GW3300 - Router Virtual Access - Free user manual and instructions

USER MANUAL GW3300 Virtual Access

GW3300 Series User Manual

Issue: 1.8

Date: 02 February 2018

1 Introduction....10

1.1 Document scope 10
1.2 Using this documentation.... 10

2 GW3300 Series router hardware 13

2.1 Hardware specification.... 13
2.2 Hardware features 13
2.3 RS232 mode pin-out on the GW3300.... 14
2.4 RS485 mode pin-out on the GW3300.... 14
2.5 Mobile technology 14
2.6 WiFi technology 14
2.7 Power supply.... 15
2.8 Dimensions.... 15
2.9 Operating temperature range 15
2.10 Antenna.... 16
2.11 Getting started 16
2.12 Inserting the SIM cards 16
2.13 Connecting cables.... 16
2.14 Connecting the antenna.... 16
2.15 Powering up 17
2.16 Reset button 17

3 GW3300 Series LED behaviour....18

3.1 Configuration LED 18
3.2 SIM LED 18
3.3 Signal strength LEDs 18
3.4 Ethernet port LED behaviour 19

4 Installing a router into a vehicle....20

4.1 Installing a router into a vehicle using a non-fused power cable....20
4.2 Installing a router into a vehicle using a fused power cable 21

5 Factory configuration extraction from SIM card 22

6 Accessing the router....23

6.1 Configuration packages used 23
6.2 Accessing the router over Ethernet using the web interface 23
6.3 Accessing the router over Ethernet using an SSH client 24
6.4 Accessing the router over Ethernet using a Telnet client 25
6.5 Configuring the password.... 25
6.6 Configuring the password using the web interface.... 25
6.7 Configuring the password using UCI 26
6.8 Configuring the password using package options.... 26
6.9 Accessing the device using RADIUS authentication 27
6.10 Accessing the device using TACACS+ authentication 28

6.11 SSH 31
6.12 Package dropbear using UCI 33
6.13 Certs and private keys.... 34
6.14 Configuring a router's web server 35
6.15 Basic authentication (httpd conf) 40
6.16 Securing uhttpd 41
6.17 Displaying custom information via login screen 41

7 Router file structure 43

7.1 System information....43
7.2 Identify your software version 44
7.3 Image files....45
7.4 Directory locations for UCI configuration files 45
7.5 Viewing and changing current configuration 45
7.6 Configuration file syntax 46
7.7 Managing configurations 46
7.8 Exporting a configuration file 47
7.9 Importing a configuration file 48

8 Using the Command Line Interface....52

8.1 Overview of some common commands 52
8.2 Using Unified Configuration Interface (UCI) 55
8.3 Configuration files....60
8.4 Configuration file syntax 60

9 Upgrading router firmware....62

9.1 Software versions 62
9.2 Upgrading firmware using CLI 68

10 System settings....71

10.1 Configuration package used 71
10.2 Configuring system properties 71
10.3 System settings using UCI 75
10.4 System diagnostics 76

11 Configuring an Ethernet interface....78

11.1 Configuration packages used 78
11.2 Configuring an Ethernet interface using the web interface 78
11.3 Interface configuration using UCI 90
11.4 Configuring port maps....93
11.5 Port map packages....93
11.6 Interface diagnostics....95

12 Configuring VLAN 97

12.1 Maximum number of VLANs supported 97
12.2 Configuration package used 97

12.3 Configuring VLAN using the web interface 97
12.4 Viewing VLAN interface settings.... 100
12.5 Configuring VLAN using the UCI interface.... 101

13 Configuring ignition sense 102

13.1 Configuration packages used 102
13.2 Configuring vapowermond using the web interface.... 102
13.3 Configuring vapowermond using the command line 104
13.4 Ignition sense diagnostics 105

14 Configuring a WiFi connection .... 106

14.1 Configuration packages used 106
14.2 Configuring a WiFi interface using the web interface.... 106
14.3 Configuring WiFi in AP mode.... 112
14.4 Configuring WiFi using UCI 114
14.5 Creating a WiFi in Client mode using the web interface 117
14.6 Configuring WiFi in Client mode using command line 118

15 Configuring a mobile connection 120

15.1 Configuration package used 120
15.2 Configuring a mobile connection using the web interface.... 120
15.3 Configuring a mobile connection using CLI 126
15.4 Diagnositcs 127

16 Configuring mobile manager....131

16.1 Configuration package used 131
16.2 Configuring mobile manager using the web interface.... 131
16.3 Configuring mobile manager using command line.... 136
16.4 Monitoring SMS 137
16.5 Sending SMS from the router 138
16.6 Sending SMS to the router 138

17 Configuring a GRE interface....139

17.1 Configuration packages used.... 139
17.2 Creating a GRE connection using the web interface 139
17.3 GRE configuration using command line 144
17.4 GRE configuration using UCI 144
17.5 GRE configuration using package options.... 144
17.6 GRE diagnostics.... 145

18 Configuring static routes ...... 147

18.1 Configuration package used 147
18.2 Configuring static routes using the web interface 147
18.3 Configuring IPv6 routes using the web interface 148
18.4 Configuring routes using command line 148
18.5 IPv4 routes using UCI.... 149

18.6 IPv4 routes using package options.... 150
18.7 IPv6 routes using UCI.... 150
18.8 IPv6 routes using packages options.... 150
18.9 Static routes diagnostics.... 151

19 Configuring BGP (Border Gateway Protocol) 152

19.1 Configuration package used 152
19.2 Configuring BGP using the web interface.... 152
19.3 Configuring BGP using UCI 155
19.4 Configuring BGP using packages options.... 156
19.5 View routes statistics.... 157

20 Configuring OSPF (Open Shortest Path First) 158

20.1 Introduction 158
20.2 Configuration package used 163
20.3 Configuring OSPF using the web interface 164
20.4 Configuring OSPF using the command line 167
20.5 OSPF using UCI 168
20.6 OSPF using package options.... 169
20.7 OSPF diagnostics 170
20.8 Quagga/Zebra console.... 171

21 Configuring VRRP 177

21.1 Overview 177
21.2 Configuration package used 177
21.3 Configuring VRRP using the web interface 177
21.4 Configuring VRRP using command line.... 181

22 Configuring Routing Information Protocol (RIP) 184

22.1 Introduction 184
22.2 Configuration package used 185
22.3 Configuring RIP using the web interface.... 186
22.4 Configuring RIP using command line 190
22.5 RIP diagnostics.... 194

23 Configuring Multi-WAN 198

23.1 Configuration package used 198
23.2 Configuring Multi-WAN using the web interface.... 198
23.3 Configuring Multi-WAN using UCI 202
23.4 Multi-WAN diagnostics.... 204

24 Automatic operator selection....206

24.1 Configuration package used 206
24.2 Configuring automatic operator selection via the web interface 206
24.3 Configuring via UCI 230
24.4 Configuring no PMP + roaming using UCI 234

24.5 Automatic operator selection diagnostics via the web interface 236
24.6 Automatic operator selection diagnostics via UCI 238

25 Configuring Connection Watch (cwatch) 241

25.1 Configuration package used 241
25.2 Configuring Connection Watch using the web interface 241
25.3 Configuring cwatch using command line 243
25.4 cwatch diagnostics 244

26 Configuring DHCP server and DNS (Dnsmasq) 245

26.1 Configuration package used 245
26.2 Configuring DHCP and DNS using the web interface 245
26.3 Configuring DHCP and DNS using UCI 253
26.4 Configuring DHCP pools using UCI 255
26.5 Configuring static leases using UCI 256

27 Configuring DHCP client....257

27.1 Configuration packages used 257
27.2 Configuring DHCP client using the web interface 257
27.3 Configuring DHCP client using command line 263
27.4 DHCP client diagnostics 264

28 Configuring DHCP forwarding 267

28.1 Configuration packages used 267
28.2 Configuring DHCP forwarding using the web interface 267
28.3 Configuring DHCP forwarding using command line 268
28.4 DHCP forwarding over IPSec.... 269
28.5 DHCP forwarding diagnostics 272

29 Configuring Dynamic DNS....274

29.1 Overview 274
29.2 Configuration packages used 274
29.3 Configuring Dynamic DNS using the web interface 274
29.4 Dynamic DNS using UCI 276

30 Configuring hostnames....278

30.1 Overview 278
30.2 Local host file records.... 278
30.3 PTR records.... 280
30.4 Static leases.... 282

31 Configuring firewall....285

31.1 Configuration package used 285
31.2 Configuring firewall using the web interface 285
31.3 Configuring firewall using UCI 297
31.4 IPv6 notes 300
31.5 Implications of DROP vs. REJECT 300

31.6 Connection tracking 301
31.7 Firewall examples 301

32 Configuring IPSec....309

32.1 Configuration package used 309
32.2 Configuring IPSec using the web interface 309
32.3 Configuring IPSec using UCI 318
32.4 Configuring an IPSec template for DMVPN via the web interface 322
32.5 Configuring an IPSec template to use with DMVPN 329
32.6 IPSec diagnostics using the web interface 331
32.7 IPSec diagnostics using UCI 331

33 Dynamic Multipoint Virtual Private Network (DMVPN) 332

33.1 Prerequisites for configuring DMVPN 332
33.2 Advantages of using DMVPN 332
33.3 DMVPN scenarios 333
33.4 Configuration packages used 335
33.5 Configuring DMVPN using the web interface 335
33.6 DMVPN diagnostics.... 337

34 Configuring multicasting using PIM and IGMP interfaces 340

34.1 Overview 340
34.2 Configuration package used 340
34.3 Configuring PIM and IGMP using the web interface 340
34.4 Configuring PIM and IGMP using UCI 342

35 QoS: VLAN 802.1Q PCP tagging .... 344

35.1 Configuring VLAN PCP tagging 344

36 QoS: type of service....347

36.1 QoS configuration overview 347
36.2 Configuration packages used 347
36.3 Configuring QoS using the web interface.... 347
36.4 Configuring QoS using UCI 349
36.5 Example QoS configurations 352

37 Management configuration settings 353

37.1 Activator 353
37.2 Monitor 353
37.3 Configuration packages used 353
37.4 Autoload: boot up activation.... 354
37.5 Autoload packages 354
37.6 Autoload using UCI 357
37.7 HTTP Client: configuring activation using the web interface 358
37.8 Httpclient: Activator configuration using UCI 361
37.9 Httpclient: Activator configuration using package options.... 361

37.10 User management using UCI 362
37.11 Configuring the management user password using UCI 363
37.12 Configuring management user password using package options.... 364
37.13 User management using UCI 364
37.14 User management using package options 364
37.15 Configuring user access to specific web pages 365

38 Configuring Monitor 366

38.1 Introduction 366
38.2 Reporting device status to Monitor 366
38.3 Reporting GPS location to Monitor 372
38.4 Reporting syslog to Monitor 373
38.5 Configuring ISAD 375

39 Configuring SNMP 378

39.1 Configuration package used 378
39.2 Configuring SMNP using the web interface.... 378
39.3 Configuring SNMP using command line 384
39.4 Configuring SNMP interface alias with static SNMP index 390
39.5 SNMP diagnostics.... 392

40 Event system 394

40.1 Configuration package used 394
40.2 Event system overview 394
40.3 Configuring the event system using the web interface 395
40.4 Configuring the event system using command line 406
40.5 Event system diagnostics.... 414

41 Configuring data usage monitor 418

41.1 Introduction 418
41.2 Configuration package used 418
41.3 Configuring data usage using the web interface 418
41.4 Data usage status.... 421
41.5 Data usage diagnostics.... 421

42 Configuring Terminal Server 423

42.1 Overview 423
42.2 Configuration packages used 423
42.3 Configuring Terminal Server using the web interface 423
42.4 Terminal Server using UCI 434
42.5 Terminal Server using package options.... 434
42.6 Terminal server DSR signal management based on network configuration.... 434
42.7 Terminal Server diagnostics 436

43 Configuring terminal package....439

43.1 Configuration packages used 439

43.2 Configuring terminal package using the web interface 439
43.3 Configuring terminal package using UCI 439
43.4 Configuring terminal using package options.... 440
43.5 Terminal diagnostics.... 440
44.1 What are SAToP and CESoPSN? 441
44.2 Clocking.... 441
44.3 Virtual Access proprietary SAToP/CESoPSN protocol extension.... 442
44.4 Configuration package used 442
44.5 Configuring SAToP/CESoPSN 443
44.6 Configuring main settings using UCI 444
44.7 Configuring port settings using the web interface 445
44.8 Configuring port settings using UCI 451
44.9 CESoPSN diagnostics.... 452
45.1 Overview 462
45.2 Monitoring serial interfaces using the web interface 462
45.3 Monitoring serial interfaces using command line 463

44 Configuring SAToP and CESoPSN 441

45 Serial interface 462

1 Introduction

This user manual describes the features and how to configure Virtual Access GW3300 Series routers.

Designed for managed network providers, GW3300 Series routers provide secure WAN connectivity for internet and private networking environments over 3G or 4G broadband paths and incorporate optional 802.11n WiFi connectivity.

1.1 Document scope

This document covers the following models in the GW3300 Series.

GW3330 Four Ethernet, 3G/4G/LTE, Dual SIM, WiFi, Serial

1.2 Using this documentation

You can configure your router using either the router's web interface or via the command line using UCI commands. Each chapter explains first the web interface settings, followed by how to configure the router using UCI. The web interface screens are shown along with a path to the screen for example, 'In the top menu, select Service -> SNMP.' followed by a screen grab.

After the screen grab there is an information table that describes each of the screen's fields.

1.2.1 Information tables

We use information tables to show the different ways to configure the router using the router's web and command line. The left-hand column shows three options:

• Web: refers the command on the router's web page,
  • UCI : shows the specific UCI command, and
• Opt: shows the package option.

The right-hand column shows a description field that describes the feature's field or command and shows any options for that feature.

Some features have a drop-down menu and the options are described in a table within the description column. The default value is shown in a grey cell.

Values for enabling and disabling a feature are varied throughout the web interface, for example, 1/0; Yes/No; True/False; check/uncheck a radio button. In the table descriptions, we use 0 to denote Disable and 1 to denote Enable.

Some configuration sections can be defined more than once. An example of this is the routing table where multiple routes can exist and all are named 'route'. For these sections, the UCI command will have a code value [0] or [x] (where x is the section number) to identify the section.

Note: these sections can be given a label for identification when using UCI or package options.

network.@route[0]=route
network.@route[0].metric=0 

can be written as:

network routename=route
network.routename.metric=0 

However the documentation usually assumes that a section label is not configured.

The table below shows fields from a variety of chapters to illustrate the explanations above.

Table 1: Example of an information table

1.2.2 Definitions

Throughout the document, we use the host name 'VA_router' to cover all router models.

UCI commands and package option examples are shown in the following format:

root@VA_router:~# vacmd show current config 

1.2.3 Diagnostics

Diagnostics are explained at the end of each feature's chapter.

1.2.4 UCI commands

For detailed information on using UCI commands, read chapters 'Router File Structure' and 'Using Command Line Interface'.

2 GW3300 Series router hardware

2.1 Hardware specification

Figure 1: GW3300 router front interface

2.2 Hardware features

• Dual SIM sockets
• Seven SMA connectors: 2 for WiFi, 2 for each radio module, and 1 for GPS
  • Four 1Gbps Ethernet ports
• Two serial ports
• WiFi
• USB*
  • Power ignition sense
• Last GASP
• Optional SIM protection cover

* Note: USB not currently supported.

The asynchronous serial ports are named '/dev/ttyUSB0' and '/dev/ttyUSB1'

Each serial port has a number of configurable settings, such as baud rate, word size, parity, flow control mode, and so on.

Each serial port is configurable to operate in either RS232 or RS485 mode. The default mode is RS232 for the first port and RS485 for the second port.

For more information on using the port in RS485 mode, read the Terminal Server section of this manual.

2.3 RS232 mode pin-out on the GW3300

Table 2: RS232 mode pin-out on the GW3300

2.4 RS485 mode pin-out on the GW3300

Table 3: RS485 mode pin-out on the GW3300

2.5 Mobile technology

• LTE (FDD) B1/B2/B3/B5/B7/B8/B20
• 450LTE/LTE/FDD on 450 band 31
• Quad-band DC-HSPA+/HSPA+/HSPA/UMTS 850/900/1900/2100 MHz
• Quad-band EDGE/ GPRS/GSM 850/900/1800/1900 MHz

2.6 WiFi technology

• 802.11 a/b/g/n
• Dual band 2.4GHz and 5GHz
• 802.11ndata rate to 300Mbps
• At least 20dBm output power

2.7 Power supply

• DC input 9-36V
  • Active power conditioning accommodating voltage dips
• Ignition sense

2.8 Dimensions

Unit size: H45 x W180 x D153 (mm)

Unit weight: 940g

Vehicle mount kit √

DIN rail option √

2.9 Operating temperature range

The operating temperature range depends on the router's type of module.

Table 4: RF bands with operating temperatures

2.10 Antenna

Up to 7 SMA female connectors:

• 2 x WiFi
• 2 x WAN-1
• 2 x WAN-2
• 1 xGPS, 5V power

2.11 Getting started

To enable and configure connections on your router, it must be correctly installed.

The GW3300 Series router contains an internal web server that you use for configurations. Before you can access the internal web server and start the configuration, ensure the components are correctly connected and that your PC has the correct networking setup.

2.12 Inserting the SIM cards

1. Ensure the unit is powered off.
2. Hold the SIM 1 card with the chip side facing down and the cut corner front left.
3. Gently push the SIM card into SIM slot 1 until it clicks in.
4. If using SIM 2 then hold the SIM with the cut corner front right
5. Gently push the SIM card into SIM slot 2 until it clicks in.

2.13 Connecting cables

Connect one end of the Ethernet cable into port A and the other end to your PC or switch.

2.14 Connecting the antenna

If only connecting one antenna, screw the antenna into the MAIN SMA connector. If using multiple antennas, screw the antennas into the relevant SMA connectors.

Virtual Access supplies a wide range of antennas. Please visit our website: www.virtualaccess.com or contact Virtual Access for more information.

2.15 Powering up

During boot time, the power LED flashes.

Other LEDs display different diagnostic patterns during boot up.

Booting is complete when the power LED stops flashing and stays on steady.

2.16 Reset button

The reset button is used to request a system reset.

When you press the reset button all LEDs turn on simultaneously. The length of time you hold the reset button will determine its behaviour.

Table 5: GW3300 Series router reset behaviour

2.16.1 Recovery mode

Recovery mode is a fail-safe mode where the router can load a default configuration from the routers firmware. If your router goes into recovery mode, all config files are kept intact. After the next reboot, the router will revert to the previous config file.

You can use recovery mode to manipulate the config files, but should only be used if all other configs files are corrupt. If your router has entered recovery mode, contact your local reseller for access information.

3 GW3300 Series LED behaviour

3.1 Configuration LED

The configuration LED is either flashing or solid depending on the router's status.

The GW3300 Series takes approximately 1 minute to boot up. During this time, the configuration LED flashes.

Other LEDs display different diagnostic patterns during boot up.

Booting is complete when the configuration LED stops flashing and stays on steady.

LED	Colour	Status
	Green flashing quickly Unit	is booting from power on.
	Green flashing slowly	Unit is in recovery mode.
	Green flashing quickly Unit	is in factory config.
	Green on	Unit has completed booting up process and is in either config 1 or config2

Table 6: Config LED colours and status descriptions

3.2 SIM LED

The SIM LED is either flashing or solid depending on which SIM is in use and its status.

LED	Colour	Status
	Green on Using SIM connected to network.
	Green flashing Using SIM attempting to connect to network.

Table 7: SIM LED colours and status descriptions

3.3 Signal strength LEDs

There are three signal strength LEDs. They are all green.

LEDs	Colour	Status
	Green Off/off No signal detected.
	Green flashing Off/on	Low signal strength.
	Green flashing On/off	Medium signal strength.
	Green On/on	Good signal strength.

Table 8: Signal strength LED status descriptions

3.4 Ethernet port LED behaviour

The Ethernet ports have two LEDs: a LINK LED (green) and an ACT LED (amber). When looking at the ports, the LED on the left hand side is the LINK LED, and the ACT LED is on the right hand side.

Figure 2: Ethernet LEDs on the GW3300 router

4 Installing a router into a vehicle

The type of cable you need depends on your application and vehicle. You will have received either a fused or non-fused power cable for the installation.

4.1 Installing a router into a vehicle using a non-fused power cable

Install the router using the vehicle installation power cable 840-00076 provided.

Figure 3: 840-00076 3 core power cable

Table 9: Power cable descriptions

• Connect the BLACK wire to a ground wire.
• Connect the BLUE wire to a 12V switched vehicle ignition wire.
• Connect the RED wire to a 12V permanent wire.

Plug the 6 pin connector into the router.

4.2 Installing a router into a vehicle using a fused power cable

Install the router using the vehicle installation power cable 840-00105 provided.

Figure 4: 840-00105 3 core power cable

Table 10: Power cable descriptions

• Connect the BLACK wire to a ground wire.
• Connect the BLUE wire to a 12V switched vehicle ignition wire.
• Connect the RED wire to a 12V permanent wire.

Plug the 6 pin connector into the router.

5 Factory configuration extraction from SI M card

Virtual Access routers have a feature to update the factory configuration from a SIM card. This allows you to change the factory configuration of a router when installing the SIM.

1. Make sure the SIM card you are inserting has the required configuration written on it.
2. Ensure the router is powered off.
3. Hold the SIM 1 card with the chip side facing down and the cut corner front left.
4. Gently push the SIM card into SIM slot 1 until it clicks in.
5. Power up the router.

Depending on the model, the power LED and/or the configuration LED flash as usual.

The SIM LED starts flashing. This indicates the application responsible for 3G and configuration extraction management is running. It also means the update of the configuration is happening.

When the update is finished, depending on the model, the power LED and/or the configuration LED blink alternatively and very fast for 20 seconds.

Note: factory configuration extraction is only supported on mobile modules that support phone book operations.

6 Accessing the router

Access the router through the web interface or by using SSH. By default, Telnet is disabled.

6.1 Configuration packages used

6.2 Accessing the router over Ethernet using the web interface

DHCP is disabled by default, so if you do not receive an IP address via DHCP, assign a static IP to the PC that will be connected to the router.

Assuming that the PC is connected to Port A on the router, in your internet browser, type in the default local IP address 192.168.100.1, and press Enter. The Authorization page appears.

Figure 5: The login page

The password may vary depending on the factory configuration the router has been shipped with. The default settings are shown below. The username and password are case sensitive.

In the username field, type root.

In the Password field, type admin.

Click Login. The Status page appears.

6.3 Accessing the router over Ethernet using an SSH client

You can also access the router over Ethernet, using Secure Shell (SSH) and optionally over Telnet.

To access CLI over Ethernet start an SSH client and connect to the router's management IP address, on port 22:192.168.100.1/24.

On the first connection, you may be asked to confirm that you trust the host.

Figure 6: Confirming trust of the routers public key over SSH

Figure 7: SSH CLI logon screen

In the SSH CLI logon screen, enter the default username and password.

Username: root

Password: admin

6.3.1 SCP (Secure Copy Protocol)

As part of accessing the router over SSH, you can also use SCP protocol. Use the same user authentication credentials as for SSH access. You can use SCP protocol to securely, manually transfer files from and to the router's SCP server.

No dedicated SPC client is supported; select the SCP client software of your own choice.

6.4 Accessing the router over Ethernet using a Telnet client

Telnet is disabled by default, when you enable Telnet, SSH is disabled.

To enable Telnet, enter:

root@VA_router: ~# /etc/init.d/dropbear disable
root@VA_router: ~# reboot -f 

To re-enable SSH, enter:

root@VA_router: ~# /etc/init.d/dropbear enable
root@VA_router: ~# reboot -f 

Note: As SSH is enabled by default, initial connection to the router to enable Telnet must be established over SSH.

6.5 Configuring the password

6.5.1 Configuration packages used

6.6 Configuring the password using the web interface

To change your password, in the top menu click System -> Administration. The Administration page appears.

Figure 8: The router password section

In the Router Password section, type your new password in the password field and then retype the password in the confirmation field.

Scroll down the page and click Save & Apply.

Note: the username 'root' cannot be changed.

6.7 Configuring the password using UCI

The root password is displayed encrypted via the CLI using the hashpassword option.

root@VA_router:~# uci show system
system.main=system
system.main.hostname=VA_router
system.main.hashpassword=1jRX/x8A/$U5kLCMpi9dcahRhOl7eZV1 

If you are changing the password using UCI, enter the new password in plain text using the password option.

root@VA_router:~# uci system.main.password=newpassword
root@VA_router:~# uci commit 

The new password will take effect after reboot and will now be displayed in encrypted format via the hashpassword option.

6.8 Configuring the password using package options

The root password is displayed encrypted via the CLI using the hashpassword option.

root@VA_router:~# uci export system
package system

config system 'main'
option hostname 'VA_router'
option hashpassword '1wRYYiJOz$EeHN.GQcxXhRgNPVbqxVw 

If you are changing the password using UCI, enter the new password in plain text using the password option.

package system
config system 'main'
option hostname 'VA_router'
option hashpassword '1wRYYiJOz$EeHN.GQcxXhRgNPVbqxVw'
option password 'newpassword' 

The new password will take effect after reboot and will now be displayed in encrypted format via the hashpassword option.

6.9 Accessing the device using RADIUS authentication

You can configure RADIUS authentication to access the router over SSH, web or local console interface.

package system

config system 'main'
    option hostname 'VirtualAccess'
    option timezone 'UTC'

config pam_auth
    option enabled 'yes'
    option pamservice 'login'
    option pammodule 'auth'
    option pamcontrol 'sufficient'
    option type 'radius'
    option servers '192.168.0.1:3333|test|20 192.168.2.5|secret|10'

config pam_auth
    option enabled 'yes'
    option pamservice 'sshd'
    option pammodule 'auth'
    option pamcontrol 'sufficient' it checks package management_users
    option type 'radius'
    option servers '192.168.0.1:3333|test|20 192.168.2.5|secret|10'

config 'pam_auth'
    option enabled 'yes'
    option pamservice 'luci'
    option pammodule 'auth'
    option pamcontrol 'sufficient'
    option type 'radius'
    servers '192.168.0.1:3333|test|20 192.168.2.5|secret|10' 

Table 11: Information table for RADIUS authentication

6.10 Accessing the device using TACACS+ authentication

TACACS+ authentication can be configured for accessing the router over SSH, web or local console interface.

package system
config system 'main'
    option hostname 'VirtualAccess'
    option timezone 'UTC'

config pam_auth
    option enabled 'yes'
    option pamservice 'sshd' 

option pammodule 'auth'
option pamcontrol 'sufficient'
option type 'tacplus'
option servers '192.168.0.1:49|secret'

config pam_auth
option enabled 'yes'
option pamservice 'sshd'
option pammodule 'account'
option pamcontrol 'sufficient'
option type 'tacplus'
option servers '192.168.0.1:49|secret'
option args 'service=ppp'

config pam_auth
option enabled 'yes'
option pamservice 'sshd'
option pammodule 'session'
option pamcontrol 'sufficient'
option type 'tacplus'
option servers '192.168.0.1:49|secret'
option args 'service=ppp'

config pam_auth
option enabled 'yes'
option pamservice 'luci'
option pammodule 'auth'
option pamcontrol 'sufficient'
option type 'tacplus'
option servers '192.168.0.1:49|secret'

config pam_auth
option enabled 'yes'
option pamservice 'luci'
option pammodule 'account'
option pamcontrol 'sufficient'
option type 'tacplus' 

option servers '192.168.0.1:49|secret'
option args 'service=ppp'

config pam_auth
option enabled 'yes'
option pamservice 'luci'
option pammodule 'session'
option pamcontrol 'sufficient'
option type 'tacplus'
option servers '192.168.0.1:49|secret'
option args 'service=ppp'

config pam_auth
option enabled 'yes'
option pamservice 'login'
option pammodule 'auth'
option pamcontrol 'sufficient'
option type 'tacplus'
option servers '192.168.0.1:49|secret'

config pam_auth
option enabled 'yes'
option pamservice 'login'
option pammodule 'account'
option pamcontrol 'sufficient'
option type 'tacplus'
option servers '192.168.0.1:49|secret'
option args 'service=ppp'

config pam_auth
option enabled 'yes'
option pamservice 'login'
option pammodule 'session'
option pamcontrol 'sufficient'
option type 'tacplus'
option servers '192.168.0.1:49|secret'
option args 'service=ppp' 

Table7: Information table for TACACS authentication

6.11 SSH

SSH allows you to access remote machines over text-based shell sessions. SSH uses public key cryptography to create a secure connection. These connections allow you to issue commands remotely via a command line.

The router uses a package called Dropbear to configure the SSH server on the box. You can configure Dropbear via the web interface or through an SSH connection by editing the file stored on: /etc/config_name/dropbear.

6.11.1 Configuration packages used

6.11.2 SSH access using the web interface

In the top menu, click System -> Administration. The Administration page appears. Scroll down to the SSH Access section.

Figure 9: The SSH access section

Table 12: Information table for SSH access settings

6.12 Package dropbear using UCI

root@VA_router:~# uci show dropbear
dropbear.@dropbear[0]=dropbear
dropbear.@dropbear[0].PasswordAuth=on
dropbear.@dropbear[0].RootPasswordAuth=on
dropbear.@dropbear[0].GatewayPorts=0
dropbear.@dropbear[0].IdleTimeout=30
dropbear.@dropbear[0].Port=22
dropbear.@dropbear[0].MaxLoginAttempts=3
Package dropbear using package options 

root@VA_router:~# uci export dropbear
package dropbear
config dropbear'
option PasswordAuth 'on'
option RootPasswordAuth 'on'
option Port '22'
option GatewayPorts '0'
option IdleTimeout '30'
option MaxLoginAttempts '3' 

6.13 Certs and private keys

Certificates are used to prove ownership of a public key. They contain information about the key, its owner's ID, and the digital signature of an individual that has verified the content of the certificate.

In asymmetric cryptography, public keys are announced to the public, and a different private key is kept by the receiver. The public key is used to encrypt the message, and the private key is used to decrypt it.

To access certs and private keys, in the top menu, click System -> Administration. The Administration page appears. Scroll down to the Certs & Private Keys section.

Figure 10: The certificates & private keys section

This section allows you to upload any certificates and keys that you may have stored. There is support for IPSec, OpenVPN and VA certificates and keys.

If you have generated your own SSH public keys, you can input them in the SSH Keys section, for SSH public key authentication.

Figure 11: The SSH-keys box

6.14 Configuring a router's web server

The router's web server is configured in package uhttpd. This file defines the behaviour of the server and default values for certificates generated for SSL operation. uhttpd supports multiple instances, that is, multiple listen ports, each with its own document root and other features, as well as cgi and lua. There are two sections defined:

Main: this uHTTPd section contains general server settings.

Cert: this section defines the default values for SSL certificates.

6.14.1 Configuration packages used

To configure the router's HTTP server parameters, in the top menu, select Services -> HTTP Server. The HTTP Server page has two sections.

6.14.2 Main settings

Figure 12: HTTP server settings

Table 13: Information table for http server basic settings

6.14.3 HTTP server using UCI

Multiple sections of the type uhttpd may exist. The init script will launch one webserver instance per section.

A standard uhttpd configuration is shown below.

root@VA_router:~# uci show uhttpd
uhttpd.main=uhttpd
uhttpd.main.listen_http=0.0.0.0:80
uhttpd.main.listen_https=0.0.0.0:443
uhttpd.main.home=/www
uhttpd.main.rfc1918_filter=1
uhttpd.main.cert=/etc/uhttpd.crt
uhttpd.main.key=/etc/uhttpd.key
uhttpd.main.cgi_prefix=/cgi-bin
uhttpd.main.script_timeout=60
uhttpd.main.network_timeout=30
uhttpd.main.config=/etc/http.conf
HTTP server using package options
root@VA_router:~# uci export dropbear
config uhttpd 'main'
list listen_http '0.0.0.0:80'
list listen_https '0.0.0.0:443'
option home '/www'
option rfc1918_filter '1'
option cert '/etc/uhttpd.crt'
option key '/etc/uhttpd.key'
option cgi_prefix '/cgi-bin'
option script_timeout '60'
option network_timeout '30'
option config '/etc/http.conf' 

6.14.4 HTTPS server certificate settings

To configure HTTPS server certificate settings, in the top menu, select Services -> HTTP Server. Scroll down to the Certificate Settings section.

Figure 13: HTTP server certificate settings

Table 14: Information table for HTTP server certificate settings

6.14.5 HTTPS server using UCI

root@VA_router:~# uci show uhttpdpx5g
uhttpdpx5g=cert
uhttpdpx5g.days=3650
uhttpdpx5g.bits=1024
uhttpdpx5g.country=IE
uhttpdpx5g.state=Dublin
uhttpdpx5g.location=Dublin
uhttpdpx5g.commonname=00E0C8000000
HTTPS server using package options
root@VA_router:~# uci export uhttpd
package uhttpdconfig 'cert' 'px5g'
option 'days' '3650'
option 'bits' '1024'
option 'state' 'Dublin'
option 'location' 'Dublin'
option 'commonname' '00E0C8000000' 

6.15 Basic authentication (httpd conf)

For backward compatibility reasons, uhttpd uses the file /etc/httpd.conf to define authentication areas and the associated usernames and passwords. This configuration file is not in UCI format.

Authentication realms are defined in the format prefix:username:password with one entry and a line break.

Prefix is the URL part covered by the realm, for example, cgi-bin to request basic auth for any CGI program.

Username specifies the username a client has to login with.

Password defines the secret password required to authenticate.

The password can be either in plain text format, MD5 encoded or in the form \p\user where the user refers to an account in /etc/shadow or /etc/passwd.

If you use \p\... format, uhttpd will compare the client provided password against the one stored in the shadow or passwd database.

6.16 Securing uhttpd

By default, uhttpd binds to 0.0.0.0 which also includes the WAN port of your router. To bind uhttpd to the LAN port only you have to change the listen_http and listen_https options to your LAN IP address.

To get your current LAN IP address, enter:

uci get network.lan.ipaddr 

Then modify the configuration appropriately:

uci set uhttpd.main.listen_http='192.168.1.1:80'
uci set uhttpd.main.listen_https='192.168.1.1:443'
config 'uhttpd' 'main'
list listen_http 192.168.1.1:80
list listen_https 192.168.1.1:443 

6.17 Displaying custom information via login screen

The login screen, by default, shows the hostname of the router in addition to the username and password prompt. However, the router can be configured to show some other basic information if required using a UDS script.

Note: this can only be configured via the command line.

6.17.1 Configuration packages used

6.17.2 Configuring login screen custom information

The luci package option login_page_info_template is configured with the path to a UDS script that would render the required information on the right side of the login page.

The following example shows how to display serial number and mobile signal strength.

Note: this can only be configured via the command line.

Figure 14: Example login screen displaying serial and signal strength

6.17.2.1 Login screen custom information using UCI

root@VA_router:~# uci show luci
luci.main=core
luci.main.login_page_info_template=/tmp/uds/sysauth_template

root@VA_router:~# uci show uds
uds.sysauth_template=script
uds.sysauth_template.enabled=1
uds.sysauth_template.exec_type=none
uds.sysauth_template.fname=sysauth_template.htm
uds.sysauth_template.type=none
uds.sysauth_template.text=Serial: <%=pcdata(luci.version.serial)%><br/><%
local sig = luci.dispatcher.uci.cursor_state():get("mobile", "3g_1_1",
"sig_dbm") or -113 sig = tonumber(sig) local hue = (sig + 113) * 2 local
hue = math.min(math.max(hue, 0), 120) %> Signal strength: <h3
style="color:hsl(<%=hue%), 90%, 50%); display:inline;"><%=sig%></h3> dBm 

6.17.2.2 Login screen custom information using package options

root@VA_router:~# uci export luci
package luci
config core 'main'
    option login_page_info_template '/tmp/uds/sysauth_template'
root@VA_router:~# uci export uds
package uds
config script 'sysauth_template'
    option enabled '1'
    option exec_type 'none'
    option fname 'sysauth_template.htm'
    option type 'none'
    list text 'Serial: <%=pcdata(luci.version.serial) %><br/>
    list text '<% local sig = luci.dispatcher.uci.cursor_state():get("mobile", "3g_1_1", "sig_dbm") or -113'

list text 'sig = tonumber(sig)'
list text 'local hue = (sig + 113) * 2'
list text 'local hue = math.min(math.max(hue, 0), 120) %>'
list text 'Signal strength: <h3 style="color:hsl(<%=hue%), 90%, 50%); display:inline;"><%=sig%></h3> dBm 

7 Router file structure

This section describes the file structure and location of essential directories and files on Virtual Access routers.

Throughout this document, we use information tables to show the different ways to configure the router using the router's web interface and command line interface (CLI).

When showing examples of the command line interface we use the host name 'VA_router' to indicate the system prompt. For example, the table below displays what the user should see when entering the command to show the current configuration in use on the router:

root@VA_router:~# va_config.sh 

7.1 System information

General information about software and configuration used by the router is displayed on the Status page. To view the running configuration file status on the web interface, in the top menu, select Status -> Overview. This page also appears immediately after you have logged in.

Figure 15: Example of the status page

System information is also available from the CLI if you enter the following command:

The example below shows the output from the above command.

VA_SERIAL: 00E0C8121215
VA_MODEL: GW0000
VA_ACTIVEIMAGE: image2
VA_ACTIVECONFIG: config1
VA_IMAGE1VER: VIE-16.00.44
VA_IMAGE2VER: VIE-16.00.44 

7.2 Identify your software version

To check which software version your router is running, in the top menu, browse to Status -> Overview.

Status

Figure 16: The status page showing a software version prior to 72.002

Figure 17: The status page showing software version 72.002

In the Firmware Version row, the first two digits of the firmware version identify the hardware platform, for example LIS-15; while the remaining digits: .00.72.002, show the software version.

7.3 Image files

The system allows for two firmware image files:

• image1, and
• image2

Two firmware images are supported to enable the system to rollback to a previous firmware version if the upgrade of one image fails.

The image names (image1, image2) themselves are symbols that point to different partitions in the overall file system. A special image name “altimage” exists which always points to the image that is not running.

The firmware upgrade system always downloads firmware to "altimage".

7.4 Directory locations for UCI configuration files

Router configurations files are stored in folders on:

• /etc/factconf,
• /etc/config1, and
• /etc/config2

Multiple configuration files exist in each folder. Each configuration file contains configuration parameters for different areas of functionality in the system.

A symbolic link exists at /etc/config, which always points to one of factconf, config1 or config2 is the active configuration file.

Files that appear to be in /etc/config are actually in /etc/factconf|config1|config2 depending on which configuration is active.

If /etc/config is missing on start-up, for example on first boot, the links and directories are created with configuration files copied from /rom/etc/config/.

At any given time, only one of the configurations is the active configuration. The UCI system tool (Unified Configuration Interface) only acts upon the currently active configuration.

7.5 Viewing and changing current configuration

To show the configuration currently running, enter:

root@VA_router:~# va_config.sh 

To show the configuration to run after the next reboot, enter:

root@VA_router:~# va_config.sh next 

To set the configuration to run after the next reboot, enter:

root@VA_router:~# va_config.sh -s [factconf|config1|config2|altconfig] 

7.6 Configuration file syntax

The configuration files consist of sections – or packages - that contain one or more config statements. These optional statements define actual values.

Below is an example of a simple configuration file.

package 'example'
config 'example' 'test'
option 'string' 'some value'
option 'boolean' '1'
list 'collection' 'first item'
list 'collection' 'second item' 

The config 'example' 'test' statement defines the start of a section with the type example and the name test.

Table 1: Common commands, target and their descriptions

7.7 Managing configurations

7.7.1 Managing sets of configuration files using directory manipulation

Configurations can also be managed using directory manipulation.

To remove the contents of the current folder, enter:

root@VA_router:/etc/config1# rm -f * 

Warning: the above command makes irreversible changes.

To remove the contents of a specific folder regardless of the current folder (config2), enter:

root@VA_router:/ # rm -f /etc/config1/* 

Warning: the above command makes irreversible changes.

To copy the contents of one folder into another (config2 into config1), enter:

root@VA_router:/etc/config1# cp /etc/config2/* /etc/config1 

7.8 Exporting a configuration file

If you have software versions prior to 72.002, to export a configuration file using the web interface, go to section 7.8.1.

If you have software version 72.002 or above, export a configuration file using the web interface go to section 7.8.2.

To export a configuration file using CLI, for any software version, go to section 7.8.3.

7.8.1 Exporting a configuration file using the web interface for software versions pre- 72.002

The current running configuration file may be exported using the web interface.

In the top menu, select System > Backup/ Flash Firmware. The Flash operations page appears.

Figure 18: The flash operations page

In the Backup/Restore section, select Generate Archive.

7.8.2 Exporting a configuration file using the web interface for software version 72.002 and above

The current running configuration file may be exported using the web interface.

In the top menu, select System > Flash Operations. The Flash operations page appears.

Figure 19: The flash operations page

In the Flash Operation section, click the configuration file in the Contents column to download it.

7.8.3 Exporting a configuration file using UCI

You can view any configuration file segment using UCI.

To export the running configuration file, enter:

root@VA_router:~# uci export 

To export the factory configuration file, enter:

root@VA_router:~# uci -c /etc/factconf/ export 

To export config1 or config2 configuration file, enter:

root@VA_router:~# uci -c /etc/config1/ export
root@VA_router:~# uci -c /etc/config2/ export 

7.9 Importing a configuration file

If you have software versions prior to 72.002, to export a configuration file using the web interface, go to section 7.9.1.

If you have software version 72.002 or above, export a configuration file using the web interface go to section 7.9.2.

To export a configuration file using CLI, for any software version, go to section 7.9.3.

7.9.1 Importing a configuration file using the web interface for software versions pre- 72.002

You can import a configuration file to the alternate configuration segment using the web interface. This will automatically reboot the router into this configuration file.

In the top menu, select System > Backup/ Flash Firmware. The Flash operations page appears.

Figure 20: The flash operations page

Under Backup/Restore, choose Restore Backup: Choose file. Select the appropriate file and then click Upload archive.

Figure 21: The system – restoring...page

When the 'waiting for router' icon disappears, the upgrade is complete, and the login homepage appears.

7.9.2 Importing a configuration file using the web interface for software version 72.002 and above

You can import a configuration file to the alternate configuration segment using the web interface.

In the top menu, select System > Flash Operations. The Flash operations page appears.

Figure 22: The flash operations page

In the Operations column, click Upload new. Select the appropriate file.

Figure 23: The flash operations succeed upload configuration page

If you select 'Flash image and do not reboot', the router will only run this configuration if you click OK to return to the Flash Operations page. There you can manually select Made Active (after reboot). Then click Reboot Now in the 'Reboot using Active Configuration' section.

7.9.3 Importing a configuration file using UCI

You can import a configuration file to any file segment using UCI.

To import to config1, enter:

root@VA_router:~# uci -c /etc/config1/ import
<paste in config file>
<CTRL-D> 

Note: it is very important that the config file is in the correct format otherwise it will not import correctly.

8 Using the Command Line Interface

This chapter explains how to view Virtual Access routers' log files and edit configuration files using a Command Line Interface (CLI) and the Unified Configuration Interface (UCI) system. Some commands may vary between router models.

8.1 Overview of some common commands

Virtual Access routers' system has an SSH server typically running on port 22.

The factconf default password for the root user is admin.

To change the factconf default password, enter:

root@VA_router:/# uci set system.main.password="*******"
root@VA_router:/# uci commit system 

To reboot the system, enter:

The system provides a Unix-like command line. Common Unix commands are available such as ls, cd, cat, top, grep, tail, head, more and less.

Typical pipe and redirect operators are also available, such as: >, >>, <, |

The system log can be viewed using any of the following commands:

root@VA_router:/# logread
root@VA_router:/# logread | tail
root@VA_router:/# logread -f 

These commands will show the full log, end of the log (tail) and continuously (-f). Enter Ctrl-C to stop the continuous output from logread -f.

To view and edit configuration files, the system uses the Unified Configuration Interface (UCI) which is described further on in this chapter. This is the preferred method of editing configuration files. However, you can also view and edit these files using some of the standard Unix tools.

For example, to view a text or configuration file in the system, enter:

root@VA_router:/# cat /etc/passwd 

The command output information shows the following, or similar output.

root:x:0:0:root:/root:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
sftp:*:56:56:sftp:/var:/usr/lib/sftp-server
network:*:101:101:network:/var:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false

To view files in the current folder, enter:

root@VA_router:/# ls
bin etc lib opt sbin usr
bkrepos home linuxrc proc sys var
dev init mnt root tmp www 

For more details add the -l argument:

root@VA_router:/# ls -l
drwxrwxr-x 2 root root 642 Jul 16 2012 bin
drwxr-xr-x 5 root root 1020 Jul 4 01:27 dev
drwxrwxr-x 1 root root 0 Jul 3 18:41 etc
drwxr-xr-x 1 root root 0 Jul 9 2012 lib
drwxr-xr-x 2 root root 3 Jul 16 2012 mnt
drwxr-xr-x 7 root root 0 Jan 1 1970 overlay
dr-xr-xr-x 58 root root 0 Jan 1 1970 proc
drwxr-xr-x 16 root root 223 Jul 16 2012 rom
drwxr-xr-x 1 root root 0 Jul 3 22:53 root
drwxrwxr-x 2 root root 612 Jul 16 2012 sbin
drwxr-xr-x 11 root root 0 Jan 1 1970 sys
drwxrwxrwt 10 root root 300 Jul 4 01:27 tmp
drwxr-xr-x 1 root root 0 Jul 3 11:37 usr
lrwxrwxrwx 1 root root 4 Jul 16 2012 var -> /tmp
drwxr-xr-x 4 root root 67 Jul 16 2012 www 

To change the current folder, enter cd followed by the desired path:

root@VA_router:/# cd /etc/config1
root@VA_router:/etc/config1# 

Note: if the specified directory is actually a link to a directory, the real directory will be shown in the prompt.

To view scheduled jobs, enter:

root@VA_router:/# crontab -l
0 * * * * slaupload 00FF5FF92752 TFTP 1 172.16.250.100 69 

To view currently running processes, enter:

root@VA_router:/# ps
PID Uid VmSize Stat Command
1 root 356 S init
2 root DW [keventd]
3 root RWN [ksoftirqd_CPU0]
4 root SW [kswapd]
5 root SW [bdflush]
6 root SW [kupdated]
8 root SW [mtdblockd]
89 root 344 S logger -s -p 6 -t
92 root 356 S init
93 root 348 S syslogd -C 16
94 root 300 S klogd
424 root 320 S wifi up
549 root 364 S httpd -p 80 -h /www -r VA_router
563 root 336 S crond -c /etc/crontabs
6712 root 392 S /usr/sbin/dropbear
6824 root 588 S /usr/sbin/dropbear
7296 root 444 S -ash
374 root 344 R ps ax
375 root 400 S /bin/sh /sbin/hotplug button
384 root 396 R /bin/sh /sbin/hotplug button
385 root RW [keventd] 

To search for a process, enter: pgrep -fl '':

root@VA_router:/# pgrep -fl 'wifi'
424 root 320 S wifi up 

To kill a process, enter the PID:

8.2 Using Unified Configuration Interface (UCI)

The system uses Unified Configuration Interface (UCI) for central configuration management. Most common and useful configuration settings can be accessed and configured using the UCI system.

UCI consists of a Command Line Utility (CLI), the files containing the actual configuration data, and scripts that take the configuration data and apply it to the proper parts of the system, such as the networking interfaces. Entering the command 'uci' on its own will display the list of valid arguments for the command and their format.

root@VA_router:/lib/config# uci 

Usage: uci [] []

Commands:
export    [<config>]
import    [<config>]
changes    [<config>]
commit    [<config>]
add    <config> <section-type>
add_list    <config>.<section>.<option>=<string>
show    [<config>[.<section>[.<option>]]]
get    <config>.<section>[.<option>]
set    <config>.<section>[.<option>]=<value>
delete    <config>[.<section[.<option>]]
rename    <config>.<section>[.<option>]=<name>
revert    <config>[.<section>[<option>]]
Options:
-c <path> set the search path for config files (default: /etc/config)
-d <str> set the delimiter for list values in uci show
-f <file> use <file> as input instead of stdin
-m when importing, merge data into an existing package 

-n name unnamed sections on export (default)
-N don't name unnamed sections
-p <path> add a search path for config change files
-P <path> add a search path for config change files and use as default
-q quiet mode (don't print error messages)
-s force strict mode (stop on parser errors, default)
-S disable strict mode
-X do not use extended syntax on 'show' 

The table below describes commands for the UCI command line and some further examples of how to use this utility.

Table 15: Common commands, target and their descriptions

Note: all operations do not act directly on the configuration files. A commit command is required after you have finished your configuration.

root@VA_router:~# uci commit 

8.2.1 Using uci commit to avoid router reboot

After changing the port, uhttpd listens on from 80 to 8080 in the file /etc/config/uhttpd; save it, then enter:

root@VA_router:~# uci commit uhttpd 

Then enter:

root@VA_router:~# /etc/init.d/uhttpd restart 

For this example, the router does not need to reboot as the changes take effect when the specified process is restarted.

8.2.2 Export a configuration

Using the uci export command it is possible to view the entire configuration of the router or a specific package. Using this method to view configurations does not show comments that are present in the configuration file:

root@VA_router:~# uci export httpd
package 'httpd'
config 'httpd'
option 'port' '80'
option 'home' '/www' 

8.2.3 Show a configuration tree

The configuration tree format displays the full path to each option. This path can then be used to edit a specific option using the uci set command.

To show the configuration 'tree' for a given config, enter:

root@VA_router:/# uci show network
network.loopback=interface
network.loopback.ifname=lo
network.loopback.proto=static
network.loopback.ipaddr=127.0.0.1
network.loopback.netmask=255.0.0.0
network.lan=interface
network.lan.ifname=eth0
network.lan.proto=dhcp
network.wan=interface
network.wan.username=foo 

network.wan.password=bar
network.wan.proto=3g
network.wan.device=/dev/ttyACM0
network.wan.service=umts
network.wan.auto=0
network.wan.apn=arkessa.com
network.@va_switch[0]=va_switch
network.@va_switch[0].eth0=A B C
network.@va_switch[0].eth1=D 

It is also possible to display a limited subset of a configuration:

root@VA_router:/# uci show network.wan
network.wan=interface
network.wan.username=foo
network.wan.password=bar
network.wan.proto=3g
network.wan.device=/dev/ttyACM0
network.wan.service=umts
network.wan.auto=0
network.wan.apn=hs.vodafone.ie 

8.2.4 Display just the value of an option

To display a specific value of an individual option within a package, enter:

root@VA_router:~# uci get httpd.@httpd[0].port
80
root@VA_router:~# 

8.2.5 High level image commands

To show the image running currently, enter:

root@VA_router:~# vacmd show current image 

To set the image to run on next reboot, enter:

root@VA_router:~# vacmd set next image [image1|image2|altimage]
root@VA_router:~# reboot 

8.2.6 Format of multiple rules

When there are multiple rules next to each other, UCI uses array-like references for them. For example, if there are 8 NTP servers, UCI will let you reference their sections as timeserver.@timeserver[0] for the first section; or timeserver.@timeserver[7] for the last section.

You can also use negative indexes, such as timeserver.@timeserver[-1] '-1' means the last one, and '-2' means the second-to-last one. This is useful when appending new rules to the end of a list.

root@VA_router:/# uci show va_eventd
va_eventd.main=va_eventd
va_eventd.main.enabled=yes
va_eventd.main.event_queue_file=/tmp/event_buffer
va_eventd.main.event_queue_size=128K
va_eventd.@conn_tester[0]=conn_tester
va_eventd.@conn_tester[0].name=Pinger
va_eventd.@conn_tester[0].enabled=yes
va_eventd.@conn_tester[0].type=ping
va_eventd.@conn_tester[0].ping_dest_addr=192.168.250.100
va_eventd.@conn_tester[0].ping_success_duration_sec=5
va_eventd.@target[0]=target
va_eventd.@target[0].name=MonitorSyslog
va_eventd.@target[0].enabled=yes
va_eventd.@target[0].type=syslog
va_eventd.@target[0].target_addr=192.168.250.100
va_eventd.@target[0].conn_tester=Pinger
va_eventd.@target[0].suppress_duplicate_forwardings=no
va_eventd.@forwarding[0]=forwarding
va_eventd.@forwarding[0].enabled=yes
va_eventd.@forwarding[0].className=ethernet
va_eventd.@forwarding[0].target=MonitorSyslog
va_eventd.@forwarding[1]=forwarding
va_eventd.@forwarding[1].enabled=yes
va_eventd.@forwarding[1].className=auth
va_eventd.@forwarding[1].target=MonitorSyslog
va_eventd.@forwarding[2]=forwarding
va_eventd.@forwarding[2].enabled=yes
va_eventd.@forwarding[2].className=ads1 

va_eventd.@forwarding[2].target=MonitorSyslog
va_eventd.@forwarding[3]=forwarding
va_eventd.@forwarding[3].enabled=yes
va_eventd.@forwarding[3].className=ppp
va_eventd.@forwarding[3].target=MonitorSyslog 

8.3 Configuration files

The table below lists common package configuration files that can be edited using uci commands. Other configuration files may also be present depending on the specific options available on the Virtual Access router.

8.4 Configuration file syntax

The configuration files usually consist of one or more config statements, so-called sections with one or more option statements defining the actual values.

Below is an example of a simple configuration file.

package 'example'
config 'example' 'test'
option 'string' 'some value'
option 'boolean' '1'
list 'collection' 'first item'
list 'collection' 'second item' 

The config 'example' 'test' statement defines the start of a section with the type example and the name test. There can also be so-called anonymous sections with only a type, but no name identifier. The type is important for the processing programs to decide how to treat the enclosed options.

The option 'string' 'some value' and option 'boolean' '1' lines define simple values within the section.

Note: there are no syntactical differences between text and boolean options. Per convention, boolean options may have one of the values '0', 'no', 'off' or 'false' to specify a false value or '1', 'yes', 'on' or 'true' to specify a true value.

In the lines starting with a list keyword, an option with multiple values is defined. All list statements that share the same name collection in our example will be combined into a single list of values with the same order as in the configuration file.

The indentation of the option and list statements is a convention to improve the readability of the configuration file but it is not syntactically required.

Usually you do not need to enclose identifiers or values in quotes. Quotes are only required if the enclosed value contains spaces or tabs. Also it is legal to use double-quotes instead of single-quotes when typing configuration options.

All of the examples below are valid syntax.

option example value
option 'example' value
option example "value"
option "example" 'value'
option 'example' "value" 

In contrast, the following examples are not valid syntax.

option 'example" "value' 

Quotes are unbalanced.

option example some value with space 

Missing quotes around the value.

It is important to note that identifiers and config file names may only contain the characters a-z, A-Z, 0-9 and _. However, option values may contain any character, as long they are properly quoted.

9 Upgrading router firmware

This chapter describes how to upgrade router firmware. The upgrade process is as follows:

• Firmware is transferred to the device.
• Firmware is checked to ensure there are no corruptions.
• Firmware is saved to persistent storage.
  • Data in persistent storage is validated.

To avoid any unrecoverable errors during the process, you must follow several safety steps described in this chapter.

On successful completion of the process, you can restart the device running the new firmware.

9.1 Software versions

If you have software versions prior to 72.002, to upgrade firmware using the web interface, go to section 9.1.2.

If you have software version 72.002 or above, to upgrade firmware using the web interface go to section 9.1.3.

To upgrade firmware using CLI, for any software version, go to section 9.1.4.

9.1.1 Identify your software version

To check which software version your router is running, in the top menu, browse to Status -> Overview.

Figure 24: The status page showing a software version prior to 72.002

Figure 25: The status page showing software version 72.002

In the Firmware Version row, the first two digits of the firmware version identify the hardware platform, for example LIS-15; while the remaining digits: .00.72.002, show the software version.

9.1.2 Upgrading router firmware for software versions pre-72.002

Copy the new firmware issued by Virtual Access to a PC connected to the router.

In the top menu, select System tab -> Backup/ Flash Firmware. The Flash operations page appears.

Figure 26: The flash operations page

Under Flash new firmware image, click Choose File or Browse.

Note: the button will vary depending on the browser you are using.

Select the appropriate image and then click Flash Image. The Flash Firmware – Verify page appears.

Figure 27: The flash firmware - verify page

Click Proceed. The System – Flashing... page appears.

Figure 28: The system – flashing...page
When the 'waiting for router' icon disappears, the upgrade is complete, and the login homepage appears.

To verify that the router has been upgraded successfully, click Status in the top menu. The Firmware Version shows in the system list.

Figure 29: The system status list

9.1.3 Upgrading router firmware for software version 72.002 and above

Copy the new firmware issued by Virtual Access to a PC connected to the router.

In the top menu, select System tab > Flash operations. The Flash operations page appears.

Figure 30: The flash operations page

Under Flash Operations, click Flash Image. Only the inactive image is available to flash. Select the appropriate image and then wait until image has loaded.

Note: this process may take a while depending on the available connection speed. When the image has loaded, the Update Firmware page appears.

Figure 31: The flash firmware - verify page

Click either: Flash image and do not reboot, or Flash image and reboot using new image immediately. The 'Firmware update is being applied' message appears.

When the firmware update is complete, the Update Firmware page appears. There are various messages, depending on which option you selected, or if any corruptions have occurred.

9.1.4 Flash image and do not reboot option

Figure 32: The firmware update page after '...do not reboot' option selected

If you select 'Flash image and do not reboot', the router will only run the firmware if you click OK to return to the Flash Operations page. There you can manually select Made Active (after reboot). Then click Reboot Now in the 'Reboot using Active Configuration' section.

9.1.5 Update flash image and reboot using new image immediately option

Figure 33: The firmware update page after 'update flash image and reboot...' option selected

If you select 'Update flash image and reboot using new image immediately' and the overall validation and flashing process has succeeded, the router will reboot immediately. To regain access to the router you must login again. If any part of the processes encounters an error the reboot does not occur and a report is given.

9.1.6 Possible file corruption

Figure 34: The firmware update failure page
In the unfortunate event that the firmware upgrade fails, the 'Failed verification File is most likely corrupt' or similar message will appear in the Verify file integrity row. No changes will be made to the system and the general message File verification failed appears.

9.1.7 Verify the firmware has been upgraded successfully

To check the firmware version, in the top menu, browse to System -> Flash Operations, or after router reboots, in the top menu, click Status. The Firmware Version shows in the system list and also in the right top corner of the menu bar.

Figure 35: The system status list showing current firmware version

9.2 Upgrading firmware using CLI

9.2.1 Transfer file to router

To upgrade firmware using CLI, you will need a TFTP server on a connected PC or SCP available.

Open up an SSH or Telnet session to the router.

Enter in the relevant username and password.

To access the temp folder, enter cd / tmp

Depending on the router's software version the following TFTP clients are available:

• atftp
• curl

To determine which is available on your router, enter:

which curl || which atftp 

The output shows the available application:

/usr/bin/curl 

ATFTP

Inline command usage:

atftp -g -r LIS-15.00.72.002.image -l /tmp/LIS-15.00.72.002.image x.x.x.x

where x.x.x.x is the IP address of your PC, -g is get operation and -l / -r are local and remote file name to store.

CURL

Inline command usage:

curl tftp://x.x.x.x/LIS-15.00.72.002.image -o /tmp/LIS-15.00.72.002.image

where x.x.x.x is the IP of your PC, -o is local file name to store.

SCP

Secure Copy (SCP) is a part of Secure Shell (SSH) and enables file transfers to the router using authentication and encryption. It is different to TFTP, which uses UDP, while SCP uses a TCP connection. On Unix machines, SCP is a standard part of the system; on Windows it requires an additional application.

The usage example below is for a Unix machine and therefore assumes the image file is in the current folder.

scp LIS-15.00.72.002.image root@x.x.x.x:/tmp/LIS-15.00.72.002.image 

Where the first argument 'LIS-15.00.72.002.image' in SCP is the source and the second argument 'tmp/LIS-15.00.72.002.image' is the destination path, enter root as the username to connect to x.x.x.x IP address.

After you execute the above command you will be asked to provide a root password.

At this stage the output shows the process of copying the software file into destination directory.

root@192.168.100.1's password:
LIS-15.00.72.000.image 100% 6812KB 2.2MB/s 00:03 

9.2.1.1 Image verification before flashing

To verify the integrity of the image, firmware version xx.yy.72.002 and later uses an image-check application.

Note: it is the user's responsibility to verify the image before starting to write the image to flash process.

To use the image-check on downloaded image, enter:

image-check /tmp/LIS-15.00.72.002.image 

In the case of any image corruption, an appropriate error message appears:

Error: no SquashFS filesystem after CRC'd section - data length 3
Error: read failed, expected at least 3 more bytes 

or similar.

Note: the image is valid only if no error message appears. This process is done automatically during Web UI firmware update.

Flashing

When downloaded firmware verification succeeds, the new image can be written to flash.

To write the image into the alternative image, enter:

mtd write LIS-15.00.72.002.image altimage 

Note: this is an example, substitute the correct file name.

9.2.1.2 Flash verification after flashing

After the write process has finished, you must complete a post verification of the firmware.

To verify the checksum of downloaded firmware, enter:

va_image_csum.sh /tmp/LIS-15.00.72.002.image 

The checksum of the downloaded binary is shown:

08761cd03e33c569873bcc24cf2b7389 7006920 LIS-15.00.72.002 This MD5 

To verify the checksum of written firmware, enter:

va_image_csum.sh alt 

After a while the checksum will be calculated:

Calculating checksum...... 

08761cd03e33c569873bcc24cf2b7389 7006920 LIS-15.00.72.002 This MD5 

Verify and compare the checksum with the MD5 sum of the downloaded image.

If the checksum of the written firmware in altimage matches the one from the downloaded image in /tmp, the new firmware has been programmed successfully.

9.2.1.3 Setup an alternative image

Provided the programming has succeeded, you can set it as the next image to use after reboot; enter:

vacmd set next image altimage 

To reboot using the new firmware, enter:

reboot 

10 System settings

The system section contains settings that apply to the most basic operation of the system, such as the host name, time zone, logging details, NTP server, language and style.

The host name appears in the top left hand corner of the interface menu. It also appears when you open a Telnet or SSH session.

Note: this document shows no host name in screen grabs. Throughout the document we use the host name 'VA_router'.

The system configuration contains a logging section for the configuration of a Syslog client.

10.1 Configuration package used

10.2 Configuring system properties

To set your system properties, in the top menu, click System. There are four sections in the System page.

10.2.1 General settings

Figure 36: General settings in system properties

Table 16: Information table for general settings section

10.2.2 Logging

Figure 37: The logging section in system properties

Table 17: Information table for the logging section

10.2.3 Language and style

Figure 38: The language and style section in system properties

Table 18: Information table for the language and style page

10.2.4 Time synchronization

The router time must be synchronised using NTP. The router can act as both an NTP client and an NTP server. It is enabled as an NTP client by default and individual interfaces can be configured to respond to NTP requests.

Figure 39: The time synchronization section in system properties

Table 19: Information table for time synchronization section

10.2.5 System reboot

The router can be configured to reboot immediately, or scheduled to reboot a configured time in the future.

In the top menu, select System -> Reboot. The System page appears.

Ensure you have saved all your configuration changes before you reboot.

Figure 40: The reboot page

Check the Reboot now check box and then click Reboot.

10.3 System settings using UCI

root@VA_router:~# uci show system
system.main=system
system.main.hostname=VA_router
system.main.timezone=UTC
system.main.log_ip=1.1.1.1
system.main.log_port=514
system.main.conloglevel=8
system.main.cronloglevel=8
system.ntp.interval_hours=auto
system.ntp.server=0.VA_router.pool.ntp.org 10.10.10.10
System settings using package options
root@VA_router:~# uci export system
package 'system'

config 'system' 'main'
option 'hostname' "VA_router"
option 'timezone' "UTC" 

option 'log_ip' "1.1.1.1"
option 'log_port' "514"
option time_save_interval_min "10"
option conloglevel '8'
option cronloglevel '8'

config 'timeserver' 'ntp'
option interval_hours 'auto'
list server "0.VA_router.pool.ntp.org"
list server '10.10.10.10'
option listen 'LAN1 LAN2' 

10.4 System diagnostics

10.4.1 System events

Events in the system have a class, sub class and severity. All events are written to the system log.

10.4.1.1 Logread

To view the system log, enter:

root@VA_router:~# logread 

Shows the log.

root@VA_router:~# logread | tail 

Shows end of the log.

root@VA_router:~# logread | more 

Shows the log page by page.

root@VA_router:~# logread -f 

Shows the log on an ongoing basis. To stop this option, press ctrl-c.

root@VA_router:~# logread -f & 

Shows the log on an ongoing basis while in the background. This allows you to run other commands while still tracing the event logs. To stop this option, type fg to view the current jobs, then press ctrl-c to kill those jobs.

10.4.2 System events in flash

Since logread is only small in size it can be beneficial to write system events to flash. To do this you need to modify the system config under the system package. Set the options 'log_file', 'log_size' and 'log_type' as below:

root@VA_router:~# uci export system
package system
config system 'main'
option hostname 'VA_router'
option zonename 'UTC'
option timezone 'GMT0'
option conloglevel '8'
option cronloglevel '8'
option time_save_interval_hour '10'
option log_hostname '%serial'
option log_ip '1.1.1.1'
option log_port '514'
option log_file '/root/syslog.messages'
option log_size '400'
option log_type 'file' 

The above commands will take effect after a reboot.

root@VA_router:~# cat /root/syslog.messages 

Shows all the system events stored in flash.

root@VA_router:~# tail /root/syslog.messages 

Shows end of the events stored flash.

root@VA_router:~# tail -f /root/syslog.messages & 

Shows the log on an ongoing basis. To stop this option, press ctrl-c.

11 Configuring an Ethernet interface

This section describes how to configure an Ethernet interface including configuring the interface as a DHCP server, adding the interface to a firewall zone, mapping the physical switch ports and defining loopback interface.

11.1 Configuration packages used

11.2 Configuring an Ethernet interface using the web interface

To create and edit interfaces via the web interface, in the top menu, click Network -> Interfaces. The Interfaces overview page appears.

Figure 41: The interfaces overview page

There are three sections in the Interfaces page.

11.2.1 Interface overview: editing an existing interface

To edit an existing interface, from the interface tabs at the top of the page, select the interface you wish to configure. Alternatively, click Edit in the interface's row.

11.2.2 Interface overview: creating a new interface

To create a new interface, in the Interface Overview section, click Add new interface. The Create Interface page appears.

Figure 42: The create interface page

Table 20: Information table for the create new interface page

Click Submit. The Interface configuration page appears. There are three sections:

11.2.3 Interface overview: common configuration

The common configuration section has four sub sections:

11.2.3.1 Common configuration – general setup

Figure 43: The Ethernet connection common configuration settings page

Table 21: Information table for LAN interface common configuration settings

11.2.3.2 Common configuration: advanced settings

Figure 44: The Ethernet connection advanced settings page

Table 22: Information table for common configuration advanced settings

11.2.3.3 Common configuration: physical settings

Figure 45: The common configuration physical settings page

Table 23: Information table for physical settings page

11.2.3.4 Loopback interfaces

Loopback interfaces are defined in exactly the same way as Ethernet interfaces. Please see section above.

Note: There is no software limitation as to how many loopback interfaces can exist on the router.

11.2.3.5 Common configuration: firewall settings

Use this section to select the firewall zone you want to assign to this interface.

Select unspecified to remove the interface from the associated zone or fill out the create field to define a new zone and attach the interface to it.

Figure 46: GRE firewall settings

11.2.4 Interface overview: IP-aliases

IP aliasing means associating more than one IP address to a network interface. You can assign multiple aliases.

11.2.4.1 IP-alias packages

11.2.4.2 IP-alias using the web

To use IP-aliases, enter a name for the alias and click Add. This name will be assigned to the alias section for this IP-alias. In this example, we use the name 'ethalias1'.

Figure 47: The IP-Aliases section

Table 24: Information table for IP-Aliases name assignment

The IP Aliases configuration options page appears. The IP-Alias is divided into two sub sections: general setup and advanced.

11.2.4.3 IP-aliases: general setup

Figure 48: The IP-Aliases general setup section

Table 25: Information table for IP-Alias general setup page

11.2.4.4 IP-aliases: advanced settings

Figure 49: The IP-Aliases advanced settings section

Table 26: Information table for IP-Alias advanced settings page

11.2.5 Interface overview: DHCP server

Note: this option is only available for interfaces with a static IP address.

11.2.5.1 DHCP server: packages

To assign a DHCP Server to the interface, click Setup DHCP Server.

Figure 50: The DHCP Server settings section

The DHCP Server configuration options will appear. The DHCP Server is divided into two sub sections – general setup and advanced.

11.2.5.2 DHCP server: general setup

Figure 51: The DHCP server general setup section

Table 27: Information table for DHCP server general setup page

11.2.5.3 DHCP server: advanced settings

Figure 52: The DHCP server advanced settings section

Table 28: Information table for DHCP advanced settings page

For more advanced configuration on the DHCP server, read 'DHCP server and DNS configuration section.

11.3 Interface configuration using UCI

The configuration files are stored on /etc/config/network, /etc/config/firewall and /etc/config/dhcp

root@VA_router:~# uci show network
.....
network.newinterface=interface
network.newinterface.proto=static
network.newinterface.ifname=eth0
network.newinterface.montored=0
network.newinterface.ipaddr=2.2.2.2
network.newinterface.netmask=255.255.255.0
network.newinterface.gateway=2.2.2.10
network.newinterface.broadcast=2.2.2.255
network.newinterface.vlan_qos_map_ingress=1:2 2:1
network.ethalias1=alias
network.ethalias1.proto=static
network.ethalias1.interface=newinterface
network.ethalias1.ipaddr=10.10.10.1
network.ethalias1.netmask=255.255.255.0 

network.ethalias1.gateway=10.10.10.10
network.ethalias1.bcast=10.10.10.255
network.ethalias1.dns=8.8.8.8

root@VA_router:~# uci show firewall
....firewall.@zone[0]=zone
firewall.@zone[0].name=lan
firewall.@zone[0].input=ACCEPT
firewall.@zone[0].output=ACCEPT
firewall.@zone[0].forward=ACCEPT
firewall.@zone[0].network=lan newinterface

root@VA_router:~# uci show dhcp
...
dhcp.@dhcp[0]=dhcp
dhcp.@dhcp[0].start=100
root@VA_router:~# uci show firewall
dhcp.@dhcp[0].leasetime=12h
dhcp.@dhcp[0].limit=150
dhcp.@dhcp[0].interface=newinterface 

To change any of the above values use uci set command.

11.3.1 Interface common configuration using package options

The configuration files are stored on /etc/config/network, /etc/config/firewall and /etc/config/dhcp

root@VA_router:~# uci export network
package network
......
config interface 'newinterface'
option proto 'static'
option ifname 'eth0'
option monitored '0'
option ipaddr '2.2.2.2'
option netmask '255.255.255.0'
option gateway '2.2.2.10'
option broadcast '2.2.2.255'
list vlan_qos_map_ingress '1:2' 

list vlan_qos_map_ingress '2:1'
config alias 'ethalias1'
option proto 'static'
option interface 'newinterface'
option ipaddr '10.10.10.1'
option netmask '255.255.255.0'
option gateway '10.10.10.10'
option bcast '10.10.10.255'
option dns '8.8.8.8'

root@VA_router:~# uci export firewall
package firewall

config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan newinterface'

root@VA_router:~# uci export dhcp
package dhcp

......

config dhcp
option start '100'
option leasetime '12h'
option limit '150'
option interface 'newinterface' 

To change any of the above values use uci set command.

11.3.2 Loopback interfaces

Loopback interfaces are defined in exactly the same way as Ethernet interfaces. Read the section above.

Note: There is no software limitation as to how many loopback interfaces can exist on the router.

An example showing a partial uci export of a loopback interface configuration is shown below.

root@VA_router:~# uci export network
...
config interface 'loopback'
option proto 'static'
option ifname 'lo'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0' 

11.4 Configuring port maps

11.5 Port map packages

11.5.1 Configuring port map using the web interface

The new logical Ethernet interface needs to be mapped to a physical switch port. To configure the Ethernet switch physical port to logical interface mappings, go to the Port Map section at Network->Interfaces.

Figure 53: The Interface port map section

Table 29: Information table for interface port map page

11.5.2 Configuring port maps using UCI

The configuration files are stored on /etc/config/network

root@VA_router:~# uci show network
......
network.@va_switch[0]=va_switch
network.@va_switch[0].eth0=A
network.@va_switch[0].eth1=B
network.@va_switch[0].eth2=C
network.@va_switch[0].eth3=D 

To change any of the above values use uci set command.

11.5.3 Configuring port map using package options

The configuration files are stored on /etc/config/network

root@VA_router:~# uci export network
...
config va_switch
option eth0 'A'
option eth1 'B'
option eth2 'C'
option eth3 'D' 

To change any of the above values use uci set command.

11.5.4 ATM bridges

The ATM bridges section is not used when configuring an Ethernet interface.

11.6 Interface diagnostics

11.6.1 Interfaces status

To show the current running interfaces, enter:

root@VA_router:~# ifconfig
3g-CDMA Link encap:Point-to-Point Protocol
inet addr:10.33.152.100 P-t-P:178.72.0.237 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1400 Metric:1
RX packets:6 errors:0 dropped:0 overruns:0 frame:0
TX packets:23 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:428 (428.0 B) TX bytes:2986 (2.9 KiB)
eth0 Link encap:Ethernet HWaddr 00:E0:C8:12:12:15
inet addr:192.168.100.1 Bcast:192.168.100.255
Mask:255.255.255.0
inet6 addr: fe80::2e0:c8ff:fe12:1215/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6645 errors:0 dropped:0 overruns:0 frame:0
TX packets:523 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:569453 (556.1 KiB) TX bytes:77306 (75.4 KiB) 

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:385585 errors:0 dropped:0 overruns:0 frame:0
TX packets:385585 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:43205140 (41.2 MiB) TX bytes:43205140 (41.2 MiB) 

To display a specific interface, enter:

root@VA_router:~# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:E0:C8:12:12:15
inet addr:192.168.100.1 Bcast:192.168.100.255
Mask:255.255.255.0
inet6 addr: fe80::2e0:c8ff:fe12:1215/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:7710 errors:0 dropped:0 overruns:0 frame:0
TX packets:535 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:647933 (632.7 KiB) TX bytes:80978 (79.0 KiB) 

11.6.2 ARP table status

To show the current ARP table of the router, enter:

root@GW7314:~# arp
? (10.67.253.141) at 30:30:41:30:43:36 [ether] on eth8
? (10.47.48.1) at 0a:44:b2:06 [ether] on gre-grel 

11.6.3 Route status

To show the current routing status, enter:

root@VA_router:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.100.0 * 255.255.255.0 U 0 0 0 eth0 

Note: a route will only be displayed in the routing table when the interface is up.

12 Configuring VLAN

12.1 Maximum number of VLANs supported

Virtual Access' routers support up to 4095 VLANs.

12.2 Configuration package used

12.3 Configuring VLAN using the web interface

12.3.1 Create a VLAN interface

To configure VLAN using the web interface, in the top menu, select Network - > Interfaces.

Click Add new interface. The Create Interface page appears.

Figure 54: The create interface page

Table 30: Information table for the create interface page

Click Submit. The Interfaces page for VLAN1 appears.

12.3.2 General setup: VLAN

Figure 55: The VLAN 1 interface page

Table 31: Information table for VLAN general settings

12.3.3 Firewall settings: VLAN

Use this section to select the firewall zone you want to assign to the VLAN interface.

Select unspecified to remove the interface from the associated zone or fill out the create field to define a new zone and attach the interface to it.

Figure 56: Firewall settings page

When you have added all the VLAN interfaces you require, click Save & Apply.

12.4 Viewing VLAN interface settings

To view the new VLAN interface settings, in the top menu, select Network -> Interfaces. The Interfaces Overview page appears.

The example below shows two VLAN interfaces configured.

Figure 57: The interface overview page showing two VLAN interfaces

12.5 Configuring VLAN using the UCI interface

You can configure VLANs through CLI. The VLAN configuration file is stored on: /etc/config/network

<h1 id="uci-export-network">uci export network</h1>
package network
config interface 'vlan100'
option proto 'static'
option ifname 'eth0.100'
option monitored '0'
option ipaddr '192.168.100.1'
option netmask '255.255.255.0'
option gateway '192.168.100.10'
option broadcast '192.168.100.255'
option dns '8.8.8.8' 

Modify these settings by running uci set command.

When specifying the ifname ensure that it is written in dotted mode, that is, eth1.100 where eth1 is the physical interface assigned to VLAN tag 100.

Note: VLAN1 is, by default the native VLAN and will not be tagged.

13 Configuring ignition sense

In automotive applications, the ignition sense input can detect when the vehicle's ignition has been enabled. This allows the router to remain powered on after the vehicle has stopped. The time delay between ignition off and power down is configurable.

Routers for ignition sense applications are supplied with a power lead with 3 connectors for 12V permanent, 12V switched (ignition sense) and ground.

13.1 Configuration packages used

13.2 Configuring vapowermond using the web interface

You can configure the Vapowermond package using the web interface. In the top menu, click Services -> Power Monitor. The basic settings page appears.

Figure 58: Power monitor basic settings page

13.2.1 Power monitor basic settings

Table 32: Information table for power monitor basic settings

13.2.2 Power monitor advanced settings

Click the Advance tab to access advanced settings.

Figure 59: Power monitor advanced settings page

Table 33: Information table for power monitor advanced settings

13.3 Configuring vapowermond using the command line

13.3.1 UCI

root@VA_router:~# uci show vapowermond
vapowermond.main=vapowermond
vapowermond.main.enabled=1
vapowermond.main.timeout=30
vapowermond.main.voltage_sense_scripts_enable=0
vapowermond.main.voltage_on_script=/usr/bin/powermon_voltage_on.sh
vapowermond.main.voltage_off_script=/usr/bin/powermon_voltage_off.sh
vapowermond.main.voltage_msg=powermon
vapowermond.main.log_severity=5 

13.3.2 Package options

root@VA_router:~# uci export vapowermond
package vapowermond

config vapowermond 'main'
    option enabled '1'
    option timeout '30'
    option voltage_sense_scripts_enable '0'
    option voltage_on_script '/usr/bin/powermon_voltage_on.sh'
    option voltage_off_script '/usr/bin/powermon_voltage_off.sh'
    option voltage_msg 'powermon'
    option log_severity '5' 

13.4 Ignition sense diagnostics

13.4.1 Monitoring Vapowermond status using the command line interface

To view status information about the current ignition sense state enter:

root@VA_router:~# cat /sys/class/gpio/gpio29/value 1 

1 for ignition on; 0 for ignition off

14 Configuring a WiFi connection

This section explains how to configure WiFi on a Virtual Access router using the web interface or via UCI.

WiFi can act as an Access Point (AP) to another device in the network or it can act as a client to an existing AP.

You can configure WiFi in two different ways:

• on a new interface, or
• on an existing interface

14.1 Configuration packages used

14.2 Configuring a WiFi interface using the web interface

To create a new WiFi interface via the web interface, in the top menu, click Network -> Wifi. The Wireless overview page appears.

Figure 60: The wireless overview page

Click Add to create a new WiFi interface. The Wireless Network configuration page appears. The Wireless Network configuration page consists of two sections:

14.2.1 Wireless network: device configuration

The Device Configuration section covers physical settings of the radio hardware such as channel, transmit power or antenna selection, which is shared among all defined wireless

networks (if the radio hardware is multi-SSID capable). There are two sections within the Device Configuration section.

14.2.1.1 Device configuration: general setup

Figure 61: The device configuration general setup section

Table 34: Information table for the device configuration section

14.2.1.2 Device configuration: advanced settings

Figure 62: The device configuration advanced settings section

Table 35: Information table for device configuration advanced settings

14.2.2 Wireless network: interface configuration

The interface configuration section is used to configure the network and security settings. It has three sub sections.

14.2.2.1 Interface configuration: general setup

Use this section to configure the interface name, mode and network settings. Differing web options may be presented depending on the Mode selected.

Figure 63: The interface configuration general setup section

Table 36: Information table for the interface configuration general setup section

14.2.2.2 Interface configuration: wireless security

Use this section to configure encryption, ciper and create a security key. Differing options will be defined depending on the encryption selected.

Figure 64: The wireless security section

Table 37: Information table for the interface configuration wireless security section

14.2.2.3 Interface configuration: MAC filter

Figure 65: The MAC filter section

Table 38: Information table for interface configuration MAC filter section

14.3 Configuring WiFi in AP mode

AP mode is when the routers WiFi is used as an access point to one of the routers other interfaces. For example, if a router is connected to the internet via 3G, the WiFi on the router can be used as an access point for other devices to connect to the router and use its 3G internet connection.

14.3.1 AP mode on a new interface

Configure the WiFi network in AP mode as described in the above section 'Configuring a WiFi interface', selecting a new interface for the Wireless Network in the Interface Configuration section.

Next, in the top menu, select Network -> Interfaces. The Interface Overview page appears.

In the Interface Overview page, click Edit on the newly created WiFi interface. Then configure the interface by following instructions in the chapter 'Configuring an Ethernet interface'. When you have completed those steps, continue with the section below.

14.3.2 AP mode on an existing Ethernet interface

Configure the WiFi network in AP mode as described in the above section 'Configuring a WiFi interface'.

Next, in the top menu, select Network -> Interfaces. The Interface Overview page appears.

In the Interface Overview page, click Edit on the Ethernet interface that will be bridged into the router's WiFi AP. The Common Configuration page appears. It has four sections.

This configuration only uses the Physical Settings section.

Figure 66: The physical settings section in the common configuration page

Table 39: Information table for the physical section on the common configuration page

14.4 Configuring WiFi using UCI

The configuration files are stored on:

• Network file /etc/config/network
• Wireless file /etc/config/wireless

14.4.1 AP modem on a new Ethernet interface using package options

root@VA_router:~# uci export network
package network

config interface 'newwifilan'
    option proto 'static'
    option ipaddr '192.168.111.1'
    option netmask '255.255.255.0'
root@VA_router:~# uci export wireless
package wireless

config wifi-device 'radio0'
    option type 'mac80211'
    option channel '11'
    option phy 'phy0'
    option hwmode '11ng'
    option htmode 'HT20'

list ht_capab 'SHORT-GI-40'
    list ht_capab 'TX-STBC'
    list ht_capab 'RX-STBC1'
    list ht_capab 'DSSS_CCK-40'
    option txpower '17'
    option country 'US'

config wifi-iface
    option device 'radio0'
    option mode 'ap'
    option disabled '1'
    option ssid 'Test_AP'
    option network 'newwifilan'
    option encryption 'psk'
    option key 'secretkey' 

14.4.2 AP modem on a new Ethernet interface using UCI

root@VA_router:~# uci show network
network.newlan=interface
network.newlan.proto=static
network.newlan.ipaddr=192.168.111.1
network.newlan.netmask=255.255.255.0
root@VA_router:~# uci show wireless
wireless.radio0=wifi-device
wireless.radio0.type=mac80211
wireless.radio0.channel=11
wireless.radio0.phy=phy0
wireless.radio0.hwmode=11ng
wireless.radio0.htmode=HT20
wireless.radio0.ht_capab=SHORT-GI-40 TX-STBC RX-STBC1 DSSS_CCK-40
wireless.radio0.txpower=17
wireless.radio0.country=US
wireless.@wifi-iface[0]=wifi-iface
wireless.@wifi-iface[0].device=radio0
wireless.@wifi-iface[0].mode=ap
wireless.@wifi-iface[0].disabled=1
wireless.@wifi-iface[0].ssid=Test_AP
wireless.@wifi-iface[0].network=newlan
wireless.@wifi-iface[0].encryption=psk
wireless.@wifi-iface[0].key=secretkey 

14.4.3 AP mode on an existing Ethernet interface using packages options

root@VA_router:~# uci export network
package network
config interface 'lan'
    option ifname 'eth0'
    option proto 'static'
    option ipaddr '192.168.100.1'
    option netmask '255.255.255.0'
    option type 'bridge'
root@VA_router:~# uci export wireless
package wireless 

config wifi-device 'radio0'
option type 'mac80211'
option channel '11'
option phy 'phy0'
option hwmode '11ng'
option htmode 'HT20'
list ht_capab 'SHORT-GI-40'
list ht_capab 'TX-STBC'
list ht_capab 'RX-STBC1'
list ht_capab 'DSSS_CCK-40'
option txpower '17'
option country 'US'

config wifi-iface
option device 'radio0'
option mode 'ap'
option disabled '1'
option ssid 'Test_AP'
option network 'lan'
option encryption 'psk'
option key 'secretkey' 

14.4.4 AP mode on an existing Ethernet interface using UCI

root@VA_router:~# uci show network
network.lan=interface
network.lan.ifname=eth0
network.lan.proto=static
network.lan.ipaddr=192.168.6.1
network.lan.netmask=255.255.255.0
network.lan.type=bridge
root@VA_router:~# uci show wireless
wireless.radio0=wifi-device
wireless.radio0.type=mac80211
wireless.radio0.channel=11
wireless.radio0.phy=phy0
wireless.radio0.hwmode=11ng 

wireless.radio0.htmode=HT20
wireless.radio0.ht_capab=SHORT-GI-40 TX-STBC RX-STBC1 DSSS_CCK-40
wireless.radio0.txpower=17
wireless.radio0.country=US
wireless.@wifi-iface[0]=wifi-iface
wireless.@wifi-iface[0].device=radio0
wireless.@wifi-iface[0].mode=ap
wireless.@wifi-iface[0].disabled=1
wireless.@wifi-iface[0].ssid=Test_AP
wireless.@wifi-iface[0].network=lan
wireless.@wifi-iface[0].encryption=psk
wireless.@wifi-iface[0].key=secretkey 

14.5 Creating a WiFi in Client mode using the web interface

A WiFi network in Client mode receives a wireless network from another WiFi AP.

Configure the Wifi network in Client mode as described in the above section 'Configuring a WiFi interface', selecting a new interface for the Wireless Network in the Interface Configuration section. For the examples below the new WiFi interface will be called 'newwifiClient'

Example:

wireless.@wifi-iface[0].network=newwifiClient
wireless.@wifi-iface[0].mode=sta 

In the top menu, select Network -> Interfaces. The Interfaces Overview page appears. Click Edit in the newly created WiFi Client interface. The Common Configuration page appears.

Figure 67: The client interface page

Table 40: Information table for interfaces WClient page

When you have clicked Save and Apply, the router will restart the network package. It may take up to one minute for connectivity to the router to be restored.

14.6 Configuring WiFi in Client mode using command line

The configuration files are stored on:

• Network file /etc/config/network
- Wireless file /etc/config/wireless

14.6.1 Client modem using package options

root@VA_router:~# uci export network
package network
config interface 'newwifiClient'
option proto 'dhcp'
root@VA_router:~# uci export wireless
package wireless
config wifi-device 'radio0'
option type 'mac80211'
option channel '11'
option phy 'phy0'
option hwmode '11ng'
option htmode 'HT20'
list ht_capab 'SHORT-GI-40' 

list ht_capab 'TX-STBC'
list ht_capab 'RX-STBC1'
list ht_capab 'DSSS_CCK-40'
option txpower '17'
option country 'US'

config wifi-iface
option device 'radio0'
option ssid 'Remote-AP'
option mode 'sta'
option network 'newwifiClient'
option encryption 'psk2'
option key 'testtest' 

14.6.2 Client modem using UCI

root@VA_router:~# uci show network
network.new=interface
network.WCLIENT.proto=dhcp 

14.6.2.1 uci show wireless

root@VA_router:~# uci show wireless
wireless.radio0=wifi-device
wireless.radio0.type=mac80211
wireless.radio0.channel=11
wireless.radio0.phy=phy0
wireless.radio0.hwmode=11ng
wireless.radio0.htmode=HT20
wireless.radio0.ht_capab=SHORT-GI-40 TX-STBC RX-STBC1 DSSS_CCK-40
wireless.radio0.txpower=17
wireless.radio0.country=US
wireless.@wifi-iface[0]=wifi-iface
wireless.@wifi-iface[0].device=radio0
wireless.@wifi-iface[0].ssid=Remote-AP
wireless.@wifi-iface[0].mode=sta
wireless.@wifi-iface[0].network=newwifiClient
wireless.@wifi-iface[0].encryption=psk2
wireless.@wifi-iface[0].key=testtest 

15 Configuring a mobile connection

15.1 Configuration package used

15.2 Configuring a mobile connection using the web interface

Note: if you are creating multiple mobile interfaces, simply repeat the steps in this chapter for each interface. Multiple interfaces are required for dual SIM or multiple radio module scenarios. Configuring static routes and/or Multi-WAN can be used to manage these interfaces.

In the top menu, select Network -> Interfaces. The Interfaces Overview page appears.

15.2.1 Create a new mobile interface

To create a new mobile interface, in the Interface Overview section, click Add new interface. The Create Interface page appears. In the examples below, 3G has been used for the interface name.

Figure 68: The create interface page

Table 41: Information table for the create interface page

Click Submit. The Common Configuration page appears. There are three sections in the mobile interface common configurations:

15.2.1.1 Mobile interface: general setup

Figure 69: The common configuration page

Table 42: Information table for common configuration settings

The Modem Configuration link at the bottom of the page is used for SIM pin code and SMS configuration. For more information, read the chapter 'Configuring mobile manager'.

15.2.1.2 Mobile interface: advanced settings

Figure 70: The advanced settings tab

Table 43: Information table for general set up page

15.2.1.3 Mobile interface: firewall settings

Use this section to select the firewall zone you want to assign to the interface.

Select unspecified to remove the interface from the associated zone or fill out the create field to define a new zone and attach the interface to it.

Figure 71: Firewall settings page

15.3 Configuring a mobile connection using CLI

15.3.1 UCI

To establish a basic mobile connection, enter:

root@VA_router:~# uci show network
network.3G=interface
network.3G.proto=3g
network.3G.montored=0
network.3G.sim=any
network.3G.auto=1
network.3G.defaultroute=1
network.3G.metric=1
network.3G.service=autonetwork.3G.apn=test.apn
network.3G.username=username
network.3G.password=password
network.3G.ipv4mode=dhcp
network.3G.ipv6mode=none 

15.3.2 Package options

root@VA_router:~#
package network

config interface '3G'
    option proto '3g'
    option monitored '0'
    option auto '1'
    option sim 'any'
    option defaultroute '1'
    option metric '1' option service 'auto'
    option apn 'test.apn'
    option username 'username'
    option password 'password'
    option ipv4mode 'dhcp'
    option ipv6mode 'none' 

15.4 Diagnositcs

Note: the information presented on screen and data output using UCI depends on the actual mobile hardware being used. Therefore, the interfaces or output you see may differ from the samples shown here.

15.4.1 Mobile status via the web

To view mobile connectivity information, in the top menu, select Status -> Mobile Information. The Mobile Information page appears. The information presented depends on the actual mobile hardware used; it might therefore differ from the samples shown here.

Figure 72: The mobile information page

Figure 73: The advanced information page

Figure 74: The cell information page

15.4.2 Mobile status using UCI

To display information and status of mobile interfaces such as 3G, 4G or CDMA, enter mobile_status:

root@VA_router:~# mobile_status
Mobile Interface : WAN
Status : idle
SIM In : yes
SIM Slot : 1
Operator : vodafone IE
Technology : UMTS
CS Network Status : Home network
PS Network Status : Home network
Signal (dBm) : -107
IMEI : 358743040012737
IMSI : 272017113618040 

For more advanced information, enter mobile_status -a:

root@ VA_router:~# mobile_status -a
Mobile Interface : WAN
Status : idle
CS Network Status : Home network 

PS Network Status : Home network
IMEI : 358743040012737
IMSI : 272017113618040
Operator : vodafone IE
Phone Number : +353874512040
SIM In : yes
SIM Slot : 1
SIM1 ICCID : 8935301140701270414
Signal (dBm) : -107
Technology : UMTS
Temperature (C) : 28
Hardware Revision : R1C08 

16 Configuring mobile manager

The Mobile Manager feature allows you to configure SIM settings.

16.1 Configuration package used

16.2 Configuring mobile manager using the web interface

Select Services -> Mobile Manager. The Mobile Manager page appears.

There are four sections in the mobile manager page:

16.2.1 Mobile manager: basic settings

Figure 75: The mobile manager basic page

Table 44: Information table for mobile manager basic settings

16.2.2 Mobile manager: CDMA settings

This configuration page is only supported for the Telit CE910-SL CDMA module.

Figure 76: The mobile manager CDMA page

Table 45: Information table for mobile manager CDMA settings

16.2.3 Mobile manager: callers

Figure 77: The mobile manager CDMA page

Table 46: Information table for mobile manager callers settings

16.2.4 Mobile manager: roaming interface template

For more information on Roaming Interface Template configuration, read the chapter, 'Automatic Operator Selection'.

16.3 Configuring mobile manager using command line

16.3.1 Mobile manager using UCI

The configuration files for mobile manager are stored on /etc/config/mobile

The following example shows how to enable the SMS functionality to receive and respond from certain caller ID numbers.

root@VA_router:~# uci show mobile
uci set mobile.main=mobile
uci set mobile.main.sim1pin=0000
uci set mobile.main.sim2pin=0000
uci set mobile.main.roaming_sim=none
uci set mobile.main.sms=1
uci set mobile.main.hdr_password=5678
uci set mobile.main.hdr_userid=1234
uci set mobile.main.init_get_iccids=1
uci set mobile.@caller[0]=caller
uci set mobile.@caller[0].name=user1
uci set mobile.@caller[0].number=3538712345678
uci set mobile.@caller[0].enabled=1 

uci set mobile.@caller[0].respond=1
uci set mobile.@caller[1]=caller
uci set mobile.@caller[1].name=user2
uci set mobile.@caller[1].number=3538723456789
uci set mobile.@caller[1].enabled=1
uci set mobile.@caller[1].respond=1 

16.3.2 Mobile manager using package options

root@VA_router:~# uci export mobile
package mobile
config mobile 'main'
    option sim1pin '0000'
    option sim2pin '0000'
    option roaming_sim 'none'
    option sms '1'
    option hdr_password '5678'
    option hdr_userid '1234'
    option init_get_iccids '1'
config caller
    option name 'vasupport'
    option number '353871234567'
    option enabled '1'
    option respond '1'
config caller
    option name 'vasupport1'
    option number '353872345678'
    option enabled '1'
    option respond '1' 

16.4 Monitoring SMS

You can monitor inbound SMS messages using the router's web browser or via an SSH session.

To monitor SMS using the web browser, login and select Status > system log.

Scroll to the bottom of the log to view the SMS message.

Figure 78: Example of output from system log

To monitor using SSH, login and enter:

logread -f &

An outgoing SMS message appears.

sendsms 353879876543 'hello'
root@VirtualAccess:~# Aug 10 16:29:11 user.notice VirtualAccess mobile[1737]: Queue sms to 353879876543 "hello" 

16.5 Sending SMS from the router

You can send an outgoing message via the command line using the following syntax:

sendsms 353879876543 'hello'
root@VirtualAccess:~# Aug 10 16:29:1 user.notice VirtualAccess mobile[1737]: Queue sms to 353879876543 "hello" 

16.6 Sending SMS to the router

The router can accept UCI show and set commands via SMS if the caller is enabled.

Note: commands are case sensitive.

An example would be to SMS the SIM card number by typing the following command on the phone and checking the SMS received from the router.

uci show mobile.@caller[0].number 

17 Configuring a GRE interface

General Routing Encapsulation (GRE) is a tunnelling protocol used for encapsulation of other communication protocols inside point to point links over IP.

17.1 Configuration packages used

17.2 Creating a GRE connection using the web interface

To create GRE interfaces through the web interface, in the top menu, select Network - > Interfaces.

There are three sections in the Interfaces page.

In the Interface Overview section, click Add new interface. The Create Interface page appears.

Figure 79: The create interface page

Table 47: Information table for the create new interface page

Click Submit. The Common Configuration page appears. There are three sections in the Common Configurations page.

17.2.1 GRE connection: common configuration - general setup

Figure 80: The GRE common configuration page

Table 48: Information table for GRE

17.2.2 GRE connection: common configuration-advanced settings

Figure 81: GRE advanced settings page

Table 49: Information table for GRE advanced settings

17.2.3 GRE connection: firewall settings

Use this section to select the firewall zone you want to assign to this interface.

Select unspecified to remove the interface from the associated zone or fill out the create field to define a new zone and attach the interface to it.

Figure 82: GRE firewall settings

Click Save and Apply. This will save the current settings and return you to the Interface Overview page. To configure further settings on the GRE interface select EDIT for the relevant GRE interface.

17.2.4 GRE connection: adding a static route

After you have configured the GRE interface, you must configure a static route to route the desired traffic over the GRE tunnel. To do this, browse to Network->Static Routes. For more information, read the chapter 'Configuring Static Routes'.

17.3 GRE configuration using command line

The configuration file is stored on /etc/config/network

For the examples below tunnel1 is used as the interface logical name.

17.4 GRE configuration using UCI

root@VA_router:~# uci show network
network.tunnel1=interface
network.tunnel1.proto=gre
network.tunnel1.monitored=0
network.tunnel1.ipaddr=172.255.255.2
network.tunnel1.mask_length=24
network.tunnel1.local_interface=wan
network.tunnel1.remote_ip=172.255.255.100
network.tunnel1.ttl=128
network.tunnel1.key=1234
network.tunnel1.mtu=1472
network.tunnel1.auto=1 

17.5 GRE configuration using package options

root@VA_router:~# uci export network
config interface 'tunnel1'
option proto 'gre'
option monitored '0'
option ipaddr '172.255.255.2'
option mask_length '24'
option local_interface 'wan'
option remote_ip '172.255.255.100'
option ttl '128' 

option key '1234'
option mtu '1472'
option auto '1' 

To change any of the above values use uci set command.

17.6 GRE diagnostics

17.6.1 GRE interface status

To show the current running interfaces, enter:

root@VA_router:~# ifconfig
base0 Link encap:Ethernet HWaddr 00:00:00:00:01:01
inet6 addr: fe80::200:ff:fe00:101/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1504 Metric:1
RX packets:39810 errors:0 dropped:0 overruns:0 frame:0
TX packets:365 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:10889090 (10.3 MiB) TX bytes:68820 (67.2 KiB)
eth4 Link encap:Ethernet HWaddr 00:1E:10:1F:00:00
inet addr:10.68.66.54 Bcast:10.68.66.55 Mask:255.255.255.252
inet6 addr: fe80::21e:10ff:felf:0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:81 errors:0 dropped:0 overruns:0 frame:0
TX packets:127 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:8308 (8.1 KiB) TX bytes:12693 (12.3 KiB)
gre-Tunnel1 Link encap:UNSPEC HWaddr 0A-44-42-36-DB-B0-00-48-00-00-00-00-00-00-00
inet addr:13.13.13.2 Mask:255.255.255.248
inet6 addr: fe80::5efe:a44:4236/64 Scope:Link
UP RUNNING MULTICAST MTU:1472 Metric:1
RX packets:7 errors:0 dropped:0 overruns:0 frame:0
TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:912 (912.0 B) TX bytes:884 (884.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr::1/128 Scope:Host 

UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1465 errors:0 dropped:0 overruns:0 frame:0
TX packets:1465 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:166202 (162.3 KiB) TX bytes:166202 (162.3 KiB) 

To display a specific GRE interface, enter ifconfig gre-:

root@VA_router:~# ifconfig gre-Tunnel1
gre-Tunnel1 Link encap:UNSPEC HWaddr 0A-44-42-36-00-00-7F-E2-00-00-00-00-00-00-00-00
inet addr:13.13.13.2 Mask:255.255.255.248
inet6 addr: fe80::5efe:a44:4236/64 Scope:Link
UP RUNNING MULTICAST MTU:1472 Metric:1
RX packets:7 errors:0 dropped:0 overruns:0 frame:0
TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:912 (912.0 B) TX bytes:8GRE route status 

To show the current GRE route status, enter:

root@VA_router:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use
Iface
0.0.0.0 10.68.66.53 0.0.0.0 UG 0 0 0 eth4
0.0.0.0 13.13.13.1 0.0.0.0 UG 1 0 0 gre-
Tunnel1
10.68.66.52 0.0.0.0 255.255.255.252 U 0 0 0 eth4
13.13.13.0 0.0.0.0 255.255.255.248 U 0 0 0 gre-
Tunnel1
172.19.101.3 13.13.13.1 255.255.255.255 UGH 0 0 0 gre-
Tunnel1 

Note: a GRE route will only be displayed in the routing table when the interface is up.

18 Configuring static routes

It is possible to define arbitrary IPv4 routes on specific interfaces using route sections. As for aliases, multiple sections can be attached to an interface. These types of routes are most commonly known as static routes.

You can add static routes to the routing table to forward traffic to specific subnets when dynamic routing protocols are not used or they are not configured for such subnets. They can be created based on outgoing interface or next hop IP address.

18.1 Configuration package used

18.2 Configuring static routes using the web interface

In the top menu, select Network -> Static Routes. The Routes page appears.

Figure 83: The routes page

In the IPv4 Routes section, click Add.

Table 50: Information table for IPv4 static routes section

18.3 Configuring IPv6 routes using the web interface

You can also specify IPv6 routes by defining one or more IPv6 routes. In the IPv6 routes section, click Add.

Web Field/ UCI / Package Option	Description
Web: InterfaceUCI: network.@route[1].interfaceOpt: interface	Specifies the logical interface name of the parent or master interface this route belongs to. It must refer to one of the defined interface sections.
Web: targetUCI: network.@route[1].targetOpt: target	Specifies the route network IP address, or subnet in CIDR notation:Example: 2001:0DB8:100:F00:BA3::1/64
Web: GatewayUCI: network.@route[1].gatewayOpt: Gateway	Network gateway. If omitted, the gateway from the parent interface is taken. If set to 0.0.0.0 no gateway will be specified for the route.
Web: MetricUCI: network.@route[1].metricOpt: metric	Specifies the route metric to use.
Web: MTUUCI: network.@route[1].mtuOpt:mtu	Defines a specific MTU for this route. If omitted the MTU from the parent interface will be taken.
	Empty
	Range

Table 51: Information table for IPv6 routes

When you have made your changes, click Save & Apply.

18.4 Configuring routes using command line

By default all routes are named 'route', it is identified by @route then the route's position in the package as a number. For example, for the first route in the package using UCI:

network.@route[0]=route
network.@route[0].interface=lan 

Or using package options:

config route option 'interface' 'lan' 

However, you can give a route a name if desired. For example, a route named 'myroute' will be network.myroute.

To define a named route using UCI, enter:

network.name_your_route=route
network.name_your_route.interface=lan 

To define a named route using package options, enter:

config route 'name_your_route'
option 'interface' 'lan' 

18.5 IPv4 routes using UCI

The command line example routes in the subsections below do not have a configured name.

root@VA_router:~# uci show network
network.@route[0]=route
network.@route[0].interface=lan
network.@route[0].target=3.3.3.10
network.@route[0].netmask=255.255.255.255
network.@route[0].gateway=10.1.1.2
network.@route[0].metric=3
network.@route[0].mtu=1400 

18.6 IPv4 routes using package options

root@VA_router:~# uci export network
package network
...
config route
option interface 'lan'
option target '2.2.2.2'
option netmask '255.255.255.255'
option gateway '192.168.100.1'
option metric '1'
option mtu '1500' 

18.7 IPv6 routes using UCI

root@VA_router:~# uci show network
network.@route[1]=route
network.@route[1].interface=lan
network.@route[1].target=2001:0DB8:100:F00:BA3::1/64
network.@route[1].gateway=2001:0DB8:99::1
network.@route[1].metric=1
network.@route[1].mtu=1500 

18.8 IPv6 routes using packages options

root@VA_router:~# uci export network
package network
...
config route
    option interface 'lan'
    option target '2001:0DB8:100:F00:BA3::1/64'
    option gateway '2001:0DB8:99::1'
    option metric '1'
    option mtu '1500' 

18.9 Static routes diagnostics

18.9.1 Route status

To show the current routing status, enter:

root@VA_router:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.100.0 * 255.255.255.0 U 0 0 0 eth0 

Note: a route will only be displayed in the routing table when the interface is up.

19 Configuring BGP (Border Gateway Protocol)

BGP is a protocol for exchanging routing information between gateway hosts, each with its own router, in a network of autonomous systems. BGP is often the protocol used between gateway hosts on the internet. The routing table contains a list of known routers, the addresses they can reach, and a cost metric associated with the path to each router so that the best available route is chosen.

19.1 Configuration package used

19.2 Configuring BGP using the web interface

In the top menu, select Network -> BGP. BGP configuration page appears. The page has three sections: Global Settings, BGP Neighbours and BGP Route Map.

Figure 84: The BGP page

19.2.1 BGP global settings

To configure global BGP settings, click Add. The Global Settings page appears.

Figure 85: The BGP global settings page

Table 52: Information table for BGP global settings

19.2.2 Optionally configure a BGP route map

Route maps provide a means to both filter and/or apply actions to a route. This allows a policy to be applied to routes. Route maps are an ordered list of route map entries each with a set of criteria that must be matched before specific attributes of the route are modified.

Scroll down to the BGP Route Map section.

Type in a name for the BGP route map name and then click Add. The ROUTEMAP configuration section appears. You can configure multiple route maps.

Figure 86: The routemap section

Table 53: Information table for routemap

19.2.3 Configure BGP neighbours

To configure BGP neighbours, in the BGP neighbours section, click Add. The BGP Neighbours page appears. Multiple BGP neighbours can be configured.

Figure 87: The BGP neighbours section

Table 54: Information table for BGP neighbours

19.3 Configuring BGP using UCI

You can also configure BGP using UCI. The configuration file is stored on /etc/config/bgpd

root@VA_router:~# uci show bgpd
bgpd.bgpd=routing
bgpd.bgpd.enabled=yes
bgpd.bgpd.router_id=3.3.3.3
bgpd.bgpd.asn=1
bgpd.bgpd.network=11.11.11.0/29 192.168.103.1/32
bgpd.@peer[0]=peer
bgpd.@peer[0].route_map_in=yes
bgpd.@peer[0].ipaddr=11.11.11.1
bgpd.@peer[0].asn=1
bgpd.@peer[0].route_map=ROUTEMAP
bgpd.ROUTEMAP=routemap 

bgpd.ROUTEMAP.order=10
bgpd.ROUTEMAP.permit=yes
bgpd.ROUTEMAP.match_type=ip address
bgpd.ROUTEMAP.match=192.168.101.1/32
bgpd.ROUTEMAP.set_type=ip next-hop
bgpd.ROUTEMAP.set='192.168.101.2/32' 

To change any of the above values use UCI set command.

19.4 Configuring BGP using packages options

root@VA_router:~# uci export bgpd
package bgpd

config routing 'bgpd'
    option enabled 'yes'
    option router_id '3.3.3.3'
    option asn '1'
    list network '11.11.11.0/29'
    list network '192.168.103.1/32'

config peer
    option route_map_in 'yes'
    option ipaddr '11.11.11.1'
    option asn '1'
    option route_map 'ROUTEMAP'

config routemap 'ROUTEMAP'
    option order '10'
    option permit 'yes'
    option match_type 'ip address'
    option match '192.168.101.1/32'
    option set_type 'ip next-hop'
    option set '192.168.101.2/32' 

19.5 View routes statistics

To view routes statistics, in the top menu click Status -> Routes. The routing table appears.

Routes
The following rules are currently active on this system.
ARP

Active IPv4-Routes

Active IPv6-Routes

Figure 88: The routing table

To view routes via the command line, enter:

root@support:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.1.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-lan2 

20 Configuring OSPF (Open Shortest Path First)

20.1 Introduction

OSPF is a standardised Link State routing protocol, designed to scale efficiently to support larger networks. Link State protocols track the status and connection type of each link and produce a calculated metric based on these and other factors, including some set by the network administrator. Link State protocols will take a path which has more hops, but that uses a faster medium over a path using a slower medium with fewer hops.

• OSPF adheres to the following Link State characteristics:
• OSPF employs a hierarchical network design using areas.
• OSPF will form neighbour relationships with adjacent routers in the same area.
• Instead of advertising the distance to connected networks, OSPF advertises the status of directly connected links using Link-State Advertisements (LSAs).
• OSPF sends updates (LSAs) when there is a change to one of its links, and will only send the change in the update. LSAs are additionally refreshed every 30 minutes.
• OSPF traffic is multicast either to address 224.0.0.5 (all OSPF routers) or 224.0.0.6 (all designated routers).
• OSPF uses the Dijkstra Shortest Path First algorithm to determine the shortest path.
• OSPF is a classless protocol, and therefore supports variable Length Subnet Masks (VLSMs).

Other characteristics of OSPF include:

• OSPF supports only IP routing.
- OSPF routes have an administrative distance is 110.
- OSPF uses cost as its metric, which is computed based on the bandwidth of the link. OSPF has no hop-count limit.

The OSPF process builds and maintains three separate tables:

• A neighbour table containing a list of all neighbouring routers
• A topology table containing a list of all possible routes to all known networks within an area
• A routing table containing the best route for each known network

20.1.1 OSPF areas

graph TD
    subgraph Area 0 (Backbone Area)
        A["Router"] --> B["Router"]
        B --> C["Router"]
        C --> D["Router"]
        D --> E["Router"]
        E --> F["Router"]
        F --> G["Router"]
    end
    subgraph Area 1
        H["Router"] --> I["Router"]
        I --> J["Router"]
        J --> K["Router"]
        K --> L["Router"]
        L --> M["Router"]
        M --> N["Router"]
        N --> O["Router"]
        O --> P["Router"]
        P --> Q["Router"]
        Q --> R["Router"]
        R --> S["Router"]
        S --> T["Router"]
        T --> U["Router"]
        U --> V["Router"]
        V --> W["Router"]
        W --> X["Router"]
        X --> Y["Router"]
        Y --> Z["Router"]
        Z --> A
    end
    style Area 0 fill:#f9f,stroke:#333
    style Area 1 fill:#ccf,stroke:#333
    style Area 2 fill:#cfc,stroke:#333
    style Area 3 fill:#fcc,stroke:#333
    style Area 4 fill:#cff,stroke:#333
    style Area 5 fill:#ffc,stroke:#333
    style Area 6 fill:#cfc,stroke:#333
    style Area 7 fill:#fcc,stroke:#333
    style Area 8 fill:#ffc,stroke:#333
    style Area 9 fill:#cfc,stroke:#333
    style Area 10 fill:#fcc,stroke:#333
    style Area 11 fill:#cfc,stroke:#333
    style Area 12 fill:#fcc,stroke:#333
    style Area 13 fill:#cfc,stroke:#333
    style Area 14 fill:#fcc,stroke:#333
    style Area 15 fill:#cfc,stroke:#333
    style Area 16 fill:#fcc,stroke:#333
    style Area 17 fill:#cfc,stroke:#333
    style Area 18 fill:#fcc,stroke:#333
    style Area 19 fill:#cfc,stroke:#333
    style Area 20 fill:#fcc,stroke:#333

Figure 89: OSPF areas

OSPF has a number of features that allow it to scale well for larger networks. One of these features is OSPF areas. OSPF areas break up the topology so that routers in one area know less topology information about the subnets in the other area, and they do not know anything about the routers in the other area at all. With smaller topology databases, routers consume less memory and take less processing time to run SPF.

The Area Border Router (ABR) is the border between two areas. The ABR does not advertise full topology information about the part of the network in area 0 to routers in area 1. Instead the ABR advertises summary information about the subnets in area 0. Area 1 will just see a number of subnets reachable via area 0.

20.1.2 OSPF neighbours

OSPF forms neighbour relationships, called adjacencies, with other routers in the same Area by exchanging 'Hello' packets to multicast address 224.0.0.5. Only after an adjacency is formed can routers share routing information.

Each OSPF router is identified by a unique router ID. The router ID can be determined in one of three ways:

• The router ID can be manually specified.
- If not manually specified, the highest IP address configured on any Loopback interface on the router will become the router ID.
- If no loopback interface exists, the highest IP address configured on any physical interface will become the router ID.

By default, Hello packets are sent out OSPF-enabled interfaces every 10 seconds for broadcast and point-to-point interfaces, and 30 seconds for non-broadcast and point-to-multipoint interfaces.

OSPF also has a 'Dead Interval', which indicates how long a router will wait without hearing any hellos before announcing a neighbour as 'down'. The default setting for the Dead Interval is 40 seconds for broadcast and point-to-point interfaces, and 120 seconds for non-broadcast and point-to-multipoint interfaces. By default, the Dead Interval timer is four times the Hello interval.

OSPF routers will only become neighbours if the following parameters within a Hello packet are identical on each router:

• Area ID
  • Area Type (stub, NSSA, etc.)
• Prefix
• Subnet Mask
• Hello Interval
• Dead Interval
  • Network Type (broadcast, point-to-point, etc.)
• Authentication

The Hello packets also serve as keepalives to allow routers to quickly discover if a neighbour is down. Hello packets also contain a neighbour field that lists the router IDs of all neighbours the router is connected to. A neighbour table is constructed from the OSPF Hello packets, which includes the following information:

• The router ID of each neighbouring router
- The current ‘state’ of each neighbouring router
• The interface directly connecting to each neighbour
• The IP address of the remote interface of each neighbour

20.1.3 OSPF designated routers

In multi-access networks such as Ethernet, there is the possibility of many neighbour relationships on the same physical segment. This leads to a considerable amount of unnecessary Link State Advertisement (LSA) traffic. If a link of a router were to fail, it would flood this information to all neighbours. Each neighbour, in turn, would then flood that same information to all other neighbours. This is a waste of bandwidth and processor load.

To prevent this, OSPF will elect a Designated Router (DR) for each multi-access networks, accessed via multicast address 224.0.0.6. For redundancy purposes, a Backup Designated Router (BDR) is also elected.

OSPF routers will form adjacencies with the DR and BDR. If a change occurs to a link, the update is forwarded only to the DR, which then forwards it to all other routers. This greatly reduces the flooding of LSAs. DR and BDR elections are determined by a router's OSPF priority, which is configured on a per-interface basis (a router can have interfaces in multiple multi-access networks). The router with the highest priority becomes the DR; second highest becomes the BDR. If there is a tie in priority, whichever router has the highest Router ID will become the DR.

20.1.4 OSPF neighbour states

Neighbour adjacencies will progress through several states, described in the table below.

Table 55: Neighbour adjacency states

20.1.5 OSPF network types

OSPF's functionality is different across several different network topology types.

Table 56: OSPF functionality over different topology types

20.1.6 The OSPF hierarchy

OSPF is a hierarchical system that separates an autonomous system into individual areas. OSPF traffic can either be:

• intra-area (within one area),
• inter-area (between separate areas), or
• external (from another AS).

OSPF routers build a topology database of all links within their area, and all routers within an area will have an identical topology database. Routing updates between these routers will only contain information about links local to their area. Limiting the topology database to include only the local area conserves bandwidth and reduces CPU loads.

Area 0 is required for OSPF to function, and is considered the backbone area. As a rule, all other areas must have a connection into area 0, though this rule can be bypassed using virtual links. Area 0 is often referred to as the transit area to connect all other areas.

OSPF routers can belong to multiple areas, and therefore contain separate topology databases or each area. These routers are known as Area Border Routers (ABRs).

graph TD
    External_Networks["External Networks"] --> Router_G["Router G"]
    Router_G --> Router_C["Router C"]
    Router_G --> Router_D["Router D"]
    Router_C --> Router_A["Router A"]
    Router_C --> Router_B["Router B"]
    Router_C --> Router_C
    Router_D --> Router_E["Router E"]
    Router_D --> Router_F["Router F"]
    Router_C --> Area_0["Area 0"]
    Router_D --> Area_0
    Router_C --> Area_1["Area 1"]
    Router_D --> Area_2["Area 2"]

Figure 90: OSPF hierarchy

In the above example three areas exist: Area 0, Area 1, and Area 2.

Area 0 is the backbone area for this autonomous system.

Both Area 1 and Area 2 must directly connect to Area 0. Routers A and B belong fully to Area 1, while Routers E and F belong fully to Area 2. These are known as Internal Routers.

Router C belongs to both Area 0 and Area 1; so it is an ABR. Because it has an interface in Area 0, it can also be considered a Backbone Router (BR). The same can be said for Router D, as it belongs to both Area 0 and Area 2.

Router G also belongs to Area 0 however it also has a connection to the internet, which is outside this autonomous system. This makes Router G an Autonomous System Border Router (ASBR).

A router can become an ASBR in one of two ways:

• By connecting to a separate Autonomous System, such as the internet
• By redistributing another routing protocol into the OSPF process.

ASBRs provide access to external networks. OSPF defines two types of external routes, as shown in the table below.

Table 57: Types of external routes

20.1.7 OSPF router types

The four separate OSPF router types are shown in the table below.

20.2 Configuration package used

20.3 Configuring OSPF using the web interface

Select Network -> OSPF. The OSPF page appears.

There are three sections in the OSPF page:

20.3.1 Global settings

The Global Settings section configures the ospfd routing section. The web automatically names the routing section 'ospfd'.

Figure 91: The OSPF global settings configuration page

Table 58: Information table for OSPF global settings

20.3.2 Topology configuration

The Topology section configures the ospfd network section. This section specifies the OSPF enabled interface(s). The router can provide network information to the other OSPF routers via this interface.

Note: to advertise OSPF on an interface, the network mask prefix length for the topology configuration statement for the desired interface advertisement must be equal or smaller (IE. larger network) than the network mask prefix length for the interface.

For example, the topology configuration statement in the screenshot below does not enable OSPF on an interface with address 12.1.1.1/23, but it would on an interface with address 12.1.1.129/25.

Figure 92: The OSPF topology configuration page

Table 59: Information table for OSPF topology configuration

20.3.3 Interfaces configuration

The Interfaces section contains settings to configure the OSPF interface. It defines interface configuration for OSPF and interface specific parameters.

OSPFv2 allows packets to be authenticated using either an insecure plain text password, included with the packet, or by a more secure MD5 based HMAC (keyed-Hashing for Message Authentication). Enabling authentication prevents routes being updated by

unauthenticated remote routers, but still can allow routes, that is, the entire OSPF routing table, to be queried remotely, potentially by anyone on the internet, via OSPFv1.

This section defines key_chains to be used for MD5 authentication.

Figure 93: The OSPF interfaces configuration section

Table 60: Information table for OSPF interface commands

20.4 Configuring OSPF using the command line

OSPF is configured under the ospfd package /etc/config/ospfd.

There are three config sections: ospfd, interface and network.

You can configure multiple interface and network sections.

By default, all OSPF interface instances are named interface, instances are identified by @interface then the interface position in the package as a number. For example, for the first interface in the package using UCI:

ospfd.@interface[0]=interface
ospfd.@interface[0].ospf_interface=lan 

Or using package options:

config interface option ospf_interface 'lan'

By default, all OSPF network instances are named network, it is identified by @network then the interface position in the package as a number. For example, for the first network in the package using UCI:

ospfd.@network[0]=network
ospfd.@network[0].ip_addr=12.1.1.1 

Or using package options:

config network
option ip_addr '12.1.1.1' 

20.5 OSPF using UCI

root@VA_router:~# uci show ospfd
ospfd.ospfd=routing
ospfd.ospfd.enabled=yes
ospfd.ospfd.default_info_originate=yes
ospfd.ospfd.router_id=1.2.3.4
ospfd.@network[0]=network
ospfd.@network[0].ip_addr=12.1.1.1
ospfd.@network[0].mask_length=24
ospfd.@network[0].area=0
ospfd.@network[0].stub_area=yes
ospfd.@interface[0]=interface
ospfd.@interface[0].ospf_interface=lan8
ospfd.@interface[0].hello_interval=10
ospfd.@interface[0].dead_interval=40
ospfd.@interface[0].network_type=broadcast
ospfd.@interface[0].passive=yes
ospfd.@interface[0].auth_mode=text
ospfd.@interface[0].text_auth_key=secret
ospfd.@interface[1]=interface
ospfd.@interface[1].ospf_interface=lan7
ospfd.@interface[1].network_type=point-to-point
ospfd.@interface[1].passive=no 

ospfd.@interface[1].hello_interval=30
ospfd.@interface[1].dead_interval=120
ospfd.@interface[1].auth_mode=md5
ospfd.@interface[1].key_id=1
ospfd.@interface[1].md5_auth_key=test 

20.6 OSPF using package options

root@VA_router:~# uci export ospfd
package ospfd

config routing 'ospfd'
    option enabled 'yes'
    option default_info_originate 'yes'
    option router_id '1.2.3.4'

config network
    option ip_addr '12.1.1.1'
    option mask_length '24'
    option area '0'
    option stub_area 'yes'

config interface
    option ospf_interface 'lan8'
    option hello_interval '10'
    option dead_interval '40'
    option network_type 'broadcast'
    option passive 'yes'
    option auth_mode 'text'
    option text_auth_key 'secret'

config interface
    option ospf_interface 'lan7'
    option network_type 'point-to-point'
    option passive 'no'
    option hello_interval '30'
    option dead_interval '120' 

option auth_mode 'md5'
option key_id '1'
option md5_auth_key 'test' 

20.7 OSPF diagnostics

20.7.1 Route status

To show the current routing status, enter:

Note: a route will only be displayed in the routing table when the interface is up.

20.7.2 Tracing OSPF packets

Typically, OSPF uses IP as its transport protocol. The well-known IP protocol type for OSPF traffic is 0x59. To trace OSPF packets on any interface on the router, enter: tcpdump -i any -n proto ospf &

root@VA_router:~# tcpdump -i any -n proto ospf &
root@VA_router:~# tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes 

To stop tracing enter fg to bring tracing task to foreground, and then to stop the trace.

root@VA_router:~# fg
tcpdump -i any -n proto ospf
^C
33 packets captured
33 packets received by filter
0 packets dropped by kernel 

20.8 Quagga/ Zebra console

Quagga is the routing protocol suite embedded in the router firmware. Quagga is split into different daemons for implementation of each routing protocol. Zebra is a core daemon for Quagga, providing the communication layer to the underlying Linux kernel, and routing updates to the client daemons.

Quagga has a console interface to Zebra for advanced debugging of the routing protocols.

To access, enter:

root@VA_router:~# telnet localhost zebra
Entering character mode
Escape character is '^]'.
Hello, this is Quagga (version 0.99.21).
Copyright 1996-2005 Kunihiro Ishiguro, et al.
User Access Verification
Password: 

To see OSPF routing from Zebra console, enter:

root@VA_router:~# sh ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, P - PIM, H - HSLS, o - OLSR,
b - BATMAN, A - Babel,
> - selected route, * - FIB route 

K>* 0.0.0.0/0 via 10.206.4.65, usb0
O 10.1.0.0/16 [110/11] via 11.11.11.1, gre-GRE, 02:35:28
C>* 10.1.0.0/16 is directly connected, eth1
C>* 10.206.4.64/30 is directly connected, usb0
O 11.11.11.0/29 [110/10] is directly connected, gre-GRE, 02:35:29
C>* 11.11.11.0/29 is directly connected, gre-GRE
K>* 89.101.154.151/32 via 10.206.4.65, usb0
C>* 127.0.0.0/8 is directly connected, lo
C>* 192.168.100.0/24 is directly connected, eth0
O>* 192.168.101.1/32 [110/11] via 11.11.11.1, gre-GRE, 02:35:28
O>* 192.168.104.1/32 [110/20] via 11.11.11.4, gre-GRE, 02:30:45
O 192.168.105.1/32 [110/10] is directly connected, lo, 02:47:52
C>* 192.168.105.1/32 is directly connected, lo 

20.8.1 OSPF debug console

When option tty_enabled (see Global settings section above) is enabled in the OSPF configuration, OSPF debug console can be accessed for advanced OSPF debugging.

To access OSPF debug console enter: telnet localhost ospfd (password zebra)

root@VA_router:~# telnet localhost ospfd
Entering character mode
Escape character is '^]'.
Hello, this is Quagga (version 0.99.21).
Copyright 1996-2005 Kunihiro Ishiguro, et al.
User Access Verification
Password: 

To see OSPF routing from OSPF debug console, enter: sh ip ospf route

UUT> sh ip ospf route
==================== OSPF network routing table =================== 

N 10.1.0.0/16 [11] area: 0.0.0.0
via 11.11.11.1, gre-GRE
N 11.11.11.0/29 [10] area: 0.0.0.0
directly attached to gre-GRE
N 192.168.101.1/32 [11] area: 0.0.0.0
via 11.11.11.1, gre-GRE
N 192.168.104.1/32 [20] area: 0.0.0.0
via 11.11.11.4, gre-GRE
N 192.168.105.1/32 [10] area: 0.0.0.0
directly attached to lo
================ O SPF router routing table ====================
================ OSPF external routing table ==================== 

To see OSPF neighbours from OSPF debug console, enter: sh ip ospf neighbour

root@VA_router:~# sh ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface RXmtL RqstL DBsmL
1.1.1.1 255 Full/DR 33.961s 11.11.11.1 gre-GRE:11.11.11.5
0 0 0 

To see OSPF interface details from OSPF debug console, enter: sh ip ospf interface

root@VA_router:~# sh ip ospf interface
base0 is up
ifindex 8, MTU 1518 bytes, BW 0 Kbit <UP,BROADCAST,RUNNING,MULTICAST>
OSPF not enabled on this interface
eth0 is up
ifindex 9, MTU 1500 bytes, BW 0 Kbit <UP,BROADCAST,RUNNING,MULTICAST>
OSPF not enabled on this interface
eth1 is up
ifindex 10, MTU 1500 bytes, BW 0 Kbit
<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>
OSPF not enabled on this interface
eth2 is down 

ifindex 11, MTU 1500 bytes, BW 0 Kbit <BROADCAST,MULTICAST>
OSPF not enabled on this interface
eth3 is down
ifindex 12, MTU 1500 bytes, BW 0 Kbit <BROADCAST,MULTICAST>
OSPF not enabled on this interface
eth4 is down
ifindex 13, MTU 1500 bytes, BW 0 Kbit <BROADCAST,MULTICAST>
OSPF not enabled on this interface
eth5 is down
ifindex 14, MTU 1500 bytes, BW 0 Kbit <BROADCAST,MULTICAST>
OSPF not enabled on this interface
eth6 is down
ifindex 15, MTU 1500 bytes, BW 0 Kbit <BROADCAST,MULTICAST>
OSPF not enabled on this interface
eth7 is down
ifindex 16, MTU 1500 bytes, BW 0 Kbit <BROADCAST,MULTICAST>
OSPF not enabled on this interface
gre-GRE is up
ifindex 19, MTU 1472 bytes, BW 0 Kbit <UP,RUNNING,MULTICAST>
Internet Address 11.11.11.5/29, Area 0.0.0.0
MTU mismatch detection:enabled
Router ID 192.168.105.1, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State Backup, Priority 1
Designated Router (ID) 1.1.1.1, Interface Address 11.11.11.1
Backup Designated Router (ID) 192.168.105.1, Interface Address 11.11.11.5
Multicast group memberships: OSPFAllRouters OSPFDesignatedRouters
Timer intervals configured, Hello 10s, Dead 40s, Wait 40s, Retransmit 5
Hello due in 3.334s
Neighbor Count is 1, Adjacent neighbor count is 1
gre0 is down
ifindex 6, MTU 1476 bytes, BW 0 Kbit <NOARP>
OSPF not enabled on this interface
ifb0 is down
ifindex 2, MTU 1500 bytes, BW 0 Kbit <BROADCAST,NOARP>
OSPF not enabled on this interface
ifb1 is down
ifindex 3, MTU 1500 bytes, BW 0 Kbit <BROADCAST,NOARP> 

OSPF not enabled on this interface
lo is up
ifindex 1, MTU 16436 bytes, BW 0 Kbit <UP,LOOPBACK,RUNNING>
Internet Address 192.168.105.1/32, Broadcast 192.168.105.1, Area 0.0.0.0
MTU mismatch detection:enabled
Router ID 192.168.105.1, Network Type LOOPBACK, Cost: 10
Transmit Delay is 1 sec, State Loopback, Priority 1
No designated router on this network
No backup designated router on this network
Multicast group memberships: <None>
Timer intervals configured, Hello 10s, Dead 40s, Wait 40s, Retransmit 5
Hello due in inactive
Neighbor Count is 0, Adjacent neighbor count is 0
sit0 is down
ifindex 7, MTU 1480 bytes, BW 0 Kbit <NOARP>
OSPF not enabled on this interface
teql0 is down
ifindex 4, MTU 1500 bytes, BW 0 Kbit <NOARP>
OSPF not enabled on this interface
tunl0 is down
ifindex 5, MTU 1480 bytes, BW 0 Kbit <NOARP>
OSPF not enabled on this interface
usb0 is up
ifindex 17, MTU 1500 bytes, BW 0 Kbit <UP,BROADCAST,RUNNING,MULTICAST>
OSPF not enabled on this interface 

To see OSPF database details from OSPF debug console, enter: sh ip ospf database

root@VA_router:~# sh ip ospf database
OSPF Router with ID (192.168.105.1)
Router Link States (Area 0.0.0.0)
Link ID ADV Router Age Seq# CkSum Link count
1.1.1.1 1.1.1.1 873 0x80006236 0xd591 3
192.168.104.1 192.168.104.1 596 0x8000000a 0x3a2d 2 

192.168.105.1 192.168.105.1 879 0x8000000b 0x4919 2
Net Link States (Area 0.0.0.0)
Link ID ADV Router Age Seq# CkSum
11.11.11.1 1.1.1.1 595 0x80000004 0x5712 

21 Configuring VRRP

21.1 Overview

Virtual Router Redundancy Protocol (VRRP) is a networking protocol designed to eliminate the single point of failure inherent in the static default routed environment.

VRRP specifies an election protocol that dynamically assigns responsibility for a virtual router to one of the VRRP routers on a LAN. The VRRP router controlling the IP address(es) associated with a virtual router is called the Master, and forwards packets sent to these IP addresses. The election process provides dynamic failover in the forwarding responsibility from the Master to a backup router should the Master become unavailable. This process allows the virtual router IP address(es) on the LAN to be used as the default first hop router by end hosts. The advantage gained from using VRRP is a higher availability default path without requiring configuration of dynamic routing or router discovery protocols on every end host.

Two or more routers forming the redundancy cluster are configured with the same Router ID and Virtual IP address. A VRRP router group operates within the scope of the single LAN. Additionally, the VRRP routers are configured with its initial role (Master or Backup) and the router priority, which is a factor in the master router election process. You can also configure a password authentication to protect VRRP protocol messages against spoofing.

The VRRP protocol is implemented according to internet standard RFC2338.

21.2 Configuration package used

21.3 Configuring VRRP using the web interface

To configure VRRP through the web interface, in the top menu, select Network ->VRRP. The VRRP page appears.

There are two sections in the VRRP page:

21.3.1 Global settings

The Global Settings section configures vrrp package main section.

To access configuration settings, click ADD.

Figure 94: The VRRP global settings configuration page

21.3.2 VRRP group configuration settings

The VRRP Group Configuration section configures vrrp package vrrp_group section. To access configuration settings, click ADD.

Figure 95: The VRRP group configuration page

Table 61: Information table for VRRP group settings

21.4 Configuring VRRP using command line

The configuration file is stored on /etc/config/vrrp.

There are two config sections - main and vrrp_group.

Multiple VRRP groups can be configured. By default, all VRRP group instances are named 'vrrp_group'. It is identified by @vrrp_group then the vrrp_group position in the package as a number. For example, for the first vrrp_group in the package using UCI:

However, to better identify, it is recommended to give the vrrp_group instance a name. For example, to define a vrrp_group instance named 'g1' using UCI, enter:

vrrp.gl.vrrp_group
vrrp.gl.enabled=1 

To define a named keepalive instance using package options, enter:

config vrrp_group 'gl'
option enabled '1' 

21.4.1 VRRP using UCI

To view the configuration in UCI format, enter:

root@VA_router:~# uci show vrrp
vrrp.main=vrrp
vrrp.main.enabled=yes
vrrp.gl=vrrp_group
vrrp.gl.enabled=yes
vrrp.gl.interface=lan
vrrp.gl.track_iface=WAN MOBILE
vrrp.gl.init_state=BACKUP
vrrp.gl.router_id=1
vrrp.gl.priority=100
vrrp.gl.advert_int_sec=120
vrrp.gl.password=secret
vrrp.gl.virtual_ipaddr=10.1.10.150/16
vrrp.gl.garp_delay_sec=5
vrrp.gl.ipsec_connection=Test
vrrp.gl.track_ipsec=conn1 conn2 

21.4.2 VRRP using package options

To view the configuration in package option format, enter:

root@VA_router:~# uci export vrrp
package vrrp

config vrrp 'main'
    option enabled 'yes'

config vrrp_group 'gl'
    option enabled 'yes'
    option interface 'lan'
    list track_iface 'WAN'
    list track_iface 'MOBILE' 

option init_state 'BACKUP'
option router_id '1'
option priority '100'
option advert_int_sec '120'
option password 'secret'
option virtual_ipaddr '10.1.10.150/16'
option garp_delay_sec '5'
option ipsec_connection 'Test'
list track_ipsec 'conn1'
list track_ipsec 'conn2' 

22 Configuring Routing Information Protocol (RIP)

22.1 Introduction

RIP is a dynamic routing algorithm used on IP-based internet networks.

A distance-vector routing algorithm is used by RIP to assist in maintaining network convergence. It uses a metric or 'hop' count as the only routing criteria. Each route is advertised with the number of hops a datagram would take to reach the destination network. The maximum metric for RIP is 15. This limits the size of the network that RIP can support. Smaller metrics are more efficient-based on the cost associated with each metric.

RIP protocol is most useful as an Interior Gateway Protocol (IGP). An IGP refers to the routing protocol used within a single autonomous system. There may be a number of autonomous systems, using different routing protocols, combined together to form a large network.

In most networking environments, RIP is not the preferred choice for routing as its time to converge and scalability are poor compared to EIGRP or OSPF.

22.1.1 RIP characteristics

RIP is a standardised distance vector protocol, designed for use on smaller networks. RIP was one of the first true distance vector routing protocols, and is supported on a wide variety of systems.

RIP adheres to the following distance vector characteristics:

• RIP sends out periodic routing updates, every 30 seconds
• RIP sends out the full routing table every periodic update
• RIP uses a form of distance as its metric, in this case, hopcount
• RIP uses the Bellman-Ford distance vector algorithm to determine the best path to a particular destination

Other characteristics of RIP include:

• RIP supports IP and IPX routing
- RIP utilizes UDP port 520
- RIP routes have an administrative distance of 120
- RIP has a maximum hopcount of 15 hops. Any network that is 16 hops away or more is considered unreachable to RIP, thus the maximum diameter of the network is 15 hops. A metric of 16 hops in RIP is considered a poison route or infinity metric.

If multiple paths exist to a particular destination, RIP will load balance between those paths, by default, up to 4, only if the metric (hopcount) is equal. RIP uses a round-robin system of load-balancing between equal metric routes, which can lead to pinhole congestion.

For example, two paths might exist to a particular destination, one going through a 9600 baud link, the other via a T1. If the metric (hopcount) is equal, RIP will load-balance, sending an equal amount of traffic down the 9600 baud link and the T1. This will cause the slower link to become congested.

22.1.2 RIP versions

RIP has two versions, Version 1 (RIPv1) and Version2 (RIPv2).

RIPv1 (RFC 1058) is classful, and therefore does not include the subnet mask with its routing table updates. Because of this, RIPv1 does not support Variable Length Subnet Masks (VLSMs). When using RIPv1, networks must be contiguous, and subnets of a major network must be configured with identical subnet masks. Otherwise, route table inconsistencies or worse will occur.

RIPv1 sends updates as broadcasts to address 255.255.255.255.

RIPv2 (RFC 2453) is classless, and therefore does include the subnet mask with its routing table updates. RIPv2 fully supports VLSMs, allowing discontinuous networks and varying subnet masks to exist.

Other enhancements offered by RIPv2 include:

• Routing updates are sent via multicast, using address 224.0.0.9
• Encrypted authentication can be configured between RIPv2 routers
• Route tagging is supported

RIPv2 can interoperate with RIPv1. By default:

• RIPv1 routers will sent only Version 1 packets
• RIPv1 routers will receive both Version 1 and 2 updates
• RIPv2 routers will both send and receive only Version 2 updates

Virtual Access ripd package supports RIP version 2 as described in RFC2453 and RIP version 1 as described in RFC1058. It is part of Quagga suite of applications for routing.

22.2 Configuration package used

22.3 Configuring RIP using the web interface

To configure RIP using the web interface, select Network->RIP. The RIP page appears. There are four sections in the RIP page.

22.3.1 Global settings

The web browser automatically names the routing section 'ripd'.

Figure 96: The RIP global settings configuration page

Table 62: Information table for RIP global settings

22.3.2 Offset configuration

This section is used for RIP metric manipulation. RIP metric is a value for distance in the network. Usually, ripd package increments the metric when the network information is received. Redistributed routes' metric is set to 1.

Figure 97: The RIP global settings configuration page

Table 63: Information table for RIP offset commands

22.3.3 Interfaces configuration

Figure 98: The RIP interfaces configuration page

Table 64: Information table for RIP interface configuration

22.3.4 MD5 authentication key chains

RIPv2 (only) allows packets to be authenticated using either an insecure plain text password, included with the packet, or by a more secure MD5 based HMAC (keyed-Hashing for Message AuthentiCation). Enabling authentication prevents routes being updated by unauthenticated remote routers, but still can allow routes, that is, the entire RIP routing table, to be queried remotely, potentially by anyone on the internet, using RIPv1.

This section defines key_chains to be used for MD5 authentication.

Figure 99: The MD5 authentication key chains configuration section

Table 65: Information table for MD5 authentication key chains commands

22.4 Configuring RIP using command line

RIP is configured under the ripd package / etc/ config/ ripd.

There are four config sections ripd, interface, key_chain and offset.

You can configure multiple interface, key_chain and offset sections.

By default, all RIP interface instances are named interface, it is identified by @interface then the interface position in the package as a number. For example, for the first interface in the package using UCI:

ripd.@interface[0]=interface
ripd.@interface[0].rip_interface=lan 

Or using package options:

config interface
option rip_interface 'lan'

By default, all RIP key_chain instances are named key_chain, it is identified by @key_chain then the key_chain position in the package as a number. For example, for the first key_chain in the package using UCI:

ripd.@key_chain[0]=key_chain
ripd.@key_chain[0].key_chain_name=Keychain1 

Or using package options:

config key_chain
option key_chain_name 'Keychain1' 

By default, all RIP offset instances are named offset, it is identified by @offset then the offset position in the package as a number. For example, for the first offset in the package using UCI:

ripd.@offset[0]=offset
ripd.@offset[0].metric=1 

Or using package options:

config offset option metric '1' 

22.4.1 RIP using UCI

root@VA_router:~# uci show ripd
ripd.ripd=routing
ripd.ripd.version=2
ripd.ripd.enabled=yes
ripd.ripd.network=lan2 gre1
ripd.ripd.neighbor=10.1.1.100 10.1.2.100
ripd.ripd.tb_update_sec=30
ripd.ripd.tb_timeout_sec=180
ripd.ripd.tb_garbage_sec=120
ripd.ripd.default_info_originate=yes
ripd.ripd redistribution_kernel_routes=yes
ripd.@interface[0]=interface
ripd.@interface[0].rip_interface=lan
ripd.@interface[0].auth_mode=no
ripd.@interface[0].split_horizon=1
ripd.@interface[0].poison_reverse=0
ripd.@interface[0].passive=0
ripd.@interface[1]=interface
ripd.@interface[1].rip_interface=lan2
ripd.@interface[1].split_horizon=1
ripd.@interface[1].poison_reverse=0
ripd.@interface[1].passive=0 

ripd.@interface[1].auth_mode=text
ripd.@interface[1].auth_key=secret
ripd.@interface[2]=interface
ripd.@interface[2].rip_interface=lan3
ripd.@interface[2].split_horizon=1
ripd.@interface[2].poison_reverse=0
ripd.@interface[2].passive=0
ripd.@interface[2].auth_mode=md5
ripd.@interface[2].key_chain=Keychain1
ripd.@key_chain[0]=key_chain
ripd.@key_chain[0].key_chain_name=Keychain1
ripd.@key_chain[0].key_id=1
ripd.@key_chain[0].auth_key=123
ripd.@offset[0]=offset
ripd.@offset[0].metric=1
ripd.@offset[0].match_network=10.1.1.1/24 

22.4.2 RIP using package options

root@VA_router:~# uci export ripd
package ripd

config routing 'ripd'
    option version '2'
    option enabled 'yes'
    list network 'lan2'
    list network 'gre1'
    list neighbor '10.1.1.100'
    list neighbor '10.1.2.100'
    option tb_update_sec '30'
    option tb_timeout_sec '180'
    option tb_garbage_sec '120'
    option default_info_originate 'yes'
    option redistribute_kernel_routes 'yes'

config interface
    option rip_interface 'lan' 

option auth_mode 'no'
option split_horizon '1'
option poison_reverse '0'
option passive '0'

config interface
option rip_interface 'lan2'
option split_horizon '1'
option poison_reverse '0'
option passive '0'
option auth_mode 'text'
option auth_key 'textsecret'

config interface
option rip_interface 'lan3'
option split_horizon '1'
option poison_reverse '0'
option passive '0'
option auth_mode 'md5'
option key_chain 'keychain1'

config key_chain
option key_chain_name 'Keychain1'
option key_id '1'
option auth_key '123'

config offset
option metric '1'
option match_network '10.1.1.1/24' 

22.5 RIP diagnostics

22.5.1 Route status

To show the current routing status, enter route -n:

root@VA_router:~#
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use
Iface
0.0.0.0 10.205.154.65 0.0.0.0 UG 1 0 0 usb0
10.1.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
10.205.154.64 0.0.0.0 255.255.255.252 U 0 0 0 usb0
11.11.11.0 0.0.0.0 255.255.255.248 U 0 0 0 gre-
GRE
89.101.154.151 10.205.154.65 255.255.255.255 UGH 0 0 0 usb0
192.168.100.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.104.1 11.11.11.4 255.255.255.255 UGH 3 0 0 gre-
GRE
192.168.154.154 11.11.11.1 255.255.255.255 UGH 2 0 0 gre-
GRE 

Note: a route will only be displayed in the routing table when the interface is up.

22.5.2 Tracing RIP packets

RIP uses UDP port 520. To trace RIP packets on any interface on the router, enter:

tcpdump -i any -n -p port 520 & 

root@VA_router:~# tcpdump -i any -n -p port 520 &
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes 

To stop tracing enter fg to bring tracing task to foreground, and then to stop the trace.

root@VA_router:~# fg
tcpdump -i any -n -p port 67
^C
33 packets captured
33 packets received by filter 

0 packets dropped by kernel 

22.5.3 Quagga/ zebra console

Quagga is the routing protocol suite embedded in the router firmware. Quagga is split into different daemons for implementation of each routing protocol. Zebra is a core daemon for Quagga, providing the communication layer to the underlying Linux kernel, and routing updates to the client daemons.

Quagga has a console interface to Zebra for advanced debugging of the routing protocols.

To access, enter: telnet localhost zebra (password: zebra)

root@VA_router:~# telnet localhost zebra
Entering character mode
Escape character is '^]'.
Hello, this is Quagga (version 0.99.21).
Copyright 1996-2005 Kunihiro Ishiguro, et al.
User Access Verification
Password: 

To see RIP routing information from Zebra console, enter: sh ip route

root@VA_router:~# sh ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
    O - OSPF, I - IS-IS, B - BGP, P - PIM, H - HSLS, o - OLSR,
    b - BATMAN, A - Babel,
    > - selected route, * - FIB route
K>* 0.0.0.0/0 via 10.205.154.65, usb0
C>* 10.1.0.0/16 is directly connected, eth1
C>* 10.205.154.64/30 is directly connected, usb0
C>* 11.11.11.0/29 is directly connected, gre-GRE
K>* 89.101.154.151/32 via 10.205.154.65, usb0
C>* 127.0.0.0/8 is directly connected, lo 

C>* 192.168.100.0/24 is directly connected, eth0
R>* 192.168.104.1/32 [120/3] via 11.11.11.4, gre-GRE, 15:54:47
C>* 192.168.105.1/32 is directly connected, lo
R>* 192.168.154.154/32 [120/2] via 11.11.11.1, gre-GRE, 16:09:51 

22.5.4 RIP debug console

When option tty_enabled (see Global settings section above) is enabled in the RIP configuration, RIP debug console can be accessed for advanced RIP debugging.

To access RIP debug console enter: telnet localhost ripd (password zebra)

root@VA_router:~# telnet localhost ripd
Entering character mode
Escape character is '^]'.
Hello, this is Quagga (version 0.99.21).
Copyright 1996-2005 Kunihiro Ishiguro, et al.
User Access Verification
Password: 

To see RIP status from RIP debug console, enter: sh ip rip

root@VA_router:~# show ip rip
Codes: R - RIP, C - connected, S - Static, O - OSPF, B - BGP
Sub-codes:
(n) - normal, (s) - static, (d) - default, (r) - redistribute,
(i) - interface

Network Next Hop Metric From Tag Time
C(i) 11.11.11.0/29 0.0.0.0 1 self 0
R(n) 192.168.104.1/32 11.11.11.4 3 11.11.11.1 0 02:48
C(i) 192.168.105.1/32 0.0.0.0 1 self 0
R(n) 192.168.154.154/32 11.11.11.1 2 11.11.11.1 0 02:48 

To see RIP status from RIP debug console, enter: sh ip rip status

root@VA_router:~# sh ip rip status
Routing Protocol is "rip"
Sending updates every 30 seconds with +/-50%, next due in 17 seconds
Timeout after 180 seconds, garbage collect after 120 seconds
Outgoing update filter list for all interface is not set
Incoming update filter list for all interface is not set
Default redistribution metric is 1
Redistributing:
Default version control: send version 2, receive version 2
Interface Send Recv Key-chain
gre-GRE 2 2
lo 2 2
Routing for Networks:
11.0.0.0/8
192.168.105.1/32
Routing Information Sources:
Gateway BadPackets BadRoutes Distance Last Update
11.11.11.1 0 0 120 00:00:20
Distance: (default is 120) 

23 Configuring Multi-WAN

Multi-WAN is used for managing WAN interfaces on the router, for example, 3G interfaces to ensure high-availability. You can customise Multi-WAN for various needs, but its main use is to ensure WAN connectivity and provide a failover system in the event of failure or poor coverage.

Multi-WAN periodically does a health check on the interface. A health check comprises of a configurable combination of the following:

• interface state
  • pings to an ICMP target
• signal level checks using signal threshold, RSCP threshold and ECIO threshold option values

A fail for any of the above health checks, results in a fail. After a configurable number of health check failures, Multi-WAN will move to the next highest priority interface. Multi-WAN will optionally stop the failed interface and start the new interface, if required.

In some circumstances, particularly in mobile environments, it is desirable for a primary interface to be used whenever possible. In this instance Multi-WAN will perform a health check on the primary interface after a configurable period. If the health checks pass for the configured number of recovery health checks then the primary will be used.

23.1 Configuration package used

23.2 Configuring Multi-WAN using the web interface

In the top menu, select Network -> Multi-Wan. The Multi-WAN page appears.

Multi-WAN

Multi-WAN allows for the use of multiple uplinks for load balancing and failover.

Enable

Preempt

Alternate Mode

It will use alternate interface after reboot

Figure 100: The multi-WAN page

Table 66: Information table for multi-WAN page

When you have enabled Multi-WAN, you can add the interfaces that will be managed by Multi-WAN, for example 3G interfaces.

The name used for Multi-WAN must be identical, including upper and lowercases, to the actual interface name defined in your network configuration. To check the names and settings are correct, select Network -> Interfaces and view the Interfaces Overview page.

In the WAN interfaces section, enter the name of the WAN interface to configure, and then click Add. The new section for configuring specific parameters appears.

WAN Interfaces

Health Monitor detects and corrects network changes and failed connections.

WAN

Figure 101: Example interface showing failover traffic destination as the added multi-WAN interface

Table 67: Information table for multi-WAN interface page

23.3 Configuring Multi-WAN using UCI

Multi-WAN UCI configuration settings are stored on /etc/config/multiwan

Run UCI export or show commands to see multiwan UCI configuration settings. A sample is shown below.

root@VA_router:~# uci export multiwan

package multiwan

config multiwan 'config'
    option preempt 'yes'
    option alt_mode 'no'
    option enabled 'yes'

config interface 'wan'
    option disabled '0'
    option health_interval '10'    option health_fail_retries '3'
    option health_recovery_retries '5'
    option priority '2'
    option manage_state 'yes'
    option exclusive_group '0'
    option ifup_retry_sec '40'
    option icmp_hosts 'disable'
    option icmp_interval '1'
    option timeout '3'
    option icmp_count '1'
    option conntrack_hosts 'disable'    option signal_threshold '-111'

    option rscp_threshold '-90'
    option ecio_threshold '-15'
    option ifup_timeout_sec '120'

root@VA_router:~# uci show multiwan
multiwan.config=multiwan
multiwan.config.preempt=yes
multiwan.config.alt_mode=no
multiwan.config.enabled=yes
multiwan.wan=interface
multiwan.wan.disabled=0
multiwan.wan.health_interval=10multiwan.wan.health_fail_retries=3
multiwan.wan.health_recovery_retries=5
multiwan.wan.priority=2
multiwan.wan.manage_state=yes 

multiwan.wan.exclusive_group=0
multiwan.wan.ifup_retry_sec=36000
multiwan.wan.icmp_hosts=disable
multiwan.wan.timeout=3
multiwan.wan.icmp_interval '1'
multiwan.wan.timeout '3'
multiwan.wan.icmp_count '1'
multiwan.wan.conntrack_hosts 'disable'
multiwan.wan.signal_threshold=-111
multiwan.wan.rscp_threshold=-90
multiwan.wan.ecio_threshold=-15 

23.4 Multi-WAN diagnostics

The multi-WAN package is linked to the network interfaces within /etc/config/network.

Note: multi-WAN will not work if the WAN connections are on the same subnet and share the same default gateway.

To view the multi-WAN package, enter:

root@VA_router:~# uci export multiwan
package multiwan

config multiwan 'config'
    option enabled 'yes'
    option preempt 'yes'
    option alt_mode 'no'

config interface 'ADSL'
    option health_interval '10'
    option icmp_hosts 'dns'
    option timeout '3'
    option health_fail_retries '3'
    option health_recovery_retries '5'
    option priority '1'
    option manage_state 'yes'
    option exclusive_group '0'
    option ifup_retry_sec '300'
    option ifup_timeout_sec '40' 

config interface 'Ethernet'
option health_interval '10'
option icmp_hosts 'dns'
option timeout '3'
option health_fail_retries '3'
option health_recovery_retries '5'
option priority '2'
option manage_state 'yes'
option exclusive_group '0'
option ifup_retry_sec '300'
option ifup_timeout_sec '40' 

The following output shows the multi-WAN standard stop/start commands for troubleshooting.

root@VA_router:~# /etc/init.d/multiwan
Syntax: /etc/init.d/multiwan [command] 

Available commands:

start Start the service
stop Stop the service
restart Restart the service
reload Reload configuration files (or restart if that fails)
enable Enable service autostart
disable Disable service autostart 

When troubleshooting, make sure that the routing table is correct using

route -n.

Ensure all parameters in the multi-WAN package are correct. The name used for multi-WAN interfaces must be identical, including upper and lowercases, to the interface name defined in the network configuration.

To check the names and settings are correct, browse to Network -> interfaces (or alternatively, run: cat/etc/config/network through CLI).

Enter the name of the WAN interface to configure, and then click Add. The new section for configuring specific parameters will appear.

24 Automatic operator selection

This section describes how to configure and operate the Automatic Operator Selection feature of a Virtual Access router.

When the roaming SIM is connected, the radio module has the ability to scan available networks. The router, using mobile and multi-WAN packages, finds available networks to create and sort interfaces according to their signal strength. These interfaces are used for failover purposes.

24.1 Configuration package used

24.2 Configuring automatic operator selection via the web interface

While the router boots up it checks for mobile networks. Based on available networks, the router creates interfaces and the multiwan package is used to run failover between interfaces. Typically these auto-generated interfaces are sorted by signal strength.

Details for these interfaces are provided in the mobile package. When you have created the interfaces, Multi-WAN manages the operation of primary (predefined) and failover (auto created) interfaces.

Multi-WAN periodically does a health check on the active interface. A health check comprises of a configurable combination of the following:

• interface state
  • pings to an ICMP target
• signal level checks using signal threshold, RSCP threshold and ECIO threshold option values

A fail for any of the above health checks results in an overall fail. After a configurable number of health check failures, multiwan will move to the next highest priority interface. Multi-WAN will optionally stop the failed interface and start the new interface, if required.

In some circumstances, particularly in mobile environments, it is desirable for a primary interface to be used whenever possible. In this instance, if the active interface is a not the primary interface, multiwan will perform a health check on the primary interface after a configurable period. If the health checks pass for the configured number of recovery health checks then the primary interface will be used.

There are typically three scenarios:

• Primary Mobile Provider (PMP) + roaming: pre-empt enabled
• PMP + roaming: pre-empt disabled
- No PMP + roaming

24.2.1 Scenario 1: PMP + roaming: pre-empt enabled

24.2.1.1 Overview

In this scenario, the PMP interface is used whenever possible.

The PMP interface is attempted first. When the health checks fail on the PMP interface, and Multi-WAN moves to an autogenerated interface, a timer is started multiwan option ifup_retry_sec. On expiration of this timer, multiwan will disconnect the current interface and retry the PMP interface.

The PMP interface will then be used if the configurable number of health checks pass the checks.

24.2.1.2 Software operation

1. Multiwan first attempts to bring up the PMP interface. If the PMP interface connects within the time set by multiwan option ifup_timeout continue to step 2. Otherwise go to step 4.
2. A health check is periodically done on the PMP interface as determined by the multiwan option health_interval. If the health check fails for the number of retries (multiwan option health_fail_retries), disconnect the PMP interface.
3. Connect the first auto-generated interface.
4. If the interface connects within the time set by multiwan option ifup_timeout continue to step 5, otherwise multiwan moves to the next auto-generated interface.
5. Wait until the health check fails on the auto-generated interface, or until the PMP interface is available to connect after it was disconnected in step 2. (multiwan option ifup_retry_sec).
6. Disconnect auto-generated interface.
7. If the interface was disconnected due to health check failure then connect the next auto-generated interface and repeat step 4. If the interface was disconnected because ifup_retry_sec of PMP interface timed out, then go back to step 1 and repeat the process.

The PMP predefined interface is defined in the network package. Ensure the interface name matches the interface name defined in the multiwan package.

24.2.1.3 Create a primary predefined interface

In the web interface top menu, go to Network -> Interfaces. The Interfaces page appears.

Figure 102: The interface overview page

Click Add new interface... The Create Interface page appears.

Figure 103: The create interface page

Table 68: Information table for the create interface page

Click Submit. The Common Configuration page appears.

Figure 104: The common configuration page

Table 69: Information table for the general set up section

Click Save & Apply.

24.2.1.4 Set multi-WAN options for primary predefined interface

On the web interface go to Network ->Multi-Wan. The Multi-WAN page appears.

Figure 105: The multi-WAN page

In the WAN Interfaces section, type in the name of the Multi-WAN interface.

Click Add. The Multi-WAN page appears.

Figure 106: The multi-WAN page

Table 70: Information table for Multi-WAN page

Click Save.

24.2.2 Set options for automatically created interfaces (failover)

From the top menu on the web interface page, select Services -> Mobile Manager. The Mobile Manager page appears.

There are four sections in the mobile manager page:

24.2.3 Mobile manager: basic settings

Figure 107: The mobile manager basic page

Table 71: Information table for mobile manager basic settings

24.2.4 Mobile manager: CDMA settings

This configuration page is only supported for the Telit CE910-SL CDMA module.

Figure 108: The mobile manager CDMA page

Table 72: Information table for mobile manager CDMA settings

24.2.5 Mobile manager: callers

Figure 109: The mobile manager CDMA page

Table 73: Information table for mobile manager callers settings

24.2.6 Roaming interface template

Figure 110: The roaming interface template page