Metacom MC601 User Manual

Metacom MC601 Router
User Manual
6 Ndabeni Business Park; Inyoni Avenue; Ndabeni; 7405; South Africa
PO Box 1582; Cape Town; 8000; South Africa
Telephone: +27 (0) 21 531 9900
Facsimile: +27 (0) 21 531 9901
info@metacom.co.za www.metacom.co.za
Contents
Revision History
Ordering Information
License Agreement
1. Overview
2. Setup
3. Configuration
  3.1 Getting an IP
  3.2 Connecting
  3.3 System Administration panel
    3.3.1 Administration user
    3.3.2 Host parameters
    3.3.3 Reboot system
  3.4 Network configuration panel
    3.4.1 Network settings
    3.4.2 DHCP server settings
    3.4.3 GPRS APN settings
    3.4.4 SNMP configuration
    3.4.5 VPN settings
    3.4.6 Management
  3.5 Firewall panel
    3.5.1 Firewall status
    3.5.2 Firewall log
    3.5.3 Firewall access
    3.5.4 Firewall rules
    3.5.5 Firewall NAT
    3.5.6 Firewall source NAT
  3.6 System status panel
    3.6.1 Network status
    3.6.2 GPRS status
    3.6.3 Routing table
    3.6.4 Test connection (ping)
    3.6.5 Active connections
    3.6.6 System load
    3.6.7 ARP table
4. Technical Specifications
  General features
  GPRS/EDGE specification
  LED indicators
  Hardware watchdog
5. Fault Finding
6. Abbreviations
Cellular Continuum Series
Copyright © Metacom (Pty) Ltd
Revision History
Date | Description | Firmware | Version
30 Jan 2008 | Initial Release | l2tp-20071207-2203 | 1.0
19 Feb 2008 | Updated reboot, network and firewall status tab | l2tp-20080218-2205 | 1.1
28 Feb 2008 | DHCP updated | l2tp-20080218-2206 | 1.2
12 Feb 2009 | Firewall updated | l2tp-20080218-2216 | 1.3
Document Name: MC601_usermanual.doc
Ordering Information
Part Number: MC601 Router
Description: Metacom MC601 Router
License Agreement
Metacom (Pty) Ltd End-user Product License Agreement
CAUTION: USING THIS PRODUCT INDICATES YOUR UNDERSTANDING AND ACCEPTANCE OF THE FOLLOWING TERMS AND CONDITIONS. PLEASE CAREFULLY READ THESE TERMS AND CONDITIONS BEFORE USING THE PRODUCT. IF YOU DO NOT AGREE WITH THEM, PROMPTLY RETURN THE UNUSED PRODUCT TO METACOM (PTY) LTD OR THE DISTRIBUTOR OR RESELLER FROM WHICH IT WAS ACQUIRED.
Subject to the following terms and conditions, Metacom (Pty) Ltd grants to you (“User”) a non-exclusive license to use the software and/or hardware described in the related Documentation. The term “Product” means all the computer software and/or hardware licensed to User as a single integrated product and the term “Documentation” refers to all the manuals licensed to the User.
1. Scope of License
1.1. This license allows the User to install and use the Product solely on a single computer (i.e. with a single central processing unit). Except as otherwise specified in the Documentation, User may not grant sublicenses, leases, or other rights in the Product, nor may User transfer, sell, assign, or otherwise convey the Product to another party without Metacom’s prior written consent. User may not split the Product into its component parts and transfer, sell, assign, distribute or re-license or otherwise convey those components as individual products to another party. Transfer of the Product to another computer may be made on a permanent basis provided no active copies are retained on the original computer. This Agreement automatically terminates if User transfers possession of any copy of the Product or Product Update to another party.
1.2. A Product Update replaces part or all of a Product Update previously licensed. Use of a
Product Update terminates the license to use the Product or that part of the Product Update replaces and User shall destroy or return to PSC all copies of any prior Product or Product Update. User may obtain rights to acquire Product Updates and other technical services under Metacom’s then current fees and terms.
2. Proprietary Rights. The Product and Documentation are proprietary products of Metacom and are protected by copyright law. By virtue of this Agreement, User acquires only the non-exclusive right to use the Product and does not acquire any rights of ownership in the Product or the media upon which it is embodied. Metacom shall at all times retain all rights, title, and interest in the Product and the media.
3. Non-Disclosure; Copies; Alterations. User agrees not to cause or permit the reverse
engineering, disassembly, copying, or decompilation of the Product, except to reproduce machine-readable object code portions for backup purposes and installation of new releases, under penalty of license termination but not exclusive of any other remedies. User may copy the Product for installation, backup or other purpose as described in the Documentation. User may not copy nor allow others to copy the Product or Product Update for any other purposes. User agrees not to remove any product identification, copyright notice, or other notices or proprietary restrictions from the Product. User may not copy nor allow others to copy any part of the manuals or other printed material provided with the Product or Product Update by any means, including data transmission or translation.
4. Limited Warranty. Metacom warrants that the materials of both the Product media and
Documentation are not defective and that the software is properly recorded on the media. If either the media or the Documentation is physically defective, Metacom will replace it free of charge during the 60-day warranty period. User’s remedy is limited to return of the media and/or Documentation to the supplier or to Metacom for replacement. This Limited Warranty is in effect for claims made within 60 days from User’s purchase of the Product. Metacom warrants that it has the right to license the Product(s). Metacom will defend User against any claim based on an allegation that a Product infringes a South African patent or copyright, but only if Metacom is notified promptly in writing of such claim and is given sole control of the defense thereof and all related settlement negotiations relating thereto. Notwithstanding the foregoing, Metacom shall not be liable to User for any claim arising from or based upon the alteration or modification of any of the Product(s).
5. The Product has been tested and the Documentation has been reviewed. However, except as specifically stated above, METACOM MAKES NO WARRANTY OR PRESENTATION, EITHER EXPRESSED OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY OR FITNESS FOR PARTICULAR PURPOSE, WITH RESPECT TO THIS PRODUCT AND DOCUMENTATION. For example, Metacom does not warrant that there are no discrepancies between the Product and the Documentation, nor that errors cannot arise during the use of the Product.
6. THIS WARRANTY GIVES THE USER SPECIFIC LEGAL RIGHTS, AND MAY ALSO IMPLY OTHER
RIGHTS WHICH VARY FROM TIME TO TIME, SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES, AND DO NOT ALLOW A LIMITATION ON HOW LONG ANY IMPLIED WARRANTY LASTS, SO THE ABOVE LIMITATIONS MAY NOT APPLY. No Metacom (Pty) Ltd employee, supplier, or agent is authorised to make any modifications or addition to this warranty.
7. Limitation of liability. TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE LIABILITY OF METACOM, IF ANY, FOR DAMAGES RELATING TO ANY PRODUCTS SHALL BE LIMITED TO THE ACTUAL AMOUNTS PAID BY USER FOR SUCH PRODUCT AND SHALL IN NO EVENT INCLUDE INCIDENTAL OR CONSEQUENTIAL DAMAGES OF ANY KIND.
8. Miscellaneous. This Agreement is governed by the laws of South Africa. If any provision of
this Agreement is declared invalid, illegal or unenforceable, the remaining provisions of this Agreement shall remain in effect.
1. Overview
The MC601 Router is a fully functional Linux (kernel 2.6) based router that connects a local area network (LAN) to a wide area network (WAN) and handles the task of routing messages between the two networks. The WAN in this case is the GPRS/EDGE connection to an APN.
In addition the router has a firewall that secures the router and the LAN, shielding it from access by unauthorized users. The router can also be configured on a virtual private network (VPN). This will give the users a secure tunnel over which data can be transmitted.
The router can be configured and interrogated remotely via a web front-end.
The MC601 has been designed so that it can use 2 SIM cards thereby ensuring redundancy against a GSM network failure.
Because the device has more than ample flash and memory, it can also be used for specialized applications that need custom processing done on the router. These can also use the resident hardware watchdog to provide the necessary robustness and stability.
2. Setup
If you are inserting new SIM cards, these must have a PIN of 00000. Once the router starts up, the PIN is changed to a unique PIN for the SIM to eliminate fraudulent use of the SIM.
Connect the antenna. Connect the power supply and switch the device on. The power and SIM 1 LEDs should be on. After about a minute you should see the network LED giving slow flashes and then, after about 10 seconds, giving a double flash every 3 seconds with the status LED on. If there is no GPRS connectivity for that network, the device will try the second SIM, repeating the above process. If the network LED gives very slow flashes, a PUK is normally required for the SIM.
If the router has been set up to be on the VPN, the status LED will give a short flash every 20 seconds.
Once the above has occurred the router is fully functional.
3. Configuration
Configuring the router is done either over the WAN or the LAN via the web front-end on the device.
3.1 Getting an IP
To access the router over the WAN you will need to be on the same GPRS network via an APN. The Metacom SIM cards used on the routers are configured to each have 2 static IPs, 1 virtual IP and a DNS name. Normally you would use the virtual IP to connect to the device (i.e. 10.3.x.y) which will be provided to you by Metacom and will uniquely identify one router with 2 SIMs.
Accessing the administration web page of the router via the LAN is as easy as connecting an Ethernet cable to LAN1. The cable may be a straight pin to pin or a cross over cable. If DHCP is enabled on the router your PC should get a new IP, network mask, DNS server and gateway. If you have problems getting this information then please disable and enable your local area connection on your PC. The LAN1 details will be supplied by Metacom if the DHCP server has not been activated on the router. The IP address of the LAN1 interface is the gateway address (normally 192.168.1.1).
3.2 Connecting
Once the IP address of the router has been established the administration interface can be accessed by entering the following URL into a browser:
http://<IP>
This will bring up the following login dialog:
The default username and password are both “admin”. Please use the correct case. Both can be changed in the Administration user panel (section 3.3.1).
Please try connecting to the device again if invalid login details have been supplied. If no login screen appears then try pinging the router’s IP and checking that you are either on the GPRS network or on the same local LAN as the router.
Every web page has the following header:
System Name
DNS name of the device that includes the serial number e.g. MC60100742.gprs.datalinx.co.za
System Time
The current time on the device that is updated via the time server. E.g. Wed, 30 Jan 2008 11:28:31 +0200
System Uptime
The number of days and hours that the device has been up without being rebooted. e.g. 21:39
WAN Status
The status of the GPRS/EDGE interface. e.g. Up or Down
VPN Status
The status of the virtual private network. e.g. Down
Software Version
The current software version on the router. e.g. l2tp-20071207-2203
3.3 System Administration panel
This panel contains the general settings for the device. After login the following page is displayed:
3.3.1 Administration user
Admin User Name
Admin User Password
These specify the login parameters when accessing this administration front-end.
Save
Stores the settings on the device.
Reset
Reverts the settings back to their original values.
3.3.2 Host parameters
Host name
Unique name of the device, usually the serial number (displayed on the back). E.g. MC60100742
Domain
Domain name of the device. E.g. gprs.datalinx.co.za
Time Server
IP address of the NTP server on the network. The NTP server is accessed every hour to update the time on the router. E.g. 196.25.1.1
Time Zone
The timezone takes the format GMT[+|-]<num>. South Africa has GMT-2.
Save
Stores the settings on the device.
Reset
Reverts the settings back to their original values.
3.3.3 Reboot system
Reboot
Reboots the router. You will then need to connect to the device again. It is advisable to reboot the router after major changes, e.g. changing the LAN IPs.
3.4 Network configuration panel
This panel contains all the network related WAN and LAN settings.
3.4.1 Network settings
LAN IP Address eth0
The IP address of the LAN1 ethernet port on the back of the router. E.g. 192.168.5.2
LAN Network Mask eth0
The network mask of the LAN1 ethernet port. E.g. 255.255.255.0
LAN IP Address eth1
The IP address of the LAN2 ethernet port on the back of the router. E.g. 192.168.0.2
LAN Network Mask eth1
The network mask of the LAN2 ethernet port. E.g. 255.255.255.0
Enable eth1
The LAN2 port will only be enabled if this checkbox is selected.
Primary DNS Server
Primary DNS server on the WAN. E.g. 209.212.96.1
Secondary DNS Server
Backup DNS server on the WAN. E.g. 209.212.97.1
Restart the service
If checked the network will be re-initialised with the above settings and the routing table updated. The DNS IPs will be inserted into the /etc/resolv.conf file. Please make sure you restart the firewall if any of these settings have been changed.
Save
This will write the settings to the flash and restart the service if it has been selected. E.g. sample output when changing the LAN IP address:
updating lan_ipaddress to 192.168.5.3 [OK]
Applying Changes....
Processing variables [OK]
Committed Changes [OK]
Restarting Network
Stopping networking on device: eth0
Setting up networking on device: lo
Setting up networking on device: eth0
Setting up networking on device: eth1
Setting up nameservers in /etc/resolv.conf
Reset
Reverts the settings back to their original values.
Note:
- If the LAN1 settings change the DHCP settings and firewall forwarding rules might have to be changed as well.
- LAN1 and LAN2 must be 2 totally separated networks.
- Please try not to use the following IP address ranges as they could clash with the WAN/VPN IP addresses: 10.3.0.0/16, 10.128.0.0/16, 10.129.0.0/16, 10.254.0.0/16, 10.0.0.0/16, 10.253.0.0/16, 10.252.0.0/16, 172.16.0.0/16, 192.168.2.0/24
- Version l2tp-20071207-2203: Please restart the router if DHCP is used and the LAN1 network changes. This is due to the fact that the DHCP service is not restarted. It has been fixed in l2tp-20080218-2205.
3.4.2 DHCP server settings
Dynamic Host Configuration Protocol (DHCP) provides a mechanism for allocating IP addresses dynamically so that addresses can be reused. DHCP can only be activated on LAN1 and a maximum of 255 addresses are supplied (only the last octet is changed).
DHCP active
DHCP will only be started if this checkbox is selected. Available only from version l2tp-20080218-2206.
DHCP Lease Period
Specifies the number of seconds until the IP address lease expires. When this occurs, the client can ask the server to renew the lease. If the DHCP server doesn't hear from the client beyond the expiry of the lease period, it will put that address back in the pool ready to be re-used.
Start Address
The last octet in the LAN1 IP address that is used as the first IP in the DHCP address pool.
Number of hosts
Number of IPs in the pool starting at LAN1 with the last octet being the start address above. Entering a 0 here will de-activate DHCP. Remember: Every network has 2 reserved addresses: broadcast (all bits are set) and the network (host number is set to 0).
Restart the service
Restarts the DHCP service.
Save
Stores the settings on the device and restarts the DHCP service if selected.
Reset
Reverts the settings back to their original values.
Note:
In pre l2tp-20080218-2206 versions the DHCP server could not be deactivated.
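The address rules from sections 3.4.1 and 3.4.2 can be checked before the values are typed into the web pages. The following is an added example, not part of the Metacom manual or firmware; the function names are hypothetical, and the check that the pool excludes the router's own LAN1 address is an added assumption.

```python
import ipaddress

# Ranges the manual lists as possibly clashing with the WAN/VPN addresses.
WAN_VPN_RANGES = [ipaddress.ip_network(n) for n in (
    "10.3.0.0/16", "10.128.0.0/16", "10.129.0.0/16", "10.254.0.0/16",
    "10.0.0.0/16", "10.253.0.0/16", "10.252.0.0/16", "172.16.0.0/16",
    "192.168.2.0/24",
)]


def check_lan_plan(lan1, lan2=None):
    """Check (ip, netmask) pairs as entered on the Network settings page.

    Returns a list of problem strings; an empty list means no clash found.
    """
    problems, nets = [], {}
    for name, cfg in (("LAN1", lan1), ("LAN2", lan2)):
        if cfg is None:  # LAN2 is optional ("Enable eth1" not selected)
            continue
        iface = ipaddress.ip_interface(f"{cfg[0]}/{cfg[1]}")
        nets[name] = iface.network
        for rng in WAN_VPN_RANGES:
            if iface.network.overlaps(rng):
                problems.append(
                    f"{name} {iface.network} overlaps WAN/VPN range {rng}")
    if len(nets) == 2 and nets["LAN1"].overlaps(nets["LAN2"]):
        problems.append(
            f"LAN1 {nets['LAN1']} and LAN2 {nets['LAN2']} are not separate")
    return problems


def check_dhcp_pool(lan1, start_octet, num_hosts):
    """Check a pool given as start octet + number of hosts on LAN1."""
    if num_hosts == 0:  # 0 hosts de-activates DHCP
        return []
    iface = ipaddress.ip_interface(f"{lan1[0]}/{lan1[1]}")
    net = iface.network
    last_octet = start_octet + num_hosts - 1
    if not 0 <= start_octet <= 255 or num_hosts < 0 or last_octet > 255:
        return [f"pool octets {start_octet}..{last_octet} exceed one octet"]
    problems = []
    base = int(iface.ip) & 0xFFFFFF00  # only the last octet varies
    for octet in range(start_octet, last_octet + 1):
        addr = ipaddress.ip_address(base + octet)
        if addr not in net:
            problems.append(f"{addr} is outside LAN1 network {net}")
        elif addr == net.network_address:
            problems.append(f"{addr} is the reserved network address")
        elif addr == net.broadcast_address:
            problems.append(f"{addr} is the reserved broadcast address")
        elif addr == iface.ip:
            # Added assumption: the router's own address must not be leased.
            problems.append(f"{addr} is the router's own LAN1 address")
    return problems


if __name__ == "__main__":
    lan1 = ("192.168.2.1", "255.255.255.0")  # constructed, clashes on purpose
    for line in check_lan_plan(lan1) + check_dhcp_pool(lan1, 200, 56):
        print(line)
```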
3.4.3 GPRS APN settings
This panel specifies the APN login details for the individual SIM cards. If these are incorrect the device will never be able to attach onto the GPRS network.
Primary APN
The APN name for SIM1. This parameter has to be correct for the device to connect on this SIM. The username and password are ignored on the Metacom APNs.
Primary APN username
APN username for SIM1 which is ignored on the Metacom APN.
Primary APN password
APN password for SIM1 which is ignored on the Metacom APN.
Secondary APN
The APN name for SIM2. This parameter has to be correct for the device to connect on this SIM. The username and password are ignored on the Metacom APNs.
Secondary APN username
APN username for SIM2 which is ignored on the Metacom APN.
Secondary APN password
APN password for SIM2 which is ignored on the Metacom APN.
Preferred SIM
This is the SIM card that is used when the router is switched on. Only if it cannot connect on this SIM does it switch to the other.
Restart the service
This will restart the GPRS service.
Save
Stores the settings on the device and restarts the GPRS service if selected.
Reset
Reverts the settings back to their original values.
Note:
- If you are attached remotely to the device then you must make sure that one of the SIM cards can always get onto the APN, otherwise you will not be able to access the router remotely anymore.
- It is advisable to reboot the device if you currently are on a VPN.
- The firewall will automatically be restarted if you are restarting the service as the WAN IP might have changed.
3.4.4 SNMP configuration
A protocol used by network hosts to exchange information used in the management of networks.
This Location
Location description of the device.
Read-Only Community String
Name of the node in the Management Information base (MIB) that can be accessed and contains the properties of this device. E.g. public
System Contact
Administrator email address.
Restart the service
Restarts the SNMP service.
Save
Stores the settings on the device and restarts the SNMP service if selected.
Reset
Reverts the settings back to their original values.
Note: This section will be expanded on in future versions of this document.
3.4.5 VPN settings
A virtual private network (VPN) establishes a private or secure network connection within a public network, which in this case is the GPRS network. Only devices on the same VPN can communicate with this router. A username and password combination is used to authenticate the router. The device must be configured on a VPN server to which it connects. The VPN tunnel is implemented using the Layer 2 Tunneling Protocol (L2TP). Future versions will provide IPsec functionality as well.
VPN Active
Enable or disable the VPN. At least one VPN server must have been configured.
Primary VPN Server
This router normally connects to this VPN server.
Primary VPN User Name
Username to connect to the primary VPN server.
Primary VPN User Password
Password to connect to the primary VPN server.
Backup VPN Server
Only if the primary server fails or is unreachable does the router connect to this VPN server.
Backup VPN User Name
Username to connect to the backup VPN server.
Backup VPN User Password
Password to connect to the backup VPN server.
Restart the service
Restarts the VPN service.
Save
Stores the settings on the device and restarts the VPN service if selected.
Reset
Reverts the settings back to their original values.
3.4.6 Management
This panel specifies the management networks, update and heartbeat server that need to access this router over the GPRS interface. All of these addresses will get an appropriate entry in the routing table as well as an access rule in the firewall. These rules have precedence over any user defined rules.
Manageing IP Address
Primary network IP address from which this device can be managed.
Manageing Network Mask
Primary network mask used with the previous network address.
Manageing IP Address (backup)
Backup network IP address from which this device can be managed.
Manageing Network Mask (backup)
Backup network mask used with the previous network address.
Update server IP Address
IP of the server from which software updates are downloaded.
Heartbeat server IP Address
Every hour this device sends the serial number and version to a server having this IP.
Update the routing table
This will update the routing table.
Save
Stores the settings on the device and updates the routing table if selected. Please restart the firewall so that the new rules can take effect. E.g. sample output when changing the primary network and updating the routing table:
updating man_ip to 192.168.2.0 [OK]
updating man_netmask to 255.255.255.0 [OK]
Applying Changes....
Processing variables [OK]
Committed Changes [OK]
Adding routes
add route to management network
add route to backup management network
add route to update server
add route to heartbeat server
Reset
Reverts the settings back to their original values.
Note:
- If you want Metacom to be able to access the device you need to leave the 209.212.98.162/29 as the backup management network.
- The update server address should also be left untouched if you wish to receive software updates for the router.
- When updating the routing table only new IPs are added and not removed.
3.5 Firewall panel
This panel contains all the firewall related settings. The firewall is based on Linux’s netfilter and iptables, which allow the user to create rules for the packet filtering (both inbound and outbound) and NAT modules. The firewall is stateful, which allows connection tracking. In the current version both LAN ports are deemed to be trusted, meaning that any traffic originating from them may pass to and through the router. This might change in future versions.
3.5.1 Firewall status
Firewall status
Current state of the firewall: Disabled or Enabled
Firewall Active
Setting this will enable the firewall the next time the service is restarted.
Default masquerading rule
Only available from version l2tp-20080218-2205. If selected a default masquerading rule on ppp0 is executed when the firewall is inactive. On the Metacom APN this lets any attached PCs on the Ethernet ports have access to the internet.
Restart the service
Disables or enables the firewall.
Note:
- If the firewall is disabled, there will still be a default firewall in place. This will be the following:
  o Only the IPs on the Management panel may connect to the router.
  o A masquerading rule might be added that allows a PC on the LAN port to access the internet.
  o Any already established connections are allowed over the WAN interface.
3.5.2 Firewall log
This page allows the user to interrogate the log file on the device.
Lines
Maximum number of lines to display from the log file.
Start of message
Message prefix that was entered in the firewall rules or firewall access rules.
Refresh
Search the log files for matching messages and display them in the textbox.
Note:
- The log file is kept in memory and saved to the flash once a day. Only a history of 3 days is kept by the device. In the current version only the memory resident log file can be interrogated.
- Log messages for packets arriving from the WAN are the only ones to be stored and listed. Traffic between the LAN ports is not logged.
E.g. sample log data
Jan 31 06:17:31 MC60100576 user.debug kernel: fw_Dropped (IN): IN=ppp0 OUT= MAC= SRC=65.55.192.61 DST=10.252.10.207 LEN=52 TOS=0x00 PREC=0x60 TTL=111 ID=33975 DF PROTO=TCP SPT=443 DPT=1100 WINDOW=65535 RES=0x00 ACK URGP=0
The fw_Dropped message indicates that this packet was dropped by the router.
The (IN) means it came from the WAN or ppp0 interface (incoming).
SRC is the source IP address of this packet.
DST is the destination IP address (in this case the static IP of the WAN interface).
PROTO specifies that it was a TCP/IP packet.
SPT is the source port.
DPT is the destination port.
The rest of the details are TCP/IP specific properties.
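The fields described above can be pulled out of the log with a short parser. The following Python is an added example, not part of the Metacom manual or firmware: the first sample line is the one shown above, the remaining lines are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# First line is the manual's sample; the other lines are constructed for the example.
SAMPLE_LOG = """\
Jan 31 06:17:31 MC60100576 user.debug kernel: fw_Dropped (IN): IN=ppp0 OUT= MAC= SRC=65.55.192.61 DST=10.252.10.207 LEN=52 TOS=0x00 PREC=0x60 TTL=111 ID=33975 DF PROTO=TCP SPT=443 DPT=1100 WINDOW=65535 RES=0x00 ACK URGP=0
Jan 31 06:18:02 MC60100576 user.debug kernel: fw_Dropped (IN): IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=10.252.10.207 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4411 DF PROTO=TCP SPT=51514 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 31 06:18:03 MC60100576 user.debug kernel: fw_Dropped (IN): IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=10.252.10.207 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4412 DF PROTO=TCP SPT=51515 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 31 06:19:40 MC60100576 user.debug kernel: fw_Dropped (IN): IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=10.252.10.207 LEN=78 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=UDP SPT=40000 DPT=137 LEN=58
Jan 31 06:20:00 MC60100576 daemon.info pppd[212]: some unrelated message
"""

# Syslog header, then the rule's message prefix, then the netfilter KEY=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+\S+\s+kernel:\s+"
    r"(?P<prefix>.*?)\s*(?P<fields>\bIN=.*)$"
)


def parse_line(line):
    """Return a dict for one firewall log line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"],
           "prefix": m["prefix"].rstrip(":"), "flags": []}
    for tok in m["fields"].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            # UDP lines carry LEN twice (IP length, then UDP length): keep the first.
            rec.setdefault(key, value)
        else:
            rec["flags"].append(tok)  # bare tokens such as DF, SYN, ACK
    for key in ("SPT", "DPT", "LEN", "TTL"):
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def ports_probed_by_source(log_text, start_of_message="fw_Dropped"):
    """Map each source IP to the sorted destination ports it was dropped on."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["prefix"].startswith(start_of_message) and "DPT" in rec:
            seen[rec["SRC"]].add(rec["DPT"])
    return {src: sorted(ports) for src, ports in seen.items()}


if __name__ == "__main__":
    for src, ports in ports_probed_by_source(SAMPLE_LOG).items():
        print(src, ports)
```

A source that appears with several destination ports in this summary is worth a closer look than one dropped on a single port.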
3.5.3 Firewall access
This panel allows the user to enter IP addresses that are allowed to access the router or a LAN port. Please use the firewall rules web page to add custom forwarding rules. Initially only empty input fields are displayed so that a rule may be added. Only when the rule has been flagged as active, saved, committed and the firewall restarted is the rule applied to the traffic. The buttons are also dependent on the current state of the edited or selected rule.
Select
If the checkbox is selected then the buttons below will apply to this rule.
Src IP
Originating network/IP on WAN interface. E.g. 207.46.19.254
Protocol
The protocol to which this rule applies, i.e. all/tcp/udp
Dest port
Destination port on the router.
Action
Action to take if this rule matches. i.e. ACCEPT or DROP the packet
New
If checked then new connections and established ones are allowed. Otherwise only already established connections are allowed.
Message
Log message written into log file.
Description
The description for this rule.
Active
If checked then this rule is active.
Insert before
The currently edited rule is inserted before the selected rule.
Insert after
The currently edited rule is inserted after the selected rule.
Edit
Edit the selected rule.
Delete
Delete the selected rule.
Reset
Revert back to the last committed rule set.
Save
Save the currently edited rule.
Commit
This will commit the rules to persistent storage and this will normally be done when the user is satisfied with his/her current set of rules. All the above operations only apply to the temporary set of rules and will be lost if they are not committed.
Restart firewall
Restart the firewall with the currently committed rules. Please make sure you have committed them before restarting the firewall.
Note:
The order of the rules is important as they are applied in the same order that they are displayed.
This panel will be replaced in a future version by a firewall management list containing just the IPs/networks that may access this router. This will simplify the configuration.
An IP of 0.0.0.0 is invalid. The word any or 0.0.0.0/0 can be used wherever an IP or network address is required.
Broadcast packets are not sent over the GPRS network.
If there are errors in one of the rules the rule number will be displayed in the output, i.e. *** Invalid access rule <num> ***
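Why the rule order matters, shown as an added Python model that is not Metacom's code: rules are checked from top to bottom, the first active match decides, and anything unmatched is dropped. The class and function names, numbering rules from 1, treating an empty Dest port as any port, and applying the New checkbox only to ACCEPT rules are assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class AccessRule:                 # hypothetical model of one row in the panel
    src: str                      # "any", "0.0.0.0/0", a host IP or a network
    protocol: str                 # "all", "tcp" or "udp"
    dest_port: Optional[int]      # None = any port (assumption)
    action: str                   # "ACCEPT" or "DROP"
    new: bool = False             # New: new connections allowed as well
    active: bool = True


def src_network(src):
    """Parse a Src IP field; reject what the manual calls invalid."""
    if src == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if src == "0.0.0.0":
        raise ValueError("0.0.0.0 is invalid; use 'any' or 0.0.0.0/0")
    return ipaddress.ip_network(src, strict=False)


def validate(rules):
    """Return one message per unparsable rule, in the manual's wording."""
    errors = []
    for num, rule in enumerate(rules, start=1):   # numbering from 1 is assumed
        try:
            src_network(rule.src)
        except ValueError:
            errors.append(f"*** Invalid access rule {num} ***")
    return errors


def decide(rules, src_ip, protocol, dest_port, is_new):
    """Return the action of the first active rule that matches the packet."""
    addr = ipaddress.ip_address(src_ip)
    for rule in rules:
        if not rule.active or addr not in src_network(rule.src):
            continue
        if rule.protocol not in ("all", protocol):
            continue
        if rule.dest_port is not None and rule.dest_port != dest_port:
            continue
        if rule.action == "ACCEPT" and is_new and not rule.new:
            continue              # rule covers established connections only
        return rule.action
    return "DROP"                 # "Drop all other packets"


# Constructed rule sets: identical rules, different order.
ALLOW = AccessRule("207.46.19.254", "tcp", 80, "ACCEPT", new=True)
BLOCK = AccessRule("any", "tcp", 80, "DROP")
BLOCK_FIRST = [BLOCK, ALLOW]      # the broad DROP shadows the specific ACCEPT
ALLOW_FIRST = [ALLOW, BLOCK]

if __name__ == "__main__":
    for name, rules in (("BLOCK_FIRST", BLOCK_FIRST), ("ALLOW_FIRST", ALLOW_FIRST)):
        print(name, decide(rules, "207.46.19.254", "tcp", 80, is_new=True))
```

Run validate() on a rule set before decide(), since decide() raises on a rule whose Src IP does not parse.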
3.5.4 Firewall rules
Here the user may specify rules that forward IP packets from the incoming interface (VPN or WAN) to a destination on the LAN1 or LAN2 network and vice versa. The access rules in the previous section are applied before these rules.
Select
If the checkbox is selected then the buttons below will apply to this rule.
Src IP
Originating network/IP on WAN/VPN interface. E.g. 207.46.19.254
Dest IP
Destination IP on internal network E.g. 192.168.2.0
Protocol
The protocol to which this rule applies, i.e. all/tcp/udp
Router port
Listening port on the router.
Dest port
Listening port on destination LAN.
Action
Action to take if this rule matches. i.e. ACCEPT or DROP the packet
Interface 1
This field shows where the packets are coming from or going to, i.e. WAN, VPN or eth0 (LAN1).
Dir
Indicates the direction packets will take from one interface to the other.
Interface 2
This field shows where the packets are coming from or going to, i.e. eth0 (LAN1), eth1 (LAN2) and eth+ (both LAN ports).
Message
Log message written into log file.
Description
The description for this rule.
Active
If checked then this rule is active.
Insert before
The currently edited rule is inserted before the selected rule.
Insert after
The currently edited rule is inserted after the selected rule.
Edit
Edit the selected rule.
Delete
Delete the selected rule.
Reset
Revert back to the last committed rule set.
Save
Save the currently edited rule.
Commit
This will commit the rules to persistent storage and this will normally be done when the user is satisfied with his/her current set of rules. All the above operations only apply to the temporary set of rules and will be lost if they are not committed.
Restart firewall
Restart the firewall with the currently committed rules. Please make sure you have committed them before restarting the firewall.
e.g. output when restarting the firewall
Restarting firewall...
Stopping firewall:
Clearing Tables
Starting firewall:
Set up management access
Set up management access (backup)
Set up primary VPN access
Set up backup VPN access
Set up DNS primary server access
Set up DNS backup server access
Set up NTP access
Set up radius access
Setting user rules
Allowing traffic between eth0 and eth1
Executing the user firewall access rules...
Finished executing user firewall access rules...
Executing the user firewall rules...
Finished executing user firewall rules...
Executing the user nat rules...
Finished executing user nat rules...
Executing the user firewall snat rules...
Finished executing user firewall snat rules...
Drop all other packets
Note:
The order of the rules is important as they are applied in the same order that they are displayed.
An IP of 0.0.0.0 is invalid. The word any or 0.0.0.0/0 can be used wherever an IP or network address is required.
For every forwarding rule WAN->LAN that is created, the firewall adds another rule where the originating network is the other LAN port instead of the WAN.
In a future version the user may specify traffic between any of the available interfaces and forward data between them.
If there are errors in one of the rules the rule number will be displayed in the output, i.e. *** Invalid rule <num> ***
Here are some things to consider when adding rules:
The rules are implemented internally using the Linux iptables utility.
If eth1 is used for an interface then the interface needs to be enabled.
If a destination port is specified then the direction may not be <->.
Internally eth0 eth1 or eth0 eth0 will generate a forward rule between the interfaces using protocol, IPs and destination port.
New connections should be allowed if the direction is both ways (i.e. <->).
Internally eth0 <-> eth1 will generate a forward rule between the interfaces using only the protocol.
A DNAT (destination NAT) is only allowed for WAN (protocol must be set).
The router port is ignored for directions or <->.
Internally WAN<-, WAN<->, VPN<- or VPN<-> generate a forward rule using protocol, IPs and destination port.
If a firewall NAT is used (section 3.5.5) then all packets are forwarded from ppp0 (i.e. WAN) to the destination IP/network and vice versa.
3.5.5 Firewall NAT
Network Address Translation is the translation of an IP address used within one network to a different IP address known within another network. One network is designated the inside network and the other is the outside. This helps ensure security since each outgoing or incoming request must go through a translation process that also offers the opportunity to qualify or authenticate the request or match it to a previous request. NAT also conserves the number of global IP addresses that a company needs and lets the company use a single IP address in its communication with the world. NAT on the router can be used to masquerade or hide the inside LAN IPs when accessing the internet.
Select
If the checkbox is selected then the buttons below will apply to this rule.
Source IP
Originating network/IP e.g. 192.168.2.0/24
Outgoing interface
Interface where the traffic will leave the firewall. It can be eth0 (LAN1), eth1 (LAN2), ppp0 (GPRS) or ppp1 (VPN). Usually you specify ppp0 as this is where a connection can be established to the internet.
Active
If checked then this NAT rule is active.
Save
Save the currently edited NAT rule.
Edit
Edit the selected NAT rule.
Delete
Delete the selected NAT rule.
Reset
Revert back to the last committed NAT rule set.
Commit
This will commit the rules to persistent storage and this will normally be done when the user is satisfied with his/her current set of rules. All the above operations only apply to the temporary set of rules and will be lost if they are not committed.
Restart firewall
Restart the firewall with the currently committed NAT rules. Please make sure you have committed them before restarting the firewall.
Note:
If there are errors in one of the rules the rule number will be displayed in the output, i.e. *** Invalid nat rule <num> ***
3.5.6 Firewall source NAT
The rules listed on this page are used for changing the source IP address in the packets. When traffic is forwarded from the router to a LAN port (i.e. LAN to LAN communication) the response UDP packet will contain the source IP address of the destination device/PC and not the router. A rule can be added here that changes this packet’s source address to be the router’s LAN address where the original request was sent to.
Select
If the checkbox is selected then the buttons below will apply to this rule.
Src IP
Originating network/IP e.g. 192.168.2.0/24
Outgoing interface
Interface where the traffic will leave the firewall. It can either be eth0 (LAN1), eth1 (LAN2), ppp0 (GPRS), ppp1 (VPN) or all interfaces.
Dest IP
Destination IP on internal network E.g. 192.168.2.0
Protocol
The protocol to which this rule applies, i.e. all/tcp/udp
Dest port
Listening port on destination LAN.
New IP
The source IP will be changed to this IP. Normally it is the LAN1 or LAN2 IP address if the packets are sent between the two interfaces. This IP must be entered.
Active
If checked then this SNAT rule is active.
Save
Save the currently edited SNAT rule.
Edit
Edit the selected SNAT rule.
Delete
Delete the selected SNAT rule.
Reset
Revert back to the last committed SNAT rule set.
Commit
This will commit the rules to persistent storage and this will normally be done when the user is satisfied with his/her current set of rules. All the above operations only apply to the temporary set of rules and will be lost if they are not committed.
Restart firewall
Restart the firewall with the currently committed NAT rules. Please make sure you have committed them before restarting the firewall.
Note:
If there are errors in one of the rules the rule number will be displayed in the output, i.e. *** Invalid snat rule <num> ***
3.6 System Status panel
This panel contains details on the state of the interfaces within the router.
3.6.1 Network status
This lists the router’s internal interfaces.
Interface
Name of the interface on the router. i.e. eth0 (LAN1), eth1 (LAN2)
MACAddr
A unique Metacom registered MAC address for the Ethernet adapter.
Status
Status of the interface. i.e. UP (enabled), DOWN (disabled)
IP Address
Configured IP address (see Network configuration tab).
Broadcast
Broadcast IP for this network.
Net Mask
Network mask as configured on the Network configuration tab.
MTU
Maximum transmission unit. This is the maximum number of bytes that an IP packet can have before it is fragmented.
RX Bytes
Number of received bytes on this interface since the last reboot.
RX Packets
Number of received IP packets on this interface since the last reboot.
TX Bytes
Number of transmitted bytes on this interface since the last reboot.
TX Packets
Number of transmitted IP packets on this interface since the last reboot.
3.6.2 GPRS status
This page takes a while to be displayed as it interrogates the tower and the GPRS module, retrieving the state of the GPRS connection and listing the neighbouring cellphone towers.
Signal strength
Specifies the GPRS signal strength. If this value falls below 25% then the router might not function properly. Normally a value above 40% will be adequate for normal operation.
Bit error rate
If this value is non zero then the router might be too far from the tower and communication with the router could become slow.
Cells
Lists the neighbouring tower information with the active one on top.
Cell: tower id in hex
BSIC: Base station identity code
Chan: Absolute Frequency Channel Number
RSSI: Received signal level of the BCCH carrier (signal strength, value 0-63)
Medium
Indicates if the router is attached on GPRS or EDGE.
Distance from tower
Distance from the tower in steps of 550 m.
Network
Current network provider: Vodacom-SA or MTN.
Note:
The signal strength indicator has been changed to green in the newer released software.
3.6.3 Routing table
This panel shows the current routing table.
Destination
Destination IP or network address.
Gateway
The gateway address or 0.0.0.0 if none set.
Mask
The netmask for the destination net; '255.255.255.255' for a host destination and '0.0.0.0' for the default route.
Flags
Possible flags:
U (route is up)
H (target is a host)
G (use gateway)
R (reinstate route for dynamic routing)
D (dynamically installed by daemon or redirect)
M (modified from routing daemon or redirect)
A (installed by addrconf)
C (cache entry)
! (reject route)
Interface
Name of outgoing interface.
Note:
Currently the metric value is not shown in the list, so there might be 2 default routes with different metrics.
3.6.4 Test connection (ping)
This page allows the user to ping the primary and backup radius servers. At least one of these should always be reachable. This basic test will show whether the router is on the GPRS network and can send and accept ICMP packets.
jh-rad-1.datalinx.co.za jp-rad-1.datalinx.co.za
Select a radius server to ping.
Ping
Start the ping.
The above is a typical result of pinging one of the radius servers.
3.6.5 Active connections
Displays all users currently connected to the router.
Local address
LAN address of the router.
Foreign address
Your IP address and source port.
3.6.6 System load
This page displays the average number of jobs in the Linux run queue over the last 1, 5 and 15 minutes.
3.6.7 ARP table
The Address Resolution Protocol (ARP) is a protocol for mapping an IP address to a physical machine address that is recognized in the local network. The ARP table will only contain entries from the LAN1 or LAN2 networks.
IP address
IP address on the LAN.
HW address
The MAC address of this device/PC.
Device
LAN interface that this device or PC is on.
4. Technical Specifications
Metacom MC402 Rear Panel
General features
Siemens MC75 with EDGE/GPRS and Quad-Band Module
Linux Operating System with open framework
DHCP Server
32MB Flash Memory
64MB RAM
2 x 10/100 Base T Ethernet Ports
2 x Serial Ports
Dual Network Connectivity for ultra reliability
SMA Antenna Connector
Hardware Watchdog
GPRS/EDGE specification
Quad-Band
o Class 4 (2W) for EGSM850
o Class 4 (2W) for EGSM900
o Class 1 (1W) for GSM1800
o Class 1 (1W) for GSM1900
EDGE Multislot Class 10
GPRS Multislot Class 12
Integrated TCP/IP Stack
SIM Application Toolkit (SAT Release 99)
Ambient Temperature
o -30 °C to +65 °C
Mobile Station Class B
Fully Approved!
Interfaces
2 x RS232 DB-9 DCE
2 x RJ-45 connectors
1 x SMA Antenna connector
1 x AC Power Connector
LED Indicators
Power Blue
o Permanently ON if power is applied
Network Green
o Slow flash every one second: Not registered on GSM network
o Short 75ms flash every 3 seconds: Registered on GSM network
o Double flash every 3 seconds: Registered on GPRS/EDGE
Status Orange/Red
o On if WAN interface is up
Transmit Green
o Application specific
Receive Green
o Application specific
LAN 1 Orange
o On if connected
LAN 2 Orange
o On if connected
SIM 1 Green
o On if SIM 1 is being used
SIM 2 Green
o On if SIM 2 is being used
Hardware Watchdog
The hardware watchdog can only be used by specialized software on the router.
5. Fault Finding
Symptom: Power LED not On
Causes: Power not connected
Power not On
Symptom: Router cannot be accessed via the LAN
Causes: LAN port not activated (use LAN1)
PC not on the same network as the router (start DHCP server on the router or use static IP settings)
Symptom: Router cannot be accessed via the GPRS virtual IP address
Causes: Router is not on GPRS (check status LED and ping IP)
Low signal strength (check antennae and location of router)
Router's or PC's firewall is blocking access
6. Abbreviations
Term     Description
APN      Access Point Name
BER      Bit Error Rate
EDGE     Enhanced Data for Global Evolution
GPRS     General Packet Radio Services
GSM      Global System for Mobile Communications
IMEI     International Mobile Equipment Identity
LED      Light Emitting Diode
MSISDN   Mobile Station Integrated Services Digital Network
SIM      Subscriber Identity Module
SMS      Short Message Service
VPN      Virtual Private Network
LAN      Local area network
WAN      Wide area network
DHCP     Dynamic host control protocol
SNMP     Simple Network Management Protocol
L2TP     Layer 2 Transport Protocol
NAT      Network Address Translation
SNAT     Source/Secure Network Address Translation
MAC      Media Access Control
DNS      Domain Name Server