note: the button will vary depending on the browser you are using.
Select the appropriate image and then click Flash Image. The Flash Firmware – Verify page appears.
Figure 7: The flash firmware - verify page
Click Proceed. The System – Flashing… page appears.
Figure 8: The system – flashing…page
When the ‘waiting for router’ icon disappears, the upgrade is complete, and the login homepage appears.
To verify that the router has been upgraded successfully, click Status in the top menu. The Firmware Version shows in the system list.
Figure 9: The status page
6.2 Upgrading firmware using CLI
To upgrade firmware using CLI, you will need a TFTP server on a connected PC.
Open up an SSH or Telnet session to the router.
Enter in the relevant username and password.
To change into the temp folder, enter: cd /tmp
To connect to your TFTP server, enter: atftp x.x.x.x
(where x.x.x.x is the IP of your PC).
Press Enter.
While in the TFTP application, to get the image, enter: get GIG-15.00.38.image
Note: this is an example; substitute the correct file name.
When the image has downloaded, to leave TFTP and get back into the command line, enter: quit
To write the image into the alternative image, enter: mtd write GIG-15.00.38.image altimage
Note: this is an example; substitute the correct file name.
To set the next image to boot to the alternative image, enter: vacmd set next image altimage
For your configuration changes to apply, you must reboot your router. Enter: reboot
7 File system
7.1 Configurations
Configurations are stored in folders at /etc/conf/factconf, /etc/conf/config1 and /etc/conf/config2.
Multiple configuration files exist in each folder. Each file contains configuration parameters for different areas of functionality in the system.
A symbolic link exists at /etc/conf/config, which always points to one of factconf, config1 or config2.
Files that appear to be in /etc/conf/config are actually in /etc/conf/factconf|config1|config2 depending on which configuration is active.
If /etc/conf is missing on start-up, for example on first boot, the links and directories are created with configuration files copied from /overlay/etc/config/.
At any given time, only one of the configurations is the active configuration.
To show the active configuration file, enter: root@VA_router:~# vacmd show current config
To set the boot configuration to run on next reboot, enter: root@VA_router:~# vacmd set next config [factconf|config1|config2]
7.1.1 High level configuration commands
To show the configuration currently running, enter: root@VA_router:~# vacmd show current config
To show the configuration to run after the next reboot, enter: root@VA_router:~# vacmd show next config
To set the configuration to run after the next reboot, enter: root@VA_router:~# vacmd set next config [factconf|config1|config2]
Image files
The system allows for two firmware image files named image1 and image2.
One is the current image that is running and the other is the alternate image.
7.1.2 Configuration file syntax
The configuration files consist of sections, each introduced by a config statement and containing one or more option statements that define the actual values.
Below is an example of a simple configuration file:
package 'example'
config 'example' 'test'
    option 'string' 'some value'
    option 'boolean' '1'
    list 'collection' 'first item'
    list 'collection' 'second item'
The config 'example' 'test' statement defines the start of a section with the type example and the name test. There can also be so-called anonymous sections with only a type, but no name identifier. The type is important so the processing programs can decide how to treat the enclosed options.
The option 'string' 'some value' and option 'boolean' '1' lines define simple values within the section.
Note: there are no syntactical differences between text and boolean options.
Boolean options may have one of the values '0', 'no', 'off' or 'false' to specify a false value or '1', 'yes', 'on' or 'true' to specify a true value.
In the lines starting with a list keyword, an option with multiple values is defined. All list statements that share the same name, collection in this example, will be combined into a single list of values with the same order as in the configuration file.
The indentation of the option and list statements is a convention to improve the readability of the configuration file but it is not syntactically required.
Usually, you do not need to enclose identifiers or values in quotes. Quotes are only required if the enclosed value contains spaces or tabs. Also, it is legal to use double instead of single quotes when typing configuration options.
All of the examples below are valid syntax:
option example value
option 'example' value
option example "value"
option "example" 'value'
option 'example' "value"
In contrast, the following examples are not valid syntax:
option example some value with space    (missing quotes around a value that contains spaces)
option 'example" "value'    (quotes are unbalanced)
It is important to know that identifiers and config file names may only contain the characters a-z, 0-9 and _. Option values may contain any character, as long they are properly quoted.
7.1.3 Command line utility
For configuration, the system emulates a subset of the Unified Configuration
Interface (UCI). This section describes the usage guide for the UCI command line.
When there are multiple rules next to each other, UCI uses array-like references for them. If there are 8 NTP servers, UCI will let you reference their sections as timeserver.@timeserver[0] for the first rule or timeserver.@timeserver[7] for the last one.
root@VA_router:~# uci
Usage: uci [<options>] <command> [<arguments>]
Commands:
batch
list
export [<config>]
import [<config>]
changes [<config>]
commit [<config>]
add <config> <section-type>
add_list <config>.<section>.<option>=<string>
show [<config>[.<section>[.<option>]]]
get <config>.<section>[.<option>]
set <config>.<section>[.<option>]=<value>
delete <config>[.<section[.<option>]]
rename <config>.<section>[.<option>]=<name>
revert <config>[.<section>[.<option>]]
reorder <config>.<section>=<position>
Options:
-c <path> set the search path for config files (default:
/etc/config)
-d <str> set the delimiter for list values in uci show
-f <file> use <file> as input instead of stdin
-L do not load any plugins
-m when importing, merge data into an existing package
-n name unnamed sections on export (default)
-N don't name unnamed sections
-p <path> add a search path for config change files
-P <path> add a search path for config change files and use as default
-q quiet mode (don't print error messages)
-s force strict mode (stop on parser errors, default)
-S disable strict mode
-X do not use extended syntax on 'show'
Command and target
    Description
export [<config>]
    Exports the configuration in a machine readable format. It is used internally to evaluate configuration files as shell scripts.
import [<config>]
    Imports configuration files in UCI syntax.
add <config> <section-type>
    Adds an anonymous section of type section-type to the given configuration.
add_list <config>.<section>.<option>=<string>
    Adds the given string to an existing list option.
show [<config>[.<section>[.<option>]]]
    Shows the given option, section or configuration in compressed notation.
get <config>.<section>[.<option>]
    Gets the value of the given option or the type of the given section.
set <config>.<section>[.<option>]=<value>
    Sets the value of the given option, or adds a new section with the type set to the given value.
delete <config>[.<section>[.<option>]]
    Deletes the given section or option.
Table 1: Commands, target and their descriptions
Note: none of these operations acts directly on the configuration files. A commit command is required after you have finished your configuration:
root@VA_router:~# uci commit
7.1.3.1 Command line utility examples
To export an entire configuration, enter: root@VA_router:~# uci export
To export the configuration for a single package, enter: uci export <package>. For example:
root@VA_router:~# uci export system
package system
config system 'main'
    option hostname 'VA_router'
    option zonename 'Europe/Dublin'
    option timezone 'GMT0IST,M3.5.0/1,M10.5.0'
    option cronloglevel '9'
    option log_ip '0.0.0.0'
    option log_port '514'
config timeserver 'ntp'
    list server '0.openwrt.pool.ntp.org'
    list server '1.openwrt.pool.ntp.org'
    list server '2.openwrt.pool.ntp.org'
    list server '3.openwrt.pool.ntp.org'
To show an alternate view of a configuration file, enter uci show:
root@VA_router:~# uci show system
system.main=system
system.main.hostname=VA_router
system.main.zonename=Europe/Dublin
system.main.timezone=GMT0IST,M3.5.0/1,M10.5.0
system.main.cronloglevel=9
system.main.log_ip=0.0.0.0
system.main.log_port=514
system.ntp=timeserver
system.ntp.server=0.openwrt.pool.ntp.org 1.openwrt.pool.ntp.org 2.openwrt.pool.ntp.org 3.openwrt.pool.ntp.org
To display just the value of an option, enter: root@VA_router:~# uci get system.main.hostname
VA_router
7.1.4 Configuration copying and deleting
Manage configurations using directory manipulation.
To remove the contents of the current folder, enter: root@VA_router:/etc/config1# rm -f *
To remove the contents of a specific folder (here config1) regardless of the current folder, enter: root@VA_router:/ # rm -f /etc/config1/*
To copy the contents of one folder into another (config2 into config1), enter: root@VA_router:/etc/config1# cp /etc/config2/* /etc/config1
7.1.5 Image files
The system allows for two firmware image files:
• image1, and
• image2
Two firmware images are supported to enable the system to rollback to a previous firmware version if the upgrade of one fails.
The image names (image1, image2) themselves are symbols that point to different partitions in the overall file system. A special image name “altimage” exists which always points to the image that is not running.
The firmware upgrade system always downloads firmware to “altimage”.
7.1.6 Viewing files
To view a text or configuration file in the system, enter the cat command:
root@VA_router:~# cat /etc/config/dropbear
config dropbear
    option PasswordAuth 'on'
    option BannerFile '/etc/banner'
    option RootPasswordAuth 'yes'
    option IdleTimeout '1800'
    option Port '22'
To view files in the current folder, enter ls:
root@VA_router:/# ls
bin etc lib opt sbin usr bkrepos home linuxrc proc sys var dev init mnt root tmp www
Other common Linux commands are available, such as: top, grep, tail, head, more, less.
Typical pipe and redirect operators are available: >, >>, <, |
7.1.7 Copying files
To change the current folder, enter cd:
root@VA_router:~# cd /etc/config1
root@VA_router:/etc/config1#
Note: if the specified directory is actually a link to a directory, the real directory will be shown in the prompt.
To remove the contents of the current folder, use: root@VA_router:/etc/config1# rm -f *
Warning: the above command makes irreversible changes.
To remove the contents of a specific folder regardless of the current folder, use: root@VA_router:~# rm -f /etc/config1/*
To copy the contents of one folder into another, for example config2 into config1, use: root@VA_router:~# cp /etc/config2/* /etc/config1
7.1.8 Editing files
The config can be edited using uci commands or via the web GUI.
7.1.9 Processes and jobs
To view scheduled jobs, enter: root@VA_router:~# crontab -l
Note: currently there are no scheduled jobs.
To view running processes, enter: root@VA_router:~# ps
PID USER VSZ STAT COMMAND
1 root 1536 S init
2 root 0 SW [kthreadd]
3 root 0 SW [ksoftirqd/0]
4 root 0 SW [kworker/0:0]
5 root 0 SW [kworker/u:0]
6 root 0 SW< [khelper]
...
1796 root 1540 S /usr/bin/ifplugd -i eth0 -I -l -x lan2
1879 root 7352 S /sbin/dsl_cpe_control -i -n /sbin/dsl_notify.sh a /tmp/dsl.scr
2017 root 1540 S /usr/bin/ifplugd -i eth1 -I -l -x lan
2178 root 1540 S /usr/bin/ifplugd -i eth2 -I -l -x lan3
2297 root 2256 S {va_hdl.lua} /usr/bin/lua /usr/sbin/va_hdl.lua
To kill a process, enter the PID: root@VA_router:~# kill 2297
7.1.10 System information
General information about the software and configuration used by the router is displayed just after login, or can be shown by entering the following command:
root@VA_router:~# vacmd show vars
VA_SERIAL: 00E0C8121215
VA_MODEL: GW6610-ALL
VA_ACTIVEIMAGE: image2
VA_ACTIVECONFIG: config1
VA_IMAGE1VER: VIE-16.00.44
VA_IMAGE2VER: VIE-16.00.44
VA_BLDREV: 91a7f87ed61ca919e78f1c8e3cb840264f4887bb
VA_REGION: EU
VA_WEBVER: 00.00.00
VA_HWREV: a
VA_TOPVER: 16.00.44
This command shows the general software and configuration details of the router.
8 Command Line Interface
8.1 Basics
The system has an SSH server typically running on port 22.
The system provides a Unix command line. Common Unix commands are available such as ls, cd, cat, top, grep, tail, head, more. Typical pipe and redirect operators are available: >, >>, <, |
For configuration, the system uses the “Unified Configuration Interface” (UCI).
See the next section for more detail.
The factconf default password for the root user is ‘admin’.
To change the factconf default password, enter: root@VA_router:/# passwd
Current Password: ******
New Password: **********
Confirm New Password: **********
To reboot the system, enter: root@VA_router:/# reboot
The system log can be viewed as follows:
root@VA_router:/# logread
root@VA_router:/# logread | tail
root@VA_router:/# logread | more
root@VA_router:/# logread -f
These commands show, respectively, the full log, the end of the log, the log one page at a time, and the log continuously as new entries arrive. Use Ctrl-C to stop the continuous output.
To view a text or configuration file in the system, enter:
root@VA_router:/# cat /etc/ppp/options
logfile /dev/null
nocrtscts
lock
debug
refuse-chap
kdebug 7
record /tmp/ppp.log
To view files in the current folder, enter:
root@VA_router:/# ls -l
drwxrwxr-x 2 root root 642 Jul 16 2012 bin
drwxr-xr-x 5 root root 1020 Jul 4 01:27 dev
drwxrwxr-x 1 root root 0 Jul 3 18:41 etc
drwxr-xr-x 1 root root 0 Jul 9 2012 lib
drwxr-xr-x 2 root root 3 Jul 16 2012 mnt
drwxr-xr-x 7 root root 0 Jan 1 1970 overlay
dr-xr-xr-x 58 root root 0 Jan 1 1970 proc
drwxr-xr-x 16 root root 223 Jul 16 2012 rom
drwxr-xr-x 1 root root 0 Jul 3 22:53 root
drwxrwxr-x 2 root root 612 Jul 16 2012 sbin
drwxr-xr-x 11 root root 0 Jan 1 1970 sys
drwxrwxrwt 10 root root 300 Jul 4 01:27 tmp
drwxr-xr-x 1 root root 0 Jul 3 11:37 usr
lrwxrwxrwx 1 root root 4 Jul 16 2012 var -> /tmp
drwxr-xr-x 4 root root 67 Jul 16 2012 www
To change the current folder, enter:
root@VA_router:/# cd /etc/ppp
root@VA_router:/etc/ppp#
To view scheduled jobs: root@VA_router:/# crontab -l
To view currently running processes: root@VA_router:/# ps
PID Uid VmSize Stat Command
1 root 356 S init
2 root DW [keventd]
3 root RWN [ksoftirqd_CPU0]
4 root SW [kswapd]
5 root SW [bdflush]
6 root SW [kupdated]
8 root SW [mtdblockd]
89 root 344 S logger -s -p 6 -t
92 root 356 S init
93 root 348 S syslogd -C 16
94 root 300 S klogd
424 root 320 S wifi up
549 root 364 S httpd -p 80 -h /www -r VA_router
563 root 336 S crond -c /etc/crontabs
6712 root 392 S /usr/sbin/dropbear
6824 root 588 S /usr/sbin/dropbear
7296 root 444 S -ash
374 root 344 R ps ax
375 root 400 S /bin/sh /sbin/hotplug button
384 root 396 R /bin/sh /sbin/hotplug button
385 root RW [keventd]
8.2 Unified Configuration Interface (UCI)
The system uses Unified Configuration Interface (UCI) for central configuration management. All the most common and useful configuration settings can be accessed and configured using the uci system.
UCI consists of a command line utility 'uci', the files containing the actual configuration data, and scripts that take the configuration data and apply it to the proper parts of the system, such as the networking interfaces, or the web server.
The uci command is the preferred way of managing the configuration. Currently, you can directly access files, but this is not guaranteed for the future.
A simple example of using the uci utility is shown below.
root@VA_router:/# uci show network
network.loopback=interface
network.loopback.ifname=lo
network.loopback.proto=static
network.loopback.ipaddr=127.0.0.1
network.loopback.netmask=255.0.0.0
network.lan=interface
network.lan.ifname=eth0
network.lan.proto=dhcp
network.wan=interface
network.wan.username=foo
network.wan.password=bar
network.wan.proto=3g
network.wan.device=/dev/ttyACM0
network.wan.service=umts
network.wan.auto=0
network.wan.apn=arkessa.com
network.@va_switch[0]=va_switch
network.@va_switch[0].eth0=A B C
network.@va_switch[0].eth1=D
root@VA_router:/# uci set network.wan.apn=hs.vodafone.ie
root@VA_router:/# uci commit
root@VA_router:/# uci show network.wan
network.wan=interface
network.wan.username=foo
network.wan.password=bar
network.wan.proto=3g
network.wan.device=/dev/ttyACM0
network.wan.service=umts
network.wan.auto=0
network.wan.apn=hs.vodafone.ie
root@VA_router:/#
Below is a guide for the UCI command line and some further examples of how to use this powerful utility.
When there are multiple rules next to each other, UCI uses array-like references for them. If there are 8 NTP servers, UCI will let you reference their sections as timeserver.@timeserver[0] for the first or timeserver.@timeserver[7] for the last one.
You can also use negative indexes, such as timeserver.@timeserver[-1]. "-1" means "the last one", and "-2" means the second-to-last one. This is useful when appending new rules to the end of a list. See examples below.
root@VA_router:/lib/config# uci
Usage: uci [<options>] <command> [<arguments>]
Commands:
export [<config>]
import [<config>]
changes [<config>]
commit [<config>]
add <config> <section-type>
add_list <config>.<section>.<option>=<string>
show [<config>[.<section>[.<option>]]]
get <config>.<section>[.<option>]
set <config>.<section>[.<option>]=<value>
delete <config>[.<section[.<option>]]
rename <config>.<section>[.<option>]=<name>
revert <config>[.<section>[.<option>]]
Options:
-c <path> set the search path for config files (default:
/etc/config)
-d <str> set the delimiter for list values in uci show
-f <file> use <file> as input instead of stdin
-m when importing, merge data into an existing package
-n name unnamed sections on export (default)
-N don't name unnamed sections
-p <path> add a search path for config change files
-P <path> add a search path for config change files and use as default
-q quiet mode (don't print error messages)
-s force strict mode (stop on parser errors, default)
-S disable strict mode
-X do not use extended syntax on 'show'
Command and target
    Description
commit [<config>]
    Writes changes of the given configuration file, or if none is given, all configuration files, to the filesystem. All "uci set", "uci add", "uci rename" and "uci delete" commands are staged into a temporary location and written to flash at once with "uci commit". This is not needed after editing configuration files with a text editor, but for scripts, GUIs and other programs working directly with UCI files.
export [<config>]
    Exports the configuration in a machine readable format. It is used internally to evaluate configuration files as shell scripts.
import [<config>]
    Imports configuration files in UCI syntax.
changes [<config>]
    Lists staged changes to the given configuration file or, if none is given, all configuration files.
add <config> <section-type>
    Adds an anonymous section of type section-type to the given configuration.
add_list <config>.<section>.<option>=<string>
    Adds the given string to an existing list option.
show [<config>[.<section>[.<option>]]]
    Shows the given option, section or configuration in compressed notation.
get <config>.<section>[.<option>]
    Gets the value of the given option or the type of the given section.
set <config>.<section>[.<option>]=<value>
    Sets the value of the given option, or adds a new section with the type set to the given value.
delete <config>[.<section>[.<option>]]
    Deletes the given section or option.
rename <config>.<section>[.<option>]=<name>
    Renames the given option or section to the given name.
revert <config>[.<section>[.<option>]]
    Reverts the given option, section or configuration file.
8.3 Configuration files
File                        Description
Management
    /etc/config/autoload    Boot up Activation behaviour (typically used in factconf)
    /etc/config/httpclient  Activator addresses and urls
    /etc/config/monitor     Monitor details
Basic
    /etc/config/dropbear    SSH server options
    /etc/config/dhcp        Dnsmasq configuration and DHCP settings
    /etc/config/firewall    NAT, packet filter, port forwarding, etc.
    /etc/config/network     Switch, interface, L2TP and route configuration
    /etc/config/system      Misc. system settings including syslog
Other
    /etc/config/snmpd       SNMPd settings
    /etc/config/uhttpd      Web server options (uHTTPd)
    /etc/config/strongswan  IPSec settings
8.4 Configuration file syntax
The configuration files usually consist of one or more config statements, so-called sections, each with one or more option statements defining the actual values.
Below is an example of a simple configuration file:
package 'example'
config 'example' 'test'
    option 'string' 'some value'
    option 'boolean' '1'
    list 'collection' 'first item'
    list 'collection' 'second item'
The config 'example' 'test' statement defines the start of a section with the type example and the name test. There can also be so-called anonymous sections with only a type, but no name identifier. The type is important for the processing programs to decide how to treat the enclosed options.
The option 'string' 'some value' and option 'boolean' '1' lines define simple values within the section. Note that there are no syntactical differences between text and boolean options. By convention, boolean options may have one of the values '0', 'no', 'off' or 'false' to specify a false value or '1', 'yes', 'on' or 'true' to specify a true value.
In the lines starting with a list keyword, an option with multiple values is defined. All list statements that share the same name, collection in our example, will be combined into a single list of values with the same order as in the configuration file.
The indentation of the option and list statements is a convention to improve the readability of the configuration file but it is not syntactically required.
Usually, you do not need to enclose identifiers or values in quotes. Quotes are only required if the enclosed value contains spaces or tabs. Also, it is legal to use double instead of single quotes when typing configuration options.
All of the examples below are valid syntax:
option example value
option 'example' value
option example "value"
option "example" 'value'
option 'example' "value"
In contrast, the following examples are not valid syntax:
option 'example" "value'    (quotes are unbalanced)
option example some value with space    (note the missing quotes around the value)
It is important to know that identifiers and config file names may only contain the characters a-z, 0-9 and _. Option values may contain any character, as long they are properly quoted.
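The syntax rules above (and the same rules in section 7.1.2), as an added worked example in Python that is not code from the manual or from Virtual Access: a parser applying the quoting, identifier, section and list rules and rejecting the invalid lines shown, a renderer for the compressed uci show notation, and a lookup that accepts the @type[index] references of section 8.2, negative indexes included. The embedded sample configuration is constructed for illustration and the function names are the example's own.

```python
import re

# Manual: identifiers use a-z, 0-9 and _; its examples (Enabled, StartTimer) add A-Z.
IDENT_RE = re.compile(r"[A-Za-z0-9_]+")
TOKEN_RE = re.compile(r"""(?:'[^']*'|"(?:[^"\\]|\\.)*"|[^\s'"]+)+|(\S)""")
PART_RE = re.compile(r"""'([^']*)'|"((?:[^"\\]|\\.)*)"|([^\s'"]+)""")


class UciSyntaxError(ValueError):
    """A line that breaks the quoting, keyword or identifier rules."""


def tokenize(line):
    """Split a line by the manual's quoting rules: ' and " are interchangeable,
    quotes are needed only around values with spaces or tabs, and a quote that
    is never closed (it matches TOKEN_RE group 1) is an error."""
    tokens = []
    for m in TOKEN_RE.finditer(line):
        if m.group(1):
            raise UciSyntaxError("unbalanced quote: %r" % line)
        parts = []
        for p in PART_RE.finditer(m.group(0)):
            text = p.group(p.lastindex)
            if p.lastindex == 2:  # "\$\$.ini" in a uci export is the value $$.ini
                text = re.sub(r"\\(.)", r"\1", text)
            parts.append(text)
        tokens.append("".join(parts))
    return tokens


def parse_uci(text):
    """Return (package, sections); a section is a dict with type, name (None if
    anonymous) and options, where list values are collected in file order."""
    package, sections = None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        tokens = tokenize(raw)
        kw, args = tokens[0], tokens[1:]
        idents = args if kw in ("package", "config") else args[:1]
        if not all(IDENT_RE.fullmatch(a) for a in idents):
            raise UciSyntaxError("line %d: bad identifier in %r" % (lineno, raw))
        if kw == "package" and len(args) == 1:
            package = args[0]
        elif kw == "config" and len(args) in (1, 2):
            sections.append({"type": args[0], "options": {},
                             "name": args[1] if len(args) == 2 else None})
        elif kw == "option" and len(args) == 2 and sections:
            sections[-1]["options"][args[0]] = args[1]
        elif kw == "list" and len(args) == 2 and sections:
            opts = sections[-1]["options"]
            if not isinstance(opts.get(args[0]), list):
                opts[args[0]] = []
            opts[args[0]].append(args[1])
        else:  # bad keyword, option outside a section, or unquoted spaces
            raise UciSyntaxError("line %d: cannot parse %r" % (lineno, raw))
    return package, sections


def uci_show(package, sections):
    """Compressed 'uci show' notation; anonymous sections become @type[index]."""
    lines, count = [], {}
    for sec in sections:
        ref = sec["name"]
        if ref is None:
            count[sec["type"]] = count.get(sec["type"], 0) + 1
            ref = "@%s[%d]" % (sec["type"], count[sec["type"]] - 1)
        lines.append("%s.%s=%s" % (package, ref, sec["type"]))
        for key, val in sec["options"].items():
            val = " ".join(val) if isinstance(val, list) else val
            lines.append("%s.%s.%s=%s" % (package, ref, key, val))
    return lines


def resolve_section(sections, ref):
    """Find a section by name or @type[index]; negative indexes count from the end."""
    m = re.fullmatch(r"@(\w+)\[(-?\d+)\]", ref)
    if not m:
        return next((s for s in sections if s["name"] == ref), None)
    same = [s for s in sections if s["type"] == m.group(1)]
    idx = int(m.group(2))
    return same[idx] if -len(same) <= idx < len(same) else None


def is_valid_uci(text):  # True when the text parses under the rules above
    try:
        parse_uci(text)
        return True
    except UciSyntaxError:
        return False


# Constructed sample modelled on the manual's system and autoload configs.
SAMPLE = """\
package example
config timeserver 'ntp'
    list server '0.openwrt.pool.ntp.org'
    list server "1.openwrt.pool.ntp.org"
config entry
    option SegmentName altconfig
    option RemoteFilename "\\$\\$.ini"
config entry
    option SegmentName altimage
    option RemoteFilename "\\$\\$.img"
"""
```

Calling uci_show(*parse_uci(SAMPLE)) yields the lines uci show would print for that package; is_valid_uci rejects an unquoted value containing spaces and any quote that is never closed.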
8.5 Examples
No need to reboot.
After changing the port uhttpd listens on from 80 to 8080 in the file /etc/config/uhttpd and saving it, enter:
root@VA_router:~# uci commit uhttpd
then enter:
root@VA_router:~# /etc/init.d/uhttpd restart
Done. No reboot needed.
8.5.1 Export an entire configuration
root@VA_router:~# uci export httpd
package 'httpd'
config 'httpd'
    option 'port' '80'
    option 'home' '/www'
root@VA_router:~#
To show the configuration 'tree' for a given config, enter:
root@VA_router:~# uci show httpd
httpd.@httpd[0]=httpd
httpd.@httpd[0].port=80
httpd.@httpd[0].home=/www
root@VA_router:~#
8.5.2 Display just the value of an option
root@VA_router:~# uci get httpd.@httpd[0].port
80
root@VA_router:~#
High level image commands
The image running at present can be shown using the command:
root@VA_router:~# vacmd show current image
The image to run on next reboot can be set using the command:
root@VA_router:~# vacmd set next image [image1|image2|altimage]
root@VA_router:~# reboot
To retrieve new firmware from Activator, enter:
root@VA_router:~# vacmd hdl $$.img altimage
root@VA_router:~# vacmd set next image altimage
root@VA_router:~# reboot
9 Management configuration settings
This section details the configuration sections and parameters which are required to manage and monitor the device using Activator and Monitor.
Activator is a Virtual Access proprietary provisioning system, where specific router configurations and firmware can be stored.
Monitor is a Virtual Access proprietary tool, based on SNMP protocol, to monitor wide networks of deployed routers.
9.1 Autoload - boot up activation
This section contains the settings that specify how the device should behave with respect to Activation when it boots up. You can change the settings either directly in the configuration file or via appropriate uci set commands.
The autoload core section configures the basic functionality of the module which orchestrates the Activation process. It contains these settings:
Name (type, required, default)
    Description
Enabled (boolean, required: yes, default: no)
    Enables autoload. Set to yes to activate at system boot.
StartTimer (integer, required: yes, default: 10)
    Defines how long to wait after the boot up completes before starting activation.
RetryTimer (integer, required: yes, default: 30)
    Defines how many seconds to wait between retries if a download of a particular autoload entry (see next table) fails.
NumberOfRetries (integer, required: yes, default: 5)
    Defines how many retries to attempt before failing the overall activation sequence, backing off and trying the whole activation sequence again.
BackoffTimer (integer, required: yes, default: 15)
    Defines how many minutes to back off for if a download and all retries fail. After the backoff period, the entire autoload sequence will start again.
BootUsingConfig (string, required: yes, default: altconfig)
    Specifies which configuration to boot up with after the activation sequence completes successfully.
BootUsingImage (string, required: yes, default: altimage)
    Specifies which image to boot up with after the activation sequence completes successfully.
The Autoload entry sections specify which files, and in which order they are downloaded when the autoload sequence executes.
Name (type, required, default)
    Description
Configured (boolean, required: yes, default: no)
    Set to yes to make the autoload sequence process this entry.
SegmentName (string, required: yes, default: (none))
    Where the downloaded file should be stored (config1 | config2 | altconfig | image1 | image2 | altimage). Typically only altconfig and altimage are used.
RemoteFilename (string, required: yes, default: (none))
    $$.ini: request configuration
    $$.img: request firmware
    $$.vas: notify Activator that the sequence is complete. $$.vas should always be requested last.
A sample autoload configuration is shown below.
Note: some values contain characters that need escaping (such as $). Using the uci set and uci show commands handles the escaping for you, so you do not need to know the correct escape sequences.
root@VA_router:/# uci show autoload
autoload.main=core
autoload.main.Enabled=yes
autoload.main.StartTimer=10
autoload.main.RetryTimer=30
autoload.main.NumberOfRetries=5
autoload.main.BackoffTimer=15
autoload.main.BootUsingConfig=altconfig
autoload.main.BootUsingImage=altimage
autoload.@entry[0]=entry
autoload.@entry[0].Configured=yes
autoload.@entry[0].SegmentName=altconfig
autoload.@entry[0].RemoteFilename=$$.ini
autoload.@entry[1]=entry
autoload.@entry[1].Configured=yes
autoload.@entry[1].SegmentName=altimage
autoload.@entry[1].RemoteFilename=$$.img
autoload.@entry[2]=entry
autoload.@entry[2].Configured=yes
autoload.@entry[2].SegmentName=config1
autoload.@entry[2].RemoteFilename=$$.vas
root@VA_router:/# uci export autoload
package 'autoload'
config 'core' 'main'
    option 'Enabled' "yes"
    option 'StartTimer' "10"
    option 'RetryTimer' "30"
    option 'NumberOfRetries' "5"
    option 'BackoffTimer' "15"
    option 'BootUsingConfig' "altconfig"
    option 'BootUsingImage' "altimage"
config 'entry'
    option 'Configured' "yes"
    option 'SegmentName' "altconfig"
    option 'RemoteFilename' "\$\$.ini"
config 'entry'
    option 'Configured' "yes"
    option 'SegmentName' "altimage"
    option 'RemoteFilename' "\$\$.img"
config 'entry'
    option 'Configured' "yes"
    option 'SegmentName' "config1"
    option 'RemoteFilename' "\$\$.vas"
9.2 Httpclient - Activator configuration
This section contains the settings for the http client used during activation and active updates of the device.
The httpclient core section configures the basic functionality of the module used for retrieving files from Activator during the Activation process. It contains the following settings.
Name (type, required, default)
    Description
Enabled (boolean, required: yes, default: yes)
    Enables the http client.
list FileServer (integer, required: yes, default: none)
    Specifies the IP address of Activator that uses http port 80.
list SecureFileServer (integer, required: no)
    Specifies the IP address of Secure Activator that uses port 443.
ActivatorDownloadPath (string, required: yes, default: (none))
    Specifies the url on Activator to which the client should send requests.
SecureDownload (boolean, required: no, default: no)
    Enables Secure Download (port 443).
PresentCertificateEnabled (boolean, required: no, default: no)
    Specifies if the client presents its certificate to the server to identify itself.
ValidateServerCertificateFieldEnabled (boolean, required: no, default: no)
    Specifies if the client validates the server certificate as per ServerCertificateField and FieldValueCertificateFormat.
ServerCertificateField (string, required: no, default: CN)
    Defines the field in the server certificate that the client should check.
ServerCertificateFieldValue (string, required: no)
    Specifies the value the client expects to see in the specified field in the server certificate.
CertificateFormat (string, required: no, default: PEM)
A sample httpclient configuration is shown below.
root@VA_router:~# uci show httpclient
httpclient.default=core
httpclient.default.Enabled=yes
httpclient.default.FileServer=10.1.83.36:80 10.1.83.37:80
httpclient.default.SecureFileServer=10.1.83.36:443 10.1.83.37:443
httpclient.default.ActivatorDownloadPath=/Activator/Sessionless/Httpserver.asp
httpclient.default.SecureDownload=no
httpclient.default.PresentCertificateEnabled=no
httpclient.default.ValidateServerCertificateEnabled=no
httpclient.default.CertificateFile=/etc/httpclient.crt
httpclient.default.CertificateFormat=PEM
httpclient.default.CertificateKey=/etc/httpclient.key
root@VA_router:~# uci export httpclient
_______________________________________________________________________________________________________
© Virtual Access 2015
GW1000 Series User Manual
Issue: 2.4 Page 43 of 255
9: Management configuration settings
_______________________________________________________________________________________________________ package httpclient config core 'default'
option Enabled 'yes'
list FileServer '10.1.83.36:80'
list FileServer '10.1.83.37:80'
list SecureFileServer '10.1.83.36:443'
list SecureFileServer '10.1.83.37:443'
option ActivatorDownloadPath
'/Activator/Sessionless/Httpserver.asp'
option SecureDownload 'no'
option PresentCertificateEnabled 'no'
option ValidateServerCertificateEnabled 'no'
option CertificateFile '/etc/httpclient.crt'
option CertificateFormat 'PEM'
option CertificateKey '/etc/httpclient.key'
The following settings enable the device to report its status to Monitor. To allow Monitor to track the IP address and ongoing presence of the device, a heartbeat SNMP trap is sent by default every minute.
Use the following settings to configure this feature.

enable (type boolean; required yes; default no): Enables Monitor heartbeats.
interval_min (type integer; required no; default 1): Specifies the interval, in minutes, at which heartbeat traps are sent.
dev_reference (type string; required yes; default none): Sets a unique identification for this device, as known to Monitor.
monitor_ip (type list of IP addresses; required yes; default none): Defines the IP address of Monitor. Multiple addresses may be specified; the SNMP heartbeat trap is sent to each of them.

A sample Monitor configuration is shown below.

root@VA_router:~# uci show monitor
monitor.main=keepalive
monitor.main.enable=yes
monitor.main.interval_min=1
monitor.main.dev_reference=mikesamazondev
monitor.main.monitor_ip=10.1.83.36

root@VA_router:~# uci export monitor
package 'monitor'
config 'keepalive' 'main'
    option 'enable' "yes"
    option interval_min "1"
    option 'dev_reference' "mikesamazondev"
    list 'monitor_ip' "10.1.83.36"
9.3 System settings
The system section contains settings that apply to the most basic operation of the system, such as the host name, time zone, logging details, NTP server and language and web style.
This section details the configuration sections and parameters in various configuration files which are required to have the device perform basic routing activities on a network.
The system configuration contains basic settings for the whole router. Larger subsystems such as the network configuration, the DHCP and DNS server, and similar, have their own configuration file.
9.3.1 Configuring a router’s host name
The host name appears at the top left of the web interface menu. It also appears when you open a Telnet or SSH session.
Note: this document uses the hostname ‘VA_router’ throughout.
You can set your system setting options in the system section.
To configure the router’s hostname, in the top menu, select System -> system.
The System page appears.
Figure 10: The system page
In the Hostname field, type a relevant host name.
In the Timezone dropdown menu, select the relevant time zone.
Click Save.
hostname (type string; required no; default none): Sets the hostname of this system.
buffersize (type integer; required no; default kernel specific): Specifies the size of the kernel message buffer.
conloglevel (type integer; required no; default 7): Sets the maximum log level for kernel messages logged to the console. Only messages with a level lower than this are printed to the console.
cronloglevel (type integer; required no; default 5): Specifies the minimum level for cron messages to be logged to syslog. 0 prints all debug messages; 8 logs command executions; 9 or higher logs only error messages.
klogconloglevel (type integer; required no; default 7): Specifies the maximum log level for kernel messages logged to the console. Only messages with a level lower than this are printed to the console. Identical to conloglevel and overrides it.
log_file (type string; required no; default /var/log/messages): Defines the file to write log messages to (log_type file).
log_ip (type IP address; required no; default none): Specifies the IP address of a syslog server to which log messages are sent in addition to the local destination.
log_port (type integer; required no; default 514): Specifies the port number of the remote syslog server given by log_ip.
log_size (type integer; required no; default 16): Sets the size of the log file or circular memory buffer in KiB.
log_type (type string; required no; default circular): Specifies the log type, either circular or file.
timezone (type string; required no; default UTC): Specifies the time zone in which date and time are rendered by default.
time_save_interval_min (type integer; required no; default 10): Stores the local time every N minutes so that it can be used on the next boot.
The table below describes the fields in the Time Synchronization section.

Enable builtin NTP server (type boolean; required no; default 0): Enables the NTP server.
NTP update interval (type dropdown menu; required no; default 2): Specifies the interval of NTP requests (interval_hours in the configuration file).
server (type list of hostnames; required no; default none): Defines the pool of NTP servers to poll the time from. If the list is empty, the built-in NTP daemon is not started.

A sample system configuration is shown below.

root@VA_router:~# uci show system
system.main=system
system.main.hostname=VA_router
system.main.timezone=UTC
system.main.log_ip=10.1.83.36
system.main.log_port=514
system.main.password=admin
system.main.time_save_interval_min=10
system.ntp=timeserver
system.ntp.interval_hours=2
system.ntp.server=0.openwrt.pool.ntp.org

root@VA_router:~# uci export system
package 'system'
config 'system' 'main'
    option 'hostname' "VA_router"
    option 'timezone' "UTC"
    option 'log_ip' "10.1.83.36"
    option 'log_port' "514"
    option 'password' "admin"
    option time_save_interval_min "10"
config 'timeserver' 'ntp'
    option interval_hours '2'
    list 'server' "0.VA_router.pool.ntp.org"

The password option in this sample holds the value admin in clear text; change it before the router is deployed, and treat exported configuration files as sensitive.
9.4 User management
9.4.1 Configuration file: config user
You can create different users on the system by defining them in the user management configuration file:
/etc/config/management_users
The following table describes the user’s management configuration options.
enabled (type boolean; required yes; default 0): Enables/creates the user.
username (type text; required yes; default none): Defines the username for the user.
password (type text; required yes; default none): Defines the password for the user.
webuser (type boolean; required no; default yes): Specifies web access permissions for the user.
chapuser (type boolean; required no; default no): Specifies CHAP access permissions for the PPP connection.
papuser (type boolean; required no; default no): Specifies PAP access permissions for the PPP connection.
srpuser (type boolean; required no; default no): Specifies SRP access permissions for the PPP connection.
smsuser (type boolean; required no; default no): Specifies SMS access permissions for the user.
linuxuser (type boolean; required no; default yes): Specifies Linux user access permissions for the user.

Note:
• webuser will only work if linuxuser is set to 'yes'
• chapuser will only work if linuxuser is set to 'no'
This first example shows a defined user called ‘test’. The user has the password ‘password’ and is granted web access to the router.

root@VA_router:~# cat /etc/config/management_users
config user
    option enabled '1'
    option username 'test'
    option password 'password'
    option webuser 'yes'
    option linuxuser 'yes'

This second example shows a user called ‘srptest’ with the password ‘srptest’.

config user
    option enabled '1'
    option username 'srptest'
    option password 'srptest'
    option srpuser '1'
    option chapuser '0'
    option webuser '0'
    option smsuser '0'
    option linuxuser 'no'
When a new user is defined, you must reboot the system for the change to take effect.
After the reboot, the password option is replaced by a hash of the password, which is stored in the ‘hashpassword’ option.
For an srpuser, the password is stored in the ‘srphash’ option instead.
Note: once a new user with web access has been created, the default root user details no longer log in to the router web interface; the new login details must be used.
9.4.2 UCI export and UCI show commands
Run the uci export or uci show commands to see the management user UCI configuration settings.

root@VA_router:~# uci export management_users
package management_users
config user
    option enabled '1'
    option username 'test'
    option webuser 'yes'
    option linuxuser 'yes'
config user
    option enabled '1'
    option username 'srptest'
    option srpuser '1'
    option chapuser '0'
    option webuser '0'
    option smsuser '0'
    option linuxuser 'no'
    option srphash '0:2de6Dk6D4tFo8oVfb2iuY6aRj2cAoPeo2DAdCRcReBUc.9Px56rNmamtaBx7BiQIzNisYFJFVdhH6H0Z/Ys9RzU1SJrMVpmQZkJwqlB1tA.F7O.tf1VkGnXyiTLSCN68iJ.SltDDqeOprmLo/IW9Ub7.qop44Ml3g6S5QJxpu.N5sLzpSvER.kAFNPR/DmK9D/.3SQzTtEZNYypmkgP9O2ihw/4uDUNIFGMzd3dBs0VdF1AaFWNNqpAx7qP1JC4R5KeM/iGdo7lmKFyOTkvTIZbhXnWTRrQD5Q6nQv.UXQrUmM4t3ztabT3gN.dibG3kNpMWl/DMLMBSghkXu7QosC:1uPbR5BbICQJFx'

root@VA_router:~# uci show management_users
management_users.@user[0]=user
management_users.@user[0].enabled=1
management_users.@user[0].username=test
management_users.@user[0].webuser=yes
management_users.@user[0].linuxuser=yes
management_users.@user[1]=user
management_users.@user[1].enabled=1
management_users.@user[1].username=srptest
management_users.@user[1].srpuser=1
management_users.@user[1].chapuser=0
management_users.@user[1].webuser=0
management_users.@user[1].smsuser=0
management_users.@user[1].linuxuser=no
management_users.@user[1].srphash=0:2de6Dk6D4tFo8oVfb2iuY6aRj2cAoPeo2DAdCRcReBUc.9Px56rNmamtaBx7BiQIzNisYFJFVdhH6H0Z/Ys9RzU1SJrMVpmQZkJwqlB1tA.F7O.tf1VkGnXyiTLSCN68iJ.SltDDqeOprmLo/IW9Ub7.qop44Ml3g6S5QJxpu.N5sLzpSvER.kAFNPR/DmK9D/.3SQzTtEZNYypmkgP9O2ihw/4uDUNIFGMzd3dBs0VdF1AaFWNNqpAx7qP1JC4R5KeM/iGdo7lmKFyOTkvTIZbhXnWTRrQD5Q6nQv.UXQrUmM4t3ztabT3gN.dibG3kNpMWl/DMLMBSghkXu7QosC:1uPbR5BbICQJFx
Modify these settings with the uci set <parameter> command.
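The following added example (not Virtual Access code) parses the uci export form shown throughout this chapter into the flat keys that uci show prints, and then audits the settings the previous sections describe: the httpclient sample fetches activation files with SecureDownload and ValidateServerCertificateEnabled both 'no', the management_users samples still carry clear-text passwords until the reboot that hashes them, and the note in 9.4.1 ties webuser and chapuser to the value of linuxuser. The sample inputs are abridged copies of the page's listings; the set of boolean spellings accepted and the uci set fixes it proposes are the example's own choices.

```python
"""Parse `uci export` text into the flat keys `uci show` prints and audit the
management settings this chapter describes.  Added example, not Virtual Access
code; the samples are abridged from the page's httpclient and
management_users listings (the latter before the reboot that hashes passwords)."""
import re

HTTPCLIENT_EXPORT = """
package httpclient
config core 'default'
    option Enabled 'yes'
    list FileServer '10.1.83.36:80'
    list FileServer '10.1.83.37:80'
    option ActivatorDownloadPath '/Activator/Sessionless/Httpserver.asp'
    option SecureDownload 'no'
    option ValidateServerCertificateEnabled 'no'
    option CertificateFile '/etc/httpclient.crt'
"""

USERS_EXPORT = """
package management_users
config user
    option enabled '1'
    option username 'test'
    option password 'password'
    option webuser 'yes'
    option linuxuser 'yes'
config user
    option enabled '1'
    option username 'srptest'
    option password 'srptest'
    option srpuser '1'
    option webuser '0'
    option linuxuser 'no'
"""

_WORD = re.compile(r"""'([^']*)'|"([^"]*)"|(\S+)""")  # quoted or bare words
TRUE_VALUES = {'1', 'yes', 'on', 'true', 'enabled'}     # UCI boolean spellings (assumed)


def parse_uci_export(text):
    """Return {key: value or [values]} keyed as `uci show` prints them:
    package.section=type, package.section.option=value; anonymous sections
    are numbered per type, e.g. management_users.@user[1]."""
    entries, package, section, anon = {}, None, None, {}
    for raw in text.splitlines():
        words = [a or b or c for a, b, c in _WORD.findall(raw.strip())]
        if not words or words[0].startswith('#'):
            continue
        kw, args = words[0], words[1:]
        if kw == 'package':
            package = args[0]
        elif kw == 'config':
            stype = args[0]
            if len(args) > 1:
                name = args[1]
            else:                                  # anonymous section
                name = '@%s[%d]' % (stype, anon.get(stype, 0))
                anon[stype] = anon.get(stype, 0) + 1
            section = '%s.%s' % (package, name)
            entries[section] = stype
        elif kw == 'option':
            entries['%s.%s' % (section, args[0])] = args[1]
        elif kw == 'list':
            entries.setdefault('%s.%s' % (section, args[0]), []).append(args[1])
    return entries


def uci_show(entries):
    """Render the parsed config the way `uci show` does (lists space-joined)."""
    return ['%s=%s' % (k, ' '.join(v) if isinstance(v, list) else v)
            for k, v in entries.items()]


def audit(entries):
    """Return (key, problem, fix) tuples; fix is a `uci set` command, or None
    where no single option change fixes it."""
    on = lambda key: entries.get(key) in TRUE_VALUES
    findings = []
    for key, value in entries.items():
        parts = key.split('.')
        if len(parts) == 2 and value == 'core' and parts[0] == 'httpclient':
            # Activation pulls firmware and config: demand TLS and a verified peer.
            for opt, why in (('SecureDownload', 'files are fetched over plain HTTP'),
                             ('ValidateServerCertificateEnabled',
                              'server certificate is not validated, so TLS authenticates nobody')):
                if not on(key + '.' + opt):
                    findings.append((key + '.' + opt, why, "uci set %s.%s='yes'" % (key, opt)))
        elif len(parts) == 2 and value == 'user':
            # The page's note: webuser needs linuxuser 'yes', chapuser needs linuxuser 'no'.
            if on(key + '.webuser') and not on(key + '.linuxuser'):
                findings.append((key + '.webuser', "webuser only works with linuxuser 'yes'",
                                 "uci set %s.linuxuser='yes'" % key))
            if on(key + '.chapuser') and on(key + '.linuxuser'):
                findings.append((key + '.chapuser', "chapuser only works with linuxuser 'no'",
                                 "uci set %s.linuxuser='no'" % key))
        elif parts[-1] == 'password' and value:
            # Clear-text credential (management_users hashes it only after a reboot).
            findings.append((key, 'password stored in clear text', None))
    return findings
```

Feed it the output of uci export for a package, for example parse_uci_export(open('/tmp/httpclient.export').read()), and print uci_show() and audit() of the result; on the page's own httpclient sample it reports the two cleartext settings together with the uci set commands that turn them on, and on the management_users samples it flags every password option that has not yet been converted to hashpassword or srphash. The same password check catches the clear-text option 'password' "admin" in the system sample of 9.3.
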
9.5 Interfaces configuration
This configuration is responsible for defining switch port groups, interface configurations and network routes.
Note: after changing the network configuration, to make your new configuration take effect, you need to execute the following:
/etc/init.d/network restart
There is no need to reboot the router.
Below is an overview of the section types that may be defined in the network configuration. A minimal network configuration for a router usually consists of at least two interfaces (LAN and WAN) and routes.
9.5.1 Interfaces
Sections of the type interface declare logical networks that serve as containers for IP address settings, aliases, routes, physical interface names and firewall rules; they play a central role within the overall configuration concept.
A minimal interface declaration consists of the following lines:

root@VA_router:~# uci show network.wan
network.wan=interface
network.wan.proto=dhcp
network.wan.ifname='eth0.1'

config 'interface' 'wan'
    option 'proto' 'dhcp'
    option 'ifname' 'eth0.1'

wan is a unique logical interface name.
dhcp specifies the interface protocol, DHCP in this example.
eth0.1 is the physical interface associated with this section.
The interface protocol may be one of the following (the program that implements it is given in brackets):

static (ip/ifconfig): Static configuration with fixed address and netmask.
dhcp (udhcpc): Address and netmask are assigned by DHCP.
3g (comgt): CDMA, UMTS or GPRS connection using an AT-style 3G modem.
l2tp (xl2tpd): Layer 2 Tunneling Protocol.
none (-): Unspecified protocol.
Depending on the interface protocol used, several other options may be required for a complete interface declaration. The corresponding options for each protocol are listed below. Options marked as "yes" in the "Required" column must be defined in the interface section if the corresponding protocol is used, options marked as "no" may be defined but can be omitted as well.
9.5.2 Options valid for all protocol types
ifname (type interface name(s); required yes; default none): Defines the physical interface name to assign to this section, or a list of interfaces if type is set to bridge.
type (type string; required no; default none): If set to "bridge", a bridge containing the given ifnames is created.
stp (type boolean; required no; default 0): Only valid for type "bridge"; enables the Spanning Tree Protocol.
macaddr (type MAC address; required no; default none): Overrides the MAC address of this interface.
mtu (type number; required no; default none): Overrides the default MTU on this interface.
auto (type boolean; required no; default 0 for proto none, else 1): Specifies whether to bring up the interface on boot.
accept_ra (type boolean; required no; default 1 for protocol dhcp, else 0): Specifies whether to accept IPv6 Router Advertisements on this interface.
send_rs (type boolean; required no; default 1 for protocol static, else 0): Specifies whether to send Router Solicitations on this interface.
monitored (type boolean; required no; default 0): Specifies whether to send interface status to Monitor.
9.5.3 Protocol "static"
ipaddr (type IP address; required yes, if no ip6addr is set; default none): Defines the IP address.
netmask (type netmask; required yes, if no ip6addr is set; default none): Specifies the netmask.
gateway (type IP address; required no; default none): Defines the default gateway.
broadcast (type IP address; required no; default none): Defines the broadcast address. It is auto-generated if not set.
ip6addr (type IPv6 address; required yes, if no ipaddr is set; default none): Assigns the given IPv6 address to this interface (CIDR notation).
ip6gw (type IPv6 address; required no; default none): Assigns the given IPv6 default gateway to this interface.
dns (type list of IP addresses; required no; default none): Defines the DNS server(s).
metric (type integer; required no; default 0): Specifies the default route metric to use.
9.5.4 Protocol "dhcp"
gateway (type string; required no; default none): Suppresses the DHCP-assigned default gateway if set to 0.0.0.0.
broadcast (type boolean; required no; default 0): Enables the broadcast flag in DHCP requests, required by certain ISPs.
hostname (type string; required no; default system default): Specifies the hostname to include in DHCP requests.
clientid (type string; required no; default system default): Overrides the client identifier in DHCP requests.
vendorclass (type string; required no; default none): Overrides the vendor class in DHCP requests.
dns (type list of IP addresses; required no; default none): Overrides the DHCP-assigned DNS server(s).
metric (type integer; required no; default 0): Specifies the default route metric to use.
reqopts (type list of strings; required no; default none): Specifies a list of additional DHCP options to request.
9.5.5 Protocol "3g" (PPP over EV-DO, CDMA, UMTS or GPRS)
device (type file path; required yes; default none): Specifies the modem device node, for example /dev/ttyACM0.
service (type string; required yes; default umts): Specifies the 3G service type: cdma/evdo, umts or gprs.
apn (type string; required yes; default none): Sets the APN to use.
pincode (type number; required no; default none): Sets the PIN code to unlock the SIM card.
maxwait (type number; required no; default 20): Specifies the number of seconds to wait for the modem to become ready.
username (type string; required no; default none): Sets the username for PAP/CHAP authentication.
password (type string; required no; default none): Sets the password for PAP/CHAP authentication.
keepalive (type number; required no; default none): Specifies the number of connection failures before reconnect.
demand (type number; required no; default none): Specifies the number of seconds to wait before closing the connection due to inactivity.
defaultroute (type boolean; required no; default 1): Replaces the existing default route on PPP connect.
peerdns (type boolean; required no; default 1): Uses peer-assigned DNS server(s).
dns (type list of IP addresses; required no; default none): Overrides peer-assigned DNS server(s).
ipv6 (type boolean; required no; default 0): Enables IPv6 on the PPP link.
9.5.6 Protocol "l2tp" (layer 2 tunneling protocol)
src_ipaddr (type IPv4 address; required yes; default none): Defines the local IPv4 endpoint address.
server (type IPv4 address; required yes; default none): Defines the remote IPv4 endpoint address.
user (type string; required yes; default none): Sets the PPP user name.
password (type string; required yes; default none): Sets the PPP password.
auth_mode (type string; required yes; default none): Specifies the tunnel authentication mode: none (no authentication, unless secret is specified), simple (check the peer hostname) or challenge (require the tunnel secret).
secret (type string; required no; default none): Defines an optional secret that is shared with the tunnel peer.
persist (type boolean; required no; default no): Recreates the tunnel automatically if it fails.
host_name (type string; required yes; default none): Sets the name to advertise to the peer when setting up the tunnel.

Only challenge mode with a shared secret authenticates the tunnel peer; a hostname check is satisfied by any peer that sends the expected name.
9.5.7 Aliases
Use the Alias section to define further IPv4 and IPv6 addresses for interfaces.
Alias sections also allow combinations such as DHCP on the main interface and a static IPv6 address in the alias, for example to deploy IPv6 on the WAN while keeping normal internet connectivity. Each interface can have multiple aliases attached to it.
A minimal alias declaration consists of the following lines:

network.@alias[0]=alias
network.@alias[0].interface=lan
network.@alias[0].proto=static
network.@alias[0].ipaddr=10.0.0.1
network.@alias[0].netmask=255.255.255.0

config 'alias'
    option 'interface' 'lan'
    option 'proto' 'static'
    option 'ipaddr' '10.0.0.1'
    option 'netmask' '255.255.255.0'

lan is the logical interface name of the parent interface.
static is the alias interface protocol.
10.0.0.1 specifies the alias IP address.
255.255.255.0 specifies the alias netmask.
Only the static protocol type is allowed for aliases. Defined options for alias sections are listed below:
interface (type string; required yes; default none): Specifies the logical interface name of the parent (or master) interface this alias belongs to; it must refer to one of the defined interface sections.
proto (type string; required yes; default none): Specifies the alias interface protocol; it must be static.
ipaddr (type IP address; required yes, if no ip6addr is set; default none): Defines the IP address.
netmask (type netmask; required yes, if no ip6addr is set; default none): Defines the netmask.
gateway (type IP address; required no; default none): Specifies the default gateway.
broadcast (type IP address; required no; default none): Sets the broadcast address. It is auto-generated if not set.
ip6addr (type IPv6 address; required yes, if no ipaddr is set; default none): IPv6 address (CIDR notation).
ip6gw (type IPv6 address; required no; default none): IPv6 default gateway.
dns (type list of IP addresses; required no; default none): DNS server(s).
layer (type integer; required no; default 3): Selects the interface to attach to for stacked protocols (tun over bridge over eth, ppp over eth or similar):
    3: attach to the layer 3 interface (tun*, ppp*) if the parent is layer 3, else fall back to 2.
    2: attach to the layer 2 interface (br-*) if the parent is a bridge, else fall back to layer 1.
    1: attach to the layer 1 interface (eth*, wlan*).
    * stands for any interface number, for example 1 or 2.
10 DHCP server and DNS configuration
The Dynamic Host Configuration Protocol (DHCP) server is responsible for giving out IP addresses to hosts. Addresses can be given out on different interfaces and different subnets. You can configure the lease time manually and set static IP-to-host mappings.
The Domain Name System (DNS) is responsible for resolving domain names to IP addresses on the internet.
The dnsmasq program provides DHCP and DNS services. In the default configuration it contains one common section to specify DNS and daemon related options and one or more DHCP pools to define DHCP serving on network interfaces.
Possible section types of the DHCP configuration file are defined below. Not all types may appear in the file and most of them are only needed for special configurations. Common configurations are Common Options, DHCP Pools and Static Leases.
10.1 Common options section
The configuration section type dnsmasq determines values and options relevant to the overall operation of dnsmasq and the DHCP options on all interfaces served. The following table lists all available options, their default value, as well as the corresponding dnsmasq command line option.
These are the default settings for the common options:

root@VA_router:~# uci show dhcp
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded=1
dhcp.@dnsmasq[0].boguspriv=1
dhcp.@dnsmasq[0].filterwin2k=0
dhcp.@dnsmasq[0].localise_queries=1
dhcp.@dnsmasq[0].rebind_protection=1
dhcp.@dnsmasq[0].rebind_localhost=1
dhcp.@dnsmasq[0].local=/lan/
dhcp.@dnsmasq[0].domain=lan
dhcp.@dnsmasq[0].expandhosts=1
dhcp.@dnsmasq[0].nonegcache=0
dhcp.@dnsmasq[0].authoritative=1
dhcp.@dnsmasq[0].readethers=1
dhcp.@dnsmasq[0].leasefile=/tmp/dhcp.leases
dhcp.@dnsmasq[0].resolvfile=/tmp/resolv.conf.auto
dhcp.@dnsmasq[0].interface=lan

config 'dnsmasq'
    option domainneeded 1
    option boguspriv 1
    option filterwin2k 0
    option localise_queries 1
    option rebind_protection 1
    option rebind_localhost 0
    option local '/lan/'
    option domain 'lan'
    option expandhosts 1
    option nonegcache 0
    option authoritative 1
    option readethers 1
    option leasefile '/tmp/dhcp.leases'
    option resolvfile '/tmp/resolv.conf.auto'
    list interface 'lan'
Options local and domain enable dnsmasq to serve entries in /etc/hosts as well as the DHCP client's names as if they were entered into the lan DNS domain.
Options domainneeded, boguspriv, localise_queries, and expandhosts make sure that requests for these local host names (and the reverse lookup) never get forwarded to the upstream DNS servers.
Option authoritative makes the router the only DHCP server on this network.
This allows clients to get their IP lease a lot faster.
Option leasefile stores the leases in a file, so that they can be picked up again if dnsmasq is restarted.
Option resolvfile tells dnsmasq to use this file to find upstream name servers; it is created by the WAN DHCP client or the PPP client.

The dnsmasq section accepts the following options. The defaults given are the option defaults, not the values of the sample above.

addnhosts (type list of file paths; required no; default none): Specifies additional host files to read for serving DNS responses.
authoritative (type boolean; required no; default 0): Forces dnsmasq into authoritative mode, which speeds up DHCP leasing. Use only if this is the only DHCP server in the network.
boguspriv (type boolean; required no; default 0): Rejects reverse lookups to private IP ranges where no corresponding entry exists in /etc/hosts.
cachelocal (type boolean; required no; default 1): When set to 0, uses each network interface's DNS address in the local /etc/resolv.conf. Normally only the loopback address is used, and all queries go through dnsmasq.
cachesize (type integer; required no; default 150): Sets the size of the dnsmasq query cache.
dhcp_boot (type string; required no; default none): Specifies BOOTP options, in most cases just the file name.
dhcphostsfile (type file path; required no; default none): Specifies an external file with per-host DHCP options.
dhcpleasemax (type integer; required no; default 150): Specifies the maximum number of DHCP leases.
dnsforwardmax (type integer; required no; default 150): Specifies the maximum number of concurrent DNS queries forwarded upstream.
domain (type domain name; required no; default none): Specifies the DNS domain handed out to DHCP clients.
domainneeded (type boolean; required no; default 0): Tells dnsmasq never to forward queries for plain names, without dots or domain parts, to upstream nameservers. If the name is not known from /etc/hosts or DHCP, a "not found" answer is returned.
ednspacket_max (type integer; required no; default 1280): Specifies the largest EDNS.0 UDP packet supported by the DNS forwarder.
enable_tftp (type boolean; required no; default 0): Enables the built-in TFTP server.
expandhosts (type boolean; required no; default 0): Adds the local domain part to names found in /etc/hosts.
filterwin2k (type boolean; required no; default 0): Does not forward requests that cannot be answered by public name servers.
interface (type list of interface names; required no; default all interfaces): Specifies a list of interfaces to listen on. If unspecified, dnsmasq listens on all interfaces except those listed in notinterface.
leasefile (type file path; required no; default none): Stores DHCP leases in this file.
local (type string; required no; default none): Looks up DNS entries for this domain from /etc/hosts. This follows the same syntax as server entries; see the dnsmasq man page.
localise_queries (type boolean; required no; default 0): Chooses the IP address that matches the incoming interface if multiple addresses are assigned to a host name in /etc/hosts.
logqueries (type boolean; required no; default 0): Logs the results of DNS queries and dumps the cache on SIGUSR1.
nodaemon (type boolean; required no; default 0): Does not daemonize the dnsmasq process.
nohosts (type boolean; required no; default 0): Does not read DNS names from /etc/hosts.
nonegcache (type boolean; required no; default 0): Disables caching of negative "no such domain" responses.
noresolv (type boolean; required no; default 0): Does not read upstream servers from /etc/resolv.conf.
notinterface (type list of interface names; required no; default none): Interfaces dnsmasq should not listen on. Note: individual interface sections are appended if ignore is set there.
nonwildcard (type boolean; required no; default 0): Listens only on the configured interfaces instead of on the wildcard address.
port (type port number; required no; default 53): Defines the listening port for DNS queries; setting it to 0 disables the DNS server functionality.
queryport (type integer; required no; default none): Uses a fixed port for outbound DNS queries. Leave it unset unless a firewall forces a fixed port: a random source port is one of the resolver's defences against cache poisoning.
readethers (type boolean; required no; default 0): Reads static lease entries from /etc/ethers, re-read on SIGHUP.
resolvfile (type file path; required no; default /etc/resolv.conf): Specifies an alternative resolv file.
server (type list of strings; required no; default none): Specifies the list of DNS servers to forward requests to. See the dnsmasq man page for syntax details.
strictorder (type boolean; required no; default 0): Obeys the order of DNS servers in /etc/resolv.conf.
tftp_root (type directory path; required no; default none): Specifies the TFTP root directory.
rebind_protection (type boolean; required no; default 1): Enables DNS rebind attack protection by discarding upstream responses that contain RFC 1918 addresses.
rebind_localhost (type boolean; required no; default 0): Allows upstream 127.0.0.0/8 responses, required for DNS-based blacklist services. Only takes effect if rebind protection is enabled.
rebind_domain (type list of domain names; required no; default none): Specifies a list of domains for which RFC 1918 responses are allowed. Only takes effect if rebind protection is enabled.
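The three rebind options above interact, and the safest way to see how is to run the policy over answers. The added example below (not dnsmasq or Virtual Access code) models the behaviour as this section describes it: with rebind_protection on, an upstream answer carrying an RFC 1918 address is discarded unless the queried name is under a rebind_domain entry, and a 127.0.0.0/8 answer additionally needs rebind_localhost. The model is IPv4-only and is a simplification of what dnsmasq actually filters; the upstream answers it is run on are constructed.

```python
"""Model of the DNS rebind filter that rebind_protection, rebind_localhost and
rebind_domain switch on.  Added example reproducing the behaviour the page
describes; it is not dnsmasq's code (which also covers IPv6 ranges), and the
answers it is run on below are constructed."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')]
LOOPBACK = ipaddress.ip_network('127.0.0.0/8')


def rebind_filter(dnsmasq):
    """Build an answer filter from the dnsmasq section of /etc/config/dhcp,
    given as {option: value} with list options as Python lists.  Defaults
    follow the page's option table: rebind_protection 1, rebind_localhost 0."""
    enabled = dnsmasq.get('rebind_protection', '1') == '1'
    allow_loopback = dnsmasq.get('rebind_localhost', '0') == '1'
    ok_domains = [d.strip('.').lower() for d in dnsmasq.get('rebind_domain', [])]

    def exempt(name):
        """rebind_domain matches the domain itself and everything under it."""
        name = name.strip('.').lower()
        return any(name == d or name.endswith('.' + d) for d in ok_domains)

    def accept(name, address):
        """Return (accepted, reason) for one A record received from upstream."""
        if not enabled:
            return True, 'rebind_protection is off'
        ip = ipaddress.ip_address(address)
        # IPv6 answers never match these IPv4 networks and pass (simplification).
        if not (ip in LOOPBACK or any(ip in net for net in RFC1918)):
            return True, 'not an RFC 1918 or loopback answer'
        if exempt(name):
            return True, 'rebind_domain exempts %s' % name
        if ip in LOOPBACK and allow_loopback:
            return True, 'rebind_localhost permits 127.0.0.0/8'
        return False, 'private answer for %s discarded' % name

    return accept


def filter_answers(dnsmasq, answers):
    """Run a batch of (name, address) answers through the filter; each result
    is (name, address, accepted, reason)."""
    accept = rebind_filter(dnsmasq)
    return [(name, address) + accept(name, address) for name, address in answers]


# Constructed upstream answers: a public address, a classic rebinding attempt,
# a legitimate split-horizon name and a DNSBL-style loopback answer.
SAMPLE_ANSWERS = [
    ('www.example.test', '203.0.113.10'),
    ('attacker.example.test', '192.168.1.1'),
    ('intranet.corp.example.test', '10.1.83.36'),
    ('2.0.0.127.dnsbl.example.test', '127.0.0.2'),
]

if __name__ == '__main__':
    for config in ({},   # the page's defaults: protection on, loopback off
                   {'rebind_localhost': '1', 'rebind_domain': ['corp.example.test']}):
        print(config)
        for name, address, accepted, reason in filter_answers(config, SAMPLE_ANSWERS):
            print('  %-30s %-13s %s (%s)' % (name, address, 'ACCEPT' if accepted else 'DROP', reason))
```

With the page's defaults only the public answer survives; adding corp.example.test to rebind_domain lets the split-horizon name through without opening the door to the rebinding attempt, and rebind_localhost is what a DNS-based blacklist needs, since its answers are deliberately in 127.0.0.0/8.
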
10.2 DHCP pools
Sections of the type dhcp specify per interface lease pools and settings for serving DHCP requests. Typically there is at least one section of this type present in the/etc/config/dhcp file to cover the LAN interface.
You can disable a lease pool for a specific interface by specifying the ignore option in the corresponding section.
A minimal example of a dhcp section is shown below.

root@VA_router:~# uci show dhcp.lan
dhcp.lan=dhcp
dhcp.lan.interface=lan
dhcp.lan.start=100
dhcp.lan.limit=150
dhcp.lan.leasetime=12h
dhcp.lan.ignore=1

config 'dhcp' 'lan'
    option 'interface' 'lan'
    option 'start' '100'
    option 'limit' '150'
    option 'leasetime' '12h'

lan specifies the router interface that is served by this DHCP pool.
100 is the offset from the network address; in the default configuration, 192.168.1.100.
150 is the maximum number of addresses that may be leased; in the default configuration, up to 192.168.1.250.
12h specifies the time to live of the handed-out leases, twelve hours in the example above.
Name | Type | Required | Default | Description
dhcp_option | list of strings | no | (none) | Enables additional options to be added for this network-id. For example, with '26,1470' or 'option:mtu, 1470' you can assign an MTU per DHCP. Your client must accept MTU by DHCP for this to work.
dynamicdhcp | boolean | no | 1 | Dynamically allocates client addresses; if set to 0 only clients present in the ethers files are served.
force | boolean | no | 0 | Forces DHCP serving on the specified interface even if another DHCP server is detected on the same network segment.
ignore | boolean | no | 0 | Specifies whether dnsmasq should ignore this pool if set to 1.
interface | logical interface name | yes | (none) | Specifies the interface associated with this DHCP address pool; must be one of the defined interfaces in /etc/config/network.
leasetime | string | yes | 12h | Specifies the lease time of addresses handed out to clients, for example 12h or 30m.
limit | integer | yes | 150 | Specifies the maximum allowable address that may be leased to clients. It is calculated as network address + "start" + "limit".
networkid | string | no | (value of interface) | Assigns a network-id to all clients that obtain an IP address from this pool.
start | integer | yes | 100 | Specifies the offset from the network address of the underlying interface used to calculate the minimum address that may be leased to clients. It may be greater than 255 to span subnets.
10.3 Static leases
You can assign fixed IP addresses to hosts on your network, based on their MAC (hardware) address.
The configuration options in this section are used to construct a -G option for dnsmasq.

root@VA_router:~# uci show dhcp.mypc
dhcp.mypc=host
dhcp.mypc.ip=192.168.1.2
dhcp.mypc.mac=00:11:22:33:44:55
dhcp.mypc.name=mypc

config host 'mypc'
    option ip '192.168.1.2'
    option mac '00:11:22:33:44:55'
    option name 'mypc'

This adds the fixed IP address 192.168.1.2 and the name "mypc" for a machine with the (Ethernet) hardware address 00:11:22:33:44:55.

Name | Type | Required | Default | Description
ip | string | yes | (none) | Specifies the IP address to be used for this host.
mac | string | yes | (none) | Specifies the hardware address of this host.
name | string | no | (none) | Sets the optional hostname to assign.
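The pool arithmetic in section 10.2 (first address = network address + start, last address = network address + start + limit, with start allowed to exceed 255) and the static leases of section 10.3 interact: a host section whose address lands inside the dynamic range, or outside the interface subnet, is a misconfiguration that is easy to miss by eye. The following is an added example, not GW1000 firmware code, that computes the pool from an interface address and checks a list of host sections against it; the interface address, netmask and host entries are constructed inputs.

```python
"""Pool range and static-lease checks for the dhcp and host sections.
Added example; not code from the GW1000 firmware or from dnsmasq."""
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


def pool_range(ipaddr, netmask, start=100, limit=150):
    """Return (first, last) leasable addresses of a dhcp pool as strings.

    Follows the option table: first = network address + start and
    last = network address + start + limit. The arithmetic is done on
    the integer form of the address, so start may exceed 255 and span
    more than one /24 as the table allows.
    """
    net = ipaddress.ip_network(f"{ipaddr}/{netmask}", strict=False)
    first = net.network_address + start
    last = net.network_address + start + limit
    return str(first), str(last)


def check_static_leases(ipaddr, netmask, start, limit, hosts):
    """Return a list of problem strings for host sections ({'ip','mac','name'}).

    Flags malformed MACs, addresses outside the interface subnet,
    addresses that collide with the dynamic pool, and duplicates.
    """
    net = ipaddress.ip_network(f"{ipaddr}/{netmask}", strict=False)
    first, last = (ipaddress.ip_address(a)
                   for a in pool_range(ipaddr, netmask, start, limit))
    problems = []
    seen_ip, seen_mac = set(), set()
    for h in hosts:
        name = h.get("name", h["mac"])
        ip = ipaddress.ip_address(h["ip"])
        if not MAC_RE.match(h["mac"]):
            problems.append(f"{name}: malformed MAC {h['mac']}")
        if ip not in net:
            problems.append(f"{name}: {ip} is outside {net}")
        elif first <= ip <= last:
            problems.append(f"{name}: {ip} lies inside dynamic pool {first}-{last}")
        if h["ip"] in seen_ip:
            problems.append(f"{name}: duplicate IP {ip}")
        if h["mac"].lower() in seen_mac:
            problems.append(f"{name}: duplicate MAC {h['mac']}")
        seen_ip.add(h["ip"])
        seen_mac.add(h["mac"].lower())
    return problems


# Constructed host sections: the manual's mypc entry plus three faulty ones.
SAMPLE_HOSTS = [
    {"ip": "192.168.1.2", "mac": "00:11:22:33:44:55", "name": "mypc"},
    {"ip": "192.168.1.120", "mac": "00:11:22:33:44:66", "name": "printer"},
    {"ip": "192.168.2.9", "mac": "00:11:22:33:44:77", "name": "far"},
    {"ip": "192.168.1.3", "mac": "zz:11:22:33:44:88", "name": "bad"},
]

if __name__ == "__main__":
    print(pool_range("192.168.1.1", "255.255.255.0"))
    for p in check_static_leases("192.168.1.1", "255.255.255.0", 100, 150, SAMPLE_HOSTS):
        print(p)
```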
11 VLAN configuration
11.1 VLAN web interface
You can configure VLANs through three sections:
• Native VLAN
• VLAN Definition
• Port Description

Native VLAN
Figure 11: The native VLAN section
The Native VLAN section specifies the native VLAN to be used. This VLAN will be sent untagged across the trunk link.
Note: you must create the VLAN before setting it as native.

Name | Type | Required | Default | Description
802.1Q VLAN ID | Numeric value | No | Blank | VLAN ID number; defines the VLAN that will be sent across the trunk untagged. No 802.1Q tag will be applied to the packets on that VLAN.
Table 10: Native VLAN field name and description

11.2 VLAN definition
Use the VLAN definition section to define VLANs and assign them a VLAN ID, a name and the required network configuration.
Figure 12: The VLAN definition section
Name | Type | Required | Default | Description
802.1Q VLAN ID | Numeric value | No | Blank | Defines the VLAN number. The VLAN will be referred to using this number.
VLAN Priority | Numeric value | No | Blank | Specifies the 802.1p VLAN priority tag on trunk links.
Isolate From Trunk | Boolean | No | Blank | Defines whether to isolate hosts from each other within the same VLAN. Hosts will still be able to communicate with the router.
VLAN Name | Text | Yes | Blank | Configures the VLAN name.
IP Address | IP Address | Yes | Blank | Configures the IP address to be used on this VLAN.
Netmask | IP Address | Yes | Blank | Configures the network mask to be used on this VLAN.
Default Gateway | IP Address | No | Blank | Configures the default gateway address to be used on this VLAN.
Table 11: VLAN definition fields and their descriptions
11.3 Port description
The port description section is used to segment the switch according to your VLAN requirements. You can specify which physical ports you want to assign to which VLANs, or whether you want to configure a trunk port instead.
Figure 13: The port description section

Name | Type | Required | Default | Description
Switch Port | Text | Yes | Blank | Specifies which physical port on the front panel of the router will be assigned to which VLAN.
Is Trunk Port | Boolean | No | Blank | Configures the port as a trunk port.
VLAN IDs | Numeric value/text | Yes | Blank | Specifies which VLANs will be assigned to a physical port on the router. Use VLAN IDs to specify the VLANs, or 'all' to configure the port as a trunk interface.
Table 12: The port description fields and their descriptions
11.4 VLANs UCI interface
You can configure VLANs through CLI.
The VLAN configuration file is stored at:
/etc/config/portvlan
~# uci export portvlan
package portvlan

config vlan
    option vlanid '1'
    option name 'vlan1'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    option isolate 'no'

config vlan
    option vlanid '2'
    option name 'vlan2'
    option ipaddr '192.168.2.1'
    option netmask '255.255.255.0'
    option vlanprio '5'
    option isolate 'yes'

config port
    option port 'A'
    option vlans '1'

config port
    option port 'B'
    option vlans '2'

config port
    option port 'C'
    option trunk 'yes'
    option vlans 'all'

config nat_vlan 'nat_vlan'
    option nat_vlanid '1'

root@VA_router:~# uci show portvlan
portvlan.@vlan[0]=vlan
portvlan.@vlan[0].vlanid=1
portvlan.@vlan[0].name=vlan1
portvlan.@vlan[0].ipaddr=192.168.1.1
portvlan.@vlan[0].netmask=255.255.255.0
portvlan.@vlan[0].isolate=no
portvlan.@vlan[1]=vlan
portvlan.@vlan[1].vlanid=2
portvlan.@vlan[1].name=vlan2
portvlan.@vlan[1].ipaddr=192.168.2.1
portvlan.@vlan[1].netmask=255.255.255.0
portvlan.@vlan[1].vlanprio=5
portvlan.@vlan[1].isolate=yes
portvlan.@port[0]=port
portvlan.@port[0].port=A
portvlan.@port[0].vlans=1
portvlan.@port[1]=port
portvlan.@port[1].port=B
portvlan.@port[1].vlans=2
portvlan.@port[2].port=C
portvlan.@port[2].trunk=yes
portvlan.@port[2].vlans=all
portvlan.nat_vlan=nat_vlan
portvlan.nat_vlan.nat_vlanid=1
Modify these settings by running uci set <parameter> command.
The following tables describe the UCI parameters for each section.
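The portvlan package has cross-references that uci itself does not check: a port's vlans must name VLANs that exist, a trunk port carries 'all', and (as the note in 11.1 says) the native VLAN must be created before it is referenced. As an added example, not GW1000 firmware code, the parser below reads `uci show portvlan` output of the shape listed above into sections and applies those checks. The listing it is run on is constructed to contain two faults; the assumption that several VLAN IDs in vlans are separated by commas or spaces is mine, since the manual does not state the separator.

```python
"""Parse `uci show <package>` output and check VLAN/port consistency.
Added example; not code from the GW1000 firmware."""
import re

# pkg.section=type  or  pkg.section.option=value (section may be @type[n])
SHOW_RE = re.compile(r"^(\w+)\.(@?[\w\[\]]+)(?:\.(\w+))?=(.*)$")


def parse_uci_show(text):
    """Return {section: {'.type': type, option: value, ...}} from uci show lines."""
    sections = {}
    for line in text.strip().splitlines():
        m = SHOW_RE.match(line.strip())
        if not m:
            continue
        _pkg, sec, opt, val = m.groups()
        entry = sections.setdefault(sec, {})
        if opt is None:
            entry[".type"] = val
        else:
            entry[opt] = val
    return sections


def check_portvlan(sections):
    """Return a list of problems found in parsed portvlan sections."""
    problems = []
    vlan_ids = {}
    for name, s in sections.items():
        if s.get(".type") == "vlan":
            vid = s.get("vlanid")
            if vid in vlan_ids:
                problems.append(f"{name}: duplicate vlanid {vid} (also {vlan_ids[vid]})")
            vlan_ids[vid] = name
    for name, s in sections.items():
        if s.get(".type") != "port":
            continue
        vlans = s.get("vlans", "")
        if s.get("trunk") == "yes" and vlans != "all":
            problems.append(f"{name}: trunk port {s.get('port')} does not carry 'all'")
        if vlans != "all":
            # Assumption: multiple IDs are comma or space separated.
            for vid in re.split(r"[,\s]+", vlans):
                if vid and vid not in vlan_ids:
                    problems.append(f"{name}: port {s.get('port')} references undefined VLAN {vid}")
    nat = sections.get("nat_vlan", {}).get("nat_vlanid")
    if nat is not None and nat not in vlan_ids:
        problems.append(f"nat_vlan: native VLAN {nat} is not defined; create it first")
    return problems


# Constructed listing: port B names VLAN 3 and the native VLAN is 9,
# neither of which is defined.
SAMPLE_SHOW = """
portvlan.@vlan[0]=vlan
portvlan.@vlan[0].vlanid=1
portvlan.@vlan[0].name=vlan1
portvlan.@vlan[1]=vlan
portvlan.@vlan[1].vlanid=2
portvlan.@vlan[1].name=vlan2
portvlan.@port[0]=port
portvlan.@port[0].port=A
portvlan.@port[0].vlans=1
portvlan.@port[1]=port
portvlan.@port[1].port=B
portvlan.@port[1].vlans=3
portvlan.@port[2]=port
portvlan.@port[2].port=C
portvlan.@port[2].trunk=yes
portvlan.@port[2].vlans=all
portvlan.nat_vlan=nat_vlan
portvlan.nat_vlan.nat_vlanid=9
"""

if __name__ == "__main__":
    for p in check_portvlan(parse_uci_show(SAMPLE_SHOW)):
        print(p)
```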
11.4.1 config port

Name | Type | Required | Default | Description
port | Text | Yes | Blank | Specifies which physical port on the front panel of the router will be assigned to which VLAN.
trunk | Boolean | No | Blank | Configures the port as a trunk port.
vlans | Numeric value/text | Yes | Blank | Specifies which VLANs will be assigned to a physical port on the router. Use VLAN IDs to specify the VLANs, or 'all' to configure the port as a trunk interface.

11.4.2 config vlan

Name | Type | Required | Default | Description
vlanid | Numeric value | No | Blank | Defines the VLAN number. The VLAN will be referred to using this number.
vlanprio | Numeric value | No | Blank | Specifies the 802.1p VLAN priority tag on trunk links.
isolate | Boolean | No | Blank | Defines whether to isolate hosts from each other within the same VLAN. Hosts will still be able to communicate with the router.
name | Text | Yes | Blank | Configures the VLAN name.
ipaddr | IP Address | Yes | Blank | Configures the IP address to be used on this VLAN.
netmask | IP Address | Yes | Blank | Configures the network mask to be used on this VLAN.

11.4.3 config nat_vlan

Name | Type | Required | Default | Description
nat_vlanid | Numeric value | No | Blank | VLAN ID number. Defines the VLAN that will be sent across the trunk untagged.
12 Static routes configuration
Static routes can be added to the routing table to forward traffic to specific subnets when dynamic routing protocols are not used or are not configured for such subnets. They can be created based on the outgoing interface or the next hop IP address.
12.1 IPv4 routes
It is possible to define arbitrary IPv4 routes on specific interfaces using route sections. As for aliases, multiple sections can be attached to an interface. These kinds of routes are most commonly known as static routes.
A minimal example is shown below:

network.name_your_route=route
network.name_your_route.interface=lan
network.name_your_route.target=172.16.123.0
network.name_your_route.netmask=255.255.255.0
network.name_your_route.gateway=172.16.123.100

config 'route' 'name_your_route'
    option 'interface' 'lan'
    option 'target' '172.16.123.0'
    option 'netmask' '255.255.255.0'
    option 'gateway' '172.16.123.100'

lan is the logical interface name of the parent interface.
172.16.123.0 is the network address of the route.
255.255.255.0 specifies the route netmask.

Legal options for IPv4 routes are described in the table below.

Name | Type | Required | Default | Description
interface | string | yes | (none) | Specifies the logical interface name of the parent (or master) interface this route belongs to; must refer to one of the defined interface sections.
target | ip address | yes | (none) | Specifies the network address.
netmask | netmask | no | (none) | Defines the route netmask. If omitted, 255.255.255.255 is assumed, which makes the target a host address.
gateway | ip address | no | (none) | Network gateway. If omitted, the gateway from the parent interface is taken. If set to 0.0.0.0 no gateway will be specified for the route.
metric | number | no | 0 | Specifies the route metric to use.
mtu | number | no | interface MTU | Defines a specific MTU for this route.
12.2 IPv6 routes
IPv6 routes can be specified as well by defining one or more route6 sections.
A minimal example is shown below.

network.@route6[0]=route6
network.@route6[0].interface=lan
network.@route6[0].target=2001:0DB8:100:F00:BA3::1/64
network.@route6[0].gateway=2001:0DB8:99::1

config 'route6'
    option 'interface' 'lan'
    option 'target' '2001:0DB8:100:F00:BA3::1/64'
    option 'gateway' '2001:0DB8:99::1'

lan is the logical interface name of the parent interface.
2001:0DB8:100:F00:BA3::1/64 is the routed IPv6 subnet in CIDR notation.
2001:0DB8:99::1 specifies the IPv6 gateway for this route.

Legal options for IPv6 routes are:

Name | Type | Required | Default | Description
interface | string | yes | (none) | Specifies the logical interface name of the parent (or master) interface this route belongs to; must refer to one of the defined interface sections.
target | ipv6 address | yes | (none) | Sets the IPv6 network address.
gateway | ipv6 address | no | (none) | Sets the IPv6 gateway. If omitted, the gateway from the parent interface is taken.
metric | number | no | 0 | Specifies the route metric to use.
mtu | number | no | interface MTU | Defines a specific MTU for this route.
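The two option tables above carry three defaults that change what a route section means: an omitted netmask makes the IPv4 target a /32 host route, an omitted gateway inherits the parent interface's gateway, and gateway 0.0.0.0 means "no gateway, the target is on the link". The function below, an added example rather than GW1000 firmware code, resolves a route or route6 section under exactly those rules, rejects a gateway of the wrong address family, and warns when the gateway is not on any subnet of the parent interface (a route that cannot be installed). The interface table it consults is constructed; the real one would come from /etc/config/network.

```python
"""Resolve route / route6 sections under the defaults in the option tables.
Added example; not code from the GW1000 firmware."""
import ipaddress

# Constructed stand-in for /etc/config/network interface sections.
INTERFACES = {
    "lan": {"addrs": ["192.168.1.1/24", "2001:db8:99::2/64"], "gateway": None},
    "wan": {"addrs": ["203.0.113.10/30"], "gateway": "203.0.113.9"},
}


def normalise_route(route, interfaces=INTERFACES):
    """Return (network, gateway, warnings) for a route dict of UCI options.

    Rules from the option tables:
      - IPv4 netmask omitted: 255.255.255.255, i.e. a host route
      - gateway omitted: the parent interface's gateway is inherited
      - gateway 0.0.0.0: no gateway, the target is directly on the link
    Raises ValueError for an undefined interface or a gateway whose
    address family does not match the target.
    """
    iface = interfaces.get(route["interface"])
    if iface is None:
        raise ValueError(f"interface {route['interface']} is not defined")
    target = route["target"]
    if ":" in target:
        net = ipaddress.ip_network(target, strict=False)   # route6: CIDR target
    else:
        mask = route.get("netmask", "255.255.255.255")
        net = ipaddress.ip_network(f"{target}/{mask}", strict=False)
    if "gateway" not in route:
        gw = iface["gateway"]
    elif route["gateway"] == "0.0.0.0":
        gw = None
    else:
        gw = route["gateway"]
    if gw is None:
        return str(net), None, []
    gw = ipaddress.ip_address(gw)
    if gw.version != net.version:
        raise ValueError(f"gateway {gw} does not match the address family of {net}")
    warnings = []
    on_link = [ipaddress.ip_interface(a).network for a in iface["addrs"]]
    if not any(gw in n for n in on_link):
        warnings.append(f"gateway {gw} is not on any subnet of {route['interface']}")
    return str(net), str(gw), warnings


if __name__ == "__main__":
    print(normalise_route({"interface": "lan", "target": "10.9.8.7", "gateway": "0.0.0.0"}))
    print(normalise_route({"interface": "lan", "target": "2001:0DB8:100:F00:BA3::1/64",
                           "gateway": "2001:0DB8:99::1"}))
```

Run against the manual's own IPv4 example with the constructed lan address above, the function returns the /24 and the gateway but also a warning, because 172.16.123.100 is inside the target network rather than on the lan subnet; that is the check worth keeping when routes are generated from templates.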
Dropbear is the software module that implements SSH on the system. The dropbear section contains these settings:

Name | Type | Required | Default | Description
enable | boolean | no | 1 | Enables dropbear. Set to 0 to disable starting dropbear at system boot.
verbose | boolean | no | 0 | Enables verbose output. Set to 1 to enable verbose output by the start script.
BannerFile | string | no | (none) | Specifies the name of a file to be printed before the user has authenticated successfully.
PasswordAuth | boolean | no | 1 | Specifies password authentication. Set to 0 to disable authenticating with passwords.
Port | integer | no | 22 | Specifies the port number to listen on.
RootPasswordAuth | boolean | no | 1 | Enables root password authentication. Set to 0 to disable authenticating as root with passwords.
RootLogin | boolean | no | 1 | Enables root logins. Set to 0 to disable SSH logins as root.
GatewayPorts | boolean | no | (none) | Enables gateway ports. Set to 1 to allow remote hosts to connect to forwarded ports.
Interface | string | no | (none) | Tells dropbear to listen only on the specified interface.
Identity | string | no | SSH-2.0dropbear_2013.60 | Sets an alternative name that appears for the dropbear version.
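Read together, the defaults in this table mean a freshly configured router accepts password logins for root on every interface. The function below is an added example, not GW1000 firmware code: it fills in the table defaults for options that are absent from a dropbear section, then lists the settings a hardening review would change (key-only authentication, no root password login, no gateway ports, listening on one interface). Treating an absent GatewayPorts as off is an assumption drawn from its description, since the table gives no default for it.

```python
"""Audit a dropbear UCI section against the defaults in the option table.
Added example; not code from the GW1000 firmware."""

# Defaults as given in the table; GatewayPorts is assumed off when absent.
DEFAULTS = {
    "enable": "1", "verbose": "0", "PasswordAuth": "1", "Port": "22",
    "RootPasswordAuth": "1", "RootLogin": "1", "GatewayPorts": "0",
}


def effective(section):
    """Merge explicitly set options over the table defaults."""
    cfg = dict(DEFAULTS)
    cfg.update(section)
    return cfg


def audit_dropbear(section):
    """Return a list of (severity, message) findings for a dropbear section."""
    cfg = effective(section)
    findings = []
    if cfg["enable"] != "1":
        return findings            # not started at boot: nothing is listening
    if cfg["PasswordAuth"] == "1":
        findings.append(("medium", "PasswordAuth=1: password logins allowed; prefer key-only (set 0)"))
    if cfg["RootLogin"] == "1" and cfg["RootPasswordAuth"] == "1":
        findings.append(("high", "root may log in with a password (RootLogin=1, RootPasswordAuth=1)"))
    if cfg["GatewayPorts"] == "1":
        findings.append(("medium", "GatewayPorts=1: remote hosts can reach forwarded ports"))
    if not cfg.get("Interface"):
        findings.append(("medium", "Interface unset: dropbear listens on every interface; bind it to lan"))
    return findings


# A hardened section for comparison (constructed values).
HARDENED = {"PasswordAuth": "0", "RootPasswordAuth": "0", "Interface": "lan"}

if __name__ == "__main__":
    for sev, msg in audit_dropbear({}):
        print(sev, msg)
    print("hardened:", audit_dropbear(HARDENED))
```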
13 BGP (Border Gateway Protocol)
13.1 Configuring the BGP web interface
In the top menu, select Network -> BGP. The BGP configuration page appears.
Figure 14: BGP page
To configure global BGP settings, click Add.
Figure 15: BGP global settings page

Name | Type | Required | Default | Description
BGP Enabled | Check box | Yes | Unchecked | Enables the BGP protocol.
Router ID | Integer | Yes | None | Sets the unique Router ID in 4 byte format 0.0.0.0.
Autonomous System Number | Integer | Yes | None | Defines the ASN for the local router.
Network | Integer | Yes | None | Sets the network that will be advertised to neighbours, in prefix format 0.0.0.0/0. Ensure the network prefix matches the one shown in the routing table. See the Routes section below.

When you have made your changes, click Save.
13.2 Optionally configure BGP route map
To configure the BGP route map, on the Global Settings page scroll down to the BGP Route Map section.
Figure 16: The BGP route map section
Type a name for the BGP route map in the Name field and then click Add. The ROUTEMAP configuration section appears.
Figure 17: The routemap section

Name | Type | Required | Default | Description
Order | Integer | Yes | None | Route map sequence number.
Policy Type | Dropdown Menu | Yes | Permit | Permits or denies matched values.
Match Type | Dropdown Menu | Yes | IP address | Available options are: IP Address, IP Next-Hop, AS-Path, Route Metric, BGP Community.
Match Value | | Yes | None | Format depends on Match Type. In the case of IP address and BGP Community, the value is parsed as a list of items to match.
Set Option | Dropdown Menu | No | None | Available options are: None, IP Next Hop, Local Preference, MED, Route Weight, BGP MED, AS path to Prepend, BGP Community.
Set Value | | | | Format depends on the Set Option chosen.

When you have made your changes, click Save.
13.3 Configure BGP neighbours
In the BGP neighbours section, click Add to configure BGP neighbours.
Figure 18: The BGP neighbours section

Name | Type | Required | Default | Description
IP Address | Integer | Yes | None | Sets the IP address of the neighbour.
Autonomous System Number | Integer | Yes | None | Sets the ASN of the remote peer.
Route Map | String | No | None | Sets the route map name.
Route Map Direction | Dropdown Menu | No | None | Tells in which direction the route map should be applied. Available options are: in or out.

Click Save & Apply.
13.4 Routes statistics
To view routes statistics, in the top menu click Status -> Routes. The routing table appears.
Figure 19: The routing table
13.5 BGP UCI interface
You can also configure BGP through the CLI using the UCI command suite.
The configuration file is stored at:
/etc/config/bgpd
To view the configuration file, use the commands: uci export bgpd or uci show bgpd
package bgpd

config routing 'bgpd'
    option enabled 'yes'
    option router_id '3.3.3.3'
    option asn '1'
    list network '11.11.11.0/29'
    list network '192.168.103.1/32'

config peer
    option route_map_in 'yes'
    option ipaddr '11.11.11.1'
    option asn '1'
    option route_map 'ROUTEMAP'

config routemap 'ROUTEMAP'
    option order '10'
    option permit 'yes'
    option match_type 'ip address'
    option match '192.168.101.1/32'
    option set_type 'ip next-hop'
    option set '150'

root@VA_router:~# uci show bgpd
bgpd.bgpd=routing
bgpd.bgpd.enabled=yes
bgpd.bgpd.router_id=3.3.3.3
bgpd.bgpd.asn=1
bgpd.bgpd.network=11.11.11.0/29 192.168.103.1/32
bgpd.@peer[0]=peer
bgpd.@peer[0].route_map_in=yes
bgpd.@peer[0].ipaddr=11.11.11.1
bgpd.@peer[0].asn=1
bgpd.@peer[0].route_map=ROUTEMAP
bgpd.ROUTEMAP=routemap
bgpd.ROUTEMAP.order=10
bgpd.ROUTEMAP.permit=yes
bgpd.ROUTEMAP.match_type=ip address
bgpd.ROUTEMAP.match=192.168.101.1/32
bgpd.ROUTEMAP.set_type=ip next-hop
bgpd.ROUTEMAP.set=150

To change any of the above values, use the uci set command.
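A routemap section is only useful if you can predict what it does to a received prefix: entries are consulted by order, the Policy Type of the first matching entry decides, and its Set Option rewrites attributes. The evaluator below is an added example, not GW1000 or routing-daemon code. It implements the match types IP Address, IP Next-Hop, Route Metric and BGP Community and the set options IP Next Hop, Local Preference, MED, AS path to Prepend and BGP Community from the tables in 13.2. Two things are assumptions: a prefix that matches no entry is denied (the usual route-map convention, not stated in the manual), and the UCI values for the other match and set types are the menu names in lower case, since the page only shows 'ip address' and 'ip next-hop'. The route-map entries and routes it is run on are constructed.

```python
"""Evaluate routemap entries (order, permit, match_type, match, set_type, set)
against a received route. Added example; not GW1000 or routing-daemon code."""
import ipaddress
import re


def _items(value):
    """Split a 'list of items' value on commas or whitespace."""
    return [v for v in re.split(r"[,\s]+", value or "") if v]


def entry_matches(entry, route):
    mt, mv = entry["match_type"], entry.get("match", "")
    if mt == "ip address":
        # Assumption: exact prefix match against the listed prefixes.
        pfx = ipaddress.ip_network(route["prefix"], strict=False)
        return any(pfx == ipaddress.ip_network(p, strict=False) for p in _items(mv))
    if mt == "ip next-hop":
        return route.get("next_hop") in _items(mv)
    if mt == "route metric":
        return int(route.get("metric", 0)) == int(mv)
    if mt == "bgp community":
        return set(_items(mv)).issubset(route.get("communities", []))
    raise ValueError(f"unsupported match_type: {mt}")


def apply_set(entry, route):
    """Return a copy of route with the entry's set option applied."""
    new = dict(route)
    st, sv = entry.get("set_type"), entry.get("set")
    if st in (None, "none"):
        return new
    if st == "ip next-hop":
        new["next_hop"] = sv
    elif st == "local preference":
        new["local_pref"] = int(sv)
    elif st in ("med", "bgp med"):
        new["med"] = int(sv)
    elif st == "as path to prepend":
        new["as_path"] = [int(a) for a in _items(sv)] + list(route.get("as_path", []))
    elif st == "bgp community":
        new["communities"] = sorted(set(route.get("communities", [])) | set(_items(sv)))
    else:
        raise ValueError(f"unsupported set_type: {st}")
    return new


def apply_route_map(entries, route):
    """Return (permitted, route). Entries are tried in ascending order; the
    first match decides; no match is a deny (assumption, see lead-in)."""
    for e in sorted(entries, key=lambda e: int(e["order"])):
        if entry_matches(e, route):
            if e.get("permit", "yes") == "yes":
                return True, apply_set(e, route)
            return False, route
    return False, route


# Constructed route map: rewrite the next hop for one host route, refuse
# anything tagged with community 65000:666, accept other metric-0 routes.
ENTRIES = [
    {"order": "10", "permit": "yes", "match_type": "ip address",
     "match": "192.168.101.1/32", "set_type": "ip next-hop", "set": "11.11.11.2"},
    {"order": "20", "permit": "no", "match_type": "bgp community", "match": "65000:666"},
    {"order": "30", "permit": "yes", "match_type": "route metric", "match": "0",
     "set_type": "local preference", "set": "200"},
]

if __name__ == "__main__":
    r = {"prefix": "192.168.101.1/32", "next_hop": "11.11.11.1", "metric": 0, "communities": []}
    print(apply_route_map(ENTRIES, r))
```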
14 Configuring WiFi
This section explains how to configure WiFi on a Virtual Access router using the web interface or via UCI.
14.1 Configuring WiFi through the web interface
WiFi can act as an Access Point (AP) to another device in the network or it can act as a client to an existing AP.
You can configure WiFi in AP mode in two different ways:
• on an existing interface, or
• on a new interface.
14.2 Configuring WiFi in AP mode on an existing Ethernet interface
In the top menu, select Network -> Interfaces. The Interface Overview page appears.
Figure 20: The interface overview page
In the interface overview page, click Edit to select the Ethernet interface that will be bridged into the router’s WiFi AP. The Common Configuration page appears.
In the Common Configuration page select the Physical Settings tab.
Figure 21: The common configuration physical settings page
Select Bridge Interfaces.
In the Interface fields, you will see the interface that you are working on is already selected.
Name | Type | Required | Default | Description
Bridge Interfaces | Check box | Yes | Unchecked | Creates a bridge over the specified interfaces.
Enable STP | Check box | Yes | Unchecked | Enables STP.
Interface | Check box | N/A | Unchecked | Selects the interface for WiFi.
Scroll to the bottom of the page and click Save.
In the top menu, select Network -> WiFi. The Wireless Overview page appears.
Figure 22: The wireless overview page
To create a new WiFi interface, click Add. The Wireless Network page appears.
Figure 23: The wireless network page
In the Device Configuration section, ensure you have selected the General Setup tab.
In the Channel drop down menu, select the channel you require.
In the Transmit Power drop down menu, select the power rating you require.

Name | Type | Required | Default | Description
Channel | Drop down menu | Yes | 11 (2.462 GHz) | Available channels are within the range 1-11.
Transmit Power | Drop down menu | Yes | 17 dBm (50 mW) | Available range 0 dBm (1 mW) to 17 dBm (50 mW).

Scroll down to the Interface Configuration section.
Figure 24: The interface configuration page
Ensure you have selected the General Setup tab.
In the ESSID field, type [name of the wireless local area network].
In the Mode drop down menu, select Access Point.
Select one of the Ethernet interfaces to which the WiFi AP mode will be bridged.
Name | Type | Required | Default | Description
ESSID | Drop down menu | Yes | Blank | Extended Service Set Identification. The name of the wireless local area network.
Mode | Drop down menu | Yes | Access Point | Selects Access Point mode.

Click Save.
Select the Wireless Security tab.
Figure 25: The interface configuration page
In the Encryption drop down menu, select the encryption key.
In the Cipher drop down menu, select the cipher type.
Create an encryption key.
Click Save & Apply.
14.3 Configuring WiFi in AP mode on a new interface
In the top menu, select Network -> Wifi. The Wireless Overview page appears.
Figure 26: The wireless overview page
Click Add to create a new WiFi interface.
Figure 27: The wireless network page
In the Device Configuration section, ensure the General Setup tab is selected.
In the Channel drop down menu, select the channel you require.
In the Transmit Power drop down menu, select the power rating you require.
Name | Type | Required | Default | Description
Channel | Drop down menu | Yes | 11 (2.462 GHz) | Available channels are within the range 1-11.
Transmit Power | Drop down menu | Yes | 17 dBm (50 mW) | Available range 0 dBm (1 mW) to 17 dBm (50 mW).

In the Interface Configuration section, make sure you have selected the General Setup tab.
Figure 28: The general set up tab
In the ESSID field, type [name of the wireless local area network].
In the Mode drop down menu, select Access Point.
In the 'unspecified -or- create:' field, type the name of the new WiFi interface.

Name | Type | Required | Default | Description
ESSID | Drop down menu | Yes | Blank | Extended Service Set Identification. The name of the wireless local area network.
Mode | Drop down menu | Yes | Access Point | Selects Access Point mode.

Select the Wireless Security tab.
Figure 29: The wireless security tab
In the Encryption drop down menu, select the encryption key. When you have entered the encryption type, the Cipher and Key fields appear.
In the Cipher drop down menu, select the cipher type.
Create an encryption key.
Click Save.
In the top menu, select Network -> Interfaces. The Interfaces Overview page appears.
Figure 30: The interface overview page showing the newly created interface
Click Edit on the newly created interface.
Ensure you have selected the General Setup tab.
In the Protocol drop down menu, select Static Address. A ‘Switch Protocol’ button appears.
Figure 31: The new interface page showing protocol button
Click Switch Protocol. The new interface configuration page appears.
Figure 32: The new interface page
Name | Type | Required | Default | Description
Protocol | Drop down menu | Yes | Static Address |
IPv4 address | Numeric Value | Yes | N/A | IP address assigned to this interface.
IPv4 netmask | Numeric Value | Yes | N/A | IP netmask assigned to this interface.
IPv4 gateway | Numeric Value | No | N/A |
IPv4 broadcast | Numeric Value | No | N/A |
Use custom DNS servers | String | No | N/A | DNS server IP address.
Accept router advertisements | Check box | No | N/A |
Send router solicitations | Check box | No | N/A |

Type in the Static IP address.
Type in the Network Mask.
Click Save & Apply.
Note: The router will now start the network package. It may take up to one minute for connectivity to the router to be restored.
14.4 Configuring WiFi in client mode
In the top menu, select Network -> Wifi. The Wireless Overview page appears.
Figure 33: The wireless overview page
Click Add to create a new WiFi Client interface. The Wireless Network page appears.
Figure 34: The wireless network page
In the Device Configuration section, ensure you have selected the General Setup tab.
In the Channel drop down menu, select the channel you require.
In the Transmit Power drop down menu, select the power rating you require.

Name | Type | Required | Default | Description
Channel | Drop down menu | Yes | 11 (2.462 GHz) | Available channels are within the range 1-11.
Transmit Power | Drop down menu | Yes | 17 dBm (50 mW) | Available range 0 dBm (1 mW) to 17 dBm (50 mW).

In the Interface Configuration section, make sure you have selected the General Setup tab.
In the ESSID field, type [name of the wireless local area network].
In the Mode drop down menu, select Client.
In the 'unspecified -or- create:' field, type the name of the new WiFi interface.

Name | Type | Required | Default | Description
ESSID | Drop down menu | Yes | Blank | Extended Service Set Identification. The name of the wireless local area network.
Mode | Drop down menu | Yes | Access Point | Selects the mode.

Select the Wireless Security tab.
Figure 35: The wireless page interface configuration section
In the Encryption drop down menu, select the encryption key. When you have entered the encryption type, the Cipher and Key fields appear.
In the Cipher drop down menu, select the cipher type.
Create an encryption key.
Click Save.
In the top menu, select Network -> Interfaces. The Interfaces Overview page appears.
Figure 36: The interface overview page showing the newly created interface
Click Edit on the newly created interface. The Interfaces - WCLIENT page appears.
Figure 37: The WClient interfaces page
In the Protocol drop down menu, select DHCP client. A ‘Switch Protocol’ button appears.
Click Switch Protocol.
Click Save & Apply.
Note: The router will now restart the network package. It may take up to one minute for connectivity to the router to be restored.
14.5 Configuring WiFi via UCI
14.5.1 Configuring Wi-Fi in AP mode on an existing Ethernet interface
The configuration files are stored at:
• Network file /etc/config/network
• Wireless file /etc/config/wireless
To view the configuration file, use the command: uci export network
package network

config interface 'lan'
    option ifname 'eth0'
    option proto 'static'
    option ipaddr '192.168.100.1'
    option netmask '255.255.255.0'
    option type 'bridge'

To view the wireless configuration, enter: uci export wireless

package wireless

config wifi-device 'radio0'
    option type 'mac80211'
    option channel '11'
    option phy 'phy0'
    option hwmode '11ng'
    option htmode 'HT20'
    list ht_capab 'SHORT-GI-40'
    list ht_capab 'TX-STBC'
    list ht_capab 'RX-STBC1'
    list ht_capab 'DSSS_CCK-40'
    option txpower '17'
    option country 'US'

config wifi-iface
    option device 'radio0'
    option mode 'ap'
    option disabled '1'
    option ssid 'Test_AP'
    option network 'lan'
    option encryption 'psk'
    option key 'secretkey'

Note: in this example the access point is switched off (option disabled '1'); set disabled to '0' to bring it up. encryption 'psk' selects WPA1; use 'psk2' (WPA2), as in the client example in section 14.6, and replace the example key with a strong passphrase before enabling the interface.
To view the same settings as UCI commands, enter: uci show network

network.lan=interface
network.lan.ifname=eth0
network.lan.proto=static
network.lan.ipaddr=192.168.100.1
network.lan.netmask=255.255.255.0
network.lan.type=bridge

and: uci show wireless

wireless.radio0=wifi-device
wireless.radio0.type=mac80211
wireless.radio0.channel=11
wireless.radio0.phy=phy0
wireless.radio0.hwmode=11ng
wireless.radio0.htmode=HT20
wireless.radio0.ht_capab=SHORT-GI-40 TX-STBC RX-STBC1 DSSS_CCK-40
wireless.radio0.txpower=17
wireless.radio0.country=US
wireless.@wifi-iface[0]=wifi-iface
wireless.@wifi-iface[0].device=radio0
wireless.@wifi-iface[0].mode=ap
wireless.@wifi-iface[0].disabled=1
wireless.@wifi-iface[0].ssid=Test_AP
wireless.@wifi-iface[0].network=lan
wireless.@wifi-iface[0].encryption=psk
wireless.@wifi-iface[0].key=secretkey
14.5.2 Configuring WiFI on a new interface
To view the network configuration, enter: uci export network

package network

config interface 'newlan'
    option proto 'static'
    option ipaddr '192.168.111.1'
    option netmask '255.255.255.0'

To view the wireless configuration, enter: uci export wireless

package wireless

config wifi-device 'radio0'
    option type 'mac80211'
    option channel '11'
    option phy 'phy0'
    option hwmode '11ng'
    option htmode 'HT20'
    list ht_capab 'SHORT-GI-40'
    list ht_capab 'TX-STBC'
    list ht_capab 'RX-STBC1'
    list ht_capab 'DSSS_CCK-40'
    option txpower '17'
    option country 'US'

config wifi-iface
    option device 'radio0'
    option mode 'ap'
    option disabled '1'
    option ssid 'Test_AP'
    option network 'newlan'
    option encryption 'psk'
    option key 'secretkey'
To view the same settings as UCI commands, enter: uci show network

network.newlan=interface
network.newlan.proto=static
network.newlan.ipaddr=192.168.111.1
network.newlan.netmask=255.255.255.0

and: uci show wireless

wireless.radio0=wifi-device
wireless.radio0.type=mac80211
wireless.radio0.channel=11
wireless.radio0.phy=phy0
wireless.radio0.hwmode=11ng
wireless.radio0.htmode=HT20
wireless.radio0.ht_capab=SHORT-GI-40 TX-STBC RX-STBC1 DSSS_CCK-40
wireless.radio0.txpower=17
wireless.radio0.country=US
wireless.@wifi-iface[0]=wifi-iface
wireless.@wifi-iface[0].device=radio0
wireless.@wifi-iface[0].mode=ap
wireless.@wifi-iface[0].disabled=1
wireless.@wifi-iface[0].ssid=Test_AP
wireless.@wifi-iface[0].network=newlan
wireless.@wifi-iface[0].encryption=psk
wireless.@wifi-iface[0].key=secretkey
14.6 Configuring WiFi in client mode
To view the network configuration, enter: uci export network

package network

config interface 'WCLIENT'
    option proto 'dhcp'

To view the wireless configuration, enter: uci export wireless

package wireless

config wifi-device 'radio0'
    option type 'mac80211'
    option channel '11'
    option phy 'phy0'
    option hwmode '11ng'
    option htmode 'HT20'
    list ht_capab 'SHORT-GI-40'
    list ht_capab 'TX-STBC'
    list ht_capab 'RX-STBC1'
    list ht_capab 'DSSS_CCK-40'
    option txpower '17'
    option country 'US'

config wifi-iface
    option device 'radio0'
    option ssid 'Remote-AP'
    option mode 'sta'
    option network 'WCLIENT'
    option encryption 'psk2'
    option key 'testtest'

Note: 'testtest' is an eight-character example key, the minimum WPA allows; use a long, random passphrase on a real deployment.

To view the same settings as UCI commands, enter: uci show network

network.WCLIENT=interface
network.WCLIENT.proto=dhcp

and: uci show wireless

wireless.radio0=wifi-device
wireless.radio0.type=mac80211
wireless.radio0.channel=11
wireless.radio0.phy=phy0
wireless.radio0.hwmode=11ng
wireless.radio0.htmode=HT20
wireless.radio0.ht_capab=SHORT-GI-40 TX-STBC RX-STBC1 DSSS_CCK-40
wireless.radio0.txpower=17
wireless.radio0.country=US
wireless.@wifi-iface[0]=wifi-iface
wireless.@wifi-iface[0].device=radio0
wireless.@wifi-iface[0].ssid=Remote-AP
wireless.@wifi-iface[0].mode=sta
wireless.@wifi-iface[0].network=WCLIENT
wireless.@wifi-iface[0].encryption=psk2
wireless.@wifi-iface[0].key=testtest
15 Configuring a 3G/4G connection
In the top menu, select Network -> Interfaces.
Figure 38: The interfaces menu on a VA router
The Interfaces Overview page appears.
Figure 39: The interfaces overview page.
Click Edit on WAN or LAN to make your changes.
For WAN connectivity, the Common Configuration page appears.
Figure 40: The common connectivity page
Ensure the General Setup tab is selected.
For single SIM implementation, in the SIM drop down menu, select SIM 1.
Enter the APN information and the PAP/CHAP username and password.
Click Save & Apply.
To enable 3G/4G connection to connect on boot up, select the Advanced
Settings tab.
Select Bring up on boot.
Click Save & Apply.
To check for connectivity, return to the top menu, and under Network ->
Interfaces, the WAN interface will show receive and transmit packets and an IP address.
Figure 41: The interfaces overview page
To view 3G/4G connectivity information, browse to Status -> 3G Stats.
Figure 42: The 3G information page
16 Configuring SMS
Browse to the router’s IP address and login.
Select Service tab > Mobile Manager. The Mobile Manager page appears.
Figure 43: The mobile manager page
In the Basic Settings section, check the box beside SMS Enable.
In the Callers section, click Add to add caller numbers.
Add specific caller numbers, or use the wildcard symbol * as shown below. Note that * allows any number to send SMS commands to the router; on a production unit, list the permitted numbers explicitly.
Click Enable.
Select Respond if you want the router to reply.
Parameter | Description
Name | Name assigned to the caller.
Number | Number of the caller allowed to SMS the router.
Enable | Enables or disables the caller.
Respond | If checked, the router returns an SMS.
Table 13: SMS caller fields and their descriptions
When you have made your changes, click Save & Apply and then reboot.
16.1 Monitoring SMS
You can monitor inbound SMS messages using the router's web interface or via an SSH session.
To monitor via SSH, log in and enter: logread -f &
SMS messages appear in the log output as they are received.
Figure 44: Output from the command logread -f &
To monitor via the web interface, log in and select Status -> System Log.
Scroll to the bottom of the log to view the SMS message.
Figure 45: Output from system log
16.2 Outgoing messages
You can send an outgoing message from the command line using the following syntax: sendsms <number> '<message>'
For example: sendsms 353872243909 'hello'
Figure 46: Output from the command sendsms 353872243909 'hello'
17 Configuring Multi-WAN
Multi-WAN is used for managing WAN interfaces on the router, for example, 3G interfaces to ensure high-availability. You can customise Multi-WAN to various needs, but its main use is to ensure WAN connectivity and provide a failover system in the event of failure or poor coverage.
17.1 Multi-WAN web interface
You can configure Multi-WAN through the web interface. In the navigation menu browse to Network -> Multi-Wan. The Multi-WAN page appears.
Figure 47: The multi-WAN page
Name | Type | Required | Default | Description
Enable | Boolean | Yes | No | Enables or disables Multi-WAN.
Preempt | Boolean | No | No | Enables or disables pre-emption for Multi-WAN. If enabled, the router keeps trying to reconnect to a higher priority interface, depending on the timer set.
Alternate Mode | Boolean | No | No | Enables or disables alternate mode for Multi-WAN. If enabled, the router uses an alternate interface after reboot.
Table 14: The multi-WAN fields and their descriptions
When you have enabled Multi-WAN, you can add the interfaces that will be managed by Multi-WAN, for example 3G interfaces.
Note: the name used in Multi-WAN must be identical, including upper and lower case, to the actual 3G interface name defined in your network configuration. To check the names and settings are correct, browse to Network -> Interfaces or, alternatively, run cat /etc/config/network from the CLI.
Enter the name of the WAN interface to configure, and then click Add. A new section for configuring the interface's parameters appears.
Figure 48: Example interface showing failover traffic destination as the added multi-WAN interface
Name | Type | Required | Default | Description
Load Balancer Distribution | Dropdown list | No | 10 | Configures the weight for load balancing. Not applicable if you are using 2 SIM cards.
Health Monitor Interval | Dropdown list | No | 10 | Sets the period between health checks of the interface.
Health Monitor ICMP Host(s) | Dropdown list/IP address | No | DNS Server(s) | Sends health ICMP pings to the configured hosts, the DNS servers by default. Can be set to any address.
Health Monitor ICMP Timeout | Dropdown list | No | 3 secs | Sets the ping timeout in seconds.
Attempts Before WAN Failover | Dropdown list | No | 3 | Sets the number of failed checks before the interface is considered a failure.
Attempts Before WAN Recovery | Dropdown list | Yes | 5 | Sets the number of healthy pings before the interface is considered healthy.
Failover Traffic Destination | Dropdown list | Yes | Load Balancer (Compatibility) | Not applicable unless you have 2 WAN interfaces connected simultaneously and want to forward traffic to a specific interface after the failover.
DNS Server(s) | Dropdown list | No | Auto | Specifies DNS for the interface.
Priority | Numeric value | Yes | 0 | Specifies the priority of the interface; a higher value is better. 1 is better than 0, so the interface with priority 1 connects first.
Manage Interface State (Up/Down) | Boolean | Yes | Yes | Lets Multi-WAN start and stop the interface.
Exclusive Group | Dropdown list/Numeric value | Yes | 0 | Defines the group within which only one interface can be active: SIM 1 or SIM 2.
Minimum ifup interval | Dropdown list/Numeric value | Yes | 300 secs | Specifies the minimum interval between two successive interface start attempts.
Interface Start Timeout | Dropdown list/Numeric value | Yes | 40 secs | Specifies the time allowed for the interface to start up. If it is not up after this period, it is considered a fail.
Signal Threshold (dBm) | Dropdown list/Numeric value | Yes | -150 | Specifies the minimum signal strength (dBm) before the interface fails the signal health check.
RSCP Threshold (dBm) | Numeric value | No | -150 | Specifies the minimum RSCP before the interface fails the signal health check.
ECIO Threshold (dBm) | Dropdown list/Numeric value | Yes | -35 | Specifies the minimum ECIO before the interface fails the signal health check.
Table 15: Multi-WAN interface fields and their descriptions
You can also set up traffic rules, to forward specific traffic out of the right WAN interface, based on source, destination address, protocol or port. This is useful to force traffic on specific interfaces when using multiple WAN interfaces simultaneously.
Figure 49: The multi-WAN traffic rules page
17.2 Multi-WAN UCI interface
Multi-WAN UCI configuration settings are stored in the following file:
/etc/config/multiwan
Run uci export multiwan or uci show multiwan to see the Multi-WAN UCI configuration settings.
A sample is shown below.

~# uci export multiwan
package multiwan

config multiwan 'config'
    option preempt 'yes'
    option alt_mode 'no'
    option enabled 'yes'

config interface 'wan'
    option disabled '0'
    option health_interval '10'
    option timeout '3'
    option health_fail_retries '3'
    option health_recovery_retries '5'
    option priority '2'
    option manage_state 'yes'
    option exclusive_group '3g'
    option ifup_retry_sec '36000'
    option icmp_hosts 'disable'
    option signal_threshold '-111'
    option rscp_threshold '-90'
    option ecio_threshold '-15'
    option ifup_timeout_sec '120'

~# uci show multiwan
multiwan.config=multiwan
multiwan.config.preempt=yes
multiwan.config.alt_mode=no
multiwan.config.enabled=yes
multiwan.wan=interface
multiwan.wan.disabled=0
multiwan.wan.health_interval=10
multiwan.wan.timeout=3
multiwan.wan.health_fail_retries=3
multiwan.wan.health_recovery_retries=5
multiwan.wan.priority=2
multiwan.wan.manage_state=yes
multiwan.wan.exclusive_group=3g
multiwan.wan.ifup_retry_sec=36000
multiwan.wan.icmp_hosts=disable
multiwan.wan.signal_threshold=-111
multiwan.wan.rscp_threshold=-90
multiwan.wan.ecio_threshold=-15
multiwan.wan.ifup_timeout_sec=120
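Two of the checks this manual asks you to make by eye can be scripted against uci export output: that a wireless interface uses WPA2 rather than WPA1 or WEP (section 14.5), and that every Multi-WAN interface name matches a network interface name exactly, including case (the note in section 17.1). The following Python is an added example written for this page, not Virtual Access code. It parses the export format shown above (package, config, option and list lines); SAMPLE_EXPORT is a constructed input assembled from the manual's own examples with a deliberate case mismatch ('wclient' against 'WCLIENT'), and MIN_KEY_LEN is an assumed policy value, not a router setting.

```python
"""Parse `uci export` output and flag weak Wi-Fi settings and Multi-WAN name
mismatches. Added example for this manual page, not Virtual Access code."""
import re
import shlex

_LINE = re.compile(r"^\s*(package|config|option|list)\s+(.*)$")
MIN_KEY_LEN = 12  # assumed policy floor; WPA itself only requires 8 characters
WEAK_ENCRYPTION = {
    "none": "open network, traffic is not protected",
    "wep": "WEP is broken",
    "psk": "WPA1 pre-shared key; use psk2 (WPA2)",
    "psk-mixed": "allows WPA1 clients; use psk2 (WPA2)",
}


def parse_uci_export(text):
    """Return {package: [section, ...]}; a section has 'type', 'name' (None when
    anonymous) and 'options' (a string per option, a list for `list` lines)."""
    packages, sections, section = {}, None, None
    for raw in text.splitlines():
        m = _LINE.match(raw)
        if not m:
            continue
        keyword, rest = m.groups()
        parts = shlex.split(rest)  # strips the single quotes uci prints
        if keyword == "package":
            sections = packages.setdefault(parts[0], [])
        elif keyword == "config":
            section = {"type": parts[0], "options": {},
                       "name": parts[1] if len(parts) > 1 else None}
            sections.append(section)
        else:
            key, value = parts[0], (parts[1] if len(parts) > 1 else "")
            if keyword == "list":
                section["options"].setdefault(key, []).append(value)
            else:
                section["options"][key] = value
    return packages


def audit_wireless(packages):
    """Return [(ssid, problem)] for each wifi-iface with weak settings."""
    findings = []
    for s in packages.get("wireless", []):
        if s["type"] != "wifi-iface":
            continue
        o = s["options"]
        ssid = o.get("ssid", "<no ssid>")
        enc = o.get("encryption", "none").split("+")[0]  # 'psk2+ccmp' -> 'psk2'
        if enc in WEAK_ENCRYPTION:
            findings.append((ssid, "encryption=%s: %s" % (enc, WEAK_ENCRYPTION[enc])))
        if enc.startswith("psk") and len(o.get("key", "")) < MIN_KEY_LEN:
            findings.append((ssid, "key is %d characters; use a long random passphrase"
                             % len(o.get("key", ""))))
    return findings


def audit_multiwan_names(packages):
    """Return [(multiwan name, [network names differing only in case])] for each
    Multi-WAN interface section with no exactly matching network interface."""
    known = {s["name"] for s in packages.get("network", []) if s["type"] == "interface"}
    problems = []
    for s in packages.get("multiwan", []):
        name = s["name"] or ""
        if s["type"] == "interface" and name not in known:
            problems.append((name, sorted(n for n in known if n.lower() == name.lower())))
    return problems


def harden_commands(packages):
    """Suggest uci commands that move weak wifi-iface sections to WPA2-PSK;
    anonymous sections are addressed by index, as `uci show` prints them."""
    cmds = []
    ifaces = [s for s in packages.get("wireless", []) if s["type"] == "wifi-iface"]
    for i, s in enumerate(ifaces):
        if s["options"].get("encryption", "none").split("+")[0] in WEAK_ENCRYPTION:
            cmds.append("uci set wireless.%s.encryption='psk2'"
                        % (s["name"] or "@wifi-iface[%d]" % i))
    return cmds + ["uci commit wireless"] if cmds else cmds


# Constructed input built from the manual's examples; the Multi-WAN section
# deliberately gets the case of 'WCLIENT' wrong.
SAMPLE_EXPORT = """\
package network
config interface 'lan'
    option ifname 'eth0'
    option ipaddr '192.168.100.1'
config interface 'WCLIENT'
    option proto 'dhcp'
package wireless
config wifi-device 'radio0'
    list ht_capab 'SHORT-GI-40'
    list ht_capab 'TX-STBC'
config wifi-iface
    option ssid 'Test_AP'
    option encryption 'psk'
    option key 'secretkey'
config wifi-iface
    option ssid 'Remote-AP'
    option encryption 'psk2'
    option key 'testtest'
package multiwan
config interface 'wclient'
    option priority '2'
"""
```

On a router, uci export with no package name writes every package; copy that output off the device and pass it to parse_uci_export. Review the commands harden_commands prints before running them, and change the key by hand: the script only points at the weak key, it does not generate a new one.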
Config multiwan
Name | Required | Default | Description
enabled | Yes | No | Enables or disables Multi-WAN.
preempt | No | No | Enables or disables pre-emption for Multi-WAN. If enabled, the router keeps trying to connect to a higher priority interface, depending on the timer set.
alt_mode | No | No | Enables or disables alternate mode for Multi-WAN. If enabled, the router uses an alternate interface after reboot.

Config interface
Name | Required | Default | Description
disabled | No | 0 | Disables the Multi-WAN interface.
weight | No | 10 | Configures the weight for load balancing. Not relevant when two SIM cards are being used.
health_interval | No | 10 | Sets the period between health checks of the interface.
icmp_hosts | No | DNS server(s) | Hosts that receive the health ICMP pings, the interface's DNS servers by default (the sample above sets 'disable').
timeout | No | 3 secs | Sets the ping timeout.
health_fail_retries | Yes | 3 | Specifies the number of failed checks before the interface is considered a failure.
health_recovery_retries | Yes | 5 | Specifies the number of healthy pings before the interface is considered healthy.
failover_to | Yes | Load Balancer (Compatibility) | Not applicable unless you have two WAN interfaces connected simultaneously and want to forward traffic to a specific interface after the failover.
dns | No | Auto | Defines DNS for the interface.
priority | Yes | 0 | Specifies the priority of the interface; a higher value is better. 1 is better than 0, so the interface with priority 1 connects first.
manage_state | Yes | Yes | Lets Multi-WAN start and stop the interface.
exclusive_group | No | 0 | Specifies the group within which only one interface can be active: SIM 1 or SIM 2.
ifup_retry_sec | Yes | 300 secs | Specifies the minimum interval between two successive interface start attempts.
ifup_timeout_sec | Yes | 40 secs | Specifies the time allowed for the interface to start up. If it is not up after this period, it is considered a fail.
signal_threshold | Yes | -150 | Specifies the minimum signal strength (dBm) before the interface is considered failed.
rscp_threshold | Yes | -150 | Specifies the minimum RSCP (dBm, 3G) before the interface is considered failed.
ecio_threshold | Yes | -35 | Specifies the minimum ECIO (dBm, 3G) before the interface is considered failed.
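To make the interaction of these fields concrete, here is a small model of the per-interface health check, added for this page and not the router's own code. It implements the counting behaviour the field descriptions imply: a check fails when the ping times out or the signal is below signal_threshold, the interface is marked down after health_fail_retries consecutive failures, and it is marked up again only after health_recovery_retries consecutive healthy checks, so one bad sample cannot flap the link. The defaults are the manual's (3 and 5) and the threshold is the sample config's -111 dBm; the trace is constructed. The real implementation may interact with ifup_timeout_sec and icmp_hosts in ways this model does not cover.

```python
"""Model of the Multi-WAN per-interface health check with failover/recovery
hysteresis. Added example for this manual page, not the router's own code."""


class HealthMonitor:
    def __init__(self, health_fail_retries=3, health_recovery_retries=5,
                 signal_threshold=-111):
        # Defaults: "Attempts Before WAN Failover/Recovery" (3 and 5) and the
        # signal_threshold from the sample config above.
        self.fail_retries = health_fail_retries
        self.recovery_retries = health_recovery_retries
        self.signal_threshold = signal_threshold
        self.up = True
        self.consecutive_fail = 0
        self.consecutive_ok = 0
        self.transitions = []  # (sample index, 'down' or 'up', reason)

    def poll(self, index, ping_ok, signal_dbm):
        """Apply one Health Monitor sample; return the state after it."""
        if not ping_ok:
            reason = "ping timeout"
        elif signal_dbm < self.signal_threshold:
            reason = "signal %d dBm below %d dBm" % (signal_dbm, self.signal_threshold)
        else:
            reason = None
        if reason is None:
            self.consecutive_ok += 1
            self.consecutive_fail = 0  # a good sample resets the failure count
            if not self.up and self.consecutive_ok >= self.recovery_retries:
                self.up = True
                self.transitions.append((index, "up", "%d healthy polls" % self.consecutive_ok))
        else:
            self.consecutive_fail += 1
            self.consecutive_ok = 0  # a bad sample restarts the recovery count
            if self.up and self.consecutive_fail >= self.fail_retries:
                self.up = False
                self.transitions.append((index, "down", reason))
        return "up" if self.up else "down"


def run_trace(samples, **settings):
    """Feed (ping_ok, signal_dbm) samples through a fresh monitor; return
    (state after each sample, list of transitions)."""
    mon = HealthMonitor(**settings)
    states = [mon.poll(i, ok, dbm) for i, (ok, dbm) in enumerate(samples)]
    return states, mon.transitions


# Constructed trace: a three-sample signal dip, one good sample, one lost ping,
# then five good samples.
TRACE = [(True, -85), (True, -113), (True, -112), (True, -115), (True, -80),
         (False, -80), (True, -80), (True, -80), (True, -80), (True, -80), (True, -80)]
```

With the defaults, the dip takes the interface down at the third bad sample and the single lost ping at sample 5 restarts the recovery count, so the interface is only back up at sample 10. Setting health_recovery_retries to 1 brings it up after the first good sample instead, which is faster but lets a marginal link flap.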
18 Automatic operator selection
18.1 Introduction to automatic operator selection
This section describes how to configure and operate the Automatic Operator
Selection feature of a Virtual Access router.
When the roaming SIM is connected, the 3G module has the ability to scan available 3G networks. The router, using mobile and multi-WAN packages, finds available networks to create and sort interfaces according to their signal strength. These interfaces are used for failover purposes.
18.2 Configuring automatic operator selection
While the router boots up it checks for 3G networks. Based on available networks, the router creates network and multi-WAN package failover interfaces.
Details for these interfaces are provided in the mobile package. When you have created the interfaces, multi-WAN manages the operation of primary
(predefined) and failover (auto created) interfaces.
There are four PMP (Primary Mobile Provider) scenarios:
• PMP + roaming: pre-empt enabled
• PMP + roaming: pre-empt disabled
• No PMP + roaming
• Disable roaming
18.3 Configuring automatic operator selection via the web interface
18.3.1 PMP + roaming: pre-empt enabled
In this scenario, the primary interface is used whenever possible.
Software operations
1. Connect the PMP interface.
2. Wait until the signal level on the PMP interface drops below the sig_dbm option value.
3. Disconnect the PMP interface.
4. Connect the first auto-generated interface.
5. Wait until the signal level on the first auto-generated interface drops below the sig_dbm option in the mobile package, or until the primary interface is available to connect again after it was disconnected in step 3 (the ifup_retry_sec option value of the primary interface in the multi-WAN package).
6. Disconnect the auto-generated interface. If the interface was disconnected due to low signal level, connect the next auto-generated interface and repeat step 5. If the interface was disconnected because ifup_retry_sec of the primary interface timed out, go back to step 1 and repeat the process.
The primary predefined interface is defined in the network package. Ensure the interface name matches the interface name defined in the multi-WAN package.
18.3.1.1 Creating primary predefined interface
On the web interface go to Network ->Interfaces. The Interfaces page appears.
Figure 50: The interface overview page
Click Add new interface… The Create Interface page appears.
Figure 51: The create interface page
Type in the name of the interface in Name of the new interface field.
Type the interface name in the following format: 3g_s<sim-number>_<short-operator-name>, where <sim-number> is the number of the roaming SIM (1 or 2) and <short-operator-name> is the first four alphanumeric characters of the operator name (as reported by the 'AT+COPS=?' command).
Type the short operator name in lower case, for example:
Operator name | First four alphanumeric characters
Vodafone UK | voda
O2 – UK | o2uk
Orange | oran
Table 16: Examples of operator names
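The naming rule above can be applied mechanically to the output of AT+COPS=?. The following Python is an added example for this page, not Virtual Access code: it parses the operator list in the +COPS: response (the (stat,"long","short","numeric"[,AcT]) list format of 3GPP TS 27.007), derives the 3g_s<sim-number>_<short-operator-name> interface name for each operator, and validates a name typed by hand. SCAN is a constructed modem response; skipping operators with stat 3 (forbidden) is this example's choice, not something the manual states.

```python
"""Derive automatic-operator-selection interface names from an AT+COPS=? scan.
Added example for this manual page, not Virtual Access code."""
import re

# One operator entry of a +COPS: response: (stat,"long","short","numeric"[,AcT])
# as defined in 3GPP TS 27.007; stat 0=unknown, 1=available, 2=current, 3=forbidden.
_ENTRY = re.compile(r'\((\d),"([^"]*)","([^"]*)","(\d+)"(?:,(\d+))?\)')
# The manual's interface name format: 3g_s<1|2>_<up to four lower-case alphanumerics>
_NAME = re.compile(r"^3g_s[12]_[a-z0-9]{1,4}$")


def short_operator_name(long_name):
    """First four alphanumeric characters of the operator name, in lower case."""
    return "".join(ch for ch in long_name if ch.isalnum())[:4].lower()


def parse_cops_scan(response):
    """Return [(stat, long_name, numeric_code)] from the +COPS: line of a response."""
    line = next((l for l in response.splitlines() if l.startswith("+COPS:")), "")
    return [(int(m.group(1)), m.group(2), m.group(4)) for m in _ENTRY.finditer(line)]


def interface_names(response, sim_number, skip_forbidden=True):
    """Map each scanned operator to its 3g_s<sim>_<short> interface name."""
    names = []
    for stat, long_name, _code in parse_cops_scan(response):
        if skip_forbidden and stat == 3:
            continue  # assumption: a forbidden PLMN cannot be registered on
        names.append("3g_s%d_%s" % (sim_number, short_operator_name(long_name)))
    return names


def is_valid_primary_name(name):
    """Check a hand-typed primary interface name against the manual's format."""
    return bool(_NAME.match(name))


# Constructed modem response; the operators and codes are illustrative only.
SCAN = ('+COPS: (2,"Vodafone UK","voda UK","23415",2),'
        '(1,"O2 - UK","O2 - UK","23410",2),(3,"Orange","Orange","23433",0)'
        ',,(0,1,2,3,4),(0,1,2)\r\n\r\nOK\r\n')
```

Use is_valid_primary_name on the name you type into the Create Interface page, and interface_names to predict what the auto-created interfaces will be called so that the Multi-WAN and mobile package entries can be checked against them before rebooting.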
From the Protocol dropdown menu, select UMTS/GPRS/EV-DO.
Click Submit. The Common Configuration page appears.
Figure 52: The common configuration page
Name | Type | Required | Default | Description
Protocol | Dropdown menu | Yes | UMTS/GPRS/EV-DO | Protocol type
Service Type | Dropdown menu | Yes | None | Service type that will be used to connect to the network
APN | String | Yes | None | APN name of the mobile network operator
SIM | Dropdown menu | Yes | None | SIM slot to use (SIM 1 or SIM 2)
PIN | Numeric value | No | None | SIM card's PIN number
PAP/CHAP username | String | No | None | Username used to connect to the APN
PAP/CHAP password | String | No | None | Password used to connect to the APN
Click Save & Apply.
18.3.1.2 Setting multi-WAN options for primary predefined interface
On the web interface go to Network ->Multi-Wan. The Multi-WAN page appears.
Figure 53: The multi-WAN page
In the Multi-WAN page, click Add. The Multi-WAN page appears.
Figure 54: The multi-wan page
Check Enable.
Check Preempt.
Name | Type | Required | Default | Description
Enable | Boolean | Yes | 0 | Enables Multi-WAN
Preempt | Boolean | No | 0 | Enables Preempt mode
Alternate Mode | Boolean | No | 0 | Enables Alternate Mode
In the WAN Interfaces section, type in the name of the Multi-WAN Interface.
Note: this name should match the name specified in the previous section.
Click Add. The Multi-WAN page appears.
Figure 55: The multi-WAN page
From the Health Monitor Interval dropdown menu, choose the interval used to monitor the signal strength value.
From the Attempts Before WAN Failover dropdown menu, select the number of failed Health Monitor checks that will cause the interface to be disconnected.
In the Priority field, type the priority number. The Multi-WAN priority of the primary interface must be higher than the priority given to the auto-created interfaces in the mobile package (see 'Setting options for automatically created interfaces' below); otherwise the primary interface will not be preferred.
Ensure you have selected the Manage Interface State (Up/Down) option.
In the Exclusive Group field, type 3g.
From the Minimum ifup Interval dropdown menu, select the minimum interval between two successive interface start attempts.
From the Interface Start Timeout dropdown menu, select the time allowed for the interface to start up.
From the Signal Threshold dropdown menu, select the signal level below which the interface is marked as failed.
All available WAN interface options are described in the table below.
Name | Type | Required | Default | Description
Health Monitor Interval | Dropdown menu | Yes | 10 sec | Interval used to monitor signal strength
Health Monitor ICMP Host(s) | Dropdown menu | No | none | Target IP address for ICMP packets
Health Monitor ICMP Timeout | Dropdown menu | Yes | 3 sec | ICMP timeout
Attempts Before WAN Failover | Dropdown menu | Yes | 3 | Number of failed Health Monitor attempts before the interface is torn down
Attempts Before WAN Recovery | N/A | N/A | N/A | N/A
Priority | Number | Yes | 0 | A higher value is a higher priority
Minimum ifup Interval | Dropdown menu | Yes | 300 sec | Minimum interval between two successive interface start attempts
Interface Start Timeout | Dropdown menu | Yes | 40 sec | Time allowed for the interface to start up
Signal Threshold (dBm) | Dropdown menu | Yes | -115 | If the signal is lower than this value, the interface is marked as failed
18.3.1.3 Setting options for automatically created interfaces
From the top menu on the web interface, select Services -> Mobile Manager. The Mobile Manager page appears.
Figure 56: The mobile manager page
Under Basic Settings, click Add. The Basic settings for Mobile Manager page appears.
Figure 57: Basic settings field in the mobile manager page
Name | Type | Required | Default | Description
SMS Enable | Boolean | No | 1 | Enables SMS
Roaming SIM | Dropdown list | Yes | none | Slot in which the roaming SIM card is inserted
Collect ICCIDs | Boolean | No | 0 | Collect ICCIDs on startup from one SIM (0) or from two SIMs (1)
Under Roaming Template Interface click Add. The Roaming Interface Template page appears.
Figure 58: The roaming interface template page
Check the Interface Signal Sort checkbox so that auto-created interfaces are prioritised by signal strength value.
From the Roaming SIM dropdown menu, select the slot that the roaming SIM card is inserted in.
Click the Firewall Zone radio button to select the zone that the auto-created interfaces will belong to. Treat these interfaces as untrusted: put them in the same zone as your existing WAN interface, not the LAN zone, so that traffic arriving from a roaming network is subject to the same firewall rules as the primary WAN.
Type in the PAP/CHAP username and password.
Type in the APN and PIN details.
From the Health Monitor Interval dropdown menu, select the interval used to monitor the signal strength value.
From the Attempts Before WAN Failover dropdown menu, select the number of failed Health Monitor checks that will cause the interface to be disconnected.
From the Minimum ifup Interval dropdown menu, select the minimum interval between two successive interface start attempts.
From the Interface Start Timeout dropdown menu, select the time allowed for the interface to start up.
From the Signal Threshold dropdown menu, select the signal level (dBm) below which the interface is marked as failed.
Name | Type | Required | Default | Description
Interface Signal Sort | Boolean | No | 0 | Sorts interfaces by signal strength so that those with the better signal at startup are tried first
Roaming SIM | Dropdown menu | No | 1 | Specifies which slot the roaming SIM card is inserted in
Firewall Zone | Radio button menu | N/A | None | Adds all generated interfaces to this zone
Service Type | Dropdown menu | Yes | UMTS/GPRS | Specifies the technology type
APN | String | Yes | None | Sets the APN
PIN | Number | No | None | Sets the SIM card PIN number
PAP/CHAP username | String | No | None | Sets the username used to connect to the APN
PAP/CHAP password | String | No | None | Sets the password used to connect to the APN
Health Monitor Interval | Dropdown menu | Yes | 10 sec | Sets the interval used to monitor signal strength
Health Monitor ICMP Host(s) | Dropdown menu | No | none | Specifies the target IP address for ICMP packets
Health Monitor ICMP Timeout | Dropdown menu | Yes | 3 sec | Specifies the ICMP timeout
Attempts Before WAN Failover | Dropdown menu | Yes | 3 | Specifies the number of failed Health Monitor attempts before the interface is torn down
Attempts Before WAN Recovery | N/A | N/A | N/A | N/A
Priority | Number | Yes | 0 | A higher value is a higher priority
Minimum ifup Interval | Dropdown menu | Yes | 300 sec | Specifies the minimum interval between two successive interface start attempts
Interface Start Timeout | Dropdown menu | Yes | 40 sec | Sets the time allowed for the interface to start up
Signal Threshold (dBm) | Dropdown menu | Yes | -115 | Specifies the threshold: if the signal is lower than this, the interface is marked as failed
When you have configured your settings, click Save & Apply.
In the top menu, select System -> Reboot. The System page appears.
Figure 59: The reboot page
Check the Reboot now check box and then click Reboot.
18.3.2 PMP + roaming: pre-empt disabled
As in the previous section, multi-WAN connects the primary predefined interface and uses auto-created interfaces. However, in this scenario the auto-created interface is not disconnected as soon as the primary interface becomes available.
The primary interface is reconnected only when the auto-created interface is down and the ifup_retry_sec timeout has expired.
The only change in configuration compared to the PMP + roaming: pre-empt enabled example above is that the pre-empt option in the multi-WAN package must be disabled.
To disable PMP + roaming pre-empt, in the top menu, select Network -> Multi-Wan.
In the Multi-WAN page, ensure Preempt is not selected.
Figure 60: The multi-wan page, pre-empt not selected
Click Save & Apply.
In the top menu, select System -> Reboot. The System Reboot page appears.
Figure 61: The system reboot page
Check the Reboot now check box and then click Reboot.
18.3.3 Roaming: no PMP defined
There is no primary interface that can be used for a connection. The router uses the network that offers the best signal threshold.
Multi-WAN operation
1. Connect to the first roaming operator interface.
2. Check the signal strength every 'health_interval'. If the signal drops below 'signal_threshold', continue with the next step.
3. Disconnect from the first roaming interface.
4. Connect to the second roaming operator interface.
5. Check the signal strength every 'health_interval'. Stay there until the signal drops below 'signal_threshold'.
6. Disconnect from the second roaming interface. Go to step 1.
From the top menu, select Network -> Multi-Wan. The Multi-WAN page appears.
Figure 62: The multi-WAN page
Scroll to the WAN Interfaces section, and click Delete to delete the predefined interface.
Click Save & Apply.
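The roaming cycle above, replayed as an added example that is not part of the manual: a small Python model of the health monitor using the settings from the Multi-WAN table (health interval, signal threshold, attempts before failover, pre-empt). The interface names and signal readings are constructed, and the cycle is generalised to any number of operator interfaces and to the pre-empt enabled and disabled cases of the previous sections.

```python
from dataclasses import dataclass


@dataclass
class MultiWanSettings:
    """Health Monitor settings; the defaults mirror the Multi-WAN table above."""
    health_interval: int = 10          # seconds between signal checks
    signal_threshold: int = -115       # dBm; a reading lower than this is a fail
    attempts_before_failover: int = 3  # consecutive fails before the interface is torn down
    preempt: bool = True               # reconnect the primary as soon as it is usable again


@dataclass
class RoamingEvent:
    time: int      # seconds since the first connection
    action: str    # "connect" or "disconnect"
    iface: str
    reason: str


def simulate_roaming(settings, interfaces, samples, primary=None):
    """Replay the roaming cycle over recorded signal readings.

    interfaces: ordered operator interface names; the primary (PMP), if any, comes first.
    samples: {iface: [dBm reading at each health check]}, all lists of equal length.
    Returns the connect/disconnect events the health monitor would produce: after
    attempts_before_failover consecutive readings below signal_threshold the current
    interface is torn down and the next one started, wrapping round to the first
    ("Go to step 1"). With preempt enabled and a primary defined, a roaming interface
    is dropped as soon as the primary's signal is usable again; with preempt disabled
    the router stays on the roaming interface until that interface itself fails.
    """
    if not interfaces:
        raise ValueError("at least one interface is required")
    checks = len(samples[interfaces[0]])
    idx, failures, t = 0, 0, 0
    current = interfaces[idx]
    events = [RoamingEvent(t, "connect", current, "initial connection")]
    for check in range(checks):
        t += settings.health_interval
        reading = samples[current][check]
        # a good reading resets the counter: only consecutive fails count
        failures = failures + 1 if reading < settings.signal_threshold else 0
        if failures >= settings.attempts_before_failover:
            events.append(RoamingEvent(t, "disconnect", current,
                                       f"{failures} readings below {settings.signal_threshold} dBm"))
            idx = (idx + 1) % len(interfaces)
            current, failures = interfaces[idx], 0
            events.append(RoamingEvent(t, "connect", current, "failover"))
            continue
        if (settings.preempt and primary is not None and current != primary
                and samples[primary][check] >= settings.signal_threshold):
            events.append(RoamingEvent(t, "disconnect", current, "primary available again"))
            idx = interfaces.index(primary)
            current, failures = primary, 0
            events.append(RoamingEvent(t, "connect", current, "pre-empt"))
    return events


def connected_interface(events):
    """Interface left connected at the end of the replay."""
    return [e for e in events if e.action == "connect"][-1].iface


# Constructed sample readings (dBm), one per health check: the primary 'wan' loses
# signal for three checks and then recovers; both roaming operators stay healthy.
SAMPLES = {
    "wan":   [-120, -120, -120, -100, -100, -100],
    "roam1": [-90, -90, -90, -90, -90, -90],
    "roam2": [-90, -90, -90, -90, -90, -90],
}

if __name__ == "__main__":
    for preempt in (True, False):
        settings = MultiWanSettings(preempt=preempt)
        for e in simulate_roaming(settings, ["wan", "roam1", "roam2"], SAMPLES, primary="wan"):
            print(f"preempt={preempt} t={e.time:>3}s {e.action:<10} {e.iface:<6} ({e.reason})")
```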
18.3.4 Disable roaming
There may be occasions where it is desirable to disable roaming. Use UCI on the command line to set the operator option value:

    cd /etc/config
    uci set network.Wan2.operator='foobar'
    uci commit

Note: your changes will not take effect without the uci commit command.
To check the settings, enter:

    cat network

    config interface 'wan'
        option proto '3g'
        option service 'umts'
        option apn '3ireland.ie'
        option device '/dev/ttyACM0'
        option sim '1'
        option pincode '9999'
        option username 'root'
        option password 'admin'
        option operator '3ireland'

    config interface 'Wan2'
        option proto '3g'
        option device '/dev/ttyACM1'
        option service 'umts'
        option sim '2'
        option apn 'foobar'
        option username 'root'
        option password 'admin'
        option operator 'foobar'
    root@VA_router:/etc/config#

Apply the 'operator' option to both interfaces where both SIMs are used.
19 Configuring IPSec
IPSec tunnels are handled by strongSwan.
You must configure three sections:
• Common settings
• Connection settings
• Secret settings
Common settings control the overall behaviour of strongSwan. Together, the connection and secret sections define the required parameters for a two-way IKEv1 tunnel.
19.1 Common settings
These settings control the overall behaviour of strongSwan. This behaviour is common across all tunnels.
Enable StrongSwan IPSec (boolean; required: yes; default: no): Enables or disables IPSec.
strictcrlpolicy (boolean; required: yes; default: no): Defines whether a fresh CRL must be available for peer authentication based on RSA signatures to succeed.
cachecrls (boolean; required: yes; default: no): Specifies whether Certificate Revocation Lists (CRLs) fetched via http or ldap are cached in /etc/ipsec.d/crls/ under a unique file name derived from the certification authority's public key.
uniqueids (boolean; required: yes; default: yes): Defines whether a particular participant ID should be kept unique, with any new (automatically keyed) connection using an ID from a different IP address deemed to replace all old ones using that ID. Participant IDs normally are unique, so a new (automatically keyed) connection using the same ID is almost invariably intended to replace an old one.
An example of a typical set of common settings for strongSwan is shown below.

    root@VA_router:~# uci show Strongswan.general
    Strongswan.general=general
    Strongswan.general.strictcrlpolicy=no
    Strongswan.general.cachecrls=no
    Strongswan.general.uniqueids=yes
    Strongswan.general.ikev1enabled=yes

The same settings in configuration file syntax:

    config 'general' 'general'
        option 'strictcrlpolicy' 'no'
        option 'cachecrls' 'no'
        option 'uniqueids' 'yes'
19.2 Connection settings
Use this section to define the parameters for an IPSec tunnel.
type (string; required: yes; default: tunnel): Defines whether the connection is in tunnel or transport mode.
name (string; required: yes; default: none): Specifies a name for the tunnel.
waniface (string; required: yes; default: none): Defines the WAN interface used by this tunnel.
xauth_identity (string; required: no; default: none): Defines the Xauth ID.
authby (string; required: no; default: psk): Defines the authentication method. Available options: psk, xauthpsk.
aggressive (string; required: no; default: no): Enables aggressive mode.
localid (string; required: yes; default: none): Defines the local peer identifier.
locallan (string; required: yes; default: none): Defines the local IP of the LAN.
locallanmask (string; required: yes; default: none): Defines the subnet of the local LAN.
remoteid (string; required: yes; default: none): Sets the remote peer identifier.
remoteaddress (string; required: yes; default: none): Sets the public IP address of the remote peer.
remotelan (string; required: yes; default: none): Sets the IP address of the LAN serviced by the remote peer.
remotelanmask (string; required: yes; default: none): Sets the subnet of the remote LAN.
ike (string; required: yes; default: aes128-sha1-modp2048,3des-sha1-modp1536): Specifies the IKE algorithm to use. The format is encAlgo-authAlgo-DHGroup. encAlgo: 3des, aes, serpent, twofish, blowfish. authAlgo: md5, sha, sha2. DHGroup: modp1024, modp1536, modp2048, modp3072, modp4096, modp6144, modp8192. For example: aes128-sha-modp1536.
esp (string; required: yes; default: aes128-sha1,3des-sha1): Specifies the ESP algorithm to use. The format is encAlgo-authAlgo-PFSGroup. encAlgo: 3des, aes, serpent, twofish, blowfish. authAlgo: md5, sha, sha2. PFSGroup (a DH group): modp1024, modp1536, modp2048, modp3072, modp4096, modp6144, modp8192. For example: aes128-sha1-modp1536. If no DH group is defined then PFS is disabled.
auto (string; required: yes; default: ignore): Specifies how the tunnel is initiated. start: on startup. route: when traffic routes this way. add: loads a connection without starting it. ignore: ignores the connection.
ikelifetime (string; required: yes; default: 3h): Specifies how long the keying channel of a connection (ISAKMP or IKE SA) should last before being renegotiated. Syntax: timespec: 1d, 2h, 25m, 10s.
keylife (string; required: yes; default: 1h): Specifies how long a particular instance of a connection (a set of encryption/authentication keys for user packets) should last, from successful negotiation to expiry. Normally, the connection is renegotiated (via the keying channel) before it expires (see rekeymargin). Syntax: timespec: 1d, 2h, 25m, 10s.
rekeymargin (string; required: yes; default: 9m): Specifies how long before connection expiry or keying-channel expiry the attempt to negotiate a replacement should begin. Relevant only locally; the other end need not agree on it. Syntax: timespec: 1d, 2h, 25m, 10s.
keyingtries (integer; required: yes; default: 3): Specifies how many attempts (a positive integer or %forever) should be made to negotiate a connection, or a replacement for one, before giving up. The value %forever means 'never give up'. Relevant only locally; the other end need not agree on it.
dpdaction (string; default: none): Valid values are none, hold and clear. none: disables dead peer detection. clear: clears down the tunnel if the peer does not respond; reconnects when traffic brings the tunnel up. hold: clears down the tunnel and brings it up as soon as the peer is available. restart: restarts DPD when no activity is detected.
dpddelay (string; required: yes; default: 30s): Defines the period (time interval) with which R_U_THERE messages/INFORMATIONAL exchanges are sent to the peer. These are only sent if no other traffic is received. Syntax: timespec: 1d, 2h, 25m, 10s.
dpdtimeout (string; required: yes; default: 150s): Defines the timeout interval after which all connections to a peer are deleted in case of inactivity. Syntax: timespec: 1d, 2h, 25m, 10s.
A typical tunnel configuration is shown below.

    Strongswan.@connection[0]=connection
    Strongswan.@connection[0].type=tunnel
    Strongswan.@connection[0].name=test
    Strongswan.@connection[0].waniface=wan
    Strongswan.@connection[0].localid=10.1.1.1
    Strongswan.@connection[0].locallan=10.1.1.0
    Strongswan.@connection[0].locallanmask=255.255.255.0
    Strongswan.@connection[0].remoteid=10.2.2.2
    Strongswan.@connection[0].remoteaddress=10.2.2.2
    Strongswan.@connection[0].remotelan=10.2.2.2
    Strongswan.@connection[0].remotelanmask=255.255.255.0
    Strongswan.@connection[0].ike=3des-md5-modp1024
    Strongswan.@connection[0].esp=3des-md5
    Strongswan.@connection[0].auto=start
    Strongswan.@connection[0].ikelifetime=8h
    Strongswan.@connection[0].keylife=1h
    Strongswan.@connection[0].rekeymargin=9m
    Strongswan.@connection[0].keyingtries=3
    Strongswan.@connection[0].dpdaction=hold
    Strongswan.@connection[0].dpddelay=30s
    Strongswan.@connection[0].dpdtimeout=120s
    Strongswan.@connection[0].enabled=yes

The same tunnel in configuration file syntax:

    config 'connection'
        option enabled 'yes'
        option 'type' 'tunnel'
        option 'name' "test"
        option 'waniface' 'wan'
        option 'localid' "10.1.1.1"
        option 'locallan' "10.1.1.1"
        option 'locallanmask' "255.255.255.0"
        option 'remoteid' "10.2.2.2"
        option 'remoteaddress' "10.2.2.2"
        option 'remotelan' "10.2.2.2"
        option 'remotelanmask' "255.255.255.0"
        option 'ike' "3des-md5-modp1024"
        option 'esp' "3des-md5"
        option 'auto' 'start'
        option 'ikelifetime' "8h"
        option 'keylife' "1h"
        option 'rekeymargin' "9m"
        option 'keyingtries' "3"
        option 'dpdaction' "hold"
        option 'dpddelay' "30s"
        option 'dpdtimeout' "120s"
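As an added example, not the router's own code: a Python checker that reads 'uci show' output for a strongswan connection section, validates the ike and esp strings against the encAlgo-authAlgo-DHGroup format and the option values listed in the Connection settings table, and reports the legacy primitives used in the typical tunnel above. The weak-primitive list and the rekeymargin-versus-keylife check are this example's own assumptions, not settings from the manual.

```python
import re

# Vocabulary taken from the connection-settings table in this chapter.
ENC_ALGOS = {"3des", "aes", "serpent", "twofish", "blowfish"}
AUTH_ALGOS = {"md5", "sha", "sha1", "sha2"}
DH_GROUPS = {"modp1024", "modp1536", "modp2048", "modp3072", "modp4096", "modp6144", "modp8192"}
AUTO_VALUES = {"start", "route", "add", "ignore"}
DPD_ACTIONS = {"none", "hold", "clear", "restart"}
TYPES = {"tunnel", "transport", "pass"}  # 'pass' is what the shunt connection uses
REQUIRED = ("type", "name", "waniface", "localid", "locallan", "locallanmask", "remoteid",
            "remoteaddress", "remotelan", "remotelanmask", "ike", "esp", "auto", "ikelifetime",
            "keylife", "rekeymargin", "keyingtries", "dpddelay", "dpdtimeout")
# Legacy primitives to flag: an assumed review policy of this example, not a manual setting.
WEAK = {"3des", "md5", "blowfish", "modp1024"}
SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

def parse_timespec(value):
    """Timespec syntax from the table ('1d', '2h', '25m', '10s') -> seconds, or None."""
    m = re.match(r"^(\d+)([dhms])$", value.strip())
    return int(m.group(1)) * SECONDS[m.group(2)] if m else None

def parse_proposal(text, group_required):
    """Yield (enc, auth, group) from 'aes128-sha1-modp2048,3des-sha1-modp1536'; group_required
    is True for 'ike', while 'esp' may omit the group (None), which disables PFS."""
    for entry in text.split(","):
        parts = entry.strip().split("-")
        if len(parts) != 3 and (group_required or len(parts) != 2):
            raise ValueError(f"malformed proposal {entry.strip()!r}")
        enc = re.sub(r"\d+$", "", parts[0])  # aes128 -> aes; 3des is left as is
        auth, group = parts[1], parts[2] if len(parts) == 3 else None
        if enc not in ENC_ALGOS or auth not in AUTH_ALGOS or (group and group not in DH_GROUPS):
            raise ValueError(f"unknown algorithm in {entry.strip()!r}")
        yield enc, auth, group

def check_connection(opts):
    """Findings for one 'connection' section given as {option: value}; [] means clean."""
    findings = [f"missing required option {k}" for k in REQUIRED if k not in opts]
    for key, allowed, default in (("type", TYPES, "tunnel"), ("auto", AUTO_VALUES, "ignore"),
                                  ("dpdaction", DPD_ACTIONS, "none")):
        if opts.get(key, default) not in allowed:
            findings.append(f"{key}: unknown value {opts[key]!r}")
    times = {}
    for key in ("ikelifetime", "keylife", "rekeymargin", "dpddelay", "dpdtimeout"):
        if key in opts:
            times[key] = parse_timespec(opts[key])
            if times[key] is None:
                findings.append(f"{key}: bad timespec {opts[key]!r}")
    # rekeymargin must fall inside keylife, otherwise the replacement cannot be negotiated in time
    if times.get("rekeymargin") and times.get("keylife") and times["rekeymargin"] >= times["keylife"]:
        findings.append("rekeymargin is not shorter than keylife")
    for key, need_group in (("ike", True), ("esp", False)):
        if key not in opts:
            continue
        try:
            for enc, auth, group in parse_proposal(opts[key], need_group):
                findings += [f"{key}: weak primitive {p}" for p in (enc, auth, group) if p in WEAK]
                if key == "esp" and group is None:
                    findings.append("esp: no DH group given, so PFS is disabled")
        except ValueError as err:
            findings.append(f"{key}: {err}")
    return findings

def parse_uci_show(text):
    """'uci show' lines such as Strongswan.@connection[0].ike=... -> {section: {option: value}}."""
    sections = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        section, _, option = key.rpartition(".")
        if "." in section:  # skips the 'Strongswan.@connection[0]=connection' type line
            sections.setdefault(section.split(".", 1)[1], {})[option] = value
    return sections

# The typical tunnel configuration printed above, as 'uci show' output.
MANUAL_EXAMPLE = """
Strongswan.@connection[0]=connection
Strongswan.@connection[0].type=tunnel
Strongswan.@connection[0].name=test
Strongswan.@connection[0].waniface=wan
Strongswan.@connection[0].localid=10.1.1.1
Strongswan.@connection[0].locallan=10.1.1.0
Strongswan.@connection[0].locallanmask=255.255.255.0
Strongswan.@connection[0].remoteid=10.2.2.2
Strongswan.@connection[0].remoteaddress=10.2.2.2
Strongswan.@connection[0].remotelan=10.2.2.2
Strongswan.@connection[0].remotelanmask=255.255.255.0
Strongswan.@connection[0].ike=3des-md5-modp1024
Strongswan.@connection[0].esp=3des-md5
Strongswan.@connection[0].auto=start
Strongswan.@connection[0].ikelifetime=8h
Strongswan.@connection[0].keylife=1h
Strongswan.@connection[0].rekeymargin=9m
Strongswan.@connection[0].keyingtries=3
Strongswan.@connection[0].dpdaction=hold
Strongswan.@connection[0].dpddelay=30s
Strongswan.@connection[0].dpdtimeout=120s
Strongswan.@connection[0].enabled=yes
"""
```

Running check_connection over the parsed MANUAL_EXAMPLE reports 3des, md5 and modp1024 for ike, 3des and md5 for esp, and the missing PFS group on esp.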
19.3 Shunt connection
If the remote LAN network is 0.0.0.0/0 then all traffic generated on the local LAN will be sent via the IPSec tunnel. This includes traffic destined to the router's own IP address. To avoid this situation you must include an additional config connection section.

    strongswan.@connection[1]=connection
    strongswan.@connection[1].name=local
    strongswan.@connection[1].enabled=yes
    strongswan.@connection[1].locallan=10.1.1.1
    strongswan.@connection[1].locallanmask=255.255.255.255
    strongswan.@connection[1].remotelan=10.1.1.0
    strongswan.@connection[1].remotelanmask=255.255.255.0
    strongswan.@connection[1].type=pass
    strongswan.@connection[1].auto=route

The same section in configuration file syntax:

    config connection
        option name 'local'
        option enabled 'yes'
        option locallan '10.1.1.1'
        option locallanmask '255.255.255.255'
        option remotelan '10.1.1.0'
        option remotelanmask '255.255.255.0'
        option type 'pass'
        option auto 'route'

Traffic originating on remotelan and destined to the locallan address is excluded from the IPSec VPN policy.
19.4 Secret settings
Each tunnel also requires settings for how the local end point of the tunnel proves its identity to the remote end point.
enabled (required: yes; default: no): Defines whether this set of credentials is to be used or not.
idtype (string; required: no; default: ipaddress): Defines whether an IP address or a userfqdn is used.
userfqdn (string; required: no; default: none): FQDN or Xauth name. This must match xauth_identity from the config 'connection' section.
localaddress (string; required: yes; default: none): Sets the local ID address.
remoteaddress (string; required: yes; default: none): Sets the remote ID address.
secrettype (string; required: yes; default: psk): Specifies the mechanism by which the two peers authenticate one another. psk: pre-shared secret. pubkey: public key signatures. rsasig: RSA digital signatures. ecdsasig: Elliptic Curve DSA signatures. xauth: extended authentication.
secret (string): Sets the pre-shared key.
A sample secret section which could be used with the connection section in 'Connection Settings' is shown below:

    Strongswan.@secret[0]=secret
    Strongswan.@secret[0].enabled=yes
    Strongswan.@secret[0].localaddress=10.1.1.1
    Strongswan.@secret[0].remoteaddress=10.2.2.2
    Strongswan.@secret[0].secrettype=psk
    Strongswan.@secret[0].secret=secret

The same section in configuration file syntax:

    config 'secret'
        option 'enabled' "yes"
        option 'localaddress' "10.1.1.1"
        option 'remoteaddress' "10.2.2.2"
        option 'secrettype' 'psk'
        option 'secret' "secret"
If xauth is defined as the authentication method then you must include an additional config secret section, as shown in the example below.

    strongswan.@secret[1].enabled=yes
    strongswan.@secret[1].idtype=userfqdn
    strongswan.@secret[1].userfqdn=testxauth
    strongswan.@secret[1].remoteaddress=10.2.2.2
    strongswan.@secret[1].secret=xauth
    strongswan.@secret[1].secrettype=XAUTH

The same section in configuration file syntax:

    config secret
        option enabled 'yes'
        option idtype 'userfqdn'
        option userfqdn 'testxauth'
        option remoteaddress '10.2.2.2'
        option secret 'xauth'
        option secrettype 'XAUTH'
20 Configuring firewall
The firewall itself is not required. It is a set of scripts which configure netfilter. If preferred, you can use netfilter directly to achieve the desired firewall behaviour.
Note: the UCI firewall exists to simplify the configuration of netfilter (for many scenarios) without requiring the knowledge to deal with the complexity of netfilter.
The firewall configuration consists of several zones covering one or more interfaces. Allowed traffic flow between the zones is controlled by forwardings.
Each zone can include multiple rules and redirects.
Below is an overview of the section types that may be defined in the firewall configuration. A minimal firewall configuration for a router usually consists of one defaults section, at least two zones (LAN and WAN) and one forwarding to allow traffic from LAN to WAN. Other sections that exist are redirects, rules and includes.
20.1 Defaults section
The defaults section declares global firewall settings which do not belong to any specific zones. The following options are defined within this section:
syn_flood (boolean; required: no; default: 1): Enables SYN flood protection.
drop_invalid (boolean; required: no; default: 1): Drops packets not matching any active connection.
disable_ipv6 (boolean; required: no; default: 0): Disables IPv6 firewall rules if set to 1.
input (string; required: no; default: DROP): Default policy (ACCEPT, REJECT, DROP) for the INPUT chain.
forward (string; required: no; default: DROP): Default policy (ACCEPT, REJECT, DROP) for the FORWARD chain.
output (string; required: no; default: DROP): Default policy (ACCEPT, REJECT, DROP) for the OUTPUT chain.
20.2 Zones section
A zone section groups one or more interfaces and serves as a source or destination for forwardings, rules and redirects. Masquerading (NAT) of outgoing traffic is controlled on a per-zone basis.
The options below are defined within zone sections:
name (zone name; required: yes; default: none): Sets the unique zone name.
network (list; required: no; default: none): Defines a list of interfaces attached to this zone; if omitted, the value of name is used by default.
masq (boolean; required: no; default: 0): Specifies whether outgoing zone traffic should be masqueraded (NATed). This is typically enabled on the wan zone.
masq_src (list of subnets; required: no; default: 0.0.0.0/0): Limits masquerading to the given source subnets. Negation is possible by prefixing the subnet with !; multiple subnets are allowed.
masq_dest (list of subnets; required: no; default: 0.0.0.0/0): Limits masquerading to the given destination subnets. Negation is possible by prefixing the subnet with !; multiple subnets are allowed.
conntrack (boolean; required: no; default: 1 if masquerading is used, 0 otherwise): Forces connection tracking for this zone.
mtu_fix (boolean; required: no; default: 0): Enables MSS clamping for outgoing zone traffic.
input (string; required: no; default: DROP): Default policy (ACCEPT, REJECT, DROP) for incoming zone traffic.
forward (string; required: no; default: DROP): Default policy (ACCEPT, REJECT, DROP) for forwarded zone traffic.
output (string; required: no; default: DROP): Default policy (ACCEPT, REJECT, DROP) for outgoing zone traffic.
family (string; required: no; default: any): Defines the protocol family (ipv4, ipv6 or any) to generate iptables rules for.
log (boolean; required: no; default: 0): Creates log rules for rejected and dropped traffic in this zone.
log_limit (string; required: no; default: 10/minute): Limits the amount of log messages per interval.
20.3 Forwarding sections
The forwarding sections control the traffic flow between zones and can enable MSS clamping for specific directions. Only one direction is covered by a forwarding rule. To allow bidirectional traffic flows between two zones, you need two forwardings, with src and dest reversed in each.
The table below shows allowed options within forwarding sections:
src (zone name; required: yes; default: none): Specifies the traffic source zone; must refer to one of the defined zone names.
dest (zone name; required: yes; default: none): Specifies the traffic destination zone; must refer to one of the defined zone names.
family (string; required: no; default: any): Defines the protocol family (ipv4, ipv6 or any) to generate iptables rules for.
The iptables rules generated for this section rely on the state match which needs connection tracking to work. At least one of the src or dest zones needs to have connection tracking enabled through either the masq or the conntrack option.
20.4 Redirects
Port forwardings (DNAT) are defined by redirect sections. All incoming traffic on the specified source zone which matches the given rules will be directed to the specified internal host.
The options described in the table below are valid for redirects:
src (zone name; required: yes for DNAT target; default: none): Specifies the traffic source zone; must refer to one of the defined zone names. For typical port forwards this is usually wan.
src_ip (ip address; required: no; default: none): Matches incoming traffic from the specified source IP address.
src_dip (ip address; required: yes for SNAT target; default: none): For DNAT, matches incoming traffic directed at the given destination IP address. For SNAT, rewrites the source address to the given address.
src_mac (mac address; required: no; default: none): Matches incoming traffic from the specified MAC address.
src_port (port or range; required: no; default: none): Matches incoming traffic originating from the given source port or port range on the client host.
src_dport (port or range; required: no; default: none): For DNAT, matches incoming traffic directed at the given destination port or port range on this host. For SNAT, rewrites the source ports to the given value.
proto (protocol name or number; required: yes; default: tcpudp): Matches incoming traffic using the given protocol.
dest (zone name; required: yes for SNAT target; default: none): Specifies the traffic destination zone; must refer to one of the defined zone names.
dest_ip (ip address; required: yes for DNAT target; default: none): For DNAT, redirects matched incoming traffic to the specified internal host. For SNAT, matches traffic directed at the given address.
dest_port (port or range; required: no; default: none): For DNAT, redirects matched incoming traffic to the given port on the internal host. For SNAT, matches traffic directed at the given ports.
target (string; required: no; default: DNAT): NAT target (DNAT or SNAT) to use when generating the rule.
family (string; required: no; default: any): Protocol family (ipv4, ipv6 or any) to generate iptables rules for.
reflection (boolean; required: no; default: 1): Disables NAT reflection for this redirect if set to 0; applicable to DNAT targets.
limit (string; required: no; default: none): Sets the maximum average matching rate; specified as a number, with an optional /second, /minute, /hour or /day suffix. Example: 3/hour.
limit_burst (integer; required: no; default: 5): Sets the maximum initial number of packets to match. This number gets recharged by one every time the limit specified above is not reached, up to this number.
extra (string; required: no; default: none): Extra arguments to pass to iptables; useful to specify additional match options, like -m policy --dir in for IPSec.
20.5 Rules
Sections of the type rule can be used to define basic accept or reject rules to allow or restrict access to specific ports or hosts. Like redirects the rules are tied to the given source zone and match incoming traffic occurring there.
Valid options for this section are:
src (zone name; required: yes; default: none): Specifies the traffic source zone; must refer to one of the defined zone names.
src_ip (ip address; required: no; default: none): Matches incoming traffic from the specified source IP address.
src_mac (mac address; required: no; default: none): Matches incoming traffic from the specified MAC address.
src_port (port or range; required: no; default: none): Matches incoming traffic originating from the given source port or port range on the client host if tcp or udp is specified as the protocol.
proto (protocol name or number; required: no; default: tcpudp): Matches incoming traffic using the given protocol. Can be one of tcp, udp, tcpudp, udplite, icmp, esp, ah, sctp, or all, or it can be a numeric value representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. The number 0 is equivalent to all.
dest (zone name; required: no; default: none): Specifies the traffic destination zone; must refer to one of the defined zone names. If specified, the rule applies to forwarded traffic; otherwise it is treated as an input rule.
dest_ip (ip address; required: no; default: none): Matches incoming traffic directed to the specified destination IP address.
dest_port (port or range; required: no; default: none): Matches incoming traffic directed at the given destination port or port range on this host if tcp or udp is specified as the protocol.
target (string; required: yes; default: DROP): Firewall action (ACCEPT, REJECT, DROP) for matched traffic.
family (string; required: no; default: any): Protocol family (ipv4, ipv6 or any) to generate iptables rules for.
limit (string; required: no; default: none): Maximum average matching rate; specified as a number, with an optional /second, /minute, /hour or /day suffix. Example: 3/hour.
limit_burst (integer; required: no; default: 5): Maximum initial number of packets to match; this number gets recharged by one every time the limit specified above is not reached, up to this number.
extra (string; required: no; default: none): Extra arguments to pass to iptables; mainly useful to specify additional match options, like -m policy --dir in for IPSec.
20.6 Includes
It is possible to include custom firewall scripts by specifying one or more include sections in the firewall configuration.
There is only one possible parameter for includes:
path (file name; required: yes; default: /etc/firewall.user): Specifies a shell script to execute on boot or firewall restarts.
Included scripts may contain arbitrary commands, for example advanced iptables rules or tc commands required for traffic shaping.
When writing custom iptables rules use -I (insert) instead of -A (append) to ensure that the created rules appear before the generic ones.
20.7 IPv6 notes
As described above, the option family is used for distinguishing between IPv4, IPv6 and both protocols. However, the family is inferred automatically if IPv6 addresses are used. For example, the following rule is automatically treated as an IPv6-only rule:

    config rule
        option src wan
        option src_ip fdca:f00:ba3::/64
        option target ACCEPT

Similarly, the following rule is automatically treated as IPv4 only:

    config rule
        option src wan
        option dest_ip 88.77.66.55
        option target REJECT

Rules without IP addresses are automatically added to both iptables and ip6tables, unless overridden by the family option. Redirect rules (port forwards) are always IPv4 since there is no IPv6 DNAT support at present.
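As an added example (not the router's firewall scripts): a Python reader for the config syntax above that applies the IPv6 notes, deciding whether a rule lands in iptables, ip6tables or both, and filling in the defaults from the rules and redirects tables. The sample configuration is constructed from the snippets in this chapter; the behaviour when an explicit family contradicts an address (the address wins here) is this example's assumption.

```python
import ipaddress
import shlex


def parse_firewall_config(text):
    """UCI config-file syntax ('config <type> [name]' followed by 'option <key> <value>'
    lines, quotes optional) -> list of (section_type, {option: value})."""
    sections = []
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)
        if not words:
            continue
        if words[0] == "config":
            sections.append((words[1], {}))
        elif words[0] == "option" and sections:
            sections[-1][1][words[1]] = " ".join(words[2:])
    return sections


def address_version(value):
    """4 or 6 for an IP address or CIDR (a leading '!' negation is ignored); None otherwise."""
    try:
        return ipaddress.ip_network(value.lstrip("!"), strict=False).version
    except ValueError:
        return None


def effective_family(section_type, opts):
    """Apply the IPv6 notes above: a redirect is always IPv4; a rule carrying an IPv6
    address is IPv6-only and one carrying an IPv4 address is IPv4-only; a rule with no
    address goes to both iptables and ip6tables unless 'family' says otherwise."""
    if section_type == "redirect":
        return "ipv4"
    versions = {address_version(opts[k]) for k in ("src_ip", "dest_ip") if k in opts} - {None}
    if len(versions) > 1:
        raise ValueError("rule mixes IPv4 and IPv6 addresses")
    if versions:
        return "ipv%d" % versions.pop()
    return opts.get("family", "any")


TABLES = {"ipv4": ("iptables",), "ipv6": ("ip6tables",), "any": ("iptables", "ip6tables")}


def summarise(text):
    """One record per rule/redirect with the table defaults filled in: proto defaults to
    tcpudp, target to DROP for rules and DNAT for redirects, family as inferred above."""
    records = []
    for stype, opts in parse_firewall_config(text):
        if stype not in ("rule", "redirect"):
            continue
        family = effective_family(stype, opts)
        records.append({
            "type": stype,
            "src": opts.get("src"), "dest": opts.get("dest"),
            "proto": opts.get("proto", "tcpudp"),
            "target": opts.get("target", "DNAT" if stype == "redirect" else "DROP"),
            "family": family,
            "tables": TABLES[family],
        })
    return records


# Constructed sample: the two rules from the IPv6 notes, the SSH open-port rule and the
# HTTP port forward from the examples in this chapter, plus a defaults section.
SAMPLE_CONFIG = """
config defaults
    option syn_flood 1
    option input DROP

config rule
    option src wan
    option src_ip fdca:f00:ba3::/64
    option target ACCEPT

config rule
    option src wan
    option dest_ip 88.77.66.55
    option target REJECT

config rule
    option src wan
    option dest_port 22
    option target ACCEPT
    option proto tcp

config redirect
    option src wan
    option src_dport 80
    option proto tcp
    option dest_ip 192.168.1.10
"""

if __name__ == "__main__":
    for rec in summarise(SAMPLE_CONFIG):
        print(f"{rec['type']:<8} family={rec['family']:<4} proto={rec['proto']:<6} "
              f"target={rec['target']:<6} via {' and '.join(rec['tables'])}")
```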
20.8 Implications of DROP vs. REJECT
The decision whether to drop or to reject traffic should be made on a case-by-case basis. Many people see dropping traffic as a security advantage over rejecting it because it exposes less information to a hypothetical attacker. While dropping slightly increases security, it can also complicate the debugging of network issues or cause unwanted side-effects on client programs.
If traffic is rejected, the router responds with an ICMP error message ("destination port unreachable"), causing the connection attempt to fail immediately. This also means that for each connection attempt a certain amount of response traffic is generated. This can actually do harm if the firewall is hit with many simultaneous connection attempts: the resulting backfire of ICMP responses can clog up all available upload bandwidth and make the connection unusable (DoS).
When connection attempts are dropped the client is not aware of the blocking and will continue to re-transmit its packets until the connection eventually times out. Depending on the way the client software is implemented, this could result in frozen or hanging programs that need to wait until a timeout occurs before they're able to continue.
DROP
• less information is exposed
• less attack surface
• client software may not cope well with it (hangs until connection times out)
• may complicate network debugging (where was traffic dropped and why)
REJECT
• may expose information (like the IP at which traffic was actually blocked)
• client software can recover faster from rejected connection attempts
• network debugging easier (routing and firewall issues clearly distinguishable)
20.9 Note on connection tracking
By default, the firewall disables connection tracking for a zone if no masquerading is enabled. This is achieved by generating NOTRACK firewall rules matching all traffic passing via interfaces referenced by the firewall zone. The purpose of NOTRACK is to speed up routing and save memory by circumventing resource-intensive connection tracking in cases where it is not needed. You can check whether connection tracking is disabled by issuing iptables -t raw -vnL; it lists all rules in the raw table, so check for the NOTRACK target.
NOTRACK renders certain iptables extensions unusable; for example, the MASQUERADE target or the state match will not work.
If connection tracking is required, for example by custom rules in /etc/firewall.user, the conntrack option must be enabled in the corresponding zone to disable NOTRACK. It should appear as option 'conntrack' '1' in the right zone in /etc/config/firewall.
20.10 Firewall examples
20.10.1 Opening ports
The default configuration accepts all LAN traffic, but blocks all incoming WAN traffic on ports not currently used for connections or NAT. To open a port for a service, add a rule section:

    config rule
        option src wan
        option dest_port 22
        option target ACCEPT
        option proto tcp
This example enables machines on the Internet to use SSH to access your router.
20.10.2 Forwarding ports (destination NAT/DNAT)
This example forwards HTTP, but not HTTPS, traffic to the web server running on 192.168.1.10:

    config redirect
        option src wan
        option src_dport 80
        option proto tcp
        option dest_ip 192.168.1.10

The next example forwards one arbitrary port that you define to a box running ssh behind the firewall, in a more secure manner because it is not using the default port 22.

    config 'redirect'
        option 'name' 'ssh'
        option 'src' 'wan'
        option 'proto' 'tcpudp'
        option 'src_dport' '5555'
        option 'dest_ip' '192.168.1.100'
        option 'dest_port' '22'
        option 'target' 'DNAT'
        option 'dest' 'lan'
20.10.3 Source NAT (SNAT)
Source NAT rewrites an outgoing packet so that it looks as though the system is the source of the packet.
Define source NAT for UDP and TCP traffic directed to port 123 originating from the host with the IP address 10.55.34.85. The source address is rewritten to 63.240.161.99.

    config redirect
        option src lan
        option dest wan
        option src_ip 10.55.34.85
        option src_dip 63.240.161.99
        option dest_port 123
        option target SNAT

When used alone, Source NAT is used to restrict a computer's access to the Internet, but allows it to access a few services by manually forwarding what appear to be a few local services, for example NTP, to the Internet. While DNAT hides the local network from the Internet, SNAT hides the Internet from the local network.
Source NAT and destination NAT are combined and used dynamically in IP masquerading to make computers with private (192.168.x.x, etc.) IP addresses appear on the Internet with the system's public WAN IP address.
20.10.4 True destination port forwarding
This usage is similar to SNAT, but as the destination IP address is not changed, machines on the destination network need to be aware that they will receive and answer requests from a public IP address that is not necessarily theirs. Port forwarding in this fashion is typically used for load balancing.

    config redirect
        option src wan
        option src_dport 80
        option dest lan
        option dest_port 80
        option proto tcp
20.10.5 Block access to a specific host
The following rule blocks all connection attempts to the specified host address.
config rule
option src lan
option dest wan
option dest_ip 123.45.67.89
option target REJECT
20.10.6 Block access to the internet using MAC
The following rule blocks all connection attempts from the client to the internet.
config rule
option src lan
option dest wan
option src_mac 00:00:00:00:00:00
option target REJECT
20.10.7 Block access to the internet for a specific IP at certain times
The following rule blocks all connection attempts to the internet from 192.168.1.27 on weekdays between 21:00 and 09:00.
config rule
option src lan
option dest wan
option src_ip 192.168.1.27
option extra '-m time --weekdays Mon,Tue,Wed,Thu,Fri --timestart 21:00 --timestop 09:00'
option target REJECT
20.10.8 Restricted forwarding rule
The example below creates a forward rule rejecting traffic from LAN to WAN on the ports 1000-1100.
config rule
option src lan
option dest wan
option dest_port 1000-1100
option proto tcpudp
option target REJECT
20.10.9 Transparent proxy rule (same host)
The rule below redirects all outgoing HTTP traffic from LAN through a proxy server listening at port 3128 on the router itself.
config redirect
option src lan
option proto tcp
option src_dport 80
option dest_port 3128
20.10.10 Transparent proxy rule (external)
The following rule redirects all outgoing HTTP traffic from LAN through an external proxy at 192.168.1.100 listening on port 3128. It assumes the router LAN address to be 192.168.1.1; this is needed to masquerade redirected traffic towards the proxy.
config redirect
option src lan
option proto tcp
option src_ip !192.168.1.100
option src_dport 80
option dest_ip 192.168.1.100
option dest_port 3128
option target DNAT
config redirect
option dest lan
option proto tcp
option src_dip 192.168.1.1
option dest_ip 192.168.1.100
option dest_port 3128
option target SNAT
20.10.11 Simple DMZ rule
The following rule redirects all WAN ports for all protocols to the internal host 192.168.1.2.
config redirect
option src wan
option proto all
option dest_ip 192.168.1.2
20.10.12 IPSec passthrough
This example enables proper forwarding of IPSec traffic through the WAN.
# AH protocol
config rule
option src wan
option dest lan
option proto ah
option target ACCEPT
# ESP protocol
config rule
option src wan
option dest lan
option proto esp
option target ACCEPT
For some configurations you also have to open port 500/UDP.
# ISAKMP protocol
config rule
option src wan
option dest lan
option proto udp
option src_port 500
option dest_port 500
option target ACCEPT
20.10.13 Manual iptables rules
You can specify traditional iptables rules, in the standard iptables Unix command form, in an external file that is included from the firewall config file. It is possible to use this process to include multiple files.
config include
option path /etc/firewall.user
config include
option path /etc/firewall.vpn
The syntax of the included files is the standard Linux iptables syntax and is therefore different from UCI's. The syntax is described in the netfilter documentation.
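To review what a set of stanzas like the ones in this chapter actually exposes before reloading the firewall, here is an added Python example; it is not code from the GW1000 manual or from the router's fw tool. It parses the config/option/list text form used above and summarises the WAN forwards, the explicit rejects and any raw iptables includes. The sample configuration inside it is constructed from the shapes shown in 20.10, and the assumption that a redirect without a target defaults to DNAT follows OpenWrt-style firewalls.

```python
"""Parse UCI firewall stanzas and summarise what they expose.

Added example, not code from the GW1000 manual or from the router's fw tool.
It reads the config/option/list text form used throughout this chapter and
reports which WAN ports the DNAT redirects expose and which REJECT rules are
present, so a change can be reviewed before `/etc/init.d/firewall restart`.
"""
import shlex

# Constructed sample in the shapes shown in 20.10: an SSH forward on a
# non-default port, a DMZ-style catch-all redirect, a restricted forward
# and an include of raw iptables rules.
SAMPLE_FIREWALL = """
config 'redirect'
option 'name' 'ssh'
option 'src' 'wan'
option 'proto' 'tcpudp'
option 'src_dport' '5555'
option 'dest_ip' '192.168.1.100'
option 'dest_port' '22'
option 'target' 'DNAT'
option 'dest' 'lan'

# simple DMZ rule
config redirect
option src wan
option proto all
option dest_ip 192.168.1.2

config rule
option src lan
option dest wan
option dest_port 1000-1100
option proto tcpudp
option target REJECT

config include
option path /etc/firewall.user
"""


def parse_uci(text):
    """Return [(section_type, section_name_or_None, {option: value or [list values]})]."""
    sections = []
    for line in text.splitlines():
        words = shlex.split(line, comments=True)   # handles 'quoted' and bare values, skips # comments
        if not words:
            continue
        keyword, args = words[0], words[1:]
        if keyword == "config":
            sections.append((args[0], args[1] if len(args) > 1 else None, {}))
        elif keyword == "option" and sections:
            sections[-1][2][args[0]] = args[1] if len(args) > 1 else ""
        elif keyword == "list" and sections:
            sections[-1][2].setdefault(args[0], []).append(args[1])
    return sections


def audit_firewall(text):
    """Return human-readable findings in stanza order: exposures, rejects, includes."""
    findings = []
    for kind, name, opts in parse_uci(text):
        label = f"{kind} {name}" if name else kind
        # Assumption: a redirect with no explicit target is a DNAT (OpenWrt-style firewalls).
        if kind == "redirect" and opts.get("src") == "wan" and opts.get("target", "DNAT") == "DNAT":
            proto = opts.get("proto", "tcpudp")
            dport = opts.get("src_dport")
            target = opts.get("dest_ip", "the router itself")
            if "dest_port" in opts:
                target += ":" + opts["dest_port"]
            scope = f"port {dport}" if dport else "every port"
            proto_txt = "" if proto == "all" else f"{proto} "
            findings.append(f"{label}: WAN {proto_txt}{scope} forwarded to {target}")
            if dport is None:
                findings.append(f"{label}: DMZ-style forward; restrict src_dport to the "
                                f"services {target} actually needs")
        elif kind == "rule" and opts.get("target") == "REJECT":
            findings.append(f"{label}: {opts.get('src')}->{opts.get('dest')} "
                            f"{opts.get('proto', 'any')} port {opts.get('dest_port', 'any')} rejected")
        elif kind == "include":
            findings.append(f"{label}: raw iptables rules loaded from {opts.get('path')}; review that file too")
    return findings


if __name__ == "__main__":
    for finding in audit_firewall(SAMPLE_FIREWALL):
        print(finding)
```

Run it against the output of `uci export firewall` copied from the router; the DMZ finding is the one to act on first, since a redirect with `proto all` and no `src_dport` hands every WAN port to the internal host.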
20.11 Firewall management
After a configuration change, firewall rules are rebuilt by entering:
root@VA_router:/# /etc/init.d/firewall restart
Executing the following command will flush all rules and set the policies to ACCEPT on all standard chains:
root@VA_router:/# /etc/init.d/firewall stop
To manually start the firewall, enter:
root@VA_router:/# /etc/init.d/firewall start
The firewall can be permanently disabled by entering:
root@VA_router:/# /etc/init.d/firewall disable
Note: disable does not flush the rules, so you may need to issue a stop first.
To enable the firewall again, enter:
root@VA_router:/# /etc/init.d/firewall enable
20.12 Debug generated rule set
It is possible to observe the iptables commands generated by the firewall programme. This is useful to track down iptables errors during firewall restarts or to verify the outcome of certain UCI rules.
To see the rules as they are executed, run the fw command with the FW_TRACE environment variable set to 1 (one):
root@VA_router:/# FW_TRACE=1 fw reload
To direct the output to a file for later inspection, enter:
root@VA_router:/# FW_TRACE=1 fw reload 2>/tmp/iptables.lo
21 Configuring SNMP
The SNMP daemon has several configuration sections that configure the agent itself (agent and system sections), the assignment of community names and SNMP protocol versions to groups (com2sec and group sections), the creation of views and subviews of the whole available SNMP tree (view section) and finally, the granting of specific access to those views on a group-by-group basis (access section).
21.1 agent
The options defined for this section are outlined below.
agentaddress
    Type: string
    Required: yes
    Description: Specifies the address(es) and port(s) on which the agent should listen. Format: [(udp|tcp):]port[@address][,...]
authtrapenabled
    Type: boolean yes|no
    Required: no
    Description: yes: enables the SNMP authentication trap; no: disables the SNMP authentication trap. Note: this is the SNMP poll authentication trap, sent when there is a community mismatch.
link_updown_notify
    Type: boolean yes|no
    Required: no
    Description: When enabled, the router sends a trap notifying link up/down.
A typical sample agent configuration is shown below. It causes the agent to listen on UDP port 161, with authentication traps and link up/down notification enabled.
uci set snmpd.@agent[0].agentaddress=UDP:161
uci set snmpd.@agent[0].authtrapenabled=1
uci set snmpd.@agent[0].link_updown_notify=yes
config 'agent'
option agentaddress 'UDP:161'
option authtrapenabled '1'
option link_updown_notify 'yes'
Another sample agent configuration, shown below, causes the agent to listen on UDP port 161, TCP port 161 and UDP port 9161 on only the interface associated with the localhost address.
config 'agent'
option agentaddress 'UDP:161,tcp:161,9161@localhost'
21.2 system
The options defined for this section are shown in the table below.
agentaddress
    Type: string
    Required: yes
    Description: Specifies the address(es) and port(s) on which the agent should listen. Format: [(udp|tcp):]port[@address][,...]
sysLocation, sysContact, sysName
    Type: string
    Required: yes
    Description: Sets the system location, system contact or system name for the agent. This information is reported in the 'system' group of the mibII tree. Ordinarily these objects (sysLocation.0, sysContact.0 and sysName.0) are read-write. However, specifying the value for one of these objects by giving the appropriate token makes the corresponding object read-only, and attempts to set the value of the object will result in a notWritable error response.
A possible system configuration section is shown below:
config 'system'
option sysLocation 'Office 123'
option sysContact 'Mr White'
option sysName 'Backup Access 4'
21.3 com2sec
This section is used to map SNMP community names into an arbitrary security name. Mapping of community names into security names is done based on the community name and the source subnet. The first source/community combination that matches the incoming packet is used.
The options defined for this section are outlined below.
secname
    Type: string
    Required: yes
    Description: Specifies an arbitrary security name for the user.
source
    Type: string
    Required: yes
    Description: A hostname, localhost or a subnet specified as a.b.c.d/mask or a.b.c.d/bits.
community
    Type: string
    Required: yes
    Description: The community string being presented in the request.
The following sample specifies that a request from any source using “public” as the community string will be dealt with using the security name “ro”. However, any request from the localhost itself using “private” as the community string will be dealt with using the security name “rw”.
Note: the security names of “ro” and “rw” here are simply names – the fact of a security name having read-only or read-write permissions is handled in the access section and dealt with at a group granularity.
config 'com2sec' 'public'
option secname 'ro'
option source 'default'
option community 'public'
config 'com2sec' 'private'
option secname 'rw'
option source 'localhost'
option community 'private'
group
The options defined for this section are outlined below.
group
    Type: string
    Required: yes
    Description: Specifies an arbitrary group name.
version
    Type: string
    Required: yes
    Description: Specifies the SNMP version number being used in the request: v1, v2c and usm are supported.
secname
    Type: string
    Required: yes
    Description: An already defined security name that is being included in this group.
The following example specifies that requests from the security name “ro” using SNMP v1, v2c or USM (User Based Security Model for SNMP v3) are all mapped to the “public” group. Similarly, requests from the security name “rw” in all protocols are mapped to the “private” group.
config 'group' 'public_v1'
option group 'public'
option version 'v1'
option secname 'ro'
config 'group' 'public_v2c'
option group 'public'
option version 'v2c'
option secname 'ro'
config 'group' 'public_usm'
option group 'public'
option version 'usm'
option secname 'ro'
config 'group' 'private_v1'
option group 'private'
option version 'v1'
option secname 'rw'
config 'group' 'private_v2c'
option group 'private'
option version 'v2c'
option secname 'rw'
config 'group' 'private_usm'
option group 'private'
option version 'usm'
option secname 'rw'
view
The options defined for this section are outlined below.
viewname
    Type: string
    Required: yes
    Description: Specifies an arbitrary view name. Typically it describes what the view shows.
type
    Type: string
    Required: yes
    Description: Specifies whether the view lists oids that are included in the view or lists oids to be excluded from the view (in which case all other oids are visible apart from those listed). Values: included, excluded
oid
    Type: string
    Required: yes
    Description: An oid. 1 is everything; .iso.org.dod.Internet.mgmt.mib-2 is mib2; any other valid oid may be given.
The following example defines two views, one for the entire system and another for only mib2.
config 'view' 'all'
option viewname 'all'
option type 'included'
option oid '.1'
config 'view' 'mib2'
option viewname 'mib2'
option type 'included'
option oid '.iso.org.dod.Internet.mgmt.mib-2'
21.4 access
The options defined for this section are outlined below.
group
    Type: string
    Required: yes
    Description: Specifies the group to which access is being granted.
context
    Type: string
    Required: yes
    Description: For SNMP v1 and SNMP v2c, context must be none.
version
    Type: string
    Required: yes
    Description: Specifies the SNMP version number being used in the request: any, v1, v2c and usm are supported.
level
    Type: string
    Required: yes
    Description: The security level: noauth, auth or priv. For SNMP v1 and SNMP v2c, level must be noauth.
prefix
    Type: string
    Required: yes
    Description: Specifies how context (above) should be matched against the context of the incoming pdu, either exact or prefix.
read
    Type: A valid view or none
    Required: yes
    Description: Specifies the view to be used for read access.
write
    Type: A valid view or none
    Required: yes
    Description: Specifies the view to be used for write access.
notify
    Type: A valid view or none
    Required: yes
    Description: Specifies the view to be used for notify access.
The following example shows the “public” group being granted read access on the “all” view and the “private” group being granted read and write access on the “all” view.
config 'access' 'public_access'
option group 'public'
option context 'none'
option version 'any'
option level 'noauth'
option prefix 'exact'
option read 'all'
option write 'none'
option notify 'none'
config 'access' 'private_access'
option group 'private'
option context 'none'
option version 'any'
option level 'noauth'
option prefix 'exact'
option read 'all'
option write 'all'
option notify 'all'
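The com2sec, group, view and access sections above form one chain: a request's source and community select a security name, the security name and protocol version select a group, and the group's access entry names the view used for each operation. The added Python example below (not code from the manual or from snmpd) models that chain with the sample sections from 21.3 and 21.4, so a community/source/version combination can be checked before the agent is exposed. Its source matching is an assumption that covers only 'default', 'localhost' and a.b.c.d/bits subnets.

```python
"""Resolve an SNMP request through the com2sec -> group -> access -> view chain.

Added example; not code from the GW1000 manual or from snmpd. It models the
mapping described in 21.3 and 21.4 with the sample sections from those
subsections. Source matching is an assumption that covers only 'default',
'localhost' and a.b.c.d/bits subnets.
"""
import ipaddress

# Constructed from the sample com2sec, group and access sections above.
COM2SEC = [  # first (source, community) match wins
    {"secname": "ro", "source": "default", "community": "public"},
    {"secname": "rw", "source": "localhost", "community": "private"},
]
GROUPS = (
    [{"group": "public", "version": v, "secname": "ro"} for v in ("v1", "v2c", "usm")]
    + [{"group": "private", "version": v, "secname": "rw"} for v in ("v1", "v2c", "usm")]
)
ACCESS = [
    {"group": "public", "version": "any", "level": "noauth",
     "read": "all", "write": "none", "notify": "none"},
    {"group": "private", "version": "any", "level": "noauth",
     "read": "all", "write": "all", "notify": "all"},
]


def source_matches(source, addr):
    """com2sec source: 'default' matches anywhere, 'localhost' the loopback, else a subnet."""
    if source == "default":
        return True
    if source == "localhost":
        return ipaddress.ip_address(addr).is_loopback
    return ipaddress.ip_address(addr) in ipaddress.ip_network(source, strict=False)


def resolve_view(addr, community, version, operation):
    """Return the view granted for operation ('read', 'write' or 'notify'), or None if denied."""
    secname = next((c["secname"] for c in COM2SEC
                    if c["community"] == community and source_matches(c["source"], addr)), None)
    if secname is None:
        return None  # no com2sec match: request dropped (community mismatch, see authtrapenabled)
    group = next((g["group"] for g in GROUPS
                  if g["secname"] == secname and g["version"] == version), None)
    if group is None:
        return None  # security name known, but not mapped for this protocol version
    for entry in ACCESS:
        if entry["group"] == group and entry["version"] in ("any", version):
            return None if entry[operation] == "none" else entry[operation]
    return None


def write_capable_communities():
    """List (community, source, version) triples that reach a writable view: the ones to lock down."""
    found = []
    for c in COM2SEC:
        if c["source"] == "default":
            probe = "203.0.113.9"  # any address will do for 'default'
        elif c["source"] == "localhost":
            probe = "127.0.0.1"
        else:
            probe = str(ipaddress.ip_network(c["source"], strict=False).network_address)
        for version in ("v1", "v2c", "usm"):
            if resolve_view(probe, c["community"], version, "write"):
                found.append((c["community"], c["source"], version))
                break
    return found
```

With the sample sections, only “private” from the loopback reaches a writable view; “public” from anywhere gets read access to the whole tree and nothing else, which is the property to confirm whenever a com2sec source of 'default' is used.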
21.5 SNMP traps
The options defined for this section are outlined below.
# for SNMPv1 or v2c trap receivers
config trapreceiver
option host 'IPADDR[:PORT]'
option version 'v1|v2c'
option community 'COMMUNITY STRING'
# for SNMPv2c inform request receiver
config informreceiver
option host 'IPADDR[:PORT]'
option community 'COMMUNITY STRING'
An additional option was added to the 'agent' section:
option authtrapenabled '0|1'
22 Configuring HTTP server
The uhttpd configuration is used by the uhttpd web server package. This file defines the behaviour of the server and the default values for certificates generated for SSL operation. uhttpd supports multiple instances, that is, multiple listen ports, each with its own document root and other features, as well as CGI and Lua.
There are two section types defined: the section of type uhttpd contains general server settings, while the cert section defines the default values for SSL certificates.
22.1 Server settings
The options defined for this section are outlined below.
listen_http
    Type: list of port numbers or address:port pairs
    Required: yes
    Default: (none)
    Description: Specifies the ports and addresses to listen on for plain HTTP access. If only a port number is given, the server will attempt to serve both IPv4 and IPv6 requests. Use 0.0.0.0:80 to bind at port 80 only on IPv4 interfaces or [::]:80 to serve only IPv6.
listen_https
    Type: list of port numbers or address:port pairs
    Required: no
    Default: (none)
    Description: Specifies the ports and addresses to listen on for encrypted HTTPS access. The format is the same as for listen_http. Read below for extra details.
home
    Type: directory path
    Required: yes
    Default: /www
    Description: Defines the server document root.
cert
    Type: file path
    Required: yes if listen_https is given, else no
    Default: /etc/uhttpd.crt
    Description: ASN.1/DER certificate used to serve HTTPS connections.
key
    Type: file path
    Required: yes if listen_https is given, else no
    Default: /etc/uhttpd.key
    Description: ASN.1/DER private key used to serve HTTPS connections.
cgi_prefix
    Type: string
    Required: no
    Default: /cgi-bin
    Description: Defines the prefix for CGI scripts, relative to the document root. CGI support is disabled if this option is missing.
lua_prefix
    Type: string
    Required: no
    Default: (none)
    Description: Defines the prefix for dispatching requests to the embedded Lua interpreter, relative to the document root. Lua support is disabled if this option is missing.
lua_handler
    Type: file path
    Required: yes if lua_prefix is given, else no
    Default: (none)
    Description: Specifies the Lua handler script used to initialise the Lua runtime on server start.
script_timeout
    Type: integer
    Required: no
    Default: 60
    Description: Sets the maximum wait time for CGI or Lua requests in seconds. Requested executables are terminated if no output was generated before the timeout expired.
network_timeout
    Type: integer
    Required: no
    Default: 30
    Description: Sets the maximum wait time for network activity. Requested executables are terminated and the connection is shut down if no network activity occurred for the specified number of seconds.
realm
    Type: string
    Required: no
    Default: local hostname
    Description: Defines the basic authentication realm when prompting the client for credentials (HTTP 400).
config
    Type: file path
    Required: no
    Default: /etc/httpd.conf
    Description: Config file in Busybox httpd format for additional settings (currently only used to specify Basic Auth areas).
index_page
    Type: file name
    Required: no
    Default: index.html, index.htm, default.html, default.htm
    Description: Index file to use for directories, e.g. add index.php when using PHP.
error_page
    Type: string
    Required: no
    Default: (none)
    Description: Virtual URL of the file or CGI script to handle 404 requests. Must begin with '/'.
no_symlinks
    Type: boolean
    Required: no
    Default: 0
    Description: Do not follow symbolic links if enabled.
no_dirlists
    Type: boolean
    Required: no
    Default: 0
    Description: Do not generate directory listings if enabled.
Multiple sections of the type uhttpd may exist; the init script will launch one web server instance per section.
A standard uhttpd configuration is shown below.
root@VA_router:~# uci show uhttpd.main
uhttpd.main=uhttpd
uhttpd.main.listen_http=0.0.0.0:80
uhttpd.main.listen_https=0.0.0.0:443
uhttpd.main.home=/www
uhttpd.main.rfc1918_filter=1
uhttpd.main.cert=/etc/uhttpd.crt
uhttpd.main.key=/etc/uhttpd.key
uhttpd.main.cgi_prefix=/cgi-bin
uhttpd.main.script_timeout=60
uhttpd.main.network_timeout=30
config 'uhttpd' 'main'
list 'listen_http' '0.0.0.0:80'
list 'listen_https' '0.0.0.0:443'
option 'home' '/www'
option 'rfc1918_filter' '1'
option 'cert' '/etc/uhttpd.crt'
option 'key' '/etc/uhttpd.key'
option 'cgi_prefix' '/cgi-bin'
option 'script_timeout' '60'
option 'network_timeout' '30'
22.2 HTTPS certificate settings and creation
If listen_https is defined in the server configuration and the certificate and private key are missing, the web server init script generates the appropriate certificate and key files when the server is started for the first time, either by reboot or by manual restart.
The uhttpd configuration contains a section detailing the certificate and key file creation parameters.
days
    Type: integer
    Required: no
    Default: 730
    Description: Validity time of the generated certificates in days.
bits
    Type: integer
    Required: no
    Default: 1024
    Description: Size of the generated RSA key in bits.
country
    Type: string
    Required: no
    Default: DE
    Description: ISO country code of the certificate issuer.
state
    Type: string
    Required: no
    Default: Berlin
    Description: State of the certificate issuer.
location
    Type: string
    Required: no
    Default: Berlin
    Description: Location/city of the certificate issuer.
commonname
    Type: string
    Required: no
    Default: (none)
    Description: Common name covered by the certificate. For the purposes of secure Activation this MUST be set to the serial number (eth0 MAC address) of the device.
A standard uhttpd certificate section is shown below.
root@VA_router:~# uci show uhttpd.px5g
uhttpd.px5g=cert
uhttpd.px5g.days=3650
uhttpd.px5g.bits=1024
uhttpd.px5g.country=IE
uhttpd.px5g.state=Dublin
uhttpd.px5g.location=Dublin
uhttpd.px5g.commonname=00E0C8000000
config 'cert' 'px5g'
option 'days' '3650'
option 'bits' '1024'
option 'country' 'IE'
option 'state' 'Dublin'
option 'location' 'Dublin'
option 'commonname' '00E0C8000000'
22.3 Basic authentication (httpd.conf)
For backward compatibility reasons, uhttpd uses the file /etc/httpd.conf to define authentication areas and the associated usernames and passwords. This configuration file is not in UCI format.
Authentication realms are defined in the format prefix:username:password, one entry per line.
Prefix is the URL part covered by the realm, for example, cgi-bin to request basic auth for any CGI program.
Username specifies the username a client has to log in with.
Password defines the secret password required to authenticate.
The password can be either in plain text format, MD5 encoded or in the form $p$user, where user refers to an account in /etc/shadow or /etc/passwd.
If the $p$… format is used, uhttpd will compare the client-provided password against the one stored in the shadow or passwd database.
22.4 Securing uHTTPd
By default, uHTTPd binds to 0.0.0.0, which also includes the WAN port of your router. To bind uHTTPd to the LAN port only, change the listen_http and listen_https options to your LAN IP address.
To get your current LAN IP address, enter:
uci get network.lan.ipaddr
Then modify the configuration appropriately:
uci set uhttpd.main.listen_http='192.168.1.1:80'
uci set uhttpd.main.listen_https='192.168.1.1:443'
config 'uhttpd' 'main'
# HTTP listen addresses, multiple allowed
list listen_http 192.168.1.1:80
# list listen_http [::]:80
# HTTPS listen addresses, multiple allowed
list listen_https 192.168.1.1:443
# list listen_https [::]:443
22.5 SSH server configuration
A sample SSH Server configuration is shown below.
root@VA_router:~# uci show dropbear
dropbear.@dropbear[0]=dropbear
dropbear.@dropbear[0].PasswordAuth=on
dropbear.@dropbear[0].RootPasswordAuth=on
dropbear.@dropbear[0].Port=22
root@VA_router:~# uci export dropbear
package 'dropbear'
config 'dropbear'
option 'PasswordAuth' 'on'
option 'RootPasswordAuth' 'on'
option 'Port' '22'
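The web server, certificate, httpd.conf and SSH settings of sections 22.1 to 22.5 are the ones a reviewer checks together on a router that has a WAN interface. The added Python example below (not code from the GW1000 manual, uhttpd or dropbear) parses `uci show` output and applies the checks this chapter motivates: uHTTPd bound to 0.0.0.0 or a bare port (reachable from the WAN, per 22.4), a generated RSA key shorter than 2048 bits, and password logins left on in dropbear; it also classifies the password field of httpd.conf entries. It assumes that `uci show` prints list values separated by spaces and that the "MD5 encoded" password form of 22.3 is the $1$ crypt(3) format; the sample listings inside it are constructed.

```python
"""Audit uhttpd, cert and dropbear settings from `uci show` output.

Added example; not code from the GW1000 manual, uhttpd or dropbear. It parses
the package.section.option=value lines that `uci show` prints and applies the
checks chapter 22 motivates. Assumptions: `uci show` prints list values
separated by spaces, and the "MD5 encoded" password form is the $1$ crypt(3)
format.
"""

# Constructed sample modelled on the `uci show` listings in 22.1, 22.2 and 22.5.
SAMPLE_UCI_SHOW = """\
uhttpd.main=uhttpd
uhttpd.main.listen_http=0.0.0.0:80
uhttpd.main.listen_https=0.0.0.0:443
uhttpd.main.home=/www
uhttpd.main.cert=/etc/uhttpd.crt
uhttpd.main.key=/etc/uhttpd.key
uhttpd.px5g=cert
uhttpd.px5g.days=3650
uhttpd.px5g.bits=1024
dropbear.@dropbear[0]=dropbear
dropbear.@dropbear[0].PasswordAuth=on
dropbear.@dropbear[0].RootPasswordAuth=on
dropbear.@dropbear[0].Port=22
"""

# Constructed /etc/httpd.conf lines in the prefix:username:password format of 22.3.
SAMPLE_HTTPD_CONF = """\
/cgi-bin:admin:hunter2
/cgi-bin:ops:$1$saltsalt$abcdefghijklmnopqrstuv
/:root:$p$root
"""


def parse_uci_show(text):
    """Return {'package.section': {'.type': type, option: value, ...}}."""
    conf = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        parts = key.split(".")
        if len(parts) == 2:                    # package.section=type
            conf.setdefault(key, {})[".type"] = value
        elif len(parts) == 3:                  # package.section.option=value
            conf.setdefault(parts[0] + "." + parts[1], {})[parts[2]] = value
    return conf


def listens_everywhere(addr):
    """True for a bare port, 0.0.0.0:port or [::]:port (all interfaces, WAN included)."""
    return ":" not in addr or addr.startswith("0.0.0.0:") or addr.startswith("[::]:")


def audit_services(uci_show_text, lan_ip):
    """Return findings as strings; an empty list means every check passed."""
    findings = []
    for section, opts in parse_uci_show(uci_show_text).items():
        kind = opts.get(".type")
        if kind == "uhttpd":
            for opt in ("listen_http", "listen_https"):
                for addr in opts.get(opt, "").split():   # assumption: list values are space-separated
                    if listens_everywhere(addr):
                        port = addr.rsplit(":", 1)[-1]
                        findings.append(f"{section}.{opt}={addr}: bound on all interfaces; "
                                        f"use {lan_ip}:{port} to keep it off the WAN")
        elif kind == "cert":
            bits = int(opts.get("bits", "1024"))  # 1024 is the documented default
            if bits < 2048:
                findings.append(f"{section}.bits={bits}: generated RSA key shorter than 2048 bits")
        elif kind == "dropbear":
            if opts.get("RootPasswordAuth", "on") == "on":
                findings.append(f"{section}.RootPasswordAuth=on: root can log in with a password; "
                                "set it to off and use SSH keys")
            if opts.get("PasswordAuth", "on") == "on":
                findings.append(f"{section}.PasswordAuth=on: password logins accepted; "
                                "prefer key-only authentication")
    return findings


def classify_httpd_conf(text):
    """Return [(prefix, username, kind)] with kind in plaintext, md5-crypt, shadow-ref."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        prefix, username, password = line.split(":", 2)
        if password.startswith("$p$"):
            kind = "shadow-ref"   # checked against the named account in /etc/shadow or /etc/passwd
        elif password.startswith("$1$"):
            kind = "md5-crypt"    # assumption: the manual's "MD5 encoded" form
        else:
            kind = "plaintext"    # stored as-is in /etc/httpd.conf
        entries.append((prefix, username, kind))
    return entries


if __name__ == "__main__":
    for finding in audit_services(SAMPLE_UCI_SHOW, "192.168.1.1"):
        print(finding)
    print(classify_httpd_conf(SAMPLE_HTTPD_CONF))
```

Feed it the concatenated output of `uci show uhttpd` and `uci show dropbear` together with the LAN address from `uci get network.lan.ipaddr`; the listen findings reproduce the change recommended in 22.4, and a $p$user entry in httpd.conf keeps the secret in the shadow database rather than in the web server's own file.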
23 Virtual Router Redundancy Protocol (VRRP)
The Virtual Router Redundancy Protocol (VRRP) is a networking protocol designed to eliminate the single point of failure inherent in the static default routed environment.
VRRP specifies an election protocol that dynamically assigns responsibility for a virtual router to one of the VRRP routers on a LAN. The VRRP router controlling the IP address(es) associated with a virtual router is called the Master, and forwards packets sent to these IP addresses. The election process provides dynamic failover of the forwarding responsibility from the Master to a Backup router should the Master become unavailable.
This process allows the virtual router IP address(es) on the LAN to be used as the default first-hop router by end-hosts. The advantage gained from using VRRP is a higher-availability default path without requiring configuration of dynamic routing or router discovery protocols on every end-host.
Two or more routers forming the redundancy cluster are configured with the same Router ID and Virtual IP address. A VRRP router group operates within the scope of a single LAN.
Additionally, each VRRP router is configured with its initial role (Master or Backup) and its router priority, which is a factor in the master router election process.
A password may also be configured to authenticate VRRP protocol messages and protect them against spoofing.
The VRRP protocol is implemented according to Internet standard RFC2338.
23.1 Software versions
VRRP is available on VIE, ARN, LIS and GIG software versions.
To check which software your router is running, SSH to the router; the following information is shown.
Figure 63: Example output after accessing the router via SSH
When you are logged in via an SSH session, run the command: vacmd show vars
Figure 64: Output from the command vacmd show vars
Alternatively, when you are connected via the web interface, the software version currently being used is presented at the bottom of the screen.
Figure 65: The login screen showing the current software version
23.2 VRRP web interface
To configure VRRP through the web interface, in the top menu, select Network -> VRRP. The VRRP page appears.
Figure 66: The VRRP page
In the VRRP page, you can enable or disable VRRP and add, edit or delete VRRP groups.
Under the Global Settings title, click Add.
Figure 67: The VRRP global settings section
Check the VRRP Enabled checkbox.
VRRP Enabled
    Type: Checkbox
    Required: yes
    Default: Unchecked
    Description: Globally enables VRRP on the router.
Under the VRRP Group Configuration title, click Add.
Figure 68: The VRRP group configuration section
Check the Group enabled option check box.
In the Interface field, type the name of the interface where VRRP should run.
Note: take the interface name from the interface section.
In the Track interfaces field, optionally provide the name of the interface that should be tracked.
In the Router id field, type the VRRP ID.
In the Priority field, set the router’s VRRP priority.
In the Advert Intvl field, type the VRRP hello value.
In the Virtual IP field, provide the VRRP IP address.
Click Save & Apply.
Group enabled
    Type: Checkbox
    Required: Yes
    Default: Unchecked
    Description: Enables a VRRP group on the router.
Interface
    Type: String
    Required: Yes
    Default: Blank
    Description: Sets the local LAN interface name in which the VRRP cluster is to operate, for example ‘lan’.
Track interfaces
    Type: List
    Required: Yes
    Default: Blank
    Description: Sets one or more WAN interfaces VRRP should monitor. If a monitored interface goes down on the Master VRRP router, it goes into ‘Fault’ state and the Backup VRRP router becomes the Master.
IPSec connection
    Type: String
    Required: No
    Default: Blank
    Description: Sets which IPSec connection to bring up or down when VRRP enters ‘Backup/Master’ state.
Start role
    Type: Drop down list
    Required: Yes
    Default: Master
    Description: Sets the initial role in which a VRRP router starts up. In a cluster of VRRP routers, set one as a Master and the others as Backup.
Router ID
    Type: Integer
    Required: Yes
    Default: Blank
    Description: Sets the VRRP router ID (1 to 255). All co-operating VRRP routers serving the same LAN must be configured with the same router ID.
Priority
    Type: Integer
    Required: Yes
    Default: Blank
    Description: Sets the VRRP router’s priority. Higher values equal higher priority. The VRRP routers must use priority values between 1 and 254. The Master router uses a higher priority.
Advert intvl
    Type: Integer
    Required: Yes
    Default: Blank
    Description: Sets the VRRP advertisement message sending interval in seconds.
Password
    Type: String
    Required: No
    Default: Blank
    Description: Sets the password to use in the VRRP authentication (simple password authentication method). This field may be left blank if no authentication is required.
Virtual IP
    Type: String
    Required: Yes
    Default: Blank
    Description: Sets the virtual IP address and mask in prefix format, for example ’11.1.1.99/24’. All co-operating VRRP routers serving the same LAN must be configured with the same virtual IP address.
GARP delay
    Type: Integer
    Required: Yes
    Default: Blank
    Description: Sets the gratuitous ARP message sending delay in seconds.
Figure 69: The VRRP group configuration fields and their descriptions
23.3 Configuring VRRP using UCI
You can configure VRRP through the CLI using UCI commands.
The configuration file is stored at:
/etc/config/vrrp
To view the configuration in UCI format, use the commands: uci export vrrp or uci show vrrp
~# uci export vrrp
config vrrp 'main'
option enabled 'yes'
config vrrp_group 'g1'
option enabled 'yes'
option interface 'lan1'
list track_iface 'lan'
option init_state 'BACKUP'
option router_id '1'
option priority '115'
option advert_int_sec '2'
option password 'secret'
option virtual_ipaddr '10.1.10.150/16'
option garp_delay_sec '5'
option ipsec_connection 'Test'
~# uci show vrrp vrrp.main=vrrp vrrp.main.enabled=yes vrrp.g1=vrrp_group vrrp.g1.enabled=yes vrrp.g1.interface=lan1 vrrp.g1.track_iface=lan vrrp.g1.init_state=BACKUP vrrp.g1.router_id=1 vrrp.g1.priority=115 vrrp.g1.advert_int_sec=2 vrrp.g1.password=secret vrrp.g1.virtual_ipaddr=10.1.10.150/16 vrrp.g1.garp_delay_sec=5 vrrp.g1.ipsec_connection=Test
Name enabled vrrp_group enabled interface
Type
Text text track_iface text init_state priority advert_int_sec text
Numeric value
Numeric value
Text password virtual_ipaddr garp_delay_sec ipsec_connection
IP address
Numeric value
Ipsec connection text
Required Default yes Blank
Yes yes
Blank
Blank yes yes
Yes yes yes
No
Yes
No yes
Blank
Blank
BACKUP
Blank
Blank
Blank
Blank
Blank
Blank
Description
Enables VRRP
VRRP GROUP ID number
Enables VRRP Group
Interface name where VRRP should run. Interface name taken from package network
Interface name that should be tracked/monitored
Initial VRRP state
VRRP Priority number. Available values 0-255
VRRP hello value. This value needs to match what is set on a peer.
VRRP clear text password
VRRP IP address
Delay for gratuitous ARP messages
IPsec connection name to bring down/up when VRRP entering
BACKUP/MASTER state
Table 2: Config interface fields and their descriptions
To change any of the above values, use the uci set command.
24 Multicasting using PIM and IGMP interfaces
IP multicast is a bandwidth-conserving technology that reduces traffic by simultaneously delivering a single stream of information to potentially thousands of corporate recipients. Applications that take advantage of multicast include video conferencing and corporate communications.
IP multicast delivers application source traffic to multiple receivers without burdening the source or the receivers while using a minimum of network bandwidth.
PIM (Protocol Independent Multicast) and IGMP (Internet Group Management Protocol) are protocols used to create multicasting networks within a regular IP network.
A multicast group is an arbitrary group of receivers that expresses an interest in receiving a particular data stream. The receivers (the designated multicast group) are interested in receiving a data stream from the source. They indicate this by sending an Internet Group Management Protocol (IGMP) host report to their closest router in the network. The routers are then responsible for delivering the data from the source to the receivers. The routers use Protocol Independent Multicast (PIM) between themselves to dynamically create a multicast distribution tree. The data stream will then be delivered only to the network segments that are in the path between the source and the receivers.
To summarize: PIM is used between routers while IGMP is used between a receiver and its router only. As a result, PIM must be enabled on all the interfaces on the route from the multicast source to the multicast client, while IGMP must be enabled on the interface to the multicast client only.
24.1 Configuring PIM and IGMP via the web interface
To configure PIM through the web interface, in the top menu, select Network -> PIM. The PIM page appears.
Figure 70: The PIM page
In the PIM page, click Add. The Global Settings section appears.
Figure 71: The global settings interface
Enable PIM by checking PIM Enabled.
Name | Type | Required | Default | Description
PIM Enabled | Checkbox | yes | Unchecked | Globally enable PIM on the router
SSM Ping Enabled | Checkbox | yes | Unchecked | Enable answers to SSM pings
Table 17: The PIM global settings description
Scroll down to the Interfaces Configuration section and click Add.
Figure 72: The interfaces configuration section
In the interface drop down list, choose the interface you wish to enable PIM on.
Check Enabled to allow the interface to be managed by the PIM application.
Check either Enable SSM and/or Enable IGMP depending on your requirements.
Note: you must enable PIM SSM on all the interfaces on the route from the multicast source to the multicast client; IGMP must be enabled on the interface to the multicast client only.
Name | Type | Required | Default | Description
Enabled | Checkbox | yes | Unchecked | Enable management of the given interface by the PIM application.
Interface | Drop down list | yes | Blank | Select the interface to apply the settings to.
Enable IGMP | Checkbox | yes | Unchecked | Enable IGMP on the given interface.
Enable SSM | Checkbox | yes | Unchecked | Enable SSM on the given interface.
Table 18: The PIM global settings description
To save your configuration updates, click Save & Apply.
24.2 PIM and IGMP UCI interface
You can configure PIM and IGMP through CLI using UCI.
The configuration file is stored at:
/etc/config/pimd
To view the configuration file, use the commands uci export pimd or uci show pimd.
root@VA_router:/etc/config1# uci export pimd
package pimd

config routing 'pimd'
    option enabled 'yes'

config interface
    option enabled 'yes'
    option interface 'lan'
    option ssm 'yes'
    option igmp 'yes'

config interface
    option enabled 'yes'
    option interface 'wan'
    option ssm 'yes'
    option igmp 'no'

root@VA_router:/etc/config1# uci show pimd
pimd.pimd=routing
pimd.pimd.enabled=yes
pimd.@interface[0]=interface
pimd.@interface[0].enabled=yes
pimd.@interface[0].interface=lan
pimd.@interface[0].ssm=yes
pimd.@interface[0].igmp=yes
pimd.@interface[1]=interface
pimd.@interface[1].enabled=yes
pimd.@interface[1].interface=wan
pimd.@interface[1].ssm=yes
pimd.@interface[1].igmp=no
Name | Type | Required | Default | Description
enabled | Boolean | Yes | No | Enable PIM and IGMP operation globally.
enabled | Boolean | Yes | No | Enable PIM and IGMP on the interface.
interface | Interface | Yes | Blank | Specify which interface to apply the settings on.
ssm | Boolean | Yes | No | Enable PIM SSM on the interface.
igmp | Boolean | Yes | No | Enable IGMP on the interface.
To change any of the above values, use the uci set command.
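The rule from the start of this chapter (SSM on every interface along the multicast path, IGMP only towards the clients) is easy to get wrong once several interfaces are configured. As an added example, not code from the manual or from Virtual Access, the shell function below checks a uci show pimd listing against that rule; the listing is constructed from the manual's example values, and the name of the client-facing interface is passed as an argument.

```shell
#!/bin/sh
# Added example, not from the GW1000 manual: validate `uci show pimd` output against the
# rule that SSM is enabled on every interface along the multicast path and IGMP is
# enabled only on the interface facing the multicast clients.

# Constructed sample, mirroring the manual's example (lan = client side, wan = upstream).
SAMPLE_PIMD='pimd.pimd=routing
pimd.pimd.enabled=yes
pimd.@interface[0]=interface
pimd.@interface[0].enabled=yes
pimd.@interface[0].interface=lan
pimd.@interface[0].ssm=yes
pimd.@interface[0].igmp=yes
pimd.@interface[1]=interface
pimd.@interface[1].enabled=yes
pimd.@interface[1].interface=wan
pimd.@interface[1].ssm=yes
pimd.@interface[1].igmp=no'

# check_pimd_uci CLIENT_IFACE   (reads `uci show pimd` lines on stdin)
# Prints one line per problem found and returns the number of problems,
# so a return value of 0 means the listing follows the rule.
check_pimd_uci() {
  awk -v client="$1" -F= '
    # pimd.@interface[N].option=value -> opt["@interface[N]", "option"] = value
    /^pimd\.@interface\[[0-9]+\]\.[a-z_]+=/ {
      split($1, p, "[.]")
      opt[p[2], p[3]] = $2
      seen[p[2]] = 1
    }
    END {
      n = 0
      for (s in seen) {
        if (opt[s, "enabled"] != "yes") continue   # disabled sections are ignored
        name = opt[s, "interface"]
        if (opt[s, "ssm"] != "yes") {
          print name ": SSM disabled, so the multicast path breaks at this interface"; n++
        }
        if (opt[s, "igmp"] == "yes" && name != client) {
          print name ": IGMP enabled on a non-client interface (only " client " should run IGMP)"; n++
        }
        if (opt[s, "igmp"] != "yes" && name == client) {
          print name ": IGMP disabled on the client-facing interface"; n++
        }
      }
      exit n
    }'
}

# Stand-alone run on the constructed sample; on the router use:
#   uci show pimd | check_pimd_uci lan
printf '%s\n' "$SAMPLE_PIMD" | check_pimd_uci lan && echo "pimd: OK"
```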
25 Dynamic Multipoint Virtual Private Network (DMVPN)
Dynamic Multipoint Virtual Private Network (DMVPN) is a scalable method of creating VPN IPSec Networks. DMVPN is a suite of three protocols: NHRP, mGRE and IPSec, used to dynamically create VPN tunnels between different endpoints in the network without having to pre-configure each device with VPN details of the rest of endpoints in the network.
25.1 The advantage of using DMVPN
• Using DMVPN eliminates the need for IPSec configuration on the physical interface. This reduces the number of lines of configuration required for a VPN deployment. For example, for a 1000-site deployment, DMVPN reduces the configuration effort at the hub from 3900 lines to 13.
• Adding new peers (spokes) to the VPN requires no changes at the hub.
• Better scalability of the network.
• Dynamic IP addresses can be used at the peers' sites.
• Spokes can be connected in a private or public network.
• The NHRP NAT extension allows spoke-to-spoke tunnels to be built even if one or more spokes is behind a Network Address Translation (NAT) device.
• New hubs can be added to the network to improve performance and reliability.
• Ability to carry multicast and main routing protocol traffic (RIP, OSPF, BGP).
• DMVPN can be deployed using Activator, the Virtual Access automated provisioning system.
• Simplifies branch communications by enabling direct branch-to-branch connectivity.
• Simplifies configuration on the spoke routers. The same IPSec template configuration is used to create spoke-to-hub and spoke-to-spoke VPN IPSec tunnels.
• Improves business resiliency by preventing disruption of business-critical applications and services, by incorporating routing with standards-based IPsec technology.
25.2 DMVPN scenarios
Scenario 1: Spoke1, Spoke2 and a hub are in the same public or private network
Figure 73: Network diagram for DMVPN spoke to spoke
• Spoke1 and Spoke2 connect on their WAN interface (ADSL, 3G) and initiate main-mode IPSec in transport mode to the hub.
• After an IPSec tunnel is established, the spokes register their NHRP membership with the hub.
• GRE tunnels come up.
• The hub caches the GRE tunnel and real IP addresses of each spoke.
• When Spoke1 wants to talk to Spoke2, it sends an NHRP Resolution Request to the hub.
• The hub checks its cache table and forwards that request to Spoke2.
• Spoke2 caches Spoke1's GRE and real IP address and sends an NHRP Resolution Reply via the hub.
• Spoke1 receives the NHRP Resolution Reply and updates its NHRP table with Spoke2's information. It then initiates a VPN IPSec connection to Spoke2.
• When the IPSec tunnel is established, Spoke1 and Spoke2 can send traffic directly to each other.
Scenario 2: Spoke1 is in a private (NAT-ed) network, Spoke2 and hub are in public network
Figure 74: Network diagram for DMVPN spoke behind NAT
• Spoke1 sends an NHRP registration request to the hub.
• The hub receives this request and compares the source tunnel address of the spoke with the source of the packet.
• The hub sends an NHRP registration reply with a NAT extension to Spoke1.
• The NAT extension informs Spoke1 that it is behind a NAT device.
• Spoke1 registers its pre- and post-NAT address.
• When Spoke1 wants to talk to Spoke2, it sends an NHRP Resolution Request to the hub.
• The hub checks its cache table and forwards that request to Spoke2.
• Spoke2 caches Spoke1's GRE pre- and post-NAT IP address and sends an NHRP Resolution Reply via the hub.
• Spoke1 receives the NHRP Resolution Reply and updates its NHRP table with Spoke2's information. It initiates a VPN IPSec connection to Spoke2.
• When the IPSec tunnel is established, Spoke1 and Spoke2 can send traffic directly to each other.
• Note: if an IPSec tunnel cannot be established between the spokes, packets between the spokes are sent via the hub.
25.3 Configuring DMVPN via the web interface
Before configuring DMVPN, you must first configure a GRE interface. Read the previous section, 'GRE interfaces'.
25.3.1 Configuring IPSec for DMVPN
This section explains how to configure VPN IPSec specifically for DMVPN. For more information on general VPN IPSec configuration, read ‘Configuring IPSec’ in the GW6600 User Manual.
Access the router's web interface by typing 192.168.100.1 into your browser.
Type in the username: root
Type in the password: admin. The Status page appears.
In the top menu click Services -> IPSec. The strongSwan IPSec VPN page appears.
Figure 75: The strongSwan IPSec VPN page
Click the first Add button. The strongSwan status now shows an Enabled field that is checked.
Figure 76: strongSwan IPSec enabled
Name | Type | Required | Default | Description
Enable Strongswan IPsec | Boolean | Yes | Blank | Enable Strongswan IPsec
Strict CRL Policy | Dropdown menu | Yes | No | Defines if a fresh certificate revocation list (CRL) must be available.
Unique IDs | Dropdown menu | Yes | Yes | Whether a particular participant ID should be kept unique.
Cache CRLs | Boolean | No | Blank | CRLs fetched via HTTP or LDAP will be cached.
Debug | Dropdown menu | No | None | Specifies if IPsec debug should be enabled
Table 19: strongSwan IPSec VPN fields and their descriptions
In the Unique IDs drop down menu, select Yes. The Connections settings fields appear.
Figure 77: The strongSwan IPSec VPN page
Name | Type | Required | Default | Description
Enabled | Checkbox | yes | Unchecked | Globally enables IPSec on the router.
Aggressive mode | Checkbox | yes | Unchecked | Globally enables Aggressive mode on the router.
Name | String | Yes | Blank | Specifies a name for the tunnel.
Autostart Action | Dropdown menu | Yes | Ignore | Specifies how the tunnel is initiated. Start: on startup. Route: when traffic routes this way. Add: loads a connection without starting it. Ignore: ignores the connection.
Connection Type | Dropdown menu | Yes | tunnel | Defines whether the connection is in tunnel or transport mode.
Remote GW address | IP address string | Yes | None | Sets the public IP address of the remote peer.
Local Id | String | Yes | None | Defines the local peer identifier.
Remote Id | String | Yes | None | Sets the remote peer identifier.
Local LAN IP Address | String | Yes | None | Defines the local IP of the LAN.
Local LAN IP Address Mask | String | Yes | None | Defines the local mask of the LAN.
Remote LAN IP Address | String | Yes | None | Defines the remote IP of the LAN.
Remote LAN IP Address Mask | String | Yes | None | Defines the remote mask of the LAN.
Authby | Dropdown menu | Yes | psk | Defines the authentication method. Available options: psk, xauthpsk.
XAuth identity | String | No | None | Defines the identity/username the client uses to reply to an XAuth request. If not defined, the IKEv1 identity will be used as the XAuth identity.
IKE algorithm | Dropdown menu | Yes | aes128-sha1-modp2048, 3des-sha1-modp1536 | Specifies the IKE algorithm to use. The format is encAlgo-authAlgo-DHGroup. encAlgo: 3des, aes, serpent, twofish, blowfish. authAlgo: md5, sha, sha2. DHGroup: modp1024, modp1536, modp2048, modp3072, modp4096, modp6144, modp8192.
ESP algorithm | Dropdown menu | Yes | aes128-sha1, 3des-sha1 | Specifies the ESP algorithm to use. The format is encAlgo-authAlgo-PFSGroup. encAlgo: 3des, aes, serpent, twofish, blowfish. authAlgo: md5, sha, sha2. DHGroup: modp1024, modp1536, modp2048, modp3072, modp4096, modp6144, modp8192. For example: aes128-sha1-modp1536. If no DH group is defined then PFS is disabled.
WAN interface | Dropdown menu | Yes | None | Defines the WAN interface used by this tunnel.
IKE life time | Integer | Yes | 3h | Specifies how long the keying channel of a connection (ISAKMP or IKE SA) should last before being renegotiated. Syntax: timespec: 1d, 2h, 25m, 10s.
Key life | Integer | Yes | 1h | Specifies how long a particular instance of a connection (a set of encryption/authentication keys for user packets) should last, from successful negotiation to expiry. Normally the connection is renegotiated, via the keying channel, before it expires (see rekeymargin). Syntax: timespec: 1d, 2h, 25m, 10s.
Rekey margin | Integer | Yes | 9m | Margin time. Defines how long before a connection expiry or keying-channel expiry the attempt to negotiate a replacement should begin.
Keying tries | String | Yes | 3 | Specifies how many attempts (a positive integer or %forever) should be made to negotiate a connection, or a replacement for one, before giving up. The value %forever means 'never give up'. It is only relevant locally; the other end does not need to agree on it.
DPD Action | Dropdown menu | Yes | None | Valid values are none, clear, hold and restart. None: disables dead peer detection. Clear: clears down the tunnel if a peer does not respond; reconnects when traffic brings the tunnel up. Hold: clears down the tunnel and brings it up as soon as the peer is available. Restart: restarts DPD when no activity is detected.
DPD Delay | Integer | Yes | None | Defines the period time interval with which R_U_THERE messages/INFORMATIONAL exchanges are sent to the peer. These are only sent if no other traffic is received. Syntax: timespec: 1d, 2h, 25m, 10s.
DPD Timeout | Integer | Yes | 150s | Defines the timeout interval, after which all connections to a peer are deleted in case of inactivity. Syntax: timespec: 1d, 2h, 25m, 10s.
Table 20: Connections fields for strongSwan IPSec VPN
From the Name field, type the Connection Name.
From the Autostart Action drop down menu, select Ignore.
From the Connection Type drop down menu, select transport.
From the Authby dropdown menu, select psk.
From the IKE algorithm dropdown menu, select the encryption, hash algorithm and DH group.
From the ESP algorithm dropdown menu, select the encryption and hash algorithm.
From the WAN Interface dropdown menu, select the interface that is used to transmit IPSec packets.
In the IKE life time field, type the IKE life time value.
In the Key life field, type the Key life value.
In the Keying tries field, type a %forever value.
From the DPD Action drop down menu, select clear.
In the DPD Delay field, type a DPD delay value.
In the DPD Timeout field, type a relevant value.
At the bottom of the Secrets section, click Add.
Figure 78: The secrets section
Select Enabled.
From the dropdown menu under Secret Type, select psk.
In the field beneath Secret, type the psk password.
Click Save.
25.4 DMVPN hub settings
In the top menu, select Network -> DMVPN. The DMVPN page appears.
Figure 79: The DMVPN page
Under DMVPN General, click Add. The following page appears.
Figure 80: The DMVPN general section
Check Enable DMVPN.
From the IPSec template connection drop down menu, provide the name of the IPsec connection.
In the DMVPN Hub Settings section, click Add. The fields required to configure the parameters relative to the DMVPN hub appear. These are used for the DMVPN tunnels, such as GRE tunnels, GRE tunnel remote IP, DMVPN Hub IP and password.
Name | Type | Required | Default | Description
GRE Interface | Dropdown list | Yes | Blank | Specifies which GRE interface will be used with this DMVPN configuration.
GRE Remote Endpoint IP Address | IP address | Yes | Blank | Configures the GRE IP address of the hub.
DMVPN Hub IP Address | IP address | Yes | Blank | Configures the physical IP address for the DMVPN hub.
NHRP Authentication | Numeric value | Yes | Blank | Enables authentication on NHRP. The password will be applied in plaintext to the outgoing NHRP packets. Maximum length is 8 characters.
NHRP Holding Time | Integer | Yes | Blank | Timeout for cached NHRP requests.
Table 21: DMVPN hub fields and their descriptions
25.5 UCI interface
25.5.1 IPSec configuration using CLI
You can configure IPSec (strongSwan package) through CLI using the UCI command suite.
Configuration files are stored at:
/etc/config/strongswan
To view the configuration file, use the uci show strongswan or uci export strongswan commands.
root@GWxxxx:~# uci show strongswan
strongswan.general=general
strongswan.general.enabled=yes
strongswan.general.strictcrlpolicy=no
strongswan.general.uniqueids=yes
strongswan.general.cachecrls=yes
strongswan.general.nattraversal=yes
strongswan.@connection[0]=connection
strongswan.@connection[0].enabled=yes
strongswan.@connection[0].name=DMVPN
strongswan.@connection[0].type=transport
strongswan.@connection[0].localproto=gre
strongswan.@connection[0].remoteproto=gre
strongswan.@connection[0].ike=3des-md5-modp1024
strongswan.@connection[0].esp=aes128-sha1
strongswan.@connection[0].waniface=wan
strongswan.@connection[0].auto=ignore
strongswan.@connection[0].ikelifetime=28800s
strongswan.@connection[0].keylife=300s
strongswan.@connection[0].rekeymargin=30s
strongswan.@connection[0].keyingtries=%forever
strongswan.@connection[0].dpdaction=hold
strongswan.@connection[0].dpddelay=30s
strongswan.@connection[0].dpdtimeout=150s
strongswan.@secret[0]=secret
strongswan.@secret[0].enabled=yes
strongswan.@secret[0].secrettype=psk
strongswan.@secret[0].secret=secret
uci export strongswan
package strongswan

config general 'general'
    option enabled 'yes'
    option strictcrlpolicy 'no'
    option uniqueids 'yes'
    option cachecrls 'yes'
    option nattraversal 'yes'

config connection
    option enabled 'yes'
    option name 'DMVPN'
    option type 'transport'
    option localproto 'gre'
    option remoteproto 'gre'
    option ike '3des-md5-modp1024'
    option esp 'aes128-sha1'
    option waniface 'wan'
    option auto 'ignore'
    option ikelifetime '28800s'
    option keylife '300s'
    option rekeymargin '30s'
    option keyingtries '%forever'
    option dpdaction 'hold'
    option dpddelay '30s'
    option dpdtimeout '150s'

config secret
    option enabled 'yes'
    option secrettype 'psk'
    option secret 'secret'
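The sample connection above uses ike '3des-md5-modp1024' and esp 'aes128-sha1' with the PSK 'secret'. As an added example, not code from the manual, from strongSwan or from Virtual Access, the script below reads uci show strongswan output and reports proposal components that Table 20's encAlgo-authAlgo-DHGroup format accepts but that are legacy choices, plus short or placeholder PSKs; the listing it runs on is constructed from the manual's values.

```shell
#!/bin/sh
# Added example, not code from the GW1000 manual or strongSwan: audits the IKE/ESP
# proposals and the PSK in `uci show strongswan` output for legacy settings, using the
# encAlgo-authAlgo-DHGroup format documented in Table 20.

# Constructed sample: the connection and secret lines from the manual's own example.
SAMPLE_UCI='strongswan.@connection[0]=connection
strongswan.@connection[0].name=DMVPN
strongswan.@connection[0].ike=3des-md5-modp1024
strongswan.@connection[0].esp=aes128-sha1
strongswan.@connection[0].keyingtries=%forever
strongswan.@secret[0]=secret
strongswan.@secret[0].secrettype=psk
strongswan.@secret[0].secret=secret'

FINDINGS=0
finding() { echo "$1"; FINDINGS=$((FINDINGS + 1)); }

# split_proposal PROPOSAL -> sets ENC, AUTH and DH (DH is empty when no group is given)
split_proposal() {
  ENC=${1%%-*}
  rest=${1#*-}
  case $rest in
    *-*) AUTH=${rest%%-*}; DH=${rest#*-} ;;
    *)   AUTH=$rest;       DH= ;;
  esac
}

# check_proposal ike|esp PROPOSAL -> one finding per legacy component
check_proposal() {
  kind=$1; prop=$2
  split_proposal "$prop"
  case $ENC in
    3des*|blowfish*) finding "$kind: $ENC is a 64-bit block cipher; use aes128 or aes256" ;;
  esac
  case $AUTH in
    md5*)     finding "$kind: md5 integrity is broken; use sha256" ;;
    sha|sha1) finding "$kind: sha1 integrity is legacy; prefer sha256" ;;
  esac
  if [ -z "$DH" ]; then
    # Table 20: with no DH group in the ESP proposal, PFS is disabled
    if [ "$kind" = esp ]; then
      finding "esp: no DH group in '$prop', so PFS is disabled; add one, e.g. modp2048"
    fi
  else
    case $DH in
      modp1024|modp1536) finding "$kind: $DH is below 2048 bits; use modp2048 or larger" ;;
    esac
  fi
}

# audit_ipsec_uci  (reads `uci show strongswan` lines on stdin)
# Prints the findings and returns their count; 0 means nothing legacy was found.
audit_ipsec_uci() {
  FINDINGS=0
  while IFS= read -r line; do
    key=${line%%=*}; val=${line#*=}
    case $key in
      *.ike) check_proposal ike "$val" ;;
      *.esp) check_proposal esp "$val" ;;
      *.secret)
        # a short or placeholder PSK is the weakest link of a psk connection
        if [ "${#val}" -lt 16 ] || [ "$val" = secret ]; then
          finding "secret: PSK is ${#val} characters (or a placeholder); use a random PSK of 20+ characters"
        fi ;;
    esac
  done
  return $FINDINGS
}

# Stand-alone run on the constructed sample; on the router use:
#   uci show strongswan | audit_ipsec_uci
printf '%s\n' "$SAMPLE_UCI" | audit_ipsec_uci || echo "$? legacy settings found"
```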
25.6 Configuring DMVPN using CLI
You can configure DMVPN through CLI using the UCI command suite.
Configuration files are stored at:
/etc/config/dmvpn
To view the configuration file, use the uci show dmvpn or uci export dmvpn commands.
uci export dmvpn
package dmvpn

config general-settings 'common'
    option enabled 'yes'
    option ipsec_template_name 'DMVPN'

config interface
    option holding_time '60'
    option gre_interface 'GRE'
    option gre_endpoint_ip '11.11.11.1'
    option gre_endpoint_mask_length '29'
    option nhs_ip '192.168.100.1'
    option cisco_auth 'test'

uci show dmvpn
dmvpn.common=general-settings
dmvpn.common.enabled=yes
dmvpn.common.ipsec_template_name=DMVPN
dmvpn.@interface[0]=interface
dmvpn.@interface[0].holding_time=60
dmvpn.@interface[0].gre_interface=GRE
dmvpn.@interface[0].gre_endpoint_ip=11.11.11.1
dmvpn.@interface[0].gre_endpoint_mask_length=29
dmvpn.@interface[0].nhs_ip=192.168.100.1
dmvpn.@interface[0].cisco_auth=test
To change any of the above values, use the uci set command.
26 Terminal Server
26.1 Introduction
Terminal Server is a background application (a daemon) whose main task is to forward data between TCP connections or UDP streams and asynchronous serial ports.
The Terminal Server application serves up to 4 sessions simultaneously, one for each async serial port, depending on the device. Each Terminal Server session has an IP endpoint and an associated specific serial port.
26.2 Terminal Server interfaces
You can configure the IP endpoint of each Terminal Server session to be:
• TCP server: each session is listening on a unique port.
• TCP client: Terminal Server makes a TCP connection to external TCP server.
• UDP endpoint: Terminal Server forwards data between a UDP stream and a serial port.
26.3 Configuring Terminal Server
26.3.1 Configuring Terminal Server using the web interface
To access the Terminal Server configuration web interface, click Services -> Terminal Server. The Terminal Server Configuration page appears. You must configure two main sections: Main Settings and Port Settings.
26.3.1.1 Main settings
Figure 81: The terminal server main settings page
In the Main Settings section, click the Enable check box to enable the Terminal Server.
Name | Type | Required | Default | Description
Enable | Checkbox | Yes | Disabled | Enables the Terminal Server application.
Debug Enable | Checkbox | No | Disabled | Enables detailed debug logging.
Syslog severity | Dropdown list | Yes | Notice | Determines the syslog level. Events up to this priority will be logged: Emergency 0, Alert 1, Critical 2, Error 3, Warning 4, Notice 5, Info 6, Debug 7.
Log Rx - Tx | Checkbox | No | Disabled | Enable logging of data transfers.
Table 22: The main settings and their descriptions
26.3.1.2 Port settings
The Port Settings section is divided into 3 sub-sections:
• General
• Serial
• Network
26.3.1.3 Port settings: general section
Figure 82: The General tab fields part 1
Figure 83: The general tab fields part 2
Name | Type | Required | Default | Description
Enable | Checkbox | Yes | Disabled | Enables the port.
Network Forwarding Buffer Size | Numeric value | Yes | 256 | Forwarding buffer size (serial to network).
Network Forwarding Timeout | Numeric value | Yes | 30 | Forwarding timeout in milliseconds (serial to network).
Network forwarding timer mode | Dropdown list | Yes | idle | Forwarding timer mode (serial to network): 'idle' = timer restarted on each received data, 'aging' = timer started on first rx.
Serial Forwarding Buffer Size | Numeric value | No | 0 | Forwarding buffer size (network to serial), 0 = use maximum possible network rx buffer size.
Serial Forwarding Timeout (ms) | Numeric value | No | 20 | Forwarding timeout in milliseconds (network to serial), 0 = forward to serial immediately.
Serial forwarding timer mode | Dropdown list | Yes | idle | Forwarding timer mode (network to serial): 'idle' = timer restarted on each received data, 'aging' = timer started on first rx.
Proxy mode | Checkbox | No | Disabled | Enable proxy mode.
Disable remote client's local echo (Telnet option) | Checkbox | No | Disabled | 1 = send IAC WILL ECHO Telnet option to the remote client, forcing it to disable local echo (server mode only).
Telnet COM port control (RFC2217) | Checkbox | No | Disabled | 1 = enable support for Telnet COM port control (RFC2217).
Enable HDLC Pseudowire over UDP (RFC4618) | Checkbox | No | Disabled | Enables HDLC Pseudowire over UDP support (based on RFC4618); if set to 1, also set udpMode 1.
Serial receive debug log size | Numeric value | No | Disabled | Configures the serial receive log size in bytes and enables receive data logging. 0 = disabled.
Serial transmit debug log size | Numeric value | No | Disabled | Configures the serial transmit log size in bytes and enables transmit data logging. 0 = disabled.
Table 23: The general fields descriptions
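As an added example, not the manual's or tservd's code, the script below models the forwarding buffer and timer rules from Table 23 on a constructed sequence of serial chunks, so the difference between the 'idle' and 'aging' timer modes, and the effect of a zero timeout, can be seen in the batches that get forwarded. How tservd itself schedules the timers is an assumption here, not something the manual states.

```shell
#!/bin/sh
# Added example, not code from the GW1000 manual or tservd: a small model of the
# forwarding buffer and timer modes in Table 23, so the effect of 'idle' versus
# 'aging' can be seen on a constructed burst of serial data.
# Assumptions (not stated by the manual): data is forwarded when the buffer reaches
# the configured size or when the timer fires, and a timeout of 0 forwards at once.

# forward_batches MODE BUFSIZE TIMEOUT_MS "t1:bytes t2:bytes ..."
#   MODE   idle  -> the timer is restarted by every received chunk
#          aging -> the timer is started by the first chunk in the buffer only
#   Arrivals are constructed as "arrival_time_ms:byte_count", in time order.
# Prints the forwarded batch sizes in order, separated by spaces.
forward_batches() {
  mode=$1; bufsize=$2; timeout=$3
  buf=0; deadline=-1; out=""
  for ev in $4; do
    t=${ev%%:*}; n=${ev##*:}
    # the timer fired before this chunk arrived: the buffered bytes went out then
    if [ "$deadline" -ge 0 ] && [ "$t" -ge "$deadline" ]; then
      out="$out $buf"; buf=0; deadline=-1
    fi
    buf=$((buf + n))
    if [ "$buf" -ge "$bufsize" ] || [ "$timeout" -eq 0 ]; then
      # buffer full (or no buffering): forward immediately, no timer pending
      out="$out $buf"; buf=0; deadline=-1
    elif [ "$mode" = idle ] || [ "$deadline" -lt 0 ]; then
      deadline=$((t + timeout))
    fi
  done
  # end of input: the pending timer eventually forwards the remainder
  if [ "$buf" -gt 0 ]; then out="$out $buf"; fi
  echo "${out# }"
}

# Stand-alone run: four 10-byte chunks at 0, 20, 40 and 100 ms with a 30 ms timeout.
# 'idle' keeps extending the timer while chunks keep coming; 'aging' does not.
echo "idle:  $(forward_batches idle  256 30 '0:10 20:10 40:10 100:10')"   # 30 10
echo "aging: $(forward_batches aging 256 30 '0:10 20:10 40:10 100:10')"   # 20 10 10
```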
26.3.1.4 Port settings: serial section
Figure 84: The serial tab fields part 1
Figure 85: The serial tab fields part 2
Name | Type | Required | Default | Description
Device | String | Yes | /dev/ttySC0, /dev/ttySC1 | Serial device name.
Portmode | Dropdown list | Yes | rs232 | rs232 - RS-232 mode; rs485hdx - RS485 2-wire half duplex mode in which the transmitter drives RTS; rs485fdx - RS485 4-wire full duplex mode; v23 - using the V.23 leased line card driver; x21 - use the USB serial card in sync mode.
Speed (bps) | Dropdown list | Yes | 9600 | Serial device speed in baud.
Word size | Dropdown list | Yes | 8 | Serial device word size (5, 6, 7, 8).
Parity | Dropdown list | No | 0 | Serial device parity (0=none, 1=even, 2=odd).
Stop bits | Dropdown list | Yes | 1 | Serial device number of stop bits (1 or 2).
Flow Control | Dropdown list | No | 0 | Serial flow control mode (0=none, 1=RTS CTS, 2=XONXOFF).
RS485 termination | Checkbox | No | 0 | Enables or disables RS485 line termination (applies only if portmode is 'rs485').
Auto RTS Invert | Checkbox | No | 0 | Invert RTS in auto-RTS mode (if portmode is 'rs485').
Keep serial port always open | Checkbox | No | 0 | Keep serial port always open (if option not present, default is 0).
RS232 Half Duplex | Checkbox | No | 0 | 1=half duplex mode; 0=full duplex mode.
RTS timeout | Numeric value | No | 30 | In RS232 half duplex mode, time in milliseconds between raising RTS and enabling the transmitter.
POST RTS timeout | Numeric value | No | 20 | In RS232 half duplex mode, time in milliseconds between dropping RTS (transmission finished) and enabling the receiver.
Atmel USB serial card | Checkbox | No | 0 | Configures the use of tservd with the Atmel USB serial card.
Dual X.21 card bit reverse | Checkbox | No | 0 | Enables bit reversal of all bits in an 8 byte word during transmission.
Dual X.21 card DTE TT Invert | Checkbox | No | 0 | Enables X.21 TT clock signal inversion.
Dual X.21 card DCE TCLK Invert | Checkbox | No | 0 | Enables X.21 DCE TCLK signal inversion.
Dual X.21 card DCE RCLK Invert | Checkbox | No | 0 | Enables X.21 DCE RCLK signal inversion.
Dual X.21 card CLK Invert | Checkbox | No | 0 | Enables X.21 DCE CLK signal inversion.
Dual X.21 card RX data delay | Numeric value | No | 0 | Sets X.21 card RX data delay in number of bit positions.
Table 22: The general fields descriptions
26.3.1.5 Port settings: network section
Figure 86: The Network tab fields part 1
Figure 87: The Network tab fields part 2
Name | Type | Required | Default | Description
Transport mode | Dropdown list | Yes | TCP | Select between TCP/UDP.
Local IP | IP address | Yes | 0.0.0.0 | Local IP address to listen on (0.0.0.0=listen on any interface).
TCP mode | Dropdown list | Yes | Server | Select between server and client modes of TCP.
TCP listen port | Numeric value | Yes | 999 | TCP listen port for server mode.
Remote IP 1 | IP address | Yes | 0.0.0.0 | Destination peer IP 1 address.
Remote IP 2 | IP address | Yes | 0.0.0.0 | Destination peer IP 2 address (for failover).
Remote TCP Port 1 | Numeric value | Yes | 951 | Destination peer port 1 number.
Remote TCP Port 2 | Numeric value | Yes | 951 | Destination peer port 2 number (for failover).
Enable TCP keepalives | Checkbox | No | Enabled | Enable or disable TCP keep alives.
TCP Keepalive interval | Numeric value | No | 5 | Interval in seconds between TCP keep alive probes.
TCP Keepalive timeout | Numeric value | No | 2 | Time in seconds to wait for a response to a TCP keep alive probe.
TCP Keepalive count | Numeric value | No | 1 | Number of TCP keep alive probes to send before the connection is closed.
TCP User timeout | Numeric value | No | 0 | Maximum time in milliseconds for TCP to wait for transmitted data to be acked before closing the connection in established state. Set to 0 to use kernel defaults (about 15-20 minutes).
TCP nodelay | Checkbox | No | Disabled | 1=disable TCP Nagle algorithm; 0=normal operation.
TCP always on | Checkbox | No | Disabled | Keep TCP session always connected.
Close TCP on DSR | Checkbox | No | Disabled | Close TCP session on detection of DSR signal low.
Reconnect time (ms) | Numeric value | No | 5000 | Time in milliseconds to start reconnecting after setting DTR low.
Table 24: The Network fields descriptions
26.4 Configuring Terminal Server using UCI
You can also configure Terminal Server through the CLI using the UCI command suite.
The configuration file is stored at:
/etc/config/tservd
To view the configuration file, use commands: uci export or uci show
The global configuration section contains two parameters. The meaning of the parameters is explained in the embedded comments:
config tservd main
# set to 1 to enable Terminal Server
option enable 1
# enables detailed debug logging (state transitions, data transfer etc)
option debug_ev_enable 1
Following the global section there are four port specific sections. Below is an example configuration with the embedded comments explaining each parameter.
config tservd main
# set to 1 to enable terminal server
option enable 0
# enables detailed debug logging (state transitions, data transfer etc)
option debug_ev_enable 0
# sets syslog level (0 to 7), default is 6
option log_severity 6
config port 'port1'
# enables this port
option enable 0
# serial device name
option devName '/dev/ttySC0'
# destination peer port IP number (two numbers for failover)
option ip_port1 951
option ip_port2 951
# destination peer ip address (two addresses for failover)
option remote_ip1 '0.0.0.0'
option remote_ip2 '0.0.0.0'
# keep TCP session always connected
option tcp_always_on 1
# close TCP session on detection of DSR signal low
option close_tcp_on_dsr 0
# keep serial port always open (if option not present, default is 0)
option tty_always_open 0
# Forwarding timeout in milliseconds (serial to network)
option fwd_timeout 30
# Forwarding timer mode (serial to network), 'idle'=timer re-started on each received data, 'aging'=timer started on first rx
option fwd_timer_mode 'idle'
# Forwarding buffer size (serial to network)
option fwd_buffer_size 256
# Forwarding buffer size (network to serial), 0=use maximum possible network rx buffer size
option sfwd_buffer_size 0
# Forwarding timeout in milliseconds (network to serial), 0=forward to serial immediately
option sfwd_timeout 20
# Forwarding timer mode (network to serial), 'idle'=timer re-started on each received data, 'aging'=timer started on first rx
option sfwd_timer_mode 'idle'
# serial device speed in baud
option speed 115200
# serial device word size (5,6,7,8)
option wsize 8
# serial device parity (0=none, 1=even, 2=odd)
option parity 0
# serial device number of stop bits (1 or 2)
option stops 1
# serial flow control mode (0=none, 1=RTS CTS, 2=XONXOFF)
option fc_mode 0
# time in milliseconds to start re-connecting after setting DTR low
option disc_time_ms 5000
# TCP server mode
option server_mode 1
# Proxy mode (off by default)
option proxy_mode 0
# Local IP address to listen on (0.0.0.0=listen on any interface)
option local_ip '0.0.0.0'
# TCP listen port for server mode
option listen_port 999
# UDP mode
option udpMode 0
# UDP local port UDP mode
option udpLocalPort 0
# UDP port for UDP mode
option udpRemotePort 0
# If set to non zero, send empty UDP packets every this many milliseconds to remote peer
option udpKaIntervalMs 0
# Max number of consecutive remote UDP keepalive missed (not received) before UDP session considered broken
option udpKaCount 3
# Enable or disable TCP keep alives
option tcp_keepalive_enabled 1
# Interval in seconds between TCP keep alive probes
option tcp_keepalive_interval 5
# Time in seconds to wait for response to a TCP keep alive probe
option tcp_keepalive_timeout 2
# Number of TCP keep alive probes to send before connection closed
option tcp_keepalive_count 1
# Maximum time in milliseconds for TCP to wait for transmitted data to be acked
# before closing connection in established state. Set to 0 to use kernel defaults (about 15-20 minutes)
option tcp_user_timeout 20000
# 1=disable TCP nagle algorithm; 0=normal operation
option tcp_nodelay 0
# rs232 - RS-232 mode, rs485hdx - rs485 2 wire half duplex mode in which transmitter drives RTS. rs485fdx - RS485 4 wire full duplex mode.
# 'v23' - using V.23 leased line card driver. x21 - use USB serial card in sync mode
option portmode 'rs232'
# On newer GW202x boards, the serial mode (RS232, RS485) for the second physical port is set with GPIOs, while on older boards it is set with the dip switches
# 1=On this port, the serial mode is set using GPIO; 0=Default, serial mode is set with dip switches
option serial_mode_gpio_control 0
# Driver DTR and RTS line control modes. 'auto' - set ON when the port is open, OFF when the port is closed, 'on' - always on, 'off' - always off,
# 'app' - controlled by the application, 'ontx' - in HDLC mode, RTS ON during frame TX
option dtr_control_mode 'auto'
option rts_control_mode 'auto'
# enables or disables RS485 line termination (applies only if portmode is 'rs485')
option rs485_line_termination '0'
# 1=use USB serial card. if portmode is x.21 it is used in synchronous mode, if portmode is 'rs232' it is used in asynchronous mode
option is_usb_serial 0
# Used for USB serial card. 'hdlc' = synchronous HDLC framed mode;
# 'transp' = transparent mode
option sync_mode 'hdlc'
# Used for USB serial card. 1= in HDLC mode use CRC32; 0= use CRC16
option sync_crc32 0
# Used for USB serial card. Synchronous speed. If not 0, use internal clock, example speeds: 9600, 19200, 64000, 128000, 256000, 384000, 512000,
# 768000, 1024000, 2048000. 0=use external clock
option sync_speed '64000'
# Used for USB serial card. Enables receive clock inversion. 0=data sampled on clock falling edge; 1=data sampled on clock rising edge
option sync_invert_rxclk 0
# Used for USB serial card. Enables transmit clock inversion. 0=data out on clock falling edge; 1=data out on clock rising edge
option sync_invert_txclk 0
# Used for USB serial card. 1=receive most significant bit first;
# 0=receive least significant bit first
option sync_rx_msbf 0
# Used for USB serial card. 1=transmit most significant bit first;
# 0=transmit least significant bit first
option sync_tx_msbf 0
# Used for USB serial card. Number of bit positions to delay sampling the data from detecting clock edge
option sync_rxdata_dly 0
# Used for USB serial card. Number of bit positions to delay output of the data from detecting clock edge
option sync_txdata_dly 0
# Used for USB serial card. Value of idle character (decimal) to transmit in case of TX underrun (0 to 255)
# in HDLC mode configures inter-frame fill: set to 0 to transmit 0s,
# 255 to transmit 1s, 126 to transmit flags
option sync_tx_idle 126
# Invert RTS in auto-RTS mode (if portmode is 'rs485')
option rtsinvert '0'
# 1=send IAC WILL ECHO Telnet option to remote client forcing it to disable local echo (for server mode only)
option disable_echo 0
# 1=enable support for Telnet COM port control (RFC2217)
option com_port_control 0
# 1=half duplex mode; 0=full duplex mode
option hd_mode 0
# in RS232 half duplex mode, time in milliseconds between raising RTS and enabling the transmitter
option rts_timeout 30
# in RS232 half duplex mode, time in milliseconds between dropping RTS
# (transmission finished) and enabling the receiver
option post_rts_timeout 20
# when used with V.23 modem driver, (set portmode 'v23'), transmit samples are multiplied by this value
option v23_tx_gain '2'
# when used with V.23 modem driver, (set portmode 'v23'), received samples are divided by this value
option v23_rx_loss '1'
# when used with V.23 modem driver, (set portmode 'v23') V.23 modem's
# RTS to CTS delay in milliseconds
option v23_rts_to_cts_delay '20'
# when used with V.23 modem driver, (set portmode 'v23') LIM operation:
# 0=2wire; 1=4wire
option v23_is_four_wire '0'
# when used with V.23 modem driver, (set portmode 'v23'), sets the receive echo suppression timeout in milliseconds
option v23_tx_timeout '20'
# when used with V.23 modem driver, (set portmode 'v23'), time in milliseconds it takes V.23 transmitter to rampdown carrier from peak to zero
option v23_tx_rampdown '30'
# when used with V.23 modem driver, (set portmode 'v23'), sets the maximum transmit fifo fill level in bytes
option v23_tx_maxfill '127'
# when used with V.23 modem driver, (set portmode 'v23'), enables signalling of carrier by sending special characters
option v23_inband_carrier_signalling '0'
# when used with V.23 modem driver, (set portmode 'v23'), this character decimal value signals remote carrier on
option v23_inband_carrier_on_char '255'
# enables HDLC Pseudowire over UDP support (based on RFC4618), if set to 1, also set udpMode 1
option hdlc_pw_enabled 0
# Configures serial transmit log size in bytes and enables transmit data logging. 0=disabled
option serialTxLogSize 0
# Configures serial receive log size in bytes and enables receive data logging. 0=disabled
option serialRxLogSize 0
# bit reverse: 0=normal; 1=reverse
option bit_reverse 0
# v24 dte tt clock invert: 0=normal; 1=invert
option dte_tt_inv 0
# v24 dce tx clock invert: 0=normal; 1=invert
option dce_tclk_inv 0
# v24 dce rx clock invert: 0=normal; 1=invert
option dce_rclk_inv 0
# x21 clock invert: 0=normal; 1=invert
option x21_clk_invert 0
# x21 data delay: 0-7 - delay in local clk or VCO clock cycles
option x21_data_delay 0
# destination peer ip address (two addresses for failover)
option remote_ip1 '10.1.10.211'
option remote_ip2 '0.0.0.0'
# keep TCP session always connected
option tcp_always_on 0
# close TCP session on detection of DSR signal low
option close_tcp_on_dsr 1
# Forwarding timeout in milliseconds (serial to network)
option fwd_timeout 30
# Forwarding buffer size (serial to network)
option fwd_buffer_size 256
# Receive control characters that cause buffer to be forwarded
option rcc_string ''
# serial device speed in baud
option speed 115200
# serial device word size (5,6,7,8)
option wsize 8
# serial device parity (0=none, 1=even, 2=odd)
option parity 0
# serial device number of stop bits (1 or 2)
option stops 1
# serial flow control mode (0=none, 1=RTS CTS, 2=XONXOFF)
option fc_mode 1
# time in milliseconds to start re-connecting after setting DTR low
option disc_time_ms 5000
# TCP server mode
option server_mode 1
# TCP listen port for server mode
option listen_port 999
# UDP mode
option udpMode 0
# UDP port for UDP mode
option udpPort 0
Each Terminal Server port must be associated with a specific serial port device.
For example, you can configure port 1 as:
config tservd port1
# enables this port
option enable 1
# serial device name
option devName '/dev/ttySC1'
….. other options follow ….
26.5 Terminal Server operation
26.5.1 General
The Terminal Server package consists of two binaries:
• tservd – Terminal Server daemon, full path at /usr/sbin/tservd
• tserv – Terminal Server command line interface, path at /usr/sbin/tserv
26.5.2 Starting Terminal Server
By default, if Terminal Server is enabled in /etc/config/tservd, it is started on boot up automatically. To start Terminal Server manually, enter:
/usr/sbin/tservd
26.5.3 Checking the status of Terminal Server
To check if Terminal Server is running, enter: ps | grep tservd
If Terminal Server is running, it will be shown with its process ID. In the following example, the process ID (PID) is 1264:
Figure 88: Output from the command line ps | grep tservd
Alternatively, run: /usr/bin/tserv show stats
If the Terminal Server is running, this command will show the status of each session. If the Terminal Server is not loaded it will return an error.
26.5.4 Stopping Terminal Server
Sometimes it may be necessary to stop Terminal Server, for example if the configuration is changed and it is not desirable to reboot the router.
To stop Terminal Server, enter one of the following:
/usr/bin/tserv quit
kill <PID>, where you obtain the PID by running: ps | grep tser
27 Coova-chilli captive portal
Coova-chilli is an access controller application typically used in Wireless LAN HotSpots, but it can also be used to manage subscriber access via a wired LAN.
The captive portal technique forces an HTTP client, such as a user's web browser on the network, to see a special web page for authentication purposes before using the internet normally.
This is done by intercepting all packets, regardless of address or port, until the user opens a browser and tries to access the internet. At that point the browser is redirected to a web page that requires authentication, displays the acceptable use policy and requires the user to agree to the terms and conditions.
Coova-chilli supports two different access methods for a Wireless LAN HotSpot:
• Universal Access Method (UAM)
• Wireless Protected Access (WPA)
Client authentication is performed by an external radius server or, in a simple setup, by checking against the local users file stored internally on the gateway.
27.1 Coova-chilli Command Line Interface
27.1.1 Main UCI configuration file
Configure Coova-chilli from the command line by editing the file /etc/config/coovachilli.
You must restart the Coova-chilli daemon after saving changes in this configuration file, or reboot the router, for the changes to take effect.
The configuration options are explained below.
27.1.1.1 Section ‘main’
Name | Type | Range | Default | Description
enable | decimal | 0 or 1 | 0 | Globally enables Coova-chilli on the router.
log_severity | decimal | 0 to 7 | 4 | Sets the severity level of messages logged by Coova-chilli into the router's syslog. The decimal values correspond to: 0=Emergency, 1=Alert, 2=Critical, 3=Error, 4=Warning, 5=Notice, 6=Info, 7=Debug. The default setting of 4 enables logging of any messages with severity from 0 (Emergency) to 4 (Warning).
lanif | string | Max 63 bytes | 'ath0' | Subscriber interface for client devices.
network | string | Max 63 bytes | '11.1.0.0' | Hotspot network.
uamlisten | string | Max 63 bytes | '11.1.0.1' | Hotspot IP address (on subscriber network).
uamport | integer | 0 to 65535 | 3990 | Hotspot UAM port (on subscriber network).
uamuiport | integer | 0 to 65535 | 4990 | Hotspot UI port (on subscriber network, for embedded portal).
dns1 | string | Max 63 bytes | '8.8.8.8' | DNS server 1.
dns2 | string | Max 63 bytes | '208.67.220.220' | DNS server 2.
nasid | string | Max 63 bytes | 'nas01' | Radius NAS ID (network access server identifier).
radius | string | Max 63 bytes | 'localhost' | IP address of radius server 1.
radius2 | string | Max 63 bytes | 'localhost' | IP address of radius server 2.
radauth | integer | 0 to 65535 | 1812 | Radius authentication port.
radacct | integer | 0 to 65535 | 1813 | Radius accounting port.
uamallow | string | Max 255 bytes | 'www.coova.org' | Comma separated list of resources the client can access without authenticating (max 255 characters). The values can be domain names, IP addresses or network segments. Example: www.chillispot.org:80,icmp:coova.org
uamallow2 | string | Max 255 bytes | '' | Continuation of the above list of allowed sites; the format is the same as uamallow.
radsecret | string | Max 63 bytes | 'testing123' | Radius shared secret for both radius servers.
uamsecret | string | Max 63 bytes | 'change-me' | Shared secret between uamserver and chilli.
uamaliasname | string | Max 63 bytes | 'chilli' | UAM alias name.
uamserver | string | Max 63 bytes | '11.1.0.1' | The server to be used in combination with uamformat to create the final URL configuration.
uamformat | string | Max 127 bytes | 'http://11.1.0.1:4990/www/login.chi' | Defines the actual captive portal URL.
uamhomepage | string | Max 127 bytes | 'http://11.1.0.1:3990/www/coova.html' | UAM home page URL to redirect unauthenticated users to. If not specified this defaults to uamserver.
uselocalusers | string | 'on' or 'off' | 'on' | Use file /etc/chilli/localusers for authentication of clients.
loc_name | string | Max 63 bytes | 'My HotSpot' | WISPr location name used in portal.
27.2 Configuring Coova-chilli using UCI
You can configure Coova-chilli through the CLI using the UCI command suite.
The configuration file is stored at:
/etc/config/coovachilli
To view the configuration in UCI format, use commands: uci export coovachilli or uci show coovachilli
root@VA_router:~# uci export coovachilli
package coovachilli
config coova-chilli 'main'
option enable '0'
option log_severity '7'
option lanif 'ath0'
option network '11.1.0.0'
option netmask '255.255.255.0'
option uamlisten '11.1.0.1'
option uamport '3990'
option uamuiport '4990'
option dns1 '8.8.8.8'
option dns2 '208.67.220.220'
option nasid 'nas01'
option radius 'localhost'
option radius2 'localhost'
option radauth '1234'
option radacct '4321'
option uamallow 'www.coova.org'
option radsecret 'testing123'
option uamsecret 'change-me'
option uamaliasname 'chilli'
option uamserver '11.1.0.1'
option uamformat 'http://11.1.0.1:4990/www/login.chi'
option uamhomepage 'http://11.1.0.1:3990/www/coova.html'
option uselocalusers 'off'
option mode 'hotspot'
option type 'chillispot'
option wwwdir '/etc/chilli/www'
option wwwbin '/etc/chilli/wwwsh'
option provider 'Coova'
option provider_link 'http://www.coova.org'
option loc_name 'My HotSpot'
root@VA_router:~#
Coova-chilli UCI configuration fields and their descriptions are given in the 'Main UCI configuration file' section above.
To change any of the configuration values enter uci set command, for example: uci set coovachilli.main.enable=1
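The two UCI files shown above, /etc/config/tservd (section 26.4) and /etc/config/coovachilli (section 27.2), use the same config/option syntax, so one parser covers both. The following is an added example in Python, not Virtual Access or Coova code: it parses that syntax and flags the settings from these sections that widen exposure, namely an enabled tservd TCP server bound to the manual's default local_ip 0.0.0.0, TCP keepalives switched off, serial payload logging, debug event logging, and Coova-chilli secrets still at the documented defaults 'change-me' and 'testing123'. The sample configs are constructed from values printed in this manual; the finding texts are my own.

```python
"""UCI config audit for the tservd and Coova-chilli sections of this manual.
Added example: not Virtual Access or Coova code."""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Section:
    """One 'config <type> [name]' stanza and its option lines."""
    stype: str
    name: Optional[str]
    options: dict = field(default_factory=dict)


def _unquote(value: str) -> str:
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def parse_uci(text: str) -> list:
    """Parse 'config ... / option ...' text into Section objects.
    Whole-line '#' comments (the only kind the manual uses) are skipped."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"config\s+(\S+)(?:\s+(.+))?$", line)
        if m:
            current = Section(m.group(1), _unquote(m.group(2)) if m.group(2) else None)
            sections.append(current)
            continue
        m = re.match(r"option\s+(\S+)\s+(.+)$", line)
        if m and current is not None:
            current.options[m.group(1)] = _unquote(m.group(2))
    return sections


def audit_tservd(text: str) -> list:
    """Findings for enabled tservd ports: each one exposes a raw serial line
    on the network with no transport protection of its own."""
    findings = []
    for sec in parse_uci(text):
        if sec.stype == "tservd" and sec.options.get("debug_ev_enable") == "1":
            findings.append("main: debug_ev_enable=1 logs every state change and transfer")
        if sec.stype != "port" or sec.options.get("enable") != "1":
            continue
        opts, name = sec.options, sec.name or "?"
        # 0.0.0.0 is the manual's default for local_ip when the option is absent
        if opts.get("server_mode") == "1" and opts.get("local_ip", "0.0.0.0") == "0.0.0.0":
            findings.append(f"{name}: TCP server listens on all interfaces, port "
                            f"{opts.get('listen_port', '999')}; bind local_ip to the "
                            "management interface or filter the port in the firewall")
        if opts.get("tcp_keepalive_enabled", "1") == "0":
            findings.append(f"{name}: TCP keepalives off; a dead peer keeps the serial port busy")
        if opts.get("serialTxLogSize", "0") != "0" or opts.get("serialRxLogSize", "0") != "0":
            findings.append(f"{name}: serial payload logging enabled; log files hold line data")
    return findings


def audit_coovachilli(text: str) -> list:
    """Findings for Coova-chilli secrets left at the manual's documented defaults."""
    defaults = {"uamsecret": "change-me", "radsecret": "testing123"}
    findings = []
    for sec in parse_uci(text):
        if sec.stype != "coova-chilli":
            continue
        for key, default in defaults.items():
            if sec.options.get(key) == default:
                findings.append(f"{key} still set to the manual's default '{default}'")
        if sec.options.get("log_severity") == "7":
            findings.append("log_severity=7 (Debug) floods syslog; 4 is the documented default")
    return findings


# Constructed samples built from values printed in this manual.
TSERVD_SAMPLE = """\
config tservd main
    option enable 1
    option debug_ev_enable 1
config port 'port1'
    option enable 1
    option devName '/dev/ttySC0'
    option server_mode 1
    option local_ip '0.0.0.0'
    option listen_port 999
    option tcp_keepalive_enabled 0
"""

COOVA_SAMPLE = """\
config coova-chilli 'main'
    option enable '1'
    option log_severity '7'
    option radsecret 'testing123'
    option uamsecret 'change-me'
"""

if __name__ == "__main__":
    for finding in audit_tservd(TSERVD_SAMPLE) + audit_coovachilli(COOVA_SAMPLE):
        print(finding)
```

On the router the same functions can be fed the output of uci export tservd or uci export coovachilli; the parser ignores the package line because it matches neither config nor option.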
28 Event system
Virtual Access routers feature an event system.
The event system allows you to configure the router’s information for efficient control and management of devices.
This section explains how the event system works and how to configure it via UCI.
28.1 Implementation of the event system
The event system is implemented by the va_eventd application.
The va_eventd application defines three types of object:
Forwardings: rules that define what kind of events should be generated. For example, you might want an event to be created when an IPSec tunnel comes up or down.
Targets: define the targets to send the event to. The event may be sent to a target via a syslog message, an SNMP trap or email.
Connection testers: define methods to test that the target is reachable. IP connectivity to a server and link state may be checked prior to sending events.
For example, if you want an SNMP trap to be sent when an IPSec tunnel comes up, you will need to:
• Define a forwarding rule for IPSec tunnel up events
• Set an SNMP manager as the target
• Optionally use a connection tester to ensure the SNMP manager is reachable
28.2 Supported events
Events have a class, a name and a severity. These three properties are used to fine tune which events to report.
28.3 Supported targets
The table below describes the targets currently supported.
Target | Description
Syslog | Event sent to syslog server
Email | Event sent via email
SNMP | Event sent via SNMP trap
Exec | Command executed when event occurs
Table 25: Event system - supported targets
The attributes of a target vary significantly depending on its type.
28.4 Supported connection testers
The table below describes the methods to test a connection that are currently supported:
Type | Description
link | Checks if the interface used to reach the target is up
ping | Pings the target. It then assumes there is connectivity during a configurable amount of time
Table 26: Event system - supported connection tester methods
28.5 Configuring the event system via the web interface
Configuring the event system via the web interface is not currently supported.
28.6 Configuring the event system via UCI
The event system configuration file is stored in:
/etc/config/va_eventd
The configuration is composed of a main section and as many forwardings, targets and connection testers as required.
28.6.1 Main section
config va_eventd main
option enabled yes
option event_queue_file '/tmp/event_buffer'
option event_queue_size 128K
The table below describes main event system parameters:
Name | Type | Required | Default | Description
enabled | Boolean | Yes | Yes | Enable the event system
event_queue_file | Filename | Yes | /tmp/event_buffer | File where the events will be stored before being processed
event_queue_size | String | Yes | 128K | Maximum size of the event queue
Table 27: Event system - global settings description
28.6.2 Forwardings
config forwarding
option enabled no
option className ethernet
option eventName LinkUp
option severity warning-critical
option target syslog1
The table below describes event system forwarding parameters.
Name | Type | Required | Default | Description
enabled | Boolean | Yes | Yes | Enable the event generation
className | String | No | None | Only generate events with the given className
eventName | String | No | None | Only generate events with the given className and the given eventName
severity | String | No | None | Only generate events with a severity in the severity range
target | String | Yes | None | Target to send the event to
Table 28: Event system - forwarding rules settings description
Severity must be a range in the form severity1-severity2. Severity1 and severity2 are a level among debug, info, notice, warning, error, critical, alert, and emergency.
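The forwarding selection described above (className, eventName and a severity1-severity2 range), written out as an added example in Python. It is not the va_eventd implementation; the rule dictionaries mirror the config forwarding options, the class name 'ipsec', the event name 'TunnelUp' and the target names syslog1 and snmp1 are assumptions, and the example goes one step beyond the text by rejecting malformed severity ranges when the rule is loaded.

```python
"""Forwarding-rule selection as the manual describes it: a rule matches an
event when the optional className and eventName agree and the event's
severity lies inside the rule's severity1-severity2 range.
Added example; this is not the va_eventd implementation."""

# Severity levels in ascending order, exactly as the manual lists them.
SEVERITIES = ["debug", "info", "notice", "warning",
              "error", "critical", "alert", "emergency"]


def parse_severity_range(spec: str) -> tuple:
    """'warning-critical' -> (3, 5).  Rejects an unknown level, a missing
    dash and a reversed range so a bad rule fails when loaded instead of
    silently matching nothing."""
    low, dash, high = spec.strip().partition("-")
    if not dash:
        raise ValueError(f"severity must be a range severity1-severity2, got {spec!r}")
    try:
        lo, hi = SEVERITIES.index(low.strip()), SEVERITIES.index(high.strip())
    except ValueError:
        raise ValueError(f"unknown severity level in {spec!r}") from None
    if lo > hi:
        raise ValueError(f"severity range is reversed: {spec!r}")
    return lo, hi


def rule_matches(rule: dict, event: dict) -> bool:
    """Apply one 'config forwarding' section to one event."""
    if rule.get("enabled", "no").lower() not in ("yes", "1", "true"):
        return False
    if "className" in rule and rule["className"] != event["className"]:
        return False
    if "eventName" in rule and rule["eventName"] != event["eventName"]:
        return False
    if "severity" in rule:
        lo, hi = parse_severity_range(rule["severity"])
        if not lo <= SEVERITIES.index(event["severity"]) <= hi:
            return False
    return True


def route(rules: list, event: dict) -> list:
    """Names of the targets that should receive the event, in rule order."""
    return [r["target"] for r in rules if rule_matches(r, event)]


# Constructed rules: the manual's ethernet/LinkUp rule (enabled here) plus
# the IPSec-tunnel-to-SNMP case from the section introduction.  The class
# name 'ipsec' and the target names are assumptions.
RULES = [
    {"enabled": "yes", "className": "ethernet", "eventName": "LinkUp",
     "severity": "warning-critical", "target": "syslog1"},
    {"enabled": "yes", "className": "ipsec", "severity": "debug-emergency",
     "target": "snmp1"},
    {"enabled": "no", "className": "ethernet", "target": "email"},
]

if __name__ == "__main__":
    link_up = {"className": "ethernet", "eventName": "LinkUp", "severity": "warning"}
    print(route(RULES, link_up))                          # ['syslog1']
    print(route(RULES, {**link_up, "severity": "info"}))  # []
    print(route(RULES, {"className": "ipsec", "eventName": "TunnelUp",
                        "severity": "notice"}))           # ['snmp1']
```

A rule with eventName but no className is accepted here and matches on eventName alone; the manual's wording ("the given className and the given eventName") suggests both are normally set together.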
28.6.3 Connection testers
There are two types of connection testers:
• ping connection tester, and
• link connection tester.
28.6.3.1 Ping connection tester
A ping connection tester tests that a connection can be established by sending pings.
If successful, the event system assumes the connection is valid for a configurable amount of time.
config conn_tester
option name pinger
option enabled yes
option type ping
option ping_dest_addr 192.168.0.1
option ping_source eth0
option ping_success_duration_sec 60
The table below describes ping connection tester parameters.
Name | Type | Required | Default | Description
name | String | Yes | None | Name of the target to be used in the target section
enabled | Boolean | Yes | Yes | Enable this connection tester
type | String | Yes | Ping | Must be ping for a ping connection tester
ping_dest_addr | IP Address | Yes | None | IP Address to ping
ping_source | IP Address or String | No | None | Source IP Address of the pings. It can also be an interface name
ping_success_duration_sec | Time in secs | Yes | None | Time the target is considered up for after a successful ping
Table 29: Event system – ping connection tester settings description
28.6.3.2 Link connection tester
A link connection tester tests a connection by checking the status of the interface being used.
config conn_tester
option name t1
option enabled 1
option type link
option link_iface eth0
The table below describes link connection tester parameters.
Name | Type | Required | Default | Description
name | String | Yes | None | Name of the target to be used in the target section
enabled | Boolean | Yes | Yes | Enable this connection tester
type | String | Yes | Link | Must be link for a link connection tester
link_iface | String | Yes | None | Interface name to check
Table 30: Event system – link connection tester settings description
28.6.4 Supported targets
There are four possible targets.
• Syslog target
• Email target
• SNMP target
• Exec target
28.6.4.1 Syslog target
When a syslog target receives an event, it sends it to the configured syslog server.
config target
option name syslog1
option enabled yes
option type syslog
option target_addr "192.168.0.1:514"
option conn_tester t1
The table below describes syslog target parameters.
Name | Type | Required | Default | Description
name | String | Yes | None | Name of the target to be used in the forwarding section
enabled | Boolean | Yes | Yes | Enable this target
type | String | Yes | Syslog | Must be syslog for a syslog target
target_addr | IP Address:Port | Yes | None | IP Address and Port number to send the syslog message to. If no port is given, 514 is assumed
conn_tester | String | No | None | Name of the connection tester to use for this target
Table 31: Event system – syslog target settings description
28.6.4.2 Email target
When an email target receives an event, it sends it to the configured email address.
config target
option name email
option enabled yes
option type email
option conn_tester pinger
option smtp_addr "smtp.site.com:587"
option smtp_user '[email protected]'
option smtp_password 'secret word'
option use_tls 'yes'
option tls_starttls 'yes'
option tls_forcessl3 'yes'
option timeout_sec "10"
option from [email protected]
option to [email protected]
option subject_template "%{severityName} %{eventName}!!!"
option body_template "%{eventName} (%{class}.%{subclass}) happened!"
option conn_tester 'smtp_server'
The table below describes email target parameters.
Name | Type | Required | Default | Description
name | String | Yes | None | Name of the target to be used in the forwarding section
enabled | Boolean | Yes | Yes | Enable this target
type | String | Yes | None | Must be email for an email target
smtp_addr | IP Address:Port | Yes | None | IP Address and port of the SMTP server to use.
smtp_user | String | No | None | Username for SMTP authentication
smtp_password | String | No | None | Password for SMTP authentication
use_tls | Boolean | No | No | Enable TLS support
tls_starttls | Boolean | No | No | Enable STARTTLS support
tls_forcessl3 | Boolean | No | No | Force SSLv3 for TLS
timeout_sec | Time in secs | No | No | Email send timeout
from | Email address | Yes | None | Source email address
to | Email address | Yes | None | Destination email address
subject_template | String | No | None | Template to use for the email subject
body_template | String | No | None | Template to use for the email body
conn_tester | String | No | None | Name of the connection tester to use for this target
Table 32: Event system – email target settings description
28.6.4.3 SNMP target
When an SNMP target receives an event, it sends it in a trap to the configured SNMP manager.
config target
option name snmp
option enabled yes
option type snmptrap
option community public
option target_addr 192.168.0.1
option agent_addr 192.168.0.4
option conn_tester pinger
The table below describes SNMP target parameters.
Name | Type | Required | Default | Description
name | String | Yes | None | Name of the target to be used in the forwarding section
enabled | Boolean | Yes | Yes | Enable this target
type | String | Yes | snmptrap | Must be snmptrap for an SNMP target
community | String | Yes | None | Community name to use to send the trap
target_addr | IP Address | Yes | None | IP Address of the SNMP Manager
agent_addr | IP Address | No | None | IP Address to use as the trap source IP address
conn_tester | String | No | None | Name of the connection tester to use for this target
Table 33: Event system – snmp target settings description
28.6.4.4 Exec target
When an exec target receives an event, it executes a shell command.
config target
option name logit
option enabled yes
option type exec
option cmd_template "logger -t eventer %{eventName}"
The table below describes exec target parameters.
Name | Type | Required | Default | Description
name | String | Yes | None | Name of the target to be used in the forwarding section
enabled | Boolean | Yes | Yes | Enable this target
type | String | Yes | exec | Must be exec for an exec target
cmd_template | String | Yes | None | Template of the command to execute
Table 34: Event system – exec target settings description
28.6.5 Example and export
As an example, the event system is configured to:
• Forward the “l2tp” event “CannotFindTunnel” with a severity between debug and critical to a syslog server
• Forward all “mobile” events with a severity between notice and critical to an SNMP trap manager
• Execute “logger -t eventer %{eventName}” when an “Ethernet” event occurs
• Forward all “auth” events via email
• Connection to the SNMP and syslog server is checked by sending pings
• Connection to the smtp server is verified by checking the state of “eth0”
To view the configuration file, enter: uci export va_eventd
root@test:~# uci export va_eventd
package va_eventd
config va_eventd 'main'
option enabled 'yes'
option event_queue_file '/tmp/event_buffer'
option event_queue_size '128K'
config forwarding
option enabled 'yes'
option className 'l2tp'
option eventName 'CannotFindTunnel'
option severity 'debug-critical'
option target 'syslog'
config forwarding
option enabled 'yes'
option className 'mobile'
option severity 'notice-critical'
option target 'snmp'
config forwarding
option enabled 'yes'
option className 'ethernet'
option target 'logit'
config forwarding
option enabled 'yes'
option className 'auth'
option target 'email'
config conn_tester
option name 'mon_server'
option enabled '1'
option type 'ping'
option ping_dest_addr '192.168.100.254'
option ping_source 'eth0'
option ping_success_duration_sec '10'
config conn_tester
option name 'smtp_server'
option enabled '1'
option type 'link'
option link_iface 'eth0'
config target
option name 'syslog'
option enabled 'yes'
option type 'syslog'
option target_addr '192.168.100.254:514'
option conn_tester 'mon_server'
config target
option name 'email'
option enabled 'yes'
option type 'email'
option smtp_addr '89.101.154.148:465'
option smtp_user '[email protected]'
option smtp_password '******'
option use_tls 'yes'
option tls_starttls 'no'
option tls_forcessl3 'no'
option timeout_sec '10'
option from '[email protected]'
option to '[email protected]'
option subject_template '%{severityName} %{eventName}!!!'
option body_template '%{eventName} (%{class}.%{subclass}) happened!'
option conn_tester 'smtp_server'
config target
option name 'snmp'
option enabled 'yes'
option type 'snmptrap'
option community 'public'
option target_addr '192.168.100.254'
option agent_addr '192.168.100.1'
option conn_tester 'mon_server'
config target
option name 'logit'
option enabled 'yes'
option type 'exec'
option cmd_template 'logger -t eventer %{eventName}'
To view UCI commands, enter: uci show va_eventd
root@test:~# uci show va_eventd
va_eventd.main=va_eventd
va_eventd.main.enabled=yes
va_eventd.main.event_queue_file=/tmp/event_buffer
va_eventd.main.event_queue_size=128K
va_eventd.@forwarding[0]=forwarding
va_eventd.@forwarding[0].enabled=yes
va_eventd.@forwarding[0].className=l2tp
va_eventd.@forwarding[0].eventName=CannotFindTunnel
va_eventd.@forwarding[0].severity=debug-critical
va_eventd.@forwarding[0].target=syslog
va_eventd.@forwarding[1]=forwarding
va_eventd.@forwarding[1].enabled=yes
va_eventd.@forwarding[1].className=mobile
va_eventd.@forwarding[1].severity=notice-critical
va_eventd.@forwarding[1].target=snmp
va_eventd.@forwarding[2]=forwarding
va_eventd.@forwarding[2].enabled=yes
va_eventd.@forwarding[2].className=ethernet
va_eventd.@forwarding[2].target=logit
va_eventd.@forwarding[3]=forwarding
va_eventd.@forwarding[3].enabled=yes
va_eventd.@forwarding[3].className=auth
va_eventd.@forwarding[3].target=email
va_eventd.@conn_tester[0]=conn_tester
va_eventd.@conn_tester[0].name=mon_server
va_eventd.@conn_tester[0].enabled=1
va_eventd.@conn_tester[0].type=ping
va_eventd.@conn_tester[0].ping_dest_addr=192.168.100.254
va_eventd.@conn_tester[0].ping_source=eth0
va_eventd.@conn_tester[0].ping_success_duration_sec=10
va_eventd.@conn_tester[1]=conn_tester
va_eventd.@conn_tester[1].name=smtp_server
va_eventd.@conn_tester[1].enabled=1
va_eventd.@conn_tester[1].type=link
va_eventd.@conn_tester[1].link_iface=eth0
va_eventd.@target[0]=target
va_eventd.@target[0].name=syslog
va_eventd.@target[0].enabled=yes
va_eventd.@target[0].type=syslog
va_eventd.@target[0].target_addr=192.168.100.254:514
va_eventd.@target[0].conn_tester=mon_server
va_eventd.@target[1]=target
va_eventd.@target[1].name=email
va_eventd.@target[1].enabled=yes
va_eventd.@target[1].type=email
va_eventd.@target[1].smtp_addr=89.101.154.148:465
va_eventd.@target[1].smtp_user=[email protected]
va_eventd.@target[1].smtp_password=******
va_eventd.@target[1].use_tls=yes
va_eventd.@target[1].tls_starttls=no
va_eventd.@target[1].tls_forcessl3=no
va_eventd.@target[1].timeout_sec=10
va_eventd.@target[1].from=[email protected]
va_eventd.@target[1].to=[email protected]
va_eventd.@target[1].subject_template=%{severityName} %{eventName}!!!
va_eventd.@target[1].body_template=%{eventName} (%{class}.%{subclass}) happened!
va_eventd.@target[1].conn_tester=smtp_server
va_eventd.@target[2]=target
va_eventd.@target[2].name=snmp
va_eventd.@target[2].enabled=yes
va_eventd.@target[2].type=snmptrap
va_eventd.@target[2].community=public
va_eventd.@target[2].target_addr=192.168.100.254
va_eventd.@target[2].agent_addr=192.168.100.1
va_eventd.@target[2].conn_tester=mon_server
va_eventd.@target[3]=target
va_eventd.@target[3].name=logit
va_eventd.@target[3].enabled=yes
va_eventd.@target[3].type=exec
va_eventd.@target[3].cmd_template=logger -t eventer %{eventName}
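As an added example (not code from the manual or from Virtual Access), the following Python models how the forwarding rules above select their targets and how the %{...} templates of the email and exec targets are expanded. It assumes that severity names follow the standard syslog order (emergency, alert, critical, error, warning, notice, info, debug), that a severity range such as notice-critical is inclusive at both ends, and that a rule without eventName matches every event of its class; the shell quoting applied to the exec cmd_template is a defensive step added here, since the page does not say how va_eventd treats substituted values.

```python
"""Model of va_eventd forwarding and template expansion (added illustration,
not Virtual Access code). Severity order, inclusive ranges and the
quoting of exec templates are assumptions, see the lead-in."""
import re
import shlex

# Syslog severities, most severe first (assumption).
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "info", "debug"]

# Constructed subset of the manual's example (uci export va_eventd above).
FORWARDING = [
    {"className": "l2tp", "eventName": "CannotFindTunnel",
     "severity": "debug-critical", "target": "syslog"},
    {"className": "mobile", "severity": "notice-critical", "target": "snmp"},
    {"className": "ethernet", "target": "logit"},
    {"className": "auth", "target": "email"},
]
TARGETS = {
    "syslog": {"type": "syslog", "target_addr": "192.168.100.254:514"},
    "snmp": {"type": "snmptrap", "target_addr": "192.168.100.254"},
    "logit": {"type": "exec", "cmd_template": "logger -t eventer %{eventName}"},
    "email": {"type": "email",
              "subject_template": "%{severityName} %{eventName}!!!",
              "body_template": "%{eventName} (%{class}.%{subclass}) happened!"},
}


def severity_in_range(severity, range_spec):
    """True if severity lies within 'low-high', e.g. 'notice-critical'.
    A missing range (rule without 'severity') matches every severity."""
    if not range_spec:
        return True
    low, high = range_spec.split("-", 1)
    idx = SEVERITIES.index
    # SEVERITIES is most-severe-first, so the 'low' end has the larger index.
    return idx(high) <= idx(severity) <= idx(low)


def matching_targets(event, rules=FORWARDING):
    """Names of the targets whose enabled forwarding rule matches the event."""
    hits = []
    for rule in rules:
        if rule.get("enabled", "yes") != "yes":
            continue
        if rule["className"] != event["class"]:
            continue
        if "eventName" in rule and rule["eventName"] != event["eventName"]:
            continue
        if not severity_in_range(event["severityName"], rule.get("severity")):
            continue
        hits.append(rule["target"])
    return hits


_TOKEN = re.compile(r"%\{(\w+)\}")


def render(template, event, quote=False):
    """Expand %{field} tokens from the event dictionary. With quote=True each
    substituted value is shell-escaped, the safe way to build a command line
    from an exec target's cmd_template when event fields are not trusted."""
    def sub(match):
        value = str(event.get(match.group(1), ""))
        return shlex.quote(value) if quote else value
    return _TOKEN.sub(sub, template)


def deliver(event):
    """What each matching target would emit for the event, keyed by name."""
    out = {}
    for name in matching_targets(event):
        tgt = TARGETS[name]
        if tgt["type"] == "exec":
            out[name] = render(tgt["cmd_template"], event, quote=True)
        elif tgt["type"] == "email":
            out[name] = (render(tgt["subject_template"], event),
                         render(tgt["body_template"], event))
        else:
            out[name] = tgt["target_addr"]   # syslog and snmptrap: destination
    return out


if __name__ == "__main__":
    sample = {"class": "auth", "subclass": "local",
              "eventName": "LoginFailed", "severityName": "notice"}
    print(deliver(sample))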
29 Configuring SLA reporting on Monitor
29.1 Introduction
This section describes how to configure and view SLA reporting on Monitor, the
Virtual Access monitoring system. It also explains how to configure the scheduler task that is placed on the router to upload SLA statistics.
The Virtual Access Monitor system provides:
• centralised access to router connectivity status,
• access to advanced router diagnostic tools, and
• access to SLA Report Management.
The SLA Report Manager can build reports from a list of selected routers presenting a range of statistics over extended periods of time, including:
• Availability
• Latency
• Packet loss
• 3G signal strength
29.2 Configuring SLA reporting
To configure SLA reporting on Monitor, you must first add a content template and then build an SLA report based on it. A content template allows you to enable and configure report elements that you can then add to an SLA report.
When you have added a content template, you can then add an SLA report.
29.2.1 Configuring a content template
Click Settings on the Monitor home page. The settings page appears.
Figure 89: The settings page on Monitor
In the top menu, select SLA Reporting ->Content Templates. Then click
Create. The Add/Edit Content Template page appears.
Figure 90: The add/edit content template
Enter a relevant name and description and then add values from the drop-down menu or enter values for the parameters shown in the table below.
Parameter | Description/Default | Options
Select data | Report element to display data on. | Average Latency, Average Packet Loss, Average Availability, Average Connection Strength, Max Latency, Max Packet Loss, Max Availability, Max Connection Strength
Select roll up scope | Scope rollup period | Year, Month, Week, Day, Hour, Minute, Second
Select range scope | Range of scope | Year, Month, Week, Day, Hour, Minute, Second
Is this data to be graphical? | To display elements as graphs | Tick or no tick
Upper data value limit | Infinity | Integer
Lower data value limit | -Infinity | Integer
Present data per site? | | Tick or no tick
Present data as a percentage? | | Tick or no tick
Table 35: Parameters for content template
If you want the data to be displayed as graphical, click the Is this data to be
graphical? checkbox.
Enter relevant parameters for upper and lower data limits. The default is + and
– infinity.
If you require, click the Present data per site? checkbox and the Present
data as a percentage? checkbox.
You must add the content template parameters for each report element.
The figure below details the settings required for Avg Latency data.
Figure 91: Example of Avg latency parameters
When you have entered all the parameters you require, click Add data set.
Repeat the process for Avg Connection strength, Avg Packetloss and Avg
Latency.
The template will build as shown in the figure below. The example graphs average latency, connection strength, and packet loss, with a roll up period set per hour and a range scope set per day.
Figure 92: Example content template
29.3 Adding an SLA report
When you have configured a content template, you can add an SLA report.
In the top menu, click SLA Reporting -> REPORTS. Then click Create. The
Add SLA Report page appears.
Figure 93: The add SLA report page
Enter the relevant parameters.
Parameter | Description | Options
Report Name | Name of report |
Frequency of report | How often a report is generated | once off, hourly, daily or weekly
Initial print time | Initial start time |
Valid statistic time | Window of time to report | 0 – 24 hours
Reseller & devices available | To select resellers and devices | From Monitor database
Reseller & devices included | Display added resellers or devices |
Content template | Content template that report is based on |
Table 36: Parameters for adding an SLA report
The figure below shows an example of a SLA report with two devices.
Figure 94: An example SLA report showing two devices
Note: for this report two routers have been added. When you have configured the SLA Report, Monitor will periodically access the router, every hour, and initiate a ‘create scheduled task’ on the router. This task tells the router to upload SLA statistics to Monitor. If Monitor is unable to schedule a task due to an outage, it will attempt to connect to the router again when the connection is back up.
29.4 Viewing an SLA report
To view an SLA report, access any router on Monitor that has been added to the
SLA report.
Click SLA Reporting.
Select the relevant report in the drop down menu and select a date.
Figure 95: The generate SLA report page
Click Generate and the report will open.
Report: SLA_Test_Report1
(Date 18/7/2012 Hours of operation: 08:00 - 19:00)
Figure 96: Example of SLA report output
29.5 Viewing automated SLA reports
An automated version of this report is stored in the database and you can access it through any router assigned to the report.
To view these reports access any router assigned to the report.
Select the relevant report. A list of downloadable PDFs appears.
Figure 97: Example of an automated report
To view a report, click Download in the report’s row. A PDF version of the report appears.
29.6 Configuring router upload protocol
The protocol the router uses to upload the files is set for each device on Monitor.
Edit a device and from the Activator upload protocol drop-down menu, select the desired protocol and enter in the relevant TFTP Server Address and then enter the TFTP Server Port number to match.
Figure 98: The upload protocol parameters
30 Configuring SLA for a router
SLA reporting works in two parts:
• The Virtual Access Monitor system server connects via SSH into the router and schedules the task of uploading statistics to Monitor.
• The Virtual Access router monitors UDP keepalive packets. It creates and stores statistics in bins. These statistics are uploaded every hour to the
Monitor server.
Figure 99: The SLA function
This section describes how to configure SLA on a router. For information on how to configure Monitor for SLA reporting read the previous section ‘Configuring SLA on Monitor’.
30.1 Configuring SLA for a router via the web interface
Login to the web interface using your login credentials.
In the top menu, select Services -> SLA Daemon. The SLA Daemon page appears.
Figure 100: The SLA daemon page
In the Basic Settings section, click Add. The basic settings section for SLA
Daemon appears.
Figure 101: The SLA daemon page
Check Enable.
In the Timeout for Roundtrip Timeout field, type in a time.
Select an interface on which traffic should be monitored.
Specify a destination IP address for the keepalive packets that are originated on the LAN.
Specify a destination UDP port for the keepalive packets that are originated on the LAN.
Scroll down to the Advanced Settings section.
In the Bin Restart Period field, type in a bin collection time.
In the Max Bin count field, type the maximum number of Bins stored on a router.
Name | Type | Required | Default | Description
Enable | Check box | Yes | None | Enables the SLA daemon.
Roundtrip Timeout (ms) | Integer | Yes | None | Specifies the time in milliseconds after which an unanswered packet is considered lost.
Interface | Radio button menu | Yes | None | Specifies the interface on which traffic should be monitored.
Destination Host IP Address | IPv4 address | Yes | None | Specifies the destination IP address for the keepalive packets that are originated on the LAN.
Destination UDP port | Integer | Yes | None | Specifies the destination UDP port.
Bin Restart Period (ms) | Integer | Yes | None | Specifies how long one bin collects information.
Max Bin Count | Integer | Yes | None | Specifies how many bins are in the queue. After all empty bins are used, new information is put in the oldest bin.
When you have made all your configuration changes, click Save & Apply.
30.2 Configuring SLA for a router via UCI interface
You can also configure SLA through the CLI using the UCI command suite.
The configuration file is stored at:
/etc/config/slad
To view the configuration file, enter: uci export slad or uci show slad
uci export slad
package slad
config slad 'main'
option enable 'yes'
option roundtrip_timeout_msec '5000'
option interface 'lan'
option destination_host_ip_address '10.1.1.2'
option destination_udp_port '53'
option bin_restart_period_msec '3600000'
option max_bin_count '73'
uci show slad
slad.main=slad
slad.main.enable=yes
slad.main.roundtrip_timeout_msec=5000
slad.main.interface=lan
slad.main.destination_host_ip_address=10.1.1.2
slad.main.destination_udp_port=53
slad.main.bin_restart_period_msec=3600000
slad.main.max_bin_count=73
30.3 SLA statistics
Type the command line sla to show all available statistic options.
Figure 102: Output from the command line sla
Option | Description
current | Shows current sla bin
all | Shows all bins stored on the router
oldest | Shows the oldest sla bin stored
newest | Shows two newest valid bins
newest N | Shows the newest valid bin
range YYYYMMDDHH-YYYYMMDDHH | Shows all bins that match the specified time range
Type the command sla current to show current statistics.
Figure 103: Output from the command line sla current
Type the command sla newest to show the newest statistics.
Figure 104: Output from the command line sla newest
31 Diagnostics
31.1 ADSL diagnostics
31.1.1 ADSL PPPoA connections
To check the status of an ADSL line, in the top menu, select Status -> ADSL
Status. The ADSL Status page appears.
Figure 105: The ADSL status page
To check the IP address and the transmit and receive counters of an ADSL interface, in the top menu, select Network -> Interfaces. The Interface Overview page appears.
Figure 106: The interfaces overview page
31.1.2 ADSL PPPoEoA connections
To check the status of an ADSL line, in the top menu, select Status -> ADSL
Status. The ADSL Status page appears.
Figure 107: The ADSL status page
To check the IP address and the transmit and receive counters of an ADSL interface, in the top menu, select Network -> Interfaces. The Interface Overview page appears.
Figure 108: The interfaces overview page
31.1.3 ADSL bridge connections
To check the status of an ADSL line, in the top menu, select Status -> ADSL
Status. The ADSL Status page appears.
Figure 109: The ADSL status page
To check the IP address and the transmit and receive counters of an ADSL interface, in the top menu, select Network -> Interfaces. The Interface Overview page appears.
Figure 110: The interfaces overview page
31.2 ALL diagnostics
The ‘va5420_stats /dev/ttyLC0’ command provides statistical information about the operation of the interface. Here is an example:
root@VA_router:~# va5420_stats /dev/ttyLC0
TRANSMIT STATS
tx bytes 566600
tx buffer full counts 0
tx underruns 0
tx discards 0
RECEIVE STATS
rx bytes 566988
rx overruns 0
rx discards 0
V.23 MODE STATS
rx bytes 0
tx bytes 0
rx samples 0
tx samples 0
rx carrier on 0
tx carrier on 0
You can reset the statistical information using ‘va5420_stats_reset /dev/ttyLC0’.
The example below shows the command ‘va5420_status /dev/ttyLC0’; it displays status information about the device.
root@VA_router:~# va5420_status /dev/ttyLC0
Mode: Transparent
Wire mode: 2-wire
PCM Encoding: A-Law
31.3 Automatic operator selection diagnostics via the web interface
31.3.1 Checking the status of the Multi-WAN package
When interfaces are auto created they are presented in the network and in the
Multi-WAN package.
To check interfaces created in the Multi-WAN package, from the top menu, select
Network -> Multi-WAN.
To check interfaces that have been created in the network package, from the top menu, select Network -> Interfaces.
Figure 111: The interface overview page
To check the status of the interface you are currently using, in the top menu, click Status. The Interface Status page appears.
Scroll down to the bottom of the page to view Multi-WAN Stats.
Figure 112: The status page: multi-WAN status section page
31.4 Automatic operator selection diagnostics via UCI
To check interfaces created in the multi-WAN package, enter: cat /var/const_state/multiwan
Figure 113: Output from the command: cat /var/const_state/multiwan
To check interfaces created in the network package, enter: cat /var/const_state/network
To check the status of the interface you are currently using, enter: cat /var/const_state_/mobile
Figure 114: Output from the command cat /var/const_state_/mobile
31.5 CESoPSN diagnostics
CESoPSN uses one package - cesopd. To view the CESoPSN configuration:
root@VA_router:~# uci export cesopd
package cesopd
config cesopd 'main'
option log_severity '5'
option enable '1'
config port 'Port1'
option enable '1'
option devname 'ttyLC0'
…..
The cesop command provides several options to investigate the operation of the
CESoPSN service. The output provided by these commands will allow the Virtual
Access support team to assist you.
cesop show all - show all
cesop show config - show configuration
cesop show status - show status
cesop show stats - show statistics
cesop clear stats - clear statistics
31.5.1 cesop show config
To show the currently running configuration, enter:
root@VA_router:~# cesop show config
Main Config
-----------
enable : 1
nodaemon : 0
debug_enabled : 0
log_severity : 5
schedule_mode : 1
schedule_priority : 10
Port 1 config
--------------------
cardType : Single AAL card
enable : 1
clock_recovery_enabled : 1
clock_recovery_debug : 0
remote_loopback : 0
udp_local_ipaddr : 0.0.0.0
udp_local_port : 5152
udp_remote_ipaddr : 10.1.42.63
udp_remote_port : 5152
rtp_payload_type : 96
packetization_latency : 5
rx_jitter_buffer_enabled : 0
rx_jitter_buffer_size_ms : 24
app_bit_reverse : 0
app_rx_shift : 0
devname : ttyLC0
bypass : 0
local_loopback : 0
dce : 1
rate : 64000
ext_clock : 0
fifo_irq_level : 1
bit_reverse : 0
dte_tt_inv : 0
dce_tclk_inv : 0
dce_rclk_inv : 0
x21_clk_invert : 0
x21_data_delay : 0
x21_use_vco : 0
all_four_wire_mode : 0
all_pcm_encoding : alaw
all_rx_attenuator_enabled : 1
all_rx_analogue_gain_enabled : 0
all_tx_analogue_loss_enabled : 0
all_rx_digital_gain : 0
all_tx_digital_loss : 0
tdm_intvl_ms : 2
31.5.2 cesop show status
To show the current operating status, enter:
root@VA_router:~# cesop show status
Clock status
------------
clockRecHwPresent 1
dacOutputVoltage 1661174
lastFscCount 14195832
Port 1 protocol status
----------------------
remoteIpAddress 10.1.42.63
remotePort 5152
rxPayloadType 96
rxSegmentSize 40
rxSsrc 451d
rxLBit 0
rxRBit 0
rxMBits 0
rxTdmPayload [D5][D5]...
txPayloadType 96
txSegmentSize 40
txSsrc 89298337
txLBit 0
txRBit 0
txMBits 0
txTdmPayload [D5][D5]...
31.5.3 cesop show stats
To view statistical information about the CESoPSN service, enter cesop show stats.
root@VA_router:~# cesop show stats
Port 1 serial statistics
------------------------
reads 476840
readEmpties 0
readFails 0
writes 476889
writeFails 0
writeShorts 0
txBytes 19075560
rxBytes 19075560
Port 1 UDP statistics
---------------------
txFrames 476889
txBytes 26705784
txFails 0
rxFrames 476889
rxBytes 26705784
rxFails 0
rxAddressErrs 0
Port 1 Protocol statistics
--------------------------
rxHeaderErrs 0
rxOutOfOrder 0
rxTdmLenErrs 0
txTdmLenErrs 0
Clock recovery statistics
-------------------------
packetLossCount 0
clockChanges 90
31.5.4 cesop clear stats
To reset the statistical counters, enter:
root@VA_router:~# cesop clear stats
cesopd stats cleared.
31.6 DMVPN diagnostics
In the top menu, click Status -> IPSec. The IPSec Connections page appears.
Figure 115: The IPSec connections page
In the Name column, the syntax contains the IPSec Name defined in package dmvpn and the remote IP address of the hub, or the spoke separated by an underscore; for example, dmvpn_213.233.148.2.
To check the status of DMVPN, in the top menu, click Status -> DMVPN.
Figure 116: The NBMA peers page
NBMA Address: Public IP address of the peer.
Interface: Interface name.
Address: Tunnel IP address of the remote node.
Type: Spoke is presented if it is reachable. Hub is known regardless of its reachability. There are two hub statuses: ‘hub’ and ‘dead hub’.
Table 37: NBMA peers columns and their descriptions
You can check IPSec status using uci commands.
root@GW202x:~# ipsec status
Security Associations (1 up, 0 connecting):
dmvpn_89_101_154_151[1]: ESTABLISHED 2 hours ago, 10.68.234.133[10.68.234.133]...89.101.154.151[89.101.154.151]
dmvpn_89_101_154_151{1}: REKEYING, TRANSPORT, expires in 55 seconds
dmvpn_89_101_154_151{1}: 10.68.234.133/32[gre] === 192.168./32[gre]
dmvpn_89_101_154_151{1}: INSTALLED, TRANSPORT, ESP in UDP SPIs: cca7b970_i d874dc90_o
dmvpn_89_101_154_151{1}: 10.68.234.133/32[gre] === 89.101.154.151/32[gre]
You can check DMVPN status using uci commands.
:~# opennhrpctl show
Status: ok
Interface: gre-GRE
Type: local
Protocol-Address: 11.11.11.7/32
Alias-Address: 11.11.11.3
Flags: up
Interface: gre-GRE
Type: local
Protocol-Address: 11.11.11.3/32
Flags: up
Interface: gre-GRE
Type: cached
Protocol-Address: 11.11.11.2/32
NBMA-Address: 178.237.115.129
NBMA-NAT-OA-Address: 172.20.38.129
Flags: used up
Expires-In: 0:18
Interface: gre-GRE
Type: static
Protocol-Address: 11.11.11.1/29
NBMA-Address: 89.101.154.151
Expires-In
Flags: up
The above command output is explained in the table below.
Interface: Interface name taken from package network.
Type:
  incomplete - Resolution request sent.
  negative - Negative cached.
  cached - Received/relayed resolution reply.
  shortcut_route - Received/relayed resolution for route.
  dynamic - NHC registration.
  dynamic_nhs - Dynamic NHS from dns-map.
  static - Static mapping from config file.
  dynamic_map - Static dns-map from config file.
  local_route - Non-local destination, with local route.
  local_addr - Local destination (IP or off-NBMA subnet).
Protocol-Address: Tunnel IP address.
NBMA-Address: Pre-NAT IP address if NBMA-NAT-OA-Address is present, or real address if NAT is not present.
NBMA-NAT-OA-Address: Post-NAT IP address. This field is present when the address is translated in the network.
Expires-In: Expiration time.
Flags:
  up - Can send all packets (registration ok).
  unique - Peer is unique.
  used - Peer is in kernel ARP table.
  lower-up - opennhrp script executed successfully.
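As an added example (not part of this manual or of the router firmware), the following Python script parses opennhrpctl show output of the form listed above into one record per entry and applies the checks a monitoring job would run against it: which remote peers hold a mapping flagged up, which cached entries are close to expiring, and which resolutions are still incomplete or negative. The sample output is constructed from the entries shown above plus one made-up incomplete entry; the Expires-In value is converted to seconds.

```python
"""Parse `opennhrpctl show` output and summarise NHRP peer state.

Added example, not part of the GW1000 firmware. It reads the key/value
blocks printed by opennhrpctl (entries separated by blank lines) and
reports usable peers, expiring cache entries and unresolved peers.
"""

# Constructed sample, modelled on the output in the manual; the last
# 'incomplete' entry is made up to exercise the unresolved() check.
SAMPLE_SHOW = """\
Status: ok

Interface: gre-GRE
Type: local
Protocol-Address: 11.11.11.3/32
Flags: up

Interface: gre-GRE
Type: cached
Protocol-Address: 11.11.11.2/32
NBMA-Address: 178.237.115.129
NBMA-NAT-OA-Address: 172.20.38.129
Flags: used up
Expires-In: 0:18

Interface: gre-GRE
Type: static
Protocol-Address: 11.11.11.1/29
NBMA-Address: 89.101.154.151
Flags: up

Interface: gre-GRE
Type: incomplete
Protocol-Address: 11.11.11.9/32
Flags:
"""

REMOTE_TYPES = ("cached", "static", "dynamic", "dynamic_nhs")


def parse_opennhrp_show(text):
    """Return (status, entries). Each entry is a dict of the printed fields;
    Flags becomes a set of flag names and Expires-In a number of seconds."""
    status = None
    entries = []
    current = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line closes an entry
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Status":
            status = value
        elif key == "Flags":
            current["Flags"] = set(value.split())
        elif key == "Expires-In":         # printed as M:SS
            mins, secs = value.split(":")
            current["Expires-In"] = int(mins) * 60 + int(secs)
        else:
            current[key] = value
    if current:
        entries.append(current)
    return status, entries


def usable_peers(entries):
    """NBMA addresses of remote peers whose mapping carries the 'up' flag."""
    return sorted(e["NBMA-Address"] for e in entries
                  if e.get("Type") in REMOTE_TYPES
                  and "up" in e.get("Flags", set())
                  and "NBMA-Address" in e)


def expiring_soon(entries, threshold_s=60):
    """Protocol addresses of cached entries that expire within threshold_s."""
    return [e["Protocol-Address"] for e in entries
            if e.get("Expires-In", float("inf")) <= threshold_s]


def unresolved(entries):
    """Protocol addresses still waiting on, or refused, a resolution."""
    return [e["Protocol-Address"] for e in entries
            if e.get("Type") in ("incomplete", "negative")]


if __name__ == "__main__":
    status, entries = parse_opennhrp_show(SAMPLE_SHOW)
    print("status:", status)
    print("usable peers:", usable_peers(entries))
    print("expiring soon:", expiring_soon(entries))
    print("unresolved:", unresolved(entries))
```

On the router the same functions would be fed the real output, for example with subprocess.run(["opennhrpctl", "show"], capture_output=True, text=True).stdout, and a peer disappearing from usable_peers() or appearing in unresolved() is the condition worth alerting on.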
31.7 File system diagnostics
The standard Linux directories on the router, such as /bin, /etc and /usr, are in a ramdisk. Any changes you make to them will be lost on reboot.
Store anything that needs to survive reboot in flash.
There is a UBIFS (flash) file system mounted on /etc. Configuration files, keys and certificates are stored there so that they survive reboot. Normally it is not necessary to store any other files in flash. One exception, for example, is a banner file for logins.
31.8 Firewall diagnostics
The router's OS relies on netfilter for packet filtering, NAT and mangling. The UCI Firewall provides a configuration interface that abstracts from the iptables system to provide a simplified configuration model that is fit for most regular purposes, while allowing the user to supply their own iptables rules when needed.
The firewall section is its own package located within /etc/config/firewall.
Below is an example of a firewall section.
root@VA_router:~# uci export /etc/config/firewall
package firewall
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
config zone
	option name 'lan'
	option network 'lan'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option family 'any'
	option conntrack '0'
config zone
	option name 'wan_interface'
	option network 'wan_interface'
	option masq '1'
	option mtu_fix '1'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option family 'any'
	option conntrack '0'
	option input 'ACCEPT'
config forwarding
	option src 'lan'
	option dest 'wan_interface'
	option family 'any'
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan_interface'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'
config rule
	option name 'allow dns'
	option src 'wan_interface'
	option proto 'tcp'
	option dest_port '53'
	option target 'ACCEPT'
	option family 'ipv4'
config rule
	option name 'Allow-Ping'
	option src 'wan_interface'
	option proto 'icmp'
	option target 'ACCEPT'
	option family 'ipv4'
	list icmp_type 'echo-request'
config rule
	option name 'SNMP-trap'
	option src 'wan_interface'
	option proto 'udp'
	option dest_port '162'
	option target 'ACCEPT'
	option family 'ipv4'
config rule
	option name 'Allow-DHCPv6'
	option src 'wan_interface'
	option src_ip 'fe80::/10'
	option src_port '547'
	option proto 'udp'
	option dest_ip 'fe80::/10'
	option dest_port '546'
	option target 'ACCEPT'
	option family 'ipv6'
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan_interface'
	option proto 'icmp'
	option target 'ACCEPT'
	option family 'ipv6'
	option limit '1000/sec'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan_interface'
	option proto 'icmp'
	option dest '*'
	option target 'ACCEPT'
	option family 'ipv6'
	option limit '1000/sec'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
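As an added example (not part of this manual or of the router firmware), the following Python script parses the uci export text format shown above (config, option and list lines) and reports the policy choices a reviewer checks first when a router has a WAN-facing port: ACCEPT default policies, a masquerading (WAN-facing) zone whose input or forward policy is ACCEPT, and every rule that accepts traffic from such a zone. The sample export is constructed, shortened from the one above; the severity labels are the script's own.

```python
"""Audit a `uci export firewall` dump for permissive settings.

Added example, not part of the GW1000 firmware. It parses the UCI text
format and returns findings as (severity, message) tuples.
"""
import re

# Constructed sample, shortened from the export in the manual.
SAMPLE_EXPORT = """\
package firewall

config defaults
\toption syn_flood '1'
\toption input 'ACCEPT'
\toption output 'ACCEPT'
\toption forward 'ACCEPT'

config zone
\toption name 'lan'
\toption network 'lan'
\toption input 'ACCEPT'
\toption forward 'ACCEPT'
\toption output 'ACCEPT'

config zone
\toption name 'wan_interface'
\toption network 'wan_interface'
\toption masq '1'
\toption mtu_fix '1'
\toption input 'ACCEPT'
\toption forward 'ACCEPT'
\toption output 'ACCEPT'

config forwarding
\toption src 'lan'
\toption dest 'wan_interface'

config rule
\toption name 'SNMP-trap'
\toption src 'wan_interface'
\toption proto 'udp'
\toption dest_port '162'
\toption target 'ACCEPT'

config rule
\toption name 'Allow-Ping'
\toption src 'wan_interface'
\toption proto 'icmp'
\toption target 'ACCEPT'
\tlist icmp_type 'echo-request'
"""

# `config <type> ['name']`, `option <key> '<value>'`, `list <key> '<value>'`
_SECTION = re.compile(r"^config\s+(\S+)(?:\s+'([^']*)')?\s*$")
_ENTRY = re.compile(r"^(option|list)\s+(\S+)\s+'([^']*)'\s*$")


def parse_uci(text):
    """Return sections as dicts with type, name, options and lists."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("package "):
            continue
        m = _SECTION.match(line)
        if m:
            current = {"type": m.group(1), "name": m.group(2) or "",
                       "options": {}, "lists": {}}
            sections.append(current)
            continue
        m = _ENTRY.match(line)
        if m and current is not None:
            kind, key, value = m.groups()   # value kept verbatim, quotes removed
            if kind == "option":
                current["options"][key] = value
            else:
                current["lists"].setdefault(key, []).append(value)
    return sections


def audit_firewall(sections):
    """Flag ACCEPT policies on defaults and masquerading zones, and list
    every rule that accepts traffic arriving from a masquerading zone."""
    findings = []
    wan_zones = set()
    for s in sections:
        opts = s["options"]
        if s["type"] == "defaults":
            for chain in ("input", "forward"):
                if opts.get(chain, "").upper() == "ACCEPT":
                    findings.append(("high", f"defaults: {chain} policy is ACCEPT"))
        elif s["type"] == "zone" and opts.get("masq") == "1":
            zone = opts.get("name", s["name"] or "?")
            wan_zones.add(zone)
            for chain in ("input", "forward"):
                if opts.get(chain, "").upper() == "ACCEPT":
                    findings.append(("high", f"zone {zone}: {chain} policy is ACCEPT on a masquerading zone"))
    for s in sections:
        opts = s["options"]
        if (s["type"] == "rule" and opts.get("src") in wan_zones
                and opts.get("target", "").upper() == "ACCEPT"):
            scope = opts.get("proto", "any")
            if "dest_port" in opts:
                scope += f"/{opts['dest_port']}"
            if opts.get("proto") == "icmp" and "icmp_type" in s["lists"]:
                scope += " (" + ",".join(s["lists"]["icmp_type"]) + ")"
            name = opts.get("name", s["name"] or "?")
            findings.append(("info", f"rule {name}: accepts {scope} from zone {opts['src']}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_firewall(parse_uci(SAMPLE_EXPORT)):
        print(f"[{severity}] {message}")
```

The "info" lines are not defects, they are the inventory of what the WAN zone admits; the "high" lines mark the places where the default policy, rather than an explicit rule, decides what gets in. Pipe the real export in with uci export firewall to audit a running router.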
To view the available firewall commands, enter:
root@VA_router:~# /etc/init.d/firewall
Syntax: /etc/init.d/firewall [command]
Available commands:
start Start the service
stop Stop the service
restart Restart the service
reload Reload configuration files (or restart if that fails)
enable Enable service autostart
disable Disable service autostart
31.8.1 IP tables
To add a quick firewall rule for dropping packets to a specific IP, enter:
root@VA_router:~# iptables -I OUTPUT -d 8.8.8.8/32 -p icmp -j DROP
To remove the rule again, enter:
root@VA_router:~# iptables -D OUTPUT 1
31.8.2 Debug
It is possible to view the iptables commands generated by the firewall program.
This is useful if you want to track down iptables errors during firewall restarts or to verify the outcome of certain UCI rules.
To see the rules as they are executed, run the fw command with the FW_TRACE environment variable set to 1:
root@VA_router:~# FW_TRACE=1 fw reload
To direct the output to a file for later inspection, enter:
root@VA_router:~# FW_TRACE=1 fw reload 2>/tmp/iptables.log
31.9 GPS diagnostic commands
You can use the utility GPS to run diagnostic commands against the GPSD application.
When you run GPS at the command prompt without parameters, it prints the menu listing all available commands.
For example, to view the last known router position, enter gpspeek:
root@Demo:~# gpspeek
Fix: 3D,1423135517,53.342546,-6.241331,23.800000,223.700000,0.000000,nan
31.10 Interfaces diagnostics
31.10.1 Interfaces status
To show the current running interfaces, enter:
root@VA_router:~# ifconfig
3g-CDMA   Link encap:Point-to-Point Protocol
          inet addr:10.33.152.100 P-t-P:178.72.0.237 Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1400 Metric:1
          RX packets:6 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:428 (428.0 B) TX bytes:2986 (2.9 KiB)
eth0      Link encap:Ethernet HWaddr 00:E0:C8:12:12:15
          inet addr:192.168.100.1 Bcast:192.168.100.255 Mask:255.255.255.0
          inet6 addr: fe80::2e0:c8ff:fe12:1215/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:6645 errors:0 dropped:0 overruns:0 frame:0
          TX packets:523 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:569453 (556.1 KiB) TX bytes:77306 (75.4 KiB)
lo        Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:385585 errors:0 dropped:0 overruns:0 frame:0
          TX packets:385585 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:43205140 (41.2 MiB) TX bytes:43205140 (41.2 MiB)
To display a specific interface, enter ifconfig <name>:
root@VA_router:~# ifconfig eth0
eth0      Link encap:Ethernet HWaddr 00:E0:C8:12:12:15
          inet addr:192.168.100.1 Bcast:192.168.100.255 Mask:255.255.255.0
          inet6 addr: fe80::2e0:c8ff:fe12:1215/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:7710 errors:0 dropped:0 overruns:0 frame:0
          TX packets:535 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:647933 (632.7 KiB) TX bytes:80978 (79.0 KiB)
31.10.2 Route status
root@VA_router:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.100.0   *               255.255.255.0   U     0      0        0 eth0
A route will only be displayed in the routing table when the interface is up.
31.10.3 Mobile status
To display information and status of mobile interfaces like 4G or CDMA, enter:
root@VA_router:~# cat /var/state/mobile
mobile.3g_1_1_1=status
mobile.3g_1_1_1.auto_info=/etc/3g_1-1.1.auto
mobile.3g_1_1_2=status
mobile.3g_1_1_2.auto_info=/etc/3g_1-1.2.auto
mobile.3g_1_1_1.sim_slot=1
mobile.3g_1_1_1.sim_in=yes
mobile.3g_1_1_1.imsi=240016005892879
mobile.3g_1_1_1.registered=1, Home network
mobile.3g_1_1_1.reg_code=1
mobile.3g_1_1_1.registered_pkt=1, Home network
mobile.3g_1_1_1.reg_code_pkt=1
mobile.3g_1_1_1.area=FFFE
mobile.3g_1_1_1.cell=189150A
mobile.3g_1_1_1.tech=7
mobile.3g_1_1_1.technology=E-UTRAN
mobile.3g_1_1_1.operator=0,0,"Vodafone",7
mobile.3g_1_1_1.sim1_iccid=89460127120912066226
mobile.3g_1_1_2.sim_slot=1
mobile.3g_1_1_2.sim_in=yes
mobile.3g_1_1_2.operator="Vodafone"
mobile.3g_1_1_2.cdma_roaming=Not Roaming
mobile.3g_1_1_2.cdma_roaming_code=0
mobile.3g_1_1_2.cdma_srvmode=EVDO Rev B
mobile.3g_1_1_2.cdma_srvmode_code=5
mobile.3g_1_1_2.cdma_total_drc=0.0 kbps
mobile.3g_1_1_2.cdma_carr_cnt=2
mobile.3g_1_1_2.cdma_rx0=78
mobile.3g_1_1_2.sig_dbm=nan
mobile.3g_1_1_2.cdma_rx1=105
31.10.4 ADSL status
The ADSL chipset has its own subset of commands.
root@VA_router:~# /etc/init.d/dsl_control
Syntax: /etc/init.d/dsl_control [command]
Available commands:
start Start the service
stop Stop the service
restart Restart the service
reload Reload configuration files (or restart if that fails)
enable Enable service autostart
disable Disable service autostart
status Get DSL status information
lucistat Get status information in lua friendly format
To view the current status of the ADSL interface, enter:
root@VA_router:~# /etc/init.d/dsl_control status
Chipset: Lantiq-Danube 1.5
Line State: UP [0x801: showtime_tc_sync]
Data Rate: 2.280 Mb/s / 291 Kb/s
Line Attenuation: 6.3dB / 3.3dB
Noise Margin: 31.1dB / 35.9dB
Line Uptime: 2d 18h 8m 30s
To restart the ADSL interface, enter:
root@VA_router:~# /etc/init.d/dsl_control restart
31.11 ISDN pseudowire diagnostics
31.11.1 Packages
ISDN pseudowire uses two packages: Asterisk and LCR.
To view the configuration of the LCR package, enter:
root@VA_router:~# uci export lcr
package lcr
config lcr 'main'
	option enable '1'
	list msn '384740'
	list msn '384741'
To view the configuration of the asterisk package, enter:
root@VA_router:~# uci export asterisk
package asterisk
config provider
	option host '10.1.183.20'
	option hostport '5060'
	option username 'username'
	option secret 'secret'
config client
	option username 'username'
	option secret 'secret'
	option msn '384720'
config client
	option username 'username'
	option secret 'secret'
	option msn '384721'
31.11.2 Asterisk CLI diagnostics
You can use the Asterisk CLI to view diagnostics. To enter the Asterisk CLI:
root@VA_router:~# asterisk -r
To view configured SIP peers when in the Asterisk CLI, enter:
root@VA_router:~# sip show peers
Name/username Host Dyn Forcerport ACL Port Status
VA_username 10.1.23.15 N 5060 Unmonitored
1 sip peers [Monitored: 0 online, 0 offline Unmonitored: 1 online, 0 offline]
To view current call diagnostics when in the Asterisk CLI, enter:
root@VA_router:~# sip show channels stats
Peer Call ID Duration Recv: Pack Lost ( %) Jitter
Send: Pack Lost ( %) Jitter
10.1.23.15 4abaa449705 00:00:08 0000000426 0000000000 ( 0.00%) 0.0000
0000000391 0000000000 ( 0.00%) 0.0002
1 active SIP channel
To exit asterisk CLI, enter:
~# exit
31.11.3 ISDN LED status
The ISDN port has two LEDs indicating the status of the audio channels in use.
ISDN top LED: On - Audio channel is up (dial tone or call in progress); Off - Audio channel is inactive.
ISDN bottom LED: On - Audio channel is up (dial tone or call in progress); Off - Audio channel is inactive.
31.12 IPSec diagnostics
Virtual Access routers use the strongSwan package for IPSec.
To view the IPSec configuration on the router, enter:
root@VA_router:~# uci export strongswan
To restart strongSwan, enter:
root@VA_router:~# /etc/init.d/strongswan restart
To view IPSec status, enter:
root@VA_router:~# ipsec statusall
To view a list of IPSec commands, enter:
root@VA_router:~# ipsec --help
31.13 Multi-WAN diagnostics
The multi-WAN package is an agent script that makes multi-WAN configuration simple, easy to use and manageable. It comes complete with load balancing, failover and an easy-to-manage traffic ruleset. The UCI configuration file /etc/config/multiwan is provided as part of the multi-WAN package.
The multi-WAN package is linked to the network interfaces within /etc/config/network.
Note: multi-WAN will not work if the WAN connections are on the same subnet and share the same default gateway.
To view the multi-WAN package, enter:
root@VA_router:~# uci export /etc/config/multiwan
package multiwan
config multiwan 'config'
	option enabled 'yes'
	option preempt 'yes'
	option alt_mode 'no'
config interface 'ADSL'
	option health_interval '10'
	option icmp_hosts 'dns'
	option timeout '3'
	option health_fail_retries '3'
	option health_recovery_retries '5'
	option priority '1'
	option manage_state 'yes'
	option exclusive_group '0'
	option ifup_retry_sec '300'
	option ifup_timeout_sec '40'
config interface 'Ethernet'
	option health_interval '10'
	option icmp_hosts 'dns'
	option timeout '3'
	option health_fail_retries '3'
	option health_recovery_retries '5'
	option priority '2'
	option manage_state 'yes'
	option exclusive_group '0'
	option ifup_retry_sec '300'
	option ifup_timeout_sec '40'
The following output shows the multi-WAN standard stop/start commands for troubleshooting.
root@VA_router:~# /etc/init.d/multiwan
Syntax: /etc/init.d/multiwan [command]
Available commands:
start Start the service
stop Stop the service
restart Restart the service
reload Reload configuration files (or restart if that fails)
enable Enable service autostart
disable Disable service autostart
When troubleshooting, make sure that the routing table is correct using route -n.
Ensure all parameters in the multi-WAN package are correct. The interface name used in the multi-WAN package must be identical, including upper and lower case, to the actual ADSL interface name defined in your network configuration.
To check that the names and settings are correct, browse to Network -> Interfaces or, alternatively, run cat /etc/config/network from the CLI.
Enter the name of the WAN interface to configure, and then click Add. The new section for configuring specific parameters will appear.
31.14 PAD diagnostics
31.14.1 Showing Log
The modules will write events to the log if they are configured to do so.
To see the events that have already been logged, type the following at the command prompt: logread.
_______________________________________________________________________________________________________
© Virtual Access 2015
GW1000 Series User Manual
Issue: 2.4 Page 251 of 255
_______________________________________________________________________________________________________
The log contains the events of many modules. To filter for a specific module, type logread | grep module_name; for example, to see the vald events, enter: logread -f | grep vald
Note: the vald module has a command that enables logging of the payload. When enabled, vald will additionally log the payload of all received and sent packets.
To enable payload logging, enter:
root@VA_router:~# val trace on
val trace enabled
logread has a ‘-f’ option that outputs the events as the log grows. It is very useful when you want to trace live. You may use it this way:
root@VA_router:~# logread -f
31.14.2 Debugging guidelines
If you are having trouble configuring PAD, use the list below to debug.
Is the router receiving calls?
Is data being received on the asynchronous serial?
Are the vald, padd and tservd modules running?
To check the router is receiving calls, look at the log and search for an event similar to the following:
Nov 28 13:05:40 VA_router user.debug vald: (1): Incoming VC, TCP accepted, VC id 0, LCN 4095
To check data is being received on the asynchronous serial, enter tserv show stats:
TERMINAL 4, Dev: /dev/ttySC3
State: CONNECTED
TxErrs (0) Serial Bytes Rx (2036) Tx (26624)
TCP Packets Rx (23) Tx (16) TxErrs (0)
TCP Bytes Rx (26624) Tx (2036)
UDP Datagrams Rx (0) Tx (0) TxErrs (0)
UDP Bytes Rx (0) Tx (0)
DSR Up (0) Down (0)
Uptime 0 hrs 0 mins 22 secs
For more details refer to section 6, ‘Terminal Server’.
To check if the modules are running, follow the instructions described in the PAD section.
For more details refer to the ‘Terminal Server’ section in this manual.
Is the Terminal Server connected to padd?
Is the Terminal Server detecting the serial cable?
Is the padd port connected to the correct vald?
Is the vald port in use correctly configured?
To check if the Terminal Server is connected to padd, look at the log and check the Terminal Server status.
For more details refer to the ‘Terminal Server’ section in this manual.
To check if the Terminal Server is detecting the serial cable, enter: tserv show serial.
For more details refer to the ‘Terminal Server’ section in this manual.
Check in the configuration that the padd port to be used is connected to the correct vald port.
The connection is created by the link_id parameter of the padd configuration file.
Check the configuration of the port in the vald configuration file.
Check that the IP address and TCP port match the ones used by the VAL peer.
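As an added example (not part of this manual or of the router firmware), the following Python code does in a script what logread | grep vald does on the router: it filters logread-format lines by module name and parses the Incoming VC event shown above so that the VC id and LCN can be checked or counted from a saved log. The sample log lines are constructed; only the first vald line follows the event shown in the manual, the other lines and their wording are made up.

```python
"""Filter logread output by module and extract vald 'Incoming VC' events.

Added example, not part of the GW1000 firmware. Works on the line format
logread prints: "<Mon DD HH:MM:SS> <host> <facility.priority> <module>: <msg>".
"""
import re

# Constructed sample. Line 1 mirrors the event in the manual; the rest are
# made up to exercise the filter (module names as used in this section).
SAMPLE_LOG = """\
Nov 28 13:05:40 VA_router user.debug vald: (1): Incoming VC, TCP accepted, VC id 0, LCN 4095
Nov 28 13:05:41 VA_router user.debug padd: (1): link 0 up
Nov 28 13:05:42 VA_router user.debug vald: (1): Incoming VC, TCP accepted, VC id 1, LCN 4094
Nov 28 13:05:43 VA_router user.info tservd: TERMINAL 4 state CONNECTED
Nov 28 13:05:44 VA_router user.debug vald: (1): VC id 0 cleared
"""

_LOG = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<facpri>\S+) "
    r"(?P<module>\w+): (?P<msg>.*)$")
_INCOMING = re.compile(
    r"Incoming VC, (?P<transport>\w+) accepted, VC id (?P<vc>\d+), LCN (?P<lcn>\d+)")


def module_events(log_text, module):
    """Return (timestamp, message) for every line logged by `module`,
    the same selection `logread | grep <module>` makes on the router."""
    events = []
    for line in log_text.splitlines():
        m = _LOG.match(line)
        if m and m.group("module") == module:
            events.append((m.group("ts"), m.group("msg")))
    return events


def incoming_calls(log_text):
    """Parse vald 'Incoming VC' events into dicts (time, transport, vc_id, lcn)."""
    calls = []
    for ts, msg in module_events(log_text, "vald"):
        m = _INCOMING.search(msg)
        if m:
            calls.append({"time": ts, "transport": m.group("transport"),
                          "vc_id": int(m.group("vc")), "lcn": int(m.group("lcn"))})
    return calls


if __name__ == "__main__":
    for call in incoming_calls(SAMPLE_LOG):
        print(f"{call['time']} VC {call['vc_id']} LCN {call['lcn']} via {call['transport']}")
```

An empty result from incoming_calls() over a log that should cover the test call is the "router is not receiving calls" case in the checklist above; a non-empty result with no matching padd or tservd activity points further down the list.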
31.15 Terminal Server diagnostics
You can check Terminal Server application diagnostics by using the commands described below.
root@VA_router:~# tserv
=== Termserv disgnostics. Command syntax: ===
tserv show stats - show statistics
tserv clear stats - clear statistics
tserv show serial - show serial interface status
tserv send serial0 <data> - send data to serial port 0
tserv start capture N, N=port number (0 to 3) - start capturing rx serial data
tserv print capture N, N=port number (0 to 3) - print captured rx serial data
tserv show serial txlog-hex <Port> [length], Port=port cfg index (0 to 3), length=length to show
tserv show serial rxlog-hex <Port> [length], Port=port cfg index (0 to 3), length=length to show
tserv show serial txlog-asc <Port> [length], Port=port cfg index (0 to 3), length=length to show
tserv show serial rxlog-asc <Port> [length], Port=port cfg index (0 to 3), length=length to show
tserv show debug - show debug info
tserv show userial stats - show USB serial card statistics
tserv clear userial stats - clear USB serial card statistics
tserv start userial rxlog <Port> - start USB serial card rx log
tserv show userial rxlog <Port> <offs> <length> - show USB serial card rx log
tserv show userial version <Port> - show USB serial card firmware version
tserv show userial cpld status <Port> - show USB serial card CPLD programming status
tserv upgrade userial - initiate upgrade of the USB serial card
tserv quit - terminate termserv process
Note: the tservd process has to be running, otherwise the diagnostics options for Terminal Server will not be available.
31.16 VRRP diagnostics
Two available diagnostic options exist: via web interface and command line.
31.16.1 VRRP diagnostics web interface
To see VRRP through the web interface, in the top menu, select Status -> Status. The VRRP status settings appear.
Figure 117: The VRRP status settings
31.16.2 VRRP diagnostics using the command line interface
To view VRRP using the CLI, SSH into the router and enter:
cat /var/state/vrrp
vrrp.g1.state=BACKUP
vrrp.g1.masterip=10.1.10.83
vrrp.g1.timestamp=1425489022
31.17 Diagnostics for WiFi AP mode
To check for any hosts associated with the WiFi AP, in the top menu, select Network -> WiFi. The Wireless Overview page appears.
Figure 118: The wireless overview page showing associated hosts
31.18 Diagnostics for WiFi client mode
To check for connectivity, in the top menu, select Network -> Interfaces. The WCLIENT interface will show receive and transmit packets and an IP address.
Figure 119: The interface overview page showing WClient stats
- 224 Configuring SLA for a router via UCI interface
- 225 SLA statistics
- 227 Diagnostics
- 227 ADSL diagnostics
- 227 ADSL PPPoA connections
- 227 ADSL PPPoEoA connections
- 228 ADSL bridge connections
- 229 ALL diagnostics
- 230 Automatic operator selection diagnostics via the web interface
- 230 Checking the status of the Multi-WAN package
- 231 Automatic operator selection diagnostics via UCI
- 233 CESoPSN diagnostics
- 233 cesop show config
- 235 cesop show status
- 235 cesop show stats
- 236 cesop clear stats
- 237 DMVPN diagnostics
- 239 File system diagnostics
- 240 Firewall diagnostics
- 243 IP tables
- 243 Debug
- 244 GPS diagnostic commands
- 244 Interfaces diagnostics
- 244 Interfaces status
- 245 Route status
- 245 Mobile status
- 246 ADSL status
- 247 ISDN pseudowire diagnostics
- 247 Packages
- 248 Asterisk CLI diagnostics
- 249 ISDN LED status
- 249 IPSec diagnostics
- 250 Multi-WAN diagnostics
- 251 PAD diagnostics
- 251 Showing Log
- 252 Debugging guidelines
- 253 Terminal Server diagnostics
- 254 VRRP diagnostics
- 254 VRRP diagnostics web interface
- 254 VRRP diagnostics using the command line interface
- 255 Diagnostics for WiFi AP mode
- 255 Diagnostics for WiFi client mode