Icr 3200 Configuration Manual 20230303

Download as pdf or txt
Download as pdf or txt
You are on page 1of 196

Industrial Cellular Router

ICR-3200
CONFIGURATION MANUAL
ICR-3200

Used Symbols
Danger – Information regarding user safety or potential damage to the router.

Attention – Problems that can arise in specific situations.

Information, notice – Useful tips or information of special interest.

Example – Example of function, command or script.

Firmware Version
Current version of firmware is 6.3.9 (January 4, 2023).

Advantech Czech s.r.o., Sokolska 71, 562 04 Usti nad Orlici, Czech Republic
Document No. MAN-0042-EN, revision from March 3, 2023. Released in the Czech Republic.

i
ICR-3200

Contents
1 Basic Information 1
1.1 Document Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2 Product Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.3 Standard Equipment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.4 Optional Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.5 Web Configuration GUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.6 WebAccess/DMP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.7 Router Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.8 IPv6 Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.9 Supported Certificate File Types . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.10 IEEE 802.1X (RADIUS) Support . . . . . . . . . . . . . . . . . . . . . . . . . . 4

2 Web Configuration GUI 6


2.1 Factory Reset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.2 HTTPS Certificate for the GUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.3 Valid Characters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

3 Status 9
3.1 General Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3.1.1 Mobile Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3.1.2 Ethernet Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3.1.3 WiFi Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3.1.4 Peripheral Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3.1.5 System Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3.2 Mobile WAN Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
3.3 WiFi Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
3.4 WiFi Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
3.5 Network Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
3.6 DHCP Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
3.7 IPsec Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
3.8 WireGuard Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
3.9 DynDNS Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
3.10 System Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

4 Configuration 27
4.1 Ethernet Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
4.1.1 DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
4.1.2 IPv6 Prefix Delegation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
4.1.3 802.1X Authentication to RADIUS Server . . . . . . . . . . . . . . . . . 31

ii
ICR-3200

4.1.4 LAN Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . 32


4.2 VRRP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
4.3 Mobile WAN Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
4.3.1 Connection to Mobile Network . . . . . . . . . . . . . . . . . . . . . . . 42
4.3.2 DNS Address Configuration . . . . . . . . . . . . . . . . . . . . . . . . . 44
4.3.3 Check Connection to Mobile Network . . . . . . . . . . . . . . . . . . . 44
4.3.4 Check Connection Example . . . . . . . . . . . . . . . . . . . . . . . . . 44
4.3.5 Data Limit Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
4.3.6 Switch between SIM Cards Configuration . . . . . . . . . . . . . . . . . 45
4.3.7 Examples of SIM Card Switching Configuration . . . . . . . . . . . . . . 49
4.3.8 PPPoE Bridge Mode Configuration . . . . . . . . . . . . . . . . . . . . . 50
4.4 PPPoE Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
4.5 WiFi Access Point Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 53
4.6 WiFi Station Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
4.7 Backup Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
4.7.1 Default Priorities for Backup Routes . . . . . . . . . . . . . . . . . . . . 66
4.8 Static Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
4.9 Firewall Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
4.9.1 Example of the IPv4 Firewall Configuration . . . . . . . . . . . . . . . . 73
4.10 NAT Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
4.10.1 Examples of NAT Configuration . . . . . . . . . . . . . . . . . . . . . . . 78
4.11 OpenVPN Tunnel Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
4.11.1 Example of the OpenVPN Tunnel Configuration in IPv4 Network . . . . 87
4.12 IPsec Tunnel Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
4.12.1 Route-based Configuration Scenarios . . . . . . . . . . . . . . . . . . . 88
4.12.2 IPsec Authentication Scenarios . . . . . . . . . . . . . . . . . . . . . . . 89
4.12.3 Configuration Items Description . . . . . . . . . . . . . . . . . . . . . . . 91
4.12.4 Basic IPv4 IPSec Tunnel Configuration . . . . . . . . . . . . . . . . . . . 97
4.13 WireGuard Tunnel Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 98
4.13.1 WireGuard IPv4 Tunnel Configuration Example . . . . . . . . . . . . . . 101
4.14 GRE Tunnels Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
4.14.1 Example of the GRE Tunnel Configuration . . . . . . . . . . . . . . . . . 104
4.15 L2TP Tunnel Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
4.15.1 Example of the L2TP Tunnel Configuration . . . . . . . . . . . . . . . . 108
4.16 PPTP Tunnel Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
4.16.1 Example of the PPTP Tunnel Configuration . . . . . . . . . . . . . . . . 111
4.17 Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
4.17.1 DynDNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
4.17.2 FTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
4.17.3 HTTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
4.17.4 NTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
4.17.5 PAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
4.17.6 SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
4.17.7 SMTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

iii
ICR-3200

4.17.8 SMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126


4.17.9 SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
4.17.10 Syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
4.17.11 Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
4.18 Expansion Port – SERIAL I/O Configuration . . . . . . . . . . . . . . . . . . . . 138
4.18.1 Examples of the Expansion Port Configuration . . . . . . . . . . . . . . 142
4.19 Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
4.19.1 Startup Script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
4.19.2 Example of Startup Script . . . . . . . . . . . . . . . . . . . . . . . . . . 143
4.19.3 Up/Down Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
4.19.4 Example of IPv6 Up/Down Script . . . . . . . . . . . . . . . . . . . . . . 144
4.20 Automatic Update Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 145
4.20.1 Example of Automatic Update . . . . . . . . . . . . . . . . . . . . . . . . 147
4.20.2 Example of Automatic Update Based on MAC . . . . . . . . . . . . . . . 148

5 Administration 149
5.1 Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
5.2 Change Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
5.3 Change Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
5.4 Two-Factor Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
5.5 Set Real Time Clock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
5.6 Set SMS Service Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
5.7 Unlock SIM Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
5.8 Unblock SIM Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
5.9 Send SMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
5.10 Backup Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
5.11 Restore Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
5.12 Update Firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
5.13 Reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
5.14 Logout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163

6 Typical Situations 164


6.1 Access to the Internet from LAN . . . . . . . . . . . . . . . . . . . . . . . . . . 164
6.2 Backup Access to the Internet from LAN . . . . . . . . . . . . . . . . . . . . . . 166
6.3 Secure Networks Interconnection or Using VPN . . . . . . . . . . . . . . . . . . 170
6.4 Serial Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172

7 Customization 174
7.1 Router Apps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
7.2 FirstNet Router App . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

Appendix A: Open Source Software License 176

iv
ICR-3200

Appendix B: Glossary and Acronyms 177

Appendix C: Index 182

Appendix D: Related Documents 185

v
ICR-3200

List of Figures
1 IEEE 802.1X Functional Diagram . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2 Web Configuration GUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
3 Mobile WAN status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
4 WiFi Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
5 WiFi Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
6 Network Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
7 DHCP Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
8 IPsec Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
9 WireGuard Status Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
10 DynDNS Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
11 System Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
12 Example program syslogd start with the parameter -R . . . . . . . . . . . . . . 26
13 LAN Configuration page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
14 IPv6 Address with Prefix Example . . . . . . . . . . . . . . . . . . . . . . . . . 30
15 Network Topology for Example 1 . . . . . . . . . . . . . . . . . . . . . . . . . . 32
16 LAN Configuration for Example 1 . . . . . . . . . . . . . . . . . . . . . . . . . . 33
17 Network Topology for Example 2 . . . . . . . . . . . . . . . . . . . . . . . . . . 34
18 LAN Configuration for Example 2 . . . . . . . . . . . . . . . . . . . . . . . . . . 35
19 Network Topology for Example 3 . . . . . . . . . . . . . . . . . . . . . . . . . . 36
20 LAN Configuration for Example 3 . . . . . . . . . . . . . . . . . . . . . . . . . . 37
21 Topology of VRRP configuration example . . . . . . . . . . . . . . . . . . . . . 39
22 Example of VRRP configuration – main router . . . . . . . . . . . . . . . . . . . 39
23 Example of VRRP configuration – backup router . . . . . . . . . . . . . . . . . 40
24 Mobile WAN Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
25 Check Connection Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
26 Configuration for SIM card switching Example 1 . . . . . . . . . . . . . . . . . . 49
27 Configuration for SIM card switching Example 2 . . . . . . . . . . . . . . . . . . 50
28 PPPoE Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
29 WiFi Access Point Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 59
30 WiFi Station Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
31 Backup Routes Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
32 Static Routes Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
33 Firewall Configuration – IPv6 Firewall . . . . . . . . . . . . . . . . . . . . . . . . 70
34 Topology for the IPv4 Firewall Configuration Example . . . . . . . . . . . . . . 73
35 IPv4 Firewall Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . 74
36 NAT – IPv6 NAT Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
37 Topology for NAT Configuration Example 1 . . . . . . . . . . . . . . . . . . . . 78
38 NAT Configuration for Example 1 . . . . . . . . . . . . . . . . . . . . . . . . . . 79
39 Topology for NAT Configuration Example 2 . . . . . . . . . . . . . . . . . . . . 80
40 NAT Configuration for Example 2 . . . . . . . . . . . . . . . . . . . . . . . . . . 81

vi
ICR-3200

41 OpenVPN tunnel configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 86


42 Topology of OpenVPN Configuration Example . . . . . . . . . . . . . . . . . . . 87
43 IPsec Tunnels Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
44 Topology of IPsec Configuration Example . . . . . . . . . . . . . . . . . . . . . 97
45 WireGuard Tunnels Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 99
46 Topology of WireGuard Configuration Example . . . . . . . . . . . . . . . . . . 101
47 Router A – WireGuard Status Page and Route Table . . . . . . . . . . . . . . . 102
48 Router B – WireGuard Status Page and Route Table . . . . . . . . . . . . . . . 102
49 GRE Tunnel Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
50 Topology of GRE Tunnel Configuration Example . . . . . . . . . . . . . . . . . 104
51 L2TP Tunnel Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
52 Topology of L2TP Tunnel Configuration Example . . . . . . . . . . . . . . . . . 108
53 PPTP Tunnel Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
54 Topology of PPTP Tunnel Configuration Example . . . . . . . . . . . . . . . . . 111
55 DynDNS Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . 112
56 Configuration of FTP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
57 Configuration of HTTP and HTTPS services . . . . . . . . . . . . . . . . . . . . 114
58 Example of NTP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
59 Configuration of Local User Database . . . . . . . . . . . . . . . . . . . . . . . 116
60 Configuration of RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
61 Configuration of TACACS+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
62 Enabling Two-Factor Authentication Service . . . . . . . . . . . . . . . . . . . . 119
63 OID Basic Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
64 SNMP Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
65 MIB Browser Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
66 SMTP Client Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . 124
67 SMS Configuration for Example 1 . . . . . . . . . . . . . . . . . . . . . . . . . . 131
68 SMS Configuration for Example 2 . . . . . . . . . . . . . . . . . . . . . . . . . . 132
69 SMS Configuration for Example 3 . . . . . . . . . . . . . . . . . . . . . . . . . . 133
70 SMS Configuration for Example 4 . . . . . . . . . . . . . . . . . . . . . . . . . . 134
71 Configuration of HTTP service . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
72 Syslog configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
73 Configuration of Telnet service . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
74 SERIAL I/O configuration pages overview . . . . . . . . . . . . . . . . . . . . . 138
75 Expansion Port Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
76 Example of Ethernet to serial communication configuration . . . . . . . . . . . 142
77 Example of serial interface configuration . . . . . . . . . . . . . . . . . . . . . . 142
78 Example of a Startup Script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
79 Example of IPv6 Up/Down Script . . . . . . . . . . . . . . . . . . . . . . . . . . 144
80 Example of Automatic Update 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
81 Example of Automatic Update 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
82 Users Administration Form . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
83 Change Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
84 Change Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152

vii
ICR-3200

85 Two-factor User Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154


86 Secret Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
87 Links for Google Authenticator Application . . . . . . . . . . . . . . . . . . . . . 155
88 Links for Authenticator-Extension . . . . . . . . . . . . . . . . . . . . . . . . . . 155
89 Standard Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
90 Verification Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
91 SSH Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
92 Set Real Time Clock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
93 Set SMS Service Center Address . . . . . . . . . . . . . . . . . . . . . . . . . . 158
94 Unlock SIM Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
95 Unblock SIM Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
96 Send SMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
97 Backup Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
98 Restore Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
99 Update Firmware Administration Page . . . . . . . . . . . . . . . . . . . . . . . 162
100 Process of Firmware Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
101 Reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
102 Access to the Internet from LAN – sample topology . . . . . . . . . . . . . . . . 164
103 Access to the Internet from LAN – Ethernet configuration . . . . . . . . . . . . 165
104 Access to the Internet from LAN – Mobile WAN configuration . . . . . . . . . . 165
105 Backup access to the Internet – sample topology . . . . . . . . . . . . . . . . . 166
106 Backup access to the Internet – Ethernet configuration . . . . . . . . . . . . . . 166
107 Backup access to the Internet – WiFi configuration . . . . . . . . . . . . . . . . 167
108 Backup access to the Internet – Mobile WAN configuration . . . . . . . . . . . . 168
109 Backup access to the Internet – Backup Routes configuration . . . . . . . . . . 169
110 Secure networks interconnection – sample topology . . . . . . . . . . . . . . . 170
111 Secure networks interconnection – OpenVPN configuration . . . . . . . . . . . 171
112 Serial Gateway – sample topology . . . . . . . . . . . . . . . . . . . . . . . . . 172
113 Serial Gateway – konfigurace Expansion Port 1 . . . . . . . . . . . . . . . . . . 173
114 Router Apps GUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
115 Router Apps Added . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
116 FirstNet Router App – Global Status . . . . . . . . . . . . . . . . . . . . . . . . 175

viii
ICR-3200

List of Tables
1 Supported Roles of the IEEE 802.1X Authentication . . . . . . . . . . . . . . . 5
2 Mobile Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3 Peripheral Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
4 System Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
5 Mobile Network Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
6 Value ranges of signal strength for different technologies. . . . . . . . . . . . . 13
7 Description of Periods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
8 Mobile Network Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
9 Information about Neighbouring WiFi Networks . . . . . . . . . . . . . . . . . . 16
10 Description of Interfaces in Network Status . . . . . . . . . . . . . . . . . . . . 18
11 Description of Information in Network Status . . . . . . . . . . . . . . . . . . . . 19
12 DHCP Status Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
13 Configuration of the Network Interface – IPv4 and IPv6 . . . . . . . . . . . . . . 28
14 Configuration of the Network Interface – global items . . . . . . . . . . . . . . . 29
15 Configuration of Dynamic DHCP Server . . . . . . . . . . . . . . . . . . . . . . 30
16 Configuration of Static DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . 30
17 IPv6 prefix delegation configuration . . . . . . . . . . . . . . . . . . . . . . . . . 31
18 Configuration of 802.1X Authentication . . . . . . . . . . . . . . . . . . . . . . . 31
19 VRRP configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
20 Check connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
21 Mobile WAN Connection Configuration . . . . . . . . . . . . . . . . . . . . . . . 43
22 Check Connection to Mobile Network Configuration . . . . . . . . . . . . . . . . 45
23 Data Limit Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
24 Switch between SIM cards configuration . . . . . . . . . . . . . . . . . . . . . . 47
25 Parameters for SIM card switching . . . . . . . . . . . . . . . . . . . . . . . . . 48
26 PPPoE configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
27 WiFi Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
28 WLAN Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
29 Backup Route Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
30 Backup Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
31 Static Routes Configuration for IPv4 . . . . . . . . . . . . . . . . . . . . . . . . 69
32 Filtering of Incoming Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
33 Forwarding filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
34 NAT Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
35 Remote Access Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
36 Configuration of Send all incoming packets to server . . . . . . . . . . . . . . . 77
37 OpenVPN Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
38 OpenVPN Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . 87
39 IPsec Tunnel Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
40 Simple IPv4 IPSec Tunnel Configuration . . . . . . . . . . . . . . . . . . . . . . 97

ix
ICR-3200

41 WireGuard Tunnel Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 100


42 WireGuard IPv4 Tunnel Configuration Example . . . . . . . . . . . . . . . . . . 101
43 GRE Tunnel Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
44 GRE Tunnel Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . 105
45 L2TP Tunnel Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
46 L2TP Tunnel Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . 108
47 PPTP Tunnel Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
48 PPTP Tunnel Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . 111
49 DynDNS Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
50 Parameters for FTP service configuration . . . . . . . . . . . . . . . . . . . . . 113
51 Parameters for HTTP and HTTPS services configuration . . . . . . . . . . . . . 114
52 NTP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
53 Available Modes of PAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
54 Configuration of RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
55 Configuration of TACACS+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
56 SNMP Agent Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
57 SNMPv3 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
58 SNMP Configuration (R-SeeNet) . . . . . . . . . . . . . . . . . . . . . . . . . . 121
59 Object identifier for binary inputs and output . . . . . . . . . . . . . . . . . . . . 122
60 SMTP client configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
61 SMS Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
62 Control via SMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
63 Control SMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
64 Send SMS on the serial Port 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
65 Send SMS on the serial Port 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
66 Sending/receiving of SMS on TCP port specified . . . . . . . . . . . . . . . . . 129
67 List of AT Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
68 Parameters for SSH service configuration . . . . . . . . . . . . . . . . . . . . . 135
69 Syslog configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
70 Parameters for Telnet service configuration . . . . . . . . . . . . . . . . . . . . 137
71 Expansion Port Configuration – serial interface . . . . . . . . . . . . . . . . . . 140
72 Expansion Port Configuration – Check TCP connection . . . . . . . . . . . . . 140
73 CD Signal Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
74 DTR Signal Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
75 Automatic Update Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 145
76 Button Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
77 User Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150

x
ICR-3200

1. Basic Information
1.1 Document Content
This configuration manual contains the following information:

• Configuration of the router item by item according to the web interface (Chapters 3 to 5).
• Configuration in typical situations examples (Chapter 6):

◦ Access to the Internet from LAN (Local Area Network) via mobile network.
◦ Backed up access to the Internet (from LAN).
◦ Secure networks interconnection or using VPN (Virtual Private Network).
◦ Serial Gateway (connection of serial devices to the Internet).

1.2 Product Introduction


ICR-3200 routers are designed for communication across cellular networks using either
LTE technology Category 4 (theoretically 150 Mbps downlink and 50 Mbps uplink), or LTE
Category M1 (CAT-M1 for IoT and M2M communications). The router is an ideal solution for
industrial wireless connection of traffic and security camera systems, individual computers,
LANs, automatic teller machines (ATM), other self-service terminals, and many other devices.

1.3 Standard Equipment


Standard features include the LTE cellular module (with two antenna connectors – for main
and diversity antenna), two Ethernet 10/100 ports, one binary input, one binary output, RS-
232 serial interface, RS-485 serial interface (single 10-pin connector for serial and binary
interfaces), and two SIM card readers for 3 V and 1.8 V SIM cards. The router is supplied in
a metal casing.

1.4 Optional Features


If desired, the router can be ordered as an extended version with the WiFi and the GPS
module. This version is equipped with two WiFi antenna connectors on the right side and
one GNSS antenna connector between them. Note that routers cannot be retrofitted with an
interface in the future. See the router’s technical manual for details on versions and possible
combinations of interfaces.

1
ICR-3200

1.5 Web Configuration GUI


Configuring ICR-3200 routers is made easy by name and password-protected web inter-
face. The interface provides detailed statistics about router activities, signal strength, system
logs and more. The router supports both IPv4 and IPv6 protocols, the creation of secure
VPN tunnels using technologies IPsec, OpenVPN and L2TP. The router also supports DHCP,
NAT, NAT-T, DynDNS client, NTP, VRRP, control by SMS, backup of the primary connection,
multiple WANs, RADIUS authentication on Ethernet and WiFi, and many other functions.
Additional diagnostic features designed to ensure continuous communication include auto-
matic inspection of Mobile WAN connections, an automatic restart feature in case a connection
is lost, and a hardware watchdog that monitors the status of the router. Using a start up script
window, users can insert Linux scripts for various actions. Users may insert multiple scripts,
and the router can switch between configurations as needed. Examples would include using
SMS or checking the status of the binary input. ICR-3200 routers can automatically update
their configurations and firmware from a central server, allowing for mass reconfiguration of
multiple routers simultaneously.

1.6 WebAccess/DMP Configuration


WebAccess/DMP is an advanced enterprise-grade platform solution for provisioning, mon-
itoring, managing, and configuring Advantech’s routers and IoT gateways. It provides a zero-
touch enablement platform for each remote device. See the application note [3] for more
information of visit the WebAccess/DMP webpage.
New routers have been pre-installed with the WebAccess/DMP client, which has activated
the connection to the WebAccess/DMP server by default. You can disable this connection on
the Welcome page when logging into the router’s web interface or on the (Customization ->
Router Apps -> WebAccess/DMP Client) configuration page.

The activated client periodically uploads router identifiers and configuration to the Web-
Access/DMP server.

1.7 Router Configuration Options


Routers can be configured via a web browser or Secure Shell (SSH). Configuration via
Web Browser is described in this Configuration Manual. Commands and scripts applicable
in the configuration using SSH are described in Commands and Scripts Application Note [1].
Technical parameters and a full description of the router can be found in the User Manual
of your router. You can also use additional software – WebAccess/VPN [2] and software for
router monitoring R-SeeNet [3].

2
ICR-3200

1.8 IPv6 Support


There is an independent IPv4 and IPv6 dual-stack configuration implemented in the
router’s firmware. This means that you can configure traffic through both IP protocols inde-
pendently and both are supported. Additional EUI-64 IPv6 addresses of network interfaces
are generated automatically by standard methods. In addition, there is a NAT64 internal gate-
way network interface for automatic translation between IPv6 and IPv4 (see Chapter 3.5 for
more information). This gateway works together with DNS64 seamlessly (for domain names
translation).
For cellular IPv6 connection, see Mobile WAN Configuration in Chapter 4.3.1. For IPv6
LAN configuration, see LAN Configuration in Chapter 4.1. DHCPv6 server/client is also sup-
ported. IPv4 is the default, but IPv6 can be enabled or used with all features and protocols
in the router, except for non-secured tunnels GRE, L2TP and PPTP, and VRRP. Using the
secured tunnels OpenVPN and IPsec, it is possible to run IPv6 traffic through an IPv4 tunnel
and vice versa. The configuration forms for NAT, Firewall and Up/Down Scripts are completely
separate for the IPv4 and IPv6 stacks. ICMPv6 protocol is also supported. IPv6 configuration
is covered in each following Chapter when possible.

1.9 Supported Certificate File Types


All the GUI forms supporting the uploading of a certificate file support these file types:

• CA, Local/Remote Certificate: *.pem; *.crt; *.p12


• Private Key: *.pem; *.key; *.p12

3
ICR-3200

1.10 IEEE 802.1X (RADIUS) Support


IEEE 802.1X is an IEEE Standard for port-based Network Access Control (PNAC). It is
part of the IEEE 802.1 group of networking protocols. It provides an authentication mecha-
nism to devices wishing to attach to a LAN or WLAN. IEEE 802.1X defines the encapsulation
of the Extensible Authentication Protocol (EAP) over IEEE 802, which is known as "EAP
over LAN" or EAPoL.

802.1X authentication involves three parties: a supplicant, an authenticator, and an


authentication server (see Figure 1).

Figure 1: IEEE 802.1X Functional Diagram

• The supplicant is a client device (such as a laptop) that wishes to attach to the
LAN/WLAN. The term ’supplicant’ is also used interchangeably to refer to the software
running on the client that provides credentials to the authenticator.

• The authenticator is a network device which provides a data link between the client
(supplicant) and the network (LAN/WAN) and can allow or block network traffic between
the two, such as an Ethernet switch or wireless access point. The authtenticator commu-
nicates with the authentication server to determine if the network access for a supplicant
will be granted or not.

• The authentication server is typically a trusted server that can receive and respond
to requests for network access, and can tell the authenticator if the connection is to be
allowed, and various settings that should apply to that client’s connection or setting. Au-
thentication servers typically run software supporting the RADIUS and EAP protocols.

4
ICR-3200

Table 1 summarizes all the supported cases and roles when the IEEE 802.1X authentica-
tion can be used on Advantech routers.

Please note that the role of the authentication server is not supported by Advantech routers.

Interface Supplicant Role Authenticator Role


LAN Built-in feature, just configure Not built-in feature, but can be
the LAN with 802.1X authentica- implemented by the UM 802.1X
tion, see Chapter 4.1.3. Authenticator. For more infor-
mation about this module see
[RA].
WiFi Supported for the Station (STA) Supported for the Access Point
mode, see Chapter 4.6. (AP) mode, see Chapter 4.5.
Table 1: Supported Roles of the IEEE 802.1X Authentication

5
ICR-3200

2. Web Configuration GUI

Figure 2: Web Configuration GUI

6
ICR-3200

The cellular router will not operate unless the cellular carrier has been correctly config-
ured and the account activated and provisioned for data communications. For UMTS
and LTE carriers, a SIM card must be inserted into the router. Do not insert the SIM card
when the router is powered up.

You may use the web interface to monitor, configure and manage the router. To access the
router over the web interface enter the router’s IP address in your browser. The default address
is 192.168.1.1. Only access via secured HTTPS protocol is permitted. So the syntax for the IP
address must be https://192.168.1.1. When accessing the router for the first time you will need
to install a security certificate if you don’t want the browser to show you a domain disagreement
message. To avoid receiving domain disagreement messages, follow the procedure described
in the following subchapter.
The default username is root1 . The default password is printed on the router’s label.2
Change the default password as soon as possible!

For increased security of the network connected to the router, change the default router
password. When the default password of the router is still active, the Change password
title is highlighted in red.

After three unsuccessful login attempts, any HTTP(S) access from an IP address is
blocked for one minute.

When you successfully enter login information on the login page, the web interface will be
displayed, see Figure 2. The left side of the web interface contains a menu tree with sections
for Status monitoring, Configuration, Customization, and Administration of the router.

The Name and Location fields, identifying the router, can be displayed in the right upper corner
of the web interface. It can be configured in the SNMP configuration (see 4.17.6).

2.1 Factory Reset


After the PWR LED starts to blink you may restore the initial router settings by pressing the
reset (RST ) button for a given time, see the technical manual of the router for more information.
This action will revert all the configuration settings to the factory defaults and the router will
reboot (the PWR LED will be on during the reboot).
1
ICR-3241(W)-1ND models have the defaul username "admin".
2
If the router’s label does not contain a unique password, use the password "root".

7
ICR-3200

2.2 HTTPS Certificate for the GUI


There is the self-signed HTTPS certificate in the router. Because the identity of this cer-
tificate cannot be validated, a message can appear in the web browser. To solve this, upload
your own certificate, signed by Certification Authority, to the router. If you want to use your
own certificate (e.g. in combination with the dynamic DNS service), you need to replace the
/etc/certs/https_cert and /etc/certs/https_key files in the router. This can be done easily in the
GUI on HTTP configuration page, see Chapter 4.17.3.
If you decide to use the self-signed certificate in the router to prevent the security mes-
sage (domain disagreement) from pop up every time you log into the router, you can take the
following steps:

• Add the DNS record to your DNS system: Edit /etc/hosts (Linux/Unix OS) or
C:\WINDOWS\system32\drivers\etc\hosts (Windows OS) or configure your own DNS
server. Add a new record with the IP address of your router and the domain name
based of the MAC address of the router (MAC address of the first network interface seen
in Network Status in the Web interface of the router.) Use dash separators instead of
colons. Example: A router with the MAC address 00:11:22:33:44:55 will have a domain
name 00-11-22-33-44-55.
• Access the router via the new domain name address (E.g. https://00-11-22-33-44-55).
If you see the security message, add an exception so the next time the message will
not pop up (E.g. in Firefox Web browser). If there is no possibility to add an exception,
export the certificate to the file and import it to your browser or operating system.

Note: You will have to use the domain name based on the MAC address of the router and
it is not guaranteed to work with every combination of an operating system and a browser.

2.3 Valid Characters


If the router is configured through the web interface, avoid entering forbidden characters
into any of the input forms (not just for password). Valid and forbidden characters are specified
below. Please note that the "space" character may not be allowed for some forms as well.
Valid characters are: 0-9 a-z A-Z * , + - . / : = ? ! # % @ [ ] _ { } ~
Forbidden characters are: “ $ & ’ ( ) ; < > \ ^ ‘ |

8
ICR-3200

3. Status
All status pages can display live data. To enable this feature, click on the refresh button in the
top right corner on the status page. To stop the data update and to limit the amount of data
transferred, disable automatic data updates by clicking the pause button again.

3.1 General Status


You can reach a summary of basic router information and its activities by opening the
General status page. This page is displayed when you log in to the device by default. The
information displayed on this page is divided into several sections, based upon the type of the
router and its hardware configuration. Typically, there are sections for the mobile connection,
LAN, system information, system information, and eventually for the WiFi and peripheral ports,
if the device is equipped with.

IPv6 Address item can show multiple different addresses for one network interface. This is
standard behavior since an IPv6 interface uses more addresses. The second IPv6 Address
showed after pressing More Information is automatically generated EUI-64 format link local
IPv6 address derived from MAC address of the interface. It is generated and assigned the first
time the interface is used (e.g. cable is connected, Mobile WAN connecting, etc.).

3.1.1 Mobile Connection


Item Description
SIM Card Identification of the SIM card
Interface Defines the interface
Flags Displays network interface flags:
None - no flags
Up - the interface is administratively enabled
Running - the interface is in operational state (cable detected)
Multicast - the interface is capable of multicast transmission
IP Address IP address of the interface
MTU Maximum packet size that the equipment is able to transmit
Rx Data Total number of received bytes
Rx Packets Received packets
Rx Errors Erroneous received packets
Rx Dropped Dropped received packets
Rx Overruns Lost received packets because of overload
Tx Data Total number of sent bytes
Tx Packets Sent packets
Tx Errors Erroneous sent packets
Tx Dropped Dropped sent packets
Tx Overruns Lost sent packets because of overload
Uptime Indicates how long the connection to the cellular network has been established
Table 2: Mobile Connection

9
ICR-3200

3.1.2 Ethernet Status


Every Ethernet interface has its separate section on the General status page. Items dis-
played here have the same meaning as items in the previous part. Moreover, the MAC Address
item shows the MAC address of the corresponding router’s interface. Visible information de-
pends on the Ethernet configuration, see Chapter 4.1.

3.1.3 WiFi Status


Items displayed in this part have the same meaning as items in the previous part. WiFi
AP part displays information for the WiFi interface (wlan0) working in access point mode, for
the configuration see Chapter 4.5. WiFi STA part displays information for the WiFi interface
(wlan1) working in station mode, for the configuration description see Chapter 4.6.

3.1.4 Peripheral Ports


Information about available peripheral ports and status of binary interfaces is displayed in
the Peripheral Ports section.

Item Description
Expansion Port 1 An interface detected on the first expansion port.
Expansion Port 2 An interface detected on the second expansion port.
Binary Input State of the binary input.
Binary Output State of the binary output.

Table 3: Peripheral Ports

3.1.5 System Information


System information about the device is displayed in the System Information section.

Item Description
Firmware Version Information about the firmware version.
Serial Number Serial number of the router (in case of N/A is not available).
Hardware UUID1 Unique HW identifier for the device.
1
Product Revision Manufactured product revision number.
Profile Current profile – standard or alternative profiles (profiles are used for example
to switch between different modes of operation).
RTC Battery RTC battery state.
Supply Voltage Supply voltage of the router.
Temperature Temperature in the router.
Time Current date and time.
Uptime Indicates how long the router is used.
Continued on next page

10
ICR-3200

Continued from previous page

Item Description
Licenses Link to the list of open source software components of the firmware together
with their license type. Click on the license type to see the license text.
Table 4: System Information

1
It may not be available for some models.
2
Only for models with PoE. The router’s power supply voltage must meet the required voltage.

11
ICR-3200

3.2 Mobile WAN Status

The ICR-3201 (LAN version) has no the Mobile WAN status menu option.

The Mobile WAN menu item contains current information about connections to the mobile
network. The first part of this page (Mobile Network Information) displays basic information
about mobile network the router operates in. There is also information about the module,
which is mounted in the router.
Item Description
Registration State of the network registration
Operator Specifies the operator’s network the router operates in.
Technology Transmission technology
PLMN Code of operator
Cell Cell the router is connected to (in hexadecimal format).
LAC/TAC Unique number (in hexadecimal format) assigned to each location area. LAC (Lo-
cation Area Code) is for 2G/3G networks and TAC (Tracking Area Code) is for 4G
networks.
Channel Channel the router communicates on
• ARFCN in case of GPRS/EDGE technology,
• UARFCN in case of UMTS/HSPA technology,
• EARFCN in case of LTE technology.
Band Cellular band abbreviation.
Signal Strength Signal strength (in dBm) of the selected cell, for details see Table 6.
Signal Quality Signal quality of the selected cell:
• EC/IO for UMTS (it’s the ratio of the signal received from the pilot
channel – EC – to the overall level of the spectral density, ie the
sum of the signals of other cells – IO).
• RSRQ for LTE technology (Defined as the ratio N ×RSRP
RSSI ).
• The value is not available for the EDGE technology.
RSSI, RSRP, Other parameters reporting signal strength or quality. Please note, that some of them
RSRQ, SINR, may not be available, depending on the cellular module or cellular technology.
RSCP or Ec/Io
CSQ Cell signal strength with following value ranges:
• 2 – 9 = Marginal,
• 10 – 14 = OK,
• 15 – 19 = Good,
• 20 – 30 = Excelent.
Neighbours Signal strength of neighboring hearing cells (GPRS only)1 .
Manufacturer Module manufacturer
Model Type of module
Revision Revision of module
IMEI IMEI (International Mobile Equipment Identity) number of module
Continued on next page

1
If a neighboring cell for GPRS is highlighted in red, router may repeatedly switch between the neighboring and the
primary cell affecting the router’s performance. To prevent this, re-orient the antenna or use a directional antenna.

12
ICR-3200

Continued from previous page

Item Description
MEID MEID number of module
ICCID Integrated Circuit Card Identifier is international and unique serial number of the SIM
card.
Table 5: Mobile Network Information

The value of signal strength is displayed in different color: in black for good, in orange for
fair and in red for poor signal strength.

Signal strength GPRS/EDGE/CDMA UMTS/HSPA LTE


(RSSI) (RSCP) (RSRP)
good > -70 dBm > -75 dBm > -90 dBm
fair -70 dBm to -89 dBm -75 dBm to -94 dBm -90 dBm to -109 dBm
poor < -89 dBm < -94 dBm < -109 dBm

Table 6: Value ranges of signal strength for different technologies.

The middle part of this page, called Statistics, displays information about mobile signal
quality, transferred data and number of connections for all the SIM cards (for each period).
The router has standard intervals, such as the previous 24 hours and last week, and also
period starting with Accounting Start defined for the MWAN module.

Period Description
Today Today from 0:00 to 23:59
Yesterday Yesterday from 0:00 to 23:59
This week This week from Monday 0:00 to Sunday 23:59
Last week Last week from Monday 0:00 to Sunday 23:59
This period This accounting period
Last period Last accounting period

Table 7: Description of Periods

Item Description
RX data Total volume of received data
TX data Total volume of sent data
Connections Number of connection to mobile network establishment
Signal Min Minimal signal strength
Signal Avg Average signal strength
Signal Max Maximal signal strength
Cells Number of switch between cells
Availability Availability of the router via the mobile network (expressed as a percentage)

Table 8: Mobile Network Statistics

13
ICR-3200

Tips for Mobile Network Statistics table:

• Availability is expressed as a percentage. It is the ratio of time connection to the mobile


network has been established to the time that router has been is turned on.

• Placing your cursor over the maximum or minimum signal strength will display the last
time the router reached that signal strength.

Figure 3: Mobile WAN status

The last part (Connection Log) displays information about the mobile network connections
and any problems that occurred while establishing them.

14
ICR-3200

3.3 WiFi Status

This item is available only if the router is equipped with a WiFi module.

Selecting the Status -> WiFi -> Status item in the main menu of the web interface will
display information about the WiFi access point (AP) and the WiFi station (STA). Information
about all stations connected to the AP are listed as well. Examle of the output for the Wifi
status is shown on the following figure.

Figure 4: WiFi Status

15
ICR-3200

3.4 WiFi Scan

This item is available only if the router is equipped with a WiFi module.

Selecting the Status -> WiFi -> Scan item scans for neighboring WiFi networks and displays
the results. In the table below is the description of some items in the output of the WiFi
scanning.

Item Description
BSS MAC address of access point (AP)
TSF A Timing Synchronization Function (TSF) keeps the timers for
all stations in the same Basic Service Set (BSS) synchronized.
All stations shall maintain a local TSF timer.
freq Frequency band of WiFi network [MHz]
beacon interval Period of time synchronization
capability List of access point (AP) properties
signal Signal level of access point (AP)
last seen Last response time of access point (AP)
SSID Identifier of access point (AP)
Supported rates Supported rates of access point (AP)
DS Parameter set The channel on which access point (AP) broadcasts
ERP Extended Rate PHY – information element providing backward
compatibility
Extended supported Supported rates of access point (AP) that are beyond the scope
rates of eight rates mentioned in Supported rates item
RSN Robust Secure Network – The protocol for establishing a se-
cure communication through wireless network 802.11
Table 9: Information about Neighbouring WiFi Networks

16
ICR-3200

WiFi Scan output may look like this:

Figure 5: WiFi Scan

17
ICR-3200

3.5 Network Status


To view information about the interfaces and the routing table, open the Network item in
the Status menu. The upper part of the window displays detailed information about the active
interfaces only:

Interface Description
eth0, eth1 Network interfaces (Ethernet connection)
usbx Active connection to the mobile network – wireless module is connected
via USB interface.
wlan0 WiFi interface – if configured
pppx PPP interface (e.g. PPPoE tunnel – if configured)
tunx OpenVPN tunnel interface – if configured
ipsecx IPSec tunnel interface – if configured
gre1 GRE tunnel interface – if configured
wg1 WireGuard tunnel interface – if configured
lo Local loopback interface
nat64 Network interface of internal translator gateway between IPv6 and IPv4
addresses.
Table 10: Description of Interfaces in Network Status

The following information can be displayed for network interfaces:

Item Description
HWaddr Hardware (unique, MAC) address of a network interface.
inet addr IPv4 address of interface
inet6 addr IPv6 address of interface. There can be more of them for single network
interface.
P-t-P IP address of the opposite end (in case of point-to-point connection).
Bcast Broadcast address
Mask Mask of network
MTU Maximum packet size that the equipment is able to transmit.
Metric Number of routers the packet must go through.
Continued on next page

18
ICR-3200

Continued from previous page

Item Description
RX • packets – received packets
• errors – number of errors
• dropped – dropped packets
• overruns – incoming packets lost because of overload.
• frame – wrong incoming packets because of incorrect packet
size.

TX • packets – transmit packets


• errors – number of errors
• dropped – dropped packets
• overruns – outgoing packets lost because of overload.
• carrier – wrong outgoing packets with errors resulting from the
physical layer.

collisions Number of collisions on physical layer.


txqueuelen Length of buffer (queue) of the network interface.
RX bytes Total number of received bytes.
TX bytes Total number of transmitted bytes.
Table 11: Description of Information in Network Status

You may view the status of the mobile network connection on the network status screen.
If the connection to the mobile network is active, it will appear in the system information as an
usb0 interface.
The Route Table is displayed at the bottom of the Network Status page. There is IPv4
Route Table and IPv6 Route Table below.
If the router is connected to the Internet (a default route is defined), the nat64 network inter-
face is created automatically. This is the NAT64 internal gateway for translating the IPv6 and
IPv4 communication. It is used automatically when connected via IPv6 and communicating
with IPv4 device or network. It works together with DNS64 running in the router automatically
(translation of domain names to IP addresses). The default NAT64 prefix 64:ff9b::/96 is used
as you can see in Figure 6 below in the IPv6 Route Table section.

19
ICR-3200

Figure 6: Network Status

20
ICR-3200

3.6 DHCP Status


Information about the DHCP server activity is accessible via the DHCP item. The DHCP
server automatically configures the client devices connected to the router. The DHCP server
assigns each device an IP address, subnet mask, and default gateway (IP address of the
router) and DNS server (IP address of the router). DHCPv6 server is supported.
See Figure 7 for the DHCP Status example. Records in the DHCP Status window are
divided into two parts based on the interface.

Figure 7: DHCP Status

The DHCP status window displays the following information on a row for each client in the
list. All items are described in Table 12.

Item Description
IPv4 Address IPv4 address assigned to a client.
IPv6 Address IPv6 address assigned to a client.
Lease Starts The time the IP address lease started.
Lease Ends The time the IP address lease expires.
MAC MAC address of the client.
Hostname Client hostname.
IA-NA IPv6 unique identifier.
Table 12: DHCP Status Description

The DHCP status may occasionally display two records for one IP address. It may be caused
by resetting the client network interface.

21
ICR-3200

3.7 IPsec Status


Selecting the IPsec option in the Status menu of the web page will bring up the information
for any IPsec Tunnels that have been established. If the tunnel has been built correctly, the
screen will display ESTABLISHED and the number of running IPsec connections 1 up (orange
highlighted in the figure below.) If there is no such text in log (e.g. "0 up"), the tunnel was not
created!

Figure 8: IPsec Status

22
ICR-3200

3.8 WireGuard Status


Selecting the WireGuard option in the Status menu of the web page will bring up the
information for any WireGuard Tunnels established. In the figure below is an example of the
first WireGuard tunnel running.

Figure 9: WireGuard Status Page

The Latest handshake time is the time left from the latest successful communication
with the opposite tunnel side. This item will not be shown here until there is a tunnel
communication (data sent by the client-side or the keepalive data sent when NAT/Firewall
Traversal is set to yes).

23
ICR-3200

3.9 DynDNS Status


The router supports DynamicDNS using a DNS server on www.dyndns.org. If Dynamic
DNS is configured, the status can be displayed by selecting menu option DynDNS. Refer to
www.dyndns.org for more information on how to configure a Dynamic DNS client.

You can use the following listed servers for the Dynamic DNS service. It is possible to use the
DynDNSv6 service with IP Mode switched to IPv6 on DynDNS Configuration page.

• www.dyndns.org
• www.spdns.de
• www.dnsdynamic.org
• www.noip.com

Figure 10: DynDNS Status

When the router detects a DynDNS record update, the dialog displays one or more of the
following messages:

• DynDNS client is disabled.


• Invalid username or password.
• Specified hostname doesn’t exist.
• Invalid hostname format.
• Hostname exists, but not under specified username.
• No update performed yet.
• DynDNS record is already up to date.
• DynDNS record successfully update.
• DNS error encountered.
• DynDNS server failure.

The router’s SIM card must have public IP address assigned or DynDNS will not function
correctly.

24
ICR-3200

3.10 System Log


If there are any connection problems you may view the system log by selecting the System
Log menu item. Detailed reports from individual applications running in the router will be dis-
played. Use the Save Log button to save the system log to a connected computer. (It will be
saved as a text file with the .log extension.) The Save Report button is used for creating de-
tailed reports. (It will be saved as a text file with the .txt extension. The file will include statistical
data, routing and process tables, system log, and configuration.)

Sensitive data from the report are filtered out for security reasons.

The default length of the system log is 1000 lines. After reaching 1000 lines a new file is
created for storing the system log. After completion of 1000 lines in the second file, the first
file is overwritten with a new file.
The Syslogd program will output the system log. It can be started with two options to modify
its behavior. Option "-S" followed by decimal number sets the maximal number of lines in one
log file. Option "-R" followed by hostname or IP address enables logging to a remote syslog
daemon. (If the remote syslog deamon is Linux OS, there has to be remote logging enabled
(typically running "syslogd -R"). If it’s the Windows OS, there has to be syslog server installed,
e.g. Syslog Watcher). To start syslogd with these options, the "/etc/init.d/syslog" script can
be modified via SSH or lines can be added into Startup Script (accessible in Configuration
section) according to figure 12.

Figure 11: System Log

25
ICR-3200

The following example (figure) shows how to send syslog information to a remote server at
192.168.2.115 on startup.

Figure 12: Example program syslogd start with the parameter -R

26
ICR-3200

4. Configuration
4.1 Ethernet Configuration
To enter the Local Area Network configuration, select the Ethernet menu item in the Con-
figuration section. The Ethernet item will expand in the menu on the left, so you can choose
the proper Ethernet interface to configure: ETH0 for the first Ethernet interface and ETH1 for
the second Ethernet interface .
LAN Configuration page is divided into IPv4 and IPv6 columns, see Figure 13. There is
dual stack support of IPv4 and IPv6 protocols – they can run alongside, you can configure
either one of them or both. If you configure both IPv4 and IPv6, other network devices will
choose the communication protocol. Configuration items and IPv6 to IPv4 differences are
described in the tables below.

Figure 13: LAN Configuration page

27
ICR-3200

Item Description
DHCP Client Enables/disables the DHCP client function. If in IPv6 column, the
DHCPv6 client is enabled. DHCPv6 client supports all three meth-
ods of getting an IPv6 address – SLAAC, stateless DHCPv6 and
statefull DHCPv6.

• disabled – The router does not allow automatic allocation of


an IP address from a DHCP server in LAN network.
• enabled – The router allows automatic allocation of an IP
address from a DHCP server in LAN network.

IP Address A fixed IP address of the Ethernet interface. Use IPv4 notation in


IPv4 column and IPv6 notation in IPv6 column. Shortened IPv6
notation is supported.
Subnet Mask / Prefix Specifies a Subnet Mask for the IPv4 address. In the IPv6 column,
fill in the Prefix for the IPv6 address – number in range 0 to 128.
Default Gateway Specifies the IP address of a default gateway. If filled-in, every
packet with the destination not found in the routing table is sent to
this IP address. Use proper IP address notation in IPv4 and IPv6
column.
DNS Server Specifies the IP address of the DNS server. When the IP address
is not found in the Routing Table, the router forwards the request
to DNS server specified here. Use proper IP address notation in
IPv4 and IPv6 column.

Table 13: Configuration of the Network Interface – IPv4 and IPv6

The Default Gateway and DNS Server items are only used if the DHCP Client item is set
to disabled and if the ETH0 or ETH1 LAN is selected by the Backup Routes system as the
default route. (The selection algorithm is described in section 4.7). Since FW 5.3.0, Default
Gateway and DNS Server are also supported on bridged interfaces (e.g. eth0 + eth1).

The following three items (in the table below) are global for the configured Ethernet inter-
face. Only one bridge can be active on the router at a time. The DHCP Client, IP Address
and Subnet Mask / Prefix parameters of the only one of the interfaces are used to for the
bridge. ETH0 LAN has higher priority when both interfaces (ETH0, ETH1) are added to the
bridge. Other interfaces can be added to or deleted from an existing bridge at any time. The
bridge can be created on demand for such interfaces, but not if it is configured by their respec-
tive parameters.

28
ICR-3200

Item Description
Bridged Activates/deactivates the bridging function on the router.

• no – The bridging function is inactive (default).


• yes – The bridging function is active.

Media Type Specifies the type of duplex and speed used in the network.

• Auto-negation – The router automatically sets the best speed


and duplex mode of communication according to the network’s
possibilities.
• 100 Mbps Full Duplex – The router communicates at
100 Mbps, in the full duplex mode.
• 100 Mbps Half Duplex – The router communicates at
100 Mbps, in the half duplex mode.
• 10 Mbps Full Duplex – The router communicates at 10 Mbps,
in the full duplex mode.
• 10 Mbps Half Duplex – The router communicates at 10 Mbps,
in the half duplex mode.

MTU Maximum Transmission Unit value. Default value is 1500 bytes.


Table 14: Configuration of the Network Interface – global items

4.1.1 DHCP Server


The DHCP server assigns the IP address, gateway IP address (IP address of the router)
and IP address of the DNS server (IP address of the router) to the connected clients. If these
values are filled in by the user in the configuration form, they will be preferred.
The DHCP server supports static and dynamic assignment of IP addresses. Dynamic
DHCP assigns clients IP addresses from a defined address space. Static DHCP assigns IP
addresses that correspond to the MAC addresses of connected clients.
If IPv6 column is filled in, the DHCPv6 server is used. DHCPv6 server offers stateful ad-
dress configuration to connected clients. Only when the Subnet Prefix above is set to 64,
the DHCPv6 server offers both – the stateful address configuration and SLAAC (Stateless
Address Autoconfiguration).

Do not to overlap ranges of static allocated IP addresses with addresses allocated by the
dynamic DHCP server. IP address conflicts and incorrect network function can occur if
you overlap the ranges.

1
Available only on models equipped with the PoE PSE functionality.

29
ICR-3200

Item Description
Enable dynamic DHCP leases Select this option to enable a dynamic DHCP server.
IP Pool Start Starting IP addresses allocated to the DHCP clients.
Use proper notation in IPv4 and IPv6 column.
IP Pool End End of IP addresses allocated to the DHCP clients. Use
proper IP address notation in IPv4 and IPv6 column.
Lease time Time in seconds that the IP address is reserved before
it can be re-used.
Table 15: Configuration of Dynamic DHCP Server

Item Description
Enable static DHCP leases Select this option to enable a static DHCP server.
MAC Address MAC address of a DHCP client.
IPv4 Address Assigned IPv4 address. Use proper notation.
IPv6 Address Assigned IPv6 address. Use proper notation.
Table 16: Configuration of Static DHCP Server

4.1.2 IPv6 Prefix Delegation

This is an advanced configuration option. IPv6 prefix delegation works automatically


with DHCPv6 – use only if different configuration is desired and if you know the con-
sequences.

If you want to override the automatic IPv6 prefix delegation, you can configure it in this
form. You have to know your Subnet ID Width (part of IPv6 address), see Figure below for
the calculation help – it is an example: 48 bits is Site Prefix, 16 bits is Subnet ID (Subnet ID
Width) and 64 bits is Interface ID.

Figure 14: IPv6 Address with Prefix Example

30
ICR-3200

Item Description
Enable IPv6 prefix delegation Enables prefix delegation configuration filled-in below.
Subnet ID The decimal value of the Subnet ID of the Ethernet inter-
face. Maximum value depends on the Subnet ID Width.
Subnet ID Width The maximum Subnet ID Width depends on your Site
Prefix – it is the remainder to 64 bits.
Table 17: IPv6 prefix delegation configuration

4.1.3 802.1X Authentication to RADIUS Server

Authentication (802.1X) to RADIUS server can be enabled in next configuration section.


This functionality requires additional setting of identity and certificates as described in the
following table.

Item Description
Enable IEEE Select this option to enable 802.1X Authentication.
802.1X Authenti-
cation
Authentication Select authentication method (EAP-PEAPMSCHAPv2 or EAP-TLS).
Method
CA Certificate Definition of CA certificate for EAP-TLS authentication protocol.
Local Certificate Definition of local certificate for EAP-TLS authentication protocol.
Local Private Key Definition of local private key for EAP-TLS authentication protocol.
Identity User name – identity.
Password Access password. This item is available for EAP-PEAPMSCHAPv2
protocol only. Enter valid characters only, see chap. 2.3!
Local Private Key Definition of password for private key of EAP-TLS protocol. This item
Password is available for EAP-TLS protocol only. Enter valid characters only,
see chap. 2.3!
Table 18: Configuration of 802.1X Authentication

31
ICR-3200

4.1.4 LAN Configuration Examples


Example 1: IPv4 Dynamic DHCP Server, Default Gateway and DNS Server

• The range of dynamic allocated IPv4 addresses is from 192.168.1.2 to 192.168.1.4.


• The address is allocated for 600 second (10 minutes).
• Default gateway IP address is 192.168.1.20
• DNS server IP address is 192.168.1.20

Figure 15: Network Topology for Example 1

32
ICR-3200

Figure 16: LAN Configuration for Example 1

33
ICR-3200

Example 2: IPv4 Dynamic and Static DHCP server

• The range of allocated addresses is from 192.168.1.2 to 192.168.1.4.


• The address is allocated for 600 seconds (10 minutes).
• The client with the MAC address 01:23:45:67:89:ab has the IP address 192.168.1.10.
• The client with the MAC address 01:54:68:18:ba:7e has the IP address 192.168.1.11.

Figure 17: Network Topology for Example 2

34
ICR-3200

Figure 18: LAN Configuration for Example 2

35
ICR-3200

Example 3: IPv6 Dynamic DHCP Server

• The range of dynamic allocated IPv6 addresses is from 2001:db8::1 to 2001:db8::ffff.


• The address is allocated for 600 second (10 minutes).
• The router is still accessible via IPv4 (192.168.1.1).

Figure 19: Network Topology for Example 3

36
ICR-3200

Figure 20: LAN Configuration for Example 3

37
ICR-3200

4.2 VRRP Configuration


Select the VRRP menu item to enter the VRRP configuration. There are two submenus
which allows to configure up to two instances of VRRP. VRRP protocol (Virtual Router Redun-
dancy Protocol) allows you to transfer packet routing from the main router to a backup router in
case the main router fails. (This can be used to provide a wireless cellular backup to a primary
wired router in critical applications.) If the Enable VRRP is checked, you may set the following
parameters.

Item Description
Protocol Version Choose version of the VRRP (VRRPv2 or VRRPv3).
Virtual Server IP Address This parameter sets the virtual server IP address. This ad-
dress must be the same for both the primary and backup
routers. Devices on the LAN will use this address as their
default gateway IP address.
Virtual Server ID This parameter distinguishes one virtual router on the net-
work from another. The main and backup routers must use
the same value for this parameter.
Host Priority The active router with highest priority set by the parameter
Host Priority, is the main router. According to RFC 2338, the
main router should have the highest possible priority – 255.
The backup router(s) have a priority in the range 1 – 254
(default value is 100). A priority value of 0 is not allowed.
Table 19: VRRP configuration

You may set the Check connection flag in the second part of the window to enable au-
tomatic test messages for the cellular network. In some cases, the mobile WAN connection
could still be active but the router will not be able to send data over the cellular network. This
feature is used to verify that data can be sent over the PPP connection and supplements
the normal VRRP message handling. The currently active router (main/backup) will send test
messages to the defined Ping IP Address at periodic time intervals (Ping Interval) and wait for
a reply (Ping Timeout). If the router does not receive a response to the Ping command, it will
retry up to the number of times specified by the Ping Probes parameter. After that time, it will
switch itself to a backup router until the PPP connection is restored.
You may use the DNS server of the mobile carrier as the destination IP address for the test
messages (Pings).
The Enable traffic monitoring option can be used to reduce the number of messages that
are sent to test the PPP connection. When this parameter is set, the router will monitor the
interface for any packets different from a ping. If a response to the packet is received within the
timeout specified by the Ping Timeout parameter, then the router knows that the connection is
still active. If the router does not receive a response within the timeout period, it will attempt to
test the mobile WAN connection using standard Ping commands.

38
ICR-3200

Item Description
Ping IP Address Destinations IP address for the Ping commands. IP Address can
not be specified as a domain name.
Ping Interval Interval in seconds between the outgoing Pings.
Ping Timeout Time in seconds to wait for a response to the Ping.
Ping Probes Maximum number of failed ping requests.
Table 20: Check connection

Example of the VRRP protocol:

Figure 21: Topology of VRRP configuration example

Figure 22: Example of VRRP configuration – main router

39
ICR-3200

Figure 23: Example of VRRP configuration – backup router

40
ICR-3200

4.3 Mobile WAN Configuration

The ICR-3201 (LAN version) has no the Mobile WAN configuration menu option.

Select the Mobile WAN item in the Configuration menu section to enter the cellular network
configuration page. See Mobile WAN Configuration page in Figure 24.

Figure 24: Mobile WAN Configuration


41
ICR-3200

4.3.1 Connection to Mobile Network


If the Create connection to mobile network checkbox is checked, then the router will au-
tomatically attempt to establish a connection after booting up. You can specify the following
parameters for each SIM card separately.

Item Description
Carrier Available For NAM routers only. Network carrier selection. Provides
either automatic detection option, or manual selection of AT&T, Rogers
or Verizon.
APN Network identifier (Access Point Name).
Username The user name used for logging on to the GSM network.
Password The password used for logging on to the GSM network. Enter valid
characters only, see chap. 2.3!
Authentication Authentication protocol used in the GSM network:

• PAP or CHAP – The router selects the authentication method.


• PAP – The router uses the PAP authentication method.
• CHAP – The router uses the CHAP authentication method.

IP Mode Specifies the version of IP protocol used:

• IPv4 – IPv4 protocol is used only (default).


• IPv6 – IPv6 protocol is used only.
• IPv4/IPv6 – IPv4 and IPv6 independent dual stack is enabled.

IP Address For use in IPv4 and IPv4/IPv6 mode only. Specifies the IPv4 address
of the SIM card. You manually enter the IP address only when mobile
network carrier has assigned the IP address.
Dial Number Specifies the telephone number which the router dials for GPRS or
a CSD connection. The router uses the default telephone number
*99***1 #.
Operator Specifies the carrier code. You can specify this parameter as the PLNM
preferred carrier code.
Network type Specifies the type of protocol used in the mobile network.

Automatic selection - The router automatically selects the transmis-


sion method according to the availability of transmission technologies.
Automatic selection never selects NB-IoT networks. Use NB-IoT in the
selection for NB-IoT networks.
Continued on next page

42
ICR-3200

Continued from previous page

Item Description
PIN Specifies the PIN used to unlock the SIM card. Use only if this is re-
quired by a given SIM card. The SIM card will be blocked after several
failed attempts to enter the PIN.
MRU Maximum Receive Unit – maximum size of packet that the router can
receive via Mobile WAN. The default value is 1500 B. Other settings
may cause the router to receive data incorrectly. Minimal value in IPv4
and IPv4/IPv6 mode: 128 B. Minimal value in IPv6 mode: 1280 B.
MTU Maximum Transmission Unit – maximum size of packet that the router
can transmit via Mobile WAN. The default value is 1500 B. Other set-
tings may cause the router to transmit data incorrectly. Minimal value in
IPv4 and IPv4/IPv6 mode: 128 B. Minimal value in IPv6 mode: 1280 B.
Table 21: Mobile WAN Connection Configuration

The following list contains tips for working with the Mobile WAN configuration form:

• If the MTU size is set incorrectly, then the router will not exceed the data transfer. If the
MTU value is set too low, more frequent fragmentation of data will occur. More frequent
fragmentation will mean a higher overhead and also the possibility of packet damage
during defragmentation. In contrast, a higher MTU value can cause the network to drop
the packet.

• If the IP address field is left blank, when the router establishes a connection, the mobile
network carrier will automatically assign an IP address. If you assign an IP address
manually, then the router will access the network quicker.

• If the APN field is left blank, the router automatically selects the APN using the IMSI
code of the SIM card. The name of the chosen APN can be found in the System Log.

• If you enter the word blank in the APN field, then the router interprets the APN as blank.

The correct PIN must be filled in. An incorrect PIN may block the SIM card.

Parameters identified with an asterisk require you to enter the appropriate information only
if this information is required by the mobile network carrier.
When the router is unsuccessful in establishing a connection to mobile network, you should
verify accuracy of the entered data. Alternatively, you could try a different authentication
method or network type.

43
ICR-3200

4.3.2 DNS Address Configuration


The DNS Settings parameter is designed for easier configuration on the client’s side. When
this value is set to get from operator the router will attempt to automatically obtain an IP
address from the primary and secondary DNS server of the mobile network carrier. To specify
the IP addresses of the Primary DNS servers manually, on the DNS Server pull down list
select the value set manually. You can also fill-in the IPv4 or IPv6 address of the DNS server
(or both) based on the IP Mode option.

4.3.3 Check Connection to Mobile Network

Enabling the Check Connection function for mobile networks is necessary for uninter-
rupted and continuous operation of the router.

If the Check Connection item is set to enabled or enabled + bind, the router will be sending
the ping requests to the specified domain or IP address configured in Ping IP Address or Ping
IPv6 Address at regular time intervals set up in the Ping Interval.
In case of an unsuccessful ping, a new ping will be sent after the Ping Timeout. If the ping
is unsuccessful three times in a row, the router will terminate the cellular connection and will
attempt to establish a new one.
This monitoring function can be set for both SIM cards separately, but running on the active
SIM at given time only. Be sure, you configure a functional address as the destination for the
ping, for example an IP address of the operator’s DNS server.
If the Check Connection item is set to the enabled, the ping requests are being sent on
the basis of the routing table. Therefore, the requests may be sent through any available
interface. If you require each ping request to be sent through the network interface, which was
created when establishing a connection to the mobile operator, it is necessary to set the Check
Connection to enabled + bind. The disabled option deactivates checking of the connection to
the mobile network.

A note for routers connected to the Verizon carrier (detected by the router):
The retry interval for connecting to the mobile network prolongs with more retries. First
two retries are done after 1 minute. Then the interval prolongs to 2, 8 and 15 minutes.
The ninth and every other retry is done in 90 minutes interval.

If Enable Traffic Monitoring item is checked, the router will monitor the Mobile WAN traffic
without sending the ping requests. If there is no traffic, the router will start sending the ping
requests.

4.3.4 Check Connection Example


The figure below displays the following scenario: the connection to the mobile network in
IPv4 IP Mode is controlled on the address 8.8.8.8 with a time interval of 60 seconds for the

44
ICR-3200

Item Description
Ping IP Address Specifies the ping queries destination IPv4 address or domain
name. Available in IPv4 and IPv4/IPv6 IP Mode.
Ping IPv6 Address Specifies the ping queries destination IPv6 address or domain
name. Available in IPv6 and IPv4/IPv6 IP Mode.
Ping Interval Specifies the time interval between outgoing pings.
Ping Timeout Time in seconds to wait for a Ping response.
Table 22: Check Connection to Mobile Network Configuration

first SIM card and on the address www.google.com with the time interval 80 seconds for the
second SIM card (for an active SIM only). Because the Enable traffic monitoring option is
enabled, the control pings are not sent, but the data stream is monitored. The ping will be
sent, if the data stream is interrupted.

Figure 25: Check Connection Example

4.3.5 Data Limit Configuration


If the parameter Data Limit State (see below) is set to not applicable or Send SMS when data
limit is exceeded in SMS Configuration is not selected, the Data Limit set here will be ignored.

4.3.6 Switch between SIM Cards Configuration


In the lower part of the configuration form you can specify the rules for toggling between
the two SIM cards.
The router will automatically toggle between the SIM cards and their individual setups depend-
ing on the configuration settings specified here (manual permission, roaming, data limit, binary
input state). Note that the SIM card selected for connection establishment is the result of the
logical product (AND) of the configuration here (table below).

45
ICR-3200

Item Description
Data Limit Specifies the maximum expected amount of data transmitted (sent
and received) over mobile interface in one billing period (one
month). Maximum value is 2 TB (2097152 MB).
Warning Threshold Specifies a percentage of the "Data Limit" in the range of 50 % to
99 %. If the given percentage data limit is exceeded, the router will
send an SMS in the following form; Router has exceeded (value
of Warning Threshold) of data limit.
Accounting Start Specifies the day of the month in which the billing cycle starts for
a given SIM card. When the service provider that issued the SIM
card specifies the start of the billing period, the router will begin to
count the amount of data transferred starting on this day.
Table 23: Data Limit Configuration

Item Description
SIM Card Enable or disable the use of a SIM card. If you set all the SIM
cards to disabled, this means that the entire cellular module is
disabled.

• enabled – It is possible to use the SIM card.


• disabled – Never use the SIM card, the usage of this SIM
is forbidden.

Roaming State Configure the use of SIM cards based on roaming. This roaming
feature has to be activated for the SIM card on which it is enabled!

• not applicable – It is possible to use the SIM card every-


where.
• home network only – Only use the SIM card if roaming is
not detected.

Data Limit State Configure the use of SIM cards based on the Data Limit set
above:

• not applicable – It is possible to use the SIM regardless of


the limit.
• not exceeded – Use the SIM card only if the Data Limit (set
above) has not been exceeded.

Continued on next page

46
ICR-3200

Continued from previous page

Item Description
BINx State Configure the use of SIM cards based on binary input x state,
where x is the input number:

• not applicable – It is possible to use the SIM regardless of


BINx state.
• on – Only use the SIM card if the BINx state is logical 0 –
voltage present.
• off – Only use the SIM card if the BINx state is logical 1 –
no voltage.

Table 24: Switch between SIM cards configuration

Use the following parameters to specify the decision making of SIM card switching in the
cellular module.

Item Description
Default SIM Card Specifies the modules’ default SIM card. The router will attempt
to establish a connection to mobile network using this default.

• 1st – The 1st SIM card is the default one.


• 2nd – The 2nd SIM card is the default one.

Initial State Specifies the action of the cellular module after the SIM card has
been selected.

• online – establish connection to the mobile network after


the SIM card has been selected (default).
• offline – go to the off-line mode after the SIM card has been
selected.

Note: If offline, you can change this initial state by SMS message
only – see SMS Configuration. The cellular module will also go
into off-line mode if none of the SIM cards are not selected.
Switch to other SIM Applicable only when connection is established on the default
card when connec- SIM card and then fails. If the connection failure is detected by
tion fails Check Connection feature above, the router will switch to the
backup SIM card.
Continued on next page

47
ICR-3200

Continued from previous page

Item Description
Switch to default SIM If enabled, after timeout, the router will attempt to switch back
card after timeout to the default SIM card. This applies only when there is default
SIM card defined and the backup SIM is selected beacuse of a
failure of the default one or if roaming settings cause the switch.
This feature is available only when Switch to other SIM card when
connection fails is enabled.
Initial Timeout Specifies the length of time that the router waits before the first at-
tempt to revert to the default SIM card, the range of this parameter
is from 1 to 10000 minutes.
Subsequent Timeout Specifies the length of time that the router waits after an unsuc-
cessful attempt to revert to the default SIM card, the range is from
1 to 10000 min.
Additive Constant Specifies the length of time that the router waits for any further
attempts to revert to the default SIM card. This length time is the
sum of the time specified in the "Subsequent Timeout" param-
eter and the time specified in this parameter. The range in this
parameter is from 1 to 10000 minutes.
Table 25: Parameters for SIM card switching

48
ICR-3200

4.3.7 Examples of SIM Card Switching Configuration


Example 1: Timeout Configuration

Mark the Switch to default SIM card after timeout check box, and fill-in the following values:

Figure 26: Configuration for SIM card switching Example 1

The first attempt to change to the default SIM card is carried out after 60 minutes. When
the first attempt fails, a second attempt is made after 30 minutes. A third attempt is made after
50 minutes (30+20). A fourth attempt is made after 70 minutes (30+20+20).

49
ICR-3200

Example 2: Data Limit Switching

The following configuration illustrates a scenario in which the router changes to the second
SIM card after exceeding the data limit of 800 MB on the first (default) SIM card. The router
sends a SMS upon reaching 400 MB (this settings has to be enabled on the SMS Configuration
page). The accounting period starts on the 18th day of the month.

Figure 27: Configuration for SIM card switching Example 2

4.3.8 PPPoE Bridge Mode Configuration


If you mark the Enable PPPoE bridge mode check box, the router activates the PPPoE
bridge protocol. PPPoE (point-to-point over ethernet) is a network protocol for encapsulating
Point-to-Point Protocol (PPP) frames inside Ethernet frames. The bridge mode allows you to
create a PPPoE connection from a device behind the router. For example, a PC connected to
the ETH port of the router. You assign the IP address of the SIM card to the PC. The changes
in settings will apply after clicking the Apply button.

50
ICR-3200

4.4 PPPoE Configuration


PPPoE (Point-to-Point over Ethernet) is a network protocol which encapsulates PPP
frames into Ethernet frames. The router uses the PPPoE client to connect to devices sup-
porting a PPPoE bridge or server. The bridge or server is typically an ADSL router.
To open the PPPoE Configuration page, select the PPPoE menu item. If you mark the
Create PPPoE connection check box, then the router attempts to establish a PPPoE connec-
tion after boot up. After connecting, the router obtains the IP address of the device to which
it is connected. The communications from a device behind the PPPoE server is forwarded to
the router.

Figure 28: PPPoE Configuration

Item Description
Username Username for secure access to PPPoE.
Password Password for secure access to PPPoE. Enter valid characters only,
see chap. 2.3!
Continued on next page

51
ICR-3200

Continued from previous page

Item Description
Authentication Authentication protocol in GSM network.

• PAP or CHAP – The router selects the authentication method.


• PAP – The router uses the PAP authentication method.
• CHAP – The router uses the CHAP authentication method.

IP Mode Specifies the version of IP protocol:

• IPv4 – IPv4 protocol is used only (default).


• IPv6 – IPv6 protocol is used only.
• IPv4/IPv6 – IPv4 and IPv6 dual stack is enabled.

MRU Specifies the Maximum Receiving Unit. The MRU identifies the max-
imum packet size, that the router can receive via PPPoE. The default
value is 1492 B (bytes). Other settings can cause incorrect data trans-
mission. Minimal value in IPv4 and IPv4/IPv6 mode is 128 B. Minimal
value in IPv6 mode is 1280 B.
MTU Specifies the Maximum Transmission Unit. The MTU identifies the
maximum packet size, that the router can transfer in a given environ-
ment. The default value is 1492 B (bytes). Other settings can cause
incorrect data transmission. Minimal value in IPv4 and IPv4/IPv6
mode is 128 B. Minimal value in IPv6 mode is 1280 B.
DNS Settings Can be set to obtain the DNS address from the server or to set it
manually.
DNS IP Address Manual setting of DNS address.
DNS IP Address Manual setting of IPv6 DNS address.
Interface Select an Ethernet interface.
VLAN Tagging Select yes to turn on the VLAN tagging.
VLAN ID Set the ID for VLAN tagging. The range is from 1 to 1000.
Table 26: PPPoE configuration

Setting an incorrect packet size value (MRU, MTU) can cause unsuccessful transmission.

52
ICR-3200

4.5 WiFi Access Point Configuration

This item is available only if the router is equipped with a WiFi module.

ICR-3241(W)-1ND models may have some default configurations different or restricted.

Configuration of two separated WLANs (Multiple SSIDs) is supported.

Multi-role mode, which allows to operate as access point (AP) and station (STA) simultane-
ously, is supported. The multichannel mode is not supported, so the AP and the STA must
operate on the same channel only. Please note, that only one AP can be activated together
with the STA in operation.

RADIUS (Remote Authentication Dial-In User Service) networking protocol that provides cen-
tralized Authentication, Authorization, and Accounting (AAA) management for users is sup-
ported on WiFi. The router can be RADIUS client only (not the server) – typically as a WiFi
AP (Access Point) negotiating with the RADIUS server.

Activate WiFi access point mode by checking Enable WiFi AP box at the top of the Con-
figuration -> WiFi -> Access Point 1 or Access Point 2 configuration pages. In this mode the
router becomes an access point to which other devices in station (STA) mode can connect.
You may set the following properties listed in the table below.

Item Description
Enable WiFi AP Enable WiFi access point (AP).
IP Address A fixed IP address of the WiFi interface. Use IPv4 notation in IPv4
column and IPv6 notation in IPv6 column. Shortened IPv6 notation
is supported.
Subnet Mask / Pre- Specifies a Subnet Mask for the IPv4 address. In the IPv6 column,
fix fill in the Prefix for the IPv6 address – number in range 0 to 128.
Bridged Activates bridge mode:

• no – Bridged mode is not allowed (default value). WLAN net-


work is not connected with LAN network of the router.
• yes – Bridged mode is allowed. WLAN network is connected
with one or more LAN networks of the router. In this case,
the setting of most items in this table are ignored. Instead,
the router uses the settings of the selected network interface
(LAN).

Enable dynamic Enable dynamic allocation of IP addresses using the DHCP


DHCP leases (DHCPv6) server.
Continued on next page

53
ICR-3200

Continued from previous page

Item Description
IP Pool Start Beginning of the range of IP addresses which will be assigned to
DHCP clients. Use proper notation in IPv4 and IPv6 column.
IP Pool End End of the range of IP addresses which will be assigned to DHCP
clients. Use proper notation in IPv4 and IPv6 column.
Lease Time Time in seconds for which the client may use the IP address.
Enable IPv6 prefix Enables prefix delegation configuration filled-in below.
delegation
Subnet ID The decimal value of the Subnet ID of the Ethernet inter face. Max-
imum value depends on the Subnet ID Width.
Subnet ID Width The maximum Subnet ID Width depends on your Site.
Prefix – it is the remainder to 64 bits.
SSID The unique identifier of WiFi network.
Broadcast SSID Method of broadcasting the unique identifier of SSID network in bea-
con frame and type of response to a request for sending the beacon
frame.

• Enabled – SSID is broadcasted in beacon frame


• Zero length – Beacon frame does not include SSID. Requests
for sending beacon frame are ignored.
• Clear – All SSID characters in beacon frames are replaced
by 0. Original length is kept. Requests for sending beacon
frames are ignored.

SSID Isolation When enabled, by choosing a zone, a WiFi client connected to this
Access Point is not able to communicate with another WiFi client
connected to another Access Point, having another zone selected.
This client still can communicate with a client connected to the same
Access Point, unless the Client Isolation is not enabled.
Client Isolation If checked, the access point will isolate every connected client so
they do not see each other (they are in different networks, they can-
not PING between each other). If unchecked, the access point be-
havior is like a switch, but wireless – the clients are in the same LAN
and can see each other.
WMM Basic QoS for WiFi networks is enabled by checking this item. This
version doesn’t guarantee network throughput. It is suitable for sim-
ple applications that require QoS.
Continued on next page

54
ICR-3200

Continued from previous page

Item Description
Country Code This option is not available for NAM routers – the "US" country
code is set by default on these versions of router.
Code of the country where the router is installed. This code must be
entered in ISO 3166-1 alpha-2 format. If a country code isn’t speci-
fied and the router has not implemented a system to determine this
code, it will use "US" as the default country code.
If no country code is specified or if the wrong country code is en-
tered, the router may violate country-specific regulations for the use
of WiFi frequency bands.
HW Mode HW mode of WiFi standard that will be supported by WiFi access
point.

• IEEE 802.11b (2.4 GHz)


• IEEE 802.11b+g (2.4 GHz)
• IEEE 802.11b+g+n (2.4 GHz)
• IEEE 802.11a (5 GHz)
• IEEE 802.11a+n (5 GHz)
• IEEE 802.11ac (5 GHz)

Channel The channel, where the WiFi AP is transmitting.


Supported 2.4 GHz channels: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13.
On NAM routers only channels 1 to 11 are supported!
Supported 5 GHz channels: 36, 38, 40, 42, 44, 46, 48, 149, 153,
157, 161, 165.
Bandwidth The option for HW mode 802.11n which allows to choose the band-
width. If the 40 MHz channel is occupied, for 802.11bgn mode, the
20 MHz channel is used instead.
Short GI The option for HW mode 802.11n which allows to enable the short
guard interval (GI) of 400 ns instead of 800 ns.
Continued on next page

55
ICR-3200

Continued from previous page

Item Description
Authentication Access control and authorization of users in the WiFi network.

• Open – Authentication is not required (free access point).


• Shared – Basic authentication using WEP key.
• WPA-PSK – Authentication using higher authentication meth-
ods PSK-PSK.
• WPA2-PSK – WPA2-PSK using newer AES encryption.
• WPA3-PSK – WPA3-PSK using newer AES encryption.
• WPA-Enterprise – RADIUS authentication done by external
server via username and password.
• WPA2-Enterprise – RADIUS authentication with better en-
cryption.
• WPA3-Enterprise – RADIUS authentication with better en-
cryption.
• 802.1X – RADIUS authentication with port-based Network Ac-
cess Control (PNAC) using encapsulation of the Extensible
Authentication Protocol (EAP) over LAN – EAPOL.

Encryption Type of data encryption in the WiFi network:

• None – No data encryption.


• WEP – Encryption using static WEP keys. This encryption can
be used for Shared authentication.
• TKIP – Dynamic encryption key management that can be
used for WPA-PSK and WPA2-PSK authentication.
• AES – Improved encryption used for WPA2-PSK authentica-
tion.

WEP Key Type Type of WEP key for WEP encryption:

• ASCII – WEP key in ASCII format.


• HEX – WEP key in hexadecimal format.

WEP Default Key This specifies the default WEP key.


Continued on next page

56
ICR-3200

Continued from previous page

Item Description
WEP Key 1–4 Allows entry of four different WEP keys:

• WEP key in ASCII format must be entered in quotes. This key


can be specified in the following lengths.

– 5 ASCII characters (40b WEP key)


– 13 ASCII characters (104b WEP key)
– 16 ASCII characters (128b WEP key)

• WEP key in hexadecimal format must be entered in hexadeci-


mal digits. This key can be specified in the following lengths.

– 10 hexadecimal digits (40b WEP key)


– 26 hexadecimal digits (104b WEP key)
– 32 hexadecimal digits (128b WEP key)

WPA PSK Type The possible key options for WPA-PSK authentication.

• 256-bit secret
• ASCII passphrase
• PSK File

WPA PSK Key for WPA-PSK authentication. This key must be entered accord-
ing to the selected WPA PSK type as follows:

• 256-bit secret – 64 hexadecimal digits


• ASCII passphrase – 8 to 63 characters
• PSK File – absolute path to the file containing the list of pairs
(PSK key, MAC address)

RADIUS Auth IPv4 or IPv6 address of the RADIUS server. Only with one of RA-
Server IP DIUS authentications selected.
RADIUS Auth RADIUS server access password. Only with one of RADIUS au-
Password thentications selected.
RADIUS Auth Port RADIUS server port. The default is 1812. Only with one of RADIUS
authentications selected.
RADIUS Acct IPv4 or IPv6 address of the RADIUS accounting server. Define only
Server IP if different from the authentication and authorization server. Only
with one of RADIUS authentications selected.
Continued on next page

57
ICR-3200

Continued from previous page

Item Description
RADIUS Acct Access password of RADIUS accounting server. Define only if dif-
Password ferent from the authentication and authorization server. Only with
one of RADIUS authentications selected.
RADIUS Acct Port RADIUS accounting server port. The default is 1813. Define only if
different from the authentication and authorization server. Only with
one of RADIUS authentications selected.
Access List Mode of Access/Deny list.

• Disabled – Access/Deny list is not used.


• Accept – Clients in Accept/Deny list can access the network.
• Deny – Clients in Access/Deny list cannot access the network.

Accept/Deny List Accept or Denny list of client MAC addresses that set network ac-
cess. Each MAC address is separated by new line.
Syslog Level Logging level, when system writes to the system log.

• Verbose debugging – The highest level of logging.


• Debugging
• Informational – Default level of logging.
• Notification
• Warning – The lowest level of system communication.

Extra options Allows the user to define additional parameters.


Table 27: WiFi Configuration

58
ICR-3200

Figure 29: WiFi Access Point Configuration

59
ICR-3200

4.6 WiFi Station Configuration

This item is available only if the router is equipped with a WiFi module.

ICR-3241(W)-1ND models may have some default configurations different or restricted.

The WiFi module supports multi-role mode which allows to operate as access point (AP) and
station (STA) simultaneously. The multichannel mode is not supported, so the AP and the STA
must operate on the same channel only.

Activate WiFi station mode by checking Enable WiFi STA box at the top of the Configuration
-> WiFi -> Station configuration page. In this mode the router becomes a client station. It will
receive data packets from the available access point (AP) and send data from cable connection
via the WiFi network. You may set the following properties listed in the table below.

In WiFi STA mode, only the authentication method EAP-PEAP/MSCHAPv2 (both PEAPv0 and
PEAPv1) and EAP-TLS are supported.

Item Description
Enable WiFi STA Enable WiFi station (STA).
DHCP Client Activates/deactivates DHCP client. If in IPv6 column, the DHCPv6
client is enabled.
IP Address A fixed IP address of the WiFi interface. Use IPv4 notation in
IPv4 column and IPv6 notation in IPv6 column. Shortened IPv6
notation is supported.
Subnet Mask / Prefix Specifies a Subnet Mask for the IPv4 address. In the IPv6 column,
fill in the Prefix for the IPv6 address – number in range 0 to 128.
Default Gateway Specifies the IP address of a default gateway. If filled-in, every
packet with the destination not found in the routing table is sent
there. Use proper IP address notation in IPv4 and IPv6 column.
DNS Server Specifies the IP address of the DNS server. When the IP address
is not found in the Routing Table, the this DNS server is requested.
Use proper IP address notation in IPv4 and IPv6 column.
SSID The unique identifier of WiFi network.
Probe Hidden Probes hidden SSID
SSID
Country Code This option is not available for NAM routers – the "US" country
code is set by default on these versions of router.
Code of the country where the router is installed. This code must
be entered in ISO 3166-1 alpha-2 format. If a country code isn’t
specified and the router has not implemented a system to deter-
mine this code, it will use "US" as the default country code.
If no country code is specified or if the wrong country code is en-
tered, the router may violate country-specific regulations for the
use of WiFi frequency60 bands.
Continued on next page
ICR-3200

Continued from previous page

Item Description
Authentication Access control and authorization of users in the WiFi network.

• Open – Authentication is not required (free access point).


• Shared – Basic authentication using WEP key.
• WPA-PSK – Authentication using higher authentication
methods PSK-PSK.
• WPA2-PSK – WPA2-PSK using newer AES encryption.
• WPA3-PSK – WPA3-PSK using newer AES encryption.
• WPA-Enterprise – RADIUS authentication done by external
server via username and password.
• WPA2-Enterprise – RADIUS authentication with better en-
cryption.
• WPA3-Enterprise – RADIUS authentication with better en-
cryption.
• 802.1X – RADIUS authentication with port-based Network
Access Control (PNAC) using encapsulation of the Extensi-
ble Authentication Protocol (EAP) over LAN – EAPOL.

Encryption Type of data encryption in the WiFi network:

• None – No data encryption.


• WEP – Encryption using static WEP keys. This encryption
can be used for Shared authentication.
• TKIP – Dynamic encryption key management that can be
used for WPA-PSK and WPA2-PSK authentication.
• AES – Improved encryption used for WPA2-PSK authenti-
cation.

WEP Key Type Type of WEP key for WEP encryption:

• ASCII – WEP key in ASCII format.


• HEX – WEP key in hexadecimal format.

WEP Default Key This specifies the default WEP key.


Continued on next page

61
ICR-3200

Continued from previous page

Item Description
WEP Key 1–4 Allows entry of four different WEP keys:

• WEP key in ASCII format must be entered in quotes. This


key can be specified in the following lengths.

– 5 ASCII characters (40b WEP key)


– 13 ASCII characters (104b WEP key)
– 16 ASCII characters (128b WEP key)

• WEP key in hexadecimal format must be entered in hex-


adecimal digits. This key can be specified in the following
lengths.

– 10 hexadecimal digits (40b WEP key)


– 26 hexadecimal digits (104b WEP key)
– 32 hexadecimal digits (128b WEP key)

WPA PSK Type The possible key options for WPA-PSK authentication.

• 256-bit secret
• ASCII passphrase
• PSK File

WPA PSK Key for WPA-PSK authentication. This key must be entered ac-
cording to the selected WPA PSK type as follows:

• 256-bit secret – 64 hexadecimal digits


• ASCII passphrase – 8 to 63 characters
• PSK File – absolute path to the file containing the list of pairs
(PSK key, MAC address)

RADIUS EAP Type of authentication protocol (EAP-PEAP/MSCHAPv2 or EAP-


Authentication TLS).
RADIUS CA Definition of CA certificate for EAP-TLS authentication protocol.
Certificate
RADIUS Local Definition of local certificate for EAP-TLS authentication protocol.
Certificate
RADIUS Local Definition of local private key for EAP-TLS authentication protocol.
Private Key
Continued on next page

62
ICR-3200

Continued from previous page

Item Description
RADIUS Identity RADIUS user name – identity. Only with one of RADIUS authenti-
cations selected.
RADIUS Password RADIUS access password. Only with one of RADIUS authentica-
tions selected.
Syslog Level Logging level, when system writes to the system log.

• Verbose debugging – The highest level of logging.


• Debugging
• Informational – Default level of logging.
• Notification
• Warning – The lowest level of system communication.

Extra options Allows the user to define additional parameters.


Table 28: WLAN Configuration

All changes in settings will apply after pressing the Apply button.

63
ICR-3200

Figure 30: WiFi Station Configuration

64
ICR-3200

4.7 Backup Routes


Using the configuration form on the Backup Routes page (see Figure 31), you can back
up the primary connection with alternative connections to the Internet (mobile network) or
enable Multiple WANs mode. It is also possible to prioritize each backup connection option.
Switching between connections is carried out according to the order of priority and the state
of the connections.

Item Description
Enable backup The default route is selected according to the settings below. If dis-
routes switching abled (unchecked), the backup routes system operates in the back-
ward compatibility mode based on the default priorities of the network
interfaces (listed below).
Mode • Single WAN – The default mode. Only one interface is used for
WAN communication at a time. Other interfaces are used for
WAN when the preferred interface fails, based on the priorities
set.
• Multiple WANs – Multiple interfaces can be used for WAN con-
nection. When WAN communication via multiple interfaces is
received, the same interface is used in reply, therefor; the traf-
fic will stay on the given interface. The set priorities are used
when transmitting data from the router or from the network be-
hind the router. The highest priority interface is used for these
transmissions.
• Load Balancing – In this mode, the weight for every interface
can be set. This setting determines the relative number of data
streams going through the interfaces. Please note that this may
not exactly match the amount of data, it very depends on the
number of streams and the structure of the data.

Table 29: Backup Route Modes

Please note that the weight setting for load balancing may not exactly match the amount
of balanced data. It depends on the number of data flows and the structure of the data.
The best result of the balancing is achieved for a high amount of data flows.

To add the network interfaces to the backup routes system, mark the checkbox(s) for some
of the following interface options: Enable backup routes switching for Mobile WAN, Enable
backup routes switching for PPPoE, Enable backup routes switching for WiFi STA, Enable
backup routes switching for ETH0, Enable backup routes switching for ETH1. Enabled inter-
faces are then used for WAN access either in Single WAN mode (only one interface at a time)
or in Multiple WANs mode (multiple interfaces at a time), based on the priorities set.

65
ICR-3200

If you want to use a mobile WAN connection as a backup route, you must choose the
enable + bind option in the Check Connection item on the Mobile WAN page and fill in
the ping address. See chapter 4.3.1.

Settings, which can be made for an interface, is described in the table below.

Item Description
Priority Priority for the type of connection (network interface).
Ping IP Address Destination IPv4 address or domain name of ping queries to check
the connection.
Ping IPv6 Address Destination IPv6 address or domain name of ping queries to check
the connection.
Ping Interval The time interval between consecutive ping queries.
Ping Timeout Time in seconds to wait for a response to the Ping.
Weight Weight for the Load Balancing mode only. The number from 1 to
256 determines the ratio for load balancing of the interface.
For example, if two interfaces have set up the weight to 1, the ratio
is 50% to 50%. If they have set up the weight to 1 and 4, the ratio
is 20% to 80%.
Table 30: Backup Routes

Network interfaces belonging to individual backup routes are also checked before use for
flags which indicate the state of the interface. (E.g. RUNNING on the Network Status page.)
This prevents, for example, the disconnection of an Ethernet cable. You can fill-in one or both
Ping IP Addresses (IPv4 and IPv6) – based on IP protocol used on particular network interface
and WAN connection settings. IPv4 and IPv6 are dual stack implemented in the router. Any
changes made to settings will be applied after pressing the Apply button.

4.7.1 Default Priorities for Backup Routes


If the Enable backup routes switching check box is unchecked, the backup routes system
will operate in the backward compatibility mode. The router selects the route based on the de-
fault priorities of the enabled settings for each of the network interfaces, enabling appropriate
services that comply with these network interfaces. The following list contains the names of
backup routes and corresponding network interfaces in order of default priorities:
• Mobile WAN (pppX, usbX)
• PPPoE (ppp0)
• WiFi STA (wlan0)
• ETH1 (eth1)
• ETH0 (eth0)

66
ICR-3200

Example of default priorities: Backup Routes function is disabled. The router selects the
ETH1 as the default route only if you unmark the Create connection to mobile network check
box on the Mobile WAN page, unmark the Create PPPoE connection check box on the PPPoE
page and unmark the Enable WiFi STA on the WiFi -> Station page. To select the ETH0, delete
the IP address from the ETH1 page and disable the DHCP Client for the ETH1.

Note: Consider there is a concept of variable WAN and LAN interfaces even if the Backup
Routes are not enabled. The situation may occur, that LAN intended interface becomes WAN
interface (because of specified or default priorities). Communication from WAN interface to
LAN interface can then be blocked depending on the NAT and Firewall Configuration.

67
ICR-3200

Figure 31: Backup Routes Configuration

68
ICR-3200

4.8 Static Routes


Static routes can be specified on the Static Routes configuration page. A static route
provide fixed routing path through the network. It is manually configured on the router and
must be updated if the network topology was changed recently. Static routes are private
routers unless they are redistributed by a routing protocol. There are two forms, one for IPv4
and the second for IPv6 configuration. Static routes configuration form for IPv4 is shown on
Figure 32.

Figure 32: Static Routes Configuration

The description of all items is listed in Table 31.

Item Description
Enable IPv4 static If checked, static routing functionality is enabled. Active are only
routes routes enabled by the checkbox in the first column of the table.
Destination Network The destination IP address of the remote network or host to which
you want to assign a static route.
Mask or Prefix The subnet mask of the remote network or host IP address.
Length
Gateway IP address of the gateway device that allows for contact between
the router and the remote network or host.
Metric Metric definition, means number rating of the priority for the route
in the routing table. Routes with lower metrics have higher priority.
Interface Select an interface the remote network or host is on.
Table 31: Static Routes Configuration for IPv4

69
ICR-3200

4.9 Firewall Configuration

ICR-3241(W)-1ND models may have some default configurations different or restricted.

The first security element for incoming packets is a check of the enabled source IP ad-
dresses and destination ports. There is an independent IPv4 and IPv6 firewall since there is
dual stack IPv4 and IPv6 implemented in the router. If you click the Firewall item in the Con-
figuration menu on the left, it will expand to IPv4 and IPv6 optionsm and you can click IPv6 to
enable and configure the IPv6 firewall – see Figure below. The configuration fields have the
same meaning in the IPv4 Firewall Configuration and IPv6 Firewall Configuration forms.

Figure 33: Firewall Configuration – IPv6 Firewall

The first section of the configuration form specifies the incoming firewall policy. If the En-
able filtering of incoming packets check box is unchecked, all incoming packets are accepted.

70
ICR-3200

If checked, and a packet comes from the WAN interface, then the router forwards this packet
to the INPUT iptable chain. When the INPUT chain accepts the packet, and there is a rule
matching this packet with the Action set to allow, the router accepts the packet. The packet
is dropped if an INPUT rule is unavailable or the Action is set to deny. You can specify the
rules for IP addresses, protocols, and ports to allow or deny access to the router and internal
network behind the router. It is possible to specify up to sixteen rules when each rule can
be enabled/disabled by ticking the checkbox on the left of the rule row. Please note that the
incoming rules are applied to the WAN interface only. See Chapter 4.7.1 to see the priority
rules for the WAN interfaces. See Table 32 for the incoming definition table description.

Item Description
Source IP address the rule applies to. Use IPv4 address in IPv4 Firewall
Configuration and IPv6 address in IPv6 Firewall Configuration.
Protocol Specifies the protocol the rule applies to:
• all – The rule applies to all protocols.
• TCP – The rule applies to TCP protocol.
• UDP – The rule applies to UDP protocol.
• GRE – The rule applies to GRE protocol.
• ESP – The rule applies to ESP protocol.
• ICMP/ICMPv6 – The rule applies to ICMP protocol. In IPv6
Firewall Configuration there is the ICMPv6 option.

Target Port(s) The port numbers range allowing access to the router. Enter the
initial and final port numbers separated by the hyphen mark. One
static port is allowed as well.
Action Specifies the rule – the type of action the router performs:
• allow – The router allows the packets to enter the network.
• deny – The router denies the packets from entering the net-
work.

Description Description of the rule.


Table 32: Filtering of Incoming Packets

The next section of the configuration form specifies the forwarding firewall policy. If the
Enabled filtering of forwarded packets check box is unchecked, all incoming packets are ac-
cepted. If checked, and a packet is addressed to another network interface, then the router
forwards this packet to the FORWARD iptable chain. When the FORWARD chain accepts the
packet, and there is a rule for forwarding it, the router forwards the packet. If a forwarding rule
is unavailable, then the packet is dropped. It is possible to specify up to sixteen rules when

71
ICR-3200

each rule can be enabled/disabled by ticking the checkbox on the left of the rule row. The for-
warding setting is applied to all interfaces, regardless of whether it is the WAN interface. The
configuration form also contains a table for specifying the filter rules. It is possible to create
a rule to allow data with the selected protocol specifying only the protocol or to create stricter
rules by specifying values for source IP addresses, destination IP addresses, and ports. See
Table 33 for the forwarding definition table description.

Item Description
Source IP address the rule applies to. Use IPv4 address in IPv4 Firewall
Configuration and IPv6 address in IPv6 Firewall Configuration.
Destination Destination IP address the rule applies to. Use IPv4 address in IPv4
Firewall Configuration and IPv6 address in IPv6 Firewall Configura-
tion.
Protocol Specifies the protocol the rule applies to:
• all – The rule applies to all protocols.
• TCP – The rule applies to TCP protocol.
• UDP – The rule applies to UDP protocol.
• GRE – The rule applies to GRE protocol.
• ESP – The rule applies to ESP protocol.
• ICMP/ICMPv6 – The rule applies to ICMP protocol. In IPv6
Firewall Configuration there is the ICMPv6 option.

Target Port(s) The target port numbers. Enter the initial and final port numbers
separated by the hyphen mark. One static port is allowed as well.
Action Specifies the rule – the type of action the router performs:
• allow – The router allows the packets to enter the network.
• deny – The router denies the packets from entering the net-
work.

Description Description of the rule.


Table 33: Forwarding filtering

When you enable the Enable filtering of locally destined packets function, the router drops
the packets requesting an unsupported service. The packet is dropped automatically without
any information.
As a protection against DoS attacks, the Enable protection against DoS attacks limits the
number of allowed connections per second to five. The DoS attack floods the target system
with meaningless requirements.

72
ICR-3200

4.9.1 Example of the IPv4 Firewall Configuration


The router allows the following access:

• From IP address 171.92.5.45 using any protocol.


• From IP address 10.0.2.123 using the TCP protocol on port 1000.
• From IP address 142.2.26.54 using the ICMP protocol.
• from IP address 142.2.26.54 using the TCMP protocol on target ports from 1020 to 1040

See the network topology and configuration form in the figures below.

Figure 34: Topology for the IPv4 Firewall Configuration Example

73
ICR-3200

Figure 35: IPv4 Firewall Configuration Example

74
ICR-3200

4.10 NAT Configuration


To configure the address translation function, click on NAT in the Configuration section of
the main menu. There is independent IPv4 and IPv6 NAT configuration since there is dual
stack IPv4 and IPv6 implemented in the router. The NAT item in the menu on the left will
expand to IPv4 and IPv6 options and you can click IPv6 to enable and configure the IPv6
NAT – see Figure below. The configuration fields have the same meaning in the IPv4 NAT
Configuration and IPv6 NAT Configuration forms.
The router actually uses Port Address Translation (PAT), which is a method of mapping
a TCP/UDP port to another TCP/UDP port. The router modifies the information in the packet
header as the packets traverse a router. This configuration form allows you to specify up to 16
PAT rules.

Item Description
Public Port(s) The public port numbers range for NAT. Enter the initial and final
port numbers separated by the hyphen mark. One static port is
allowed as well.
Private Port(s) The private port numbers range for NAT. Enter the initial and final
port numbers separated by the hyphen mark. One static port is
allowed as well.
Type Protocol type – TCP or UDP.
Server IPv4 address In IPv4 NAT Configuration only. IPv4 address where the router
forwards incoming data.
Server IPv6 address In IPv6 NAT Configuration only. IPv6 address where the router
forwards incoming data.
Description Description of the rule.
Table 34: NAT Configuration

If you require more than sixteen NAT rules, insert the remaining rules into the Startup
Script. The Startup Script dialog is located on Scripts page in the Configuration section of the
menu. When creating your rules in the Startup Script, use this command for IPv4 NAT:

iptables -t nat -A pre_nat -p tcp --dport [PORT_PUBLIC] -j DNAT


--to-destination [IPADDR]:[PORT_PRIVATE]

Enter the IP address [IPADDR], the public ports numbers [PORT_PUBLIC], and private
[PORT_PRIVATE] in place of square brackets.
For IPv6 NAT use ip6tables command with same options.:

ip6tables -t nat -A napt -p tcp --dport [PORT_PUBLIC] -j DNAT


--to-destination [IP6ADDR]:[PORT_PRIVATE]

If you enable the following options and enter the port number, the router allows you to
remotely access to the router from WAN (Mobile WAN) interface.
75
ICR-3200

Figure 36: NAT – IPv6 NAT Configuration

76
ICR-3200

Item Description
Enable remote HTTP access on port This option sets the redirect from HTTP to
HTTPS only (disabled in default configuration).
Enable remote HTTPS access on port If field and port number are filled in, configura-
tion of the router over web interface is allowed
(disabled in default configuration).
Enable remote FTP access on port Select this option to allow access to the router
using FTP (disabled in default configuration).
Enable remote SSH access on port Select this option to allow access to the router
using SSH (disabled in default configuration).
Enable remote Telnet access on port Select this option to allow access to the router
using Telnet (disabled in default configuration).
Enable remote SNMP access on port Select this option to allow access to the router
using SNMP (disabled in default configuration).
Masquerade outgoing packets Activates/deactivates the network address tran-
slation function.
Table 35: Remote Access Configuration

Enable remote HTTP access on port activates the redirect from HTTP to HTTPS proto-
col only. The router doesn’t allow unsecured HTTP protocol to access the web configu-
ration. To access the web configuration, always check the Enable remote HTTPS access
on port item. Never enable the HTTP item only to access the web configuration from
the Internet (configuration would not be accessible from the Internet). Always check the
HTTPS item or HTTPS and HTTP items together (to set the redirect from HTTP).

Use the following parameters to set the routing of incoming data from the WAN (Mobile
WAN) to a connected computer.

Item Description
Send all remaining incoming Activates/deactivates forwarding unmatched incoming
packets to default server packets to the default server. The prerequisite for the
function is that you specify a default server in the Default
Server IPv4/IPv6 Address field. The router can forward
incoming data from a mobile WAN to a computer with
the assigned IP address.
Default Server IP Address In IPv4 NAT Configuration only. The IPv4 address.
Default Server IPv6 Address In IPv6 NAT Configuration only. The IPv6 address.
Table 36: Configuration of Send all incoming packets to server

77
ICR-3200

4.10.1 Examples of NAT Configuration


Example 1: IPv4 NAT Configuration with Single Device Connected

It is important to mark the Send all remaining incoming packets to default server check
box for this configuration. The IP address in this example is the address of the device behind
the router. The default gateway of the devices in the subnetwork connected to router is the
same IP address as displayed in the Default Server IPv4 Address field. The connected device
replies if a PING is sent to the IP address of the SIM card.

Figure 37: Topology for NAT Configuration Example 1

78
ICR-3200

Figure 38: NAT Configuration for Example 1

79
ICR-3200

Example 2: IPv4 NAT Configuration with More Equipment Connected

In this example, using the switch you can connect more devices behind the router. Every
device connected behind the router has its own IP address. Enter the address in the Server
IPv Address field in the NAT dialog. The devices are communicating on port 80, but you
can set port forwarding using the Public Port and Private Port fields in the NAT dialog. You
have now configured the router to access the 192.168.1.2:80 socket behind the router when
accessing the IP address 10.0.0.1:81 from the Internet. If you send a ping request to the
public IP address of the router (10.0.0.1), the router responds as usual (not forwarding). And
since the Send all remaining incoming packets to default server is inactive, the router denies
connection attempts.

Figure 39: Topology for NAT Configuration Example 2

80
ICR-3200

Figure 40: NAT Configuration for Example 2

81
ICR-3200

4.11 OpenVPN Tunnel Configuration


Select the OpenVPN item to configure an OpenVPN tunnel. The menu item will expand
and you will see four separate configuration pages: 1st Tunnel, 2nd Tunnel, 3rd Tunnel and
4th Tunnel. The OpenVPN tunnel function allows you to create a secure connection between
two separate LAN networks. The router allows you to create up to four OpenVPN tunnels. IPv4
and IPv6 dual stack is supported.

Item Description
Description Specifies the description or name of tunnel.
Interface Type TAP is basically at the Ethernet level (layer 2) and acts as
a switch, whereas TUN works at the network level (layer 3) and
routes packets on the VPN. TAP is bridging, whereas TUN is
routing.

• TUN – Choose the TUN mode.


• TAP – Choose the TAP mode, but remember first to con-
figure the bridge on the ethernet interface.

Protocol Specifies the communication protocol.

• UDP – The OpenVPN communicates using UDP.


• TCP server – The OpenVPN communicates using TCP in
server mode.
• TCP client – The OpenVPN communicates using TCP in
client mode.
• UDPv6 – The OpenVPN communicates using UDP over
IPv6.
• TCPv6 server – The OpenVPN communicates using TCP
over IPv6 in server mode.
• TCPv6 client – The OpenVPN communicates using TCP
over IPv6 in client mode.

UDP/TCP port Specifies the port of the relevant protocol (UDP or TCP).
1st Remote IP Specifies the first IPv4, IPv6 address or domain name of the op-
Address posite side of the tunnel.
2nd Remote IP Specifies the second IPv4, IPv6 address or domain name of the
Address opposite side of the tunnel.
Remote Subnet IPv4 address of a network behind opposite side of the tunnel.
Remote Subnet Mask IPv4 subnet mask of a network behind opposite tunnel’s side.
Continued on next page

82
ICR-3200

Continued from previous page

Item Description
Redirect Gateway Adds (rewrites) the default gateway. All the packets are then sent
to this gateway via tunnel, if there is no other specified default
gateway inside them.
Local Interface IP Specifies the IPv4 address of a local interface. For proper rout-
Address ing it is recommended to fill-in any IPv4 address from local
range even if you are using IPv6 tunnel only.
Remote Interface Specifies the IPv4 address of the interface of opposite side of
IP Address the tunnel. For proper routing it is recommended to fill-in
any IPv4 address from local range even if you are using IPv6
tunnel only.
Remote IPv6 Subnet IPv6 address of the remote IPv6 network. Equivalent of the Re-
mote Subnet in IPv4 section.
Remote IPv6 Prefix IPv6 prefix of the remote IPv6 network. Equivalent of the Remote
Subnet Mask in IPv4 section.
Local Interface Specifies the IPv6 address of a local interface.
IPv6 Address
Remote Interface Specifies the IPv6 address of the interface of opposite side of the
IPv6 Address tunnel.
Ping Interval Time interval after which the router sends a message to opposite
side of tunnel to verify the existence of the tunnel.
Ping Timeout Specifies the time interval the router waits for a message sent by
the opposite side. For proper verification of the OpenVPN tunnel,
set the Ping Timeout to greater than the Ping Interval.
Renegotiate Interval Specifies the renegotiate period (reauthorization) of the Open-
VPN tunnel. You can only set this parameter when the Authen-
ticate Mode is set to username/password or X.509 certificate.
After this time period, the router changes the tunnel encryption
to keep the tunnel secure.
Max Fragment Size Maximum size of a sent packet.
Compression Compression of the data sent:

• none – No compression is used.


• LZO – A lossless compression is used, use the same set-
ting on both sides of the tunnel.

Continued on next page

83
ICR-3200

Continued from previous page

Item Description
NAT Rules Activates/deactivates the NAT rules for the OpenVPN tunnel:

• not applied – NAT rules are not applied to the tunnel.


• applied – NAT rules are applied to the OpenVPN tunnel.

Authenticate Mode Specifies the authentication mode:

• none – No authentication is set.


• Pre-shared secret – Specifies the shared key function for
both sides of the tunnel.
• Username/password – Specifies authentication using a
CA Certificate, Username and Password.
• X.509 Certificate (multiclient) – Activates the X.509 au-
thentication in multi-client mode.
• X.509 Certificate (client) – Activates the X.509 authenti-
cation in client mode.
• X.509 Certificate (server) – Activates the X.509 authenti-
cation in server mode.

Security Mode Choose the security mode, tls-auth or tls-crypt. We recommend


to use the tls-crypt mode for the security reasons. In this mode,
all the data is encrypted with a pre-shared key. Moreover, this
mode is more robust against the TLS denial of service attacks.
Pre-shared Secret Specifies the pre-shared secret which you can use for every au-
thentication mode.
CA Certificate Specifies the CA Certificate which you can use for the user-
name/password and X.509 Certificate authentication modes.
DH Parameters Specifies the protocol for the DH parameters key exchange which
you can use for X.509 Certificate authentication in the server
mode.
Local Certificate Specifies the certificate used in the local device. You can use this
authentication certificate for the X.509 Certificate authentication
mode.
Local Private Key Specifies the key used in the local device. You can use the key
for the X.509 Certificate authentication mode.
Local Passphrase Passphrase used during private key generation.
Continued on next page

84
ICR-3200

Continued from previous page

Item Description
Username Specifies a login name which you can use for authentication in
the username/password mode.
Password Specifies a password which you can use for authentication in
the username/password mode. Enter valid characters only, see
chap. 2.3!
User’s Up Script1 Custom script, executed when the OpenVPN tunnel is estab-
lished. Not available for ICR-3241(W)-1ND routers.
User’s Down Script1 Custom script, executed when the OpenVPN tunnel is closed.
Not available for ICR-3241(W)-1ND routers.
Extra Options Specifies additional parameters for the OpenVPN tunnel, such as
DHCP options. The parameters are proceeded by two dashes.
For possible parameters see the help text in the router using SSH
– run the openvpnd --help command.
Table 37: OpenVPN Configuration

There is a condition for tunnel to be established: WAN route has to be active (for example
mobile connection established) even if the tunnel does not go through the WAN.

The changes in settings will apply after pressing the Apply button.

1
Parameters passed to the script are cmd tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remo-
te_ip [ init | restart ], see Reference manual for OpenVPN, option –up cmd.

85
ICR-3200

Figure 41: OpenVPN tunnel configuration

86
ICR-3200

4.11.1 Example of the OpenVPN Tunnel Configuration in IPv4 Network

Figure 42: Topology of OpenVPN Configuration Example

OpenVPN tunnel configuration:

Configuration A B
Protocol UDP UDP
UDP Port 1194 1194
Remote IP Address 10.0.0.2 10.0.0.1
Remote Subnet 192.168.2.0 192.168.1.0
Remote Subnet Mask 255.255.255.0 255.255.255.0
Local Interface IP Address 19.16.1.0 19.16.2.0
Remote Interface IP Address 19.16.2.0 19.16.1.0
Compression LZO LZO
Authenticate mode none none

Table 38: OpenVPN Configuration Example

Examples of different options for configuration and authentication of OpenVPN tunnel can be
found in the application note OpenVPN Tunnel [5].

87
ICR-3200

4.12 IPsec Tunnel Configuration


The IPsec tunnel function allows you to create a secured connection between two separate
LAN networks. Advantech routers allows you to create up to four IPsec tunnels.
To open the IPsec tunnel configuration page, click IPsec in the Configuration section of the
main menu. The menu item will expand and you will see four separate configuration pages:
1st Tunnel, 2nd Tunnel, 3rd Tunnel and 4th Tunnel. Supported are both, policy-based and
route-based VPN approaches, see the different configuration scenarios in Chapter 4.12.1.
IPv4 and IPv6 tunnels are supported (dual stack), you can transport IPv6 traffic through
IPv4 tunnel and vice versa. For different IPsec authentication scenarios, see Chapter 4.12.2.

To encrypt data between the local and remote subnets, specify the appropriate values in
the subnet fields on both routers. To encrypt the data stream between the routers only,
leave the local and remote subnets fields blank.

If you specify the protocol and port information in the Local Protocol/Port field, then the
router encapsulates only the packets matching the settings.

For optimal an secure setup, we recommend to follow instructions on the Security Rec-
ommendations strongSwan web page.

Detailed information and more examples of IPsec tunnel configuration and authentication can
be found in the application note IPsec Tunnel [6].

FRRouting (FRR) router app is an Internet routing protocol suite for Advantech routers. This
UM includes protocol daemons for BGP, IS-IS, LDP, OSPF, PIM, and RIP.

4.12.1 Route-based Configuration Scenarios


There are more different route-based configuration options which can be configured and
used in Advantech routers. Below are listed the most common cases which can be used (for
more details see Route-based VPNs strongSwan web page):

1. Enabled Installing Routes


• Remote (local) subnets are used as traffic selectors (routes).
• It results to the same outcome as a policy-based VPN.
• One benefit of this approach is the possibility to verify non-encrypted traffic passed
through an IPsec tunnel number X by tcdump tool: tcpdump -i ipsecX.
• Set up the Install Routes to yes option.

88
ICR-3200

2. Static Routes
• Routes are installed statically by an application as soon as the IPsec tunnel is up.
• As an application for static routes installation can be used for example FRR/STATICD
application.
• Set up the Install Routes to no option.
3. Dynamic Routing
• Routes are installed dynamically while running by an application using a dynamic pro-
tocol.
• As an application for dynamic routes installation can be used for example FRR/BGP
or FRR/OSPF application. This application gains the routes dynamically from an (BGP,
OSPF) server.
• Set up the Install Routes to no option.
4. Multiple Clients
• Allows to create VPN network with multiple clients. One Advantech router acts as the
server and assigns IP address to all the clients on the network.
• The server has Remote Virtual Network and Remote Virtual Mask items configured
and the client has Local Virtual Address item configured.
• Set up the Install Routes to yes option.

4.12.2 IPsec Authentication Scenarios


There are four basic authentication options which can be configured and used in Advantech
routers:
1. Pre-shared Key
• Set Authenticate Mode to pre-shared key option.
• Enter the shared key to the Pre-shared key field.
2. Public Key
• Set Authenticate Mode to X.509 certificate option.
• Enter the public key to the Local Certificate / PubKey field.
• CA certificate is not required.
3. Peer Certificate
• Set Authenticate Mode to X.509 certificate option.
• Enter the remote key to the Remote Certificate / PubKey field. Users with this certificate
will be allowed.
• CA certificate is not required.
4. CA Certificate
• Set Authenticate Mode to X.509 certificate option.
• Enter the CA certificate or a list of CA certificates to the CA Certificate field. Any
certificate signed by the CA will be accepted.
• Remote certificate is not required.

89
ICR-3200

Notes:
• The Peer and CA Certificate (options 3 and 4) can be configured and used simultane-
ously – authentication can be done by one of this method.
• The Local ID is significant. When using certificate authentication, the IKE identity must
be contained in the certificate, either as subject or as subjectAltName.

90
ICR-3200

4.12.3 Configuration Items Description


The configuration GUI for IPsec is shown in Figure 43 and the description of all items,
which can be configured for an IPsec tunnel, are described in Table 39.

Figure 43: IPsec Tunnels Configuration

91
ICR-3200

Item Description
Description Name or description of the tunnel.
Type • policy-based – Choose for the policy-based VPN approach.
• route-based – Choose for the route-based VPN approach.
Note: Data throughput via route-based VPN is slightly lower in
comparison with policy-based VPN.
Host IP Mode • IPv4 – The router communicates via IPv4 with the opposite side
of the tunnel.
• IPv6 – The router communicates via IPv6 with the opposite side
of the tunnel.
1st Remote IP First IPv4, IPv6 address or domain name of the remote side of
Address the tunnel, based on selected Host IP Mode above.
2nd Remote IP Second IPv4, IPv6 address or domain name of the remote side
Address of the tunnel, based on selected Host IP Mode above.
Tunnel IP Mode • IPv4 – The IPv4 communication runs inside the tunnel.
• IPv6 – The IPv6 communication runs inside the tunnel.
Remote ID Identifier (ID) of remote side of the tunnel. It consists of two parts:
a hostname and a domain-name.
Local ID Identifier (ID) of local side of the tunnel. It consists of two parts:
a hostname and a domain-name.
Install Routers For route-based type only. Choose yes to use traffic selectors as
route(s).
First Remote Subnet IPv4 or IPv6 address of a network behind remote side of the
tunnel, based on Tunnel IP Mode above.
First Remote Subnet IPv4 subnet mask of a network behind remote side of the tunnel,
Mask/Prefix or IPv6 prefix (single number 0 to 128).
Second Remote IPv4 or IPv6 address of the second network behind remote side
Subnet of the tunnel, based on Tunnel IP Mode above. For IKE Protocol
= IKEv2 only.
Second Remote IPv4 subnet mask of the second network behind remote side of
Subnet Mask/Prefix the tunnel, or IPv6 prefix (single number 0 to 128). For IKE Pro-
tocol = IKEv2 only.
Remote Protocol/Port Specifies Protocol/Port of remote side of the tunnel. The general
form is protocol/port, for example 17/1701 for UDP (protocol 17)
and port 1701. It is also possible to enter only the number of
protocol, however, the above mentioned format is preferred.
First Local Subnet IPv4 or IPv6 address of a local network, based on Tunnel IP
Mode above.
Continued on next page

92
ICR-3200

Continued from previous page

Item Description
First Local Subnet IPv4 subnet mask of a local network, or IPv6 prefix (single num-
Mask/Prefix ber 0 to 128).
Second Local Subnet IPv4 or IPv6 address of the second local network, based on Tun-
nel IP Mode above. For IKE Protocol = IKEv2 only.
Second Local Subnet IPv4 subnet mask of the second local network, or IPv6 prefix
Mask/Prefix (single number 0 to 128). For IKE Protocol = IKEv2 only.
Local Protocol/Port Specifies Protocol/Port of a local network. The general form is
protocol/port, for example 17/1701 for UDP (protocol 17) and
port 1701. It is also possible to enter only the number of protocol,
however, the above mentioned format is preferred.
MTU Maximum Transmission Unit value (for route-based mode only).
Default value is 1426 bytes.
Remote Virtual Specifies virtual remote network for server (responder).
Network
Remote Virtual Mask Specifies virtual remote network mask for server (responder).
Local Virtual Address Specifies virtual local network address for client. To get address
from server set up the address to 0.0.0.0.
Cisco FlexVPN Enable to support the Cisco FlexVPN functionality. The route-
based type must be chossen. For more information, see
strongswan.conf page.
Encapsulation Mode Specifies the IPsec mode, according to the method of encapsu-
lation.
• tunnel – entire IP datagram is encapsulated.
• transport – only IP header is encapsulated. Not supported by
route-based VPN.
• beet – the ESP packet is formatted as a transport mode packet,
but the semantics of the connection are the same as for tunnel
mode.
Force NAT Traversal Enable NAT traversal enforcement (UDP encapsulation of ESP
packets).
IKE Protocol Specifies the version of IKE (IKEv1/IKEv2, IKEv1 or IKEv2).
IKE Mode Specifies the mode for establishing a connection (main or ag-
gressive). If you select the aggressive mode, then the router es-
tablishes the IPsec tunnel faster, but the encryption is perma-
nently set to 3DES-MD5. We recommend that you not use the
aggressive mode due to lower security!
Continued on next page

93
ICR-3200

Continued from previous page

Item Description
IKE Algorithm Specifies the means by which the router selects the algorithm:
• auto – The encryption and hash algorithm are selected auto-
matically.
• manual – The encryption and hash algorithm are defined by
the user.
IKE Encryption Encryption algorithm – 3DES, AES128, AES192, AES256,
AES128GCM128, AES192GCM128, AES256GCM128.
IKE Hash Hash algorithm – MD5, SHA1, SHA256, SHA384 or SHA512.
IKE DH Group Specifies the Diffie-Hellman groups which determine the strength
of the key used in the key exchange process. Higher group num-
bers are more secure, but require more time to compute the key.
IKE Reauthentication Enable or disable IKE reauthentication (for IKEv2 only).
XAUTH Enabled Enable extended authentication (for IKEv1 only).
XAUTH Mode Select XAUTH mode (client or server).
XAUTH Username XAUTH username.
XAUTH Password XAUTH password.
ESP Algorithm Specifies the means by which the router selects the algorithm:
• auto – The encryption and hash algorithm are selected auto-
matically.
• manual – The encryption and hash algorithm are defined by
the user.
ESP Encryption Encryption algorithm – 3DES, AES128, AES192, AES256,
AES128GCM128, AES192GCM128, AES256GCM128.
ESP Hash Hash algorithm – MD5, SHA1, SHA256, SHA384 or SHA512.
PFS Enables/disables the Perfect Forward Secrecy function. The
function ensures that derived session keys are not compromised
if one of the private keys is compromised in the future.
PFS DH Group Specifies the Diffie-Hellman group number (see IKE DH Group).
Key Lifetime Lifetime key data part of tunnel. The minimum value of this pa-
rameter is 60 s. The maximum value is 86400 s.
IKE Lifetime Lifetime key service part of tunnel. The minimum value of this
parameter is 60 s. The maximum value is 86400 s.
Rekey Margin Specifies how long before a connection expires that the router
attempts to negotiate a replacement. Specify a maximum value
that is less than half of IKE and Key Lifetime parameters.
Rekey Fuzz Percentage of time for the Rekey Margin extension.
Continued on next page

94
ICR-3200

Continued from previous page

Item Description
DPD Delay Time after which the IPsec tunnel functionality is tested.
DPD Timeout The period during which device waits for a response.
Authenticate Mode Specifies the means by which the router authenticates:
• Pre-shared key – Sets the shared key for both sides of the
tunnel.
• X.509 Certificate – Allows X.509 authentication in multiclient
mode.
(Local) Pre-shared Specifies the shared key (local for IKEv2) for both sides of the
Key tunnel. The prerequisite for entering a key is that you select pre-
shared key as the authentication mode.
Remote Pre-shared Specifies the remote shared key (for IKEv2) for both sides of the
Key tunnel. The prerequisite for entering a key is that you select pre-
shared key as the authentication mode.
CA Certificate Certificate for X.509 authentication.
Remote Certificate \ Certificate for X.509 authentication or PubKey for public key sig-
PubKey nature authentication.
Local Certificate \ Certificate for X.509 authentication or PubKey for public key sig-
PubKey nature authentication.
Local Private Key Private key for X.509 authentication.
Local Passphrase Passphrase used during private key generation.
Revocation Check Certificate revocation policy:
• if possible – Fails only if a certificate is revoked, i.e. it is ex-
plicitly known that it is bad.
• if URI defined – Fails only if a CRL/OCSP URI is available, but
certificate revocation checking fails, i.e. there should be revoca-
tion information available, but it could not be obtained.
• always – Fails if no revocation information is available, i.e. the
certificate is not known to be unrevoked.
User’s Up Script1 Custom script, executed when the IPSec tunnel is established.
Not available for ICR-3241(W)-1ND routers.
User’s Down Script1 Custom script, executed when the IPSec tunnel is closed. Not
available for ICR-3241(W)-1ND routers.
Debug Choose the level of logging verbosity from: silent, audit, control
(default), control-more, raw, private (most verbose including
the private keys). See Logger Configuration in strongSwan web
page for more details.
Continued on next page

95
ICR-3200

Continued from previous page

Item Description
Table 39: IPsec Tunnel Configuration

We recommend that you keep up the default settings. When you set key exchange times
higher, the tunnel produces lower operating costs, but the setting also provides less security.
Conversely, when you reducing the time, the tunnel produces higher operating costs, but
provides for higher security. The changes in settings will apply after clicking the Apply button.

Do not miss:
• If local and remote subnets are not configured then only packets between local and
remote IP address are encapsulated, so only communication between two routers
is encrypted.
• If protocol/port fields are configured then only packets matching these settings are
encapsulated.

1
Parameters passed to the script:
for policy-based type: one parameter: connection name, returns e.g. ipsec1-1,
for route-based type: two parameters: connection name and interface name, returns e.g. ipsec1-1 and ipsec0.

96
ICR-3200

4.12.4 Basic IPv4 IPSec Tunnel Configuration

Figure 44: Topology of IPsec Configuration Example

Configuration of Router A and Router B is as follows:

Configuration A B
Host IP Mode IPv4 IPv4
1st Remote IP Address 10.0.0.2 10.0.0.1
Tunnel IP Mode IPv4 IPv4
First Remote Subnet 192.168.2.0 192.168.1.0
First Remote Subnet Mask 255.255.255.0 255.255.255.0
First Local Subnet 192.168.1.0 192.168.2.0
First Local Subnet Mask 255.255.255.0 255.255.255.0
Authenticate mode pre-shared key pre-shared key
Pre-shared key test test

Table 40: Simple IPv4 IPSec Tunnel Configuration

97
ICR-3200

4.13 WireGuard Tunnel Configuration


WireGuard is a communication protocol and free open-source software that implements
encrypted virtual private networks (VPNs), and was designed with the goals of ease of use,
high speed performance, and low attack surface. It aims for better performance and more
power than IPsec and OpenVPN, two common tunneling protocols. The WireGuard proto-
col passes traffic over UDP. Advantech routers allows you to create up to four WireGuard
tunnels.
To open the WireGuard tunnel configuration page, click WireGuard in the Configuration
section of the main menu. The menu item will expand and you will see four separate configu-
ration pages: 1st Tunnel, 2nd Tunnel, 3rd Tunnel and 4th Tunnel.
IPv4 and IPv6 tunnels are supported (dual stack), you can transport IPv6 traffic through
IPv4 tunnel and vice versa.
FRRouting (FRR) router app is an Internet routing protocol suite for Advantech routers. This
UM includes protocol daemons for BGP, IS-IS, LDP, OSPF, PIM, and RIP.

Detailed information and more examples of WireGuard tunnel configuration and authentication
can be found in the application note WireGuard Tunnel [8].

The configuration GUI for WireGuard is shown in Figure 45 and the description of all items,
which can be configured for an WireGuard tunnel, are described in Table 41.

98
ICR-3200

Figure 45: WireGuard Tunnels Configuration

Item Description
Description Name or description of the tunnel.
Host IP Mode • IPv4 – The router communicates via IPv4 with the opposite side
of the tunnel.
• IPv6 – The router communicates via IPv6 with the opposite side
of the tunnel.
Remote IP Address IPv4, IPv6 address or domain name of the remote side of the
tunnel to connect to. The address must match with the selected
Host IP Mode above.
Remote Port Port of the remote side of the tunnel.
Continued on next page

99
ICR-3200

Continued from previous page

Item Description
Local Port Port of the local side of the tunnel (default port is 51820).
NAT/Firewall If set up to yes, keepalive communication (every 25 seconds)
Traversal is running to preserve the tunnel established. It is useful when
a client is running behind the NAT.
Interface IPv4 Local IPv4 tunnel interface address.
Address
Interface IPv4 Local IPv4 tunnel interface prefix.
Prefix Length
Interface IPv6 Local IPv6 tunnel interface address.
Address
Interface IPv6 Local IPv6 tunnel interface prefix.
Prefix Length
Install Routes • no – Do not install routes. Use when a dynamic routing protocol
is configured.
• yes – Install routes.
Traffic Selector • all traffic – Procced all the packets to the WireGuard tunnel.
• subnets – Route based on the subnets listed below.
Remote Subnets If the Traffic Selector is set to subnets, then other subnets
(routes) can be routed through the wire tunnel.
Pre-shared Key The optional key for additional encryption layer and security
strengthening. You can use the Generate button to generate a
random key.
Local Private Key The private key of the local side. You can use the Generate
button to generate a random key.
Local Public Key The public key of the local tunnel side.
Remote Public Key The public key of the remote tunnel side.
Table 41: WireGuard Tunnel Configuration

The changes in settings will apply after clicking the Apply button.

100
ICR-3200

4.13.1 WireGuard IPv4 Tunnel Configuration Example


There is an example of WireGuard IPv4 tunnel configuration between Router A and
Router B.

Figure 46: Topology of WireGuard Configuration Example

Router B is configured to listen, and Router A is the side initiating the tunnel connection.
Configuration of Router A and Router B from the topology above is as follows:

Configuration Router A Router B


Host IP Mode IPv4 IPv4
Remote IP Address 10.0.6.60 –
Remote Port 51820 –
Local Port 51820 51820
NAT/Firewall Traversal yes no
Interface IPv4 Address 172.16.24.1 172.16.24.2
Interface IPv4 Prefix Length 30 30
Install Routes yes yes
Traffic Selector subnets subnets
Remote Subnets 192.168.2.0/24 192.168.1.0/24
Local Private Key a local private key a local private key
Local Public Key a local public key a local public key
Remote Public Key a public key of the opposite a public key of the opposite
side side

Table 42: WireGuard IPv4 Tunnel Configuration Example


101
ICR-3200

In the figure below is the WireGuard status page of Router A. If the tunnel connection is
established successfully, the Latest handshake time is shown here. This value is the time left
from the latest successful communication with the opposite tunnel side. This item will not be
shown here until there is a tunnel communication (data sent by the Router A or the keepalive
data sent when NAT/Firewall Traversal is set to yes).

Figure 47: Router A – WireGuard Status Page and Route Table

Figure 48: Router B – WireGuard Status Page and Route Table

102
ICR-3200

4.14 GRE Tunnels Configuration

GRE is an unencrypted protocol. GRE via IPv6 is not supported.

To open the GRE Tunnel Configuration page, click GRE in the Configuration section of the
main menu. The menu item will expand and you will see four separate configuration pages:
1st Tunnel, 2nd Tunnel, 3rd Tunnel and 4th Tunnel. The GRE tunnel function allows you to
create an unencrypted connection between two separate LAN networks. The router allows
you to create four GRE tunnels.

Item Description
Description Description of the GRE tunnel.
Remote IP Address IP address of the remote side of the tunnel.
Local IP Address IP address of the local side of the tunnel.
Remote Subnet IP address of the network behind the remote side of the tunnel.
Remote Subnet Mask Specifies the mask of the network behind the remote side of the
tunnel.
Local Interface IP IP address of the local side of the tunnel.
Address
Remote Interface IP IP address of the remote side of the tunnel.
Address
Multicasts Activates/deactivates sending multicast into the GRE tunnel:

• disabled – Sending multicast into the tunnel is inactive.


• enabled – Sending multicast into the tunnel is active.

Pre-shared Key Specifies an optional value for the 32 bit shared key in numeric
format, with this key the router sends the filtered data through
the tunnel. Specify the same key on both routers, otherwise the
router drops received packets.
Table 43: GRE Tunnel Configuration

The GRE tunnel cannot pass through the NAT.

The changes in settings will apply after pressing the Apply button.

103
ICR-3200

Figure 49: GRE Tunnel Configuration

4.14.1 Example of the GRE Tunnel Configuration

Figure 50: Topology of GRE Tunnel Configuration Example

104
ICR-3200

GRE tunnel configuration:

Configuration A B
Remote IP Address 10.0.0.2 10.0.0.1
Remote Subnet 192.168.2.0 192.168.1.0
Remote Subnet Mask 255.255.255.0 255.255.255.0
Table 44: GRE Tunnel Configuration Example

Examples of different options for configuration of GRE tunnel can be found in the application
note GRE Tunnel [7].

105
ICR-3200

4.15 L2TP Tunnel Configuration

L2TP is an unencrypted protocol. L2TP via IPv6 is not supported.

To open the L2TP Tunnel Configuration page, click L2TP in the Configuration section of the
main menu. The L2TP tunnel function allows you to create a password-protected connection
between two different LAN networks. Enable the Create L2TP tunnel checkbox to activate the
tunnel.

Figure 51: L2TP Tunnel Configuration

Item Description
Mode Specifies the L2TP tunnel mode on the router side:

• L2TP server – Specify an IP address range offered by


the server.
• L2TP client – Specify the IP address of the server.

Server IP Address IP address of the server.


Client Start IP Address IP address to start with in the address range. The range is
offered by the server to the clients.
Continued on next page

106
ICR-3200

Continued from previous page

Item Description
Client End IP Address The last IP address in the address range. The range is offered
by the server to the clients.
Local IP Address IP address of the local side of the tunnel.
Remote IP Address IP address of the remote side of the tunnel.
Remote Subnet Address of the network behind the remote side of the tunnel.
Remote Subnet Mask The mask of the network behind the remote side of the tunnel.
MRU Maximum Receive Unit value. Default value is 1400 bytes.
MTU Maximum Transmission Unit value. Default value is 1400 bytes.
Username Username for the L2TP tunnel login.
Password Password for the L2TP tunnel login. Enter valid characters only.
Table 45: L2TP Tunnel Configuration

107
ICR-3200

4.15.1 Example of the L2TP Tunnel Configuration

Figure 52: Topology of L2TP Tunnel Configuration Example

Configuration of the L2TP tunnel:

Configuration A B
Mode L2TP Server L2TP Client
Server IP Address — 10.0.0.1
Client Start IP Address 192.168.2.5 —
Client End IP Address 192.168.2.254 —
Local IP Address 192.168.1.1 —
Remote IP Address — —
Remote Subnet 192.168.2.0 192.168.1.0
Remote Subnet Mask 255.255.255.0 255.255.255.0
Username username username
Password password password
Table 46: L2TP Tunnel Configuration Example

108
ICR-3200

4.16 PPTP Tunnel Configuration

PPTP is an unencrypted protocol. PPTP via IPv6 is not supported.

Select the PPTP item in the menu to configure a PPTP tunnel. PPTP tunnel allows
password-protected connections between two LANs. It is similar to L2TP. The tunnels are
active after selecting Create PPTP tunnel.

Figure 53: PPTP Tunnel Configuration

Item Description
Mode Specifies the L2TP tunnel mode on the router side:

• PPTP server – Specify an IP address range offered by


the server.
• PPTP client – Specify the IP address of the server.

Server IP Address IP address of the server.


Local IP Address IP address of the local side of the tunnel.
Remote IP Address IP address of the remote side of the tunnel.
Continued on next page

109
ICR-3200

Continued from previous page

Item Description
Remote Subnet Address of the network behind the remote side of the tunnel.
Remote Subnet Mask The mask of the network behind the remote side of the tunnel
MRU Maximum Receive Unit value. Default value is 1460 bytes to
avoid fragmented packets.
MTU Maximum Transmission Unit value. Default value is 1460 bytes
to avoid fragmented packets.
Username Username for the PPTP tunnel login.
Password Password for the PPTP tunnel login. Enter valid characters
only.
Table 47: PPTP Tunnel Configuration

The changes in settings will apply after pressing the Apply button.

The firmware also supports PPTP passthrough, which means that it is possible to create
a tunnel through the router.

110
ICR-3200

4.16.1 Example of the PPTP Tunnel Configuration

Figure 54: Topology of PPTP Tunnel Configuration Example

Configuration of the PPTP tunnel:

Configuration A B
Mode PPTP Server PPTP Client
Server IP Address — 10.0.0.1
Local IP Address 192.168.1.1 —
Remote IP Address 192.168.2.1 —
Remote Subnet 192.168.2.0 192.168.1.0
Remote Subnet Mask 255.255.255.0 255.255.255.0
Username username username
Password password password
Table 48: PPTP Tunnel Configuration Example

111
ICR-3200

4.17 Services
4.17.1 DynDNS
The DynDNS function allows you to access the router remotely using an easy to remem-
ber custom hostname. This DynDNS client monitors the IP address of the router and up-
dates the address whenever it changes. In order for DynDNS to function, you require a pub-
lic IP address, either static or dynamic, and an active Remote Access service account at
www.dyndns.org. Register the custom domain (third-level) and account information specified
in the configuration form. You can use other services, too – see the table below, Server item.
To open the DynDNS Configuration page, click DynDNS in the main menu.

Item Description
Hostname The third order domain registered on the www.dyndns.org server.
Username Username for logging into the DynDNS server.
Password Password for logging into the DynDNS server. Enter valid characters
only, see chap. 2.3!
IP Mode Specifies the version of IP protocol:

• IPv4 – IPv4 protocol is used only (default).


• IPv6 – IPv6 protocol is used only.
• IPv4/IPv6 – IPv4 and IPv6 dual stack is enabled.

Server Specifies a DynDNS service other than the www.dyndns.org. Possible


other services: www.spdns.de, www.dnsdynamic.org, www.noip.com
Enter the update server service information in this field. If you leave this
field blank, the default server members.dyndns.org will be used.
Table 49: DynDNS Configuration

Example of the DynDNS client configuration with the domain company.dyndns.org:

Figure 55: DynDNS Configuration Example

To access the router’s configuration remotely, you will need to have enabled this option in the
NAT configuration (bottom part of the form), see Chapter 4.10.
112
ICR-3200

4.17.2 FTP

Not available for ICR-3241(W)-1ND routers.

FTP protocol (File Transfer Protocol) can be used to transfer files between the router and
another device on the computer network. Configuration form of TP server can be done in FTP
configuration page under Services menu item.

Item Description
Enable FTP service Enabling of FTP server.
Maximum Sessions Indicates how many concurrent connections shall the FTP
server accept. Once the maximum is reached, additional
connections will be rejected until some of the existing con-
nections are terminated. The range is from 1 to 500.
Session Timeout Is used to close inactive sessions. The server will termi-
nate a FTP session after it has not been used for the given
amount of seconds. The range is from 60 to 7200.
Table 50: Parameters for FTP service configuration

Figure 56: Configuration of FTP server

113
ICR-3200

4.17.3 HTTP
HTTP protocol (Hypertext Transfer Protocol) is internet protocol used for exchange of hy-
pertext documents in HTML format. This protocol is used for accessing the web server used
for user’s configuration of the router. Recommended usage however is of HTTPS protocol,
which used encryption for secure exchange of transferred data. Configuration form of HTTP
and HTTPS service can be done in HTTP configuration page under Services menu item. By
default, HTTP service is disabled and preferred is using of HTTPS service. For this default
setting, a request for communication with HTTP protocol is redirected to HTTPS protocol au-
tomatically.

Item Description
Enable HTTP service Enabling of HTTP service.
Enable HTTPS Enabling of HTTPS service.
service
Minimum TLS Version If specified, the router will disable TLS versions lower than the
specified minimum. For better security choose the highest ver-
sion of TLS protocol, unless you need to use an older web
browser.
Session Timeout Inactivity timeout when the session is closed.
Login Banner The text specified in this field will be displayed on the login page
just above the credentials fields.
Keep the current certificate Left the current one certificate in the router.
Generate a new certificate Generate a new self-signed certificate to the router.
Upload a new certificate Upload custom PEM certificate, which can be signed by Certifi-
cate Authority.
Certificate Choose a file with the PEM certificate.
Private Key Choose a file with the certificate private key.
Table 51: Parameters for HTTP and HTTPS services configuration

Figure 57: Configuration of HTTP and HTTPS services


114
ICR-3200

4.17.4 NTP
The NTP configuration form allows you to configure the NTP client. To open the NTP page,
click NTP in the Configuration section of the main menu. NTP (Network Time Protocol) allows
you to periodically set the internal clock of the router. The time is set from servers that provide
the exact time to network devices. IPv6 Time Servers are supported.

• If you mark the Enable local NTP service check box, then the router acts as a NTP server
for other devices in the local network (LAN).
• If you mark the Synchronize clock with NTP server check box, then the router acts as a
NTP client. This means that the router automatically adjusts the internal clock every 24
hours.

Item Description
Primary NTP Server IPv4 address, IPv6 address or domain name of primary NTP
Address server.
Secondary NTP IPv4 address, IPv6 address or domain name of secondary NTP
Server Address server.
Timezone Specifies the time zone where you installed the router.
Daylight Saving Time Activates/deactivates the DST shift.

• No – The time shift is inactive.


• Yes – The time shift is active.

Table 52: NTP Configuration

The figure below displays an example of a NTP configuration with the primary server set
to ntp.cesnet.cz and the secondary server set to tik.cesnet.cz and with the automatic change
for daylight saving time enabled.

Figure 58: Example of NTP Configuration

115
ICR-3200

4.17.5 PAM
A pluggable authentication module (PAM) is a mechanism to integrate multiple low-level
authentication schemes into a high-level application programming interface (API). The confi-
guration made on this configuration page will affect all the router’s authentication mechanisms.
As the first option, choose the PAM Mode.

PAM Modes

The PAM modes available and their description are listed in Table 53.

Item Description
PAM Mode
• local user database – Authenticate against the local user database
only, see Chapter 5.1.
• RADIUS with fallback – Authenticate against the RADIUS server
first and then against the local database in case the RADIUS server
is not accessible.
• RADIUS only – Authenticate only against the RADIUS server. Note
that you will not be able to authenticate to the router in case the
RADIUS server is not accessible!
• TACACS+ with fallback – Authenticate against the TACACS+ server
first and then against the local database in case the TACACS+ server
is not accessible.
• TACACS+ only – Authenticate only against the TACACS+ server.
Note that you will not be able to authenticate to the router in case the
TACACS+ server is not accessible!
Table 53: Available Modes of PAM

Local User Database

To configure the authentication against the local user database, choose local user
database and enable the debug mode eventually, see Figure 59.

Figure 59: Configuration of Local User Database

116
ICR-3200

RADIUS Mode

When authenticate against the RADIUS server, user with the same name must exist
locally. It can be created manually (see Chapter 5.1) or can be created automatically
based on data from RADIUS server, if the Take Over Server Users option is enabled as
described hereunder.

To configure the authentication against a RADIUS server, choose RADIUS with fallback
or RADIUS only as the PAM mode and set up all required items, see Figure 60. Table 54
describes all the configuration options for the RADIUS PAM modes.

Figure 60: Configuration of RADIUS

Item Description
Server Address of the RADIUS server. Up to two servers can be configured.
Port Port of the RADIUS server.
Secret The secret For authentication to the RADIUS server.
Timeout Timeout for authentication to the RADIUS server.
Take Over If enabled, a new user account is created during the login, in case the
Server Users RADIUS authentication is successful and appropriate local account does
not exist. New accounts are created without the password. An existing
user account with a password is never modified by this feature.
Default User Choose the user role (Admin or User). This role corresponds with router’s
Role user roles, see Chapter 5.1.
Selected role will be used for a user in case the option Take Over Server
Users is enabled and if the user’s Service-Type set on the RADIUS server
is missing or is not set up to NAS-Prompt-User or Administrative-User.
When Service-Type is set to NAS-Prompt-User, the User role will be used.
When Service-Type is set to Administrative-User, the Admin role is used.

Table 54: Configuration of RADIUS


117
ICR-3200

TACACS+ Mode

When authenticate against the TACACS+ server, user with the same name must exist
locally. It can be created manually (see Chapter 5.1) or can be created automatically
based on data from TACACS+ server, if the Take Over Server Users option is enabled as
described hereunder.

To configure the authentication against a TACACS+ server, choose TACACS+ with fallback
or TACACS+ only as the PAM mode and set up all required items, see Figure 61. Table 55
describes all the configuration options for the TACACS PAM modes.

Figure 61: Configuration of TACACS+

Item Description
Authentication Choose ASCII, PAP or CHAP as authentication type.
Type
Timeout Timeout for authentication to the TACACS+ server.
Server Address of the TACACS+ server. Up to two servers can be configured.
Port Port of the TACACS+ server.
Secret The secret For authentication to the TACACS+ server.
Take Over If enabled, a new user account is created during the login, in case the
Server Users TACACS+ authentication is successful and appropriate local account does
not exist. New accounts are created without the password. An existing
user account with a password is never modified by this feature.
Default User Choose the user role (Admin or User). This role corresponds with router’s
Role user roles, see Chapter 5.1.
Selected role will be used for a new user when Take Over Server Users is
used.

Table 55: Configuration of TACACS+


118
ICR-3200

Two-Factor Authentication Service

To enable the two-factor authentication service, choose the service type you want to use
from Google Authenticator or OATH Toolkit in the Two-Factor Authentication box, as shown in
Figure 62. Click the Apply button.
To configure the two-factor authentication for a user, see Chapter 5.4 Two-Factor Authen-
tication.

Figure 62: Enabling Two-Factor Authentication Service

119
ICR-3200

4.17.6 SNMP
The SNMP page allows you to configure the SNMP v1/v2 or v3 agent which sends informa-
tion about the router (and about its expansion ports eventually) to a management station. To
open the SNMP page, click SNMP in the Configuration section of the main menu. SNMP (Sim-
ple Network Management Protocol) provides status information about the network elements
such as routers or endpoint computers. In the version v3, the communication is secured (en-
crypted). To enable the SNMP service, mark the Enable the SNMP agent check box. Sending
SNMP traps to IPv6 address is supported.

Item Description
Name Designation of the router.
Location Location of where you installed the router.
Contact Person who manages the router together with information how to contact
this person.
Table 56: SNMP Agent Configuration

To enable the SNMPv1/v2 function, mark the Enable SNMPv1/v2 access check box. It is
also necessary to specify a password for access to the Community SNMP agent. The default
setting is public.

You can define a different password for the Read community (read only) and the Write
community (read and write) for SNMPv1/v2. You can also define 2 SNMP users for SNMPv3.
You can define a user as read only (Read), and another as read and write (Write). The router
allows you to configure the parameters in the following table for every user separately. The
router uses the parameters for SNMP access only.

To enable the SNMPv3 function, mark the Enable SNMPv3 access check box, then specify
the following parameters:

Item Description
Username User name
Authentication Encryption algorithm on the Authentication Protocol that is
used to verify the identity of the users.
Authentication Password Password used to generate the key used for authentication.
Enter valid characters only, see chap. 2.3!
Privacy Encryption algorithm on the Privacy Protocol that is used to
ensure confidentiality of data.
Privacy Password Password for encryption on the Privacy Protocol. Enter valid
characters only, see chap. 2.3!
Table 57: SNMPv3 Configuration

120
ICR-3200

Activating the Enable I/O extension function allows you monitor the binary I/O inputs on
the router.
Selecting Enable M-BUS extension and entering the Baudrate, Parity and Stop Bits lets you
monitor the meter status connected via MBUS interface. MBUS expansion port is not currently
supported, but it is possible to use an external RS232/MBUS converter.
Selecting Enable reporting to supervisory system and entering the IP Address and Period
lets you send statistical information to the monitoring system, R-SeeNet.

Item Description
IP Address IPv4 or IPv6 address.
Period Period of sending statistical information (in minutes).
Table 58: SNMP Configuration (R-SeeNet)

Each monitored value is uniquely identified using a numerical identifier OID – Object Iden-
tifier. This identifier consists of a progression of numbers separated by a point. The shape
of each OID is determined by the identifier value of the parent element and then this value is
complemented by a point and current number. So it is obvious that there is a tree structure.
The following figure displays the basic tree structure that is used for creating the OIDs.

Figure 63: OID Basic Structure

The SNMP values that are specific for Advantech routers create the tree starting at
OID = .1.3.6.1.4.1.30140. You interpret the OID in the following manner:

iso.org.dod.internet.private.enterprises.conel

121
ICR-3200

This means that the router provides for example, information about the internal tempera-
ture (OID 1.3.6.1.4.1.30140.3.3) or about the power voltage (OID 1.3.6.1.4.1.30140.3.4). For
binary inputs and output, the following range of OID is used:

OID Description
.1.3.6.1.4.1.30140.2.3.1.0 Binary input BIN0 (values 0,1)
.1.3.6.1.4.1.30140.2.3.2.0 Binary output OUT0 (values 0,1)
.1.3.6.1.4.1.30140.2.3.3.0 Binary input BIN1 (values 0,1)
Table 59: Object identifier for binary inputs and output

The list of available and supported OIDs and other details can be found in the application note
SNMP Object Identifiers [11].

Figure 64: SNMP Configuration Example


122
ICR-3200

Figure 65: MIB Browser Example

In order to access a particular device enter the IP address of the SNMP agent which is
the router, in the Remote SNMP agent field. The dialog displayed the internal variables in the
MIB tree after entering the IP address. Furthermore, you can find the status of the internal
variables by entering their OID.

The path to the objects is:

iso → org → dod → internet → private → enterprises → Conel → protocols

The path to information about the router is:

iso → org → dod → internet → mgmt → mib-2 → system

123
ICR-3200

4.17.7 SMTP
Use the SMTP form to configure the Simple Mail Transfer Protocol client (SMTP) for send-
ing e-mails. IPv6 e-mail servers are supported.

Item Description
SMTP Server Address IPv4 address, IPv6 address or domain name of the mail server.
SMTP Port Port the SMTP server is listening on.
Secure Method none, SSL/TLS, or STARTTLS. Secure method has to be sup-
ported by the SMTP server.
Username Name for the e-mail account.
Password Password for the e-mail account. Enter valid characters only,
see chap. 2.3!
Own E-mail Address Address of the sender.
Table 60: SMTP client configuration

The mobile service provider can block other SMTP servers, then you can only use the SMTP
server of the service provider.

Figure 66: SMTP Client Configuration Example

You can send e-mails from the Startup script. The Startup Script dialog is located in Scripts
in the Configuration section of the main menu. The router also allows you to send e-mails using
an SSH connection. Use the email command with the following parameters:
-t e-mail address of the receiver
-s subject, enter the subject in quotation marks
-m message, enter the subject in quotation marks
-a attachment file
-r number of attempts to send e-mail (default setting: 2)

124
ICR-3200

Commands and parameters can be entered only in lowercase.

Example of sending an e-mail:

email –t [email protected] –s "System Log" -m "Attached" -a /var/log/messages

The command above sends an e-mail to address [email protected] with the subject "System
Log", body message "Attached" and attachment messages file with System Log of the router
directly from the directory /var/log/.

125
ICR-3200

4.17.8 SMS

The SMS Configuration page is not available for the ICR-3201 routers (LAN version).

Open the SMS page in the Services submenu of the Configuration section of the main
menu. The router can automatically send SMS messages to a cell phone or SMS message
server when certain events occur. The format allows you to select which events generate an
SMS message.

Item Description
Send SMS on power up Activates/deactivates the sending of an SMS mes-
sage automatically on power up.
Send SMS on connect to mobile Activates/deactivates the sending of an SMS mes-
network sage automatically when the router is connected to
a mobile network.
Send SMS on disconnect to mo- Activates/deactivates the sending of an SMS mes-
bile network sage automatically when the router is disconnection
from a mobile network.
Send SMS when datalimit Activates/deactivates the sending of an SMS mes-
exceeded sage automatically when the data limit exceeded.
Send SMS when binary input on Automatic sending SMS message after binary input
I/O port (BIN0) is active on I/O port (BIN0) is active. Text of message is in-
tended parameter BIN0.
Add timestamp to SMS Activates/deactivates the adding a time stamp to the
SMS messages. This time stamp has a fixed format
YYYY-MM-DD hh:mm:ss.
Phone Number 1 Specifies the phone number to which the router sends
the generated SMS.
Phone Number 2 Specifies the phone number to which the router sends
the generated SMS.
Phone Number 3 Specifies the phone number to which the router sends
the generated SMS.
Unit ID The name of the router. The router sends the name
in the SMS.
BIN0 – SMS Text of the SMS message when the first binary input
is activated.
Table 61: SMS Configuration

126
ICR-3200

Remote Control via SMS

After you enter a phone number in the Phone Number 1 field, the router allows you to
configure the control of the device using an SMS message. You can configure up to three
numbers for incoming SMS messages. To enable the function, mark the Enable remote control
via SMS check box. The default setting of the remote control function is active.

Item Description
Phone Number 1 Specifies the first phone number allowed to access the router us-
ing an SMS.
Phone Number 2 Specifies the second phone number allowed to access the router
using an SMS.
Phone Number 3 Specifies the third phone number allowed to access the router
using an SMS.
Table 62: Control via SMS

If you enter one or more phone numbers, then you can control the router using SMS
messages sent only from the specified phone numbers.
If you enter the wild card character ∗, then you can control the router using SMS mes-
sages sent from any phone number.

Most of the control SMS messages do not change the router configuration. For example,
if the router is changed to the off line mode using an SMS message, the router remains in this
mode, but it will return back to the on-line mode after reboot. The only exception is set profile
command that changes the configuration permanently, see the table below.
To control the router using an SMS, send only message text containing the control com-
mand. You can send control SMS messages in the following format:

SMS Description
go online sim 1 Switch the mobile WAN to the SIM1.
go online sim 2 Switch the mobile WAN to the SIM2.
go online Switch the router to the online mode.
go offline Switch the router to the off line mode.
set out0=0 Set the binary output to 0.
set out0=1 Set the binary output to 1.
set profile std Set the standard profile. This change is permanent.
set profile alt1 Set the alternative profile 1. This change is permanent.
set profile alt2 Set the alternative profile 2. This change is permanent.
set profile alt3 Set the alternative profile 3. This change is permanent.
Continued on next page

127
ICR-3200

Continued from previous page

SMS Description
reboot Reboot the router.
get ip Respond with the IP address of the SIM card.
Table 63: Control SMS

Note: Every received control SMS is processed and then deleted from the router! This
may cause a confusion when you want to use AT-SMS protocol for reading received SMS
(see section below).

Advanced SMS control: If there is unknown command in received SMS and remote control
via SMS is enabled, the script located in "/var/scripts/sms" is run before the SMS is deleted.
It is possible to define your own additional SMS commands using this script. Maximum of
7 words can be used in such SMS. Since the script file is located in RAM of the router, it is
possible to add creation of such file to Startup Script. See example in Commands and Scripts
Application Note [1].

AT-SMS Protocol

AT-SMS protocol is a private set of AT commands supported by the routers. It can be used to
access the cellular module in the router directly via commonly used AT commands, work with
short messages (send SMS) and cellular module state information and settings.

Choosing Enable AT-SMS protocol on expansion port 1 and Baudrate makes it possible to
use AT-SMS protocol on the serial Port 1.

Item Description
Baudrate Communication speed on the expansion port 1
Table 64: Send SMS on the serial Port 1

Choosing Enable AT-SMS protocol on expansion port 2 and Baudrate makes it possible to
use AT-SMS protocol on the serial Port 2.

Item Description
Baudrate Communication speed on the expansion port 2
Table 65: Send SMS on the serial Port 2

128
ICR-3200

Setting the parameters in the Enable AT-SMS protocol over TCP frame, you can enable
the router to use AT-SMS protocol on a TCP port. This function requires you to specify a TCP
port number.

Item Description
TCP Port TCP port on which will be allowed to send/receive SMS messages.
Table 66: Sending/receiving of SMS on TCP port specified

If you establish a connection to the router through a serial interface or interface using the
TCP protocol, then you can use AT commands to manage SMS messages.
Only the commands supported by the routers are listed in the following table. For other AT
commands the OK response is always sent. There is no support for treatment of complex AT
commands, so in such a case the router sends ERROR response.

AT Command Description
AT+CGMI Returns the manufacturer specific identity
AT+CGMM Returns the manufacturer specific model identity
AT+CGMR Returns the manufacturer specific model revision identity
AT+CGPADDR Displays the IP address of the Mobile WAN interface
AT+CGSN Returns the product serial number
AT+CIMI Returns the International Mobile Subscriber Identity number (IMSI)
AT+CMGD Deletes a message from the location
AT+CMGF Sets the presentation format of short messages
AT+CMGL Lists messages of a certain status from a message storage area
AT+CMGR Reads a message from a message storage area
AT+CMGS Sends a short message from the device to entered tel. number
AT+CMGW Writes a short message to SIM storage
AT+CMSS Sends a message from SIM storage location value
AT+CNUM Returns the phone number, if available (stored on SIM card)
AT+COPS? Identifies the available mobile networks
AT+CPIN Is used to find out the SIM card state and enter a PIN code
AT+CPMS Selects SMS memory storage types, to be used for short message
operations
AT+CREG Displays network registration status
AT+CSCA Sets the short message service centre (SMSC) number
AT+CSCS Selects the character set
Continued on next page

129
ICR-3200

Continued from previous page

AT Command Description
AT+CSQ Returns the signal strength of the registered network
AT+GMI Returns the manufacturer specific identity
AT+GMM Returns the manufacturer specific model identity
AT+GMR Returns the manufacturer specific model revision identity
AT+GSN Returns the product serial number
ATE Determines whether or not the device echoes characters
ATI Transmits the manufacturer specific information about the device
Table 67: List of AT Commands

A detailed description and examples of these AT commands can be found in the application
note AT Commands (AT-SMS) [12].

Sending SMS from Router

There are more ways how to send your own SMS from the router:

• Using AT-SMS protocol described above – if you establish a connection to the router
through a serial interface or interface using the TCP protocol, then you can use AT
commands to manage SMS messages. See application note AT Commands (AT-SMS)
[12].

• Using HTTP POST method for a remote execution, calling CGI scripts in the router. See
Commands and Scripts Application Note [1] for more details and example.

• From Web interface of the router, in Administration section, Send SMS item, see Chapter
5.9.

• Using gsmsms command e.g. in terminal when connected to the router via SSH. See
Commands and Scripts Application Note [1].

130
ICR-3200

Examples of SMS Configuration

Example 1 Sending SMS Configuration

After powering up the router, the phone with the number entered in the dialog receives an SMS
in the following format:
Router (Unit ID) has been powered up. Signal strength –xx dBm.
After connecting to mobile network, the phone with the number entered in the dialog receives
an SMS in the following format:
Router (Unit ID) has established connection to mobile network. IP address xxx.xxx.xxx.xxx
After disconnecting from the mobile network, the phone with the number entered in the dialog
receives an SMS in the following format:
Router (Unit ID) has lost connection to mobile network. IP address xxx.xxx.xxx.xxx

Figure 67: SMS Configuration for Example 1


131
ICR-3200

Example 2 Sending SMS via Serial Interface on the Port 1

Figure 68: SMS Configuration for Example 2

132
ICR-3200

Example 3 Control the Router Sending SMS from any Phone Number

Figure 69: SMS Configuration for Example 3

133
ICR-3200

Example 4 Control the Router Sending SMS from Two Phone Numbers

Figure 70: SMS Configuration for Example 4

134
ICR-3200

4.17.9 SSH
SSH protocol (Secure Shell) allows to carry out a secure remote login to the router. Con-
figuration form of SSH service can be done in SSH configuration page under Services menu
item. By ticking Enable SSH service item the SSH server on the router is enabled.

Item Description
Enable SSH service Enabling of SSH service.
Session Timeout Inactivity timeout when the session is closed.
Login Banner The text specified in this field will be displayed in the con-
sole during the SSH login just after the login name entry.
Keep the current SSH key Choose to keep current key.
Generate a new SSH key Choose to generate new key.
Key Length Choose the key length to be generated.
Table 68: Parameters for SSH service configuration

Figure 71: Configuration of HTTP service

135
ICR-3200

4.17.10 Syslog
Configuration of system log, called syslog, can be done on this configuration page. Size of
this log can be restricted by maximal number of its rows. Optionally, the IP address and UDP
port can be configured for the real-time log distribution.
You can see this log in the router’s GUI (Status -> System Log) or in the console using
slog command.

Položka Popis
Log Size Log size restriction by maximal number of its rows.
Log Persistent Set to yes to log to the file stored in non-volatile memory, so the
log is not lost after shutting down the router. It is supported only
by routers having the eMMC memory.
Remote IP Address Optional setting of IP address for real-time log distribution.
Remote UDP Port Optional setting of UDP port for real-time log distribution.
Device ID Optional setting ofthe device identification string for remote log-
ging. If empty, Router string is used.
Table 69: Syslog configuration

Figure 72: Syslog configuration

136
ICR-3200

4.17.11 Telnet

Not available for ICR-3241(W)-1ND routers.

Telnet is a protocol used to provide a bidirectional interactive text-oriented communication


facility with the router. Configuration form of Telnet service can be done in Telnet configuration
page under Services menu item.

Item Description
Enable Telnet service Enabling of Telnet service.
Maximum Sessions Is used to close inactive sessions. The server will terminate
a Telnet session after it has not been used for the given
amount of seconds. The range is from 1 to 500.
Table 70: Parameters for Telnet service configuration

Figure 73: Configuration of Telnet service

137
ICR-3200

4.18 Expansion Port – SERIAL I/O Configuration


Configuration of the SERIAL I/O interface can be done via Expansion Port 1 and Expan-
sion Port 2 menu items. SERIAL I/O connector combines RS232 and RS485 serial interfaces
with Binary Input and Binary Output on single 10-pin connector.
Configuration of RS232 interface is accessible on Expansion Port 1 page, configuration of
RS485 is accessible on Expansion Port 2 page. See the self-explanation Figure below:

Figure 74: SERIAL I/O configuration pages overview

Binary input and output can be used multiple ways accross the router’s configuration
pages: SMS can be sent from router on binary input, binary output can be set by SMS (Chap.
4.17.8). State of binary I/O can be read by SNMP (Chap. 4.17.6). SIM cards can be switched
on binary input (Chap. 4.3.1). Binary I/O can be read or set by commands in Scripts (see
more in Chap. 4.19 and Application Note Commands and Scripts [1]).

Expansion Port 1 page configuration options are described below. Same configuration options
are accessible at the Expansion Port 2 page.

In the upper part of the configuration window, the port can be enabled and the type of the
connected port is shown in the Port Type item. Other items are described in the table below.
IPv6 TCP/UDP client/server are supported.

138
ICR-3200

Figure 75: Expansion Port Configuration

139
ICR-3200

Item Description
Baudrate Applied communication speed: 300, 600, 1200, 2400, 4800, 9600
(default), 19200, 38400, 57600, 115200, 230400.
Data Bits Number of data bits: 5, 6, 7, 8 (default).
Parity Control parity bit:
• none – data will be sent without parity.
• even – data will be sent with even parity.
• odd – data will be sent with odd parity.
Stop Bits Number of stop bits: 1 (default), 2.
Flow Control Set the flow control to none or hardware.
Split Timeout Time to rupture reports. If the gap between two characters exceeds
the parameter in milliseconds, any buffered characters will be sent
over the Ethernet port.
Protocol Protocol:
• TCP – communication using a linked protocol TCP.
• UDP – communication using a unlinked protocol UDP.
Mode Mode of connection:
• TCP server – The router will listen for incoming TCP connection
requests.
• TCP client – The router will connect to a TCP server on the
specified IP address and TCP port.
Server Address When set to TCP client above, it is necessary to enter the Server ad-
dress and TCP port. IPv4 and IPv6 addresses are allowed.
TCP Port TCP/UDP port used for communications. The router uses the value for
both the server and client modes.
Inactivity Timeout Time period after which the TCP/UDP connection is interrupted in case
of inactivity.
Table 71: Expansion Port Configuration – serial interface

If you mark the Reject new connections check box, then the router rejects any other con-
nection attempt. This means that the router no longer supports multiple connections.
If you mark the Check TCP connection check box, the router verifies the TCP connection.
Item Description
Keepalive Time Time after which the router verifies the connection.
Keepalive Interval Length of time that the router waits on an answer.
Keepalive Probes Number of tests that the router performs.
Table 72: Expansion Port Configuration – Check TCP connection

When you mark the Use CD as indicator of the TCP connection check box, the router uses

140
ICR-3200

CD Description
Active TCP connection is enabled
Nonactive TCP connection is disabled
Table 73: CD Signal Description

the carrier detection (CD) signal to verify the status of the TCP connection. The CD signal
verifies that another device is connected to the other side of the cable.
When you mark the Use DTR as control of TCP connection check box, the router uses
the data terminal ready (DTR) single to control the TCP connection. The remote device sends
a DTR single to the router indicating that the remote device is ready for communications.

DTR Description server Description client


Active The router allows the establishment of The router initiates a TCP connec-
TCP connections. tion.
Nonactive The router denies the establishment of The router terminates the TCP con-
TCP connections. nection.
Table 74: DTR Signal Description

The changes in settings will apply after pressing the Apply button.

141
ICR-3200

4.18.1 Examples of the Expansion Port Configuration

Figure 76: Example of Ethernet to serial communication configuration

Figure 77: Example of serial interface configuration

142
ICR-3200

4.19 Scripts

Not available for ICR-3241(W)-1ND routers.

There is possibility to create your own shell scripts executed in the specific situations. Go
to the Scripts page in the Configuration section in the menu. The menu item will expand and
there are Startup Script, Up/Down IPv4 and Up/Down IPv6 scripts you can use – there is IPv4
and IPv6 independent dual stack. For more examples of Scripts and possible commands see
the Application Note Commands and Scripts [1].

4.19.1 Startup Script


Use the Startup Script window to create your own scripts which will be executed after all
of the initialization scripts are run – right after the router is turned on or rebooted. To save the
script press the Apply button.

Any changes made to a startup script will take effect next time the router is power cycled
or rebooted. This can be done with the Reboot button in the Administration section, or
by SMS message.

4.19.2 Example of Startup Script

Figure 78: Example of a Startup Script

When the router starts up, stop syslogd program and start syslogd with remote logging
on address 192.168.2.115 and limited to 100 entries. Add these lines to the startup script:

killall syslogd
syslogd -R 192.168.2.115 -S 100

143
ICR-3200

4.19.3 Up/Down Scripts


Use the Up/Down IPv4 and Up/Down IPv6 page to create scripts executed when the WAN
connection is established (up) or lost (down). There is an independent IPv4 and IPv6 dual-
stack implemented in the router, so there is independent IPv4 and IPv6 Up/Down script. IPv4
Up/Down Script runs only on the IPv4 WAN connection established/lost, IPv6 Up/Down Script
runs only on the IPv6 WAN connection established/lost. Any scripts entered into the Up Script
window will run after a WAN connection is established. Script commands entered into the
Down Script window will run when the WAN connection is lost.

The changes in settings will apply after pressing the Apply button. Also you need to reboot
the router to make Up/Down Script work.

4.19.4 Example of IPv6 Up/Down Script

Figure 79: Example of IPv6 Up/Down Script

After establishing or losing an IPv6 WAN connection, the router sends an email with infor-
mation about the connection state. It is necessary to configure SMTP before.

Add this line to the Up Script field:

email -t [email protected] -s "Router" -m "Connection up."

Add this line to the Down Script field:

email -t [email protected] -s "Router" -m "Connection down."

144
ICR-3200

4.20 Automatic Update Configuration


Use the Automatic Update menu to configure the automatic update settings. The router can
be configured to automatically check for firmware and configuration updates from a HTTP(S)
or FTP(S) server. IPv6 sites/servers are supported. Used protocol is specified by an address
in Base URL field: HTTP, HTTPS, FTP or FTPS. To prevent possible unwanted manipulation
of the files, the router verifies that the downloaded file is in the tar.gz format. At first, the format
of the downloaded file is checked. Then the type of architecture and each file in the archive
(tar.gz file) is checked.

If the Enable automatic update of configuration option is selected, the router will check if
there is a configuration file on the remote server, and if the configuration in the file is different
than its current configuration, it will update its configuration to the new settings and reboot.

If the Enable automatic update of firmware option is checked, the router will look for a new
firmware file and update its firmware if necessary.

Item Description
Base URL Base URL, IPv4 or IPv6 address from which the configuration file will
be downloaded. This option also specifies the communication protocol
(HTTP, HTTPS, FTP or FTPS (only implicit mode is supported)), see
examples below.
Unit ID Name of configuration (name of the file without extension). If the Unit
ID is not filled, the MAC address of the router is used as the filename
(the delimiter colon is used instead of a dot.)
Update Hour Use this item to set the hour (range 1-24) when the automatic update
will be performed every day. If the time is not specified, automatic up-
date is performed five minutes after turning on the router and then
every 24 hours. If the detected configuration file is different from the
running one, it is downloaded and the router is restarted automatically.
Decryption Password for decryption of crypted configuration file. This is required
Password only in case the configuration is encrypted.
Update Window Choose an hour (range from 1 to 24) when the automatic update will
Start be performed on a daily basis.
If the time is not specified (set to dynamic), the automatic update is
performed five minutes after router boots up and then regularly every
24 hours.
Update Window This value defines the period within the update will be done.
Length This period starts at the time set in the Update Window Start field.
The exact time, when the update will be done, is generated randomly.
Table 75: Automatic Update Configuration

145
ICR-3200

The configuration file name consists of Base URL, hardware MAC address of ETH0
interface and cfg extension. Hardware MAC address and cfg extension are added to the
file name automatically and it isn’t necessary to enter them. When the parameter Unit ID is
enabled, it defines the concrete configuration name which will be downloaded to the router,
and the hardware MAC address in the configuration name will not be used.

The firmware file name consists of Base URL, type of router and bin extension. For the
proper firmware filename, see the Update Firmware page in Administration section – it us
written out there, see Chapter 5.12.

It is necessary to load two files (*.bin and *.ver) to the HTTP/FTP server. If only the *.bin
file is uploaded and the HTTP server sends the incorrect answer of 200 OK (instead of
the expected 404 Not Found) when the device tries to download the nonexistent *.ver
file, then it can happen that the router will download the *.bin file over and over again.

Firmware update can cause incompatibility with the router apps. It is recommended that
you update router apps to the most recent version. Information about the router apps and
the firmware compatibility is at the beginning of the router app’s Application Note.

The automatic update feature is also executed five minutes after the firmware upgrade,
regardless of the scheduled time.

146
ICR-3200

4.20.1 Example of Automatic Update


The following example the router checks for new firmware or configuration file each day at
1:00 a.m. This example is given for the SmartStart router.

• Firmware file: https://example.com/SPECTRE-v3L-LTE.bin


• Configuration file: https://example.com/test.cfg

Figure 80: Example of Automatic Update 1

147
ICR-3200

4.20.2 Example of Automatic Update Based on MAC


The following example checks for new firmware or configurations each day between
1:00 a.m. and 3:00 a.m. The configuratin file is encrypted, therefore the decryption pass-
word was configured. This example is given for the SmartStart router with MAC address
00:11:22:33:44:55.

• Firmware file: https://example.com/SPECTRE-v3L-LTE.bin


• Configuration file: https://example.com/00.11.22.33.44.55.cfg

Figure 81: Example of Automatic Update 2

148
ICR-3200

5. Administration
5.1 Users

This configuration menu is only available for users with the admin role!

Be careful not to lock all users of the Admin role. In this state, any user has access rights
to configure the users!

To manage the users, open the Users form in the Administration section of the main menu,
see Figure 82.

Figure 82: Users Administration Form

The first part of this configuration form contains an overview of all existing users. Table 76
describes the meaning of the buttons on every user’s right.

Button Description
Lock Locks the user account. This user is not allowed to log in to the
router, neither to the web interface nor to SSH.
Change Password Allows you to change the password for the corresponding user.
Valid characters are not restricted.
Delete Deletes the user account.
Table 76: Button Description

149
ICR-3200

The second part of the configuration form allows adding a new user. All items are described
in Table 77.

Item Description
Role • User
◦ User with basic permissions.
◦ Read-only access to the web GUI.
◦ Some menu items are hidden in the web GUI.
◦ Full access to Router Apps GUI.
◦ No access to the router via Telnet, SSH or SFTP.
◦ Read-only access to the FTP server.
• Admin
◦ User with enhanced permissions.
◦ Full access to all items in the web GUI.
◦ Access to the router via Telnet, SSH or SFTP.
◦ Not the same rights as the superuser on a Linux-based sys-
tem.
Username Specifies the name of the user having access to log in to the device.
Password Specifies the password for the user. Valid characters are not re-
stricted.
Confirm Password Confirms the password.
Table 77: User Parameters

150
ICR-3200

5.2 Change Profile


In addition to the standard profile, up to three alternate router configurations or profiles can
be stored in router’s non-volatile memory. You can save the current configuration to a router
profile through the Change Profile menu item. Select the alternate profile to store the settings to
and ensure that the Copy settings from current profile to selected profile box is checked. The
current settings will be stored in the alternate profile after the Apply button is pressed. Any
changes will take effect after restarting router through the Reboot menu in the web adminis-
trator or using an SMS message.

Example of using profiles: Profiles can be used to switch between different modes of op-
eration of the router such as PPP connection, VPN tunnels, etc. It is then possible to switch
between these settings using the front panel binary input, an SMS message, or Web interface
of the router.

Figure 83: Change Profile

151
ICR-3200

5.3 Change Password


Use the Change Password configuration form in the Administration section of the main
menu for changing your password used to log on the device. Enter the new password in the
New Password field, confirm the password using the Confirm Password field, and press the
Apply button. Characters for the password are not restricted.

The default password for the root user is printed out on the router’s label.12 To maintain
the security of your network change the default password. You can not enable remote
access to the router for example, in NAT, until you change the password.

Figure 84: Change Password

1
If the router’s label does not contain a unique password, use the password "root".
2
ICR-3241(W)-1ND models have the defaul username "admin".

152
ICR-3200

5.4 Two-Factor Authentication

If the configuration of two-factor authentication fails or does not complete properly, you
will no longer be able to log in to the router under that user. The only solution is to perform
the factory reset. To avoid the factory reset, consider setting up a backup account to log
in to the router in case of problems during configuration. You can delete this backup
account after successfully configuring two-factor authentication.

For a successful login, using two-factor authentication, the correct system time must be
set on the router. Therefore, it is strongly recommended to enable Synchronize clock with
NTP server option, see chapter 4.17.4 NTP.

Implementation Notes

• Two different two-factor implementations are supported:


◦ Google Authenticator,
◦ OATH Toolkit.
• Implemented for the following services only:
◦ the router’s web server logging,
◦ SSH logging,
◦ TELNET logging.
• Two-factor authentication is disabled by default.
• Two-factor authentication data are backed up/restored during user backup/restore.
• All private two-factor authentication data are removed when the corresponding user is
deleted.
• No internet or mobile connection is required to use two-factor authentication, but keep in
mind the need to synchronize the system time.

Configuration Steps

1. Enable the two-factor authentication service as described in chapter 4.17.5 PAM -> Two-
Factor Authentication Service.
2. Enable the two-factor authentication for currently logged users as described in this chap-
ter, section User Configuration.
3. Use an application or service to perform the two-factor authentication to the router as
described in this chapter, section Authenticator.

153
ICR-3200

User Configuration

Configuration of the two-factor authentication made in this chapter is valid for a user
logged in to the router. However, once the user logs out, the next time the user logs in,
two-factor authentication will be required, without which the user will no longer log in to
the router.

If you have enabled one of the two-factor authentication services, as mentioned above,
you should see the Enabled state as shown in Figure 85 for the Google Authenticator service.

Figure 85: Two-factor User Configuration

A secret key is required to activate the two-factor authentication. You can generate this key
by choosing the Generate a new secret key option, as shown in Figure 85. You can upload
the key from a file using Upload a new secret key and choose the file. Click the Apply button,
and the secret key will be saved. Next, click the Show button, located at right from the secret
key, and write down the secret key, see Figure 86.

Write down the secret key carefully before you log out. Otherwise, you will not be able to
log in again.

Figure 86: Secret Key

Similarly, you can configure the secret key for the OATH service.

154
ICR-3200

Authenticator

To log in with a user with two-factor authentication, you need an Authenticator applica-
tion. Both Google Authenticator and OATH use TOTP (Time-based one-time password, RFC
6238) mode by default. You can use any compatible authenticator. For information about
authenticator usage, see the corresponding manual.

You can use the Google Authenticator application; see Figure 87 for the download links.

Figure 87: Links for Google Authenticator Application

Authenticator-Extension is available as an extension for all popular browsers; see Figure 88


for the download links.

Figure 88: Links for Authenticator-Extension

In an Authenticator application, you enter a new entry and enter the secret key you have
written down, see Figure 86.

155
ICR-3200

Router Web Login

When logging to the router web, enter the Username and Password, just as you log in
standardly; see Figure 89.

Figure 89: Standard Logging

Now you are prompted to enter the Verification Code; see Figure 90. This code you need
to get from your Authenticator. Note that there is a limited time for code usage. This time
should be within five minutes, assuming the system time is correct.

Figure 90: Verification Code

After entering the correct code, you are successfully logged in to the router’s web interface.

SSH and Telnet Logging

Logging by the SSH and Telnet with the two-factor authentication is similar. Enter your
username, password, and generated verification code. For an example of SSH login, see
Figure 91.

Figure 91: SSH Logging

156
ICR-3200

5.5 Set Real Time Clock


You can set the internal clock directly using the Set Real Time Clock dialog in the Ad-
ministration section of in the main menu. You can set the Date and Time manually. When
entering the values manually use the format yyyy-mm-dd as seen in the figure below. You can
also adjust the clock using the specified NTP server. IPv4, IPv6 address or domain name is
supported. After you enter the appropriate values, click the Apply button.

Figure 92: Set Real Time Clock

157
ICR-3200

5.6 Set SMS Service Center

The ICR-3201 (LAN version) has no the Set SMS Service Center administration menu
option.

The function requires you to enter the phone number of the SMS service center to send
SMS messages. To specify the SMS service center phone number use the Set SMS Ser-
vice Center configuration form in the Administration section of the main menu. You can leave
the field blank if your SIM card contains the phone number of the SMS service center by
default. This phone number can have a value without an international prefix (xxx-xxx-xxx)
or with an international prefix (+420-xxx-xxx-xxx). If you are unable to send or receive SMS
messages, contact your carrier to find out if this parameter is required.

Figure 93: Set SMS Service Center Address

5.7 Unlock SIM Card

The ICR-3201 (LAN version) has no the Unlock SIM Card administration menu option.

It is possible to use the SIM card protected by PIN number in the router – just fill in the PIN
on the Mobile WAN Configuration page. Here you can remove the PIN protection (4–8 digit
Personal Identification Number) from the SIM card, if your SIM card is protected by one. Open
the Unlock SIM Card form in the Administration section of the main menu and enter the PIN
number in the SIM PIN field, then click the Apply button. It is applied on the currently enabled
SIM card, or on the first SIM card if there is no SIM card enabled at the moment.

The SIM card is blocked after three failed attempts to enter the PIN code. Unblocking of
SIM card by PUK number is described in next chapter.

Figure 94: Unlock SIM Card

158
ICR-3200

5.8 Unblock SIM Card

The ICR-3201 (LAN version) has no the Unblock SIM Card administration menu option.

On this page you can unblock the SIM card after 3 wrong PIN attempts or change the PIN
code of the SIM card. To unblock the SIM card, go to Unblock SIM Card administration page.
In both cases enter the PUK code into SIM PUK field and new SIM PIN code into New SIM
PIN field. To proceed click on Apply button. It is applied on the currently enabled SIM card, or
on the first SIM card if there is no SIM card enabled at the moment.

The SIM card will be permanently blocked after the three unsuccessful attempts of the
PUK code entering.

Figure 95: Unblock SIM Card

5.9 Send SMS

The ICR-3201 (LAN version) has no the Send SMS administration menu option.

You can send an SMS message from the router to test the cellular network. Use the Send
SMS dialog in the Administration section of the main menu to send SMS messages. Enter the
Phone number and text of your message in the Message field, then click the Send button. The
router limits the maximum length of an SMS to 160 characters. (To send longer messages,
install the pduSMS router app).

Figure 96: Send SMS

It is also possible to send an SMS message using CGI script. For details of this method.
See the application note Commands and Scripts [1].

159
ICR-3200

5.10 Backup Configuration

Keep in mind potential security issues when creating backup, especially for user ac-
counts. Encrypted configuration or secured connection to the router should be used.

You can save actual configuration of the router using the Backup Configuration item in
the Administration menu section. If you click on this item a configuration pane will open, see
Figure 97. Here you can choose what will be backed up. You can back up configuration of
the router (item Configuration) or configuration of all user accounts (item Users). Both types
of the configuration can be backed up separately or at once into one configuration file.

It is recommended to save the configuration into an encrypted file. If the encryption


password is not configured, the configuration is stored into an unencrypted file.

Click on Apply button and the configuration will be stored into configuration file (file with
cfg extension) into a directory according the settings of the web browser. Stored configuration
can be later used for its restoration, see Chapter 5.11 for more information.

Figure 97: Backup Configuration

160
ICR-3200

5.11 Restore Configuration


You can restore a router configuration stored in a file. You have created the file as shown
in the previous chapter.
To restore the configuration from this file, use the Restore Configuration form. Next, click
the Browse button to navigate the directory containing the configuration file you wish to load to
the router. If the configuration was stored in an encrypted file, the decryption password must
be set to decrypt the file successfully. To start the restoration process, click on Apply button.

Figure 98: Restore Configuration

161
ICR-3200

5.12 Update Firmware

For security reasons, we highly recommend updating the router’s firmware to the latest
version regularly. Downgrading the firmware to an older version than the production
version or uploading firmware intended for a different device may cause the device’s
malfunction.

The firmware update can cause an incompatibility issue with a router app. It is recom-
mended to update all router apps to the most recent version together with the firmware
of the router. Information about the router apps compatibility is available at the beginning
of the app’s Application Note.

Firmware for the routers can be obtained on the product page on Engineering Portal, which is
available at https://icr.advantech.cz/support/router-models.

Update Firmware administration page shows the current router’s firmware version and cu-
rrent firmware name, see Figure 99. On this page, the firmware of the router can be updated
as well.

Figure 99: Update Firmware Administration Page

To load new firmware to the router, click on Choose File button, choose the firmware file
and press the Update button to start the firmware update.

162
ICR-3200

During the firmware update, the router will display messages, as shown in Figure 100.
When done, the router will reboot automatically. When rebooted, click the here link to re-open
the web interface.

Figure 100: Process of Firmware Update

5.13 Reboot
To reboot the router select the Reboot menu item and then press the Reboot button.

Figure 101: Reboot

5.14 Logout
By clicking the Logout menu item, the user is logged out from the web interface.

163
ICR-3200

6. Configuration in Typical Situations


Although Advantech routers have wide variety of uses, they are commonly used in the
following ways. All the examples below are for IPv4 networks.

6.1 Access to the Internet from LAN

Figure 102: Access to the Internet from LAN – sample topology

In this example, a LAN connecting to the Internet via a mobile network, the SIM card with
a data tariff has to be provided by the mobile network operator. This requires no initial con-
figuration. You only need to place the SIM card in the SIM1 slot (Primary SIM card), attach
the antenna to the ANT connector and connect the computer (or switch and computers) to
the router’s ETH0 interface (LAN). Wait a moment after turning on the router. The router will
connect to the mobile network and the Internet. This will be indicated by the LEDs on the front
panel of the router (WAN and DAT ).
Additional configuration can be done in the Ethernet and Mobile WAN items in the Config-
uration section of the web interface.

Ethernet configuration: The factory default IP address of the router’s ETH0 interface is in
the form of 192.168.1.1. This can be changed (after login to the router) in the Ethernet item
in the Configuration section, see Figure 103. In this case there is no need of any additional
configuration. The DHCP server is also enabled by factory default (so the first connected
computer will get the 192.168.1.2 IP address etc.). Other configuration options are described
in Chapter 4.1.

164
ICR-3200

Figure 103: Access to the Internet from LAN – Ethernet configuration

Mobile WAN Configuration: Use the Mobile WAN item in the Configuration section to con-
figure the connection to the mobile network, see Figure 104. In this case (depending on the
SIM card) the configuration form can be blank. But make sure that Create connection to mobile
network is checked (this is the factory default). For more details, see Chapter 4.3.1.

Figure 104: Access to the Internet from LAN – Mobile WAN configuration

To check whether the connection is working properly, go to the Mobile WAN item in the
Status section. You will see information about operator, signal strength etc. At the bottom,
you should see the message: Connection successfully established. The Network item should
display information about the newly created network interface, usb0 (mobile connection). You
should also see the IP address provided by the network operator, as well as the route table
etc. The LAN now has Internet access.

165
ICR-3200

6.2 Backup Access to the Internet from LAN

Figure 105: Backup access to the Internet – sample topology

The configuration form on the Backup Routes page lets you back up the primary connection
with alternative connections to the Internet/mobile network. Each backup connection can be
assigned a priority.

Figure 106: Backup access to the Internet – Ethernet configuration

166
ICR-3200

Ethernet configuration: In the Ethernet –> ETH0 item, you can use the factory default
configuration as in the previous situation. The ETH1 interface on the front panel of the router
is used for connection to the Internet. It can be configured in ETH1 menu item. Connect the
cable to the router and set the appropriate values as in Figure 106. You may configure the
static IP address, default gateway and DNS server. Changes will take effect after you click on
the Apply button. Detailed Ethernet configuration is described in Chapter 4.1.

WLAN configuration: To use the WLAN you will need to configure the WiFi station in the
WiFi - > Station item, as shown in Figure 107. Check the Enable WiFi STA, enable the DHCP
client and fill in the adresses of the default gateway and DNS server. Next, fill in the data for
the connection (SSID, authentication, encryption, WPA PSK Type and password). For details
see Chapter 4.6. Click the Apply button to confirm the changes.
To verify that the WiFi connection is successful, check the WiFi item in the Status section.
If the connection is successful you should see the following message: wpa_state=COMPLETED.

Figure 107: Backup access to the Internet – WiFi configuration

Mobile WAN configuration: To configure the mobile connection it should be sufficient to in-
sert the SIM card into the SIM1 slot and attach the antenna to the ANT connector. (Depending
on the SIM card you are using).
To set up backup routes you will need to enable Check Connection in the Mobile WAN
item. (See Figure 108.) Set the Check connection option to enabled + bind and fill in an IP
address of the mobile operator’s DNS server or any other reliably available server and enter
the time interval of the check. For detailed configuration, see Chapter 4.3.1.

167
ICR-3200

Figure 108: Backup access to the Internet – Mobile WAN configuration

Backup Routes configuration: After setting up the backup routes you will need to set their
priorities. In Figure 109, the ETH1 wired connection has the highest priority. If that connection
fails, the second choice will be the WiFi wlan0 network interface. The third choice will be the
mobile connection – usb0 network interface.
The backup routes system must be activated by checking the Enable backup routes switch-
ing item for each of the routes. Click the Apply button to confirm the changes. For detailed
configuration see Chapter 4.7.
You can verify the configured network interfaces in the Status section in the Network item.
You will see the active network interfaces: eth0 (connection to LAN), eth1 (wired connection
to the Internet), wlan0 (WiFi connection to the Internet) and usb0 (mobile connection to the
Internet). IP addresses and other data are included.
At the bottom of the page you will see the Route Table and corresponding changes if
a wired connection fails or a cable is disconnected (the default route changes to wlan0). Sim-
ilarly, if a WiFi connection is not available, the mobile connection will be used.
Backup routes work even if they are not activated in the Backup Routes item, but the router
will use the factory defaults.

168
ICR-3200

Figure 109: Backup access to the Internet – Backup Routes configuration

169
ICR-3200

6.3 Secure Networks Interconnection or Using VPN

Figure 110: Secure networks interconnection – sample topology

VPN (Virtual Private Network) is a protocol used to create a secure connection between two
LANs, allowing them to function as a single network. The connection is secured (encrypted)
and authenticated (verified). It is used over public, untrusted networks, see fig. 110. You may
use several different secure protocols.

• OpenVPN (it is a configuration item in the web interface of the router), see Chapter 4.11
or Application Note [5],

• IPsec (it is also configuration item in the web interface of the router), see Chapter 4.12
or Application Note [6].

You can also create non-encrypted tunnels: GRE, PPTP and L2TP. You can use GRE or
L2TP tunnel in combination with IPsec to create VPNs.
There is an example of an OpenVPN tunnel in Figure 110. To establish this tunnel you will
need the opposite router’s IP address, the opposite router’s network IP address (not neces-
sary) and the pre-shared secret (key). Create the OpenVPN tunnel by configuring the Mobile
WAN and OpenVPN items in the Configuration section.

Mobile WAN configuration: The mobile connection can be configured as described in the
previous situations. (The router connects itself after a SIM card is inserted into SIM1 slot and
an antenna is attached to the ANT connector.)
Configuration is accessible via the Mobile WAN item the Configuration section, see Chap-
ter 4.3.1). The mobile connection has to be enabled.

170
ICR-3200

OpenVPN configuration: OpenVPN configuration is done with the OpenVPN item in the
Configuration section. Choose one of the two possible tunnels and enable it by checking
the Create 1st OpenVPN tunnel. You will need to fill in the protocol and the port (according
to the settings on the opposite side of the tunnel or Open VPN server). You may fill in the
public IP address of the opposite side of the tunnel including the remote subnet and mask
(not necessary). The important items are Local and Remote Interface IP Address where the
information regarding the interfaces of the tunnel’s end must be filled in. In the example shown,
the pre-shared secret is known, so you would choose this option in the Authentication Mode
item and insert the secret (key) into the field. Confirm the configuration clicking the Apply
button. For detailed configuration see Chapter 4.11 or Application Note [5].

Figure 111: Secure networks interconnection – OpenVPN configuration

The Network item in the Status section will let you verify the activated network interface
tun0 for the tunnel with the IP addresses of the tunnel’s ends set. Successful connection can
be verified in the System Log where you should see the message: Initialization Sequence
Completed. The networks are now interconnected. This can also be verified by using the ping
program. (Ping between tunnel’s endpoint IP addresses from one of the routers. The console
is accessible via SSH).

171
ICR-3200

6.4 Serial Gateway

Figure 112: Serial Gateway – sample topology

The router’s serial gateway function lets you establish serial connectivity across the Internet
or with another network. Serial devices (meters, PLC, etc.) can then upload and download
data, see Figure 112.
Configuration is done in the Configuration section, Mobile WAN, with the Expansion Port 1
item for RS232, or Expansion Port 2 for RS485. In this example, the RS232 interface of the
router is used.

Mobile WAN configuration: Mobile WAN configuration is the same as in the previous ex-
amples. Just insert the SIM card into the SIM1 slot at the back of the router and attach the
antenna to the ANT connector at the front. No extra configuration is needed (depending on
the SIM card used). For more details see Chapter 4.3.1.

172
ICR-3200

Expansion Port 1 configuration: The RS232 interface (port) can be configured in the Con-
figuration section, via the Expansion Port 1 item, see Figure 113.) You will need to enable
the RS232 port by checking Enable expansion port 1 access over TCP/UDP. You may edit
the serial communication parameters (not needed in this example). The important items are
Protocol, Mode and Port. These set the parameters of communication out to the network and
the Internet. In this example the TCP protocol is chosen, and the router will work as a server
listening on the 2345 TCP port. Confirm the configuration clicking the Apply button.

Figure 113: Serial Gateway – konfigurace Expansion Port 1

To communicate with the serial device (PLC), connect from the PC (Labeled as SCADA
in Figure 112) as a TCP client to the IP address 10.0.6.238, port 2345 (the public IP address
of the SIM card used in the router, corresponding to the usb0 network interface). The devices
can now communicate. To check the connection, go to System Log (Status section) and look
for the TCP connection established message.

173
ICR-3200

7. Customization
7.1 Router Apps

Installing other than the FirstNet Router App may invalidate the FirtstNet certification.

You may run custom software programs, called Router Apps (formerly User Modules), in
the router to enhance the router’s features. Use the Router Apps menu item, see Figure 114,
to add a new application to the router, remove them, or change its configuration. First, use the
Choose File button to select the app (compiled application has *.tgz extension). Next, use
the Add or Update button to add an application to the router.

Figure 114: Router Apps GUI

The new application appears in the list of router apps on the same page; see Figure 115.
If the application contains an index.html or index.cgi page, the router app name serves as
a link to this page. The router app can be deleted using the Delete button.
Updating a router app is done the same way. Click the Add or Update button, and the
application with the higher (newer) version will replace the existing application. The current
application configuration is left in the same state.

Figure 115: Router Apps Added

Advantech has prepared many Router Apps in Connectivity, Routing, Services, Admin-
istration, Protocol Conversion, Node-RED, Integration, and Development categories. These
programs are available for free on the Router Apps webpage.

The programming and compiling of router applications is described in the Application Note
Programming of Router Apps [14].

174
ICR-3200

7.2 FirstNet Router App

The FirstNet router app is preinstalled for ICR-3241(W)-1ND models only.

Installing other than the FirstNet Router App may invalidate the FirtstNet certification.

The FirstNet router app, which can be located in the Customization -> Router Apps ->
FirstNet, display the global security status as shown in the picture below.

Figure 116: FirstNet Router App – Global Status

175
ICR-3200

Appendix A: Open Source Software License


The software in this device uses various pieces of open-source software governed by the
following licenses:

• GPL versions 2 and 3


• LGPL version 2
• BSD-style licenses
• MIT-style licenses

The list of components and complete license texts can be found on the device itself. See
the Licenses link at the bottom of the router’s main Web page (General Status) or point your
browser to this address (replace the DEVICE_IP string with the actual router’s IP address):

https://DEVICE_IP/licenses.cgi

This is a written offer valid for three years since the device purchase, offering any third party
for a charge no more than the cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code on a flash drive medium. If you are
interested in obtaining the source, please get in touch with us at:

[email protected]

Modifications and debugging of LGPL-linked executables:

The device manufacturer, with this, grants the right to use debugging techniques (e.g.,
decompilation) and make customer modifications of any executable linked with an LGPL library
for its purposes. Note these rights are limited to the customer’s usage. No further distribution
of such modified executables and no transmission of the information obtained during these
actions may be done.

Source codes under the GPL license are available at the following address:

https://icr.advantech.cz/source-code

176
ICR-3200

Appendix B: Glossary and Acronyms

Backup Routes Allows user to back up the pri- GRE Generic Routing Encapsulation (GRE) is
mary connection with alternative connections to a tunneling protocol that can encapsulate a wide
the Internet/mobile network. Each backup con- variety of network layer protocols inside virtual
nection can have assigned a priority. Switching point-to-point links over an Internet Protocol net-
between connections is done based upon set pri- work. It is possible to create four different tun-
orities and the state of the connections. nels.

DHCP The Dynamic Host Configuration Proto- HTTP The Hypertext Transfer Protocol (HTTP)
col (DHCP) is a network protocol used to con- is an application protocol for distributed, collab-
figure devices that are connected to a network orative, hypermedia information systems. HTTP
so they can communicate on that network using is the foundation of data communication for the
the Internet Protocol (IP). The protocol is imple- World Wide Web.
mented in a client-server model, in which DHCP Hypertext is structured text that uses logi-
clients request configuration data, such as an IP cal links (hyperlinks) between nodes containing
address, a default route, and one or more DNS text. HTTP is the protocol to exchange or transfer
server addresses from a DHCP server. hypertext.

DHCP client Requests network configuration HTTPS The Hypertext Transfer Protocol Secure
from DHCP server. (HTTPS) is a communications protocol for se-
cure communication over a computer network,
DHCP server Answers configuration request by with especially wide deployment on the Inter-
DHCP clients and sends network configuration net. Technically, it is not a protocol in and of it-
details. self; rather, it is the result of simply layering the
Hypertext Transfer Protocol (HTTP) on top of the
DNS The Domain Name System (DNS) is a hi-
SSL/TLS protocol, thus adding the security ca-
erarchical distributed naming system for comput-
pabilities of SSL/TLS to standard HTTP commu-
ers, services, or any resource connected to the
nications.
Internet or a private network. It associates var-
ious information with domain names assigned IP address An Internet Protocol address (IP
to each of the participating entities. Most promi- address) is a numerical label assigned to each
nently, it translates easily memorized domain device (e.g., computer, printer) participating in
names to the numerical IP addresses needed a computer network that uses the Internet Pro-
for the purpose of locating computer services tocol for communication. An IP address serves
and devices worldwide. By providing a world- two principal functions: host or network inter-
wide, distributed keyword-based redirection ser- face identification and location addressing. Its
vice, the Domain Name System is an essential role has been characterized as follows: A name
component of the functionality of the Internet. indicates what we seek. An address indicates
where it is. A route indicates how to get there
DynDNS client DynDNS service lets you ac-
The designers of the Internet Protocol defined an
cess the router remotely using an easy to re-
IP address as a 32-bit number and this system,
member custom hostname. This client monitors
known as Internet Protocol Version 4 (IPv4), is
the router’s IP address and updates it whenever
still in use today. However, due to the enormous
it changes.
growth of the Internet and the predicted deple-

177
ICR-3200

tion of available addresses, a new version of IP but methods of abbreviation of this full notation
(IPv6), using 128 bits for the address, was de- exist.
veloped in 1995.
L2TP Layer 2 Tunnelling Protocol (L2TP) is a
IP masquerade Kind of NAT. tunnelling protocol used to support virtual private
networks (VPNs) or as part of the delivery of ser-
IP masquerading see NAT. vices by ISPs. It does not provide any encryption
or confidentiality by itself. Rather, it relies on an
IPsec Internet Protocol Security (IPsec) is a
encryption protocol that it passes within the tun-
protocol suite for securing Internet Protocol (IP)
nel to provide privacy.
communications by authenticating and encrypt-
ing each IP packet of a communication ses- LAN A local area network (LAN) is a com-
sion. The router allows user to select encap- puter network that interconnects computers in
sulation mode (tunnel or transport), IKE mode a limited area such as a home, school, com-
(main or aggressive), IKE Algorithm, IKE En- puter laboratory, or office building using network
cryption, ESP Algorithm, ESP Encryption and media. The defining characteristics of LANs, in
much more. It is possible to create four different contrast to wide area networks (WANs), include
tunnels. their usually higher data-transfer rates, smaller
geographic area, and lack of a need for leased
IPv4 The Internet Protocol version 4 (IPv4) is
telecommunication lines.
the fourth version in the development of the In-
ternet Protocol (IP) and the first version of the NAT In computer networking, Network Address
protocol to be widely deployed. It is one of the Translation (NAT) is the process of modifying
core protocols of standards-based internetwork- IP address information in IPv4 headers while in
ing methods of the Internet, and routes most traf- transit across a traffic routing device.
fic in the Internet. However, a successor proto- The simplest type of NAT provides a one-to-one
col, IPv6, has been defined and is in various translation of IP addresses. RFC 2663 refers to
stages of production deployment. IPv4 is de- this type of NAT as basic NAT, which is often also
scribed in IETF publication RFC 791 (September called a one-to-one NAT. In this type of NAT only
1981), replacing an earlier definition (RFC 760, the IP addresses, IP header checksum and any
January 1980). higher level checksums that include the IP ad-
dress are changed. The rest of the packet is left
IPv6 The Internet Protocol version 6 (IPv6) is
untouched (at least for basic TCP/UDP function-
the latest revision of the Internet Protocol (IP),
ality; some higher level protocols may need fur-
the communications protocol that provides an
ther translation). Basic NATs can be used to in-
identification and location system for computers
terconnect two IP networks that have incompati-
on networks and routes traffic across the Inter-
ble addressing.
net. IPv6 was developed by the Internet Engi-
neering Task Force (IETF) to deal with the long- NAT-T NAT traversal (NAT-T) is a computer
anticipated problem of IPv4 address exhaustion. networking methodology with the goal to es-
IPv6 is intended to replace IPv4, which still car- tablish and maintain Internet protocol connec-
ries the vast majority of Internet traffic as of tions across gateways that implement network
2013. As of late November 2012, IPv6 traffic address translation (NAT).
share was reported to be approaching 1%.
IPv6 addresses are represented as eight groups NTP Network Time Protocol (NTP) is a net-
of four hexadecimal digits separated by colons working protocol for clock synchronization be-
(2001:0db8:85a3:0042:1000:8a2e:0370:7334), tween computer systems over packet-switched,

178
ICR-3200

variable-latency data networks. infrastructure scheme. The most common com-


mercial variety is based on the ITU-T X.509 stan-
OpenVPN OpenVPN implements virtual pri- dard, which normally includes a digital signature
vate network (VPN) techniques for creating se- from a certificate authority (CA).
cure point-to-point or site-to-site connections. It Digital certificates are verified using a chain of
is possible to create four different tunnels. trust. The trust anchor for the digital certificate is
the Root Certificate Authority (CA). See X.509.
PAT Port and Address Translation (PAT) or Net-
work Address Port Translation (NAPT) see NAT. Router A router is a device that forwards data
packets between computer networks, creating
Port In computer networking, a Port is an
an overlay internetwork. A router is connected
application-specific or process-specific software
to two or more data lines from different net-
construct serving as a communications endpoint
works. When a data packet comes in one of the
in a computer’s host operating system. A port is
lines, the router reads the address information
associated with an IP address of the host, as
in the packet to determine its ultimate destina-
well as the type of protocol used for communi-
tion. Then, using information in its routing ta-
cation. The purpose of ports is to uniquely iden-
ble or routing policy, it directs the packet to the
tify different applications or processes running
next network on its journey. Routers perform the
on a single computer and thereby enable them
traffic directing functions on the Internet. A data
to share a single physical connection to a packet-
packet is typically forwarded from one router to
switched network like the Internet.
another through the networks that constitute the
PPTP The Point-to-Point Tunneling Protocol internetwork until it reaches its destination node.
(PPTP) is a tunneling protocol that operates at
SFTP Secure File Transfer Protocol (SFTP) is
the Data Link Layer (Layer 2) of the OSI Ref-
a secure version of File Transfer Protocol (FTP),
erence Model. PPTP is a proprietary technique
which facilitates data access and data transfer
that encapsulates Point-to-Point Protocol (PPP)
over a Secure Shell (SSH) data stream. It is part
frames in Internet Protocol (IP) packets using
of the SSH Protocol. This term is also known as
the Generic Routing Encapsulation (GRE) pro-
SSH File Transfer Protocol.
tocol. Packet filters provide access control, end-
to-end and server-to-server. SMTP The SMTP (Simple Mail Transfer Proto-
col) is a standard e-mail protocol on the Internet
RADIUS Remote Authentication Dial-In User
and part of the TCP/IP protocol suite, as defined
Service (RADIUS) is a networking protocol that
by IETF RFC 2821. SMTP defines the message
provides centralized Authentication, Authoriza-
format and the message transfer agent (MTA),
tion, and Accounting (AAA or Triple A) manage-
which stores and forwards the mail. SMTP by de-
ment for users who connect and use a network
fault uses TCP port 25. The protocol for mail sub-
service. Because of the broad support and the
mission is the same, but uses port 587. SMTP
ubiquitous nature of the RADIUS protocol, it is
connections secured by SSL, known as SMTPS,
often used by ISPs and enterprises to manage
default to port 465.
access to the Internet or internal networks, wire-
less networks, and integrated e-mail services. SMTPS SMTPS (Simple Mail Transfer Protocol
Secure) refers to a method for securing SMTP
Root certificate In cryptography and com-
with transport layer security. For more informa-
puter security, a root certificate is either an un-
tion about SMTP, see description of the SMTP.
signed public key certificate or a self-signed cer-
tificate that identifies the Root Certificate Author- SNMP The Simple Network Management Pro-
ity (CA). A root certificate is part of a public key

179
ICR-3200

tocol (SNMP) is an Internet-standard protocol to other hosts on an Internet Protocol (IP) net-
for managing devices on IP networks. Devices work without prior communications to set up spe-
that typically support SNMP include routers, cial transmission channels or data paths. The
switches, servers, workstations, printers, mo- protocol was designed by David P. Reed in 1980
dem racks, and more. It is used mostly in net- and formally defined in RFC 768.
work management systems to monitor network-
attached devices for conditions that warrant ad- URL A uniform resource locator, abbreviated
ministrative attention. SNMP is a component of URL, also known as web address, is a spe-
the Internet Protocol Suite as defined by the In- cific character string that constitutes a refer-
ternet Engineering Task Force (IETF). It con- ence to a resource. In most web browsers, the
sists of a set of standards for network manage- URL of a web page is displayed on top in-
ment, including an application layer protocol, a side an address bar. An example of a typi-
database schema, and a set of data objects. cal URL would be http://www.example.com/
index.html, which indicates a protocol (http), a
SSH Secure Shell (SSH), sometimes known hostname (www.example.com), and a file name
as Secure Socket Shell, is a UNIX-based com- (index.html). A URL is technically a type of uni-
mand interface and protocol for securely getting form resource identifier (URI), but in many tech-
access to a remote computer. It is widely used nical documents and verbal discussions, URL is
by network administrators to control Web and often used as a synonym for URI, and this is not
other kinds of servers remotely. SSH is actually considered a problem.
a suite of three utilities – slogin, ssh, and scp
– that are secure versions of the earlier UNIX VPN A virtual private network (VPN) extends a
utilities, rlogin, rsh, and rcp. SSH commands private network across a public network, such as
are encrypted and secure in several ways. Both the Internet. It enables a computer to send and
ends of the client/server connection are authen- receive data across shared or public networks
ticated using a digital certificate, and passwords as if it were directly connected to the private net-
are protected by being encrypted. work, while benefiting from the functionality, se-
curity and management policies of the private
TCP The Transmission Control Protocol (TCP) network. This is done by establishing a virtual
is one of the core protocols of the Internet proto- point-to-point connection through the use of ded-
col suite (IP), and is so common that the entire icated connections, encryption, or a combination
suite is often called TCP/IP. TCP provides reli- of the two.
able, ordered, error-checked delivery of a stream A VPN connection across the Internet is similar
of octets between programs running on comput- to a wide area network (WAN) link between the
ers connected to a local area network, intranet sites. From a user perspective, the extended net-
or the public Internet. It resides at the transport work resources are accessed in the same way as
layer. resources available from the private network.
Web browsers use TCP when they connect to
servers on the World Wide Web, and it is used VPN server see VPN.
to deliver email and transfer files from one loca-
VPN tunnel see VPN.
tion to another.
VRRP VRRP protocol (Virtual Router Redun-
UDP The User Datagram Protocol (UDP) is one
dancy Protocol) allows you to transfer packet
of the core members of the Internet protocol suite
routing from the main router to a backup router
(the set of network protocols used for the Inter-
in case the main router fails. (This can be used
net). With UDP, computer applications can send
to provide a wireless cellular backup to a primary
messages, in this case referred to as datagrams,

180
ICR-3200

wired router in critical applications). uring Advantech’s routers and IoT gateways. It
provides a zero-touch enablement platform for
WAN A wide area network (WAN) is a network each remote device.
that covers a broad area (i.e., any telecommu-
nications network that links across metropolitan, WebAccess/VPN WebAccess/VPN is an ad-
regional, or national boundaries) using private or vanced VPN management solution for safe in-
public network transports. Business and govern- terconnection of Advantech routers and LAN net-
ment entities utilize WANs to relay data among works in public Internet. Connection among de-
employees, clients, buyers, and suppliers from vices and networks can be regional or global and
various geographical locations. In essence, this can combine different technology platforms and
mode of telecommunication allows a business various wireless, LTE, fixed and satellite connec-
to effectively carry out its daily function regard- tivities.
less of location. The Internet can be considered
a WAN as well, and is used by businesses, gov- X.509 In cryptography, X.509 is an ITU-T
ernments, organizations, and individuals for al- standard for a public key infrastructure (PKI)
most any purpose imaginable. and Privilege Management Infrastructure (PMI).
X.509 specifies, amongst other things, standard
WebAccess/DMP WebAccess/DMP is an ad- formats for public key certificates, certificate re-
vanced Enterprise-Grade platform solution for vocation lists, attribute certificates, and a certifi-
provisioning, monitoring, managing and config- cation path validation algorithm.

181
ICR-3200

Appendix C: Index

A DNS64 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Domain Name System . . . . . . . . . . . . . . see DNS
Access Point DoS attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Configuration . . . . . . . . . . . . . . . . . . . . . . . . . 53 Dynamic Host Configuration Protocol . . . . . see
Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 DHCP
Accessing the router . . . . . . . . . . . . . . . . . . . . . . . . 7 DynDNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24, 112
Add User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149 DynDNSv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . 24, 112
APN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
AT commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
E
B Expansion Port
RS232 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Backup Configuration. . . . . . . . . . . . . . . . . . . . . 160 RS485 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Backup Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Binary I/O . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Bridge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 F
Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
C Filtering of Forwarded Packets . . . . . . . . 71
Filtering of Incoming Packets . . . . . . . . . . 71
Change Password . . . . . . . . . . . . . . . . . . . . . . . . 152 Protection against DoS attacks . . . . . . . . 72
Change Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . 151 Firmware update . . . . . . . . . . . . . . . . . . . . 145, 162
Clock synchronization . . . . . . . . . . . . . . . . . . . . 115 Firmware version . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Configuration update . . . . . . . . . . . . . . . . . . . . . 145 FTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Control SMS messages . . . . . . . . . . . . . . . . . . 127

G
D
GRE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103, 177
Data limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Default Gateway . . . . . . . . . . . . . . . . . . . . . . . 28, 60
Default IP address . . . . . . . . . . . . . . . . . . . . . . . . . . 7 H
Default password . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Default SIM card . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 HTTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Default username . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
DHCP . . . . . . . . . . . . . . . . . . . . . . . . 21, 28, 60, 177
DHCPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 I
Dynamic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Static . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 ICMPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
DHCPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . 21, 28, 60 IPsec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88, 178
DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177 Authenticate Mode . . . . . . . . . . . . . . . . . . . . 95
DNS server . . . . . . . . . . . . . . . . . . . . . . . . 28, 44, 60 Encapsulation Mode . . . . . . . . . . . . . . . . . . 93

182
ICR-3200

IKE Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93 Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179


IPv4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178 PPPoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
IPv6 9, 19, 27, 30, 42, 44, 70, 75, 82, 88, 112, PPPoE Bridge Mode . . . . . . . . . . . . . . . . . . . . . . . 50
144 PPTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109, 179
Prefix delegation . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
PUK number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
L
L2TP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106, 178
LAN R
ETH0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
ETH1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . 31, 53, 57
IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 Reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Location Area Code . . . . . . . . . . . . . . . . . . . . . . . 12 Remote access . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Logout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163 Restore Configuration . . . . . . . . . . . . . . . . . . . . 161
Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Accessing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Equipment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
M
Optional Features . . . . . . . . . . . . . . . . . . . . . . 1
Mobile network . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 Router Apps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Multiple WANs . . . . . . . . . . . . . . . . . . . . . . . . . 65, 69

S
N
Save Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75, 178
Save Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
NAT64 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Send SMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Neighbouring WiFi Networks . . . . . . . . . . . . . . . 16
SERIAL I/O . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Network Address Translation . . . . . . . . see NAT
Serial line
NTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115, 178
RS232 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
NTP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
RS485 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Serial number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Set internal clock . . . . . . . . . . . . . . . . . . . . . . . . . 157
O
Signal Quality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Object Identifier . . . . . . . . . . . . . . . . . . . . . . . . . . 121 Simple Network Management Protocol . . . . see
OpenVPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82, 179 SNMP
Authenticate Mode . . . . . . . . . . . . . . . . . . . . 84 SMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
SMS Service Center . . . . . . . . . . . . . . . . . . . . . . 158
SMTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124, 179
P SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120, 180
SSH. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
PAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116 Startup Script . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152 Static Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
PAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 Switch between SIM Cards . . . . . . . . . . . . . . . . 45
PIN number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158 Syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
PLMN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 System Log. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

183
ICR-3200

T V
TCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180 Virtual private network. . . . . . . . . . . . . . . see VPN
Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137 VPN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Transfer speed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 VRRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38, 180
Transmission Control Protocol . . . . . . . see TCP
Two-Factor Authentication . . . . . . . . . . . 119, 153

W
U
Web interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
UDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
WiFi
Unblock SIM card . . . . . . . . . . . . . . . . . . . . . . . . 159
Uniform resource locator . . . . . . . . . . . . see URL Authentication . . . . . . . . . . . . . . . . . . . . . 56, 61
Unlock SIM card. . . . . . . . . . . . . . . . . . . . . . . . . . 158 HW Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Up/Down script . . . . . . . . . . . . . . . . . . . . . . . . . . . 144 WiFi AP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
URL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180 WiFi STA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Usage Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . 151 WiFi Station
User Datagram Protocol . . . . . . . . . . . . . see UDP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . 60
Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149 WireGuard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

184
ICR-3200

Appendix D: Related Documents

[1] Commands and Scripts


[2] Remote Monitoring
[3] WebAccess/VPN
[4] R-SeeNet
[5] OpenVPN Tunnel
[6] IPsec Tunnel
[7] GRE Tunnel
[8] WireGuard Tunnel
[9] FlexVPN
[10] VLAN
[11] SNMP Object Identifiers
[12] AT Commands (AT-SMS)
[13] Quality of Service (QoS)
[14] Programming of Router Apps
[15] Security Guidelines

[EP] Product-related documents and applications can be obtained on Engineering Portal at


https://icr.advantech.cz/download address.

[RA] Router Apps (formerly User modules) and related documents can be obtained on Engineering
Portal at https://icr.advantech.cz/products/router-apps address.

185

You might also like