File system

The LR54 local file system

LR54 User Guide

The LR54 local file system has approximately 100 MB of space available for storing files, such as
Python programs, alternative configuration files and firmware versions, and release files, such as
cellular module images. The writable directories within the filesystem are:

- /tmp
- /opt
- /etc/config

Files stored in the /tmp directory do not persist across reboots. Therefore, /tmp is a good location to upload temporary files, such as files used for firmware updates. Files stored in /opt and /etc/config do persist across reboots, but are deleted if a factory reset of the system is performed. See Erase device configuration and reset to factory defaults for more information.
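An added example, not taken from the Digi guide: because /opt and /etc/config survive reboots while /tmp does not, a hash baseline of the writable directories shows which files were added or altered and whether each change will outlive a reboot. The function names and the constructed sample tree are assumptions made for illustration; the script is meant for any Python 3 host, run against the device root or a copy of its file system.

```python
import hashlib
import os
import tempfile

# Writable directories and whether their contents persist across reboots,
# as stated in the guide text above.
WRITABLE_DIRS = {"/tmp": False, "/opt": True, "/etc/config": True}


def persists(path):
    """Return True if a device path lies in a directory that survives reboots."""
    for top, persistent in WRITABLE_DIRS.items():
        if path == top or path.startswith(top + "/"):
            return persistent
    return False


def snapshot(sysroot="/"):
    """Map every file under the writable directories to a SHA-256 digest.

    sysroot lets the same code run against a mounted or copied file system.
    Symbolic links are recorded by target and never followed.
    """
    files = {}
    for top in WRITABLE_DIRS:
        base = os.path.join(sysroot, top.lstrip("/"))
        for dirpath, _dirs, names in os.walk(base):
            for name in names:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, sysroot).replace(os.sep, "/")
                device_path = "/" + rel
                if os.path.islink(full):
                    files[device_path] = "symlink:" + os.readlink(full)
                elif os.path.isfile(full):
                    with open(full, "rb") as fh:
                        files[device_path] = hashlib.sha256(fh.read()).hexdigest()
    return files


def compare(baseline, current):
    """Return (change, path, persistent) for every path that differs."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if baseline.get(path) == current.get(path):
            continue
        if path not in baseline:
            change = "added"
        elif path not in current:
            change = "removed"
        else:
            change = "changed"
        findings.append((change, path, persists(path)))
    return findings


def demo():
    """Build a constructed sample tree, modify it, and report the differences."""
    with tempfile.TemporaryDirectory() as sysroot:
        def write(path, data):
            full = os.path.join(sysroot, path.lstrip("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)

        # Constructed baseline content.
        write("/opt/monitor.py", b"print('ok')\n")
        write("/etc/config/backup.bin", b"constructed sample")
        baseline = snapshot(sysroot)

        # Constructed changes made after the baseline was taken.
        write("/opt/monitor.py", b"print('modified')\n")
        write("/opt/new_script.py", b"pass\n")
        write("/tmp/firmware.bin", b"temporary upload")
        return compare(baseline, snapshot(sysroot))


if __name__ == "__main__":
    for change, path, persistent in demo():
        scope = "persists across reboots" if persistent else "lost on reboot"
        print(f"{change:8} {path} ({scope})")
```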

Display directory contents

To display directory contents by using the WebUI or the Admin CLI:

  Web

1. Log into the LR54 WebUI as a user with Admin access.

2. On the menu, click System. Under Administration, click File System.

The File System page appears.

3. Highlight a directory and click to open the directory and view the files in the directory.

  Command line

1. Select the device in Remote Manager and click Actions > Open Console, or log into the LR54 local command line as a user with full Admin access rights.

Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.

Summary of Contents for TransPort LR54

Page 1: ...LR54 User Guide Firmware version 22 8 ...


Page 83: ...link target 0 where value is any number of weeks days hours minutes or seconds and takes the format number w d h m s For example to set interface_down_time to ten minutes enter either 10m or 600s config network interface my_wan ipv4 surelink target 0 interface_down_time 600s config network interface my_wan ipv4 surelink target 0 The default is 60 seconds l Optional Set the amount of time to wait f...

Page 84: ...le config network interface my_wan ipv4 surelink target 0 other_interface network interface wan1 config network interface my_wan ipv4 surelink target 0 o Set the alternate interface s IP version This allows you to determine the alternate interface s status for a particular IP version config network interface my_wan ipv4 surelink target 0 other_ip_version value config network interface my_wan ipv4 ...

Page 85: ...rgets or all of the test targets config network interface my_wan ipv4 surelink success_condition value config network interface my_wan ipv4 surelink Where value is either one or all d Set the number of probe attempts before the WAN is considered to have failed config network interface my_wan ipv4 surelink attempts num config network interface my_wan ipv4 surelink The default is 3 e Set the amount ...

Page 86: ...dress See Configure a Wireless Wide Area Network WWAN for details about SIM failover n Enable device reboot upon interface failure n The type of probe test to be performed one of l Test another interface s status Used to create a failover or coupled relationship between two interfaces Requires the name of the alternate interface the IP version to be tested and the expected status of the alternate ...

Page 87: ...cribed in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Local Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Network Interfaces 4 Create a new interface or select an existing one n To create a new interface see Configure a Local Area Network LAN C...

Page 88: ...re the interface is restarted The default is 1 8 Enable Reboot device If Reboot device is enabled at the same time as Restart interface Reboot device takes precedence n For Reboot fail count type or select the number of times that the Surelink test must fail before the device is rebooted The default is 1 9 Click to expand Test targets 10 For Add Test Target click 11 Select the Test type n Test ano...

Page 89: ...ed Allowed values are any number of weeks days hours minutes or seconds and take the format number w d h m s For example to set Initial connection time to ten minutes enter 10m or 600s The default is 60 seconds 12 Optional active recovery configuration parameters a Change the Interval between connectivity tests Allowed values are any number of weeks days hours minutes or seconds and take the forma...

Page 90: ...e configuration schema For example for an interface named my_wan change to the my_wan node in the configuration schema config network interface my_wan config network interface my_wan 4 Enable SureLink SureLink can be enabled for both IPv4 and IPv6 configurations By default SureLink is enabled for IPv4 for the preconfigured WAN wan1 and WWAN wwanwwan2 It is disabled for IPv6 When SureLink is configu...

Page 91: ...arget config network interface my_wan add ipv4 surelink target end config network interface my_wan ipv4 surelink target 0 8 Set the test type config network interface my_wan ipv4 surelink target 0 test value config network interface my_wan ipv4 surelink target 0 where value is one of n ping Tests connectivity by sending an ICMP echo request to a specified hostname or IP address l Specify the hostn...

Page 92: ...link target 0 where value is any number of weeks days hours minutes or seconds and takes the format number w d h m s For example to set interface_down_time to ten minutes enter either 10m or 600s config network interface my_wan ipv4 surelink target 0 interface_down_time 600s config network interface my_wan ipv4 surelink target 0 The default is 60 seconds l Optional Set the amount of time to wait f...

Page 93: ...le config network interface my_wan ipv4 surelink target 0 other_interface network interface wan1 config network interface my_wan ipv4 surelink target 0 o Set the alternate interface s IP version This allows you to determine the alternate interface s status for a particular IP version config network interface my_wan ipv4 surelink target 0 other_ip_version value config network interface my_wan ipv4 ...

Page 94: ...rgets or all of the test targets config network interface my_wan ipv4 surelink success_condition value config network interface my_wan ipv4 surelink Where value is either one or all d Set the number of probe attempts before the WAN is considered to have failed config network interface my_wan ipv4 surelink attempts num config network interface my_wan ipv4 surelink The default is 3 e Set the amount ...

Page 95: ... allow DNS resolution follow this procedure to disable the default SureLink connectivity tests You can also disable DNS lookup or other internet activity while retaining the SureLink interface test Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Rem...

Page 96: ... be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Change to the WAN or WWAN s node in the configuration schema For example to disable SureLink for the WWAN interface config network interface wwan config network interface wwan 4 Disable SureLink config network interface wwan ipv4 surelink enab...

Page 97: ...sical link is up and that a route is present to send traffic out of the network interface Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config L...

Page 98: ... and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Change to WAN...

Page 99: ...m the device Example Use a ping test for WAN failover from Ethernet to cellular In this example configuration the WAN1 interface serves as the primary WAN while the cellular WWAN interface serves as the backup WAN In this example configuration SureLink is used for the WAN1 interface to send a probe packet of size 256 bytes to the IP host 43.66.93.111 every 10 seconds If there are three consec...

Page 100: ...ck Settings d Click to expand Config Local Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Configure active recovery on WAN1 a Click Network Interface WAN1 IPv4 SureLink b For Interval type 10s c Click to expand Test targets d Delete the existing test targets Click the menu icon next to each target and select Delete ...

Page 101: ...ghts Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Configure SureLink on WAN1 a Set the interval to ten seconds config network interface wan1 ipv4 surelink interval 10s config b Delete the existing test targets config network interface wan1 de...

Page 102: ...e Ethernet interfaces as a WAN when connecting to the Internet through a device such as a cable modem By default the WAN ETH1 Ethernet device is configured as a WAN named WAN1 with both DHCP and NAT enabled and using the External firewall zone This means you should be able to connect to the Internet by connecting the WAN ETH1 Ethernet port to another device that already has an internet connection ...

Page 103: ...r switching is enabled by default n Configure the access technology n Determine which cellular antennas to use Additional configuration items n If Active SIM slot is set to Any determine the preferred SIM slot In the event of a failover to a non preferred SIM or if manual SIM switching is used to switch to a non preferred SIM the modem will attempt to reconnect to the SIM in the preferred SIM slot...

Page 104: ... modem This is used when using dual APN SIMs The default is 1 7 Enable Carrier switching to allow the modem to automatically match the carrier for the active SIM Carrier switching is enabled by default 8 For Access technology select the type of cellular technology that this modem should use to access the cellular network or select All technologies to configure the modem to use the best available t...

Page 105: ...one Does not consider either SIM slot to be the preferred slot n 1 Configures the first SIM slot as the preferred SIM slot n 2 Configures the second SIM slot as the preferred SIM slot In the event of a failover to a non preferred SIM or if manual SIM switching is used to switch to a non preferred SIM the modem will attempt to reconnect to the SIM in the preferred SIM slot The default is none 6 Set...

Page 106: ...modem wwan antenna value config where value is one of the following n main n aux n both 10 Save the configuration and apply the change config save Configuration saved 11 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Configure cellular modem APNs The LR54 device uses a preconfigured l...

Page 107: ...ge your device b Click the Device ID c Click Settings d Click to expand Config Local Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 For APN type the Access Point Name APN to be used when connecting to the cellular carrier 4 Optional IP version For IP version select one of the following n Automatic Requests both IPv4 and IPv6...

Page 108: ... device to bypass its preconfigured APN list and only use the configured APNs enable APN list only 8 Click Apply to save the configuration and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access sel...

Page 109: ...required n auto The device will attempt to connect using CHAP first and then PAP n chap Uses the Challenge Handshake Authentication Profile CHAP to authenticate n pap Uses the Password Authentication Profile PAP to authenticate If auto chap or pap is selected enter the Username and Password required to authenticate config network interface wwan modem apn 0 username name config network interface ww...

Page 110: ...ate billing structures for public and private traffic n Site to site networking without the overhead of tunneling for each device In the following example configuration all traffic on LAN1 is routed through the public APN to the internet and all traffic on LAN2 is routed through the private APN to the customer s data center To accomplish this we will create separate WWAN interfaces that use the sa...

Page 111: ...mple we will create two interfaces named WWAN_Public and WWAN_Private a Click Network Interfaces b For Add Interface type WWAN_Public and click c For Interface type select Modem d For Zone select External e For Device select WWAN cellular modem f Optional Configure the public APN If the public APN is not configured the LR54 will attempt to determine the APN i Click to expand APN list APN ii For AP...

Page 112: ...nal j For Device select WWAN cellular modem This should be the same modem selected for the WWAN_Public WWAN k Enable APN list only l Click to expand APN list APN m For APN type the private APN provided to you by your cellular carrier 5 Create the routing policies For example to route all traffic from LAN1 through the public APN and LAN2 through the private APN ...

Page 113: ...Interface select LAN1 f Configure the destination address i Click to expand Destination address ii For Type select Interface iii For Interface select Interface WWAN_Public g Click the to add another route policy h For Label enter Route through private APN i For Interface select Interface WWAN_Private j Configure the source address i Click to expand Source address ii For Type select Interface iii F...

Page 114: ...figuration mode config config 3 Set the maximum number of interfaces for the modem config network modem wwan max_intfs 2 config 4 Create the WWAN interfaces a Create the WWANPublic interface config add network interface WWANPublic config network interface WWANPublic b Set the interface type to modem config network interface WWANPublic type modem config network interface WWANPublic c Set the modem ...

Page 115: ...ue config network interface WWANPrivate j Set the private APN config network interface WWANPublic modem apn private_apn config network interface WWANPublic 5 Create the routing policies For example to route all traffic from LAN1 through the public APN and LAN2 through the private APN a Add a new routing policy config add network route policy end config network route policy 0 b Set the label that w...

Page 116: ...figuration config network route policy 0 config network route policy g Add a new routing policy config network route policy add end config network route policy 1 h Set the label that will be used to identify this route policy config network route policy 1 label Route through private apn config network route policy 1 i Set the interface config network route policy 1 interface network interface WW...

Page 117: ...lar carrier based on the SIM that is in use and the status of available carriers in your area Alternatively you can configure the devices to manually select the carrier based on the Network PLMN ID You can also configure the device to use manual carrier selection and fall back to automatic carrier selection if connecting to the manually configured carrier fails You can also use the modem scan ...

Page 118: ...ed on your SIM and cellular network status n Manual The device will only connect to the carrier identified in the Network PLMN ID If the carrier is not available no cellular connection will be established n Manual Automatic The device will attempt to connect to the carrier identified in the Network PLMN ID If the carrier is not available the device will fall back to using automatic carrier selecti...

Page 119: ...ual The device will only connect to the carrier identified in the Network PLMN ID If the carrier is not available no cellular connection will be established n manual_automatic The device will attempt to connect to the carrier identified in the Network PLMN ID If the carrier is not available the device will fall back to using automatic carrier selection 4 If carrier selection mode is set to manual or...

Page 120: ...resh the list click SCAN 5 The current carrier is highlighted in green To switch to a different carrier a Highlight the appropriate carrier and click SELECT The Carrier selection dialog opens b For Carrier selection mode select one of the following n Manual Automatic The device will use automatic carrier selection if this carrier is not available n Manual Does not allow the device to use automatic...

Page 121: ...T Mobile 310260 3G Available AT T 310410 4G Available Verizon 311480 4G Available 311 490 311490 4G Available 313 100 313100 4G Show cellular status and statistics You can view a summary status for all cellular modems or view detailed status and statistics for a specific modem Web 1 Log into the LR54 WebUI as a user with Admin access 2 On the menu click Status 3 Under Connections click Modems The ...

Page 122: ...te connected Signal Strength Good 85 dBm Bars 2 5 Access Mode 4G Network Technology CNTI LTE Band B2 Temperature 34C wwan1 Interface APN 1234 IPv4 surelink passing IPv4 address 189 232 229 47 IPv4 gateway 189 232 229 1 IPv4 MTU 1500 IPv4 DNS server s 245 144 162 207 245 144 162 208 IPv6 surelink passing IPv6 address 11f6 4680 0d67 59d2 552b 3429 81a8 f1ea IPv6 gateway ff50 d95d 7e98 abe8 3030 9138...

Page 123: ...ce configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the Admin CLI prompt use the modem puk unlock command to set a new PIN for the SIM card modem puk unlock puk_code new_pin modem_name For example to unlock a SIM card in the modem named wwan with PUK code 12345678 and set the new SIM PIN to 1234 modem puk unlock 12345678 1234 wwan 3 Type exit...

Page 124: ...T command access To run AT commands from the LR54 command line Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the Admin CLI prompt type modem at interactiv...

Page 125: ...an ssh client and press ENTER Connected ati Manufacturer Sierra Wireless Incorporated Model MC7455 Revision SWI9X30C_02 24 03 00 r6978 CARMD EV FRMWR2 2017 03 02 13 36 45 MEID 35907206045169 IMEI 359072060451693 IMEI SV 9 FSN LQ650551070110 GCAP CGSM OK 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnec...

Page 126: ... default route l When to use DNS servers for this interface l Whether to include the LR54 device s hostname in DHCP requests l SureLink active recovery configuration See Configure SureLink active recovery to detect WAN WWAN failures for further information n IPv6 configuration l The metric for IPv6 routes associated with the WAN l The relative weight for IPv6 routes associated with the WAN l The I...

Page 127: ...er to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Local Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Network Interfaces 4 Create the WAN or select an existing WAN n To create a new WAN for Add interface type a name for the WAN and click n To edit an existing WAN click t...

Page 128: ...e metrics for further information about metrics ii For Weight type the relative weight for default routes associated with this interface For multiple active interfaces with the same metric Weight is used to load balance traffic to the interfaces iii Set the Management priority This determines which interface will have priority for central management activity The interface with the highest number w...

Page 129: ...ffic to the interfaces h Set the Management priority This determines which interface will have priority for central management activity The interface with the highest number will be used i Set the MTU j For Use DNS n Always DNS will always be used for this WAN when multiple interfaces have the same DNS server the interface with the lowest metric will be used for DNS requests n When primary default...

Page 130: ...ne type config to enter configuration mode config config 3 Create a new WAN or edit an existing one n To create a new WAN named my_wan config add network interface my_wan config network interface my_wan n To edit an existing WAN named my_wan change to the my_wan node in the configuration schema config network interface my_wan config network interface my_wan 4 Set the appropriate firewall zone conf...

Page 131: ...fig network interface my_wan ipv4 type dhcp config network interface my_wan a Optional IPv4 configuration items i Set the IP metric config network interface my_wan ipv4 metric num config network interface my_wan See Configure WAN WWAN priority and default route metrics for further information about metrics ii Set the relative weight for default routes associated with this interface For multiple ac...

Page 132: ...then be configured to register the device s hostname and IP address with an associated DNS server config network interface my_wan ipv4 dhcp_hostname true config network interface my_wan n See RFC4702 for further information about DHCP server support for the Client FQDN option n See Configure system information for information about setting the LR54 device s system name b See Configure SureLink act...

Page 133: ... WAN WWAN priority and default route metrics for further information about metrics 8 Optional To configure 802 1x port based network access control Note The LR54 can function as an 802 1x authenticator it does not function as an 802 1x supplicant a Enable the 802 1x authenticator on the LR54 device config network interface my_wan 802_1x authentication enable true config network interface my_wan b ...

Page 134: ...ss for example 32 A6 84 2E 81 58 b Repeat for each additional MAC address 11 Save the configuration and apply the change config network interface my_wan save Configuration saved 12 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Configure a Wireless Wide Area Network WWAN Configuring a...

Page 135: ... IPv6 routes associated with the WAN l The IPv6 management priority of the WAN The active interface with the highest management priority will have its address reported as the preferred contact address for central management and direct device access l The IPv6 Maximum Transmission Unit MTU of the WAN l When to use DNS always never or only when this interface is the primary default route l SureLink ...

Page 136: ...t To disable toggle off Enable n To edit an existing WWAN click to expand the WWAN 5 For Zone select External 6 For Device select the cellular modem 7 For Match SIM by select a SIM matching criteria to determine when this WWAN should be used n If SIM slot is selected for Match SIM slot select which SIM slot must be active for this WWAN to be used n If Carrier is selected for Match SIM carrier s...

Page 137: ...ies which means that the best available technology will be used Note If Manual is configured for Carrier selection mode and a specific network technology is selected for the Network technology your modem must support the selected technology or no cellular connection will be established If you are using a cellular connection to perform this procedure you may lose your connection and the device will...

Page 138: ...highest number will be used f Set the MTU g For Use DNS n Always DNS will always be used for this WWAN when multiple interfaces have the same DNS server the interface with the lowest metric will be used for DNS requests n When primary default route Only use the DNS servers provided for this WWAN when the WWAN is the primary route n Never Never use DNS servers for this WWAN The default setting is W...

Page 139: ...min to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Create a new WWAN or edit an existing one n To create a new WWAN named my_wwan config add network interface my_wwan config network interface my_wwan n To edit an existing WWAN named my_wwan change to the my_wwan node in the configuration schema config network interface my_wwan config network i...

Page 140: ...erface my_wwan modem carrier Match SIM carrier The SIM carrier match criteria This interface is applied when the SIM card is provisioned from the carrier Format AT T Rogers Sprint T Mobile Telstra Verizon Vodafone other Default value AT T Current value AT T config network interface my_wwan b Set the carrier config network interface my_wwan modem carrier value config network interface my_wwan n icc...

Page 141: ...interface my_wwan Normally this should be left blank It is only necessary to complete this field if the SIM does not have a phone number or if the phone number is incorrect 9 Roaming is enabled by default To disable config network interface my_wwan modem roaming false config network interface my_wwan 10 Set the carrier selection mode config network interface my_wwan modem operator_mode value confi...

Page 142: ...the active SIM fails to connect To disable config network interface my_wwan modem sim_failover false config network interface my_wwan If enabled a Set the number of times that the device should attempt to connect to the active SIM before failing over to the next available SIM config network interface my_wwan modem sim_failover_retries num config network interface my_wwan The default setting is 5 b...

Page 143: ...nterface my_wwan b Set the metric config network interface my_wwan ipv4 metric num config network interface my_wwan See Configure WAN WWAN priority and default route metrics for further information about metrics c Set the relative weight for default routes associated with this interface For multiple active interfaces with the same metric the weight is used to load balance traffic to the interfaces...

Page 144: ...with this interface For multiple active interfaces with the same metric the weight is used to load balance traffic to the interfaces config network interface my_wwan ipv4 weight num config network interface my_wwan d Set the management priority This determines which interface will have priority for central management activity The interface with the highest number will be used config network interf...

Page 145: ... selection menu Type admin to access the Admin CLI 2 Enter the show network command at the Admin CLI prompt show network Interface Proto Status Address defaultip IPv4 up 192 168 210 1 24 defaultlinklocal IPv4 up 169 254 100 100 16 lan1 IPv4 up 192 168 2 1 24 lan1 IPv6 up fd00 2704 1 48 loopback IPv4 up 127 0 0 1 8 wan1 IPv4 up 10 10 10 10 24 wan1 IPv6 up fe00 2404 240 f4ff fe80 120 64 wwan IPv4 up...

Page 146: ...10 10 10 1 IPv4 MTU 1500 IPv4 Metric 1 IPv4 Weight 10 IPv4 DNS Server s 10 10 10 2 10 10 10 3 IPv6 Status up IPv6 Type dhcpv6 IPv6 Address es fe00 2404 240 f4ff fe80 120 64 IPv6 Gateway ff80 234 f3ff ff0e 4320 IPv6 MTU 1500 IPv6 Metric 1 IPv6 Weight 10 IPv6 DNS Server s fd00 244 1 fe80 234 f3f4 fe0e 4320 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented ...

Page 147: ...on window is displayed 3 Click Network Interfaces 4 Click the menu icon next to the name of the WAN or WWAN to be deleted and select Delete 5 Click Apply to save the configuration and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuratio...

Page 148: ...our device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Default outbound WAN WWAN ports The following table lists the default outbound network communications for LR54 WAN WWAN interfaces Description TCP UDP Port number Digi Remote Manager connection to my devicecloud com TCP 3199 NTP date time sync to time devicecloud com UDP 123 DNS reso...

Page 149: ...ou can create new LANs This section contains the following topics About Local Area Networks LANs 150 Configure a Local Area Network LAN 150 Change the default LAN subnet 158 Example Configure two LANs 159 Show LAN status and statistics 169 Delete a LAN 171 DHCP servers 173 Create a Virtual LAN VLAN route 191 Default services listening on LAN ports 194 Configure an interface to operate in passthrou...

Page 150: ... LAN to have an IP address if you want to send traffic from other networks to the LAN you must configure an IP address Note By default LAN1 is set to an IP address of 192 168 2 1 and uses the IP subnet of 192 168 2 0 24 If the WAN ETH1 Ethernet device is being used by a WAN with the same IP subnet you should change the default IP address and subnet of LAN1 Additional configuration items n Addition...

Page 151: ... length and ID l IPv6 DHCP server configuration See DHCP servers for more information n MAC address denylist and allowlist To create a new LAN or edit an existing LAN Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage ...

Page 152: ...e LR54 can function as an 802 1x authenticator it does not function as an 802 1x supplicant a Click to expand Authentication b Click Enable server to enable the 802 1x authenticator on the LR54 device c Set the Reauth period 9 Configure IPv4 settings a Click to expand IPv4 IPv4 support is enabled by default b For Type select Static IP address c For Address type the IP address and subnet of the LAN...

Page 153: ...ance traffic to the interfaces h Set the Management priority This determines which interface will have priority for central management activity The interface with the highest number will be used i Set the MTU 12 Optional Click to expand MAC address denylist Incoming packets will be dropped from any device whose MAC address is included in the MAC address denylist a Click to expand MAC address de...

Page 154: ...ll configuration for further information 5 Select an Ethernet device a Wi Fi device or a bridge See Bridging for more information about bridging a Enter device to view available devices and the proper syntax config network interface my_lan device Device The network device used by this network interface Format network device eth1 network device eth2 network device eth3 network device eth4 network d...

Page 155: ...rk interface my_lan b Optional IPv4 configuration items i Set the IP metric config network interface my_lan ipv4 metric num config network interface my_lan ii Set the relative weight for default routes associated with this interface For multiple active interfaces with the same metric the weight is used to load balance traffic to the interfaces config network interface my_lan ipv4 weight num config...

Page 156: ...t Value enable true Enable metric 0 Metric mgmt 0 Management priority mtu 1500 MTU prefix_id 1 Prefix ID prefix_length 48 Prefix length type prefix_delegation Type weight 10 Weight Additional Configuration connection_monitor Active recovery dhcpv6_server DHCPv6 server config network interface my_lan View default settings for the IPv6 DHCP server config network interface my_lan ipv6 dhcpv6_server D...

Page 157: ...value is an integer between 0 and 86400 The default is 3600 9 Optional Configure the MAC address denylist Incoming packets will be dropped from any device whose MAC address is included in the MAC address denylist a Add a MAC address to the denylist config network interface my_lan add mac_denylist end mac_address config network interface my_lan where mac_address is a hyphen separated MAC addres...

Page 158: ...Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Local Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window...

Page 159: ...e Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Example Configure two LANs The default configuration of the LR54 consists of one LAN LAN1 which is configured to use the LAN1 bridge Its default IP address is 192.168.2.1 and it has its DHCP server enabled The default configuration of the LAN1 bridge consist...

Page 160: ... Configure bridges In this task we will create a new bridge and configure the LAN1 and LAN2 bridges to use the following devices n LAN1 bridge l ETH2 l WWAN2 cellular modem n LAN2 bridge l ETH3 l Digi AP Wi Fi2 In task two we will assign the new LAN2 bridge to a LAN ...

Page 161: ...te Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Local Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Configuration Network Bridges LAN1 Devices 4 Delete the ETH3 ETH4 and Digi AP Wi Fi2 devices from the bridge a Click the menu icon next to the ETH3 device and se...

Page 162: ...click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Display a list of devices currently configured for the LAN1 bridge config show network bri...

Page 163: ...e LAN1 bridge now has only two devices ETH2 and Digi AP Wi Fi1 config show network bridge lan1 device 0 network device eth2 1 network wireless ap digi_ap1 config 5 Create a new bridge named LAN2 config add network bridge LAN2 config network bridge LAN2 6 Add devices to the bridge a View available devices and the proper syntax by using the add device command with the TAB autocomplete feature config...

Page 164: ...N2 bridge now has two devices ETH3 and Digi AP Wi Fi2 config network bridge LAN2 show network bridge lan2 device 0 network device eth3 1 network wireless ap digi_ap2 config network bridge LAN2 7 Save the configuration and apply the change config network bridge LAN2 save Configuration saved 8 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access ...

Page 165: ...into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Local Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click ...

Page 166: ...ridge LAN2 c Click to expand IPv4 d For Address type 192.168.3.1/24 e Click to expand DHCP server f Click Enable 6 Enable the access points and set the SSIDs a Configure Digi AP Wi Fi1 i Click Network Wi Fi Access points Digi AP Wi Fi1 ii Click Enable iii For SSID type Example1 iv For Pre shared key enter a password that clients will use to connect to this access point ...

Page 167: ...mand line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Add a new network interface named LAN2 config add network interface LAN2 config network interface LAN2 4 Configure the device for the LAN2 interfac...

Page 168: ...gure the IPv4 address for the LAN2 interface config network interface LAN2 ipv4 address 192.168.3.1/24 config network interface LAN2 7 Enable the DHCP server for the LAN2 interface config network interface LAN2 ipv4 dhcp_server enable true config network interface LAN2 8 Enable the access points and set the SSIDs a Move to the root of the configuration schema by typing three periods config network...

Page 169: ...e new configuration The final step in this example is to verify the new configuration 1 Connect an Ethernet cable from an internet connected modem to WAN1 through the WAN ETH1 Ethernet port 2 Verify that LAN1 is operating correctly a Connect a device to LAN1 through the ETH2 Ethernet port or by connecting to the Digi AP Wi Fi1 access point b Verify that the device has been provided an IP address f...

Page 170: ...p fe00 2404 240 f4ff fe80 120 64 wwan IPv4 up 10 200 1 101 30 wwan IPv6 down 3 Additional information can be displayed by using the show network verbose command show network verbose Interface Proto Status Type Zone Device Metric Weight defaultip IPv4 up static setup lan1 10 10 defaultlinklocal IPv4 up static setup lan1 0 10 lan1 IPv4 up static internal lan1 5 10 lan1 IPv6 up static internal lan1 5...

Page 171: ...LI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Delete a LAN Follow this procedure to delete any LANs that have been added to the system You cannot delete the preconfigured LAN LAN1 Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configura...

Page 172: ...u click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Network Interfaces 4 Click the menu icon next to the name of the LAN to be deleted and select Delete 5 Click Apply to save the configuration and apply the change ...

Page 173: ... enable DHCP on your LR54 device to assign IP addresses to clients using either n The DHCP server for the device s local network which assigns IP addresses to clients on the device s local network Addresses are assigned from a specified pool of IP addresses For a local network the device uses the DHCP server that has the IP address pool in the same IP subnet as the local network When a host receiv...

Page 174: ...ents n The TFTP server name n The filepath and name of the bootfile on the TFTP server n Custom DHCP options See Configure DHCP options for information about custom DHCP options n Static leases See Map static IP addresses to hosts for information about static leases Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configura...

Page 175: ... address for example 192.168.2.xxx The remainder of the IP address will be based on the LAN s static IP address as defined in the Address field Allowed values are between 1 and 254 and the default is 100 for Lease range start and 250 for Lease range end 9 Optional DHCP server settings a Click to expand Advanced settings b For Gateway select either n None No gateway is broadcast by the DHCP server ...

Page 176: ...o access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Enable the DHCP server for an existing LAN For example to enable the DHCP server for a LAN named my_lan config network interface my_lan ipv4 dhcp_server enable true config See Configure a Local Area Network LAN for information about creating a LAN 4 Optional Set the amount of time that a DHCP lease...

Page 177: ... Allows you to identify the IP address of a custom gateway to be broadcast config network interface my_lan ipv4 dhcp_server advanced gateway_custom ip_address config The default is auto c Determine how the DHCP server should broadcast the MTU config network interface my_lan ipv4 dhcp_server advanced mtu value config where value is one of n none An MTU of length 0 is broadcast This is not recom...

Page 178: ...server advanced primary_dns_custom ip_address config The default is auto f Set the IP address or host name of the TFTP server config network interface my_lan ipv4 dhcp_server advanced nftp_ server ip_address config g Set the relative path and file name of the bootfile on the TFTP server config network interface my_lan ipv4 dhcp_server advanced bootfile filename config 8 See Configure DHCP options ...

Page 179: ...th full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Local Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Network Interfaces 4 Click to expa...

Page 180: ... CLI 2 At the command line type config to enter configuration mode config config 3 Add a static lease to the DHCP server configuration for an existing LAN For example to add static lease to a LAN named my_lan config add network interface my_lan ipv4 dhcp_server advanced static_ lease end config network interface my_lan ipv4 dhcp_server advanced static_lease 0 See Configure a Local Area Network LAN...

Page 181: ...ng To view your current static IP mapping Web 1 Log into the LR54 WebUI as a user with Admin access 2 On the main menu click Status 3 Under Networking click DHCP Leases Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an A...

Page 182: ...elete static IP mapping entries To delete a static IP entry Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Local Web UI a On the menu clic...

Page 183: ...Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Show the static lease configuration For example to show the static leases for a lan named my_lan config show network interface my_lan ipv4 dhcp_server advanced static_ lease 0 ip 192 168 2 10 mac BF C3 46 24 0E D9 no name 1 ip 192 168 2 11 mac E3 C1 1F 65 C3 0E no ...

Page 184: ...CP options to DHCP clients You can also set the user class which enables you to specify which specific DHCP clients will receive the option You can also force the command to be sent to the clients DHCP options can be set on a per LAN basis or can be set for all LANs A total of 32 DHCP options can be configured Required configuration items n DHCP option number n Value for the DHCP option Additional...

Page 185: ... is displayed 3 Click Network Interfaces 4 Click to expand an existing LAN or create a new LAN See Configure a Local Area Network LAN 5 Click to expand IPv4 DHCP server Advanced settings Custom DHCP option 6 For Add Custom option click Custom options are enabled by default To disable toggle off Enable 7 For Option number type the DHCP option number 8 For Value type the value of the DHCP option 9 O...

Page 186: ...stom_option 0 See Configure a Local Area Network LAN for information about creating a LAN 4 Custom options are enabled by default To disable config network interface my_lan ipv4 dhcp_server advanced custom_option 0 enable false config network interface my_lan ipv4 dhcp_server advanced custom_option 0 5 Set the option number for the DHCP option config network interface my_lan ipv4 dhcp_server advan...

Page 187: ...e configuration you may be presented with an Access selection menu Type quit to disconnect from the device Configure DHCP relay DHCP relay allows a router to forward DHCP requests from one LAN to a separate DHCP server typically connected to a different LAN For the LR54 device DHCP relay is configured by providing the IP address of a DHCP relay server rather than an IP address range If both the DH...

Page 188: ... your device b Click the Device ID c Click Settings d Click to expand Config Local Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Network Interfaces 4 Click to expand an existing LAN or create a new LAN See Configure a Local Area Network LAN 5 Disable the DHCP server if it is enabled a Click to expand IPv4 DHCP server ...

Page 189: ...e a Local Area Network LAN for information about creating a LAN 4 Set the IP address of the DHCP relay server config network interface my_lan ipv4 dhcp_relay 0 address 10.10.10.10 config network interface my_lan ipv4 dhcp_relay 0 5 Optional Add additional DHCP relay servers a Move back one step in the configuration schema by typing two periods config network interface my_lan ipv4 dhcp_relay 0 conf...

Page 190: ...tworking click DHCP Leases Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 Enter the show dhcp lease command at the Admin CLI prompt show dhcp lease IP Address ...

Page 191: ...o disconnect from the device Create a Virtual LAN VLAN route Virtual LANs VLANs allow splitting a single physical LAN into separate Virtual LANs This is useful for security reasons and also helps to reduce broadcast traffic on the LAN Required configuration items n Device to be assigned to the VLAN n The VLAN ID The TCP header uses the VLAN ID to identify the destination VLAN for the packet ...

Page 192: ...scribed in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Local Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Network Virtual LAN 4 Type a name for the VLAN and click 5 Select the Device 6 Type or select a unique numeric ID for the VLAN ID 7 Click...

Page 193: ...ig 4 Set the device to be used by the VLAN a View a list of available devices config network vlan vlan1 device Device The Ethernet device to use for this virtual LAN Format network device wan1 network device lan1 network device eth3 network device eth4 network device loopback network vlan vlan1 network bridge lan network wireless ap digi_ap Current value config network vlan vlan1 b Add the device ...

Page 194: ... port 443 Configure an interface to operate in passthrough mode You can configure interfaces on your LR54 device to operate in passthrough mode which means that the device passes the IP address assigned to it on a WAN or cellular modem interface to a client connected to a LAN interface Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access ...

Page 195: ... off Enable 5 For Interface type select IP Passthrough 6 For Zone select Internal 7 For Device select an Ethernet device or a Wi Fi access point 8 Add one or more interface that will be the source of the passed through IP address a Click to expand Source interfaces b Click to add a source interface c Select the appropriate Interface d Repeat for additional interfaces 9 Optional Packet filtering is...

Page 196: ...ient 13 If PPPoE server is selected for Server type a Click to expand PPPoE server b For Service name type the name of service to offer to the client c For Access concentrator name type the name of the access concentrator to report to the client If no name is provided the host name is used d For Authentication method select the authentication method used to connect to the remote peer If an authent...

Page 197: ...metric Weight is used to load balance traffic to the interfaces e Set the Management priority This determines which interface will have priority for central management activity The interface with the highest number will be used f Set the MTU g For Use DNS select one of the following n Always DNS will always be used for this WAN when multiple interfaces have the same DNS server the interface with t...

Page 198: ...zone to internal config network interface ip_passthrough_interface zone internal config network interface ip_passthrough_interface 6 Select an Ethernet device or a Wi Fi access point for this interface a Enter device to view available devices and the proper syntax config network interface my_wan device Device The network device used by this network interface Format network device eth1 network devi...

Page 199: ...will be used config network interface ip_passthrough_interface ipv4 mgmt num config network interface ip_passthrough_interface d Set the MTU config network interface ip_passthrough_interface ipv4 mtu num config network interface ip_passthrough_interface e Configure how to use DNS config network interface ip_passthrough_interface ipv4 use_dns value config network interface ip_passthrough_interface ...

Page 200: ...an 802 1x authenticator it does not function as an 802 1x supplicant a Enable the 802 1x authenticator on the LR54 device config network interface ip_passthrough_interface 802_1x authentication enable true config network interface ip_passthrough_interface b Set the frequency period for reauthorization config network interface ip_passthrough_interface 802_1x authentication reauth_period value confi...

Page 201: ...ple devices such as Ethernet devices and wireless access points By default the LR54 has the following preconfigured bridges You can modify configuration settings for the existing bridge and you can create new bridges This section contains the following topics Edit the preconfigured LAN1 bridge 202 Configure a bridge 206 ...

Page 202: ...LAN1 bridge Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Local Web UI a On the menu click System Under Configuration click Device Config...

Page 203: ...e 6 Optional Enable Spanning Tree Protocol STP STP is used when using multiple LANs on the same device to prevent bridge loops and other routing conflicts a Click STP b Click Enable c For Forwarding delay enter the number of seconds that the device will spend in each of the listening and learning states before the bridge begins forwarding data The default is 2 seconds 7 Click Apply to save the con...

Page 204: ...the devices included with the bridge config show network bridge lan1 device 0 network device eth2 1 network device eth3 2 network device eth4 3 network wireless ap digi_ap1 4 network wireless ap digi_ap2 config ii Use the index number to delete the appropriate device For example to delete the Digi AP Wi Fi1 Wi Fi access point from the bridge config del network bridge lan device 3 config Note If yo...

Page 205: ... my_bridge add device end network wireless ap digi_ap1 config 5 Optional Enable Spanning Tree Protocol STP STP is used when multiple LANs are configured on the same device to prevent bridge loops and other routing conflicts a Enable STP config network bridge lan1 stp enable true b Set the number of seconds that the device will spend in each of the listening and learning states before the bridge be...

Page 206: ...ridge Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Local Web UI a On the menu click System Under Configuration click Device Configuratio...

Page 207: ...ddress of the bridge is taken from the first available device in the list 7 Optional Enable Spanning Tree Protocol STP STP is used when using multiple LANs on the same device to prevent bridge loops and other routing conflicts a Click STP b Click Enable c For Forwarding delay enter the number of seconds that the device will spend in each of the listening and learning states before the bridge begin...

Page 208: ... network bridge my_bridge enable false config network bridge my_bridge n To enable if it has been disabled config network bridge my_bridge enable true config network bridge my_bridge 5 Add devices to the bridge a Determine available devices config network bridge my_bridge interface lan1 device Device The network device used by this network interface Format network device eth1 network device eth2 n...

Page 209: ...num config The default is 2 seconds 7 Save the configuration and apply the change config save Configuration saved 8 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Show Surelink status and statistics You can show Surelink status for all interfaces or for an individual interface You can...

Page 210: ...device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 Use the show surelink interface name name command to show the Surelink status of a specific interface for example show surelink interface...

Page 211: ...t the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 Use the show surelink ipsec tunnel name command to show the Surelink status of a specific tunnel for example show surelink ipsec tu...

Page 212: ...tatus for a specific OpenVPN client To show the Surelink status a specific OpenVPN client use the show surelink openvpn client name command 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access ...

Page 213: ...used to log into the CLI n Remote Access Provides socket level access to ports n Application Provides access to the serial device from Python applications n UDP serial Provides access to the serial port using UDP n Modbus Allows the device to function as a Modbus protocol gateway View serial port information n Show serial status and statistics n Log serial port messages Default serial port configu...

Page 214: ...reflected in both 3 Click the name of the port that you want to configure The serial port is enabled by default To disable toggle off Enable 4 For Mode select Login This is the default 5 Optional For Label enter a label that will be used when referring to this port 6 Expand Serial Settings The entries in the following fields must match the information for the power controller Refer to your power c...

Page 215: ...elect the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 The serial port is enabled by default To disable co...

Page 216: ...nfig 10 Set the type of flow control used by the device to which you want to connect config path paramflow value config where value is one of n none n rts cts n xon xoff 11 Save the configuration and apply the change config save Configuration saved 12 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect fr...

Page 217: ...e used when referring to this port 6 Expand Serial Settings The entries in the following fields must match the information for the power controller Refer to your power controller manual for the correct entries a Baud rate For Baud rate select the baud rate used by the device to which you want to connect The default is 115000 b Data bits For Data bits select the number of data bits used by the devi...

Page 218: ...ettings All service settings are disabled by default Click available options to toggle them to enabled and set the IP ports as appropriate For each type of service you can also configure the access control To do this you need to go to Device Configuration a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed b Access the configuration for t...

Page 219: ...s n To limit access to specified IPv6 addresses and networks i Click IPv6 Addresses ii For Add Address click iii For Address enter the IPv6 address or network that can access the device s service type Allowed values are l A single IP address or host name l A network designation in CIDR notation for example 2001:db8::/48 l any No limit to IPv6 addresses that can access the service type iv Click again...

Page 220: ...i For Data match string type the string that when received will trigger the connection ii Flush match string is enabled by default which will discard the matched string from data sent to the server Click to toggle off to disable g Click Enable TCP keep alive messages to enable TCP keepalive on the connection h Click Enable TCP nodelay to enable TCP nodelay on the connection i For Socket ID string ...

Page 221: ...min to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Serial ports is enabled by default To disable config serial port_number enable false config Command line examples in this section will use port1 for the serial port However any port number can be used 4 Set the mode config serial port1 mode remoteaccess config 5 Optional Set a label that will ...

Page 222: ...on settings a Set the characters used to start an escape sequence config serial port1 escape string config If no characters are defined the escape sequence is disabled The default is b b Limit access to the serial port to a single active session config serial port1 exclusive true config c Set the number of bytes of output from the serial port that are written to buffer These bytes are redisplayed ...

Page 223: ...3 Optional Configure autoconnect a Enable autoconnect config serial port1 autoconnect enable true config b Set the option that will trigger the connection config serial port1 autoconnect trigger value config where value is one of n always n data n dcd n destination n dsr n match If match is selected i Set the string that when received will trigger the connection config serial port1 autoconnect mat...

Page 224: ... for example config serial port1 autoconnect destination admin 192 168 1 1 config e Set the TCP port of the destination server config serial port1 autoconnect port int config where int is any integer between 1 and 65535 f To enable TCP keepalive config serial port1 autoconnect keepalive true config g To enable TCP nodelay config serial port1 autoconnect nodely true config h Set the text to be tran...

Page 225: ...u want to remove the end pattern from the packet before it is sent config serial port1 framing strip_pattern true config 15 Optional Configure service settings a Configure SSH settings i Enable SSH config serial port1 service ssh enable true config ii Set the port to be used for ssh communications config serial port1 service ssh port int config where int is any integer between 1 and 65535 The defa...

Page 226: ...cess the service type Repeat this step to list additional IP addresses or networks n To limit access to hosts connected through a specified interface on the LR54 device config add serial port1 service ssh acl interface end value config Where value is an interface defined on your device Display a list of available interfaces Use network interface to display interface information config network inte...

Page 227: ...epeat this step to include additional firewall zones vi Optional Enable Multicast DNS mDNS config serial port1 service ssh mdns enable true config b Configure TCP settings i Enable TCP config serial port1 service tcp enable true config ii Set the port to be used for ssh communications config serial port1 service tcp port int config where int is any integer between 1 and 65535 The default is 4001 i...

Page 228: ...at this step to list additional IP addresses or networks n To limit access to specified IPv6 addresses and networks config add serial port1 service tcp acl address6 end value config Where value can be l A single IP address or host name l A network designation in CIDR notation for example 2001:db8::/48 l any No limit to IPv6 addresses that can access the service type Repeat this step to list addition...

Page 229: ... is a firewall zone defined on your device or the any keyword Display a list of available firewall zones Type firewall zone at the config prompt config firewall zone Zones A list of groups of network interfaces that can be referred to by packet filtering rules and access control lists Additional Configuration any dynamic_routes edge external hotspot internal ipsec loopback setup config Repeat this...

Page 230: ...ig add serial port1 service telnet acl address end value config Where value can be l A single IP address or host name l A network designation in CIDR notation for example 192.168.1.0/24 l any No limit to IPv4 addresses that can access the service type Repeat this step to list additional IP addresses or networks n To limit access to specified IPv6 addresses and networks config add serial port1 serv...

Page 231: ...local IP lan1 LAN1 loopback Loopback wan1 WAN1 wwan WWAN config Repeat this step to list additional interfaces n To limit access based on firewall zones config add serial port1 service telnet acl zone end value config Where value is a firewall zone defined on your device or the any keyword Display a list of available firewall zones Type firewall zone at the config prompt config firewall zone Zones...

Page 232: ...ess selection menu Type quit to disconnect from the device Configure Application mode Application mode provides access to the serial device from Python applications To change the configuration to match the serial configuration of the device to which you want to connect Web 1 Log into the LR54 WebUI as a user with Admin access 2 On the menu click System Under Configuration click Serial Configuratio...

Page 233: ...d at the top of the WebUI page You may need to scroll to the top of the page to locate it Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line t...

Page 234: ...PP dial in allows the device to answer Point to Point Protocol PPP connections over serial ports To change the configuration to match the serial configuration of the device to which you want to connect Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi...

Page 235: ...ut type the amount of time that the active session can be idle before the session is disconnected. Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}. For example, to set Idle timeout to ten minutes, enter 10m or 600s. 9. Click to expand PPP dial-in. 10. For Local IP address, type the IP address assigned to this interface. 11. For Remote IP address, type ...

Page 236: ...ed in addition to the default configuration d For Configuration file paste or type the configuration data in the format of a pppd options file 16 Optional Configure a script that will be run to prepare the link before PPP negotiations are started a Click to expand Connect script b Click Enable to enable the use of a connection script c For Connect script filename type the name of the script Script...

Page 237: ...on you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 The serial port is enabled by default To disable config serial port1 enable false config 4 Set the mode config serial port1 mode ppp_dialin config 5 Optional Set a label that will be used when referring to this port config serial por...

Page 238: ...p_dialin remote_address IPv4_address config 11 Set the authentication method used to authenticate the remote peer config serial port1 ppp_dialin auth value config where value is one of n none No authentication is required n auto Attempt to authenticate using CHAP first and then PAP n chap Use Challenge Handshake Authentication Protocol CHAP to authenticate n pap Use Password Authentication Protoco...

Page 239: ...ipsec loopback setup Default value internal Current value internal config b Set the zone config serial port1 ppp_dialin zone zone config 14 Optional Configure the serial port to use a custom PPP configuration file a Enable the use of a custom PPP configuration file config serial port1 ppp_dialin custom enable true config b Enable override to override the default PPP configuration and only use the ...

Page 240: ...Windows dial up networking connection with built in standard 33600 bps modem driver and phone number 123 The shell s read builtin breaks on newline so translate incoming carriage return to newline and outgoing newline to carriage return newline stty icrnl onlcr opost Read input from the serial port one line at a time while read r line do case line in ATDT123 echo CONNECT instruct the peer to start...

Page 241: ...System Under Configuration click Serial Configuration The Serial Configuration page is displayed Note You can also configure the serial port by using Device Configuration Serial Changes made by using either Device Configuration or Serial Configuration will be reflected in both 3 Click to expand the port that you want to configure for UDP serial mode The serial port is enabled by default To disable...

Page 242: ...used by the device to which you want to connect 7 Expand Data Framing Settings a Click to expand Data Framing i Click Enable to enable the data framing feature ii For Maximum Frame Count enter the maximum size of the packet The default is 1024 iii For Idle Time enter the length of time the device should wait before sending the packet iv For End Pattern enter the end pattern The packet is sent when...

Page 243: ... Description enter a description of the destination iii For Hostname enter the host name or IP address of the remote site to which data should be sent iv For Port enter the port number of the remote site to which data should be sent You can also configure access control for the serial port To do this you need to go to Device Configuration a On the menu click System Under Configuration click Device...

Page 244: ...owed values are: a single IP address or host name; a network designation in CIDR notation, for example 192.168.1.0/24; or any, meaning no limit to IPv4 addresses that can access the service type. iv. Click again to list additional IP addresses or networks. To limit access to specified IPv6 addresses and networks: i. Click IPv6 Addresses. ii. For Add Address, click. iii. For Address, enter the IPv6 address or network...

Page 245: ...ii For Zone select the appropriate firewall zone from the dropdown See Firewall configuration for information about firewall zones iv Click again to allow access through additional firewall zones 9 Click Apply to save the configuration and apply the change The Apply button is located at the top of the WebUI page You may need to scroll to the top of the page to locate it Command line 1 Select the d...

Page 246: ...al port1 label databits bits config 8 Set the type of parity used by the device to which you want to connect config serial port1 label parity parity config Allowed values are n even n odd n none The default is none 9 Set the stop bits used by the device to which you want to connect config serial port1 label stopbits bits config 10 Set the type of flow control used by the device to which you want t...

Page 247: ...onfig 12. Set the UDP port: config serial port1 udp port port config The default is 4001. 13. Optional: Enter a string that should be added at the beginning of each packet: config serial port1 udp socketid backslash escaped string config 14. Configure the remote sites to which you want to send data. If you do not specify any destinations, the LR54 sends new data to the last hostname and port from which data...

Page 248: ...4 addresses that can access the service type. Repeat this step to list additional IP addresses or networks. To limit access to specified IPv6 addresses and networks: config add serial port1 udp acl address6 end value config Where value can be: a single IP address or host name; a network designation in CIDR notation, for example 2001:db8::/48; or any, meaning no limit to IPv6 addresses that can access the servi...

Page 249: ...zone at the config prompt config firewall zone Zones A list of groups of network interfaces that can be referred to by packet filtering rules and access control lists Additional Configuration any dynamic_routes edge external hotspot internal ipsec loopback setup config Repeat this step to include additional firewall zones n To limit access to specified IPv4 addresses and networks config add serial...

Page 250: ...ified interface on the LR54 device config add serial port1 udp acl interface end value config Where value is an interface defined on your device Display a list of available interfaces Use network interface to display interface information config network interface Interfaces Additional Configuration defaultip Default IP defaultlinklocal Default Link local IP lan1 LAN1 loopback Loopback wan1 WAN1 ww...

Page 251: ...ge config save Configuration saved 17 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Configure Modbus mode Modbus mode allows you to use the serial port for Modbus See Modbus gateway To change the configuration to match the serial configuration of the device to which you want to conne...

Page 252: ...tries a Baud rate For Baud rate select the baud rate used by the device to which you want to connect The default is 115000 b Data bits For Data bits select the number of data bits used by the device to which you want to connect The default is 8 c Parity For Parity select the type of parity used by the device to which you want to connect The default is None d Stop bits For Stop bits select the numb...

Page 253: ...path paramflow value config where value is one of n none n rts cts n xon xoff 7 Click Apply to save the configuration and apply the change The Apply button is located at the top of the WebUI page You may need to scroll to the top of the page to locate it Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Adm...

Page 254: ...r of data bits used by the device to which you want to connect The default is 8 c Parity For Parity select the type of parity used by the device to which you want to connect The default is None d Stop bits For Stop bits select the number of stop bits used by the device to which you want to connect The default is 1 e Flow control For Flow control select the type of flow control used by the device t...

Page 255: ... may be presented with an Access selection menu Type quit to disconnect from the device Show serial status and statistics To show the status and statistics for the serial port Web 1 Log into the LR54 WebUI as a user with Admin access 2 On the main menu click Status 3 Under Connections click Serial Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the LR5...

Page 256: ...efresh to refresh the log display 8 Click Download to download the serial port log 9 Optional For Log size configure the maximum allowed log size for the serial port log The default is 65536 Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may ...

Page 257: ...al port log system serial clear port number 6 To save the serial port log system serial save port number path where path is the path and file name to save captured traffic to If a relative path is provided etc config serial will be used as the root directory for the path and file 7 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection ...

Page 258: ...figure the Wi Fi radio s band and protocol 265 Configure the Wi Fi radio s transmit power 268 Configure an open Wi Fi access point 270 Configure a Wi Fi access point with personal security 276 Configure a Wi Fi access point with enterprise security 284 Isolate Wi Fi clients 292 Configure a Wi Fi client and add client networks 300 Show Wi Fi access point status and statistics 309 Show Wi Fi client ...

Page 259: ...ss point SSID and password. By default, the LR54W device has two access points enabled. The default SSID for both of the access points is Digi LR54W serial_number. The password for the default access point is the unique password as found on the device's label. See Reset default SSIDs and pre-shared keys for the preconfigured Wi-Fi access points for information about changing the default SSID and passwor...

Page 260: ...MHz 40 MHz Beacon interval 100 100 n Access points Digi AP Wi Fi1 Digi AP Wi Fi2 Enabled or disabled Enabled Enabled Radio Wi Fi1 radio Wi Fi2 radio SSID Digi LR54W serial number Digi LR54W serial_number SSID broadcast Enabled Enabled Encryption WPA2 Personal PSK WPA2 Personal PSK Pre shared key Default password as found on the device s label Default password as found on the device s label Group r...

Page 261: ...supported You can also enable support for DFS channels in client mode See Configure the Wi Fi radio to support DFS channels in client mode for information about enabling DFS support Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to v...

Page 262: ...epending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Set the channel for the radio a Determine available radios config network wifi radio Additional Configuration wifi1 Wi Fi1 radio wifi2 Wi Fi2 radio config network wifi radio b Determine the band for...

Page 263: ...non Wi-Fi purposes. In addition to the standard non-DFS channels 36, 40, 44, and 48, your LR54W can be configured to have one or more Wi-Fi clients that can connect to external Wi-Fi access points that support DFS channels. DFS channels: 52, 56, 60, 64, 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140, and 144. Higher 5GHz non-DFS channels: 149, 153, 157, 161, and 165. The Wi-Fi access point must also support connect...

Page 264: ...iguration The Configuration window is displayed 3 Click Network WiFi 4 Click to expand the appropriate Wi Fi radio 5 For Frequency band select 5 GHz 6 Click to enable DFS Client Support Note When DFS Client Support is enabled any enabled access points that use this radio will not be started and cannot be used as access points 7 Click Apply to save the configuration and apply the change Command lin...

Page 265: ...nfig Note When DFS client support is enabled any enabled access points that use this radio will not be started and cannot be used as access points 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Configure t...

Page 266: ...d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > WiFi. 4. Click to expand the appropriate Wi-Fi radio. 5. For Frequency band, select either 2.4 GHz or 5 GHz. 6. For Access point mode, select the appropriate mode. Only modes appropriate for the selected band are displayed. 7. Click Apply to sav...

Page 267: ...dio wifi2 Wi Fi2 radio config network wifi radio b Set the band for the appropriate radio config network wifi radio wifi1 band value config where value is either 2400mhz or 5000mhz c Set the mode for the Wi Fi radio For example n If the Wi Fi radio has a band of 2400mhz config network wifi radio wifi1 2400mhz mode value config where value is one of b bg bgn g gn or n n If the Wi Fi radio has a ban...

Page 268: ...Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Local Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Network WiFi 4 ...

Page 269: ... access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Set transmit power for the radio a Determine available radios config network wifi radio Additional Configuration wifi1 Wi Fi1 radio wifi2 Wi Fi2 radio config network wifi radio b Set the transmit power percentage for the appropriate radio config network wifi radio wifi1 tx_power value config where v...

Page 270: ...the access point n Configure open security for the access point n LAN bridge assignment Once you configure a Wi Fi access point you must assign the Wi Fi access point to a LAN interface or to a bridge See Configure a Local Area Network LAN and Configure a bridge for more information Additional configuration items n Determine whether to broadcast the access point s SSID n Determine whether to isola...

Page 271: ...he access point and click n To modify an existing access point click to expand the access point The Wi Fi access point configuration window is displayed 5 For SSID type the SSID Up to 32 characters are allowed 6 Enable SSID broadcast to configure the radio to broadcast the SSID 7 Optional Enable Isolate clients to prevent clients that are connected to this access point from communicating with each...

Page 272: ...ime between rekeys can improve connectivity issues in noisy environments To disable group rekeys set to 0 This will allow any client that has previously connected to see all broadcast traffic on the wireless network until the Wi Fi radio is restarted The default is 10 minutes 10 Assign the Wi Fi access point to a LAN interface or to a bridge See Configure a Local Area Network LAN and Configure a b...

Page 273: ...ifi ap new_AP where value is either n none No encryption is used n owe Uses WPA3 Enhanced Open which uses Opportunistic Wireless Encryption OWE technology to provide encryption for Wi Fi networks that do not use password protection Note Only select owe if you know that all Wi Fi clients connecting to this device will have WPA3 capabilities 7 Optional Determine whether to prevent clients that are c...

Page 274: ...nterface or to a bridge See Configure a Local Area Network LAN and Configure a bridge for more information The access point must be assigned to an active LAN or a bridge that is assigned to an active LAN 2 Save the configuration and apply the change config save Configuration saved 3 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection...

Page 275: ...vide encryption for Wi Fi networks that do not use password protection Note Only select owe if you know that all Wi Fi clients connecting to this device will have WPA3 capabilities 7 Optional Determine whether to prevent clients that are connected to this access point from communicating with each other config network wifi ap digi_ap1 isolate_client true config See Isolate Wi Fi clients for informa...

Page 276: ...a Local Area Network LAN and Configure a bridge for more information The access point must be assigned to an active LAN or a bridge that is assigned to an active LAN 2 Save the configuration and apply the change config save Configuration saved 3 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the...

Page 277: ...access point so that they cannot communicate with each other n The amount of time to wait before changing the group key To configure a Wi Fi access point to use personal security Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view...

Page 278: ...ryption select one of the following n WPA Personal PSK All Wi Fi clients must support WPA to be able to authenticate n WPA WPA2 Personal PSK Wi Fi clients that support WPA and WPA2 are able to authenticate n WPA2 Personal PSK All Wi Fi clients must support WPA2 to be able to authenticate n WPA2 PSK WPA3 SAE mixed mode Wi Fi clients that support WPA2 and WPA3 are able to authenticate n WPA3 Persona...

Page 279: ...a bridge that is assigned to an active LAN 12 Click Apply to save the configuration and apply the change Command line Configure a new Access point 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to ...

Page 280: ...support WPA2 and WPA3 are able to authenticate n sae Uses WPA3 Personal mode All Wi Fi clients must support WPA3 to be able to authenticate config network wifi ap new_AP encryption type psk2sae config network wifi ap new_AP 7 Optional Determine whether to prevent clients that are connected to this access point from communicating with each other config network wifi ap digi_ap1 isolate_clients true ...

Page 281: ...ten minutes enter either 10m or 600s config network wireless ap new_AP encryption group_rekey 600s config network wireless ap new_AP Increasing the time between rekeys can improve connectivity issues in noisy environments To disable group rekeys set to 0 This will allow any client that has previously connected to see all broadcast traffic on the wireless network until the Wi Fi radio is restarted ...

Page 282: ... option config network wifi ap new_AP encryption type value config network wifi ap new_AP where value is one of n psk Uses WPA Personal PSK All Wi Fi clients must support WPA to be able to authenticate n mixedpsk Uses mixed WPA WPA2 Personal PSK mode Wi Fi clients that support WPA and WPA2 are able to authenticate n psk2 Uses WPA2 Personal PSK mode All Wi Fi clients must support WPA2 to be able to...

Page 283: ...f the access point, and after a client has disconnected, it will be able to use the group key to decrypt broadcast packets until the key is changed: config network wifi ap digi_ap1 encryption group_rekey value config where value is any number of days, hours, minutes, or seconds, and takes the format number{d|h|m|s}. For example, to set group rekey interval to ten minutes, enter either 10m or 600s: config netw...

Page 284: ...i AP Wi Fi2 You cannot delete default access points but you can modify them or you can create your own access points Required configuration items n Enable the Wi Fi access point n Select a Wi Fi radio for the access point n The Service Set Identifier SSID for the access point n Configure security for the access point to WPA2 enterprise n The IP address for one or more RADIUS servers n The secret k...

Page 285: ...ck to expand Config Local Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Network WiFi Access points 4 Create a new access point or modify an existing access point n To create a new access point for Add WiFi access point type a name for the access point and click n To modify an existing access point click to expand the ...

Page 286: ...xpand RADIUS server list b Click to expand RADIUS server c For RADIUS IP hostname type the IP address or hostname of the RADIUS server d Optional Change the RADIUS port The default port is 1812 e For RADIUS secret key type the secret key as configured on the RADIUS server f To add additional RADIUS servers click 10 Optional For Group rekey interval type the amount of time to wait before changing t...

Page 287: ...e device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Create a new access point config add network wifi ap new_AP...

Page 288: ... as configured on the RADIUS server config network wifi ap new_AP encryption radius_servers 0 key secret_key config network wifi ap new_AP c Optional Set the RADIUS server s port The default is 1812 config network wifi ap new_AP encryption radius_servers 0 port port config network wifi ap new_AP d Optional Add and configure additional radius servers i Add a server config network wifi ap new_AP add...

Page 289: ...to a LAN interface or to a bridge See Configure a Local Area Network LAN and Configure a bridge for more information The access point must be assigned to an active LAN or a bridge that is assigned to an active LAN 2 Save the configuration and apply the change config save Configuration saved 3 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access...

Page 290: ...municating with each other config network wifi ap digi_ap1 isolate_client true config See Isolate Wi Fi clients for information about how to prevent clients connected to different access points from communicating with each other 8 Set the IP address or hostname of the RADIUS server config network wifi ap digi_ap1 encryption host_wpa2 hostname config 9 Set the secret key as configured on the RADIUS...

Page 291: ...or 600s config network wireless ap digi_ap1 encryption group_rekey 600s config Increasing the time between rekeys can improve connectivity issues in noisy environments To disable group rekeys set to 0 This will allow any client that has previously connected to see all broadcast traffic on the wireless network until the Wi Fi radio is restarted The default is 10 minutes 1 Assign the Wi Fi access po...

Page 292: ... provides instructions for both mechanisms Isolate clients connected to the same access point Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Conf...

Page 293: ... access point See Configure an open Wi Fi access point Configure a Wi Fi access point with personal security or Configure a Wi Fi access point with enterprise security 4 Optional Set the client isolation config network wifi ap digi_ap1 isolate_client true config 5 Save the configuration and apply the change config save Configuration saved 6 Type exit to exit the Admin CLI Depending on your device ...

Page 294: ...evice Configuration The Configuration window is displayed 3 Configure the firewall a Click Firewall Zones b In Add Zone enter LAN2_isolation_zone for the name of the zone and click Note We will be creating LAN2 later in the procedure c Create a firewall filter to provide internet access for the LAN2_isolation_zone i For Add packet filter click ii For Label type Allow LAN2_isolation_zone to Externa...

Page 295: ...ernal zone to the LAN2_isolation_zone this filter must be listed prior to the Allow all outgoing traffic filter which allows the Internal zone to have access to any zone To move the Drop traffic from Internal to LAN2_isolation_zone filter to the top of the list i Click the filter title ii Drag and drop the filter to the top of the list 4 Create a new LAN By default the LR54W device comes with one ...

Page 296: ...ck the down arrow next to the Digi AP Wi-Fi2 access point and select Delete. 6. Click Apply to save the configuration and apply the change. Command line: 1. Select the device in Remote Manager and click Actions > Open Console, or log into the LR54 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type ad...

Page 297: ...e security for the access point config network wifi ap new_AP encryption type value config network wifi ap new_AP where value is one of n none n psk n psk2 n wpa2 e Complete other encryption related fields as appropriate based on the type of encryption See Configure an open Wi Fi access point Configure a Wi Fi access point with personal security or Configure a Wi Fi access point with enterprise se...

Page 298: ...e external config firewall filter 2 d Create a firewall filter to drop traffic from the Internal zone used by the LAN1 interface to the LAN2_isolation_zone Firewall filters are applied in the order that they are listed As a result in order to drop traffic from the Internal zone to the LAN2_isolation_zone this filter must be added before the Allow all outgoing traffic filter which allows the Intern...

Page 299: ...s from the default LAN a Return to the root config prompt by typing three periods config firewall filter 0 config b Add the new LAN config add network interface LAN2 config network interface LAN2 c Set the device to digi_ap2 config network interface LAN2 device network wifi ap digi_ap2 config network interface LAN2 d Set the zone to LAN2_isolation_zone config network interface LAN2 zone LAN2_isola...

Page 300: ...d configuration items n Create the Wi Fi client n The LR54W device s Wi Fi radio that the Wi Fi client will use n SSID of the access point that the client will log into n The encryption type used by the access point l If a personal or mixed mode option is selected identify the Pre shared key l If an enterprise option is selected o Select the Extensible Authentication Protocol EAP one of o TLS Clie...

Page 301: ...ove between access points that have the same SSID as their signal strength varies n Additional access points that client will attempt to use If connection to one access point fails the device will attempt to connect to the next access point in the list To configure a Wi Fi client Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the de...

Page 302: ... the client will use a Click to expand SSID list b Enter the SSID of the access point that the client will use to connect to the Wi Fi network c Select the type of Encryption used by the access point n If a personal or mixed mode is selected for Pre shared key enter the password that the client will use to connect to the access point n If WPA2 Enterprise is selected l Select the Extensible Authent...

Page 303: ...interval and Long interval options to determine how often the device should scan for available access points n If the signal strength from the access point to which the client is currently connected is below the Scan threshold it will use the Short interval to determine how often to scan for available access points n If the signal strength from the access point to which the client is currently con...

Page 304: ...Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Create a new Wi Fi client config add network wifi client new_client con...

Page 305: ...yption for Wi Fi networks that do not use password protection n psk WPA personal encryption n mixedpsk Uses both WPA and WPA2 personal encryption n psk2 WPA2 personal encryption n psk2sae Uses WPA2 PSK WPA3 AES mixed mode n sae Uses WPA3 Personal mode n wpa2 WPA2 enterprise encryption c If the type of encryption is set to n psk mixedpsk psk2 psk2sae or sae set the password that the client will use...

Page 306: ...t SCEP Client The SCEP client which this Wi Fi client will use to download the necessary keys and certificates from the SCEP server Format SCEP_test_client SCEP_test_client1 Current value config network wifi client new_client ii Set the SCEP client for example config network wifi client new_client ssid 0 encryption scep_client SCEP_test_client config network wifi client new_client See Configure a ...

Page 307: ...s points that have the same SSID that is configured for the client connection based on the signal strength of the access points a Enable background scanning config network wifi client new_client background_scanning enable true config network wifi client new_client b Set the scan threshold bgscan_strength in dB that is used to determine the scanning frequency config network wifi client new_client b...

Page 308: ...point to which the client is currently connected is greater than the value of bgscan_strength config network wifi client new_client bgscan_long_interval value config network wifi client new_client where value is any integer greater than 0 The default is 1 e Configure the frequencies that will be scanned for available access points The LR54W device has three preconfigured frequencies n 2412 MHz n 2...

Page 309: ...y the change config network wireless client new_client save Configuration saved 8 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device After you configure a Wi Fi client you must assign the Wi Fi client to a WAN See Wide Area Networks WANs and Wireless Wide Area Networks WWANs for further i...

Page 310: ... view information about both active and inactive access points include the all parameter show wifi ap all AP Enabled Status SSID BSSID my_AP true up my_SSID 01 41 D1 14 36 37 digi_ap1 true up Digi2 00 40 D0 13 35 36 digi_ap2 false down Show detailed status and statistics of a specific Wi Fi access point To show a detailed status and statistics of a Wi Fi access point use the show wifi ap name name...

Page 311: ...i Fi client use the show wifi client command 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the Admin CLI prompt type show wifi client show wifi client Client Enabled S...

Page 312: ...he LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the Admin CLI prompt type show wifi client name name show wifi client name my_client Client my_client Enabled true SSID my_SSID Status up Signal 43 MAC Address 91 fe 86 d1 0e 81 Channel 48 Radio wifi1 TX...

Page 313: ...ss via your hotspot Authentication of hotspot users can be performed by the device itself by an external RADIUS server or other remote server or by HotspotSystem a cloud based hotspot management and billing service The device provides sample html pages to be used for authentication and you can modify these pages add your own pages or host HTML login pages on a remote web server Note Sample HTML pa...

Page 314: ...ADIUS server The credentials are validated by the RADIUS server The RADIUS server should be white listed by including it in the Walled garden Allowed domains or Walled garden Allowed subnets setting for the hotspot which allows unauthenticated hotspot clients to access the server for authentication The sample HTML page included with your LR54 device for RADIUS shared password authentication is log...

Page 315: ... is an open network This means that traffic transferred between the hotspot and the hotspot clients is not encrypted and can be intercepted by a packet sniffer or similar technology However the sample HTML login pages provided with your LR54 device use CHAP MD5 authentication providing a level of security during the authentication process Additionally websites that use the HTTPS protocol provide e...

Page 316: ...nable hotspot using the default configuration 317 Change the default hotspot SSID 322 Change the default hotspot IP address and subnet 324 Change the default hotspot bandwidth limits 327 Add an Ethernet port to the default hotspot 329 Use policy routes with hotspot 332 Create a new hotspot 332 Configure the hotspot to use local shared password authentication 345 Configure the hotspot to use RADIUS...

Page 317: ...ccess points n Name l Digi Hotspot AP Wi Fi1 l Digi Hotspot AP Wi Fi2 n Disabled n SSID Digi Hotspot n Encryption Open unencrypted n Hotspot access points should be set to open unencrypted See Hotspot security for further information LAN n Name LAN hotspot n Disabled n Device hotspot_bridge n IP address 192 168 100 1 30 This IP address is not used by the hotspot or the hotspot s DHCP server It mus...

Page 318: ... IP address and subnet n Modify the sample local HTML page that the LR54 device uses by default for click through authentication See Edit sample hotspot HTML pages for information Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to vie...

Page 319: ...twork Hotspots hotspot b Click Enable hotspot 4 Enable the hotspot access points a Click Network Wi Fi Access points Digi Hotspot AP Wi Fi1 b Click Enable c Click Digi Hotspot AP Wi Fi2 d Click Enable 5 Enable the hotspot bridge a Click Network Bridges hotspot_bridge b Click Enable ...

Page 320: ...6 Enable the hotspot LAN a Click Network Interface LAN LAN hotspot b Click Enable 7 Click Apply to save the configuration and apply the change ...

Page 321: ... 3 Enable the hotspot config network hotspot hotspot enable true config 4 Enable the hotspot access points config network ap digi_hotspot_ap1 enable true config network ap digi_hotspot_ap2 enable true config 5 Enable the hotspot bridge config network bridge hotspot_bridge enable true config 6 Enable the hotspot LAN config network interface lan_hotspot enable true config 7 Save the configuration an...

Page 322: ...ser with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Local Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Network Wi Fi Access points ...

Page 323: ...ter configuration mode config config 3 Change the SSID for digi_hotspot_ap1 to your preferred value config network wifi ap digi_hotspot_ap1 ssid value where value is a string of 1 to 32 characters If the value contains spaces enclose in quote marks 4 Change the SSID for digi_hotspot_ap2 to your preferred value config network wifi ap digi_hotspot_ap2 ssid value where value is a string of 1 to 32 ch...

Page 324: ...ettings l Lease time l Lease range start and end To change the default hotspot IP address and subnet Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expa...

Page 325: ...the range to assign to hotspot clients The value entered here represents the low order byte of the IP address and is combined with the subnet of the hotspot s static IP address The default is 100 d For Lease range end type the highest IP address in the range to assign to hotspot clients The value entered here represents the low order byte of the IP address and when DHCP addresses are assigned to c...

Page 326: ... either 10m or 600s config network hotspot hotspot ipv4 dhcp_server lease_time 600s config The default is 10 minutes b Set the lowest IP address in the range to assign to hotspot clients This value represents the low order byte of the IP address and is combined with the subnet of the hotspot s static IP address config network hotspot hotspot ipv4 address dhcp_server lease_start value config where ...

Page 327: ...ation for instructions n Maximum download speed in Kbps n Maximum upload speed in Kbps To change the default hotspot IP address and subnet Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Devi...

Page 328: ...s Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Change the default maximum download speed config network hotspot hotspot bandwidth_max_down value config where value is an integer between 1 and 100000 and represents the maximum download speed i...

Page 329: ...instructions n Ethernet port to be added to the hotspot To add an Ethernet port to the default hotspot Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to ex...

Page 330: ...eed to reconfigure the Ethernet port configuration for other interfaces For example to remove the ETH4 port from the LAN1 bridge a Click Network Bridges LAN1 Devices b Click the menu icon next to the Ethernet ETH4 device entry and select Delete 6 Click Apply to save the configuration and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console or log into ...

Page 331: ... the ETH1 device is configured as the device for the WAN1 interface and ETH2 ETH3 and ETH4 are configured as devices in the LAN1 bridge which is used by the LAN1 interface As a result when you add an Ethernet port to the hotspot you may need to reconfigure the Ethernet port configuration for other interfaces For example to remove the ETH4 port from the LAN1 bridge a Display the current LAN1 bridge...

Page 332: ... 0 src zone hotspot config network route policy 0 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Create a new hotspot Required configuration items n A device or bridge for the hotspot l If a bridge is use...

Page 333: ...the hotspot n The Server port used by the hotspot n Hotspot DHCP server settings l Lease time l Lease range start and end n Walled garden configuration l Domains that clients connected to the hotspot can access prior to the client being authenticated l Subnets that clients connected to the hotspot can access prior to the client being authenticated n Maximum download speed in Kbps n Maximum upload ...

Page 334: ...c For Radio select the appropriate Wi Fi radio d For SSID type the SSID Up to 32 characters are allowed This will be the SSID used by clients to connect to the hotspot If you are creating multiple access points each access point must have the same SSID e For Encryption select Open Unencrypted Hotspot access points must use open unencrypted communication See Hotspot security for more information f ...

Page 335: ...k The new hotspot configuration appears 7 Hotspots are enabled by default when they are created To disable toggle off Enable hotspot 8 For Zone leave at the default setting of hotspot The hotspot firewall zone provides the necessary firewall rules for hotspot functionality 9 For Device select an access point and Ethernet port or a bridge 10 For Authentication Mode select one of the following n Cli...

Page 336: ... an HTML page for authentication that is served by a remote web server This parameter is not available if HotspotSystem is selected for the Authentication mode 12 Optional If Local is selected for Login page source for Login page type the name of the local HTML file used for authentication This parameter is not available if HotspotSystem is selected for the Authentication mode Normally this field ...

Page 337: ...garden settings define the white list of domains and subnets that unauthenticated clients are able to access If external servers are used for client authentication such as a RADIUS server or HotspotSystem they should be included in the walled garden settings If Remote has been selected for Login page source the domain for the web server that is being used to serve the remote HTML files must be incl...

Page 338: ...guration mode config config 3 Optional Create new access points for the hotspot You can also use existing access points for the hotspot Access Points that are assigned to a hotspot or to a bridge used by a hotspot cannot be used for any other purpose If more than one access point is being used by the hotspot you must create a bridge that includes the access points a Create a new access point confi...

Page 339: ...new_hotspot_AP1 Hotspot access points must use open unencrypted communication See Hotspot security for more information e Type to return to the config prompt config network wifi ap new_hotspot_AP1 config f Add additional access points by following the above instructions 4 Optional Create a new bridge and interface for the hotspot Note Hotspot bridges must also be part of an interface with a config...

Page 340: ... config network bridge new_hotspot_bridge config d Create an interface for the bridge config add network interface hotspot_bridge_interface config network interface hotspot_bridge_interface e Add the new bridge to the interface config network interface hotspot_bridge_interface device network bridge new_hotspot_bridge config network interface hotspot_bridge_interface f Set an IP address for the int...

Page 341: ... new_hotspot_bridge interface lan1 device Device The network device used by this network interface Format network device eth1 network device eth2 network device eth3 network device eth4 network device loopback network bridge hotspot_bridge network bridge lan1 network wireless ap digi_ap1 network wireless ap digi_ap2 network wireless ap digi_hotspot_ap1 network wireless ap digi_hotspot_ap2 Default ...

Page 342: ...t the authentication mode config network hotspot new_hotspot auth value config network hotspot new_hotspot where value is one of n click_through Requires each user to accept the terms and conditions n local_shared_password Requires each user to enter a password This password is validated locally on the LR54 device and the password is the same for all users See Configure the hotspot to use local sh...

Page 343: ...ed for login set the name of the local HTML file used for authentication This option is not available if auth is set to hotspotsystem config network hotspot new_hotspot local_page HTML_filename config network hotspot new_hotspot Normally this parameter should be left blank and the device will use the default authentication HTML page See Hotspot authentication modes for information about the defaul...

Page 344: ...s in the range to assign to hotspot clients This value represents the low order byte of the IP address and is combined with the subnet of the hotspot s static IP address config network hotspot new_hotspot ipv4 address dhcp_server lease_ start value config network hotspot new_hotspot where value is any integer between 1 and 254 The default is 100 c Set the highest IP address in the range to assign ...

Page 345: ...tspot bandwidth_max_up value config network hotspot new_hotspot where value is an integer between 1 and 100000 and represents the maximum upload speed in Kbps 18 Optional Enable verbose logging to the system log config network hotspot new_hotspot debug true config network hotspot new_hotspot 19 Save the configuration and apply the change config save Configuration saved 20 Type exit to exit the Adm...

Page 346: ...hentication page and include that server in the white list of servers that unauthenticated hotspot clients can access See Customize the hotspot login page for further information Hotspot LAN configuration Configure hotspot for local shared password authentication from the WebUI 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device c...

Page 347: ...ights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Create a new hotspot or Enable hotspot using the default configuration 4 Set the authentication mode to local shared password config network hotspot hotspot_name auth local shared password co...

Page 348: ...dress or hostname of the primary RADIUS server n A user on the RADIUS server with the username guest n RADIUS server secret n RADIUS NAS ID n Domain name or subnet of the RADIUS server included in the white list of servers that unauthenticated hotspot clients can access Additional configuration items n IP address or hostname of the secondary RADIUS server to be used if the primary RADIUS server is...

Page 349: ...ble c Optional For Port type the port number to use for RADIUS authentication requests The default is 1812 d Optional For Accounting port type the port number to use for RADIUS accounting requests The default is 1813 e For Secret enter the shared secret for the RADIUS server This is configured on the RADIUS server f For NAS ID enter the unique Network Access Server NAS identifier used by the RADIU...

Page 350: ...mmand line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Create a new hotspot or Enable hotspot using the default configuration 4 Set the authentication mode to radius shared password config network hots...

Page 351: ...be reversed on the RADIUS server config network hotspot hotspot_name radius swap octets true config The default is disabled 6 Set walled garden settings Walled garden settings define the white list of domains and subnets that unauthenticated clients are able to access Include the domain or subnet of the RADIUS server s that are being used for authentication n Add domains that can be accessed by th...

Page 352: ...ate a new hotspot or Enable hotspot using the default configuration n Select RADIUS users authentication n IP address or hostname of the primary RADIUS server n Users configured on the RADIUS server n RADIUS server secret n RADIUS NAS ID n Domain name or subnet of the RADIUS server included in the white list of servers that unauthenticated hotspot clients can access Additional configuration items ...

Page 353: ...imary server name enter the IP address or fully qualified domain name of the primary RADIUS server to use to authenticate hotspot users b Optional For Secondary server name enter the IP address or fully qualified domain name of the backup RADIUS server to use to authenticate hotspot users if the primary RADIUS server is not available c Optional For Port type the port number to use for RADIUS authe...

Page 354: ...v4 address and optional subnet mask using the format IPv4_ address netmask or the keyword any d Repeat to add additional subnets 7 Click Apply to save the configuration and apply the change Configure hotspot for RADIUS users authentication from the Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin acc...

Page 355: ...adius nas_id id config The default is hotspot g Optional Enable Swap Octets to swap the meaning of the input octets packets and output octets packets RADIUS attributes This can fix issues if the data limits and or accounting reports appear to be reversed on the RADIUS server config network hotspot hotspot_name radius swap octets true config The default is disabled 6 Set walled garden settings Wall...

Page 356: ...customize the authentication page as needed or host an authentication page on a remote server See Customize the hotspot login page for further information Required configuration items n Create a new hotspot or Enable hotspot using the default configuration n Select HotspotSystem authentication n Create and configure a HotspotSystem account n The Operator name and location ID for the HotspotSystem ...

Page 357: ...ess to a number of domains depending on which services you select Contact HotspotSystem for an up to date list of domains that need to be whitelisted n FREE Social login requires a number of domains depending on which services you select Refer to the following page for an up to date list of social login domains that need to be whitelisted Whitelist for hotspot free social login Configure hotspot f...

Page 358: ... authentication a Click to expand Allowed domains b Click to add a domain c For Domain type the hostname of the allowed domain d Repeat to add additional domains n To add subnets that can be accessed by the client prior to authentication a Click to expand Allowed subnets b Click to add a subnet c For Subnet type an IPv4 address and optional subnet mask using the format IPv4_ address netmask or the...

Page 359: ...t of supporting servers for payment or other external login and authentication such as social media sites n Add domains that can be accessed by the client prior to authentication config network hotspot new_hotspot add walled_garden domains end domain_name config network hotspot new_hotspot Repeat to add additional domains n Add IP addresses and subnets that can be accessed by the client prior to a...

Page 360: ...Show hotspot status and statistics Web 1 Log into the LR54 WebUI as a user with Admin access 2 On the main menu click Status 3 Under Networking click Hotspot The Hotspot status page is displayed ...

Page 361: ... display information about clients connected to a specific hotspot show hotspot name hotspot MAC Address IP Address Auth Username Duration max sec Idle max sec max up bandwidth max down bandwidth 8C 2D 2D C8 41 AA 10 1 0 101 yes mariev 0 0 0 0 0 0 0 0 E5 8A FC D3 DC 7E 10 1 0 100 no 0 0 0 0 0 0 0 0 4 Enter the show hotspot ip ip_address command at the Admin CLI prompt to display information about ...

Page 362: ... about which HTML file is used for each authentication mode The sample HTML webpages use ChilliLibrary js to perform authentication Do not modify ChilliLibrary js You can customize the sample HTML pages or replace them with your own page so that hotspot users will be redirected to your custom HTML page when they log into the hotspot You can also host the HTML pages on an external web server rather...

Page 363: ... sample HTML file a Log into the LR54 WebUI as a user with Admin access b On the menu click System Under Administration click File System The File System page appears c Highlight the hotspot directory and click to open the directory d Select the HTML file you want to edit and click download Note The files in the hotspot directory are only available after hotspot has been enabled for the first time...

Page 364: ...st time 3 On your local machine edit the file as needed 4 Upload the edited file from your local machine to the LR54 device For example scp host 192 168 4 1 user admin remote home admin temp local etc config hotspot login html to local admin 192 168 4 1 s password adminpwd login html Upload custom hotspot HTML pages Rather than editing the sample HTML pages you can upload a custom login page with...

Page 365: ...ate hotspot to expand c Ensure that Login page source is set to Local d For Login page type the name of your custom HTML file e Click Apply to save the configuration and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be p...

Page 366: ...eset The hotspot directory and files are loaded when the hotspot is enabled and you can restore the default pages by doing the following 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the...

Page 367: ...y send attributes to the hotspot to affect the operation of a client session For example here are some of the RADIUS attributes that the hotspot handles n Session Timeout n Idle Timeout n Acct Interim Interval n WISPr Redirection URL n WISPr Session Terminate Time n ChilliSpot Max Input Octets n ChilliSpot Max Output Octets n ChilliSpot Max Total Octets Also if the RADIUS server requests it the ho...

Page 368: ...Routing This chapter contains the following topics IP routing 369 Show the routing table 401 Dynamic DNS 403 Virtual Router Redundancy Protocol VRRP 409 ...

Page 369: ... cannot find a route for the destination it uses a default route 4 If there are two or more routes to a destination the device uses the route with the longest mask 5 If there are two or more routes to a destination with the same mask the device uses the route with the lowest metric This section contains the following topics Configure a static route 370 Delete a static route 373 Policy based routin...

Page 370: ... The metric for the route When multiple routes are available to reach the same destination the route with the lowest metric is used n The Maximum Transmission Units MTU of network packets using this route To configure a static route Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your ...

Page 371: ... 255 0 type 192 168 47 0 24 The any keyword can also be used to route packets to any destination with this static route 7 For Interface select the interface on the LR54 device that will be used with this static route 8 Optional For Gateway type the IPv4 address of the gateway used to reach the destination Set to blank if the destination can be accessed without a gateway 9 Optional For Metric type ...

Page 372: ...te to accounting network config network route static 0 5 Set the IP address or network of the destination of this route For example config network route static 0 destination ip_address netmask config network route static 0 For example to route traffic to the 192 168 47 0 network that uses a subnet mask of 255 255 255 0 config network route static 0 dst 192 168 47 0 24 config network route static 0...

Page 373: ...ig network route static 0 where value is an integer between 0 and 65535 The default is 0 9 Optional Set the Maximum Transmission Units MTU of network packets using this route config network route static 0 mtu integer config network route static 0 10 Save the configuration and apply the change config save Configuration saved 11 Type exit to exit the Admin CLI Depending on your device configuration...

Page 374: ...Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Determine the index number of the static route to ...

Page 375: ...d routing to forward the packet based on other criteria such as the source of the packet For example you can configure the LR54 device so that high priority traffic is routed through the cellular connection while all other traffic is routed through an Ethernet WAN connection Policy based routing for the LR54 device uses the following criteria to determine how to route traffic n Firewall zone for e...

Page 376: ...if protocol is set to tcp or udp n The network interface used to reach the destination Additional configuration items n A label for the routing policy n Whether packets that match this policy should be dropped when the gateway interface is disconnected rather than forwarded through other interfaces To configure a routing policy Web 1 Log into Digi Remote Manager or log into the local Web UI as a u...

Page 377: ... for Protocol type the port numbers of the Source port and Destination port or set to any to match for any port n If ICMP is selected for Protocol type the ICMP type and optional code or set to any to match for any ICMP type 10 For DSCP type the 6 bit hexadecimal Differentiated Services Code Point DSCP field match criteria This will match packets based on the DSCP field within the ToS field of the...

Page 378: ...Pv6 address Matches the destination IP address to the specified IP address or network Use the format IPv6_address prefix_length or use any to match any IPv6 address n Domain Matches the destination IP address to the specified domain names To specify domains i Click to expand Domains ii Click the to add a domain iii For Domain type the domain name iv Repeat to add additional domains n Default route...

Page 379: ... as the next hop Format network interface defaultip network interface defaultlinklocal network interface lan1 network interface lan_hotspot network interface loopback network interface wan1 network interface wwan Current value config network route policy 0 interface b Set the interface For example config network route policy 0 interface network interface wan1 config network route policy 0 6 Option...

Page 380: ... destination ports are matched a Set the source port config network route policy 0 src_port value config network route policy 0 where value is the port number or the keyword any to match any port as the source port b Set the destination port config network route policy 0 dst_port value config network route policy 0 where value is the port number or the keyword any to match any port as the destinat...

Page 381: ...zone For example config network route policy 0 src zone external config network route policy 0 See Firewall configuration for more information about firewall zones n interface Matches the source IP address to the selected interface s network address Set the interface a Use the to determine available interfaces config network route policy 0 src interface Interface The network interface Format netwo...

Page 382: ...g network route policy 0 src address6 value config network route policy 0 where value uses the format IPv6_address prefix_length or any to match any IPv6 address n mac Matches the source MAC address to the specified MAC address Set the MAC address to be matched config network route policy 0 src mac MAC_address config network route policy 0 10 Set the destination address type config network route p...

Page 383: ...rk interface lan1 network interface lan_hotspot network interface loopback network interface wan1 network interface wwan Current value config network route policy 0 dst interface b Set the interface For example config network route policy 0 dst interface network interface wan1 config network route policy 0 n address Matches the destination IPv4 address to the specified IP address or network Set th...

Page 384: ...pecified MAC address Set the MAC address to be matched config network route policy 0 dst mac MAC_address config network route policy 0 11 Save the configuration and apply the change config save Configuration saved 12 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device ...

Page 385: ...te Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Local Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is ...

Page 386: ...ess type the IP address that will be the destination for outgoing traffic routed through the WWAN interface In the above example this is 241 236 162 59 9 Click Apply to save the configuration and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device ...

Page 387: ...licy 0 ii Set the zone to internal config network route policy 0 src zone internal config network route policy 0 e Configure the destination address i Set the destination to use an IPv4 address config network route policy 0 dst type address config network route policy 0 ii Set the IP address that will be the destination for outgoing traffic routed through the WWAN interface In the above example th...

Page 388: ... Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Local Web UI a On the menu click System Under Configuration click Device Configuration The Configuration ...

Page 389: ...ce select WAN1 7 Configure the source address a Click to expand Source address b For Type select Zone c For Zone select Any 8 Configure the destination address a Click to expand Destination address b For Type select Domain c Click to expand Domains d Click the to add a new domain e For Domain type youtube.com You can add additional domains by repeating the last two steps ...

Page 390: ...nfig config 3 Create the route policy a Add a new routing policy config add network route policy end config network route policy 0 b Set the label that will be used to identify this route policy config network route policy 0 label Domain based policy config network route policy 0 c Set the interface config network route policy 0 interface network interface wan1 config network route policy 0 d Leav...

Page 391: ...g network route policy 0 You can add additional domains by repeating this step with a different domain name 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device ...

Page 392: ...are routed through the Ethernet WAN Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Local Web UI a On the menu click System Under Configura...

Page 393: ...For Add Zone type EthernetWAN and click ii Enable Source NAT 4 Configure the WAN interfaces to use the new zones a Configure the cellular WAN interface i Click Network Interfaces ii For Zone select CellularWAN b Configure the Ethernet WAN interface i Click Network Interfaces ii For Zone select EthernetWAN 5 Configure the policy based route for traffic from the client device that will be sent over ...

Page 394: ...f Configure the destination zone i Click to expand Destination address ii For Type select Zone iii For Zone select CellularWAN 6 Create a packet filtering rule that rejects all other LAN packets on the cellular WAN interface a Click Firewall Packet filtering b Click the to add a new packet filtering rule c For Label type Reject LAN traffic to cellular WAN d For Action select Drop e For Source zone...

Page 395: ...firewall zone config add firewall zone CellularWAN config firewall zone CellularWAN i Enable Source NAT on the new zone config firewall zone CellularWAN src_nat true config firewall zone CellularWAN b Create second firewall zone named EthernetWAN with Source NAT enabled i Type to move back one node in the configuration config firewall zone CellularWAN config firewall zone ii Create the firewall zo...

Page 396: ... phone config network route policy 0 c Set the interface config network route policy 0 interface network interface config network route policy 0 d Configure the source as the MAC address of the VoIP phone i Set the source type to mac config network route policy 0 src type mac config network route policy 0 ii Set the MAC address to the MAC address of the VoIP phone config network route policy 0 src...

Page 397: ... config firewall filter 2 d Set the source zone to internal config firewall filter 2 src_zone internal config firewall filter 2 e Set the destination zone to CellularWAN config firewall filter 2 dst_zone CellularWAN config firewall filter 2 7 Save the configuration and apply the change config firewall filter 2 save Configuration saved 8 Type exit to exit the Admin CLI Depending on your device conf...

Page 398: ...e supports OSPFv2 RFC2328 OSPFv3 The IPv6 Open Shortest Path First OSPF service supports OSPFv3 RFC2740 BGP The Border Gateway Protocol BGP service supports BGP-4 RFC1771 IS-IS The IPv4 and IPv6 Intermediate System to Intermediate System IS-IS service Configure routing services Required configuration items n Enable routing services n Enable and configure the types of routing services that will be ...

Page 399: ... Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Local Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Network Routes Routing services 4 Click Enable The default firewall zone setting Dynamic routes is specifically designed to work with routing services ...

Page 400: ...pending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Enable routing services config network route service enable true config 4 Configure routing services that will be used a Use the to display available routing services config network route service Rou...

Page 401: ...ace Interfaces neighbour Neighbours redis Route redistribution timer Timers config 5 Save the configuration and apply the change config save Configuration saved 6 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Show the routing table To display the routing table Web 1 Log into Digi Rem...

Page 402: ...tes The Network Routing window is displayed 4 Click IPv4 Load Balance to view IPv4 load balancing 5 Click IPv6 Load Balance to view IPv6 load balancing Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection m...

Page 403: ...0 e231 1 default 1024 IPv4 Route Load Balance wan1 75 0 wwan1 25 0 IPv6 Route Load Balance wan1 75 0 wwan1 25 0 You can limit the display to only IPv4 entries by using show route ipv4 or to IPv6 entries by using show route ipv6 You can also display more information by adding the verbose option to the show route and show route ip_type commands 3 Type exit to exit the Admin CLI Depending on your dev...

Page 404: ...gure dynamic DNS on a LR54 device Required configuration items n Add a new Dynamic DNS service n The interface that has its IP address registered with the Dynamic DNS provider n The name of a Dynamic DNS provider n The domain name that is linked to the interface s IP address n The username and password to authenticate with the Dynamic DNS provider Additional configuration items n If the Dynamic DN...

Page 405: ... device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Local Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Network Dynamic DNS 4 Type a name for this Dynamic DNS instance in Add Service and click The Dynamic DNS configuration page ...

Page 406: ...le to set Check interval to ten minutes enter 10m or 600s 11 Optional For Forced update interval type the amount of time to wait to force an update of the interface s IP address Allowed values are any number of weeks days hours minutes or seconds and take the format number w d h m s For example to set Forced update interval to ten minutes enter 10m or 600s The setting for Forced update interval mu...

Page 407: ...twork ddns new_ddns_instance 4 Set the interface for the Dynamic DNS instance a Use the to determine available interfaces config network ddns new_ddns_instance interface Interface The network interface from which to obtain the IP address to register with the dynamic DNS service Format defaultip defaultlinklocal lan1 lan_hotspot loopback wan1 wwan Current value config network ddns new_ddns_instance...

Page 408: ...rname to authenticate with the Dynamic DNS provider config network ddns new_ddns_instance username name config network ddns new_ddns_instance 9 Set the password to authenticate with the Dynamic DNS provider config network ddns new_ddns_instance password pwd config network ddns new_ddns_instance 10 Optional Set the amount of time to wait to check if the interface s IP address needs to be updated co...

Page 409: ...etwork ddns new_ddns_instance retry_count value config network ddns new_ddns_instance where value is any integer The default is 5 14 Save the configuration and apply the change config save Configuration saved 15 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Virtual Router Redundancy...

Page 410: ...IP address by either sending an ICMP echo request ping or attempting to open a TCP socket to the IP address Configure VRRP This section describes how to configure VRRP on a LR54 device Required configuration items n Enable VRRP n The interface used by VRRP n The Router ID that identifies the virtual router instance The Router ID must be the same on all VRRP devices that participate in the same VRR...

Page 411: ...Router ID field type the ID of the virtual router instance The Router ID must be the same on all VRRP devices that participate in the same VRRP device pool Allowed values are from 1 to 255 and it is configured to 50 by default 8 For Priority type the priority for this router in the group The router with the highest priority will be used as the master router If the master router fails then the IP ...

Page 412: ...on and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Add a VRRP ...

Page 413: ...irtual router is mapped to the backup device with the next highest priority If this device s actual IP address is being used as the virtual IP address of the VRRP pool then the priority of this device should be set to 255 Allowed values are from 1 to 255 and it is configured to 100 by default config network vrrp VRRP_test priority int config network vrrp VRRP_test 8 Optional Set a password that w...

Page 414: ...y VRRP If multiple WAN interfaces are being monitored on the same device the VRRP priority will be adjusted only if all WAN interfaces fail SureLink tests l The amount that the VRRP priority will be modified when SureLink determines that the VRRP interface is not functioning correctly l Configure the VRRP interface s DHCP server to use a custom gateway that corresponds to one of the VRRP virtual I...

Page 415: ...played 3 Click Network VRRP 4 Create a new VRRP instance or click to expand an existing VRRP instance See Configure VRRP for information about creating a new VRRP instance 5 Click to expand VRRP 6 Click Enable 7 Add interfaces to monitor a Click to expand Monitor interfaces b Click to add an interface for monitoring c For Interface select the local interface to monitor Generally this will be a cel...

Page 416: ...ster device when SureLink connectivity fails For example if the VRRP master device has a priority of 100 and the backup device has a priority of 80 then the Priority modifier should be set to an amount greater than 20 so that if SureLink fails on the master it will lower its priority to below 80 and the backup device will assume the master role 10 Configure the VRRP interface The VRRP interface is...

Page 417: ...tests should occur more often than the default of 15 minutes Allowed values are any number of weeks days hours minutes or seconds and take the format number w d h m s For example to set Interval to five seconds enter 5s iv Click to expand Test targets Test target v Configure the test target For example to configure SureLink to verify internet connectivity on the LAN by pinging my.devicecloud.com i...

Page 418: ...nt value config network vrrp test interface b Set the interface for example config add network vrrp VRRP_test vrrp_plus monitor_interface end network interface wwan config c Optional Repeat for additional interfaces 6 Set the amount that the device s priority should be decreased or increased due to SureLink connectivity failure or success config network vrrp VRRP_test vrrp_plus weight value config...

Page 419: ...mine the VRRP virtual IP addresses config show network vrrp VRRP_test virtual_address 0 192.168.3.3 1 10.10.10.1 config iii Set the custom gateway to one of the VRRP virtual IP addresses For example config network interface lan1 ipv4 dhcp_server advanced gateway_custom 192.168.3.3 config b For backup devices set the default gateway to the IP address of the VRRP interface on the master device For e...

Page 420: ...t 0 where value is one of n ping Tests connectivity by sending an ICMP echo request to a specified hostname or IP address l Specify the hostname or IP address config network interface lan1 ipv4 surelink target 0 ping_host host config network interface lan1 ipv4 surelink target 0 l Optional Set the size in bytes of the ping packet config network interface lan1 ipv4 surelink target 0 ping_size num c...

Page 421: ...r seconds and takes the format number w d h m s For example to set interface_down_time to ten minutes enter either 10m or 600s config network interface lan1 ipv4 surelink target 0 interface_down_time 600s config network interface lan1 ipv4 surelink target 0 The default is 60 seconds l Optional Set the amount of time to wait for an initial connection to the interface before this test is considered ...

Page 422: ...VRRP pool containing two LR54 devices Configure device one master device Web Task 1 Configure VRRP on device one 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click...

Page 423: ...e a name for the VRRP instance and click The new VRRP instance configuration is displayed 5 Click Enable 6 For Interface select Interface LAN1 7 For Router ID leave at the default setting of 50 8 For Priority leave at the default setting of 100 9 Click to expand Virtual IP addresses 10 Click to add a virtual IP address 11 For Virtual IP type 192.168.3.3 ...

Page 424: ... IP address for the VRRP interface LAN1 on device one 1 Click Network Interfaces LAN1 IPv4 2 For Address type 192.168.3.1/24 Task 4 Configure the DHCP server for LAN1 on device one 1 Click to expand Network Interfaces LAN1 IPv4 DHCP Server 2 For Lease range start leave at the default of 100 3 For Lease range end type 199 4 Click to expand Advanced settings 5 For Gateway select Custom 6 For Custom ...

Page 425: ...etwork vrrp VRRP_test 5 Set the VRRP interface to LAN1 config network vrrp VRRP_test interface network interface lan1 config network vrrp VRRP_test 6 Add the virtual IP address associated with this VRRP instance config network vrrp VRRP_test add virtual_address end 192.168.3.3 config network vrrp VRRP_test Task 2 Configure VRRP on device one 1 Enable VRRP config network vrrp VRRP_test vrrp_plus en...

Page 426: ...00 config network interface lan1 ipv4 dhcp_server lease_start 100 config b Set the end address to 199 config network interface lan1 ipv4 dhcp_server lease_end 199 config 2 Set the DHCP server gateway type to custom config network interface lan1 ipv4 dhcp_server advanced gateway custom config 3 Set the custom gateway to 192.168.3.3 config network interface lan1 ipv4 dhcp_server advanced gateway_cus...

Page 427: ...on Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Local Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Network VRRP 4 For Add VRRP instance type a name for the VRRP instance and click The new VRRP...

Page 428: ...onfigure VRRP on device two 1 Click to expand VRRP 2 Click Enable 3 Click to expand Monitor interfaces 4 Click to add an interface for monitoring 5 Select Interface WWAN 6 Click to enable Monitor VRRP master 7 For Priority modifier type 30 Task 3 Configure the IP address for the VRRP interface LAN1 on device two 1 Click Network Interfaces LAN1 IPv4 2 For Address type 192.168.3.2/24 3 For Default g...

Page 429: ...xpand Network Interfaces LAN1 IPv4 DHCP Server 2 For Lease range start type 200 3 For Lease range end type 250 4 Click Advanced settings 5 For Gateway select Custom 6 For Custom gateway enter 192.168.3.3 7 Click Apply to save the configuration and apply the change Command line Task 1 Configure VRRP on device two 1 Select the device in Remote Manager and click Actions Open Console or log into the L...

Page 430: ...k vrrp VRRP_test add virtual_address end 192.168.3.3 config network vrrp VRRP_test Task 2 Configure VRRP on device two 1 Enable VRRP config network vrrp VRRP_test vrrp_plus enable true config network vrrp VRRP_test 2 Add the interface to monitor config network vrrp VRRP_test add vrrp_plus monitor_interface end network interface wwan config network vrrp VRRP_test 3 Enable the ability to monitor the...

Page 431: ...e true config 2 Create a SureLink test target config add network interface lan1 ipv4 surelink target end config network interface lan1 ipv4 surelink target 0 3 Set the type of test to ping config network interface lan1 ipv4 surelink target 0 test ping config network interface lan1 ipv4 surelink target 0 4 Set my.devicecloud.com as the hostname to ping config network interface lan1 ipv4 surelink ta...

Page 432: ... save Configuration saved 6 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Show VRRP status and statistics This section describes how to display VRRP status and statistics for a LR54 device VRRP status is available from the Web UI only Web 1 Log into Digi Remote Manager or log into th...

Page 433: ...and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the Admin CLI prompt type show vrrp show vrrp VRRP Status Proto State Virtual IP VRRP_test Up IPv4 Backup 10.10.10.1 VRRP_test Up IPv4 Backup 100.100.100.1 3 T...

Page 434: ...est VRRP Status Enabled True Status Up Interface lan IPv4 Virtual IP address(es) 10.10.10.1 100.100.100.1 Current State Master Current Priority 100 Last Transition Tue Jan 1 00:00:39 2019 Became Master 1 Released Master 0 Adverts Sent 71 Adverts Received 4 Priority Zero Sent 0 Priority zero Received 0 ...

Page 435: ...y connect two private networks together so that devices can connect from one network to the other using secure channels This chapter contains the following topics IPsec 436 OpenVPN 493 Generic Routing Encapsulation GRE 527 L2TP 549 L2TPv3 Ethernet 569 NEMO 575 LR54 User Guide 435 ...

Page 436: ...ec can run in two different modes Tunnel and Transport Tunnel The entire IP packet is encrypted and/or authenticated and then encapsulated as the payload in a new IP packet Transport Only the payload of the IP packet is encrypted and/or authenticated The IP header is left untouched This mode has limitations when using an authentication header because the IP addresses in the IP header cannot be tra...

Page 437: ...d key authentication mode provides additional security by using client authentication credentials in addition to the standard pre shared key The LR54 device can be configured to authenticate with the remote peer as an XAUTH client RSA Signatures With RSA signatures authentication the LR54 device uses a private RSA key to authenticate with a remote peer that is using a corresponding public key Cert...

Page 438: ...Configure SureLink active recovery for IPsec for information about IPsec active recovery Additional configuration items The following additional configuration settings are not typically configured to get an IPsec tunnel working but can be configured as needed n Determine whether the device should use UDP encapsulation even when it does not detect that NAT is being used n If using IPsec failover id...

Page 439: ...e you must configure a static route to direct the traffic either through the IPsec tunnel or through the WAN outside of the IPsec tunnel See Configure a static route for information about configuring a static route Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as describe...

Page 440: ...nable Force UDP encapsulation to force the tunnel to use UDP encapsulation even when it does not detect that NAT is being used 9 For Zone select the firewall zone for the IPsec tunnel Generally this should be left at the default of IPsec Note Depending on your network configuration you may need to add a packet filtering rule to allow incoming traffic For example for the IPsec zone a Click to expan...

Page 441: ...ted The IP header is unencrypted 13 Select the Protocol either n ESP Encapsulating Security Payload Provides encryption as well as authentication and integrity n AH Authentication Header Provides authentication and integrity only 14 Strict routing is disabled by default Toggle on to enable Strict routing makes IPsec behave like a policy based VPN rather than a route based VPN 15 Click to expand Au...

Page 442: ...te key Leave blank if the private key is not encrypted iii For Certificate paste the local X.509 certificate in PEM format iv For Peer verification select either l Peer certificate For Peer certificate paste the peer s X.509 certificate in PEM format l Certificate Authority For Certificate Authority chain paste the Certificate Authority CA certificates These must include all peer certificates in t...

Page 443: ...ied Domain Name and sent as an ID_FQDN IKE identity For FQDN ID value type the ID as an FQDN n KeyID The ID will be interpreted as a Key ID and sent as an ID_KEY_ID IKE identity For KEYID ID value type the key ID n MAC address The device s primary MAC address will be used as the ID and sent as a ID_KEY_ID IKE identity n Serial number The device s serial number will be used as the ID and sent as a ...

Page 444: ...v6 formatted ID This can be a fully qualified domain name or an IPv6 address n RFC822 Email The ID will be interpreted as an RFC822 email address For RFC822 ID value type the ID in internet email address format n FQDN The ID will be interpreted as FQDN Fully Qualified Domain Name and sent as an ID_FQDN IKE identity For FQDN ID value type the ID as an FQDN n KeyID The ID will be interpreted as a Ke...

Page 445: ...f the following n Any Matches any protocol n TCP Matches TCP protocol only n UDP Matches UDP protocol only n ICMP Matches ICMP requests only n Other protocol Matches an unlisted protocol If Other protocol is selected type the number of the protocol e For Port type the port matching criteria Allowed values are a port number a range of port numbers or any f Optional Click to expand Remote traffic se...

Page 446: ...y the peer n Never Do not send oversized IKE messages in fragments n Accept Do not send oversized IKE messages in fragments but announce support for fragmentation to the peer The default is Always e For Enable padding click to disable the padding of IKE packets This should normally not be disabled except for compatibility purposes f For Phase 1 lifetime enter the amount of time that the IKE securi...

Page 447: ...ng next to Add Phase 2 Proposal 23 Optional Click to expand Dead peer detection Dead peer detection is enabled by default Dead peer detection uses periodic IKE transmissions to the remote endpoint to detect whether tunnel communications have failed allowing the tunnel to be automatically restarted when failure occurs a To enable or disable dead peer detection click Enable b For Delay type the numb...

Page 448: ...fig vpn ipsec tunnel ipsec_example enable false config vpn ipsec tunnel ipsec_example 4 Optional Set the tunnel to use UDP encapsulation even when it does not detect that NAT is being used config vpn ipsec tunnel ipsec_example force_udp_encap true config vpn ipsec tunnel ipsec_example 5 Set the firewall zone for the IPsec tunnel Generally this should be left at the default of ipsec config vpn ipse...

Page 449: ...for the IPsec tunnel When more than one active route matches a destination the route with the lowest metric is used The metric can also be used in tandem with SureLink to configure IPsec failover behavior See Configure IPsec failover for more information config vpn ipsec tunnel ipsec_example metric value config vpn ipsec tunnel ipsec_example where value is any integer between 0 and 65535 7 Set the...

Page 450: ...c tunnel ipsec_example n asymmetric secrets Uses asymmetric pre shared keys to authenticate with the remote peer a Set the local pre shared key This must be the same as the remote key on the remote host config vpn ipsec tunnel ipsec_example auth local_secret key config vpn ipsec tunnel ipsec_example b Set the remote pre shared key This must be the same as the local key on the remote host config vp...

Page 451: ...X.509 certificate in PEM format config vpn ipsec tunnel ipsec_example auth cert certificate config vpn ipsec tunnel ipsec_example d Set the method for verifying the peer s X.509 certificate config vpn ipsec tunnel ipsec_example auth peer_verify value config vpn ipsec tunnel ipsec_example where value is either l cert Uses the peer s X.509 certificate in PEM format for verification o For the peer_ce...

Page 452: ...rue config vpn ipsec tunnel ipsec_example 13 Configure the local endpoint a Set the method for determining the local network interface config vpn ipsec tunnel ipsec_example local type value config vpn ipsec tunnel ipsec_example where value is either n defaultroute Uses the same network interface as the default route n interface Select the Interface to be used as the local endpoint b Set the ID typ...

Page 453: ...The ID will be interpreted as FQDN Fully Qualified Domain Name and sent as an ID_FQDN IKE identity n keyid The ID will be interpreted as a Key ID and sent as an ID_KEY_ID IKE identity Set the key ID config vpn ipsec tunnel ipsec_example local id type keyid_id id config vpn ipsec tunnel ipsec_example n mac_address The device s MAC address will be used for the Key ID and sent as an ID_KEY_ID IKE ide...

Page 454: ...alue of the tunnels endpoints n raw Enter an ID and have it passed unmodified to the underlying IPsec stack Set the unmodified ID that will be passed config vpn ipsec tunnel ipsec_example remote id type raw_id id config vpn ipsec tunnel ipsec_example n any Any ID will be accepted n ipv4 The ID will be interpreted as an IPv4 address and sent as an ID_IPV4_ADDR IKE identity Set an IPv4 formatted ID ...

Page 455: ... Set the IKE version config vpn ipsec tunnel ipsec_example ike version value config vpn ipsec tunnel ipsec_example where value is either ikev1 or ikev2 This setting must match the peer s IKE version b Determine whether the device should initiate the key exchange rather than waiting for an incoming request By default the device will initiate the key exchange This must be disabled if remote hostname...

Page 456: ...nnel ipsec_example ike phase1_lifetime 600s config vpn ipsec tunnel ipsec_example The default is three hours g Set the amount of time that the IKE security association expires after a successful negotiation and must be rekeyed config vpn ipsec tunnel ipsec_example ike phase2_lifetime value config vpn ipsec tunnel ipsec_example where value is any number of weeks days hours minutes or seconds and ta...

Page 457: ...mple ike phase1_proposal 0 hash value config vpn ipsec tunnel ipsec_example ike phase1_proposal 0 where value is one of md5 sha1 sha256 sha384 or sha512 The default is sha1 iv Set the type of Diffie Hellman group to use for key exchange during phase 1 i Use the to determine available Diffie Hellman group types config vpn ipsec tunnel ipsec_example ike phase1_proposal 0 dh_group curve25519 curve448...

Page 458: ...hase2_proposal 0 iii Set the type of encryption to use during phase 2 config vpn ipsec tunnel ipsec_example ike phase2_proposal 0 cipher value config vpn ipsec tunnel ipsec_example ike phase2_proposal 0 where value is one of 3des aes128 aes192 aes256 or null The default is 3des iv Set the type of hash to use during phase 2 to verify communication integrity config vpn ipsec tunnel ipsec_example ike...

Page 459: ... dead peer detection Dead peer detection is enabled by default Dead peer detection uses periodic IKE transmissions to the remote endpoint to detect whether tunnel communications have failed allowing the tunnel to be automatically restarted when failure occurs a Change to the root of the configuration schema config vpn ipsec tunnel ipsec_example ike phase2_proposal 0 config b To disable dead peer d...

Page 460: ... the configuration schema config vpn ipsec tunnel ipsec_example nat 0 config b Add a policy config add vpn ipsec tunnel ipsec_example policy end config vpn ipsec tunnel ipsec_example policy 0 c Set the type of local traffic selector config vpn ipsec tunnel ipsec_example policy 0 local type value config vpn ipsec tunnel ipsec_example policy 0 where value is one of n address The address of a local n...

Page 461: ...k ii Set the interface For example config vpn ipsec tunnel ipsec_example policy 0 local network wan1 config vpn ipsec tunnel ipsec_example policy 0 n custom A user defined network Set the custom network config vpn ipsec tunnel ipsec_example policy 0 local custom value config vpn ipsec tunnel ipsec_example policy 0 where value is the IPv4 address and optional netmask The keyword any can also be use...

Page 462: ... config vpn ipsec tunnel ipsec_example policy 0 g Set the port matching criteria for the remote traffic selector config vpn ipsec tunnel ipsec_example policy 0 remote port value config vpn ipsec tunnel ipsec_example policy 0 where value is the port number a range of port numbers or the keyword any h Set the protocol matching criteria for the remote traffic selector config vpn ipsec tunnel ipsec_ex...

Page 463: ... time Additional Configuration connection_retry_timeout Connection retry timeout connection_try_interval Connection try interval ike_timeout IKE timeout config Generally the default settings for these should be sufficient c You can also enable debugging for IPsec config vpn ipsec advanced debug value config where value is one of n none n basic_auditing n detailed_control n generic_control n raw_da...

Page 464: ...h tunnels are active simultaneously and there is minimal downtime due to failover l Identify the preferred tunnel during configuration of the backup tunnel In this scenario the backup tunnel is not active until the preferred tunnel fails IPsec failover using SureLink With this configuration when two IPsec tunnels are configured with the same local and remote endpoints but different metrics traffic...

Page 465: ...dpoint Web 1 Configure the primary IPsec tunnel See Configure an IPsec tunnel for instructions n During configuration of the IPsec tunnel set the metric to a low value for example 10 n Configure SureLink for the primary IPsec tunnel and enable Restart interface See Configure SureLink active recovery for IPsec for instructions 2 Create a backup IPsec tunnel Configure this tunnel to use the same loc...

Page 466: ... a value that is higher than the metric of the primary tunnel for example 20 config vpn ipsec tunnel IPsecFailoverBackupTunnel metric 20 config vpn ipsec tunnel IPsecFailoverBackupTunnel IPsec failover using Preferred tunnel Web 1 Configure the primary IPsec tunnel See Configure an IPsec tunnel for instructions 2 Create a backup IPsec tunnel See Configure an IPsec tunnel for instructions 3 During ...

Page 467: ...uration items n A valid IPsec configuration See Configure an IPsec tunnel for configuration instructions n Enable IPsec active recovery n The behavior of the LR54 device upon IPsec failure either l Restart the IPsec interface l Reboot the device Additional configuration items n The interval between connectivity tests n Whether the interface should be considered to have failed if one of the test ta...

Page 468: ... Click Settings d Click to expand Config Local Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click VPN IPsec 4 Create a new IPsec tunnel or select an existing one n To create a new IPsec tunnel see Configure an IPsec tunnel n To edit an existing IPsec tunnel click to expand the appropriate tunnel ...

Page 469: ... seconds and take the format number w d h m s For example to set Interval to ten minutes enter 10m or 600s The default is 15 minutes 10 For Success condition determine whether the interface should fail over based on the failure of one of the test targets or all of the test targets 11 For Attempts type the number of probe attempts before the WAN is considered to have failed 12 For Response timeout ...

Page 470: ...ding an HTTP or HTTPS GET request to the URL specified in Web servers The URL should take the format of http s hostname path n Test DNS servers configured for this interface Tests connectivity by sending a DNS query to the DNS servers configured for this interface n Test the interface status The interface is considered to be down based on l Down time The amount of time that the interface can be do...

Page 471: ...t the interface when its connection is considered to have failed config vpn ipsec tunnel ipsec_example surelink restart true config vpn ipsec tunnel ipsec_example This is useful for interfaces that may regain connectivity after restarting such as a cellular modem 6 To configure the device to reboot when the interface is considered to have failed config vpn ipsec tunnel ipsec_example surelink reboo...

Page 472: ...timeout to ten minutes enter either 10m or 600s config vpn ipsec tunnel ipsec_example surelink timeout 600s config vpn ipsec tunnel ipsec_example The default is 15 seconds 11 Configure test targets a Add a test target config vpn ipsec tunnel ipsec_example add surelink target end config vpn ipsec tunnel ipsec_example surelink target 0 b Set the test type config vpn ipsec tunnel ipsec_example sureli...

Page 473: ...face takes before this test is considered to have failed l Optional Set the amount of time that the interface can be down before this test is considered to have failed config vpn ipsec tunnel ipsec_example surelink target 0 interface_down_time value config vpn ipsec tunnel ipsec_example surelink target 0 where value is any number of weeks days hours minutes or seconds and takes the format number w...

Page 474: ...network interface Format network interface defaultip network interface defaultlinklocal network interface lan1 network interface lan_hotspot network interface loopback network interface wan1 network interface wwan Current value config vpn ipsec tunnel ipsec_example surelink target 0 other_interface ii Set the interface For example config vpn ipsec tunnel ipsec_example surelink target 0 other_inter...

Page 475: ...e device Show IPsec status and statistics Web 1 Log into the LR54 WebUI as a user with Admin access 2 On the menu select Status IPsec The IPsec page appears 3 To view configuration details about an IPsec tunnel click the configuration icon in the upper right of the tunnel s status pane Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local comm...

Page 476: ...ted with the remote end of the tunnel you can enable IPsec debug messages to be written to the system log See View system and event logs for more information about viewing the system log Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager...

Page 477: ...d apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Set the IPsec de...

Page 478: ...tificate Signing Requests CSRs provide Certificate Revocation Lists CRLs and distribute valid certificates from a Certificate Authority CA Required configuration n Enable the SCEP client n The fully qualified domain name of the SCEP server to be used for certificate requests n The challenge password provided by the SCEP server that the SCEP client will use when making SCEP requests n The distingui...

Page 479: ...splayed 5 Click Enable to enable the SCEP client 6 For Maximum Polling Time type the maximum time that the device will poll the SCEP server when operating in manual mode Allowed values are any number of weeks days hours minutes or seconds and take the format number w d h m s For example to set Maximum Polling Time to ten minutes enter 10m or 600s The default is 1d 7 For Polling Interval type the a...

Page 480: ...and SCEP server 12 For FQDN type the fully qualified domain name or IP address of the SCEP server 13 Optional For CA identity type a string that will be understood by the certificate authority For example it could be a domain name or a user name If the certificate authority has multiple CA certificates this field can be used to distinguish which is required 14 For Path Type the HTTP URL path requi...

Page 481: ...fault is URL d If Type is set to URL for URL type the URL to be used 21 Configure certificate renewal a Click to expand Renewal b Click Use New Private Key to enable the creation of a new private key for renewal requests c Use Client Certificate is enabled by default Click to disable the use of a client certificate for renewal requests 22 Click Apply to save the configuration and apply the change...

Page 482: ...s required config network scep_client scep_client_name server ca_ident string config network scep_client scep_client_name 7 Set the HTTP URL path required for accessing the certificate authority You should leave this option at the default of cgi bin pkiclient exe unless directed by the CA to use another path config network scep_client scep_client_name server path path config network scep_client sc...

Page 483: ...distinguished_name cn value config network scep_client scep_client_name 10 Optional Configure the certificate revocation list CRL a Enable the CRL config network scep_client scep_client_name crl enable true config network scep_client scep_client_name b Set the type of CRL config network scep_client scep_client_name crl type value config network scep_client scep_client_name where value is one of n ...

Page 484: ...t scep_client_name The default is 1d 13 Set the amount of time that the device should wait between polling attempts when operating in manual mode config network scep_client scep_client_name polling_interval value config network scep_client scep_client_name where value is any number of weeks days hours minutes or seconds and takes the format number w d h m s For example to set polling_interval to t...

Page 485: ...server 1 Enable ports for SCEP services a From the menu select Network Interfaces b Select the appropriate port and click Edit c For Access Rights Services enable the following services n HTTPS SCEP n HTTPS CRL Downloads n HTTP SCEP n HTTP CRL Downloads d The remaining fields can be left at their defaults or changed as appropriate e Click OK 2 Create a Certificate Authority CA a From the menu click...

Page 486: ...s before the certified is expired type the number of days that the certificate enrollment can be renewed prior to the request expiring The Renewable Time setting on the LR54 device must match the setting of this parameter g The remaining fields can be left at their defaults or changed as appropriate h Click OK LR54 configuration On the LR54 device Web 1 Log into Digi Remote Manager or log into the...

Page 487: ... 6 For Renewable Time type the number of days that the certificate enrollment can be renewed prior to the request expiring This value must match the setting of the Allow renewal x days before the certified is expired option on the Fortinet server 7 Optional Click Debug to enable verbose logging in var log scep_client 8 Click to expand SCEP server 9 For FQDN type the fully qualified domain name or ...

Page 488: ...fault enrollment password on the Fortinet server 11 Click to expand Distinguished Name 12 Type the value for each appropriate Distinguished Name attribute The values entered here must correspond to the DN attributes in the Enrollment Request on the Fortinet server 13 Click Apply to save the configuration and apply the change ...

Page 489: ...lly qualified domain name or IP address of the SCEP server config network scep_client Fortinet_SCEP_client server url https fortinet example com config network scep_client Fortinet_SCEP_client 6 Set the challenge password as configured on the SCEP server This corresponds to the Default enrollment password on the Fortinet server config network scep_client Fortinet_SCEP_client server password challe...

Page 490: ...client 8 Set the number of days that the certificate enrollment can be renewed prior to the request expiring This value must match the setting of the Allow renewal x days before the certified is expired option on the Fortinet server config network scep_client Fortinet_SCEP_client renewable_time integer config network scep_client Fortinet_SCEP_client 9 Optional Enable verbose logging in var log sce...

Page 491: ...d Expiry test true Jun 4 19 05 25 2022 GMT test1 false 3 To display details about a specific SCEP client show scep client name name For example show scep client name test test SCEP Status Enabled true Client Certificate Subject C US ST MA L BOS O Digi OU IT1 CN dummy Issuer CN TA SCEP 1 CA Serial 1100000017A30C8EDD3805EB52000000000017 Expiry Jun 4 19 05 25 2022 GMT Certificate Authority Certificat...

Page 492: ...EP 1 CA Serial 681670E9EFB7FCB74E79C33DD9D54847 Expiry Apr 25 13 36 42 2027 GMT Certificate Revocation List Issuer CN TA SCEP 1 CA Last Update May 23 13 27 21 2022 GMT 4 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device ...

Page 493: ...ubnet from the OpenVPN server and other OpenVPN clients OpenVPN clients use Network Address Translation NAT to route traffic from devices connected on its LAN interfaces to the OpenVPN server The manner in which the IP subnets are defined depends on the OpenVPN topology in use The LR54 device supports two types of OpenVPN topology OpenVPN Topology Subnet definition method net30 Each OpenVPN client...

Page 494: ...rd interface configuration for example a standard DHCP server configuration l TAP Device only An alternate form of OpenVPN bridging mode in which the device rather than OpenVPN controls the interface configuration If this method is is the OpenVPN server must be included as a device in either an interface or a bridge n The firewall zone to be used by the OpenVPN server n The IP network and subnet m...

Page 495: ...he TCP UDP port to use By default the LR54 device uses port 1194 n Access control list configuration to restrict access to the OpenVPN server through the firewall n Additional OpenVPN parameters Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote...

Page 496: ... device types this should be set to Internal to treat clients as LAN devices b Optional Select the Metric for the OpenVPN server If multiple active routes match a destination the route with the lowest metric will be used The default setting is 0 c For Address type the IP address and subnet mask of the OpenVPN server d Optional For First IP address and Last IP address set the range of IP addresses ...

Page 497: ...s control list to restrict access to the OpenVPN server n To limit access to specified IPv4 addresses and networks a Click IPv4 Addresses b For Add Address click c For Address enter the IPv4 address or network that can access the device s service type Allowed values are l A single IP address or host name l A network designation in CIDR notation for example 192 168 1 0 24 l any No limit to IPv4 add...

Page 498: ... 3 At the config prompt type config add vpn openvpn server name config vpn openvpn server name where name is the name of the OpenVPN server The OpenVPN server is enabled by default To disable the server type config vpn openvpn server name enable false config vpn openvpn server name 4 Set the mode used by the OpenVPN server config vpn openvpn server name device_type value config vpn openvpn server ...

Page 499: ...o internal Format any dynamic_routes edge external hotspot internal ipsec loopback setup Current value config vpn openvpn server name c Optional Set the route metric for the OpenVPN server If multiple active routes match a destination the route with the lowest metric will be used config vpn openvpn server name metric value config vpn openvpn server name where value is an integer between 0 and 655...

Page 500: ...certificates externally and add them to the server config vpn openvpn server name autogenerate false config vpn openvpn server name The default setting is false c If autogenerate is set to false i Set the authentication type config vpn openvpn server name authentication value config vpn openvpn server name where value is one of n cert Uses only certificates for client authentication Each client re...

Page 501: ...ses and networks config vpn openvpn server name add acl address end value config vpn openvpn server name Where value can be l A single IP address or host name l A network designation in CIDR notation for example 192 168 1 0 24 l any No limit to IPv4 addresses that can access the service type Repeat this step to list additional IP addresses or networks n To limit access to specified IPv6 addresses ...

Page 502: ...nfig vpn openvpn server name add acl zone end value config vpn openvpn server name Where value is a firewall zone defined on your device or the any keyword Display a list of available firewall zones Type firewall zone at the config prompt config vpn openvpn server name firewall zone Zones A list of groups of network interfaces that can be referred to by packet filtering rules and access control li...

Page 503: ...ce configuration you may be presented with an Access selection menu Type quit to disconnect from the device Configure an OpenVPN Authentication Group and User If username and password authentication is used for the OpenVPN server you must create an OpenVPN authentication group and user See Configure an OpenVPN server for information about configuring an OpenVPN server to use username and password ...

Page 504: ...uration window is displayed 3 Add an OpenVPN authentication group a Click Authentication Groups b For Add Group type a name for the group for example OpenVPN_Group and click The new authentication group configuration is displayed c Click OpenVPN access to enable OpenVPN access rights for users of this group d Click to expand the OpenVPN node ...

Page 505: ...k Authentication Users b For Add type a name for the user for example OpenVPN_User and click c Type a password for the user This password is used for local authentication of the user You can also configure the user to use RADIUS or TACACS authentication by configuring authentication methods See User authentication methods for information d Click to expand the Groups node e Click to add a group to ...

Page 506: ... 5 Click Apply to save the configuration and apply the change ...

Page 507: ..._Group 4 Enable OpenVPN access rights for users of this group config auth group OpenVPN_Group acl openvpn enable true 5 Add an OpenVPN tunnel to which users of this group will have access a Determine available tunnels config auth group OpenVPN_Group vpn openvpn server Servers A list of openvpn servers Additional Configuration OpenVPN_server1 OpenVPN server config auth group OpenVPN_Group b Add a t...

Page 508: ...client if configured on the OpenVPN server See Configure SureLink active recovery for OpenVPN for information about OpenVPN active recovery Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Dev...

Page 509: ...firewall zone for the OpenVPN client 8 Optional Select the Metric for the OpenVPN client If multiple active routes match a destination the route with the lowest metric will be used 9 Optional For Username and Password type the login credentials as configured on the OpenVPN server 10 For OVPN file paste the content of the client ovpn file 11 Click Apply to save the configuration and apply the chang...

Page 510: ...ce Format any dynamic_routes edge external hotspot internal ipsec loopback setup Current value config vpn openvpn client name 5 Optional Set the route metric for the OpenVPN server If multiple active routes match a destination the route with the lowest metric will be used config vpn openvpn client name metric value config vpn openvpn client name where value is an integer between 0 and 65535 The d...

Page 511: ... address of the OpenVPN server n Certificates and keys l The CA certificate usually in a ca crt file l The Public key for example client crt l The Private key for example client key Additional configuration items n The route metric for the OpenVPN client n The login credentials for the OpenVPN client if configured on the OpenVPN server n Additional OpenVPN parameters See Configure SureLink active ...

Page 512: ... a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click VPN OpenVPN Clients 4 For Add type a name for the OpenVPN client and click The new OpenVPN client configuration is displayed ...

Page 513: ... port used by the OpenVPN server The default is 1194 13 Paste the contents of the CA certificate usually in a ca crt file the Public key for example client crt and the Private key for example client key into their respective fields The contents will be hidden when the configuration is saved 14 Optional Click to expand Advanced Options to manually set additional OpenVPN parameters a Click Enable to...

Page 514: ...vpn client name 4 The default behavior is to use an OVPN file for client configuration To disable this behavior and configure the client manually config vpn openvpn client name use_file false config vpn openvpn client name 5 Set the mode used by the OpenVPN server config vpn openvpn client name device_type value config vpn openvpn client name where value is either tun or tap The default is tun 6 S...

Page 515: ...me 10 Optional Set the port used by the OpenVPN server config vpn openvpn client name port port config vpn openvpn client name The default is 1194 11 Paste the contents of the CA certificate usually in a ca crt file into the value of the cacert parameter config vpn openvpn client name cacert value config vpn openvpn client name 12 Paste the contents of the public key for example client crt into th...

Page 516: ...has failed and take remedial action Required configuration items n A valid OpenVPN client configuration See Configure an OpenVPN client by using an ovpn file or Configure an OpenVPN client without using an ovpn file for configuration instructions n Enable OpenVPN active recovery n The behavior of the LR54 device upon OpenVPN failure either l Restart the OpenVPN interface l Reboot the device Additi...

Page 517: ...to expand Config Local Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click VPN OpenVPN Clients 4 Create a new OpenVPN client or select an existing one n To create a new OpenVPN client see Configure an OpenVPN client by using an ovpn file or Configure an OpenVPN client without using an ovpn file n To edit an existing OpenVPN...

Page 518: ...or seconds and take the format number w d h m s For example to set Interval to ten minutes enter 10m or 600s The default is 15 minutes 10 For Success condition determine whether the interface should fail over based on the failure of one of the test targets or all of the test targets 11 For Attempts type the number of probe attempts before the WAN is considered to have failed 12 For Response timeou...

Page 519: ...nding an HTTP or HTTPS GET request to the URL specified in Web servers The URL should take the format of http s hostname path n Test DNS servers configured for this interface Tests connectivity by sending a DNS query to the DNS servers configured for this interface n Test the interface status The interface is considered to be down based on l Down time The amount of time that the interface can be d...

Page 520: ...ient1 5 To configure the device to restart the interface when its connection is considered to have failed config vpn openvpn client openvpn_client1 surelink restart true config vpn openvpn client openvpn_client1 This is useful for interfaces that may regain connectivity after restarting such as a cellular modem 6 To configure the device to reboot when the interface is considered to have failed con...

Page 521: ...ays hours minutes or seconds and takes the format number w d h m s For example to set timeout to ten minutes enter either 10m or 600s config vpn openvpn client openvpn_client1 surelink timeout 600s config vpn openvpn client openvpn_client1 The default is 15 seconds 11 Configure test targets a Add a test target config vpn openvpn client openvpn_client1 add surelink target end config vpn openvpn cli...

Page 522: ...pn client openvpn_client1 surelink target 0 http_url value config vpn openvpn client openvpn_client1 surelink target 0 where value uses the format http s hostname path n interface_up The interface is considered to be down based on the interfaces down time and the amount of time an initial connection to the interface takes before this test is considered to have failed l Optional Set the amount of t...

Page 523: ...nt openvpn_client1 surelink target 0 The default is 60 seconds l other Allows you to test another interface s status to create a failover or coupled relationship between interfaces config vpn openvpn client openvpn_client1 surelink target 0 other value config vpn openvpn client openvpn_client1 surelink target 0 If other is set o Set the alternate interface to be tested i Use the to determine avail...

Page 524: ...nfig vpn openvpn client openvpn_client1 surelink target 0 where value is either up or down For example if other_status is set to down but the alternate interface is determined to be up then this test will fail 12 Save the configuration and apply the change config vpn openvpn client openvpn_client1 connection_monitor target 0 save Configuration saved 13 Type exit to exit the Admin CLI Depending on ...

Page 525: ...pe Zone IP Address Port OpenVPN_server1 true tun internal 192 168 30 1 24 1194 OpenVPN_server2 false tun internal 192 168 40 1 24 1194 3 To display details about a specific server show openvpn server name OpenVPN_server1 Server OpenVPN_server1 Enable true Type tun Zone internal IP Address 192 168 30 1 24 Port 1194 Use File true Metric 0 Protocol udp First IP 80 Last IP 99 4 Type exit to exit the A...

Page 526: ...ls about all configured OpenVPN clients type the following at the prompt show openvpn client all Client Enable Status Username Use File Zone OpenVPN_Client1 true connected true internal OpenVPN_Client2 true pending true internal 3 To display details about a specific client show openvpn client name OpenVPN_client1 Client OpenVPN_client1 Enable true Status up Username user1 IP address 123 122 121 12...

Page 527: ...red configuration items n A GRE loopback endpoint interface n GRE tunnel configuration l Enable the GRE tunnel The GRE tunnels are enabled by default l The local endpoint interface l The IP address of the remote device peer Additional configuration items n A GRE key n Enable the device to respond to keepalive packets Task One Create a GRE loopback endpoint interface Web 1 Log into Digi Remote Mana...

Page 528: ...o expand IPv4 10 For Address enter the IP address and subnet mask of the local GRE endpoint for example 10 10 1 1 24 11 Click Apply to save the configuration and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be presented...

Page 529: ...nfig network interface gre_interface 7 Save the configuration and apply the change config network interface gre_interface save Configuration saved 8 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Task Two Configure the GRE tunnel Web 1 Log into Digi Remote Manager or log into the loca...

Page 530: ...or an IP address 9 Optional Enable keepalive reply to enable the device to reply to Cisco GRE keepalive packets 10 Click Apply to save the configuration and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with...

Page 531: ...ted in GRE packets created by this tunnel The key must match the key set by the remote endpoint config vpn iptunnel gre_example key value config vpn iptunnel gre_example where value is an integer between 0 and 4294967295 or an IP address 7 Optional Enable the device to reply to Cisco GRE keepalive packets config vpn iptunnel gre_example keepalive true config vpn iptunnel gre_example 8 Save the co...

Page 532: ...view information about currently configured GRE tunnels Web 1 Log into the LR54 WebUI as a user with Admin access 2 On the menu click Status IP tunnels The IP Tunnels page appears 3 To view configuration details about a GRE tunnel click the configuration icon in the upper right of the tunnel s status pane ...

Page 533: ... 0 2 32 2 Create an IPsec endpoint interface named ipsec_endpoint1 a Zone set to Internal b Device set to Ethernet Loopback c IPv4 Address set to the IP address of the local GRE tunnel 172 30 0 1 32 3 Create a GRE tunnel named gre_tunnel1 a Local endpoint set to the IPsec endpoint interface Interface ipsec_endpoint1 b Remote endpoint set to the IP address of the GRE tunnel on LR54 2 172 30 0 2 4 C...

Page 534: ...d gre_interface2 and add it to the GRE tunnel a Zone set to Internal b Device set to IP tunnel gre_tunnel2 c IPv4 Address set to a virtual IP address on the GRE tunnel 172 31 0 2 30 Configuration procedures Configure the LR54 1 device Task one Create an IPsec tunnel Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configura...

Page 535: ...e testkey 7 Click to expand Remote endpoint 8 For Hostname type public IP address of the LR54 2 device 9 Click to expand Policies 10 For Add Policy click to add a new policy 11 Click to expand Local network 12 For Type select Custom network 13 For Address type the IP address and subnet of the local GRE tunnel 172 30 0 1 32 14 For Remote network type the IP address and subnet of the remote GRE tunn...

Page 536: ...y to testkey config vpn ipsec tunnel ipsec_gre1 auth secret testkey config vpn ipsec tunnel ipsec_gre1 5 Set the remote endpoint to public IP address of the LR54 2 device config vpn ipsec tunnel ipsec_gre1 remote hostname 192 168 101 1 config vpn ipsec tunnel ipsec_gre1 6 Add a policy config vpn ipsec tunnel ipsec_gre1 add policy end config vpn ipsec tunnel ipsec_gre1 policy 0 7 Set the local netw...

Page 537: ... config vpn ipsec tunnel ipsec_gre1 policy 0 remote network 172 30 0 2 32 config vpn ipsec tunnel ipsec_gre1 policy 0 10 Save the configuration and apply the change config ipsec tunnel ipsec_gre1 policy 0 save Configuration saved ...

Page 538: ...int interface Web 1 Click Network Interface 2 For Add Interface type ipsec_endpoint1 and click 3 For Zone select Internal 4 For Device select Ethernet loopback 5 Click to expand IPv4 6 For Address type the IP address of the local GRE tunnel 172 30 0 1 32 7 Click Apply to save the configuration and apply the change ...

Page 539: ...rk device loopback config network interface ipsec_endpoint1 device network device loopback config network interface ipsec_endpoint1 5 Set the IPv4 address to the IP address of the local GRE tunnel 172 30 0 1 32 config network interface ipsec_endpoint1 ipv4 address 172 30 0 1 32 config network interface ipsec_endpoint1 6 Save the configuration and apply the change config vpn ipsec tunnel ipsec_endp...

Page 540: ... config add vpn iptunnel gre_tunnel1 config vpn iptunnel gre_tunnel1 3 Set the local endpoint to the IPsec endpoint interface created in Task two network interface ipsec_endpoint1 config vpn iptunnel gre_tunnel1 local network interface ipsec_endpoint1 config vpn iptunnel gre_tunnel1 4 Set the remote endpoint to the IP address of the GRE tunnel on LR54 2 172 30 0 2 config vpn iptunnel gre_tunnel1 ...

Page 541: ... 1 Click Network Interfaces 2 For Add Interface type gre_interface1 and click 3 For Zone select Internal 4 For Device select the GRE tunnel created in Task three IP tunnel gre_tunnel1 5 Click to expand IPv4 6 For Address type 172 31 0 1 30 for a virtual IP address on the GRE tunnel 7 Click Apply to save the configuration and apply the change ...

Page 542: ...5 Set 172 31 0 1 30 as the virtual IP address on the GRE tunnel config network interface gre_interface1 ipv4 address 172 31 0 1 30 config network interface gre_interface1 6 Save the configuration and apply the change config network interface gre_interface1 save Configuration saved 7 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection...

Page 543: ...layed 3 Click VPN IPsec Tunnels 4 For Add IPsec Tunnel type ipsec_gre2 and click 5 Click to expand Authentication 6 For Pre shared key type the same pre shared key that was configured for the LR54 1 testkey 7 Click to expand Remote endpoint 8 For Hostname type public IP address of the LR54 1 device 9 Click to expand Policies 10 For Add Policy click to add a new policy 11 Click to expand Local netw...

Page 544: ...nfig to enter configuration mode config config 3 Add an IPsec tunnel named ipsec_gre2 config add vpn ipsec tunnel ipsec_gre2 config vpn ipsec tunnel ipsec_gre2 4 Set the pre shared key to the same pre shared key that was configured for the LR54 1 testkey config vpn ipsec tunnel ipsec_gre2 auth secret testkey config vpn ipsec tunnel ipsec_gre2 5 Set the remote endpoint to public IP address of the L...

Page 545: ...e GRE tunnel 172 30 0 1 32 config vpn ipsec tunnel ipsec_gre2 policy 0 remote network 172 30 0 1 32 config vpn ipsec tunnel ipsec_gre2 policy 0 10 Save the configuration and apply the change config vpn ipsec tunnel ipsec_gre2 policy 0 save Configuration saved Task two Create an IPsec endpoint interface Web 1 Click Network Interfaces 2 For Add Interface type ipsec_endpoint2 and click 3 For Zone sel...

Page 546: ...endpoint2 3 Set the zone to internal config network interface ipsec_endpoint2 zone internal config network interface ipsec_endpoint2 4 Set the device to network device loopback config network interface ipsec_endpoint2 device network device loopback config network interface ipsec_endpoint2 5 Set the IPv4 address to the IP address of the local GRE tunnel 172 30 0 2 32 config network interface ipsec_...

Page 547: ...n mode config config 2 Add a GRE tunnel named gre_tunnel2 config add vpn iptunnel gre_tunnel2 config vpn iptunnel gre_tunnel2 3 Set the local endpoint to the IPsec endpoint interface created in Task two network interface ipsec_endpoint2 config vpn iptunnel gre_tunnel2 local network interface ipsec_ endpoint2 config vpn iptunnel gre_tunnel2 4 Set the remote endpoint to the IP address of the GRE tun...

Page 548: ...nel created in Task three IP tunnel gre_tunnel2 5 Click to expand IPv4 6 For Address type 172 31 0 2 30 for a virtual IP address on the GRE tunnel 7 Click Apply to save the configuration and apply the change Command line 1 At the command line type config to enter configuration mode config config 2 Add an interface named gre_interface2 config add network interface gre_interface2 config network inte...

Page 549: ... you may be presented with an Access selection menu Type quit to disconnect from the device L2TP Your LR54 device supports PPP over L2TP Layer 2 Tunneling Protocol Configure a PPP over L2TP tunnel Your LR54 device supports PPP over L2TP Layer 2 Tunneling Protocol The tunnel endpoints are known as L2TP Access Concentrators LAC and L2TP Network Servers LNS Each endpoint terminates the PPP session Re...

Page 550: ...n method l The metric for the tunnel l Enable custom PPP configuration options for the tunnel o Whether to override the default configuration and only use the custom options o Optional configuration data in the format of a pppd options file Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Loca...

Page 551: ... to list additional IP addresses or networks n To limit access to specified IPv6 addresses and networks a Click IPv6 Addresses b For Add Address click c For Address enter the IPv6 address or network that can access the device s service type Allowed values are l A single IP address or host name l A network designation in CIDR notation for example 2001 db8 48 l any No limit to IPv6 addresses that ca...

Page 552: ...f the custom configuration should override the default configuration and only use the custom options iii For Configuration file paste or type the configuration data in the format of a pppd options file k For SureLink see Configure SureLink active recovery for PPP over L2TP 7 To add an L2TP network server a Click to expand L2TP network servers b For Add L2TP network server type a name for the LNS a...

Page 553: ... the tunnel This is used by packet filtering rules and access control lists to restrict network traffic on the tunnel k Optional Custom PPP configuration i Enable custom PPP configuration ii Enable Override if the custom configuration should override the default configuration and only use the custom options iii For Configuration file paste or type the configuration data in the format of a pppd opt...

Page 554: ...n be l A single IP address or host name l A network designation in CIDR notation for example 2001 db8 48 l any No limit to IPv6 addresses that can access the service type Repeat this step to list additional IP addresses or networks n To limit access to hosts connected through a specified interface on the LR54 device config add vpn l2tp acl interface end value config Where value is an interface def...

Page 555: ...al Configuration any dynamic_routes edge external hotspot internal ipsec loopback setup config Repeat this step to include additional firewall zones 5 To add an L2TP access concentrator a Add an LAC config add vpn l2tp lac name config add vpn l2tp lac name where name is the name of the LAC For example to add an LAC named lac_tunnel config add vpn l2tp lac lac_tunnel config vpn l2tp lac lac_tunnel ...

Page 556: ...et the metric for the tunnel config vpn l2tp lac lac_tunnel metric int config vpn l2tp lac lac_tunnel where int is an integer between 0 and 65535 The default is 1 g Set the firewall zone for the tunnel This is used by packet filtering rules and access control lists to restrict network traffic on the tunnel i Use the to determine available zones config vpn l2tp lac lac_tunnel zone Zone The firewall...

Page 557: ...er L2TP 6 To add an L2TP network server a Add an LNS config add vpn l2tp lns name config add vpn l2tp lac name where name is the name of the LNS For example to add an LNS named lns_server config add vpn l2tp lns lns_server config vpn l2tp lns lns_server LACs are enabled by default To disable config vpn l2tp lns lns_server enable false config vpn l2tp lns lns_server b Set the IP address of the L2TP...

Page 558: ...o authenticate If auto chap pap or mschapv2 is selected enter the Username and Password required to authenticate config vpn l2tp lns lns_server username username config vpn l2tp lns lns_server password password config vpn l2tp lns lns_server The default is none f Optional Set the metric for the tunnel config vpn l2tp lns lns_server metric int config vpn l2tp lns lns_server where int is an integer ...

Page 559: ...s file config vpn l2tp lns lns_server custom config_file data config vpn l2tp lns lns_server 7 Save the configuration and apply the change config save Configuration saved 8 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Configure SureLink active recovery for PPP over L2TP You can conf...

Page 560: ...a response to a probe attempt before considering it to have failed To configure the LR54 device to regularly probe the PPP over L2TP connection Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the...

Page 561: ... reboot when the WAN connection is considered to have failed 9 Change the Interval between connectivity tests Allowed values are any number of weeks days hours minutes or seconds and take the format number w d h m s For example to set Interval to ten minutes enter 10m or 600s The default is 15 minutes 10 For Success condition determine whether the interface should fail over based on the failure of...

Page 562: ...S test Tests connectivity by sending a DNS query to the specified DNS server n HTTP test Tests connectivity by sending an HTTP or HTTPS GET request to the URL specified in Web servers The URL should take the format of http s hostname path n Test DNS servers configured for this interface Tests connectivity by sending a DNS query to the DNS servers configured for this interface n Test the interface ...

Page 563: ...nfig vpn l2tp lac lac_tunnel config vpn l2tp lac lac_tunnel 4 Enable active recovery config vpn l2tp lac lac_tunnel surelink enable true config vpn l2tp lac lac_tunnel 5 To configure the device to restart the interface when its connection is considered to have failed config vpn l2tp lac lac_tunnel surelink restart true config vpn l2tp lac lac_tunnel This is useful for interfaces that may regain co...

Page 564: ...ac_tunnel where value is any number of weeks days hours minutes or seconds and takes the format number w d h m s For example to set interval to ten minutes enter either 10m or 600s config vpn l2tp lac lac_tunnel surelink timeout 600s config vpn l2tp lac lac_tunnel The default is 15 seconds 11 Configure test targets a Add a test target config vpn l2tp lac lac_tunnel add surelink target end config v...

Page 565: ...th n interface_up The interface is considered to be down based on the interfaces down time and the amount of time an initial connection to the interface takes before this test is considered to have failed l Optional Set the amount of time that the interface can be down before this test is considered to have failed config vpn l2tp lac lac_tunnel surelink target 0 interface_down_time value config vp...

Page 566: ...be tested i Use the to determine available interfaces config vpn l2tp lac lac_tunnel surelink target 0 other_interface Interface The network interface Format network interface defaultip network interface defaultlinklocal network interface lan1 network interface lan_hotspot network interface loopback network interface wan1 network interface wwan Current value config vpn l2tp lac lac_tunnel surelink...

Page 567: ...upport the configuration of IPsec protocol port traffic selectors This means that you cannot restrict traffic on the IPsec tunnel to L2TP traffic typically UDP port 1701 While multiple L2TP clients are supported on the LR54 by configuring a separate LNS for each client multiple clients behind a Network Address Translation NAT device are not supported because they will all appear to have the same I...

Page 568: ...ls about a specific tunnel show l2tp lac name lac_test2 lac_test2 L2TP Access Concentrator Status Enabled true Status pending 4 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Show the status of L2TP network servers from the Admin CLI 1 Select the device in Remote Manager and click Act...

Page 569: ...ersion 3 L2TPv3 static unmanaged Ethernet tunnels Configure an L2TPv3 tunnel Your LR54 device supports Layer 2 Tunneling Protocol Version 3 L2TPv3 static unmanaged Ethernet tunnels Required configuration items n A name for the L2TPv3 tunnel n Enable the tunnel n The remote endpoint IP address n The local endpoint IP address n The session ID n The peer session ID Additional configuration items n En...

Page 570: ...nel type a name for the tunnel and click 5 For Remote endpoint type the IPv4 address of the remote endpoint 6 For Local endpoint select the interface that will be the local endpoint 7 For Tunnel ID type the tunnel identifier for this tunnel This must match the value for Peer tunnel ID on the remote peer Allowed value is any integer between 1 and 4294967295 8 For Peer tunnel ID type the Tunnel ID o...

Page 571: ...a sequence number to each outgoing packet n Receive Reorder packets if they are received out of order n Both Add a sequence number to each outgoing packet and reorder packets if they are received out of order The default is None h Repeat for additional sessions 11 Click Apply to save the configuration and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Co...

Page 572: ...ace wan1 config vpn l2tpeth L2TPv3_example 6 Set the tunnel identifier for this tunnel This must match the value for peer tunnel ID on the remote peer config vpn l2tpeth L2TPv3_example tunnel_id value config vpn l2tpeth L2TPv3_example where value is any integer between 1 and 4294967295 7 Set the tunnel ID of the remote peer config vpn l2tpeth L2TPv3_example peer_tunnel_id value config vpn l2tpeth ...

Page 573: ...L2TPv3_example session_example peer_session_id value config vpn l2tpeth L2TPv3_example session_example where value is any integer between 1 and 4294967295 12 Optional Set the cookie value to be assigned to the session config vpn l2tpeth L2TPv3_example session_example cookie value config vpn l2tpeth L2TPv3_example session_example Allowed value is 8 or 16 hex digits 13 Optional Set the cookie value ...

Page 574: ...WebUI as a user with Admin access 2 On the menu select Status Under VPN select L2TPv3 Ethernet The L2TPv3 Ethernet page appears 3 To view configuration details about an L2TPV3 tunnel click the configuration icon in the upper right of the tunnel s status pane Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full...

Page 575: ... disconnect from the device NEMO Network Mobility NEMO is a mobile networking technology that provides access to one or more Local Area Networks LANs on your device NEMO creates a tunnel between the home agent on the mobile private network and the LR54 device isolating the connection from internet traffic and advertising the IP subnets of the LANs for remote access and device management Dynamic Mo...

Page 576: ...led by default If it is disabled identify the MTU n Care of address the local network interface that is used to communicate with the peer l If set to Interface identify the local interface to be used Generally this will be the Wireless WAN WWAN or WWAN2 l If set to IP address enter the IP address n The local network of the GRE endpoint negotiated by NEMO l If the local network is set to Interface...

Page 577: ...ent value 9 For Home agent registration lifetime in seconds type the number of seconds until the authorization key expires This is provided by your cellular carrier 10 For MTU discovery leave enabled to determine the maximum transmission unit MTU size If disabled for MTU type the MTU size The default MTU size for LANs on the LR54 device is 1500 The MTU size of the NEMO tunnel wil...

Page 578: ... full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Add a NEMO tunnel For example to add a NEMO tunnel named nemo_example config add vpn nemo nemo_example config vpn nemo nemo_example The NEMO tunnel is enabled by default T...

Page 579: ...s used in the authentication extension when registering This should be normally left at the default setting of 256 unless your service provider indicates a different value config vpn nemo nemo_example spi integer config vpn nemo nemo_example Allowed values are any integer between 256 and 4294967295 10 Set the firewall zone for the NEMO tunnel to internal config vpn nemo nemo_example zone internal ...

Page 580: ...mo nemo_example The default is defaultroute 12 Set the GRE tunnel local endpoint a Set the method to determine the GRE tunnel local endpoint config vpn nemo nemo_example tun_local type value config vpn nemo nemo_example where value is one of n defaultroute Uses the same network interface as the default route n interface If interface is used set the interface i Use the to determine available interf...

Page 581: ... save Configuration saved 15 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Show NEMO status Web 1 Log into the LR54 WebUI as a user with Admin access 2 On the menu select Status NEMO The NEMO page appears 3 To view configuration details about a NEMO tunnel click the configuration ic...

Page 582: ...NEMO Status Enabled true Status up Home Agent 4 3 2 1 Care of Address 10 10 10 1 Interface wwan GRE Tunnel 10 10 10 1 4 3 2 1 Metric 255 MTU 1476 Lifetime Actual 600 Local Network Subnet Status lan1 192 168 2 1 24 Advertized LAN2 192 168 3 1 24 Advertized 4 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconn...

Page 583: ... with key authentication 606 Configure telnet access 609 Configure DNS 614 Simple Network Management Protocol SNMP 622 Location information 629 Modbus gateway 659 System time 677 Network Time Protocol 681 Configure a multicast route 688 Ethernet network bonding 692 Enable service discovery mDNS 697 Use the iPerf service 701 Configure the ping responder service 707 ...

Page 584: ... Set the idle timeout for LR54 users for information about setting the inactivity timeout for the web administration and SSH services To allow web administration or SSH for the External firewall zone Add the External firewall zone to the web administration service Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configurati...

Page 585: ...epending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Add the external zone to the web administration service config add service web_admin acl zone end external config 4 Save the configuration and apply the change config save Configuration saved 5 Type...

Page 586: ...device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Local Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Configuration Services SSH Access Control List Zones 4 For Add Zone click ...

Page 587: ...5 Select External 6 Click Apply to save the configuration and apply the change ...

Page 588: ...to monitor and configure the LR54 device by using the WebUI a browser based interface By default the web administration service is enabled and uses the standard HTTPS port 443 The default access control for the service uses the Internal firewall zone which means that only devices connected to the LR54 s LAN can access the WebUI If this configuration is sufficient for your needs no further configur...

Page 589: ...Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Local Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Services Web administration 4 Click Enable 5 Click Apply to save the configuration and apply the change Command line 1 Select the device in Remote Manager an...

Page 590: ...ype exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Configure the service Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to ...

Page 591: ...vice d Click again to list additional IP addresses or networks n To limit access to specified IPv6 addresses and networks a Click IPv6 Addresses b For Add Address click c For Address enter the IPv6 address or network that can access the device s web administration service Allowed values are l A single IP address or host name l A network designation in CIDR notation for example 2001 db8 48 l any No...

Page 592: ...ed certificate n The SSL certificate and private key must be in PEM format n The private key can use one of the following algorithms l RSA l DSA l ECDSA l ECDH Note Password protected certificate keys are not supported Example a Generate the SSL certificate and private key for example openssl req newkey rsa 2048 nodes keyout key pem x509 days 365 out certificate pem b Paste the contents of certifi...

Page 593: ...here value can be l A single IP address or host name l A network designation in CIDR notation for example 192 168 1 0 24 l any No limit to IPv4 addresses that can access the web administration service Repeat this step to list additional IP addresses or networks n To limit access to specified IPv6 addresses and networks config add service web_admin acl address6 end value config Where value can be ...

Page 594: ...isplay a list of available firewall zones Type firewall zone at the config prompt config firewall zone Zones A list of groups of network interfaces that can be referred to by packet filtering rules and access control lists Additional Configuration any dynamic_routes edge external hotspot internal ipsec loopback setup config Repeat this step to include additional firewall zones 4 Optional If you ha...

Page 597: ...o redirect client HTTP requests to the HTTPS service Legacy port redirection is enabled by default and normally these settings should not be changed To disable legacy port redirection config service web_admin legacy enable false config 9 Save the configuration and apply the change config save Configuration saved 10 Type exit to exit the Admin CLI Depending on your device configuration you may be p...

Page 598: ... service n Multicast DNS mDNS support n A private key to use for communications with the SSH service n Create custom SSH configuration settings See Set the idle timeout for LR54 users for information about setting the inactivity timeout for the SSH service Enable or disable the SSH service The SSH service is enabled by default To disable the service or enable it if it has been disabled Web 1 Log i...

Page 599: ... with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Enable or disable the SSH service n To enable the service config service ssh enable true config n To disable the service config service ssh enable false config 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit...

Page 600: ...e Configuration window is displayed 3 Click Services SSH 4 Optional For Port enter the port number for the service Normally this should not be changed 5 Click Access control list to configure access control n To limit access to specified IPv4 addresses and networks a Click IPv4 Addresses b For Add Address click c For Address enter the IPv4 address or network that can access the device s SSH servic...

Page 601: ...ation for information about firewall zones d Click again to allow access through additional firewall zones 6 Multicast DNS mDNS is enabled by default mDNS is a protocol that resolves host names in small networks that do not have a DNS server To disable mDNS or enable it if it has been disabled click Enable mDNS 7 For Private key type the private key in PEM format If Private key is blank the device...

Page 602: ...signation in CIDR notation for example 192 168 1 0 24 l any No limit to IPv4 addresses that can access the SSH service Repeat this step to list additional IP addresses or networks n To limit access to specified IPv6 addresses and networks config add service ssh acl address6 end value config Where value can be l A single IP address or host name l A network designation in CIDR notation for example 2...

Page 603: ...yword Display a list of available firewall zones Type firewall zone at the config prompt config firewall zone Zones A list of groups of network interfaces that can be referred to by packet filtering rules and access control lists Additional Configuration any dynamic_routes edge external hotspot internal ipsec loopback setup config Repeat this step to include additional firewall zones 4 Optional Se...

Page 604: ... custom enable true config b To override the standard SSH configuration and only use the config_file parameter config service ssh custom override true config n If override is set to true entries in Configuration file will be used in place of the standard SSH configuration n If override is set to false entries in Configuration file will be added to the standard SSH configuration The default is fals...

Page 605: ...9 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device ...

Page 606: ... the user s ssh directory The private and public keys are named id_rsa and id_rsa pub If you need to generate an SSH key pair you can use the ssh keygen application For example the following entry generates an RSA key pair in the user s ssh directory ssh keygen t rsa f ssh id_rsa The private key file is named id_rsa and the public key file is named id_rsa pub The pub extension is automatically app...

Page 607: ... the change Command line You can configure passwordless SSH login for an existing user or include the support when creating a new user See User authentication for information about creating a new user These instructions assume an existing user named temp_user 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin a...

Page 608: ...enter by pasting or typing a public encryption key that this user can use for passwordless SSH login 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device ...

Page 609: ...ulticast DNS mDNS support See Set the idle timeout for LR54 users for information about setting the inactivity timeout for the telnet service Enable the telnet service The telnet service is disabled by default To enable the service Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your d...

Page 610: ...menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Enable the telnet service config service telnet enable true config 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to ...

Page 611: ...onfigure access control n To limit access to specified IPv4 addresses and networks a Click IPv4 Addresses b For Add Address click c For Address enter the IPv4 address or network that can access the device s telnet service Allowed values are l A single IP address or host name l A network designation in CIDR notation for example 192 168 1 0 24 l any No limit to IPv4 addresses that can access the tel...

Page 612: ...DNS is a protocol that resolves host names in small networks that do not have a DNS server To enable mDNS click Enable mDNS 7 Click Apply to save the configuration and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be pre...

Page 613: ...available interfaces Use network interface to display interface information config network interface Interfaces Additional Configuration defaultip Default IP defaultlinklocal Default Link local IP lan1 LAN1 loopback Loopback wan1 WAN1 wwan WWAN config Repeat this step to list additional interfaces n To limit access based on firewall zones config add service telnet acl zone end value config Where v...

Page 614: ...uld not be changed config service telnet port 25 config 6 Save the configuration and apply the change config save Configuration saved 7 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Configure DNS The LR54 device includes a caching DNS server which forwards queries to the DNS servers ...

Page 615: ...eir IP addresses The device is configured by default with the hostname digi device which corresponds to the 192 168 210 1 IP address To configure the DNS server Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your d...

Page 616: ... interface on the LR54 device a Click Interfaces b For Add Interface click c For Interface select the appropriate interface from the dropdown d Click again to allow access through additional interfaces n To limit access based on firewall zones a Click Zones b For Add Zone click c For Zone select the appropriate firewall zone from the dropdown See Firewall configuration for information about firewa...

Page 617: ...cess rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Configure access control n To limit access to specified IPv4 addresses and networks config add service dns acl address end value config Where value can be l A single IP address or host ...

Page 618: ... IP defaultlinklocal Default Link local IP lan1 LAN1 loopback Loopback wan1 WAN1 wwan WWAN config Repeat this step to list additional interfaces n To limit access based on firewall zones config add service dns acl zone end value config Where value is a firewall zone defined on your device or the any keyword Display a list of available firewall zones Type firewall zone at the config prompt config f...

Page 619: ...fig service dns query_all_servers false config 6 Optional Rebind protection By default rebind protection is disabled If enabled this prevents upstream DNS servers from returning private IP addresses To enable config service dns stop_dns_rebind false config 7 Optional Allow localhost rebinding Localhost rebinding is enabled by default if rebind protection is enabled This is useful for Re...

Page 620: ...rvice dns host 0 10 Save the configuration and apply the change config save Configuration saved 11 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Show DNS server You can display status for DNS servers This command is available only at the Admin CLI Command line Show DNS information 1 ...

Page 621: ...n1 fd00 2704 1 wan1 fe80 227 4ff fe2b ae12 wan1 fe80 227 4ff fe44 105b wan1 fe80 240 ffff fe80 23b0 3 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device ...

Page 622: ...onfigure the SNMP access control list to allow the device to receive the packets See Configure Simple Network Management Protocol SNMP Configure Simple Network Management Protocol SNMP Required configuration items n Enable SNMP n Firewall configuration using access control to allow remote connections to the SNMP agent n The user name and password used to connect to the SNMP agent Additional config...

Page 623: ...t Allowed values are l A single IP address or host name l A network designation in CIDR notation for example 192 168 1 0 24 l any No limit to IPv4 addresses that can access the SNMP agent d Click again to list additional IP addresses or networks n To limit access to specified IPv6 addresses and networks a Click IPv6 Addresses b For Add Address click c For Address enter the IPv6 address or network ...

Page 624: ...es in small networks that do not have a DNS server To enable mDNS click Enable mDNS 10 Optional Select the Authentication type either MD5 or SHA The default is MD5 11 Optional Type the Privacy passphrase If not set the password entered above is used 12 Optional Select the Privacy protocol either DES or AES The default is DES 13 Optional Click Enable version 2c access to enable read only access to ...

Page 625: ...MP service Repeat this step to list additional IP addresses or networks n To limit access to hosts connected through a specified interface on the LR54 device config add service snmp acl interface end value config Where value is an interface defined on your device Display a list of available interfaces Use network interface to display interface information config network interface Interfaces Additi...

Page 626: ...snmp username name config 6 Set the password for the user that will be used to connect to the SNMP agent config service snmp password pwd config 7 Optional Set the port number for the SNMP agent The default is 161 config service snmp port port config 8 Optional Configure Multicast DNS mDNS mDNS is a protocol that resolves host names in small networks that do not have a DNS server For the SNMP agen...

Page 627: ...ng on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Download MIBs This procedure is available from the WebUI only Required configuration items n Enable SNMP To download a zip archive of the SNMP MIBs supported by this device Web 1 Log into the LR54 WebUI as a user with Admin access 2 Enable SNMP See Configure Simple Network Man...

Page 628: ...The SNMP page is displayed 4 Click Download ...

Page 629: ... the LR54 device or from external sources to a remote host Additionally the device can be configured to use a geofence to allow you to determine actions that will be taken based on the physical location of the device This section contains the following topics Configure the location service 630 Configure the device to use a user defined static location 632 Configure the device to accept location me...

Page 630: ...r with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Local Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Services Location 4 The locati...

Page 631: ...formation about configuring Destination servers see Forward location information to a remote host 8 For information about configuring Geofence see Configure geofencing 9 Click Apply to save the configuration and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending...

Page 632: ...onfigure the device to use a user defined static location You can configure your LR54 device to use a user defined static location Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c...

Page 633: ...cimal places 10 For Altitude type the altitude of the device Allowed values are an integer followed by m or km for example 100m or 1km 11 Click Apply to save the configuration and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration yo...

Page 634: ...nfig service location source 0 Where alt is an integer followed by m or km for example 100m or 1km 9 Save the configuration and apply the change config save Configuration saved 10 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Configure the device to accept location messages from exte...

Page 635: ...s 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Local Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Services Location Location sources 4 Click to add a location...

Page 636: ...hat can access the location server UDP port d Click again to list additional IP addresses or networks n To limit access to hosts connected through a specified interface on the LR54 device a Click Interfaces b For Add Interface click c For Interface select the appropriate interface from the dropdown d Click again to allow access through additional interfaces n To limit access based on firewall zone...

Page 637: ...onfig Where value can be l A single IP address or host name l A network designation in CIDR notation for example 192.168.1.0/24 l any No limit to IPv4 addresses that can access the location server UDP port Repeat this step to list additional IP addresses or networks n To limit access to specified IPv6 addresses and networks config add service location source 1 acl address6 end value config Where v...

Page 638: ...ess based on firewall zones config add service location source 1 acl zone end value config Where value is a firewall zone defined on your device or the any keyword Display a list of available firewall zones Type firewall zone at the config prompt config firewall zone Zones A list of groups of network interfaces that can be referred to by packet filtering rules and access control lists Additional C...

Page 639: ...sage protocol type of the messages being forwarded either NMEA or TAIP Additional configuration items n Additional remote hosts to which the location messages will be forwarded n Location update interval which determines how often the device will forward location information to the remote hosts n A description of the remote hosts n Specific types of NMEA or TAIP messages that should be forwarded n...

Page 640: ...8 For Communication protocol select either UDP or TCP 9 For Forward interval multiplier select the number of Location update intervals to wait before forwarding location data to this server See Configure the location service for more information about setting the Location update interval 10 For NMEA filters select the filters that represent the types of messages that will be forwarded By default a...

Page 641: ...remote host Optional If NMEA is selected a Select a Talker ID The talker ID is a two character prefix in the NMEA message that identifies the source type The talker ID set here will override the talker ID from all sources and all forwarded sentences will use the configured ID The default setting is Default which means that the talker ID provided by the source will be used b Determine the Behavior ...

Page 642: ...TCP or UDP port on the remote host to which location messages will be sent config service location forward 0 server_port 8000 config service location forward 0 7 Set the number of Location update intervals to wait before forwarding location data to this server See Configure the location service for more information about setting the Location update interval config service location forward 0 interv...

Page 643: ...value is one of n none No messages are sent n empty Send messages with empty fields n last_fix Send messages with information from the last valid fix The default is empty 9 Optional Set the text to prepend to the forwarded message Two variables can be included in the prepended text n s Includes the LR54 device s serial number in the prepended text n v Includes the vehicle ID in the prepended text ...

Page 644: ...type a Use the show command to determine the index number of the message type to be deleted config service location forward 0 show filter_nmea 0 gga 1 gll 2 gsa 3 gsv 4 rmc 5 vtg config service location forward 0 b Use the index number to delete the message type For example to delete the gsa index number 2 message type config service location forward 0 del filter_nmea 2 config service location for...

Page 645: ...ype For example to delete the id index number 2 message type config service location forward 0 del filter_taip 2 config service location forward 0 To add a message type a Change to the filter_taip node config service location forward 0 filter_taip config service location forward 0 filter_taip b Use the add command to add the message type For example to add the id message type config service locati...

Page 646: ...taken when the device s location triggers a geofence event You can define actions for two types of events l Actions taken when the device enters the boundary of the geofence or is inside the boundary when the device boots l Actions taken when the device exits the boundary of the geofence or is outside the boundary when the device boots For each event type l Determine if the action s associated wit...

Page 647: ...e Configuration The Configuration window is displayed 3 Click Services Location Geofence 4 For Add Geofence type a name for the geofence and click The geofence is enabled by default To disable toggle off Enable 5 For Update interval type the amount of time that the geofence should wait between polling for updated location data The default is one minute Allowed values are any number of weeks days h...

Page 648: ...n integer followed by m or km for example 100m or 1km n If Polygonal is selected a Click to expand Coordinates b Click to add a point that represents a vertex of the polygon A vertex is the point at which two sides of a polygon meet c Type the Latitude and Longitude of one of the vertices of the polygon Allowed values are l For Latitude any integer between 90 and 90 with up to six decimal places l...

Page 649: ...ctions For example if the Update interval is 1m one minute and the Number of intervals is 3 the On entry actions will not be performed until the device has been inside the geofence for three minutes d Click to expand Actions e Click to create a new action f For Action type select either l Factory erase to erase the device configuration when the action is triggered l Custom script to execute a cust...

Page 650: ...it actions if the device is inside the geofence when it boots c For Number of intervals type or select the number of Update Intervals that must take place prior to performing the On exit actions For example if the Update interval is 1m one minute and the Number of intervals is 3 the On entry actions will not be performed until the device has been inside the geofence for three minutes d Click to ex...

Page 651: ...esented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Add a geofence config add service location geofence name config service location geofence name where name is a name for the geofence For example config add service location geofence test_geofence config service location geofence test_geofence The ge...

Page 652: ...0 and 180 with up to six decimal places b Set the radius of the circle config service location geofence test_geofence radius radius config service location geofence test_geofence where radius is an integer followed by m or km for example 100m or 1km n If boundary is set to polygonal a Set the coordinates of one vertex of the polygon A vertex is the point at which two sides of a polygon meet i Add ...

Page 653: ... polygon around the Digi headquarters configure a polygon with four points config service location geofence test_geofence add coordinates end config service location geofence test_geofence coordinates 0 latitude 44 927220 config service location geofence test_geofence coordinates 0 longitude 93 399200 config service location geofence test_geofence coordinates 0 config service location geofence tes...

Page 654: ...evice enters the geofence or is inside the geofence when it boots a Optional Configure the device to perform the actions if the device is inside the geofence when it boots config service location geofence test_geofence on_entry bootup true config b Set the number of update_intervals that must take place prior to performing the actions config service location geofence test_geofence on_entry num_ in...

Page 655: ...0 commands script config service location geofence test_geofence on_entry action 0 If the script begins with #! then the file path that follows will be used to invoke the script interpreter If not then the default shell will be used ii To log the output of the script to the system log config service location geofence test_geofence on_entry action 0 syslog_stdout true config service location geofence te...

Page 656: ...peat for any additional actions n To define actions that will be taken when the device exits the geofence or is outside the geofence when it boots a Optional Configure the device to perform the actions if the device is outside the geofence when it boots config service location geofence test_geofence on_exit bootup true config b Set the number of update_intervals that must take place prior to perfo...

Page 657: ... path will be used to invoke the script interpreter If not then the default shell will be used ii To log the output of the script to the system log config service location geofence test_geofence on_exit action 0 syslog_stdout true config service location geofence test_geofence on_exit action 0 iii To log the errors from the script to the system log config service location geofence test_geofence on...

Page 658: ...min CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Show location information You can view status and statistics about location information from either the WebUI or the command line Web 1 Log into the LR54 WebUI as a user with Admin access 2 On the main menu click Status 3 Under Services click Location The device...

Page 659: ...cess selection menu Type admin to access the Admin CLI 2 Use the show location geofence command at the system prompt show location geofence Geofence Status State Transitions Last Transition test_geofence Up Inside 0 3 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Modbus gateway The L...

Page 660: ...ection type is serial o The serial port to be used l Modbus address or addresses to determine if messages should be forwarded to a destination device Additional configuration items n Server configuration l The packet mode l The maximum time between bytes in a packet l If the connection type is set to socket o The port to use o The inactivity timeout o Access control list l If the connection type i...

Page 661: ...ll Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Local Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Services Modbus Gateway 4 Click Enable ...

Page 662: ...cket mode select RTU or RAW if Connection type is set to Socket or ASCII if Connection type is set to Serial for the type of packet that will be used by this connection The default is RTU 6 For Packet idle gap type the maximum allowable time between bytes in a packet Allowed values are between 10 milliseconds and one second and take the format number ms s For example to set Packet idle gap to 20 mi...

Page 663: ...ss or host name l A network designation in CIDR notation for example 2001:db8::/48 l any No limit to IPv6 addresses that can access the web administration service d Click again to list additional IP addresses or networks n To limit access to hosts connected through a specified interface on the LR54 device a Click Interfaces b For Add Interface click c For Interface select the appropriate interface f...

Page 664: ...y this connection The default is RTU 6 For Packet idle gap type the maximum allowable time between bytes in a packet Allowed values are between 10 milliseconds and one second and take the format number ms s For example to set Packet idle gap to 20 milliseconds enter 20ms 7 If Connection type is set to Socket for Inactivity timeout type the amount of time to wait before disconnecting the socket whe...

Page 665: ... For Add Zone click c For Zone select the appropriate firewall zone from the dropdown See Firewall configuration for information about firewall zones d Click again to allow access through additional firewall zones 10 Optional Enable Send broadcast messages to configure the gateway to send broadcast messages to this client 11 For Response timeout type the maximum time to wait for a response to a me...

Page 666: ...n different buses For example if there are two devices on two different buses that have the same Modbus address of 10 you can create two clients on the gateway n Client one l Modbus address filter set to 10 This will configure the gateway to deliver all messages that have the Modbus server address of 10 to this device n Client two l Modbus address filter set to 20 l Adjust Modbus server address se...

Page 667: ...either socket or serial The default is socket n If connection_type is set to socket i Set the IP protocol config service modbus_gateway server test_modbus_server socket protocol value config service modbus_gateway server test_modbus_server where value is either tcp or udp ii Set the port config service modbus_gateway server test_modbus_server socket port config service modbus_gateway server test_m...

Page 668: ...enter either 10m or 600s config service modbus_gateway server test_modbus_server inactivity_timeout 600s config service modbus_gateway server test_modbus_server n If connection_type is set to serial i Set the serial port i Use the ? to determine available serial ports config service modbus_gateway server test_modbus_server serial port Serial Additional Configuration port1 Port 1 config service modb...

Page 669: ...d service modbus_gateway server test_modbus_server config b Add a client config add service modbus_gateway client name config service modbus_gateway client name where name is a name for the client for example config add service modbus_gateway client test_modbus_client config service modbus_gateway client test_modbus_client The Modbus client is enabled by default To disable config service modbus_ga...

Page 670: ...between 10 milliseconds and one second and take the format number ms s For example to set idle_gap to 20 milliseconds enter 20ms v Set the amount of time to wait before disconnecting the socket when it has become inactive config service modbus_gateway client test_modbus_client inactivity_timeout value config service modbus_gateway client test_modbus_client where value is any number of minutes or s...

Page 671: ...t serial packet_mode value config service modbus_gateway client test_modbus_client where value is either rtu or ascii The default is rtu iii Set the maximum allowable time between bytes in a packet config service modbus_gateway client test_modbus_client serial idle_gap value config service modbus_gateway client test_modbus_client where value is any number between 10 milliseconds and one second and...

Page 672: ... more of the filters the message is forwarded If it does not match the filters the message is not forwarded Allowed values are 1 through 255 or a hyphen separated range For example n To have this client filter for incoming messages that contain the Modbus address of 10 set the index 0 entry to 10 config service modbus_gateway client test_modbus_client filter 0 10 config service modbus_gateway clie...

Page 673: ...This allows you to configure clients on the gateway that will forward messages to remote devices with the same Modbus address on different buses For example if there are two devices on two different buses that have the same Modbus address of 10 you can create two clients on the gateway n Client one l filter set to 10 This will configure the gateway to deliver all messages that have the Modbus serv...

Page 674: ... device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 Use the show modbus gateway command at the system prompt show modbus gateway Server Connection IP Address Port Uptime modbus_socket 10 4...

Page 675: ...ections 4 Packet Errors 0 RX Broadcasts 0 RX Requests 12 TX Exceptions 0 TX Responses 12 Clients modbus_socket_41 Address Translation Errors 0 Connection Errors 0 Packet Errors 0 RX Responses 4 RX Timeouts 0 TX Broadcasts 0 TX Requests 4 modbus_socket_21 Address Translation Errors 0 Connection Errors 0 Packet Errors 0 RX Responses 4 RX Timeouts 0 TX Broadcasts 0 TX Requests 4 modbus_serial_client ...

Page 676: ...RX Timeouts 0 TX Broadcasts 0 TX Requests 4 4 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device ...

Page 677: ...NTP server providing NTP services to downstream devices See Network Time Protocol for more information about NTP server support You can also set the local date and time manually if there is no access to NTP servers See Manually set the system date and time for information Configure the system time This procedure is optional The LR54 device s default system time configuration uses the Digi NTP serv...

Page 678: ...the default value of the NTP server a Click NTP servers b For Server type a new server name n To add an NTP server a Click NTP servers b For Add Server click c For Server enter the hostname of the upstream NTP server that the device will use to synchronize its time d Click to add additional NTP servers If multiple servers are included servers are tried in the order listed until one succeeds Note T...

Page 679: ...r log messages It also affects actions that occur at a specific time of day Format Africa Abidjan Africa Accra Africa Addis_Ababa config 4 Optional Add an upstream NTP server that the device will use to synchronize its time to the appropriate location in the list of NTP servers The default setting is time devicecloud com n To delete the default NTP server time devicecloud com config del service nt...

Page 680: ... Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 Test the configured NTP servers for connectivity system time test Testing NTP server time devicecloud com on UDP port 123 server 52 2 40 158 stratum 2 offset 0 000216 delay 0 05800 server 35 164 164 69 stratum 2 offset 0 000991 delay 0 07188 24 Aug 22 ...

Page 681: ...l command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 Set the device's local date and time system time set value where value is the date in year month day hour minute second format For example system time set 2022 08 26 03 41 00 3 Type exit to exit the Admin CLI Depen...

Page 682: ...ing is the Digi NTP server time devicecloud com Additional Configuration Options n Additional upstream NTP servers n Access control list to limit downstream access to the LR54 device s NTP service n The time zone setting if the default setting of UTC is not appropriate To configure the LR54 device s NTP service Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Adm...

Page 683: ...ck again to list additional IP addresses or networks n To limit access to specified IPv6 addresses and networks a Click IPv6 Addresses b For Add Address click c For Address enter the IPv6 address or network that can access the device's NTP service Allowed values are l A single IP address or host name l A network designation in CIDR notation for example 2001:db8::/48 l any No limit to IPv6 addresses ...

Page 684: ...pstream NTP server that the device will use to synchronize its time d Click to add additional NTP servers If multiple servers are included servers are tried in the order listed until one succeeds Note This list is synchronized with the list of servers included with NTP client configuration and changes made to one will be reflected in the other See Configure the system time for more information abo...

Page 685: ... service ntp server 1 time server com config Note This list is synchronized with the list of servers included with NTP client configuration and changes made to one will be reflected in the other See Configure the system time for more information about NTP client configuration 5 Allow the device s local system clock to be used as backup time source config service ntp local true config 6 Optional Co...

Page 686: ...nterfaces Use network interface to display interface information config network interface Interfaces Additional Configuration defaultip Default IP defaultlinklocal Default Link local IP lan1 LAN1 loopback Loopback wan1 WAN1 wwan WWAN config Repeat this step to list additional interfaces n To limit access based on firewall zones config add service ntp acl zone end value config Where value is a fire...

Page 687: ...e is the timezone using the format specified with the following command config system time timezone Timezone The timezone for the location of this device This is used to adjust the time for log messages It also affects actions that occur at a specific time of day Format Africa Abidjan Africa Accra Africa Addis_Ababa config 8 Save the configuration and apply the change config save Configuration sav...

Page 688: ... system prompt show ntp NTP Status Status Status Up Sync Status Up Remote Refid ST T When Poll Reach Delay Offset Jitter ec2 52 2 40 158 129 6 15 32 2 u 191 1024 377 33 570 1 561 0 991 128 136 167 120 128 227 205 3 3 u 153 1024 1 43 583 1 895 0 382 3 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect fro...

Page 689: ... is enabled by default To disable toggle off Enable 6 Type the Source address for the route This must be a multicast IP address between 224.0.0.1 and 239.255.255.255 7 Select a Source interface where multicast packets will arrive 8 To add one or more destination interfaces that the LR54 device will send multicast packets to a Click to expand Destination interfaces b Click c For Destination interfac...

Page 690: ...ce multicast test 6 Set the source interface for the route where multicast packets will arrive a Use the ? to determine available interfaces config service multicast test src_interface Source interface Where the multicast packets will arrive IP routes do not have an effect in the incoming stream Format network interface defaultip network interface defaultlinklocal network interface lan1 network inte...

Page 691: ...config service multicast test src_interface b Set the interface For example config service multicast test add interface end network interface wan1 config service multicast test c Repeat for each additional destination interface 8 Save the configuration and apply the change config save Configuration saved 9 Type exit to exit the Admin CLI Depending on your device configuration you may be presented ...

Page 692: ...ncing as well as fault tolerance n The Ethernet devices in the bonded pool n Create a new network interface for the bonded Ethernet devices and disable any interfaces associated with those Ethernet devices Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in ...

Page 693: ...kup Transmits data on only one of the bonded devices at a time When the active device fails the next available device in the list is chosen This mode provides for fault tolerance n Round robin Alternates between bonded devices to provide load balancing as well as fault tolerance 6 Click to expand Devices 7 Add Ethernet devices a For Add device click b For Device select an Ethernet device to partic...

Page 694: ...thernet bond created above d Complete the rest of the interface configuration See Configure a Wide Area Network WAN or Configure a Local Area Network LAN for further information e Disable any other interfaces associated with the devices that were added to the Ethernet bond For example if ETH1 and ETH2 were added to the Ethernet bond disable the WAN1 and LAN1 interfaces In some cases the device may...

Page 695: ... with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Add a network bond config add network bond name config network bond name For example to create an Ethernet bond named eth_bond config add network bond eth_bond config network bond eth_bond 4 The new network bond is enabled by default To disable config netw...

Page 696: ...net bond a Type to return to the root of the configuration config network bond eth_bond config b Create a new interface for example config add network interface eth_bond_interface config network interface eth_bond_interface c For device select the Ethernet bond created above config network interface eth_bonding_interface device network bond eth_bond config network interface eth_bonding_interface d...

Page 697: ... digi_ap1 4 network wifi ap digi_ap2 config b Use the index number to delete the device from the bridge config del network bridge lan1 device 0 config See Configure a bridge for more information 9 Save the configuration and apply the change config save Configuration saved 10 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Ty...

Page 698: ...rol n To limit access to specified IPv4 addresses and networks a Click IPv4 Addresses b For Add Address click c For Address enter the IPv4 address or network that can access the device's mDNS service Allowed values are l A single IP address or host name l A network designation in CIDR notation for example 192.168.1.0/24 l any No limit to IPv4 addresses that can access the mDNS service d Click agai...

Page 699: ...ones d Click again to allow access through additional firewall zones 6 Click Apply to save the configuration and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to acce...

Page 700: ...rface end value config Where value is an interface defined on your device Display a list of available interfaces Use network interface to display interface information config network interface Interfaces Additional Configuration defaultip Default IP defaultlinklocal Default Link local IP lan1 LAN1 loopback Loopback wan1 WAN1 wwan WWAN config Repeat this step to list additional interfaces n To limi...

Page 701: ...k throughput an interface can handle This is useful when diagnosing network speed issues to determine for example whether a cellular connection is providing expected throughput The LR54 implementation of iPerf3 supports testing with both TCP and UDP Note Using iPerf clients that are at a version earlier than iPerf3 to connect to the LR54 device s iPerf3 server may result in unpredictable results A...

Page 702: ...When the iPerf server is enabled the LR54 device will automatically configure its firewall rules to allow incoming connections on the configured listening port You can restrict access by configuring the access control list for the iPerf server ...

Page 703: ...pand Config Local Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Services iPerf 4 Click Enable 5 Optional For IPerf Server Port type the appropriate port number for the iPerf server listening port 6 Optional Click to expand Access control list to restrict access to the iPerf server n To limit access to specified IPv4 a...

Page 704: ...pecified interface on the LR54 device a Click Interfaces b For Add Interface click c For Interface select the appropriate interface from the dropdown d Click again to allow access through additional interfaces n To limit access based on firewall zones a Click Zones b For Add Zone click c For Zone select the appropriate firewall zone from the dropdown See Firewall configuration for information abou...

Page 705: ...orks n To limit access to specified IPv6 addresses and networks config add service iperf acl address6 end value config Where value can be l A single IP address or host name l A network designation in CIDR notation for example 2001 db8 48 l any No limit to IPv6 addresses that can access the service type Repeat this step to list additional IP addresses or networks n To limit access to hosts connecte...

Page 706: ... interfaces that can be referred to by packet filtering rules and access control lists Additional Configuration any dynamic_routes edge external hotspot internal ipsec loopback setup config Repeat this step to include additional firewall zones 6 Save the configuration and apply the change config save Configuration saved 7 Type exit to exit the Admin CLI Depending on your device configuration you m...

Page 707: ...tes 281 Mbits sec 0 1 60 MBytes 4 9 00 10 00 sec 33 2 MBytes 279 Mbits sec 0 1 60 MBytes ID Interval Transfer Bandwidth Retr 4 0 00 10 00 sec 315 MBytes 264 Mbits sec 37 sender 4 0 00 10 00 sec 313 MBytes 262 Mbits sec receiver iperf Done Configure the ping responder service Your LR54 device s ping responder service replies to ICMP and ICMPv6 echo requests The service is enabled by default You can...

Page 708: ...v4 addresses that can access the ping responder d Click again to list additional IP addresses or networks n To limit access to specified IPv6 addresses and networks a Click IPv6 Addresses b For Add Address click c For Address enter the IPv6 address or network that can access the device s ping responder Allowed values are l A single IP address or host name l A network designation in CIDR notation f...

Page 709: ...ue config 4 Optional Set the port number for the iPerf server listening port The default is 5201 config service iperf port port_number config 5 Optional Set the access control list to restrict access to the iPerf server n To limit access to specified IPv4 addresses and networks config add service iperf acl address end value config Where value can be l A single IP address or host name l A network d...

Page 710: ...ltip Default IP defaultlinklocal Default Link local IP lan1 LAN1 loopback Loopback wan1 WAN1 wwan WWAN config Repeat this step to list additional interfaces n To limit access based on firewall zones config add service iperf acl zone end value config Where value is a firewall zone defined on your device or the any keyword Display a list of available firewall zones Type firewall zone at the config p...

Page 711: ... port 5201 4 local 192 168 3 100 port 54934 connected to 192 168 1 1 port 5201 ID Interval Transfer Bandwidth Retr Cwnd 4 0 00 1 00 sec 26 7 MBytes 224 Mbits sec 8 2 68 MBytes 4 1 00 2 00 sec 28 4 MBytes 238 Mbits sec 29 1 39 MBytes 4 2 00 3 00 sec 29 8 MBytes 250 Mbits sec 0 1 46 MBytes 4 3 00 4 00 sec 31 2 MBytes 262 Mbits sec 0 1 52 MBytes 4 4 00 5 00 sec 32 1 MBytes 269 Mbits sec 0 1 56 MBytes...

Page 712: ...e system restarts at specific intervals or at a specified time This chapter contains the following topics Develop Python applications 713 The use led function 745 Releasing the LEDs to system control 745 Set up the LR54 to automatically run your applications 754 Start an interactive Python session 764 Run a Python application at the shell prompt 764 Configure scripts to run manually 766 Start a ma...

Page 713: ...a Python application In addition to the standard Python library the LR54 includes a set of extensions to access its configuration and interfaces See Python modules The LR54 provides you with the ability to n Run Python applications on the device interactively or from a file n Specify Python applications and other scripts to be run each time the device system restarts at specific intervals or at a ...

Page 714: ...ervice discovery mDNS 4 Configure SSH access a Click Services SSH b Click Enable Note For more information see the following topics Configure SSH access Use SSH with key authentication and Allow remote access for web administration and SSH 5 Enable shell access a Click Authentication Groups admin b Click the Interactive shell access option c If this option is not displayed see Disable shell access...

Page 715: ...nch an application To create build and launch your application 1 Write your Python application code Code can include n Any Python 3 6 standard feature n Access to the LR54 configuration and hardware with the Python modules n Third party modules included in the LR54 for example l pySerial 3 4 l PyModbus 2 3 l Eclipse Paho MQTT Python Client n Any other third party module implemented in Python 2 Ins...

Page 716: ... device s configuration and interfaces The following submodules are included with the digidevice module l LEDs digidevice led l SMS digidevice sms l GPS digidevice location l Digi Remote Manager o digidevice datapoint o digidevice device_request o digidevice name l Device configuration digidevice config l Command line interface digidevice cli l Access runtime database digidevice runt l Set the mai...

Page 717: ...be to topics and receive published messages Note Module related documentation is in the Digidevice module section Digidevice module The Python digidevice module provides platform specific extensions that allow you to interact with the device s configuration and interfaces The following submodules are included with the digidevice module This section contains the following topics ...

Page 718: ...ython command with no parameters to enter an interactive Python session python Python 3 10 1 default May 9 2021 22 49 59 GCC 8 3 0 on linux Type help copyright credits or license for more information 3 Import the cli submodule from digidevice import cli 4 Execute a CLI command using the cli execute command function For example to print the system status and statistics to stdout using the show syst...

Page 719: ...n python Python 3 10 1 default May 9 2021 22 49 59 GCC 8 3 0 on linux Type help copyright credits or license for more information 3 Import the cli submodule from digidevice import cli 4 Use the help command with cli execute help cli execute Help on function execute in module digidevice cli execute command timeout 5 Execute a CLI command with the timeout specified returning the results 5 Use Ctrl D...

Page 720: ...ay 9 2021 22 49 59 GCC 8 3 0 on linux Type help copyright credits or license for more information 3 Import the datapoint submodule and other necessary modules from digidevice import datapoint import time 4 Upload the datapoints to Remote Manager datapoint upload Velocity 69 units mph datapoint upload Temperature 24 geo_location 54 409469 1 718836 129 datapoint upload Emergency_Door closed timestam...

Page 721: ... the Digi Remote Manager Programmers Guide for more information on web services and datapoints Help for using Python to upload custom datapoints to Remote Manager Get help for uploading datapoints to your Digi Remote Manager account by accessing help for datapoint upload and datapoint upload_multiple 1 Select a device in Remote Manager that is configured to allow shell access to the admin user and...

Page 722: ...device configuration Use the config Python module to access and modify the device configuration Read the device configuration 1 Select a device in Remote Manager that is configured to allow shell access to the admin user and click Actions Open Console Alternatively log into the LR54 local command line as a user with shell access Depending on your device configuration you may be presented with an A...

Page 723: ...cfg config load interfaces cfg get network interfaces print interfaces get lan ipv4 address Which returns 192 168 2 1 24 Modify the device configuration Use the set and commit methods to modify the device configuration 1 Select a device in Remote Manager that is configured to allow shell access to the admin user and click Actions Open Console Alternatively log into the LR54 local command line as a...

Page 724: ... configuration by accessing help for digidevice config 1 Select a device in Remote Manager that is configured to allow shell access to the admin user and click Actions Open Console Alternatively log into the LR54 local command line as a user with shell access Depending on your device configuration you may be presented with an Access selection menu Type shell to access the device shell 2 At the she...

Page 725: ...uest module on your LR54 device to create a response 1 Select a device in Remote Manager that is configured to allow shell access to the admin user and click Actions Open Console Alternatively log into the LR54 local command line as a user with shell access Depending on your device configuration you may be presented with an Access selection menu Type shell to access the device shell 2 At the shell...

Page 726: ... of the device d Click Add e Click OK 3 Click Examples SCI Data Service Send Request Code similar to the following will be displayed in the HTTP message body text box sci_request version 1 0 data_service targets device id 00000000 00000000 0000FFFF A83CF6A3 targets requests device_request target_name myTarget my payload string device_request requests data_service sci_request Note The value of the ...

Page 727: ...rbose def status_cb error_code error_description if error_code 0 print error handling showSystem device request s error_description device_request register showSystem handler status_callback status_cb Do not let the process finish so that it handles device requests while True time sleep 10 2 Upload the showsystem py application to the etc config scripts directory on two or more Digi devices In t...

Page 728: ...r device ii Click the Device ID iii Click Settings iv Click to expand Config Local Web UI i On the menu click System Under Configuration click Device Configuration The Configuration window is displayed iii Click System Scheduled tasks Custom scripts iv Click to add a custom script v For Label type Show system application vi For Run mode select On boot vii For Exit action select Restart script ...

Page 729: ...pplication entry config add system schedule script end config system schedule script 0 Scheduled scripts are enabled by default To disable config system schedule script 0 enable false config system schedule script 0 iv Provide a label for the script config system schedule script 0 label Show system application v Configure the application to run automatically when the device reboots config system s...

Page 730: ...s Open Console Alternatively log into the LR54 local command line as a user with shell access Depending on your device configuration you may be presented with an Access selection menu Type shell to access the device shell ii Type the following at the shell prompt python etc config scripts showsystem py iii Exit the shell exit 4 In Remote Manager click Documentation API Explorer 5 Select the device...

Page 731: ...sci_reply version 1 0 data_service device id 00000000 00000000 0000FFFF A83CF6A3 requests device_request target_name showSystem status 0 Model Digi LR54 Serial Number LR54 000068 Hostname LR54 MAC 00 40 D0 13 35 36 Hardware Version 50001959 01 A Firmware Version 22 8 33 50 Bootloader Version 1 Firmware Build Date Mon 26 August 2022 03 41 00 Schema Version 461 Timezone UTC Current Time Mon 26 Augus...

Page 732: ...y Usage MB MB Disk tmp Usage 0 004MB 40 96MB 0 Disk var Usage 0 820MB 32 768MB 3 device_request requests device data_service sci_request Help for using Python to respond to Digi Remote Manager SCI requests Get help for responding to Digi Remote Manager Server Command Interface SCI requests by accessing help for digidevice device_request 1 Select a device in Remote Manager that is configured to allow...

Page 733: ...nd with device_request unregister help device_request unregister Help on function unregister in module digidevice device_request unregister target str bool 5 Use Ctrl D to exit the Python session You can also exit the session using exit or quit Use digidevice runtime to access the runtime database Use the runt submodule to access and modify the device runtime database Read from the runtime databas...

Page 734: ...m network pam serial system b Print available keys for the system key print runt keys system This will return the following boot_count chassis cpu_temp cpu_usage disk load_avg local_time mac mcu model ram serial uptime c Use the get method to print the device s MAC address print runt get system mac This will return the MAC address of the device 6 Use the stop method to close the runtime database 7...

Page 735: ...iable my value 6 Use the get method to verify the change print runt get my variable my variable 7 Close the runtime database runt stop 8 Use Ctrl D to exit the Python session You can also exit the session using exit or quit Help for using Python to access the runtime database Get help for reading and modifying the device runtime database by accessing help for digidevice runt 1 Select a device in R...

Page 736: ... will be removed from the previous device and added to the new device n If Remote Manager is configured to apply a profile to a device based on the device name changing the name of the device may cause Remote Manager to automatically push a profile onto the device Together these two features allow you to swap one device for another by using the name submodule to change the device name while guaran...

Page 737: ... copyright credits or license for more information 3 Import the name submodule from digidevice import name 4 Upload the name to Remote Manager name upload my_name 5 Use Ctrl D to exit the Python session You can also exit the session using exit or quit Help for uploading the device name to Digi Remote Manager Get help for uploading the device name to Digi Remote Manager by accessing help for digidev...

Page 738: ...pshot can be subsequently updated by using the update method Determine if the device s location 1 Select a device in Remote Manager that is configured to allow shell access to the admin user and click Actions Open Console Alternatively log into the LR54 local command line as a user with shell access Depending on your device configuration you may be presented with an Access selection menu Type shel...

Page 739: ...session You can also exit the session using exit or quit Update the location data The location submodule takes a snapshot of the current location and stores it in the runtime database You can update this snapshot 1 Select a device in Remote Manager that is configured to allow shell access to the admin user and click Actions Open Console Alternatively log into the LR54 local command line as a user w...

Page 740: ...e admin user and click Actions Open Console Alternatively log into the LR54 local command line as a user with shell access Depending on your device configuration you may be presented with an Access selection menu Type shell to access the device shell 2 At the shell prompt use the python command with no parameters to enter an interactive Python session python Python 3 10 1 default May 9 2021 22 49 ...

Page 741: ...ity 0 0 source_idx 1 label gnss source_idx 1 quality No Fix Invalid state Enabled signal utc_date_time Aug 26 2022 03 41 00 vertical_velocity 0 0 6 Use Ctrl D to exit the Python session You can also exit the session using exit or quit Help for the digidevice location module Get help for the digidevice location module 1 Select a device in Remote Manager that is configured to allow shell access to t...

Page 742: ...r more details 1 Select a device in Remote Manager that is configured to allow shell access to the admin user and click Actions Open Console Alternatively log into the LR54 local command line as a user with shell access Depending on your device configuration you may be presented with an Access selection menu Type shell to access the device shell 2 At the shell prompt use the python command with no...

Page 743: ...evice configuration you may be presented with an Access selection menu Type shell to access the device shell 2 At the shell prompt use the python command with no parameters to enter an interactive Python session python Python 3 10 1 default May 9 2021 22 49 59 GCC 8 3 0 on linux Type help copyright credits or license for more information 3 Import the maintenance submodule from digidevice import ma...

Page 744: ... Blue GNSS Led GNSS Green WIFI1 LR54W only Led WIFI1 Green WIFI2 LR54W only Led WIFI2 Green WWAN1 Signal Led WWAN1_SIGNAL_GREEN Green Led WWAN1_SIGNAL_YELLOW Yellow WWAN1 Service Led WWAN1_SERVICE_GREEN Green Led WWAN1_SERVICE_YELLOW Yellow Available LED states State Attribute name Solid on State ON Off State OFF Slow flash State FLASH_SLOW Fast flash State FLASH_FAST Use Python to set the state o...

Page 745: ...ntrol During a Python interactive session or from within a Python script you can release control of the LED from Python to system control using the led release method If the Python script or session terminates prior to releasing control to the system the LEDs will continue to have the state that Python set to them until the device is rebooted See Configure scripts to run automatically for informat...

Page 746: ...s 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Local Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click System Scheduled tasks 4 Click to enable Allow scheduled scr...

Page 747: ...n and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device See Configure scripts to run automatically for more information about scheduling scripts Example digidevice sms code The following example code receives an SMS message and sends a r...

Page 748: ...to a USB Human Interface Device HID from within a Python script For example to determine information about a USB connected keyboard 1 Select a device in Remote Manager that is configured to allow shell access to the admin user and click Actions Open Console Alternatively log into the LR54 local command line as a user with shell access Depending on your device configuration you may be presented wit...

Page 749: ...D to exit the Python session You can also exit the session using exit or quit Help for the hid module Get help for the hid module 1 Select a device in Remote Manager that is configured to allow shell access to the admin user and click Actions Open Console Alternatively log into the LR54 local command line as a user with shell access Depending on your device configuration you may be presented with ...

Page 750: ...serial ports 1 Select a device in Remote Manager that is configured to allow shell access to the admin user and click Actions Open Console Alternatively log into the LR54 local command line as a user with shell access Depending on your device configuration you may be presented with an Access selection menu Type shell to access the device shell 2 Determine the path to the serial port ls dev serial ...

Page 751: ...ts and system information to the MQTT server at 192 168 1 100 The MQTT server IP is configurable MQTT client example Reporting some device metrics from runt Reporting DHCP clients Firmware update feature simple implementation read TODO in cmd_fwupdate import sys import time import paho mqtt client as mqtt import json from acl import runt config from http import HTTPStatus import urllib request imp...

Page 752: ...irmware update finished return HTTPStatus OK CMD_HANDLERS reboot cmd_reboot fw update cmd_fwupdate def send_cmd_reply client cmd_path cid cmd status if not status or not cid return if cmd_path startswith PREFIX_CMD path cmd_path len PREFIX_CMD else print Invalid command path cannot send reply format cmd_path return reply cmd cmd status status client publish PREFIX_RSP path cid json dumps reply sep...

Page 753: ...int Invalid command format cmd status HTTPStatus NOT_IMPLEMENTED send_cmd_reply client msg topic cid cmd status def publish_dhcp_leases leases try with open etc config dhcp leases r as f for line in f elems line split if len elems 5 continue leases append mac elems 1 ip elems 2 host elems 3 if leases client publish PREFIX_EVENT leases json dumps leases separators except print Failed to open DHCP l...

Page 754: ...True publish_dhcp_leases publish_system time sleep POLL_TIME Set up the LR54 to automatically run your applications This section contains the following topics n Configure scripts to run automatically n Show script information n Stop a script that is currently running Configure scripts to run automatically You can configure a script or a python application to run automatically when the system resta...

Page 755: ...e l None l Restart the script l Reboot the device n Whether to write the script output and errors to the system log n If the script is set to run at a specified interval whether another instance of the script should be run at the specified interval if the previous instance is still running n The memory available to be used by the script n Whether the script should run one time only Task one Upload...

Page 756: ...ername is the name of the user on the remote host n remote path is the path and filename of the file on the remote host that will be copied to the LR54 device n local path is the location on the LR54 device where the copied file will be placed For example To upload a script from a remote host with an IP address of 192 168 4 1 to the etc config scripts directory on the LR54 device issue the followi...

Page 757: ...ration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Local Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click System Scheduled tasks Custom scripts 4 For Add Script click The script configuration win...

Page 758: ...minutes enter 10m or 600s l Click to enable Run single to run only a single instance of the script at a time If Run single is not enabled a new instance of the script will be started at every interval regardless of whether the script is still running from a previous interval n Set time Runs the script at a specified time of the day l If Set Time is selected specify the time that the script should ...

Page 759: ...Apply to save the configuration and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mod...

Page 760: ... ten minutes enter either 10m or 600s config system schedule script 0 on_interval 600s config system schedule script 0 l Optional Configure the script to run only a single instance at a time config system schedule script 0 once true config system schedule script 0 If once is set to false a new instance of the script will be started at every interval regardless of whether the script is still runnin...

Page 761: ...nly the script s exit code is written to the system log 8 Set the maximum amount of memory available to be used by the script and its subprocesses config system schedule script 0 max_memory value config system schedule script 0 where value uses the syntax number b bytes KB k MB MB M GB G TB T 9 To run the script only once at the specified time config system schedule script 0 once true config syste...

Page 762: ...splays Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 Use the show scripts command at the system prompt show scripts Index Label Enabled Status Run time 0 scr...

Page 763: ...hts Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 Determine the name of scripts that are currently running show scripts Index Label Enabled Status Run time 0 script1 true active 1 script2 true idle 01 00 Scripts that are currently running have the status of active 3 Stop the appropriate script system script stop scrip...

Page 764: ...ll prompt use the python command with no parameters to enter an interactive Python session python Python 3 10 1 default May 9 2021 22 49 59 GCC 8 3 0 on linux Type help copyright credits or license for more information 3 Type Python commands at the Python prompt For example to view help for the digidevice module type help digidevice Help on package digidevice NAME digidevice Digi device python ext...

Page 765: ...e device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI b At the command line use the scp command to upload the Python application script to the LR54 device scp host hostname or ip user usernam...

Page 766: ...dmin user and click Actions Open Console Alternatively log into the LR54 local command line as a user with shell access Depending on your device configuration you may be presented with an Access selection menu Type shell to access the device shell 3 Use the python command to run the Python application In the following example the Python application test py takes 3 parameters 120 ports and storage ...

Page 767: ... Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line use the scp command to upload the Python application script to the LR54 device scp host hostname or ip user username remote remote path local local path to local where n hostname or ip is the hostname or ip address of the remote hos...

Page 768: ...mand when logged in with shell access. Task two: Configure the application to run automatically. Note: This feature does not provide syntax or error checking. Certain commands can render the device inoperable. Use with care. Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as descr...

Page 769: ...cute the script n If a Python script is being used include the full path to the Python script For example python etc config scripts test py n If the script begins with then the script will be invoked in the location specified by the path for the script command Otherwise the default shell will be used equivalent to bin sh 8 Script logging options a Click to enable Log script output to log the scrip...

Page 770: ...ange Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Add a script config add system...

Page 771: ...g config system schedule script 0 syslog_stderr true config system schedule script 0 If syslog_stdout and syslog_stderr are not enabled only the script s exit code is written to the system log 8 Set the maximum amount of memory available to be used by the script and its subprocesses config system schedule script 0 max_memory value config system schedule script 0 where value uses the syntax number ...

Page 772: ...a user with Admin access 2 At the Status page click Scripts The Scripts page displays 3 For scripts that are enabled and configured to have a run mode of Manual click Start Script to start the script Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration...

Page 773: ...pt system script start script1 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device ...

Page 774: ...5 Authentication groups 783 Local users 794 Terminal Access Controller Access Control System Plus TACACS 808 Remote Authentication Dial In User Service RADIUS 815 LDAP 821 Configure serial authentication 828 Disable shell access 831 Set the idle timeout for LR54 users 832 Example user configuration 835 ...

Page 775: ...ns for a group You can modify the released groups and create additional groups as needed for your site A user can be assigned to more than one group n admin Provides the logged in user with administrative and shell access n serial Provides the logged in user with access to serial ports Users Defines local users for the LR54 n admin Belongs to both the admin and serial groups TACACS Configures supp...

Page 776: ...tion Dial In User Service RADIUS for information about configuring RADIUS authentication n TACACS Users authenticated by using a remote TACACS server for authentication See Terminal Access Controller Access Control System Plus TACACS for information about configuring TACACS authentication n LDAP Users authenticated by using a remote LDAP server for authentication See LDAP for information about con...

Page 777: ...Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Local Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is dis...

Page 778: ... in the list 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Add the new authentication method t...

Page 779: ...on in the list use an index value to indicate the appropriate position For example config add auth method 1 auth_type config where auth_type is one of local radius tacacs or ldap n You can also use the move command to rearrange existing methods See Rearrange the position of authentication methods for information about how to reorder the authentication methods 4 Save the configuration and apply the...

Page 780: ...ick the menu icon next to the method and select Delete 5 Click Apply to save the configuration and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin C...

Page 781: ...resented with an Access selection menu Type quit to disconnect from the device Rearrange the position of authentication methods Web Authentication methods are reordered by changing the method type in the Method drop down for each authentication method to match the appropriate order For example the following configuration has Local users as the first method and RADIUS as the second To reorder these...

Page 782: ... the second Method 6 In the Method drop down select Local users 7 Click Apply to save the configuration and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access th...

Page 783: ...s Users with Admin access can be configured to have either l The ability to manage the LR54 device by using the WebUI or the Admin CLI l Read only access to the WebUI and Admin CLI n Shell access Users with Shell access have the ability to access the shell when logging into the LR54 via ssh telnet or the serial console Shell access is not available if the Allow shell parameter has been disabled Se...

Page 784: ...tication Authentication groups This section contains the following topics: Change the access rights for a predefined group (785), Add an authentication group (787), Delete an authentication group (792) ...

Page 785: ...n Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Local Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Authentication Groups 4 Click the authentication group to be changed either admin or serial to expand its configuration node 5 Click the box next ...

Page 786: ...ion about the Allow shell parameter 6 Click Apply to save the configuration and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command...

Page 787: ... information about the Allow shell parameter n Serial access l To enable Serial access for the admin group config auth group admin acl serial enable true config 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the devi...

Page 788: ...nager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Local Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Authentication Groups 4 For Add type a name for the group and click The group configuration window is dis...

Page 789: ... which users of this group have access a Click Serial ports to expand the Serial ports node b For Add Port click c In the Port dropdown select a port d Click again to add additional serial ports 7 Optional Configure OpenVPN access See for further information 8 Optional Configure captive portal access a Enable captive portal access rights for users of this group by checking the box next to Captive ...

Page 790: ...nted with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Use the add auth group command to add a new authentication For example to add a group named test config add auth group test config auth group test 4 Enable access rights for the group n Admin access config auth group test acl admin enable true config n...

Page 791: ... available portals config show firewall portal portal1 auth none enable true http redirect no interface no message no redirect_url no terms timeout 24h no title config ii Add a captive portal config add auth group test acl portal portals end portal1 config 6 Optional Configure Nagios monitoring config auth group test acl nagios enable true config 7 Optional Enable users that belong to this group t...

Page 792: ...preconfigured authentication groups admin and serial These groups cannot be deleted To delete an authentication group that you have created Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Dev...

Page 793: ...ne as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 At the config prompt type config del auth group groupname 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exi...

Page 794: ... the device and is the most critical security feature for the device If you reset the device to factory defaults you must log in using the default user and password and you should immediately change the password to a custom password Before deploying or mounting the LR54 device record the default password so you have the information available when you need it even if you cannot physically access th...

Page 795: ...tem Under Configuration click Device Configuration The Configuration window is displayed 3 Click Authentication Users 4 Click the username to expand the user s configuration node 5 For Password enter the new password The password must be at least eight characters long and must contain at least one uppercase letter one lowercase letter one number and one special character For the admin user the pas...

Page 796: ...t in the device's configuration being erased and reset to the default configuration. You can also change the password for the active user by clicking the user name in the menu bar. The active user must have full Admin access rights to be able to change the password. 6. Click Apply to save the configuration and apply the change ...

Page 797: ... Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Configure a local user Required configuration items n A username n A password The password must be at least eight characters long and must contain at least one uppercase letter one lowercase letter one number and one special character For security reasons passwords are...

Page 798: ...sscode reuse time based verification only l The passcode refresh interval time based verification only l The valid code window size l The login limit l The login limit period l One time use eight digit emergency scratch codes To configure a local user Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Man...

Page 799: ...e the same alias the alias will be disabled 6 Enter a password for the user The password must be at least eight characters long and must contain at least one uppercase letter one lowercase letter one number and one special character 7 Click to expand Login failure lockout The login failure lockout feature is enabled by default To disable toggle off Enable a For Lockout tries type the number of uns...

Page 800: ... for the user to use passwordless SSH login a Click SSH keys b In Add SSH key paste or type a public encryption key that this user can use for passwordless SSH login and click 10 Optional Configure two factor authentication for SSH telnet and serial console login a Click Two factor authentication b Check Enable to enable two factor authentication for this user c Select the Verification type n Time...

Page 801: ...he amount of time that the user is allowed to attempt to log in. Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}. For example, to set Login limit period to ten minutes, enter 10m or 600s. j. Scratch codes are emergency codes that may be used once, at any time. To add a scratch code: i. Click Scratch codes ii. For Add Code click iii. For Code enter the ...

Page 802: ...alse config auth user new_user a Set the number of unsuccessful login attempts before the user is locked out of the device where value is any integer The minimum value is 1 and the default value is 5 b Set the amount of time that the user is locked out after the number of unsuccessful login attempts defined in lockout tries config auth user new_user lockout duration value config auth user new_user...

Page 803: ...o use passwordless SSH login a Change to the user s ssh_key node config auth user new_user ssh_key config auth user new_user ssh_key b Add the key by using the ssh_key command and pasting or typing a public encryption key that this user can use for passwordless SSH login config auth user new_user ssh_key ssh_key key config auth user new_user ssh_key 9 Optional Configure two factor authentication f...

Page 804: ...s the format number{w|d|h|m|s}. For example, to set refresh_interval to ten minutes, enter either 10m or 600s: config auth user name 2fa refresh_interval 600s config auth user name 2fa The default is 30s. g. Configure the valid code window size. This represents the allowed number of concurrently valid codes. In cases where TOTP is being used, increasing the valid code window size may be necessary when the c...

Page 805: ... end code config auth user new_user 2fa scratch_code Where code is an eight-digit number with a minimum of 10000000. iii. To add additional scratch codes, use the add end code command again. 10. Save the configuration and apply the change: config auth user new 2fa scratch_code save Configuration saved 11. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access...

Page 806: ...menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Authentication Users 4 Click the menu icon next to the name of the user to be deleted and select Delete 5 Click Apply to save the configuration and apply the change ...

Page 807: ... may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 At the config prompt type config del auth user username 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Acc...

Page 808: ...nd connection parameters to a TACACS server over TCP The TACACS server then authenticates the TACACS client requests and sends back a response message to the device When you are using TACACS authentication you can have both local users and TACACS users able to log in to the device To use TACACS authentication you must set up a TACACS server that is accessible by the LR54 device prior to configurat...

Page 809: ... sudo gedit etc tacacs tac_plus conf 2 Add users to the file using the following format This example will create two users one with admin and serial access and one with only serial access user user1 name User1 for LR54 pap cleartext password1 service system groupname admin serial user user2 name User2 for LR54 pap cleartext password2 service system groupname serial The groupname attribute is optio...

Page 810: ...lable or if the user is not defined on the TACACS server then you should list the TACACS authentication method prior to the Local users authentication method See User authentication methods for more information about authentication methods If the TACACS servers are unavailable and the LR54 device falls back to local authentication only users defined locally on the device are able to log in TACACS ...

Page 811: ...Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Local Web UI a On the menu click System Under Configuration click Device Configuration The Configuration w...

Page 812: ...the TACACS server's configuration to identify the LR54 authentication group or groups that the user is a member of. For example, in TACACS user configuration, the group attribute in the sample tac_plus.conf file is groupname, which is also the default setting in the LR54 configuration. 7. (Optional) For Service, type the value of the service attribute in the TACACS server's configuration. For example in...

Page 813: ...min CLI 2 At the command line type config to enter configuration mode config config 3 Optional Prevent other authentication methods from being used if TACACS authentication fails Other authentication methods will only be used if the TACACS server is unavailable config auth tacacs authoritative true config 4 Optional Configure the group_attribute This is the name of the attribute used in the TACACS...

Page 814: ...rver end config auth tacacs server 0 b Enter the TACACS server s IP address or hostname config auth tacacs server 0 hostname hostname ip address config auth tacacs server 0 c Optional Change the default port setting to the appropriate port config auth tacacs server 0 port port config auth tacacs server 0 d Optional Repeat the above steps to add additional TACACS servers 9 Add TACACS to the authent...

Page 815: ...erver over UDP The RADIUS server then authenticates the RADIUS client requests and sends back a response message to the device When you are using RADIUS authentication you can have both local users and RADIUS users able to log in to the device To use RADIUS authentication you must set up a RADIUS server that is accessible by the LR54 device prior to configuration The process of setting up a RADIUS...

Page 816: ...ely if the user is also configured as a local user on the LR54 device and the RADIUS server authenticates the user but does not return any groups the local configuration determines the list of groups See Authentication groups for more information about authentication groups The Unix FTP Group Names attribute can contain one group or multiple groups in a comma separated list 3 Save and close the fi...

Page 817: ...a RADIUS server for authentication and authorization Required configuration items n Define the RADIUS server IP address or domain name n Define the RADIUS server shared secret n Add RADIUS as an authentication method for your LR54 device Additional configuration items n Whether other user authentication methods should be used in addition to the RADIUS server or if the RADIUS server should be consi...

Page 818: ...this should be left at the default setting of port 1812 d For Secret type the RADIUS server s shared secret This is configured in the secret parameter of the RADIUS server s client conf file for example secret testing123 e For Timeout type or select the amount of time in seconds to wait for the RADIUS server to respond Allowed value is any integer from 3 to 60 The default value is 3 f Optional Cli...

Page 819: ... the order they are listed until the first successful authentication result is returned See Rearrange the position of authentication methods for information about rearranging the position of the methods in the list 9 Click Apply to save the configuration and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as...

Page 820: ...ing to the appropriate port config auth radius server 0 port port config auth radius server 0 d Configure the amount of time in seconds to wait for the RADIUS server to respond Allowed value is any integer from 3 to 60 The default value is 3 config auth radius server 0 timeout value config auth radius server 0 e Optional Repeat the above steps to add additional RADIUS servers 7 Add RADIUS to the a...

Page 821: ... parameters to an LDAP server The LDAP server then authenticates the LDAP client requests and sends back a response message to the device When you are using LDAP authentication you can have both local users and LDAP users able to log in to the device To use LDAP authentication you must set up a LDAP server that is accessible by the LR54 device prior to configuration The process of setting up a LDA...

Page 822: ...ng the following format dn uid john dc example dc com objectClass inetOrgPerson cn John Smith sn Smith uid john userPassword password ou admin serial n The value of uid and userPassword must correspond to the username and password used to log into the LR54 device n The ou attribute is optional If used the value must correspond to authentication groups configured on your LR54 Alternatively if the u...

Page 823: ...P server then you should list the LDAP authentication method prior to the Local users authentication method See User authentication methods for more information about authentication methods If the LDAP servers are unavailable and the LR54 device falls back to local authentication only users defined locally on the device are able to log in LDAP users cannot log in until the LDAP servers are brought...

Page 824: ...the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Local Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Authentication LDAP Servers ...

Page 825: ...This is the preferred method for LDAP 7 If Enable TLS or Start TLS are selected for TLS connection n Leave Verify server certificate at the default setting of enabled to verify the server certificate with a known Certificate Authority n Disable Verify server certificate if the server is using a self signed certificate 8 Optional For Server login type a distinguished name DN that is used to bind to...

Page 826: ...lt is returned See Rearrange the position of authentication methods for information about rearranging the position of the methods in the list 15 Click Apply to save the configuration and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configura...

Page 827: ...this option unset if the server allows anonymous connections config auth ldap bind_dn dn_value config For example config auth ldap bind_dn cn user dc example dc com config 7 Set the password used to log into the LDAP server Leave this option unset if the server allows anonymous connections config auth ldap bind_password password config 8 Set the distinguished name DN on the server to search for us...

Page 828: ... the appropriate port config auth ldap server 0 port port config auth ldap server 0 d Optional Repeat the above steps to add additional LDAP servers 13 Add LDAP to the authentication methods Authentication methods are attempted in the order they are listed until the first successful authentication result is returned This example will add LDAP to the end of the list See User authentication methods ...

Page 829: ...TLS certificate and private key in PEM format If empty the certificate for the web administration service is used See Configure the web administration service for more information 5 For Peer authentication select the method used to verify the certificate of a remote peer 6 Include standard CAs is enabled by default This allows peers with certificates that have been signed by standard Certificate A...

Page 830: ...n PEM format config auth serial identiy cert and private key config 4 Set the method used to verify the certificate of a remote peer config auth serial verify value config where value is either n ca Uses certificate authorities CAs to verify n peer Uses the remote peer s public certificate to verify 5 By default peers with certificates that have been signed by standard Certificate Authorities CAs ...

Page 831: ...he Admin CLI Note If shell access is disabled re enabling it will erase the device s configuration and perform a factory reset Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Clic...

Page 832: ... the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Set the allow_shell parameter to false config auth allow_shell false Note If shell access is disabled re enabling it will erase the device s configuration and perform a factory reset 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on...

Page 833: ...Click Settings d Click to expand Config Local Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Authentication 4 For Idle timeout enter the amount of time that the active session can be idle before the user is automatically logged out Allowed values are any number of weeks days hours minutes or seconds and take the format...

Page 834: ...mand line, type config to enter configuration mode: config config 3. At the config prompt, type: config auth idle_timeout value where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set idle_timeout to ten minutes, enter either 10m or 600s: config auth idle_timeout 600s config 4. Save the configuration and apply the change: config save Configu...

Page 835: ...into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Local Web UI a On the menu click System Under Configuration click Device Configuration The Configurat...

Page 836: ...min access to enable iv Verify that Access level is set to Full access If not select Full access e Verify that Local users is one of the configured authentication methods i Click Authentication Methods ii Verify that Local users is one of the methods listed in the list If not i For Add Method click ii For Method select Local users 7 Click Apply to save the configuration and apply the change Comman...

Page 837: ...up admin acl admin level full config 4 Verify that local is one of the configured authentication methods config show auth method 0 local config If local is not listed config add auth method end local config 5 Create the user In this example the user is being created with the username adminuser config add auth user adminuser config auth user adminuser 6 Assign a password to the user config auth use...

Page 838: ...sing all three authentication methods In this example when the user attempts to log in to the LR54 device user authentication will occur in the following order 1 The user is authenticated by the RADIUS server If the RADIUS server is unavailable 2 The user is authenticated by the TACACS server If both the RADIUS and TACACS servers are unavailable 3 The user is authenticated by the LR54 device using...

Page 839: ... Names parameter c Save and close the users file 2 Configure a user on the TACACS server a On the ubuntu machine hosting the TACACS server open the etc tacacs tac_plus conf file sudo gedit etc tacacs tac_plus conf b Add a TACACS user to the tac_plus conf file user admin1 name Admin1 for TX64 pap cleartext password1 service system groupname admin In this example n The user s username is admin1 n Th...

Page 840: ... d Click to expand Config Local Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 5 Configure the authentication methods a Click Authentication Methods b For Method select RADIUS c For Add Method click to add a new method d For the new method select TACACS e Click to add another new method f For the new method select Local users ...

Page 841: ... i Click Authentication Groups ii Click admin iii Verify that the admin group has Admin access enabled If not click Admin access to enable iv Verify that Access level is set to Full access If not select Full access 7 Click Apply to save the configuration and apply the change Command line 1 Configure a user on the RADIUS server a On the ubuntu machine hosting the FreeRadius server open the etc free...

Page 842: ...this example n The user s username is admin1 n The user s password is password1 n The authentication group on the LR54 device admin is identified in the groupname parameter c Save and close the tac_plus conf file 3 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration...

Page 843: ...full administrator rights config show auth group admin acl admin enable true level full config If admin enable is set to false config auth group admin acl admin enable true config If admin level is set to read only config auth group admin acl admin level full config 7 Configure the local user a Create a local user with the username admin1 config add auth user admin1 config auth user admin1 b Assig...

Page 844: ...844 8 Save the configuration and apply the change config auth user adminuser save Configuration saved 9 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device ...

Page 845: ... following topics: Firewall configuration (846), Port forwarding rules (852), Packet filtering (860), Configure custom firewall rules (868), Configure captive portals (871), Configure Quality of Service options (876), Web filtering (888) ...

Page 846: ...to access administration services l IPsec The default zone for IPsec tunnels l hotspot The default zone for hotspots l Dynamic routes Used for routes learned using routing services n Port forwarding A list of rules that allow network connections to the LR54 to be forwarded to other servers by translating the destination address n Packet filtering A list of packet filtering rules that determine whe...

Page 847: ...figuration The Configuration window is displayed 3 Click Firewall Zones 4 In Add Zone enter a name for the zone and click The firewall configuration window is displayed 5 Optional If traffic on this zone will be forwarded from a private network to the internet enable Network Address Translation NAT 6 Click Apply to save the configuration and apply the change See Configure the firewall zone for a n...

Page 848: ...ice configuration you may be presented with an Access selection menu Type quit to disconnect from the device See Configure the firewall zone for a network interface for information about how to configure network interfaces to use a zone Configure the firewall zone for a network interface Firewall zones allow you to group network interfaces for the purpose of packet filtering and access control The...

Page 849: ...one select External 5 Click Apply to save the configuration and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type confi...

Page 850: ...rom the device Delete a custom firewall zone You cannot delete preconfigured firewall zones To delete a custom firewall zone Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click ...

Page 851: ...3. Click Firewall Zones. 4. Click the menu icon next to the appropriate custom firewall zone and select Delete. 5. Click Apply to save the configuration and apply the change ...

Page 852: ... by a firewall that prevents users on a public network from accessing servers on the private network To allow a computer on the Internet to connect to a specific server on a private network set up one or more port forwarding rules Port forwarding rules provide mapping instructions that direct incoming traffic to the proper device on a LAN Configure port forwarding Required configuration items n Th...

Page 853: ...er with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Local Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Firewall Port forwarding 4 Fo...

Page 854: ...Port(s), type the port number, comma-separated list of port numbers, or range of port numbers on the server to which traffic should be forwarded. For example, to forward traffic to ports one, three, and five through ten, enter 1,3,5-10. 12. (Optional) Click Access control list to create a white list of devices that are authorized to leverage this forwarding rule, based on either the IP address or firewall zone ...

Page 855: ...tches the IP address of this network interface a Use the to determine available interfaces config firewall dnat 0 interface Interface Network connections will only be forwarded if their destination address matches the IP address of this network interface Format defaultip defaultlinklocal lan1 lan_hotspot loopback wan1 wwan Current value config firewall dnat 0 interface b Set the interface For exam...

Page 856: ...e forwarded: config firewall dnat 0 to_port value config firewall dnat 0 where value is the port number, comma-separated list of port numbers, or range of port numbers on the server to which traffic should be forwarded. For example, to forward traffic to ports one, three, and five through ten, enter 1,3,5-10. 10. (Optional) To create a white list of devices that are authorized to leverage this forwarding rule...

Page 857: ...l 11 Save the configuration and apply the change config save Configuration saved 12 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Delete a port forwarding rule To delete a port forwarding rule Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin a...

Page 858: ...o save the configuration and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode confi...

Page 859: ...IPv6 port forwarding rule port 10002 protocol tcp to_address6 c097 4533 bd63 bb12 9a6f 5569 4b53 c29a to_port 10003 config 4 To delete the rule use the index number with the del command For example config del firewall dnat 1 5 Save the configuration and apply the change config save Configuration saved 6 Type exit to exit the Admin CLI Depending on your device configuration you may be presented wit...

Page 860: ...cket filtering rule will perform either Accept Reject or Drop n The source firewall zone Packets originating from interfaces on this zone will be monitored by this rule n The destination firewall zone Packets destined for interfaces on this zone will be accepted rejected or dropped by this rule Additional configuration requirements n A label for the rule n The IP version to be matched either IPv4 ...

Page 861: ... default packet filtering rule or another existing packet filtering rule click to expand the rule The packet filtering rule configuration window is displayed Packet filters are enabled by default To disable toggle off Enable 4 Optional Type a Label that will be used to identify the rule 5 For Action select one of n Accept Allows matching network connections n Reject Blocks matching network connect...

Page 862: ...ager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config To edit the default packet filtering rule or another existing packet filtering rule...

Page 863: ...ections and does not send a reply 5 Set the firewall zone that will be monitored by this rule for incoming connections from network interfaces that are a member of this zone See Firewall configuration for more information about firewall zones config firewall filter 1 src_zone my_zone config firewall filter 1 6 Set the destination firewall zone Packets destined for network interfaces that are membe...

Page 864: ...onnect from the device Enable or disable a packet filtering rule To enable or disable a packet filtering rule Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Clic...

Page 865: ...og into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Determine the index number of the appropriate port forwarding rule config show firewall filter 0 action accept dst_zone a...

Page 866: ...save Configuration saved 7 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Delete a packet filtering rule To delete a packet filtering rule Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote M...

Page 867: ...4 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Determine the index number of the packet filtering rule you want to delete config show firewall filter 0 action accept dst_zone any enab...

Page 868: ...es consist of a script of shell commands that can be used to install firewall rules ipsets and other system configuration These commands are run whenever system configuration changes occur that might cause changes to the firewall To configure custom firewall rules Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configurati...

Page 869: ...4 Enable the custom rules 5 Optional Enable Override to override all preconfigured firewall behavior and rely solely on the custom firewall rules 6 For Rules type the shell command that will execute the custom firewall rules script 7 Click Apply to save the configuration and apply the change ...

Page 870: ...g config 3 Enable custom firewall rules config firewall custom enable true config 4 Optional Instruct the device to override all preconfigured firewall behavior and rely solely on the custom firewall rules config firewall custom override true config 5 Set the shell command that will execute the custom firewall rules script config firewall custom rules shell command config 6 Save the configuration ...

Page 871: ...nly To configure captive portals Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Local Web UI a On the menu click System Under Configuratio...

Page 872: ...S port 443 n Disallow Does not allow access over an insecure connection HTTP port 80 Note This setting does not affect access to HTTP port 80 after the client has been granted access to the portal 8 For Authorization select the method that will be used to authorize the user n None Users are not required to enter any information to access the portal n User login Users are required to authenticate w...

Page 873: ...rtal1 4 Set the network interface for the portal Traffic received on this interface s network device will not be forwarded unless the client has been granted access a Use the to determine available interfaces config firewall portal portal1 interface Interface The network interface to run the portal on Traffic received on this interface s network device will not be forwarded unless the client has be...

Page 874: ...port 80 after the client has been granted access to the portal 7 Set the method that will be used to authorize the user config firewall portal portal1 auth value config firewall portal portal1 where value is one of n none Users are not required to enter any information to access the portal n login Users are required to authenticate with an account on this device Users must be part of a user group ...

Page 875: ...change config save Configuration saved 13 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Delete captive portals To delete captive portals Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Ma...

Page 876: ...he configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Configure Quality of Service options Quality of Service QoS options allow you to manage the traffic performance of various services such as Voice over IP VoIP cloud c...

Page 877: ...user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Local Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Firewall Quality of Service...

Page 878: ... config firewall qos 1 enable true config 4 Set the interface for the binding Use the index number of the binding for example to set the interface for the Outbound binding a Use the to determine available interfaces config firewall qos 0 interface Interface The network interface Format network interface defaultip network interface defaultlinklocal network interface lan1 network interface lan_hotsp...

Page 879: ...Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Local Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window...

Page 880: ... can contain up to 30 rules a Click to expand Policy b For Add Policy click The QoS binding policy configuration window is displayed New QoS binding policies are enabled by default To disable toggle off Enable c Optional Type a Label for the binding policy d For Weight type a value for the amount of available bandwidth allocated to the policy relative to other policies for this binding The larger ...

Page 881: ...of common TOS values v For Protocol select the IP protocol matching criteria for this rule vi For Source port type the port or any as a source traffic matching criteria vii For Destination port type the port or any as a destination traffic matching criteria viii Click to expand Source address and select the Type n Any Source traffic from any address will be matched n Interface Only traffic from th...

Page 882: ...e the format IPv4_address netmask or use any to match any IPv4 address n IPv6 address Only traffic destined for the IP address typed in IPv6 address will be matched Use the format IPv6_address prefix_length or use any to match any IPv6 address Repeat to add a new rule Up to 30 rules can be configured 10 Click Apply to save the configuration and apply the change ...

Page 883: ... qos 2 4 Optional Set a label for the new binding config firewall qos 2 label my_binding config firewall qos 2 5 Set the interface to queue egress packets on The binding will only match traffic that is being sent out on this interface a Use the to determine available interfaces config firewall qos 2 interface Interface The network interface Format network interface defaultip network interface defa...

Page 884: ...licy config firewall qos 2 policy 0 d Set a value for the amount of available bandwidth allocated to the policy relative to other policies for this binding The larger the weight with respect to the other policy weights the larger portion of the maximum bandwidth is available for this policy For example if a binding contains three policies and each policy contains a weight of 10 each policy will be...

Page 885: ...licy 0 rule 0 label my_binding_policy_rule config firewall qos 2 policy 0 rule 0 iv Set the value of the Type of Service ToS packet header that defines packet priority If unspecified this field is ignored config firewall qos 2 policy 0 rule 0 tos value config firewall qos 2 policy 0 rule 0 where value is a hexadecimal number See https www tucny com Home dscp tos for a list of common TOS values v ...

Page 886: ...etwork interface defaultip network interface defaultlinklocal network interface lan1 network interface lan_hotspot network interface loopback network interface wan1 network interface wwan Current value config network qos 2 policy 0 rule 0 src interface ii Set the interface For example config network qos 2 policy 0 rule 0 src interface network interface wan1 config network qos 2 policy 0 rule 0 n a...

Page 887: ...ched Set the interface i Use the to determine available interfaces config network qos 2 policy 0 rule 0 dst interface Interface Match the IP address with the specified interface s network address Format network interface defaultip network interface defaultlinklocal network interface lan1 network interface lan_hotspot network interface loopback network interface wan1 network interface wwan Current ...

Page 888: ...ame System DNS traffic to a web filtering service This allows the network security administrator to configure a set of policies with the web filtering service that are applied to all routing devices with web filtering enabled For example a policy may allow or deny access to a specific service or type of service such as social media gaming and so on Your LR54 device supports two methods for configu...

Page 889: ...ll Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Local Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Firewall Web filtering service ...

Page 890: ...Enable web filtering config firewall web filter enable true config 4 Set the web filter service type to umbrella config firewall web filter service umbrella config 5 Set umbrella_token to the API token generated in Task one Generate a Cisco Umbrella API token config firewall web filter umbrella_token token config 6 Save the configuration and apply the change config save Configuration saved 7 Type ...

Page 891: ... manual DNS servers Required configuration items n Enable web filtering n The IP address of one or more DNS servers Cisco provides two open DNS servers for web filtering l 208 67 222 220 l 208 67 220 222 See https www opendns com setupguide for more information about using Cisco DNS servers for web filtering To configure web filtering with manual DNS servers Web 1 Log into Digi Remote Manager or l...

Page 892: ...layed 3 Click Firewall Web filtering service 4 Click Enable web filtering to enable 5 For Web filtering service select Manual 6 Click to expand Servers 7 Click to add a server 8 For IP address enter the IP address of the DNS server 9 Optional Repeat for additional DNS servers 10 Click Apply to save the configuration and apply the change Command line ...

Page 893: ...config 5 Add a DNS server config add firewall web filter server end config firewall web filter server 0 6 Set the DNS server s IP address config firewall web filter server 0 ip ip_address config firewall web filter server 0 7 Optional Repeat for additional DNS servers For example to configure manual web filtering using Cisco s open DNS servers a Enable web filtering config firewall web filter enab...

Page 894: ...g implementation has the service set to Cisco Umbrella or if it is configured to use manual DNS servers and uses the Cisco open DNS servers you can verify the web filtering implementation by using the Cisco test site www internetbadguys com To verify the implementation Web This procedure assumes you have already configured web filtering to use either Cisco Umbrella or the Cisco open DNS servers n ...

Page 895: ...attempt to connect to the Cisco test URL http www internetbadguys com The connection should be successful 5 Return to the LR54 WebUI and enable web filtering a Click Firewall Web filtering service b Click Enable web filtering to enable c Click Apply to save the configuration and apply the change 6 From your browser attempt to connect to http www internetbadguys com again The connection attempt sho...

Page 896: ...t URL http www internetbadguys com by using either a web browser or the curl command from a Linux shell curl I http www internetbadguys com HTTP 1 1 200 OK Server Apache Content Type text html charset UTF 8 Accept Ranges bytes Date Mon 26 August 2022 03 41 00 X Varnish 4201397492 Age 0 Via 1 1 varnish Connection keep alive You should receive an HTTP 1 1 200 OK message as highlighted above 4 Return...

Page 897: ...dmin to access the Admin CLI 2 At the Admin CLI prompt use the show web filter command to view information about the web filter service show web filter Enabled true Service umbrella Device ID 0004b5s63f5e2de7aa If the device is configured to use Cisco Umbrella for web filtering a device ID is displayed The device ID is a unique ID assigned to the device by Cisco Umbrella If there is a problem with ...

Page 898: ... the main menu click Status Under Services click Containers 3 Click Upload New Container 4 From your local file system select the container file in tgz format You can download a simple example container file test_lxc tgz from the Digi website 5 Create Configuration is selected by default This will create a configuration on the device for the container when it is installed If deselected you will ne...

Page 899: ...s Additional configuration items n If virtual networking is enabled l The bridge to be used to provide network connectivity l A static IP address for the container l The network gateway n Serial ports on the device that the container will have access to Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote M...

Page 900: ...iner This must be a valid IP address for the bridge or if left blank a DHCP server can assign the container an IP address c Optional For Gateway type the IP address of the network gateway 7 Click to expand Serial ports to assign serial ports that the container will have access to a For Add Port click b For Port select the serial port 8 Click Apply to save the configuration and apply the change Com...

Page 901: ... container name network true config system container name b Set the network bridge device that will be used to provide network access i Use the to determine the available bridges config system container name bridge Network Bridge Device Containers require a bridge to access the network Choose which bridge to connect the container to Format lan1 Current value config system container name ii Set the...

Page 902: ...enu Type quit to disconnect from the device Starting and stopping the container Container commands are not available from the Admin CLI You must access the device shell in order to run Python applications from the command line See Authentication groups for information about configuring authentication groups that include shell access Note Container support must be enabled in Digi Remote Manager Con...

Page 903: ...ne as a user with shell access Depending on your device configuration you may be presented with an Access selection menu Type shell to access the device shell 2 At the shell prompt type lxc test_lxc p lxc This will start the container by using bin sh l which runs the shell and loads the shell profile The default shell profile includes an lxc prompt Starting a container by including an executable Y...

Page 904: ... containers Web 1 Log into the LR54 WebUI as a user with Admin access 2 From the main menu click Status Under Services click Containers The Containers status page is displayed Command line Show status of all containers Use the show containers command with no additional arguments to show the status of all containers on the system 1 Select the device in Remote Manager and click Actions Open Console ...

Page 905: ... presented with an Access selection menu Type admin to access the Admin CLI 2 At the prompt type show containers container test_lxc Container Configured Enabled State test_lxc True enabled RUNNING PID 19327 3 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Schedule a script to run in t...

Page 906: ...on click Device Configuration The Configuration window is displayed 3 Click System Scheduled tasks Custom scripts 4 For Add Script click The script configuration window is displayed 5 Optional For Label type container_script 6 For Run mode select Interval 7 For Interval type 10s 8 For Commands type the following lxc container_name bin ping c 1 IP_address ...

Page 907: ...mmand line type config to enter configuration mode config config 3 Add a script config add system schedule script end config system schedule script 0 4 Provide a label for the script for example config system schedule script 0 label test_lxc config system schedule script 0 5 Set the mode to interval config system schedule script 0 when interval config system schedule script 0 6 Set the interval to...

Page 908: ...ner that contains a python script in the etc directory In this example we will use a simple container file named test_lxc tgz You can download test_lxc tgz from the Digi website At the command line of a Linux host we will unpack the file add a simple python script and create a new container file that includes the python script Create the custom container file 1 At the command line of a Linux host ...

Page 909: ...ck Upload New Container iv From your local file system select the container file You can download a simple example container file test_lxc tgz from the Digi website v Create Configuration is selected by default This will create a configuration on the device for the container when it is installed If deselected you will need to create the configuration manually vi Click Apply 2 Select a device in Re...

Page 910: ...ware 915 Update cellular module firmware 921 Reboot your LR54 device 925 Erase device configuration and reset to factory defaults 928 Locate the device by using the Find Me feature 933 Configuration files 935 Schedule system maintenance tasks 940 Disable device encryption 946 Configure the speed of your Ethernet ports 948 LR54 User Guide 910 ...

Page 911: ...sic system information 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 Enter show system at the prompt show system Model Digi LR54 Serial Number LR54 000065 SKU LR54 Hostna...

Page 912: ...Address DF DD E2 AE 21 18 Hardware Version 50001947 01 1P Firmware Version 22 8 33 50 Alt Firmware Version 22 8 33 50 Alt Firmware Build Date Mon 26 August 2022 03 41 00 Bootloader Version 19 7 23 0 15f936e0ed Schema Version 715 Timezone UTC Current Time Mon 26 August 2022 03 41 00 0000 CPU 1 4 Uptime 6 days 6 hours 21 minutes 57 seconds 541317s Load Average 0 01 0 03 0 02 RAM Usage 119 554MB 1878...

Page 913: ...vice n A banner that will be displayed when users access terminal services on the device To enter system information Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings...

Page 914: ...on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Set a name for the device This name will appear in log messages and at the command prompt config system name 192 168 3 1 192 168 3 1 config 4 Set the contact for the device 192 168 3 1 config system contact ...

Page 915: ...i Remote Manager User Guide Certificate management for firmware images The system firmware files are signed to ensure that only Digi approved firmware load onto the device The LR54 device validates the system firmware image as part of the update process and only successfully updates if the system firmware image can be authenticated Downgrading Downgrading to an earlier release of the firmware may ...

Page 916: ...may be presented with an Access selection menu Type admin to access the Admin CLI 2 Use the system firmware ota check command to determine if new modem firmware is available on the Digi firmware repository system firmware ota check Current firmware version is 22 5 50 62 Checking for latest LR54 firmware Newest firmware version available to download is 22 8 33 50 Device firmware update from 22 5 50...

Page 917: ...ository use the version parameter to identify the appropriate firmware version as determined by using system firmware ota list command For example a Update the firmware system firmware ota update version 22 8 33 50 Downloading firmware version 22 8 33 50 Downloaded firmware tmp cli_firmware bin remaining Applying firmware version 22 8 33 50 41388K netflash got tmp cli_firmware bin length 42381373 ...

Page 918: ... Load the firmware image onto the device We recommend using the tmp directory scp host hostname or ip user username remote remote path local local path to local where n hostname or ip is the hostname or ip address of the remote host n username is the name of the user on the remote host n remote path is the path and filename of the file on the remote host that will be copied to the LR54 device n lo...

Page 919: ... 50 MAC 0040FF800120 Model Digi LR54 Current Time Mon 26 August 2022 03 41 00 0000 Uptime 42 seconds 42s Dual boot behavior By default the LR54 device stores two copies of firmware in two flash memory banks n The current firmware version that is used to boot the device n A copy of the firmware that was in use prior to your most recent firmware update When the device reboots it will attempt to use ...

Page 920: ...be presented with an Access selection menu Type admin to access the Admin CLI 2 Duplicate the firmware system duplicate firmware How to recover a LR54 that will not boot This section describes the process for recovering a LR54 device that cannot boot because both firmware images stored in flash memory have become corrupted When a LR54 device is in this state the device will continually reboot as i...

Page 921: ...r Once the firmware image is downloaded the WWAN2 Signal SIM 1 LED briefly lights b The device verifies the firmware image c The device reboots loading and running the new firmware image 7 After the device is finished rebooting update the device to the latest firmware The recovery process does not write the recovery firmware to flash memory so you must update the firmware by using the normal firmw...

Page 922: ...rmware over the air OTA You can update your modem firmware by querying the Digi firmware repository to determine if there is new firmware available for your modem and performing an OTA modem firmware update 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you m...

Page 923: ...atest Generic firmware Retrieving modem firmware list Newest firmware version available to download is 25 20 666_CUST_067_1 Retrieving download location for modem firmware 25 20 666_CUST_067_1 n To perform an OTA firmware update by using a specific version from the Digi firmware repository use the version parameter to identify the appropriate firmware version as determined by using modem firmwar...

Page 924: ...at the firmware file may not have a tar gz extension but it is a tar file and can be unzipped with tar or a similar tool See Use the scp command for information about uploading files to the LR54 device 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be...

Page 925: ...you may be presented with an Access selection menu Type quit to disconnect from the device Reboot your LR54 device You can reboot the LR54 device immediately or schedule a reboot for a specific time every day Note You may want to save your configuration settings to a file before rebooting See Save configuration to a file Reboot your device immediately Web 1 Log into the LR54 WebUI as a user with A...

Page 926: ...ice as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Local Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Select System Scheduled tasks 4 For Reboot time enter the time of the day that the device should reboot using the format HH MM The dev...

Page 927: ...n to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Set the reboot time config system schedule reboot_time time config where time is the time of the day that the device should reboot using the format HH MM For example to set the device to reboot at two in the morning every day config system schedule reboot_time 02 00 config If reboot_time is set...

Page 928: ...system log files Additionally if the RESET button is used to erase the configuration pressing the RESET button a second time immediately after the device has rebooted n Erases all automatically generated certificates and keys n With firmware release 22 2 9 x and newer erases the client side certificate used for communication with Digi Remote Manager If you are using Digi Remote Manager with firmwa...

Page 929: ...mand line you will be required to change the SSIDs and pre shared keys passwords for the preconfigured Wi Fi access points before you can save any configuration changes See Reset default SSIDs and pre shared keys for the preconfigured Wi Fi access points for instructions c Optional Reset the default password for the admin account See Change the default password for the admin user for further info...

Page 930: ...ss the RESET button perform a device reset The RESET button has the following modes n Configuration reset l Press and hold the RESET button for 10 seconds l The device reboots automatically and resets to factory defaults This does not remove any automatically generated certificates and keys n Full device reset l After the device reboots from the first button press immediately press and hold the RE...

Page 931: ...ine type config to enter configuration mode config config 3 At the config prompt enter revert config revert config 4 Set the password for the admin user prior to saving the changes config auth user admin password pwd config 5 Save the configuration and apply the change config save Configuration saved 6 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with...

Page 932: ...et the device to factory defaults it will automatically have your required network configuration 3 On the main menu click System Under Configuration click Configuration Maintenance The Configuration Maintenance window is displayed 4 In the Configuration backup section click SAVE Do not set a Passphrase for the configuration backup The file will be downloaded using your browser s standard download...

Page 933: ...lt config bin 3 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Locate the device by using the Find Me feature Use the Find Me feature to cause LEDs on the device to blink which can help you to identify the specific device To use this feature Web 1 Log into the LR54 WebUI as a user wit...

Page 934: ...ck Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 To activate the Find Me feature at the prompt type the following at the command prompt system find me on 3 To deactivate the Find Me feature type the following at the co...

Page 935: ...make changes to the LR54 configuration the changes are not automatically saved You must explicitly save configuration changes which also applies the changes If you do not save configuration changes the system discards the changes Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your dev...

Page 936: ...uration changes 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Save configuration to a file You can save your LR54 device s configuration to a file and use this file to restore the configuration either to ...

Page 937: ... system backup path passphrase passphrase type type where n path is the location on the LR54 s filesystem where the configuration backup file should be saved n passphrase optional is a passphrase used to encrypt the configuration backup n type is the type of backup either l archive Creates a binary archive file containing the device s configuration certificates and keys and other information l cli...

Page 938: ...ckup from the device or a backup from a similar device Web 1 Log into the LR54 WebUI as a user with Admin access 2 On the main menu click System Under Configuration click Configuration Maintenance The Configuration Maintenance window is displayed 3 In the Configuration Restore section a If a passphrase was used to create the configuration backup for Passphrase save restore enter the passphrase b ...

Page 939: ...username is the name of the user on the remote host n remote path is the path and filename of the file on the remote host that will be copied to the LR54 device n local path is the location on the LR54 device where the copied file will be placed For example scp host 192 168 4 1 user admin remote home admin bin backup archive 0040FF800120 22 8 33 50 19 23 42 bin local opt to local 3 Enter the follo...

Page 940: ... of the triggers must be met n The tasks to be performed Options are l Firmware updates l Digi Remote Manager configuration check n Whether the device will check for updates to the device firmware n Whether the device will check for updates to the modem firmware n The frequency daily weekly or monthly that checks for firmware updates will run Web 1 Log into Digi Remote Manager or log into the loca...

Page 941: ... Start time is not set maintenance tasks are not scheduled and will not be run The behavior of Start time varies depending on the setting of Duration window which is configured in the next step l If Duration window is set to Immediately all scheduled tasks will begin at the exact time specified in Start time l If Duration window is set to 24 hours Start time is effectively obsolete and the mainten...

Page 942: ...a Time period for maintenance window trigger type and specify a time window of when you want the automated firmware checks and updates to occur 1 Click to enable Device firmware update to instruct the system to look for any updated device firmware during the maintenance window If updated firmware is found it will then be installed 2 Click to enable Modem firmware update to instruct the system to l...

Page 943: ...igger end config b Set the type of trigger config add system schedule maintenance trigger type value config where value is one of n interface_up If interface_up is set i Set the interface config add system schedule maintenance trigger interface value config ii i Use the to determine available interfaces config system schedule maintenance trigger 0 interface Test interface Test the status of this i...

Page 944: ...s effectively obsolete and the maintenance tasks will be scheduled to run at any time Setting the duration length to 24 hours can potentially overstress the device and should be used with caution l If the duration length is set to any value other than 0 or 24 hours the maintenance tasks will run at a random time during the time allotted for the duration window l If the duration length is set to...

Page 945: ...fw_update true config 2 Configure the device to look for any updated modem firmware during the maintenance window If updated firmware is found it will then be installed The device will look for updated firmware both on the local device and over the network using either a WAN or cellular connection config system schedule maintenance modem_fw_update true config 3 Configure the device to allow for th...

Page 946: ... except for the default 192 168 210 1 24 network on the local LAN Ethernet ports DHCP server is also disabled The device can only be accessed by using telnet from a local machine connecting to the 192 168 210 1 24 network Disabling device encryption is not available in the WebUI It can only be performed from the Admin CLI Command line 1 Select the device in Remote Manager and click Actions Open Co...

Page 947: ...ant network connection on the Windows PC b Click the Internet Protocol Version 4 TCP IPv4 parameter c Click Properties The Internet Protocol Version 4 TCP IPv4 Properties dialog appears d Configure with the following details n IP address for PC 192 168 210 2 n Subnet 255 255 255 0 n Gateway 192 168 210 1 ...

Page 948: ...ice at the IP address of 192 168 210 1 4 Log into the device n Username admin n Password The default unique password for your device is printed on the device label 5 At the shell prompt type rm etc config nocrypt flatfsd i This will re enable encryption and leave the device at its factory default setting Configure the speed of your Ethernet ports You can configure the speed of your LR54 device s E...

Page 949: ...tion The Configuration window is displayed 3 Click Network Device 4 Click to expand the Ethernet port to be configured 5 For Speed select the appropriate speed for the Ethernet port or select Auto to automatically detect the speed The default is Auto 6 Click Apply to save the configuration and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console or log...

Page 950: ...100 Sets the speed to 100 Mbps l 1000 Sets the speed to 1 Gbps Available only for devices with Gigabit Ethernet ports auto Configures the device to automatically determine the best speed for the Ethernet port The default is auto 4 Save the configuration and apply the change config save Configuration saved 5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented...

Page 951: ...Monitoring This chapter contains the following topics intelliFlow 952 Configure NetFlow Probe 959 Enable the Wi Fi scanner 963 ...

Page 952: ...he chart to drill down to view more granular information and menu options allow you to change various aspects of the information being displayed Note When intelliFlow is enabled and the device is connected to Digi aView it adds an estimated 50MB of data usage for the device by reporting the metrics to aView intelliflow does not currently work with Digi Remote Manager Enable intelliFlow Required co...

Page 953: ...ck Apply to save the configuration and apply the change Command line 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration ...

Page 954: ... clients are present on the zone specified Format any dynamic_routes edge external hotspot internal ipsec loopback setup Default value internal Current value internal config b Set the zone to be used by IntelliFlow config monitoring intelliflow zone my_zone 5 Save the configuration and apply the change config save Configuration saved 6 Type exit to exit the Admin CLI Depending on your device confi...

Page 955: ...into the LR54 WebUI as a user with Admin access 2 If you have not already done so enable intelliFlow See Enable intelliFlow 3 From the menu click Status intelliFlow The System Utilisation chart is displayed n Display more granular information 1 Click and drag over an area in the chart to zoom into that area and provide more granular information 2 Release to display the selected portion of the char...

Page 956: ... Select the time period to be displayed n Save or print the chart 1 Click the menu icon 2 To save the chart to your local filesystem select Export to PNG 3 To print the chart select Print chart Use intelliFlow to display top data usage information With intelliFlow you can display top data usage information based on the following n Top data usage by host n Top data usage by server n Top data usage ...

Page 957: ... the Top Data Usage by Server chart click Top Data Usage by Server n To display the Top Data Usage by Service chart click Top Data Usage by Service 5 Change the type of chart that is used to display the data a Click the menu icon b Select the type of chart 6 Change the number of top users displayed You can display the top five top ten or top twenty data users ...

Page 958: ... Use intelliFlow to display data usage by host over time To generate a chart displaying a host s data usage over time Web 1 Log into the LR54 WebUI as a user with Admin access 2 If you have not already done so enable intelliFlow See Enable intelliFlow 3 From the menu click Status intelliFlow 4 Click Host Data Usage Over Time n Display more granular information a Click and drag over an area in the ...

Page 959: ...d configuration items n Enable NetFlow n The IP address of a NetFlow collector Additional configuration items n The NetFlow version n Enable flow sampling and select the flow sampling technique n The number of flows from which the flow sampler can sample n The number of seconds that a flow is inactive before it is exported to the NetFlow collectors n The number of seconds that a flow is active bef...

Page 960: ...d in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Local Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed 3 Click Monitoring NetFlow probe 4 Enable NetFlow probe 5 Protocol version Select the Protocol version Available options are n NetFlow v5 Supports IPv4...

Page 961: ... be inactive before sent to a collector Allowed value is any number between 1 and 15 The default is 15 9 For Active timeout type the number of seconds that a flow can be active before sent to a collector Allowed value is any number between 1 and 1800 The default is 1800 10 For Maximum flows type the maximum number of flows to probe simultaneously Allowed value is any number between 0 and 2000000 T...

Page 962: ...n flows where n is the value of the flow sample population n hash Randomly selects one out of every n flows using the hash of the flow key where n is the value of the flow sample population 5 If you are using a flow sampler set the number of flows for the sampler config monitoring netflow sampler_population value config where value is any number between 2 and 16383 The default is 100 6 Set the num...

Page 963: ...w collector 0 save Configuration saved 11 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Enable the Wi Fi scanner The Wi Fi scanner allows you to configure your device to detect Wi Fi enabled devices that are nearby and then opens an SSH port that remote hosts can access to read basic...

Page 964: ...g filtering options l Minimum RSSI level that a device must have to be logged by the Wi Fi scanner This allows more distant devices to be filtered out of the report l Whether to report on clients only access points only or both l A file of blocklisted MAC addresses and Organizationally Unique Identifiers OUIs Devices listed in the blocklist file will not be reported l Whether to filter out devices...

Page 965: ...e the frequency in milliseconds that the Wi Fi scanner will hop from one channel to the next during scanning Allowed values are any number of seconds or milliseconds and take the format number s ms For example to set Hop frequency to one second enter 1s or 1000ms The default is 150ms and the maximum is 10000ms 10s 7 Optional For Update interval type the number of seconds between scans Allowed valu...

Page 966: ...ing a file to the LR54 device s filesystem d For Wi Fi device type to report select either Access points Clients or All The default is All e Optional Configure the device to automatically determine what Wi Fi signal transmitters are stationary and to exclude stationary devices from the output log i Click to expand Static transmitter filtering ii Click Enable iii For Observation period type the amo...

Page 967: ...ed under Candidate static transmitters n From the Admin CLI Use the command show wifi scanner candidates to show devices that are being considered for automatic blocklist 11 Optional Configure the device to push Wi Fi scanner results to one or more remote servers a Click to expand Push scanner results b Click Enable c For Interface select the network interface on the device that will be used to pu...

Page 968: ...ses that can access the SSH service iv Click again to list additional IP addresses or networks n To limit access to specified IPv6 addresses and networks i Click IPv6 Addresses ii For Add Address click iii For Address enter the IPv6 address or network that can access the device s SSH service Allowed values are l A single IP address or host name l A network designation in CIDR notation for example ...

Page 969: ...to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Enable the Wi Fi scanner config monitoring wifi_scanner enable true config 4 Set the appropriate Wi Fi radio config monitoring wifi_scanner radio value config where value is either wifi1 or wifi2 5 Optional Set the Wi Fi channels that will be scanned by this instance of the service config monitori...

Page 970: ...i i Use the to determine available interfaces config monitoring wifi_scanner push interface Interface The network interface Format defaultip defaultlinklocal lan1 lan_hotspot loopback wan1 wwan Current value config monitoring wifi_scanner push interface ii Set the interface For example config monitoring wifi_scanner push interface wan1 config c Add a remote server config add monitoring wifi_scanne...

Page 971: ...ng wifi_scanner ssh enable true config 11 Optional Set the number of the port that the Wi Fi scanner will use The default is 3101 config monitoring wifi_scanner ssh port port config 12 Configure access control n To limit access to specified IPv4 addresses and networks config add wifi scanner ssh acl address end value config Where value can be l A single IP address or host name l A network designat...

Page 972: ...Default IP defaultlinklocal Default Link local IP lan1 LAN1 loopback Loopback wan1 WAN1 wwan WWAN config Repeat this step to list additional interfaces n To limit access based on firewall zones config add wifi scanner ssh acl zone end value config Where value is a firewall zone defined on your device or the any keyword Display a list of available firewall zones Type firewall zone at the config pro...

Page 973: ...logged into the LR54 device n From a remote host by connecting to the LR54 device by using the scanning service s SSH port To view the output of the Wi Fi scanning service you must first enable the service See Enable the Wi Fi scanner for instructions For users to view the output of the Wi Fi scanner they must be a member of an authentication group that has Wi Fi scanner access enabled See Add an ...

Page 974: ...ntication group that has Wi Fi scanner access enabled See Add an authentication group for details You can view the output of the Wi Fi scanner from either the Admin CLI menu or by using the show wifi scanner command n To view the output of the Wi Fi scanner from either the Admin CLI menu 1 Log into the LR54 command line 2 At the Access selection menu type Wi Fi The Wi Fi option is only available i...

Page 975: ...ates command to view devices that have not yet been filtered out but are being considered for automatic blocklisting show wifi scanner candidates MAC Address Type Observations Observation Min Signal Strength Max Signal Strength Variance 5D 0C D2 C6 12 0E AP 1 1 88 88 0 00 84 8F 2D 0F 65 80 client 1 1 86 86 0 00 29 2C EA EB DB A4 client 7 11 91 87 2 69 99 64 9D 0C A1 DA AP 60 100 86 79 1 87 View th...

Page 976: ... as configured for the system Field 2 The location of the device as configured for the system Field 3 The most recent time this device was seen by the scanner Time is in seconds since January 1 1970 Field 4 The MAC address of the Wi Fi access point or the Wi Fi client Field 5 If the device is a Wi Fi client the MAC address of the access point to which the Wi Fi client is connected Field 6 The chan...

Page 977: ...he LR54 local file system 978 Display directory contents 978 Create a directory 979 Display file contents 980 Copy a file or directory 980 Move or rename a file or directory 981 Delete a file or directory 982 Upload and download files 983 ...

Page 978: ...st across reboots but are deleted if a factory reset of the system is performed See Erase device configuration and reset to factory defaults for more information Display directory contents To display directory contents by using the WebUI or the Admin CLI Web 1 Log into the LR54 WebUI as a user with Admin access 2 On the menu click System Under Administration click File System The File System page ...

Page 979: ...mand specifying the name of the directory For example 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the Admin CLI prompt type mkdir path dir_name For example to create...

Page 980: ...ser admin password 2a 05 W1sls1oxsadf n4J0XT Rgr6ewr1yerHtXQdbafsatGswKg0YUm schema version 461 3 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Copy a file or directory This procedure is not available through the WebUI To copy a file or directory by using the Admin CLI use the cp com...

Page 981: ...me a file named test py in etc config scripts to final py 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the Admin CLI prompt type mv etc config scripts test py etc con...

Page 982: ...o be deleted and click to open the directory 4 Highlight the file to be deleted and click 5 Click OK to confirm Command line To delete a file named test py in etc config scripts 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Acces...

Page 983: ... exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Upload and download files You can download and upload files by using the WebUI or from the command line by using the scp Secure Copy command or by using a utility such as SSH File Transfer Protocol SFTP or an SFTP application like FileZilla Upload an...

Page 984: ...o the LR54 device To copy a file from a remote host to the LR54 device use the scp command as follows scp host hostname or ip user username remote remote path local local path to local where n hostname or ip is the hostname or ip address of the remote host n username is the name of the user on the remote host n remote path is the path and filename of the file on the remote host that will be copied...

Page 985: ...he IP address of 192 168 4 1 1 Use the system support report command to generate the report system support report var log Saving support report to var log support report 0040D0133536 22 08 26 03 41 00 bin Support report saved 2 Use the scp command to transfer the report to a remote host scp host 192 168 4 1 user admin remote home admin temp local var log support report 00 40 D0 13 35 36 22 08 26 0...

Page 986: ...ost This example downloads a file named test py from the LR54 device at the IP address of 192 168 2 1 with a username of ahmed to the local directory on the remote host sftp ahmed 192 168 2 1 Password Connected to 192 168 2 1 sftp get test py Fetching test py to test py test py 100 254 0 3KB s 00 00 sftp exit ...

Page 987: ... report 988 View system and event logs 993 Configure syslog servers 998 Configure options for the event and system logs 1001 Analyze network traffic 1006 Use the ping command to troubleshoot network connections 1024 Use the traceroute command to diagnose IP routing problems 1024 ...

Page 988: ... 1110 Mbps Tx latency 31 45 ms Rx download average 44 7588 Mbps Rx latency 30 05 ms 3 To output the result in json format use the output parameter speedtest host output json tx_avg 51 8510 tx_avg_units Mbps tx_latency 31 07 tx_latency_units ms rx_avg 39 5770 rx_avg_units Mbps rx_latency 34 19 rx_latency_units ms 4 To change the size of the speedtest packet use the size parameter speedtest host siz...

Page 989: ...08 26 03 41 00 bin Support report saved 3 Use the scp command to transfer the report to a remote host scp host 192 168 4 1 user admin remote home admin temp local var log support report 00 40 D0 13 35 36 22 08 26 03 41 00 bin to remote admin 192 168 4 1 s password adminpwd support report 0040D0133536 22 08 26 03 41 00 bin 4 Type exit to exit the Admin CLI Depending on your device configuration you...

Page 990: ...sts between reboots and system resets Directory Filename Notes opt log_last messages With persistent system logs enabled syslog info will be stored in the opt directory which isn t erased after reboots or system resets tmp Output from a series of diagnostic queries is stored in a randomly generated sub directory within tmp When combing through these logs pay particular attention to config_dump pub...

Page 991: ...ts ip6tables_ nv_ L_ t_nat Firewall table used to direct NAT d traffic iptables_ nv_ L A list of IPv4 firewall tables iptables_ nv_ L_ t_mangle Firewall table used when handling mangled fragmented IPv4 packets iptables_ nv_ L_ t_nat Firewall table used to direct NAT d traffic s_ RlhA_etcconfig An index of items in etc config and its sub directories ls_ RlhA_opt An index of items in opt and its sub...

Page 992: ...5 minutes var log The running system log is stored in messages until reaching a set line count 1 000 lines by default Once this limit is exceeded that file is renamed to messages 0 and a new running log is written to the now empty messages log Directory Filename Notes var log messages Current syslog information messages 0 Rollover syslog information var run This directory can be disregarded for mo...

Page 993: ... about configuring the information displayed in event and system logs View System Logs Web 1 Log into the LR54 WebUI as a user with Admin access 2 On the main menu click System Logs The system log displays 3 Limit the display in the system log by using the Find search tool 4 Use filters to configure the types of information displayed in the system logs ...

Page 994: ...lld 621 reloading status 3 Optional Use the show log number num command to limit the number of lines that are displayed For example to limit the log to the most recent ten lines show log number 10 Timestamp Message Nov 26 21 54 34 LR54 netifd Interface interface_wan is setting up now Nov 26 21 54 35 LR54 firewalld 621 reloading status 4 Optional Use the show log filter value command to limit the n...

Page 995: ...ype quit to disconnect from the device View Event Logs Web 1 Log into the LR54 WebUI as a user with Admin access 2 On the main menu click System Logs 3 Click System Logs to collapse the system logs viewer or scroll down to Events 4 Click Events to expand the event viewer 5 Limit the display in the event log by using the Find search tool 6 Click to download the event log Command line ...

Page 996: ...s 3 Optional Use the show event number num command to limit the number of lines that are displayed For example to limit the event list to the most recent ten lines show event number 10 Timestamp Type Category Message Nov 26 21 42 37 status stat intf eth1 type ethernet rx 11332435 tx 5038762 Nov 26 21 42 35 status system local_time Thu 08 Aug 2019 21 42 35 0000 uptime 3 hours 0 minutes 48 seconds 4...

Page 997: ...5 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device ...

Page 998: ...log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate your device as described in Use Digi Remote Manager to view and manage your device b Click the Device ID c Click Settings d Click to expand Config Local Web UI a On the menu click System Under Configuration click Device Configuration The Configuration window is displayed ...

Page 999: ... error informational and status event categories by clicking to toggle off the category e For Syslog egress port type the port number to use for the syslog server The default is 514 f For Protocol select the IP protocol to use for communication with the syslog server Available options are TCP and UDP The default is UDP 5 Click Apply to save the configuration and apply the change Command line 1 Sel...

Page 1000: ...tically enabled when the server is enabled n To disable informational event messages config system log remote 0 info false config system log remote 0 n To disable status event messages config system log remote 0 status false config system log remote 0 n To disable informational event messages config system log remote 0 error false config system log remote 0 4 Set the port number to use for the sys...

Page 1001: ...f time to wait before sending a heartbeat event if no other events have been sent is set to 30 minutes n All event categories are enabled To change or disable the heartbeat interval or to disable event categories and to perform other log configuration Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Man...

Page 1002: ...ent Categories b Click an event category to expand c Depending on the event category you can enable or disable informational events status events and error events Some categories also allow you to set the Status interval which is the time interval between periodic status events 6 Optional See Configure syslog servers for information about configuring remote syslog servers to which log messages wil...

Page 1003: ...ds and takes the format number w d h m s For example to set the heartbeat interval to ten minutes enter either 10m or 600s config system log heartbeat_interval 600s config To disable the heartbeat interval set the value to 0s 4 Enable preserve system logs functionality to save the current session s system log after a reboot By default the LR54 device erases system logs each time the device is powe...

Page 1004: ...o allow you to set the status interval which is the time interval between periodic status events For example to configure DHCP server logging i Use the question mark to determine what events are available for DHCP server logging configuration config system log event dhcpserver DHCP server Settings for DHCP server events Informational events are generated when a lease is obtained or released Status...

Page 1005: ...set the status interval to ten minutes enter either 10m or 600s config system log event dhcpserver status_interval 600s config 6 Optional See Configure syslog servers for information about configuring remote syslog servers to which log messages will be sent 7 Save the configuration and apply the change config save Configuration saved 8 Type exit to exit the Admin CLI Depending on your device confi...

Page 1006: ...re detailed analysis you can download the captured data traffic from the device and view it using a third party application Note Data traffic is captured to RAM and the captured data is lost when the device reboots unless you save the data to a file See Save captured data traffic to a file This section contains the following topics Configure packet capture for the network analyzer 1007 Example fil...

Page 1007: ...or time that will trigger the analyzer to run using this capture configuration l The amount of time that the analyzer session will run l The frequency with which captured events will be saved To configure a packet capture configuration Web 1 Log into Digi Remote Manager or log into the local Web UI as a user with full Admin access rights 2 Access the device configuration Remote Manager a Locate yo...

Page 1008: ...new capture filter configuration is displayed 5 Optional Add a filter type a Click to expand Filter You can select from preconfigured filters to determine which types of packets to capture or ignore or you can create your own Berkeley packet filter expression b To create a filter that either captures or ignores packets from a particular IP address or network ...

Page 1009: ...ption is disabled which means that the filter will capture packets that use this protocol v Click to add additional IP protocols filters d To create a filter that either captures or ignores packets from a particular port i Click to expand Filter TCP UDP port ii Click to add a TCP UDP port iii For IP TCP UDP port to capture or ignore type the number of the port to be captured or ignored iv For TCP ...

Page 1010: ... setting instance c For Device select an interface d Repeat to add additional interfaces to the capture filter 7 Optional For Berkeley packet filter expression type a filter using Berkeley Packet Filter BPF syntax See Example filters for capturing data traffic for examples of filters using BPF syntax 8 Optional Schedule the analyzer to run using this capture filter based on a specified event or at...

Page 1011: ...election menu Type admin to access the Admin CLI 2 At the command line type config to enter configuration mode config config 3 Add a new capture filter config add network analyzer name config network analyzer name 4 Add an interface to the capture filter config network analyzer name add device end device config network analyzer name Determine available devices and the proper syntax To determine av...

Page 1012: ...ess network is the source n destination The filter will apply to packets when the IP address network is the destination n either The filter will apply to packets when the IP address network is either the source or the destination iv Optional Set whether the filter should ignore packets from this IP address network config network analyzer name filter address 0 ignore true config network analyzer name filte...

Page 1013: ...ter protocol 0 ignore true config network analyzer name filter protocol 0 By default this option is set to false which means that the filter will capture packets from this protocol vi Repeat these steps to add additional protocol filters c To create a filter that either captures or ignores packets from a particular port i Add a new port filter config network analyzer name add filter port end config ...

Page 1014: ...yzer name filter mac_address 0 address value config network analyzer name filter mac_address 0 where value is the MAC address to be filtered using colon hexadecimal notation with lower case for example 00 aa 11 bb 22 cc iii Set whether the filter should apply to packets when the MAC address is the source the destination or both config network analyzer name filter mac_address 0 match value config n...

Page 1015: ...cket Filter BPF syntax Values that contain spaces must be enclosed in double quotes See Example filters for capturing data traffic for examples of filters using BPF syntax 6 Optional Schedule the analyzer to run using this capture filter based on a specified event or at a particular time a Enable scheduling for this capture filter config network analyzer name schedule enable true config network an...

Page 1016: ... network analyzer name save_interval 600s config network analyzer name d Set the frequency with which captured events will be saved config network analyzer name save_interval value config network analyzer name where value is any number of weeks days hours minutes or seconds and takes the format number w d h m s For example to set save_interval to ten minutes enter either 10m or 600s config network...

Page 1017: ...pture traffic from UDP port 53 ip proto udp and src port 53 n Capture to and from IP host 10 0 0 1 but filter out ports 22 and 80 ip host 10 0 0 1 and not port 22 or port 80 Example Ethernet capture filters n Capture Ethernet packets to and from a host with a MAC address of 00 40 D0 13 35 36 ether host 00 40 D0 13 35 36 n Capture Ethernet packets from host 00 40 D0 13 35 36 ether src 00 40 D0 13 3...

Page 1018: ...menu Type admin to access the Admin CLI 2 Type the following at the Admin CLI prompt analyzer start name capture_filter where capture_filter is the name of a packet capture configuration See Configure packet capture for the network analyzer for more information To determine available packet capture configurations use the analyzer start name name Name of the capture filter to use Format test_captur...

Page 1019: ...d traffic data To view captured data traffic use the show analyzer command The command output shows the following information for each packet n The packet number n The timestamp for when the packet was captured n The length of the packet and the amount of data captured n Whether the packet was sent or received by the device n The interface on which the packet was sent or received n A hexadecimal du...

Page 1020: ...0x00 Total Length 40 bytes ID 15670 0x3d36 Flags Do not fragment Fragment Offset 0 0x0000 TTL 128 0x80 Protocol TCP 6 Checksum 0x14bc Source IP Address 10 10 74 130 Dest IP Address 10 10 74 72 TCP Header Source Port 52654 Destination Port 22 Sequence Number 2756443999 Ack Number 3995064355 Data Offset 5 Flags ACK Window 2050 Checksum 0xc740 Urgent Pointer 0 TCP Data 00 00 00 00 00 00 where capture...

Page 1021: ...to access the Admin CLI 2 Type the following at the Admin CLI prompt analyzer save filename filename name capture_filter where n filename is the name of the file that the captured data will be saved to Determine filenames already in use Use the tab autocomplete feature to determine filenames that are currently in use analyzer save name tab test1_analyzer_capture test2_analyzer_capture analyzer sav...

Page 1022: ...r and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 Type scp to use the Secure Copy program to copy the file to your PC scp host hostname or ip user username remote remote path local local path to remote where n ...

Page 1023: ...ne as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 Type the following at the Admin CLI prompt analyzer clear name capture_filter where capture_filter is the name of a packet capture configuration See Configure packet capture for the network analyzer for more information To determi...

Page 1024: ...Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Stop ping commands To stop pings when the number of pings to send the count parameter has been set to a high value enter Ctrl C Use the traceroute command to diagnose IP routing problems Use the traceroute command to diagnose IP routing problems This command t...

Page 1025: ... Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending on your device configuration you may be presented with an Access selection menu Type admin to access the Admin CLI 2 At the Admin CLI prompt use the traceroute command to view IP routing information traceroute 8 8 8 8 traceroute to 8 8 8 8 8 ...

Page 1026: ...to correct the interference by one or more of the following measures n Reorient or relocate the receiving antenna n Increase the separation between the equipment and the receiver n Connect the equipment into an outlet that is on a circuit different from the receiver n Consult the dealer or an experienced radio TV technician for help Labeling Requirements FCC 15 19 LR54 complies with Part 15 of FCC...

Page 1027: ...ulatory agency in the desired countries of operation for more information IFETEL IFETEL number RTIDILR21 0246 Operation of this equipment is subject to the following two conditions 1 this equipment or device may not cause harmful interference and 2 this equipment or device must accept any interference including interference that may cause its undesired operation Applies to the no...

Page 1028: ...nds Maximum transmit power 13 overlapping channels at 22 MHz or 40 MHz wide spaced at 5 MHz Centered at 2 412 MHz to 2 472 MHz 651 784 mW 165 overlapping channels at 22 MHz or 40 MHz or 80 MHz wide spaced at 5 MHz Centered at 5180 MHz to 5825 MHz 351 295 mW Innovation Science and Economic Development Canada IC certifications This digital apparatus does not exceed the Class B limits for radio noise...

Page 1029: ... Changes or modifications not expressly approved by the party responsible for compliance could void the user s authority to operate the equipment Use only the accessories attachments and power supplies provided by the manufacturer connecting non approved antennas or power supplies may damage the router cause interference or create an electric shock hazard and will void the warranty n Do not attemp...

Page 1030: ... of cellular services to the offender legal action or both As with any electrical equipment do not operate the router in the presence of flammable gases fumes or potentially explosive atmospheres Do not use radio devices anywhere that blasting operations occur Wireless routers receive and transmit radio frequency energy when power is on Interference can occur when using the router close to TV sets...

Page 1031: ...ългарски Croatian Hrvatski French Français Greek Ελληνικά Hungarian Magyar Italian Italiano Latvian Latvietis Lithuanian Lietuvis Polish Polskie Portuguese Português Slovak Slovák Slovenian Esloveno Spanish Español LR54 User Guide 1031 ...

Page 1032: ...le parts Never open the equipment For safety reasons the equipment should be opened only by qualified personnel The unit must be powered off where blasting is in progress where explosive atmospheres are present or near medical or life support equipment Do not power on the unit in any aircraft Operation of this equipment in a residential environment could cause radio interference For ambient temper...

Page 1033: ... the user Never open the equipment For safety reasons the equipment should be opened only by qualified personnel The unit must be powered off where blasting is in progress where there is an explosive atmosphere or near medical or life support equipment Do not power on the device in an aircraft Operation of this equipment in a residential environment...

Page 1034: ...service Never open the equipment For safety reasons the equipment should be opened only by qualified personnel The device must be switched off where blasting is in progress where explosive atmospheres are present or near medical or life support equipment Do not power on the unit in any aircraft Operation of this equipment in a residential environment could cause radio interference...

Page 1035: ... Never open the equipment For safety reasons the equipment must be opened only by qualified personnel The unit must be switched off where blasting is in progress where explosive atmospheres are present or near medical or life support equipment Do not switch on the device in an aircraft Use of this equipment in a residential environment may cause...

Page 1036: ...never open the equipment For safety reasons the equipment must be opened only by qualified personnel The unit must be switched off when blasting is in progress where explosive atmospheres are present or near medical or life support equipment Do not switch on the unit in any aircraft Operation of this equipment in...

Page 1037: ... personnel may open it The unit must be switched off when blasting is in progress where there is an explosive atmosphere or near medical or life saving equipment Do not switch on the unit in any aircraft Operating the equipment in a residential environment may cause radio interference For ambient temperatures above 60 C this equipment must be installed only in a restricted access location The...

Page 1038: ...never open the equipment For safety reasons the equipment must be opened only by qualified personnel The unit must be switched off where blasting is in progress where explosive atmospheres are present or near medical or life support equipment Do not switch on the unit in any aircraft Operation of this equipment in a residential environment could cause inter...

Page 1039: ...user serviceable parts Never open the equipment For safety reasons the equipment may be opened only by qualified personnel The unit must be switched off where blasting is taking place in an explosive atmosphere or near medical or life support equipment Do not switch on the device in any aircraft Operation of this device in a residential environment may cause radio interference If the ambient temperature exceeds 60...

Page 1040: ...user serviceable parts Never open the equipment For safety reasons the equipment should be opened only by qualified personnel The unit must be switched off where blasting is taking place in an explosive environment or near medical or life support equipment Do not switch on the unit in any aircraft Using this equipment in a residential environment may cause radio interference At higher than 60 C ambient temp...

Page 1041: ...not open the device For safety reasons the device should be opened only by qualified personnel The device must be switched off in places where blasting work is in progress in an explosive atmosphere or near medical or life support equipment Do not switch on the device in any aircraft Operation of this equipment in a residential environment may cause radio interference...

Page 1042: ...be performed by the user Never open the equipment For safety reasons the equipment should be opened only by qualified personnel The unit must be switched off where blasting is in progress where explosive atmospheres are present or near medical or life support equipment Do not switch on the unit in any aircraft Operation of this equipment in a residential environment may c...

Page 1043: ...by the user Never open the equipment For safety reasons the equipment should be opened only by qualified personnel The unit must be switched off where blasting work is in progress where an explosive environment is present or near medical devices or life support equipment Do not switch on the unit in any aircraft Operation of this equipment in a residential environment could cause radio interfer...

Page 1044: ...that the user could use Never open the equipment For safety reasons the equipment should be opened only by trained personnel The unit must be switched off where blasting is in progress where explosive atmospheres are present or near medical or life support equipment Do not switch on the unit in any aircraft Operation of this equipment in a residential environment may cause radio interference At ...

Page 1045: ... that the user can repair Never open the equipment For safety reasons the equipment must be opened only by qualified personnel The unit must be switched off where blasting is being carried out when explosive atmospheres are present or near medical or life support equipment Do not switch on the unit in any aircraft Operation of this equipment in a residential environment may cause int...

Page 1046: ...ontact your Digi representative for repair information Certification category Standards Electromagnetic Compatibility EMC compliance standards n EN 300 328 v1 8 1 n EN 301 893 v1 7 2 n EN 301 489 n FCC Part 15 Subpart B Class B Safety compliance standards EN 62368 E UTRA CA E UTRA FDD E UTRA TDD UMTS FDD PTCRB Cellular carriers See the current list of carriers on the LR54 datasheet available on th...

Page 1047: ... web interface 1049 Display help for commands and parameters 1051 Auto complete commands and parameters 1053 Available commands 1054 Use the scp command 1055 Display status and statistics using the show command 1056 Device configuration using the command line interface 1057 Execute configuration commands at the root Admin CLI prompt 1058 Configuration mode 1060 Command line reference 1082 LR54 Use...

Page 1048: ...n WebUI Configure the web administration service n SSH Configure SSH access n Telnet Configure telnet access Log in to the command line interface Command line 1 Connect to the LR54 device by using a serial connection SSH or telnet or the Terminal in the WebUI or the Console in the Digi Remote Manager See Access the command line interface for more information n For serial connections the default co...

Page 1049: ...rface Command line 1 At the command prompt type exit exit 2 Depending on the device configuration you may be presented with another menu for example Access selection menu a Admin CLI s Shell q Quit Select access or quit admin Type q or quit to exit Execute a command from the web interface 1 Log into the LR54 WebUI as a user with Admin access 2 At the main menu click Terminal The device console app...

Page 1050: ...Command line interface Execute a command from the web interface LR54 User Guide 1050 The Admin CLI prompt appears ...

Page 1051: ... start of line Ctrl E Move cursor to end of line Ctrl W Delete word under cursor until start of line or Ctrl R If the current input is invalid then characters will be deleted until a prefix for a valid command is found Ctrl left Jump cursor left until start of line or Ctrl right Jump cursor right until start of line or The question mark command When executed from the root command prompt displays a...

Page 1052: ...DHCP leases dns Show DNS servers event Show event list ipsec Show IPsec statistics location Show loction information log Show syslog manufacture Show manufacturer information modbus gateway Show modbus gateway status statistics modem Show modem statistics network Show network interface statistics ntp Show NTP information openvpn Show OpenVPN statistics route Show IP routing information scripts Sho...

Page 1053: ...le Typing the space bar has similar behavior If multiple commands are available that will match the entered text auto complete is not performed and the available commands are displayed instead Auto complete applies to these command elements only n Command names For example typing net Tab auto completes the command as network n Parameter names For example l ping hostname int Tab auto completes the ...

Page 1054: ... for information about the help command ls Lists the contents of a directory mkdir Creates a directory modem Executes modem commands more Displays the contents of a file mv Moves a file or directory ping Pings a remote host using Internet Control Message Protocol ICMP Echo Request messages reboot Reboots the LR54 device rm Removes a file scp Uses the secure copy protocol SCP to transfer files betw...

Page 1055: ... being copied to a remote host from the LR54 device o The path and filename of the file on the LR54 device that will be copied to the remote host o The location on the remote host where the file will be copied Copy a file from a remote host to the LR54 device To copy a file from a remote host to the LR54 device use the scp command as follows scp host hostname or ip user username remote remote path...

Page 1056: ...t report 0040D0133536 22 08 26 03 41 00 bin Support report saved 2 Use the scp command to transfer the report to a remote host scp host 192 168 4 1 user admin remote home admin temp local var log support report 00 40 D0 13 35 36 22 08 26 03 41 00 bin to remote admin 192 168 4 1 s password adminpwd support report 0040D0133536 22 08 26 03 41 00 bin Display status and statistics using the show comman...

Page 1057: ...ersion 19 7 23 0 15f936e0ed Current Time Mon 26 August 2022 03 41 00 0000 CPU 1 4 Uptime 6 days 6 hours 21 minutes 57 seconds 541317s Temperature 40C show network The show network command displays status and statistics for network interfaces show network Interface Proto Status Address defaultip IPv4 up 192 168 210 1 24 defaultlinklocal IPv4 up 169 254 100 100 16 lan IPv4 up 192 168 2 1 lan IPv6 up...

Page 1058: ...nable false The LR54 device s ssh service is now disabled Note When the config command is executed at the root prompt certain configuration actions that are available in configuration mode cannot be performed This includes validating configuration changes canceling and reverting configuration changes and performing actions on elements in lists See Configuration mode for information about using con...

Page 1059: ...mote_control Remote control snmp SNMP ssh SSH telnet Telnet web_admin Web administration config service 3 Next display help for the config service ssh command config service ssh SSH An SSH server for managing the device Parameters Current Value enable true Enable key private Private key port 22 Port Additional Configuration acl Access control list mdns config service ssh 4 Lastly display the allow...

Page 1060: ... configuration commands in configuration mode There are two ways to enter configuration commands while in configuration mode n Enter the full command string from the config prompt For example to disable the ssh service by entering the full command string at the config prompt config service ssh enable false config n Execute commands by moving through the configuration schema For example to disable ...

Page 1061: ...fig cancel After using cancel to discard unsaved changes to the configuration you will automatically exit configuration mode Configuration actions In configuration mode configuration actions are available to perform tasks related to saving or canceling the configuration changes and to manage items and elements in lists The commands can be listed by entering a question mark at the config prompt The...

Page 1062: ...ple 1 Enter at the config prompt config This will display the following help information config Additional Configuration application Custom scripts auth Authentication cloud Central management firewall Firewall monitoring Monitoring network Network serial Serial service Services system System vpn VPN config 2 You can then display help for the additional configuration commands For example to displa...

Page 1063: ...display help for the service ssh command use one of the following methods n At the config prompt enter service ssh config service ssh n At the config prompt a Enter service to move to the service node config service config service b Enter ssh to move to the ssh node config service ssh config service ssh c Enter to display help for the ssh node config service ssh Either of these methods will displa...

Page 1064: ... config service b Enter ssh to move to the ssh node config service ssh config service ssh c Enter enable to display help for the enable parameter config service ssh enable config service ssh Either of these methods will display the following information config service ssh enable Enable Enable the service Format true false yes no 1 0 Default value true Current value true config service ssh enable M...

Page 1065: ...guration by entering two periods config service ssh acl zone config service ssh acl You can also move back multiple nodes in the configuration by typing multiple sets of two periods config service ssh acl zone config service n Move to the root of the config prompt from anywhere within the configuration by entering three periods config service ssh acl zone config Manage elements in lists While in ...

Page 1066: ... keyword is used to add an element to the end of a list Additionally the end keyword is used to add an element to a list that does not have any elements For example to add an authentication group to a user that has just been created 1 Use the show command to verify that the user is not currently a member of any groups config show auth user new user group config 2 Use the end keyword to add the adm...

Page 1067: ...ements in a list For example to reorder the authentication methods 1 Use the show command to display current authentication method configuration config show auth method 0 local 1 tacacs 2 radius config 2 To configure the device to use TACACS authentication first to authenticate a user use the move index_number_1 index_number_2 command config move auth method 1 0 config 3 Use the show command again...

Page 1068: ...min password pwd config 3 Save the configuration and apply the change config save Configuration saved 4 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Revert a subset of configuration changes to the default settings There are two methods to revert a subset of configuration changes to ...

Page 1069: ...he auth node config auth config auth 2 Enter the revert command with the path set to method config auth revert method config auth 3 Save the configuration and apply the change config auth save Configuration saved 4 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Enter strings in config...

Page 1070: ...hod one Create a user at the root of the config prompt config add auth user user1 config auth user user1 n Method two Create a user by moving through the configuration a At the config prompt enter auth to move to the auth node config auth config auth b Enter user to move to the user node config auth user config auth user c Create a new user with the username user1 config auth user add user1 config...

Page 1071: ... auth user user1 7 Save the configuration and apply the change config auth user user1 save Configuration saved 8 Type exit to exit the Admin CLI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Example Configure multiple WANs and LANs by using the command line The default configuration of the LR54 consists of one WAN ...

Page 1072: ...use the new bridge We will also create a second WAN that uses the ETH4 Ethernet port to provide additional redundant failover WAN capabilities Note To avoid potential problems with access to the device while performing these procedures you should use the serial port to perform these tasks or if you are using an Ethernet connection it should be connected to LAN1 through the ETH2 Ethernet port Task ...

Page 1073: ... device eth2 1 network device eth3 2 network device eth4 3 network wireless ap digi_ap1 4 network wireless ap digi_ap2 config n Method two Move within the configuration to the network bridge lan1 device location and then use the show command to display the list of devices a Change to the network node config network config network b Change to the bridge node config network bridge config network bridge ...

Page 1074: ...nd config del network bridge lan1 device 2 config c Remove the ETH3 device network device eth3 from the bridge using its index number 1 as determined above with the show command config del network bridge lan1 device 1 config d Use the show command again to verify that the LAN1 bridge now has only two devices ETH2 and Digi AP Wi Fi1 config show network bridge lan1 device 0 network device eth2 1 net...

Page 1075: ...LI Depending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Task two Create a new LAN In this task we will create a new LAN named LAN2 to use the LAN2 bridge created in task one 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights ...

Page 1076: ... LAN2 interface to internal config network interface LAN2 zone internal config network interface LAN2 6 Configure the IPv4 address for the LAN2 interface config network interface LAN2 ipv4 address 192 168 3 1 24 config network interface LAN2 7 Enable the DHCP server for the LAN2 interface config network interface LAN2 ipv4 dhcp_server enable true config network interface LAN2 8 Enable the access p...

Page 1077: ...pending on your device configuration you may be presented with an Access selection menu Type quit to disconnect from the device Task three Create a new WAN In this task we will create a second WAN interface named WAN2 using the ETH4 device 1 Select the device in Remote Manager and click Actions Open Console or log into the LR54 local command line as a user with full Admin access rights Depending o...

Page 1078: ...twork interface WAN2 6 Change the zone for the WAN to external config network interface WAN2 zone external config network interface WAN2 7 Configure the WAN as an IPv4 DHCP client a Enter ipv4 to determine the available settings for ipv4 the appropriate setting is highlighted in the example output config network interface WAN2 ipv4 IPv4 Parameters Current Value address Address enable true Enable g...

Page 1079: ...ample configuration WAN1 should be the primary WAN and WAN2 only used when WAN1 is down Additionally the Wireless WANs will provide additional failover capabilities and will be used only when both WAN1 and WAN2 are unable to connect to the internet To do this we will set the metric for WAN2 to a value that is higher than the metric for WAN1 and lower than the metric for the WWANs a Determine the m...

Page 1080: ...the ETH3 Ethernet port or by connecting to the Digi AP Wi Fi2 access point b Verify that the device has been provided an IP address from the LAN2 DHCP server in the 192 168 3 subnet c Verify that the device has access to the internet 4 Verify that WAN priority and failover are operating correctly between WAN1 and WAN2 a Connect an Ethernet cable from an alternate internet connected modem to WAN2 t...

Page 1081: ...Command line interface Configuration mode LR54 User Guide 1081 and the WAN2 Ethernet cable from the ETH4 Ethernet port iii Verify that devices connected to the LR54 have internet access through the WWAN ...

Page 1082: ...ware ota download 1089 modem firmware ota list 1089 modem firmware ota update 1089 modem firmware update 1090 modem pin change 1090 modem pin disable 1090 modem pin enable 1091 modem pin status 1091 modem pin unlock 1091 modem puk status 1091 modem puk unlock 1092 modem reset 1092 modem scan 1092 modem sim slot 1092 monitoring 1093 monitoring metrics upload 1093 more 1093 mv 1093 ping 1094 powerof...

Page 1083: ... 1105 show wifi client 1105 show wifi scanner 1106 show wifi scanner blocklist 1106 show wifi scanner candidates 1106 show wifi scanner log 1106 speedtest 1107 ssh 1107 system backup 1107 system disable cryptography 1108 system duplicate firmware 1108 system factory erase 1108 system find me 1108 system firmware ota check 1109 system firmware ota list 1109 system firmware ota update 1109 system fi...

Page 1084: ...apture filter to use path The path and filename to save captured traffic to If a relative path is provided etc config analyzer will be used as the root directory for the path and file analyzer start Start a capture session of packets on this devices interfaces Syntax analyzer start name Parameters name Name of the capture filter to use analyzer stop Stops the traffic capture session Syntax analyze...

Page 1085: ...rocess creates a copy of the image so the original image may be deleted after creating the container without breaking the container Syntax container create path Parameters path Filepath for container image to be created container delete Delete a LXC container This will remove the LXC container configuration and the container image Syntax container delete container Parameters container Filepath for ...

Page 1086: ...ference LR54 User Guide 1086 destination The destination path to copy the source file or directory to force Do not ask to overwrite the destination file if it exists help Show CLI editing and navigation commands Syntax help Parameters None ...

Page 1087: ... Command line reference LR54 User Guide 1087 ls List a directory Syntax ls path show hidden Parameters path List files and directories under this path show hidden Show hidden files and directories Hidden filenames begin with ...

Page 1088: ...CLI command on modem at interactive Start an AT command session on the modem s AT serial port Syntax modem at interactive name STRING imei STRING Parameters name The configured name of the modem to execute this CLI command on imei The IMEI of the modem to execute this CLI command on modem firmware check Inspect opt MODEM_MODEL Custom_Firmware directory for new modem firmware file Syntax modem firm...

Page 1089: ...are from the server The firmware will be downloaded on the device but the modem won t be updated Syntax modem firmware ota download name STRING imei STRING version STRING Parameters name The configured name of the modem to execute this CLI command on imei The IMEI of the modem to execute this CLI command on version Firmware version name modem firmware ota list Query the Digi firmware server for a ...

Page 1090: ...STRING Parameters name The configured name of the modem to execute this CLI command on imei The IMEI of the modem to execute this CLI command on version Firmware version name modem pin change Change the SIM s PIN code Warning Attempting to use an incorrect PIN code may PUK lock the SIM Syntax modem pin change old pin new pin name STRING imei STRING Parameters old pin The SIM s PIN code new pin The...

Page 1091: ...us and the number of PIN enable disable unlock attempts remaining The SIM will be PUK locked when there are no remaining retries Syntax modem pin status name STRING imei STRING Parameters name The configured name of the modem to execute this CLI command on imei The IMEI of the modem to execute this CLI command on modem pin unlock Temporarily unlock the SIM card with a PIN code Set the PIN field in...

Page 1092: ...The IMEI of the modem to execute this CLI command on modem reset Reset the modem hardware reboot it This can be useful if the modem has stopped responding to the network or is behaving inconsistently Syntax modem reset name STRING imei STRING Parameters name The configured name of the modem to execute this CLI command on imei The IMEI of the modem to execute this CLI command on modem scan List of ...

Page 1093: ...I of the modem to execute this CLI command on monitoring Commands to clear the device s status or systems monitoring metrics Device metrics commands upload Immediately upload current device health metrics Functions as if a scheduled upload was triggered Parameters None monitoring metrics upload Immediately upload current device health metrics Functions as if a scheduled upload was triggered Syntax...

Page 1094: ...be the broadcast address interface The network interface to send ping packets from when the host is reachable over a default route If not specified the system s primary default route will be used source The ping command will send a packet with the source address set to the IP address of this interface rather than the address of the interface the packet is sent from ipv6 If a hostname is defined as...

Page 1095: ...Command line interface Command line reference LR54 User Guide 1095 reboot Reboot the system Parameters None ...

Page 1096: ...Command line interface Command line reference LR54 User Guide 1096 rm Remove a file or directory Syntax rm path force Parameters path The path to remove force Force the file to be removed without asking ...

Page 1097: ...e host or from the remote host to the local device port The SSH port to use to connect to the remote host Minimum 1 Maximum 65535 Default 22 show analyzer Show packets from a specified analyzer capture Syntax show analyzer name Parameters name Name of the capture filter to use show arp Show ARP tables If no IP version is specified IPv4 IPV6 will be displayed Syntax show arp ipv4 ipv6 verbose Param...

Page 1098: ...session although individual output lines may be context sensitive and unable to be entered in isolation show containers Show container status statistics Syntax show containers container STRING Parameters container Display more details and config data for a specific container show dhcp lease Show DHCP leases Syntax show dhcp lease all verbose Parameters all Show all leases active and inactive not in...

Page 1099: ...1 Default 20 show hotspot Show hotspot statistics Syntax show hotspot name STRING ip STRING Parameters name The configured instance name of the hotspot ip IP address of a specific client to limit the status display to only this client show ipsec Show IPsec status statistics Syntax show ipsec tunnel STRING all verbose Parameters tunnel Display more details and config data for a specific IPsec tunne...

Page 1100: ...ails for a specific L2TPv3 ethernet tunnel session show location Show location information Syntax show location geofence Parameters geofence Show geofence information show log Show system log low level Syntax show log number INTEGER filter critical warning debug info Parameters number Number of lines to retrieve from log Minimum 1 Default 20 filter Filters for type of log message displayed critica...

Page 1101: ...detail show modem Show modem status statistics Syntax show modem name STRING imei STRING verbose Parameters name The configured name of the modem to execute this CLI command on imei The IMEI of the modem to execute this CLI command on verbose Display more information less concise more detail show nemo Show NEMO status and statistics Syntax show nemo name STRING Parameters name Display more details...

Page 1102: ...N client status statistics Syntax show openvpn client name STRING all Parameters name Display more details and config data for a specific OpenVPN client all Display all clients including disabled clients show openvpn server Show OpenVPN server status statistics Syntax show openvpn server name STRING all Parameters name Display more details and config data for a specific OpenVPN server all Display ...

Page 1103: ...how scripts Show scheduled system scripts Syntax show scripts Parameters None show serial Show serial status statistics Syntax show serial port STRING Parameters port Display more details and config data for a specific serial port show surelink interface Show SureLink status statistics for network interfaces Syntax show surelink interface name STRING all Parameters name The name of a specific netw...

Page 1104: ...ureLink status statistics for OpenVPN clients Syntax show surelink openvpn client STRING all Parameters client The name of the OpenVPN client all Show all OpenVPN clients show system Show system status statistics Syntax show system verbose Parameters verbose Display more information disk usage etc show usb Show USB information Syntax show usb Parameters None show version Show firmware version Synt...

Page 1105: ...bled instances show web filter Show web filter status statistics Syntax show web filter Parameters None show wifi ap Display details for Wi Fi access points Syntax show wifi ap name STRING all Parameters name Display more details for a specific Wi Fi access point all Display all Wi Fi access points including disabled Wi Fi access points show wifi client Display details for Wi Fi client mode connec...

Page 1106: ...uated as static Parameters None wifi scanner log Show output log for the last update interval Parameters None show wifi scanner blocklist Show transmitters that have been evaluated as static and not included in the output log Syntax show wifi scanner blocklist Parameters None show wifi scanner candidates Show transmitters detected during the most recent observation period but not evaluated as stat...

Page 1107: ...remote host user The username to use when connecting to the remote host port The SSH port to use to connect to the remote host Minimum 1 Maximum 65535 Default 22 command The command that will be automatically executed once the SSH session to the remote host is established system backup Save the device's configuration to a file Archives are full backups including generated SSH keys and dynamic DHCP...

Page 1108: ...e consecutively Syntax system disable cryptography Parameters None system duplicate firmware Duplicate the running firmware to the alternate partition so that the device will always boot the same firmware version Syntax system duplicate firmware Parameters None system factory erase Erase the device to restore to factory defaults All configuration and automatically generated keys will be erased Syn...

Page 1109: ...rform FOTA firmware over the air update The device will be updated to the latest firmware version unless the version argument is used to specify the firmware version Syntax system firmware ota update version STRING Parameters version Firmware version name system firmware update Update the current firmware image Upon reboot the new firmware will be run Syntax system firmware update file Parameters ...

Page 1110: ...th a passphrase system script start Run a manual script Scripts that are disabled not a manual script or already running can not be run Syntax system script start script Parameters script Script to start system script stop Stop an active running script Scripts scheduled to run again will still run again disable a script to prevent it from running again Syntax system script stop script Parameters s...

Page 1111: ...isplays the serial log on the screen Syntax system serial show port Parameters port Serial port system serial start Start logging data on a serial port Syntax system serial start port size INTEGER Parameters port Serial port size Maximum size of serial log Default 65536 system serial stop Start logging data on a serial port Syntax system serial stop port Parameters port Serial port system support ...

Page 1112: ...stem time sync Perform an NTP query to the configured server(s) and set the local time to the first server that responds Syntax system time sync Parameters None system time test Test the configured NTP server(s) for connectivity This test will not affect the device's current local date and time Syntax system time test Parameters None telnet Use Telnet protocol to log into a remote server Syntax telne...

Page 1113: ...port number will be incremented by each probe A value of 1 specifies that no specific port will be used Minimum 1 Default 1 nqueries Sets the number of probe packets per hop A value of 1 indicated Minimum 1 Default 3 src_addr Chooses an alternative source address Note that you must select the address of one of the interfaces By default the address of the outgoing interface is used tos For IPv4 set...
