Thanks for choosing TK8X5L series industrial routers! This user's manual will guide you in detail on how to configure TK8X5L.
The preface includes the following contents:
Readers
Conventions in the Manual
Obtaining Documentation
Technical Support
Information Feedback
Readers
This manual is mainly intended for the following engineers:
Network planners
On-site technical support and maintenance personnel
Network administrators responsible for network configuration and maintenance
Conventions in the Manual
1. Format Conventions on Command Line
Bold
Keywords of the command line (the part that remains unchanged in the command and is entered as it is) are shown in bold.
Italic
Parameters of the command line (the part that must be replaced with the actual value in the command) are shown in italic.
[ ]
Indicates that the part in "[]" is optional in the command configuration.
{ x | y | ... }
Indicates that one of multiple options is to be selected.
[ x | y | ... ]
Indicates that one or none of multiple options is to be selected.
{ x | y | ... } *
Indicates that at least one of multiple options is to be selected.
[ x | y | ... ] *
Indicates that one, more or none of multiple options is to be selected.
&<1-n>
Indicates that the parameter in front of the symbol & can be entered repeatedly 1~n times.
#
Lines starting with "#" are comment lines.
2. Format Conventions on Graphic Interface
Format
Significance
<>
The content in angle brackets "<>" indicates a button name, e.g. "click the <OK> button".
[ ]
The content in square brackets "[]" indicates a window name, menu name or data sheet, e.g. "pop-up the [New User] window".
/
Multi-level menus are separated by "/". For example, the multi-level menu [File / New / Folder] indicates the menu item [Folder] under the submenu [New] under the menu [File].
3. Various Signs
The manual also uses a variety of eye-catching signs to indicate the places to which special
attention should be paid in operation. The significances of these signs are as follows:
It indicates matters to be noted. Improper operation may cause
data loss or damage to the device.
The necessary complement or description on the contents of
operation.
Obtaining Documentation
The latest product information is available on the website of Welotec (www.welotec.com):
The main columns related to product information on the website of Welotec are described as follows:
[Service Support / Document Center]: Product information in terms of hardware installation,
software upgrade, configuration, etc., is available.
[Product Technology]: Documents on product introduction and technology introduction
including relevant introduction on product, technical introduction, technical white papers, etc.,
are available.
[Service Support / Software Download]: The supporting information on software version is
If you have any questions about the product information, you can give feedback in the following ways:
E-mail: info@welotec.com
Thanks for your feedback to let us do better!
CONTENTS
TK8X5L SERIE
CONVENTIONS IN THE MANUAL
TECHNICAL SUPPORT
INFORMATION FEEDBACK
1.2 Product Features
2.1.1 Automatic acquisition of IP address (recommended)
2.1.2 Set a static IP address
2.2 Confirm that the network between the supervisory PC and router is connected
2.3 Cancel the Proxy Server
3. WEB CONFIGURATION
3.1 Login the Web Setting Page of Router
3.2.1 System
3.2.2 System Time
3.2.8 System Log
3.2.9 System Upgrading
3.3.1 Ethernet Port
3.3.2 Dialup Port
3.3.5 DHCP service
3.3.6 DNS Services
3.3.7 Dynamic Domain Name
3.4 Link Backup
3.6.1 Access Control
3.10.3 Link Speed Test
3.11.1 New LAN
3.11.2 New WAN
3.11.3 New Cellular
3.11.4 New IPSec Tunnel
3.11.5 New Port Mapping
APPENDIX 2 INSTRUCTION OF COMMAND LINE
APPENDIX 3 GLOSSARY OF TERMS
APPENDIX 4 DESCRIPTION OF LEDS
1. TK8X5L Introduction
This chapter includes the following parts:
Overview
Product Features
1.1 Overview
Thanks for choosing the TK8X5L series industrial router. TK8X5L is the new generation of industrial router developed by Welotec for M2M in the 4G era.
Integrating 4G LTE and various broadband WANs, TK8X5L provides uninterrupted access to the internet. With its complete security and wireless service features, TK8X5L can connect up to ten thousand devices. TK8X5L has also been built for rapid deployment and easy management, which enables enterprises to quickly set up large-scale industrial networks with minimized cost and time.
There are currently three TK8X5L series: TK8x2, TK8x5 which can provide up to 5 intelligent ports and they support LAN/WAN protocol. TK8X5L products not only offer more options for WAN port access, but also effectively save the additional cost of purchasing switch equipment.
1.2 Product Features
Uninterrupted Access to Internet from Anywhere
Redundant WAN connection, 2 Ethernet ports, 3G/4G embedded, various DSL, TK8X5L is
built to support various WAN and ensure network availability. Whether the device is located in
commercial region or wild field, it can always keep on line with broadband service or
widespread 3G/4G connection. Furthermore, TK8X5L can automatically switch over between
broadband and 3G/4G when one link is failed, so as to ensure uninterrupted WAN connection.
With TK8X5L, your business is always online.
Support Large Scale Deployment
In your M2M application, there are thousands of remote machines, or tens of thousands of VPN connections, which turns out to be a big challenge for network management. TK8X5L makes large-scale deployment much easier with the following features:
Multiple configuration tools including Web and CLI, enable administrator to rapidly
configure thousands of TK8X5L
Remote Network Management: TK8X5L works with network management platforms installed
in application center or headquarter. To remotely batch configure, download and upload
configuration file, upgrade firmware, monitor status of connection and VPN tunnel… all
these become essential for operating a M2M system especially when a large number of
devices scatter widely with limited field staff or even totally unattended.
TK8X5L supports industrial standard SNMP and 3rd-party SNMP software platforms, so as to integrate into enterprise-level IT management systems.
TK8X5L also collaborates with Welotec Device Manager to handle cellular specialty of
network management. Welotec Device Manager can be cloud based or installed within
enterprise’s intranet. Welotec Device Manager improves for cellular circumstance to
monitor cellular data flow, signal strength on site, location of the device. Even better,
there’s no need to apply costly private network from telecomm operator, and you can build
your worldwide M2M system across multiple operators.
status of cellular networks, help engineer out of complex network circumstance.
Support dynamic routing of RIP, OSPF, automatically update routing of whole network,
largely increase efficiency of large scale deployment.
Support Dynamic Multipoint VPN (DM VPN), greatly reducing the workload of configuring thousands of remote TK8X5L. Establishing a large & secured remote network has never been made so easy!
Robust Security
Secured VPN Connections
Support GRE, L2TP, IPSec VPN, DMVPN, OpenVPN; CA, ensure data security
Security of Network
Support firewall functions to protect from network attacks, such as: Stateful Packet
Inspection (SPI), Access Control List (ACL), resist DoS attack, intrusion protection, attack
protection, IP/MAC Binding and etc.
Security of Devices
Support AAA, TACACS, Radius, LDAP, local authentication, and multi levels user
authority, so as to establish a secured mechanism on centralized authentication and
authorization of device access.
High Reliability
Redundancy
WAN Redundancy: support link backup, VRRP to support automatic switch over between
WANs.
Dual SIM cards: backup between different mobile operators to ensure networks availability
and bargaining power on data plan.
Automatic Link Detection & Recovery
PPP Layer Detection: keep the connection with mobile network, prevent forced hibernation,
able to detect dial link stability.
Network connection Detection: automatic redial when link broken, keep Long Connection.
VPN Tunnel Detection: sustain VPN tunnel, to ensure availability of business.
TK8X5L Auto-recovery
TK8X5L embeds hardware watchdog, able to automatically recover from various failure,
ensure highest level of availability.
Entirely Ruggedized
TK8X5L inherits Welotec Networks' legacy on best-in-class ruggedized design. From component selection to circuit layout, TK8X5L satisfies electric power and industrial applications on EMC, IP protection, temperature range, etc. TK8X5L is designed to last in the harshest circumstances.
High Performance, High Bandwidth
Equipped with powerful Cortex-A8 processor and 256MB memory, support more
application needs
Support 4G/LTE (100Mbps downlink and 50Mbps uplink) and HSPA+ (21Mbps downlink
and 5.76Mbps uplink)
Welotec Network Operation System: INOS 2.0
Welotec Network Operation System (INOS) has been built as the highly reliable & real-time
basis for all network functions, as well as easy-to-use configuration interface via Web, CLI or
SNMP. INOS is in modular design, expandable, and adaptable to various M2M applications.
Embed WIFI AP and Client, Easy to Establish Versatile Wireless Network
Support 802.11 b/g/n standard, fulfill the need to connect WLAN devices, up to 150Mbps
throughput
Easily establish wireless LAN, support WEP/WPA/WPA2 for network security
WIFI can be the backup WAN link for 3G/4G
2. Login Router
This chapter mainly contains the following contents:
Establish Network Connection
Confirm that the connection between supervisory PC and router
Cancel the Proxy Server
2.1 Establish Network Connection
2.1.1 Automatic acquisition of IP address (recommended)
Please set the supervisory computer to "automatic acquisition of IP address" and "automatic
acquisition of DNS server address" (default configuration of computer system) to let the router
automatically assign IP address for supervisory computer.
1) Open "Control Panel", double-click the "Network and Internet" icon, and enter "Network and Sharing Center".
2) Click the button <Local Connection> to enter the window of "Local Connection Status".
3) Click <Properties> to enter the window of "Local Connection Properties", as shown below.
4) Select "Internet Protocol Version 4 (TCP/IPv4)", click <Properties> to enter the "Internet Protocol Version 4 (TCP/IPv4) Properties" page. Select "Obtain an IP address automatically" and "Obtain DNS Server address automatically", then click <OK> to finish setting, as shown below.
2.1.2 Set a static IP address
Enter the "Internet Protocol Version 4 (TCP/IPv4) Properties" page, select "Use the following IP address", type the IP address (arbitrary value between 192.168.2.2~192.168.2.254), Subnet Mask (255.255.255.0), and Default Gateway (192.168.2.1), then click <OK> to finish setting, as shown below.
2.2 Confirm that the network between the supervisory PC and router is connected
1) Click the button <Start> at the lower left corner, search for "cmd.exe", and run cmd.exe.
2) Enter "ping 192.168.2.1" (IP address of the router; it is the default IP address), and click the button <OK>. If the pop-up dialog box shows the response returned from the router side, it indicates that the network is connected; otherwise, check the network connection.
2.3 Cancel the Proxy Server
If the current supervisory computer uses a proxy server to access the Internet, it is required to
cancel the proxy service and the operating steps are as follows:
(1) Select [Tools/Internet Options] in the browser to enter the window of [Internet Options].
(2) Select the tab "Connect" and click the button <LAN Setting(L)> to enter the page of "LAN Setting". Please confirm whether the option "Use a Proxy Server for LAN" is checked; if it is checked, please cancel it and click the button <OK>.
3. Web Configuration
This chapter includes the following parts:
Login/out Web Configuration Page
Management
Network
Link Backup
Routing
Firewall
QOS
VPN
Tools
Installation Guide
3.1 Login the Web Setting Page of Router
Run the Web browser, enter "http://192.168.2.1" in the address bar, and press Enter to go to the Web login page, as shown in Figure 3-1. Enter the "User Name" (default: adm) and "Password" (default: 123456), and click the button <OK> or directly press Enter to enter the Web setting page.
The router allows up to four users to manage it through the Web setting page at the same time. When multi-user management is implemented for the router, it is suggested not to conduct configuration operations on the router at the same time; otherwise it may lead to inconsistent data configuration.
For security, you are advised to change the default login password after the first login and to keep the password information safe.
3.2 Management
3.2.1 System
3.2.1.1 System Status
From the left navigation panel, select Administration >> System, then enter the "System Status" page. On this page you can check system status and network status, as shown below. In system status, by clicking <Sync Time> you can synchronize the time of the router with the system time of the host. Click the "Set" behind Cellular1, Fastethernet 0/1 and Fastethernet 0/2 respectively in network status to enter the configuration screen directly. For configuration methods, refer to Sections 3.3.1 and 3.3.2.
The user can define the refresh interval of the screen through the drop-down list at the lower right corner of the screen.
3.2.1.2 Basic Settings
Select Administration >> System, then enter the "Basic Setup" page. You can set the language of the Web Configuration Page and define the Router Name, as shown below.
Page description is shown below:
Parameter Name | Description | Default
Language | Select system language of Router | English
Router Name | Define Router Name | Router
3.2.2 System Time
To ensure coordination between this device and other devices, the system time must be set accurately. This function is used to configure and check the system time as well as the system time zone.
The device supports setting the system time manually and synchronizing it automatically with an SNTP server.
3.2.2.1 System Time
In the system time configuration part, the time of the router can be synchronized with the connected host manually, and the system time can be manually set to any expected value after Year 2000.
From the left navigation panel, select Administration >> System Time, then enter the "System Time" page, as shown below.
By clicking <Sync Time> you can synchronize the time of the router with the system time of the host. Select the expected parameters in the Year/Month/Date and Hour:Min:Sec columns, then click <Apply & Save>. The router will immediately set the system time to the expected value.
Page description is shown below:
Parameters | Description | Default
Router Time | System time of Router | 1970.01.01
PC Time | Time of connected PC | None
Year/Month/Date | Set the expected Year/Month/Date | Current Year/Month/Date
Hour:Min:Sec | Set the expected Hour:Min:Sec | Current Hour:Min:Sec
Timezone | Set timezone | UTC+08:00
3.2.2.2 SNTP Client
SNTP, namely Simple Network Time Protocol, is a network protocol for synchronizing the clocks of networked computers. It provides comprehensive mechanisms to access national time and frequency dissemination services, organize the time-synchronization subnet and adjust the local clock in each participating subnet peer. In most places of the Internet today, SNTP provides accuracies of 1-50ms depending on the characteristics of the synchronization source and network paths.
The purpose of using SNTP is to achieve time synchronization of all devices equipped with a clock on the network so as to provide multiple applications based on uniform time.
From the left navigation panel, select Administration >> System Time, then enter the "SNTP Client" page, as shown below.
Page description is shown below:
The meanings of key items in the page are shown in the table below.
Parameters | Description | Default
Enable | Enable/Disable SNTP client | Disable
Update Interval | Synchronization time intervals with SNTP server | 3600
Source Interface | Cellular1, Fastethernet 0/1, Fastethernet 0/2 | None
Source IP | The corresponding IP of source interface | None
SNTP Servers List
Server Address | SNTP server address (domain name / IP); a maximum of 10 SNTP servers can be set | None
Port | The service port of SNTP server | 123
Before setting an SNTP server, ensure that the SNTP server is reachable. Especially when the address of the SNTP server is a domain name, ensure that the DNS server has been configured correctly.
If a source interface is configured, the source address cannot be configured, and vice versa.
When multiple SNTP servers are set, the system polls all SNTP servers until it finds an available SNTP server.
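The SNTP exchange described above, as an added example that is not taken from the manual or from the router firmware: it builds the 48-byte client request, validates a server reply (mode, stratum, echoed timestamp) before trusting it, and polls a server list until one answers, as the note above describes. Function names, the sample timestamps and the constructed reply are assumptions made for illustration.

```python
import socket
import struct
import time

NTP_UNIX_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01

def pack_ts(unix_time):
    """Unix seconds -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    secs = int(unix_time)
    frac = int((unix_time - secs) * 2**32)
    return struct.pack("!II", (secs + NTP_UNIX_DELTA) & 0xFFFFFFFF, frac)

def unpack_ts(data, offset):
    secs, frac = struct.unpack_from("!II", data, offset)
    return secs - NTP_UNIX_DELTA + frac / 2**32

def build_request(t1, version=4):
    """48-byte client request: LI=0, VN=version, Mode=3, Transmit Timestamp=t1."""
    return bytes([(version << 3) | 3]) + bytes(39) + pack_ts(t1)

def parse_reply(reply, request, t1, t4):
    """Validate a reply; return (server_unix_time, clock_offset_seconds).
    t1 and t4 are the client's send and receive times in Unix seconds."""
    if len(reply) < 48:
        raise ValueError("short SNTP packet")
    leap, mode, stratum = reply[0] >> 6, reply[0] & 0x07, reply[1]
    if mode != 4:
        raise ValueError("not a server-mode reply")
    if leap == 3 or stratum == 0:
        raise ValueError("server is unsynchronised")
    # The server must echo our Transmit Timestamp as its Originate Timestamp;
    # a mismatch means a stale or spoofed datagram.
    if reply[24:32] != request[40:48]:
        raise ValueError("originate timestamp mismatch")
    t2 = unpack_ts(reply, 32)  # server receive time
    t3 = unpack_ts(reply, 40)  # server transmit time
    return t3, ((t2 - t1) + (t3 - t4)) / 2

def first_available(servers, port=123, timeout=2.0):
    """Try each configured server until one gives a valid answer.
    Returns (host, server_time, offset) or None if none is usable."""
    for host in servers:
        try:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
                sock.settimeout(timeout)
                t1 = time.time()
                request = build_request(t1)
                sock.sendto(request, (host, port))
                reply, _ = sock.recvfrom(512)
                server_time, offset = parse_reply(reply, request, t1, time.time())
                return host, server_time, offset
        except (OSError, ValueError):
            continue  # unreachable, unresolvable or invalid: try the next one
    return None

def constructed_reply(request, t2, t3, stratum=2):
    """Constructed sample reply for offline checks (not captured traffic)."""
    header = bytes([(4 << 3) | 4, stratum, 0, 0]) + bytes(20)
    return header + request[40:48] + pack_ts(t2) + pack_ts(t3)
```

SNTP replies are unauthenticated, so the echoed-timestamp check only rejects stale or blindly spoofed packets; log timestamps and certificate validity on the router still depend on the configured servers being trustworthy.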
3.2.3 Admin Access
Admin Access allows the management of users, which are categorized into superuser and common user.
Superuser: only one, automatically created by the system, allocated the user name adm and granted all access rights to the router.
Common user: created by the superuser, with the right to check rather than modify the router configuration.
3.2.3.1 Create a User
Select Administration >> Admin Access, then enter the "Create a User" page, as shown below.
Create a user
Page description is shown below:
Parameters | Description | Default
Username | New username | None
New Password | New password | None
Confirm New Password | Confirm the new password | None
User Summary | List all the users of current system | None
3.2.3.2 Modify a User
From the left navigation panel, select Administration >> Admin Access, then enter the "Modify a User" page, as shown below.
Click the user to be modified in "User Summary"; after the background turns blue, enter the new information in "Modify a User".
Modify user information
Page description is shown below:
Parameters | Description | Default
User Summary | List all the users of current system | adm
Username | The username to be modified | None
New Password | New password | None
Confirm New Password | Confirm the new password | None
3.2.3.3 Remove Users
From the left navigation panel, select Administration >> Admin Access, then enter the "Remove Users" page, as shown below.
Click the user to be removed in "User Summary". After the background turns blue, press <Delete> to remove the user.
The super user (adm) can neither be modified nor deleted. But the super user's password can be modified.
3.2.3.4 Management Service
HTTP
HTTP, short for Hypertext Transfer Protocol, is used to transmit Web page information on the Internet. HTTP is located at the application layer of the TCP/IP protocol stack.
Through HTTP, the user can log on to the device to access and control it through the Web.
HTTPS
HTTPS (Hypertext Transfer Protocol Secure) supports HTTP over SSL (Secure Sockets Layer).
HTTPS, depending on SSL, is able to improve the device's security in the following aspects:
Distinguish legal clients from illegal clients through SSL and forbid illegal clients from accessing the device;
Encrypt the data exchanged between client and device to guarantee security and integrity of data transmission so as to achieve safe management of the device;
An access control strategy based on certificate attributes is established for further control of the client's access authority so as to further avoid attacks from illegal clients.
TELNET
Telnet is an application layer protocol in the TCP/IP protocol family, providing telnet and VT functions through Web. Based on the Server/Client model, a Telnet Client can send requests to a Telnet Server, which provides Telnet services. The device supports Telnet Client and Telnet Server.
Connection of Telnet is shown in the following figure:
Router A now functions as the Telnet Server, but also provides Telnet Client service. Router B and Router A provide Telnet Client function.
SSH
Telnet adopts TCP to transmit in plaintext; it lacks a secure authentication mode and is vulnerable to DoS (Denial of Service), host IP spoofing, routing spoofing and other malicious attacks, which creates great potential security hazards.
In comparison with Telnet, STelnet (Secure Telnet), based on SSH2, allows the Client to negotiate with the Server so as to establish a secure connection. The Client can log on to the Server just as with Telnet.
SSH realizes secure telnet over an insecure network through the following measures:
Support RSA authentication.
Support encryption algorithms such as DES, 3DES and AES128 to encrypt username, password and data transmission.
TK8X5L only supports SSH Server and can connect with multiple SSH Clients.
SSH supports local connection and WAN connection.
Local connection. An SSH channel can be established between SSH Client and SSH Server to achieve local connection. The following figure shows the establishment of an SSH channel in a LAN:
WAN connection. An SSH channel can be established between SSH Client and SSH Server to achieve WAN connection. The following figure shows the establishment of an SSH channel in a WAN:
From the left navigation panel, select Administration >> Admin Access, then enter the "Management Service" page, as shown below.
Page description is shown below:
Parameters | Description | Default
HTTP | Hypertext Transfer Protocol, Plaintext Transmission, Port: 80. |
 | Standard protocol and main way for Internet telnet service. Port: 23 | On
SSH | Port: 22. Timeout: timeout of SSH session. No operation within this period on SSH Client, SSH Server disconnect. Default: 120s. Cipher Mode: set up public key encryption method (currently only RSA supported). Cipher Code Length: set up cipher code length, 512 or 1024. default: 1024 | Off
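One way to check, from the supervisory PC, which of the management services described above are actually reachable on a deployed router and which of them carry logins in plaintext. This is an added example, not part of the manual or of the router software; the function names and severity labels are assumptions, and port 443 for HTTPS is the protocol's standard port rather than a value stated on this page.

```python
import socket

# Ports 80, 23 and 22 are the ones the manual gives for HTTP, Telnet and SSH.
# 443 for HTTPS is that protocol's standard port and an assumption for this device.
SERVICES = {
    "HTTP": (80, "plaintext"),
    "HTTPS": (443, "encrypted"),
    "TELNET": (23, "plaintext"),
    "SSH": (22, "encrypted"),
}

def tcp_probe(host, port, read_banner=False, timeout=1.0):
    """None if the port is closed or filtered; otherwise the first line the
    server sends ('' if no banner was requested or none arrived in time)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            if not read_banner:
                return ""
            try:
                line = conn.recv(256).split(b"\n")[0]
                return line.strip().decode("ascii", "replace")
            except OSError:
                return ""
    except OSError:
        return None

def audit_management_services(host, services=SERVICES, probe=tcp_probe):
    """Return (service, port, severity, note) for every reachable service."""
    findings = []
    for name, (port, transport) in services.items():
        banner = probe(host, port, read_banner=(name == "SSH"))
        if banner is None:
            continue  # service is off or not reachable from this network
        if transport == "plaintext":
            findings.append((name, port, "HIGH",
                             "logins and configuration travel unencrypted; "
                             "turn it off and use HTTPS/SSH"))
        elif name == "SSH" and not banner.startswith("SSH-2.0-"):
            findings.append((name, port, "MEDIUM",
                             "banner %r does not announce SSH protocol 2.0 only" % banner))
        else:
            findings.append((name, port, "INFO",
                             "encrypted service reachable; restrict it to management hosts"))
    return findings

if __name__ == "__main__":
    # 192.168.2.1 is the router's default address from section 2.2.
    for finding in audit_management_services("192.168.2.1"):
        print("%-6s port %-4d %-6s %s" % finding)
```

Run it once from the LAN side and once from a host on the WAN side: a service that is acceptable on the local segment may still need to be switched off or filtered where it faces the cellular or WAN link.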
3.2.4 AAA
AAA access control is used to control which visitors are allowed access and which services are available to them once access is allowed. The same method is adopted to configure three independent security functions. It provides a modular way to deliver the following services:
Authentication: verify whether the user is qualified to access the network.
Authorization: related to the services available.
Charging: records of the utilization of network resources.
A user may use only one or two of the security services provided by AAA. For example, if the company just wants identity authentication when employees access some specified resources, the network administrator only needs to configure an authentication server. But if recording of the utilization of the network is required, a charging server shall be configured.
AAA commonly adopts a Client/Server structure, which offers good expandability and facilitates centralized management of users' information, as the following figure shows:
3.2.4.1 Radius
Remote Authentication Dial-in User Service (RADIUS), an information exchange protocol with a distributed Client/Server structure, protects the network from unauthorized access and is generally applied in network environments that have higher security requirements and permit remote user access. The protocol defines the Radius frame format based on UDP and the information transmission mechanism, and specifies UDP port 1812 as the authentication port. The Radius Server generally runs on a central computer or workstation; the Radius Client is generally located on the NAS.
Radius was initially designed and developed as an AAA protocol for dial-in users. With the diversification of user access methods, Radius has adapted to such changes, including Ethernet access and ADSL access. Access service is rendered through authentication and authorization.
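The Radius frame format mentioned above, shown from both sides as an added example (not code from the manual or from the router): the NAS builds an Access-Request with the password hidden as RFC 2865 specifies, the server recovers it and signs its reply, and the NAS verifies that reply. The function names, the shared secret and the sample credentials are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2   # RADIUS packet codes
USER_NAME, USER_PASSWORD = 1, 2        # attribute types

def hide_password(password, secret, request_auth):
    """RFC 2865 User-Password hiding: XOR each 16-byte block with
    MD5(secret + previous ciphertext block); the first block uses request_auth."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += prev
    return hidden

def reveal_password(hidden, secret, request_auth):
    """Server side: undo hide_password using the same shared secret."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return clear.rstrip(b"\x00")

def attribute(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(identifier, user, password, secret, request_auth=None):
    request_auth = request_auth or os.urandom(16)
    attrs = attribute(USER_NAME, user)
    attrs += attribute(USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs

def parse_packet(packet):
    """Return (code, identifier, authenticator, {type: value}) with length checks."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    code, identifier, length = struct.unpack_from("!BBH", packet)
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return code, identifier, packet[4:20], attrs

def build_response(code, request, secret, attrs=b""):
    """Server reply. Response Authenticator =
    MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs

def verify_response(response, request, secret):
    """Client side: accept a reply only if it is bound to our request and secret."""
    _, identifier, resp_auth, _ = parse_packet(response)
    length = struct.unpack_from("!H", response, 2)[0]
    expected = hashlib.md5(
        response[:4] + request[4:20] + response[20:length] + secret).digest()
    return identifier == request[1] and hmac.compare_digest(resp_auth, expected)
```

Everything here rests on MD5 and the shared secret, and the user name travels in clear, so a long random secret and a protected path between the router and the Radius Server (for example one of the VPN tunnels the router supports) matter more than the protocol's own protection.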
Message flow between Radius Client and Server is shown as follows:
User name and password will be sent to the NAS when the user logs on to it;
Radius Client on NAS receives username and password and then sends an authentication request to
Radius Server;
Upon the reception of legal request, Radius Server executes authentication and feeds back required user