In-Vehicle Hotspot Gateway

 In‐Vehicle Hotspot Gateway VHG87BAM‐0T001 User Manual In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Chapter 1 Introduction ............................................................................................................................... 7 1.1 Introduction .................................................................................................................................. 7 1.2 Contents List ................................................................................................................................ 8 1.2.1 Package Contents ............................................................................................................... 8 1.3 Hardware Configuration .............................................................................................................. 9 1.4 LED Indication........................................................................................................................... 11 1.5 Installation & Maintenance Notice ............................................................................................ 12 1.5.1 SYSTEM REQUIREMENTS ......................................................................................... 12 1.5.2 WARNING ...................................................................................................................... 12 1.5.3 HOT SURFACE CAUTION ........................................................................................... 13 1.6 Hardware Installation ................................................................................................................. 14 1.6.1 Mount the Unit ................................................................................................................ 14 1.6.2 Insert the SIM Card ......................................................................................................... 14 1.6.3 Connecting Power ........................................................................................................... 15 1.6.4 Connecting DI/DO and IGN Devices ............................................................................. 15 1.6.5 Connecting Serial Devices .............................................................................................. 16 1.6.6 Connecting to the Network or a Host ............................................................................. 16 1.6.7 Setup by Configuring WEB UI ....................................................................................... 17 Chapter 2 Status ....................................................................................................................................... 18 2.1 Dashboard .................................................................................................................................. 18 2.1.1 Device Dashboard ........................................................................................................... 18 2.3 Basic Network ............................................................................................................................ 20 2.3.1 WAN & Uplink Status .................................................................................................... 20 2.3.3 LAN & VLAN Status ..................................................................................................... 27 2.3.5 WiFi Status ...................................................................................................................... 28 2.3.7 DDNS Status ................................................................................................................... 31 2.5 Security ...................................................................................................................................... 32 2.5.1 VPN Status ...................................................................................................................... 32 2.5.3 Firewall Status ................................................................................................................ 37 2.7 Administration............................................................................................................................ 41 2.7.1 Configure & Manage Status............................................................................................ 41 2
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 2.7.3 Log Storage Status .......................................................................................................... 43 2.7.5 GNSS Information .......................................................................................................... 44 2.9 Statistics & Report ..................................................................................................................... 45 2.9.1 Connection Session ......................................................................................................... 45 2.9.3 Network Traffic ............................................................................................................... 46 2.9.5 Device Administration .................................................................................................... 47 2.9.7 Portal Usage .................................................................................................................... 48 2.9.9 Cellular Usage ................................................................................................................. 49 Chapter 3 Basic Network ......................................................................................................................... 50 3.1 WAN & Uplink .......................................................................................................................... 50 3.1.1 Physical Interface ............................................................................................................ 51 3.1.3 Internet Setup .................................................................................................................. 65 3.1.5 Load Balance .................................................................................................................. 97 3.3 LAN & VLAN ......................................................................................................................... 105 3.3.1 Ethernet LAN ................................................................................................................. 105 3.3.3 VLAN ........................................................................................................................... 107 3.3.7 DHCP Server................................................................................................................. 119 3.5 WiFi.......................................................................................................................................... 127 3.5.1 WiFi Configuration ....................................................................................................... 130 3.5.3 Wireless Client List ....................................................................................................... 140 3.5.5 Uplink Profile................................................................................................................ 142 3.5.7 Advanced Configuration ............................................................................................... 146 3.7 IPv6 .......................................................................................................................................... 149 3.7.1 IPv6 Configuration........................................................................................................ 153 3.9 Port Forwarding ...................................................................................................................... 160 3.9.1 Configuration ................................................................................................................ 160 3.9.3 Virtual Server & Virtual Computer ............................................................................... 164 3.9.7 Special AP & ALG ........................................................................................................ 173 3.9.9 DMZ & Pass Through ................................................................................................... 179 3.b Routing..................................................................................................................................... 182 3.b.1 Static Routing................................................................................................................ 182 3
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 3.b.3 Dynamic Routing .......................................................................................................... 187 3.b.5 Routing Information...................................................................................................... 197 3.d DNS & DDNS......................................................................................................................... 198 3.d.1 DNS & DDNS Configuration ....................................................................................... 198 3.f QoS ......................................................................................................................................... 203 3.f.1 QoS Configuration......................................................................................................... 203 Chapter 5 Object Definition ................................................................................................................... 214 5.1 Scheduling................................................................................................................................ 214 5.3 User .......................................................................................................................................... 216 5.3.1 User List ........................................................................................................................ 216 5.3.3 User Profile ................................................................................................................... 218 5.3.5 User Group .................................................................................................................... 220 5.5 Grouping .................................................................................................................................. 222 5.5.1 Host Grouping............................................................................................................... 222 5.7 External Server......................................................................................................................... 224 5.9 Certificate ................................................................................................................................. 227 5.9.1 Configuration ................................................................................................................ 227 5.9.3 My Certificate ............................................................................................................... 230 5.9.5 Trusted Certificate......................................................................................................... 237 5.9.7 Issue Certificate ............................................................................................................ 244 Chapter 7 Field Communication ............................................................................................................ 247 7.1 Bus & Protocol......................................................................................................................... 247 7.1.1 Port Configuration ........................................................................................................ 247 7.1.3 Virtual COM ................................................................................................................. 249 Chapter 9 Security.................................................................................................................................. 262 9.1 VPN.......................................................................................................................................... 262 9.1.1 Configuration ................................................................................................................ 263 9.1.3 IPSec ............................................................................................................................. 264 9.1.5 PPTP ............................................................................................................................. 288 9.1.7 L2TP ............................................................................................................................. 299 9.1.9 GRE............................................................................................................................... 311 9.1.b OpenVPN ...................................................................................................................... 319 4
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 9.3 Firewall .................................................................................................................................... 332 9.3.1 Firewall Configuration .................................................................................................. 332 9.3.3 Packet Filter .................................................................................................................. 333 9.3.5 URL Blocking ............................................................................................................... 339 9.3.7 Content Filter ................................................................................................................ 344 9.3.9 MAC Control ................................................................................................................ 349 9.3.b Application Filter .......................................................................................................... 353 9.3.d IPS ................................................................................................................................. 358 9.3.f Options........................................................................................................................... 363 9.5 Authentication .......................................................................................................................... 369 9.5.1 Captive Portal................................................................................................................ 369 9.5.3 MAC Authentication ..................................................................................................... 376 Chapter b Administration ....................................................................................................................... 378 b.1 Configure & Manage ............................................................................................................... 378 b.1.1 Command Script ........................................................................................................... 378 b.1.3 TR-069 .......................................................................................................................... 382 b.1.5 SNMP............................................................................................................................ 386 b.1.7 Telnet with CLI ............................................................................................................. 396 b.3 System Operation ..................................................................................................................... 400 b.3.1 Password & MMI.......................................................................................................... 400 b.3.3 System Information ....................................................................................................... 402 b.3.5 System Time.................................................................................................................. 403 b.3.7 System Log ................................................................................................................... 405 b.3.9 Backup & Restore ......................................................................................................... 409 b.3.b Reboot & Reset ............................................................................................................ 410 b.5 FTP........................................................................................................................................... 411 b.5.1 Server Configuration ..................................................................................................... 412 b.5.3 User Account................................................................................................................. 414 b.7 Diagnostic ................................................................................................................................ 415 b.7.1 Packet Analyzer ............................................................................................................ 415 b.7.3 Diagnostic Tools ........................................................................................................... 418 5
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Chapter d Service ................................................................................................................................... 419 d.1 Cellular Toolkit ........................................................................................................................ 419 d.1.1 Data Usage .................................................................................................................... 419 d.1.3 SMS............................................................................................................................... 421 d.1.5 SIM PIN ........................................................................................................................ 424 d.1.7 USSD ............................................................................................................................ 431 d.1.9 Network Scan ................................................................................................................ 436 d.3 Event Handling ........................................................................................................................ 438 d.3.1 Configuration ................................................................................................................ 440 d.3.3 Managing Events .......................................................................................................... 449 d.3.5 Notifying Events ........................................................................................................... 451 d.5 Location Tracking ..................................................................................................................... 453 d.5.1 GNSS ............................................................................................................................ 454 d.5.3 Track Viewer ................................................................................................................. 460 d.9 Power Control ........................................................................................................................... 465 d.9.1 Ignition Sense................................................................................................................ 465 6
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Chapter 1 Introduction 1.1 Introduction Congratulations on your purchase of this outstanding product: In‐Vehicle Hotspot Gateway. For In‐vehicle WiFi hotspot, In‐vheicle telematics, and M2M (machine‐to‐Machine) applications, AMIT In‐
Vehicle Hotspot Gateway is absolutely the right choice. With built‐in world‐class 4G LTE modules, you just need to insert SIM card from local mobile carrier to get to Internet. The dual LTE module design provides a more reliable WAN connection for critical applications. By VPN tunneling technology, remote sites easily become a part of Intranet, and all data are transmitted in a secure (256‐bit AES encryption) link. The feature of DI/DO allows gateway to have real‐time response whenever events are detected by sensors. This VHG87B series products are loaded with luxuriant security features including VPN, firewall, NAT, port forwarding, DHCP server and many other powerful features for complex and demanding in‐
vehicle and M2M‐IoT applications. DC 9‐36V wide‐range power design allows overcoming transient power in vehicles. Terminal block also secures power lines from falling out while vehicles are moving on the road. Main Features: 
Built‐in high speed LTE modem with dual SIMs for uplink traffic failover. 
Equips gigabit Ethernet ports to connect other IP‐based devices in vehicle. 
RS232 serial port for controlling legacy serial devices, such as ticketing/payment device or other control unit. 
Digital I/O ports for integrating sensors (door sensor, passenger counting), panic button, switch, or other alarm devices. 
Equips 802.11b/g/n/ac concurrent dualband Wi‐Fi access point especially suitable for WiFi hotspot service in vehicle. 
Work with internal / external portal and RADIUS server for user authentication or push advertisements. 
Global positioning with multiple GNSS systems, including GPS, and optional for GLONASS, Galileo, or BeiDou. Before you install and use this product, please read this manual in detail for fully exploiting the functions of this product. 7
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 1.2 Contents List 1.2.1 Package Contents #Standard Package Items Description Contents Quantity 1
VHG87BAM‐0T001 In‐Vehicle Hotspoot Gateway 1pcs 2
Cellular Antenna 2pcs 3
2.4G/5G WiFi Antenna 2pcs 4
GPS Antenna (*1) 1pcs 5
CD (Manual) 1pcs 6
Mounting Bracket 2pcs 1 Active GPS antenna.
8
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 1.3 Hardware Configuration  Front View LED
Indicators
USB Port
SIM A Slot
SIM B Slot
Reset
Button
※Reset Button The RESET button provides user with a quick and easy way to resort the default setting. Press the RESET button continuously for 6 seconds, and then release it. The device will reset settings to factory default. 9
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 
Rear View 2.4G/5G
WiFi Ant.
3G/LTE(Main)
Antenna
3G/LTE(Aux)
Antenna
Auto MDI/MDIX RJ45 Ports
2(3)xGE LAN to connect local
devices
2.4G/5G
WiFi Ant.
GPS Antenna
Power Terminal Block
RX
TX DO DI‐2 DI‐1 IGN GND PWR 10
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 1.4 LED Indication LED Icon GPS
Indication GPS
LED Color Green
Description OFF: GNSS function is disabled. Steady ON: Location is fixed. Fast Flashing: Location is fixing. OFF: Device is powered OFF or in standby mode. Steady ON: Device is powered ON. Flash once a second: Device is at “Delay OFF” mode. Fast Flashing: Firmware is upgrading or Device is in recovery mode.
OFF: 2.4G WiFi is disabled.
Steady ON: 2.4G WiFi is enabled. Fast Flashing: Data is transmited/received thru 2.4G Wi‐Fi. OFF: 5G WiFi is disabled.
Steady ON: 5G WiFi is enabled. Fast Flashing: Data is transmited/received thru 5G Wi‐Fi. Steady ON: SIM Card A is inserted and used for 3G/4G connection. OFF: SIM card is not inserted or not used for 3G/4G connection. Steady ON: SIM Card B is inserted and used for 3G/4G connection. OFF: SIM card is not inserted or not used for 3G/4G connection. PWR
Power Source
Green
2.4G
2.4G
Green
5G
Green
SIM A
SIM A (*2)
Green
SIM B
SIM B
Green
HIGH
High LTE Signal
Green
Steady ON: 3G/4G signal strength is at high level. LOW
Low LTE Signal
Green
Steady ON: 3G/4G signal strength is at low level. 5G
WAN/LAN1~3 WAN/LAN 1/LAN 3 Green
Steady ON: Ethernet connection of LAN or WAN is established.
Flash: Data packets are transfering. 2 The SIM LED indicates which SIM socket will be chosen for connection by system setting, no matter SIM card is inserted
or not.
11
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 1.5 Installation & Maintenance Notice 1.5.1 SYSTEM REQUIREMENTS




Network Requirements
Web-based Configuration Utility
Requirements
An Ethernet RJ45 cable or DSL modem 3G/4G cellular service subscription IEEE 802.11b/g/n/ac wireless clients 10/100/1000 Ethernet adapter on PC Computer with the following: 
Windows®, Macintosh, or Linux‐based operating system 
An installed Ethernet adapter Browser Requirements: 
Internet Explorer 6.0 or higher 
Chrome 2.0 or higher 
Firefox 3.0 or higher 
Safari 3.0 or higher 1.5.2 WARNING 
This gateway can be powered by DC12V or DC24V
car system. If this gateway is not installed in vehicle,
a DC12V/2A power adapter is recommended.

Do not open or repair the case yourself. If the
product is too hot, turn off the power immediately
Attention
and have it repaired at a qualified service center.
12
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 1.5.3 HOT SURFACE CAUTION CAUTION: The surface temperature for the metallic enclosure can be very high! Especially after operating for a long time, installed at a close cabinet without air conditioning support, or in a high ambient temperature space. DO NOT touch the hot surface with your fingers while servicing!! 13
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 1.6 Hardware Installation This chapter describes how to install and configure the hardware 1.6.1 Mount the Unit The VHG87B series products can be mounted on a wall, or horizontal plane with the mounting accessories (brackets). The mounting accessories are not screwed on the product when out of factory. Please screw the mounting brackets on the product first. 1.6.2 Insert the SIM Card WARNING: BEFORE INSERTING OR CHANGING THE SIM CARD, PLEASE MAKE SURE THE GATEWAY IS POWERED OFF. The SIM card slots are located at the front side of VHG87B series housing. You need to unscrew and remove the outer SIM card cover before installing or removing the SIM card. Please follow the instructions to insert or eject a SIM card. After SIM card is well placed, screw back the outer SIM card cover. Step 1:
Loosten the screws as
below and remove the
SIM cover.
Step 2:
Push the SIM card into the
SIM slot A or slot B.
Step 3:
Push the inserted SIM card
again to eject it from the
SIM slot.
14
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 1.6.3 Connecting Power The VHG887B series product can be powered by connecting a power source to the terminal block . It supports 9V to 36V DC power input. Following picture is the power terminal block pin assignments. Please check carefully and connect to the right power requirements and polarity. GND
PWR-
1.6.4 Connecting DI/DO and IGN Devices There are one DI, one DO, and one IGN (Ignition Sense) ports together with power terminal block. Please refer to following specification to connect DI and DO devices. Digital Output DO
Digital Input DI -2+
Mode DI -1-
IGN
Specification Trigger Voltage (high) Normal Voltage (low) Voltage (Relay Mode) Maximum Current Logic level 1: 5V~30V Logic level 0: 0V~2.0V Depends on external device maximum voltage is 30V 1A
15
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Example of Connection Diagram 1.6.5 Connecting Serial Devices The VHG87B series products provide one RS‐232 port with TX and RX signals located in the terminal block connector, as shown below. Connect the serial device to the unit TX/RX ports with the right pin assignments of a RS‐232 cable. RX
TX
1.6.6 Connecting to the Network or a Host The VHG87B series products provide three RJ45 ports to connect 10/100/1000Mbps Ethernet. It can auto detect the transmission speed on the network and configure itself automatically. Connect one Ethernet cable to the RJ45 port (LAN) of the device and plug another end of the Ethernet cable into your computer’s network port. In this way, you can use the RJ45 Ethernet cable to connect to the host PC’s Ethernet port for configuring the device. 16
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 1.6.7 Setup by Configuring WEB UI You can browse web UI to configure the device. Type in the IP Address (http://192.168.123.254)3 When you see the login page, enter the password ‘admin’ 4 and then click ‘Login’ button. 3 The default LAN IP address of this gateway is 192.168.123.254. If you change it, you need to login by using the new IP address. 4 It’s strongly recommending you to change this login password from default value. 17
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Chapter 2 Status 2.1 Dashboard 2.1.1 Device Dashboard The Device Dashboard window shows the current status in graph or tables for quickly understanding the operation status for the gateway. They are the System Information, System Information History, and Network Interface Status. From the menu on the left, select Status > Dashboard > Device Dashboard tab. System Information Status The System Information screen shows the device Up‐time and the resource utilization for the CPU, Memory, and Connection Sessions. 18
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. System Information History The System Information History screen shows the statistic graphs for the CPU and memory. Network Interface Status The Network Interface Status screen shows the statistic information for each network interface of the gateway. The statistic information includes the Interface Type, Upload Traffic, Download Traffic, and Current Upload / Download Traffic. 19
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 2.3 Basic Network 2.3.1 WAN & Uplink Status The WAN & Uplink Status window shows the current status for different network type, including network configuration, connecting information, modem status and traffic statistics. From the menu on the left, select Status > Basic Network > WAN & Uplink Status WAN interface IPv4 Network Status WAN interface IPv4 Network Status screen shows status information for IPv4 network. WAN interface IPv4 Network Status Item Value setting Description ID It displays corresponding WAN interface WAN IDs. N/A 20
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Interface N/A WAN Type N/A IP Addr. N/A Subnet Mask N/A Gateway N/A DNS N/A MAC Address N/A Conn. Status N/A Action N/A It displays the type of WAN physical interface. Depending on the model purchased, it can be Ethernet, 3G/4G, USB 3G/4G. It displays the method which public IP address is obtained from your ISP. Depending on the model purchased, it can be Static IP, Dynamic IP, PPPoE, PPTP, L2TP, 3G/4G. It displays the public IP address obtained from your ISP for Internet connection. Default value is 0.0.0.0 if left un‐configured. It displays the Subnet Mask for public IP address obtained from your ISP for Internet connection. Default value is 0.0.0.0 if left un‐configured. It displays the Gateway IP address obtained from your ISP for Internet connection. Default value is 0.0.0.0 if left un‐configured. It displays the IP address of DNS server obtained from your ISP for Internet connection. Default value is 0.0.0.0 if left un‐configured. It displays the MAC Address for your ISP to allow you for Internet access. Note: Not all ISP may require this field. It displays the connection status of the device to your ISP. Status are Connected or disconnected. This area provides functional buttons. Renew button allows user to force the device to request an IP address from the DHCP server. Note: Renew button is available when DHCP WAN Type is used and WAN connection is disconnected. Release button allows user to force the device to clear its IP address setting to disconnect from DHCP server. Note: Release button is available when DHCP WAN Type is used and WAN connection is connected. Connect button allows user to manually connect the device to the Internet. Note: Connect button is available when Connection Control in WAN Type setting is set to Connect Manually (Refer to Edit button in Basic Network > WAN & Uplink > Internet Setup) and WAN connection status is disconnected. Disconnect button allows user to manually disconnect the device from the Internet. Note: Connect button is available when Connection Control in WAN Type setting is set to Connect Manually (Refer to Edit button in Basic Network > WAN & Uplink > Internet Setup) and WAN connection status is connected. 21
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. WAN interface IPv6 Network Status WAN interface IPv6 Network Status screen shows status information for IPv6 network. WAN interface IPv6 Network Status Item Value setting ID N/A Interface N/A WAN Type N/A Link‐local IP Address N/A Global IP Address N/A Conn. Status N/A Action N/A Description It displays corresponding WAN interface WAN IDs. It displays the type of WAN physical interface. Depending on the model purchased, it can be Ethernet, 3G/4G, USB 3G/4G. It displays the method which public IP address is obtained from your ISP. WAN type setting can be changed from Basic Network > IPv6 > Configuration. It displays the LAN IPv6 Link‐Local address. It displays the IPv6 global IP address assigned by your ISP for your Internet connection. It displays the connection status. The status can be connected, disconnected and connecting. This area provides functional buttons. Edit Button when pressed, web‐based utility will take you to the IPv6 configuration page. (Basic Network > IPv6 > Configuration.) LAN Interface Network Status LAN Interface Network Status screen shows IPv4 and IPv6 information of LAN network. LAN Interface Network Status Item Value setting IPv4 Address N/A IPv4 Subnet Mask N/A IPv6 Link‐local Address N/A Description
It displays the current IPv4 IP Address of the gateway This is also the IP Address user use to access Router’s Web‐based Utility. It displays the current mask of the subnet. It displays the current LAN IPv6 Link‐Local address. This is also the IPv6 IP Address user use to access Router’s Web‐based 22
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. IPv6 Global Address N/A Action N/A Utility. It displays the current IPv6 global IP address assigned by your ISP for your Internet connection. This area provides functional buttons. Edit IPv4 Button when press, web‐based utility will take you to the Ethernet LAN configuration page. (Basic Network > LAN & VLAN > Ethernet LAN tab). Edit IPv6 Button when press, web‐based utility will take you to the IPv6 configuration page. (Basic Network > IPv6 > Configuration.) 3G/4G Modem Status 3G/4G Modem Status screen shows status information for 3G/4G WAN network. 3G/4G Modem Status Item Value setting Description Physical Interface N/A It displays the type of WAN physical interface. Depending on the model you purchased, it can be 3G/4G and USB 3G/4G. Note: Some device model may support two 3G/4G modules. Their physical interface name will be 3G/4G‐1 and 3G/4G‐2. Card Information N/A It displays the vendor’s 3G/4G modem model name. Link Status N/A It displays the 3G/4G connection status. The status can be Connecting, Connected, Disconnecting, and Disconnected. N/A It displays the 3G/4G wireless signal level. N/A It displays the name of the service network carrier. N/A Click the Refresh button to renew the information. N/A This area provides functional buttons. Detail Button when press, windows of detail information will appear. They are the Modem Information, SIM Status, and Service Information. Refer to next page for more. Note: Currently USB 3G/4G doesn’t support this feature. Signal Strength Network Name Refresh Action When the Detail button is pressed, 3G/4G modem information windows such as Modem Information, SIM Status, and Service Information will appear. These windows are explained below. 23
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Modem Information (Detail Button) Modem Information (after Detail button)
Item Value setting Description
Interface Module Name IMEI/MEID HW Version FW Version N/A N/A N/A N/A N/A It displays the type of WAN physical interface. It displays the vendor’s 3G/4G modem model name. It displays the device IMEI code of the module. It displays the hardware version of the 3G/4G module. It displays the firmware version of the 3G/4G module. SIM Status SIM Status (after Detail button) Item Value setting Description
SIM N/A PIN Code Status N/A PIN Code Remaining Times N/A It displays the operating SIM card. The display can be SIM‐A or SIM‐B. Note: Some device just supports one SIM slot and only SIM‐A is available. It displays the status of whether the SIM is required to be unlocked and absent of SIM card. The display can be Ready, SIM card not inserted, incorrect PIN code, PIN is required, Blocked. Ready* the PIN code is entered correctly and the SIM is unlocked. SIM card not insert* the SIM card is not detected. Check if SIM card is inserted properly. PIN code incorrect* the PIN code entered is incorrect. PIN is required* the PIN code is required to unlock the SIM card. Blocked* the SIM card is locked and need PUK code to unlock. It is probably due to the device had exceeded the allowed number of times to unlock. Refer to PIN Code Remaining Times This displays the remaining time of the counter that you are allowed to try to unlock SIM card with the PIN code*. Once the number of unlocking tries has been exhausted the counter will display zero then the SIM card is locked. You are not allowed to unlock with the PIN code and would need to enter the PUK code to unlock instead. 24
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. PUK Code Remaining Times N/A Note: You will need to enquire the telecom carrier for the PUK code to unlock or further technical services. This displays the remaining time of the counter that you are allowed to try to unlock SIM card with the PUK code*. Once the number of unlocking tries has been exhausted the counter will display zero then the SIM card is locked. Note: When the counter has reached zero, you will need to enquire the telecom carrier for further technical services. *To enter or re‐enter PIN code, please go to Basic Network > WAN & Uplink > Internet Setup > Connection with SIM‐A Card. Service Information Service Information (after Detail button)
Item Value setting Description
Operator N/A Cell Broadcast N/A MCC N/A MNC N/A LAC N/A TAC N/A Cell ID N/A Service Type N/A Band RSSI N/A N/A CS Register Status N/A EcIo N/A PS Register Status N/A It displays the name of the carrier. It displays the cell messaging information. This is only available in GSM network and that your carrier provides this information. It displays the MCC (Mobile Country Code) information that obtains from the current registered network. It displays the MNC (Mobile Network Code) information that obtains from the current registered network. It displays the LAC (Location Area Code) information in hexadecimal format, only available in GSM/UMTS networks. It displays the TAC (Tracking Area Code) information in hexadecimal format, only available in LTE network. It displays the Cell ID (CID) information in hexadecimal format. It displays the service type of the network that currently registered. It can be GSM, WCDMA or LTE. It displays the band currently used. It displays the RSSI (Received Signal Strength Indicator) in unit dBm of the signal.
It displays the Circuit Switched (CS) registration status to the circuit domain service. The status can be Registered or Unregistered. It displays the Ec/Io information, the ratio of the signal to the interference. Note: the value is taken logarithmically and usually is negative. It displays the registration status to the packet domain service. The possible value will be Registered or Unregistered. 25
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. PS Attached Status Roaming Status N/A It shows the PS attached status. It can be Attached or Detached. It displays the registration status to the network, at roaming or at home network. It can be Roaming or Not Roaming. It displays the IMSI (International Mobile Subscriber Identity) information, which usually is composed of 15 digits. It displays the SMSC (Short Message Service Center) information, which is necessary for SMS service. It displays the MSISDN (Mobile Station International Subscriber Directory Number) information. The information is available if the SIM card supports it. N/A IMSI N/A SMSC N/A MSISDN N/A Interface Traffic Statistics Interface Traffic Statistics screen displays the Interface’s total transmitted packets. Interface Traffic Statistics
Item Value setting Description
ID N/A Interface N/A Received Packets Transmitted Packets N/A It displays corresponding WAN interface WAN IDs. It displays the type of WAN physical interface. Depending on the model purchased, it can be Ethernet, 3G/4G, USB 3G/4G. It displays the downstream packets. It is reset when the device is rebooted.
N/A It displays the upstream packets. It is reset when the device is rebooted. 26
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 2.3.3 LAN & VLAN Status Go to Status > Basic Network > LAN & VLAN. Client List The Client List shows you the LAN Interface, IP address, Host Name, MAC Address, and Remaining Lease Time of each device that is connected to this router. LAN Client List Item Value setting Description
LAN Interface N/A IP Address N/A Host Name MAC Address Remaining Lease Time N/A Client record of LAN Interface. String Format. Client record of IP Address Type and the IP Address. Type is String Format and the IP Address is IPv4 Format. Client record of Host Name. String Format. N/A Client record of MAC Address. MAC Address Format. N/A Client record of Remaining Lease Time. Time Format. 27
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 2.3.5 WiFi Status The WiFi Status window shows the overall statistics of WiFi VAP entries. Go to Status > Basic Network > DDNS tab. WiFi Virtual AP List The WiFi Virtual AP List shows all of the virtual AP information. The Edit button allows for quick configuration changes. WiFi Virtual AP List Item Value setting Op. Band ID WiFi Enable N/A N/A N/A Op. Mode N/A SSID Channel WiFi System Auth. & Security MAC Address N/A N/A N/A N/A N/A Action N/A Description It displays the Wi‐Fi Operation Band (2.4G or 5G) of VAP. It displays the ID of VAP. It displays whether the VAP wireless signal is enabled or disabled. The Wi‐Fi Operation Mode of VAP. Depends of device model, modes are AP Router, WDS Only and WDS Hybrid, Universal Repeater and Client. It displays the network ID of VAP. It displays the wireless channel used. The WiFi System of VAP. It displays the authentication and encryption type used. It displays MAC Address of VAP. Click the Edit button to make a quick access to the WiFi configuration page. (Basic Network > WiFi > Configuration tab) The QR Code button allow you to generate QR code for quick connect to the VAP by scanning the QR code. 28
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. WiFi WDS Status The WiFi Traffic Statistic shows all the received and transmitted packets on WiFi network.
WiFi IDS Status Item Value setting SSID Remote AP MAC Channel N/A N/A N/A Security N/A RSSI0, RSSI1 N/A Action N/A Description It displays the network ID of VAP. It displays the the Remote AP MAC list for the WDS peers. It displays the wireless channel used. It displays the authentication and encryption setting for the WDS connection. It displays the Rx sensitivity on each radio path.. Click the Edit button to make a quick access to the WiFi configuration page. (Basic Network > WiFi > Configuration tab) WiFi IDS Status The WiFi Traffic Statistic shows all the received and transmitted packets on WiFi network.
WiFi IDS Status Item Authentication Frame Association Request Frame Re‐association Request Frame Probe Request Frame Disassociation Frame Deauthentication Frame EAP Request Frame Malicious Data Frame Value setting N/A N/A N/A N/A N/A N/A N/A N/A Description It displays the receiving Authentication Frame count. It displays the receiving Association Request Frame count. It displays the receiving Re‐association Request Frame count. It displays the receiving Probe Request Frame count. It displays the receiving Disassociation Frame count. It displays the receiving Deauthentication Frame count. It displays the receiving EAP Request Frame count. It displays the number of receiving unauthorized wireless packets. 29
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Action N/A Click the Reset button to clear the entire statistic and reset counter to 0. Ensure WIDS function is enabled Go to Basic Network > WiFi > Advanced Configuration tab Note that the WIDS of 2.4G or 5G should be configured separately. WiFi Traffic Statistic The WiFi Traffic Statistic shows all the received and transmitted packets on WiFi network. WiFi Traffic Statistic Item Value setting Op. Band ID Received Packets Transmitted Packet Action Refresh Button N/A N/A N/A N/A N/A N/A Description It displays the Wi‐Fi Operation Band (2.4G or 5G) of VAP. It displays the VAP ID. It displays the number of reveived packets. It displays the number of transmitted packets. Click the Reset button to clear individual VAP statistics. Click the Refresh button to update the entire VAP Traffic Statistic instantly.
30
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 2.3.7 DDNS Status The DDNS Status window shows the current DDNS service in use, the last update status, and the last update time to the DDNS service server. Go to Status > Basic Network > DDNS. DDNS Status DDNS Status Item Value Setting Description
Host Name Provider Effective IP N/A N/A N/A Last Update Status N/A Last Update Time N/A Refresh button N/A It displays the name you entered to identify DDNS service provider It displays the DDNS server of DDNS service provider It displays the public IP address of the device updated to the DDNS server It displays whether the last update of the device public IP address to the
DDNS server has been successful (Ok) or failed (Fail). It displays time stamp of the last update of public IP address to the DDNS
server. The refresh button allows user to force the display to refresh information. 31
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 2.5 Security 2.5.1 VPN Status The VPN Status widow shows the overall VPN tunnel status. From the menu on the left, select Status > Security > VPN Status. Dynamic VPN Server Status Dynamic VPN Server Status windows show the configuration for establishing Dynamic VPN connection and current connection status. Dynamic Server Status Item Value setting Description
Tunnel Name Tunnel Scenario Local Subnets Remote IP/FQDN Remote Subnets Conn. Time Status It displays the tunnel name you have entered to identify. It displays the Dynamic VPN as the tunnel scenario. It displays the Local Subnets specified. It displays the Remote IP/FQDN specified. It displays the Remote Subnets specified. It displays the connection time for the Dynamic VPN connection. It displays the Status of the Dynamic VPN connection. The status N/A N/A N/A N/A N/A N/A N/A 32
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Edit Button N/A displays are Connected, Disconnected, Wait for traffic, and Connecting.
Click on Edit Button to change Dynamic VPN setting, web‐based utility will take you to the IPSec configuration page. (Security > VPN > IPSec tab) Static IPSec Status Static IPSec Status shows the configuration for establishing IPSec tunnel and current connection status. Static IPSec Status Item Value setting Tunnel Name Tunnel Scenario Local Subnets Remote IP/FQDN Remote Subnets Conn. Time N/A N/A N/A N/A N/A N/A Status N/A Edit Button N/A Description
It displays the tunnel name you have entered to identify. It displays the Tunnel Scenario specified. It displays the Local Subnets specified. It displays the Remote IP/FQDN specified. It displays the Remote Subnets specified. It displays the connection time for the IPSec tunnel. It displays the Status of the VPN connection. The status displays are Connected, Disconnected, Wait for traffic, and Connecting. Click on Edit Button to change IPSec setting, web‐based utility will take you to the IPSec configuration page. (Security > VPN > IPSec tab) PPTP Server/Client Status PPTP Server/Client Status shows the configuration for establishing PPTP tunnel and current connection status. PPTP Server Status Item Value setting Description
User Name N/A It displays the login name of the user used for the connection. Remote IP N/A It displays the public IP address (the WAN IP address) of the connected PPTP client. Remote Virtual IP Remote Call ID Conn. Time N/A N/A N/A Status N/A It displays the IP address assigned to the connected PPTP client. It displays the PPTP client Call ID. It displays the connection time for the PPTP tunnel. It displays the Status of each of the PPTP client connection. The status displays Connected, Disconnect, and Connecting. 33
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Edit Button Click on Edit Button to change PPTP server setting, web‐based utility will take you to the PPTP server configuration page. (Security > VPN > PPTP tab) N/A PPTP Client Status Item Value setting Client Name N/A Interface N/A Virtual IP N/A Remote IP/FQDN N/A Default Gateway / Remote Subnet N/A Conn. Time N/A Status N/A Edit Button N/A Description
It displays Name for the PPTP Client specified. It displays the WAN interface with which the gateway will use to request PPTP tunneling connection to the PPTP server. It displays the IP address assigned by Virtual IP server of PPTP server. It displays the PPTP Server’s Public IP address (the WAN IP address) or FQDN. It displays the specified IP address of the gateway device used to connect to the internet to connect to the PPTP server –the default gateway. Or other specified subnet if the default gateway is not used to connect to the PPTP server –the remote subnet. It displays the connection time for the PPTP tunnel. It displays the Status of the VPN connection. The status displays Connected, Disconnect, and Connecting. Click on Edit Button to change PPTP client setting, web‐based utility will take you to the PPTP server configuration page. (Security > VPN > PPTP tab) 34
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. L2TP Server/Client Status LT2TP Server/Client Status shows the configuration for establishing LT2TP tunnel and current connection status. L2TP Server Status Item Value setting User Name N/A Remote IP N/A Remote Virtual IP Remote Call ID Conn. Time N/A N/A N/A Status N/A Edit Button N/A Description
It displays the login name of the user used for the connection. It displays the public IP address (the WAN IP address) of the connected L2TP client. It displays the IP address assigned to the connected L2TP client. It displays the L2TP client Call ID. It displays the connection time for the L2TP tunnel. It displays the Status of each of the L2TP client connection. The status displays Connected, Disconnect, Connecting Click on Edit Button to change L2TP server setting, web‐based utility will take you to the L2TP server configuration page. (Security > VPN > L2TP tab) L2TP Client Status Item Value setting Client Name N/A Interface N/A Virtual IP N/A Remote IP/FQDN N/A Default Gateway/Remote Subnet N/A Conn. Time N/A Status N/A Edit Button N/A Description
It displays Name for the L2TP Client specified. It displays the WAN interface with which the gateway will use to request PPTP tunneling connection to the PPTP server. It displays the IP address assigned by Virtual IP server of L2TP server. It displays the L2TP Server’s Public IP address (the WAN IP address) or FQDN. It displays the specified IP address of the gateway device used to connect to the internet to connect to the L2TP server –the default gateway. Or other specified subnet if the default gateway is not used to connect to the L2TP server –the remote subnet. It displays the connection time for the L2TP tunnel. It displays the Status of the VPN connection. The status displays Connected, Disconnect, and Connecting. Click on Edit Button to change L2TP client setting, web‐based utility will take you to the L2TP client configuration page. (Security > VPN > L2TP tab) 35
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. OpenVPN Server Status According to OpenVPN configuration, the OpenVPN Server/Client Status shows the status and statistics for the OpenVPN connection from the server side or client side. OpenVPN Server Status Item Value setting User Name Remote IP/FQDN Virtual IP/MAC N/A N/A Conn. Time Status N/A N/A Description It displays the Client name you have entered for identification. It displays the public IP address (the WAN IP address) of the connected OpenVPN Client It displays the virtual IP/MAC address assigned to the connected OpenVPN
client. It displays the connection time for the corresponding OpenVPN tunnel.
It displays the connection status of the corresponding OpenVPN tunnel.
The status can be Connected, or Disconnected. N/A OpenVPN Server Status OpenVPN Client Status Item Value setting OpenVPN Client Name Interface Remote IP/FQDN Remote Subnet TUN/TAP Read(bytes) TUN/TAP Write(bytes) TCP/UDP Read(bytes) TCP/UDP Write(bytes) Conn. Time Conn. Status Description N/A It displays the Client name you have entered for identification. N/A N/A N/A N/A It displays the WAN interface specified for the OpenVPN client connection.
It displays the peer OpenVPN Server’s Public IP address (the WAN IP address) or FQDN. It displays the Remote Subnet specified. It displays the TUN/TAP Read Bytes of OpenVPN Client. N/A It displays the TUN/TAP Write Bytes of OpenVPN Client. N/A It displays the TCP/UDP Read Bytes of OpenVPN Client. N/A It displays the TCP/UDP Write Bytes of OpenVPN Client. Connection It displays the connection time for the corresponding OpenVPN tunnel.
It displays the connection status of the corresponding OpenVPN tunnel.
The status can be Connected, or Disconnected. N/A N/A 36
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 2.5.3 Firewall Status From the menu on the left, select Status > Security > Firewall Status Tab. The Firewall Status provides user a quick view of the firewall status and current firewall settings. It also keeps the log history of the dropped packets by the firewall rule policies, and includes the administrator remote login settings specified in the Firewall Options. By clicking the icon [+], the status table will be expanded to display log history. Clicking the Edit button the screen will be switched to the configuration page. Packet Filter Status Packet Filter Status Item Value setting Activated Filter N/A Rule Detected Contents N/A IP N/A Time N/A Description
This is the Packet Filter Rule name. This is the logged packet information, including the source IP, destination IP, protocol, and destination port –the TCP or UDP. String format: Source IP to Destination IP : Destination Protocol (TCP or UDP) The Source IP (IPv4) of the logged packet. The Date and Time stamp of the logged packet. Date & time format. ("Month" "Day" "Hours":"Minutes":"Seconds") Note: Ensure Packet Filter Log Alert is enabled. Refer to Security > Firewall > Packet Filter tab. Check Log Alert and save the setting. URL Blocking Status URL Blocking Status Item Value setting Activated N/A Blocking Rule Blocked URL N/A Description
This is the URL Blocking Rule name. This is the logged packet information. 37
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. IP N/A Time N/A The Source IP (IPv4) of the logged packet. The Date and Time stamp of the logged packet. Date & time format. ("Month" "Day" "Hours":"Minutes":"Seconds") Note: Ensure URL Blocking Log Alert is enabled. Refer to Security > Firewall > URL Blocking tab. Check Log Alert and save the setting. Web Content Filter Status Web Content Filter Status Item Value setting Activated Filter N/A Rule Detected N/A Contents IP N/A Time Description
Logged packet of the rule name. String format. Logged packet of the filter rule. String format. Logged packet of the Source IP. IPv4 format. Logged packet of the Date Time. Date time format ("Month" "Day" "Hours":"Minutes":"Seconds") N/A Note: Ensure Web Content Filter Log Alert is enabled. Refer to Security > Firewall > Web Content Filter tab. Check Log Alert and save the setting. 38
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. MAC Control Status MAC Control Status Item Activated Control Rule Blocked MAC Addresses IP Time Value setting N/A This is the MAC Control Rule name. N/A This is the MAC address of the logged packet. N/A The Source IP (IPv4) of the logged packet. The Date and Time stamp of the logged packet. Date & time format. ("Month" "Day" "Hours":"Minutes":"Seconds") N/A Description
Note: Ensure MAC Control Log Alert is enabled. Refer to Security > Firewall > MAC Control tab. Check Log Alert and save the setting. Application Filters Status Application Filters Status
Item Value setting Filtered Application Category Filtered Application Name IP Time Description
N/A The name of the Application Category being blocked. N/A The name of the Application being blocked. N/A The Source IP (IPv4) of the logged packet. The Date and Time stamp of the logged packet. Date & time format. ("Month" "Day" "Hours":"Minutes":"Seconds") N/A Note: Ensure Application Filter Log Alert is enabled. Refer to Security > Firewall > Application Filter tab. Check Log Alert and save the setting. 39
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. IPS Status IPS Firewall Status Item Value setting Detected Intrusion IP Time Description
N/A This is the intrusion type of the packets being blocked. N/A The Source IP (IPv4) of the logged packet. The Date and Time stamp of the logged packet. Date & time format. ("Month" "Day" "Hours":"Minutes":"Seconds") N/A Note: Ensure IPS Log Alert is enabled. Refer to Security > Firewall > IPS tab. Check Log Alert and save the setting. Firewall Options Status Firewall Options Status Item Value setting Stealth Mode N/A SPI N/A Discard Ping from N/A WAN Remote Administrator Management N/A Description
Enable or Disable setting status of Stealth Mode on Firewall Options. String Format: Disable or Enable Enable or Disable setting status of SPI on Firewall Options. String Format : Disable or Enable Enable or Disable setting status of Discard Ping from WAN on Firewall Options. String Format: Disable or Enable Enable or Disable setting status of Remote Administrator. If Remote Administrator is enabled, it shows the currently logged in administrator’s source IP address and login user name and the login time. Format: IP : "Source IP", User Name: "Login User Name", Time: "Date time" Example: IP: 192.168.127.39, User Name: admin, Time: Mar 3 01:34:13 Note: Ensure Firewall Options Log Alert is enabled. Refer to Security > Firewall > Options tab. Check Log Alert and save the setting. 40
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 2.7 Administration 2.7.1 Configure & Manage Status The Configure & Manage Status window shows the status for managing remote network devices. The type of management available in your device is depended on the device model purchased. The commonly used ones are the SNMP, TR‐069, and UPnP. From the menu on the left, select Status > Administration > Configure & Manage tab. SNMP Linking Status SNMP Link Status screen shows the status of current active SNMP connections. SNMP Link Status Item Value setting User Name N/A Description
It displays the user name for authentication. This is only available for SNMP version 3. 41
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. IP Address N/A Port N/A Community Auth. Mode Privacy Mode SNMP Version N/A N/A N/A N/A It displays the IP address of SNMP manager. It displays the port number used to maintain connection with the SNMP manager. It displays the community for SNMP version 1 or version 2c only. It displays the authentication method for SNMP version 3 only. It displays the privacy mode for version 3 only. It displays the SNMP Version employed. SNMP Trap Information SNMP Trap Information screen shows the status of current received SNMP traps. SNMP Trap Information Item Value setting Description
Trap Level Time Trap Event It displays the trap level. It displays the timestamp of trap event. It displays the IP address of the trap sender and event type. N/A N/A N/A TR‐069 Status TR‐069 Status screen shows the current connection status with the TR‐068 server. TR‐069 Status Item Link Status Value setting Description
N/A It displays the current connection status with the TR‐068 server. The connection status is either On when the device is connected with the TR‐
068 server or Off when disconnected. 42
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 2.7.3 Log Storage Status The Log Storage Status window shows the status for selected device storage. From the menu on the left, select Status > Administration > Log Storage tab. Log Storage Status Log Storage Status screen shows the status of current the selected device storage. The status includes Device Select, Device Description, Usage, File System, Speed, and status . 43
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 2.7.5 GNSS Information The GNSS Information screen shows the status for current GNSS positioning information for the gateway. From the menu on the left, select Status > Administtration > GNSS tab. The available GNSS information includes GNSS Condition, No. of Satellites, Satellites ID / Signal Strength, Position (Lat., Long.), Altitude (meters), True Course, and the equivalent Ground Speed (km/h). 44
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 2.9 Statistics & Report 2.9.1 Connection Session Go to Status > Statistics & Reports > Connection Session tab. Internet Surfing Statistic shows the connection tracks on this router. Internet Surfing Statistic
Item Value setting Previous Next First Last Export (.xml) Export (.csv) Refresh Description
N/A N/A Click the Previous button; you will see the previous page of track list. Click the Next button; you will see the next page of track list. N/A N/A N/A N/A N/A Click the First button; you will see the first page of track list. Click the Last button; you will see the last page of track list. Click the Export (.xml) button to export the list to xml file. Click the Export (.csv) button to export the list to csv file. Click the Refresh button to refresh the list. 45
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 2.9.3 Network Traffic Go to Status > Statistics & Reports > Network Traffic tab. Network Traffic Statistics screen shows the historical graph for the selected network interface. You can change the interface drop list and select the interface you want to monitor. . 46
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 2.9.5 Device Administration Go to Status > Statistics & Reports > Device Administration tab. Device Administration shows the login information. Device Manager Login Statistic Item Value setting Previous Next First Last Export (.xml) Export (.csv) Refresh Description
N/A N/A N/A Click the Previous button; you will see the previous page of login statistics.
Click the Next button; you will see the next page of login statistics Click the First button; you will see the first page of login statistics N/A N/A N/A N/A Click the Last button; you will see the last page of login statistics Click the Export (.xml) button to export the login statistics to xml file. Click the Export (.csv) button to export the login statistics to csv file. Click the Refresh button to refresh the login statistics 47
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 2.9.7 Portal Usage Go to Status > Statistics & Reports > Portal Usage tab. Portal Usage shows the information about internal Captive Portal user login statistics. Device Manager Login Statistic Item Value setting User Name N/A Status N/A Create Time N/A Remaining Lease Time N/A Time Used N/A Expiration Time N/A User Leve Previous Next N/A N/A N/A N/A N/A First Last Refresh Description
It displays the User Name of user account created in Object Define > User > User Profile. It displays the Status of user account about logging captive portal. Online for the user logined to the captive portal; Offline for the user already logouted. It displays the Create Time that user account created. It displays the Remaining Lease Time of the user account. If the remaining time is zero, the corresponding user account can’t be use for login captive portal anymore. If the Lease Time of user account is empty, the remaining lease time field is shown empty. It means that the user account can be used all the time. It displays the Time Used since the user login to the captive portal.
It displays the Expiration Time of the user account. Tell user that what time the user account will be useless. If the Lease Time of user account is empty, the expiration time field is also empty. It means that the user account can be used all the time. It displays the User Level of the user account. It can be Admin, Staff, Guest, and Passenger. Click the Previous button; you will see the previous page of login statistics.
Click the Next button; you will see the next page of login statistics Click the First button; you will see the first page of login statistics Click the Last button; you will see the last page of login statistics Click the Refresh button to refresh the login statistics 48
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 2.9.9 Cellular Usage Go to Status > Statistics & Reports > Cellular Usage tab. Cellular Usage screen shows data usage statistics for the selected cellular interface. The cellular data usage can be accumulated per hour or per day. 49
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Chapter 3 Basic Network 3.1 WAN & Uplink The gateway provides one or more WAN interfaces to let all client hosts in Intranet of the gateway access the Internet via ISP. But ISPs in the world apply various connection protocols to let gateways or user's devices dial in ISPs and then link to the Internet via different kinds of transmit media. So, the WAN Connection lets you specify the WAN Physical Interface, WAN Internet Setup and WAN Load Balance for Intranet to access Internet. For each WAN interface, you must specify its physical interface first and then its Internet setup to connect to ISP. If the gateway has multiple WAN interfaces, you also can assign physical interface to participate in the Load Balance function. In Physical Interface, you can choose “Ethernet”, “3G/4G”, “WiFi Module” or “ADSL” based on the supported interfaces of the gateway. In Internet Setup, you can choose adequate WAN type for different kind of WAN interface. When the gateway has multiple WAN interfaces, load balance function operates between these interfaces to maximize the WAN bandwidth utilization. 50
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 3.1.1 Physical Interface The first step to configure one WAN interface is to specify which kind of connection media to be used for the WAN connection, as shown in "Physical Interface" page. In "Physical Interface" page, there are two configuration windows, "Physical Interface List" and "Interface Configuration". "Physical Interface List" window shows all the available physical interfaces. After clicking on the "Edit" button for the interface in "Physical Interface List" window the "Interface Configuration" window will appear to let you configure a WAN interface. Physical Interface List The Physical Interface List shows all WAN interfaces of the gateway device, including their name, what kinds of physical interface, their operation mode and line speed. There is one "Edit" button for each WAN interface, which can let you configure the interface. Please see "Interface Configuration" section beneath. Following are some "Physical Interface List" window examples for different gateway products. 51
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. An example of a SDE852AM‐00001 device An example of an IOG761AM‐0TDA1 device An example of an ODG761AM‐0T1 device An example of a BDG761AM‐0T1 device The contents of "Physical Interface List" in above example windows are just some examples. They vary from model to model. It depends on the model you purchased. 
Interface Name The logic name of WAN interfaces is identified by “WAN‐1”, “WAN‐2”, …, and so on. 
Physical Interface This device is equipped with some kinds of WAN interfaces to support different WAN types of connections. You can configure one by one to get proper internet connection setup. Refer to the product specification for the available WAN interfaces for the model you purchased. 52
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 
Operation Mode There are three option items “Always‐on”, “Failover”, and “Disable” for the operation mode setting. It decides whether the corresponding WAN interface functions as the main access, as a failover access connection or disable the interface. 
Line Speed Specify the correct line speed (bandwidth) of uploading and downloading for each WAN interface allow the device to operate its QoS and WAN Load Balance functions normally. It is necessary to configure the parameters if you want to use QoS and WAN Load Balance functions on the gateway device. 
VLAN Tagging Sometimes, your ISP required a VLAN tag to be inserted into the WAN packets from Gateway for specific services. You must specify it in the WAN physical interface. Please note that only Ethernet and ADSL physical interfaces support the feature. Interface Configuration The configuration of a WAN interface includes the settings of interface type, operation mode, line speed of upload and download, and VLAN tagging. The WAN interface name at the end of window caption indicates which interface that you are configuring. The content in above diagram is an example for Ethernet WAN interface. 
Physical Interface This device is equipped with some kinds of WAN interfaces to support different WAN types of connections. You can configure one by one to get proper internet connection setup. Refer to the product specification for the available WAN interfaces for the model you purchased. Following are some physical interface configuration examples and their illustration diagrams. Please be noted that the primary connection is WAN‐1 and its operation mode must be "Always on". 53
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. [Physical Interface]‐[Interface Configuration (WAN‐n)], n=1, 2, ...
Configuration Path Physical Interface Operation Mode Line Speed Ethernet 3G/4G
Always on 100Mbps 100Mbps Always on
/ 50Mbps 150Mbps USB 3G/4G
ADSL Failover
Always on / 5Mbps / 21Mbps
2Mbps / 22Mbps WAN Physical Interface
Ethernet WAN
ISP
DSLAM
Gateway
Firewall
or
xDSL Modem
Cellular Network 3G/4G WAN
Gateway
USB 3G/4G WAN
Cellular Network Gateway
ISP
DSLAM
Gateway
ADSL WAN
Ethernet WAN: The gateway has one or more RJ45 WAN ports that can be configured to be WAN connections. For each Ethernet WAN port, please plug in RJ45 cable from your external DSL modem to the port and follow UI setting to setup. If the gateway is setup behind a firewall device, plug in RJ45 cable from one Ethernet port of firewall device instead. 3G/4G WAN: The gateway has one or more built‐in 3G/4G5 modems that can be configured to be WAN connections. For each built‐in modem, there are 1 or 2 SIM cards to be inserted into the modem, please insert the SIM card and follow UI setting to setup. 
Please MUST POWER OFF the gateway before
you insert or remove SIM card.

Caution
The SIM card can be damaged if you insert or
remove SIM card while the gateway is in operation.
5 The specification of embedded module depends on respective model.
54
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. WiFi Uplink WAN: For the product with WiFi Uplink function, one or two WiFi modules can be configured to be WAN connections. For the WiFi module with Uplink function activated, you can further create some uplink profiles for ease of connecting to an uplink network. ADSL WAN: The gateway has one ADSL modem built‐in that can be configured to be a WAN connection, please plug in RJ11 cable (normally the landline phone cable) in DSL port and follow UI setting to setup. 
Operation Mode There are three option items “Always on”, “Failover”, and “Disable” for the operation mode setting. Always on: Set this WAN interface to be active all the time. Only the interfaces with "Always on" operation mode can share their bandwidth for load balance function. That means when two or more Internet connections are established simultaneously at "Always on" mode, outgoing data will be transferred through these WAN connections base on load balance policies. This mode is especially suitable for high bandwidth requirement, such as video stream transmission. Failover: A failover interface is a backup connection to the primary. That means only when its primary WAN connection is broken, the backup connection will be started up to substitute the primary connection. In addition, there is a "Seamless" option for Failover operation mode. When seamless option is activated by checking on the "Seamless" box in configuration window, both the primary connection and the failover connection are started up after system rebooting. But only the primary connection executes the data transfer, while the failover one just keeps alive of connection line. As soon as the primary connection is broken, the system will switch, meaning failover, the routing path to the failover connection to save the dial up time of failover connection since it has been alive. Disable: Set this WAN interface to be inactive. 
Failover Scenario without Seamless: As an example, you can set the operation mode of WAN‐2 interface to be a backup WAN connection. WAN‐1 interface serves as the primary connection of WAN‐2 and its operation mode is "Always on". But the "Seamless" box is unchecked. That means WAN‐2 failover from WAN‐1 and it won’t be activated until primary WAN connection (WAN‐1) has failed. When the primary interface is recovered back with a connection, primary interface will take over data transfer again. Following 4 tables list the parameter configuration for these two WAN interfaces. 55
In‐Vehicle Hotspot Gateway
Configuration Path Interface Name Physical Interface Operation Mode Line Speed Index skipping is used to reserve slots for new function insertion, when required. [Physical Interface]‐[Interface Configuration (WAN‐n)], n=1, 2 WAN‐1 WAN‐2
ADSL USB 3G/4G
Always on Failover WAN‐1 □Seamless 2Mbps / 22Mbps
5Mbps / 21Mbps
Configuration Path Interface Name WAN Type [Internet Setup]‐[Internet Connection Configuration (WAN‐n)], n=1, 2 WAN‐1 WAN‐2
Ethernet over ATM with NAT
3G/4G
Configuration Path Interface Name Connection Control Data Encryption VPI Number VCI Number Schedule Type [Internet Setup]‐[Ethernet over ATM with NAT WAN Type Configuration] WAN‐1 Auto‐reconnect (Always on)
LLC 0 33 UBR Configuration Path Interface Name Dial‐up Profile Connection Control [Internet Setup]‐[3G/4G WAN Type Configuration]
WAN‐2 Auto‐detection Auto‐reconnect (Always on)
So, the initial status of two WAN connections is shown in following diagram. ISP
DSLAM
Connected
Gateway
WAN‐1: ADSL
WAN‐2: 3G/4G
Initial Status
Not Connected
Cellular Network Next, Failover and Failback processes are shown in following diagram. Their steps are: S 1: When system discovers the primary WAN connection is failed. S 2: System starts the failover process. S 3: System tries to create the WAN connection by using Failover WAN interface, and use it for incoming data transmitting mission. S 4: System keeps trying to recover the failed primary WAN connection. Once it is recovered, system starts the failback process. 56
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. S 5: When failback process starts, system terminates the current WAN connection via Failover WAN interface. S 6: System changes the data routing path back to the primary WAN interface as same state as at the beginning of system normal operation. ISP
DSLAM
① Disconnected
Gateway
WAN‐1: ADSL
② Failover
Failover
WAN‐2: 3G/4G
③ Start Connecting
Cellular Network ISP
Gateway
DSLAM
④ Connection Back
WAN‐1: ADSL
⑥ Failback
WAN‐2: 3G/4G
Failback
⑤ Terminate Connection
Cellular Network 
Seamless Failover Scenario: As another example, all parameter configuration for WAN‐1 and WAN‐2 is same as above example except the "Seamless" box is checked as bellow (in red color). Configuration Path Interface Name Physical Interface Operation Mode Line Speed [Physical Interface]‐[Interface Configuration (WAN‐n)], n=1, 2
WAN‐1 WAN‐2
ADSL USB 3G/4G
Always on Failover WAN‐1 ■Seamless
2Mbps / 22Mbps 5Mbps / 21Mbps
When the “Seamless” enable checkbox is activated, it can allow the Failover interface to be connected continuously after system booting up. The Failover interface just keeps connecting but without data transfer. The purpose is to aim at the shortening of switch time during failover process. So, when primary connection is disconnected, failover interface will take over the data transfer mission instantly by only changing routing path to failover interface. The dialing‐up time of failover connection is saved since it has been connected beforehand. 57
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. So, the initial status of two WAN connections for Seamless Failover is shown in following diagram. ISP
Gateway
DSLAM
Connected and
Data TransferringWAN‐1: ADSL
WAN‐2: 3G/4G
Initial Status
Connected but just
Keep Alive
Cellular Network Next, Failover and Failback processes are shown in following diagram. Their steps are: S 1: When system discovers the primary WAN connection is failed. S 2: System starts the failover process. S 3: System changes the data routing path to the failover WAN interface for further data transmitting. It is faster than the one in the normal mode of failover since routing change is simpler than dialing up a new WAN connection. S 4: System keeps trying to recover the failed primary WAN connection. Once it is recovered, system starts the failback process. S 5: When failback process starts, system will leave alive the current WAN connection via Failover WAN interface, but no more data transmitting. S 6: System changes the data routing path back to the primary WAN interface as same state as at the beginning of system normal operation. 58
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. ISP
DSLAM
① Disconnected
Gateway
WAN‐1: ADSL
② Failover
Failover
WAN‐2: 3G/4G
③ Change Routing via WAN-2
Cellular Network ISP
Gateway
DSLAM
④ Connection Back
WAN‐1: ADSL
⑥ Failback: Change
WAN‐2: 3G/4G
Routing back via WAN-1
Failback
⑤ Leave it Keep Alive
Cellular Network 
Dual SIM Failover Scenario: If your purchased product has one or more embedded 3G/LTE module, and they have dual SIMs to be used as connection profiles to connect to mobile system for each 3G/LTE module. But please be noted, only one SIM card is used for a 3G/LTE module. Failover and Seamless Failover scenarios mentioned above are interacted between multiple interfaces. One embedded 3G/LTE module creates only one WAN interface, even it has dual SIMs. A special failover mechanism between using both SIM cards to connect to mobile system is presented here. It is called as Dual SIM Failover. In this Dual SIM Failover, there are four kinds of SIM card usage scenarios, including "SIM‐A First", "SIM‐B First“, and “SIM‐A Only and “SIM‐B Only”. By default, “SIM‐A First” scenario is used to connect to mobile system for data transfer. So in the case when “SIM‐A Only” or “SIM‐B Only” is used, the specified SIM slot card is the only one to be used for negotiation parameters between gateway device and mobile base station. However, in the case of “SIM‐A First” or “SIM‐B First” scenario, the gateway will try to connect to the Internet by using SIM‐A or SIM‐B card first. And when the connection is broken, gateway system will switch to use the other SIM card for an alternate automatically and will not switch back to use original SIM card except current SIM connection is also broken. That is, SIM‐A and SIM‐B are used iteratively, but either one will keep being used for data transfer when current connection is still alive. Following 3 tables list the parameter configuration for the Dual SIM failover scenario. Other settings that don't show out in the tables, please leave them as default values. 59
In‐Vehicle Hotspot Gateway
Configuration Path Interface Name Physical Interface Operation Mode Line Speed Index skipping is used to reserve slots for new function insertion, when required. [Physical Interface]‐[Interface Configuration (WAN‐1)]
WAN‐1 3G/4G Always on 50Mbps / 150Mbps
Configuration Path Interface Name WAN Type [Internet Setup]‐[Internet Connection Configuration (WAN‐1)] WAN‐1 3G/4G Configuration Path Interface Name Preferred SIM Card [Internet Setup]‐[3G/4G WAN Type Configuration]
WAN‐1 SIM‐A First So, the initial status of two WAN connections using different SIM card is shown in the following diagram. Cellular Network #1 Connected and
Data Transferring SIM‐A
SIM‐B
Not Connected
Gateway
Initial Status
(SIM-A First)
Cellular Network #2 Next, Dual SIM Failover process with SIM‐A First scenario is shown in the following diagram. The steps are: Pre‐state: System tries to connect to mobile system for an Internet connection by using connection profile in SIM‐A (for SIM‐A First scenario) after system rebooting. If the connection is successful, data transfer from Intranet to Internet will be executed in this WAN connection. Call the connection as SIM‐A connection. But if SIM‐A connection failed, system will try to connect to mobile system by using connection profile in SIM‐B. If it is successful, call it as SIM‐B connection. In this way, use SIM‐A and SIM‐B alternately for a successful WAN connection. At last, assume it is SIM‐m connection here for a successful connection, m can be 'A' or 'B'. S 1: When system discovers the SIM‐m connection is failed, system starts the failover process. S 2: System tries to create another WAN connection by using connection profile in SIM‐n, and use it for incoming data transmitting mission, where n can be 'A' or 'B'. 60
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. S 3: System keeps executing data transfer via SIM‐n connection until the connection failed. Once the SIM‐n connection failed, system starts the failover process again and goes back to S2 step. Cellular Network #1 ① When Disconnected
Gateway
SIM‐A
② Failover
Failover
SIM‐B
③ Start Connecting
Cellular Network #2 Cellular Network #1 ⑥ Start Connecting SIM‐A
⑤ Failover
Gateway
SIM‐B
Failover
④ When Disconnected
Cellular Network #2 
Line Speed To declare correct line speed of uploading and downloading for each WAN interface can let the device operate its QoS and WAN Load Balance functions normally. If you don't know accurate line speed of your subscribed Internet service, following are some suggestions: 





High Speed Ethernet WAN: Upload 100Mbps, Download 100Mbps; Gigabit Ethernet WAN: Upload 1000Mbps, Download 1000Mbps; CAT4 Built‐in LTE Module: Upload 50Mbps, Download 150Mbps; CAT3 LTE USB Dongle: Upload 50Mbps, Download 100Mbps; 3G USB Dongle: Upload 5Mbps, Download 21Mbps; ADSL2+: Upload 2Mbps, Download 22Mbps. 
VLAN Tagging Sometimes, your ISP required a VLAN tag to be inserted into the WAN packets from Gateway for specific services. Ensure to specify it in the WAN physical interface. Please be noted that only Ethernet and ADSL physical interfaces support the feature. As an example (just for an example, your device may not have an ADSL WAN), you can setup WAN‐1 without VLAN Tagging by using Ethernet WAN interface for your Intranet to access the Internet. 61
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. In addition, you also can setup WAN‐2 with VLAN Tagging (Tag ID 12) using ADSL WAN interface for your Intranet to access specific service in ISP. Following table list the physical interface configuration for these two WAN interfaces, and their scenarios are shown in the following diagram. [Physical Interface]‐[Interface Configuration (WAN‐n)], n=1, 2 Configuration Path Interface Name Physical Interface Operation Mode Line Speed VLAN Tagging WAN‐1 WAN‐2 Ethernet ADSL
Always on Always on 100Mbps / 100Mbps
2Mbps / 22Mbps □Enable ■Enable 12 Ethernet WAN
ISP
DSLAM
Gateway
w/o Tag
xDSL Modem
Specific Service
ADSL WAN
ISP
Gateway
DSLAM
w/ Tag 12
Specific Service
P.s. 3G/4G or USB 3G/4G can’t carry any VLAN tag in communication packets
62
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Physical Interface Setting The Physical Interface allows user to setup the physical WAN interface and to adjust WAN’s behavior. Note: Numbers of available WAN Interfaces can be different for the purchased gateway. Go to Basic Network>WAN > Physical Interface tab. Configure Physical Interface Setting When Edit button is applied, an Interface Configuration screen will appear. WAN‐1 interface is used in this example. 63
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Interface Configuration Item Value setting Physical Interface 1. A Must fill setting 2. WAN‐1 is the primary interface and is factory set to Always on. Operation Mode A Must fill setting Line Speed A Must fill setting VLAN Tagging Optional setting Description
Select one expected interface from the available interface dropdown list. Depending on the router model, Disable and Failover options will be available only to multiple WAN gateway. WAN‐2 and WAN‐3 interfaces are only available to multiple WAN gateway. Define the operation mode of the interface. Select Always on to make this WAN always active. Select Disable to disable this WAN interface. Select Failover to make this WAN a Failover WAN when the primary or the secondary WAN link failed. Then select the primary or the existed secondary WAN interface to switch Failover from. To failover seamlessly, check Seamless box. This failover WAN will keep connected to the network (i.e. 3G/4G network) but no traffic will be transmitted through it until failover happens. If Seamless box is unchecked, failover WAN will begin to initiate a connection request to the network (i.e. the nearest 3G/4G base station) when failover occurs. During failover period, users may notice a period of connection time. (Note: for WAN‐1, only Always on option is available.) Define the upload and download bandwidth for the WAN. The actual bandwidth will also be affected if the Priority is specified in Load Balance Strategy. Refer to Basic Network > WAN & Uplink > Load Balance tab if your device supports Load Balance function. Check Enable box to enter tag value provided by your ISP. Otherwise uncheck the box. 64
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 3.1.3 Internet Setup After specifying the physical interface for each WAN connection, administrator must configure their connection profiles one after one to meet the dial in process of ISPs, so that all client hosts in the Intranet of the gateway can access the Internet. In "Internet Setup" page, there are some configuration windows: "Internet Connection List", "Internet Connection Configuration", "WAN Type Configuration" and related configuration windows for each WAN type. For the Internet setup of each WAN interface, you must specify its WAN type of physical interface first and then its related parameter configuration for that WAN type. After clicking on the "Edit" button of a physical interface in "Internet Setup List" window, the "Internet Connection Configuration" window will appear to let you specify which kind of WAN type that you will use for that physical interface to make an Internet connection. Based on your chosen WAN type, you can configure necessary parameters in each corresponding configuration window. The contents, as shown in above screenshot, may vary depending on the model you purchased. 65
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Internet Connection List The Internet Connection List shows the WAN connection profiles of all WAN interfaces in the gateway device, including interface name, the kinds of physical interface, their operation mode and WAN connection type. There is one "Edit" button for each WAN interface to let you configure its Internet connection. Please see "Internet Connection Configuration" section beneath. Following are some "Internet Connection List" window examples for different gateway products. SDE852AM‐00001 example IOG761AM‐0TDA1 example ODG761AM‐0T1 example BDG761AM‐0T1 example The contents of "Physical Interface List", as shown in above screenshot, may vary depending on the model you purchased. 66
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 
Interface Name The logic name of WAN interfaces is identified by “WAN‐1”, “WAN‐2”, …, and so on. 
Physical Interface This device is equipped with some kinds of WAN Interfaces. Please refer to [Basic Network]‐
[WAN & Uplink]‐[Physical Interface] section. 
Operation Mode It is "Always on", "Failover" or "Disable". Please refer to [Basic Network]‐[WAN & Uplink]‐
[Physical Interface] section. 
WAN Type The supported WAN types for each WAN interface depend on the kind of interface. Following are all kinds of physical interfaces and their supported WAN types. 

Ethernet interface: A fixed line ISP that provides xDSL or cable modem for you to setup the WAN connection. 
Static IP Address WAN type: Select this option if ISP provides a fixed IP address to you. You will need to enter in the IP address, subnet mask, and gateway address, provided to you by your ISP. 
Dynamic IP Address WAN type: You may choose this WAN type if you connects a cable modem or a fiber (VDSL modem) for Internet connection. The assigned IP address for the WAN interface by a DHCP server may be different every time. 
PPP over Ethernet WAN type: As known as PPPoE. This WAN type is widely used for ADSL connection. 
PPTP WAN type: This WAN type is more popular in Russia. 
L2TP WAN type: This WAN type is more popular in Israel. 3G/4G interface6: The ISP is a mobile operator that can provide LTE, HSPA+, HSPA, WCDMA, EDGE, GPRS data services. 
3G/4G WAN type: If you have subscribed 3G/4G data services from a mobile operator. You can setup a 3G/4G WAN connection by using the gateway device. This gateway can support LTE/3G/2G data connection based on mobile system specifications that mobile operator provides. In addition, if your 3G data plan is not with a flat rate, it’s 7 Please check the product specification for the supporting of 3G/4G capability in WAN & Uplink section.
67
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. recommended to set Connection Control mode to Connect‐on‐Demand or Manually. 
WiFi Uplink interface: The Uplink network is a wireless network, and the gateway can connect to the Uplink network through WiFi connection. 

WiFi Uplink WAN type: If you have the access permission to a certain wireless network, you can setup a WiFi Uplink connection by using the gateway device. This gateway can support 802.11ac/n/g/b data connection, and it can connect to a wireless network (access point) under the regular infrastrature mode . ADSL interface: Asymmetric digital subscriber line (ADSL) is a type of digital subscriber line (DSL) technology, a data communications technology that enables faster data transmission over copper telephone lines than a conventional voiceband modem can provide. Use a RJ11 cable to connect the ADSL port of gateway device to the DSLAM at ISP, and connect further to a conventional Internet Protocol network. 
Ethernet over ATM with NAT WAN type: The option is intended to be used in implementations which use ATM networks to carry multiprotocol traffic among hosts, routers and bridges which are ATM end systems. 
IP over ATM WAN type: Select this option if ISP provides VPI/VCI, VC‐based/LLC‐based multiplexing, IP address, subnet mask, gateway address and DNS to you to setup an ADSL Internet connection. 
PPPoE (ADSL) WAN type: Select this option if your ISP requires you to use a PPPoE connection for accessing Internet. This option is typically used for DSL services. 
PPP over ATM WAN type: The Point‐to‐Point Protocol over ATM (PPPoA) is a network protocol for encapsulating PPP frames in AAL5. It is used mainly with DSL carrier. 
RFC 1483 Bridged WAN type: RFC1483 Bridged is for carrying connectionless network interconnected traffic over an ATM network. Bridging performs higher‐layer protocol multiplexing implicitly by ATM virtual circuits. Internet Connection Configuration To setup the Internet connection profile for each physical WAN interface, you must specify its WAN Type for the interface and then define related parameters for the WAN type. So the gateway will connect to ISP that you subscribe to, and ISP further links the connection to the Internet. WAN Type varies from interface to interface. Based on physical interface, the supported WAN 68
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Types and related settings are shown as below. In the example bellow, the IOG761AM‐0TDA1 is used to show the Internet connection configurations as it includes most kinds of physical interfaces. 

Ethernet interface: there are Static IP, Dynamic IP, PPPoE, PPTP and L2TP WAN types. 
Static IP Address WAN Type: Settings include WAN IP Address, WAN Subnet Mask, WAN Gateway, Primary DNS, Secondary DNS, MTU, NAT, Network Monitoring, IGMP and WAN IP Alias. 
Dynamic IP Address WAN Type: Settings include Host Name, ISP registered MAC Address, Connection Control, Maximum Idle Time, MTU, NAT, Network Monitoring, IGMP and WAN IP Alias. 
PPPoE WAN Type: Settings include IPv6 Dual Stack, PPPoE Account & Password, Primary DNS / Secondary DNS, Connection Control, Maximum Idle Time, Service Name / Assigned IP Address, MTU, NAT, Network Monitoring, IGMP and WAN IP Alias. 
PPTP WAN Type: Settings include IP Mode, Server IP / Name, PPTP Account & Password, Connection ID, Connection Control, Maximum Idle Time, Service Name / Assigned IP Address, MTU, MPPE, NAT, Network Monitoring, IGMP and WAN IP Alias. 
L2TP WAN Type: Settings include IP Mode, Server IP / Name, L2TP Account & Password, Connection Control, Maximum Idle Time, MTU, MPPE, NAT, Network Monitoring, IGMP and WAN IP Alias. 3G/4G or USB 3G/4G interface: there is only 3G/4G WAN type. 

3G/4G WAN Type: Settings include Dial‐up Profile, APN, PIN Code, Dialed Number, Account & Password, Authentication, Primary DNS, Secondary DNS, Connection Control, Maximum Idle Time, Time Schedule, MTU, NAT, Network Monitoring and IGMP. ADSL interface: there are Ethernet over ATM with NAT, IP over ATM, PPPoE (ADSL), PPP over ATM and RFC 1483 Bridged WAN types. 
Ethernet over ATM with NAT and IP over ATM WAN Types: Settings include IP Mode, Host Name, ISP Registered MAC Address, Connection Control, MTU, NAT, Data Encapsulation, VPI Number, VCI Number, Schedule Type, Network Monitoring, IGMP and WAN IP Alias. 69
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 
PPPoE (ADSL) and PPP over ATM WAN Types: Settings include PPPoE Account & Password, Primary DNS, Secondary DNS, Connection Control, Service Name, Assigned IP Address, MTU, NAT, Data Encapsulation, VPI Number, VCI Number, Schedule Type, Network Monitoring, IGMP and WAN IP Alias. 
RFC 1483 Bridged WAN type: Settings include Data Encapsulation, VPI Number, VCI Number, Schedule Type, Network Monitoring, IGMP and WAN IP Alias. There are some common and important configuration parameters common to all WAN Type as listed below. 
Network Monitoring The gateway supports failover function and the function must depend on the correct decision when a connection is down. Some parameters are used in the decision process. 
DNS Query / ICMP Checking: either one is used to check alive for a WAN connection. 
Loading Checking: The response time of replied keep‐alive packets may increase when WAN bandwidth is fully occupied. To avoid keep‐alive feature work abnormally, enable this option will stop sending keep‐alive packets when there are continuous incoming and outgoing data packets passing through WAN connection. 
Check Interval: Indicate how often to send keep‐alive packet. 
Check Timeout: Set allowance of time period to receive response of keep‐alive packet. If this gateway doesn’t receive response within this time period, this gateway will acknowledge this keep alive is failed. 
Latency Threshold: Set acceptance of response time. This gateway will record this keep‐alive check is failed if the response time of replied packet is longer than this setting. 
Fail Threshold: Times of failed checking. This WAN connection will be recognized as broken if the times of continuous failed keep‐alive checking equals to this value. 
Target1/Target2: Set host that is used for keep alive checking. It can be DNS1, DNS2, default Gateway, or other host that you need to input IP address manually. 70
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. The decision flow chart of keep‐alive checking for a WAN connection is shown as below. Start
N: the count of fails
N = 0
No
“Loading Check” enable?
Sleep for “Check Interval”
Yes
Enough traffic
existed?
Sleep for “Check Interval”
Yes
No
“DNS Query”
“ICMP Checking”
Checking Method
FQDN Query
(Target1, Target2)
No
Reply time > “Latency Threshold”
Yes
ICMP Check
(Target1, Target2)
Yes
Success?
No, or “Check
Timeout” occurs
N = N+1
N < “Fail Threshold”
No
Yes
Connection is Broken
End

Try to reconnect
Connection Control There are three ways for connection control, “Auto‐reconnect (Always on)”, “Dial‐on‐demand” and “Manually”. Auto‐reconnect (Always on): This gateway will establish Internet connection automatically once it has been booted up, and try to reconnect once the connection is down. It’s recommended to choose this scheme if for mission critical applications to ensure full‐time Internet connection. Dial‐on‐demand: This gateway won’t start to establish Internet connection until local data is going 71
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. to be sent to WAN side. After normal data transferring between LAN and WAN sides, this gateway will disconnect WAN connection if idle time reaches value of Maximum Idle Time. Manually: This gateway won’t start to establish WAN connection until you press “Connect” button on web UI. After normal data transferring between LAN and WAN sides, this gateway will disconnect WAN connection if idle time reaches value of Maximum Idle Time. Please be noted, if the WAN interface serves as the primary one for another WAN interface in Failover role, the Connection Control parameter will not be available to you to configure as the system must set it to “Auto‐reconnect (Always on)”. 
Auto‐reconnect / Dial‐on‐demand / Manually Scenario: As an example, WAN‐1, WAN‐2 and WAN‐3 are all Ethernet interfaces with "Always on" operation mode. Their WAN Type is set to "Dynamic IP" but with different Connection Control approaches. WAN‐1 uses "Auto‐reconnect (Always on)", WAN‐2 uses "Dial‐on‐demand" and WAN‐3 uses "Manually". Following 3 tables list the parameter configuration for these three WAN interfaces. Configuration Path Interface Name Physical Interface Operation Mode Line Speed [Physical Interface]‐[Interface Configuration (WAN‐n)] , n=1,2,3
WAN‐1 WAN‐2
WAN‐3 Ethernet Ethernet
Ethernet Always on Always on
Always on 100Mbps / 100Mbps
100Mbps / 100Mbps
100Mbps / 100Mbps
Configuration Path Interface Name WAN Type [Internet Setup]‐[Internet Connection Configuration (WAN‐n)], n=1, 2, 3 WAN‐1 WAN‐2
WAN‐3 Dynamic IP Dynamic IP
Dynamic IP Configuration Path Interface Name Connection Control [Internet Setup]‐[Dynamic IP WAN Type Configuration]
WAN‐1 WAN‐2
WAN‐3 Auto‐reconnect (Always on)
Dial‐on‐demand
Manually System keeps alive the WAN connection whose connection control is "Auto‐reconnect (Always on)". After system booting up, the connection will be alive and once the connection is down, system will re‐connect it. The scenario is shown in following diagram. 72
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. ISP
DSLAM
Gateway
① Disconnected
Dynamic IP, G ateway, Subnet Mas k, Primary DN S,
Secondary DN S
xDSL Modem
② Re-connecting
Primary DNS,
Auto-reconnect
(Alw ays on)
Secondary DNS,
DHCP Servers
Intranet
Its steps are: Pre‐state: After system booting up, system tries to let the WAN connection be alive. S 1: When system discovers the WAN connection is failed. S 2: System starts to re‐connect the WAN connection till connect successfully as same as Pre‐
state. In the "Dial‐on‐demand" scenario, system will not make the WAN connection until gateway receives an Internet accessing request from Intranet. And then the connection will keep alive only when there still is data transfer. If there is no data transfer for a period that is longer than the Maximum Idle Time, system will disconnect it and let the WAN connection go back to its initial state –disconnected. The scenario is shown in following diagram. ISP
DSLAM
② Start Connecting
Gateway
xDSL Modem
10110110001100 01
Primary DNS,
③ Disconnect when
idle timeout
Dial-ondemand
① Request Coming
Secondary DNS,
DHCP Servers
Intranet
Its steps are: Pre‐state: After system booting up, the WAN connection is disconnected. S 1: When an Internet accessing request is fed into the gateway from the Intranet. S 2: System starts to make the WAN connection till connect successfully. Keep the connection alive only when there still is data transfer to the Internet. S 3: If the WAN connection timeout, system will disconnect it and let it go back to Pre‐state. 73
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. At last, for "Manually" scenario, system will not make the WAN connection until administrator click on the "Connect" button on the "Network Status" configuration window. Please refer to [System]‐[Network Status] section. And then the connection will keep alive only when there still is data transfer. If there is no data transfer for a period that is longer than the Maximum Idle Time, system will disconnect it and let the WAN connection go back to its initial state –disconnected. The scenario is shown in following diagram. ISP
DSLAM
② Start Connecting
Gateway
Manually
xDSL Modem
Primary DNS,
③ Disconnect when
idle timeout
① Connect Button
Secondary DNS,
DHCP Servers
Intranet
Its steps are: Pre‐state: After system booting up, the WAN connection is disconnected. S 1: When administrator click on the "Connect" button on the "Network Status" configuration window. S 2: System starts to make the WAN connection till connect successfully. Keep the connection alive only when there still is data transfer to the Internet. S 3: If the WAN connection timeout, system will disconnect it and return to its Pre‐state. 74
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Internet Setup Setting Internet Setup allows user to setup WAN connection of the gateway. Depending on the model of the device, there are Ethernet, ADSL, 3G/4G WAN, and WiFi Uplink interfaces. This section shows the type of WAN and the numbers of WAN interfaces are supported by your device. Note: Numbers of available WAN Interfaces can be different for the purchased gateway. Go to Basic Network>WAN > Internet Setup tab Internet Connection List shows the basic information of each WAN. Click Edit button to configure. Then follow the following pages for detail settings. Internet Connection List Item Value setting Interface Name N/A Physical Interface N/A Operation Mode N/A WAN Type N/A Description
Shows the name of WAN interface.
Physical Interfaces (i.e. Ethernet, 3G, 4G) shows the type of interface configured to map with Interface Name (WAN‐1, WAN‐2, WAN‐3, and etc.). Operation Mode shows the current setting of Connection Control mode of WAN interface to keep WAN connection.  Auto‐reconnect (Always on)  Connect‐on‐demand  Connect Manually WAN Type shows the type of connection method to your SERVICE PROVIDER. Depending on the device model, the following WAN connection types are supported.  Ethernet: Static IP | Dynamic IP |PPPoE | PPTP | L2TP  ADSL: Ethernet over ATM with NAT | IP over ATM | PPPoE (ADSL) | PPP over ATM  3G/4G Note: If Edit button is disabled for the Interface, you will need to enable the Interface first by going to Basic Network > WAN & Uplink > Physical Interface page. Then Click Edit button then select Always on or Failover. 75
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Internet Setup – Ethernet WAN If the device connects to Internet through Ethernet WAN port, this section will help you to complete Ethernet WAN connection setup. Go to Basic Network > WAN & Uplink > Internet Setup tab. Configure Ethernet WAN Setting When Edit button is applied, Internet Connection Configuration screen will appear. WAN‐1 interface is used in this example. Internet Connection Configuration Item Value setting WAN Type 1. A Must filled setting
2. Dynamic IP is set by
default
Description
From the dropdown box, select Internet connection method for Ethernet WAN Connection. Detail settings are described in the next few pages.  Dynamic IP  Static IP  PPPoE  PPTP  L2TP 76
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Dynamic IP (Ethernet WAN)
Dynamic IP WAN Type Configuration Item Value setting Host Name An optional setting
ISP Registered MAC Address An optional setting Connection Control A Must filled setting
1.
MTU 2.
3.
A Must filled
setting
Auto (value zero)
is set by default
Manual set range
1200~1500
Description
Enter the host name provided by your Service Provider. Enter the MAC address that you have registered with your service provider. Or Click the Clone button to clone your PC’s MAC to this field. Usually this is the PC’s MAC address assigned to allow you to connect to Internet. There are three connection modes.

Auto‐reconnect (Always on) enables the router to always keep the Internet connection on. 
Connect‐on‐demand enables the router to automatically re‐
establish Internet connection as soon as user attempts to access the Internet. Internet connection will be disconnected when it has been inactive for a specified idle time. 
Connect Manually allows user to connect to Internet manually. Internet connection will be inactive after it has been inactive for specified idle time. MTU refers to Maximum Transmission Unit. It specifies the largest packet size permitted for Internet transmission. When set to Auto (value ‘0’), the router selects the best MTU for best Internet connection performance. 77
In‐Vehicle Hotspot Gateway
NAT Network Monitoring IGMP WAN IP Alias Save Undo Index skipping is used to reserve slots for new function insertion, when required. An optional setting Enable NAT to apply NAT on the WAN connection. Uncheck the box to NAT is enabled by disable NAT function. default
When the Network Monitoring feature is enabled, the gateway will use DNS Query or ICMP to periodically check Internet connection –
connected or disconnected. 
Choose either DNS Query or ICMP Checking to detect WAN link.
With DNS Query, the system checks the connection by sending DNS Query packets to the destination specified in Target 1 and Target 2. With ICMP Checking, the system will check connection by sending ICMP request packets to the destination specified in Target 1 and Target 2. 
Loading Check Enable Loading Check allows the router to ignore unreturned DNS Queries or ICMP requests when WAN bandwidth is fully occupied. This is to prevent false link‐down status. 
Check Interval defines the transmitting interval between two DNS Query or ICMP checking packets. 
Check Timeout defines the timeout of each DNS query/ICMP. Latency Threshold defines the tolerance threshold of 1. An optional setting 
2. Enabled by default
responding time. 
Fail Threshold specifies the detected disconnection before the router recognize the WAN link down status. Enter a number of detecting disconnection times to be the threshold before disconnection is acknowledged. Target1 (DNS1 set by default) specifies the first target of 
sending DNS query/ICMP request. 
DNS1: set the primary DNS to be the target. 
DNS2: set the secondary DNS to be the target. 
Gateway: set the Current gateway to be the target. 
Other Host: enter an IP address to be the target. 
Target2 (None set by default) specifies the second target of sending DNS query/ICMP request. 
None: to disable Target2. 
DNS1: set the primary DNS to be the target. 
DNS2: set the secondary DNS to be the target. 
Gateway: set the Current gateway to be the target. 
Other Host: enter an IP address to be the target. Enable IGMP (Internet Group Management Protocol) would enable 1. A Must filled setting the router to listen to IGMP packets to discover which interfaces are connected to which device. The router uses the interface information 2. Disable is set by
default
generated by IGMP to reduce bandwidth consumption in a multi‐
access network environment to avoid flooding the entire network. Enable WAN IP Alias then enter the IP address provided by your 1. An optional setting
service provider. 2. Box is unchecked by
WAN IP Alias is used by the device router and is treated as a second default
set of WAN IP to provide dual WAN IP address to your LAN network. N/A Click Save to save the settings.
N/A Click Undo to cancel the settings.
1.
2.
78
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Static IP (Ethernet WAN)
Static IP WAN Type Configuration Item Value setting WAN IP Address WAN Subnet Mask WAN Gateway Primary DNS A Must filled setting A Must filled setting A Must filled setting A Must filled setting Secondary DNS An optional setting MTU 1. A Must filled setting
2. Auto (value zero) is
set by default
NAT Network Monitoring 1. An optional setting
2. Box is checked by
default
1. An optional setting
2. Box is checked by
Description
Enter the WAN IP address given by your Service Provider Enter the WAN subnet mask given by your Service Provider Enter the WAN gateway IP address given by your Service Provider
Enter the primary WAN DNS IP address given by your Service Provider
Enter the secondary WAN DNS IP address given by your Service Provider MTU refers to Maximum Transmission Unit. It specifies the largest packet size permitted for Internet transmission. When set to Auto (value ‘0’), the router selects the best MTU for best Internet connection performance. Enable NAT to apply NAT on the WAN connection. Uncheck the box to disable. When the Network Monitoring feature is enabled, the router will use DNS Query or ICMP to periodically check Internet connection –
79
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. connected or disconnected.
For the configuration details, please refer to the description stated in Dynamic Ethernet WAN section. Enable IGMP (Internet Group Management Protocol) would enable the router to listen to IGMP packets to discover which interfaces are 1. A Must filled setting
connected to which device. The router uses the interface information 2. Disable is set by
default
generated by IGMP to reduce bandwidth consumption in a multi‐
access network environment to avoid flooding the entire network. Enable WAN IP Alias then enter the IP address provided by your 1. An optional setting
Service Provider. 2. Box is unchecked by
WAN IP Alias is used by the device router and is treated as a second default
set of WAN IP to provide dual WAN IP address to your LAN network. N/A Click Save to save the settings.
N/A Click Undo to cancel the settings.
default
IGMP WAN IP Alias Save Undo 80
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. PPPoE (Ethernet WAN)
PPPoE WAN Type Configuration Item Value setting PPPoE Account PPPoE Password Primary DNS Secondary DNS A Must filled setting A Must filled setting An optional setting An optional setting Connection Control 1. A Must filled setting
2. Auto-reconnect is set
by default
3. Default idle time is
600s
Description
Enter the PPPoE User Name provided by your Service Provider.
Enter the PPPoE password provided by your Service Provider.
Enter the IP address of Primary DNS server. Enter the IP address of Secondary DNS server. There are three connection modes.

Auto‐reconnect (Always on) enables the router to always keep the Internet connection on. 
Connect‐on‐demand enables the router to automatically re‐
establish Internet connection as soon as user attempts to access the Internet. Internet connection will be disconnected when it has been inactive for a specified idle time. 81
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 
Service Name Assigned IP Address An optional setting An optional setting MTU 1. A Must filled setting
2. Auto (value zero) is
set by default
NAT 1. An optional setting
2. Box is checked by
default
Network Monitoring 1. An optional setting
2. Box is checked by
default
IGMP 1. A Must filled setting
2. Disable is set by
default
WAN IP Alias 1. An optional setting
2. Box is unchecked by
default
Save Undo N/A N/A Connect Manually allows user to connect to Internet manually. Internet connection will be inactive after it has been inactive for specified idle time. Enter the service name if your ISP requires it Enter the IP address assigned by your Service Provider. MTU refers to Maximum Transmission Unit. It specifies the largest packet size permitted for Internet transmission. When set to Auto (value ‘0’), the router selects the best MTU for best Internet connection performance. Enable NAT to apply NAT on the WAN connection. Uncheck the box to disable. When the Network Monitoring feature is enabled, the router will use DNS Query or ICMP to periodically check Internet connection –
connected or disconnected. For the configuration details, please refer to the description stated in Dynamic Ethernet WAN section. Enable IGMP (Internet Group Management Protocol) would enable the router to listen to IGMP packets to discover which interfaces are connected to which device. The router uses the interface information generated by IGMP to reduce bandwidth consumption in a multi‐
access network environment to avoid flooding the entire network. Enable WAN IP Alias then enter the IP address provided by your Service Provider. WAN IP Alias is used by the device router and is treated as a second set of WAN IP to provide dual WAN IP address to your LAN network. Click Save to save the settings.
Click Undo to cancel the settings.
82
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. PPTP (Ethernet WAN)
PPTP WAN Type Configuration Item Value setting IP Mode A Must filled setting
Description
Select either Static or Dynamic IP address for PPTP Internet connection. 
When Static IP Address is selected, you will need to enter the WAN IP Address, WAN Subnet Mask, and WAN Gateway. 
WAN IP Address (A Must filled setting): Enter the WAN IP address given by your Service Provider. 
WAN Subnet Mask (A Must filled setting): Enter the WAN subnet mask given by your Service Provider. 
WAN Gateway (A Must filled setting): Enter the WAN gateway IP address given by your Service Provider. 
When Dynamic IP is selected, there are no above settings required. 83
In‐Vehicle Hotspot Gateway
Server IP Address/Name PPTP Account Index skipping is used to reserve slots for new function insertion, when required. Enter the PPTP server name or IP Address. A Must filled setting
A Must filled setting PPTP Password A Must filled setting Connection ID An optional setting Connection Control A Must filled setting
MTU 1. A Must filled setting
2. Auto (value zero) is
set by default
MPPE An optional setting NAT 1. An optional setting
2. Box is checked by
default
Network Monitoring 1. An optional setting
2. Box is checked by
default
IGMP 1. A Must filled setting
2. Disable is set by
default
WAN IP Alias 1. An optional setting
2. Box is unchecked by
default
Save Undo N/A N/A Enter the PPTP username provided by your Service Provider.
Enter the PPTP connection password provided by your Service Provider. Enter a name to identify the PPTP connection. There are three connection modes.

Auto‐reconnect (Always on) enables the router to always keep the Internet connection on. 
Connect‐on‐demand enables the router to automatically re‐
establish Internet connection as soon as user attempts to access the Internet. Internet connection will be disconnected when it has been inactive for a specified idle time. 
Connect Manually allows user to connect to Internet manually. Internet connection will be inactive after it has been inactive for specified idle time. MTU refers to Maximum Transmission Unit. It specifies the largest packet size permitted for Internet transmission. When set to Auto (value ‘0’), the router selects the best MTU for best Internet connection performance. Select Enable to enable MPPE (Microsoft Point‐to‐Point Encryption) security for PPTP connection. Enable NAT to apply NAT on the WAN connection. Uncheck the box to disable NAT function. When the Network Monitoring feature is enabled, the router will use DNS Query or ICMP to periodically check Internet connection –
connected or disconnected. For the configuration details, please refer to the description stated in Dynamic Ethernet WAN section. Enable IGMP (Internet Group Management Protocol) would enable the router to listen to IGMP packets to discover which interfaces are connected to which device. The router uses the interface information generated by IGMP to reduce bandwidth consumption in a multi‐
access network environment to avoid flooding the entire network. Enable WAN IP Alias then enter the IP address provided by your Service Provider. WAN IP Alias is used by the device router and is treated as a second set of WAN IP to provide dual WAN IP address to your LAN network. Click Save to save the settings.
Click Undo to cancel the settings.
84
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. L2TP (Ethernet WAN)
L2TP WAN Type Configuration Item Value setting IP Mode A Must filled setting
Description
Select either Static or Dynamic IP address for L2TP Internet connection. 
When Static IP Address is selected, you will need to enter the WAN IP Address, WAN Subnet Mask, and WAN Gateway. 
WAN IP Address (A Must filled setting): Enter the WAN IP address given by your Service Provider. 
WAN Subnet Mask (A Must filled setting): Enter the WAN subnet mask given by your Service Provider. 
WAN Gateway (A Must filled setting): Enter the WAN gateway IP address given by your Service Provider. 
When Dynamic IP is selected, there are no above settings required. 85
In‐Vehicle Hotspot Gateway
Server IP Address/Name L2TP Account Index skipping is used to reserve slots for new function insertion, when required. Enter the L2TP server name or IP Address. A Must filled setting
A Must filled setting L2TP Password A Must filled setting Connection Control A Must filled setting
MTU 1. A Must filled setting
2. Auto (value zero) is
set by default
Service Port A Must filled setting
MPPE An optional setting NAT 1. An optional setting
2. Box is checked by
default
Network Monitoring 1. An optional setting
2. Box is checked by
default
IGMP 1. A Must filled setting
2. Disable is set by
default
WAN IP Alias 1. An optional setting
2. Box is unchecked by
default
Save Undo N/A N/A Enter the L2TP username provided by your Service Provider.
Enter the L2TP connection password provided by your Service Provider. There are three connection modes.

Auto‐reconnect (Always on) enables the router to always keep the Internet connection on. 
Connect‐on‐demand enables the router to automatically re‐
establish Internet connection as soon as user attempts to access the Internet. Internet connection will be disconnected when it has been inactive for a specified idle time. 
Connect Manually allows user to connect to Internet manually. Internet connection will be inactive after it has been inactive for specified idle time. MTU refers to Maximum Transmission Unit. It specifies the largest packet size permitted for Internet transmission. When set to Auto (value ‘0’), the router selects the best MTU for best Internet connection performance. Enter the service port that the Internet service. There are three options can be selected : 
Auto: Port will be automatically assigned. 
1701 (For Cisco): Set service port to port 1701 to connect to CISCO server. 
User‐defined: enter a service port provided by your Service Provider. Select Enable to enable MPPE (Microsoft Point‐to‐Point Encryption) security for PPTP connection. Enable NAT to apply NAT on the WAN connection. Uncheck the box to disable NAT function. When the Network Monitoring feature is enabled, the router will use DNS Query or ICMP to periodically check Internet connection –
connected or disconnected. For the configuration details, please refer to the description stated in Dynamic Ethernet WAN section. Enable IGMP (Internet Group Management Protocol) would enable the router to listen to IGMP packets to discover which interfaces are connected to which device. The router uses the interface information generated by IGMP to reduce bandwidth consumption in a multi‐
access network environment to avoid flooding the entire network. Enable WAN IP Alias then enter the IP address provided by your Service Provider. WAN IP Alias is used by the device router and is treated as a second set of WAN IP to provide dual WAN IP address to your LAN network. Click Save to save the settings.
Click Undo to cancel the settings.
86
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Internet Setup – 3G/4G WAN If the device connects to Internet through 3G/4G network, this section will help you to complete 3G/4G connection setup. Go to Basic Network > WAN & Uplink > Internet Setup tab. Configure 3G/4G WAN Setting When Edit button is applied, Internet Connection Configuration, 3G/4G WAN Configuration screens will appear. WAN‐2 interface is used in this example. 3G/4G Connection Configuration Item Value setting WAN Type Preferred SIM Card 3. A Must filled setting
4. 3G/4G is set by
default.
1. A Must filled setting 2. By default SIM‐A First is selected 3. Failback is unchecked by default Description
From the dropdown box, select Internet connection method for 3G/4G
WAN Connection. Only 3G/4G is available. Choose which SIM card you want to use for the connection. When SIM‐A First or SIM‐B First is selected, it means the connection is built first by using SIM A/SIM B. And if the connection is failed, it will change to the other SIM card and try to dial again, until the connection is up. When SIM‐A only or SIM‐B only is selected, it will try to dial up only using the SIM card you selected. 87
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. When Failback is checked, it means if the connection is dialed‐up not using the main SIM you selected, it will failback to the main SIM and try to establish the connection periodically. Note_1: In some AMIT’s products, only SIM‐A can be chose. Note_2: Failback is available only when SIM‐A First or SIM‐B First is selected. Configure SIM‐A / SIM‐B Card Here you can set configurations for the cellular connection according to your situation or requirement. Note_1: Configurations of SIM‐B Card follows the same rule of Configurations of SIM‐A Card, here we list SIM‐A as the example. Note_2: Both Connection with SIM‐A Card and Connection with SIM‐B Card will pop up only when the SIM‐A First or SIM‐B First is selected, otherwise it only pops out one of them. 88
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 3G/4G Connection Configuration Item Value setting Network Type 1. A Must filled setting 2. By default Auto is selected Band Selection 1. A Must filled setting 2. By default Auto is selected Band List 1. A Must filled setting 2. The box is all checked by default Dial‐Up Profile 1. A Must filled setting 2. By default Auto‐
Detection is selected PIN code String format : interger Authentication 1. A Must filled setting 2. By default Auto is selected IP Mode 1. A Must filled setting 2. By default Dynamic IP is selected Primary DNS String format : IP Description
Select Auto to register a network automatically, regardless of the network type. Select 2G Only to register the 2G network only. Select 2G Prefer to register the 2G network first if it is available. Select 3G only to register the 3G network only. Select 3G Prefer to register the 3G network first if it is available. Select LTE only to register the LTE network only. Note_1: Options may be different due to the specification of the module. Select Auto to register a network automatically, regardless of the band. Select Manual to choose specific bands you want to appoint to. Note_1: USB 3G/4G doesn’t support this function. When Band Selection > Auto is selected, all bands are enabled and can’t be unchecked. When Band Selection > Manual is selected, at least one band needs to be checked in each network type. Note_1: USB 3G/4G doesn’t support this function. Select Auto‐Detection to automatically bring out all configurations needed while dialing‐up, by comparing the IMSI of the SIM card to the record listed in the manufacture’s database. Select Manual‐configuration to set APN (Access Point Name), Dial Number, Account, and Password to what your carrier provides. Select APN Profile List to set more than one profile to dial up in turn, until the connection is established. It will pop up a new filed, please go to Basic Network > WAN & Uplink > Internet Setup > SIM‐A APN Profile List for details. Enter the PIN (Personal Identification Number) code if it needs to unlock your SIM card. Select PAP (Password Authentication Protocol) and use such protocol to be authenticated with the carrier’s server. Select CHAP (Challenge Handshake Authentication Protocol) and use such protocol to be authenticated with the carrier’s server. When Auto is selected, it means it will authenticate with the server either PAP or CHAP. When Dynamic IP is selected, it means it will get all IP configurations from the carrier’s server and set to the device directly. If you have specific application provided by the carrier, and want to set IP configurations on your own, you can switch to Static IP mode and fill in all parameters that required, such as IP address, subnet mask and gateway. Note_1: IP Subnet Mask is a must filled setting, make sure you have the right configuration. Otherwise, the connection may get issues. Enter the IP address to change the primary DNS (Domain Name 89
In‐Vehicle Hotspot Gateway
Secondary DNS Roaming Index skipping is used to reserve slots for new function insertion, when required. address (IPv4 type) Server) setting. If it is not filled‐in, the server address is given by the carrier while dialing‐up. Enter the IP address to change the secondary DNS (Domain Name String format : IP Server) setting. If it is not filled‐in, the server address is given by the address (IPv4 type) carrier while dialing‐up. Check the box to establish the connection even the registration status is roaming, not in home network. The box is unchecked by default Note_1: It may cost additional charges if the connection is under roaming. Create/Edit SIM‐A / SIM‐B APN Profile List You can add a new APN profile for the connection, or modify the content of the APN profile you added. It is available only when you select Dial‐Up Profile as APN Profile List. List all the APN profile you created, easily for you to check and modify. It is available only when you select Dial‐Up Profile as APN Profile List. When Add button is applied, an APN Profile Configuration screen will appear. 3G/4G Connection Configuration Item Value setting Profile Name 1. By default Profile‐x is listed 2. String format : any text MCC String format : integer Description
Enter the profile name you want to describe for this profile.
Enter the MCC (Mobile Country Code) you want to use for this profile.
90
In‐Vehicle Hotspot Gateway
MNC APN Dial Number Account Password Priority Profile Index skipping is used to reserve slots for new function insertion, when required. Note_1: the MCC should be related to the MNC, this filed can’t be invalid value if MNC is filled‐in. Enter the MNC (Mobile Network Code) you want to use for this profile. String format : integer Note_1: the MNC should be related to the MCC, this filed can’t be invalid value if MCC is filled‐in. String format : any text Enter the APN you want to use to establish the connection. String format : integer, Enter the Dial Number you want to use to establish the connection.
asterisk and number sign String format : any text Enter the Account you want to use for the authentication. String format : any text Enter the Password you want to use for the authentication. 1. A Must filled setting Enter the value for the dialing‐up order. The valid value is from 1 to 16. 2. String format : It will start to dial up with the profile that assigned with the smallest integer number. The box is checked by Check the box to enable this profile.
default Uncheck the box to disable this profile in dialing‐up action. Setup 3G/4G Connection Common Configuration Here you can change common configurations for 3G/4G WAN. 3G/4G Connection Configuration 91
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Item Connection Control Time Schedule MTU Value setting By default Auto‐
reconnect (Always on) is selected 1. A Must filled setting 2. By default (0) Always is selected 1. A Must filled setting 2. By default 0 is filled‐
in 3. String format : integer IP Pass‐through (Cellular Bridge) 1. The box is unchecked by default 2. String format for Fixed MAC: MAC address, e.g. 00:50:18:aa:bb:cc NAT The box is checked by default Network Monitoring 1. An optional setting
2. Enabled by default Description
When Auto‐reconnect (Always on) is selected, it means it will keep the connection on all the time. When Connect‐on‐demand is selected, it means the connection will be established only when detecting data traffic. When Connect Manually is selected, it means you need to click the Connect button to dial up the connection manually. Please go to Status > Network Status for details. Note_1: This field is available only when Basic Network > WAN > Physical Interface > Operation Mode is selected to Always on. When (0) Always is selected, it means this WAN is under operation all the time. Once you have set other schedule rules, there will be other options to select. Please go to System > Scheduling for details. Enter the MTU (Maximum Transmission Unit) you want to set the configuration. When Enable box is checked, it means the device will directly assign the WAN IP to the first connected local LAN client. However, when an optional Fixed MAC is filled‐in a non‐zero value, it means only the client with this MAC address can get the WAN IP address. Note_1: This field is only available when 3G/4G‐n is set to WAN‐1. Note_2: When the IP Pass‐through is enabled, it will disable other WAN (exclude 3G/4G WAN) if they are set. But if there are other 3G/4G WANs, the IP Pass‐through will be enabled automatically when the one in WAN1 is checked. Note_3: When the IP Pass‐through is on, NAT and WAN IP Alias will be unavailable until the function is disabled again. Uncheck the box to disable NAT (Network Address Translation) function. When the Network Monitoring feature is enabled, the gateway will use DNS Query or ICMP to periodically check Internet connection –
connected or disconnected. 
Choose either DNS Query or ICMP Checking to detect WAN link.
With DNS Query, the system checks the connection by sending DNS Query packets to the destination specified in Target 1 and Target 2. With ICMP Checking, the system will check connection by sending ICMP request packets to the destination specified in Target 1 and Target 2. 
Loading Check Enable Loading Check allows the router to ignore unreturned DNS Queries or ICMP requests when WAN bandwidth is fully occupied. This is to prevent false link‐down status. 
Check Interval defines the transmitting interval between two DNS Query or ICMP checking packets. 
Check Timeout defines the timeout of each DNS query/ICMP. 92
In‐Vehicle Hotspot Gateway
IGMP WAN IP Alias Index skipping is used to reserve slots for new function insertion, when required. 
Latency Threshold defines the tolerance threshold of responding time. 
Fail Threshold specifies the detected disconnection before the router recognize the WAN link down status. Enter a number of detecting disconnection times to be the threshold before disconnection is acknowledged. Target1 (DNS1 set by default) specifies the first target of 
sending DNS query/ICMP request. 
DNS1: set the primary DNS to be the target. 
DNS2: set the secondary DNS to be the target. 
Gateway: set the Current gateway to be the target. 
Other Host: enter an IP address to be the target. 
Target2 (None set by default) specifies the second target of sending DNS query/ICMP request. 
None: to disable Target2. 
DNS1: set the primary DNS to be the target. 
DNS2: set the secondary DNS to be the target. 
Gateway: set the Current gateway to be the target. Other Host: enter an IP address to be the target. Select Auto to enable IGMP (Internet Group Management Protocol) By default Disable is function. selected Check the Enable box to enable IGMP Proxy. 1. The box is Check the box to enable WAN IP Alias, and fill in the IP address you unchecked by default want to assign. 2. String format: IP address (IPv4 type) 93
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Internet Setup – WiFi Uplink If the device connects to Internet through WiFi Uplink, this section will help you to complete WiFi Uplink connection setup. Go to Basic Network > WAN & Uplink > Internet Setup tab. Configure Ethernet WAN Setting When Edit button is applied, Internet Connection Configuration screen will appear. WAN‐2 interface is used in this example. Internet Connection Configuration Item Value setting WAN Type 1. A Must filled setting.
2. Uplink is selected
by default.
Description
From the dropdown box, select Internet connection method for WiFi Uplink Connection. Only Uplink is available. 94
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. WiFi Uplink
WiFi Uplink WAN Type Configuration Item Value setting Connect to AP N/A Network Type 1. A Must filled setting 2. NAT Mode is selected by default. IP Mode 1. A Must filled setting 2. Dynamic IP is selected by default. Connection Control A Must filled setting Description
Display the information of AP for connecting. You can Click the Scan button and select a AP for the uplink network. Besides, you can also create uplink profile(s) for ease of connecting to an available Uplink network. Refer to Basic Network > WiFi > Uplink Profile tab. Select the expected network type for the WiFi Uplink connection. It can be NAT Mode, Bridge Mode, or NAT Disable. When NAT Mode is selected, the NAT function is activated on the Wireless Uplink connection; When Bridge Mode is selected, the bridge function is activated on the Wireless Uplink connection; The supporting of bridge mode depends on the product specification, if the purchased device doesn’t support the bridge mode, it will be greyed out from selection. When NAT Disable is selected, the NAT function is deactivated on the Wireless Uplink connection, and it can function as a router with manually configured routing setting. Specify the IP mode for the wireless uplink Interface. It can be Dynamic IP or Static IP. When Dynamic IP is selected, the device will request a IP from the Uplink Network as the IP for the uplink interface ; When Static IP is selected, you have to manually configure the IP address settings for the uplink interface. The settings include IP address, subnet mask, gateway, and primary/secondary DNS. There are three connection modes.

Auto‐reconnect (Always on) enables the router to always keep the Internet connection on. 95
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 
Network Monitoring 1. An optional setting 2. Enabled by default. Save Undo N/A N/A Connect‐on‐demand enables the router to automatically re‐
establish Internet connection as soon as user attempts to access the Internet. Internet connection will be disconnected when it has been inactive for a specified idle time. 
Connect Manually allows user to connect to Internet manually. Internet connection will be inactive after it has been inactive for specified idle time. When the Network Monitoring feature is enabled, the gateway will use DNS Query or ICMP to periodically check Internet connection –
connected or disconnected. 
Choose either DNS Query or ICMP Checking to detect WAN link.
With DNS Query, the system checks the connection by sending DNS Query packets to the destination specified in Target 1 and Target 2. With ICMP Checking, the system will check connection by sending ICMP request packets to the destination specified in Target 1 and Target 2. 
Loading Check Enable Loading Check allows the router to ignore unreturned DNS Queries or ICMP requests when WAN bandwidth is fully occupied. This is to prevent false link‐down status. 
Check Interval defines the transmitting interval between two DNS Query or ICMP checking packets. 
Check Timeout defines the timeout of each DNS query/ICMP. 
Latency Threshold defines the tolerance threshold of responding time. Fail Threshold specifies the detected disconnection before the 
router recognize the WAN link down status. Enter a number of detecting disconnection times to be the threshold before disconnection is acknowledged. Target1 (DNS1 set by default) specifies the first target of 
sending DNS query/ICMP request. 
DNS1: set the primary DNS to be the target. 
DNS2: set the secondary DNS to be the target. 
Gateway: set the Current gateway to be the target. 
Other Host: enter an IP address to be the target. 
Target2 (None set by default) specifies the second target of sending DNS query/ICMP request. 
None: to disable Target2. 
DNS1: set the primary DNS to be the target. 
DNS2: set the secondary DNS to be the target. 
Gateway: set the Current gateway to be the target. 
Other Host: enter an IP address to be the target. Click Save to save the settings.
Click Undo to cancel the settings.
96
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 3.1.5 Load Balance When there are more than one WAN interfaces, and when the bandwidth of one WAN connection is not enough for the traffic loads from the Intranet to the Internet, the gateway device needs the WAN load balance function to enlarge the total WAN bandwidth. The multi‐WAN "Load Balance" function provides three optional strategies: By Smart Weight, By Specific Weight, and By User Policy. Administrator can choose strategy based on his immediate need and environment consideration. When you choose "By Smart Weight" strategy, system will operate load balance function automatically based on the embedded Smart Weight algorithm. However, when you choose "By Specific Weight" strategy, you can define the ratio of transferred sessions between all WAN interfaces for data transfer. At last, when you choose "By User Policy" strategy, you can define or select one user policy for routing dedicated packet flow via one WAN interface. By Smart Weight Load Balance Strategy For "By Smart Weight" load balance strategy, the gateway will operate the function automatically without additional parameters, except the available bandwidth (Line Speed) of each WAN interface, which is configured in [Basic Network]‐[WAN & Uplink]‐[Physical Interface] section. The gateway decides further routing ratio of connection flow to all WAN interfaces based on current traffic flow loads (in bytes) on all WAN interfaces. Administrator may take it as a fast approach to maximize the bandwidth utilization of multiple WAN interfaces in gateway. That is, the gateway will take the line speed settings of all WAN interfaces specified in "Physical Interface" configuration page, as the default ratio among WAN interfaces for data transfer. Based on the ratio of packet bytes via these WAN interfaces in past period (maybe 5 minutes), system decides how many sessions will be transferred via each WAN interface for current period of traffic loadings as shown in the following illustration diagram. 97
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. ①
ISP
Gateway
DSLAM
WAN‐1: ADSL
② m
:
n
WAN‐2: 3G/4G
LAN
Session Requests
Cellular Network Intranet
Following 2 tables list the parameter configuration for the above example diagram of load balance function. The ratio m:n in this example is 22:11. Configuration Path Interface Name Physical Interface Operation Mode Line Speed [Physical Interface]‐[Interface Configuration (WAN‐n)] , n=1,2 WAN‐1 WAN‐2
ADSL 3G/4G
Always on Always on
2Mbps / 22Mbps
1Mbps / 11Mbps Configuration Path Load Balance Load Balance Strategy [Load Balance]‐[Configuration]
■ Enable By Smart Weight
The steps of the Smart Weight algorithm are: Pre‐state: System takes the line speed settings of all WAN interfaces as the initial ratio between all WAN interfaces for load balance. S 1: Count the transferred packet bytes for all WAN interfaces in current time period, for example 5 minutes. At the end of time period, the new transferring ratio for each WAN interface will be changed to the ratio for the counted transferred data among all interfaces for next time period. S 2: Based on the new ratio that is obtained at S1, system decides how many sessions will be transferred via each WAN interface for another time period. Loop S1 and S2 steps forever until administrator changes the load balance strategy. 98
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. By Specific Weight Load Balance Strategy However, when you choose "By Specific Weight" load balance strategy, there is a list of two parameter pairs that is used for the load balance strategy: WAN Interface & Weight (%). The line speed of each WAN interface serves as its default weight whose value is the ratio of its line speed to total line speed of all WAN interfaces. Certainly, administrator also can fine tune the weight list based on the default one. The gateway's traffic control process will operate routing adequately based on the dedicated weights on all WAN interfaces. Following is another example diagram to illustrate the scenario. At the beginning, gateway has two WAN interfaces and their download line speed are 22Mbps (m Mbps) for WAN‐1 interface and 11Mbps (n Mbps) for WAN‐2. That comes from administrator subscribes ADSL ISP for a 22 Mbps WAN connection and 3G/4G ISP for another 11 Mbps WAN connection. Administrator fills these values in the line speed field for each WAN interface. Please refer to section [Basic Network]‐[WAN & Uplink]‐
[Physical Interface]. So, the default routing ratio for these both interfaces is 2:1 (=22:11) in load balance function as shown in following illustration diagram. The value of m is 22 and n is 11. ①
ISP
Gateway
DSLAM
WAN‐1: ADSL
② m
:
n
WAN‐2: 3G/4G
LAN
Session Requests
Cellular Network Intranet
Following 3 tables list the parameter configuration for the above example diagram of load balance function. The ration m:n in this example is 22:11. Configuration Path Interface Name [Physical Interface]‐[Interface Configuration (WAN‐n)] , n=1,2 WAN‐1 WAN‐2
99
In‐Vehicle Hotspot Gateway
Physical Interface Operation Mode Line Speed Index skipping is used to reserve slots for new function insertion, when required. 3G/4G
ADSL Always on Always on
2Mbps / 22Mbps
1Mbps / 11Mbps Configuration Path Load Balance Load Balance Strategy [Load Balance]‐[Configuration]
Configuration Path WAN ID Priority (%) [Load Balance]‐[Priority Definition]
■ Enable By Priority
WAN‐1 WAN‐2
67% 33%
By User Policy Load Balance Strategy Finally, when you choose "By User Policy" load balance strategy, there are two more configuration windows: "User Policy List" and "User Policy Configuration". "User Policy List" shows all your defined user policy entries, and the "User Policy Configuration" window will let you configure one user policy for routing dedicated packet flow via one WAN interface. They are shown in following diagrams. ① Google: ‐> WAN‐1
Yahoo: ‐> WAN‐2
ISP
Gateway
DSLAM
WAN‐1: ADSL
② Google
WAN‐2: 3G/4G LAN
Cellular Network Session Requests
Yahoo
100
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Above example shows that administrator hopes the packet flow whose destination is "www.google.com", "www.yahoo.com" will be transferred via WAN‐1, and WAN‐2 respectively. For other un‐specified packet flows will be routed by default via different WAN interfaces by "Smart Weight" load balance strategy. To meet the load balance requirement as in the above example diagram, administrator need configure the device based on following configuration table contents. Configuration Path Interface Name Physical Interface Operation Mode Line Speed [Physical Interface]‐[Interface Configuration (WAN‐n)] , n=1,2 WAN‐1 WAN‐2
ADSL 3G/4G
Always on Always on
2Mbps / 22Mbps
1Mbps / 11Mbps Configuration Path Load Balance Load Balance Strategy [Load Balance]‐[Configuration]
Configuration Path ID Source IP Address Destination IP Address Destination Port Protocol WAN Interface Policy [Load Balance]‐[User Policy Configuration]
■ Enable By User Policy
1 2
Any Any
Domain Name www.google.com
Domain Name www.yahoo.com
All All
Both Both
WAN‐1 WAN‐2
■ Enable ■ Enable
101
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Load Balance Setting The Load Balance function is used to manage balance bandwidth usage among multiple WAN connections. Go to Basic Network > WAN & Uplink > Load Balance Tab. The "Configuration" window is to enable the load balance function and specify the strategy. When you choose "By Smart Weight" strategy, system will operate load balance function automatically based on the embedded Smart Weight algorithm. However, when you choose "By Specific Weight" strategy, the further "Weight Definition" configuration window will let you define the ratio of transferred sessions between all WAN interfaces for data transfer. At last, when you choose "By User Policy" strategy, the further "User Policy List" shows all defined user policy entries, and the "User Policy Configuration" window will let you create and define one user policy for routing dedicated packet flow via one WAN interface. Enable/Select Load Balance Strategy Configuration Item Value setting Load Balance Unchecked by default Load Balance Strategy 1. A Must filled setting 2. By Smart Weight is selected by default. Save NA Undo NA Description
Check the Enable box to activate Load Balance function. There are three load balance strategies:. By Smart Weight: System will operate load balance function automatically based on the embedded Smart Weight algorithm. By Specific Weight: System will adjust the ratio of transferred sessions among all WANs based on the specified weights for each WAN. By User Policy: System will route traffics through available WAN interface based on user defined rules. Click the Save button to save the configuration Click the Undo button to restore what you just configured back to the previous setting. When By Specific Weight is selected, user needs to adjust the percentage of WAN loading. System will give a value according to the bandwidth ratio of each WAN at first time and keep the value after 102
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. clicking Save button. Weight Definition Item Value setting Save NA 1. A Must filled setting 2. Set with bandwidth ratio of each WAN by default. NA Undo NA WAN ID Weight Description
The Identifier for each available WAN interface.. Enter the weight ratio for each WAN interface. Initially, the bandwidth ratio of each WAN is set by default. Note: The sum of all weights can’t be greater than 100%. Click the Save button to save the configuration Click the Undo button to restore what you just configured back to the previous setting. When By User Policy is selected, a User Policy List screen will appear. With properly configured your policy rules, system will route traffics through available WAN interface based on user defined rules Create User Policy When Add button is applied, User Policy Configuration screen will appear. 103
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. User Policy Configuration
Item Value setting Description
Source IP Address 1. A Must filled setting 2. Any is selected by default. Destination IP Address 1. A Must filled setting 2. Any is selected by default. Destination Port 1. A Must filled setting 2. All is selected by default. Policy Save 1. A Must filled setting 2. Both is selected by default. 1. A Must filled setting 2. WAN‐1 is selected by default. Unchecked by default NA Undo NA Protocol WAN Interface There are four options can be selected :
Any: No specific Source IP is provided. The traffic may come from any source Subnet: Specify the Subnet for the traffics come from the subnet. Input format is : xxx.xxx.xxx.xxx/xx e.g. 192.168.123.0/24. IP Range: Specify the IP Range for the traffics come from the IPs Single IP: Specify a unique IP Address for the traffics come from the IP. Input format is : xxx.xxx.xxx.xxx e.g. 192.168.123.101. There are five options can be selected :
Any: No specific destination IP is provided. The traffic may come to any destination. Subnet: Specify the Subnet for the traffics come to the subnet. Input format is : xxx.xxx.xxx.xxx/xx e.g. 192.168.123.0/24. IP Range: Specify the IP Range for the traffics come to the IPs Single IP: Specify a unique IP Address for the traffics come to the IP. Input format is : xxx.xxx.xxx.xxx e.g. 192.168.123.101. Domain Name: Specify the domain name for the traffics come to the domain There are four options can be selected :
All: No specific destination port is provided. Port Range: Specify the Destination Port Range for the traffics Single Port: Specify a unique destination Port for the traffics Well‐known Applications: Select the service port of well‐known application defined in dropdown list. There are three options can be selected. They are Both, TCP, and UDP.
User can select the interface that traffic should go. Note that the WAN interface dropdown list will only show the available WAN interfaces. Check the Enable checkbox to activate the policy rule. Click the Save button to save the configuration Click the Undo button to restore what you just configured back to the previous setting. 104
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 3.3 LAN & VLAN This section provides a brief description of LAN and VLAN. It also explains how to create and modify virtual LANs which are more commonly known as VLANs. 3.3.1 Ethernet LAN The Local Area Network (LAN) can be used to share data or files among computers attached to a network. Following diagram illustrates the network that wired and interconnects computers. Please follow the following instructions to do IPv4 Ethernet LAN Setup. 105
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. LAN IP Address: The local IP address of this device. The computer on your network must use the LAN IP address of this device as their Default Gateway. You can change it if necessary. It’s also the IP address of web UI. If you change it, you need to type new IP address in the browser to see web UI. Subnet Mask: Input your Subnet mask. Subnet mask defines how many clients are allowed in one network or subnet. The default subnet mask is 255.255.255.0 (/24), and it means maximum 254 IP addresses are allowed in this subnet. However, one of them is occupied by LAN IP address of this gateway, so there are maximum 253 clients allowed in LAN network. Hereafter are the available options for subnet mask. 106
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 3.3.3 VLAN This section provides a brief description of LAN and VLAN (Virtual LAN). It also explains how to create and modify virtual LANs which are more commonly known as VLANs.  Ethernet LAN The Local Area Network (LAN) can be used to share data or files among computers or devices attached to a network. Following diagram illustrates the network that wired and interconnects computers.  VLAN The VLAN is a logical network under a certain switch or router device to group lots of client hosts with a specific VLAN ID. This device supports both Port‐based VLAN and Tag‐based VLAN. In Port‐based VLAN, all client hosts belong to the same group by transferring data via some physical ports that are tagged with same VLAN ID in the device. The ports of a VLAN form an independent traffic domain in which the traffic generated by the nodes remains within the VLAN. However, in Tag‐based VLAN, all packets with same VLAN ID will be treated as the same group of them and own same access property and QoS property. It is especially useful when individuals of a VLAN group are located at different floor location. The VLAN function allows you to divide local network into different “virtual LANs”. In some cases, ISP may need router to support “VLAN tag” for certain kinds of services (e.g. IPTV) to work properly. In some cases, SMB departments are separated and located at any floor of building. All client hosts in the same department should own common access property and QoS property. You can select either one operation mode, port‐based VLAN or tag‐based VLAN, and then configure according to your network configuration. Please be noted, for some gateway with only one physical Ethernet LAN port, only very limited 107
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. configuration are available if you enable the Port‐based VLAN. There are some common VLAN scenarios for the device as follows:  Port‐based VLAN Port‐based VLAN function can group Ethernet ports, Port‐1 ~ Port‐4, and WiFi Virtual Access Points, VAP‐1 ~ VAP‐8, together for differentiated services like Internet surfing, multimedia enjoyment, VoIP talking, and so on. Two operation modes, NAT and Bridge, can be applied to each VLAN group. One DHCP server can be allocated for a NAT VLAN group to let group host member get its IP address. Thus, each host can surf Internet via the NAT mechanism of business access gateway. In bridge mode, Intranet packet flow is delivered out WAN trunk port with VLAN tag to upper link for different services. A port‐based VLAN is a group of ports on an Ethernet or Virtual APs of Wired or Wireless Gateway that form a logical LAN segment. Following is an example. For example, in a company, administrator schemes out 3 network segments, Lobby/Meeting Room, Office, and Data Center. In a Wireless Gateway, administrator can configure Lobby/Meeting Room segment with VLAN ID 3. The VLAN group includes Port‐3 and VAP‐8 (SSID: Guest) with NAT mode and DHCP‐3 server equipped. He also configure Office segment with VLAN ID 2. The VLAN group includes Port‐2 and VAP‐1 (SSID: Staff) with NAT mode and DHCP‐2 server equipped. At last, administrator also configure Data Center segment with VLAN ID 1. The VLAN group includes Port‐1 with NAT mode to WAN interface as shown in following diagram. 108
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Above is the general case for 3 Ethernet LAN ports in the gateway. But if the device just has one Ethernet LAN port, there will be only one VLAN group for the device. Under such situation, it still supports both the NAT and Bridge mode for the Port‐based VLAN configuration.  Tag‐based VLAN Tag‐based VLAN function can group Ethernet ports, Port‐1 ~ Port‐4, and WiFi Virtual Access Points, VAP‐1 ~ VAP‐8, together with different VLAN tags for deploying subnets in Intranet. All packet flows can carry with different VLAN tags even at the same physical Ethernet port for Intranet. These flows can be directed to different destination because they have differentiated tags. The approach is very useful to group some hosts at different geographic location to be in the same workgroup. Tag‐based VLAN is also called a VLAN Trunk. The VLAN Trunk collects all packet flows with different VLAN IDs from Router device and delivers them in the Intranet. VLAN membership in a tagged VLAN is determined by VLAN ID information within the packet frames that are received on a port. Administrator can further use a VLAN switch to separate the VLAN trunk to different groups based on VLAN ID. Following is an example. 109
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. For example, in a company, administrator schemes out 3 network segments, Lab, Meeting Rooms, and Office. In a Security VPN Gateway, administrator can configure Office segment with VLAN ID 12. The VLAN group is equipped with DHCP‐3 server to construct a 192.168.12.x subnet. He also configure Meeting Rooms segment with VLAN ID 11. The VLAN group is equipped with DHCP‐2 server to construct a 192.168.11.x subnet for Intranet only. That is, any client host in VLAN 11 group can’t access the Internet. At last, he configures Lab segment with VLAN ID 10. The VLAN group is equipped with DHCP‐1 server to construct a 192.168.10.x subnet. 110
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required.  VLAN Groups Access Control Administrator can specify the Internet access permission for all VLAN groups. He can also configure which VLAN groups are allowed to communicate with each other. VLAN Group Internet Access Administrator can specify members of one VLAN group to be able to access Internet or not. Following is an example that VLAN groups of VID is 2 and 3 can access Internet but the one with VID is 1 cannot access Internet. That is, visitors in meeting room and staffs in office network can access Internet. But the computers/servers in data center cannot access Internet since security consideration. Servers in data center only for trusted staffs or are accessed in secure tunnels. 111
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Inter VLAN Group Routing: In Port‐based tagging, administrator can specify member hosts of one VLAN group to be able to communicate with the ones of another VLAN group or not. This is a communication pair, and one VLAN group can join many communication pairs. But communication pair doesn’t have the transitive property. That is, A can communicate with B, and B can communicate with C, it doesn’t imply that A can communicate with C. An example is shown at following diagram. VLAN groups of VID is 1 and 2 can access each other but the ones between VID 1 and VID 3 and between VID 2 and VID 3 can’t. 112
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. VLAN Setting The VLAN function allows you to divide local network into different virtual LANs. There are Port‐
based and Tag‐based VLAN types. Select one that applies. Go to Basic Network > LAN & VLAN > VLAN Tab. Configuration Item Value setting VLAN Type Save Port‐based is selected by default NA Description
Select the VLAN type that you want to adopt for organizing you local subnets. Port‐based: Port‐based VLAN allows you to add rule for each LAN port, and you can do advanced control with its VLAN ID. Tag‐based: Tag‐based VLAN allows you to add VLAN ID, and select member and DHCP Server for this VLAN ID. Go to Tag‐based VLAN List table. Click the Save button to save the configuration Port‐based VLAN – Create/Edit VLAN Rules The port‐based VLAN allows you to custom each LAN port. There is a default rule shows the configuration of all LAN ports. Also, if your device has a DMZ port, you will see DMZ configuration, too. The maxima rule numbers is based on LAN port numbers. When Add button is applied, Port‐based VLAN Configuration screen will appear, which is including 3 sections: Port‐based VLAN Configuration, IP Fixed Mapping Rule List, and Inter VLAN Group Routing (enter through a button) 113
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Port‐based VLAN – Configuration Port‐based VLAN Configuration Item Value setting Name VLAN ID 1. A Must filled setting 2. String format: already have default texts A Must filled setting Description
Define the Name of this rule. It has a default text and can not be modified.
Define the VLAN ID number, range is 1~4094.
The rule is activated according to VLAN ID and Port Members configuration when Enable is selected. Disable is selected by VLAN Tagging default. The rule is activated according Port Members configuration when Disable is selected. NAT / Bridge NAT is selected by default. Select NAT mode or Bridge mode for the rule. 114
In‐Vehicle Hotspot Gateway
Port Members WAN & WAN VID to Join LAN IP Address Subnet Mask DHCP Server /Relay DHCP Server IP Address (for DHCP Relay only) DHCP Server Name Index skipping is used to reserve slots for new function insertion, when required. Select which LAN port(s) and VAP(s) that you want to add to the rule.
These box is unchecked by Note: The available member list can be different for the purchased default. product. Select which WAN or All WANs that allow accessing Internet. All WANs is selected by Note: If Bridge mode is selected, you need to select a WAN and enter a default. VID. Assign an IP Address for the DHCP Server that the rule used, this IP A Must filled setting address is a gateway IP. 255.255.255.0(/24) is Select a Subnet Mask for the DHCP Server.
selected by default. Define the DHCP Server type.
There are three types you can select: Server, Relay, and Disable. Relay: Select Relay to enable DHCP Relay function for the VLAN group, and Server is selected by you only need to fill the DHCP Server IP Address field. default. Server: Select Server to enable DHCP Server function for the VLAN group, and you need to specify the DHCP Server settings. Disable: Select Disable to disable the DHCP Server function for the VLAN group. If you select Relay type of DHCP Server, assign a DHCP Server IP Address
that the gateway will relay the DHCP requests to the assigned DHCP A Must filled setting server. A Must filled setting IP Pool A Must filled setting Lease Time A Must filled setting Domain Name String format can be any text IPv4 format Primary DNS Secondary DNS Primary WINS Secondary WINS Gateway Define name of the DHCP Server.
Define the IP Pool range.
There are Starting Address and Ending Address fields. If a client requests an IP address from this DHCP Server, it will assign an IP address in the range of IP pool. Define a period of time for an IP Address that the DHCP Server leases to a new device. By default, the lease time is 86400 seconds. The Domain Name of this DHCP Server. The Primary DNS of this DHCP Server. IPv4 format The Secondary DNS of this DHCP Server. IPv4 format The Primary WINS of this DHCP Server. IPv4 format The Secondary WINS of this DHCP Server. The Gateway of this DHCP Server. Click Enable box to activate this rule.
Save IPv4 format The box is unchecked by default. NA Undo NA Enable Click the Save button to save the configuration Click the Undo button to restore what you just configured back to the previous setting. 115
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Besides, you can add some IP rules in the IP Fixed Mapping Rule List if DHCP Server for the VLAN groups is required. When Add button is applied, Mapping Rule Configuration screen will appear. Mapping Rule Configuration Item Value setting Description
MAC Address A Must filled setting IP Address Enable Save A Must filled setting The box is unchecked by default. NA Define the MAC Address target that the DHCP Server wants to match.
Define the IP Address that the DHCP Server will assign. If there is a request from the MAC Address filled in the above field, the DHCP Server will assign this IP Address to the client whose MAC Address matched the rule. Click Enable box to activate this rule.
Click the Save button to save the configuration Note: ensure to always click on Apply button to apply the changes after the web browser refreshed taken you back to the VLAN page. 116
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Port‐based VLAN – Inter VLAN Group Routing Click VLAN Group Routing button, the VLAN Group Internet Access Definition and Inter VLAN Group Routing screen will appear. When Edit button is applied, a screen similar to this will appear. Inter VLAN Group Routing
Item Value setting VALN Group Internet Access Definition All boxes are checked by default. Inter VLAN Group Routing The box is unchecked by default. Save N/A Description
By default, all boxes are checked means all VLAN ID members are allow to access WAN interface. If uncheck a certain VLAN ID box, it means the VLAN ID member can’t access Internet anymore. Note: VLAN ID 1 is available always, it is the default VLAN ID of LAN rule. The other VLAN IDs are available only when they are enabled. Click the expected VLAN IDs box to enable the Inter VLAN access function.
By default, members in different VLAN IDs can’t access each other. The gateway supports up to 4 rules for Inter VLAN Group Routing. For example, if ID_1 and ID_2 are checked, it means members in VLAN ID_1 can access members of VLAN ID_2, and vice versa. Click the Save button to save the configuration 117
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Tag‐based VLAN – Create/Edit VLAN Rules The Tag‐based VLAN allows you to customize each LAN port according to VLAN ID. There is a default rule shows the configuration of all LAN ports and all VAPs. Also, if your device has a DMZ port, you will see DMZ configuration, too. The router supports up to a maximum of 128 tag‐based VLAN rule sets. When Add button is applied, Tag‐based VLAN Configuration screen will appear. Tag‐based VLAN Configuration Item Value setting VALN ID Internet Access Port VAP A Must filled setting The box is checked by default. The box is unchecked by default. The box is unchecked by default. DHCP Server DHCP 1 is selected by default. Save N/A Description
Define the VLAN ID number, range is 6~4094. Click Enable box to allow the members in the VLAN group access to internet. Check the LAN port box(es) to join the VLAN group. Check the VAP box(es) to join the VLAN group. Note: Only the wireless gateway has the VAP list. Select a DHCP Server to these members of this VLAN group. To create or edit DHCP server for VLAN, refer to Basic Network > LAN & VLAN > DHCP Server. Click Save button to save the configuration
Note: After clicking Save button, always click Apply button to apply the settings. 118
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 3.3.7 DHCP Server  DHCP Server The gateway supports up to 4 DHCP servers to fulfill the DHCP requests from different VLAN groups (please refer to VLAN section for getting more usage details). And there is one default setting for whose LAN IP Address is the same one of gateway LAN interface, with its default Subnet Mask setting as “255.255.255.0”, and its default IP Pool ranges is from “.100” to “.200” as shown at the DHCP Server List page on gateway’s WEB UI. User can add more DHCP server configurations by clicking on the “Add” button behind “DHCP Server List”, or clicking on the “Edit” button at the end of each DHCP Server on list to edit its current settings. Besides, user can select a DHCP Server and delete it by clicking on the “Select” check‐box and the “Delete” button. 119
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required.  Fixed Mapping User can assign fixed IP address to map the specific client MAC address by select them then copy, when targets were already existed in the DHCP Client List, or to add some other Mapping Rules by manually in advance, once the target's MAC address was not ready to connect. 120
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. DHCP Server Setting The DHCP Server setting allows user to create and customize DHCP Server policies to assign IP Addresses to the devices on the local area network (LAN). Go to Basic Network > LAN & VLAN > DHCP Server Tab. Create/Edit DHCP Server Policy The router allows you to custom your DHCP Server Policy. It supports up to a maximum of 4 policy sets. When Add button is applied, DHCP Server Configuration screen will appear. 121
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. DHCP Server Configuration Item Value setting DHCP Server Name LAN IP Address Subnet Mask IP Pool Lease Time Domain Name Primary DNS Secondary DNS Primary WINS Secondary WINS Gateway Description
1. String format can be any text 2. A Must filled setting 1. IPv4 format. 2. A Must filled setting 255.0.0.0 (/8) is set by default 1. IPv4 format. 2. A Must filled setting 1. Numberic string format. 2. A Must filled setting String format can be any text IPv4 format Enter a DHCP Server name. Enter a name that is easy for you to understand. The LAN IP Address of this DHCP Server. The Subnet Mask of this DHCP Server. The IP Pool of this DHCP Server. It composed of Starting Address entered in this field and Ending Address entered in this field. The Lease Time of this DHCP Server. The Domain Name of this DHCP Server. The Primary DNS of this DHCP Server. IPv4 format The Secondary DNS of this DHCP Server. IPv4 format The Primary WINS of this DHCP Server. IPv4 format The Secondary WINS of this DHCP Server. The Gateway of this DHCP Server. Save IPv4 format The box is unchecked by default. NA Undo NA Back NA Server Click Enable box to activate this DHCP Server. Click the Save button to save the configuration Click the Undo button to restore what you just configured back to the previous setting. Please note that the restored setting may not be the factory default setting but a retrieve of what was saved in the memory. When the Back button is clicked the screen will return to the DHCP Server Configuration page. 122
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Create/Edit Mapping Rule List on DHCP Server The router allows you to custom your Mapping Rule List on DHCP Server. It supports up to a maximum of 64 rule sets. When Fix Mapping button is applied, the Mapping Rule List screen will appear. When Add button is applied, Mapping Rule Configuration screen will appear. Mapping Rule Configuration Item Value setting 1. MAC Address string MAC Address format 2. A Must filled setting 1. IPv4 format. IP Address 2. A Must filled setting Enabling the The box is unchecked by Rule default. Save N/A Undo N/A Back N/A Description
The MAC Address of this mapping rule. The IP Address of this mapping rule. Click Enable box to activate this rule. Click the Save button to save the configuration Click the Undo button to restore what you just configured back to the previous setting. Please note that the restored setting may not be the factory default setting but a retrieve of what was saved in the memory. When the Back button is clicked the screen will return to the DHCP Server Configuration page. 123
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. View/Copy DHCP Client List When DHCP Client List button is applied, DHCP Client List screen will appear. When the DHCP Client is selected and Copy to Fixed Mapping button is applied. The IP and MAC address of DHCP Client will apply to the Mapping Rule List on specific DHCP Server automatically. Enable/Disable DHCP Server Options The DHCP Server Options setting allows user to set DHCP OPTIONS 66, 72, or 114. Click the Enable button to activate the DHCP option function, and the DHCP Server will add the expected options in its sending out DHCPOFFER DHCPACK packages. Option Meaning RFC 66 72 114 TFTP server name Default World Wide Web Server
URL [RFC 2132] [RFC 2132] [RFC 3679] Create/Edit DHCP Server Options The router supports up to a maximum of 99 option settings. When Add/Edit button is applied, DHCP Server Option Configuration screen will appear. 124
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. DHCP Server Option Configuration Item Value setting 1. String format can be Option Name any text 2. A Must filled setting DHCP Server Dropdown list of all Select available DHCP servers. Dropdown list
66 ‐ tftp Option Select 72 – www 114 ‐ url Description Enter a DHCP Server Option name. Enter a name that is easy for you to understand. Choose the DHCP server this option should apply to. Choose the specific option you want to set. Each different options has different value types. Single IP Address 66 Type Single FQDN Dropdown list of DHCP server option value’s type 72 IP Addresses List, separated by “,” 114 Single URL Should conform to Type : Value 1. IPv4 format 2. FQDN format 3. IP list 4. URL format 5. A Must filled setting Type Value Single IP Address IPv4 format Single FQDN FQDN format 66 72 IP Addresses List, separated by IPv4 format, separated by “,” “,” 125
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 114 Enable Save Undo Single URL URL format The box is unchecked by Click Enable box to activate this setting. default. NA Click the Save button to save the setting.
When the Undo button is clicked the screen will return back with nothing NA changed. 126
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 3.5 WiFi The device may provide WiFi interface for mobile devices or BYOD devices to connect for Internet accessing. The WiFi system in the device complies with 802.11ac/11n/11g/11b standard in 2.4GHz single band or 2.4G/5GHz concurrent dual bands of operation. There are several wireless operation modes provided by this device. They are: “AP Router Mode”, “WDS Only Mode”, and “WDS Hybrid Mode”. You can choose the expected mode from the wireless operation mode list. There are some sub‐sections for you to configure the WiFi function. In the first WiFi Configuration section, you have to finish almost all the settings for using the WiFi function, including the operation mode, optional VAP settings, Channel, WiFi System, Authentication & Encryption key, and Station / VAP isolation settings. In Wireless Client List section, it provides a quick solution for you to know the information of connected wireless clients. And the Advanced Configuration section provides more parameters for advanced user to fine tune the connectivity performance for the WiFi function. Besides, there is one more optional subsection, called Uplink profile, for some special models that provide WiFi uplink function. Hereunder is the scenarios for each wireless operation mode, you can get how it works, and what is the difference among them. To connect your wireless devices with the wireless gateway, make sure your application scenario for WiFi network and choose the most adequate operation mode.  AP Router Mode This mode allows you to get your wired and wireless devices connected to form the Intranet of the wireless gateway, and the Intranet will link to the Internet with NAT mechanism of the gateway. So, this gateway is working as a WiFi AP, but also a WiFi hotspot for Internet accessing service. It means local WiFi clients can associate to it, and go to Internet. With its NAT mechanism, all of wireless clients don’t need to get public IP addresses from ISP. Following diagram illustrates the wireless gateway that is running at AP Router operation mode. 127
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required.  WDS Only Mode & WDS Hybrid Mode WDS (Wireless Distributed System) Only mode drives a wireless gateway to be a WiFi repeater for its wired Intranet. But WDS Hybrid mode drives it act as an access point for its WiFi Intranet and a WiFi repeater for its wired and WiFi Intranets at the same time. Users can thus use the features to build up a large wireless network in a large space like airports, hotels and schools …etc. While acting as a wireless bridge, multiple wireless gateways running at "WDS Only" or "WDS Hybrid" mode link together so that they can communicate with each other through wireless interface (with WDS). Thus all client hosts in their wired Intranets or WiFi Intranets can also communicate each other in the scenario. Following diagram illustrates that there are two remote wireless gateways running at "WDS Only" operation mode. They both use channel 3 to link to the local Wireless Gateway 1 through WDS approach, but the local gateway is running at "WDS Hybrid" mode and has an Internet connection. And their wired Intranets can thus access the Internet through the Wireless Gateway 1 since these three wireless gateways have been linked together by WDS. Please be noted that the gateways running at "WDS Only" mode will disable any DHCP server by default, so the client hosts under the gateways will request their IP address from the Wireless Gateway 1 that has at least one DHCP server working. Besides, the Wireless Gateway 1 also execute the NAT mechanism for Internet accessing. That is, the gateway at "WDS Only" mode provides WiFi bridge to other gateways without embedded DHCP server 128
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. and NAT. However, the gateway at "WDS Hybrid" mode joins in a WDS link network, provides DHCP servers for IP assigning and executes NAT function for Internet accessing. 129
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 3.5.1 WiFi Configuration The Wi‐Fi configuration allows user to configure 2.4G or 5G Wi‐Fi setting, such as SSID or pre‐
shared key. Go to Basic Network > WiFi > WiFi Module One Tab. If the gateway is equipped with two WiFi module, there will be another WiFi Module Two. You can do the similar configurations on both WiFi modules. Basic Configuration Basic Configuration Item Value setting Operation Band A Must filled setting WPS N/A Description
Specify the intended operation band for the WiFi module. Basically, this setting is fixed and cannot be changed once the module is integrated into the gaye product. However, there are some module with selectable band for user to choose according to his network environment. Under such situation, you can specify which operation band is suitable for the application. Press 2.4G or 5G button will lead user to Wi‐Fi Protected Setup page.
Refer to the next sub‐section Wi‐Fi Protected Setup for more details. When WPS Setup button is clicked, a screen similar to this will appear Wi‐Fi Protected Setup Item Value setting Description 130
In‐Vehicle Hotspot Gateway
WPS The box is checked by default. Configuration Status N/A Configuration Mode A Must filled setting WPS Status N/A Undo N/A Back N/A Index skipping is used to reserve slots for new function insertion, when required. Check the Enable box to activate WPS function. The configuration status of AP is displayed here. Press Set/Release button to change the configuration status. 
UNCONFIGURED It means the AP settings is not configured by WPS. The status will change to CONFIGURED after WPS. 
CONFIGURED It means the AP settings has been configured by WPS.
Select WPS configuration mode from Registrar or Enrollee. When Registrar is selected
It means the AP will play a role of Registrar in WPS process. 
Allowed STA PIN Code Enter the PIN code which client given. 
Press Save button to save the current configuration. 
WPS Trigger Start WPS action. (Make sure Save configuration before Triggering WPS.)  Press Save button to save the current configuration. When Enrollee is selected
It means the AP will play a role of Enrollee in WPS process. 
AP PIN Code & New Generate The AP PIN Code provides external Registrar to enter. New Generate button will generate a new PIN code. 
Press Save button to save the current configuration. It shows the current WPS status of progress.

NOUSED : WPS function is disabled. 
IDLE : WPS function is ready. 
STARTPROCESS : WPS function is starting and processing now. 
CONFIGURED : WPS finished process successfully. 
PROCESSFAIL : WPS process failed. Press the Undo button to restore configuration to previous setting before saving. Note that some settings would not take effect from Undo button, such as New Generate or Set/Release. Press the Back button to return to the Wi‐Fi Configuration page. Basic Configuration 131
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Configuring Wi‐Fi Settings Item Value setting WiFi Module WiFi Operation Mode The box is checked by default Description Check the Enable box to activate Wi‐Fi function. Specify the WiFi Operation Mode accroding to your application.
Go to the following table for AP Router Mode, WDS Only Mode, WDS Hybrid Mode, Universal Repeater Mode, AP Only Mode, and CLient Mode settings. The available operation modes are depend on the product specification. In the following, the specific configuration description for each WiFi operation mode is given. AP Router Mode For the AP Router mode, the device not only supports stations connection but also the router function. The WAN port and the NAT function are enabled. AP Router Mode Item Value setting Green AP The box is unchecked by default. VAP Isolation The box is checked by default. Multiple AP Names 1. A Must filled setting 2. VAP1 and VAP8 are activated by default. Description Check the Enable box to activate Green AP function. Check the Enable box to activate this function. By default, the box is checked, it means that stations which associated to different VAPs cannot communicate with each other. 
Multiple AP Names (VAP)
It means multiple SSID feature and the device support up to 8 virtual SSIDs. Select one of VAP to configure its setting at a time. 
Enable Check the enable box to activate the selected VAP. 132
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 
Time Schedule A Must filled setting Network ID (SSID) 1. String format : Any text 2. The box is checked by default. STA Isolation The box is checked by default. Channel 1. A Must filled setting. 2. Auto is selected be default. WiFi System A Must filled setting Authentication 1. A Must filled setting 2. Auto is selected be default. Max. STA
Limit the maximum number of client station. Check this box and enter a limitation. The box is unchecked (unlimited) by default. Apply a specific Time Schedule to this rule, otherwise leave it as (0) Always. If the dropdown list is empty ensure Time Schedule is pre‐configured. Refer to Object Definition > Scheduling > Configuration tab. Enter the SSID for the VAP, and decide whether to broadcast the SSID or not. The SSID is used for identifying from another AP, and client stations will associate with AP according to SSID. If the broadcast SSID option is enabled, it means the SSID will be broadcasted, and the stations can associate with this device by scanning SSID. Check the Enable box to activate this function. By default, the box is checked, it means that stations which associated to the same VAP cannot communicate with each other. Select a radio channel for the VAP. Each channel is corresponding to different radio band. The permissible channels depend on the Regulatory Domain. There are two available options when Auto is selected: 
By AP Numbers The channel will be selected according to AP numbers (The less, the better). 
By Less Interference The channel will be selected according to interference. (The lower, the better). Specify the preferred WiFi System. The dropdown list of Wi‐Fi system is
based on IEEE 802.11 standard. 
2.4G Wi‐Fi can select b, g and n only or mixed with each other. 
5G Wi‐Fi can select a, n and ac only or mixed with each other. For security, there are several authentication methods supported. Client stations should provide the key when associate with this device. When Open is selected
The check box named 802.1x shows up next to the dropdown list. 
802.1x (The box is unchecked by default) When 802.1x is enabled, it means the client stations will be authenticated by RADIUS server. RADIUS Server IP (The default IP is 0.0.0.0) RADIUS Server Port (The default value is 1812) RADIUS Shared Key When Shared is selected
The preshared WEP key should be set for authenticating. When Auto is selected
The device will select Open or Shared by requesting of client automatically. The check box named 802.1x shows up next to the dropdown list. 
802.1x (The box is unchecked by default) When 802.1x is enabled, it means the client stations will be authenticated by RADIUS server. RADIUS Server IP (The default IP is 0.0.0.0) RADIUS Server Port (The default value is 1812) 133
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Encryption 1. A Must filled setting. 2. None is selected be default. Save N/A Undo N/A Apply N/A RADIUS Shared Key
When WPA or WPA2 is selected
They are implementation of IEEE 802.11i. WPA only had implemented part of IEEE 802.11i, but owns the better compatibility. WPA2 had fully implemented 802.11i standard, and owns the highest security. 
RADIUS Server The client stations will be authenticated by RADIUS server. RADIUS Server IP (The default IP is 0.0.0.0) RADIUS Server Port (The default value is 1812) RADIUS Shared Key When WPA / WPA2 is selected
It owns the same setting as WPA or WPA2. The client stations can associate with this device via WPA or WPA2. When WPA‐PSK or WPA2‐PSK is selected
It owns the same encryption system as WPA or WPA2. The authentication uses pre‐shared key instead of RADIUS server. When WPA‐PSK / WPA2‐PSK is selected
It owns the same setting as WPA‐PSK or WPA2‐PSK. The client stations can associate with this device via WPA‐PSK or WPA2‐PSK. Select a suitable encryption method and enter the required key(s).
The available method in the dropdown list depends on the Authentication you selected. None It means that the device is open system without encrypting. WEP Up to 4 WEP keys can be set, and you have to select one as current key. The key type can set to HEX or ASCII. If HEX is selected, the key should consist of (0 to 9) and (A to F). If ASCII is selected, the key should consist of ASCII table. TKIP TKIP was proposed instead of WEP without upgrading hardware. Enter a Preshared Key for it. The length of key is from 8 to 63 characters. AES The newest encryption system in WiFi, it also designed for the fast 802.11n high bitrates schemes. Enter a Preshared Key for it. The length of key is from 8 to 63 characters. You are recommended to use AES encryption instead of any others for security. TKIP / AES TKIP / AES mixed mode. It means that the client stations can associate with this device via TKIP or AES. Enter a Preshared Key for it. The length of key is from 8 to 63 characters. Click the Save button to save the current configuration. Click the Undo button to restore configuration to previous setting before saving. Click the Apply button to apply the saved configuration. WDS Only Mode 134
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. For the WDS Only mode, the device only bridges the connected wired clients to another WDS‐enabled Wi‐Fi device which the device associated with. That is, it also means the no wireless clients stat can connect to this device while WDS Only Mode is selected. WDS Only Mode Item Green AP Value setting The box is unchecked by default. Channel 1. A Must filled setting. 2. Auto is selected be default. Authentication 1. A Must filled setting 2. Auto is selected be default. Description Check the Enable box to activate Green AP function. Select a radio channel for the VAP. Each channel is corresponding to different radio band. The permissible channels depend on the Regulatory Domain. There are two available options when Auto is selected: 
By AP Numbers The channel will be selected according to AP numbers (The less, the better). 
By Less Interference The channel will be selected according to interference. (The lower, the better). For security, there are several authentication methods supported. Client stations should provide the key when associate with this device. When Open is selected
The check box named 802.1x shows up next to the dropdown list. 
802.1x (The box is unchecked by default) When 802.1x is enabled, it means the client stations will be authenticated by RADIUS server. RADIUS Server IP (The default IP is 0.0.0.0) RADIUS Server Port (The default value is 1812) RADIUS Shared Key When Shared is selected
The preshared WEP key should be set for authenticating. When Auto is selected
The device will select Open or Shared by requesting of client automatically. 135
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Encryption 1. A Must filled setting. 2. None is selected be default. Scan Remote AP’s MAC List N/A Remote AP MAC 1~4 A Must filled setting Save N/A Undo N/A Apply N/A The check box named 802.1x shows up next to the dropdown list.

802.1x (The box is unchecked by default) When 802.1x is enabled, it means the client stations will be authenticated by RADIUS server. RADIUS Server IP (The default IP is 0.0.0.0) RADIUS Server Port (The default value is 1812) RADIUS Shared Key When WPA‐PSK is selected
It owns the same encryption system as WPA. The authentication uses pre‐shared key instead of RADIUS server. When WPA2‐PSK is selected
It owns the same encryption system as WPA2. The authentication uses pre‐shared key instead of RADIUS server. Select a suitable encryption method and enter the required key(s).
The available method in the dropdown list depends on the Authentication you selected. None It means that the device is open system without encrypting. WEP Up to 4 WEP keys can be set, and you have to select one as current key. The key type can set to HEX or ASCII. If HEX is selected, the key should consist of (0 to 9) and (A to F). If ASCII is selected, the key should consist of ASCII table. TKIP TKIP was proposed instead of WEP without upgrading hardware. Enter a Preshared Key for it. The length of key is from 8 to 63 characters. AES The newest encryption system in WiFi, it also designed for the fast 802.11n high bitrates schemes. Enter a Preshared Key for it. The length of key is from 8 to 63 characters. You are recommended to use AES encryption instead of any others for security. Press the Scan button to scan the spatial AP information, and then select one from the AP list, the MAC of selected AP will be auto filled in the following Remote AP MAC table. Enter the remote AP’s MAC manually, or via auto‐scan approach, The device will bridge the traffic to the remote AP when associated successfully. Click the Save button to save the current configuration. Click the Undo button to restore configuration to previous setting before saving. Click the Apply button to apply the saved configuration. WDS Hybrid Mode For the WDS Hybrid mode, the device bridges all the wired LAN and WLAN clients to another WDS or WDS hybrid enabled Wi‐Fi devices which the device associated with. 136
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. WDS Hybrid Mode Item Value setting Lazy Mode The box is checked by default. Green AP The box is unchecked by default. VAP Isolation The box is checked by default. Multiple AP Names 1. A Must filled setting 2. VAP1 and VAP8 are activated by default. Time Schedule A Must filled setting Network ID (SSID) 1. String format : Any text 2. The box is checked by default. STA Isolation The box is checked by Description Check the Enable box to activate this function. With the function been enabled, the device can auto‐learn WDS peers without manually entering other AP’s MAC address. But at least one of the APs has to fill remote AP MAC addresses. Check the Enable box to activate Green AP function. Check the Enable box to activate this function. By default, the box is checked, it means that stations which associated to different VAPs cannot communicate with each other. 
Multiple AP Names (VAP)
It means multiple SSID feature and the device support up to 8 virtual SSIDs. Select one of VAP to configure its setting at a time. 
Enable Check the enable box to activate the selected VAP. 
Max. STA Limit the maximum number of client station. Check this box and enter a limitation. The box is unchecked (unlimited) by default. Apply a specific Time Schedule to this rule, otherwise leave it as (0) Always. If the dropdown list is empty ensure Time Schedule is pre‐configured. Refer to Object Definition > Scheduling > Configuration tab. Enter the SSID for the VAP, and decide whether to broadcast the SSID or not. The SSID is used for identifying from another AP, and client stations will associate with AP according to SSID. If the broadcast SSID option is enabled, it means the SSID will be broadcasted, and the stations can associate with this device by scanning SSID. Check the Enable box to activate this function. 137
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. default. Channel 1. A Must filled setting. 2. Auto is selected be default. WiFi System A Must filled setting Authentication 1. A Must filled setting 2. Auto is selected be default. Encryption 1. A Must filled setting. 2. None is selected be default. By default, the box is checked, it means that stations which associated to the same VAP cannot communicate with each other. Select a radio channel for the VAP. Each channel is corresponding to different radio band. The permissible channels depend on the Regulatory Domain. There are two available options when Auto is selected: 
By AP Numbers The channel will be selected according to AP numbers (The less, the better). 
By Less Interference The channel will be selected according to interference. (The lower, the better). Specify the preferred WiFi System. The dropdown list of Wi‐Fi system is
based on IEEE 802.11 standard. 
2.4G Wi‐Fi can select b, g and n only or mixed with each other. 
5G Wi‐Fi can select a, n and ac only or mixed with each other. For security, there are several authentication methods supported. Client stations should provide the key when associate with this device. When Open is selected
The check box named 802.1x shows up next to the dropdown list. 
802.1x (The box is unchecked by default) When 802.1x is enabled, it means the client stations will be authenticated by RADIUS server. RADIUS Server IP (The default IP is 0.0.0.0) RADIUS Server Port (The default value is 1812) RADIUS Shared Key When Shared is selected
The preshared WEP key should be set for authenticating. When Auto is selected
The device will select Open or Shared by requesting of client automatically. The check box named 802.1x shows up next to the dropdown list. 
802.1x (The box is unchecked by default) When 802.1x is enabled, it means the client stations will be authenticated by RADIUS server. RADIUS Server IP (The default IP is 0.0.0.0) RADIUS Server Port (The default value is 1812) RADIUS Shared Key When WPA‐PSK is selected
It owns the same encryption system as WPA. The authentication uses pre‐
shared key instead of RADIUS server. When WPA2‐PSK is selected
It owns the same encryption system as WPA2. The authentication uses pre‐shared key instead of RADIUS server. Select a suitable encryption method and enter the required key(s).
The available method in the dropdown list depends on the Authentication you selected. None It means that the device is open system without encrypting. WEP Up to 4 WEP keys can be set, and you have to select one as current key. 138
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Save N/A Undo N/A Apply N/A The key type can set to HEX or ASCII.
If HEX is selected, the key should consist of (0 to 9) and (A to F). If ASCII is selected, the key should consist of ASCII table. TKIP TKIP was proposed instead of WEP without upgrading hardware. Enter a Preshared Key for it. The length of key is from 8 to 63 characters. AES The newest encryption system in WiFi, it also designed for the fast 802.11n high bitrates schemes. Enter a Preshared Key for it. The length of key is from 8 to 63 characters. You are recommended to use AES encryption instead of any others for security. Click the Save button to save the current configuration. Click the Undo button to restore configuration to previous setting before saving. Click the Apply button to apply the saved configuration. 139
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 3.5.3 Wireless Client List The Wireless Client List page shows the information of wireless clients which are associated with this device. Go to Basic Network > WiFi > Wireless Client List Tab. Select Target WiFi Target Configuration Item Value setting Module Select A Must filled setting. Operation Band A Must filled setting. Multiple AP Names 1. A Must filled setting. 2. All is selected by default. Description
Select the WiFi module to check the information of connected clients.
For those single WiFi module products, this option is hidden. Specify the intended operation band for the WiFi module. Basically, this setting is fixed and cannot be changed once the module is integrated into the gaye product. However, there are some module with selectable band for user to choose according to his network environment. Under such situation, you can specify which operation band is suitable for the application. Specify the VAP to show the associated clients information in the following Client List. By default, All VAP is selected. Show Client List The following Client List shows the information for wireless clients that is associated with the selected VAP(s). Target Configuration Item Value setting Description
IP Address Configuration & It shows the Client’s IP address and the deriving method. Dynamic means the IP address is derived from a DHCP server. N/A 140
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Address Host Name MAC Address N/A N/A Mode N/A Rate RSSI0, RSSI1 Signal Interface Refresh N/A N/A N/A N/A N/A Static means the IP address is a fixed one that is self‐filled by client.
It shows the host name of client.
It shows the MAC address of client.
It shows what kind of Wi‐Fi system the client used to associate with this device. It shows the data rate between client and this device. It shows the RX sensitivity (RSSI) value for each radio path. The signal strength between client and this device. It shows the VAP ID that the client associated with. Click the Refresh button to update the Client List immediately. 141
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 3.5.5 Uplink Profile This device provides WiFi Uplink function for connecting to a wireless access point just like a connected to a wired WAN or cellular WAN connection. It can operate as a NAT gateway and link the devices wirelessly to the uplink network or hosts. To connect to the wireless access point, user has to enable the wireless Uplink function for a certain WiFi Module (refer to Basic Network > WAN & Uplink > Physical Interface, Internet Setup tabs) first, and then configure the Uplink profile(s) for the access point to be connected to in the Uplink Profile page. Go to Basic Network > WiFi > Uplink Profile tab for configuring the Uplink Profile page. Uplink Profile Setting Setting Item Value setting Module Select A Must filled setting. Operation Band A Must filled setting. Priority 1. A Must filled setting. 2. By Signal Strength is selected by default. Description
Select the WiFi module to check or configure the expected uplink profile(s). For those single WiFi module products, this option is hidden. Specify the intended operation band for the WiFi module. Basically, this setting is fixed and cannot be changed once the module is integrated into the gaye product. However, there are some module with selectable band for user to choose according to his network environment. Under such situation, you can specify which operation band is suitable for the application. Specify the network selection methodology for connectin to an available wireless uplink network. It can be By Signal Strength or By User‐defined priority. When By Signal Strength is selected, the gateway will try to connect to the available uplink network whose wireless signal strength is the strongest. When By User‐defined is selected, the gateway will try to connect to the available uplink network whose priority is the highest (1 is the highest priority, and 16 is the lowest priority).
Note: to apply the defined Uplink profile(s) for the gateway to find a best fit profile for connecting to a certain uplink network, user has to Enable the Profile auto‐connect function (Refer to Basic Network > WiFi > (Module 1/ Module 2) WiFi Configuration tab. 142
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Create/Edit Uplink Profile The Profile List shows the settings for the created uplink profiles. The information includes Profile Name, SSID, Channel, Authentication, Encryption, MAC Address, Signal Strength, Priority, and Enable. When Add button is applied, Profile Configuration screen will appear. Profile Configuration Item Value setting Profile Name Network ID (SSID) Channel 1. String format can be any text 2. A Must filled setting Description
Enter a profile name for the uplink network specified below. It is a name that is easy for you to understand. Enter the SSID for the VAP, and decide whether to broadcast the SSID or not. The SSID is used for identifying from another AP, and client stations will associate with AP according to SSID. If the broadcast SSID option is enabled, it means the SSID will be broadcasted, and the stations can associate with this device by scanning SSID. Select a radio channel for the VAP. Each channel is corresponding to different radio band. The permissible channels depend on the Regulatory Domain. 1. A Must filled There are two available options when Auto is selected: setting. 
By AP Numbers 2. Auto is selected by The channel will be selected according to AP numbers (The less, the default. better). 
By Less Interference The channel will be selected according to interference. (The lower, 1. String format : Any text 2. The box is checked by default. 143
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Authentication 1. A Must filled setting 2. Open is selected by default. Encryption 1. A Must filled setting. 2. None is selected by default. MAC Address Priority Enable 1. MAC Address string Format 2. A Must fill setting 1. An Optional filled setting. 2. 16 is set by default. The box is checked by default. Save N/A Undo N/A Back N/A the better).
Specify the authentication method for connecting with the uplink network. It can be Open, Shared, WPA‐SPK, or WPA2‐PSK. When Open is selected, the preshared WEP key could be set for authentication; When Shared is selected, the preshared WEP key should be set for authentication; When WPA‐PSK or WPA2‐PSK is selected, The the TKIP or AES preshared key should be set for authentication; Select a suitable encryption method and enter the required key(s).
The available method in the dropdown list depends on the Authentication you selected. None It means that the device is open system without encrypting. WEP Up to 4 WEP keys can be set, and you have to select one as current key. The key type can set to HEX or ASCII. If HEX is selected, the key should consist of (0 to 9) and (A to F). If ASCII is selected, the key should consist of ASCII table. TKIP TKIP was proposed instead of WEP without upgrading hardware. Enter a Preshared Key for it. The length of key is from 8 to 63 characters. AES The newest encryption system in WiFi, it also designed for the fast 802.11n high bitrates schemes. Enter a Preshared Key for it. The length of key is from 8 to 63 characters. You are recommended to use AES encryption instead of any others for security. Specify the MAC Address of the access point (with the Network ID) to be connected to. Specify a priority setting for the uplink profile when the By User‐defined
methodology is selected. The priority value can be 1 ~ 16. 1 is the highest priority, and 16 is the lowest priority). Click the Enable box to activate this profile. Click the Save button to save the configuration. Click the Undo button to restore what you just configured back to the previous setting. When the Back button is clicked, the screen will return to the Profile List page. Instead of manually enter the information for the uplink network, you can alslo click the Scan button to get the available wireless networks around the device, and select one as the uplink network. When the Scan button is applied, Wireless AP List will appear after few seconds. 144
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Once you selected an AP from the AP list, the channel, SSID, Authentication, Encryption, and MAC address will be automatically filled into the profile, you just have to enter a key for the uplink connection, if required. 145
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 3.5.7 Advanced Configuration This device provides advanced wireless configuration for professional user to optimize the wireless performance under the specific installation environment. Please note that if you are not familiar with the WiFi technology, just leave the advanced configuration with its default values, or the connectivity and performance may get worse with improper settings. Go to Basic Network > WiFi > Advanced Configuration Tab. Select Target WiFi Target Configuration Item Value setting Module Select A Must filled setting. Operation Band A Must filled setting. Description
Select the WiFi module to check the information of connected clients.
For those single WiFi module products, this option is hidden. Specify the intended operation band for the WiFi module. Basically, this setting is fixed and cannot be changed once the module is integrated into the gaye product. However, there are some module with selectable band for user to choose according to his network environment. Under such situation, you can specify which operation band is suitable for the application. Setup Advacned Configuration 146
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Advanced Configuration
Item Value setting Regulatory Domain The default setting is according to where the product sale to Beacon Interval 100 DTIM Interval 3 RTS Threshold 2347 Fragmentation 2346 WMM The box is checked by default Short GI By default 400ns is selected TX Rate RF Bandwidth Transmit Power 5G Band Steering By default Best is selected By default Auto is selected By default 100% is selected The box is Description
It limits the available radio channel of this device. The permissible channels depend on the Regulatory Domain. It shows the time interval between each beacon packet broadcasted.
The beacon packet contains SSID, Channel ID and Security setting. A DTIM (Delivery Traffic Indication Message) is a countdown informing clients of the next window for listening to broadcast message. When the device has buffered broadcast message for associated client, it sends the next DTIM with a DTIM value. RTS (Request to send) Threshold means when the packet size is over the setting value, then active RTS technique. RTS/CTS is a collision avoidance technique. It means RTS never activated when the threshold is set to 2347. Wireless frames can be divided into smaller units (fragments) to improve performance in the presence of RF interference at the limits of RF coverage. WMM (Wi‐Fi Multimedia) can help control latency and jitter when transmitting multimedia content over a wireless connection. Short GI (Guard Interval) is defined to set the sending interval between each packet. Note that lower Short GI could increase not only the transition rate but also error rate. It means the data transition rate. When Best is selected, the device will choice a proper data rate according to signal strength. The setting of RF bandwidth limits the maximum data rate. Normally the wireless transmitter operates at 100% power. By setting the transmit power to control the Wi‐Fi coverage. When the client station associate with 2.4G Wi‐Fi, the device will send 147
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. unchecked by default Save The box is unchecked by default N/A Undo N/A WIDS the client to 5G Wi‐Fi automatically if the client is available on accessing this 5G Wi‐Fi band. This option is only available on the module that supports 5GHz band. The WIDS (Wireless Intrusion Detection System) will analyze all the packet and make a statistic table in Wi‐Fi status. Go to Status > Basic Network > WiFi tab for detailed WIDS status. Click the Save button to save the current configuration. Click the Undo button to restore configuration to previous setting before saving. 148
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 3.7 IPv6 The growth of the Internet has created a need for more addresses than are possible with IPv4. IPv6 (Internet Protocol version 6) is a version of the Internet Protocol (IP) intended to succeed IPv4, which is the protocol currently used to direct almost all Internet traffic. IPv6 also implements additional features not present in IPv4. It simplifies aspects of address assignment (stateless address auto‐configuration), network renumbering and router announcements when changing Internet connectivity providers. This gateway supports various types of IPv6 connection (Static IPv6 / DHCPv6 / PPPoEv6 / 6to4 / 6in4). Please contact your ISP the type of IPv6 is supported before you proceed with IPv6 setup. Static IPv6 Static IPv6 does the same function as static IPv4. The static IPv6 provides manual setting of IPv6 address, IPv6 default gateway address, and IPv6 DNS. Above diagram depicts the IPv6 IP addressing, type in the information provided by your ISP to setup the IPv6 network. DHCPv6 DHCP in IPv6 does the same function as DHCP in IPv4. The DHCP server sends IP address, DNS server addresses and other possible data to the DHCP client to configure automatically. The server also sends a lease time of the address and time to re‐contact the server for IPv6 address renewal. The client has then to resend a request to renew the IPv6 address. 149
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Above diagram depicts DHCP IPv6 IP addressing, the DHCPv6 server on the ISP side assigns IPv6 address, IPv6 default gateway address, and IPv6 DNS to client host’s automatically. PPPoEv6 PPPoEv6 in IPv6 does the same function as PPPoE in IPv4. The PPPoEv6 server provides configuration parameters based on PPPoEv6 client request. When PPPoEv6 server gets client request and successfully authenticates it, the server sends IP address, DNS server addresses and other required parameters to automatically configure the client. 150
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. The diagram above depicts the IPv6 addressing through PPPoE, PPPoEv6 server (DSLAM) on the ISP side provides IPv6 configuration upon receiving PPPoEv6 client request. When PPPoEv6 server gets client request and successfully authenticates it, the server sends IP address, DNS server addresses and other required parameters to automatically configure the client. 6to4 6to4 is one mechanism to establish automatic IPv6 in IPv4 tunnels and to enable complete IPv6 sites communication. The only thing a 6to4 user needs is a global IPv4 address. 6to4 may be used by an individual host, or by a local IPv6 network. When used by a host, it must have a global IPv4 address connected, and the host is responsible for encapsulation of outgoing IPv6 packets and decapsulation of incoming 6to4 packets. If the host is configured to forward packets for other clients, often a local network, it is then a router. In above diagram, the 6to4 means no need to set gateway address "automatic" tunneling solution. The automatic mean have relay server, as defined in RFC 3068 has included segments draw 192.88.99.0/24 used as 6to4 relay of any‐cast address to complete 6in4 setting. 6in4 6in4 is an Internet transition mechanism for Internet IPv4 to IPv6 migration. 6in4 uses tunneling to encapsulate IPv6 traffic over explicitly‐configured IPv4 links. As defined in RFC 4213, the 6in4 traffic is sent over the IPv4 Internet inside IPv4 packets whose IP headers have the IP protocol number set to 41. This protocol number is specifically designated for IPv6 encapsulation. 151
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. In above diagram, the 6in4 usually needs to register to a 6in4 tunnel service, known as Tunnel Broker, in order to use. It also need end point global IPv4 address as 114.39.16.49 to complete 6in4 setting. 152
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 3.7.1 IPv6 Configuration The IPv6 Configuration setting allows user to set the IPv6 connection type to access the IPv6 network. Go to Basic Network > IPv6 > Configuration Tab. IPv6 Configuration Item Value setting IPv6 WAN Connection Type Description
The box is unchecked Check the Enable box to activate the IPv6 function. by default, Define the selected IPv6 WAN Connection Type to establish the IPv6 connectivity. 1. Only can be Select Static IPv6 when your ISP provides you with a set IPv6 addresses. selected when IPv6 Then go to Static IPv6 WAN Type Configuration. Enable Select DHCPv6 when your ISP provides you with DHCPv6 services. 2. A Must filled Select PPPoEv6 when your ISP provides you with PPPoEv6 account setting settings. Select 6to4 when you want to user IPv6 connection over IPv4. Select 6in4 when you want to user IPv6 connection over IPv4. 153
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Static IPv6 WAN Type Configuration Static IPv6 WAN Type Configuration Item Value setting Description
IPv6 Address Subnet Prefix Length Default Gateway Primary DNS Secondary DNS MLD Snooping A Must filled setting Enter the WAN IPv6 Address for the router.
A Must filled setting Enter the WAN Subnet Prefix Length for the router. A Must filled setting An optional setting An optional setting The box is unchecked by default Enter the WAN Default Gateway IPv6 address. Enter the WAN primary DNS Server.
Enter the WAN secondary DNS Server.
Enable/Disable the MLD Snooping function LAN Configuration LAN Configuration Item Value setting Description
Global Address Link‐local Address Enter the LAN IPv6 Address for the router.
Show the link‐local address for LAN interface of router. A Must filled setting Value auto‐created Then go to Address Auto‐configuration (summary) for setting LAN environment. If above setting is configured, click the Save button to save the configuration, and click the Reboot button to reboot the router. 154
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. DHCPv6 WAN Type Configuration DHCPv6 WAN Type Configuration Item Value setting DNS Primary DNS Secondary DNS MLD The option [From Server] is selected by default Can not modified by default Can not modified by default The box is unchecked by default Description Select the [Specific DNS] option to active Primary DNS and Secondary DNS. Then fill the DNS information. Enter the WAN primary DNS Server. Enter the WAN secondary DNS Server. Enable/Disable the MLD Snooping function LAN Configuration LAN Configuration Item Value setting Description
Global Address Link‐local Address Enter the LAN IPv6 Address for the router.
Show the link‐local address for LAN interface of router. Value auto‐created Value auto‐created Then go to Address Auto‐configuration (summary) for setting LAN environment. If above setting is configured, click the Save button to save the configuration, and click Reboot button to reboot the router. 155
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. PPPoEv6 WAN Type Configuration PPPoEv6 WAN Type Configuration Item Value setting Description
Account A Must filled setting Password A Must filled setting Service Name A Must filled setting/Option Enter the Account for setting up PPPoEv6 connection. If you want more information, please contact your ISP. Enter the Password for setting up PPPoEv6 connection. If you want more information, please contact your ISP. Enter the Service Name for setting up PPPoEv6 connection. If you want more information, please contact your ISP. Connection Control Fixed value The value is Auto‐reconnect(Always on). MTU A Must filled setting Enter the MTU for setting up PPPoEv6 connection. If you want more information, please contact your ISP. MLD Snooping The box is unchecked Enable/Disable the MLD Snooping function by default LAN Configuration LAN Configuration Item Value setting Description
Global Address Link‐local Address The LAN IPv6 Address for the router. Show the link‐local address for LAN interface of router. Value auto‐created Value auto‐created Then go to Address Auto‐configuration (summary) for setting LAN environment. If above setting is configured, click the save button to save the configuration and click reboot button to reboot the router. 156
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 6to4 WAN Type Configuration 6to4 WAN Type Configuration Item Value setting Description
6to4 Address Primary DNS Secondary DNS IPv6 address for access the IPv6 network. Enter the WAN primary DNS Server. Enter the WAN secondary DNS Server. MLD Value auto‐created An optional setting An optional setting The box is unchecked by default Enable/Disable the MLD Snooping function LAN Configuration LAN Configuration Item Value setting Description
Global Address Link‐local Address Enter the LAN IPv6 Address for the router. Show the link‐local address for LAN interface of router. An optional setting Value auto‐created Then go to Address Auto‐configuration (summary) for setting LAN environment. If above setting is configured, click the save button to save the configuration and click reboot button to reboot the router. 157
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 6in4 WAN Type Configuration Please go to find IPv6 tunnel brokers to establish 6in4 tunnel. (You can find List of IPv6 tunnel brokers that support 6in4 service from wiki.) Then enter the Local IPv4 address of router into Client IPv4 Address field in IPv6 tunnel broker setting page. 6in4 WAN Type Configuration Item Value setting Remote IPv4 Address Local IPv4 Address Local IPv6 Address Primary DNS Secondary DNS MLD Description
A Must filled setting Filled Server IPv4 Address gotten from tunnel broker in this field. Value auto‐created A Must filled setting An optional setting An optional setting The box is unchecked by default IPv4 address of this router. Filled Client IPv6 Address gotten from tunnel broker in this field. Enter the WAN primary DNS Server. Enter the WAN secondary DNS Server. Enable/Disable the MLD Snooping function LAN Configuration LAN Configuration Item Value setting Description
Global Address Link‐local Address Filled Routed /64 gotten from tunnel broker in this field. Show the link‐local address for LAN interface of router. A Must filled setting Value auto‐created 158
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Then go to Address Auto‐configuration (summary) for setting LAN environment. If above setting is configured, click the save button to save the configuration and click reboot button to reboot the router. Address Auto‐configuration Address Auto‐configuration Item Value setting Description
The box is unchecked Check to enable the Auto configuration feature. by default Define the selected IPv6 WAN Connection Type to establish the IPv6 connectivity. Select Stateless to manage the Local Area Network to be SLAAC + RDNSS Router Advertisement Lifetime (A Must filled setting): Enter the Router 1. Only can be Advertisement Lifetime (in seconds). 200 is setted by default. selected when Auto‐ Select Stateful to manage the Local Area Network to be Stateful (DHCPv6).
IPv6 Address Range (Start) (A Must filled setting) : Enter the start IPv6 Auto‐configuration configuration Type enabled Address for the DHCPv6 range for your local computers. 0100 is setted by 2. Stateless is default. selected by default IPv6 Address Range (End) (A Must filled setting): Enter the end IPv6 Address for the DHCPv6 range for your local computers. 0200 is setted by default. IPv6 Address Lifetime (A Must filled setting) : Enter the DHCPv6 lifetime for your local computers. 36000 is setted by default. Auto‐configuration 159
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 3.9 Port Forwarding Network address translation (NAT) is a methodology of remapping one IP address space into another by modifying network address information in Internet Protocol (IP) datagram packet headers while they are in transit across a traffic routing device. The technique was originally used for ease of rerouting traffic in IP networks without renumbering every host. It has become a popular and essential tool in conserving global address space allocations in face of IPv4 address exhaustion. The product you purchased embeds and activates the NAT function. You also can disable the NAT function in [Basic Network]‐[WAN & Uplink]‐[Internet Setup]‐[WAN Type Configuration] page. In addition to native NAT function, you can also configure further NAT related functions in the Port Forwarding page. They are NAT Loopback, Virtual Server, Virtual Computer, IP Translation, Special AP & ALG, DMZ and Pass Through, etc.. Normally, with global IP address or FQDN of WAN interface in the gateway, employees who travel outside the office can access various servers behind the office gateway. You can set up those servers by using "Virtual Server" feature of the gateway (refer to next section) to forward all server accessing requests to local LAN servers for traveling employees for remote access. But most often, employees are to reconfigure their PC to access to those servers from inside the LAN network each time after their trip. NAT Loopback can be enabled to overcome. With "Virtual Server" feature, traveling employees may thus access office servers using the FQDN or IP address of WAN interface in the gateway, and the accessing request packets will be delivered to the WAN interface of gateway after NAT translation. Gateway forwards the inbound request packets to the local LAN servers and LAN servers make a reply to these request packets by connection tracking back. But if the NAT Loopback feature in the gateway is enabled, these packets will not flow to the WAN interface, but only loopback to the local LAN servers. And LAN servers make a reply. 3.9.1 Configuration NAT Loopback This feature allows you to access the WAN global IP address from your inside NAT local network. It is useful when you run a server inside your network. For example, if you set a mail server at LAN side, your local devices can access this mail server through gateway’s global IP address when enable NAT loopback feature. On either side are you in accessing the email server, at the LAN side or at the WAN side, you don’t need to change the IP address of the mail server, as shown in scenario ① of following diagram. 160
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Scenario Application Timing Without the need of reconfigure their PC each time, the employee from inside or outside the office can access enterprise servers. So network administrator must activate the "NAT Loopback" feature to do that. Scenario Description Local user can access mail server by FQDN or global IP when NAT loop back is enable. Global user can access mail server only when mail server is set as virtual server of the gateway. Parameter Setup Example Following 2 tables list the parameter configuration as an example for above diagram of gateway with "NAT Loopback" feature activated. Use default value for those parameters that are not mentioned in these tables. Configuration Path [Configuration]‐[NAT Loopback]
161
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. ■ Enable
NAT Loopback [Virtual Server & Virtual Computer]‐[Virtual Server List] Configuration Path ID Public Port Server IP Private Port Rule 1
2
25 (SMTP)
110 (POP3) 10.0.75.101
10.0.75.101 25 (SMTP)
110 (POP3) ■ Enable
■ Enable Scenario Operation Procedure In above diagram, the Gateway is the gateway of Network‐A, and the subnet of its Intranet is 10.0.75.0/24. The gateway has the IP address of 10.0.75.2 for LAN interface and 118.18.81.33 for WAN interface. It serves as a NAT router. Activate the NAT Loopback feature on the Gateway. Define the E‐mail virtual server to be located at a server with IP address 10.0.75.101 in the Intranet of Network‐A, including SMTP service port 25 and POP3 service port 110. So, the local user at host with IP address 10.0.75.100 can access the E‐mail server by using the global IP 118.18.81.33. But in reality the E‐mail request packets from the local host will not reach the WAN interface, but just loop back to the E‐mail server in the Intranet. 162
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Configuration Setting Go to Basic Network > Port Forwarding > Configuration tab. The NAT Loopback allows user to access the WAN IP address from inside your local network. Enable NAT Loopback Configuration Item NAT Loopback Save Undo Value setting The box is checked by default N/A N/A Description
Check the Enable box to activate this NAT function Click the Save button to save the settings. Click Undo to cancel the settings 163
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 3.9.3 Virtual Server & Virtual Computer Virtual server is another name for port forwarding used by some routers. In computer networking, port forwarding or port mapping is an application of network address translation (NAT) that redirects a communication request from one address and port number combination to another while the packets are traversing a network gateway, such as a router or firewall. This technique is most commonly used to make services on a host residing on a protected or masqueraded (internal) network available to hosts on the opposite side of the gateway (external network), by remapping the destination IP address and port number of the communication to an internal host. Port forwarding allows remote computers (a computers on the Internet) to connect to a specific computer or service within a private local‐area network (LAN). So you can deploy some servers in your Intranet with the firewall protection by your gateway. This device’s NAT firewall filters out unrecognized packets to protect your Intranet, so all hosts behind this device gateway are invisible to the outside world. If you wish, you can make some of them accessible by enabling the Virtual Server Mapping. However, a virtual computer is a host in the Intranet whose IP address is global and is visible to the outside world. Since it is in the Intranet, it is protected by the firewall gateway when it acts like a node in the Internet. In "Virtual Server & Virtual Computer" page, there are two list windows for all virtual servers and virtual computer. "Virtual Server List" window lists the public port used in the Internet, server IP at LAN side, private port used in the Intranet, used protocol for the service on the server and the integrated time schedule rule for all virtual servers. There is an "Add" button for you to add and create new virtual server, and the "Edit" button to modify the existed virtual server settings. On "Virtual Computer List" window, the mapping of the global IP address and the local IP address for all virtual computers are listed. There is also an "Add" button for you to add and create new virtual computer, and the "Edit" button to modify the existed virtual computer. 164
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Virtual Server "Virtual Server" feature allows you to define some servers with the global IP address or FQDN of the gateway as if they are servers existed in the Internet. But in fact, these servers are located in the Intranet and are physically behind the gateway. The gateway serves the service requests by port forwarding the requests to the LAN servers and transfers the replies from LAN servers to the requester on the WAN side. For example, if you set an E‐mail server on the LAN side with IP address 10.0.75.101, a remote user can access the gateway for E‐mail service if you defined a virtual E‐mail server for the gateway by using the real E‐mail server on the LAN side, as shown in scenario ② in following diagram. Scenario Application Timing Set up some application servers in the Intranet of deployed network for services and are protected by the gateway firewall. In a way that the gateway appears to be the physical server to the remote users, while the real server is, in reality, operating and providing service at the LAN side behind the gateway. Scenario Description The gateway serves as an E‐mail server for remote users E‐mail services from the gateway. 165
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. The gateway executes port forwarding transferring the E‐mail service requests to the LAN servers and sends the replies from LAN servers to the requester. The E‐mail server at LAN side is the server for E‐mail service. Parameter Setup Example Following table list the parameter configuration as an example for scenario ② in above diagram. Please be noted that the E‐mail service includes SMTP and POP3 service ports. Use default value for those parameters that are not mentioned in the table. Configuration Path ID Public Port Server IP Private Port Rule [Virtual Server & Virtual Computer]‐[Virtual Server List] 1
2
25 (SMTP)
110 (POP3) 10.0.75.101
10.0.75.101 25 (SMTP)
110 (POP3) ■ Enable
■ Enable Scenario Operation Procedure In above diagram, the Gateway is the gateway of Network‐A and the subnet of its Intranet is 10.0.75.0/24. The gateway has the IP address of 10.0.75.2 for LAN interface and 118.18.81.33 for WAN interface. It serves as a NAT router. Define the E‐mail virtual server to be located at a server with IP address 10.0.75.101 in the Intranet of Network‐A, including SMTP service port 25 and POP3 service port 110. So, the remote user can access the E‐mail server in the gateway that has the global IP 118.18.81.33 at its WAN side. But the real E‐mail server is located at LAN side and the gateway is the port forwarder for E‐mail service. A virtual server rule can be integrated with a schedule rule. That means, the virtual server rule can be activated only at the pre‐defined time schedule. Virtual Computer "Virtual Computer" feature allows you to assign LAN hosts to global IP addresses, so that they can be visible to outside world. While so, they are also protected by the gateway firewall as same as they are protected when being client hosts in the Intranet. For example, if you set an FTP file server at LAN side with local IP address 10.0.75.102 and global IP address 118.18.82.44, a remote user can access the file server while it is hidden behind the NAT gateway. That is because the gateway takes care of all accessing to the IP address 118.18.82.44, including to forward the access requests to the file server and to send the replies from the server to outside world, as shown in scenario ③ of following diagram. 166
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Scenario Application Timing To setup some hosts in the Intranet of deployed networking to be visible to outside world but also be protected by the NAT gateway firewall, use the "Virtual Computer" feature in the gateway to implement the application scenario. Scenario Description A LAN host is assigned with a global IP address to be visible to outside world. The host has an embedded FTP file server and is protected by the gateway firewall. The gateway acts as the media between the LAN host and outside world to allow remote access. Parameter Setup Example Following table list the parameter configuration as an example for scenario ③ in above diagram. Use default value for those parameters that are not mentioned in the table. 167
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. [Virtual Server & Virtual Computer]‐[Virtual Computer List] Configuration Path ID Global IP Local IP Rule 1
118.18.81.44
10.0.75.102
■ Enable
Scenario Operation Procedure In above diagram, the Gateway is the gateway of Network‐A and the subnet of its Intranet is 10.0.75.0/24. The gateway has the IP address of 10.0.75.2 for LAN interface and 118.18.81.33 for WAN interface. It serves as a NAT router. A LAN host with private IP address 10.0.75.102 has an embedded FTP file server in it. The host is expected to be visible to the outside world with global IP address 118.18.81.44, but also be protected by the gateway firewall. Configure a virtual computer in the gateway for the mapping between the global IP address 118.18.81.44 and the local IP address 10.0.75.102. The gateway will take care of all accessing to the FTP file server by server's global IP address, and it acts as a media between the LAN host and the outside world by using its "Virtual Computer" feature. So remote users can request for file services from the FTP file server, even it is existed in a LAN host. 168
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Virtual Server & Virtual Computer Setting Go to Basic Network > Port Forwarding > Virtual Server & Virtual Computer tab. Enable Virtual Server and Virtual Computer Configuration Item Virtual Server Virtual Computer Save Undo Value setting The box is unchecked by default The box is checked by default N/A N/A Description
Check the Enable box to activate this port forwarding function Check the Enable box to activate this port forwarding function Click the Save button to save the settings. Click Undo to cancel the settings. Create/Edit Virtual Server The router allows you to custom your Virtual Server rules. The router supports up to a maximum of 20 rule‐based Virtual Server sets. When Add button is applied, Virtual Server Rule Configuration screen will appear. 169
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Virtual Server Rule Configuration Item Value setting Description
WAN Interface Define the selected interface to be the packet‐entering interface of the router. 1. A Must filled setting 2. If the packets to be filtered are coming from WAN‐x then select WAN‐x for Default is ALL. this field. Select ALL for packets coming into the router from any interfaces. It can be selected WAN‐x box when WAN‐x enabled. Server IP A Must filled setting Protocol A Must filled setting This field is to specify the IP address of the interface selected in the WAN Interface setting above. When “ICMPv4” is selected It means the option “Protocol” of packet filter rule is ICMPv4. Apply Time Schedule to this rule, otherwise leave it as Always. (refer to Scheduling setting under Object Definition) Then check Enable box to enable this rule. When “TCP” is selected It means the option “Protocol” of packet filter rule is TCP. Public Port selected a predefined port from Well‐known Service, and Private Port is the same with Public Port number. Public Port is selected Single Port and specify a port number, and Private Port can be set a Single Port number. Public Port is selected Port Range and specify a port range, and Private Port can be selected Single Port or Port Range. Apply Time Schedule to this rule, otherwise leave it as Always. (refer to Scheduling setting under Object Definition) Then check Enable box to enable this rule. When “UDP” is selected It means the option “Protocol” of packet filter rule is UDP. Public Port selected a predefined port from Well‐known Service, and Private Port is the same with Public Port number. Public Port is selected Single Port and specify a port number, and Private 170
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Port can be set a Single Port number. Public Port is selected Port Range and specify a port range, and Private Port can be selected Single Port or Port Range. Apply Time Schedule to this rule, otherwise leave it as Always. (refer to Scheduling setting under Object Definition) Then check Enable box to enable this rule. Save Undo N/A When “TCP & UDP” is selected It means the option “Protocol” of packet filter rule is TCP and UDP. Public Port selected a predefined port from Well‐known Service, and Private Port is the same with Public Port number. Public Port is selected Single Port and specify a port number, and Private Port can be set a Single Port number. Public Port is selected Port Range and specify a port range, and Private Port can be selected Single Port or Port Range. Apply Time Schedule to this rule, otherwise leave it as Always. (refer to Scheduling setting under Object Definition) Then check Enable box to enable this rule. When “GRE” is selected It means the option “Protocol” of packet filter rule is GRE. Apply Time Schedule to this rule, otherwise leave it as Always. (refer to Scheduling setting under Object Definition) Then check Enable box to enable this rule. When “ESP” is selected It means the option “Protocol” of packet filter rule is ESP. Apply Time Schedule to this rule, otherwise leave it as Always. (refer to Scheduling setting under Object Definition) Then check Enable box to enable this rule. Click the Save button to save the settings. When “SCTP” is selected It means the option “Protocol” of packet filter rule is SCTP. Apply Time Schedule to this rule, otherwise leave it as Always. (refer to Scheduling setting under Object Definition) Then check Enable box to enable this rule. When “User‐defined” is selected It means the option “Protocol” of packet filter rule is User‐defined. For Protocol Number, enter a port number. Apply Time Schedule to this rule, otherwise leave it as Always. (refer to Scheduling setting under Object Definition) Then check Enable box to enable this rule. Click the Save button to save the settings. N/A Click Undo to cancel the settings. Back N/A When the Back button is clicked the screen will return to the Packet Filters Configuration page. 171
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Create/Edit Virtual Computer The router allows you to custom your Virtual Computer rules. The router supports up to a maximum of 20 rule‐based Virtual Computer sets. When Add button is applied, Virtual Computer Rule Configuration screen will appear. Virtual Computer Rule Configuration Item Value setting Description
Global IP Local IP Enable Save A Must filled setting A Must filled setting N/A N/A This field is to specify the IP address of the WAN IP. This field is to specify the IP address of the LAN IP. Then check Enable box to enable this rule. Click the Save button to save the settings. 172
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 3.9.7 Special AP & ALG As a NAT gateway, it doesn't allow an active connection request from outside world. All this kind of requests will be ignored by the NAT gateway. But at the client hosts in the Intranet, users may use applications that need more service ports to be allowed for passing through the NAT gateway. The "Special AP (application)" feature in the gateway can solve this problem. That is, some applications require multiple connections, like Internet games, Video conferencing, Internet telephony, etc. Because of the firewall function, these applications cannot work with a pure NAT gateway. The Special AP feature allows some of these applications to work with this product. Besides, application‐level gateway (ALG) allows customized NAT traversal filters to be plugged into the gateway to support address and port translation for certain application layer "control/data" protocols such as FTP, BitTorrent, SIP, RTSP, file transfer in IM applications, etc. In order for these protocols to work through NAT or a firewall, either the application has to know about an address/port number combination that allows incoming packets, or the NAT has to monitor the control traffic and open up port mappings (firewall pinhole) dynamically as required. Legitimate application data can thus be passed through the security checks of the firewall or NAT that would have otherwise restricted the traffic for not meeting its limited filter criteria. Special AP The Special AP feature allows you to request the gateway open a pre‐defined set range service ports for incoming packets to pass through once the trigger port is toggled in the gateway by the Intranet packets. As shown in following diagram, one defined special application rule is that the trigger port is pa and the activated ports are pb and pc once the pa port is toggled at LAN interface of gateway. 173
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required.  Scenario Application Timing When local user wants to run an application to access the server in the Internet and the application need more than one connection session with different service ports to finish its function. You can define one special application rule for it. The rule can be integrated with one schedule rule. That is, the special application rule can be activated only at the pre‐defined schedule.  Scenario Description 
Local user runs an application to access the Internet server by a trigger packet with the dedicated destination port. 
Gateway opens more service ports for incoming packets to pass through the gateway into the Intranet from the Internet if the application requires.  Parameter Setup Example 
Following table lists the parameter configuration as an example for the gateway in above diagram with one special application rule to be defined. 
Use default value for those parameters that are not mentioned in the table. Configuration Path
ID Trigger Port Incoming Ports Rule [Special AP & ALG]‐[Special AP List]
1
554 (Quick Time 4)
6970‐6999
■ Enable
 Scenario Operation Procedure  In above diagram, the Gateway is the gateway of Network‐A and the subnet of its Intranet is 10.0.75.0/24. The gateway has the IP address of 10.0.75.2 for LAN interface and 118.18.81.33 for WAN interface. It serves as a NAT router.  Define a special application rule with the trigger port 554 (Quick Time 4) and incoming ports 6970‐6999, and activate the rule.  So, the local user at host with IP address 10.0.75.100 can enjoy the music by using Quick Time 4 application. The media server is in the Internet. SIP ALG This gateway supports the SIP ALG feature to allow one SIP phone behind the NAT gateway can call another SIP phone in the Internet, even the gateway executes its NAT mechanism between the Intranet and the Internet. The NAT gateway monitors the control traffic and open up port mappings (firewall pinhole) dynamically as required to know about an address/port number combination that 174
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. allows incoming packets, so it will support address and port translation for SIP application layer "control/data" protocols as shown in following diagram. The NAT Gateway enables the SIP ALG feature, so it will monitor the SIP Phone #1 actions, open up the required ports and make the address and port translation in a SIP voice communication.  Scenario Application Timing When a SIP phone is behind a NAT gateway, and it is expected to make a call to or receive a call from the Internet. The "SIP ALG" feature must be activated in the NAT gateway.  Scenario Description 
The "SIP ALG" feature in the NAT Gateway is enabled to monitor, open up ports and make the address and port translation for the voice communication of the SIP phone behind the gateway. 
A SIP phone behind a NAT gateway can call another SIP phone with the help of the SIP server in the Internet.  Parameter Setup Example 
Following table lists the parameter configuration for the NAT gateway in above diagram. Configuration Path ALG [Special AP & ALG]‐[Configuration]
SIP ALG ■ Enable
 Scenario Operation Procedure  In above diagram, the NAT Gateway is the gateway of Network‐A and the subnet of its Intranet is 10.0.75.0/24. The gateway has the IP address of 10.0.75.2 for LAN interface and 175
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 118.18.81.33 for WAN interface. It serves as a NAT router.  Configure the NAT gateway with SIP ALG being enabled.  When the SIP Phone #1 behind the NAT gateway has booted up, it will register to the SIP server in the Internet. So, the SIP server knows where the SIP Phone #1 is. In the same way, the SIP Phone #2 also registers to the SIP server.  A local user wants to make one call to the SIP Phone #2 by using the SIP Phone #1, the NAT Gateway will monitor the calling process, open up required service ports for incoming packets and make the address and port translation for the voice communication. First, the calling starts from the SIP Phone #1 to the SIP server. Then the SIP server invites the SIP Phone #2 and finally, the SIP Phone #1 talks to the SIP Phone #2, as shown in above diagram. 176
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Special AP & ALG Setting The Special AP setting allows some applications require multiple connections. The ALG setting allows user to Support some SIP ALG, like STUN. Go to Basic Network > Port Forwarding > Special AP & ALG tab. Enable Special AP & ALG Configuration Item Special AP ALG Enable Save Undo Value setting Description
The box is checked by default The box is checked by default N/A N/A Check the Enable box to activate the Special AP function. Check the Enable box to activate the SIP ALG function. Click the Save button to save the settings. Click the Undo button to cancel the settings Create/Edit Special AP Rule The gateway allows you to custom your Special AP rules. It supports up to a maximum of 8 rule‐based Special AP sets. When Add button is applied, Special AP Rule Configuration screen will appear. 177
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. IP Translation Configuration Item Value setting WAN Interface Description
1. A Must filled setting 2.All is checked by default. 1. A Must filled setting 2.User‐defined is selected by default. Check the interface box(es) to apply the Special AP rule. By default, All is checked, and the Special AP rule will be applied to all WAN interfaces. Enter the expected trigger port (or port range) if User‐defined is selected in the dropdown list. If you select other popular application from the dropdown list, the corresponding trigger port(s) and incoming ports will be defined automatically. Incoming Ports 1. A Must filled setting Time Schedule 1. An Must filled setting 2.(0) Always is selected by default. The box is unchecked by default N/A Enter the expected Incoming ports if User‐defined is selected in the Trigger Port dropdown list. If you select other popular application from the dropdown list, the corresponding incoming ports will be defined automatically. Apply Time Schedule to this rule, otherwise leave it as Always. If the dropdown list is empty ensure Time Schedule is pre‐configured. Refer to Object Definition > Scheduling > Configuration tab. Check the Enable box to activate the special AP rule. Trigger Port Rule Save Undo N/A Click the Save button to save the settings. Click the Undo button to cancel the settings 178
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 3.9.9 DMZ & Pass Through DMZ (De Militarized Zone) Host is a host that is exposed to the Internet cyberspace but still within the protection of firewall by gateway device. So, the function allows a computer to execute 2‐way communication for Internet games, Video conferencing, Internet telephony and other special applications. In some cases when a specific application is blocked by NAT mechanism, you can indicate that LAN computer as a DMZ host to solve this problem. In "DMZ" page, there is only one configuration window for "DMZ" feature. The window lets you activate the DMZ function and specify the IP address in the Intranet to be DMZ host so that the host under DMZ function can run applications freely that would, otherwise, blocked by NAT mechanism of the gateway with DMZ feature disabled. That is, the incoming packets issued by an active application in the Internet are usually blocked outside of the NAT gateway. But the DMZ host can receive those packets and make replies. That is, it is reactive to outside world. In the meantime, it is also protected by the gateway firewall. The DMZ function allows you to ask the gateway pass through all normal packets to the DMZ host behind the NAT gateway only when these packets are not expected to receive by applications in the gateway or by other client hosts in the Intranet. Certainly, the DMZ host is also protected by the gateway firewall. Activate the feature and specify the DMZ host with a host in the Intranet when needed. DMZ Scenario 179
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Scenario Application Timing When the administrator of the gateway wants to set up some service daemons in a host that is in the Intranet to allow remote users request for services from the host actively, even the host is behind a NAT gateway. But remote users think the gateway provides those services, so users use the global IP of the gateway to request their services. Apply the DMZ feature in the NAT gateway to meet the application scenario. In addition, please also be noted that the client host is still protected by the gateway firewall. Scenario Description The DMZ host is behind a NAT gateway and receives all normal and active packets from the Internet. Remote user can access the DMZ host by using the IP address of the gateway, and the gateway will skip the NAT checking on the DMZ host. DMZ host is still protected by the gateway firewall. Parameter Setup Example Following table lists the parameter configuration as an example for the gateway in above diagram with DMZ enabling. Use default value for those parameters that are not mentioned in the table. [DMZ]‐[Configuration]
Configuration Path DMZ IP Address of DMZ Host: 10.0.75.100 ■ Enable Scenario Operation Procedure In above diagram, the NAT Gateway is the gateway of Network‐A and the subnet of its Intranet is 10.0.75.0/24. The gateway has the IP address of 10.0.75.2 for LAN interface and 118.18.81.33 for WAN interface. It serves as a NAT router. Configure a host in the Intranet to be the DMZ Host and activate the rule, whose IP address is 10.0.75.100. Assume there is an X server installed in the DMZ host. Then, the remote user can request services from the X server in the DMZ host by skipping the NAT checking by the gateway. 180
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. DMZ & Pass Through Setting The DMZ host is a host that is exposed to the Internet cyberspace but still within the protection of firewall by gateway device. Go to Basic Network > Port Forwarding > DMZ & Pass Through tab. Enable DMZ and Pass Through Configuration Item Value setting Description
DMZ 1. A Must filled setting 2. Check the Enable box to activate this SDMZ function Default is ALL. Define the selected interface to be the packet‐entering interface of the router. If the packets to be filtered are coming from WAN‐x then select WAN‐
x for this field. Select ALL for packets coming into the router from any interfaces. It can be selected WAN‐x box when WAN‐x enabled. This field of DMZ Host is to specify the IP address of Host LAN IP. Pass Through Enable The boxes are checked by default Save Undo N/A Check the box to enable the pass through function for the IPSec, PPTP, and L2TP. With the pass through function enabled, the VPN hosts behind the gateway still can connect to remote VPN servers. Click the Save button to save the settings. N/A Click Undo to cancel the settings 181
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 3.b Routing If you have more than one router and subnet, you will need to enable routing function to allow packets to find proper routing path and allow different subnets to communicate with each other. Routing is the process of selecting best paths in a network. It is performed for many kinds of networks, like electronic data networks (such as the Internet), by using packet switching technology. The routing process usually directs forwarding on the basis of routing tables which maintain a record of the routes to various network destinations. Thus, constructing routing tables, which are held in the router's memory, is very important for efficient routing. Most routing algorithms use only one network path at a time. The routing tables record your pre‐defined routing paths for some specific destination subnets. It is static routing. However, if the contents of routing tables record the obtained routing paths from neighbor routers by using some protocols, such as RIP, OSPF and BGP. It is dynamic routing. These both routing approaches will be illustrated one after one. 3.b.1 Static Routing "Static Routing" function lets you define the routing paths for some dedicated hosts/servers or subnets to store in the routing table of the gateway. The gateway system will route incoming packets to different peer gateways based on the routing table. You define the static routing information in gateway system. Static Routing Scenario 182
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Scenario Application Timing When the administrator of the gateway wants to specify what kinds of packets to be transferred via which one gateway interface and which peer gateway to their destination. It can be carried out by the "Static Routing" feature. Scenario Description Dedicated packet flows from the Intranet will be routed to their destination via the pre‐
defined peer gateway and corresponding gateway interface that are defined in the system routing table by manual. Parameter Setup Example Following tables list the parameter configuration as an example for the gateway in above diagram with "Static Routing" enabling. Use default value for those parameters that are not mentioned in the tables. [Static Routing]‐[Configuration]
Configuration Path Static Routing Configuration Path ID Destination IP Subnet Mask Gateway Metric Rule ■ Enable
[Static Routing]‐[Static Routing Rule List]
1
2
173.194.72.94
188.125.73.108 255.255.255.255
255.255.255.255 118.18.81.1
203.95.80.1 255
255
■ Enable
■ Enable Scenario Operation Procedure In above diagram, the Gateway is the gateway of Network‐A and the subnet of its Intranet is 10.0.75.0/24. The gateway has the IP address of 10.0.75.2 for LAN interface, 118.18.81.33 for WAN‐1 interface and 203.95.80.22 for WAN‐2 interface. It serves as a NAT router. Configure two static routing rules for the gateway. The first one is to define the packets from the Intranet to the Google web site (173.194.72.94) will be routed via the WAN‐1 interface and the ADSL ISP's gateway. The second one is to define the packets to the Yahoo web site (188.125.73.108) will be routed via the WAN‐2 interface and the Cellular Network ISP's gateway. System will route the packets from the Intranet to Google site and Yahoo site based on above settings. 183
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Static Routing Setting In "Static Routing" page, there are three configuration windows for static routing feature. They are the "Configuration" window, "Static Routing Rule List" window and "Static Routing Rule Configuration" window. The "Configuration" window lets you activate the global static routing feature only. Even you have defined many static routing rules for the gateway, if you want to disable them temporarily, just uncheck the Enable box to disable it. The "Static Routing Rule List" window lists all your defined static routing rule entries. Using "Add" or "Edit" button to add and create one new static routing rule or to modify an existed one. When "Add" or "Edit" button is applied the "Static Routing Rule Configuration" window will appear to let you define a static routing rule. The parameters include the destination IP address and subnet mask of dedicated host/server or subnet, the IP address of peer gateway, the metric and the rule activation. Go to Basic Network > Routing > Static Routing Tab. Enable Static Routing Just check the "Enable" box to activate the "Static Routing" feature. Static Routing Item Value setting Static Routing The box is unchecked by default Description
Check the Enable box to activate this function 184
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Create/Edit Static Routing Rules The Static Routing Rule List shows the setup parameters of all static routing rule entries. To configure a static routing rule, you must specify related parameters including the destination IP address and subnet mask of dedicated host/server or subnet, the IP address of peer gateway, the metric and the rule activation. The router allows you to custom your static routing rules. It supports up to a maximum of 64 rule sets. When Add button is applied, Static Routing Rule Configuration screen will appear, while the "Edit" button at the end of each static routing rule can let you modify the rule. IPv4 Static Routing Item Value setting Destination IP Subnet Mask Gateway IP Interface Metric Rule Save 1. IPv4 Format 2. A Must filled setting 255.255.255.0 (/24) is set by default 1. IPv4 Format 2. A Must filled setting Auto is set by default 1. Numberic String Format 2. A Must filled setting The box is unchecked by default. NA Description
The Destination IP of this static routing rule. The Subnet Mask of this static routing rule. The Gateway IP of this static routing rule. The Interface of this static routing rule. The Metric of this static routing rule. Click Enable box to activate this rule. Click the Save button to save the configuration 185
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Undo NA Back NA Click the Undo button to restore what you just configured back to the previous setting. Please note that the restored setting may not be the factory default setting but a retrieve of what was saved in the memory. When the Back button is clicked the screen will return to the Static Routing Configuration page. 186
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 3.b.3 Dynamic Routing Dynamic Routing, also called adaptive routing, describes the capability of a system, through which routes are characterized by their destination, to alter the path that the route takes through the system in response to a change in network conditions. The adaptation is intended to allow as many routes as possible to remain valid (that is, have destinations that can be reached) in response to the change. This gateway supports dynamic routing protocols, including RIPv1/RIPv2 (Routing Information Protocol), OSPF (Open Shortest Path First), and BGP (Border Gateway Protocol), for you to establish routing table automatically. The feature of dynamic routing will be very useful when there are lots of subnets in your network. Generally speaking, RIP is suitable for small network. OSPF is more suitable for medium network. BGP is more used for big network infrastructure. The supported dynamic routing protocols are described as follows. RIP Scenario The Routing Information Protocol (RIP) is one of the oldest distance‐vector routing protocols, which employs the hop count as a routing metric. RIP prevents routing loops by implementing a limit on the number of hops allowed in a path from the source to a destination. The maximum number of hops allowed for RIP is 15. This hop limit, however, also limits the size of networks that RIP can support. A hop count of 16 is considered an infinite distance, in other words the route is considered unreachable. RIP implements the split horizon, route poisoning and hold‐down mechanisms to prevent incorrect routing information from being propagated. OSPF Scenario Open Shortest Path First (OSPF) is a routing protocol for Internet Protocol (IP) networks. It uses a link state routing algorithm and falls into the group of interior routing protocols, operating within a single autonomous system (AS). OSPF is perhaps the most widely used interior gateway protocol (IGP) in large enterprise networks. IS‐IS, another link‐state dynamic routing protocol, is more common in large service provider networks. The most widely used exterior gateway protocol is the Border Gateway Protocol (BGP), the principal routing protocol between autonomous systems on the Internet. OSPF is an interior gateway protocol (IGP) for routing Internet Protocol (IP) packets solely within a single routing domain, such as an autonomous system. It gathers link state information from available routers and constructs a topology map of the network. The topology is presented as a routing table to the Internet Layer which routes datagrams based solely on the destination IP address found in IP packets. OSPF detects changes in the topology, such as link failures, and converges on a new loop‐free routing structure within seconds. It computes the shortest path tree for each route using a method based on 187
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Dijkstra's algorithm, a shortest path first algorithm. The OSPF routing policies for constructing a route table are governed by link cost factors (external metrics) associated with each routing interface. Cost factors may be the distance of a router (round‐
trip time), data throughput of a link, or link availability and reliability, expressed as simple unit‐less numbers. This provides a dynamic process of traffic load balancing between routes of equal cost. An OSPF network may be structured, or subdivided, into routing areas to simplify administration and optimize traffic and resource utilization. Areas are identified by 32‐bit numbers, expressed either simply in decimal, or often in octet‐based dot‐decimal notation, familiar from IPv4 address notation. Scenario Application Timing When the administrator of the gateway wants to deploy one OSPF gateway in a large enterprise and expects the gateway to learn its routing table by using OSPF protocol from the enterprise backbone. The OSPF gateway will forward its routing information to other routers that are under the gateway and not linked to the enterprise backbone. Scenario Description The OSPF gateway gathers routing information from the backbone gateways in area 0 by 188
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. using OSPF dynamic routing protocol. The OSPF gateway will forward its routing information to other routers that are under the gateway and not linked to the enterprise backbone. Parameter Setup Example Following tables list the parameter configuration as an example for the OSPF gateway in above diagram. Use default value for those parameters that are not mentioned in the tables. [Dynamic Routing]‐[OSPF Configuration]
Configuration Path OSPF Backbone Subnet Configuration Path ID Area Subnet Area ID Area ■ Enable
10.0.0.0/16
[Dynamic Routing]‐[OSPF Area List]
1
2
10.0.75.0/24
10.0.76.0/24 10.0.75.254
10.0.76.254 ■ Enable
■ Enable Scenario Operation Procedure In above diagram, the OSPF Gateway is one gateway of the enterprise backbone (area code is 0.0.0.0 and area subnet is 10.0.0.0/16) and it links with other OSPF gateways in the backbone. It dominates two areas of subnets: area 1 with area code is 10.0.75.254 and area subnet is 10.0.75.0/24, and area 2 with area code is 10.0.76.254 and area subnet is 10.0.76.0/24. By operating with OSPF protocol, the OSPF gateway can gather the routing information from other OSPF gateways in the enterprise backbone. And then it forwards the routing information to the routers in its dominated areas. Finally, the routers in the dominated areas of the OSPF Gateway know the shortest routing path for each destination IP address of outgoing packets. 189
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. BGP Scenario Border Gateway Protocol (BGP) is a standardized exterior gateway protocol designed to exchange routing and reachability information between autonomous systems (AS) on the Internet. The protocol is often classified as a path vector protocol but is sometimes also classed as a distance‐vector routing protocol. The Border Gateway Protocol makes routing decisions based on paths, network policies, or rule‐sets configured by a network administrator, and is involved in making core routing decisions. BGP may be used for routing within an AS. In this application it is referred to as Interior Border Gateway Protocol, Internal BGP, or iBGP. In contrast, the Internet application of the protocol may be referred to as Exterior Border Gateway Protocol, External BGP, or eBGP. Scenario Application Timing Most Internet service providers (ISPs) must use BGP to establish routing between one another (especially if they are multi‐homed). Very large private IP networks use BGP internally. An example would be the joining of a number of large OSPF (Open Shortest Path First) networks where OSPF by itself would not scale to size. Another reason to use BGP is multi‐homing a network for better redundancy, either to multiple access points of a single ISP or to multiple ISPs. 190
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Scenario Description The BGP gateway dominates an autonomous system (AS) of networking and links with some other border gateways for exchanging routing information. The BGP gateway will distribute the collected routing information in its dominated AS. Then all routers in the AS know how to route packets to other AS. Parameter Setup Example Following tables list the parameter configuration as an example for the BGP gateway in above diagram. Use default value for those parameters that are not mentioned in the tables. Configuration Path BGP Self ID Configuration Path ID Neighbor IP Neighbor ID Neighbor [Dynamic Routing]‐[BGP Configuration]
■ Enable 100 [Dynamic Routing]‐[BGP Neighbor List]
1 2
3
4 10.101.0.1 10.102.0.1
10.103.0.1
10.104.0.1
101 102
103
104 ■ Enable ■ Enable
■ Enable
■ Enable
Scenario Operation Procedure In above diagram, the BGP Gateway is one gateway of its dominated AS (self IP is 10.100.0.1 and self ID is 100) and it links with other BGP gateways in the Internet. The scenario is like the networking in one ISP to be linked with the ones in other ISPs. By operating with BGP protocol, the BGP gateway can gather the routing information from other BGP gateways in the Internet. And then it forwards the routing information to the routers in its dominated AS. Finally, the routers in the dominated AS of the BGP Gateway know how to route packets to other AS. 191
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Dynamic Routing Setting The dynamic routing setting allows user to customize RIP, OSPF, and BGP protocol through the router based on their office setting. In the "Dynamic Routing" page, there are seven configuration windows for dynamic routing feature. They are the "RIP Configuration" window, "OSPF Configuration" window, "OSPF Area List", "OSPF Area Configuration", "BGP Configuration", "BGP Neighbor List" and "BGP Neighbor Configuration" window. RIP, OSPF and BGP protocols can be configured individually. The "RIP Configuration" window lets you choose which version of RIP protocol to be activated or disable it. The "OSPF Configuration" window can let you activate the OSPF dynamic routing protocol and specify its backbone subnet. Moreover, the "OSPF Area List" window lists all defined areas in the OSPF network. However, the "BGP Configuration" window can let you activate the BGP dynamic routing protocol and specify its self ID. The "BGP Neighbor List" window lists all defined neighbors in the BGP network. Go to Basic Network > Routing > Dynamic Routing Tab. Enable Dynamic Routing Just check the "Enable" box to activate the "Dynamic Routing" feature. Configuration Item Value setting Dynamic Routing The box is unchecked by default Description
Check the Enable box to activate this function 192
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Enable RIP The RIP configuration setting allows user to customize RIP protocol through the router based on their office setting. RIP Configuration Item Value setting RIP Enable Disable is set by default Description
Select Disable will disable RIP protocol. Select RIP v1 will enable RIPv1 protocol. Select RIP v2 will enable RIPv2 protocol. Enable OSPF The OSPF configuration setting allows user to customize OSPF protocol through the router based on their office setting. OSPF Configuration Item Value setting Description
OSPF Click Enable box to activate the OSPF protocol. Router ID Authentication Disable is set by default 1. IPv4 Format 2. A Must filled setting None is set by default The Router ID of this router on OSPF protocol The Authentication method of this router on OSPF protocol. Select None will disable Authentication on OSPF protocol. Select Text will enable Text Authentication with entered the Key in this 193
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. field on OSPF protocol. Select MD5 will enable MD5 Authentication with entered the ID and Key in these fields on OSPF protocol. Backbone Subnet 1. Classless Inter Domain Routing (CIDR) Subnet Mask Notation. (Ex: The Backbone Subnet of this router on OSPF protocol. 192.168.1.0/24) 2. A Must filled setting Create/Edit OSPF Area Rules The router allows you to custom your OSPF Area List rules. It supports up to a maximum of 32 rule sets. When Add button is applied, OSPF Area Rule Configuration screen will appear. OSPF Area Configuration
Item Value setting Area Subnet Area ID Area Save 1. Classless Inter Domain Routing (CIDR) Subnet Mask Notation. (Ex: 192.168.1.0/24) 2. A Must filled setting 1. IPv4 Format 2. A Must filled setting The box is unchecked by default. N/A Description
The Area Subnet of this router on OSPF Area List. The Area ID of this router on OSPF Area List. Click Enable box to activate this rule. Click the Save button to save the configuration 194
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Enable BGP The BGP configuration setting allows user to customize BGP protocol through the router based on their office setting BGP Network Configuration Item Value setting Description
BGP Check the Enable box to activate the BGP protocol. ASN Router ID The box is unchecked by default 1. Numberic String Format 2. A Must filled setting 1. IPv4 Format 2. A Must filled setting The ASN Number of this router on BGP protocol. The Router ID of this router on BGP protocol. Create/Edit BGP Network Rules The router allows you to custom your BGP Network rules. It supports up to a maximum of 32 rule sets. When Add button is applied, BGP Network Rule Configuration screen will appear. 195
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Item Value setting Description
Network Subnet 1. IPv4 Format 2. A Must filled setting The box is unchecked by default. N/A The Network Subnet of this router on BGP Network List. It composes of entered the IP address in this field and the selected subnet mask. Network Save Click Enable box to activate this rule. Click the Save button to save the configuration Create/Edit BGP Neighbor Rules The router allows you to custom your BGP Neighbor rules. It supports up to a maximum of 32 rule sets. When Add button is applied, BGP Neighbor Rule Configuration screen will appear. BGP Neighbor Configuration Item Value setting Neighbor IP Remote ASN Neighbor Save 1. IPv4 Format 2. A Must filled setting 1. Numberic String Format 2. A Must filled setting The box is unchecked by default. N/A Description
The Neighbor IP of this router on BGP Neighbor List. The Remote ASN of this router on BGP Neighbor List. Click Enable box to activate this rule. Click the Save button to save the configuration 196
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 3.b.5 Routing Information The routing information allows user to view the routing table and policy routing information based on their office setting. Policy Routing Information is available when the Load Balance function is enabled and the Load Balance Strategy is By User Policy. Go to Basic Network > Routing > Routing Information Tab. Routing Table Item Value setting Description
Destination IP Subnet Mask Gateway IP Metric Interface N/A N/A N/A N/A N/A Routing record of Destination IP. IPv4 Format. Routing record of Subnet Mask. IPv4 Format. Routing record of Gateway IP. IPv4 Format. Routing record of Metric. Numeric String Format. Routing record of Interface Type. String Format. Policy Routing Information Item Value setting Policy Routing Source Source IP Destination IP Destination Port WAN Interface Description
N/A Policy Routing of Source. String Format. N/A N/A N/A N/A Policy Routing of Source IP. IPv4 Format. Policy Routing of Destination IP. IPv4 Format. Policy Routing of Destination Port. String Format. Policy Routing of WAN Interface. String Format. 197
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 3.d DNS & DDNS How does user access your server if your WAN IP address changes all the time? One way is to register a new domain name, and maintain your own DNS server. Another simpler way is to apply a domain name to a third‐party DDNS service provider. The service can be free or charged. If you want to understand the basic concepts of DNS and Dynamic DNS, you can refer to Wikipedia website7,8. 3.d.1 DNS & DDNS Configuration To host your server on a changing IP address, you have to use dynamic domain name service (DDNS). Therefore, anyone wishing to reach your host only needs to know the domain name. Dynamic DNS will map the name of your host to your current IP address, which changes each time you connect your Internet service provider. In short, the Dynamic DNS service allows the gateway to alias a public dynamic IP address to a static domain name, allowing the gateway to be more easily accessed from various locations on the Internet. The user has to register a domain name to a third‐party DDNS service provider to use DDNS function. Once the IP address of a WAN interface in the gateway has changed, the dynamic DNS agent in the gateway will inform the DDNS server with the new IP address. The server automatically re‐maps your domain name with the changed IP address. So, other hosts in the Internet world will be able to link to your gateway by using your domain name regardless of the changing global IP address. Dynamic DNS Scenario 7 http://en.wikipedia.org/wiki/Domain_Name_System 8 http://en.wikipedia.org/wiki/Dynamic_DNS
198
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Scenario Application Timing When the IP address of the Gateway is often changed by ISP, and other hosts in the Internet want to link to the gateway device by using its corresponding domain name, the gateway must provide the dynamic DNS function to carry out the requirement. Scenario Description Apply one account to the DDNS provider for DDNS service before DDNS function in the gateway can work. The gateway asks the DDNS server to re‐map the domain name and WAN's IP address of the gateway once the IP address has been changed. Parameter Setup Example Following table lists the parameter configuration as an example for the gateway in above diagram with "Dynamic DNS" enabling. Use default value for those parameters that are not mentioned in the table. Configuration Path DDNS Provider Host Name Username / E‐mail Password / Key [Dynamic DNS]‐[Dynamic DNS]
■ Enable
No‐IP.com
JP‐NB
Chinghuihsieh
ddnspassword
Scenario Operation Procedure In above diagram, the Gateway is the gateway of Network‐A and the subnet of its Intranet is 10.0.75.0/24. The gateway has the IP address of 10.0.75.2 for LAN interface and gets a dynamic IP 118.18.81.33 for WAN‐1 interface. It serves as a NAT router. Configure the required parameters for DDNS function by referring to above setup example. When the gateway has booted up and has gotten a dynamic IP address for the WAN interface, the DDNS agent in the gateway tries to request the DDNS server with the mapping between the domain name and the obtained WAN IP address of the gateway. The DDNS server broadcasts the mapping to other DNS servers for DNS hosting service in the Internet world. So, other hosts in the Internet can link to the gateway by using the domain name. Once the gateway has dynamically changed its WAN IP address from ISP, the DDNS agent tries again to request the DDNS server with the re‐mapping between the domain name and 199
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. the new WAN IP address of the gateway. The DDNS server broadcasts again the new mapping to other DNS servers for DNS hosting service in the Internet world. Finally, other hosts in the Internet can still link to the gateway by using the domain name, even the WAN IP address of the gateway has changed. 200
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. DNS & DDNS Setting The DNS & DDNS setting allows user to create/modify pre‐defined domain name list and setup Dynamic DNS feature. Go to Basic Network > DNS & DDNS > Configuration Tab. Create/Edit Pre‐defined Domain Name List The router allows you to custom your pre‐defined domain name list. It supports up to a maximum of 128 sets. When Add button is applied, Pre‐defined Domain Name Configuration screen will appear. Pre‐defined Domain Name Configuration
Item Value setting Description
Domain Name IP Address Definition Enable 1. String format can be any text 2. A Must filled setting 1. IPv4 format 2. A Must filled setting Save Undo The box is unchecked by default. N/A N/A Back N/A Enter a domain name that mapping the IP Address. Enter a IP Address that mapping the Domain Name. Click Enable box to activate this rule. Click Save to save the settings Click Undo to cancel the settings When the Back button is clicked the screen will return to the Dynamic DNS configuration page. 201
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Setup Dynamic DNS The router allows you to custom your Dynamic DNS settings. DDNS (Dynamic DNS) Configuration Item Value setting Description
The box is unchecked by default WAN Interface WAN 1 is set by default DynDNS.org (Dynamic) is Provider set by default 1. String format can be Host Name any text 2. A Must filled setting 1. String format can be User Name / E‐
any text Mail 2. A Must filled setting 1. String format can be Password / Key any text 2. A Must filled setting Save N/A Undo N/A DDNS Check the Enable box to activate this function. Select the WAN Interface IP Address of the router. Your DDNS provider of Dynamic DNS. Your registered host name of Dynamic DNS. Your User name or E‐mail addresss of Dynamic DNS. Your Password or Key of Dynamic DNS. Click Save to save the settings Click Undo to cancel the settings 202
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 3.f QoS The total amount of data traffic increases nowadays as the higher demand of mobile applications, like Game / Chat / VoIP / P2P / Video / Web access. In order to pose new requirements for data transport, e.g. low latency, low data loss, the entire network must ensure them via a connection service guarantee. The main goal of QoS (Quality of Service) is prioritizing incoming data, and preventing data loss due to factors such as jitter, delay and dropping. Another important aspect of QoS is ensuring that prioritizing one data flow doesn’t interfere with other data flows. So, QoS helps to prioritize data as it enters your router. By attaching special identification marks or headers to incoming packets, QoS determines which queue the packets enter, based on priority. This is useful when there are certain types of data you want to give higher priority to, such as voice packets given higher priority than Web data packets. To utilize your network throughput completely, administrator must define bandwidth control rules carefully to balance the utilization of network bandwidth for all users to access. It is indeed required that an access gateway satisfies the requirements of latency‐critical applications, minimum access right guarantee, fair bandwidth usage for same subscribed condition and flexible bandwidth management. AMIT Security Gateway provides a Rule‐based QoS to carry out the requirements. 3.f.1 QoS Configuration This gateway provides lots of flexible rules for you to set QoS policies. Basically, you need to know three parts of information before you create your own policies. First, “who” needs to be managed? Second, “what” kind of service needs to be managed? The last part is “how” you prioritize. Once you have this information, you can continue to learn functions in this section in more detail. QoS Rule Configuration When you want to add a new QoS rule or edit one already existed, the "QoS Rule Configuration" window shows up for you to configure. The parameters in a rule include the applied WAN interfaces, the dedicated host group based on MAC address or IP address, the dedicated kind of service packets, the system resource to be distributed, the corresponding control function for your specified resource, the packet flow direction, the sharing method for the control function, the integrated time schedule rule and the rule activation. Following diagram illustrates how to organize an QoS rule. 203
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. In above diagram, a QoS rule is organized by the premise part and the conclusion part. In the premise part, you must specify the WAN interface, host group, service type in the packets, packet flow direction to be watched and the sharing method of group control or individual control. However, in the conclusion part, you must make sure which kind of system resource to distribute and the control function based on the chosen system resource for the rule. The Rule‐based QoS has following features. Multiple Group Categories Specify the group category in a QoS rule for the target objects to be applied on. Group Category can be based on VLAN ID, MAC Address, IP Address, Host Name or Packet Length. Differentiated Services Specify the service type in a QoS rule for the target packets to be applied on. Differentiated services can be based on 802.1p, DSCP, TOS, VLAN ID, User‐defined Services and Well‐
known Services. Well‐known services include FTP(21), SSH(TCP:22), Telnet(23), SMTP(25), DNS(53), TFTP(UDP:69), HTTP(TCP:80), POP3(110), Auth(113), SFTP(TCP:115), SNMP&Traps(UDP:161‐162), LDAP(TCP:389), HTTPS(TCP:443), SMTPs(TCP:465), ISAKMP(500), RTSP(TCP:554), POP3s(TCP:995), NetMeeting(1720), L2TP(UDP:1701) and PPTP(TCP:1723). Available Control Functions 204
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. There are 4 resources can be applied in a QoS rule: bandwidth, connection sessions, priority queues and DiffServ Code Point (DSCP). Control function that acts on target objects for specific services of packet flow is based on these resources. For bandwidth resource, control functions include guaranteeing bandwidth and limiting bandwidth. For priority queue resource, control function is setting priority. For DSCP resource, control function is DSCP marking. The last resource is Connection Sessions; the related control function is limiting connection sessions. Individual / Group Control One QoS rule can be applied to individual member or whole group in the target group. This feature depends on model. Outbound / Inbound Control One QoS rule can be applied to the outbound or inbound direction of packet flow, even them both. This feature depends on model. Two QoS rule examples are listed as below.  "DSCP" Type of QoS Rule Example Scenario Application Timing When the administrator of the gateway wants to convert the code point value, "IP Precedence 4(CS4)", in the packets from some client hosts (IP 10.0.75.196~199) to the code value, "AF Class2(High Drop)", he can use the "Rule‐based QoS" function to carry out this rule by defining an QoS rule as shown in above diagram. Scenario Description Convert the code point value from "IP Precedence 4(CS4)" to "AF Class2(High Drop)" for 205
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. incoming packets from some client hosts in the Intranet. Parameter Setup Example Following tables list the parameter configuration as an example for the gateway in above diagram with "Rule‐based QoS" enabling. Use default value for those parameters that are not mentioned in the tables. Configuration Path Rule‐based QoS Flexible Bandwidth Management [Rule‐based QoS]‐[Configuration]
Configuration Path Interface Group Service Resource Control Function QoS Direction Sharing Method Time Schedule Rule Scenario Operation Procedure [Rule‐based QoS]‐[QoS Rule Configuration] ■ Enable
■ Enable
All WANs
IP 10.0.75.196 Subnet Mask: 255.255.255.252 (/30)
DSCP DiffServ Code Point IP Precedence 4(CS4) DiffServ Code Points
DSCP Marking AF Class2(High Drop) Inbound
Group Control
(0) Always
■ Enable
This rule means IP packets from all WAN interfaces to LAN IP address 10.0.75.196 ~ 10.0.75.199 which have DiffServ code points with “IP Precedence 4(CS4)” value will be modified by “DSCP Marking” control function with “AF Class 2(High Drop)” value at any time.  "Connection Sessions" Type of QoS Rule Example 206
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Scenario Application Timing When the administrator of the gateway wants to limit the connection sessions from some client hosts (IP 10.0.75.16~31) to 20000 sessions totally for accessing the Internet, he can use the "Rule‐based QoS" function to carry out it by defining an QoS rule as shown in above diagram. Scenario Description Specify the maximum connection sessions from some client hosts (IP 10.0.75.16~31) for accessing the Internet. Parameter Setup Example Following tables list the parameter configuration as an example for the gateway in above diagram with "Rule‐based QoS" enabling. Use default value for those parameters that are not mentioned in the tables. Configuration Path Rule‐based QoS Flexible Bandwidth Management [Rule‐based QoS]‐[Configuration]
Configuration Path Interface Group Service Resource Control Function QoS Direction Sharing Method [Rule‐based QoS]‐[QoS Rule Configuration] ■ Enable
■ Enable
WAN‐1
IP 10.0.75.16 Subnet Mask: 255.255.255.240 (/28)
All
Connection Sessions
Set Session Limitation 20000
Outbound
Group Control
207
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. (0) Always
Time Schedule Rule Scenario Operation Procedure ■ Enable
This rule defines that all client hosts, whose IP address is in the range of 10.0.75.16~31, can access the Internet via "WAN‐1" interface under the limitation of the maximum 20000 connection sessions totally at any time 208
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. QoS Configuration Setting In "QoS Configuration" page, there are some configuration windows for QoS function. They are the "Configuration" window, “System Resource Configuration” window, "QoS Rule List" window, and "QoS Rule Configuration" window. The "Configuration" window can let you activate the Rule‐based QoS function. In addition, you can also enable the "Flexible Bandwidth Management" (FBM) feature for better utilization of system bandwidth by FBM algorithm. Second, the “System Configuration” window can let you configure the total bandwidth and session of each WAN. Third, the "QoS Rule List" window lists all your defined QoS rules. At last, the "QoS Rule Configuration" window can let you define one QoS rule. Go to Basic Network > QoS > Configuration tab. Enable QoS Function Configuration Item Value Setting QoS Type Flexible Bandwidth Management Save 1. Software is selected by default. 2. The box is unchecked by default. The box is unchecked by default N/A Description
Select the QoS Type from the dropdown list, and then click Enable box to activate the QoS function. The default QoS type is set to Software QoS. For some models, there is another option for Hardware QoS. Click Enable box to activate the Flexible Bandwidth Management function.
Click the Save button to save the settings.
Check the "Enable" box to activate the "Rule‐based QoS" function. Also enable the FBM feature when needed. When FBM is enabled, system adjusts the bandwidth distribution dynamically based on current bandwidth usage situation to reach maximum system network performance while transparent to all users. Certainly, the bandwidth subscription profiles of all current users are considered in system's automatic adjusting algorithm. Ensure QoS and Bandwidth are enabled and saved to further configure the detailed QoS settings. 209
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Setup System Resource System Resource Configuration Item Value Setting Total Priority Queues of All WANs 1. A Must filled setting. 2. 6 is set by default. WAN Interface WAN‐1 is selected by default. Save N/A Description
Define the total priority queues that are available for the QoS settings that required to specifying Priority Queues of Resource. It is also related to default banwidth of WANs. Select the WAN interface and then the following WAN Interface Resource
screen will show the related resources for configuration. 
Bandwidth of Upstream Specify total upload bandwidth of the selected WAN. 
Bandwidth of Downstream Specify total download bandwidth of the selected WAN. 
Total Connection Sessions Specify total connection sessions of the selected WAN. Click the Save button to save the settings.
Each WAN interface should be configured carefully for its upstream bandwidth, downstream bandwidth and maximum number of connection sessions. 210
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Create/Edit QoS Rules After enabled the QoS function and configured the system resources, you have to further specify some QoS rules for provide better service on the interested traffics. The gateway supports up to a maximum of 128 rule‐based QoS rule sets. When Add button is applied, QoS Rule Configuration screen will appear. QoS Rule Configuration Item Value setting Interface Group 1. A Must filled setting. 2. All WANs is selected by default. 1. A Must filled setting. 2. Src. MAC Address is selected by default. Description Specify the WAN interface to apply the QoS rule. Select All WANs or a certain WAN‐n to filter the packets entering to or leaving from the interface(s). Specify the Group category for the QoS rule. It can be Src. MAC Address, IP, or Host Name. Select Src. MAC Address to prioritize packets based on MAC. Configure Service in the next line then go to Resource_1. Select IP to prioritize packets based on IP address and Subnet Mask. Configure Service in the next line, then go to Resource_2. Select Host Name to prioritize packets based on a group of a pre‐
configured group of host from the dropdown list. If the dropdown list is empty, ensure if any group is pre‐configured. Configure Service in the next line, then go to Resource_3. 211
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Service 1. A Must filled setting. 2. All is selected by default. Resource, and Control Function A Must filled setting QoS Direction 1. A Must filled setting. 2. Outbound is selected by default. Note: The required host groups must be created in advance and
corresponding QoS checkbox in the Multiple Bound Services field is checked before the Host Group option become available. Refer to Object Definition > Grouping > Host Grouping. Specify the service type of traffics that have to be applied with the QoS rule. It can be All, DSCP, TOS, User‐defined Service, or Well‐known Service. Select All for all packets. Select DSCP for DSCP type packets only. Select TOS for TOS type packets only. You have to select a service type (Minimize‐Cost, Maximize‐Reliability, Maximize‐Throughput, or Minimize‐Delay) from the dropdown list as well. Select User‐defined Service for user‐defined packets only. You have to define the port range and protocol as well. Select Well‐known Service for specific application packets only. You have to select the required service from the dropdown list as well. Specify the Resource Type and corresponding Control function for the QoS rule. The available Resource options are Bandwidth, Connection Sessions, Priority Queues, and DiffServ Codepoints. Bandwidth: Select Bandwidth as the resource type for the QoS Rule, and you have to assign the min rate, max rate and rate unit as the bandwidth settings in the Control Function / Set MINR & MAXR field. Connection Sessions: Select Connection Sessions as the resource type for the QoS Rule, and you have to assign supported session number in the Control Function / Set Session Limitation field. Priority Queues: Select Priority Queues as the resource type for the QoS Rule, and you have to specify a priority queue in the Control Function / Set Priority field. DiffServ Code Points: Select DiffServ Code Points as the resource type for the QoS Rule, and you have to select a DSCP marking from the Control Function / DSCP Marking dropdown list. Specify the traffic flow direction for the packets to apply the QoS rule.
It can be Outbound, Inbound, or Both. Outbound: Select Outbound to prioritize the traffics going to the Internet via the specified interface. Under such situation, the hosts specified in the Group field is a source group. Inbound: Select Inbound to prioritize the traffics coming from the Internet via the specified interface. Under such situation, the hosts specified in the Group field is a destination group. 212
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Sharing Method Time Schedule Rule Enable Save 1. A Must filled setting. 2. Group Control is selected by default. 1. A Must filled setting. 2. (0) Always is selected by default. The box is unchecked by default. N/A Both: Select both to prioritize the traffics passing through the specified interface, both Inbound and Outbound are considered. Under such situation, the hosts specified in the Group field can be a source or destination group. Specify the preferred sharing method for how to apply the QoS rule on the selected group. It can be Individual Control or Group Control. Individual Control: If Individual Control is selected, each host in the group will have his own QoS service resource as specified in the rule. Group Control: If Group Control is selected, all the group hosts share the same QoS service resource. Apply Time Schedule to this rule, otherwise leave it as (0) Always. (refer to Object Definition > Scheduling > Configuration settings) Click Enable box to activate this QoS rule.
Click the Save button to save the settings.
213
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Chapter 5 Object Definition 5.1 Scheduling Scheduling provides ability of adding/deleting time schedule rules, which can be applied to other functionality. Go to Object Definition > Scheduling > Configuration tab. Button description Item Value setting Description
Add Delete Click the Add button to configure time schedule rule Click the Delete button to delete selected rule(s) N/A N/A 214
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. When Add button is applied, Time Schedule Configuration and Time Period Definition screen will appear. Time Schedule Configuration Item Value Setting Description
Rule Name Rule Policy Set rule name Inactivate/activate the function been applied to in the time period below String: any text Default Inactivate Time Period Definition Item Value Setting Description
Week Day Start Time End Time Select everyday or one of weekday Start time in selected weekday End time in selected weekday Select from menu Time format (hh :mm) Time format (hh :mm) 215
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 5.3 User You can manage user account in this section, including user list, user profile and user group. User List shows out all user accounts, and User Profile can let you add one new account or edit it. User Group offers you to collect several user accounts to one group to own same properties and bound services. Certainly, one individual user account also can be a unique group, like “Administrator” group. User account database is embedded in the device and accessible by the AAA server, like RADIUS, for user authentication. So, it has the following feature set. 
Supports Multiple User Levels in User Management  One user account includes following information: name, password, user level, lease time, idle timeout and the group that it belongs to.  Support 4 different user levels: Admin, Staff, Guest and Passenger.  Remaining lease time and idle time are kept for each user account after they have logged in the gateway device successfully.  Each individual can be one group by itself or join other defined groups to own common properties.  Support the exporting and importing of user profiles.  User groups with their owned name can be bound with multiple services, like X‐Auth, NAS*, RADIUS, VPN, Accounting & Billing, SNMPv3 and CLI.  Administrator can define the access policy and bandwidth control in a flexible way for a user object in a rule. The user object can be an individual user or a user group. 5.3.1 User List User List can show the list of all user accounts and their status of on‐line or offline in this window. You can add one new rule by clicking on the “Add” command button. But also you can modify some existed user accounts by clicking corresponding “Edit” command buttons at the end of each account record in the User List. Besides, unnecessary accounts can be removed by checking the “Select” box for those accounts and then clicking on the “Delete” command button at the User List caption. The showing of user status can be refreshed in a period that is defined by you. Go to Object Definition > User > User List tab. User List displays the user name, user level, membership group name, IP address, on‐line status and activity status as following diagram. 216
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. There are some additional command buttons in the Actions field of User List table. Edit: Click on the button to edit the user profile. Disable: Click the button to disable the user account. Logout: Click the button to logout the user account. Detail: Click the button to show additional detail information except the ones in User List about the user account, including Last Login Time, Lease Time, Expired Time, Idle Timeout and current Idle Time. Select: Select the user account to delete. When the Add button is applied, User Profile Configuration screen will appear. For the detail about the configuration, please refer to the next section for User Profile. 217
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 5.3.3 User Profile User Profile supports the adding of one new user account or the editing of existed user profiles. There are some parameters need to be specified in one user profile. They are User Name, Password, User Level, Lease Time, Idle Timeout, Group to and finally, the user profile enable. Go to Object Definition > User > User Profile tab. User Profile Configuration
Item Value setting User Name Password 1. String format can be any text 2. A Must filled setting 1. String format can be any text 2. A Must filled setting User Level 1. Admin is selectedby default. 2. A Must filled setting Lease Time 1. Number format can be any integer number. Description
Enter the name of user account. Enter the password of user account. Select a User Level for the user account. There are 4 available user levels for you to select, including “Admin”, “Staff”, “Guest” and “Passenger”. Admin level of user account can let the user configure the device with fully control ability. Staff level of users can access both the Intranet resources and the Internet resources. Guest level of user account can use limited bandwidth to access Internet, but can’t access the Intranet. Passenger level of user account is for mobile users to use the device to access the Internet. He will use fair and average bandwidth utilization with other passengers. Specify the lease time (in seconds) for the user account to login the device.
The device will logout the user account if he has logined for the time longer than the Lease Timeout. 218
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Idle Time Group to Profile Save Undo 2. An Optional setting 1. Number format can be any integer number. 2. An Optional setting 1. String format can be any text 2. An Optional setting 1. The box is checked by default. 2. A Must filled setting N/A N/A Specify the idle time (in seconds) for the user account. The device will logout the user account if he is idle for the time longer than the Idle Timeout. Enter a group name if you would like to collect the user in a certain user group. Check the Enable box to activate the user profile. Click the Save button to save the settings Click the Undo button to cancel the settings 219
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 5.3.5 User Group User Group supports the grouping of several user accounts to be one user group with common properties. There are some parameters need to be specified in one user group. They are Group Name, Group Members, Bound Services, QoS&BWM Property, Policy Routing Property and finally, the user group enable. . Go to Object Definition > User > User Group tab. When the Add button is applied, User Group Configuration screen will appear.
User Profile Configuration
Item Value setting Description
Group Name 1. String format can be any text 2. A Must filled setting Enter the name of user group. Multiple User Members N/A Click the Choice button to select multiple user accounts to join the group. Multiple Bound Services N/A Check the available service box(es) to bound with the user group. So, the bound service can use the group object or all user account objects in the group. QoS & BWM Property 1. A Must filled setting. 2. Individual Control is selected by default. Specify the preferred sharing method for how to apply a QoS rule on the selected group, and define the guaranteed and limited bandwidth usage for the group It can be Individual Control or Group Control. Individual Control: If Individual Control is selected, each user in the group 220
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. will have his own QoS service resource as specified in the rule. Group Control: If Group Control is selected, all the user group share the same QoS service resource. Policy Routing Property Group Save Undo 1. A Must filled setting. 2. WAN‐1 is selected by default. 1. The box is checked by default. 2. A Must filled setting N/A N/A Specify the routing interface. All packets from the group members will be routed via the specified interface. Check the Enable box to activate the user group. Click the Save button to save the settings Click the Undo button to cancel the settings 221
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 5.5 Grouping The Grouping function allows user to make group for some services. 5.5.1 Host Grouping Go to Object Definition > Grouping > Host Grouping tab. The Host Grouping function allows user to make host group for some services, such as QoS, Firewall, and Communication Bus. The supported service types could be different for the purchased product. When Add button is applied, Host Group Configuration screen will appear. Host Group Configuration
Item Value setting Group Name Member List Multiple Bound Services 1. String format can be any text 2. A Must filled setting NA The boxes are unchecked by default Description
Enter a group name for the rule.It is a name that is easy for you to understand. This field will indicate the hosts (members) contained in the group. Binding the services that the host group can be applied. If you enable the Firewall, the produced group can be used in firewall service. Same as by enable Qos and Communication Bus. Note: The supported service type can be different for the purchased product. 222
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Member Type 1. IP Address‐based is selected by default. 2. A Must filled setting Member to Join N/A Group The box is unchecked by default Select the member type for the host group. It can be IP Address‐based, MAC Address‐based, or Host Namve‐based. When IP Address‐based is selected, only IP address can be added in Member to Join. When MAC Address‐based is selected, only MAC address can be added in Member to Join. When Host Name‐based is selected, only host name can be added in Member to Join. Add the members to the group in this field. You can enter the member information as specified in the Member Type above, and press the Join button to add. Only one member can be add at a time, so you have to add the members to the group one by one. Check the Enable checkbox to activate the host group rule. So that the group can be bound to selected service(s) for further configuration. 223
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 5.7 External Server The External Server setting allows user to add external server. Go to Object Definition > External Server > External Server tab. Create external server When Add button is applied, External Server Configuration screen will appear. 224
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. External Server Configuration Item Sever Name Server IP/FQDN Server Port Value setting 1. String format can be any text 2. A Must filled setting A Must filled setting A Must filled setting Description
Enter a server name. Enter a name that is easy for you to understand.. This field is to specify the external server IP. This field is to specify the external server port. Specify the Server Type of the external server, and enter the required settings for the accessing the server. Email Server (A Must filled setting) : When Email Server is selected, User Name, and Password are also required. User Name (String format: any text) Password (String format: any text) Server Type A Must filled setting RADIUS Server (A Must filled setting) : When RADIUS Server is selected, the following settings are also required. Accounting Port (A Must filled setting) Primary : Shared Key (String format: any text) Authentication Protocol (By default CHAP is selected) Session Timeout (By default 1) The values must be between 1 and 60. Idle Timeout: (By default 1) The values must be between 1 and 26. Secondary : Shared Key (String format: any text) Authentication Protocol (By default CHAP is selected) Session Timeout (By default 1) The values must be between 1 and 60. Idle Timeout: (By default 1) The values must be between 1 and 26. Active Directory Server (A Must filled setting) : When Active Directory Server is selected, Domain setting is also required. Domain (String format: any text) LDAP Server (A Must filled setting) : When LDAP Server is selected, the following settings are also required. Base DN (String format: any text) Identity (String format: any text) Password (String format: any text) UAM Server (A Must filled setting) : When UAM Server is selected, the following settings are also required. 225
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Server IP/FQDN A Must filled setting Server Port A Must filled setting Server Save Undo Refresh The box is checked by default N/A N/A N/A Login URL (String format: any text) Shared Secret (String format: any text) N/AS/Gateway ID (String format: any text) Location ID (String format: any text) Location Name (String format: any text) TACACS+ Server (A Must filled setting) : When TACACS+ Server is selected, the following settings are also required.
Shared Key (String format: any text) Session Timeout (String format: any number) The values must be between 1 and 60. SCEP Server (A Must filled setting) : When SCEP Server is selected, the following settings are also required. Path (String format: any text, By default cgi‐bin is filled) Application (String format: any text, By default pkiclient.exe is filled) Specify the IP address or FQDN used for the external server. Specify the Port used for the external server. If you selected a certain server type, the default server port number will be set. For Email Server 25 will be set by default; For Syslog Server, port 514 will be set by default; For RADIUS Server, port 1812 will be set by default; For Active Directory Server, port 389 will be set by default; For LDAP Server, port 389 will be set by default; For UAM Server, port 80 will be set by default; For TACACS+ Server, port 49 will be set by default; For SCEP Server, port 80 will be set by default; Click Enable to activate this External Server. Click the Save button to save the settings Click the Undo button to cancel the settings Click the Refresh button to refresh the external server list. 226
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 5.9 Certificate In cryptography, a public key certificate (also known as a digital certificate or identity certificate) is an electronic document used to prove ownership of a public key. The certificate includes information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are genuine. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner9. In a typical public‐key infrastructure (PKI) scheme, the signer is a certificate authority (CA), usually a company such as VeriSign which charges customers to issue certificates for them. In a web of trust scheme, the signer is either the key's owner (a self‐signed certificate) or other users ("endorsements") whom the person examining the certificate might know and trust. The device also plays as a CA role. Certificates are an important component of Transport Layer Security (TLS, sometimes called by its older name SSL), where they prevent an attacker from impersonating a secure website or other server. They are also used in other important applications, such as email encryption and code signing. Here, it can be used in IPSec tunneling for user authentication. 5.9.1 Configuration The configuration setting allows user to create Root Certificate Authority (CA) certificate and configure to set enable of SCEP. Root CA is the top‐most certificate of the tree, the private key of which is used to "sign" other certificates. Go to Object Definition > Certificate > Configuration tab. Create root CA When Generate button is applied, Root CA Certificate Configuration screen will appear. The required
information to be filled for the root CA includes the name, key, subject name and validity. 9 http://en.wikipedia.org/wiki/Public_key_certificate.
227
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Root CA Certificate Configuration Item Value setting Name 1. String format can be any text 2. A Must filled setting Key A Must filled setting Subject Name A Must filled setting Validity Period A Must filled setting Description
Enter a Root CA Certificate name. It will be a certificate file name This field is to specify the key attribute of certificate. Key Type to set public‐key cryptosystems. It only supports RSA now. Key Length to set s the size measured in bits of the key used in a cryptographic algorithm. Digest Algorithm to set identifier in the signature algorithm identifier of certificates This field is to specify the information of certificate. Country(C) is the two‐letter ISO code for the country where your organization is located. State(ST) is the state where your organization is located. Location(L) is the location where your organization is located. Organization(O) is the name of your organization. Organization Unit(OU) is the name of your organization unit. Common Name(CN) is the name of your organization. Email is the email of your organization. It has to be email address style. This field is to specify the validity period of certificate. Setup SCEP 228
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. SCEP Configuration Item Value setting SCEP The box is unchecked by default Automatically re‐enroll The box is unchecked by aging default certificates Description
Check the Enable box to activate SCEP function. When SCEP is activated, check the Enable box to activate this function. It will be automatically check which certificate is aging. If certificate is aging, it will activate SCEP function to re‐enroll automatically. 229
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 5.9.3 My Certificate My Certificate includes a Local Certificate List. Local Certificate List shows all generated certificates by the root CA for the gateway. And it also stores the generated Certificate Signing Requests (CSR) which will be signed by other external CAs. The signed certificates can be imported as the local ones of the gateway. Self‐signed Certificate Usage Scenario Scenario Application Timing When the enterprise gateway owns the root CA and VPN tunneling function, it can generate its own local certificates by being signed by itself or import any local certificates that are signed by other external CAs. Also import the trusted certificates for other CAs and Clients. In addition, since it has the root CA, it also can sign Certificate Signing Requests (CSR) to form corresponding certificates for others. These certificates can be used for two remote peers to make sure their identity during establishing a VPN tunnel. Scenario Description Gateway 1 generates the root CA and a local certificate (HQCRT) signed by itself. Import a trusted certificate (BranchCRT) –a BranchCSR certificate of Gateway 2 signed by root CA of Gateway 1. Gateway 2 creates a CSR (BranchCSR) to let the root CA of the Gateway 1 sign it to be the BranchCRT certificate. Import the certificate into the Gateway 2 as a local certificate. In addition, also import the certificates of the root CA of the Gateway 1 into the Gateway 2 as 230
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. the trusted ones. (Please also refer to following two sub‐sections) Establish an IPSec VPN tunnel with IKE and X.509 protocols by starting from either peer, so that all client hosts in these both subnets can communicate with each other. Parameter Setup Example For Network‐A at HQ Following tables list the parameter configuration as an example for the "My Certificate" function used in the user authentication of IPSec VPN tunnel establishing, as shown in above diagram. The configuration example must be combined with the ones in following two sections to complete the whole user scenario. Use default value for those parameters that are not mentioned in the tables. Configuration Path Name Key Subject Name [My Certificate]‐[Root CA Certificate Configuration]
HQRootCA Key Type: RSA Key Length: 1024‐bits
Country(C): TW State(ST): Taiwan Location(L): Tainan
Organization(O): AMITHQ Organization Unit(OU): HQRD Common Name(CN): HQRootCA E‐mail: hqrootca@amit.com.tw Configuration Path Name Key Subject Name [My Certificate]‐[Local Certificate Configuration]
HQCRT Self‐signed: ■
Key Type: RSA Key Length: 1024‐bits
Country(C): TW State(ST): Taiwan Location(L): Tainan
Organization(O): AMITHQ Organization Unit(OU): HQRD Common Name(CN): HQCRT E‐mail: hqcrt@amit.com.tw Configuration Path IPSec [IPSec]‐[Configuration]
Configuration Path Tunnel Tunnel Name Interface Tunnel Scenario Operation Mode [IPSec]‐[Tunnel Configuration]
Configuration Path Local Subnet Local Netmask Full Tunnel [IPSec]‐[Local & Remote Configuration]
■ Enable ■ Enable s2s‐101 WAN 1 Site to Site Always on 10.0.76.0 255.255.255.0 Disable 231
In‐Vehicle Hotspot Gateway
Remote Subnet Remote Netmask Remote Gateway Index skipping is used to reserve slots for new function insertion, when required. 10.0.75.0 255.255.255.0 118.18.81.33 Configuration Path Key Management Local ID Remote ID [IPSec]‐[Authentication]
Configuration Path Negotiation Mode X‐Auth [IPSec]‐[IKE Phase]
IKE+X.509 Local Certificate: HQCRT Remote Certificate: BranchCRT User Name Network‐A
User Name Network‐B
Main Mode None For Network‐B at Branch Office Following tables list the parameter configuration as an example for the "My Certificate" function used in the user authentication of IPSec VPN tunnel establishing, as shown in above diagram. The configuration example must be combined with the ones in following two sections to complete the whole user scenario. Use default value for those parameters that are not mentioned in the tables. Configuration Path Name Key Subject Name [My Certificate]‐[Local Certificate Configuration]
BranchCRT Self‐signed: □
Key Type: RSA Key Length: 1024‐bits
Country(C): TW State(ST): Taiwan Location(L): Tainan
Organization(O): AMITBranch Organization Unit(OU): BranchRD Common Name(CN): BranchCRT E‐mail: branchcrt@amit.com.tw Configuration Path IPSec [IPSec]‐[Configuration]
Configuration Path Tunnel Tunnel Name Interface Tunnel Scenario Operation Mode [IPSec]‐[Tunnel Configuration]
Configuration Path [IPSec]‐[Local & Remote Configuration]
■ Enable ■ Enable s2s‐102 WAN 1 Site to Site Always on 232
In‐Vehicle Hotspot Gateway
Local Subnet Local Netmask Full Tunnel Remote Subnet Remote Netmask Remote Gateway Configuration Path Key Management Local ID Remote ID Configuration Path Negotiation Mode X‐Auth Index skipping is used to reserve slots for new function insertion, when required. 10.0.75.0 255.255.255.0 Disable 10.0.76.0 255.255.255.0 203.95.80.22 [IPSec]‐[Authentication]
IKE+X.509 Local Certificate: BranchCRT Remote Certificate: HQCRT User Name Network‐B
User Name Network‐A
[IPSec]‐[IKE Phase]
Main Mode None Scenario Operation Procedure In above diagram, "Gateway 1" is the gateway of Network‐A in headquarters and the subnet of its Intranet is 10.0.76.0/24. It has the IP address of 10.0.76.2 for LAN interface and 203.95.80.22 for WAN‐1 interface. "Gateway 2" is the gateway of Network‐B in branch office and the subnet of its Intranet is 10.0.75.0/24. It has the IP address of 10.0.75.2 for LAN interface and 118.18.81.33 for WAN‐1 interface. They both serve as the NAT security gateways. Gateway 1 generates the root CA and a local certificate (HQCRT) that is signed by itself. Import the certificates of the root CA and HQCRT into the "Trusted CA Certificate List" and "Trusted Client Certificate List" of Gateway 2. Gateway 2 generates a Certificate Signing Request (BranchCSR) for its own certificate (BranchCRT) (Please generate one not self‐signed certificate in the Gateway 2, and click on the "View" button for that CSR. Just downloads it). Take the CSR to be signed by the root CA of Gateway 1 and obtain the BranchCRT certificate (you need rename it). Import the certificate into the "Trusted Client Certificate List" of the Gateway 1 and the "Local Certificate List" of Gateway 2. Gateway 2 can establish an IPSec VPN tunnel with "Site to Site" scenario and IKE and X.509 protocols to Gateway 1. Finally, the client hosts in two subnets of 10.0.75.0/24 and 10.0.76.0/24 can communicate with each other. 233
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. My Certificate Setting The My Certificate setting allows user to create local certificates. In "My Certificate" page, there are two configuration windows for the "My Certificate" function. The "Local Certificate List" window shows the stored certificates or CSRs for representing the gateway. The "Local Certificate Configuration" window can let you fill required information necessary for corresponding certificate to be generated by itself, or corresponding CSR to be signed by other CAs. Go to Object Definition > Certificate > My Certificate tab. Create local certificate When Add button is applied, Local Certificate Configuration screen will appear. The required
information to be filled for the certificate or CSR includes the name, key and subject name. It is a
certificate if the "Self-signed" box is checked, otherwise, it is a CSR. 234
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Local Certificate Configuration Item Value setting Name Key 1. String format can be any text 2. A Must filled setting A Must filled setting Subject Name A Must filled setting Extra Attributes A Must filled setting SCEP Enrollment A Must filled setting Description Enter a certificate name. It will be a certificate file name If Self‐signed is checked, it will be signed by root CA. If Self‐signed is not checked, it will generate a certificate signing request (CSR). This field is to specify the key attributes of certificate. Key Type to set public‐key cryptosystems. Currently, only RSA is supported. Key Length to set the length in bits of the key used in a cryptographic algorithm. It can be 512/768/1024/1536/2048. Digest Algorithm to set identifier in the signature algorithm identifier of certificates. It can be MD5/SHA‐1. This field is to specify the information of certificate. Country(C) is the two‐letter ISO code for the country where your organization is located. State(ST) is the state where your organization is located. Location(L) is the location where your organization is located. Organization(O) is the name of your organization. Organization Unit(OU) is the name of your organization unit. Common Name(CN) is the name of your organization. Email is the email of your organization. It has to be email address setting only. This field is to specify the extra information for generating a certificate.
Challenge Password for the password you can use to request certificate revocation in the future. Unstructured Name for additional information. This field is to specify the information of SCEP. If user wants to generate a certificate signing request (CSR) and then signed by SCEP server online, user can check the Enable box. Select a SCEP Server to identify the SCEP server for use. The server detailed information could be specified in External Servers. Refer to Object Definition > External Server > External Server. You may click Add Object button to generate. Select a CA Certificate to identify which certificate could be accepted by SCEP server for authentication. It could be generated in Trusted Certificates. Select an optional CA Encryption Certificate, if it is required, to identify which certificate could be accepted by SCEP server for encryption data information. It could be generated in Trusted Certificates. Fill in optional CA Identifier to identify which CA could be used for signing certificates. When Import button is applied, an Import screen will appear. You can import a certificate from an existed certificate file, or directly paste a PEM encoded string as the certificate. 235
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Import Item Value setting Description Import A Must filled setting PEM Encoded 1. String format can be any text 2. A Must filled setting Apply Cancel N/A N/A Select a certificate file from user’s computer, and click the Apply button to import the specified certificate file to the gateway. This is an alternative approach to import a certificate. You can directly fill in (Copy and Paste) the PEM encoded certificate string, and click the Apply button to import the specified certificate to the gateway. Click the Apply button to import the certificate. Click the Cancel button to discard the import operation and the screen will return to the My Certificates page. 236
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 5.9.5 Trusted Certificate Trusted Certificate includes Trusted CA Certificate List, Trusted Client Certificate List, and Trusted Client Key List. The Trusted CA Certificate List places the certificates of external trusted CAs. The Trusted Client Certificate List places the others' certificates what you trust. And the Trusted Client Key List places the others’ keys what you trusted. Self‐signed Certificate Usage Scenario Scenario Application Timing (same as the one described in "My Certificate" section) When the enterprise gateway owns the root CA and VPN tunneling function, it can generate its own local certificates by being signed by itself. Also imports the trusted certificates for other CAs and Clients. These certificates can be used for two remote peers to make sure their identity during establishing a VPN tunnel. Scenario Description (same as the one described in "My Certificate" section) Gateway 1 generates the root CA and a local certificate (HQCRT) signed by itself. Import a trusted certificate (BranchCRT) –a BranchCSR certificate of Gateway 2 signed by root CA of Gateway 1. Gateway 2 creates a CSR (BranchCSR) to let the root CA of the Gateway 1 sign it to be the BranchCRT certificate. Import the certificate into the Gateway 2 as a local certificate. In addition, also imports the certificates of the root CA of Gateway 1 into the Gateway 2 as the trusted ones. (Please also refer to "My Certificate" and "Issue Certificate" sections). Establish an IPSec VPN tunnel with IKE and X.509 protocols by starting from either peer, so that all client hosts in these both subnets can communicate with each other. 237
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Parameter Setup Example (same as the one described in "My Certificate" section) For Network‐A at HQ Following tables list the parameter configuration as an example for the "Trusted Certificate" function used in the user authentication of IPSec VPN tunnel establishing, as shown in above diagram. The configuration example must be combined with the ones in "My Certificate" and "Issue Certificate" sections to complete the setup for the whole user scenario. Configuration Path Command Button [Trusted Certificate]‐[Trusted Client Certificate List]
Configuration Path File [Trusted Certificate]‐[Trusted Client Certificate Import from a File] Import BranchCRT.crt For Network‐B at Branch Office Following tables list the parameter configuration as an example for the "Trusted Certificate" function used in the user authentication of IPSec VPN tunnel establishing, as shown in above diagram. The configuration example must be combined with the ones in "My Certificate" and "Issued Certificate" sections to complete the setup for the whole user scenario. Configuration Path Command Button [Trusted Certificate]‐[Trusted CA Certificate List]
Configuration Path File [Trusted Certificate]‐[Trusted CA Certificate Import from a File] Configuration Path Command Button [Trusted Certificate]‐[Trusted Client Certificate List]
Configuration Path File [Trusted Certificate]‐[Trusted Client Certificate Import from a File] Import HQRootCA.crt Import HQCRT.crt Scenario Operation Procedure (same as the one described in "My Certificate" section) In above diagram, the "Gateway 1" is the gateway of Network‐A in headquarters and the subnet of its Intranet is 10.0.76.0/24. It has the IP address of 10.0.76.2 for LAN interface and 203.95.80.22 for WAN‐1 interface. The "Gateway 2" is the gateway of Network‐B in branch office and the subnet of its Intranet is 10.0.75.0/24. It has the IP address of 10.0.75.2 for LAN interface and 118.18.81.33 for WAN‐1 interface. They both serve as the NAT security 238
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. gateways. In Gateway 2 import the certificates of the root CA and HQCRT that were generated and signed by Gateway 1 into the "Trusted CA Certificate List" and "Trusted Client Certificate List" of Gateway 2. Import the obtained BranchCRT certificate (the derived BranchCSR certificate after Gateway 1’s root CA signature) into the "Trusted Client Certificate List" of the Gateway 1 and the "Local Certificate List" of the Gateway 2. For more details, refer to the Network‐B operation procedure in "My Certificate" section of this manual. Gateway 2 can establish an IPSec VPN tunnel with "Site to Site" scenario and IKE and X.509 protocols to Gateway 1. Finally, the client hosts in two subnets of 10.0.75.0/24 and 10.0.76.0/24 can communicate with each other. 239
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Trusted Certificate Setting The Trusted Certificate setting allows user to import trusted certificates and keys. Go to Object Definition > Certificate > Trusted Certificate tab. Import Trusted CA Certificate When Import button is applied, a Trusted CA import screen will appear. You can import a Trusted CA certificate from an existed certificate file, or directly paste a PEM encoded string as the certificate. Trusted CA Certificate List Item Value setting Import from a File Import from a PEM A Must filled setting Apply Cancel N/A N/A 1. String format can be any text 2. A Must filled setting Description Select a CA certificate file from user’s computer, and click the Apply button to import the specified CA certificate file to the gateway. This is an alternative approach to import a CA certificate. You can directly fill in (Copy and Paste) the PEM encoded CA certificate string, and click the Apply button to import the specified CA certificate to the gateway. Click the Apply button to import the certificate. Click the Cancel button to discard the import operation and the screen will return to the Trusted Certificates page. Instead of importing a Trusted CA certificate with mentioned approaches, you can also get the CA 240
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. certificate from the SECP server. If SCEP is enabled (Refer to Object Definition > Certificate > Configuration), you can click Get CA button, a Get CA Configuration screen will appear. Get CA Configuration Item Value setting SCEP Server A Must filled setting CA Identifier 1. String format can be any text N/A N/A Save Close Description Select a SCEP Server to identify the SCEP server for use. The server detailed information could be specified in External Servers. Refer to Object Definition > External Server > External Server. You may click Add Object button to generate. Fill in optional CA Identifier to identify which CA could be used for signing certificates. Click Save to save the settings.
Click the Close button to return to the Trusted Certificates page.
Import Trusted Client Certificate When Import button is applied, a Trusted Client Certificate Import screen will appear. You can import a Trusted Client Certificate from an existed certificate file, or directly paste a PEM encoded string as the certificate. 241
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Trusted Client Certificate List Item Value setting Description Import from a File Import from a PEM A Must filled setting Select a certificate file from user’s computer, and click the Apply button to import the specified certificate file to the gateway. 1. String format can be any text 2. A Must filled setting N/A N/A This is an alternative approach to import a certificate. You can directly fill in (Copy and Paste) the PEM encoded certificate string, and click the Apply button to import the specified certificate to the gateway. Apply Cancel Click the Apply button to import certificate. Click the Cancel button to discard the import operation and the screen will return to the Trusted Certificates page. Import Trusted Client Key When Import button is applied, a Trusted Client Key Import screen will appear. You can import a Trusted Client Key from an existed file, or directly paste a PEM encoded string as the key. 242
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Trusted Client Key List Item Value setting Description Import from a File Import from a PEM A Must filled setting Select a certificate key file from user’s computer, and click the Apply button to import the specified key file to the gateway. 1. String format can be any text 2. A Must filled setting N/A N/A This is an alternative approach to import a certificate key. You can directly fill in (Copy and Paste) the PEM encoded certificate key string, and click the Apply button to import the specified certificate key to the gateway. Apply Cancel Click the Apply button to import the certificate key. Click the Cancel button to discard the import operation and the screen will return to the Trusted Certificates page. 243
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 5.9.7 Issue Certificate When you have a Certificate Signing Request (CSR) that needs to be certificated by the root CA of the device, you can issue the request here and let Root CA sign it. There are two approaches to issue a certificate. One is from a CSR file importing from the managing PC and another is copy‐paste the CSR codes in gateway’s web‐based utility, and then click on the "Sign" button. If the gateway signs a CSR successfully, the "Signed Certificate View" window will show the resulted certificate contents. In addition, a "Download" button is available for you to download the certificate to a file in the managing PC. Self‐signed Certificate Usage Scenario Scenario Application Timing (same as the one described in "My Certificate" section) When the enterprise gateway owns the root CA and VPN tunneling function, it can generate its own local certificates by being signed by itself. Also imports the trusted certificates for other CAs and Clients. These certificates can be used for two remote peers to make sure their identity during establishing a VPN tunnel. Scenario Description (same as the one described in "My Certificate" section) Gateway 1 generates the root CA and a local certificate (HQCRT) signed by itself. Also imports a trusted certificate (BranchCRT) –a BranchCSR certificate of Gateway 2 signed by root CA of Gateway 1. Gateway 2 creates a CSR (BranchCSR) to let the root CA of the Gateway 1 sign it to be the BranchCRT certificate. Import the certificate into the Gateway 2 as a local certificate. In addition, also imports the certificates of the root CA of the Gateway 1 into the Gateway 2 as the trusted ones. (Please also refer to "My Certificate" and "Trusted Certificate" sections). 244
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Establish an IPSec VPN tunnel with IKE and X.509 protocols by starting from either peer, so that all client hosts in these both subnets can communicate with each other. Parameter Setup Example (same as the one described in "My Certificate" section) For Network‐A at HQ Following tables list the parameter configuration as an example for the "Issue Certificate" function used in the user authentication of IPSec VPN tunnel establishing, as shown in above diagram. The configuration example must be combined with the ones in "My Certificate" and "Trusted Certificate" sections to complete the setup for whole user scenario. Configuration Path Browse Command Button [Issue Certificate]‐[Certificate Signing Request Import from a File] Configuration Path Command Button [Issue Certificate]‐[Signed Certificate View]
C:/BranchCSR Sign Download (default name is "issued.crt")
Scenario Operation Procedure (same as the one described in "My Certificate" section) In above diagram, the "Gateway 1" is the gateway of Network‐A in headquarters and the subnet of its Intranet is 10.0.76.0/24. It has the IP address of 10.0.76.2 for LAN interface and 203.95.80.22 for WAN‐1 interface. The "Gateway 2" is the gateway of Network‐B in branch office and the subnet of its Intranet is 10.0.75.0/24. It has the IP address of 10.0.75.2 for LAN interface and 118.18.81.33 for WAN‐1 interface. They both serve as the NAT security gateways. Gateway 1 generates the root CA and a local certificate (HQCRT) that is signed by itself. Import the certificates of the root CA and HQCRT into the "Trusted CA Certificate List" and "Trusted Client Certificate List" of Gateway 2. Gateway 2 generates a Certificate Signing Request (BranchCSR) for its own certificate BranchCRT to be signed by root CA (Please generate one not self‐signed certificate in the Gateway 2, and click on the "View" button for that CSR. Just downloads it). Take the CSR to be signed by the root CA of the Gateway 1 and obtain the BranchCRT certificate (you need rename it). Import the certificate into the "Trusted Client Certificate List" of the Gateway 1 and the "Local Certificate List" of the Gateway 2. Gateway 2 can establish an IPSec VPN tunnel with "Site to Site" scenario and IKE and X.509 protocols to Gateway 1. Finally, the client hosts in two subnets of 10.0.75.0/24 and 10.0.76.0/24 can communicate with each other. 245
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Issue Certificate Setting The Issue Certificate setting allows user to import Certificate Signing Request (CSR) to be signed by root CA. Go to Object Definition > Certificate > Issue Certificate tab. Import and Issue Certificate Certificate Signing Request (CSR) Import from a File
Item Value setting Description
Certificate Signing Request (CSR) Import from a File Certificate Signing Request (CSR) Import from a PEM A Must filled setting Select a certificate signing request file you’re your computer for importing to the gateway. 1. String format can be any text 2. A Must filled setting Enter (copy‐paste) the certificate signing request PEM encoded certificate to the gateway. Sign N/A When root CA is exist, click the Sign button sign and issue the imported certificate by root CA. 246
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Chapter 7 Field Communication 7.1 Bus & Protocol The gateway may equip a DB‐9 male port or other type of serial port for various serial communication use through connecting the RS‐232 or RS‐485 serial device to an IP‐based Ethernet LAN. These communication protocols make user access serial devices anywhere over a local LAN or the Internet easily. They include "Virtual COM" and "Modbus". 7.1.1 Port Configuration Before using the supported field communication function, like Virtual COM or Modbus, you need to configure the physical communication port first. In "Port Configuration" page, there is only one configuration window for the serial port settings. The "Configuration" window can let you specify serial port parameters including the operation mode being "Virtual COM", "Modbus" or disabled, the interface being "RS‐232" or "RS‐485", the baud rate, the data bit length, the stop bit length, the flow control being "RTS/CTS", "DTS/DSR" or "None", and the parity. The port configuration screen allows user to configure the operation mode and physical layer settings for each serial interface, and also can quick switch from one communication protocol to another for the serial port. The number of ports and type of the supported protocols could be different for the purchased gateway model. Go to Field Communication > Bus & Protocol > Port Configuration tab. Port Configuration Window Item Value setting Serial Port N/A Description It displays the serial port ID of the serial port.
The number of serial ports varies from the purchased model. 247
In‐Vehicle Hotspot Gateway
Data Bits Stop Bits Index skipping is used to reserve slots for new function insertion, when required. Disable is set by default It displays the current selected operation mode for the serial interface.
Depending on the purchase model, the available modes can be Virtual COM, Modbus, and IEC 60870‐5. RS-232 is set by default
Select RS‐232 or RS‐485 physical interface for connecting to the access device(s) with the same interface specification. 19200 is set by default
Select the appropriate baud rate for serial device communication.
RS-232: 1200 / 2400 / 4800 / 9600 / 19200 / 38400 / 57600 / 115200
RS-485 can use higher baud rate for 230400 and 460800. It depends on the
cable length and the installed environment. The longer cable, the lower
baud rate for it.
8 is set by default
Select 8 or 7 for data bits.
1 is set by default
Select 1 or 2 for stop bits.
Flow Control None is set by default
Parity Action None is set by default
N/A
Save N/A
Operation Mode Interface Baud Rate Select None / RTS,CTS / DTS, DSR for Flow Control in RS-232 mode.
The supporting of Flow Control depends on the purchased model.
Select None / Even / Odd for Parity bit.
Click Edit button to change the operation mode, or modify the parameters
mentioned above for the serial interface communication.
Click Save button to save the settings.
248
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 7.1.3 Virtual COM Create a virtual COM port on user’s PC/Host to provide access to serial device connected to the serial port on gateway. Therefore, users can access, control, and manage the connected serial device through Internet (fixed line, or cellular network) anywhere. This application is also known as Ethernet pass‐through communication. Virtual COM setting screen enables user to connect a Virtual COM port based device to the Internet. It allows user to access serial data remotely. There are TCP Client, TCP Server, UDP, and RFC2217 modes for remote accessing the connected serial device. These operation modes are illustrated as below. TCP Client Mode in On‐demand Control Scenario Scenario Application Timing When the administrator expects the gateway to actively establish a TCP connection to a pre‐
defined host computer when serial data arrives, the operation mode for the "Virtual COM" function is required to be "TCP Client" and the connection control is required to be "On‐
demand". Besides, after the data has been transferred, the TCP connection can be automatically disconnected from the host computer by using the TCP alive check timeout or idle timeout settings. 249
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Scenario Description When the connection control of virtual COM is "On‐demand", and once the IOG gateway receives data from the connected serial device, it will establish a TCP connection to transfer the received serial data to the remote host. After the data has been transferred, the gateway automatically disconnects the established TCP session from the host computer by using the TCP alive check timeout or idle timeout settings. Finally, the host computer can process the collected serial data and make further decisions. Parameter Setup Example Following tables list the parameter configuration as an example for "TCP Client" mode in "Virtual COM" function, as shown in above diagram. Use default value for those parameters that are not mentioned in the tables. Configuration Path Operation Mode Connection Control Connection Idle Timeout Alive Check Timeout [Virtual COM]‐[Virtual COM Serial Definition]
Configuration Path ID To Host Remote Port Serial Port Definition [Virtual COM]‐[Legal IP/FQDN Definition (TCP Client)]
TCP Client
On‐demand
1 (0‐60) min
1 (0‐60) min
1 140.116.82.98
4001 SPort‐0 ■ Enable TCP Server Mode 250
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Scenario Application Timing When the administrator expects the gateway to wait passively for the serial data requests from the host computer, and the host computer will establish a TCP connection to get data from the serial device, the operation mode for the "Virtual COM" function is required to be "TCP Server". In this mode, the gateway provides a unique "IP: Port" address on a TCP/IP network. It supports up to 4 simultaneous connections, so that multiple hosts can collect data from the same serial device at the same time. Scenario Description When the Internet Host Computer wants to get the serial data via the gateway, it will try to establish a TCP connection to the gateway if the connection is off. After the data has been transferred, the TCP connection will be automatically disconnected from the host computer by using the TCP alive check timeout or idle timeout settings. Finally, the host computer can process the collected serial data and make further decisions. Parameter Setup Example Following tables list the parameter configuration as an example for the "TCP Server" mode in "Virtual COM" function, as shown in above diagram. Use default value for those parameters that are not mentioned in the tables. Configuration Path Operation Mode Listen Port Trust Type Max Connection Connection Idle Timeout Alive Check Timeout [Virtual COM]‐[Virtual COM Serial Definition] Configuration Path ID Host Serial Port Definition [Virtual COM]‐[Trusted IP Definition]
TCP Server
4001
Specific IPs
4
1 (0‐60) min
1 (0‐60) min
1
140.116.82.98
■ Sport‐0
■ Enable
251
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. UDP Mode Scenario Application Timing If both the Internet Host Computer and the remote serial device are expected to initiate a data transfer when it require to do that, the operation mode for the "Virtual COM" function in the gateway is required to be "UDP". In this mode, the UDP data can be transferred between the gateway and multiple host computers from either peer, making this mode ideal for message display applications. It supports up to 4 legal host computers to connect to the serial device via the gateway. Scenario Description A remote Internet host computer whose IP address is 140.116.82.98 has a management system in it to collect the serial data from or send data to the serial device via the gateway. The Internet host computer can directly send UDP data to the serial device via the gateway, and also receive UDP data from the serial device via the gateway at the same time. The gateway supports up to 4 Internet host computers. Parameter Setup Example Following tables list the parameter configuration as an example for the "UDP" mode in "Virtual COM" function, as shown in above diagram. Use default value for those parameters that are not mentioned in the tables. Configuration Path Operation Mode Listen Port [Virtual COM]‐[Virtual COM Serial Definition]
UDP 4001 252
In‐Vehicle Hotspot Gateway
Configuration Path ID Host Remote Port Serial Port Definition Index skipping is used to reserve slots for new function insertion, when required. [Virtual COM]‐[Legal IP Definition (UDP)]
1 140.116.82.98
4001 Sport‐0 ■ Enable RFC‐2217 Mode Scenario Application Timing RFC‐2217 defines general COM port control options based on telnet protocol. A host computer with RFC‐2217 driver installed can monitor and manage the remote serial device attached to the gateway’s serial port, as though they were connected to the local serial port. When a virtual serial port on the local serial device is being created, it is required to specify the IP‐address of the host computers to establish connection with. Any 3rd party driver supporting RFC2217 can be used to install in the host computer, the driver establishes a transparent connection between host and serial device by mapping the IP:Port of the gateway’s serial port to a virtual local COM port on the host computer. Scenario Description A remote Internet host computer whose IP address is 140.116.82.98 has a RFC‐2217 Virtual COM driver installed in it, and also has some legacy serial application software in it to collect the serial data from or send data to the serial device via the gateway. The Internet host computer can directly send data to the serial device via the gateway, and also receive data from the serial device via the gateway at the same time. The gateway supports up to 4 Internet host computers. 253
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Parameter Setup Example Following tables list the parameter configuration as an example for the “RFC‐2217" mode in "Virtual COM" function, as shown in above diagram. Use default value for those parameters that are not mentioned in the tables. Configuration Path Operation Mode Listen Port Trust Type [Virtual COM]‐[Virtual COM Serial Definition]
Configuration Path ID Host Serial Port Enable [Virtual COM]‐[Trusted IP Definition (RFC‐2217)]
RFC‐2217 4001 Specific IPs
1 140.116.82.98
Sport‐0 ■ Enable 254
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Virtual COM Setting Virtual COM setting screen enables user to connect a Virtual COM port based device to the Internet. It allows user to access serial data remotely. There are TCP Client, TCP Server, UDP, and RFC2217 modes for remote accessing the connected serial device. To use the Virtual COM function, you have to specify the operation mode for the multi‐function serial port first. Go to Field Communication > Bus & Protocol > Port Configuration tab, select the Virtual COM as expected operation mode, and finish the related port configuration as well. After that, go to Field Communication > Bus & Protocol > Virtual COM tab for detailed configuration of Virtual COM setting. Enable TCP Client Mode Configure the gateway as the TCP (Transmission Control Protocol) Client. In TCP Client mode, device initiates a TCP connection with a TCP server when there is data to transmit. Device disconnects from the server when the connection is Idle for a specified period. You may also enable full time connection with the TCP server. Enable TCP Client Mode Window Item Value setting Operation Mode Connection Control A Must filled setting Always on is set by default Connection Idle Timeout 1. 0 is set by default 2. Range 0 to 60 min. Alive Check Timeout 1. 0 is set by default 2. Range 0 to 60 min. Enable The box is unchecked by default. N/A Save Description Select TCP Client.
Choose Always on for a TCP full time connection. Otherwise, choose On‐
Demand to initiate TCP connection only when required to transmit and disconnect at idle timeout. Enter the idle timeout in minutes.
The idle timeout is used to disconnect the TCP connection when idle time elapsed . Idle timeout is only available when On‐Demand is selected in the Connection Control field. Enter the time period of alive check timeout. The TCP connection will be terminated if it doesn’t receive response of alive‐check longer than this timeout setting Check the Enable box to activate the corresponding serial port in specified operation mode. Click the Save button to save the configuration 255
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Specify Remote TCP Server Specify TCP Server Window Item Value setting To Host A Must filled setting Remote Port 1.A Must filled setting 2.Default value is 4001 SPort‐0 is set by default Serial Port Enable Save The box is unchecked by default N/A Description Press Edit button to enter IP address or FQDN of the remote TCP server to transmit serial data. Enter the TCP port number. This is the listen port of the remote TCP server.
Apply the TCP server connection for a selected serial port. Up to 4 TCP servers can be configured at the same time for each serial port. Check the Enable box to enable the TCP server configuration. Click the Save button to save the configuration 256
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Enable TCP Server Mode Configure the gateway as the TCP (Transmission Control Protocol) Server. The TCP Server waits for connections to be initiated by a remote TCP client device to receive serial data. The setting allows user to specify specific TCP clients or allow any to send serial data for serial data transmission bandwidth control and access control. The TCP Server supports up to 4 simultaneous connections to receive serial data from multiple TCP clients. Enable TCP Server Mode Window Item Value setting Operation Mode Listen Port Trust Type Max Connection Connection Idle Timeout A Must filled setting 4001 is set by default Allow All is set by default 1. Max. 4 connections 2. 1 is set by default 0 is set by default Alive Check Timeout 0 is set by default Enable The box is unchecked by default. N/A Save Description
Select TCP Server mode.
Indicate the listening port of TCP connection. Choose Allow All to allow any TCP clients to connect. Otherwise choose Specific IP to limit certain TCP clients. Set the maximum number of concurrent TCP connections. Up to 4 simultaneous TCP connections can be established. Enter the idle timeout in minutes.
The idle timeout is used to disconnect the TCP connection when idle time elapsed . Idle timeout is only available when On‐Demand is selected in the Connection Control field. Input the time period of alive check timeout. The TCP connection will be terminated if it doesn’t receive response of alive‐check longer than this timeout setting. Check the Enable box to activate the corresponding serial port in specified operation mode. Click Save button to save the settings.
257
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Specify TCP Clients for TCP Server Access Specify TCP Clients Window Item Value setting Host A Must filled setting Serial Port The box is unchecked by default The box is unchecked by default N/A Enable Save Description Enter the IP address range of allowed TCP clients. Check the box to specify the rule for selected Serial Port. Check the Enable box to enable the rule.
Click Save button to save the settings.
Enable UDP Mode UDP (User Datagram Protocol) enables applications using UDP socket programs to communicate with the serial ports on the serial server. The UDP mode provides connectionless communications, which enable you to multicast data from the serial device to multiple host computers, and vice versa, making this mode ideal for message display applications. Enable UDP Mode Window Item Value setting Operation Mode Listen Port Enable Save A Must filled setting 4001 is set by default The box is unchecked by default. N/A Description Select UDP mode.
Indicate the listening port of UDP connection. Check the Enable box to activate the corresponding serial port in specified operation mode. Click Save button to save the settings.
258
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Specify Remote UDP Specify Remote UDP hosts Window Item Value setting Description Host A Must filled setting Press Edit button to enter IP address range of remote UDP hosts.
Remote Port 4001 is set by default Indicate the UDP port of peer UDP hosts. Serial Port SPort‐0 is set by default Enable The box is unchecked by default N/A Save Apply the UDP hosts for a selected serial port. Up to 4 UDP servers can be configured at the same time for each serial port. Check the Enable box to enable the rule.
Click Save button to save the settings. 259
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Enable RFC‐2217 Mode RFC‐2217 defines general COM port control options based on telnet protocol. With the RFC‐
2217 mode, remote host can monitor and manage remote serially attached devices, as though they were connected to the local serial port. When a virtual serial port on the local serial device is being created, it is required to specify the IP‐address of the remote hosts to establish connection with. Enable RFC‐2217 Mode Window Item Value setting Operation Mode Listen Port Trust Type Connection Idle Timeout A Must filled setting 4001 is set by default Allow All is set by default 0 is set by default Alive Check Timeout 0 is set by default Enable The box is unchecked by default. N/A Save Description Select RFC‐2217 mode.
Indicate the listening port of RFC‐2217 connection. Choose Allow All to allow any clients to connect. Otherwise choose Specific IP to limit certain clients. Enter the idle timeout in minutes.
The idle timeout is used to disconnect the connection when idle time elapsed . Input the time period of alive check timeout. The connection will be terminated if it doesn’t receive response of alive‐check longer than this timeout setting. Check the Enable box to activate the corresponding serial port in specified operation mode. Click Save button to save the settings.
260
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Specify Remote Host for Access Specify RFC‐2217 Clients for Access Window
Item Value setting Description Host A Must filled setting Enter the IP address range of allowed clients. Serial Port Enable Save The box is unchecked by default The box is unchecked by default N/A Check the box to specify the rule for selected Serial Port. Check the Enable box to enable the rule.
Click Save button to save the settings.
261
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Chapter 9 Security 9.1 VPN A virtual private network (VPN) extends a private network across a public network, such as the Internet. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefitting from the functionality, security and management policies of the private network. This is done by establishing a virtual point‐to‐point connection through the use of dedicated connections, encryption, or a combination of the two. The tunnel technology supports data confidentiality, data origin authentication and data integrity of network information by utilizing encapsulation protocols, encryption algorithms, and hashing algorithms. The product series supports different tunneling technologies to establish secure tunnels between multiple sites for data transferring, such as IPSec, OpenVPN, PPTP, L2TP (over IPSec) and GRE. Besides, some advanced functions, like Full Tunnel, Tunnel Failover, Tunnel Load Balance, NetBIOS over IPSec, NAT Traversal and Dynamic VPN, are also supported. 262
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 9.1.1 Configuration The VPN configuration allows user to enable or disable all the VPN functions of the gateway device. The VPN enables check box must be checked to enable to allow IPSec, PPTP, L2TP and GRE to function. Go to Security > VPN > Configuration tab VPN Configuration Enable VPN check box will activate all VPN related functions. VPN Configuration Item Value setting VPN Save Description
The box is unchecked Check the Enable box to enable all VPN functions by default N/A Click the Save button to save the settings 263
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 9.1.3 IPSec Internet Protocol Security (IPSec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPSec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. An IPSec VPN tunnel is established between IPSec client and server. Sometimes, we call the IPSec VPN client as the initiator and the IPSec VPN server as the responder. There are two phases to negotiate between the initiator and responder during tunnel establishment, IKE phase and IPSec phase. At IKE phase, IKE authenticates IPSec peers and negotiates IKE SAs (Security Association) to set up a secure channel for negotiating IPSec SAs in phase 2. At IPSec phase, IKE negotiates IPSec SA parameters and sets up matching IPSec SAs in the peers. After these both phases, data is transferred between IPSec peers based on the IPSec parameters and keys stored in the SA database. Before going to setup the VPN connections, you may need to decide the scenario type for the tunneling. The scenario can be "Site to Site", "Site to Host", "Host to Site", "Host to Host", or "Dynamic VPN". There are three commonly used IPSec VPN connection scenarios as follows. 264
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Site to Site Tunnel Scenario Scenario Application Timing The security gateway can be located at branch office or mobile office. When the client hosts behind the security gateway want to make a secure communication with the ones behind another security gateway in headquarters or another branch office, both security gateways need to establish a VPN tunnel first. Both Intranets of security gateways have their own subnet and the "Site to Site" tunnel scenario is used. "Site" means a subnet of client hosts. Scenario Description Both Initiator and Responder of IPSec tunnel must have a “Static IP” or a “FQDN” for "Site to Site" scenario. Any peer gateway can be worked as an Initiator or a Responder of the IPSec VPN tunnel. Two phases (IKE and IPSec) to negotiate for establishing an IPSec VPN tunnel with pre‐shared key and optional X‐Auth account / password. Parameter Setup Example For Network‐A at HQ Following 5 tables list the parameter configuration for above example diagram of IPSec VPN 265
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. tunnel in Network‐A. Use default value for those parameters that are not mentioned in these 5 tables. Configuration Path IPSec [IPSec]‐[Configuration]
■ Enable Configuration Path Tunnel Tunnel Name Interface Tunnel Scenario Operation Mode [IPSec]‐[Tunnel Configuration]
■ Enable s2s‐101 WAN 1 Site to Site Always on Configuration Path Local Subnet Local Netmask Full Tunnel Remote Subnet Remote Netmask Remote Gateway [IPSec]‐[Local & Remote Configuration]
10.0.76.0 255.255.255.0
Disable 10.0.75.0 255.255.255.0
118.18.81.33
Configuration Path Key Management Local ID Remote ID [IPSec]‐[Authentication]
IKE+Pre‐shared Key 12345678
User Name Network‐A
User Name Network‐B
Configuration Path Negotiation Mode X‐Auth [IPSec]‐[IKE Phase]
Main Mode None For Network‐B at Branch Office Following 5 tables list the parameter configuration for above example diagram of IPSec VPN tunnel in Network‐B. Use default value for those parameters that are not mentioned in these 5 tables. Please also note that the authentication parameters of both peers must match each other to successfully establishing authentication process, and it is just for an example here. Besides, Negotiation Mode and X‐Auth in "IKE Phase" configuration window should be also matched in both peers. And there is at least one proposal entity in IKE Proposal Definition and at least one proposal 266
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. entity in IPSec Proposal Definition is same for both peers. Use the default ones in the setup example and they are not shown in followings. Configuration Path IPSec [IPSec]‐[Configuration]
■ Enable Configuration Path Tunnel Tunnel Name Interface Tunnel Scenario Operation Mode [IPSec]‐[Tunnel Configuration]
■ Enable s2s‐201 WAN 1 Site to Site Always on Configuration Path Local Subnet Local Netmask Full Tunnel Remote Subnet Remote Netmask Remote Gateway [IPSec]‐[Local & Remote Configuration]
10.0.75.0 255.255.255.0
Disable 10.0.76.0 255.255.255.0
203.95.80.22
Configuration Path Key Management Local ID Remote ID [IPSec]‐[Authentication]
IKE+Pre‐shared Key 12345678
User Name Network‐B
User Name Network‐A
Configuration Path Negotiation Mode X‐Auth [IPSec]‐[IKE Phase]
Main Mode None Scenario Operation Procedure In above diagram, Network‐A is in the headquarters, and the subnet of its Intranet is 10.0.76.0/24. The security gateway for Network‐A has the IP address of 10.0.76.2 for LAN interface and 203.95.80.22 for WAN interface. However, Network‐B is in the branch office and the subnet of its Intranet is 10.0.75.0/24. The security gateway for Network‐B has the IP address of 10.0.75.2 for LAN interface and 118.18.81.33 for WAN interface. Establish an IPSec VPN tunnel with "Site to Site" scenario by starting from either site. So both Intranets of 10.0.75.0/24 and 10.0.76.0/24 can securely communicate each other. Finally, the client hosts in the Intranet of Network‐B at branch office can access the server or 267
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. database resources in the Intranet of Network‐A at HQ in a secured link. Dynamic VPN Tunnel Scenario Business Security Gateway can ignore IP information of clients when using Dynamic VPN, so it is suitable for users to build VPN tunnels with Business Security Gateway from a remote mobile site. Remote peer is a site will be indicated in the negotiation packets, including what remote subnet is. It must be noted that the remote peer has to initiate the tunnel establishing process first in this application scenario. Scenario Application Timing If the security gateway in headquarters wants to allow any traveling employees to securely access the enterprise operation systems to access office resources from outside, the Dynamic VPN connection can be setup up to meet the requirement. These mobile employees are carrying with their notebooks or security supporting gateways outsides, and use these devices to connect to the Internet and try to access the enterprise resources at headquarters. But the IP address that the devices get is dynamic, not fixed. When the security gateway of headquarters need to check the IP address of a remote device during establishing a secure VPN tunnel for data communication, mobile devices will fail since they have not fixed IP address. So, to activate the "Dynamic VPN" function on the headquarters gateway is a fast approach for the secure data communication between mobile devices and the headquarters gateway. You can follow the deployment steps as below. 268
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Scenario Description Dynamic VPN is suitable for the Initiator being a mobile site or a mobile device with a dynamic IP, only the Responder has a “Static IP” or a “FQDN”. Two phases (IKE and IPSec) to negotiate for establishing an IPSec VPN tunnel with pre‐shared key and optional X‐Auth account / password. Parameter Setup Example For Network‐A at HQ Following 5 tables list the parameter configuration for above example diagram of IPSec VPN tunnel in Network‐A. Use default value for those parameters that are not mentioned in these 5 tables. Configuration Path IPSec [IPSec]‐[Configuration]
■ Enable Configuration Path Tunnel Tunnel Name Interface Tunnel Scenario Operation Mode [IPSec]‐[Tunnel Configuration]
■ Enable dvpn‐101 WAN 1 Dynamic VPN
Always on Configuration Path Local Subnet Local Netmask [IPSec]‐[Local & Remote Configuration]
10.0.76.0 255.255.255.0
Configuration Path Key Management Local ID [IPSec]‐[Authentication]
IKE+Pre‐shared Key 12345678
User Name Network‐B
Configuration Path Negotiation Mode X‐Auth [IPSec]‐[IKE Phase]
Main Mode None For Network‐B at Mobile Office Following 5 tables list the parameter configuration for above example diagram of IPSec VPN tunnel in Network‐B. 269
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Use default value for those parameters that are not mentioned in these 5 tables. Please also note that the authentication parameters of both peers must match each other to complete the authentication process successfully, and it is just for an example here. In addition, Negotiation Mode and X‐Auth in "IKE Phase" configuration window should be also matched on both peers. And there is at least one proposal entity in IKE Proposal Definition and at least one proposal entity in IPSec Proposal Definition are the same for both peers. Use the default ones in the setup example and they are not shown in followings. Configuration Path IPSec Configuration Path Tunnel Tunnel Name Interface Tunnel Scenario Operation Mode Keep alive [IPSec]‐[Configuration]
■ Enable [IPSec]‐[Tunnel Configuration]
■ Enable dvpn‐201 WAN 1 Site to Site Always on ■ Enable Ping FQDN  www.abc.com , Interval 120 sec Configuration Path Local Subnet Local Netmask Full Tunnel Remote Subnet Remote Netmask Remote Gateway [IPSec]‐[Local & Remote Configuration]
10.0.75.0 255.255.255.0
Disable 10.0.76.0 255.255.255.0
203.95.80.22 or www.abc.com
PS : Some advanced users will use Dynamic DDS function to update Global IP address which is not fixed .We suggest enabling “Keep alive” item. Configuration Path Key Management Local ID [IPSec]‐[Authentication]
IKE+Pre‐shared Key 12345678
User Name Network‐B
Configuration Path Negotiation Mode X‐Auth [IPSec]‐[IKE Phase]
Main Mode None Scenario Operation Procedure In above diagram, Network‐A is in the headquarters, and the subnet of its Intranet is 10.0.76.0/24. The security gateway for Network‐A has the IP address of 10.0.76.2 for LAN 270
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. interface and 203.95.80.22 (or FQDN:www.abc.com) for WAN interface. However, Network‐B is in the mobile office and the subnet of its Intranet is 10.0.75.0/24. The security gateway for Network‐B has a dynamic IP address of 118.18.81.33 for WAN interface or private IP address of 10.253.253.1 in Cellular Network Establish an IPSec VPN tunnel with "Dynamic VPN" scenario by starting from the mobile site. So both Intranets of 10.0.75.0/24 and 10.0.76.0/24 can securely communicate each other. Finally, the client hosts in the Intranet of Network‐B at mobile office can access the server or database resources in the Intranet of Network‐A at HQ with a secured link. That means, the security gateway in headquarters supports "Dynamic VPN" function and then you, as a mobile user, can access its Intranet resources from remote side with a secured link; even your device is not on a fixed IP address. "Full Tunnel"‐enabled Site to Site Tunnel Scenario In "Site to Site" tunnel scenario, the client hosts of remote site can securely access the enterprise resources in the Intranet of headquarters gateway via an established VPN tunnel, as described above. But the regular Internet accessing at remote site still go through the WAN interface of remote gateway, not the VPN tunnel. If you want all packets to be transferred from the Network‐B at branch office via this VPN tunnel, including the enterprise resource accessing and the Internet accessing, you can refer to following scenario example. When Full Tunnel function of remote Business Security Gateway is enabled, all data traffic from remote clients behind remote Business Security Gateway will go over the VPN tunnel. That is, if a user is operating at a PC that is in the Intranet of remote Business Security Gateway, all application packets and private data packets from the PC will be transmitted securely in the VPN tunnel to access the resources behind HQ Business Security Gateway, including surfing the Internet. As a result, every time the user surfs the web for shopping or searching data on Internet, checking personal emails, or accessing HQ servers, all are done on a secured connection through HQ Business Security Gateway. Following diagram illustrates this application scenario. It is the same as the one for the "Site to Site" scenario with "Full Tunnel" disabled. But the "Full Tunnel" parameter in this scenario is enabled now. When the "Site to Site" IPSec VPN tunnel has been established by either peer, all client hosts in Network‐B at branch office can access the resources in HQ and the Internet by using the tunnel in a secure link since the "Full Tunnel" function is activated in Network‐B site. 271
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Scenario Application Timing The security gateway can be located at branch office or mobile office. When the client hosts behind the security gateway want to make a secure communication with the ones behind another security gateway in headquarters or another branch office, both security gateways need establish a VPN tunnel first. Both Intranets of security gateways have their own subnet and the "Site to Site" tunnel scenario is used. "Site" means a subnet of client hosts. Moreover, since the "Full Tunnel" feature is enabled at branch office site, all packet flows will go through the established VPN tunnel between both sites, including the HQ resource accessing and regular Internet accessing. Scenario Description Both Initiator and Responder of IPSec tunnel must have a “Static IP” or a “FQDN” for "Site to Site" scenario. Any peer gateway can be worked as an Initiator or a Responder of the IPSec VPN tunnel. Two phases (IKE and IPSec) to negotiate for establishing an IPSec VPN tunnel with pre‐shared key and optional X‐Auth account / password. “Full Tunnel” feature to be enabled drives all packet flows from local site will be transferred via the established VPN tunnel. Parameter Setup Example For Network‐A at HQ 272
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Following 5 tables list the parameter configuration for above example diagram of IPSec VPN tunnel in Network‐A. Use default value for those parameters that are not mentioned in these 5 tables. Configuration Path IPSec [IPSec]‐[Configuration]
■ Enable Configuration Path Tunnel Tunnel Name Interface Tunnel Scenario Operation Mode [IPSec]‐[Tunnel Configuration]
■ Enable s2s‐101 WAN 1 Site to Site Always on Configuration Path Local Subnet Local Netmask Full Tunnel Remote Subnet Remote Netmask Remote Gateway [IPSec]‐[Local & Remote Configuration]
10.0.76.0 255.255.255.0
Disable 10.0.75.0 255.255.255.0
118.18.81.33
Configuration Path Key Management Local ID Remote ID [IPSec]‐[Authentication]
IKE+Pre‐shared Key 12345678
User Name Network‐A
User Name Network‐B
Configuration Path Negotiation Mode X‐Auth [IPSec]‐[IKE Phase]
Main Mode None For Network‐B at Branch Office Following 5 tables list the parameter configuration for above example diagram of IPSec VPN tunnel in Network‐B. Use default value for those parameters that are not mentioned in these 5 tables. Please be noted that the special parameter configuration in red color. Please also note that the authentication parameters of both peers must match each other to complete the authentication process successfully, and it is just for an example here. In addition, Negotiation Mode and X‐Auth in "IKE Phase" configuration window should be also matched in both peers. 273
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. And there is at least one proposal entity in IKE Proposal Definition and at least one proposal entity in IPSec Proposal Definition is same for both peers. Use the default ones in the setup example and they are not shown in followings. Configuration Path IPSec [IPSec]‐[Configuration]
■ Enable Configuration Path Tunnel Tunnel Name Interface Tunnel Scenario Operation Mode [IPSec]‐[Tunnel Configuration]
■ Enable s2s‐201 WAN 1 Site to Site Always on Configuration Path Local Subnet Local Netmask Full Tunnel Remote Subnet Remote Netmask Remote Gateway [IPSec]‐[Local & Remote Configuration]
10.0.75.0 255.255.255.0
■ Enable 10.0.76.0 255.255.255.0
203.95.80.22
Configuration Path Key Management Local ID Remote ID [IPSec]‐[Authentication]
IKE+Pre‐shared Key 12345678
User Name Network‐B
User Name Network‐A
[IPSec]‐[IKE Phase]
Configuration Path Main Mode Negotiation Mode None X‐Auth Scenario Operation Procedure In above diagram, Network‐A is in the headquarters, and the subnet of its Intranet is 10.0.76.0/24. The security gateway for Network‐A has the IP address of 10.0.76.2 for LAN interface and 203.95.80.22 for WAN interface. However, Network‐B is in the branch office and the subnet of its Intranet is 10.0.75.0/24. The security gateway for Network‐B has the IP address of 10.0.75.2 for LAN interface and 118.18.81.33 for WAN interface. Establish an IPSec VPN tunnel with "Site to Site" scenario by starting from either site. So both Intranets of 10.0.75.0/24 and 10.0.76.0/24 can securely communicate each other. Finally, all packet flows from the client hosts in the Intranet of Network‐B at branch office 274
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. will go through the established VPN tunnel. That means, the security gateway in branch office supports "Full Tunnel" feature and the client hosts behind it can access not only the server or database resources in the Intranet of Network‐A at HQ, but also the Internet in a secured connection. The HQ gateway controls and secures the IP networking request flows from the branch office. 275
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. IPSec Setting The IPSec Setting allows user to create and configure IPSec tunnels. Before you proceed ensure that the VPN is enabled and saved. To enable VPN, go to Security > VPN > Configuration tab. Go to Security > VPN > IPSec tab. Enable IPSec Enable IPSec Window Item Value setting IPsec NetBIOS over IPSec Unchecked by default Unchecked by default NAT Traversal Unchecked by default Max. Concurrent IPSec Tunnels 32 is set by default Save Undo N/A N/A Description
Click the Enable box to enable IPSec function. Click the Enable box to enable NetBIOS over IPSec function. Click the Enable box to enable NAT Traversal function. The specified value will limit the maximum number of simultaneous IPSec tunnel connection. The default value can be different for the purchased model. Click Save to save the settings Click Undo to cancel the settings Create/Edit IPSec tunnel Ensure that the IPSec enable box is checked to enable before further configuring the IPSec tunnel settings. 276
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. When Add/Edit button is applied, a series of configuration screens will appear. They are Tunnel Configuration, Local & Remote Configuration, Authentication, IKE Phase, IKE Proposal Definition, IPSec Phase, and IPSec Proposal Definition. You have to configure the tunnel details for both local and remote VPN devices. Tunnel Configuration Window Item Value setting Tunnel Tunnel Name Interface Unchecked by default 1. A Must fill setting 2. String format can be any text 1. A Must fill setting 2. WAN 1 is selected by default Tunnel Scenario 1. A Must fill setting 2. Site to site is selected by default Hub and Spoke 1. An optional setting Description
Check the Enable box to activate the IPSec tunnel Enter a tunnel name. Enter a name that is easy for you to identify. Select WAN interface on which IPSec tunnel is to be established. Select an IPSec tunneling scenario from the dropdown box for your application. Select Site‐to‐Site, Site‐to‐Host, Host‐to‐Site, or Host‐to‐Host. With Site‐to‐Site or Site‐to‐Host or Host‐to‐Site, IPSec operates in tunnel mode. The difference among them is the number of subnets. With Host‐
to‐Host, IPSec operates in transport mode. Select from the dropdown box to setup your gateway for Hub‐and‐Spoke IPSec VPN Deployments. 277
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 2. None is set by default Select None if your deployments will not support Hub or Spoke encryption. Select Hub for a Hub role in the IPSec design. Select Spoke for a Spoke role in the IPSec design. Note: Hub and Spoke are available only for Site‐to‐Site VPN tunneling specified in Tunnel Scenario. It is not available for Dynamic VPN tunneling application. There are three available operation modes. Always On, Failover, Load Balance. Failover/ Always Define whether the IPSec tunnel is a failover tunnel function or an Always on tunnel. Note: If this IPSec is a failover tunneling, you will need to select a primary IPSec tunnel from which to failover to. Load Balance Define whether the IPSec tunnel connection will take part in load balance function of the gateway. You will not need to select with WAN interface as the system will automatically utilize the available WAN interfaces to balance traffic loads. For more details on WAN Load Balance, refer to Load Balance Usage in this manual. On gateway’s web‐based utility, go to Basic Network > WAN > Load Balance tab. Note: Failover and Load Balance functions are not available for Dynamic VPN specified in Tunnel Scenario. Operation Mode 1. A Must fill setting 2. Alway on is selected by default Encapsulation Protocol 1. A Must fill setting 2. ESP is selected by default Select the Encapsulation Protocol from the dropdown box for this IPSec tunnel. Available encapsulations are ESP and AH. Keep alive 1. Unchecked by default 2. 30s is set by default Check the Enable box to enable Keep alive function. Select Ping IP to keep live and enter the IP address to ping. Enter the ping time interval in seconds. Note: Keep alive option is not available for Dynamic VPN specified in Tunnel Scenario. 278
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Local & Remote Configuration Window
Item Value setting Description
Local Subnet List A Must fill setting Full Tunnel Unchecked by default Remote Subnet List A Must fill setting Remote Gateway 1. A Must fill setting. 2. Format can be a ipv4 address or FQDN Specify the Local Subnet IP address and Subnet Mask. Click the Add or Delete button to add or delete a Local Subnet. Note_1: When Dynamic VPN option in Tunnel Scenario is selected, there will be only one subnet available. Note_2: When Host‐to‐Site or Host‐to‐Host option in Tunnel Scenario is selected, Local Subnet will not be available. Note_3: When Hub and Spoke option in Hub and Spoke is selected, there will be only one subnet available. Click Enable box to enable Full Tunnel. Note: Full tunnel is available only for Site‐to‐Site specified in Tunnel Scenario. Specify the Remote Subnet IP address and Subnet Mask. Click the Add or Delete button to add or delete Remote Subnet setting. Specify the Remote Gateway. 279
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Authentication Configuration Window Item Value setting Description
Key Management 1. A Must fill setting 2. Pre‐shared Key 8 to 32 characters. Local ID An optional setting Remote ID An optional setting Select Key Management from the dropdown box for this IPSec tunnel. IKE+Pre‐shared Key: user needs to set a key (Min. 8 characters). IKE+X.509: user needs Certificate to authenticate. IKE+X.509 will be available only when Certificate has been configured properly. Refer to Certificate section of this manual and also Object Definition > Certificate in web‐based utility. Manually: user needs to enter key ID to authenticate. Manual key configuration will be explained in the following Manual Key Management section. Specify the Local ID for this IPSec tunnel to authenticate. Select User Name for Local ID and enter the username. The username may include but can’t be all numbers. Select FQDN for Local ID and enter the FQDN. Select User@FQDN for Local ID and enter the User@FQDN. Select Key ID for Local ID and enter the Key ID (English alphabet or number). Specify the Remote ID for this IPSec tunnel to authenticate. Selected User Name for Remote ID and enter the username. The username may include but can’t be all numbers. Select FQDN for Local ID and enter the FQDN. Select User@FQDN for Remote ID and enter the User@FQDN. Select Key ID for Remote ID and enter the Key ID (English alphabet or number).. Note: Remote ID will be not available when Dynamic VPN option in Tunnel Scenario is selected. 280
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. IKE Phase Window Item Value setting IKE Version 1. A must fill setting 2. v1 is selected by default Negotiation Mode Main Mode is set by default default X‐Auth None is selected by default Dead Peer Detection (DPD) Phase1 Key Life Time 1. Unchecked by default 2. Default Timeout 180s and Delay 30s 1. A Must fill setting 2. Default 3600s 3. Max. 86400s Description Specify the IKE version for this IPSec tunnel. Select v1 or v2 Note: IKE versions will not be available when Dynamic VPN option in Tunnel Scenario is selected, or AH option in Encapsulation Protocol is selected. Specify the Negotiation Mode for this IPSec tunnel. Select Main Mode or Aggressive Mode. Specify the X‐Auth role for this IPSec tunnel. Select Server, Client, or None.
Selected None no X‐Auth authentication is required. Selected Server this gateway will be an X‐Auth server. Click on the X‐Auth Account button to create remote X‐Auth client account. Selected Client this gateway will be a X‐Auth client. Enter User name and Password to be authenticated by the X‐Auth server gateway. Note: X‐Auth Client will not be available for Dynamic VPN option selected in Tunnel Scenario. Click Enable box to enable DPD function. Specify the Timeout and Delay time in seconds. Specify the Phase1 Key Life Time 281
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. IKE Proposal Definition Window Item Value setting IKE Proposal Definition A Must fill setting Description Specify the Phase 1 Encryption method. AES‐
auto/AES128/AES192/AES256/DES/3DES Specify the Authentication method. None/MD5/SHA1/SHA2‐256/SHA2‐512 Specify the DH Group None/Group1/ Group2/ Group5/ Group14/ Group15/ Group16/ Group17/ Group18/ Check Enable box to enable this setting IPSec Phase Window Item Value setting Phase2 Key Life Time 1. A Must fill setting 2. 28800s is set by default 3. Max. 86400s Description
Specify the Phase2 Key Life Time in second. 282
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. IPSec Proposal Definition Window Item Value setting IPSec Proposal Definition A Must fill setting Save Undo Back N/A N/A N/A Description
Specify the Encryption method None/AES‐auto/AES128/AES192/AES256/DES/3DES Specify Authentication method None/MD5/SHA1/SHA2‐256/SHA2‐512 Specify the PFS Group None/Group1/ Group2/ Group5/ Group14/ Group15/ Group16/ Group17/ Group18/ Click Enable to enable this setting Click Save to save the settings Click Undo button to cancel the settings Click Back button to return to the previous page. Manual Key Management When the Manually option is selected for Key Management as described in Authentication Configuration Window, a series of configuration windows for Manual IPSec Tunnel configuration will appear. The configuration windows are the Local & Remote Configuration, the Authentication, and the Manual Proposal. Authentication Configuration Window Item Value setting Description
Key Management A Must fill setting Local ID An optional setting Remote ID An optional setting Select Key Management from the dropdown box for this IPSec tunnel. In this section Manually is the option selected. For IKE+Pre‐shared Key and IKE+X.509 option, please refer to the table in previous 5 pages where key management is described. Specify the Local ID for this IPSec tunnel to authenticate. Select the Key ID for Local ID and enter the Key ID (English alphabet or number). Specify the Remote ID for this IPSec tunnel to authenticate. Select Key ID for Remote ID and enter the Key ID (English alphabet or number). 283
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Local & Remote Configuration Window
Item Value setting Description
Local Subnet Local Netmask Remote Subnet Remote Netmask Remote Gateway A Must fill setting A Must fill setting A Must fill setting A Must fill setting 1. A Must fill setting 2. An IPv4 address or FQDN format Specify the Local Subnet IP address and Subnet Mask. Specify the Local Subnet Mask. Specify the Remote Subnet IP address Specify the Remote Subnet Mask. Specify the Remote Gateway. The Remote Gateway Under the Manually Key Management authentication configuration, only one subnet is supported for both Local and Remote IPSec peer. Manual Proposal Window
Item Value setting Outbound SPI Inbound SPI Hexadecimal format Hexadecimal format Encryption 1. A Must fill setting 2. Hexadecimal format Authentication 1. A Must fill setting Description
Specify the Outbound SPI for this IPSec tunnel. Specify the Inbound SPI for this IPSec tunnel. Specify the Encryption Method and Encryption key Available encryption methods are DES/3DES/AES128/AES192/AES256 The key length for DES is 16, 3DES is 48, AES128 is 32, AES192 is 48, AES256 is 64. Note: When AH option in Encapsulation is selected, encryption will not be available. Specify the Authentication Method and Authentication key 284
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 2. Hexadecimal format Save Undo Back N/A N/A N/A Available encryptions are None/MD5/SHA1/SHA2‐256 Enter the key string (String length by the method which choose) The key length for MD5 is 32, SHA1 is 40, SHA2‐256 is 64. Note: When AH option in Encapsulation Protocol is selected, None option in Authentication will not be available. Click Save to save the settings Click Undo button to cancel the settings Click Back button to return to the previous page. Create/Edit Dynamic VPN Server List Similar to create an IPSec VPN Tunnel for site/host to site/host scenario, when Edit button is applied a series of configuration screen will appear. They are Tunnel Configuration, Local & Remote Configuration, Authentication, IKE Phase, IKE Proposal Definition, IPSec Phase, and IPSec Proposal Definition. You have to configure the tunnel details for the gateway as a Dynamic VPN server. Tunnel Configuration Window Item Value setting Tunnel Tunnel Name Unchecked by default 1. A Must fill setting Description
Check the Enable box to activate the Dynamic IPSec VPN tunnel Enter a tunnel name. Enter a name that is easy for you to identify. 285
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Interface Tunnel Scenario Operation Mode Encapsulation Protocol 2. String format can be any text 1. A Must fill setting 2. WAN 1 is selected by default 1. A Must fill setting 2. Dynamic VPN is selected by default 1. A Must fill setting 2. Alway on is selected by default 1. A Must fill setting 2. ESP is selected by default Select WAN interface on which IPSec tunnel is to be established. The IPSec tunneling scenario is fixed to Dynamic VPN. The available operation mode is Always On. Failover and Load Balance options are not available for the Dynamic IPSec scenario. Select the Encapsulation Protocol from the dropdown box for this IPSec tunnel. Available encapsulations are ESP and AH. Local & Remote Configuration Window
Item Value setting Description
Local Subnet Local Netmask A Must fill setting A Must fill setting Specify the Local Subnet IP address. Specify the Local Subnet Mask. Authentication Configuration Window Item Value setting Description
Key Management Local ID 1. A Must fill setting 2. Pre‐shared Key 8 to 32 characters. An optional setting Select Key Management from the dropdown box for this IPSec tunnel. IKE+Pre‐shared Key: user needs to set a key (Min. 8 characters). Specify the Local ID for this IPSec tunnel to authenticate. 286
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Remote ID An optional setting Select User Name for Local ID and enter the username. The username may include but can’t be all numbers. Select FQDN for Local ID and enter the FQDN. Select User@FQDN for Local ID and enter the User@FQDN. Select Key ID for Local ID and enter the Key ID (English alphabet or number). Specify the Remote ID for this IPSec tunnel to authenticate. Selected User Name for Remote ID and enter the username. The username may include but can’t be all numbers. Select FQDN for Local ID and enter the FQDN. Select User@FQDN for Remote ID and enter the User@FQDN. Select Key ID for Remote ID and enter the Key ID (English alphabet or number).. Note: Remote ID will be not available when Dynamic VPN option in Tunnel Scenario is selected. For the rest IKE Phase, IKE Proposal Definition, IPSec Phase, and IPSec Proposal Definition settings, they are the same as that of creating an IPSec Tunnel described in previous section. Please refer to the related description. 287
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 9.1.5 PPTP The Point‐to‐Point Tunneling Protocol (PPTP) is a method for implementing virtual private networks. PPTP uses a control channel over TCP and a GRE tunnel operating to encapsulate PPP packets. The PPTP specification does not describe encryption or authentication features and relies on the Point‐to‐Point Protocol being tunneled to implement security functionality. However, the most common PPTP implementation shipping with the Microsoft Windows product families implements various levels of authentication and encryption natively as standard features of the Windows PPTP stack. The intended use of this protocol is to provide security levels and remote access levels comparable with typical VPN products. The security gateway can play either "PPTP Server" role or "PPTP Client" role for a PPTP VPN tunnel, or both at the same time for different tunnels. Deploy a security gateway for local office and establish a virtual private network with the remote gateway of another office by using PPTP tunneling. So, all client hosts behind local security gateway can make data communication with others behind remote gateway. Or when you are a mobile user with a notebook or carrying along a security gateway and you want to access the servers and database in company headquarters (HQ). In addition, the security gateway in HQ supports the PPTP VPN server function. So you can dial in the HQ gateway and access the HQ resources by establishing a PPTP VPN tunnel. It is a virtual private network between your device and HQ gateway for your resource accessing. 288
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. PPTP VPN Server Scenario Scenario Application Timing The Scenario diagram illustrates the security gateway 1 at headquarter playing the PPTP VPN server role. The PPTP tunnel is established by starting from PPTP client, the Security Gateway 2 in Network‐B or the mobile device, like notebook. All client hosts behind the Security Gateway 2 or the mobile device can access the resources in the Intranet of Network‐A at headquarters via this established PPTP tunnel. Usually, these hosts at PPTP client peer access the Internet directly via the WAN interface of Security Gateway 2. Only the packets whose destination is in the dedicated subnet to Network‐A will be transferred via the PPTP tunnel. Scenario Description PPTP Tunneling is a Client and Server based tunneling technology. The PPTP Server must have a Static IP or a FQDN and maintain a Client list (account / password). The Client may be a mobile user or mobile site and requesting the PPTP tunnel connection with its account / password. PPTP protocol is used for establishing a PPTP VPN tunnel. 289
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Parameter Setup Example For Network‐A at HQ, following 3 tables list the parameter configuration for above example diagram of PPTP VPN server in Network‐A. Use default value for those parameters that are not mentioned in these tables. Configuration Path PPTP Client/Server [PPTP]‐[Configuration]
Configuration Path PPTP Server Server Virtual IP IP Pool Starting Address IP Pool Ending Address Authentication Protocol MPPE Encryption [PPTP]‐[PPTP Server Configuration]
Configuration Path ID User Name Password Account [PPTP]‐[User Account Configuration]
■ Enable
Server
■ Enable
192.168.101.253
10 (that means 192.168.101.10) 50 (that means 192.168.101.50)
MS‐CHAP
■ Enable 128 bits
1 2
User‐1
User‐2 1234
4321 ■ Enable
■ Enable Scenario Operation Procedure In above diagram, Network‐A is in the headquarters, and the subnet of its Intranet is 10.0.76.0/24. The security gateway for Network‐A has the IP address of 10.0.76.2 for LAN interface and 203.95.80.22 for WAN interface. It serves as a PPTP server. However, Network‐B is in the mobile office and the subnet of its Intranet is 10.0.75.0/24. The security gateway for Network‐B has the IP address of 10.0.75.2 for LAN interface and 118.18.81.33 for WAN interface. It serves as a PPTP client. PPTP server provides two user accounts, User‐1 and User‐2, for PPTP clients dialing in. Establish a PPTP VPN tunnel by starting from the PPTP client site. So both Intranets of 10.0.75.0/24 and 10.0.76.0/24 can securely communicate each other. Finally, the client hosts in the Intranet of Network‐B at mobile office can access the server or database resources in the Intranet of Network‐A at HQ in a secured link. 290
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. PPTP VPN Client Scenario Scenario Application Timing Above diagram illustrates the Security Gateway 2 or the mobile device playing the PPTP VPN client role. The PPTP tunnel is established by the PPTP client making the tunnel connection request initiation and the Security Gateway 1 in Network‐A of headquarters serves as the PPTP VPN server responding to the request. Once the tunnel has been established, all client hosts behind the Security Gateway 2 or the mobile device can access the resources in the Intranet of Network‐A at headquarters via this established PPTP tunnel. Usually, these hosts at PPTP client peer access the Internet directly via the WAN interface of Security Gateway 2. Only the packets whose destination is in the dedicated subnet to Network‐A will be transferred via the PPTP tunnel. But if PPTP client peer is configured to all packets are delivered via the PPTP tunnel, as shown in the diagram by configuring the PPTP tunnel is the default gateway at PPTP client peer, the Internet accessing packets will be also sent to the Security Gateway 1 in Network‐A and be re‐transferred to the Internet. That means the Internet accessing of PPTP Client peer is also controlled by the Security Gateway 1, the PPTP VPN server. 291
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Scenario Description PPTP Tunneling is a Client and Server based tunneling technology. The PPTP Server must have a Static IP or a FQDN, and maintain a Client list (account / password). The Client may be a mobile user or mobile site, and requesting the PPTP tunnel connection with its account / password. PPTP protocol is used for establishing a PPTP VPN tunnel. The PPTP Client’s “Default Gateway/Remote Subnet” setting determines how the Internet traffic from PPTP client site is handled. Parameter Setup Example For Network‐B at Mobile Office Following 3 tables list the parameter configuration for above example diagram of PPTP VPN client in Network‐B. Use default value for those parameters that are not mentioned in these tables. Configuration Path PPTP Client/Server [PPTP]‐[Configuration]
■ Enable
Client
Configuration Path PPTP Client [PPTP]‐[PPTP Client Configuration]
■ Enable
Configuration Path PPTP Client Name Interface Remote IP/FQDN User Name Password Default Gateway/Remote Subnet Authentication Protocol MPPE Encryption Tunnel [PPTP]‐[ Configuration for A PPTP Client]
PPTP #1
WAN 1
203.95.80.22
User‐1
1234
Default Gateway
MS‐CHAP
■ Enable
■ Enable
Scenario Operation Procedure In above diagram, Network‐A is in the headquarters, and the subnet of its Intranet is 10.0.76.0/24. The security gateway for Network‐A has the IP address of 10.0.76.2 for LAN interface and 203.95.80.22 for WAN interface. It serves as a PPTP server. 292
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. However, Network‐B is in the mobile office and the subnet of its Intranet is 10.0.75.0/24. The security gateway for Network‐B has the IP address of 10.0.75.2 for LAN interface and 118.18.81.33 for WAN interface. It serves as a PPTP client. The PPTP client uses "User‐1" user account to dial in the PPTP server at HQ for establishing a PPTP VPN tunnel. So both Intranets of 10.0.75.0/24 and 10.0.76.0/24 can securely communicate each other. Finally, the client hosts in the Intranet of Network‐B at mobile office can access the server or database resources in the Intranet of Network‐A at HQ in a secured link. However, if the "Default Gateway/Remote Subnet" parameter in the Security Gateway 2 is configured to "Default Gateway", the Internet accessing of PPTP Client peer also go through the established PPTP VPN tunnel, and the Security Gateway 1 can control the accessing as same as the HQ resource accessing. Please be noted the "Default Gateway/Remote Subnet" configuration item. There are two options, "Default Gateway" and "Remote Subnet". When you choose "Remote Subnet", you need specify one more setting: the remote subnet. It is for the Intranet of PPTP VPN server. So, at PPTP client peer, the packets whose destination is in the dedicated subnet will be transferred via the PPTP VPN tunnel. Others will be transferred based on current routing policy of the security gateway at PPTP client peer. But, if you choose "Default Gateway" option for the PPTP client peer, all packets will be transferred via the PPTP VPN tunnel. That means the remote PPTP VPN server gateway controls the flowing of any packets from the PPTP client peer. Certainly, those packets come through the PPTP VPN tunnel. 293
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. PPTP Setting The PPTP setting allows user to create and configure PPTP tunnels. Before you proceed, ensure that the VPN is enabled and saved. To enable VPN, go to Security > VPN > Configuration tab. Go to Security > VPN > PPTP tab. Enable PPTP Enable PPTP Window Item Value setting PPTP Unchecked by default Client/Server A Must fill setting Save N/A Description Click the Enable box to activate PPTP function. Specify the role of PPTP. Select Server or Client role your gateway will take. Below are the configuration windows for PPTP Server and for Client. Click Save button to save the settings As a PPTP Server The gateway supports up to a maximum of 10 PPTP user accounts. When Server in the Client/Server field is selected, the PPTP server configuration window will appear. 294
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. PPTP Server Configuration Window Item Value setting Description
PPTP Server Server Virtual IP Unchecked by default 1. A Must fill setting 2. Default is 192.168.0.1 IP Pool Starting Address 1. A Must fill setting 2. Default is 10 IP Pool Ending Address 1. A Must fill setting 2. Default is 100 Authentication Protocol 1. A Must fill setting 2. Unchecked by default MPPE Encryption A Must fill setting Save Undo N/A N/A Check the Enable box to enable PPTP server role of the gateway. Specify the PPTP server Virtual IP address. The virtual IP address will serve as the virtual DHCP server for the PPTP clients. Clients will be assigned a virtual IP address from it after the PPTP tunnel has been established. This is the PPTP server’s Virtual IP DHCP server. User can specify the first IP address for the subnet from which the PPTP client’s IP address will be assigned. This is the PPTP server’s Virtual IP DHCP server. User can specify the last IP address for the subnet from which the PPTP client’s IP address will be assigned. Select single or multiple Authentication Protocols for the PPTP server with which to authenticate PPTP clients. Available authentication protocols are PAP/CHAP/MS‐CHAP/MS‐CHAPv2. Specify whether to support MPPE Protocol. Click the Enable box to enable MPPE and from dropdown box to select 40 bits/56 bits/128 bits. Note: when MPPE Encryption is enabled, the Authentication Protocol PAP/CHAP options will not be available. Click Save button to save the settings. Click Undo button to cancel the settings. PPTP Server Status Window Item Value setting PPTP Server Status N/A Description
It displays the User Name, Remote IP, Remote Virtual IP, and Remote Call ID of the connected PPTP clients. 295
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. User Account List Window Item Value setting User Account List Max.of 10 user accounts Description
This is the PPTP authentication user account entry. You can create and add accounts for remote clients to establish PPTP VPN connection to the gateway device. Click Add button to add user account. Enter User name and password. Then check the enable box to enable the user. Click Save button to save new user account. The selected user account can permanently be deleted by clicking the Delete button. As a PPTP Client When select Client in Client/Server, a series PPTP Client Configuration will appear. PPTP Client Configuration Item Value setting PPTP Client Save Undo Unchecked by default N/A N/A Description
Check the Enable box to enable PPTP client role of the gateway. Click Save button to save the settings. Click Undo button to cancel the settings. Create/Edit PPTP Client The gateway supports up to a maximum of 32 simultaneous PPTP tunnels. When Add/Edit button is applied a series PPTP Client Configuration will appear. 296
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. PPTP Client Configuration Window Item Value setting Tunnel Name Interface A Must fill setting 1. A Must fill setting 2. WAN1 is selected by default 1. A Must fill setting 2. Alwasy on is selected by default Operation Mode Remote IP/FQDN Username 1. A Must fill setting. 2. Format can be a ipv4 address or FQDN A Must fill setting Description
Enter a tunnel name. Enter a name that is easy for you to identify. Select WAN interface on which PPTP tunneling is to be established. There are three available operation modes. Always On, Failover, Load Balance. Failover/ Always Define whether the PPTP client is a failover tunnel function or an always on tunnel. Note: If this PPTP is a failover tunneling, you will need to select a primary IPSec tunnel from which to failover to. Load Balance Define whether the PPTP tunnel connection will take part in load balance function of the gateway. You will not need to select which WAN interface as the system will automatically utilize the available WAN interfaces to balance traffic loads. For more details on WAN Load Balance, refer to Load Balance Usage in this manual. On gateway’s web‐based utility, go to Basic Network > WAN & Uplink > Load Balance tab. Enter the public IP address or the FQDN of the PPTP server. Enter the Username for this PPTP tunnel to be authenticated when 297
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Password A Must fill setting A Must fill setting Default Gateway / Remote Subnet Authentication Protocol MPPE Encryption NAT before Tunneling LCP Echo Type Tunnel Save Undo Back connect to PPTP server. Enter the Password for this PPTP tunnel to be authenticated when connect to PPTP server. Specify a gateway for this PPTP tunnel to reach PPTP server. If the gateway uses its gateway IP address to connect to the internet to connect to the PPTP server then select Default Gateway, otherwise, specified a subnet and its netmask –the remote subnet, if the default gateway is not used to connect to the PPTP server. The Remote Subnet format must be IP address/netmask (e.g. 10.0.0.2/24).
Specify one ore multiple Authentication Protocol for this PPTP tunnel. Available authentication methods are PAP/CHAP/MS‐CHAP/MS‐CHAPv2 1. A Must fill setting 2. Unchecked by default Specify whether PPTP server supports MPPE Protocol. Click the Enable box 1. Unchecked by to enable MPPE. default 2. an optional setting Note: when MPPE Encryption is enabled, the Authentication Protocol PAP/CHAP options will not be available. 1. Unchecked by Check the Enable box to enable NAT function for this PPTP tunnel. default 2. an optional setting Auto is set by default Specify the LCP Echo Type for this PPTP tunnel. Auto, User‐defined, Disable. Auto the system sets the Interval and Max. Failure Time. User‐defined enter the Interval and Max. Failure Time. Disable disable the LCP Echo. Unchecked by Check the Enable box to enable this PPTP tunnel. default N/A Click Save button to save the settings. N/A Click Undo button to cancel the settings. N/A Click Back button to return to the previous page. 298
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 9.1.7 L2TP Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs) or as part of the delivery of services by ISPs. It does not provide any encryption or confidentiality by itself. Rather, it relies on an encryption protocol that it passes within the tunnel to provide privacy. This Gateway can behave as a L2TP server and a L2TP client both at the same time. Deploy a security gateway for local office and establish a virtual private network with the remote gateway of another office by using L2TP tunneling. So, all client hosts behind local security gateway can make data communication with others behind remote gateway. Or when you are a mobile user with your notebook or carrying along a security gateway and you want to access the servers and database in company headquarters (HQ). Moreover, the security gateway in HQ supports the L2TP VPN server function. So you can dial in the HQ gateway and access the HQ resources by establishing an L2TP VPN tunnel. It is a virtual private network between your device and HQ gateway for your resource accessing. L2TP VPN Server Scenario 299
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Scenario Application Timing Above diagram illustrates the security gateway at headquarters playing the L2TP VPN server role. The L2TP tunnel is established by starting from L2TP client, the Security Gateway 2 in Network‐B or the mobile device, like notebook. All client hosts behind the Security Gateway 2 or the mobile device can access the resources in the Intranet of Network‐A at headquarters via this established L2TP tunnel. Usually, these hosts at L2TP client peer access the Internet directly via the WAN interface of Security Gateway 2. Only the packets whose destination is in the dedicated subnet to Network‐A will be transferred via the L2TP tunnel. Scenario Description L2TP Tunneling is a Client and Server based tunneling technology. The L2TP Server must have a Static IP or a FQDN, and maintain a Client list (account / password); The Client may be a mobile user or mobile site, and requesting the L2TP tunnel connection with its account / password. L2TP protocol is used for establishing an L2TP VPN tunnel. Parameter Setup Example For Network‐A at HQ Following 3 tables list the parameter configuration for above example diagram of L2TP VPN server in Network‐A. Use default value for those parameters that are not mentioned in these tables. Configuration Path L2TP Client/Server [L2TP]‐[Configuration]
Configuration Path L2TP Server L2TP over IPSec Server Virtual IP IP Pool Starting Address IP Pool Ending Address Authentication Protocol MPPE Encryption Service Port [L2TP]‐[L2TP Server Configuration]
■ Enable
Server
■ Enable
■ Enable Preshare Key 12345678
192.168.101.253
10 (that means 192.168.101.10) 50 (that means 192.168.101.50)
MS‐CHAP
■ Enable 128 bits
1701
300
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. [L2TP]‐[User Account Configuration]
Configuration Path ID User Name Password Account 1 2
User‐1
User‐2 1234
4321
■ Enable
■ Enable Scenario Operation Procedure In above diagram, Network‐A is in the headquarters, and the subnet of its Intranet is 10.0.76.0/24. The security gateway for Network‐A has the IP address of 10.0.76.2 for LAN interface and 203.95.80.22 for WAN interface. It serves as a L2TP server. However, Network‐B is in the mobile office and the subnet of its Intranet is 10.0.75.0/24. The security gateway for Network‐B has the IP address of 10.0.75.2 for LAN interface and 118.18.81.33 for WAN interface. It serves as a L2TP client. L2TP server provides two user accounts, User‐1 and User‐2, for L2TP clients dialing in. Establish a L2TP VPN tunnel by starting from the L2TP client site. So both Intranets of 10.0.75.0/24 and 10.0.76.0/24 can securely communicate each other. Finally, the client hosts in the Intranet of Network‐B at mobile office can access the server or database resources in the Intranet of Network‐A at HQ in a secured link. 301
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. L2TP VPN Client Scenario Scenario Application Timing Above diagram illustrates the Security Gateway 2 or the mobile device playing the L2TP VPN client role. The L2TP tunnel is established by the L2TP client making the tunnel connection request initiation and the Security Gateway 1 in Network‐A of headquarters serves as the L2TP VPN server responding to the request. Once the tunnel has been established, all client hosts behind the Security Gateway 2 or the mobile device can access the resources in the Intranet of Network‐A at headquarters via this established L2TP tunnel. Usually, these hosts at L2TP client peer access the Internet directly via the WAN interface of Security Gateway 2. Only the packets whose destination is in the dedicated subnet to Network‐A will be transferred via the L2TP tunnel. But if L2TP client peer is configured to all packets are delivered via the L2TP tunnel, as shown in the diagram by configuring the L2TP tunnel is the default gateway at L2TP client peer, the Internet accessing packets will be also sent to the Security Gateway 1 in Network‐A and be re‐transferred to the Internet. That means the Internet accessing of L2TP Client peer is also controlled by the Security Gateway 1, the L2TP VPN server. 302
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Scenario Description L2TP Tunneling is a Client and Server based tunneling technology. The L2TP Server must have a Static IP or a FQDN, and maintain a Client list (account / password). The Client may be a mobile user or mobile site, and requesting the L2TP tunnel connection with its account / password. L2TP protocol is used for establishing a L2TP VPN tunnel. The L2TP Client’s “Default Gateway/Remote Subnet” setting determines how the Internet traffic from L2TP client site is handled. The L2TP over IPSec is usually used for BYOD devices to establish a secure VPN tunnel between mobile employees and company office. Parameter Setup Example For Network‐B at Mobile Office Following 3 tables list the parameter configuration for above example diagram of L2TP VPN client in Network‐B. Use default value for those parameters that are not mentioned in these tables. Configuration Path L2TP Client/Server [L2TP]‐[Configuration]
■ Enable
Client
Configuration Path L2TP Client [L2TP]‐[L2TP Client Configuration]
■ Enable
Configuration Path L2TP Client Name Interface L2TP over IPSec Remote LNS IP/FQDN Remote LNS Port User Name Password Default Gateway/Remote Subnet Authentication Protocol MPPE Encryption Service Port Tunnel [L2TP]‐[ Configuration for A L2TP Client]
L2TP #1
WAN 1
■ Enable Preshare Key: 12345678
203.95.80.22
1701
User‐1
1234
Default Gateway
MS‐CHAP
■ Enable
Auto
■ Enable
303
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Scenario Operation Procedure In above diagram, Network‐A is in the headquarters, and the subnet of its Intranet is 10.0.76.0/24. The security gateway for Network‐A has the IP address of 10.0.76.2 for LAN interface and 203.95.80.22 for WAN interface. It serves as a L2TP server. However, Network‐B is in the mobile office and the subnet of its Intranet is 10.0.75.0/24. The security gateway for Network‐B has the IP address of 10.0.75.2 for LAN interface and 118.18.81.33 for WAN interface. It serves as a L2TP client. The L2TP client uses "User‐1" user account to dial in the L2TP server at HQ for establishing a L2TP VPN tunnel. So both Intranets of 10.0.75.0/24 and 10.0.76.0/24 can securely communicate each other. Finally, the client hosts in the Intranet of Network‐B at mobile office can access the server or database resources in the Intranet of Network‐A at HQ in a secured link. However, if the "Default Gateway/Remote Subnet" parameter in the Security Gateway 2 is configured to "Default Gateway", the Internet accessing of L2TP Client peer also go through the established L2TP VPN tunnel, and the Security Gateway 1 can control the accessing as same as the HQ resource accessing. Please be noted that "Default Gateway/Remote Subnet" configuration item. There are two options, "Default Gateway" and "Remote Subnet". When you choose "Remote Subnet", you need specify one more setting: the remote subnet. It is for the Intranet of L2TP VPN server. So, at L2TP client peer, the packets whose destination is in the dedicated subnet will be transferred via the L2TP VPN tunnel. Others will be transferred based on current routing policy of the security gateway at L2TP client peer. But, if you choose "Default Gateway" option for the L2TP client peer, all packets will be transferred via the L2TP VPN tunnel. That means the remote L2TP VPN server gateway controls the flowing of any packets from the L2TP client peer. Certainly, those packets come through the L2TP VPN tunnel. 304
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. L2TP Setting The L2TP setting allows user to create and configure L2TP tunnels. Before you proceed ensure that the VPN is enabled and saved. To enable VPN, go to Security > VPN > Configuration tab. Go to Security > VPN > L2TP tab. Enable L2TP Enable L2TP Window Item Value setting L2TP Unchecked by default Client/Server A Must fill setting Save N/A Description Click the Enable box to activate L2TP function. Specify the role of L2TP. Select Server or Client role your gateway will take. Below are the configuration windows for L2TP Server and for Client. Click Save button to save the settings As a L2TP Server When select Server in Client/Server, the L2TP server Configuration will appear. 305
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. L2TP Server Configuration
Item Value setting L2TP Server L2TP over IPSec The box is unchecked by default The box is unchecked by default Server Virtual IP A Must filled setting IP Pool Starting Address A Must filled setting IP Pool Ending Address A Must filled setting Authentication Protocol A Must filled setting MPPE Encryption A Must filled setting Service Port Save Undo A Must filled setting N/A N/A Description
When click the Enable box It will active L2TP server When click the Enable box. It will enable L2TP over IPSec and need to fill in the Pre‐shared Key. Specify the L2TP server Virtual IP It will set as this L2TP server local virtual IP Specify the L2TP server starting IP of virtual IP pool It will set as the starting IP which assign to L2TP client Specify the L2TP server ending IP of virtual IP pool It will set as the ending IP which assign to L2TP client Specify the Authentication Protocol which this L2TP server allowed. Selected PAP/CHAP/MS‐CHAP/MS‐CHAPv2 ‐>It will set as the authentication protocol which is checked. Specify the MPPE Protocol which this L2TP server allowed. When Click the Enable box ‐>It will enable MPPE Selected 40 bits/56 bits/128 bits ‐>It will set as the MPPE encryption which is chose. Note_1: If Enable box is be clock, Authentication Protocol PAP/CHAP will be available. Specify the Service Port which L2TP server use. Click the Save button to save the configuration. Click the Undo button to recovery the configuration. L2TP Server Status Item Value setting L2TP Server Status N/A Description
Show the L2TP client information which connect to this L2TP server. Click the Refresh button to renew the L2TP client information. 306
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. User Account List Item Value setting User Account List Description Specify the User Account which allow client to authenticate. Click Add button to add user account. Click Delete button to delete user account. Click Enable button to enable user account. Specify Username ‐>Fill in the username. Specify Password ‐>Fill in the password Click save button to save user account. N/A As a L2TP Client When select Client in Client/Server, a series L2TP Client Configuration will appear. L2TP Client Configuration
Item Setting Value setting L2TP Client Save Undo The box is unchecked by default N/A N/A Description When click the Enable box It will activate L2TP Client. Click the Save button to save the configuration. Click the Undo button to recovery the configuration. 307
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Create/Edit L2TP Client When Add/Edit button is applied a series of configuration screen will appear. L2TP Client Configuration
Item Setting Value setting Tunnel Name A Must filled setting Interface A Must filled setting Operation Mode 1. A Must fill setting 2. Alwasy on is Description
When fill in the name It will be used to identify it in the tunnel list Define the selected interface to be the used for this L2TP tunnel Select WAN‐1 for this IPSec tunnel using. (WAN‐1 is available only when WAN‐1 interface is enabled) The same applies to other WAN interfaces (i.e. WAN‐2). There are three available operation modes. Always On, Failover, Load Balance. 308
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. selected by default L2TP over IPSec The box is unchecked by default Remote LNS IP/FQDN A Must filled setting Remote LNS Port A Must filled setting Username A Must filled setting Password A Must filled setting The box is Tunneling unchecked by Password(Optional) default Default Gateway / Remote Subnet A Must filled setting Authentication Protocol A Must filled setting MPPE Encryption The box is unchecked by default NAT before Tunneling The box is unchecked by default LCP Echo Type A Must filled setting Failover/ Always Define whether the L2TP client is a failover tunnel function or an always on tunnel. Note: If this L2TP is a failover tunneling, you will need to select a primary IPSec tunnel from which to failover to. Load Balance Define whether the L2TP tunnel connection will take part in load balance function of the gateway. You will not need to select which WAN interface as the system will automatically utilize the available WAN interfaces to balance traffic loads. For more details on WAN Load Balance, refer to Load Balance Usage in this manual. On gateway’s web‐based utility, go to Basic Network > WAN & Uplink > Load Balance tab. When click the Enable box. It will enable L2TP over IPSec and need to fill in the Pre‐shared Key. Specify the Remote LNS IP/FQDN for this L2TP tunnel. Fill in the IP address or FQDN. Specify the Remote LNS Port for this L2TP tunnel. Fill in the value for LNS port. Specify the Username for this L2TP tunnel to authenticate when connect to server. Fill in the string as username. Specify the Password for this L2TP tunnel to authenticate when connect to server. Specify the Tunneling Password for this L2TP tunnel to authenticate. Specify Default Gateway/Remote Subnet for this L2TP tunnel. Selected Default Gateway ‐>The IP address box will not be available. Selected the Remote Subnet ‐>Filled the remote subnet address/remote subnet mask. Specify Authentication Protocol for this L2TP tunnel will can be used. Click the PAP/CHAP/MS‐CHAP/MS‐CHAP v2 ‐>The protocol will be enable which box is click. When click the Enable box ‐>It will enable MPPE for this L2TP tunnel. Note_1: If Enable box is be click, Authentication Protocol PAP/CHAP will be not available. When click the Enable box ‐>It will enable NAT for this L2TP tunnel. Specify the LCP Echo Type for this L2TP tunnel. Select Auto ‐>Auto setting the Interval and Max. Failure Time. Selected User‐defined ‐>Fill in the Interval and Max. Failure Time for LCP. 309
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Service Port Tunnel Save Undo Back A Must filled setting The box is unchecked by default N/A N/A N/A Selected Disable ‐>Disable LCP Echo and it will be not available. Specify the Service Port for this L2TP tunnel to use. When click Enable It will enable this L2TP tunnel Click the Save button to save the configuration. Click the Undo button to recovery the configuration. Click the Back button to return the last page. 310
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 9.1.9 GRE Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco Systems that encapsulate a wide variety of network layer protocols inside virtual point‐to‐point links over an Internet Protocol internetwork. Deploy a security gateway for local office and establish a virtual private network with the remote gateway of another office by using GRE tunneling. So, all client hosts behind local security gateway can make data communication with others behind remote gateway. The most popular scenario is the security gateway is located at a branch office. Employees in the branch office want to use their client hosts or devices behind the security gateway to access the resources in headquarters. These resources are located in the Intranet of headquarters, and the security gateway in headquarters supports the GRE tunneling function. Then local security gateway can establish a GRE VPN tunnel with remote gateway in headquarters. Client hosts in these both Intranets of branch office and headquarters can make data communication each other. GRE Tunnel at HQ Peer Scenario Application Timing Above diagram illustrates the security gateway in headquarters playing the GRE server role. In fact, the GRE tunnel establishment can be started from either site. The GRE tunnel is established by starting from GRE client, the Security Gateway 2 in Network‐B. All client hosts behind the Security Gateway 2 or the mobile device can access the resources in the Intranet of Network‐A at headquarters via this established GRE tunnel. Usually, these hosts at GRE 311
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. client peer access the Internet directly via the WAN interface of Security Gateway 2. Only the packets whose destination is in the dedicated subnet to Network‐A will be transferred via the GRE tunnel. Scenario Description GRE Tunneling is similar to IPSec Tunneling, client requesting the tunnel establishment with the server. Both the client and the server must have a Static IP or a FQDN. Any peer gateway can be worked as either a client or a server, even using the same set of configuration rule. GRE Tunneling protocol is used for establishing a GRE VPN tunnel. Parameter Setup Example For Network‐A at HQ Following 2 tables list the parameter configuration for above example diagram of GRE VPN server in Network‐A. Use default value for those parameters that are not mentioned in these tables. Configuration Path GRE [GRE]‐[Configuration]
■ Enable
Configuration Path Tunnel Name Interface Operation Mode Tunnel IP Remote IP Key TTL Default Gateway/Remote Subnet Tunnel [GRE]‐[GRE Rule Configuration]
GRE HQ
WAN 1
Always on
203.95.80.22 118.18.81.33
1234
255
Remote Subnet 10.0.75.0/24
■ Enable
Scenario Operation Procedure In above diagram, Network‐A is in the headquarters, and the subnet of its Intranet is 10.0.76.0/24. The security gateway for Network‐A has the IP address of 10.0.76.2 for LAN interface and 203.95.80.22 for WAN interface. It serves as a GRE server. However, Network‐B is in the mobile office and the subnet of its Intranet is 10.0.75.0/24. The security gateway for Network‐B has the IP address of 10.0.75.2 for LAN interface and 312
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 118.18.81.33 for WAN interface. It serves as a GRE client. Establish a GRE VPN tunnel by starting from the GRE client site. So both Intranets of 10.0.75.0/24 and 10.0.76.0/24 can communicate each other. Finally, the client hosts in the Intranet of Network‐B at mobile office can access the server or database resources in the Intranet of Network‐A at HQ in a tunnel. GRE Tunnel at Branch Office Scenario Application Timing Above diagram illustrates the security gateway in headquarters playing the GRE client role. In fact, the GRE tunnel establishment can be started from either site. The GRE tunnel is established by starting from GRE client, the Security Gateway 2 in Network‐B. All client hosts behind the Security Gateway 2 or the mobile device can access the resources in the Intranet of Network‐A at headquarters via this established GRE tunnel. Usually, these hosts at GRE client peer access the Internet directly via the WAN interface of Security Gateway 2. Only the packets whose destination is in the dedicated subnet to Network‐A will be transferred via the GRE tunnel. But if GRE client peer is configured to all packets are delivered via the GRE tunnel, as shown in the diagram by configuring the GRE tunnel is the default gateway at GRE client peer, the Internet accessing packets will be also sent to the Security Gateway 1 in Network‐A and be re‐transferred to the Internet. That means the Internet accessing of GRE Client peer is also controlled by the Security Gateway 1, the LGRE VPN server. Scenario Description 313
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. GRE Tunneling is similar to IPSec Tunneling, client requesting the tunnel establishment with the server. Both the client and the server must have a Static IP or a FQDN. Any peer gateway can be worked as either a client or a server, even using the same set of configuration. GRE Tunneling protocol is used for establishing a GRE VPN tunnel. If the GRE server at HQ supports DMVPN Hub function, like Cisco router as the VPN concentrator, the GRE client at branch office can activate the DMVPN spoke function here since it is implemented by GRE over IPSec tunneling. The GRE Client’s “Default Gateway/Remote Subnet” setting determines how the Internet traffic from GRE client site is handled. Parameter Setup Example For Network‐B at Branch Office Following 2 tables list the parameter configuration for above example diagram of GRE VPN server in Network‐B. Use default value for those parameters that are not mentioned in these tables. Configuration Path GRE [GRE]‐[Configuration]
■ Enable
Configuration Path Tunnel Name Interface Operation Mode Tunnel IP Remote IP Key TTL Default Gateway/Remote Subnet Tunnel [GRE]‐[GRE Rule Configuration]
GRE BO
WAN 1
Always on
118.18.81.33 203.95.80.22
1234
255
Default Gateway
■ Enable
Scenario Operation Procedure In above diagram, Network‐A is in the headquarters, and the subnet of its Intranet is 10.0.76.0/24. The security gateway for Network‐A has the IP address of 10.0.76.2 for LAN interface and 203.95.80.22 for WAN interface. It serves as a GRE server. However, Network‐B is in the branch office and the subnet of its Intranet is 10.0.75.0/24. The security gateway for Network‐B has the IP address of 10.0.75.2 for LAN interface and 314
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 118.18.81.33 for WAN interface. It serves as a GRE client. The GRE client in the Security Gateway 2 establishes a GRE VPN tunnel with the GRE server in the Security Gateway 1. So both Intranets of 10.0.75.0/24 and 10.0.76.0/24 can communicate each other. Finally, the client hosts in the Intranet of Network‐B at branch office can access the server or database resources in the Intranet of Network‐A at HQ in a tunnel. However, if the "Default Gateway/Remote Subnet" parameter in the Security Gateway 2 is configured to "Default Gateway", the Internet accessing of GRE Client peer also go through the established GRE VPN tunnel, and the Security Gateway 1 can control the accessing as same as the HQ resource accessing. 315
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. GRE Setting The GRE setting allows user to create and configure GRE tunnels. Before you proceed, ensure that the VPN is enabled and saved. To enable VPN, go to Security > VPN > Configuration tab. Go to Security > VPN > GRE tab. Enable GRE Enable GRE Window Item Value setting GRE Tunnel Max. Concurrent GRE Tunnels Save Undo Unchecked by default Description
Click the Enable box to enable GRE function. It specifies the maximum number of simultaneous GRE tunnel 1. 32 is set by default connections. 2. Max. of 32 Note: The maximum supported tunnels can be different for the purchased connections gateway. N/A Click Save button to save the settings N/A Click Undo button to cancel the settings Create/Edit GRE tunnel When Add/Edit button is applied, a GRE Rule Configuration screen will appear. 316
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. GRE Rule Configuration Window Item Value setting Description
Tunnel Name Enter a tunnel name. Enter a name that is easy for you to identify. Interface Operation Mode A Must fill setting 1. A Must fill setting 2. WAN 1 is selected by default 1. A Must fill setting 2. Alway on is selected by default Select WAN interface on which GRE tunnel is to be established. There are three available operation modes. Always On, Failover, Load Balance. Failover/ Always Define whether the GRE tunnel is a failover tunnel function or an Always on tunnel. Note: If this GRE is a failover tunneling, you will need to select a primary GRE tunnel from which to failover to. Load Balance Define whether the GRE tunnel connection will take part in load balance function of the gateway. You will not need to select with WAN interface as the system will automatically utilize the available WAN interfaces to balance traffic loads. For more details on WAN Load Balance, refer to Load Balance Usage in this manual. On gateway’s web‐based utility, go to Basic Network > WAN & Uplink > Load Balance tab. Note: Failover and Load Balance functions are not available for Dynamic VPN specified in Tunnel Scenario. 317
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Tunnel IP An Optional setting Remote IP A Must fill setting Key An Optional setting 1. A Must fill setting 2. 1 to 255 range 1. Unchecked by default 2. 5s is set by default TTL Keep alive Default Gateway / Remote Subnet DMVPN Spoke IPSec Pre‐shared Key A Must fill setting Unchecked by default 2. Pre‐shared Key 8 to 32 character length IPSec NAT Traversal Unchecked by default IPSec Encapsulation Mode Unchecked by default Tunnel Save Undo Back Unchecked by default N/A N/A N/A Enter the Tunnel IP address. Enter the Remote IP address of remote GRE tunnel gateway. Normally this is the public IP address of the remote GRE gateway. Enter the Key for the GRE connection. Specify TTL hop‐count value for this GRE tunnel. Check the Enable box to enable Keep alive function. Select Ping IP to keep live and enter the IP address to ping. Enter the ping time interval in seconds. Specify a gateway for this GRE tunnel to reach GRE server. If the gateway uses its gateway IP address to connect to the internet to connect to the GRE server then select Default Gateway, otherwise, specified a subnet and its netmask –the remote subnet, if the default gateway is not used to connect to the GRE server. The Remote Subnet format must be IP address/netmask (e.g. 10.0.0.2/24).
Specify whether the gateway will support DMVPN Spoke for this GRE tunnel. Check Enable box to enable DMVPN Spoke. Enter a DMVPN spoke authentication Pre‐shared Key. Note: Pre‐shared Key will not be available when DMVPN Spoke is not enabled. Check Enable box to enable NAT‐Traversal. Note: IPSec NAT Traversal will not be available when DMVPN is not enabled. Specify IPSec Encapsulation Mode from the dropdown box. There are Transport mode and Tunnel mode supported. Note: IPSec Encapsulation Mode will not be available when DMVPN is not enabled. Check Enable box to enable this GRE tunnel. Click Save button to save the settings. Click Undo button to cancel the settings. Click Back button to return to the previous page. 318
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 9.1.b OpenVPN OpenVPN is an application that implements virtual private network (VPN) techniques for creating secure point‐to‐point or site‐to‐site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. OpenVPN allows peers to authenticate each other using a Static key or certificates.When used in a multi‐client‐server configuration, it allows the server to release an authentication certificate for every client, using signature and Certificate authority. It uses the OpenSSL encryption library extensively, as well as the SSLv3/TLSv1 protocol, and contains many security and control features. Deploy a security gateway for local office and establish a virtual private network with the remote gateway of another office by using OpenVPN. So, all client hosts behind local security gateway can make data communication with others behind remote gateway. In the case when you are a mobile user with your notebook or carrying along a security gateway to access the servers and database in company headquarters (HQ). And that the security gateway in HQ supports the OpenVPN server function. You can dial in the HQ gateway and access the HQ resources by establishing an OpenVPN tunneling. It is a virtual private network between your device and HQ gateway for your resource accessing. OpenVPN Server Scenario 319
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Scenario Application Timing Above diagram illustrates the security gateway at headquarters playing the OpenVPN server role. The OpenVPN tunnel is established by starting from OpenVPN client, the Security Gateway 2 in Network‐B or the mobile device, like notebook. All client hosts behind the Security Gateway 2 or the mobile device can access the resources in the Intranet of Network‐A at headquarters via this established OpenVPN tunnel. Usually, these hosts at OpenVPN client peer access the Internet directly via the WAN interface of Security Gateway 2. Only the packets whose destination is in the dedicated subnet to Network‐A will be transferred via the OpenVPN tunnel. Scenario Description OpenVPN Tunneling is a Client and Server based tunneling technology. The OpenVPN Server must have a Static IP or a FQDN, and maintain a Client list. The Client may be a mobile user or mobile site, and requesting the OpenVPN tunnel connection. Parameter Setup Example For Network‐A at HQ, following tables list the parameter configuration for above example diagram of OpenVPN server in Network‐A. Use default value for those parameters that are not mentioned in these tables. [OpenVPN]‐[Configuration]
Configuration Path OpenVPN Server/Client Configuration Path OpenVPN Server Protocol Port Tunnel Device Authorization Mode IP Pool Starting Address ■ Enable
Server Configuration
[OpenVPN]‐[OpenVPN Server Configuration]
■ Enable TCP 443 TAP PS: TAP also called “Bridging” behaves like a real network adapter and Broadcast traffic can transport. TUN called “Routing” transports only layer 3 IP packets. The user has to add routing rule according to the environment so that packets transfer smoothly. TLS CA Cert: RootCA, Server Cert: Local.crt DH PEM : Default ‐‐‐‐‐BEGIN DH PARAMETERS‐‐‐‐‐ MIGHAoGBAMq4z88pL8X1dzmDmnr7nyV3w3L1rDU4Q+4SJiGQjR6b2nb4tf9jw/
QJ W/ENgduKKXsltYSAzOZ9gXoNxwFGc9nKd4LfGpjQl9lIoHTp0eTdb9b5EKeR6B7h QxkfLBwVv1YZh9oUXm6pdewpg2QdZ2KtiOlMpgsJyaqRMQ3MlNB7AgEC ‐‐‐‐‐END DH PARAMETERS‐‐‐‐‐ PS: Security Gateway 1 is the role of RootCA and trusted CA. 10.0.76.100 320
In‐Vehicle Hotspot Gateway
IP Pool Ending Address Gateway Netmask Encryption Cipher Hash Algorithm Index skipping is used to reserve slots for new function insertion, when required. 10.0.76.150 10.0.76.253 255.255.255.0/24
Blowfish SHA‐1 Scenario Operation Procedure In above diagram, Network‐A is in the headquarters, and the subnet of its Intranet is 10.0.76.0/24. The security gateway for Network‐A has the IP address of 10.0.76.2 for LAN interface and 203.95.80.22 for WAN interface. It serves as an OpenVPN server. Network‐B is in the mobile office and the subnet of its Intranet is 10.0.75.0/24. The security gateway for Network‐B has the IP address of 192.168.1.253 for LAN interface and 118.18.81.33 for WAN interface. It serves as an OpenVPN client. Establish an OpenVPN VPN tunnel by starting from the OpenVPN client site. So hosts in Network‐B can access hosts or servers in Network‐A. But can’t access from Network‐A to Network‐B. To communicate each other securely between Intranets of 10.0.75.0/24 and 192.168.1.0/24, please add route policy according to the environment by checking the "Enable" box of Advanced Configuration. OpenVPN Client Scenario 321
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Scenario Application Timing Above diagram illustrates the Security Gateway 2 or the mobile device playing the OpenVPN VPN client role. The OpenVPN tunnel is established by the OpenVPN client making the tunnel connection request initiation and the Security Gateway 1 in Network‐A of headquarters serves as the OpenVPN server responding to the request. Once the tunnel has been established, all client hosts behind the Security Gateway 2 or the mobile device can access the resources in the Intranet of Network‐A at headquarters via this established OpenVPN tunnel. Moreover, these hosts at OpenVPN client peer access the Internet directly via the WAN interface of Security Gateway 1. As shown in the diagram by configuring the OpenVPN tunnel set “TAP” for OpenVPN client peer, the Internet accessing packets will be also sent to the Security Gateway 1 in Network‐A and be re‐transferred to the Internet. That means the Internet accessing of OpenVPN Client peer is also controlled by the Security Gateway 1, the OpenVPN VPN server. Scenario Description OpenVPN Tunneling is a Client and Server based tunneling technology. The OpenVPN Server must have a Static IP or a FQDN, and maintain a Client list; The Client may be a mobile user or mobile site, and requesting the OpenVPN tunnel connection. OpenVPN protocol is used for establishing an OpenVPN tunnel. Parameter Setup Example For Network‐B at Mobile Office, following 3 tables list the parameter configuration for above example diagram of OpenVPN VPN client in Network‐B. Use default value for those parameters that are not mentioned in these tables. Configuration Path OpenVPN Server/Client [OpenVPN]‐[Configuration]
Configuration Path OpenVPN Client Name Interface Protocol Port Tunnel Device [OpenVPN]‐[OpenVPN Client Configuration]
■ Enable
Client Configuration
Client1 WAN1
TCP
443
TAP
PS: TAP also called “Bridging” behaves like a real network adapter and Broadcast traffic can transport. TUN called “Routing” transports only layer 3 IP packets. The user has to 322
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. add routing rule according to the environment so that packets transfer smoothly. 203.95.80.22
Remote IP/FQDN Authorization Mode 10.0.76.0/24
TLS
CA Cert: RootCA, Client Cert: Remote.crt Blowfish
Encryption Cipher Hash Algorithm SHA‐1
Scenario Operation Procedure In above diagram, Network‐A is in the headquarters, and the subnet of its Intranet is 10.0.76.0/24. The security gateway for Network‐A has the IP address of 10.0.76.2 for LAN interface and 203.95.80.22 for WAN interface. It serves as an OpenVPN server. However, Network‐B is in the mobile office and the subnet of its Intranet is 10.0.75.0/24. The security gateway for Network‐B has the IP address of 192.168.1.253 for LAN interface and 118.18.81.33 for WAN interface. It serves as an OpenVPN client. The OpenVPN client dials in the OpenVPN server at HQ for establishing an OpenVPN tunnel. So hosts in Network‐B can access hosts or servers in Network‐A. But can’t access from Network‐A to Network‐B. However, if the "Default Gateway/Remote Subnet" parameter in the Security Gateway 2 is configured to "Default Gateway", the Internet accessing of OpenVPN Client peer also go through the established OpenVPN VPN tunnel, and the Security Gateway 1 can control the accessing as same as the HQ resource accessing. 323
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Open VPN Setting The OpenVPN setting allows user to create and configure OpenVPN tunnels. Before you proceed ensure that the VPN is enabled and saved. To enable VPN, go to Security > VPN > Configuration tab. Go to Security > VPN > OVPN tab. Enable OpenVPN Enable OpenVPN and select an expected configuration, either server or client, for the gateway to operate. Configuration Item Value setting Description OpenVPN Check the Enable box to activate the OpenVPN function. Server/ Client The box is unchecked by default Server Configuration is selected by default. When Server Configuration is selected, as the name indicated, server configuration will be displayed below for further setup. When Client Configuration is selected, you can specify the client settings in another client configuration window. As an OpenVPN Server If Server Configuration is selected, an OpenVPN Server Configuration screen will appear. 324
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. OpenVPN Server Configuration Item Value setting OpenVPN Server Protocol The box is unchecked by default. 1. A Must filled setting 2. By default TCP is selected. Port 1.
2.
Tunnel Device 1.
2.
Authorization Mode 1.
2.
A Must filled setting By default 4430 is set. A Must filled setting By default TUN is selected. A Must filled setting By default Static Key is selected. Description
Click the Enable to activate OpenVPN Server functions. Define the selected Protocol for connecting to the OpenVPN Server.

Select TCP , or TCP /UDP ‐> The TCP protocol will be used to access the OpenVPN Server, and Port will be set as 443 automatically. 
Select UDP ‐> The UDP protocol will be used to access the OpenVPN Server, and Port will be set as 1194 automatically. Specify the Port for connecting to the OpenVPN Server. Specify the type of Tunnel Device for connecting to the OpenVPN Server. It can be TUN for TUN tunnel device, or TAP for TAP tunnel device. Specify the authorization mode for the OpenVPN Server. 
Static Key ‐>The OpenVPN will use static key authorization mode, and the following items Local Endpoint IP Address, Remote Endpoint IP Address and Static 325
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Local Endpoint IP Address A Must filled setting Remote Endpoint IP Address Static Key A Must filled setting Server Virtual IP A Must filled setting DHCP‐Proxy Mode 1.
2.
A Must filled setting IP Pool A Must filled setting The box is checked by default. A Must filled setting Gateway A Must filled setting Netmask By default ‐ select one ‐ is selected. Encryption By default Blowfish is Cipher selected. Hash Algorithm By default SHA‐1 is selected. LZO By default Adaptive is Compression selected. Advanced The box is unchecked by Configuration default. Save N/A Undo N/A Key will be displayed.

TLS ‐>The OpenVPN will use TLS authorization mode, and the following items CA Cert., Server Cert. and DH PEM will be displayed. CA Cert. could be generated in Certificate. Refer to Object Definition > Certificate > Trusted Certificate. Server Cert. could be generated in Certificate. Refer to Object Definition > Certificate > My Certificate. DH PEM should let user enter the content. Specify the Local Endpoint IP Address.
Note_1: Local Endpoint IP Address will be available only when Static Key is chosen in Authorization Mode. Specify the Remote Endpoint IP Address.
Note_1: Remote Endpoint IP Address will be available only when Static Key is chosen in Authorization Mode. Specify the Static Key.
Note_1: Static Key will be available only when Static Key is chosen in Authorization Mode. Specify the Server Virtual IP.
Note_1: Server Virtual IP will be available only when TLS is chosen in Authorization Mode. Specify the DHCP‐Proxy Mode.
Note_1: DHCP‐Proxy Mode will be available only when TAP is chosen in Tunnel Device. Specify the virtual IP pool for the OpenVPN server. You have to specify the Starting Address and Ending Address as the IP address pool for the OpenVPN clients. Note_1: IP Pool will be available only when TAP is chosen in Tunnel Device and DHCP‐Proxy Mode is unchecked. Specify the Gateway for the OpenVPN server.
Note_1: Gateway will be available only when TAP is chosen in Tunnel Device and DHCP‐Proxy Mode is unchecked. Specify the Netmask for the OpenVPN server.
Note_1: Netmask will be available when TAP is chosen in Tunnel Device and DHCP‐Proxy Mode is unchecked. Note_2: Netmask will be available when TUN is chosen in Tunnel Device. Specify the Encryption Cipher.
It can be Blowfish/AES‐256/AES‐192/AES‐128/None. Specify the Hash Algorithm
It can be SHA‐1/MD5/MD4/SHA2‐256/SHA2‐512/None. Specify the LZO Compression scheme.
It can be Adaptive/YES/NO/NO Adaptive. Specify the Advanced Configuration setting for the OpenVPN server.
If it is checked, Advanced Configuration will be displayed below. Click Save to save the settings.
Click Undo to cancel the changes.
326
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. When selected Advanced Configuration in OpenVPN Server Configuration ‐ OpenVPN Server Advanced Configuration Item Value setting Description TLS Auth. Key String format: any text Redirect Default Gateway Tunnel MTU The box is checked by default 1.
2.
Specify the TLS Auth. Key.
Note_1: TLS Auth. Key will be available only when TLS is chosen in Authorization Mode. Check the box to enable the Redirect Default Gateway. Tunnel UDP Fragment A Must filled setting The value is 1500 by default The value is 1500 by default Specify the Tunnel MTU.
Tunnel UDP MSS‐Fix The box is unchecked by default. CCD‐Dir Default File Client Connection Script Additional Configuration String format: any text Specify the Tunnel UDP Fragment.
Note_1: Tunnel UDP Fragment will be available only when UDP is chosen in Protocol. Check the box to enable the Tunnel UDP MSS‐Fix. Note_1: Tunnel UDP MSS‐Fix will be available only when UDP is chosen in Protocol. Specify the CCD‐Dir Default File.
String format: any text Specify the Client Connection Script.
String format: any text Specify the Additional Configuration.
327
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. As an OpenVPN Client If Client Configuration is selected, an OpenVPN Client List screen will appear. When Add/Edit button is applied, a series of OpenVPN Client Configuration will appear. OpenVPN Client Configuration Item Value setting Description
OpenVPN Client Name Interface The OpenVPN Client Name will be used to identify the client in the tunnel list. Define the physical interface to be used for this OpenVPN Client tunnel.
A Must filled setting 1.
2.
Protocol 3.
4.
A Must filled setting By default WAN‐
1 is selected. A Must filled setting By default TCP is selected. Define the Protocol for the OpenVPN Client.

Select TCP or TCP /UDP ‐>The OpenVPN will use TCP protocol, and Port will be set as 443 automatically. 328
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Port Tunnel Device Remote IP/FQDN Remote Subnet Authorization Mode Local Endpoint IP Address Remote Endpoint IP Address Static Key Encryption Cipher Hash Algorithm LZO Compression Advanced Configuration Tunnel 1.
A Must filled setting 2. By default 443 is set. 1. A Must filled setting 2. By default TUN is selected. A Must filled setting 
Select UDP ‐> The OpenVPN will use UDP protocol, and Port will be set as 1194 automatically. Specify the Port for the OpenVPN Client to use. Specify the type of Tunnel Device for the OpenVPN Client to use. It can be TUN for TUN tunnel device, or TAP for TAP tunnel device. Specify the Remote IP/FQDN of the peer OpenVPN Server for this OpenVPN Client tunnel. Fill in the IP address or FQDN. A Must filled setting Specify Remote Subnet of the peer OpenVPN Server for this OpenVPN Client tunnel. Fill in the remote subnet address and remote subnet mask. 1. A Must filled Specify the authorization mode for the OpenVPN Server. setting 
Static Key 2. By default TLS is ‐>The OpenVPN will use static key authorization mode, and the following selected. items Local Endpoint IP Address, Remote Endpoint IP Address and Static Key will be displayed. TLS 
‐>The OpenVPN will use TLS authorization mode, and the following items CA Cert., Client Cert. and Client Key will be displayed. CA Cert. could be selected in Trusted CA Certificate List. Refer to Object Definition > Certificate > Trusted Certificate. Client Cert. could be selected in Local Certificate List. Refer to Object Definition > Certificate > My Certificate. Client Key could be selected in Trusted Client key List. Refer to Object Definition > Certificate > Trusted Certificate. A Must filled setting Specify the Local Endpoint IP Address.
Note_1: Local Endpoint IP Address will be available only when Static Key is chosen in Authorization Mode. A Must filled setting Specify the Remote Endpoint IP Address.
Note_1: Remote Endpoint IP Address will be available only when Static Key is chosen in Authorization Mode. A Must filled setting Specify the Static Key.
Note_1: Static Key will be available only when Static Key is chosen in Authorization Mode. By default Blowfish Specify the Encryption Cipher.
is selected. It can be Blowfish/AES‐256/AES‐192/AES‐128/None. By default SHA‐1 is Specify the Hash Algorithm.
selected. It can be SHA‐1/MD5/MD4/SHA2‐256/SHA2‐512/None. By default Adaptive Specify the LZO Compression scheme.
is selected. It can be Adaptive/YES/NO/NO Adaptive. The box is unchecked Check the box to enable the Advanced Configuration setting. by default. If it is checked, Advanced Configuration will be displayed below. The box is unchecked Check the box to enable this OpenVPN tunnel. by default 329
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Save Undo Back N/A N/A N/A Click Save to save the settings.
Click Undo to cancel the changes.
Click Back to return to last page.
When Advanced Configuration is selected, an OpenVPN Client Advanced Configuration screen will appear. OpenVPN Advanced Client Configuration Item Value setting Description
NAT Bridge TAP to Firewall Protection Client IP Address The box is unchecked by default. By default VLAN1 is selected Tunnel UDP Fragment The box is unchecked by default. By default Dynamic IP is selected 1. A Must filled setting 2. The value is 1500 by default The value is 1500 by default Tunnel UDP MSS‐
Fix The box is unchecked by default. Tunnel MTU Check the box to enable NAT.
Specify the setting of Bridge TAP to.
Note_1: Bridge TAP to will be available only when TAP is chosen in Tunnel Device and NAT is unchecked. Check the box to enable Firewall Protection. Note_1: Firewall Protection will be available only when NAT is checked. Specify the Client IP Address.
It can be Dynamic IP/Static IP. Specify the value of Tunnel MTU.
Specify the value of Tunnel UDP Fragment.
Note_1: Tunnel UDP Fragment will be available only when UDP is chosen in Protocol. Check the box to enable Tunnel UDP MSS‐Fix. Note_1: Tunnel UDP MSS‐Fix will be available only when UDP is chosen in Protocol. 330
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Redirect Internet Traffic Connection Retry(seconds) DNS The box is checked by default. The value is ‐1 by default By default
Automatically is selected Check the box to enable Redirect Internet Traffic. Specify the time interval of Connection Retry. The default ‐1 means that it is no need to execute connection retry. Specify the setting of DNS.
It can be Automatically/Manually. 331
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 9.3 Firewall The firewall functions include Packet Filters, URL Blocking, Web Content Filters, MAC Control, Application Filters, IPS and some firewall options. The supported function can be different for the purchased gateway. 9.3.1 Firewall Configuration Enable Firewall check box will activate all firewall functions. The firewall configuration allows user to enable or disable all functions including Packet Filters, URL Blocking, Web Content Filters, MAC Control, Application Filters, IPS, and Firewall Options. Go to Security > Firewall > Configuration Tab. Enable Global Firewall Function Firewall Configuration Setting Item Value setting Description
Enable Firewall function Save Check the Enable box to activate all firewall functions Click Save to save the settings The box is checked by default N/A 332
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 9.3.3 Packet Filter "Packet Filter" function can let you define some filtering rules for incoming and outgoing packets. So the gateway can control what packets are allowed or blocked to pass through it. A packet filter rule should indicate from and to which interface the packet enters and leaves the gateway, the source and destination IP addresses, and destination service port type and port number. In addition, the time schedule to which the rule will be active. Packet Filter with White List Scenario Scenario Application Timing When the administrator of the gateway wants to allow only specific packets through the gateway, he can use the "Packet Filters" function to carry out to allow specific packets by defining the white list as shown in above diagram. Certainly, when the administrator wants to deny only specific packets from going through, he can use the "Packet Filters" function by defining the black list to carry out to meet the requirement. It is contrasting to above diagram. Scenario Description To only allow dedicated packets that match to one packet filtering rule to flow through the 333
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. gateway and block other packets that are not defined in the “Packet Filter Rule List” entry. Parameter Setup Example Following tables list the parameter configuration as an example for the gateway in above diagram with "Packet Filters" enabling. Use default value for those parameters that are not mentioned in the tables. [Packet Filter]‐[Configuration]
Configuration Path Packet Filters Black List / White List Configuration Path ID Rule Name Source IP Destination IP Destination Port Protocol Rule ■ Enable Deny all to pass except those match the following rules. [Packet Filter]‐[Packet Filter Rule List]
1 2
Access 80 Access 443
IP Range: 10.0.75.200 ~ 10.0.75.250
IP Range: 10.0.75.200 ~ 10.0.75.250
Specific IP Address: 0.0.0.0
Specific IP Address: 0.0.0.0 User‐defined Service: 80 ~ 80
User‐defined Service: 443 ~ 443
TCP TCP
■ Enable ■ Enable
Scenario Operation Procedure In above diagram, the Gateway is the gateway of Network‐A and the subnet of its Intranet is 10.0.75.0/24. The gateway has the IP address of 10.0.75.2 for LAN interface, 118.18.81.33 for WAN‐1 interface. It serves as a NAT router. Enable the packet filter function and specify the "Packet Filter Rule List" is a white list and configure two packet filtering rules for the gateway. Create one rule to allow HTTP packets and the other rule to allow HTTPS packets to pass through the gateway. System will allow only HTTP and HTTPS packet to pass through the gateway for those hosts in the Intranet and their IP addresses are in the range from .200 to .250. 334
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Packet Filter Setting The packet filter setting allows user to create and customize packet filter policies to allow or reject specific inbound/outbound packets through the router based on their office setting. Go to Security > Firewall > Packet Filter Tab. Enable Packet Filter Enabling Packet Filters Item Name Value setting Description
Packet Filter The box is unchecked by default Check the Enable box to activate Packet Filter function Black List / White List Deny those match the following rules is set by default When Deny those match the following rules is selected, as the name suggest, packets specified in the rules will be blocked –black listed. In contrast, with Allow those match the following rules, you can specifically white list the packets to pass and the rest will be blocked. Log Alert Save Undo The box is unchecked by default N/A N/A Check the Enable box to activate Event Log. Click Save to save the settings Click Undo to cancel the settings Note: Packet Filter function is only available when Firewall feature is enabled. Refer to section 9.3.1 Firewall 335
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Create/Edit Packet Filter Rules The gateway allows you to customize your packet filtering rules. It supports up to a maximum of 20 filter rule sets. When Add button is applied, Packet Filter Rule Configuration screen will appear. Packet Filter Rule Configuration Item Name Value setting Rule Name 1. String format can be any text 2. A Must filled setting From Interface 1. A Must filled setting 2. By default Any is selected To Interface 1. A Must filled setting Description
Enter a packet filter rule name. Enter a name that is easy for you to remember. Define the selected interface to be the packet‐entering interface of the router. If the packets to be filtered are coming from LAN to WAN then select LAN for this field. Or VLAN‐1 to WAN then select VLAN‐1 for this field. Other examples are VLAN‐1 to VLAN‐2. VLAN‐1 to WAN. Select Any to filter packets coming into the router from any interfaces. Please note that two identical interfaces are not accepted by the router. i.e. VLAN‐1 to VLAN‐1. Define the selected interface to be the packet‐leaving interface of the 336
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 2. By default Any is selected Source IP 1. A Must filled setting 2. By default Any is selected Destination IP 1. A Must filled setting 2. By default Any is selected Source MAC 1. A Must filled setting 2. By default Any is selected Protocol 1. A Must filled setting 2. By default Any(0) is selected router. If the packets to be filtered are entering from LAN to WAN then select WAN for this field. Or VLAN‐1 to WAN then select WAN for this field. Other examples are VLAN‐1 to VLAN‐2. VLAN‐1 to WAN. Select Any to filter packets leaving the router from any interfaces. Please note that two identical interfaces are not accepted by the router. i.e. VLAN‐1 to VLAN‐1. This field is to specify the Source IP address. Select Any to filter packets coming from any IP addresses. Select Specific IP Address to filter packets coming from an IP address. Select IP Range to filter packets coming from a specified range of IP address. Select IP Address‐based Group to filter packets coming from a pre‐defined group. Note: group must be pre‐defined before this option become available. Refer to Object Definition > Grouping > Host grouping. You may also access to create a group by the Add Rule shortcut button. This field is to specify the Destination IP address. Select Any to filter packets that are entering to any IP addresses. Select Specific IP Address to filter packets entering to an IP address entered in this field. Select IP Range to filter packets entering to a specified range of IP address entered in this field. Select IP Address‐based Group to filter packets entering to a pre‐defined group selected. Note: group must be pre‐defined before this selection become available. Refer to Object Definition > Grouping > Host grouping. You may also access to create a group by the Add Rule shortcut button. Setting done through the Add Rule button will also appear in the Host grouping setting screen. This field is to specify the Source MAC address. Select Any to filter packets coming from any MAC addresses. Select Specific MAC Address to filter packets coming from a MAC address.
Select MAC Address‐based Group to filter packets coming from a pre‐
defined group selected. Note: group must be pre‐defined before this selection become available. Refer to Object Definition > Grouping > Host grouping. You may also access to create a group by the Add Rule shortcut button. For Protocol, select Any to filter any protocol packets Then for Source Port, select a predefined port dropdown box when Well‐
known Service is selected, otherwise select User‐defined Service and specify a port range. Then for Destination Port, select a predefined port dropdown box when Well‐known Service is selected, otherwise select User‐defined Service and specify a port range. For Protocol, select ICMPv4 to filter ICMPv4 packets For Protocol, select TCP to filter TCP packets Then for Source Port, select a predefined port dropdown box when Well‐
337
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Time Schedule A Must filled setting Save Undo The box is unchecked by default. N/A N/A Back N/A Rule known Service is selected, otherwise select User‐defined Service and specify a port range. Then for Destination Port, select a predefined port dropdown box when Well‐known Service is selected, otherwise select User‐defined Service and specify a port range. For Protocol, select UDP to filter UDP packets Then for Source Port, select a predefined port dropdown box when Well‐
known Service is selected, otherwise select User‐defined Service and specify a port range. Then for Destination Port, select a predefined port dropdown box when Well‐known Service is selected, otherwise select User‐defined Service and specify a port range. For Protocol, select GRE to filter GRE packets For Protocol, select ESP to filter ESP packets For Protocol, select SCTP to filter SCTP packets For Protocol, select User‐defined to filter packets with specified port number. Then enter a pot number in Protocol Number box. Apply Time Schedule to this rule, otherwise leave it as Always. If the dropdown list is empty ensure Time Schedule is pre‐configured. Refer to Object Definition > Scheduling > Configuration tab Click Enable box to activate this rule then save the settings. Click Save to save the settings Click Undo to cancel the settings When the Back button is clicked the screen will return to the Packet Filters Configuration page. 338
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 9.3.5 URL Blocking "URL Blocking" function can let you define blocking or allowing rules for incoming and outgoing Web request packets. With defined rules, gateway can control the Web requests containing the complete URL, partial domain name, or pre‐defined keywords. For example, one can filter out or allow only the Web requests based on domain input suffixes like .com or .org or keywords like “bct” or “mpe”. An URL blocking rule should specify the URL, partial domain name, or included keywords in the Web requests from and to the gateway and also the destination service port. Besides, a certain time schedule can be applied to activate the URL Blocking rules during pre‐defined time interval(s). The gateway will logs and displays the disallowed web accessing requests that matched the defined URL blocking rule in the black‐list or in the exclusion of the white‐list. When you choose "Allow all to pass except those match the following rules" for the "URL Blocking Rule List", you are setting the defined URL blocking rules to belong to the black list. The packets, listed in the rule list, will be blocked if one pattern in the requests matches to one rule. Other Web requests can pass through the gateway. In contrast, when you choose "Deny all to pass except those match the following rules" for the "URL Blocking Rule List", you are setting the defined packet filtering rules to belong to the white list. The Web requests, listed in the rule, will be allowed if one pattern in the requests matches to one rule. Other Web requests will be blocked.  URL Blocking with Black List Scenario 339
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Scenario Application Timing When the administrator of the gateway wants to block the Web requests with some dedicated patterns, he can use the "URL Blocking" function to block specific Web requests by defining the black list as shown in above diagram. Certainly, when the administrator wants to allow only the Web requests with some dedicated patterns to go through the gateway, he can use the "URL Blocking" function by defining the white list to meet the requirement. It is contrasting to above diagram. Scenario Description Web requests with dedicated patterns in the black list will be blocked by the gateway. The others can pass through the gateway. Parameter Setup Example Following tables list the parameter configuration as an example for the gateway in above diagram with "URL Blocking" enabling. Use default value for those parameters that are not mentioned in the tables. Configuration Path URL Blocking Black List / White List [URL Blocking]‐[Configuration]
Configuration Path ID Rule Name URL/Domain Name/Keyword Rule Scenario Operation Procedure [URL Blocking]‐[URL Blocking Rule List]
■ Enable
Allow all to pass except those match the following rules. 1
2
Block sex & sexygirl
Block playboy sex; sexygirl
playboy ■ Enable
■ Enable In above diagram, the Gateway is the gateway of Network‐A and the subnet of its Intranet is 10.0.75.0/24. The gateway has the IP address of 10.0.75.2 for LAN interface, 118.18.81.33 for WAN‐1 interface. It serves as a NAT router. Enable the URL blocking function and specify the "URL Blocking Rule List" with a black list and configure two URL blocking rules for it. Create the first rule to deny the Web requests with "sex" or "sexygirl" patterns and the other to deny the Web requests with "playboy" pattern to go through the gateway. System will block the Web requests with "sex", "sexygirl" or "playboy" patterns to pass through the gateway. 340
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. URL Blocking Setting The URL Blocking setting allows user to create and customize URL blocking policies to allow or reject http packets with specific keyword, domain name, or URL. In "URL Blocking" page, there are three configuration windows. They are the "Configuration" window, "URL Blocking Rule List" window, and "URL Blocking Rule Configuration" window. The "Configuration" window can let you activate the URL blocking function and specify to black listing or to white listing the packets defined in the "URL Blocking Rule List" entry. In addition, log alerting can be enabled to record on‐going events for any disallowed Web request packets. Refer to "System Status" in "6.1.1 System Related" section in this user manual for how to view recorded log. The "URL Blocking Rule List" window lists all your defined URL blocking rule entry. And finally, the "URL Blocking Rule Configuration" window can let you define URL blocking rules. The parameters in a rule include the rule name, the Source IP or MAC, the URL/Domain Name/Keyword, the destination service ports, the integrated time schedule rule and the rule activation. Go to Security > Firewall > URL Blocking Tab. Enable URL Blocking Configuration Item URL Blocking Black List / White List Log Alert Save Undo Value setting The box is unchecked by default Deny those match the following rules is set by default The box is unchecked by default NA NA Description Check the Enable box to activate URL Blocking function. Specify the URL Blocking Policy, either Black List or White List. Black List: When Deny those match the following rules is selected, as the name suggest, the matched Web request packets will be blocked. White List: When Allow those match the following rules is selected, the matched Web request packets can pass through the Gateway, and the others that don’t match the rules will be blocked. Check the Enable box to activate Event Log.
Click Save button to save the settings
Click Undo button to cancel the settings
341
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Create/Edit URL Blocking Rules The Gateway supports up to a maximum of 20 URL blocking rule sets. Ensure that the URL Blocking is enabled before we can create blocking rules. When Add button is applied, the URL Blocking Rule Configuration screen will appear. URL Blocking Rules Configuration Item Rule Name Source IP Source MAC Value setting Description 1. String format can be any Specify an URL Blocking rule name. Enter a name that is easy for you to text understand. 2. A Must filled setting This field is to specify the Source IP address.
 Select Any to filter packets coming from any IP addresses.  Select Specific IP Address to filter packets coming from an IP address entered in this field. 1. A Must filled setting  Select IP Range to filter packets coming from a specified range of IP 2. Any is set by default address entered in this field.  Select IP Address‐based Group to filter packets coming from a pre‐
defined group selected. Note: group must be pre‐defined before this option become available. Refer to Object Definition > Grouping > Host grouping. This field is to specify the Source MAC address.  Select Any to filter packets coming from any MAC addresses. 1. A Must filled setting  Select Specific MAC Address to filter packets coming from a MAC 2. Any is set by default address entered in this field.  Select MAC Address‐based Group to filter packets coming from a pre‐
defined group selected. Note: group must be pre‐defined before this 342
In‐Vehicle Hotspot Gateway
URL / Domain Name / Keyword Index skipping is used to reserve slots for new function insertion, when required. selection become available. Refer to Object Definition > Grouping > Host grouping. Specify URL, Domain Name, or Keyword list for URL checking. 1. A Must filled setting 2. Supports up to a  In the Black List mode, if a matched rule is found, the packets will be maximum of 10 Keywords dropped. in a rule by using the  In the White List mode, if a matched rule is found, the packets will be delimiter “;”. accepted and the others which don’t match any rule will be dropped. Destination Port 1.
2.
Time Schedule Rule A Must filled setting Rule Save Undo Back A Must filled setting Any is set by default The box is unchecked by default. NA NA NA This field is to specify the Destination Port number.  Select Any to filter packets going to any Port.  Select Specific Service Port to filter packets going to a specific Port entered in this field.  Select Port Range to filter packets going to a specific range of Ports entered in this field. Apply a specific Time Schedule to this rule, otherwise leave it as (0) Always. If the dropdown list is empty ensure Time Schedule is pre‐configured. Refer to Object Definition > Scheduling > Configuration tab. Click the Enable box to activate this rule. Click the Save button to save the settings.
Click the Undo button to cancel the changes. Click the Back button to return to the URL Blocking Configuration page.
343
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 9.3.7 Content Filter "Content Filter" function can block HTML requests with some specific extension file names, like ".exe", ".bat" (applications), "mpeg” (video), and so on. It also blocks HTML requests with some script types, like Java Applet, Java Scripts, cookies and Active X. Content Filter Scenario Scenario Application Timing When the administrator of the gateway wants to block the Web requests for dedicated contents or objects, he can use the "Web Content Filters" function to carry out such request blocking. Scenario Description Web requests for dedicated contents or objects in the defined list will be blocked by the gateway. Other ones can pass through the gateway. Parameter Setup Example 344
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Following tables list the parameter configuration as an example for the gateway in above diagram with "Web Content Filters" enabling. Use default value for those parameters that are not mentioned in the tables. Configuration Path Web Content Filter Popular File Extension List Log Alert Configuration Path ID Rule Name User‐defined File Extension List Rule [Content Filter]‐[Configuration]
■ Enable
■ Cookie ■ Java ■ ActiveX
■ Enable
[Content Filter]‐[Web Content Filter List]
1
execution files
.exe; .com
■ Enable
Scenario Operation Procedure In above diagram, the Gateway is the gateway of Network‐A and the subnet of its Intranet is 10.0.75.0/24. The gateway has the IP address of 10.0.75.2 for LAN interface, 118.18.81.33 for WAN‐1 interface. It serves as a NAT router. Enable the Web content filters function to check and filter out Web requests on Cookie, Java and ActiveX objects then define further with objects in the “Web Content Filter List” that may include extension ".exe" and ".com". System will block requests containing objects with extension ".exe" or ".com". 345
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Content Filter Setting The Content Filter setting allows user to create and customize blocking policies to allow or reject http packets with specific file extension list through the router based on their office setting. Go to Security > Firewall > Content Filter Tab. There are three configuration windows for the filtering function. They are the "Configuration" window, "Content Filter List" window, and "Content Filter Configuration" window. The "Configuration" window can let you activate the web content filtering function. Besides, some popular script types, like Java Applet, Java Scripts, cookies and Active X are in the window and you can check their boxes to enable the gateway to filter out the web requests with corresponding patterns. Web Content Filters Tab
Item Value setting Web Content Filter The box is unchecked by default. Popular File Extension List 1. A Must filled setting. 2. The boxes are unchecked by default Log Alert The box is unchecked by default. Description
Check the Enable box to activate this content filter function. Check the Cookie box to activate this filter function, as the name suggests, this pattern matching rule define as the packet with the keyword “Cookie:”. Check the Java box to activate this filter function, as the name suggests, this pattern matching rule define as the packet with the keyword “.js”, “.class”, “.jar”, “.jsp”, “ .java”, “.jse”, “.jcm”, “.jtk” , or ”.jad”. Check the ActiveX box to activate this filter function, as the name suggests, this pattern matching rule define as the packet with the keyword “.ocx”, “.cab”, “.ole”, “.olb”, “.com”, “.vbs”, “.vrm”, or “.viv”. If one of the matching rules is found, the packets with http header will be dropped. Check the Enable box to activate Event Log. 346
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Create/Edit Content Filter Rule The gateway supports up to a maximum of 20 filter rule sets. Ensure that the Content Filer is enabled before we can create filter rules. The "Web Content Filter List" window lists all your defined file extension lists that are used by the gateway to filter out unwanted Web requests, and the "Content Filter Configuration" window can let you define one web Content Filter rule. When Add button is applied, Content Filter Configuration screen will appear. Content Filter Configuration Item Value setting Rule Name Source IP 1. String format can be any text. 2. A Must filled setting. 1. A Must filled setting. 2. Any is selected by default. Description Enter a content filter rule name that is easy for you to understand. Specify the Source IP address to apply with the content filter rule. It can be Any, Specific IP Address, IP Range, or IP Address‐based Group. Select Any to filter packets coming from any IP addresses. Select Specific IP Address to filter packets coming from an IP address entered in this field. Select IP Range to filter packets coming from a specified range of IP address entered in this field. Select IP Address‐based Group to filter packets coming from a pre‐defined group selected. Note: Group must be pre‐defined before this selection become available. Refer to Object Definition > Grouping > Host Grouping Tab. You may also access to create a group by the Add Rule shortcut button. Setting done 347
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Source MAC 1. A Must filled setting. 2. Any is selected by default. User‐defined File Extension List A Must filled setting (Use ; to Concatenate) Time Schedule 1. A Must filled setting. 2. (0) Always is selected by default Save The box is unchecked by default. N/A Undo N/A Back N/A Rule through the Add Rule button will also appear in the Host grouping setting screen. Specify the Source MAC address to apply with the content filter rule. Select Any to filter packets coming from any MAC addresses. Select Specific MAC Address to filter packets coming from a MAC address entered in this field. Select MAC Address‐based Group to filter packets coming from a pre‐
defined group selected. Note: Group must be pre‐defined before this selection become available. Refer to Object Definition > Grouping > Host Grouping Tab. You may also access to create a group by the Add Rule shortcut button. Setting done through the Add Rule button will also appear in the Host grouping setting screen. Specify file extension list for the content filter rule. It supports up to a maximum of 10 file extensions in a rule by using the delimiter “;”. If a matching rule is found, the packets with http header will be dropped. Apply Time Schedule to this rule, otherwise leave it as Always. If the dropdown list is empty ensure Time Schedule is pre‐configured. Refer to Object Definition > Scheduling > Configuration tab. Click the Enable box to activate this rule. Click the Save button to save the configuration. Click the Undo button to restore what you just configured back to the previous setting. When the Back button is clicked, the screen will return to the Content Filter Configuration page. 348
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 9.3.9 MAC Control "MAC Control" function allows you to assign the accessibility to the gateway for different users based on device’s MAC address, including wired hosts or WiFi stations. MAC Control with Black List Scenario Scenario Application Timing When the administrator of the gateway wants to reject some client hosts with specific MAC addresses in the Intranet to connect to the gateway, he can use the "MAC Control" function to carry out to reject by defining the black list as shown in above diagram. Certainly, when the administrator wants to allow only the client hosts with dedicated MAC addresses to connect to the gateway, he can use the "MAC Control" function by defining the white list to carry out to meet the requirement. It is contrasting to above diagram. Scenario Description To only reject client hosts with dedicated MAC addresses in the black list to connect to the gateway and block other hosts that are not defined in the “MAC Control Rule List” entry. 349
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Parameter Setup Example Following tables list the parameter configuration as an example for the gateway in above diagram with "MAC Control" enabling. Use default value for those parameters that are not mentioned in the tables. Configuration Path MAC Control Black List / White List Log Alert [MAC Control]‐[Configuration]
Configuration Path ID Rule Name MAC Address Rule [MAC Control]‐[MAC Control Rule List]
■ Enable
Allow all to pass except those match the following rules. ■ Enable
1
Block JP NB
20:6A:6A:6A:6A:6B
■ Enable
Scenario Operation Procedure In above diagram, the Gateway is the gateway of Network‐A and the subnet of its Intranet is 10.0.75.0/24. The gateway has the IP address of 10.0.75.2 for LAN interface, 118.18.81.33 for WAN‐1 interface. It serves as a NAT router. Enable the MAC control function and specify the "MAC Control Rule List" is a black list, and configure one MAC control rule for the gateway to deny the connection request from the "JP NB" with its own MAC address. System will block the connecting from the "JP NB" to the gateway but allow others. 350
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. MAC Control Setting The MAC control setting allows user to create and customize MAC address policies to allow or reject packets with specific source MAC address. Before you proceed, ensure that the Firewall is enabled and saved. Go to Security > Firewall > Configuration tab. Go to Security > Firewall > MAC Control Tab. Enable MAC Control Enabling MAC Control Item Value setting Description
MAC Control The box is unchecked by default Check the Enable box to activate the MAC filter function Black List / White List Deny MAC Address Below is set by default When Deny MAC Address Below is selected, as the name suggest, packets specified in the rules will be blocked –black listed. In contrast, with Allow MAC Address Below, you can specifically white list the packets to pass and the rest will be blocked. Log Alert The box is unchecked by default Check the Enable box to activate Event Log. N/A Select a MAC Address from LAN Client List. Click the Copy to to copy the selected MAC Address to the filter rule. N/A N/A Click Save to save the settings Click Undo to cancel the settings Known MAC from LAN PC List Save Undo 351
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Create/Edit MAC Control Rules The gateway supports up to a maximum of 20 filter rule sets. Ensure that the MAC Control is enabled before we can create control rules. When Add button is applied, Filter Rule Configuration screen will appear. MAC Control Rule Configuration Item Value setting 1. String format can be Rule Name any text 2. A Must fill setting MAC Address 1. MAC Address string (Use: to Format Compose) 2. A Must fill setting Time Schedule 1. A Must filled setting. 2. (0) Always is selected by default Save The box is unchecked by default. N/A Undo N/A Back N/A Enable Description
Enter a MAC Control rule name. Enter a name that is easy for you to remember. Specify the Source MAC Address to filter rule. Apply Time Schedule to this rule, otherwise leave it as Always. If the dropdown list is empty ensure Time Schedule is pre‐configured. Refer to Object Definition > Scheduling > Configuration tab. Click the Enable box to activate this rule. Click the Save button to save the configuration. Click the Undo button to restore what you just configured back to the previous setting. When the Back button is clicked, the screen will return to the MAC Control Configuration page. 352
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 9.3.b Application Filter Application Filter function can categorize Internet Protocol packets based on their application layer data and allow or deny their passing of gateway. It supports the application filters for various Internet chat software, P2P download, Proxy, and A/V streaming. You can select the applications to be blocked after the function is enabled, and may also specify schedule rule to apply. Application Filter Scenario Scenario Application Timing When the administrator of the gateway wants to block some P2P or Stream applications, he can use the "Application Filters" function to activate by checking the "Enable" box. Scenario Description Applications, by checking the "Enable" box, will be rejected or limited connection sessions to access the Internet. Parameter Setup Example Following tables list the parameter configuration as an example for the gateway in above diagram with "Application Filters" enabling. Use default value for those parameters that are not mentioned in the tables. 353
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Configuration Path Application Filter Log Alert [Application Filters]‐[Configuration]
Configuration Path
Rule Name Source IP P2P Software [Application Filters]‐[Application Filter List] ■ Enable
■ Enable
Rule 1
IP Range : 192.168.123.200 ‐ 192.168.123.250 ■BT(BitTorrent, BitSpirit, BitComet)
■eDonkey/eMule/Shareaza ■MMS
■RTSP ■PPStream ■PPSLive ■Qvcd ■ Enable
Streaming Rule Scenario Operation Procedure In above diagram, the Gateway is the gateway as a NAT router. The subnet of Gateway is 192.168.123.0/24. Select IP Range and entry IP Address 192.168.123.200 ‐ 192.168.123.250 Enable the Application filters function and activate “BT(BitTorrent, BitSpirit, BitComet)”, “eDonkey/eMule/Shareaza”, “MMS”, “RTSP”, “PPStream”, “PPSLive” and “Qvcd” by checking the "Enable" box. 354
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Application Filter Setting The Application Filter setting allows user to create and customize Application Filter policies to reject packets related to specific applications through the router based on their office setting. Go to Security > Firewall > Application Filter Tab. Application Filters Item Setting Value setting Application Filter Log Alert The box is unchecked by default. The box is unchecked by default. Description
Check the Enable box to activate this application filter function. Check the Enable box to activate Event Log. Create/Edit Application Filter Rules The gateway supports up to a maximum of 20 filter rule sets. Ensure that the Application Filers is enabled before we can create filter rules. When Add button is applied, Filter Rule Configuration screen will appear. 355
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Application Filter Rule Configuration Item Value setting Description
Rule Name Source IP 1. String format can be any text. 2. A Must filled setting. 1. A Must filled setting. 2. Any is selected by default. Enter an application filter rule name that is easy for you to understand. Specify the Source IP address to apply with the application filter rule. It can be Any, Specific IP Address, IP Range, or IP Address‐based Group. Select Any to filter packets coming from any IP addresses. Select Specific IP Address to filter packets coming from an IP address entered in this field. Select IP Range to filter packets coming from a specified range of IP address entered in this field. Select IP Address‐based Group to filter packets coming from a pre‐defined group selected. Note: Group must be pre‐defined before this selection become available. Refer to Object Definition > Grouping > Host Grouping Tab. You may also access to create a group by the Add Rule shortcut button. Setting done through the Add Rule button will also appear in the Host grouping setting screen. 356
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Source MAC 1. A Must filled setting. 2. Any is selected by default. Chat Software All boxes are unchecked by default. P2P Software All boxes are unchecked by default. Proxy All boxes are unchecked by default. Streaming All boxes are unchecked by default. Time Schedule 1. A Must filled setting. 2. (0) Always is selected by default Save The box is unchecked by default. N/A Undo N/A Back N/A Rule Specify the Source MAC address to apply with the application filter rule. Select Any to filter packets coming from any MAC addresses. Select Specific MAC Address to filter packets coming from a MAC address entered in this field. Select MAC Address‐based Group to filter packets coming from a pre‐
defined group selected. Note: Group must be pre‐defined before this selection become available. Refer to Object Definition > Grouping > Host Grouping Tab. You may also access to create a group by the Add Rule shortcut button. Setting done through the Add Rule button will also appear in the Host grouping setting screen. Check the box(es) to activate the application filter function you want on this rule. The available chat applications include QQ, Skype, Facebook, Aliww, and Line. Check the box(es) to activate the application filter function you want on this rule. The available P2P applications include BT, eDonkey/eMule, HTTP Multiple Thread Download, Thunder, and Baofeng. Check the box(es) to activate the application filter function you want on this rule. The available proxy applications include HTTP proxy, and SOCKS 4/5 proxy. Check the box(es) to activate the application filter function you want on this rule. The available streaming applications include MMS, RTSP, PPStream, PPLive(PPTV), and Qvod. Apply Time Schedule to this rule, otherwise leave it as Always. If the dropdown list is empty ensure Time Schedule is pre‐configured. Refer to Object Definition > Scheduling > Configuration tab. Click the Enable box to activate this rule. Click the Save button to save the configuration. Click the Undo button to restore what you just configured back to the previous setting. When the Back button is clicked, the screen will return to the Application Filter Configuration page. 357
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 9.3.d IPS Intrusion Prevention System (IPS) is network security appliances that monitor network and/or system activities for malicious activity. The main functions of IPS are to identify malicious activity, log information about this activity, attempt to block/stop it and report it. You can enable the IPS function and check the listed intrusion activities when needed. There are some intrusion prevention items need a further Threshold parameter to work properly for intrusion detection. You can enable the log alerting so that system will record Intrusion events when corresponding intrusions are detected. IPS Scenario Scenario Application Timing The administrator provides some application servers in the Intranet of deployed networking and has to open specific ports to make services for employees oversea or Internet users. There are some risks to always open service ports in the internet for admin users. In order to avoid such attacked risks, please enable IPS functions. Scenario Description The gateway serves as an E‐mail server, Web Server and open TCP‐Port 8080 allowing user to access web‐based utility of Gateway, so remote users or unknown users can request 358
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. those services from the gateway. Parameter Setup Example Following tables list the parameter configuration as an example for the gateway in above diagram with "IPS" enabling. Use default value for those parameters that are not mentioned in the tables. Configuration Path ISP Log Alert [IPS]‐[Configuration]
Configuration Path
SYN Flood Defense
Port Scan Detection
Block IP Spoof Block TCP Flag Scan [IPS]‐[Intrusion Prevention]
■ Enable
■ Enable
■ Enable 300 Packets/second
■ Enable 200 Packets/second
■ Enable
■ Enable
Scenario Operation Procedure In above diagram, the gateway detects incoming packets which TCP ports are 25, 80,110,443 and 8080 then forward to transfer the E‐mail service requests to the LAN servers and send the replies from LAN servers back to the requester. System will block lots of packets in seconds. 359
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. IPS Setting The Intrusion Prevention System (IPS) setting allows user to customize intrusion prevention rules to prevent malicious packets. Go to Security > Firewall > IPS Tab. Enable IPS Firewall Configuration Item Value setting IPS Log Alert Save Undo The box is unchecked by default The box is unchecked by default N/A N/A Description
Check the Enable box to activate IPS function Check the Enable box to activate Event Log. Click Save to save the settings Click Undo to cancel the settings Setup Intrusion Prevention Rules The router allows you to select intrusion prevention rules you may want to enable. Ensure that the IPS is enabled before we can enable the defense function. 360
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Intrusion Prevention Item Value setting SYN Flood Defense UDP Flood Defense ICMP Flood Defense Port Scan Defection Block Land Attack Block Ping of Death Block IP Spoof Block TCP Flag Scan Block Smurf Description
1. A Must filled setting 2. The box is unchecked by default. 3. Traffic threshold is set to 300 by default 4. The value range can be from 10 to 10000. 1. A Must filled setting 2. The box is unchecked by default. 3. Traffic threshold is set to 200 by default 4. The value range can be from 10 to 10000. Click Enable box to activate this intrusion prevention rule and enter the traffic threshold in this field. Click Enable box to activate this intrusion prevention rule and enter the traffic threshold in this field. Click Enable box to activate this intrusion prevention rule and enter the traffic threshold in this field. The box is unchecked by default. Click Enable box to activate this intrusion prevention rule. Click Enable box to activate this intrusion prevention rule and enter the traffic threshold in this field. 361
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Block Traceroute Block Fraggle Attack 1. A Must filled setting 2. The box is unchecked by default. ARP Spoofing 3. Traffic threshold is set to 300 by Defence default 4. The value range can be from 10 to 10000. Save NA Undo NA Click Enable box to activate this intrusion prevention rule and enter the traffic threshold in this field. Click Save to save the settings Click Undo to cancel the settings 362
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 9.3.f Options There are some useful functions in this page. First, “Stealth Mode” lets gateway not to respond to port scans from the WAN so that makes it less susceptible to discovery and attacks on the Internet. Second, ”SPI” enables gateway to record the packet information like IP address, port address, ACK, SEQ number and so on while they pass through the router. And the gateway checks every incoming packet to detect if this packet is valid. Third, “Discard Ping from WAN” makes any host on the WAN side can`t ping this product. It means this device won`t reply any ICMP packet from Internet. And finally, “Remote Administrator Hosts” enables only the LAN users to browse the web‐based utility to perform administration task locally. This feature also enables you to perform administration task also from a remote host. If this feature is enabled, only the specified IP address can perform remote administration. If the specified IP address is 0.0.0.0, any host can access web‐based utility to perform administration task. You can use subnet mask bits '/nn' notation to specified a group of trusted IP addresses for example, '10.1.2.0/24'. SPI Scenario Scenario Application Timing Users in Network‐A initiate to access cloud server through Gateway which records connected sessions. Sometimes, unknown users will simulate the Packet but use different Src IP to masquerade. Scenario Description 363
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Enable the SPI function to prevent security leak when local users surf the internet. Parameter Setup Example Following tables list the parameter configuration as an example for the gateway in above diagram with "SPI" enabling. Configuration Path SPI [Options]‐[Firewall Options]
■ Enable
Scenario Operation Procedure In above diagram, the Gateway is the gateway of Network‐A and the subnet of its Intranet is 10.0.75.0/24. The gateway has the IP address of 10.0.75.2 for LAN interface and 118.18.81.200 for WAN interface. It serves as a NAT router. Activate the SPI feature at the Gateway. Users in Network‐A initiate to access cloud server through Gateway. Sometimes, unknown users will simulate the Packet but use different Src IP to masquerade. System will block such packets from unknown users. Discard Ping from WAN and Remote Administrator Hosts Scenario Scenario Application Timing “Discard Ping from WAN” makes any host on the WAN side can`t ping this gateway reply any ICMP packet from Internet while with “Remote Administrator Hosts” allowing to browse the 364
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. web‐based utility to perform administration task remotely. Scenario Description Enable the Discard Ping from WAN function to prevent security leak when local users surf the internet. Following tables list the parameter configuration as an example for the gateway in above diagram. Configuration Path Discard Ping from WAN Remote Administrator Hosts [Options]‐[Firewall Options]
■ Enable
■ Enable HTTPS , ANY : 8080
Please disable “SPI” Function. Scenario Operation Procedure In above diagram, the Gateway is the gateway of Network‐A and the subnet of its Intranet is 10.0.75.0/24. The gateway has the IP address of 10.0.75.2 for LAN interface and 118.18.81.200 for WAN interface. It serves as a NAT router. Activate the features at the Gateway. Remote users can’t get response via Ping Utility, but can access the web‐based utility of Gateway via port 8080 of TCP. 365
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Firewall Options Setting The firewall options setting allows network administrator to modify the behavior of the firewall and to enable Remote Router Access Control. Go to Security > Firewall > Options Tab. Enable Firewall Options Firewall Options Item Value setting Stealth Mode SPI Discard Ping from WAN The box is unchecked by default. The box is checked by default. The box is unchecked by default. Description
Check the Enable box to activate the Stealth Mode function Check the Enable box to activate the SPI function Check the Enable box to activate the Discard Ping from WAN function Define Remote Administrator Host The router allows network administrator to manage router remotely. The network administrator can assign specific IP address and service port to allow accessing the router. 366
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Remote Administrator Host Definition Item Value setting Description Protocol HTTP is set by default Select HTTP or HTTPS method for router access. A Must filled setting This field is to specify the remote host to assign access right for remote access. Select Any IP to allow any remote hosts Select Specific IP to allow the remote host coming from a specific subnet. An IP address entered in this field and a selected Subnet Mask to compose the subnet. IP Service Port Enabling the rule Save Undo 1. 80 for HTTP by default 2. 443 for HTTPS by default The box is unchecked by default. N/A N/A This field is to specify a Service Port to HTTP or HTTPS connection. Click Enable box to activate this rule. Click Enable box to activate this rule then save the settings. Click Undo to cancel the settings 367
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 368
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 9.5 Authentication To approve or confirm the truth of a certain object, you have to configure the required settings in the Authentication page. The supported functions could be Captive Portal and MAC Authentication, and the available function might be different for the purchased gateway. With proper configuration, whenever a certain object is accessing the portal or is asked for authentication to get access to internet, the specified authentication server is responsible for the authentication. 9.5.1 Captive Portal A captive portal is a portal web page that is displayed before a user can browse Internet. The portal is often used to present a login page. This is done by intercepting most packets, regardless of address or port, until the user opens a browser and tries to access the web. At that time the browser is redirected to a web page which may require authentication and/or payment, or simply display an acceptable use policy and require the user to agree. Captive portals are used at many Wi‐Fi hotspot services, and can be used to control wired access (e.g. apartment houses, hotel rooms, business centers, "open" Ethernet jacks) as well.10 Since the login page itself must be presented to the client, either that login page is locally stored in the gateway, or the web server hosting that page must be "whitelisted" via a walled garden to bypass the authentication process. Depending on the feature set of the gateway, multiple web servers can be whitelisted (say for iframes or links within the login page). In addition to whitelisting the URLs of web hosts, some gateways can whitelist TCP ports. The MAC address of attached clients can also be set to bypass the login process. This technique has occasionally been referred to as UAM (Universal Access Method) in implementations and standards forums. The gateway supports the Captive Portal function to ask guests or passengers to pass the authentication process before they can surf the Internet via the gateway. There are two approaches, including internal captive portal and external captive portal. For external captive portal, you must specify external RADIUS (Remote Authentication Dial In User Service) server and external UAM (Universal Access Method) server. In contrast, for internal captive portal, you will only select “Internal RADIUS Server” option for user authentication. The user account database can be an embedded database, an external AD database or an external LDAP database. However, the UAM server is not necessary for this case and that the captive portal Web site is embedded in the device. External Captive Portal 10 http://en.wikipedia.org/wiki/Captive_portal
369
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. For external captive portal, you must specify external RADIUS (Remote Authentication Dial In User Service) server and external UAM (Universal Access Method) server. Before enabling the external Captive Portal function, please go to [Object Definition]‐[External Server] to setup external server objects, like RADIUS server and UAM server. Then return to configure Captive Portal function back in this page to specific WAN Interface, select external Authentication Server and UAM Server from the pre‐defined external server object list. Internal Captive Portal In contrast, for internal captive portal, you will only select “Internal RADIUS Server” option for user authentication. The user account database can be an embedded database, an external AD database or an external LDAP database. However, the UAM server is not necessary for this case and that the captive portal Web site is embedded in the device. Before enabling internal Captive Portal function, please go to [Object Definition]‐[External Server] to define some external server objects, like LDAP server or AD server if necessary. Then return to configure Captive Portal function back in this page to specific WAN Interface, select “Internal RADIUS Server” option for user authentication and specify its user database to be the embedded one, an external LDAP server or an external AD server from the pre‐defined external server object list. NOTE: All Internet Packets will be forwarded to Captive Portal Web site of the gateway when Captive portal feature is enabled. Please make sure that at least one user account is created.  Internal Captive Portal Scenario 370
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required.  Scenario Application Timing When your purchased gateway has the "Captive Portal" function and the administrator wants to ask specific users to execute an authentication process before their Internet surfing via the gateway. The Captive Portal function in the gateway includes the internal one and the administrator of gateway can create user accounts for users in the [Object Definition]‐[User] for user authentication. Then the scenario is adequate to be adopted in the situation.  Scenario Description  Client hosts in the Guest group must pass the authentication process in the embedded UAM page of the Gateway before surfing Internet.  Client hosts can access the Internet via the Gateway once they passed the user authentication.  Parameter Setup Example  Following tables list the parameter configuration as an example for "Internal Captive Portal" function, as shown in above diagram.  Use default value for those parameters that are not mentioned in the tables. Configuration Path DHCP Server Name LAN IP Address Subnet Mask IP Pool Server [DHCP Server]‐[DHCP Server Configuration] DHCP 2 10.0.76.2 255.255.255.0 (/24) 10.0.76.100 ~ 10.0.76.200 ■ Enable Configuration Path VLAN Type [VLAN]‐[Configuration]
Port‐based
Configuration Path Port NAT/Bridge DHCP Server [VLAN]‐[Port‐based VLAN List] Port‐4 NAT DHCP 2 371
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Configuration Path User Name Password User Level Lease Time Idle Timeout Profile [User Profile]‐[User List Configuration] GuestAccount GuestPassword Guest 10000 (seconds) 60 (seconds) ■ Enable Configuration Path Captive Portal
WAN Interface
LAN Subnet Authentication Server [Captive Portal]‐[Captive Portal Configuration]
■ Enable
WAN‐1
DHCP‐2 Internal RADIUS Server Embedded Database  Scenario Operation Procedure  In above diagram, the "Gateway" serves as the gateway integrating with internal captive portal function and an embedded user account database. There are two VLAN groups in its Intranet. The first one is VLAN‐1 and the IP address of the virtual LAN interface is 10.0.75.2. There is one DHCP server, DHCP‐1, acting for the VLAN‐1 group, and it is adequate for the Staff group of users. The Staff can surf the Internet normally without user authentication. But, the second VLAN group is VLAN‐2 and the IP address of the virtual LAN interface is 10.0.76.2. There is another DHCP server, DHCP‐2, acting for the VLAN‐2 group, and it is for the Guest group of users. The Guest can surf the Internet only when they can pass the authentication process in the embedded UAM web page.  One client host under the Guest group wants to surf the Internet by using its browser.  The gateway checks out that the Internet surfing request comes from the Guest group and the client host in the Guest group hasn't been authenticated by the gateway. So, the gateway redirects the request to the UAM web page and asks the user to input correct account and password.  Once the user authentication process completes successfully, the gateway redirects the web page to the requested one. Furthermore, the gateway also records the MAC address of guest client host and allows its incoming Internet access requests.  Each account has its own lease time and it will not be reused for authentication once the lease time has run out. The client host with that account will be rejected to surf the Internet.  However, there is a timeout setting for each account. When the client host with that account has been idle at the Internet surfing for a while that reaches the timeout setting, the gateway will re‐authenticate the client host for further Internet connection. 372
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Captive Portal Setting The gateway supports the Captive Portal function to ask connecting users to pass the authentication process before they can surf the Internet via the gateway. The Captive Portal will re‐direct user to a login page when user try to access the Internet. Go to Security > Authentication > Captive Portal tab. Captive Portal Configuration Item Value setting Description Captive Portal Check the Enable box to activate the Captive Portal function. WAN Interface LAN Subnet The box is unchecked by default 1. A Must filled setting. 2. WAN‐1 is selected by default. 1. A Must filled setting. 2. DHCP‐1 is selected by Specify a WAN Interface for the authenticated clients or hosts. All the traffics coming from the hosts will be directed to the specified WAN interface. Specify the LAN subnet which is to be bound with captive portal function.
It can be DHCP‐1 ~ DHCP‐4, if you configured the corresponding DHCP 373
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. servers in Basic Network > LAN & VLAN > DHCP Server. If DHCP‐1 is selected, it means that users connected to the physical LAN port which bound the DHCP‐1 server, he will be re‐directed to a login page when accessing the Internet. Specify which kind of authentication server is to be used for captive portal Web Portal 1. A Must filled setting. function. It can be Internal or External, and depends on the product 2. The default setting depends on the product specification. Not all products with internal option, some model only has specification. It can be external option. Internal or External. When External is selected, there is no Customize login page to be configured, but user must specify external UAM Server and Authentication Server for authentication. When Internal is selected, user just need to specify an Authentication Server and the portal login page can be edited in Customize login page. Customize N/A Click the Download Default CSS and Logo button to download the default login page CSS file and Logo of login page for the internal authentication server. Click the Download Current CSS and Logo button to download the current CSS file and Logo of login page for the internal authentication server. User can edit the CSS file or Logo downloaded from above buttons and upload them by Upload CSS and Logo files button. MAC Whitelist Optional setting Specify a MAC whitelist for the client devices that will not be subjected to (Separated by,) the captive portal authentication function. The MAC(s) filled in this field can access Internet directly, instead of been re‐direct to the login page. Walled‐Garden Optional setting Specify the host IP(s) for the devices that will not be subjected to the Hosts captive portal authentication function. (Separated by;) The IP(s) filled in this field can access Internet directly, instead of been re‐
direct to the login page. Walled‐Garden Optional setting Specify the domain name(s) for the devices that will not be subjected to domains the captive portal authentication function. (Separated by;) The domain names(s) filled in this field can access Internet directly, instead of been re‐direct to the login page. Authentication A Must filled setting Select the type of authentication server and corresponding user database.
Server If Web Portal is Internal, the Internal RADIUS Server is used to authentication by default, and there are three databases you can choose. When Embedded DataBase is selected, the login IDs and Passwords are created in Object Definition > User > User Profile tab. When External LDAP is selected, the login IDs and passwords are from an external LDAP server. Please specify it as well. When External AD is selected, the login IDs and passwords are from an external AD server. Please specify it as well. If Web Portal is External, the External RADIUS Server is used to authentication by default, user need to specify the external RADIUS server. The external radius server can be added by pressing AddObject button directly or added in Object Definition > External Server > External Server tab. UAM Server A Must filled setting UAM Server is available only when External in Web Portal dropdown box is selected. Click the Enable box an specify an external UAM server from the external server list. default. 374
In‐Vehicle Hotspot Gateway
Save Refresh Index skipping is used to reserve slots for new function insertion, when required. The UAM Server can be added by pressing AddObject button directly or added in Object Definition > External Server > External Server tab. Click the Save button to save changes
Click the Refresh button to refresh current page
N/A
N/A
375
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 9.5.3 MAC Authentication For some application, a RADIUS server is used to authenticate the Internet accessing permission. For those authorized devices (MACs), they are allowed to access internet, and on the other hand, for those not authorized devices, the internet accessing traffics will be blocked. This gateway supports such MAC authentication function, the administrator has to configure the settings and create a permissible user account list for those authorized devices. When the MAC Authentication function is enabled, the traffics from the specified interface(s) will be applied with the MAC Authentication process transperantly. The gateway will interact with the RADIUS server, and provide the corresponding user information for authentication process. Go to Security > Authentication > MAC Authentication tab. Enable MAC Authentication Configuration Item Value setting MAC Authentication Radius Server The box is unchecked by default. A Must filled setting. LAN Interface A Must filled setting. Client Connection Idle Time Save Refresh A Must filled setting. N/A
N/A
Description Check the Enable box to activate the MAC Authentication function.
Specify an external RADIUS server for authentication. When the MAC Authentication is enabled, the gateway sends out the connecting client’s information to the RADIUS server for authentication. Select the network interface(s) to apply the MAC Authentication function.
It can be LAN or VLAN(s) (port‐based). At least, one interface should be selected. Note: DON’T choose the interface which RADIUS server in it. Specify the idle time (in seconds) for a client connection. If a client didn’t access network for the specified ilde time period, its authentication will be invalided consequently. Click the Save button to save changes
Click the Refresh button to refresh current page
Create/Edit User List There is a User List for lising the information of the available users. Administrator can create, edit,
delete, or even search with a certain key and filter function to quick access to the information you are
looking for.
376
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. User List Item Value setting Description Nickname User Name Password Add Delete Filter Previous Next N/A N/A N/A N/A N/A N/A N/A N/A It displays the nickname for a user. It displays the MAC address for a user.
It display the password for a user.
Add information of new device authentication Delete information of exists device authentication Search information of exists device authentication Navigation Button of authentication list
Navigation Button of authentication list
When Add button is applied, User Configuration screen will appear. User List Item Nickname User Name Password Save Value setting Description
1. A Must filled setting. 2. String format can be any text (max. 64 characters). 1.A Must filled setting. 2. MAC address format. 1. A Must filled setting. 2. String format can be any text (max. 64 characters). N/A
Enter a nickname for the user that is easy for you to understand. Enter the MAC address for the user.
Enter the password for the user.
Click the Save button to save changes.
To make sure the MAC authentication function can work properly on those authorized users (MACs),
administrator has to create the corresponding user information in the User List. Otherwise, even for
those authorized users, the authentication result will be false, and there will be no internet access for the
users.
377
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Chapter b Administration b.1 Configure & Manage Configure & Manage refers to enterprise‐wide administration of distributed systems including (and commonly in practice) computer systems. Centralized management has a time and effort trade‐off that is related to the size of the company, the expertise of the IT staff, and the amount of technology being used. This device supports many system management protocols, such as Command Script, TR‐069, SNMP, and Telnet with CLI. You can setup those configurations in the "Configure & Manage" section. b.1.1 Command Script Command script configuration is the application that allows administrator to setup the pre‐
defined configuration in plain text style and apply configuration on startup. Go to Administration > Command Script > Configuration Tab. Enable Command Script Configuration 378
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Configuration Item Value setting Configuration The box is unchecked by default Description
Check the Enable box to activate the Command Script function. Edit/Backup Plain Text Command Script You can edit the plain text configuration settings in the configuration screen as above. Plain Text Configuration Item Value setting Description Clean NA Backup Save NA NA Clean text area. (You should click Save button to further clean the configuration already saved in the system.) Backup and download configuration.
Save configuration
379
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. The supported plain text configuration items are shown in the following list. For the settings that can be executed with standard Linux commands, you can put them in a script file, and apply to the system configure with STARTUP command. For those configurations without corresponding Linux command set to configure, you can configure them with proprietary command set. Configuration Content Key Value Description setting OPENVPN_ENABLED OPENVPN_DESCRIPTION OPENVPN_PROTO OPENVPN_PORT 1 : enable 0 : disable A Must filled Setting udp tcp OPENVPN_REMOTE_IPADDR A Must filled Setting IP or FQDN
OPENVPN_PING_INTVL OPENVPN_PING_TOUT seconds seconds OPENVPN_COMP OPENVPN_AUTH Adaptive Static Key/TLS
OPENVPN_CA_CERT A Must filled Setting A Must filled Setting A Must filled Setting Options Ip Net mask 1 : enable 0 : disable OPENVPN_LOCAL_CERT OPENVPN_LOCAL_KEY OPENVPN_EXTRA_OPTS IP_ADDR1 IP_NETM1 PPP_MONITORING PPP_PING 0 : DNS Query
1 : ICMP Query
Enable or disable OpenVPN Client function. Specify the tunnel name for the OpenVPN Client connection.
Define the Protocol for the OpenVPN Client. 
Select TCP or TCP /UDP ‐>The OpenVPN will use TCP protocol, and Port will be set as 443 automatically. 
Select UDP ‐> The OpenVPN will use UDP protocol, and Port will be set as 1194 automatically. Specify the Port for the OpenVPN Client to use. Specify the Remote IP/FQDN of the peer OpenVPN Server for this OpenVPN Client tunnel. Fill in the IP address or FQDN. Specify the time interval for OpenVPN keep‐alive checking.
Specify the timeout value for OpenVPN Client keep‐alive checking. Specify the LZO Compression algorithm for OpenVPN client.
Specify the authorization mode for the OpenVPN tunnel.

TLS ‐>The OpenVPN will use TLS authorization mode, and the following items CA Cert., Client Cert. and Client Key need to specify as well. Specify the Trusted CA certificate for the OpenVPN client. It will go through Base64 Conversion. Specify the local certificate for OpenVPN client. It will go through Base64 Conversion. Specify the local key for the OpenVPN client. It will go through Base64 Conversion. Specify the extra options setting for the OpenVPN client.
Ethernet LAN IP
Ethernet LAN MASK
When the Network Monitoring feature is enabled, the router will use DNS Query or ICMP to periodically check Internet connection –connected or disconnected. With DNS Query, the system checks the connection by sending DNS Query packets to the destination specified in PPP_PING_IPADDR. With ICMP Query, the system will check connection by sending 380
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. ICMP request packets to the destination specified in PPP_PING_IPADDR. IP Specify an IP address as the target for sending DNS query/ICMP request. seconds Specify the time interval for between two DNS Query or ICMP checking packets. Script file For the configurations that can be configured with standard Linux commands, you can put them in a script file, and apply the script file with STARTUP command. For example, STARTUP=#!/bin/sh STARTUP=echo “startup done” > /tmp/demo PPP_PING_IPADDR PPP_PING_INTVL STARTUP Plain Text System Configuration with Telnet In addition to the web‐style plain text configuration as mentioned above, the gateway system also allow the configuration via Telnet CLI. Administrator can use the proprietary telnet command “txtConfig” and related action items to perform the plain system configuration. The command format is: txtConfig (action) [option] Action Option Description clone Output file commit a existing file enable NA disable NA Duplicate the configuration content from database and stored as a configuration file. (ex: txtConfig clone /tmp/config) The contents in the configuration file are the same as the plain text commands mentioned above. This action is exactly the same as performing the “Backup” plain text configuration. Commit the configuration content to database. (ex: txtConfig commit /tmp/config) Enable plain text system config.
(ex: txtConfig enable) Disable plain text system config.
(ex: txtConfig disable) Apply the configuration content that has been committed in database.
(ex: txtConfig run_immediately) Assign a configuration file to apply.
(ex: txtConfig run_immediately /tmp/config) run_immediately NA run_immediately a existing file 381
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. b.1.3 TR‐069 TR‐069 (Technical Report 069) is a Broadband Forum technical specification entitled CPE WAN Management Protocol (CWMP). It defines an application layer protocol for remote management of end‐user devices, like this gateway device. As a bidirectional SOAP/HTTP‐based protocol, it provides the communication between customer‐premises equipment (CPE) and Auto Configuration Servers (ACS). The Security Gateway is such CPE. TR‐069 is a customized feature for ISP. It is not recommend that you change the configuration for this. If you have any problem in using this feature for device management, please contact with your ISP or the ACS provider for help. At the right upper corner of TR‐069 Setting screen, one “[Help]” command let you see the same message about that. Scenario ‐ Managing deployed gateways through an ACS Server Scenario Application Timing When the enterprise data center wants to use an ACS server to manage remote gateways geographically distributed elsewhere in the world, the gateways in all branch offices must have an embedded TR‐069 agent to communicate with the ACS server. So that the ACS server can configure, FW upgrade and monitor these gateways and their corresponding Intranets. 382
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Scenario Description The ACS server can configure, upgrade with latest FW and monitor these gateways. Remote gateways inquire the ACS server for jobs to do in each time period. The ACS server can ask the gateways to execute some urgent jobs. Parameter Setup Example Following tables list the parameter configuration as an example for the Gateway 1 in above diagram with "TR‐069" enabling. Use default value for those parameters that are not mentioned in the tables. Configuration Path TR‐069 [TR‐069]‐[Configuration]
ACS URL http://qaamit.acslite.com/cpe.php
ACSUserName
■ Enable
ACS User Name ACS Password ConnectionRequest Port
ConnectionRequest User Name ConnectionRequest Password Inform ACSPassword
8099
ConnReqUserName
ConnReqPassword
■ Enable Interval 900
Scenario Operation Procedure In above diagram, the ACS server can manage multiple gateways in the Internet. The "Gateway 1" is one of them and has 118.18.81.33 IP address for its WAN‐1 interface. When all remote gateways have booted up, they will try to connect to the ACS server. Once the connections are established successfully, the ACS server can configure, upgrade with latest FW and monitor these gateways. Remote gateways inquire the ACS server for jobs to do in each time period. If the ACS server needs some urgent jobs to be done by the gateways, it will issue the "Connection Request" command to those gateways. And those gateways make immediate connections in response to the ACS server’s immediate connection request for executing the urgent jobs. 383
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. TR‐069 Setting In "TR‐069" page, there is only one configuration window for TR‐069 function. In the window, you must specify the related information for your security gateway to connect to the ACS. Drive the function to work by specifying the URL of the ACS server, the account information to login the ACS server, the service port and the account information for connection requesting from the ACS server, and the time interval for job inquiry. Except the inquiry time, there are no activities between the ACS server and the gateways until the next inquiry cycle. But if the ACS server has new jobs that are expected to do by the gateways urgently, it will ask these gateways by using connection request related information for immediate connection for inquiring jobs and executing. Go to Administration > Configure & Manage > TR‐069 tab. TR‐069 Item Value setting Description
TR‐069 The box is unchecked by default Check the Enable box for activate TR‐069 Interface WAN‐1 is selected by default. When you finish set basic network wan 1~wan n, you can choose wan 1~wan n When you finish set Security > VPN > IPSec/PPTP/L2TP/GRE, you can choose IPSec/PPTP/L2TP/GRE tunnel, the interface like “IPSec #1” Data Model Standard is selected Select the TR‐069 dat model for the remote management. 384
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. by default. ACS URL ACS Username ACS Password A Must filled setting A Must filled setting A Must filled setting 1. A Must filled setting ConnectionRequest 2. By default 8099 is Port set ConnectionRequest A Must filled setting UserName ConnectionRequest A Must filled setting Password Inform Inform Interval Save The box is checked by default The value is 900 by default N/A Standard : the ACS Server is a standard one, which is fully comply with TR‐069. AMIT’s ACS Data Model : Select this data model if you intend to use AMIT’s Cloud ACS Server to managing the deployed gateways. You can ask ACS manager provide ACS URL and manually set You can ask ACS manager provide ACS username and manually set You can ask ACS manager provide ACS password and manually set You can ask ACS manager provide ACS ConnectionRequest Port and manually set You can ask ACS manager provide ACS ConnectionRequest Username and manually set You can ask ACS manager provide ACS ConnectionRequest Password and manually set When the Enable box is checked, the gateway (CPE) will periodicly send inform message to ACS Server. This value is decide how long send inform to ACS Click Save to save the settings When you finish set ACS URL ACS Username ACS Password, your gateway (CPE, Client Premium Equipment) can send inform to ACS Server. When you finish set ConnectionRequest Port ConnectionRequest Username ConnectionRequest Password, ACS Server can ask the gateway (CPE) to send inform to ACS Server. 385
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. b.1.5 SNMP In brief, SNMP, the Simple Network Management Protocol, is a protocol designed to give a user the capability to remotely manage a computer network by polling and setting terminal values and monitoring network events. In typical SNMP uses, one or more administrative computers, called managers, have the task of monitoring or managing a group of hosts or devices on a computer network. Each managed system executes, at all times, a software component called an agent which reports information via SNMP to the manager. SNMP agents expose management data on the managed systems as variables. The protocol also permits active management tasks, such as modifying and applying a new configuration through remote modification of these variables. The variables accessible via SNMP are organized in hierarchies. These hierarchies, and other metadata (such as type and description of the variable), are described by Management Information Bases (MIBs). The device supports several public MIBs and one private MIB for the SNMP agent. The supported MIBs are as follow: MIB-II (RFC 1213, Include IPv6), IF-MIB, IP-MIB, TCP-MIB, UDP-MIB, SMIv1
and SMIv2, SNMPv2-TM and SNMPv2-MIB, and AMIB (AMIT Private MIB)
SNMP Management Scenario Scenario Application Timing 386
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. There are two application scenarios of SNMP Network Management Systems (NMS). Local NMS is in the Intranet and manage all devices that support SNMP protocol in the Intranet. Another one is the Remote NMS to manage some devices whose WAN interfaces are connected together by using a switch or a router with UDP forwarding. If you want to manage some devices and they all have supported SNMP protocol, use either one application scenario, especially the management of devices in the Intranet. In managing devices in the Internet, the TR‐069 is the better solution. Please refer to last sub‐section. Scenario Description The NMS server can monitor and configure the managed devices by using SNMP protocol, and those devices are located at where UDP packets can reach from NMS. The managed devices report urgent trap events to the NMS servers. Use SNMPv3 version of protocol can protected the transmitting of SNMP commands and responses. The remote NMS with privilege IP address can manage the devices, but other remote NMS can't. Parameter Setup Example Following tables list the parameter configuration as an example for the Gateway 1 in above diagram with "SNMP" enabling at LAN and WAN interfaces. Use default value for those parameters that are not mentioned in the tables. Configuration Path SNMP Enable Supported Versions Get / Set Community Trap Event Receiver 1 WAN Access IP Address Configuration Path ID User Name Password Authentication Encryption Privacy Mode Privacy Key Authority Enable [SNMP]‐[Configuration]
■ LAN ■ WAN
■ v1 ■ v2c ■ v3
ReadCommunity / WriteCommunity
118.18.81.11
118.18.81.11
[SNMP]‐[User Privacy Definition]
1 2
3 UserName1 UserName2
UserName3 Password1 Password2
Disable MD5 SHA‐1
Disable DES Disable
Disable authPriv authNoPriv
noAuthNoPriv 12345678 Disable
Disable Read/Write Read
Read ■ Enable ■ Enable
■ Enable 387
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Scenario Operation Procedure In above diagram, the NMS server can manage multiple devices in the Intranet or a UDP‐
reachable network. The "Gateway 1" is one of the managed devices, and it has the IP address of 10.0.75.2 for LAN interface and 118.18.81.33 for WAN‐1 interface. It serves as a NAT router. At first stage, the NMS manager prepares related information for all managed devices and records them in the NMS system. Then NMS system gets the status of all managed devices by using SNMP get commands. When the manager wants to configure the managed devices, the NMS system allows him to do that by using SNMP set commands. The "UserName1" account is used if the manager uses SNMPv3 protocol for configuring the "Gateway 1". Only the "UserName1" account can let the "Gateway 1" accept the configuration from the NMS since the authority of the account is "Read/Write". Once a managed device has an urgent event to send, the device will issue a trap to the Trap Event Receivers. The NMS itself could be one among them. If you want to secure the transmitted SNMP commands and responses between the NMS and the managed devices, use SNMPv3 version of protocol. The remote NMS without privilege IP address can't manage the "Gateway 1", since "Gateway 1" allows only the NMS with privilege IP address can manage it via its WAN interface. 388
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. SNMP Setting The SNMP allows user to configure SNMP relevant setting which includes interface, version, access control and trap receiver. Go to Administration > Configure & Manage > SNMP tab. Enable SNMP SNMP Item Value setting SNMP Enable 1.The LAN box is checked by default Supported Versions 1.The v1 box is checked by default 2.The v2c box is checked by default Remote Aceess IP SNMP Port Save 1. String format: any Ipv4 address 2. It is an optional item. 1. String format: any port number 2. The default SNMP port is 161 3. A Must filled setting N/A Description
Select the interface for the SNMP and enable SNMP functions. When Check the LAN box. It will activate SNMP functions and you can access SNMP from LAN side. When Check the WAN box. It will activate SNMP functions and you can access SNMP from WAN side. Select the version for the SNMP When Check the v1 box. It means you can access SNMP by version 1. When Check the v2c box. It means you can access SNMP by version 2c. When Check the v3 box. It means you can access SNMP by version 3. Specify the Remote Access IP for WAN. If you filled in the IP address. It means only this IP address can access SNMP from WAN side. If you not filled. It means any IP address can access SNMP from WAN side. Specify the SNMP Port. You can fill in any port number. But you must ensure the port number is not to be used. Click Save to save the settings 389
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Undo N/A Click Undo to cancel the settings Create/Edit Multiple Community The SNMP allows you to custom your access control for version 1 and version 2 user. The router supports up to a maximum of 10 community sets. When Add button is applied, Multiple Community Rule Configuration screen will appear. Multiple Community Rule Configuration
Item Value setting Description
Community Enable 1. Read Only is selected by default 2. A Must filled setting 3. String format: any text 1.The box is checked by default Save N/A Undo Back N/A N/A Specify this version 1 or version v2c user’s community that will be allowed Read Only (GET and GETNEXT) or Read‐Write (GET, GETNEXT and SET) access respectively. The maximum length of the community is 32. Click the Enable button to enable this version 1 or version v2c user. Click the Save button to save the configuration. But it does not apply to SNMP functions. When you return to the SNMP main page. It will show “Click on save button to apply your changes” remind user to click main page Save button. Click the Undo button to cancel the settings. Click the Back button to return to last page. 390
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Create/Edit User Privacy The SNMP allows you to custom your access control for version 3 user. The router supports up to a maximum of 128 User Privacy sets. When Add button is applied, User Privacy Rule Configuration screen will appear. User Privacy Rule Configuration Item Value setting User Name Password 1. A Must filled setting 2. String format: any text 1. String format: any text Authentication 1. None is selected by default Encryption 1. None is selected by default Description
Specify the User Name for this version 3 user. The maximum length of the user name is 32. When your Privacy Mode is authNoPriv or authPriv, you must specify the Password for this version 3 user. The minimum length of the password is 8. The maximum length of the password is 64. When your Privacy Mode is authNoPriv or authPriv, you must specify the Authentication types for this version 3 user. Selected the authentication types MD5/ SHA‐1 to use. When your Privacy Mode is authPriv, you must specify the Encryption protocols for this version 3 user. Selected the encryption protocols DES / AES to use. 391
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Privacy Mode 1. noAuthNoPriv is selected by default Privacy Key 1. String format: any text Authority Save 1. Read is selected by default 1. The default value is 1 2. A Must filled setting 3. String format: any legal OID 1.The box is checked by default N/A Undo Back N/A N/A OID Filter Prefix Enable Specify the Privacy Mode for this version 3 user. Selected the noAuthNoPriv. You do not use any authentication types and encryption protocols. Selected the authNoPriv. You must specify the Authentication and Password. Selected the authPriv. You must specify the Authentication, Password, Encryption and Privacy Key. When your Privacy Mode is authPriv, you must specify the Privacy Key for this version 3 user. The minimum length of the privacy key is 8. The maximum length of the privacy key is 64. Specify this version 3 user’s Authority that will be allowed Read Only (GET and GETNEXT) or Read‐Write (GET, GETNEXT and SET) access respectively. The OID Filter Prefix restricts access for this version 3 user to the sub‐tree rooted at the given OID. The range of the each OID number is 1‐2080768. Click Enable to enable this version 3 user. Click the Save button to save the configuration. But it does not apply to SNMP functions. When you return to the SNMP main page. It will show “Click on save button to apply your changes” remind user to click main page Save button. Click Undo to cancel the settings Click the Back button to return the last page. Create/Edit Trap Event Receiver The SNMP allows you to custom your trap event receiver. The router supports up to a maximum of 4 Trap Event Receiver sets. When Add button is applied, Trap Event Receiver Rule Configuration screen will appear. The default SNMP Version is v1. The configuration screen will provide the version 1 must filled items. 392
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. When you selected v2c, the configuration screen is exactly the same as that of v1, except the version. When you selected v3, the configuration screen will provide more setting items for the version 3 Trap. Trap Event Receiver Rule Configuration
Item Value setting Description
Server IP Server Port 1. A Must filled setting 2. String format: any Ipv4 address 1. String format: any port number 2. The default SNMP trap port is 162 3. A Must filled setting Specify the trap Server IP. The DUT will send trap to the server IP. Specify the trap Server Port. You can fill in any port number. But you must ensure the port number is not to be used. 393
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. SNMP Version Community Name User Name Password Privacy Mode Authentication Encryption Privacy Key Enable Save 1. v1 is selected by default 1. A v1 and v2c Must filled setting 2. String format: any text 1. A v3 Must filled setting 2. String format: any text 1. A v3 Must filled setting 2. String format: any text 1. A v3 Must filled setting 2. noAuthNoPriv is selected by default 1. A v3 Must filled setting 2. None is selected by default 1. A v3 Must filled setting 2. None is selected by default 1. A v3 Must filled setting 2. String format: any text 1.The box is checked by default N/A Select the version for the trap Selected the v1. The configuration screen will provide the version 1 must filled items. Selected the v2c. The configuration screen will provide the version 2c must filled items. Selected the v3. The configuration screen will provide the version 3 must filled items. Specify the Community Name for this version 1 or version v2c trap. The maximum length of the community name is 32. Specify the User Name for this version 3 trap. The maximum length of the user name is 32. When your Privacy Mode is authNoPriv or authPriv, you must specify the Password for this version 3 trap. The minimum length of the password is 8. The maximum length of the password is 64. Specify the Privacy Mode for this version 3 trap. Selected the noAuthNoPriv. You do not use any authentication types and encryption protocols. Selected the authNoPriv. You must specify the Authentication and Password. Selected the authPriv. You must specify the Authentication, Password, Encryption and Privacy Key. When your Privacy Mode is authNoPriv or authPriv, you must specify the Authentication types for this version 3 trap. Selected the authentication types MD5/ SHA‐1 to use. When your Privacy Mode is authPriv, you must specify the Encryption protocols for this version 3 trap. Selected the encryption protocols DES / AES to use. When your Privacy Mode is authPriv, you must specify the Privacy Key for this version 3 trap. The minimum length of the privacy key is 8. The maximum length of the privacy key is 64. Click Enable to enable this trap receiver. Click the Save button to save the configuration. But it does not apply to SNMP functions. When you return to the SNMP main page. It will show “Click on save button to apply your changes” remind user to click main page Save button. 394
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Undo Back N/A N/A Click Undo to cancel the settings. Click the Back button to return the last page. Edit SNMP Options If you use some particular private MIB, you must fill the enterprise name, number and OID. Options Item Enterprise Name Enterprise Number Enterprise OID Value setting 1. The default value is AMIT 2. A Must filled setting 3. String format: any text The default value is 12823 (AMIT Enterprise Number) 2. A Must filled setting 3. String format: any number 1. The default value is 1.3.6.1.4.1.12823.4.4.9 (AMIT Enterprise OID) 2. A Must filled setting 3. String format: any legal OID Save N/A Undo N/A Description Specify the Enterprise Name for the particular private MIB. The maximum length of the enterprise name is 10. Specify the Enterprise Number for the particular private MIB. The range of the enterprise number is 1‐2080768. Specify the Enterprise OID for the particular private MIB. The range of the each OID number is 1‐2080768. The maximum length of the enterprise OID is 31. The seventh number must be identical with the enterprise number. Click the Save button to save the configuration and apply your changes to SNMP functions. Click Undo to cancel the settings. 395
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. b.1.7 Telnet with CLI A command‐line interface (CLI), also known as command‐line user interface, and console user interface are means of interacting with a computer program where the user (or client) issues commands to the program in the form of successive lines of text (command lines). The interface is usually implemented with a command line shell, which is a program that accepts commands as text input and converts commands to appropriate operating system functions. Programs with command‐
line interfaces are generally easier to automate via scripting. The device supports both Telnet and SSH (Secure Shell) CLI with default service port 23 and 22, respectively. Telnet & SSH Scenario Scenario Application Timing When the administrator of the gateway wants to manage it from remote site in the Intranet or Internet, he may use "Telnet with CLI" function to do that by using "Telnet" or "SSH" utility. Scenario Description 396
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. The Local Admin or the Remote Admin can manage the Gateway by using "Telnet" or "SSH" utility with privileged user name and password. The data packets between the Local Admin and the Gateway or between the Remote Admin and the Gateway can be plain texts or encrypted texts. Suggest they are plain texts in the Intranet for Local Admin to use "Telnet" utility, and encrypted texts in the Internet for Remote Admin to use "SSH" utility. Parameter Setup Example Following table lists the parameter configuration as an example for the Gateway in above diagram with "Telnet with CLI" enabling at LAN and WAN interfaces. Use default value for those parameters that are not mentioned in the table. [Telnet with CLI]‐[Configuration]
Configuration Path Telnet with CLI Connection Type LAN: ■ Enable WAN: ■ Enable
Telnet: Service Port 23 ■ Enable
SSH: Service Port 22 ■ Enable Scenario Operation Procedure In above diagram, "Local Admin" or "Remote Admin" can manage the "Gateway" in the Intranet or Internet. The "Gateway" is the gateway of Network‐A, and the subnet of its Intranet is 10.0.75.0/24. It has the IP address of 10.0.75.2 for LAN interface and 118.18.81.33 for WAN‐1 interface. It serves as a NAT gateway. The "Local Admin" in the Intranet uses "Telnet" utility with privileged account to login the Gateway. Or the "Remote Admin" in the Internet uses "SSH" utility with privileged account to login the Gateway. The administrator of the gateway can control the device as like he is in front of the gateway. 397
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Telnet with CLI Setting The Telnet with CLI setting allows administrator to access this device through the traditional Telnet program. Before you can telnet (login) to the device, please configure the related settings and password with care. The password management part allows you to set root password for logging telnet and SSH. Go to Administration > Configure & Manage > Telnet with CLI tab. Configuration Item Value setting Telnet with CLI Connection Type Save Undo 1.
The LAN Enable box is checked by default. 2. The WAN Enable box is unchecked by default. 1. The Telnet Enable box is checked by default. By default Service Port is 23. 2. The SSH Enable box is unchecked by default. By default Service Port is 22. N/A N/A Description Check the Enable box to activate the Telnet with CLI function for connecting from WAN/LAN interfaces. Check the Telnet Enable box to activate telnet service. Check the SSH Enable box to activate SSH service. You can set which number of Service Port you want to provide for the corresponding service. Click Save to save the settings Click Undo to cancel the settings 398
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Configuration Item Value setting root Save Undo 1. String: any text but no blank character 2. The default password for telnet is ‘m2mamit’. N/A N/A Description Type old password and specify new password to change root password. Note: You are highly recommended to change the default telnet password with yours before the device is deployed. Click Save to save the settings Click Undo to cancel the settings 399
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. b.3 System Operation System Operation allows the network administrator to manage system, settings such as web‐
based utility access password change, system information, system time, system log, firmware/configuration backup & restore, and reset & reboot. b.3.1 Password & MMI Go to Administration > System Operation > Password & MMI tab. Change Password Change password screen allows network administrator to change the web‐based MMI login password to access gateway. Change Password Item Value Setting 1. String: any text 2. The default Old Password password for web‐
based MMI is ‘admin’. New Password String: any text New Password String: any text Confirmation Description Enter the current password to enable you unlock to change password. Enter new password. Enter new password again to confirm. Change MMI Setting for Accessing This is the gateway’s web‐based MMI access which allows administrator to access the gateway for management. The gateway’s web‐based MMI will automatically logout when the idle time has elapsed. The setting allows administrator to enable automatic logout and set the logout idle time. When the 400
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. login timeout is disabled, the system won’t logout the administrator automatically. Web UI Item Login Value Setting 3 times is set by default GUI Access Protocol The Enable box is unchecked by default http/https is selected by default. Save Undo N/A N/A Login Timeout Description Enter the login trial counting value. If someone tried to login the web GUI with incorrect password for more than the counting value, an warning message “Already reaching maximum Password‐Guessing times, please wait a few seconds!” will be displayed and ignore the following login trials. Check the Enable box to activate the auto logout function, and specify the maximum idle time as well. Select the protocol that will be used for GUI access. It can be http/https,
http only, or https only.
Click Save button to save the settings Click Undo button to cancel the settings 401
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. b.3.3 System Information System Information screen gives network administrator a quick look up on the type of WAN connection being used. The display also shows the current System time. It is particularly useful when firmware has been upgraded and system configuration file has been loaded. Go to Administration > System Operation > System Information tab. System Name Item System Name Value Setting 1. an optional item 2. AMIT is set by default. Description Enter the system name for identification purpose. It can be the manufacture, or any name for a device deployment. System Information Item Value Setting WAN Type N/A Display Time N/A 1. It is an optional item 2. Wireless_Router is set by default. N/A N/A Host Name Save Refresh Description It displays the WAN Type of WAN‐1 Interface Internet connection configured. It displays the current system time that you browsed this web page. Enter the host name for the gateway. It can be used to interact with external network servers for identifying the name of requesting device.
Click Save button to save the settings. Click Refresh button to update the system Information immediately. 402
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. b.3.5 System Time The gateway provides manually setup and auto‐synchronized approaches for the administrator to setup the system time for the gateway. Go to Administration > System Operation > System Time tab. System Time Information
Item Value Setting Time Zone Auto‐
synchronization Daylight Saving Time Set Date & Time Save Refresh Description
1. It is an optional item. 2. Not yet configured is Select a time zone where this device locates. selected by default. Check the Enable button to activate the time auto‐synchronization 1. Checked by default. function with a certain NTP server. 2. Auto is selected by You can enter the IP or FQDN for the NTP server you expected, or leave it default. as auto mode so that the available server will be used for time synchronization one by one.
1. It is an optional item. Check the Enable button to activate the daylight saving function. 2. Un‐checked by When you enabled this function, you have to specify the start date and end
default date for the daylight saving time duration.
If you do not enable the time auto-synchronization function, you can also
1. It is an optional item. manually set the date (Year/Month/Day( and time (Hour:Minute:Second).
N/A Click Save button to save the settings. N/A Click Refresh button to update the system time immediately. Instead of manually configuring the system time for the gateway, there are two simple and quick solutions for you to set the correct time information and set it as the system time for the gateway. 403
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. The first one is “Sync with Timer Server”. Based on your selection of time zone and time server in above time information configuration window, system will communicate with time server by NTP Protocol to get system date and time after you click on the Sync with Timer Server button. Note: Remember to select a correct time zone for the device, otherwise, you will just get the UTC (Coordinated Universal Time) time, not the local time for the device. The second one is “Sync with my PC”. Click on the Sync with my PC button to let system synchronize its date and time to the time of the administration PC. 404
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. b.3.7 System Log System Log screen contains various event log tools facilitating network administrator to perform local event logging and remote reporting. Go to Administration > System Operation > System Log tab. View & Email Log History View button is provided for network administrator to view log history on the gateway. Email Now button enables administrator to send instant Email for analysis. View & Email Log History
Item Value setting Description
View button Email Now button N/A Click the View button to view Log History in Web Log List Window. N/A Click the Email Now button to send Log History via Email instantly. 405
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Web Log List Window Item Value Setting Description
Time column Log column It displays event time stamps It displays Log messages N/A N/A Web Log List Button Description Item Value setting Description
Previous Next First Last Download Clear Back Click the Previous button to move to the previous page. Click the Next button to move to the next page. Click the First button to jump to the first page. Click the Last button to jump to the last page. Click the Download button to download log to your PC in tar file format. Click the Clear button to clear all log. Click Back button to return to the previous page. N/A N/A N/A N/A N/A N/A N/A Web Log Type Category Web Log Type Category screen allows network administrator to select the type of events to log and be displayed in the Web Log List Window as described in the previous section. Click on the View button to view Log History in the Web Log List window. 406
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Web Log Type Category Setting Window
Item Value Setting Description
System Attacks Drop Checked by default Checked by default Checked by default Login message Checked by default Debug Un‐checked by default Check to log system events and to display in the Web Log List window. Check to log attack events and to display in the Web Log List window. Check to log packet drop events and to display in the Web Log List window.
Check to log system login events and to display in the Web Log List window. Check to log debug events and to display in the Web Log List window. Email Alert Email Alert screen allows network administrator to select the type of event to log and be sent to the destined Email account. Email Alert Setting Window Item Value Setting Enable Un‐checked by default Server N/A E‐mail address String : email format Subject String : any text Log type category Default unchecked Description
Check Enable box to enable sending event log messages to destined Email account defined in the E‐mail Addresses blank space. Select one email server from the Server dropdown box to send Email. If none has been available, click the Add Object button to create an outgoing Email server. You may also add an outgoing Email server from Object Definition >
External Server > External Server tab. Enter the recipient’s Email address. Separate Email addresses with comma ‘,’ or semicolon ‘ ;’ Enter the Email address in the format of ‘myemail@domain.com’ Enter an Email subject that is easy for you to identify on the Email client. Select the type of events to log and be sent to the designated Email account. Available events are System, Attacks, Drop, Login message, and Debug. 407
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Syslogd Syslogd screen allows network administrator to select the type of event to log and be sent to the designated Syslog server. Syslogd Setting Window
Item Value Setting Enable Un‐checked by default Server N/A Log type category Un‐checked by default Description
Check Enable box to activate the Syslogd function, and send event logs to a syslog server Select one syslog server from the Server dropdown box to sent event log to. If none has been available, click the Add Object button to create a system log server. You may also add an system log server from the Object Definition > External Server >
External Server tab. Select the type of event to log and be sent to the destined syslog server. Available events are System, Attacks, Drop, Login message, and Debug. Log to Storage Log to Storage screen allows network administrator to select the type of events to log and be stored at an internal or an external storage. Log to Storage Setting Window Item Value Setting Description
Enable Check to enable sending log to storage. Select Device Log file name Split file Enable Split file Size Log type category Un‐checked by default Internal is selected by default Un‐checked by default Un‐checked by default 200 KB is set by default Un‐checked by default Select internal or external storage. Enter log file name to save logs in designated storage. Check enable box to split file whenever log file reaching the specified limit.
Enter the file size limit for each split log file. Check which type of logs to send: System, Attacks, Drop, Login message, Debug Log to Storage Button Description Item Value setting Download log file N/A Description
Click the Download log file button to download log files to a log.tar file. 408
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. b.3.9 Backup & Restore In the Backup & Restore window, you can upgrade the device firmware when new firmware is available, and also backup / restore the device configuration. In addition to the factory default settings, you can also customize a special configuration setting as a customized default value. With this customized default value, you can reset the device to the expected default setting if needed. Go to Administration > System Operation > Backup & Restore tab. Log to Storage Setting Window Item Value Setting FW Upgrade Via Web UI is selected by default Backup Configuration Settings Download is selected by default Auto Restore Configuration The Enable box is unchecked by default Description
If new firmware is available, click the FW Upgrade button to upgrade the device firmware via Web UI, or Via Storage. After clicking on the “FW Upgrade” command button, you need to specify
the file name of new firmware by using “Browse” button, and then click
“Upgrade” button to start the FW upgrading process on this device. If you
want to upgrade a firmware which is from GPL policy, please check
“Accept unofficial firmware” You can backup or restore the device configuration settings by clicking the
Via Web UI or Via Storage button.
Download: for backup the device configuration to a config.bin file.
Upload: for restore a designated configuration file to the device.
Via Web UI: to retrieve the configuration file via Web GUI.
Via Storage: to retrieve the configuration file via local attached storage.
Chick the Enable button to activate the customized default setting function. Once the function is activated, you can save the expected setting as a customized default setting by clicking the Save Conf. button, or clicking the Clean Conf. button to erase the stored customized configuration. 409
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. b.3.b Reboot & Reset For some special reason or situation, you may need to reboot the gateway or reset the device configuration to its default value. In addition to perform these operations through the Power ON/OFF, or pressing the reset button on the device panel, you can do it through the web GUI too. In the Reboot & Reset window, you can reboot this device by clicking the “Reboot” button, and reset this device to default settings by clicking the “Reset” button. Go to Administration > System Operation > Reboot & Reset tab. System Operation Window Item Value Setting Reboot Now is selected by default Reset to Default N/A Description
Chick the Reboot button to reboot the gateway immediately or on a pre‐
defined time schedule. Now: Reboot immediately Time Schedule: Select a pre‐defined auto‐reboot time schedule rule to reboot the auto device on a designated tim. To define a time schedule rule, go to Object Definition > Scheduling > Configuration tab. Click the Reset button to reset the device configuration to its default value.
410
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. b.5 FTP The File Transfer Protocol (FTP) is a standard network protocol used to transfer computer files between a client and server on a computer network. FTP is built on a client‐server model architecture and uses separate control and data connections between the client and the server. FTP users may authenticate themselves with a clear‐text sign‐in protocol, normally in the form of a username and password, but can connect anonymously if the server is configured to allow it. For secure transmission that protects the username and password, and encrypts the content, FTP is often secured with SSL/TLS (FTPS). Besides, SSH File Transfer Protocol (SFTP) is sometimes also used instead, but is technologically different. This gateway embedded FTP / SFTP server for administrator to download the log files to his computer or database. In the following two sections, you can configure the FTP server and create the user accounts that can login to the server. After login to the FTP server, you can browse the log directory and have the permission to download the stored log files and delete the files you have downloaded to make more storage space for further data logs. The available log files can be system logs (refer to Administration > System Operation > System Log), Network Packets (refer to Administrator > Diagnostic > Packet Analyzer), Data Log (refer to Field Communication > Data Logging > Log File Management), and GNSS Log (refer to Service > Location Tracking > GNSS). With proper configuration for the various log functions that supported on your purchased product, you can download the log via FTP / SFTP connections. 411
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. b.5.1 Server Configuration This section allows user to setup the embedded FTP and SFTP server for retrieving the interested fog files. Go to Administration > FTP > Server Configuration tab. Enable FTP Server Configuration Item Value setting FTP The box is unchecked by default. FTP Port Port 21 is set by default Timeout 300 seconds is set by default. Max. Connections per IP Max. FTP Clients 2 Clients are set by default. 5 Clients are set by default. Description
Check Enable box to activate the embedded FTP Server function.
With the FTP Server enabled, you can retrieve or delete the stored log files via FTP connection. Note: The embedded FTP Server is only for log downloading, so no any write permission is implemented for user file upload to the storage. Specify a port number for FTP connection. The gateway will listen for incoming FTP connections on the specified port. Specify the maximum timeout interval for the FTP connection. Supported range is 60 to 7200 seconds. Specify the maximum number of clients from the same IP address for the FTP connection. Up to 5 clients from the same IP address is supported. Specify the maximum number of clients for the FTP connection. Up to 32 clients is supported. 412
In‐Vehicle Hotspot Gateway
PASV Mode Port Range of PASV Mode Auto Report External IP in PASV Mode ASCII Transfer Mode FTPS (FTP over SSL/TLS) Index skipping is used to reserve slots for new function insertion, when required. Check the Enable box to activate the support of PASV mode for a FTP Optional setting connection from FTP clients. Port 50000 ~ 50031 is Specify the port range to allocate for PASV style data connection.
set by default. Check the Enable box to activate the support of overriding the IP address Optional setting advertising in response to the PASV command. Optional setting Optional setting Check the Enable box to activate the support of ASCII mode data transfers.
Binary mode is supported by default. Check the Enable box to activate the support of secure connections via SSL/TLS. Enable SFTP Server Configuration Item Value setting SFTP SFTP Port The box is unchecked by default. Default 22
Description Check Enable box to activate the embedded SFTP Server function.
With the SFTP Server enabled, you can retrieve or delete the stored log files via secure SFTP connection. Specify a port number for SFTP connection. The gateway will listen for incoming SFTP connections on the specified port. 413
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. b.5.3 User Account This section allows user to setup user accounts for logging to the embedded FTP and SFTP server to retrieve the interested fog files. Go to Administration > FTP > User Account tab. Create/Edit FTP User Accounts When Add button is applied, User Account Configuration screen will appear.
Configuration Item Value setting User Name Password Directory Permission String : non‐blank string String : no blank N/A Read/Write is selected by default. Enable The box is checked by default. Description Enter the user account for login to the FTP server. Enter the user password for login to the FTP server. Select a root directory after user login. Select the Read/write permission. Note: The embedded FTP Server is only for log downloading, so no any write permission is implemented for user file upload to the storage, even Read/Write option is selected. Check the box to activate the FTP user account. 414
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. b.7 Diagnostic This gateway supports simple network diagnosis tools for the administrator to troubleshoot and find the root cause of the abnormal behavior or traffics passing through the gateway. There can be a Packet Analyzer to help record the packets for a designated interface or specific source/destination host, and another Ping and Tracert tools for testing the network connectivity issues. b.7.1 Packet Analyzer The Packet Analyzer can capture packets depend on user settings. User can specify interfaces to capture packets and filter by setting rule. Ensure the log storage is available (either embedded SD‐Card or external USB Storage), otherwise Packet Analyzer can not be enabled. Go to Administration > Diagnostic > Packet Analyzer tab. Configuration Item Packet Analyzer File Name Split Files Value setting The box is unchecked by default. 1. An optional setting 2. Blank is set by default, and the default file name is <Interface>_<Date>_<index>.
1. An optional setting 2. The default value of File Size is 200 KB. 3. NOTE that File Size can not be less than 4 KB Description Check Enable box to activate the Packet Analyzer function.
If you can not enable the checkbox, please check if the storage is available or not. Plug in the USB storage and then enable the Package Analyzer function. Enter the file name to save the captured packets in log storage.
If Split Files option is also enabled, the file name will be appended with an index code “_<index>”. The extension file name is .pcap. Check enable box to split file whenever log file reaching the specified limit. If the Split Files option is enabled, you can further specify the File Size and Unit for the split files. 415
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Packet Interfaces An optional setting Save N/A Undo N/A Define the interface(s) that Packet Analyzer should work on.
At least, one interface is required, but multiple selections are also accepted. The supported interfaces can be: 
WAN: When the WAN is enabled at Physical Interface, it can be selected here. 
ASY: This means the serial communication interface. It is used to capture packets appearing in the Field Communication. Therefore, it can only be selected when specific field communication protocol, like Modbus, is enabled. 
VAP: This means the virtual AP. When WiFi and VAP are enabled, it can be selected here. Click the Save button to save the configuration. Click the Undo button to restore what you just configured back to the previous setting. Once you enabled the Packet Analyzer function on specific Interface(s), you can further specify some filter rules to capture the packets which matched the rules. 416
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Capture Fitters Item Value setting Filter Source MACs Optional setting Optional setting Source IPs Optional setting Source Ports Optional setting Destination MACs Optional setting Destination IPs Optional setting Destination Ports Optional setting Description Check Enable box to activate the Capture Filter function. Define the filter rule with Source MACs, which means the source MAC address of packets. Packets which match the rule will be captured. Up to 10 MACs are supported, but they must be separated with “;”, e.g. AA:BB:CC:DD:EE:FF; 11:22:33:44:55:66 The packets will be captured when match any one MAC in the rule. Define the filter rule with Source IPs, which means the source IP address of packets. Packets which match the rule will be captured. Up to 10 IPs are supported, but they must be separated with “;”, e.g. 192.168.1.1; 192.168.1.2 The packets will be captured when match any one IP in the rule. Define the filter rule with Source Ports, which means the source port of packets. Packets which match the rule will be captured. Up to 10 IPs are supported, but they must be separated with “;”, e.g. 80; 53 The packets will be captured when match any port in the rule. Define the filter rule with Destination MACs, which means the destination MAC address of packets. Packets which match the rule will be captured. Up to 10 MACs are supported, but they must be separated with “;”, e.g. AA:BB:CC:DD:EE:FF; 11:22:33:44:55:66 The packets will be captured when match any one MAC in the rule. Define the filter rule with Destination IPs, which means the destination IP address of packets. Packets which match the rule will be captured. Up to 10 IPs are supported, but they must be separated with “;”, e.g. 192.168.1.1; 192.168.1.2 The packets will be captured when match any one IP in the rule. Define the filter rule with Destination Ports, which means the destination
port of packets. Packets which match the rule will be captured. Up to 10 IPs are supported, but they must be separated with “;”, e.g. 80; 53 The packets will be captured when match any port in the rule. 417
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. b.7.3 Diagnostic Tools The Diagnostic Tools provide some frequently used network connectivity diagnostic tools (approaches) for the network administrator to check the device connectivity. Go to Administration > Diagnostic > Diagnostic Tools tab. Diagnostic Tools Item Value setting Ping Test Optional Setting Tracert Test Optional setting Wake on LAN Optional setting Save N/A Description
This allows you to specify an IP / FQDN and the test interface, so system will try to ping the specified device to test whether it is alive after clicking on the Ping button. A test result window will appear beneath it.
Trace route (tracert) command is a network diagnostic tool for displaying the route (path) and measuring transit delays of packets across an IP network. Trace route proceeds until all (three) sent packets are lost for more than twice, then the connection is lost and the route cannot be evaluated. First, you need to specify an IP / FQDN, the test interface and the protocol (UDP or ICMP), and by default, it is UDP. Then, system will try to trace the specified host to test whether it is alive after clicking on the Tracert button. A test result window will appear beneath it. Wake on LAN (WOL) is an Ethernet networking standard that allows a computer to be turned on or awakened by a network message. You can specify the MAC address of the computer, in your LAN network, to be remotely turned on by clicking on the Wake up command button. Click the Save button to save the configuration. 418
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Chapter d Service d.1 Cellular Toolkit In Cellular Toolkit Service section, the device supports Data Usage, SMS, SIM PIN, USSD, and Network Scan. You can setup these aspects of cellular applications by using embedded 3G/LTE module in the device. d.1.1 Data Usage Most mobile phone users have no unlimited data plan so the telecom charges may exceed the bill upper limit. Data Usage feature can monitor the network traffic and show a simple chart so that users can easily control the condition. Go to System > System Related > Data Usage tab. Create / Edit 3G/4G Data Usage Profile 419
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. When Add button is applied, 3G/4G Data Usage Profile Configuration screen will appear. You can create up to four data usage profiles, one profile for each SIM card used in the Gateway. 3G/4G Data Usage Profile Configuration Item Setting Value setting Description SIM Select Carrier Name Cycle Period Start Date Data Limitation Connection Restrict Enable 3G/4G‐1 and SIM A by default. It is an optional item. Days by default Choose a cellular interface (3G/4G‐1 or 3G/4G‐2), and a SIM card bound to the selected cellular interface to configure its data usage profile. Fill in the Carrier Name for the selected SIM card for identification.
The first box has three types for cycle period. They are Days, Weekly and Monthly. Days: For per Days cycle periods, you have to further specify the number of days in the second box. Its range is from 1 to 90 days. Weekly, Monthly: The cycle period is one week or one month. N/A Specify the date to start measure network traffic. Please don’t select the day before now, otherwise, the traffic statistics will be incorrect. N/A Specify the allowable data limitation for the defined cycle period.
Un‐Checked by default. Check the Enable box to activate the connection restriction function.
During the specified cycle period, if the actual data usage exceeds the allowable data limitation, the cellular connection will be forced to disconnect. Un‐Checked by default. Check the Enable box to activate the data usage profile. 420
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. d.1.3 SMS Short Message Service (SMS) is a text messaging service component of phone, Web, or mobile communication systems. It uses standardized communications protocols to allow fixed line or mobile phone devices to exchange short text messages. 11 SMS as used on modern handsets originated from radio telegraphy in radio memo pagers using standardized phone protocols. These were defined in 1985 as part of the Global System for Mobile Communications (GSM) series of standards as a means of sending messages of up to 160 characters to and from GSM mobile handsets. Though most SMS messages are mobile‐to‐mobile text messages, support for the service has expanded to include other mobile technologies, such as ANSI CDMA networks and Digital AMPS, as well as satellite and landline networks.11 The SMS function allows user to send SMS, read and delete SMS from SIM Card.
Go to Service > Cellular Toolkit > SMS tab Setup SMS Configuration Configuration Item Value setting Physical Interface SMS SIM Status SMS Storage Save The box is 3G/4G‐1 by default The box is checked by default N/A The box is SIM Card Only by default N/A Description
Choose a cellular interface (3G/4G‐1 or 3G/4G‐2) for the following SMS function configuration. This is the SMS switch. If the box checked that the SMS function enable, if the box unchecked that the SMS function disable. Depend on currently SIM status. The possible value will be SIM_A or SIM_B. This is the SMS storage location. Currently the option only SIM Card Only. Click Save to save the settings 11 http://en.wikipedia.org/wiki/Short_Message_Service.
421
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. SMS Summary Show Unread SMS, Received SMS, Remaining SMS, and edit SMS context to send, read SMS from SIM card. SMS Summary Item Value setting Unread SMS N/A Received SMS N/A Remaining SMS N/A New SMS N/A SMS Inbox N/A Description If SIM card insert to router first time, unread SMS value is zero. When received the new SMS but didn’t read, this value plus one. This value record the existing SMS numbers from SIM card, When received the new SMS, this value plus one. This value is SMS capacity minus received SMS, When received the new SMS, this value minus one. Click New SMS button, a New SMS screen appears. User can set the SMS setting from this screen. Refer to New SMS in the next page. Click SMS Inbox button, a SMS Inbox List screen appears. User can read or delete SMS, reply SMS or forward SMS from this screen. Refer to SMS Inbox List in the next page. New SMS You can set the SMS setting from this screen. 422
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. New SMS Item Value setting Receivers N/A Text Message N/A Result N/A Send N/A Description
Write the receivers to send SMS. User need to add the semicolon and compose multiple receivers that can group send SMS. Write the SMS context to send SMS. The router supports up to a maximum of 1023 character for SMS context length. If send SMS OK, result will show Send OK, otherwise Send Failed will be displayed. Click Send button, SMS will send. SMS Inbox List You can read or delete SMS, reply SMS or forward SMS from this screen. SMS Inbox List Item Value setting ID From Phone Number Timestamp SMS Text Preview Description
N/A The number or SMS. N/A What the phone number from SMS N/A What time receive SMS N/A Preview the SMS text. Click the Detail button to read a certain message. Action The box is unchecked by default Refresh Delete Close N/A N/A N/A Click the Detail button to read the SMS detail; Click the Reply / Forward button to reply/forward SMS. Besides, you can check the box(es), and then click the Delete button to delete the checked SMS(s). Refresh the SMS Inbox List. Delete the SMS for all checked box from Action. Close the Detail SMS Message screen. 423
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. d.1.5 SIM PIN Sometimes we will activate a password on mobile phones to prevent other people accessing our phones when phones get lost or stolen. Generally speaking, this password setting can be applied on end devices (e.g. mobile phone) or SIM card. The later one is what we are going to focus at this section. With most cases in the world, users need to insert a SIM card (a.k.a. UICC) into end devices to get on cellular network for voice service or data surfing. The SIM card is usually released by mobile operators or service providers. Each SIM card has a unique number (so‐called ICCID) for network owners or service providers to identify each subscriber. As SIM card plays an important role between service providers and subscribers, some security mechanisms are required on SIM card to prevent any unauthorized access. Imagining you are not aware that your SIM card was lost, but somehow you got an unexpected bill from subscribed Telecom the next month that included fees for hundreds of international calls. Fortunately, a simple way is available to prevent this disaster happened. Just needs to activate a PIN (Personal Identification Number) code on SIM card! If PIN code is activated on a SIM card, you can always see the similar message (as the snapshot below) when devices are powered on. It means you have to enter the correct PIN code to unlock SIM card. Otherwise, there is no way to use cellular‐related functions, such as GSM voice service, SMS text, 3G or LTE Internet surfing …etc. Following steps show typical procedures for unlocking a SIM card on mobile phone. 424
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. [Step 1] [Step 2] [Step 3] Step 1: Pres “Unlock” button to unlock a SIM card. Step 2: Enter the correct PIN code, and then press “OK”. Please note an important message “3 attempts remaining” on top of screen. The maximum times of failure trial are 3. If you enter incorrect PIN code for three times, this SIM card will be locked and you can’t try your PIN code anymore. In this situation, you need to request a PUK (PIN unlock Key) code from your service provider to reset PIN code on SIM card. Step 3: If the PIN code is correct, you can see a successful message on screen. Then mobile phone will start to connect to cellular tower nearby and start to provide cellular‐related services. After understanding the potential risk and purpose of SIM lock, you should know how important and easy to finish this job. Speaking of the purchased cellular gateway, similar to mobile phones, users also need to insert SIM cards into gateway’s SIM slot to get cellular‐related functions. Although there is always a metal SIM cover with screws fastened to protect SIM cards from being taken away, it still strongly recommended activating PIN code on SIM card. Especially most of M2M‐IoT gateways are installed at remote sites, and usually there is no dedicated guard to take care of these devices. How to activate and manage PIN code on a SIM card through gateway’s web GUI? It is as easy as what you have done on a mobile phone. Let’s check it out. 425
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. SIM PIN Setting With the SIM PIN Function window, it allows you to enable or disable SIM lock (which means protected by PIN code), or change PIN code. You can also see the information of remaining times of failure trials as we mentioned earlier. If you run out of these failure trials, you need to get a PUK code to unlock SIM card. Go to Applications > Mobile Application > SIM PIN Tab Select a SIM Card Configuration Window Item Value setting Physical Interface The box is 3G/4G‐1 by default SIM Status N/A SIM Selection N/A Description Choose a cellular interface (3G/4G‐1 or 3G/4G‐2) to change the SIM PIN setting for the selected SIM Card. The number of physical modems depends on the gateway model you purchased. Indication for the selected SIM card and the SIM card status. The status could be Ready, Not Insert, or SIM PIN.
Ready -- SIM card is inserted and ready to use. It can be a SIM card
without PIN protection or that SIM card is already unlocked by correct PIN
code.
Not Insert -- No SIM card is inserted in that SIM slot.
SIM PIN -- SIM card is protected by PIN code, and it’s not unlocked by a
correct PIN code yet. That SIM card is still at locked status.
Select the SIM card for further SIM PIN configuration. Press the Switch button, then the Gateway will switch SIM card to another one. After that, you can configure the SIM card. 426
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Enable / Change PIN Code Enable or Disable PIN code (password) function, and even change PIN code function.
SIM function Window Item Setting Value setting SIM lock Depend on SIM card Remaining times Depend on SIM card Save NA Change PIN NA Code Description Click the Enable button to activate the SIM lock function. For the first time you want to enable the SIM lock function, you have to fill in the PIN code as well, and then click Save button to apply the setting.
Represent the remaining trial times for the SIM PIN unlocking. Click the Save button to apply the setting.
Click the Change PIN code button to change the PIN code (password).
If the SIM Lock function is not enabled, the Change PIN code button is disabled. In the case, if you still want to change the PIN code, you have to enable the SIM Lock function first, fill in the PIN code, and then click the Save button to enable. After that, You can click the Change PIN code button to change the PIN code. When Change PIN Code button is clicked, the following screen will appear. Item
Setting
Current PIN Code New PIN Code Verified New PIN Code Apply Cancel Value setting
Description
A Must filled setting Fill in the current (old) PIN code of the SIM card.
A Must filled setting A Must filled setting Fill in the new PIN Code you want to change.
Confirm the new PIN Code again.
N/A N/A Click the Apply button to change the PIN code with specified new PIN code.
Click the Cancel button to cancel the changes and keep current PIN code.
427
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Note: If you changed the PIN code for a certain SIM card, you must also change the corresponding PIN code specified in the Basic Network > WAN & Uplink > Internet Setup > Connection with SIM Card page. Otherwise, it may result in wrong SIM PIN trials with invalid (old) PIN code. Unlock with a PUK Code The PUK Function window is only available for configuration if that SIM card is locked by PUK code. It means that SIM card is locked and needs additional PUK code to unlock. Usually it happens after too many trials of incorrect PIN code, and the remaining times in SIM Function table turns to 0. In this situation, you need to contact your service provider and request a PUK code for your SIM card, and try to unlock the locked SIM card with the provided PUK code. After unlocking a SIM card by PUK code successfully, the SIM lock function will be activated automatically. PUK Function Window Item Value setting PUK status PUK Unlock / PUK Lock Remaining times Depend on SIM card PUK Code A Must filled setting New PIN Code A Must filled setting Save N/A Description Indication for the PUK status.
The status could be PUK Lock or PUK Unlock. As mentioned earlier, the SIM card will be locked by PUK code after too many trials of failure PIN code. In this case, the PUK Status will turns to PUK Lock. In a normal situation, it will display PUK Unlock. Represent the remaining trial times for the PUK unlocking. Note : DO NOT make the remaining times down to zero, it will damage the SIM card FOREVER ! Call for your ISP’s help to get a correct PUK and unlock the SIM if you don’t have the PUK code. Fill in the PUK code (8 digits) that can unlock the SIM card in PUK unlock status. Fill in the New PIN Code (4~8 digits) for the SIM card. You have to determine your new PIN code to replace the old, forgotten one. Keep the PIN code (password) in mind with care. Click the Save button to apply the setting.
Note: If you changed the PUK code and PIN code for a certain SIM card, you must also change the corresponding PIN code specified in the Basic Network > WAN & Uplink > Internet Setup > Connection with SIM Card page. Otherwise, it may result in wrong SIM PIN trials with invalid (old) PIN code. 428
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 
Scenario of activating PIN code on SIM card An operation owner would like to enable SIM lock function with a default PIN code “0000” on a new SIM card. This SIM card was inserted in SIM‐A slot for 3G/4G‐1 WAN connection. Configuration: Configuration Path Physical Interface SIM Status SIM Selection [Cellular Toolkit]‐[SIM PIN]‐[Configuration]
3G/4G‐1 Ready SIM‐A SIM Function Configuration Path SIM Lock Remaining Times [Cellular Toolkit]‐[SIM PIN]‐[SIM Function]
Enable, PIN Code: 0000
[Display Remaining Times]

Scenario of changing PIN code on SIM card An operation owner would like to change PIN code from default “0000” to “1234” on a SIM card. This SIM card was inserted in SIM‐A slot for 3G/4G‐1 WAN connection. Configuration: Configuration Path Physical Interface SIM Status SIM Selection [Cellular Toolkit]‐[SIM PIN]‐[Configuration]
3G/4G‐1 SIM PIN SIM‐A SIM Function Configuration Path Current PIN Code New PIN Code Verified New PIN Code [Cellular Toolkit]‐[SIM PIN]‐[SIM Function]‐[Change PIN Code] 0000 1234 1234 
Scenario of unlocking SIM card by PUK code An operation owner entered incorrect PIN code at configuration page for 3G/4G‐1 WAN, and then it caused that SIM card was locked by PUK code. He called service number, and he was informed the PUK code for his SIM card is “12345678”. Then he tried to unlock that SIM card with that PUK code, 429
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. and set a new PIN code “5678”. Configuration: Configuration Path Physical Interface SIM Status SIM Selection [Cellular Toolkit]‐[SIM PIN]‐[Configuration]
3G/4G‐1 SIM PIN SIM‐A PUK Function [Service]‐[SIM PIN]‐[PUK Function]
Configuration Path PUK Status Remaining Times PUK Code New PIN Code PUK Lock [Display Remaining Times]
12345678 5678 430
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. d.1.7 USSD Unstructured Supplementary Service Data (USSD) is a protocol used by GSM cellular telephones to communicate with the service provider's computers. USSD can be used for WAP browsing, prepaid callback service, mobile‐money services, location‐based content services, menu‐based information services, and as part of configuring the phone on the network. 12 An USSD message is up to 182 alphanumeric characters in length. Unlike Short Message Service (SMS) messages, USSD messages create a real‐time connection during an USSD session. The connection remains open, allowing a two‐way exchange of a sequence of data. This makes USSD more responsive than services that use SMS.13 In "USSD" page, there are four windows for the USSD function. The "Configuration" window can let you specify which 3G/4G module (physical interface) is used for the USSD function, and system will show which SIM card in the module is the current used one. The second window is the "USSD Profile List" and it shows all your defined USSD profiles that store pre‐commands for activating an USSD session. An "Add" button in the window can let you add one new USSD profile and define the command for the profile in the third window, the "USSD Profile Configuration". When you want to start 12 http://en.wikipedia.org/wiki/Unstructured_Supplementary_Service_Data
431
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. the activation of an USSD connection session to the USSD server, select the USSD profile or type in the correct pre‐command, and then click on the "Send" button for the session. The responses from the USSD server will be displayed beneath the "USSD Command" line. When commands typed in the "USSD Command" field are sent, received responses will be displayed in the "USSD Response" blank space. User can communicate with the USSD server by sending USSD commands and getting USSD responses via the gateway. An USSD Session Scenario Scenario Application Timing When the administrator wants to uses the Voice Gateway to ask for some ISP's services through an USSD session, the scenario is adequate for the application. Following example is the roaming subscription for Hinet service in Taiwan. Scenario Description An USSD session can be established from the voice Vo3G Gateway to ask for services that are provided by ISP. Parameter Setup Example Following tables list the parameter configuration as an example for "USSD" function, as shown in above diagram. Use default value for those parameters that are not mentioned in the tables. 432
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. [USSD]‐[Configuration]
Configuration Path Physical Interface 3G/4G‐1 SIM Status: SIM_A
Configuration Path Profile Name USSD Command Comments [USSD]‐[USSD Profile Configuration]
Configuration Path Profile Name USSD Command USSD Response [USSD]‐[USSD Request]
roaming setting
*135#
Roaming function
roaming setting
*135#
Scenario Operation Procedure In above diagram, the "Vo3G Gateway" is the initiator of an USSD session requesting for data roaming services in ChungHwa mobile operator. First, administrator selects one 3G/4G module as the physical interface of the USSD session. And then, he defines an USSD profile named as "roaming setting" with command "*135#" for further use. In the "USSD Request" window, from the USSD Profile dropdown box select the "roaming setting" profile and the "USSD Command" field shows "*135#". Click on the "Send" button to send out the USSD request via the gateway, and the received response will appear at "USSD Response" line. As you type in more commands in the "USSD Command" line, you will get more responses from the USSD server. It is an interactive communication session for the administrator to request for available services from ISP via USSD sessions. 433
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. USSD Setting The USSD function allow user to send USSD to ISP, then ISP will provide some service for user. Go to Service > Cellular Toolkit > USSD tab. USSD Configuration Configuration Item Value setting Physical Interface The box is 3G/4G‐1 by default. SIM Status N/A Description
Choose a cellular interface (3G/4G‐1 or 3G/4G‐2) to configure the USSD setting for the connoted cellular service (identified with SIM_A or SIM_B). Show the connoted cellular service (identified with SIM_A or SIM_B). Create / Edit USSD Profile The cellular gateway allows you to custom your USSD profile. It supports up to a maximum of 35 USSD profiles. When Add button is applied, USSD Profile List Configuration screen will appear. 434
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. USSD Profile List Item Value setting Profile Name N/A USSD Command N/A Comments N/A Description
Enter a name for the USSD profile. Enter the USSD command defined for the profile. Normally, it is a command string composed with numeric keypad “0~9”, “*”, and “#”. The USSD commands are highly related to the cellular service, please check with your service provider for the details. Enter a brief comment for the profile. Send USSD Request When send the USSD command, the USSD Response screen will appear. When click the Clear button, the USSD Response will disappear. USSD Request Item Value setting USSD Profile USSD Command Description
N/A Select a USSD profile name from the dropdown list. N/A The USSD Command string of the selected profile will be shown here. Click the Send button to send the USSD command, and the USSD Response screen will appear. You will see the response message of the corresponding service, receive the service SMS. USSD Response N/A 435
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. d.1.9 Network Scan "Network Scan" function can let administrator specify the device how to connect to the mobile system for data communication in each 3G/4G interface. For example, administrator can specify which generation of mobile system is used for connection, 2G, 3G or LTE. Moreover, he can define their connection sequence for the gateway device to connect to the mobile system automatically. Administrator also can scan the mobile systems in the air manually, select the target operator system and apply it. The manual scanning approach is used for problem diagnosis; however, the gateway system will scan the mobile system automatically during normal operation. Go to Service > Cellular Toolkit > Network Scan tab. Network Scan Configuration In "Network Scan" page, there are two windows for the Network Scan function. The "Configuration" window can let you select which 3G/4G module (physical interface) is used to perform Network Scan, and system will show the current used SIM card in the module. You can configure each 3G/4G WAN interface by executing the network scanning one after another. You can also specify the connection sequence of the targeted generation of mobile system, 2G/3G/LTE. The second window is 436
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. the "Network Provider List" window and it appears when the Manually Scan Approach is selected in the Configuration window. By clicking on the "Scan" button and wait for 1 to 3 minutes, the found mobile operator system will be displayed for you to choose. Click again on the "Apply" button to drive system to connect to that mobile operator system for the dedicated 3G/4G interface. Configuration Item Value setting Physical Interface SIM Status The box is 3G/4G‐1 by default N/A Network Type Auto is selected by default. Band Selection Auto is selected by default. Band List All box is checked by default. Scan Approach Auto is selected by default. Save N/A Description
Choose a cellular interface (3G/4G‐1 or 3G/4G‐2) for the network scan function. Show the connoted cellular service (identified with SIM_A or SIM_B). When Auto selected, the network will be register automatically. If the prefer option selected, network will be register for your option first. If the only option selected, network will be register for your option only. When Auto selected, Band List all box checked, and user can’t select any option. If the Manual option is selected, you can change the Band List setting. The Band List’s options depend on the embedded cellular module, and user need to select option at least one for all network type. When Auto selected, cellular module register automatically. If the Manually option is selected, a Network Provider List screen appears. Press Scan button to scan for the nearest base stations. Select (check the box) the preferred base stations then click Apply button to apply settings. Click Save to save the settings 437
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. d.3 Event Handling Event handling is the application that allows administrator to setup the pre‐defined events, handlers, or response behavior with individual profiles. With properly configuring the event management function, administrator can easily and remotely obtain the status and information via the purchased gateway. Moreover, he can also handle and manage some important system related functions, even to the field bus devices and D/O devices which are already well connected to. The supported events are categorized into two groups: the managing events and notifying events. The managing events are the events that are used to manage the gateway or change the setting / status of the specific functionality of the gateway. On receiving the managing event, the gateway will take action to change the functionality, collect the required status for administration, and also change the status of a certain connected field bus device simultaneously. The notifying events are the events that some related objects have been triggered and take corresponding actions on the occurrence of the events. It could be an event generated from the connected sensor, or a certain connected field bus device for alerting the administrator something happened with SMS message, Email, and SNMP Trap, etc.. For ease of configuration, administrator can create and edit the common pre‐defined managing / notifying event profiles for taking instant reaction on a certain event or managing the devices for some 438
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. advanced useful purposes. For example, sending/receiving remote managing SMS for the gateway’s routine maintaining, the field bus device status monitoring, digital sensors detection controlling, and so on. All of such management and notification function can be realized effectively via the Event Handling feature. The following is the summary lists for the provided profiles, and events:  Profiles (Rules): • SMS Configuration and Accounts • Email Accounts • Digital Input (DI) profiles • Digital Output (DO) profiles • Modbus Managing Event profiles • Modbus Notifying Event profiles  Managing Events: • Trigger Type: SMS, SNMP Trap, and Digital Input (DI). • Actions: Get the Network Status; or Configure the LAN/VLAN behavior, WIFI behavior, NAT behavior, Firewall behavior, VPN behavior, System Management, Administration, Digital Output behavior, and connected Modbus devices.  Notifying Events: • Trigger Type: Digital Input, Power Change, Connection Change (WAN, LAN & VLAN, WiFi, DDNS), Administration, Modbus, and Data Usage. • Actions: Notify the administrator with SMS, Syslog, SNMP Trap or Email Alert; Change the status of connected Digital Output or Modbus devices. To use the event handling function, First of all, you have to enable the event management setting and configure the event details with the provided profile settings. You can create or edit pre‐defined profiles for individual managing / notifying events. The profile settings are separated into several items, they are the SMS Account Definition, Email Service Definition, Digital Input (DI) Profile Configuration, Digital Output (DO) Profile Configuration, and Modbus Definition. Then, you have to configure each managing / notifying event with identifying the event’s trigger condition, and the corresponding actions (reaction for the event) for the event. For each event, more than one actions can be activated simultaneously. 439
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. d.3.1 Configuration Event handling is the service that allows administrator to setup the pre‐defined events, handlers, or response behavior with individual profiles. Go to Service > Event Handling > Configuration Tab. Enable Event Management Configuration Item Value setting Event Management The box is unchecked by default Description Check the Enable box to activate the Event Management function.
Enable SMS Management To use the SMS management function, you have to configure some important settings first. SMS Configuration Item Value setting Description Message Prefix The box is unchecked by default Click the Enable box to enable the SMS prefix for validating the received SMS. Once the function is enabled, you have to enter the prefix behind the checkbox. The received managing events SMS must have the designated prefix as an initial identifier, then corresponding handlers will become effective for further processing. Physical Interface The box is 3G/4G‐1 by Choose a cellular interface (3G/4G‐1 or 3G/4G‐2) to configure the SMS default. management setting. 440
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. SIM Status N/A Show the connoted cellular service (identified with SIM_A or SIM_B). Delete Managed The box is unchecked SMS after by default Processing Check the Enable box to delete the received managing event SMS after it has been processed. Create / Edit SMS Account Setup the SMS Account for managing the gateway through the SMS. It supports up to a maximum of 5 accounts. You can click the Add / Edit button to configure the SMS account. SMS Account Configuration Item Phone Number Phone Description Application Enable Save Value setting 1. Mobile phone number format 2. A Must filled setting 1. Any text 2. An Optional setting A Must filled setting The box is unchecked by default. NA Description
Specify a mobile phone number as the SMS account identifier. Specify a brief description for the SMS account. Specify the application type. It could be Event Trigger, Notify Handle, or
both. Click Enable box to activate this account.
Click the Save button to save the configuration. 441
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Create / Edit Email Service Account Setup the Email Service Account for event notification. It supports up to a maximum of 5 accounts. You can click the Add / Edit button to configure the Email account. Email Service Configuration Item Value setting Email Server ‐‐‐ Option ‐‐‐ Email Addresses 1. Internet E‐mail address format 2. A Must filled setting The box is unchecked by default. NA Enable Save Description Select an Email Server profile from External Server setting for the email account setting. Specify the Destination Email Addresses.
Click Enable box to activate this account.
Click the Save button to save the configuration 442
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Create/Edit Digital Input (DI) Profile Rule (DI/DO support required) Setup the Digital Input (DI) Profile rules. It supports up to a maximum of 10 profiles. When Add button is applied, the Digital Input (DI) Profile Configuration screen will appear. Digital Input (DI) Profile Configuration Item Value setting Description
DI Profile Name Description DI Source Normal Level Signal Active Time Profile Save 1. String format 2. A Must filled setting 1. Any text 2. An Optional setting ID1 by default
Low by default
1. Numberic String format 2. A Must filled setting The box is unchecked by default. NA Specify the DI Profile Name.
Specify a brief description for the profile.
Specify the DI Source. It could be ID1 or ID2.
The number of available DI source could be different for the purchased product. Specify the Normal Level. It could be Low or High. Specify the Signal Active Time. It could be from 1 to 10 seconds.
Click Enable box to activate this profile setting. Click the Save button to save the configuration. 443
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Create/Edit Digital Output (DI) Profile Rule (DI/DO support required) Setup the Digital Output (DO) Profile rules. It supports up to a maximum of 10 profiles. When Add button is applied, the Digital Output (DO) Profile Configuration screen will appear. Digital Output (DO) Profile Configuration Item Value setting Description DO Profile Name Description DO Source Normal Level Total Signal Period Repeat & Counter Duty Cycle Profile Save 1. String format 2. A Must filled setting 1. Any text 2. An Optional setting ID1 by default
Low by default
1. Numberic String format 2. A Must filled setting The box is unchecked by default. 1. Numberic String format 2. A Must filled setting The box is unchecked by default. NA Specify the DO Profile Name.
Specify a brief description for the profile.
Specify the DO Source. It could be ID1.
Specify the Normal Level. It could be Low or High. Specify the Total Signal Period. It could be from 10 to 10000 milliseconds.
Check the Enable box to activate the repeated Digital Output, and specify the Repeat times. The Repeat Counter could be from 0 to 9999. Specify the Duty Cycle for the Digital Output. It could be from 1 to 100 %.
Click Enable box to activate this profile setting. Click the Save button to save the configuration. 444
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Create/Edit Modbus Notifying Events Profile (Modbus support required) Setup the Modbus Notifying Events Profile. It supports up to a maximum of 10 profiles. You can click the Add / Edit button to configure the profile. Modbus Notifying Events Profile Item Value setting Description
Modbus Name Description 1. String format 2. A Must filled setting 1. Any text 2. An Optional setting Read Holding Registers by default Serial by default Specify the Modbus profile name.
Read Function Modbus Specify a brief description for the profile.
Specify the Read Function for Notifying Events. Specify the Modbus Mode. It could be Serial or TCP. 445
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Mode IP Port Device ID Register Logic Comparator Value Enable Save Undo 1. NA for Serial on Modbus Mode. 2. A Must filled setting for TCP on Modbus Mode. 1. NA for Serial on Modbus Mode. 2. A Must filled setting for TCP on Modbus Mode. 1. Numberic String format 2. A Must filled setting 1. Numberic String format 2. A Must filled setting Logic Comparator ‘>’ by default. 1. Numberic String format 2. A Must filled setting The box is unchecked by default. NA NA Specify the IP for TCP on Modbus Mode. IPv4 Format. Specify the Port for TCP on Modbus Mode. It could be from 1 to 65535.
Specify the Device ID of the modbus device. It could be from 1 to 247.
Specify the Register number of the modbus device. It could be from 0 to 65535. Specify the Logic Comparator for Notifying Events. It could be ‘>’, ‘<’, ‘=’, ‘>=’, or ‘<=’. Specify the Value. It could be from 0 to 65535. Click Enable box to activate this profile setting. Click the Save button to save the configuration Click the Undo button to restore what you just configured back to the previous setting. 446
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Create/Edit Modbus Managing Events Profile (Modbus support required) Setup the Modbus Managing Events Profile. It supports up to a maximum of 10 profiles. You can click the Add / Edit button to configure the profile. Modbus Managing Events Profile Item Value setting Description Modbus Name Description 1. String format 2. A Must filled setting 1. Any text 2. An Optional setting Write Single Registers by default Serial by default Specify the Modbus profile name.
Write Function Modbus Mode IP 1. NA for Serial on Specify a brief description for the profile.
Specify the Write Function for Managing Events. Specify the Modbus Mode. It could be Serial or TCP. Specify the IP for TCP on Modbus Mode. IPv4 Format. 447
In‐Vehicle Hotspot Gateway
Port Device ID Register Value Enable Save Undo Index skipping is used to reserve slots for new function insertion, when required. Modbus Mode.
2. A Must filled setting for TCP on Modbus Mode. 1. NA for Serial on Specify the Port for TCP on Modbus Mode. It could be from 1 to 65535.
Modbus Mode. 2. A Must filled setting for TCP on Modbus Mode. 1. Numberic String format Specify the Device ID of the modbus device. It could be from 1 to 247.
2. A Must filled setting 1. Numberic String format Specify the Register number of the modbus device. It could be from 0 to 2. A Must filled setting 65535. 1. Numberic String format Specify the Value. It could be from 0 to 65535. 2. A Must filled setting The box is unchecked by Click Enable box to activate this profile setting. default. NA Click the Save button to save the configuration NA Click the Undo button to restore what you just configured back to the previous setting. 448
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. d.3.3 Managing Events Managing Events allow administrator to define the relationship (rule) among event trigger, handlers and response. Go to Service > Event Handling > Managing Events Tab. Enable Managing Events Configuration Item Value setting Managing Events The box is unchecked by default Description Check the Enable box to activate the Managing Events function.
Create/Edit Managing Events Rules Setup the Managing Event rules. It supports up to a maximum of 128 rules. When Add button is applied, the Managing Event Configuration screen will appear. Managing Event Configuration Item Value setting Event SMS (or SNMP Trap) by default Description
Specify the Event type (SMS, SNMP Trap, or DI) and an event identifier / profile. SMS: Select SMS and fill the message in the textbox to as the trigger condition for the event; SNMP: Select SNMP Trap and fill the message in the textbox to specify SNMP Trap Event; Digital Input: Select Digital Input and a DI profile you defined to specify a 449
In‐Vehicle Hotspot Gateway
Description Action Managing Event Save Undo Index skipping is used to reserve slots for new function insertion, when required. certain Digital Input Event;
Note: The available Event Type could be different for the purchased product. String format : any text. Enter a brief description for the Managing Event. All box is unchecked by Specify Network Status, or at least one rest action to take when the default. expected event is triggered. Network Status: Select Network Status Checkbox to get the network status as the action for the event; LAN&VLAN: Select LAN&VLAN Checkbox and the interested sub‐items (Port link On/Off), the gateway will to change the settings as the action for the event; WiFi: Select WiFi Checkbox and the interested sub‐items (WiFi radio On/Off), the gateway will to change the settings as the action for the event; NAT: Select NAT Checkbox and the interested sub‐items (Virtual Server Rule On/Off, DMZ On/Off), the gateway will to change the settings as the action for the event; Firewall: Select Firewall Checkbox and the interested sub‐items (Remote Administrator Host ID On/Off), the gateway will to change the settings as the action for the event; VPN: Select VPN Checkbox and the interested sub‐items (IPSec Tunnel ON/Off, PPTP Client On/Off, L2TP Client On/Off, OpenVPN Client On/Off), the gateway will to change the settings as the action for the event; GRE: Select GRE Checkbox and the interested sub‐items (GRE Tunnel On/Off), the gateway will to change the settings as the action for the event; System Manage: Select System Manage Checkbox and the interested sub‐
items (WAN SSH Service On/Off, TR‐069 On/Off), the gateway will to change the settings as the action for the event; Administration: Select Administration Checkbox and the interested sub‐
items (Backup Configuration, Restore Configuration, Reboot, Save Current Setting as Default), the gateway will to change the settings as the action for the event; Digital Output: Select Digital Output checkbox and a DO profile you defined as the action for the event; Modbus: Select Modbus checkbox and a Modbus Managing Event profile you defined as the action for the event; Note: The available Event Type could be different for the purchased product. The box is unchecked by Click Enable box to activate this Managing Event setting. default. NA Click the Save button to save the configuration NA Click the Undo button to restore what you just configured back to the previous setting. 450
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. d.3.5 Notifying Events Notifying Events Setting allows administrator to define the relationship (rule) between event trigger and handlers. Go to Service > Event Handling > Notifying Events Tab. Enable Notifying Events Notifying Events Item Value setting Description Notifying Events The box is unchecked by default Check the Enable box to activate the Notifying Events function.
Create/Edit Notifying Events Rules Setup your Notifying Event rules. It supports up to a maximum of 128 rules. When Add button is applied, the Notifying Event Configuration screen will appear. Notifying Event Configuration Item Value setting Event Digital Input (or WAN) by default Description Specify the Event type and corresponding event configuration. The supported Event Type could be: Digital Input: Select Digital Input and a DI profile you defined to specify a certain Digital Input Event; 451
In‐Vehicle Hotspot Gateway
Description Action Time Schedule Notifying Events Save Undo Index skipping is used to reserve slots for new function insertion, when required. WAN: Select WAN and a trigger condition to specify a certain WAN Event; LAN&VLAN: Select LAN&VLAN and a trigger condition to specify a certain LAN&VLAN Event; WiFi: Select WiFi and a trigger condition to specify a certain WiFi Event; DDNS: Select DDNS and a trigger condition to specify a certain DDNS Event; Administration: Select Administration and a trigger condition to specify a certain Administration Event; Modbus: Select Modbus and a Modbus Notifying Event profile you defined to specify a certain Modbus Event; Data Usage: Select Data Usage, the SIM Card (Cellular Service) and a trigger condition to specify a certain Data Usage Event; Note: The available Event Type could be different for the purchased product. String format : any text. Enter a brief description for the Notifying Event. All box is unchecked by Specify at least one action to take when the expected event is triggered.
default. Digital Output: Select Digital Output checkbox and a DO profile you defined as the action for the event; SMS: Select SMS, and the gateway will send out a SMS to all the defined SMS accounts as the action for the event; Syslog: Select Syslog and select/unselect the Enable Checkbox to as the action for the event; SNMP Trap: Select SNMP Trap, and the gateway will send out SNMP Trap to the defined SNMP Event Receivers as the action for the event; Email Alert: Select Email Alert, and the gateway will send out an Email to the defined Email accounts as the action for the event; Note: The available Event Type could be different for the purchased product. (0) Always is selected by Select a time scheduling rule for the Notifying Event. default The box is unchecked by Click Enable box to activate this Notifying Event setting. default. NA Click the Save button to save the configuration NA Click the Undo button to restore what you just configured back to the previous setting. 452
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. d.5 Location Tracking Location tracking applications are usually referred to applications that take benefits from Global Navigation Satellite System (GNSS). GNSS is the infrastructure that allows devices to determine its position, velocity, and time by processing satellites signals from outer space. GNSS includes varieties of satellite systems and Satellite‐Based Augmentation Systems (SBAS). SBAS is usually used for improving positioning accuracy. The tables below show 4 major GNSS system in the world, and SBAS system in different areas. Major GNSS System in the world GNSS System GPS GLONASS Galileo BeiDou (COMPASS) Owner USA Russia European Union China
Satellite‐Based Augmentation System (SBAS) SBAS EGNOS WAAS GAGAN MSAS Area Coverage
Europe North America India Japan Position applications are widely‐used by varieties of industrial applications, including Location‐
Based Services (LBS), Automatic Vehicle Location (AVL), Fleet Management, or assets tracking. However, in most case, GNSS is a one‐way communication. That means GNSS‐compatible device can only locate its location by receiving GNSS signal, but it can’t forward its location data to any other identity through GNSS system. According to this limitation by GNSS system, devices usually need to equip other technology to transmit their location data to back‐end server for track or further analysis. Furthermore, as the position applications are more applied on moving objects, a kind of wireless technology would be more suitable to be adopted to transmit location data. Nowadays, thanks to popularity and wide coverage of cellular technology (GSM, 3G, 4G/LTE), transmitting location data to remote center in real time is no longer a hurdle. In addition, the data format of location data is NMEA 0183 compatible, so the back‐end server will be easy to interpret the collected location data. Hereunder are the main features of GNSS function in the VxG In‐Vehicle Gateway. 453
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. ‧ Retrieve GNSS data from satellites and send to remote operation center periodically or save in local storage. ‧ Global positioning with multiple GNSS systems, including GPS, and optional for GLONASS, Galileo, or BeiDou. ‧ Mandatory for varieties of LBS (Location‐Based Service) applications, such as advertisement, emergent call. ‧ Easy integration with AVL (Automatic Vehicle Location) applications, for managing fleet of service vehicles. ‧ Other value‐added applications, such as asset tracking, electronic toll collection, intelligent transport system. d.5.1 GNSS With GNSS configuration page, you can configure those functions that are mentioned above. Please note the available GNSS features on different models may be different. Please check product datasheet for details. The configuration steps include following items. ‧ Activate GNSS feature in gateway and finish settings of cellular WAN. ‧ Support NMEA 0183 (compatible to 3.0) protocol, and allow customized prefix and suffix. ‧ Configurable GPS data logging on local microSD card storage for route record tracking. ‧ Indicate remote host, time interval, TCP/UDP, and type of GPS data that would be sent. 
GPS Message Type This item shows all supported types of NMEA 0183 data format. NMEA 0183 data format was defined and maintained by National Marine Electronics Association (NMEA). Select one or more types that you want to use for transmitting GPS data. In most case, this configuration depends on which data format that your central server can recognize. Only select the type you need, otherwise it will consume unnecessary network bandwidth. The table below shows more information for different types of NMEA 0183 message. 454
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Type Description Example GGA GLL GSA $GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*47 $GPGLL,4916.45,N,12311.12,W,225444,A,*1D
$GPGSA,A,3,04,05,,09,12,,,24,,,,,2.5,1.3,2.1*39
GSV RMC VTG Fix Information Lat/Lon Data Overall Satellite Data Detailed Satellite Data Recommended Minimum Data Vector Track and Speed Over the Ground $GPGSV,2,1,08,01,40,083,46,02,17,308,41,12,07,344,39,14,22,228,45*75 $GPRMC,123519,A,4807.038,N,01131.000,E,022.4,084.4,230394,003.1,W*6A
$GPVTG,054.7,T,034.4,M,005.5,N,010.2,K*48
Please note this option is hardware dependent. The available options of GPS message type show on this page is according to product specification. You may not see all options if your product doesn’t support all of them. 
SBAS SBAS is Satellite‐Based Augmentation Systems that is used to improve accuracy of location data. There are several SBAS systems for different areas in the world. SBAS Area Coverage EGNOS Europe WAAS North America GAGAN India MSAS Japan Please note this option is hardware dependent. You may not see this option if your product doesn’t support it. 
Assisted GPS Assisted GPS (as known as A‐GPS) is used for speeding up location fix, especially when satellite signal is weak. If activating this option, gateway will download almanac data from A‐GPS server through IP network instead of from satellite. You can also choose different valid period of almanac data. The shorter almanac data will get higher accuracy. However, the almanac data with shorter valid period needs to be updated more frequently. It will consume more network bandwidth. Please note this option is hardware dependent. You may not see this option if your product doesn’t support it. 
Data to Storage Besides transmitting location data to remote server, you can also store location data into internal storage (e.g. microSD card) or external storage (e.g. USB drive) if any. Regarding to data format, either can be NMEA 0183 raw data format or save it as GPX file format. The location data will be saved to a new file if the original file size is bigger than the pre‐defined file size. The “Download log file” button allows you to browse all saved log files and download to your personal devices. 455
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 
Scenario of location tracking for fleet management A fleet owner would like to see the locations of his trucks in real time. He also likes to know where his trucks have been passed through with time information. In his operation office, there is a server (IP: 100.100.100.1) which can interpret NMEA RMC data format and shows truck’s location and track on map. This server is listening on TCP port 888 to receive NMEA RMC packet from trucks. IMEI number will be added before NMEA RMC data for identification of each truck. Hereunder is the configuration on each truck. Basic Settings: Configuration Path GNSS GNSS Type GPS Message Types SBAS Assisted GPS Data to Storage [GNSS]‐[Configuration]
Enable GPS RMC Enable Enable, 1 Disable Settings for Remote Host: Configuration Path Host Name Host IP Protocol Type Port Number Interval(s) Prefix Message Suffix Message Enable Checkbox [GNSS]‐[Remote Host Configuration]
Truck‐1 100.100.100.1 TCP 888 15 123456789012345
[blank] [Checked] 456
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. GNSS Setting The GNSS allows user to set the configuration of GNSS, log NMEA data to storage, and send data to remote host. Ensure GNSS is enabled and saved Go to Service > Location Tracking > GNSS Tab. Setup GNSS Configuration GNSS Item GNSS Enable GNSS Type GNSS Message Types Value setting Description
The box is unchecked by default GPS is selected by default Check Enable box to activate GNSS functions. These box is unchecked by default. Select a GNSS Type (GNSS System) that you want to use. Please note this option is hardware dependent. The available options of GNSS type show on this page is according to product specification. You may not see all of these four options if your product doesn’t support all of them. Select one or more GNSS Message Types that you want to use for transmitting or recording GPS data. There are many sentences in the NMEA standard for selecting, GGA, GLL, GSA, GSV, RMC and VTG. ALL Other includes DTM, GNS, GRS, GST, ZDA, and GBS sentences. Only select the type you need, otherwise it will consume unnecessary network bandwidth. 457
In‐Vehicle Hotspot Gateway
SBAS Assisted GPS Index skipping is used to reserve slots for new function insertion, when required. The box is Check Enable box to activate satellite‐based augmentation system unchecked by (SBAS). default Note: Some devices do not support this function. The box is checked Check Enable box to activate Assisted GPS (A‐GPS). by default Select the duration for downloading the Differential Almanac Corrections data from A‐GPS server through IP network. Data to Storage The box is unchecked by default Save NA Note: Some devices may not support this function. 
Enable (The box is unchecked by default) Check Enable box to activate data to storage function. 
Select Device (A Must filled setting) Select Internal or External device to store log data. 
Data Format (A Must filled setting) Select data format (RAW, or GPX) to store. 
Data file name(A Must filled setting) Define file name to store. 
Split Enable Check Enable box to activate file splitting function. 
Split Size& Unit Define file size and unit for log file. 
Download log file Select a log file and Click Download log file to download through Web GUI. If the log format which is specified to download is GPX, we will convert standard GPX format for used. Click the Save button to save the configuration Create/Edit Remote Host The Remote Host allows you to customize your rules for sending NMEA data to specific IP address and Port. The router supports up to a maximum of 10 rule sets. When Add button is applied, Remote Host Configuration screen will appear. 458
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Remote Host Configuration Item Value setting Description Host Name Enter the host name for the designated remote host. Host IP Protocol Type Port Number Interval(s) Prefix Message Suffix Message Enable Save String format: any text A Must filled setting TCP is selected by default A Must filled setting A Must filled setting String format: any text Specify the IP Address of remote host. It will be use as destination IP for sending NMEA packets. Specify the Protocol (TCP or UDP) to use for sending NMEA packets.
Specify a Port Number as destination port for sending NMEA packets.
Specify the time interval (seconds) between two NMEA packets.
Specify optional prefix string with specific information if your backend
server can recognize. For example, you can input the IMEI code of this device here, and then your backend server can recognize this GPS data is sent from this device. You can also leave this field blank. String format: any Specify optional suffix string with specific information if your backend text server can recognize. The box is unchecked Check Enable box to activate this remote host rule. by default NA Click the Save button to save the configuration 459
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. d.5.3 Track Viewer Track Viewer allows user to see the track in Google Map from GPX file recorded by GNSS. In addition, when GNSS is enabled, current position will also be displayed in Track Viewer. Go to Service > Location Tracking > Track Viewer Tab. Setup Google Maps API Key When user uses Track Viewer for the first time, UI will request Google Maps API key from user. Google Maps API key Item Value setting Google Maps API Key An Optional setting. Save N/A Description
The Track Viewer function is implemented with Google Maps JavaScript API, and it requires authentication for further operation. If you don’t have Google Maps API key, click the link at [Get a key] to get a key from Google. Paste API key on the text box, and then click Save. You can choose to remain it empty and then click X directly. It can let you use the map temporarily. The key icon on the right top will appear until you input the API key. Click the Save button to use the API key and reload the page immediately.
If user enters the right key, the key input window and key icon on the right top side will disappear. If user enters an invalid key, UI will prompt the message and request user to change the value of the API key. If user remains empty in the field of Google Maps API key and clicks “Save”, user can load and use 460
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Google map normally. However, we can’t guarantee the number of loading times user can reach if you don’t input the API key. General Functions Track Viewer lists following items in the side bar. General Functions Item Value setting Current Track Show from GPX file Advanced setting Detail N/A N/A N/A N/A Description Show current position and current track on the map. Update interval is 5 seconds. If GNSS is disabled, Current Track button will be hidden. Show the track from the GPX file. It can choose the file from either internal or external storage. User can set track color, line width, minimum distance, and API key here.
Select the Detail function to show a time‐speed graph and information of the track. Show Current Track When Current Track button is clicked, then the following screen will appear. The bus icon indicates the current position of the device (or the vehicle that equipped with the device). Current track is drawn from the time page was loaded to current time. 461
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Show from GPX File When Show from GPX file button is clicked, then the following screen will appear. Show from GPX file Item From GPX file Apply Close Value setting
1. A Must filled setting. 2. Internal is selected by default. 1. A Must filled setting. N/A N/A Description
Specify the storage where the GPX file located. It can be Internal or External, it depends on the storage setting in GNSS page. Note: External is disabled when no USB flash drive is detected. Select the expected GPX file from the dropdown list. Click the Apply button to load the GPX file.
Click the Close button and the Show from GPX file screen will disappear.
Configure Advanced Setting When Advanced setting button is clicked then applied screen will appear. Advanced Setting Item Value setting Track color Minimum Distance 1. A Must filled setting. 2. #0000FF is set by default. 1. A Must filled setting. 2. 5 is set by default. 1. A Must filled setting. 2. 10 is set by default. API key Apply Close N/A N/A N/A Line width Description Change the color of the track. The default value is #0000FF (Blue).
Format: #□□□□□□ / #□□□ / color names e.g. #0000FF, #00F, blue Change the line width of the track. Range is from 1 to 32. Set the minimum distance between two continuous points. Range is from 0 to 100. When the number is larger, the redundant points are eliminated and the number of points on the map becomes less. Click the Change button to modify Google Maps API key. Click the Apply button to apply the setting.
Click the Close button and the Advanced Setting screen will disappear..
462
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Show Detail When Detail button is clicked, then the following screen will appear. Detail Item Value setting Description File name N/A Start time End time Duration N/A N/A N/A Refresh N/A Time‐speed graph N/A Show the file name of current used GPX file. Showing the text Current Track if the map loads current track instead of GPX file. Show the time of the start position. Time format depends on locale.
Show the time of the end position. Time format depends on locale.
Show the time difference between Start time and End time. Format: ? years ? months ? days ? hours ? minutes ? seconds, hide the unit when '?'==0 Only showing the button when the map loads current track. Click Refresh button to refresh the information of the track and update the time‐speed graph immediately. When mouse is over the curve in time‐speed graph, the small text box will show the locale time and speed in that point and the yellow car icon will locate on the position at that timestamp in the map. When user clicks the mouse on the point of curve in time‐speed graph, it will set the center point of the map to that position. 463
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 464
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. d.9 Power Control In Power Control section, the device may support Ignition Sense function for In‐vehicle gateway products, or Power Outlet control function for the products supporting external PDU function. With such kind of power control function, you can easily setup the gateway to properly operate with the external power source supplying from a vehicle battery, or manage the external device’s ON/OFF with a remote PDU. d.9.1 Ignition Sense The power source in vehicle is not as stable and constant as regular power source in the building. It definitely becomes a big challenge to the electronic devices that needs to work and operate well in any vehicles. To stand the unstable and power transient is one topic for in‐vehicle electronic devices. Usually, these issues will be resolved by choosing qualified hardware components. Another topic is how devices continue to work to support specific application requirements no matter in which conditions. An obvious problem is how devices can continue to work when car engine is shut off. With most of car design, the power supply to almost all in‐vehicle devices will be terminated when car engine is off. This is because car battery is charged by engine and alternator when engine is running. If car battery keeps supply power to in‐vehicle devices when engine if off, it’s highly possible to drain out battery power very soon by in‐vehicle devices. It also means you can’t start your car (engine) again when battery is empty. But somehow the in‐vehicle devices need to continue to work even car engine is shut off. Imagining some application scenarios in real life: 
There is usually a surveillance system installed on buses. Those image files will be stored temporarily at storage on bus, but usually those files need to be sent to server in management center to store for a long period of time. With the latest solution, people will install some kinds of Wi‐Fi gateway and start to transmit these image files through Wi‐Fi when bus is close to depot. In this case, as we mentioned in the beginning, that Wi‐Fi gateway will be powered off once bus engine is shut off. How bus driver knows when image files will be transmitted completely and then he/she can turn bus off and leave? 
A police car is on patrol, and the policeman found a suspicious car stopped at the side of road. To keep silent and avoid causing any notice, that policeman needs to pull car over earlier and stops engine. Then the policeman wants to check if that car is a stolen car. He inputs the number of license plate to police system and wait for the result. In this case, that police system needs to forward that plate number to remote server to check, so an Internet or uplink connectivity is required to make things done. Although cellular technology is becoming popular and widely used for building connectivity, how that cellular gateway can keep operate if power source is terminated when car engine is shut down? 
For an express company, there are hundreds of express cars running at a given time. A system of fleet management has been adopted to make daily operation more efficiently. The company installs a cellular gateway in each car to transmit real‐time location data back to 465
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. server. Then managers can see all the express cars on a monitor through this system. But somehow the manager found some cars disappeared from monitor temporarily. After looking into the problem, they realized that cellular gateway is powered off when the driver wants to leave the car for goods delivery and turn the car off temporarily. According to these examples, we can understand sometimes it’s important to let in‐vehicle electronic devices keep operate even when the engine is off. But it’s also important to avoid electronic devices consuming all the power from car battery. To have a solution for this situation, the In‐Vehicle Cellular Gateway has been equipped with Ignition Sense function. The main advantages of this feature are: 
Cellular gateway can continue to operate when car engine is shut down. 
Cellular gateway will enter standby mode automatically when a pre‐set timer is due. If in standby mode, gateway would stop consuming battery power to prevent draining power out. 
Cellular gateway would enter standby mode automatically if lower input power voltage is detected. 
Cellular gateway will be back from standby mode to operation mode when car is started. 466
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. 
Scenario of surveillance application on buses Per the first example mentioned above, the surveillance system on buses will transmit image files back to back‐end server when buses are back to depot. Driver will shut the bus off and leave bus once bus is parked in depot, but the uplink connection for surveillance still needs to be available until all image files are completely uploaded. Usually, image files on each bus can be uploaded completely within 10 minutes, and bus owner wants to have extra 5 minute for buffer. In this case, the configuration will be set as table below. Basic Settings: Configuration Path Ignition Sense Shutdown Timer Voltage Sense Shutdown Voltage Threshold [Power Control]‐[Ignition Sense]
Enable 15 Disable N/A 
Scenario of surveillance application on buses Per the third example mentioned above, the owner wants to see locations of all moving express trucks through fleet management system. The location data on each truck is sent to fleet management server through a cellular gateway. The cellular gateway needs to keep working even if truck is stopped (engine off) on road temporarily. Usually, a truck on duty won’t stop at a location over 30 minutes. Another concern is some truck batteries (12 voltage) are already used for long time, and the quality may poor. It’s also important to prevent cellular gateway from draining out battery power. In this case, the feature of low power voltage needs to be activated as well. The configuration will be set as table below. Basic Settings: Configuration Path Ignition Sense Shutdown Timer Voltage Sense Shutdown Voltage Threshold [Power Control]‐[Ignition Sense]
Enable 30 Enable 11 467
In‐Vehicle Hotspot Gateway
Index skipping is used to reserve slots for new function insertion, when required. Ignition Sense Setting With Ignition Sense configuration page, you can configure those functions that are mentioned above. Please note this feature is only available on specific models. Please check product datasheet for details. Go to Service > Power Control > Ignition Sense Tab. Configuration Item Value setting Ignition Sense The box is unchecked by default. Shutdown Timer 1.Number format : any number between 0 and 240. 2. 0 is set by default. Voltage Sense The box is unchecked by default. Shutdown Voltage Threshold Save Undo An optional setting. NA NA Description Click Enable box to activate this Ignition Sense function. By default, the function is disabled, and the gateway will be always ON when Power Source is attached. Enter a shutdown timer (0~240 minutes) to shutdown the power of the gateway after the engine has been stopped ‘0’ means the gateway will never been shutdown even if ignition is removed (ACC OFF). Click Enable box to activate this Voltage Sense function. If the function is enabled, when input voltage is under the specified threshold value, the gateway will be shut down when ACC is OFF, no matter shutdown timer is due or not. Specify a threshold voltage to shut down the gateway when low battery power situation happens. Click the Save button to save the configuration Click the Undo button to restore what you just configured back to the previous setting. 468