Digi TransPort LR54, TransPort WR64, TransPort WR54 User Manual

Digi TransPort® WR Routers
for models LR54, WR54, and WR64
User Guide
Revision history—90002282
Revision Date Description
B April 2018
C May 2018
Updated to support Digi TransPort firmware version 4.2.0.22. This release focuses on support for using a TransPort router in transit scenarios. Feature enhancements include:
- Wi-Fi client and access point mode support and enhancements. See Wi-Fi interfaces.
- Hotspot configuration enhancements, including support for HotspotSystem. See Hotspot.
- IPv6 support.
- Health reporting enhancements. See Enable health reporting and set sample interval.
- Location (GNSS) enhancements. See location and show location.
- Power configuration support. See Configure power delays for power ignition sensor and Configure Power button power down behavior.
Digi TransPort version 4.2.1 includes the following:
- Hotspot configuration enhancements, including support for setting the DHCP lease time. See Hotspot.
- Support for creating policy-based rules. See routing-rule and show routing-rule.
D September 2018
Digi TransPort version 4.3 includes the following new features and enhancements:
- Support for the Digi TransPort LR54
- Support for Dynamic Mobile Network Routing (DMNR)
- Support for Generic Routing Encapsulation (GRE)
- Support for cellular SIM pin management
- Support for DHCP relay
- Support for IPsec XAuth authentication
E October 2018
F December 2018
Digi TransPort version 4.4 includes the following new features and enhancements:
- Support for Network Time Protocol (NTP) server
- Enhanced location information:
  - Support for receiving NMEA and TAIP messages from external location information sources
  - Support for forwarding NMEA and TAIP messages to an external host
- IPsec updates:
  - IKEv2 support
  - Multiple subnet support
  - SHA384 ESP and IKE support (WR64 only)
  - AES GCM ESP and IKE support (WR64 only)
  - Diffie-Hellman group 20 ESP and IKE support
Digi TransPort version 4.5 includes the following new features and enhancements:
- Support for the Digi TransPort WR54.
- Support for PySerial.
- Support for DHCP static IP mapping.
- Support for configuration of DHCP options.

Applicable models

Digi TransPort version 4.5 supports the following Digi TransPort routers:
- Digi TransPort LR54
  See Digi TransPort LR54 Hardware Reference
- Digi TransPort WR54
  See Digi TransPort WR54 Hardware Reference
- Digi TransPort WR64
  See Digi TransPort WR64 Hardware Reference
Trademarks and copyright
Digi, Digi International, and the Digi logo are trademarks or registered trademarks in the United States and other countries worldwide. All other trademarks mentioned in this document are the property of their respective owners.
© 2018 Digi International Inc. All rights reserved.
Disclaimers
Information in this document is subject to change without notice and does not represent a commitment on the part of Digi International. Digi provides this document “as is,” without warranty of
any kind, expressed or implied, including, but not limited to, the implied warranties of fitness or merchantability for a particular purpose. Digi may make improvements and/or changes in this manual or in the product(s) and/or the program(s) described in this manual at any time.
Warranty
To view product warranty information, go to the following website:
www.digi.com/howtobuy/terms
Customer support
Gather support information: Before contacting Digi technical support for help, gather the following information:
- Product name and model
- Product serial number(s)
- Firmware version
- Operating system/browser (if applicable)
- Logs (from time of reported issue)
- Trace (if possible)
- Description of issue
- Steps to reproduce
Contact Digi technical support: Digi offers multiple technical support plans and service packages. Contact us at +1 952.912.3444 or visit us at www.digi.com/support.
Feedback
To provide feedback on this document, email your comments to techcomm@digi.com.
Include the document title and part number (Digi TransPort WR Routers User Guide, 90002282 F) in the subject line of your email.
Contents
Applicable models
What's new in Digi TransPort version 4.5
Configuration and management
  Using the web interface
  Log in to the web interface
  Log out of the web interface
  Using the command line
  Access the command line interface
  Log in to the command line interface
  Exit the command line interface
  Execute a command from the web interface
  Display command and parameter help using the ? character
  Revert command settings using the ! character
  Auto-complete commands and parameters
  Enter configuration commands
  Display status and statistics using show commands
  Enter strings in configuration commands
Interfaces
  Ethernet interfaces
  Configure Ethernet interfaces
  Show Ethernet status and statistics
  Cellular interfaces
  Configure cellular interfaces
  Show cellular status and statistics
  Unlock a SIM card
  Signal strength for 4G cellular connections
  Signal strength for 3G and 2G cellular connections
  Tips for improving cellular signal strength
  Wi-Fi interfaces
  Configure the Wi-Fi module channel
  Configure the Wi-Fi module band and protocol
  Configure a Wi-Fi access point with no security
  Configure a Wi-Fi access point with enterprise security
  Show Wi-Fi access point status and statistics
  Configure a Wi-Fi client and add client networks
  Show Wi-Fi client status and statistics
  Serial interface
  Configure the serial interface
  Show serial status and statistics
Local Area Networks (LANs)
  About Local Area Networks (LANs)
  Configure a LAN
  Show LAN status and statistics
  Delete a LAN
  DHCP servers
  Configure a DHCP server
  Show DHCP server settings
  DHCP relay
Wide Area Networks (WANs)
  Using Ethernet interfaces in a WAN
  Using cellular interfaces in a WAN
  WAN priority and default route metrics
  WAN failover
  Active vs. passive failure detection
  Configure a Wide Area Network (WAN)
  Assigning priority to WANs
  Configuring a WAN for IPv6
  Show WAN status and statistics
  Delete a WAN
IPv6
  Common IPv6 address types
  Auto address assignment
  Prefix delegation
  More information on IPv6
  Configure a LAN for IPv6
  Enable IPv6 on a LAN
  Show LAN IPv6 status
  Configure a WAN for IPv6
  Enable IPv6 on a WAN
  Configure prefix delegation on a WAN
  Show WAN IPv6 status
Security
  Local users
  User access levels
  Configure a user
  Delete a user
  Change a user's password
  Firewall management with IP filters
  IP filter source and destination options
  IP filter criteria options
  IP filter rule priority
  Add an IP filter rule
  Delete an IP filter rule
  Edit an IP filter rule
  Enable or disable an IP filter rule
  Show IP filter rules
  IP filter examples
  Certificate and key management
  Create a private key file
  Create a Diffie Hellman key file
  List private key files
  Upload a private key file
  Delete a private key file
  Create a certificate signing request (CSR)
  Remote Authentication Dial-In User Service (RADIUS)
  Set up a RADIUS server
  Set up a RADIUS backup server
  Use the local-auth parameter
  Configure a RADIUS server
Hotspot
  Hotspot authentication modes
  Selecting a LAN to be used by the hotspot
  Hotspot DHCP server
  Hotspot security
  Hotspot configuration
  Enable the hotspot using the default configuration
  Configure the hotspot with click-through authentication
  Configure the hotspot with a local shared password
  Configure the hotspot with a RADIUS shared password
  Configure the hotspot with RADIUS users authentication
  Configure the hotspot to use HotspotSystem
  Show hotspot status and statistics
  Show current hotspot configuration
  Customize the hotspot login page
  Edit sample hotspot html pages
  Upload custom hotspot HTML pages
  Use a remote webserver
  Hotspot RADIUS attributes
Services and applications
  Location information
  Enable the GNSS module
  Configure the device to accept location messages from external sources
  Forward location information to a remote host
  Show location information
  Auto-run commands
  Python
  Run a Python application at the command line
  Show running Python applications
  Stop a Python application
  Run an interactive Python session
  Configure a Python application to run automatically at startup
  Digidevice module
  Log messages for Python applications
  Port forwarding
  Add a port forwarding rule
  Delete a port forwarding rule
  Enable or disable a port forwarding rule
  Show port forwarding rules
  Using an SSH server
  Configure a Secure Shell (SSH) server
  Use SSH to connect to the TransPort command-line interface
  Terminate an SSH connection
  Using SSH with key authentication
  Using SSH with certificate authentication
  Example: Use an SSL certificate authentication
  Example: Use an SSL certificate authentication with shared account
Remote management
  Remote Manager
  Configure Digi Remote Manager
  Show Digi Remote Manager connection status
  Enable health reporting and set sample interval
  Using Simple Network Management Protocol (SNMP)
  Configure SNMPv1 and SNMPv2
  Configure SNMPv3
Routing
  IP routing
  Configure general IP settings
  Configure a static route
  Show the IPv4 routing table
  Delete a static route
  Routing rules
  Dynamic DNS
  Configure dynamic DNS
  Web filtering (OpenDNS)
  Configure web filtering using Cisco Umbrella
  Clear device ID
  Dynamic Mobile Network Routing (DMNR)
  Configure Verizon DMNR
  Show DMNR status
  Quality of Service (QoS)
  Configure QoS
  Show QoS configuration and status
  Virtual Router Redundancy Protocol (VRRP)
  Configure VRRP protocol
  Show VRRP status and statistics
Virtual Private Networks (VPN)
  IPsec
  Configure an IPsec tunnel
  Example: IPsec tunnel between a TransPort LR54 and TransPort WR44
  Debug an IPsec configuration
  Show IPsec status and statistics
  IPsec XAuth authentication
  OpenVPN
  Configure an OpenVPN server for routing mode and certificate authentication
  Configure an OpenVPN server to use username and password authentication
  Configure an OpenVPN server to use RADIUS authentication
  Configure an OpenVPN client for routing mode and certificate authentication
  Configure an OpenVPN client to use username and password authentication
  Configure ciphers and digests for use on the OpenVPN tunnel
  Configure keepalives on the OpenVPN tunnels
  Configure renegotiation on the OpenVPN tunnels
  Configure pushing routes to OpenVPN clients
  Configure an OpenVPN client and server for bridge mode
  Show OpenVPN server status and statistics
  Show OpenVPN client status and statistics
  Debug an OpenVPN tunnel
  Example: OpenVPN tunnel in routing mode with username and password authentication
  Example: OpenVPN tunnel in bridging mode using certificate authentication
  Generic Routing Encapsulation (GRE)
  Configuring a GRE tunnel
  Show GRE tunnels
  Example: GRE tunnel over an IPSec tunnel
System settings
  Configure system settings
  Show system information
  System date and time
  Network Time Protocol
  Set the date and time manually
  Set the time zone and Daylight Saving Time
  Show system date and time
  Configure Power button power down behavior
  Configure power delays for power ignition sensor
  Update system firmware
  Certificate management for firmware images
  Manage firmware updates using Digi Remote Manager
  Failover and recovery during system update
  How to recover a WR54, LR54, or LR54-FIPS that will not boot
  Update cellular module firmware
  Reboot the device
  Reset the device to factory defaults
Configuration files
  Default configuration files
  Configuration file sections
  Shared configuration files and device-specific passwords
  Save configuration settings to a file
  Switch configuration files
  Use multiple configuration files to test configurations on remote devices
File system
  File system
  Create a directory
  Display directory contents
  Change the current directory
  Delete a directory
  Display file contents
  Copy a file
  Rename a file
  Delete a file
  Upload and download files
Diagnostics and troubleshooting
  Logs
  Configure options for event and system logs
  Configure syslog servers
  Display logs
  Find and filter log file entries
  Save logs to a file
  Download log files
  Clear logs
  Event log levels
  Analyze traffic
  Capture data traffic
  Example filters for capturing data traffic
  Show captured data traffic
  Clear captured data traffic
  Save captured data traffic to a file
  Use the "ping" command to troubleshoot network connections
  Stop ping commands
  Ping to check internet connection
  Use the "traceroute" command to diagnose IP routing problems
  Use the "show tech-support" command
  Troubleshooting
  Ethernet LED does not illuminate
  Device cannot communicate on WAN/ETH1 port
  Device cannot communicate on ETH2, ETH3, or ETH4 ports
  Verify cellular connectivity
  Check cellular signal strength
  Verify serial connectivity
Web reference
  Dashboard
  DMNR page
  File system page
  Firewall page
  GRE page
  Cellular locked pin page
  Device preferences page
  Hotspot page
  Interfaces—cellular page
  Interfaces—Ethernet page
  Interfaces—Wi-Fi page
  IPsec Tunnels page
  IPsec XAuth Users page
  Local Networks page
  Location page
  Location Client page
  Log configuration page
  Log viewer page
  New GRE tunnel page
  New Wide Area Network (WAN) page
  OpenVPN client page
  OpenVPN route management page
  OpenVPN server page
  OpenVPN user management page
  Port forwarding page
  Python autostart page
  Quality of Service (QoS) queues page
  Quality of Service (QoS) WANs page
  RADIUS page
  Digi Remote Manager page
  Syslog server configuration page
  User Management page
  VRRP page
  Wide Area Network (WAN) page—Cellular
  Wide Area Network (WAN) page—Ethernet
  Wide Area Network (WAN) page
Command reference
  ? (Display command help)
  ! (Revert command settings)
  analyzer
  atcommand
  autorun
  cd
  cellular
  clear
  cloud
  copy
  date
  defroute
  del
  dhcp-host
  dhcp-option
  dhcp-server
  dir
  dmnr
  dsl
  dynamic-dns
  eth
  exit
  firewall
  firewall6
  gpio-analog
  gpio-digital
  gpio-calibrate
  gre
  hotspot
  ip
  ip-filter
  ipsec
  lan
  location
  location-client
  mkdir
  more
  openvpn-client
  openvpn-route
  openvpn-server
  openvpn-user
  ping
  pki
  port-forward
  power
  pwd
  python
  python-autostart
  qos-filter
  qos-queue
  radius
  reboot
  rename
  rmdir
  route
  routing-rule
  save
  serial
  show analyzer
  show cellular
  show cloud
  show config
  show dhcp
  show dmnr
  show eth
  show firewall
  show firewall6
  show gre
  show hotspot
  show ip-filter
  show ipsec
  show ipstats
  show lan
  show location
  show log
  show openvpn-client
  show openvpn-server
  show port-forward
  show python
  show route
  show routing-rule
  show serial
  show system
  show tech-support
  show usb
  show vrrp
  show wan
  show web-filter
  show wifi-ap
  show wifi-client
  snmp
  snmp-community
  snmp-user
  sntp
  ssh
  syslog
  system
  traceroute
  unlock
  update
  user
  vrrp
  wan
  web-filter
  wifi-ap
  wifi-client
  wifi-client-network
  wifi-module
  xauth-user
Advanced topics
  Using firewall and firewall6 commands
  Using the firewall command
  TransPort firewalls based on iptables firewall
  Tables and chains in firewall rules
  Policy rules
  Default firewall configuration
  Allow SSH access on a WAN
  Allow SSH access for only a specific source IP address
  Allow HTTPS access on a WAN
  Allow HTTPS access on a WAN from only a specific source IP address
  Add a firewall rule
  Update a firewall rule
  Delete a firewall rule
  Show firewall rules and counters
  Understanding system firewall rules
  Who should read this section
  What are system firewall rules?
  User priority chains
  Testing new firewall rules
  Using the autorun command to force firewall rule precedence
  System chains
  Migration of rules from older firmware
  Future releases

What's new in Digi TransPort version 4.5

Digi TransPort version 4.5 includes the following new features and enhancements:
- Support for the Digi TransPort WR54.
- Support for PySerial.
- Support for DHCP static IP mapping.
- Support for configuration of DHCP options.

Configuration and management

Using the web interface
Using the command line

Using the web interface

The first time you power on a TransPort device, the Getting Started Wizard steps you through the process of initial configuration. After the wizard completes, the next time you access the device, a login prompt appears. See Log in to the web interface for login instructions.
After you log in, the TransPort Dashboard appears. The Dashboard provides a snapshot of current activity for the device. See Dashboard for details.
In this guide, task topics show how to perform tasks:
Web
Shows how to perform a task using the web interface.
Command line
Shows how to perform a task using the command line interface.

Log in to the web interface

The first time you access a TransPort device, the Getting Started Wizard runs. The wizard steps through initial device configuration. After you run the Getting Started Wizard, the next time you access the device, a login prompt for the web interface appears.
1. Open a browser and enter the default address for the TransPort device: http://192.168.1.1.
The Device Login prompt appears.
2. Enter your username and password, and click Login.
Note: If you did not change the username or password during initial setup, use the default username admin and the unique password printed on the device label. The device label is also attached to the bottom of the device.
The TransPort Dashboard appears. See Dashboard.

Log out of the web interface

- Click the Logout button in the upper right corner of the web interface.

Using the command line

Digi TransPort provides a command-line interface you can use to configure the device, display status and statistics, as well as update firmware and manage device files. See Command reference for details on all available commands.
In this guide, task topics show how to perform tasks:
Web
Shows how to perform a task using the web interface.
Command line
Shows how to perform a task using the command line interface.

Access the command line interface

You can access the TransPort device using the serial1 interface or an SSH connection. You can use open-source terminal software, such as PuTTY and TeraTerm.
Alternatively, you can open the command line interface in the web interface via the Device Console:
- On the menu, click System > Device Console. The Device Console appears.

Log in to the command line interface

1. Connect to the TransPort device via the Serial 1 interface or with an SSH connection.
   - For Serial connections, the baud rate is 115200, 8 data bits, no parity, 1 stop bit, and no flow control.
   - For SSH connections, the default IP address of the device is 192.168.1.1.
2. At the login prompt, enter the username and password. The default username is admin. The unique password for your device is printed on the device label.
Username: admin
Password: **********
A welcome message appears, followed by the current access permission level for your username and the timeout for the command session, followed by the system command prompt.
Welcome admin
Access Level: super
Timeout : 3600 seconds
digi.router>

Exit the command line interface

Enter the exit command.

Execute a command from the web interface

1. On the menu, click System > Device console. The device console appears.
digi.router>
2. To display the currently supported list of commands for the device, type the question mark (?) character after the system prompt:
digi.router> ?
3. To display help for a specific command, enter the command followed by the question mark (?) character. For example, to get help for the pki command, enter:
digi.router> pki ?

Display command and parameter help using the ? character

The question mark (?) character can display help text for all commands, individual commands, and command parameters. For example:
digi.router> eth ?
Configures an Ethernet interface
Syntax: eth <1 - 4> <parameter> <value>
Available Parameters:
Parameter      Description
----------------------------------------------------------------------------
description    Ethernet interface description
duplex         Ethernet interface duplex mode
mtu            Ethernet interface MTU
speed          Ethernet interface speed
state          Enables or disables Ethernet interface
digi.router> eth
To display help on parameters, enter the command, the interface number as needed, and parameter name, followed by the ? character. For example, to display help for the eth command speed parameter, enter:
digi.router> eth 1 speed ?
Syntax        : eth 1 speed <value>
Description   : Ethernet interface speed
Current Value : auto
Valid Values  : auto, 10, 100, 1000
Default value : auto
digi.router> eth 1 speed
To use the ? character in a parameter value, enclose it within " characters. For example, to display the help text for the system command's description parameter:
digi.router> system 1 description ?
To set the system command description parameter to ?:
digi.router> system 1 description "?"

Revert command settings using the ! character

To revert command settings to their defaults, use the exclamation mark (!) character.
To revert the interfaces parameter on the lan command to its default setting, enter:
digi.router> lan 1 interfaces !
To use the ! character in a parameter value, enclose it within " characters. For example, to reset the Wi-Fi SSID to the default (blank):
wifi 1 ssid !
To set the Wi-Fi SSID to !abc:
wifi 1 ssid "!abc"

Auto-complete commands and parameters

When entering a command and parameter, pressing the Tab key causes the command-line interface to auto-complete as much of the command and parameter as possible.
Auto-complete applies to these command elements only:
- Command names. For example, entering cell<Tab> auto-completes the command as cellular.
- Parameter names. For example:
  - ping int<Tab> auto-completes the parameter as interface.
  - system loc<Tab> auto-completes the parameter as location.
- Parameter values, where the value is one of an enumeration or an on|off type; for example, eth 1 duplex auto|full|half
Auto-complete does not function for:
- Parameter values that are string types
- Integer values
- File names
- Select parameters passed to commands that perform an action

Enter configuration commands

Configuration commands configure settings for various device features. Configuration commands have the following format:
<command> <instance> <parameter> <value>
Where <instance> is the index number associated with the feature. For example, this command configures the eth1 Ethernet interface:
digi.router> eth 1 ip-address 10.1.2.3
For commands with only one instance, you do not need to enter the instance. For example:
digi.router> system timeout 100

Display status and statistics using show commands

The TransPort show commands display status and statistics for various features.
For example:
- show config displays all the current configuration settings for the device. This is particularly useful during initial device startup after running the Getting Started Wizard, or when troubleshooting the device.
- show system displays system information and statistics for the device, including CPU usage.
- show eth displays status and statistics for specific or all Ethernet interfaces.
- show cellular displays status and statistics for specific or all cellular interfaces.

Enter strings in configuration commands

For string parameters, if the string value contains a space, the value must be enclosed in quotation marks. For example, to assign a descriptive name for the device using the system command, enter:
digi.router> system description "HQ router"
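Scripts that push settings to the command line have to apply the quoting rules for spaces, ? and ! themselves. The following is an added example, not code from the Digi guide: it builds lines in the <command> <instance> <parameter> <value> format and quotes values that need it. The function name config_line, the allow-list for command and parameter names, and the rejection of empty values, embedded double quotes and control characters are assumptions, because the guide does not describe how the CLI treats them.

```python
import re

# Assumption: command and parameter names look like "eth", "ip-address", "wifi".
_NAME = re.compile(r"^[a-z0-9-]+$")
# Characters the guide says require the value to be enclosed in double quotes.
_NEEDS_QUOTES = re.compile(r"[ ?!]")


def config_line(command, parameter, value, instance=None):
    """Build one '<command> <instance> <parameter> <value>' CLI line.

    value=None emits the bare '!' that reverts the parameter to its default.
    Raises ValueError for input that could change the meaning of the line.
    """
    for name in (command, parameter):
        if not _NAME.match(name):
            raise ValueError(f"unexpected command or parameter name: {name!r}")

    parts = [command]
    if instance is not None:
        parts.append(str(int(instance)))  # instance is an index number
    parts.append(parameter)

    if value is None:
        parts.append("!")  # explicit revert-to-default request
        return " ".join(parts)

    text = str(value)
    if text == "":
        raise ValueError("empty value; pass None to revert to the default")
    # A newline or carriage return would start a second command in the session,
    # and the guide gives no escape for a double quote inside a quoted string.
    if '"' in text or any(ord(ch) < 32 or ord(ch) == 127 for ch in text):
        raise ValueError("value contains a double quote or control character")

    # Unquoted '?' asks for help and unquoted '!' reverts, so quote both,
    # along with any value that contains a space.
    parts.append(f'"{text}"' if _NEEDS_QUOTES.search(text) else text)
    return " ".join(parts)


if __name__ == "__main__":
    print(config_line("system", "description", "HQ router"))
    print(config_line("wifi", "ssid", "!abc", instance=1))
    print(config_line("wifi", "ssid", None, instance=1))
    print(config_line("eth", "ip-address", "10.1.2.3", instance=1))
```

Treat a ValueError as a reason to stop the configuration push, since the rejected text usually came from an inventory field or form that should not contain it.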

Interfaces

TransPort devices have several physical communications interfaces. The available interfaces vary by device model. These interfaces can be bridged in a Local Area Network (LAN) or assigned to a Wide Area Network (WAN).
Ethernet interfaces
Cellular interfaces
Wi-Fi interfaces
Serial interface

Ethernet interfaces

Ethernet interfaces can be used in a LAN or a WAN. There is no IP configuration set on the individual Ethernet interfaces. Instead, the IP configuration is set as part of configuring the LAN or WAN.
For more information on WANs, see Wide Area Networks (WANs).
For more information on LANs and their configuration, see About Local Area Networks (LANs).

Configure Ethernet interfaces

To configure an Ethernet interface, you must configure the following items:
Required configuration items
- Enable the Ethernet interface. The Ethernet interfaces are all enabled by default. You can set the Ethernet interface to enabled or disabled.
- Once configured, the Ethernet interface must be assigned to a LAN or a WAN. For more information, see About Local Area Networks (LANs) and Configure a LAN or Wide Area Networks (WANs) and Configure a Wide Area Network (WAN).
Additional configuration items
The following items are not required to configure a working Ethernet interface, but can be configured as needed:
- A description of the Ethernet interface.
- The duplex mode of the Ethernet interface. This defines how the Ethernet interface communicates with the device to which it is connected. The duplex mode defaults to auto, which means the TransPort device negotiates with the connected device on how to communicate.
- The speed of the Ethernet interface. This defines the speed at which the Ethernet interface communicates with the device to which it is connected. The Ethernet speed defaults to auto, which means it negotiates with the connected device as to what speed should be used.
Web
1. On the menu, click Network > Interfaces > Ethernet.
2. Select the Ethernet interface to configure.
3. In the Edit Selected box, enter the configuration settings:
   - State: Enable or disable the Ethernet interface. By default, all of the Ethernet interfaces are enabled.
   - Description: Optional: Enter a description for the Ethernet interface.
   - Speed: Optional: Select the speed for the Ethernet interface.
   - Duplex: Optional: Select the duplex mode for the Ethernet interface.
4. Click Apply.
Command line
1. Enable the Ethernet interface. By default, all of the Ethernet interfaces are enabled.
digi.router> eth 1 state on
2. Optional: Set the description for the Ethernet interface. For example:
digi.router> eth 1 description "Connected to Ethernet WAN router"
3. Optional: Set the duplex mode.
digi.router> eth 1 duplex {auto | full | half}
4. Optional: Set the speed.
digi.router> eth 1 speed {auto | 1000 | 100 | 10}
5. Save the configuration.
digi.router> save config

Show Ethernet status and statistics

You can view the status and statistics of Ethernet interfaces from either the Dashboard of the web interface, or from the command line:
Web
1. On the menu, click Dashboard.
The Interface section of the dashboard shows the status of all interfaces.
2. Click on an interface, or click Network > Interfaces > Ethernet to view detailed status and statistics for each interface.
Command line
To show the status and statistics for the Ethernet interface, use the show eth command. For example:
digi.router> show eth
Eth Status and Statistics Port 1
-------------------------------------
Description   : Factory default configuration for Ethernet 1
Admin Status  : Up
Oper Status   : Up
Up Time       : 1 Day, 13 Hours, 30 Minutes, 23 Seconds

MAC Address   : 00:50:18:21:E2:82
DHCP          : off
IP Address    : 10.52.19.242
Netmask       : 255.255.255.0
DNS Server(s) :
Link          : 1000Base-T Full-Duplex

Received                           Sent
--------                           ----
Rx Unicast Packet    : 6198        Tx Unicast Packet    : 651
Rx Broadcast Packet  : 316403      Tx Broadcast Packet  : 2
Rx Multicast Packet  : 442690      Tx Multicast Packet  : 6
Rx CRC Error         : 0           Tx CRC Error         : 0
Rx Drop Packet       : 0           Tx Drop Packet       : 0
Rx Pause Packet      : 0           Tx Pause Packet      : 0
Rx Filtering Packet  : 1           Tx Collision Event   : 0
Rx Alignment Error   : 0
Rx Undersize Error   : 0
Rx Fragment Error    : 0
Rx Oversize Error    : 0
Rx Jabber Error      : 0

Eth Status and Statistics Port 2
-------------------------------------
Description   :
Admin Status  : Up
Oper Status   : Up
Up Time       : 1 Day, 13 Hours, 30 Minutes, 23 Seconds

MAC Address   : 00:50:18:21:E2:83
DHCP          : off
IP Address    : 10.2.4.20
Netmask       : 255.255.255.0
DNS Server(s) :
Link          : 100Base-T Full-Duplex

Received                           Sent
--------                           ----
Rx Unicast Packet    : 5531        Tx Unicast Packet    : 2
Rx Broadcast Packet  : 316403      Tx Broadcast Packet  : 2
Rx Multicast Packet  : 442694      Tx Multicast Packet  : 2
Rx CRC Error         : 0           Tx CRC Error         : 0
Rx Drop Packet       : 0           Tx Drop Packet       : 0
Rx Pause Packet      : 0           Tx Pause Packet      : 0
Rx Filtering Packet  : 0           Tx Collision Event   : 0
Rx Alignment Error   : 0
Rx Undersize Error   : 0
Rx Fragment Error    : 0
Rx Oversize Error    : 0
Rx Jabber Error      : 0

Eth Status and Statistics Port 3
-------------------------------------
Description   :
Admin Status  : Up
Oper Status   : Up
Up Time       : 1 Day, 13 Hours, 30 Minutes, 23 Seconds

MAC Address   : 00:50:18:21:E2:84
DHCP          : on
IP Address    : 82.68.87.20
Netmask       : 255.255.255.0
DNS Server(s) :
Link          : 100Base-T Full-Duplex

Received                           Sent
--------                           ----
Rx Unicast Packet    : 5530        Tx Unicast Packet    : 2
Rx Broadcast Packet  : 316405      Tx Broadcast Packet  : 2
Rx Multicast Packet  : 442699      Tx Multicast Packet  : 4
Rx CRC Error         : 0           Tx CRC Error         : 0
Rx Drop Packet       : 0           Tx Drop Packet       : 0
Rx Pause Packet      : 0           Tx Pause Packet      : 0
Rx Filtering Packet  : 0           Tx Collision Event   : 0
Rx Alignment Error   : 0
Rx Undersize Error   : 0
Rx Fragment Error    : 0
Rx Oversize Error    : 0
Rx Jabber Error      : 0

Eth Status and Statistics Port 4
-------------------------------------
Description   :
Admin Status  : Up
Oper Status   : Down
Up Time       : 0 Seconds

MAC Address   : 00:50:18:21:E2:85
DHCP          : on
IP Address    : Not Assigned
Netmask       : Not Assigned
DNS Server(s) :
Link          : No connection

Received                           Sent
--------                           ----
Rx Unicast Packet    : 0           Tx Unicast Packet    : 0
Rx Broadcast Packet  : 0           Tx Broadcast Packet  : 0
Rx Multicast Packet  : 0           Tx Multicast Packet  : 0
Rx CRC Error         : 0           Tx CRC Error         : 0
Rx Drop Packet       : 0           Tx Drop Packet       : 0
Rx Pause Packet      : 0           Tx Pause Packet      : 0
Rx Filtering Packet  : 0           Tx Collision Event   : 0
Rx Alignment Error   : 0
Rx Undersize Error   : 0
Rx Fragment Error    : 0
Rx Oversize Error    : 0
Rx Jabber Error      : 0
digi.router>

Cellular interfaces

Depending on the model, Digi TransPort devices can support one or two cellular modules, and each module supports two SIMs. This means that a TransPort device can have either two or four cellular interfaces:
- cellular1-sim1
- cellular1-sim2
- cellular2-sim1 (only on models with two cellular modules)
- cellular2-sim2 (only on models with two cellular modules)
Each cellular module can have only one interface up at any one time (for example, cellular module 1 can have either SIM1 or SIM2 up at one time). Cellular interface priority is determined by how the cellular interfaces are assigned to the WAN interface.
Typically, an administrator would configure cellular1-sim1 as the primary cellular interface and cellular1-sim2 as the backup cellular interface. In this way, if the TransPort device cannot connect to the network using cellular1-sim1, it automatically fails over to cellular1-sim2. TransPort devices automatically use the correct cellular module firmware for each carrier when switching SIMs.
A device that has two cellular modules can have two cellular interfaces up at one time—one for each module. Typically, an administrator would route traffic to different destinations over a specific cellular interface.
For more information on WAN interfaces and their configuration, see Wide Area Networks (WANs).

Configure cellular interfaces

Required configuration items
- Access Point Name (APN): The APN is specific to your cellular service.
- APN username and password: Depending on your cellular service, you may need to configure an APN username and password. This information is provided by your cellular provider.
- WAN assignment: Once configured, if the cellular interface is not already assigned to a WAN interface, assign it to a WAN interface. For more information, see Wide Area Networks (WANs).
Additional configuration items
See Interfaces—cellular page for a complete list of configuration options.
Web
1. On the menu, click Network > Interfaces > Cellular.
2. Select the cellular interface to edit (Cellular 1 or Cellular 2), and then select the SIM you want to configure, for example SIM1 or SIM2.
3. In the Edit Selected box, provide configuration settings for the cellular interfaces. See Interfaces—cellular page for details.
4. Click Apply.
Command line
1. Configure an APN.
digi.router> cellular 1 sim1-apn your-apn
2. If necessary, enter the APN username and password.
digi.router> cellular 1 sim1-apn-username your-apn-username
digi.router> cellular 1 sim1-apn-password your-apn-password
3. If necessary, enter the PIN for the SIM.
digi.router> cellular 1 sim1-pin your-sim-pin
4. Optional: Set the preferred mode.
digi.router> cellular 1 sim1-preferred-mode 3g
5. Optional: Set a description for the cellular interface.
digi.router> cellular 1 description "AT&T Connection"
6. Optional: Configure the number of connection attempts. For example, to set the number of attempts to 10, enter:
digi.router> cellular 1 sim1-connection-attempts 10
7. Save the configuration.
digi.router> save config

Show cellular status and statistics

You can view a summary status for all cellular interfaces, or view detailed status and statistics for a specific cellular interface, from either the web interface or the command line:
Web
1. On the menu, click Dashboard.
The Interface section of the dashboard shows the summary status of all interfaces.
2. Click on an interface, or click Network > Interfaces > Cellular to view detailed status and statistics for each interface.
Command line
Show summary status for cellular interfaces
To show the status and statistics for a cellular interface, use the show cellular command. See show cellular for a description of the output fields.
digi.router> show cellular
SIM  Status  APN        Signal Quality     PIN Status
------------------------------------------------------------
1-1  Up      broadband  Excellent (-67dB)  No PIN required
1-2  Down                                  No PIN required
2-1  Down    12655.mcs  Good (-90dB)       No PIN required
2-2  Down                                  No PIN required
digi.router>
Show detailed status and statistics for a cellular interface
To show the status and statistics for a particular cellular interface, enter show cellular and specify the cellular module for which you want to show status.
digi.router> show cellular 1
Cellular Status and Statistics
------------------------------
Oper status          : Up
SIM status           : Using SIM2 (Ready)
SIM1 PIN             : PIN is OK
SIM2 PIN             : PIN is OK
Signal strength      : Fair (-108dB)
Signal quality       : Fair to Poor (-14dB)
Module               : Telit LM940
Firmware version     : 24.01.501 / Verizon 24.01.521
Hardware version     : 0.04
Temperature          : 35C
IMEI                 : 354375090000272
IMSI                 : 311480264298668
ICCID                : 89148000002636797356
Registration status  : Registered
Attachment status    : Attached
Phone number         : 6122973200
Network provider     : Verizon
PLMN                 : 311480
Location             : TAC = 3802 CID = DACB03
Roaming Status       : Home
Connection type      : 4G
Radio Technology     : LTE
Preferred Technology : Automatic
Band                 : B13
Channel              : 5230
APN in use           : Context 3: vzwinternet
IP address           : 100.103.109.8
Mask                 : 255.255.255.240
Gateway              : 100.103.109.9
DNS Servers          : 198.224.186.135, 198.224.187.135
TX Bytes             : 1440
RX Bytes             : 890
digi.router>

Unlock a SIM card

A SIMcard can be locked if a user tries to set an invalid PINfor the SIMcard too many times. In addition, some cellular carriers require a SIMPINto be added before the SIMcard can be used. If the SIMcard is locked, the TransPort device cannot make a cellular connection.
Command line
To unlock a SIM card:
1. Use the show cellular command to see the status of a SIMcard. In the show cellular output, look for the fields SIM1PIN status, SIM2 PINstatus, and SIMstatus.
2. Use the unlock command to set a new PINfor the SIM card using the following syntax:
unlock <sim1 | sim2> <puk code> <new sim pin>
For example, to unlock a SIMcard in SIMslot SIM1 with PUK code 12345678, and set the new SIM PIN to 1234:
digi.router> unlock sim1 12345678 1234
3. Save the configuration.
digi.router> save config
Note If the SIMremains in a locked state after using the unlock command, contact your cellular
carrier.

Signal strength for 4G cellular connections

For 4G connections, the RSRP value determines signal strength. To view this value, enter the show cellular command.
- Excellent: > -90 dBm
- Good: -90 dBm to -105 dBm
- Fair: -106 dBm to -115 dBm
- Poor: -116 dBm to -120 dBm
- No service: < -120 dBm

Signal strength for 3G and 2G cellular connections

For 3G and 2G cellular connections, the current RSSI value determines signal strength. To view this value, enter the show cellular command.
- Excellent: > -70 dBm
- Good: -70 dBm to -85 dBm
- Fair: -86 dBm to -100 dBm
- Poor: < -100 dBm to -109 dBm
- No service: -110 dBm

Tips for improving cellular signal strength

If the signal strength LEDs or the signal quality for your device indicate Poor or No service, try the following things to improve signal strength:
- Move the TransPort device to another location.
- Try connecting a different set of antennas, if available.
- Purchase a Digi Antenna Extender Kit:
  - Antenna Extender Kit, 1m
  - Antenna Extender Kit, 3m

Wi-Fi interfaces

Depending on the model, a Digi TransPort router has one or two Wi-Fi modules. You can configure a Wi-Fi module for either Wi-Fi access point mode or Wi-Fi client mode. By default, both Wi-Fi modules are configured as Access Points.
Typically, you configure one Wi-Fi module as one or multiple access points and configure the other module, connected to a separate set of antennas, as a Wi-Fi client to be used as a WAN interface.
Access point mode
If you configure a Wi-Fi module in access point mode, the module can support up to four access points. If both Wi-Fi modules are configured in access point mode, the router can support up to eight access points assigned the following names:
Wi-Fi module    Access point interfaces                 Client        Supported protocols
Wi-Fi module 1  wifi-ap1, wifi-ap2, wifi-ap3, wifi-ap4  wifi-client1  bgn ac
Wi-Fi module 2  wifi-ap5, wifi-ap6, wifi-ap7, wifi-ap8  wifi-client2  ac
See Configure a Wi-Fi access point with no security and Configure a Wi-Fi access point with enterprise security.
Client mode
If you configure a Wi-Fi module in client mode, you can configure one Wi-Fi client per module. The client for module 1 is Wi-Fi client 1; the client for module 2 is Wi-Fi client 2.
Wi-Fi module    Client
Wi-Fi module 1  Wi-Fi client 1
Wi-Fi module 2  Wi-Fi client 2
To use one of the modules as a WAN interface, configure the module as a client, configure the SSIDs for the Wi-Fi network(s) that you want the router to join, and then assign the client to a WAN interface. See Configure a Wi-Fi client and add client networks.

Configure the Wi-Fi module channel

By default, each Wi-Fi module is configured to automatically select the best channel to use with respect to other Wi-Fi networks. Optionally, you can configure a specific channel to use for a Wi-Fi module using the following steps.
Note For the 2.4 GHz band, only channels 1 to 11 are supported. Channels 12, 13, and 14 are not supported.
Web
1. On the menu, click Network > Interfaces > Wi-Fi.
2. Select a Wi-Fi module to configure, and set the Mode to Access Point.
3. In the Edit Selected box, select the channel you want to configure. Only channels appropriate for the band are displayed.
4. Click Apply.
Command line
To configure the channel used by a Wi-Fi module, use the wifi-module command.
digi.router> wifi-module 1 mode access-point
digi.router> wifi-module 1 channel 8
digi.router> save config

Configure the Wi-Fi module band and protocol

For Wi-Fi modules that support both 2.4 GHz and 5 GHz modes, you can configure the band.
- On TransPort models with only one Wi-Fi module, the default protocol and band for the module is 5 GHz ac.
- On TransPort models with two Wi-Fi modules, one module defaults to 5 GHz ac and the other defaults to 2.4 GHz bgn.
Web
1. On the menu, click Network > Interfaces > Wi-Fi.
2. Select the Wi-Fi module you want to configure, and set the Mode to Access Point.
3. Click Apply.
4. In the Edit Selected box, select the band for the Wi-Fi module.
5. Click Apply.
Command line
To configure the band and/or protocol used by a Wi-Fi module, use the wifi-module command.
digi.router> wifi-module 1 mode access-point
digi.router> wifi-module 1 protocol ac
digi.router> wifi-module 1 band 5g
digi.router> save config

Configure a Wi-Fi access point with no security

Required configuration items
- Wi-Fi module mode
  Configure the Wi-Fi module Mode as Access point.
- Wi-Fi access point(s)
  Configure up to four access points on each Wi-Fi module. Access points 1-4 belong to module 1; access points 5-9 belong to module 2. For each access point:
  - SSID: You can configure the SSID to use the device's serial number by including %s in the SSID. For example, an SSID parameter value of %s-1 on a WR64 would resolve to something like WR64-123456-1.
  - Security: Configure security for the access point to None.
- LAN assignment
  Once you configure a Wi-Fi access point, you must assign the Wi-Fi access point to a LAN interface. For more information, see About Local Area Networks (LANs).
Additional configuration items
See Access point options for a complete list of configuration options.
Web
1. On the menu, click Network > Interfaces > Wi-Fi.
2. Select a Wi-Fi interface to configure and set the Mode to Access point.
3. Click New Access Point to create a new access point interface on the module.
4. Configure options for the access point. See Access point options for details.
5. Click Apply.
6. Assign the new Wi-Fi access point to a WAN interface. See About Local Area Networks (LANs).
Command line
- To configure a Wi-Fi module, use the wifi-module command.
- To configure Wi-Fi access points, use the wifi-ap command.
1. Configure the Wi-Fi module for access point mode.
digi.router> wifi-module 1 mode access-point
2. Enter the SSID for the Wi-Fi access point.
digi.router> wifi-ap 1 ssid WR64-AP1
3. Enter the security for the Wi-Fi access point.
digi.router> wifi-ap 1 security none
4. Optional: Enter a description for the Wi-Fi access point.
digi.router> wifi-ap 1 description "Office AP"
5. Optional: Disable broadcasting the SSID in beacon packets.
digi.router> wifi-ap 1 broadcast-ssid off
6. Optional: Disable Wi-Fi client isolation mode.
digi.router> wifi-ap 1 isolate-clients off
7. Optional: Disable Wi-Fi access point isolation mode.
digi.router> wifi-ap 1 isolate-ap off
8. Save the configuration.
digi.router> save config

Configure a Wi-Fi access point with enterprise security

The WPA2-Enterprise and WPA-WPA2-Enterprise security modes allow a Wi-Fi access point to authenticate connecting Wi-Fi clients using a RADIUS server.
When the Wi-Fi access point receives a connection request from a Wi-Fi client, it authenticates the client with the RADIUS server before allowing the client to connect.
Using enterprise security modes allows each Wi-Fi client to have different usernames and passwords configured in the RADIUS server rather than in the TransPort device.
Required configuration items
- Wi-Fi module mode
  Configure the Wi-Fi module Mode as Access point.
- SSID (Service Set Identifier)
  You can configure the SSID to use the device's serial number by including %s in the SSID. For example, an SSID parameter value of %s-1 on a WR64 would resolve to something like WR64-123456-1.
- Security
  Configure WPA2 enterprise or WPA/WPA2 mixed mode enterprise.
- RADIUS server IP address
- RADIUS password
- LAN assignment
  Once you configure a Wi-Fi access point, you must assign the Wi-Fi access point to a LAN interface. For more information, see About Local Area Networks (LANs).
Additional configuration items
See Access point options for a complete list of options.
Web
1. On the menu, click Network > Interfaces > Wi-Fi.
2. Click on the Wi-Fi module you want to configure, and set the Wi-Fi Mode to Access point.
3. Click New Access Point or click on an existing access point.
4. Configure the access point as needed. Specifically, configure WPA2 Enterprise security and provide the RADIUS server and password information. See Access point options for details.
5. Click Apply.
6. Assign each Wi-Fi access point to a LAN. See About Local Area Networks (LANs).
Command line
- To configure a Wi-Fi module, use the wifi-module command.
- To create Wi-Fi access points, use the wifi-ap command.
- To add the Wi-Fi client to a LAN, use the lan command.
1. Configure the Wi-Fi module mode to access point:
digi.router> wifi-module 1 mode access-point
2. Enter the SSID for the Wi-Fi access point.
digi.router> wifi-ap 1 ssid WR64-AP1
3. Enter the security for the Wi-Fi access point.
digi.router> wifi-ap 1 security wpa2-enterprise
4. Enter the RADIUS password.
digi.router> wifi-ap 1 radius-password your-radius-password
5. Optional: Enter the RADIUS server port.
digi.router> wifi-ap 1 radius-port 3001
6. Optional: Enter a description for the Wi-Fi access point.
digi.router> wifi-ap 1 description "Office AP"
7. Optional: Disable broadcasting the SSID in beacon packets.
digi.router> wifi-ap 1 broadcast-ssid off
8. Optional: Disable Wi-Fi client isolation mode.
digi.router> wifi-ap 1 isolate-clients off
9. Optional: Disable Wi-Fi access point isolation mode.
digi.router> wifi-ap 1 isolate-ap off
10. Add the access point to a configured LAN:
digi.router> lan 1 interface wifi-ap1
11. Save the configuration.
digi.router> save config

Show Wi-Fi access point status and statistics

You can show summary status for all Wi-Fi access points, and detailed status and statistics for individual Wi-Fi access points.
Web
- On the menu, click Dashboard. The Interface section of the dashboard shows the status of all interfaces. Click on the interface names to get detailed status and statistics.
Command line
Show summary of Wi-Fi access points
To show the status and statistics for Wi-Fi access points, use the show wifi-ap command.
digi.router> show wifi-ap
Interface  Module  Status  SSID           Security
----------------------------------------------------------------------
wifi-ap1   1       Up      WR64-000073-1  WPA2-Personal
wifi-ap2   1       Down                   WPA2-Personal
wifi-ap3   1       Down                   WPA2-Personal
wifi-ap4   1       Down                   WPA2-Personal
wifi-ap5   2       Up      WR64-000073-5  WPA2-Personal
wifi-ap6   2       Down                   WPA2-Personal
wifi-ap7   2       Down                   WPA2-Personal
wifi-ap8   2       Down                   WPA2-Personal
digi.router>
Show detailed status and statistics of a Wi-Fi access point
To show detailed status and statistics for a Wi-Fi access point, enter the show wifi-ap command and specify the access point.
digi.router> show wifi-ap 1
wifi-ap 1 Status and Statistics
-------------------------------
Description      :
Admin Status     : Up
Oper Status      : Down
Channel          : 1
Module           : 1
SSID             : WR64-000073-1
Security         : WPA2-Personal

Received                         Sent
-------------------------------------------------
Rx Packets       : 8501          Tx Packets          : 7178
Rx Bytes         : 1512218       Tx Bytes            : 1454265
Rx Compressed    : 0             Tx Compressed       : 0
Rx Multicasts    : 0             Tx Collisions       : 0
Rx Errors        : 0             Tx Errors           : 0
Rx Dropped       : 0             Tx Dropped          : 0
Rx FIFO Errors   : 0             Tx FIFO Errors      : 0
Rx CRC Errors    : 0             Tx Aborted Errors   : 0
Rx Frame Errors  : 0             Tx Carrier Errors   : 0
Rx Length Errors : 0             Tx Heartbeat Errors : 0
Rx Missed Errors : 0             Tx Window Errors    : 0
Rx Over Errors   : 0

Connected Clients
-----------------
MAC Address        Connection Time  RSSI     Rate
-------------------------------------------------------
64:80:99:eb:72:d3  0h 2m 38s        -75 dBm  81.0 Mbps
ec:9b:f3:bf:91:d2  0h 0m 20s        -66 dBm  24.0 Mbps
digi.router>

Configure a Wi-Fi client and add client networks

Required configuration items
- Wi-Fi module mode
  Configure the Wi-Fi module Mode as Client.
- Wi-Fi client networks
  Add up to 16 client networks per router. For each client network:
  - SSID: Provide the SSID of the access point to which you want to connect.
  - Security: Provide the security type for the SSID. For personal security modes, you need to enter only a password; for enterprise modes, you need to enter both the username and password.
- WAN assignment
  Once you configure a Wi-Fi client, you must assign the Wi-Fi client to a WAN. See Wide Area Networks (WANs).
Additional configuration items
- Wi-Fi client: Using the command line only, you can configure custom values for RSSI thresholds and other options. See wifi-client command.
- Wi-Fi client networks: Some access points hide (do not broadcast) their SSID. In this case, enable the Hidden SSID option and the client will send out probes for the SSID when scanning. In general, for both security and performance reasons, Digi recommends you do not enable the Hidden option.
See Interfaces—Wi-Fi page for a complete list of Wi-Fi interface configuration options.
Web
1. On the menu, click Network > Interfaces > Wi-Fi.
2. Click on the Wi-Fi module you want to configure:
   - Set the Mode to Client.
   - Optional: Enter a description for the Wi-Fi module.
3. Click Apply.
4. Add or edit Wi-Fi client networks. For each:
   - SSID: Enter the SSID for the client network.
   - Optional: If needed, provide the SSID security type and then provide credentials for the SSID.
   - Optional: If you want to scan for a hidden SSID, enable Hidden SSID under the Advanced options.
   See Client mode options for detailed option descriptions.
5. When you have finished adding Wi-Fi networks for the client, click Apply.
6. Assign the new Wi-Fi client to a WAN interface. See Wide Area Networks (WANs).
Command line
- To configure a Wi-Fi module, use the wifi-module command.
- To customize options for a Wi-Fi client, use the wifi-client command.
- To configure Wi-Fi client networks for a Wi-Fi client, use the wifi-client-network command.
- To add the Wi-Fi client to a WAN, use the wan command.
1. Configure the Wi-Fi module for client mode. For example, to set Wi-Fi module 1 to client mode:
digi.router> wifi-module 1 mode client
2. Optional: Customize options for the Wi-Fi client. For Wi-Fi module 1, the client is Wi-Fi client 1; for Wi-Fi module 2, the client is Wi-Fi client 2.
digi.router> wifi-client <1 - 2> <parameter> <value>
3. Add Wi-Fi client networks to the Wi-Fi client. For example:
digi.router> wifi-client-network 1 wifi-client 1
digi.router> wifi-client-network 1 ssid <ssid>
digi.router> wifi-client-network 1 security wpa-wpa2-personal
digi.router> wifi-client-network 1 password <password>
digi.router> wifi-client-network 1 hidden-network on

digi.router> wifi-client-network 2 wifi-client 1
digi.router> wifi-client-network 2 ssid <ssid>
digi.router> wifi-client-network 2 security wpa-wpa2-enterprise
digi.router> wifi-client-network 2 enterprise-username <enterprise_username>
digi.router> wifi-client-network 2 enterprise-password <enterprise-password>
4. Add the Wi-Fi client to a configured WAN:
digi.router> wan 1 interface wifi-client1
5. Save the configuration.
digi.router> save config
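The access point and client network commands in the procedures above can be reviewed before they are applied to a device. The following is an added example, not part of the Digi guide or Digi software: a Python check that reads commands in this page's syntax and reports open access points, WPA/WPA2 mixed mode, disabled isolation, a RADIUS password left at the documentation placeholder, and hidden client networks. The sample commands, the severity labels, and the reading of the isolate-clients and isolate-ap options are assumptions.

```python
import shlex
from collections import defaultdict

PROMPT = "digi.router>"

# Constructed sample (not captured from a device): commands in the syntax used
# on this page, as they might appear in a provisioning script under review.
SAMPLE = """\
digi.router> wifi-module 1 mode access-point
digi.router> wifi-ap 1 ssid WR64-AP1
digi.router> wifi-ap 1 security none
digi.router> wifi-ap 1 isolate-clients off
digi.router> wifi-ap 2 ssid WR64-AP2
digi.router> wifi-ap 2 security none
digi.router> wifi-ap 2 security wpa2-enterprise
digi.router> wifi-ap 2 radius-password your-radius-password
digi.router> wifi-ap 2 description "Office AP"
digi.router> wifi-client-network 1 wifi-client 1
digi.router> wifi-client-network 1 ssid uplink
digi.router> wifi-client-network 1 security wpa-wpa2-personal
digi.router> wifi-client-network 1 hidden-network on
digi.router> save config
"""

SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}   # labels are this example's own


def parse_commands(text):
    """Return {(object, index): {parameter: value}}; a later command overrides an earlier one."""
    settings = defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(PROMPT):
            line = line[len(PROMPT):].strip()
        if not line:
            continue
        try:
            tokens = shlex.split(line)      # keeps "Office AP" as one value
        except ValueError:                  # unbalanced quote: fall back to whitespace
            tokens = line.split()
        # Settings have the shape: <object> <index> <parameter> <value...>
        if len(tokens) < 4 or not tokens[1].isdigit():
            continue
        settings[(tokens[0], int(tokens[1]))][tokens[2]] = " ".join(tokens[3:])
    return dict(settings)


def audit(settings):
    """Return (severity, target, message) findings, most severe first."""
    findings = []
    for (obj, index), params in settings.items():
        target = f"{obj} {index}"
        security = params.get("security", "")
        if obj == "wifi-ap":
            if security == "none":
                findings.append(("HIGH", target, "open access point: no authentication or encryption"))
            if security.endswith("-enterprise"):
                secret = params.get("radius-password")
                if secret is None:
                    findings.append(("MEDIUM", target, "enterprise security without the required RADIUS password"))
                elif secret.startswith("your-"):
                    findings.append(("HIGH", target, "RADIUS password is still the documentation placeholder"))
            # Assumption: the isolate-* options are read from their names only.
            if params.get("isolate-clients") == "off":
                findings.append(("MEDIUM", target, "client isolation disabled"))
            if params.get("isolate-ap") == "off":
                findings.append(("LOW", target, "access point isolation disabled"))
        if obj in ("wifi-ap", "wifi-client-network") and security.startswith("wpa-wpa2-"):
            findings.append(("MEDIUM", target, "mixed mode also accepts the older WPA protocol"))
        if obj == "wifi-client-network" and params.get("hidden-network") == "on":
            findings.append(("LOW", target, "hidden SSID: the client probes for it while scanning"))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))


if __name__ == "__main__":
    for severity, target, message in audit(parse_commands(SAMPLE)):
        print(f"{severity:<6} {target:<22} {message}")
```

Because the parser keeps only the last value written for each parameter, wifi-ap 2 in the sample is judged on wpa2-enterprise, not on the earlier security none line.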

Show Wi-Fi client status and statistics

You can show summary status for all Wi-Fi clients, and detailed status and statistics for individual Wi-Fi clients.
Web
- On the menu, click Dashboard. The Interface section of the dashboard shows the status of all interfaces. Click on the interface names to get detailed status and statistics.
Command line
Show summary of Wi-Fi access points
To show the status and statistics for Wi-Fi clients, use the show wifi-client command.
digi.router> show wifi-client
Show detailed status and statistics of a Wi-Fi client
To show detailed status and statistics for a Wi-Fi client, enter the show wifi-client command along with the interface you want to show.
digi.router> show wifi-client 1

Serial interface

TransPort devices have a single serial port that provides access to the command-line interface.

Configure the serial interface

By default, the serial interface is enabled. To change serial configuration settings, use the serial command.
Command line
Disable the serial interface
digi.router> serial state off
digi.router> save config
Enable CLI access for the serial interface
digi.router> serial state cli
digi.router> save config
Enable PySerial access for the serial interface
digi.router> serial state python
digi.router> save config
Enter a description for the serial interface
digi.router> serial description "Command line access"
digi.router> save config
Set the baud rate
For example, to set the baud rate to 9600, enter:
digi.router> serial baud 9600
digi.router> save config
Set the data bits
For example, to set the data bits to 7, enter:
digi.router> serial databits 7
digi.router> save config
Set the stop bits
For example, to set the stop bits to 2, enter:
digi.router> serial stopbits 2
digi.router> save config
Set the parity
For example, to set the parity to odd, enter:
digi.router> serial parity odd
digi.router> save config
Set the flow control
For example, to set the flow control to hardware, enter:
digi.router> serial flowcontrol hardware
digi.router> save config

Show serial status and statistics

To show the status and statistics for the serial interface, use the show serial command.
For example:
digi.router> show serial
Serial 1 Status
---------------
Description  :
Admin Status : CLI
Oper Status  : up
Uptime       : 0:07:05
Tx Bytes     : 4038
Rx Bytes     : 81
Overflows    : 0
Overruns     : 0
Line status  : RTS|CTS|DTR|DSR|CD0
digi.router>

Local Area Networks (LANs)

About Local Area Networks (LANs)
Configure a LAN
Show LAN status and statistics
Delete a LAN
DHCP servers

About Local Area Networks (LANs)

A Local Area Network (LAN) connects network interfaces together, such as Ethernet or Wi-Fi, in a logical Layer-2 network. You can configure up to 10 LANs.
The diagram shows a LAN connecting the eth2, eth3, and eth4 interfaces for a TransPort LR54 unit. Once the LAN is configured and enabled, the devices connected to the network interfaces can communicate with each other, as demonstrated by the ping commands.

Configure a LAN

Configuring a Local Area Network (LAN) involves configuring the following items:
Required configuration items
- Identifying which interfaces are in the LAN.
- Enabling the LAN. LANs are disabled by default.
- Setting an IPv4 address and subnet mask for the LAN. While it is not strictly necessary for a LAN to have an IP address, if you want to send traffic from other networks to the LAN, you must configure an IP address.
  Note By default, LAN 1 is set to an IP address of 192.168.1.1 and uses the IP subnet of 192.168.1.0/24. If the WAN 1 Ethernet interface is being used by LAN 1 and uses the same IP subnet, you should change the IP address and subnet of LAN 1.
- If you want to use IPv6 addressing for the LAN, you need to enable the LAN interface instance for IPv6 and configure several other settings. See Configure a LAN for IPv6.
Additional configuration items
- Setting a descriptive name for the LAN.
- Setting the Maximum Transmission Unit (MTU), or packet size, for packets sent over the LAN. For IPv6, the minimum MTU must be 1280.
Web
To create a new LAN:
1. On the menu, click Network > Networks > LANs. The LANs page appears.
2. Click New Network. See Local Networks page for field descriptions.
3. In the IPv4 group, set the IP address and netmask:
IP address: Enter the IPv4 address for the LAN.
Netmask: Enter the subnet mask for the LAN.
4. For Enable DHCP Server, select one of the following:
   - Off — Disables all DHCP server functionality.
   - Server — Enables the device's DHCP server. For IP Start and IP End, enter the range of IP addresses for the IP address pool that the DHCP server will use. Optionally, also enter the time in minutes after which the DHCP lease expires. See DHCP servers for more information about DHCP server support.
   - Relay — Disables the device's DHCP server and enables DHCP relay. For Primary and Secondary Relay Server, enter the IP addresses of the primary and secondary DHCP relay servers. See DHCP relay for more information.
5. In the IPv6 group, configure IPv6. See Configure a LAN for IPv6.
6. In the Advanced group, enter the Maximum Transmission Unit (MTU), or packet size, for packets sent over the LAN.
7. Click Apply. The new LAN is added to the LAN page.
Command line
1. Set the interfaces in the LAN. For example, to include eth2, eth3, and eth4 interfaces in lan1, enter:
digi.router> lan 1 interfaces eth2,eth3,eth4
2. Enable the LAN. For example, to enable lan1:
digi.router> lan 1 state on
3. Optional: Set an IPv4 address for the LAN.
digi.router> lan 1 ip-address 192.10.8.8
4. Optional: Set a subnet mask for the LAN.
digi.router> lan 1 mask 255.255.255.0
5. Optional: Give a descriptive name to the LAN.
digi.router> lan 1 description ethlan
6. Optional: Set the MTU for the LAN.
digi.router> lan 1 mtu 1500
7. Save the configuration.
digi.router> save config

Show LAN status and statistics

You can view status and statistics for all LANs from either the Dashboard of the web interface, or from the command line:
Web
1. From the menu, click Dashboard. The Network Activity panel LAN section shows the total bytes received and sent over all LANs, and the LAN panel shows the configured LANs and their states.
2. Click a LANto display additional status information, or to configure a LAN.
Command line
To show the status and statistics for a LAN, use the show lan command. For example, here is show lan output for a LAN on which IPv6 is enabled:
digi.router> show lan 1
LAN 1 Status and Statistics
---------------------------
Admin Status     : Up
Oper Status      : Up
Description      : Ethernet and Wi-Fi LAN network
Interfaces       : eth3
MTU              : 1500
IP Address       : 192.168.1.1
Mask             : 255.255.255.0
IPv6 Address(es) : fe80::47/64 (Link local)
                   2001::1234:23:47:1/64 (Global)

           Received   Sent
           --------   ----
Packets    0          137
Bytes      0          15026
digi.router>
If IPv6 were disabled on this LAN, the show lan output would look like this:
digi.router> show lan 1
LAN 1 Status and Statistics
---------------------------
Admin Status     : Up
Oper Status      : Up
Description      : Ethernet and Wi-Fi LAN network
Interfaces       : eth3
MTU              : 1500
IP Address       : 192.168.1.1
Mask             : 255.255.255.0
IPv6 is disabled on this interface

           Received   Sent
           --------   ----
Packets    0          209
Bytes      0          22946
digi.router>

Delete a LAN

Deleting a LAN involves removing the physical interface associations from the LAN, thereby disabling the LAN. The definition for the LAN still exists in the device configuration, but it has no active physical interface.
Web
1. On the menu, click Network > Networks > LANs. The LANs page appears.
2. On the LANs page, select the LAN to delete.
3. Click Delete.
Command line
Use the lan command and specify ! for the interfaces parameter value to set it to none:
lan <lan-number> interfaces !

DHCP servers

You can enable DHCP on a TransPort device to assign IP addresses to clients, using either:
- The DHCP server for the device's local network, which assigns IP addresses to clients on the device's local network. Addresses are assigned from a specified pool of IP addresses. For a local network, the device uses the DHCP server that has the IP address pool in the same IP subnet as the local network.
  When a host receives an IP configuration, the configuration is valid for a particular amount of time, known as the lease time. After this lease time expires, the configuration must be renewed. The host renews the lease time automatically.
  You can configure up to 10 DHCP servers, one for each local network.
- A DHCP relay server, which forwards DHCP requests from clients to a DHCP server that is running on a separate device.

Configure a DHCP server

To configure a DHCP server, you need to configure the following:
Required configuration items
n Enable the DHCP server.
n DHCP method:
l Ifthe device is being configured to use its local DHCP server:
o
The IPaddress pool: the range of IPaddresses issued by the DHCPserver to clients.
Note If you set DHCP server values and find that they are not being served to your DHCP
clients, review the LANconfiguration in the Local Networks pageto make sure that the specified IP Start and IP End values match the corresponding IPv4 and Netmask settings for the interface.
l If the device is being configured to use a DHCP relay server, see DHCP relay.
n The IPnetwork mask given to clients.
n The IPgateway address given to clients.
n The IPaddresses of the preferred and alternate Domain Name Server (DNS) given to clients.
Additional configuration items
n Lease time: The length, in minutes, of the leases issued by the DHCP server.
Web
In the web interface, the DHCP server is configured as part of configuring a LAN on the Local Networks page. See Configure a LAN.
Command line
Note These instructions assume you are configuring the device to use its local DHCP server. For instructions about configuring the device to use a DHCP relay server, see DHCP relay.
1. Enable the DHCP server. By default, the DHCP server is disabled.
digi.router> dhcp-server 1 state server
2. Enter the starting address of the IP address pool:
digi.router> dhcp-server 1 ip-address-start 10.30.1.150
3. Enter the ending address of the IP address pool:
digi.router> dhcp-server 1 ip-address-end 10.30.1.195
4. Enter the network mask:
digi.router> dhcp-server 1 mask 255.255.255.0
5. Enter the IP gateway address given to clients:
digi.router> dhcp-server 1 gateway 10.30.1.1
6. Enter the preferred DNS server address given to clients:
digi.router> dhcp-server 1 dns1 10.30.1.1
7. Enter the alternate DNS server address given to clients:
digi.router> dhcp-server 1 dns2 209.183.48.11
8. Enter the lease time:
digi.router> dhcp-server 1 lease-time 60
9. Save the configuration.
digi.router> save config
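The consistency check that the Note in this section describes, as an added example (not part of the Digi manual or firmware): a Python script that reads CLI lines like those in the steps above and confirms that each enabled DHCP server's pool, mask and gateway line up with a LAN subnet. Both sample configurations are constructed, and the lan 1 mask line is an assumption made by analogy with the wan 1 mask command.

```python
import ipaddress

# Constructed sample: a LAN plus the dhcp-server values used in the steps above.
# The "lan 1 mask" line is an assumption, by analogy with "wan 1 mask".
GOOD_CONFIG = """\
digi.router> lan 1 ip-address 10.30.1.1
digi.router> lan 1 mask 255.255.255.0
digi.router> dhcp-server 1 state server
digi.router> dhcp-server 1 ip-address-start 10.30.1.150
digi.router> dhcp-server 1 ip-address-end 10.30.1.195
digi.router> dhcp-server 1 mask 255.255.255.0
digi.router> dhcp-server 1 gateway 10.30.1.1
"""

# Constructed sample with two mistakes: a mistyped mask octet and a pool
# that ends outside the LAN subnet.
BAD_CONFIG = """\
digi.router> lan 1 ip-address 10.30.1.1
digi.router> lan 1 mask 255.255.255.0
digi.router> dhcp-server 1 state server
digi.router> dhcp-server 1 ip-address-start 10.30.1.150
digi.router> dhcp-server 1 ip-address-end 10.30.2.195
digi.router> dhcp-server 1 mask 255.255.225.0
digi.router> dhcp-server 1 gateway 10.30.1.1
"""


def parse_config(text):
    """Return {(command, index): {parameter: value}} for lan and dhcp-server lines."""
    items = {}
    for raw in text.splitlines():
        parts = raw.replace("digi.router>", "").split()
        if len(parts) == 4 and parts[0] in ("lan", "dhcp-server") and parts[1].isdigit():
            items.setdefault((parts[0], int(parts[1])), {})[parts[2]] = parts[3]
    return items


def check_dhcp_servers(text):
    """Return a list of findings; an empty list means every pool lines up with a LAN."""
    items = parse_config(text)
    lans = {}
    for (cmd, idx), p in items.items():
        if cmd == "lan" and "ip-address" in p and "mask" in p:
            try:
                lans[idx] = ipaddress.IPv4Interface(f"{p['ip-address']}/{p['mask']}")
            except ValueError:
                pass  # a LAN with a malformed address or mask cannot host a pool
    findings = []
    for cmd, idx in sorted(items):
        p = items[(cmd, idx)]
        if cmd != "dhcp-server" or p.get("state") != "server":
            continue  # relay and disabled servers do not use the pool
        tag = f"dhcp-server {idx}"
        try:
            start = ipaddress.IPv4Address(p["ip-address-start"])
            end = ipaddress.IPv4Address(p["ip-address-end"])
        except (KeyError, ValueError):
            findings.append(f"{tag}: pool start or end is missing or malformed")
            continue
        if start > end:
            findings.append(f"{tag}: pool start {start} is above pool end {end}")
        pool_net = None
        try:
            # ipaddress rejects masks whose one-bits are not contiguous
            pool_net = ipaddress.IPv4Network(f"{start}/{p['mask']}", strict=False)
        except (KeyError, ValueError):
            findings.append(f"{tag}: mask {p.get('mask')} is not a valid netmask")
        # The device picks the DHCP server whose pool is in the LAN's subnet
        lan = next((i for i in lans.values()
                    if start in i.network and end in i.network), None)
        if lan is None:
            findings.append(f"{tag}: pool {start}-{end} is not inside any LAN subnet")
            continue
        if pool_net is not None and pool_net != lan.network:
            findings.append(f"{tag}: mask gives {pool_net}, LAN is {lan.network}")
        if start <= lan.ip <= end:
            findings.append(f"{tag}: pool includes the LAN's own address {lan.ip}")
        try:
            gateway = ipaddress.IPv4Address(p["gateway"]) if "gateway" in p else None
        except ValueError:
            gateway = None
            findings.append(f"{tag}: gateway {p['gateway']} is malformed")
        if gateway is not None and gateway not in lan.network:
            findings.append(f"{tag}: gateway {gateway} is outside {lan.network}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_dhcp_servers(cfg) or "no findings")
```
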
Map static IP addresses to hosts
Using the dhcp-host command, you can configure the DHCP server to assign static IP addresses to specific hosts. Up to 32 static IP addresses can be assigned.
Required configuration items
n IP address that will be mapped to the device.
n MAC address of the device.
Command line
Static IP address mapping is available at the command line only.
1. Assign the MAC address of the host. For example:
digi.router> dhcp-host 1 mac-address 00:50:18:21:E2:82
2. Assign an IP address to the host. For example:
digi.router> dhcp-host 1 ip-address 192.168.1.2
3. Repeat for each additional host, using a unique number for the dhcp-host entry. Up to 32 hosts can be configured. For example:
digi.router> dhcp-host 2 mac-address 00:50:18:21:E2:83
digi.router> dhcp-host 2 ip-address 192.168.1.3
4. Save the configuration:
digi.router> save config
View current static IP mapping
To view your current static IP mapping, type the dhcp-host command with no parameters:
digi.router> dhcp-host
dhcp-host 1: ip-address 192.168.1.2 mac-address 00:50:18:21:E2:82
dhcp-host 2: ip-address 192.168.1.3 mac-address 00:50:18:21:E2:83
dhcp-host 3: ip-address mac-address
dhcp-host 4: ip-address mac-address
--More--
Delete static IP mapping entries
To delete a static IP entry, type the following:
digi.router> dhcp-host 1 ip-address !
digi.router> save config
Configure DHCP options
You can configure DHCP servers running on your TransPort device to send specified DHCP options to DHCP clients. You can also set the user class, which lets you specify which DHCP clients receive the option, and you can force the option to be sent to the clients.
DHCP options can be set on a per-LAN basis, or can be set for all LANs. A total of 32 DHCP options can be configured.
Required configuration items
n DHCPoption number.
n Value for the DHCP option.
Additional configuration items
n The user class to specify the DHCP clients for the option.
n The LAN interface, which limits the DHCP option to the DHCP server running on the specified
LAN interface.
n Force the option to be sent to the DHCPclients.
Command line
DHCP option configuration is available at the command line only.
1. Set the DHCP option number. For example, to create a static route for the client, use option 33:
digi.router> dhcp-option 1 option 33
2. Set the value for the DHCP option:
digi.router> dhcp-option 1 value 192.168.1.100,192.168.1.1
3. (Optional) Define the LAN to which this option applies. The default is "all."
digi.router> dhcp-option 1 lan lan1
4. (Optional) Set the user class to which this option applies:
digi.router> dhcp-option 1 user-class Engineering
5. (Optional) Force the option to be sent to the DHCP clients.
digi.router> dhcp-option 1 force on
6. Save the configuration:
digi.router> save config
View current DHCP option configuration
To view your current DHCP option configuration, type the dhcp-option command with no parameters:
digi.router> dhcp-option
dhcp-option 1: force on lan lan1 option 33 user-class Engineering value 192.168.1.100,192.168.1.1
dhcp-option 2: force off lan all option 0 user-class value
dhcp-option 3: force off lan all option 0 user-class value
--More--

Show DHCP server settings

View DHCP status to monitor which devices have been given IP configuration by the TransPort device and to diagnose DHCP issues.
Web
1. On the menu, click Network > Networks > LANs. The LANs page appears.
2. Select a LAN.
3. Expand the DHCP Server group to view the current DHCP configuration. The Enable DHCP Server option indicates whether the DHCP server is Off, Server, or Relay.
Command line
To show the status of the DHCP server, use the show dhcp command. For example:
digi.router> show dhcp
DHCP Status
-----------
IP address       Hostname         MAC Address        Lease Expires At
----------------------------------------------------------------------------
192.168.123.123  IKY-CMS-JPINKN1  38:ea:a7:fd:de:cd  16:32:16, 14 Sep 2016
192.168.123.124  IKY-CMS-BOB      38:ea:a7:fd:a3:22  18:21:06, 14 Sep 2016
digi.router>

DHCP relay

DHCP relay allows a router to forward DHCP requests from one LAN to a separate DHCP server, typically connected to a different LAN.
For TransPort devices, DHCP relay is configured by providing the IP address of a DHCP relay server, rather than an IP address range. If both the DHCP relay server and an IP address range are specified, DHCP relay is used, and the specified IP address range is ignored.
Up to two DHCP relay servers can be provided for each LAN: a primary and secondary relay server. If two relay servers are provided, DHCP requests are forwarded to both servers without waiting for a response. Clients will typically use the IP address from the first DHCP response received.
Configure DHCP relay
Configuring DHCP relay involves the following items:
Required configuration items
n IP address of the primary DHCP relay server, to define the relay server that will respond to DHCP requests.
Additional configuration items
n IP address of a secondary DHCP relay server.
Define DHCP relay servers
Web
1. On the menu, click Network > Networks > LANs.
The Local Networks (LAN) page appears.
2. Click New Network or click an existing network to define DHCP relay servers for the network.
3. Expand the DHCP Server group.
4. For Enable DHCP Server, select Relay.
5. In Primary Relay Server, type the IP address of the DHCP server that will serve as the primary DHCP relay server.
6. (Optional) In Secondary Relay Server, type the IP address of the secondary DHCP relay server.
7. Click Apply.
Command line
To define DHCP relay servers, use the dhcp-server command. For example:
1. Configure the LAN that DHCP clients will connect to, if it is not already configured:
digi.router> lan 1 ip-address 10.251.99.1
digi.router> lan 1 state on
For more information, see Configure a LAN.
2. Enable DHCP relay server:
digi.router> dhcp-server 1 state relay
By enabling DHCP relay, you are disabling the device's local DHCP server, and any IP range that is configured will be ignored.
3. Define the IP address of the DHCP server that will serve as the primary DHCP relay server:
digi.router> dhcp-server 1 relay-server1 192.168.1.1
4. (Optional) Define the IP address of the DHCP server that will serve as the secondary DHCP relay server:
digi.router> dhcp-server 1 relay-server2 192.168.1.2
5. Save the configuration:
digi.router> save config
DHCP relay server failure
When a DHCP relay server is being used and connecting devices are unable to obtain an IP address because the IP address is not accessible or there is a subnet conflict, a message will appear in the system log similar to the following:
daemon.warning dnsmasq-dhcp[5446]: no address range available for DHCP request via lan1
If the TransPort device successfully forwards a DHCP request but does not receive a reply from the DHCP server, a static route may be required on the DHCP server's host to route the reply back to the device.

Wide Area Networks (WANs)

A Wide Area Network (WAN) provides connectivity to the internet or a remote network. A WAN configuration consists of the following:
n A physical interface, such as Ethernet or cellular
n Several networking parameters for the WAN, such as IP address, mask, and gateway
n Several parameters controlling failover

Using Ethernet interfaces in a WAN

Depending on model type, TransPort devices support several Ethernet interfaces. For example, a TransPort LR54 device has four Ethernet interfaces, named eth1, eth2, eth3, and eth4. Other models have fewer Ethernet interfaces, but the naming and numbering of interfaces is similar. You can use Ethernet interfaces as a WAN when connecting to the Internet, through a device such as a cable modem, as shown in the example.
By default, the eth1 interface is configured as a WAN with both DHCP and NAT enabled. This means you should be able to connect to the Internet by connecting the wan/eth1 interface to a device that already has an internet connection.
The eth2, eth3, and eth4 interfaces are by default configured as a Local Area Network (LAN). If necessary, you can assign these Ethernet interfaces to a WAN. For more information on Ethernet interfaces and their configuration, see Ethernet interfaces.

Using cellular interfaces in a WAN

Depending on the model, Digi TransPort devices can support one or two cellular modules, and each module supports two SIMs. This means that a TransPort device can have either two or four cellular interfaces:
n cellular1-sim1
n cellular1-sim2
n cellular2-sim1 (only on models with two cellular modules)
n cellular2-sim2 (only on models with two cellular modules)
To use a cellular interface as a WAN, the cellular interface must be configured to connect to the cellular network.
See Cellular interfaces.

WAN priority and default route metrics

You can configure up to 10 WANs, named wan1, wan2, wan3, and so on. The WAN number determines the priority: wan1 is the highest priority, wan2 is the second highest priority, and so on.
When a WAN comes up, the TransPort device automatically adds a default IP route for the WAN. The metric of the default route is based on the priority of the WAN. For example, because wan1 is the highest priority WAN, the default route for wan1 has a metric of 1, the default route for wan2 has a metric of 2, and so on.

WAN failover

If a connection to a WAN interface is lost for any reason, the TransPort device will immediately fail over to the next WAN interface. Two parameters govern the behavior that occurs during the failover operation:
n The WAN interface's Timeout parameter determines how long the TransPort device will attempt to connect to the WAN interface before it assumes the interface is unavailable and fails over to the next WAN interface. Note that once the device has successfully connected to the WAN and then the connection is lost, it will immediately fail over to the next WAN, regardless of the Timeout parameter.
n The WAN interface's Retry After parameter determines how long the TransPort device will wait before attempting to connect to the interface again.
For example, if you configure the WAN1 interface to have a Timeout of 300 seconds and a Retry After of 1500 seconds:
1. When the TransPort device is restarted, it will attempt to connect to WAN1. If the device fails to connect to WAN1 after 300 seconds (the value of WAN1's Timeout parameter), it will stop attempting to connect to WAN1 and attempt to connect to WAN2. The device will then wait for 1500 seconds (the value of WAN1's Retry After parameter) before attempting to connect to WAN1 again.
Note that if the TransPort device is already connected to WAN1 and the connection fails, the device will immediately attempt to connect to WAN2.
2. If the connection to WAN2 is not immediately successful, the device will continue to attempt to connect to WAN2 for the number of seconds defined for WAN2's Timeout parameter.
3. If the connection to WAN2 also fails, the device will fail over to WAN3. In this case, the device will continue attempting to connect to WAN1 based on WAN1's Retry After parameter. It will also continue attempting to connect to WAN2 based on WAN2's Retry After parameter, unless and until the connection to WAN1 is successful.
The Timeout and Retry After parameters are configured in the Web UI by selecting Network > Networks > WANs on the menu and expanding the Probing group. See Configure a Wide Area Network (WAN) for information. The parameters are configured at the command line using the wan <n> timeout and wan <n> retry-after commands. See the wan command for information.

Active vs. passive failure detection

There are two ways to detect WAN failure: active detection and passive detection.
n Active detection involves sending out IP probe packets (ICMP echo requests) to a particular host and waiting for a response. The WAN is considered to be down if there are no responses for a configured amount of time. See Using IP probing to detect WAN failures.
n Passive detection involves detecting the WAN going down by monitoring its link status by some means other than sending IP probe packets. For example, if an Ethernet cable is disconnected or the state of a cellular interface changes from on to off, the WAN is down.
Using IP probing to detect WAN failures
Problems can occur beyond the immediate WAN connection that prevent some IP traffic from reaching its destination. Normally this kind of problem does not cause the WAN to fail, as the connection continues to work while the core problem exists somewhere else in the network.
You can use IP probing to detect problems in an IP network. IP probing involves configuring the TransPort device to send out regular IP probe packets (ICMP echo requests) to a particular destination. If there are no responses to the probe packets, the TransPort device can bring down the WAN and switch to using another WAN until the problem is resolved.
IP probing includes the following options:
n probe-host: The IPv4 address or fully qualified domain name (FQDN) of the device to probe. The WAN failover feature sends probe packets over the WAN to the IP address of this device.
n probe-interval: The interval, in seconds, between sending probe packets. This value must be more than the probe-timeout value.
n probe-size: The size of probe packets sent to detect WAN failures.
n probe-timeout: The time, in seconds, to wait for a response to a probe. This value must be less than the probe-interval and timeout values.
n activate-after: The time, in seconds, that the primary interface needs to be up before switching back to it as the active interface. If probing is active, no probes are permitted to be lost during this period. Otherwise, the timer is restarted.
n retry-after: The time, in seconds, to wait before retrying this interface after failover. Use a large retry timeout when both interfaces are cellular interfaces.
n timeout: The time, in seconds, to wait for this interface to connect before failing over to a lower priority WAN. Note that once the device has successfully connected and then the connection is lost, it will immediately fail over to the next WAN, regardless of the Timeout parameter.
Example: WAN failover from Ethernet to cellular
In this example WAN, the eth1 interface associated with wan1 serves as the primary WAN, while cellular1-sim1 and cellular1-sim2 are associated with wan2 and wan3, respectively, and serve as backups.
Note The WR64 and some variants of the WR54 have a second modem with two additional SIM slots. On these devices, up to four cellular interfaces can be associated with WANs.
To detect failover:
n The eth1 interface uses IPprobing to detect interface failure.
n The backup WANs, wan2 and wan3, use passive techniques to detect interface failure.
Using the IPprobing configured over the eth1 interface, the TransPort device sends a probe packet of size 256 bytes to the IP host 43.66.93.111 every 10 seconds. If no responses are received for 60 seconds, the TransPort device brings the eth1 interface down and starts using the wan2 (cellular1) interface.
If the TransPort device cannot get a connection on the wan2 (cellular1-sim1) interface, it attempts to use the wan3 (cellular1-sim2) interface. It attempts to switch back to the wan2 (cellular1-sim1) interface after 30 minutes (1800 seconds).
The TransPort device continues to send probes out of the eth1 interface. If it receives probe responses for 120 seconds, it reactivates the wan1 interface and starts using it again as the primary WAN.
To achieve this WAN failover from the eth1 to cellular1-sim1 and cellular1-sim2 interfaces, the WAN failover configuration commands are:
digi.router> wan 1 interface eth1
digi.router> wan 1 timeout 60
digi.router> wan 1 probe-host 43.66.93.111
digi.router> wan 1 probe-interval 10
digi.router> wan 1 probe-size 256
digi.router> wan 1 activate-after 120
digi.router> wan 1 state on
digi.router> wan 2 interface cellular1-sim1
digi.router> wan 2 retry-after 1800
digi.router> wan 2 state on
digi.router> wan 3 interface cellular1-sim2
digi.router> wan 3 retry-after 1800
digi.router> wan 3 state on
digi.router> save config
SureLink probe options for cellular WANs with only one SIM
For WANs configured to use a cellular interface with only one SIM, you can configure additional probe options to reset the cellular module and/or the router when a failure is detected:
n Reboot cellular module: If probing fails after a specified amount of time, the TransPort device reboots the cellular module. See the wan command probe-fail-reset-module option.
n Reboot router: If probing fails after a specified amount of time, the TransPort device reboots itself. See the wan command probe-fail-reset-router option.

Configure a Wide Area Network (WAN)

You can configure up to 10 Wide Area Networks (WANs). Configuring a WAN consists of the following:
n Associating a physical interface, such as Ethernet or cellular with the WAN
n Optionally configuring networking parameters for the WAN, such as IP address, mask, and gateway
n Optionally configuring several parameters controlling failover
n Optionally configuring the WAN for IPv6 support

Assigning priority to WANs

You can assign priority to WANs based on the behavior you want to implement for primary and backup WAN interfaces. For example, if you want Ethernet to be your primary WAN with a cellular interface as backup, assign an Ethernet interface to wan1 and assign a cellular interface to wan2.
WANs have priorities associated with them, which are based on a metric parameter set for each WAN. The TransPort device automatically adds a default IP route for the WAN when it comes up. The metric of the route is based on the priority of the interface. For example, as wan1 is the highest priority, the default route for wan1 has a metric of 1, and the default route for wan2 has a metric of 2.
Configuring a WAN for IPv6
You can enable IPv6 on a per-WAN-interface basis. See Configure a WAN for IPv6.
Required configuration items
n Assign an interface to the WAN. By default, WANs are assigned the following physical interfaces:
o wan1: eth1
o wan2: cellular1
o wan3: cellular2
n Assign an interface to the WAN. By default, WANs are assigned the following physical interfaces:
l wan1: eth1
l wan2: cellular1-sim1
l wan3: cellular2-sim1
l wan4: cellular1-sim2
l wan5: cellular2-sim2
n If you want to use IPv6 addressing for the WAN, enable the WAN for IPv6 and configure prefix delegation. See Configure a WAN for IPv6.
Additional configuration items
These additional configuration settings are not typically configured, but you can set them as needed.
For Ethernet interfaces:
n The IP configuration. WANs typically get their IP address configuration from the network to which they connect (for example, cellular). However, you can manually set the IP configuration as needed. The following manual configuration settings are available:
l IP address and mask.
l Gateway: Required for Ethernet WANs if setting the IP address manually, to create a default route over the WAN. If setting the IP address via DHCP, this setting is obtained automatically and does not need to be set.
l Preferred and alternate DNS server.
n Disable the DHCP client. Ethernet interfaces use DHCP client to get an IP address from a DHCP server (for example, from a cable modem). If you are manually configuring the IP address for the Ethernet interface, disable the DHCP client.
n Network Address Translation (NAT). NAT translates IP addresses from a private LAN to a public IP address. By default, NAT is enabled. Unless your LAN has a publicly-addressable IP address range, do not disable NAT.
n The IP probe settings. These settings control elements of the WAN failover feature, including sending of probe packets over the WAN interface to a specified device to determine whether the WAN is still up, timeouts, and switching between primary and backup interfaces. For more information on these settings, see the discussion of IP probing in Wide Area Networks (WANs).
Note A WAN configured for static IP takes precedence over a configuration derived via DHCP. This allows you to configure alternative DNS servers from those given to you by your network provider.
For Cellular interfaces:
n The IP probe settings. These settings control elements of the WAN failover feature, including sending of probe packets over the WAN interface to a specified device to determine whether the WAN is still up, timeouts, and switching between primary and backup interfaces. For more information on these settings, see the discussion of IP probing in Using IP probing to detect WAN failures and SureLink probe options for cellular WANs with only one SIM.
Web
Create a new WAN
1. On the menu, click Network > Networks > WANs. The WANs page appears.
2. Click New WANConnection and enter the following:
Select WAN: Assign an index number to the WAN. This number sets the WANpriority for the WAN.
Select interface: Select an interface to assign to the WAN.
Enable: Enable or disable the new WAN.
3. In the IPv4 group, configure IP address settings for IPv4 if you want to manually configure an IP address for the WAN.
4. In the IPv6 group, enable and configure IPv6 if required for the WAN.
5. In the Security group, configure optional security settings for the WAN.
6. In the Probing group, configure optional probe host settings for the WAN.
7. Click Apply.
Command line
Configure basic WAN settings
1. Assign an interface to the WAN interface.
digi.router> wan 1 interface eth1
2. If using IPv6 addressing for the WAN, see Configure a WAN for IPv6.
3. Optional: Disable DHCP client mode.
digi.router> wan 1 dhcp off
4. Optional: Configure the IP address, mask, gateway, and DNS servers.
digi.router> wan 1 ip-address 10.1.2.2
digi.router> wan 1 mask 255.255.255.252
digi.router> wan 1 gateway 10.1.2.1
digi.router> wan 1 dns1 10.1.2.1
digi.router> wan 1 dns2 8.8.8.8
5. Optional: Set the speed.
digi.router> eth 1 speed {auto | 1000 | 100 | 10}
6. Save the configuration.
digi.router> save config
Configure IP probe settings
1. Optional: Configure the time, in seconds, to wait for this interface to connect and to receive a probe response before failing over to a lower priority interface.
digi.router> wan 1 timeout 60
2. Configure the IP host to probe.
digi.router> wan 1 probe-host 192.168.47.1
3. Optional: Configure the time, in seconds, to wait for a response to a probe. This value must be smaller than the probe-interval and timeout parameter values. If not, the configuration is considered invalid, and an error message is written to the system log.
digi.router> wan 1 probe-timeout 5
4. Optional: Configure the interval, in seconds, between sending probe packets. This value must be larger than the probe-timeout value. If not, the WAN failover configuration is considered invalid, and an error message is written to the system log.
digi.router> wan 1 probe-interval 20
5. Optional: Configure the size of the IP probe packet.
digi.router> wan 1 probe-size 120
6. Optional: Configure the time, in seconds, that the primary interface needs to be up before switching back to it as the active interface. If probing is active, no probes are permitted to be lost during this period. Otherwise, the timer is restarted. Accepted value is any integer from 0 to 3600. The default value is 0.
digi.router> wan 1 activate-after 30
7. Optional: Configure the time, in seconds, to wait before retrying this interface after failing over to a lower priority one. Use a large retry timeout when both interfaces are cellular interfaces. Accepted value is any integer from 10 to 3600. The default value is 180.
digi.router> wan 1 retry-after 1200
8. Save the configuration.
digi.router> save config
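A pre-deployment check of the probe constraints listed in the steps above, as an added example (not part of the Digi manual or firmware): a Python script that reads wan CLI lines and reports the combinations that the steps describe as invalid, which matters because an invalid probe configuration leaves the WAN without active failure detection. The sample configuration is constructed, and only values that are explicitly set are compared because this page does not state the defaults for timeout, probe-timeout or probe-interval.

```python
# Ranges stated in the steps above for activate-after and retry-after.
RANGES = {"activate-after": (0, 3600), "retry-after": (10, 3600)}
NUMERIC = ("timeout", "probe-timeout", "probe-interval", "probe-size",
           "activate-after", "retry-after")

# Constructed sample: wan 1 follows the steps above, wan 2 breaks three rules.
CONSTRUCTED_CONFIG = """\
digi.router> wan 1 interface eth1
digi.router> wan 1 timeout 60
digi.router> wan 1 probe-host 192.168.47.1
digi.router> wan 1 probe-timeout 5
digi.router> wan 1 probe-interval 20
digi.router> wan 1 probe-size 120
digi.router> wan 1 activate-after 30
digi.router> wan 1 retry-after 1200
digi.router> wan 2 interface cellular1-sim1
digi.router> wan 2 timeout 15
digi.router> wan 2 probe-host 192.168.47.1
digi.router> wan 2 probe-timeout 20
digi.router> wan 2 probe-interval 20
digi.router> wan 2 retry-after 5
"""


def parse_wans(text):
    """Return {wan_number: {parameter: value}} from 'wan <n> <parameter> <value>' lines."""
    wans = {}
    for raw in text.splitlines():
        parts = raw.replace("digi.router>", "").split()
        if len(parts) == 4 and parts[0] == "wan" and parts[1].isdigit():
            wans.setdefault(int(parts[1]), {})[parts[2]] = parts[3]
    return wans


def check_wan(params):
    """Return the rule violations for one WAN's parameters."""
    problems = []
    nums = {}
    for key in NUMERIC:
        if key in params:
            try:
                nums[key] = int(params[key])
            except ValueError:
                problems.append(f"{key} is not an integer: {params[key]}")
    for key, (low, high) in RANGES.items():
        if key in nums and not low <= nums[key] <= high:
            problems.append(f"{key} {nums[key]} is outside {low}-{high}")
    probe_timeout = nums.get("probe-timeout")
    if probe_timeout is not None:
        # probe-timeout must be smaller than both probe-interval and timeout
        if "probe-interval" in nums and probe_timeout >= nums["probe-interval"]:
            problems.append("probe-timeout is not smaller than probe-interval")
        if "timeout" in nums and probe_timeout >= nums["timeout"]:
            problems.append("probe-timeout is not smaller than timeout")
    return problems


def audit_wans(text):
    """Return {wan_number: [problems]} for every WAN found in the text."""
    return {n: check_wan(p) for n, p in sorted(parse_wans(text).items())}


if __name__ == "__main__":
    for number, problems in audit_wans(CONSTRUCTED_CONFIG).items():
        print(f"wan {number}:", "; ".join(problems) if problems else "ok")
```
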

Show WAN status and statistics

You can view status and statistics for all WANs from either the Web UI or the command line.
Web
1. On the menu, click Network > Networks > WANs. The WANs page appears.
2. Select a WAN.
The WAN page shows configuration parameters, as well as status and statistics for the interface assigned to the WAN.
Command line
Show WAN summary statistics
To show the status and statistics for a WAN, use the show wan command. For example:
digi.router> show wan
 #  WAN Interface  Status  IP Address
-----------------------------------
 1  eth1           Up      192.168.0.25
 2  cellular1      Up      172.20.1.7
digi.router>
Show status and statistics for the WAN physical interface
To view status and statistics for the physical interface for the WAN, enter the show command for that physical interface; for example, show eth or show cellular.
Show detailed WAN status
To show detailed status for a WAN, enter the show wan command, specifying the WAN instance number. For example, for a WAN on which IPv6 is enabled:
digi.router> show wan 1
WAN 1 Status and Statistics
---------------------------
WAN Interface : eth1
Admin Status : Up
Oper Status : Up
IP Address : 47.0.0.101
Mask : 255.255.255.0
Gateway : 47.0.0.1
DNS Server(s) : 47.0.0.1, 8.8.8.8
IPv6 Address(es) : 2001:abcd:1234::1234:22:3/64 (Global)
                   fe80::20c:29ff:fef4:77fc/64 (Link local)
IPv6 DNS Server(s) : 2001:abcd:1200:11:e4ff:fe09:3de3, 2001:4860:4860::8888
Probes are not being used
          Received   Sent
          --------   ----
Packets   4          4
Bytes     836        796
When IP probing is enabled, the show wan output provides additional details, including how long it has been since the device received a probe response from the probe host:
digi.router> show wan 1
WAN 1 Status and Statistics
---------------------------
WAN Interface : eth1
Admin Status : Up
Oper Status : Up
IP Address : 10.52.18.120
Mask : 255.255.255.0
Gateway : 10.52.18.1
DNS Server(s) : 8.8.8.8
Probing : 10.52.18.1
Last Probe Response received : 5 seconds ago
          Received   Sent
          --------   ----
Packets   8356       640
Bytes     673351     64841
digi.router>
If IP probing is disabled because the configuration is invalid, the output is similar to the following:
digi.router> show wan 1
WAN 1 Status and Statistics
---------------------------
WAN Interface : eth1
Admin Status : Up
Oper Status : Up
IP Address : 10.52.18.120
Mask : 255.255.255.0
Gateway : 10.52.18.1
DNS Server(s) : 8.8.8.8
Probes are not being used
          Received   Sent
          --------   ----
Packets   8356       640
Bytes     673351     64841
digi.router>
If IP probing is on, but the device has not yet received any replies, the output is similar to the following:
digi.router> show wan 1
WAN 1 Status and Statistics
---------------------------
WAN Interface : eth1
Admin Status : Up
Oper Status : Up
IP Address : 10.52.18.120
Mask : 255.255.255.0
Gateway : 10.52.18.1
DNS Server(s) : 8.8.8.8
Probing : 10.52.18.1
Waiting for first response
          Received   Sent
          --------   ----
Packets   8356       640
Bytes     673351     64841

Delete a WAN

Web
1. On the menu, click Network > Networks > WANs. The WANs page appears.
2. On the WAN page, select the WAN to delete.
3. Click Delete.
Command line
You cannot delete a WAN using the command line. Instead, disable the WAN using the wan n state off command, for example:
wan 1 state off

IPv6

IPv6 is an updated version of the Internet Protocol (IP). Until recently, the Internet has used a previous version, IPv4.
One of the reasons for IPv6 is the shortage of IPv4 addresses. Although Network Address Translation (NAT), which allows users to use one public IPv4 address for a whole private network, has mitigated this shortage to some extent, with more and more devices being connected to the internet, there are not many IPv4 addresses left.
IPv4 addresses are 32 bits long. Over 4 billion addresses are available through IPv4, though not all the addresses are usable. IPv6 addresses are 128 bits long. Taking into account the structure of the IPv6 address, there are 4.6 x 10^18 globally routable addresses available. This equates to approximately 650 million IP addresses for each person in the world.
Since every device can have a globally routable IPv6 address, there is no NAT with IPv6. This means it is very important to properly configure IP filters and firewall rules to prevent direct attacks on hosts on the LAN networks. By default, a TransPort device blocks any incoming IPv6 traffic not associated with a connection established by a host on the LAN network.
IPv4 and IPv6 can co-exist on the same device. Each application can select the IP version to use. Some services, such as web server or Simple Network Management Protocol (SNMP) can accept connections on both IPv4 and IPv6.
TransPort devices support both IPv4 and IPv6 on WAN and LAN interfaces. Using IPv6 on WAN interfaces requires an ISP that supports IPv6.

Common IPv6 address types

There are several common IPv6 address types, distinguished by their beginning characters:
Address type | Beginning characters | Description
Global routable addresses | Either 2 or 3 | Each device using IPv6 on the Internet has a globally unique routable IPv6 address.
Link local addresses | fe80 | Each device auto-generates a link-local address on every interface using IPv6. The interfaces use these addresses to communicate with other devices connected on the link.
Multicast addresses | ff | Addresses for sending packets to a group of devices. There are a number of well-known defined addresses, such as those for All nodes and All routers.
Unique local addresses (ULA) | fc or fd | Addresses for creating a site-specific network. While these addresses are globally unique, you cannot use them for routing on the Internet.

Auto address assignment

There are three modes in which a device can auto-configure itself with an IPv6 address and other network configuration. The mode the device uses is controlled by the Router Advertisement messages a router periodically sends out, or in response to a Router Solicitation message that a host sends.
Auto-configuration mode | Description
Stateless auto-configuration (SLAAC) | The device uses the prefix sent in the Router Advertisement message to generate a unique IPv6 address, usually by appending the interface's MAC address with EUI-64 encoding. The device can also learn gateway and DNS server information from the Router Advertisement message. The device uses Duplicate Address Detection (DAD) to ensure the auto-generated IPv6 address is unique.
DHCPv6 | The device uses DHCPv6 to get an IPv6 address and other network configuration.
SLAAC + DHCPv6 | The device uses a combination of SLAAC and DHCPv6. It uses SLAAC to auto-configure itself with an IPv6 address, and DHCPv6 to get other network configuration, such as DNS server information. This configuration mode is available because earlier versions of the Router Advertisement did not include any DNS server information. Therefore the device had to use DHCPv6 to get this information.

Prefix delegation

Prefix delegation is how a router asks for a prefix from the ISP that it can subnet and distribute through its LAN interfaces. Prefix delegation is an extension of the DHCPv6 protocol.
Normally, a router gets a /64 prefix using Router Advertisements, which cannot normally be subnetted. Therefore, a router uses prefix delegation to request a globally routable prefix it can distribute.
When the TransPort device receives a delegated prefix, it appends a subnet ID and assigns it to the LAN interfaces with IPv6 enabled. The subnet ID differs for each LAN. By default, the subnet ID is the LAN instance.
For example, if the delegated prefix is 2001:1234:5678:9ab0::/60, the prefixes for LANs 1 to 4 are:
n LAN 1: 2001:1234:5678:9ab1::/64
n LAN 2: 2001:1234:5678:9ab2::/64
n LAN 3: 2001:1234:5678:9ab3::/64
n LAN 4: 2001:1234:5678:9ab4::/64
The router’s LAN interfaces then advertise these prefixes using Router Advertisements and DHCPv6.

More information on IPv6

For more information, including key differences between IPv4 and IPv6, see this Digi white paper on IPv6.

Configure a LAN for IPv6

Currently, the only mode for auto-configuration of devices connected on the LAN is DHCPv6. Configuring a LAN for IPv6 involves one task: Enable IPv6 on a LAN.

Enable IPv6 on a LAN

You can enable IPv6 on a per-LAN interface basis.
Enabling IPv6 on a LAN does not affect IPv4 operation. When IPv6 is enabled for a LAN, you can have IPv4 addresses on the LAN and hosts on the LAN can use IPv4 and IPv6 as required.
Web
1. On the menu, click Network > Networks > LANs. The LANs page appears.
2. Select the LAN on which you want to enable IPv6.
3. Open the IPv6 group, and enable IPv6.
Command line
To enable IPv6 on a LAN, use the lan command ipv6-state parameter. For example:
digi.router> lan 1 ipv6-state on
digi.router> save config

Show LAN IPv6 status

You can view IPv6 status and statistics for LANs from either the Web UI or the command line.
Web
1. On the menu, click Network > Networks > LANs. All configured LANs appear.
2. Select a LAN. The LAN display expands to show the configuration parameters and the status and statistics for the interface assigned to the LAN. If IPv6 is enabled for the LAN and IPv6 addresses are assigned to it, the addresses display in the IPv6 Address field.
Command line
To show the IPv6 status on a LAN, use the show lan command. For example:
digi.router> show lan 1
LAN 1 Status and Statistics
---------------------------
Admin Status     : Up
Oper Status      : Up
Description      : Ethernet LAN network
Interfaces       : eth2
MTU              : 1500
DHCP client      : Off
IP Address       : 192.168.1.1
Mask             : 255.255.255.0
DNS Server(s)    : 8.8.8.8
IPv6 Address(es) : fe80::8473:dff:fe69:ab41/64 (Link Local)
                   2600:1000:b03e:7ae9:1000::1/68 (Global)

          Received    Sent
          ---------   ----
Packets   167018      56253
Bytes     13487578    4608476

Configure a WAN for IPv6

Configuring a WANfor IPv6 involves these tasks:
n Enable IPv6 on a WAN
n Configure prefix delegation on a WAN

Enable IPv6 on a WAN

You can enable IPv6 on a per-WAN basis.
For IPv6 to work on a WAN interface, the ISP to which the WAN interface is connected must support IPv6.
Web
1. From the menu, click Network > Networks > WANs. The WANs page appears.
2. Select the WAN on which you want to enable IPv6.
3. Open the IPv6 group, and enable IPv6.
Command line
To enable IPv6 on a WAN interface, use the wan command ipv6-state parameter. For example:
digi.router> wan 1 ipv6-state on
digi.router> save config

Configure prefix delegation on a WAN

When the WAN interface gets an IPv6 address, the TransPort device automatically sends a prefix delegation request to the ISP. By default, the TransPort device requests a /60 prefix, which allows the device to support up to 15 LANs. The number of LANs that can be supported is equal to (2 raised to the power of (64 - prefix-length)) - 1. You can request a different prefix length from this default.
Note The TransPort is not guaranteed to receive a prefix of the requested length. For example, the TransPort device may request a /60 prefix, but receive a /62 prefix. This means you might have more LANs with IPv6 enabled than can be supported by the received prefix. In this case, the TransPort sets the prefix on the first LAN interfaces as defined by the number of available LANs.
Web
1. From the menu, click Network > Networks > WANs. The WANs page appears.
2. Select the WAN on which you want to configure prefix delegation.
3. Enter the length of the requested prefix in the Requested Prefix Length field.
Command line
To change the length of the requested prefix, use the wan command ipv6-prefix-length parameter. For example:
digi.router> wan 1 ipv6-prefix-length 56
digi.router> save config
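The following added example (not from the Digi manual or firmware) works through the subnetting described under Prefix delegation and the address types listed under Common IPv6 address types, using Python's ipaddress module. It assumes the default stated above, where the subnet ID is the LAN instance; the function names are illustrative.

```python
import ipaddress

# Address types from the "Common IPv6 address types" table, as networks.
ADDRESS_TYPES = [
    ("link-local", ipaddress.IPv6Network("fe80::/10")),     # begins with fe80
    ("multicast", ipaddress.IPv6Network("ff00::/8")),       # begins with ff
    ("unique-local", ipaddress.IPv6Network("fc00::/7")),    # begins with fc or fd
    ("global", ipaddress.IPv6Network("2000::/3")),          # begins with 2 or 3
]


def classify(addr: str) -> str:
    """Return the address type for an IPv6 address, or "other"."""
    ip = ipaddress.IPv6Address(addr)
    for name, net in ADDRESS_TYPES:
        if ip in net:
            return name
    return "other"


def lan_capacity(prefix_len: int) -> int:
    """LANs a delegated prefix can serve: 2^(64 - prefix_len) - 1."""
    if not 1 <= prefix_len <= 64:
        raise ValueError("delegated prefix length must be between 1 and 64")
    return 2 ** (64 - prefix_len) - 1


def assign_lan_prefixes(delegated: str, lan_instances):
    """Return ({lan: /64 network}, [lans left without a prefix]).

    Assumption: the subnet ID appended to the prefix is the LAN instance,
    which the page describes as the default.
    """
    net = ipaddress.IPv6Network(delegated)      # raises if host bits are set
    capacity = lan_capacity(net.prefixlen)
    assigned, unserved = {}, []
    for lan in sorted(lan_instances):
        if 1 <= lan <= capacity:
            subnet = int(net.network_address) | (lan << 64)
            assigned[lan] = ipaddress.IPv6Network((subnet, 64))
        else:
            unserved.append(lan)                # received prefix is too small
    return assigned, unserved


def lan_for_address(assigned, addr: str):
    """Map a global address (for example from a log) to the LAN whose /64 holds it."""
    ip = ipaddress.IPv6Address(addr)
    for lan, net in assigned.items():
        if ip in net:
            return lan
    return None
```

Running assign_lan_prefixes with a /62 in place of the requested /60 shows which LAN instances end up without a global prefix, which is the case the Note above describes.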

Show WAN IPv6 status

You can view IPv6 status for WANs from either the Web UI or the command line.
Web
1. On the menu, click Network > Networks > WANs. All configured WANs appear.
2. Select a WAN. The WAN display expands to show the configuration parameters and the status and statistics for the interface assigned to the WAN. If IPv6 is enabled for the WAN and IPv6 addresses are assigned to the WAN, the addresses display in the IPv6 Address field.
Command line
To show the IPv6 status on a WAN, use the show wan command. For example:
digi.router> show wan 2
WAN 2 Status and Statistics
---------------------------
WAN Interface      : cellular1
Admin Status       : Up
Oper Status        : Up
IP Address         : 100.67.98.174
Mask               : 255.255.255.252
Gateway            :
DNS Server(s)      : 198.224.186.135, 198.224.187.135
IPv6 Address(es)   : 2600:1000:b03e:7ae9:3038:63ff:fe47:4158/64 (Global)
                     fe80::3038:63ff:fe47:4158/64 (Link Local)
IPv6 DNS Server(s) : 2001:4888:12:ff00:106:d::, 2001:4888:13:ff00:123:d::
Probes are not being used

          Received   Sent
          --------   ----
Packets   503        939
Bytes     104697     130536

Security

n Local users
n Firewall management with IP filters
n Certificate and key management
n Remote Authentication Dial-In User Service (RADIUS)

Local users

To access a TransPort device (via the command-line interface or web interface), users must log in as a configured user of the device. This topic details the TransPort user model, as well as how to create, modify, and delete users.
Maximum number of users
TransPort allows you to configure up to 10 users for a device, user 1 through user 10. Each user has a unique username, password, and access level.
Default user
As manufactured, each TransPort device comes with a default user 1 configured as follows:
Username: admin
Password: The default password is displayed on the label on the bottom of the device.
Access: super
Note The default password is a unique password for the device, and is the most critical security feature for the device. Anytime you reset the device to factory defaults, you should immediately change the password from the default to a custom password. Before deploying or mounting the TransPort device, take a photo of or otherwise record the default password, so you have the information available when you need it even if you cannot physically access the label on the bottom of the device.
You can change the default user 1 configuration to match your site requirements.

User access levels

TransPort devices support three access levels: super, read-write, and read-only. These access levels determine the level of control users have over device features and settings.
Access level | Permissions allowed
super | The user can manage all features on TransPort devices. Devices can have multiple users with super access level. At least one user on each device must have a super access level to allow editing user access levels. If you or any other user deletes the only user with super access level, you must restore the default user configuration by resetting the device to factory defaults.
read-write | The user can manage all device features except security-related features, such as configuring user access, configuring firewalls, clearing logs, and so on.
read-only | The user can view device configuration and status, but cannot change the configuration or status.

Configure a user

To add, modify, or delete a user, you must be assigned the super access level. See User access levels for descriptions of user access levels.
To configure a user, you need to configure the following:
Required configuration items
n A username, up to 32 characters long.
n A password, from 1-128 characters long. For security reasons, passwords are stored in hash form. There is no way to get or display passwords in clear-text form.
Additional configuration items
n User access level. The default access level for users is super. To restrict access for a user, assign either read-write or read-only. See User access levels for descriptions of user access levels.
Web
1. Click Security > Authentication > Local Users. The User Management page appears.
2. Click New User.
Note When you add a new user using the web interface, TransPort creates a new user with the next available index number. When you create a new user using the command line, you cannot set or change the user index number assigned to a user.
3. Enter user account information:
n Username: The username for the user. Usernames can be up to 32 characters long and are case-insensitive. They:
l Must start with a letter (lowercase or uppercase) or underscore.
l Can contain letters (lowercase and uppercase), digits, underscore (_), or hyphen (-).
l Can end with a dollar sign ($).
l No other characters are allowed.
Examples of valid usernames: _Username1234$ and userName-1234.
Examples of invalid usernames: -Username, user/name, userName$1234
n Access: The user access permission for the user: super, read-write, or read-only. For descriptions of these access permissions, see User access levels.
n Password/Confirm Password: Password for the user.
4. Click Apply.
Command line
The user command configures users.
1. Configure the username. Usernames can be up to 32 characters long and are case-insensitive. They:
n Must start with a letter (lowercase or uppercase) or underscore.
n Can contain letters (lowercase and uppercase), digits, underscore (_), or hyphen (-).
n Can end with a dollar sign ($).
n No other characters are allowed.
Examples of valid usernames: _Username1234$ and userName-1234.
Examples of invalid usernames: -Username, user/name, userName$1234
For example:
digi.router> user 1 name joeuser
2. Configure the password. For example:
digi.router> user 1 password omnivers1031
3. Optional: Configure the access level. For example:
digi.router> user 1 access read-write
4. Save the configuration.
digi.router> save config
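Added example, not Digi code: a Python check to run over planned user commands before they are entered on a device. It applies the username, index and access-level rules stated above to a copy of the current user table, which the caller supplies (an assumption of this example, as are the function names), and reports problems such as leaving no user with super access.

```python
import re

USERNAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_-]*\$?")
ACCESS_LEVELS = {"super", "read-write", "read-only"}
MAX_USERS = 10          # page: user 1 through user 10


def valid_username(name: str) -> bool:
    """Username rules as listed on the page (a trailing $ counts toward the 32)."""
    return len(name) <= 32 and USERNAME_RE.fullmatch(name) is not None


def lint_user_commands(lines, existing):
    """Apply planned `user n ...` commands to a copy of `existing`
    ({index: {"name": str, "access": str}}); return (resulting_users, findings)."""
    users = {i: dict(u) for i, u in existing.items()}
    explicit_access, findings = set(), []
    for raw in lines:
        line = raw.strip()
        if line.startswith("digi.router>"):
            line = line[len("digi.router>"):].strip()
        parts = line.split(None, 3)
        if len(parts) != 4 or parts[0] != "user":
            continue                                  # e.g. "save config"
        _, idx, field, value = parts
        if not idx.isdigit() or not 1 <= int(idx) <= MAX_USERS:
            findings.append(f"user {idx}: index outside 1-{MAX_USERS}")
            continue
        n = int(idx)
        if field == "name" and value == "!":          # page: "user n name !" deletes
            users.pop(n, None)
            continue
        # Page: the default access level for a user is super.
        entry = users.setdefault(n, {"name": None, "access": "super"})
        if field == "name":
            taken = {u["name"].lower() for i, u in users.items() if i != n and u["name"]}
            if not valid_username(value):
                findings.append(f"user {n}: invalid username {value!r}")
            elif value.lower() in taken:              # unique + case-insensitive names
                findings.append(f"user {n}: username {value!r} duplicates another user")
            else:
                entry["name"] = value
        elif field == "access":
            if value in ACCESS_LEVELS:
                entry["access"] = value
                explicit_access.add(n)
            else:
                findings.append(f"user {n}: unknown access level {value!r}")
        elif field == "password" and not 1 <= len(value) <= 128:
            findings.append(f"user {n}: password length outside 1-128")
    users = {i: u for i, u in users.items() if u["name"]}
    for n, u in sorted(users.items()):
        if n not in existing and n not in explicit_access:
            findings.append(f"user {n}: new user {u['name']!r} keeps the default access level super")
    if not any(u["access"] == "super" for u in users.values()):
        findings.append("no user with super access would remain")
    return users, findings
```

Applied to the command sequence shown above against a table holding only the factory default user 1 (admin, super), the check reports that no user with super access would remain.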

Delete a user

You can delete user definitions when they are no longer needed.
To add, modify, or delete a user, you must be assigned the super access level. See User access levels for descriptions of user access levels.
Web
1. Click Security > Authentication > Local Users. The User Management page appears.
2. Select the user to delete.
3. Click Delete and respond to the confirmation prompt.
Command line
Enter the following command:
digi.router> user n name !
For example, to delete the user joeuser that was previously assigned to user 1, enter:
digi.router> user 1 name !
digi.router> save config

Change a user's password

To add, modify, or delete a user, you must be assigned the super access level. See User access levels for descriptions of user access levels.
Web
1. Click Security > Authentication > Local Users. The User Management page appears.
2. Select the user.
3. Enter the new password.
4. Confirm the new password.
5. Click Apply.
Command line
1. Enter the user command, specifying the new password value:
digi.router> user <user number> password <password-value>
2. Save the configuration.
digi.router> save config
For example:
digi.router> user 6 password tester
digi.router> save config

Firewall management with IP filters

TransPort secures your network by controlling network traffic using a variety of mechanisms, such as Port forwarding (see Port forwarding) and allow-https-access/allow-ssh-access (see Wide Area Networks (WANs)).
IP filter rules allow you to further control network traffic by allowing and restricting access based on filter criteria.
For example, you can use an IPfilter rule to:
n IP filter example: Allow additional traffic into the device
n IP filter example: Restrict access by rejecting traffic from a LAN to a WAN
n IP filter example: Restrict access to an open service
n IP filter example: Restrict access to a router service from LAN devices
n IP filter example: Restrict LAN-to-LAN for all but one service
IPfilter source and destination options
Network traffic managed by IP filter rules can be categorized into three groups:
n Incoming traffic: Traffic destined to a service or application on the router.
n Forwarded traffic: Traffic flowing through the router from one network host to another.
n Outgoing traffic: Traffic originating from a service or application on the router.
If you want to create an IP filter rule that applies only to incoming traffic received using the source LAN or WAN, specify only the source option. In this case, incoming network traffic refers only to inbound traffic that is destined for a service on the router, not all traffic flowing through the router destined for another host.
If you want to create an IPfilter rule that applies only to traffic flowing through the router received using a source LAN or WAN, specify both the source and destination options. The source and destination values must be different from each other or the rule is not applied.
Infrequently, you may need to create an IP filter rule that applies only to outgoing network traffic sent using the destination LAN or WAN. To do so, specify only the destination option. In this case, outgoing network traffic refers only to outbound traffic sent from a service on the router, not all traffic flowing through the router from another host.
Note Invalid IPfilter rules are not applied. To be valid, a rule must include the Source, Destination, or
both the Source and Destination options. The Source and Destination options must be different from each other.
Example: Incoming traffic rule
The following rule applies only to incoming traffic received from any configured WAN, regardless of other specified parameters.
Note The destination None value is the default and need not be specified.
ip-filter 1 src any-wan
ip-filter 1 dst none

IP filter criteria options

An IP filter rule applies only to network traffic (packets) matching the following set of filter criteria options:
n Protocol
n Source IP address
n Source IPport
n Destination IP address
n Destination IPport
After determining if the network traffic is incoming, outgoing, or forwarded traffic, the filter criteria are used to examine the network packet. If the packet matches the criteria, the rule action is applied and the packet is accepted, dropped, or rejected.
Example: SSH criteria
The following rule applies only to packets coming from a host with a 10.20.x.y IP address that are for the SSH server. SSH typically uses TCP protocol on port 22. The default values for source IP port and destination IP address are not used because they are not relevant for this filter criteria.
ip-filter 1 protocol tcp
ip-filter 1 src-ip-address 10.20.0.0/16
ip-filter 1 dst-ip-port 22

IP filter rule priority

IP filter rules are higher priority than port forward rules, the WAN command allowing HTTPS or SSH access, or rules that allow LAN access by default. Therefore, use IP filter rules to further filter traffic by port, IP address, or protocol.
IPfilter rules are applied in order from 1 to the maximum number of rules. Use multiple rules to build a more secure environment where some services are allowed, while others are rejected. See IP filter
examples.

Add an IP filter rule

Web
To add one or more IP filter rules:
1. On the menu, click Security > Firewall:
n Select Input IPFilters to add an input IPfilter.
n Select Routing IPFilters to add a routing IP filter.
2. Within the set of rules you want to add, click (Add Filter) to create a new filter. See Firewall
page for field descriptions.
3. When you have finished adding rules, click Apply.
Digi TransPort WR Routers User Guide
80
Page 81
Security Firewall management with IP filters
Command line
To add an IPfilter rule, use the ip-filter command.
For example, to create IPfilter rule 3:
digi.router> ip-filter 3 description Allow WAN SNMP only from 10.20 network digi.router> ip-filter 3 action accept digi.router> ip-filter 3 src any-wan digi.router> ip-filter 3 protocol tcp,udp digi.router> ip-filter 3 src-ip-address 10.20.0.0/16 digi.router> ip-filter 3 dst-ip-port 161,162 digi.router> ip-filter 3 state on digi.router> save config

Delete an IP filter rule

Web
To delete one or more IP filter rules:
1. On the menu, click Security > Firewall:
n Select Input IPFilters to delete an input IPfilter.
n Select Routing IPFilters to delete a routing IP filter.
2. Select the rule you want to remove, and click .
3. Click Apply.
Command line
You cannot delete an IP filter rule using the command line, but you can disable a rule using the ip-filter command.
For example:
digi.router> ip-filter 4 state off
digi.router> save config

Edit an IP filter rule

Web
To edit an IPfilter rule:
1. On the menu, click Security > Firewall:
n Select Input IPFilters to edit an input IPfilter.
n Select Routing IPFilters to edit a routing IP filter.
2. Select the rule you want to edit and click Edit Rule.
3. When you have finished editing the rule, click Apply.
Digi TransPort WR Routers User Guide
81
Page 82
Security Firewall management with IP filters
Command line
To edit an IPfilter rule, use the ip-filter command.
For example, to edit the description for IPfilter rule 3:
ip-filter 3 description Allow WAN SNMP only from 10.20 network save config

Enable or disable an IP filter rule

Web
To enable or disable an IP filter rule:
1. On the menu, click Security > Firewall:
n Select Input IPFilters to edit an input IPfilter.
n Select Routing IPFilters to edit a routing IP filter.
2. Select the rule you want to change, and enable or disable the rule.
3. When you have finished, click Apply.
Command line
To enable or disable an IPfilter rule, use the ip-filter command state option.
For example, to enable IPfilter 1:
digi.router> ip-filter 1 state on digi.router> save config
To disable IPfilter 1:
digi.router> ip-filter 1 state off digi.router> save config

Show IP filter rules

Web
To show IP filter rules:
1. On the menu, click Security > Firewall. The Firewall page appears, displaying all configured IP filter rules.
2. Select Input IP Filters to view input IP filters and select Routing IP Filters to view routing IP filters.
Command line
To show IPfilter rules, use the show ip-filter or ip-filter commands.
For example, to show a specific IPfilter:
digi.router> show ip-filter 1
IP Filter 1
----------­Description : Allow WAN SSH only from 10.20 network Action : Accept State : On
Source : any-wan Destination : none
Filter Criteria
--------------­Protocol : tcp udp Source IP Address : 10.20.0.0/16 Source IP Port : 0 Destination IP Address : Destination IP Port : 22
digi.router> ip-filter 1
action accept description Allow WAN SSH only from 10.20 network dst none dst-ip-address dst-ip-port 22 protocol tcp,udp src any-wan src-ip-address 10.20.0.0/16 src-ip-port 0 state on
To show all IPfilters:
digi. route r> sh ow ip-filter
# State A ction Source Destination Protocol Descr iptio n
----- ----- ----- -------------- ----- ----- -------------- ----- ----- -------------- ---­1 On Accept any-w an none tcp u dp A llow WAN SS H only from 10.20 n etwor k 2 On Drop any-lan none tcp udp Restr ict L AN fr om HTTP,HTTPS, SSH,S NMP 3 On Accept any-w an none tcp u dp A llow WAN SN MP only from 10.20 net work 4 On Reject any-l an any-wan tcp udp Re stric t LAN to WAN for various ema il se rvices 5 On Accept lan1 any-lan tcp Allow LAN1 SSH to Ot her L ANs 6 On Reject lan1 any-lan any Restrict LAN1 fro m Acc essing Other LANs
Digi TransPort WR Routers User Guide
83
Page 84
Security Firewall management with IP filters

IP filter examples

The following examples show typical ways to use IP filters to control network traffic:
n IP filter example: Allow additional traffic into the device
n IP filter example: Restrict access by rejecting traffic from a LAN to a WAN
n IP filter example: Restrict access to an open service
n IP filter example: Restrict access to a router service from LAN devices
n IP filter example: Restrict LAN-to-LAN for all but one service
IP filter example: Allow additional traffic into the device
The following example shows how to allow SNMP access from a particular subnet on the WAN. Note that by default WAN access does not allow SNMP access.
WARNING! The commands in the following example open up SNMP access to your device. SNMP can be used to configure your device. Before allowing SNMP access, make sure you first secure your SNMP configuration using the snmp, snmp-user and snmp-community commands.
The example demonstrates that IP filter rules can override the default behavior for the firewall. By default, WAN traffic into the TransPort router is dropped if no other configuration or rules explicitly allow traffic in. That is, the default policy for the input chain in the firewall is to DROP traffic.
n Adds an IP filter Accept rule (the default) to allow incoming traffic on any WAN network additional access.
n Restricts the accepted network traffic so that only traffic from hosts on the 10.20 network to SNMP (ports 161 and 162) is allowed.
n Allows access to multiple protocols (the default). It allows both TCP and UDP access for the SNMP service.
digi.router> ip-filter 3 description Allow WAN SNMP only from 10.20 network
digi.router> ip-filter 3 action accept
digi.router> ip-filter 3 src any-wan
digi.router> ip-filter 3 protocol tcp,udp
digi.router> ip-filter 3 src-ip-address 10.20.0.0/16
digi.router> ip-filter 3 dst-ip-port 161,162
digi.router> ip-filter 3 state on
digi.router> save config
IP filter example: Restrict access by rejecting traffic from a LAN to a WAN
The following example shows how to restrict LAN devices from accessing services on the WAN (possibly the internet).
WARNING! The commands in the following example could remove your access to the Internet. If you or your users are connected through the LAN to the WAN, using email, the example rule prevents access.
The example demonstrates blocking access from a LAN device to a WAN network. By default, LAN devices are allowed access via the WAN and traffic is forwarded through the router. The example blocks direct mail access to servers on the WAN from LAN devices. Examples like this might be used to prevent access to common services that use a lot of bandwidth or are security risks to the LAN:
n Adds an IP filter Reject rule to reject traffic forwarded from any LAN host to any WAN host. The reject rule immediately fails the connection.
n Restricts the rejected traffic to a set of commonly used mail ports.
n Rejects access using multiple protocols (the default). It rejects both TCP and UDP access.
digi.router> ip-filter 4 description Restrict LAN to WAN for various email services
digi.router> ip-filter 4 action reject
digi.router> ip-filter 4 src any-lan
digi.router> ip-filter 4 dst any-wan
digi.router> ip-filter 4 protocol tcp,udp
digi.router> ip-filter 4 dst-ip-port 25,2525,265,587,110,995,143,993
digi.router> ip-filter 4 state on
digi.router> save config
IP filter example: Restrict access to an open service
The following example shows how to turn on SSH access for a WAN and restrict SSH access to only a particular subnet of authorized hosts.
WARNING! The commands in the following example could prevent access to your device if connected from the WAN. To safely modify and test ip filter rules, use a scheduled reboot strategy.
The example demonstrates the following:
n Uses the reboot command to schedule a reboot of the device in case of accidental lockout. A scheduled reboot discards any changes that have not been saved and restores access.
n Adds an ip filter Accept rule (the default) to allow incoming traffic on any WAN network additional access.
n Restricts the accepted network traffic so that only traffic from hosts on the 10.20 network to SSH (port 22) is allowed.
n Turns off the allow-ssh-access option for the two currently configured WAN networks. The allow-ssh-access allows SSH access unrestricted by host or network.
# Schedule a reboot in 10 minutes in case we lock ourselves out of the device
reboot in 10
# Add the ip filter rule. Be sure to include src-ip-address of at least your current session (if connected with ssh)
ip-filter 1 description Allow WAN SSH only from 10.20 network
ip-filter 1 action accept
ip-filter 1 src any-wan
ip-filter 1 src-ip-address 10.20.0.0/16
ip-filter 1 dst-ip-port 22
ip-filter 1 state on
# Now turn off allow all ssh access on any WAN where it was turned on previously
wan 1 allow-ssh-access off
wan 2 allow-ssh-access off
# Test the configuration. If all is good, save the configuration and cancel the reboot before 10 minutes
save config
reboot cancel
IP filter example: Restrict access to a router service from LAN devices
The following example shows how to remove HTTP, HTTPS, SSH, SNMP access from a LAN. Note that by default, LAN traffic is allowed.
WARNING! The commands in the following example could prevent access to your device if connected from the LAN. To safely modify and test ip filter rules, use a scheduled reboot strategy.
The example demonstrates the following:
n IP filter rules have a higher precedence (priority) than many system firewall rules. By default for LANs, traffic is allowed into the TransPort router by built-in system firewall rules. This example changes the default allowed access, restricting LAN devices from access.
n Uses the reboot command to schedule a reboot of the device in case of accidental lockout. A scheduled reboot discards any changes that have not been saved and restores access.
n Adds an IP filter Drop rule to drop incoming traffic on any LAN network, thereby restricting additional access. A drop rule silently drops traffic, giving no indication to the connecting host.
n Restricts access to multiple protocols (the default) and multiple services (ports) to simplify creation of rules. It blocks both TCP and UDP access for all services even though only the SNMP service (ports 161 or 162) uses UDP.
# Schedule a reboot in 10 minutes in case we lock ourselves out of the device
reboot in 10
# Add the ip filter rule. If you are connected from the LAN using SSH this will remove your access.
ip-filter 2 description Restrict LAN from HTTP,HTTPS,SSH,SNMP
ip-filter 2 action drop
ip-filter 2 src any-lan
ip-filter 2 protocol tcp,udp
ip-filter 2 dst-ip-port 80,443,22,161,162
ip-filter 2 state on
# Test the configuration. If all is good, save the configuration and cancel the reboot before 10 minutes
save config
reboot cancel
IP filter example: Restrict LAN-to-LAN for all but one service
The following example shows how to restrict devices on LAN 1 (perhaps a public LAN) from communicating with devices on any other LAN (perhaps internal LANs) except for certain services. By default, LAN devices can communicate with other LANs.
On a Wi-Fi LAN, you can also configure client and access point isolation. These rules might typically be used when partial isolation is desirable.
WARNING! The commands in the following example could remove access to services for LAN devices. If you or your users are connected through the LAN, this example may prevent access.
The example demonstrates that multiple IP filter rules have an order precedence. Use multiple IP filter rules to build more complex access control than a single rule could provide:
n Creates two IP filter rules, one at index 5, the other at index 6.
n Rule 5 is an Accept rule that allows LAN 1 to access any LAN for the SSH service (port 22). It is executed before rule 6.
n Rule 6 is a Reject rule that restricts LAN 1 from accessing any protocol and any port on other LANs. It is executed after rule 5.
digi.router> ip-filter 5 description Allow LAN1 SSH to Other LANs
digi.router> ip-filter 5 action accept
digi.router> ip-filter 5 src lan1
digi.router> ip-filter 5 dst any-lan
digi.router> ip-filter 5 protocol tcp
digi.router> ip-filter 5 dst-ip-port 22
digi.router> ip-filter 5 state on
digi.router> ip-filter 6 description Restrict LAN1 from Accessing Other LANs
digi.router> ip-filter 6 action reject
digi.router> ip-filter 6 src lan1
digi.router> ip-filter 6 dst any-lan
digi.router> ip-filter 6 protocol any
digi.router> ip-filter 6 state on
digi.router> save config
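Added example, not part of the Digi manual or firmware: a small Python model of the rule behavior described in this section, loaded with the six rules from the show ip-filter listing, for checking a planned rule set offline. It assumes the first enabled, valid rule that matches decides the action and that unmatched traffic falls through to lower-priority rules; the class names, function names and sample packets are illustrative.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    index: int
    action: str                                   # accept | drop | reject
    src: str = "none"                             # none, any-lan, any-wan, lan1, wan2, ...
    dst: str = "none"
    protocol: Tuple[str, ...] = ("tcp", "udp")
    src_ip: Optional[str] = None                  # CIDR; None matches any source address
    dst_ports: Tuple[int, ...] = ()               # empty matches any destination port
    state: str = "on"

    def is_valid(self) -> bool:
        """Page rule: Source, Destination or both must be set, and they must differ."""
        return self.src != self.dst

    def direction(self) -> str:
        """src only = incoming, dst only = outgoing, both = forwarded."""
        if self.dst == "none":
            return "incoming"
        return "outgoing" if self.src == "none" else "forwarded"


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    dst_port: int
    in_if: Optional[str] = None     # None: sent by a service on the router
    out_if: Optional[str] = None    # None: destined for a service on the router


def _if_match(selector: str, iface: Optional[str]) -> bool:
    if selector == "none":
        return iface is None
    if iface is None:
        return False
    if selector in ("any-lan", "any-wan"):
        return iface.startswith(selector[4:])     # "lan" or "wan"
    return selector == iface


def matches(rule: Rule, pkt: Packet) -> bool:
    return (_if_match(rule.src, pkt.in_if)
            and _if_match(rule.dst, pkt.out_if)
            and ("any" in rule.protocol or pkt.proto in rule.protocol)
            and (rule.src_ip is None or ip_address(pkt.src_ip) in ip_network(rule.src_ip))
            and (not rule.dst_ports or pkt.dst_port in rule.dst_ports))


def evaluate(rules, pkt: Packet):
    """Return (action, rule index) of the first enabled, valid rule that matches.

    Assumption of this model: the first match decides. ("no-match", None) means
    the decision is left to lower-priority rules (port forwards, allow-ssh-access,
    LAN and WAN defaults), which this model does not cover.
    """
    for rule in sorted(rules, key=lambda r: r.index):
        if rule.state == "on" and rule.is_valid() and matches(rule, pkt):
            return rule.action, rule.index
    return "no-match", None


# The six rules from the "show ip-filter" listing on this page.
PAGE_RULES = [
    Rule(1, "accept", src="any-wan", src_ip="10.20.0.0/16", dst_ports=(22,)),
    Rule(2, "drop", src="any-lan", dst_ports=(80, 443, 22, 161, 162)),
    Rule(3, "accept", src="any-wan", src_ip="10.20.0.0/16", dst_ports=(161, 162)),
    Rule(4, "reject", src="any-lan", dst="any-wan",
         dst_ports=(25, 2525, 265, 587, 110, 995, 143, 993)),
    Rule(5, "accept", src="lan1", dst="any-lan", protocol=("tcp",), dst_ports=(22,)),
    Rule(6, "reject", src="lan1", dst="any-lan", protocol=("any",)),
]
```

Swapping the index numbers of rules 5 and 6 in this model makes the Reject rule match first, so SSH from LAN 1 to other LANs is rejected as well.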

Certificate and key management

This section covers concepts and tasks for managing certificates and private keys.
• Create a private key file
• Create a Diffie Hellman key file
• List private key files
• Create a certificate signing request (CSR)
• Upload a private key file
• Delete a private key file

Create a private key file

Command line
To create a private key file, use the pki command. For example:
digi.router> pki privkey testpriv.key 2048
You can optionally encrypt the file using either the aes128 or aes256 options. If you choose to encrypt the file, you must provide a password that must be at least four characters in length. For example:
digi.router> pki privkey testpriv.key 2048 aes128 hello

Create a Diffie Hellman key file

Command line
To create a Diffie Hellman key file, use the pki command. For example:
digi.router> pki dh-file openvpndh.pem 2048
Creating Diffie Hellman file openvpndh.pem, 2048 bits
Note Generating a Diffie Hellman file can take up to 40 minutes. Make sure the default for command line timeout allows enough time to generate the file or the command will terminate. See the system timeout parameter for details on changing the command line timeout default.

List private key files

Command line
To list private key files, use the pki command. For example:
digi.router> pki list
Private key files
-----------------------
testpriv.key
anotherpriv.key

Upload a private key file

Command line
To upload an externally-generated private key file from the upload folder to the list of private key files, use the pki command. For example:
digi.router> pki addkey mykeyfile.key

Delete a private key file

Command line
To delete a private key file, use the pki command. For example:
digi.router> pki list
Private key files
-----------------------
testpriv.key
anotherpriv.key
digi.router> del testpriv.key

Create a certificate signing request (CSR)

Command line
To create a certificate signing request (CSR), use the pki command. For example:
Note To show all pki csr command option settings within the page margin, the example shows the
settings on multiple lines. However, TransPort does not allow you to continue a command line—the example is for display only.
digi.router> pki csr country GB state "North Yorkshire" locality Richmond
    organization Digi organizational-unit "Digi Engineering"
    common-name www.example.com testpriv.key testpriv.csr sha256
Country Name (letter code): GB
State or Province Name: North Yorkshire
Locality Name: Richmond
Organization Name: Digi
Organization Unit Name: Digi Engineering
Common Name: www.example.com
Email address:
testpriv.csr has been created

Remote Authentication Dial-In User Service (RADIUS)

TransPort supports Remote Authentication Dial-In User Service (RADIUS), a networking protocol that provides centralized authentication and authorization management for users who connect to the device.
With RADIUS support, the TransPort acts as a RADIUS client, which sends user credentials and connection parameters to a RADIUS server over UDP. The RADIUS server then authenticates the RADIUS client requests and sends back a response message to the TransPort.
When you are using RADIUSauthentication, you can have both local users and RADIUSusers able to log in to the device.
Note All TransPort usernames—RADIUS usernames and local usernames—must be unique. If a
RADIUS user has the same username as a local user, the RADIUS user cannot log in.

Set up a RADIUS server

To use RADIUS authentication, you must set up a RADIUS server accessible by the TransPort prior to configuration. The process of setting up a RADIUS server varies by the server environment. An example of a RADIUS server is freeRADIUS and a quick-start guide for setting up a freeRADIUS server is here: http://wiki.freeradius.org/guide/Getting%20Started.

Set up a RADIUS backup server

TransPort also supports the use of a backup RADIUS server to which authentication requests are automatically sent when the primary RADIUS server is unavailable.
If both the primary and backup RADIUS servers are unavailable, the local-auth configuration can be used to fall back to local TransPort authentication. If the RADIUS servers are unavailable and the TransPort falls back to local authentication, only local device users are able to log in. In other words, after a fall-back event, RADIUS users cannot log in until the RADIUS servers are brought back up.

Use the local-auth parameter

The local-auth parameter configures how the TransPort behaves when all configured RADIUS servers are unavailable. In most situations, Digi recommends you enable local-auth. In this way, when the RADIUS servers are unavailable for any reason, local users can log in to the TransPort and configure other available servers.
If the RADIUS servers become unavailable and local-auth is disabled, no users can log in to the TransPort. Also, even if local-auth is disabled, no RADIUS user may have the same username as a user defined locally. If a RADIUS user has the same username as a local user, the RADIUS user cannot log in.
The table below shows how the primary RADIUS server, the backup RADIUS server, and local authorization work together.
Primary server available | Backup server available | Local authorization | Who can log in?
Yes | No | N/A | RADIUS and local users can log in.
No | Yes | N/A | RADIUS and local users can log in.
No | No | Enabled | Only local users can log in. RADIUS users cannot log in until the RADIUS servers are brought back up.
No | No | Disabled | No users can log in.

Configure a RADIUS server

This section describes how to configure a RADIUS server for authentication and authorization.
Required configuration items
• Enable the RADIUS server. It is disabled by default.
• Define the primary server IP address or domain name.
• Define the primary server port. It is configured to 1812 by default.
• Define the primary server shared secret.
• Determine whether local authentication is used if a RADIUS server is unavailable. It is enabled by default.
Additional configuration items
• The server NAS ID. If left blank, the default value of sshd is sent out.
• Time in seconds before the request to the server times out. The default is 3 seconds and the maximum possible value is 10 seconds.
• Enable debug logging. It is disabled by default.
• Add a backup server in case the primary RADIUS server is unavailable. Configuration items similar to the primary RADIUS server are also available for the backup RADIUS server.
Web
1. On the menu, click Security > RADIUS. The RADIUS page appears.
2. Under the Settings section, enable the RADIUS-based authentication feature and configure the basic settings:
   a. Click Enable to turn RADIUS-based authentication on.
   b. In the NASID field, enter a NAS ID for the TransPort. This attribute contains a string identifying the NAS originating the request to the RADIUS server. If the field is left blank, the default value of sshd is sent out.
   c. Click Local Auth Fallback to enable authentication of local TransPort users when the primary and backup RADIUS servers are unavailable.
   d. Click Debug to log RADIUS debug messages to the TransPort log. This is optional.
3. Under the Primary Server Settings section, configure the primary RADIUS server. See RADIUS page for detailed information.
4. If using a backup server, under the Backup Server Settings section, configure the backup RADIUS server. Configuring a backup server is optional. See RADIUS page for detailed information.
5. Click Apply to save the changes.
Command line
1. Set the RADIUS server IP address or FQDN:
digi.router> radius server 192.168.10.1
2. Set the RADIUS server port:
digi.router> radius server-port 1812
3. Set the RADIUS server secret:
digi.router> radius server-secret thisisasecret
4. (Optional) Set the RADIUS server nas-id:
digi.router> radius nas-id 123
5. (Optional) Establish whether using the local authentication fallback feature is desired:
digi.router> radius local-auth on
6. (Optional) Set the RADIUS server timeout:
digi.router> radius server-timeout 10
7. (Optional) Turn on debug logging:
digi.router> radius debug on
8. (Optional) Set a backup server IP address or domain name:
digi.router> radius backup-server radius.ny.domain
9. (Optional) Set a backup server port:
digi.router> radius backup-server-port 1813
10. (Optional) Set a backup server secret:
digi.router> radius backup-server-secret thisisthebackupsecret
11. (Optional) Set a backup server timeout:
digi.router> radius backup-server-timeout 10
12. Turn on the RADIUS server authentication:
digi.router> radius state on
13. Save the configuration:
digi.router> save config
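A pre-deployment check for the RADIUS settings covered in this section, as an added example that is not Digi's code: it parses `radius <param> <value>` command lines, applies the defaults and the 10-second timeout ceiling stated above, and reports missing required items and the lockout case from the availability table. The function names, severity labels and the second sample configuration are constructed for illustration.

```python
# Constructed sample inputs: the commands from the steps above, and a weak variant.
GUIDE_EXAMPLE = """\
digi.router> radius server 192.168.10.1
digi.router> radius server-port 1812
digi.router> radius server-secret thisisasecret
digi.router> radius nas-id 123
digi.router> radius local-auth on
digi.router> radius server-timeout 10
digi.router> radius debug on
digi.router> radius backup-server radius.ny.domain
digi.router> radius backup-server-port 1813
digi.router> radius backup-server-secret thisisthebackupsecret
digi.router> radius backup-server-timeout 10
digi.router> radius state on
"""
WEAK_EXAMPLE = """\
radius server 192.168.10.1
radius server-timeout 30
radius local-auth off
radius backup-server radius.ny.domain
radius state on
"""
# Defaults and the timeout ceiling as stated in this section of the guide.
DEFAULTS = {"state": "off", "server-port": "1812", "server-timeout": "3",
            "local-auth": "on", "debug": "off"}
MAX_TIMEOUT = 10
PROMPT = "digi.router>"

def parse_radius(text):
    """Apply 'radius <param> <value>' lines (prompt optional) over the defaults."""
    cfg = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(PROMPT):
            line = line[len(PROMPT):]
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] == "radius":
            cfg[parts[1]] = parts[2]
    return cfg

def who_can_log_in(cfg, primary_up, backup_up):
    """Evaluate the availability table for one outage scenario."""
    if cfg["state"] != "on":
        return "local"  # assumption: with RADIUS off, only local users apply
    if primary_up or (cfg.get("backup-server") and backup_up):
        return "radius+local"
    return "local" if cfg["local-auth"] == "on" else "none"

def lint(cfg):
    """Return a list of (severity, message) findings for a parsed config."""
    out = []
    if cfg["state"] != "on":
        out.append(("error", "radius state is not on (disabled by default)"))
    for key in ("server", "server-secret"):
        if not cfg.get(key):
            out.append(("error", f"required item 'radius {key}' is not set"))
    for key in ("server-timeout", "backup-server-timeout"):
        value = cfg.get(key)
        if value is not None and (not value.isdigit() or int(value) > MAX_TIMEOUT):
            out.append(("error", f"radius {key} {value} exceeds {MAX_TIMEOUT} seconds"))
    if cfg.get("backup-server") and not cfg.get("backup-server-secret"):
        out.append(("error", "backup-server is set without backup-server-secret"))
    if not cfg.get("backup-server"):
        out.append(("warn", "no backup-server: one outage removes RADIUS logins"))
    if who_can_log_in(cfg, False, False) == "none":
        out.append(("warn", "local-auth is off: no one can log in if all servers are down"))
    return out

if __name__ == "__main__":
    for name, text in (("guide", GUIDE_EXAMPLE), ("weak", WEAK_EXAMPLE)):
        print(name, lint(parse_radius(text)))
```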

Hotspot

Your TransPort device offers the ability to create a publicly available hotspot, which allows you to provide internet access to users while restricting their ability to access other functionality on the TransPort device, as well as applying bandwidth limits, authenticating users, and other features. The TransPort device's implementation of hotspot uses a "captive portal" page, a web page that is displayed to users when they first connect to the hotspot and requires users to perform some specific action before they are granted access to the internet, such as accepting terms of use, logging in with a shared password or a username/password combination, or using a payment service to purchase web access via your hotspot.
Authentication of hotspot users can be performed by the device itself, by an external RADIUS server, or by HotspotSystem (a cloud-based hotspot management and billing service). The device provides sample HTML pages to be used for authentication, and you can modify these pages, add your own pages, or host HTML login pages on a remote web server.
Note Sample HTML pages provided by your TransPort device are located in the hotspot directory on your device's filesystem. The hotspot directory is created when you enable hotspot for the first time, and cannot be accessed prior to that.
This chapter contains the following information:
• Hotspot authentication modes
• Selecting a LAN to be used by the hotspot
• Hotspot DHCP server
• Hotspot security
• Hotspot configuration
• Show hotspot status and statistics
• Show current hotspot configuration
• Customize the hotspot login page
• Hotspot RADIUS attributes

Hotspot authentication modes

During hotspot configuration, you select one of the following authentication modes for the hotspot:
• Click-through: Requires each user to accept the terms and conditions. The local HTML page that the TransPort device uses by default for click-through authentication is /hotspot/terms.html.
  See Configure the hotspot with click-through authentication for information about configuring hotspot for click-through authentication.
• Local shared password: Requires each user to enter a password. This password is validated locally on the TransPort device, and the password is the same for all users. The local HTML page that the device uses by default for local shared password authentication is /hotspot/password.html.
  See Configure the hotspot with a local shared password for information about configuring hotspot for local shared password authentication.
• RADIUS shared password: Requires each user to enter a password. This password is validated by an external RADIUS server, and the password is the same for all users. The RADIUS server should be "white listed" by including it in the Allowed Domains or Allowed Subnets for the hotspot, which allows unauthenticated hotspot clients to access the server for authentication. The local HTML page that the device uses by default for RADIUS shared password authentication is /hotspot/password.html.
  See Configure the hotspot with a RADIUS shared password for information about configuring hotspot for RADIUS shared password authentication.
• RADIUS users: Requires each user to enter username and password credentials that are established on an external RADIUS server. The credentials are validated by the RADIUS server. The RADIUS server should be "white listed" by including it in the Allowed Domains or Allowed Subnets for the hotspot, which allows unauthenticated hotspot clients to access the server for authentication. The local HTML page that the device uses by default for RADIUS users authentication is /hotspot/login.html.
  See Configure the hotspot with RADIUS users authentication for information about configuring hotspot for RADIUS users authentication.
• HotspotSystem: Requires each user to be authenticated by HotspotSystem, a cloud hotspot service that supports various free and paid authentication methods, including social media account, SMS, voucher, and PayPal. Domains needed for HotspotSystem authentication, payment options, and social media login should be "white listed" by including them in the Allowed Domains or Allowed Subnets for the hotspot, which allows unauthenticated hotspot clients to access them for authentication. When HotspotSystem is selected for the authentication mode, the browser is redirected to the HotspotSystem web page.
  See Configure the hotspot to use HotspotSystem for information about configuring hotspot for HotspotSystem authentication.
Prior to authentication, a hotspot client that attempts to make an HTTP request to any domain other than those included in white-listed sites in Allowed Domains and Allowed Subnets will be redirected to the login webpage. HTTPS requests will time out, because the hotspot cannot provide a valid SSL certificate for the requested domain. Requests made via any other protocol will also time out. Most operating systems will detect this scenario and automatically notify users to open the login page in a web browser.

Selecting a LAN to be used by the hotspot

By default, the hotspot is configured to use LAN2. You can select any LAN on your TransPort device to serve as the hotspot LAN; however, once you configure a LAN for use as the hotspot LAN, you can no longer access the device's web interface or SSH server via that LAN. Therefore, you must make sure that you do not enable hotspot on a LAN that you are otherwise using to access the device for other purposes, such as configuring and monitoring the device, or providing clients with non-hotspot access to your network.
If you lose access to the router by configuring hotspot to use an incorrect LAN, try the following methods to recover access:
• If you have configured multiple LANs, use one of the other LANs to connect to the device.
• If you have enabled HTTPS or SSH access on the WAN interface, use the WAN to connect to the device.
• If you were using the command line and the configuration has not been saved, reboot the router and the hotspot will not be enabled when the unit boots up again.
• If you have access to Remote Manager, you can disable the Hotspot feature.
If the above methods fail, you may need to reset the router back to factory defaults.

Hotspot DHCP server

When the hotspot is enabled on the TransPort device, it automatically enables a DHCP server. During hotspot configuration, you assign an IPv4 IP address to the hotspot, and the DHCP server then uses the subnet of the hotspot's IP address, along with the hotspot's subnet mask, to assign IPv4 addresses to clients that connect to the hotspot.
To prevent the hotspot's DHCP server from assigning IP addresses that are already in use elsewhere in your local network, the hotspot must use a subnet that is not currently being used in your local network.

Hotspot security

A typical hotspot is an open network. This means that traffic transferred between the hotspot and the hotspot clients is not encrypted and can be intercepted by a packet sniffer or similar technology. However, the sample HTML login pages provided with your TransPort device use CHAP-MD5 authentication, providing a level of security during the authentication process. Additionally, websites that use the HTTPS protocol provide end-to-end encryption between the browser and the web server.
Hotspot clients are typically untrusted and only given access to the WAN interface on the device. The default firewall rules prevent hotspot clients from accessing any of the other interfaces on the router (such as the LAN and VPN interfaces). Additionally, the default firewall rules prevent hotspot clients from accessing the router itself (for example, via the web interface or SSH).

Hotspot configuration

This section provides hotspot configuration procedures based on the type of authentication mode you select for your hotspot. See Hotspot authentication modes for information about available authentication modes.
• Enable the hotspot using the default configuration
• Configure the hotspot with click-through authentication
• Configure the hotspot with a local shared password
• Configure the hotspot with a RADIUS shared password
• Configure the hotspot with RADIUS users authentication
• Configure the hotspot to use HotspotSystem

Enable the hotspot using the default configuration

The TransPort device's hotspot is configured by default for click-through authentication using LAN2 as the hotspot's LAN, with the hotspot's IP address set to 10.1.0.1 with a subnet mask of 255.255.255.0. You can use the default click-through authentication by simply enabling the hotspot, adding interfaces to the LAN, and configuring the hotspot's Wi-Fi interface.
Once you have selected a LAN for a hotspot, you have limited configuration capabilities for that LAN. Most of its configuration (for example, its IP address and DHCP server) is set automatically by the hotspot, and the LAN is dedicated to use only by the hotspot. For this reason, you should select a LAN for the hotspot that has not already been configured for use outside of hotspot functionality. If LAN2 is already being used by your TransPort device, you should configure the hotspot to use a different LAN by using one of the other hotspot configuration procedures in subsequent sections.
WARNING! Once you configure a LAN for use as the hotspot LAN, you can no longer access the device's web interface or SSH server via that LAN. Do not enable hotspot for the LAN that you are using to access the device for other purposes. See Selecting a LAN to be used by the hotspot for more information.
After enabling the default hotspot configuration, you will want to modify the sample local HTML page that the TransPort device uses by default for click-through authentication. See Edit sample hotspot html pages for instructions about how to modify the sample local HTML page.
Enable the hotspot
Hotspot using the default configuration can be enabled by using the Web UI or the command line:
• Web UI instructions
• Command line instructions
Web
1. Enable the hotspot with the default configuration:
   a. On the menu, click Network > Services > Hotspot.
   b. Click Enable to enable the hotspot.
   c. Click Apply.
2. Configure the hotspot LAN:
   a. On the menu, click Network > Networks > LANs.
      • If LAN2 already exists, select LAN2.
      • If LAN2 does not exist:
         i. Click New Network.
         ii. For Select Network, select LAN2.
      Most settings for the LAN's configuration are performed automatically when the hotspot is created and cannot be changed here. You can view the configuration settings in read-only mode. Only the interfaces and optional description field can be changed.
   b. For Interfaces, select the appropriate Ethernet and/or Wi-Fi interfaces for the hotspot.
   c. Click Apply.
3. Configure the hotspot's Wi-Fi interface:
   Note If an Ethernet interface was added to the LAN, no configuration of the Ethernet interface is required.
   a. On the menu, click Network > Interfaces > Wi-Fi.
      • If the access point selected as the Wi-Fi interface for the hotspot's LAN already exists, select that access point.
      • If the access point selected as the Wi-Fi interface for the hotspot's LAN does not exist:
         i. Click New Access Point.
         ii. For Select Access Point, select the access point of the Wi-Fi interface that was selected for the LAN.
   b. For SSID, type the SSID that will be used for this hotspot.
   c. For Security, select None.
   d. Enable Broadcast SSID.
   e. Click Apply.
Command line
Note To view the default configuration prior to enabling the hotspot, type the hotspot command at
the command line with no parameters:
digi.router> hotspot
hotspot 1:
allowed-domains
allowed-subnets
auth-mode              click-through
auth-port              3990
bandwidth-max-down     10000
bandwidth-max-up       10000
dhcp-lease             600
ip-address             10.1.0.1
lan                    lan2
local-page
local-shared-password
login                  local-page
mask                   255.255.255.0
radius-nas-id          hotspot
radius-secret
radius-server-port     1812
radius-server1
radius-server2
remote-url
server-port            4990
state                  on
swapoctets             off
uamsecret
use-uamsecret          off
digi.router>
1. Enable the hotspot:
digi.router> hotspot state on
2. Enable and add interfaces to the hotspot's default LAN (LAN2):
a. Enable the LAN:
digi.router> lan 2 state on
b. Add interfaces to the LAN:
digi.router> lan 2 interfaces wifi-ap2