TELiG User Guide Firmware Rev 2.5.
NOTICE Due to the nature of wireless communications, data delivery cannot be guaranteed. Data transmission or reception may be corrupted, delayed, or lost. The E1500 product should not be used in situations where failure of communications could result in damage of any kind to the user or any other party. Council Rock assumes no liability for damages resulting from delays or errors in data transmitted or received using the E1500 product, or for failure of the product to transmit or receive data.
Contents
Overview
E1500
Product Description
Hardware Summary
RF Specifications
Regulatory Info
Certifications
Overview E1500 Product Description The Council Rock E1500 is a rugged edge computing device with LTE communications capability and Remote Terminal Unit (RTU) protocol bridging features. It provides wireless connectivity for a wide range of critical infrastructure applications including Industrial IoT, Distribution Automation (DA), Distributed Intelligence, and Smart Cities.
The E1500 leverages OpenWRT Linux and includes several sophisticated software packages tailored to Distribution Automation solutions, including: ● Automatic Network Routing software that ensures connectivity of RTU devices to connected networks through the serial and Ethernet ports. ● IP Router/Firewall/VPN capabilities including BGP, MPLS, RIPv2, EIGRP, LDP, ISIS, OSPF, DMVPN, RPL, GRE, etc.
Product Details Description The E1500 is an edge computing WLAN device that connects end devices to the enterprise network with multiple interface options.
Front Panel Figure 4: Models E1500-LW, E1500-8W Figure 3: Models E1500-L8N, E1500-8NW Top Row (1) Status LED – System status indicator for LTE models.
RF Ports map to wan interfaces as shown in the table below, where “Main” indicates the primary radio antenna connector, while “Aux” indicates the secondary radio antenna.
Pin  RS232 (serial)  RS485 (ModBus)  RS232 (console)
1    -               -               RTS
2    -               -               DTR
3    -               -               TXD
4    GND             GND             GND
5    TXD             -               GND
6    RXD             Modbus B        RXD
7    RTS             -               DSR
8    CTS             Modbus A        CTS
Table 4: Common Serial pinouts

(1) Alarm / Power Connector – Door alarm / tamper sensor inputs and DC power. Alarm connection is a dry contact.
Hardware The E1500 unit consists of two primary circuit boards: a Gateway processor card and a power/interface card. The Power/Interface card includes a wideband DC power supply that converts primary input power to the voltages required for the processor and peripherals. The Power/Interface card also includes circuitry to convert serial data signals into EIA-561 compatible serial via an RJ-45 connector. The unit can be powered through the front panel terminal block connector (9-60VDC) or through 802.
Figure 10: Software Architecture The device comes configured with a suite of tools and services to enable Distribution Automation (DA), Smart Networking, and Network Function Virtualization. The software supports an edge intelligence framework that can run 3rd party applications. The Linux operating system is customized with advanced features to enable secure resource allocation and isolation, which provide the foundation for containerizing these applications.
Configuration Initial Setup Unpacking Check the contents against the packing list secured to the outside of the box when unpacking. Council Rock recommends saving all shipping materials in case the unit needs to be returned. Contact Council Rock Support for assistance or notification of any issues. Connect 1. 2. 3. 4. 5. 6. 7.
Web Admin
1. Connect a standard Ethernet cable from your PC to Ethernet 1 on the front panel.
2. The unit should receive an IP address in the 10.0.0.0/24 range from the DHCP server. If not, configure the PC interface with a static IP in the 10.0.0.0/24 subnet, except 10.0.0.1 which is used by the Ethernet 1 interface.
3. Using a web browser, navigate to https://10.0.0.1.
5. For each SIM card installed, an Access Point Name (APN) must be configured. a. Navigate to Network > SIMs b. Note the interface for each SIM in the General Info Section c. In the APNs section, use the text boxes listed under the appropriate interface to enter each SIMs APN d.
Troubleshooting After completing the procedure in “Connect” above, the E1500 should display a solid green light and be ready to use. If it is not, connect to the web admin using the procedure in “Web Admin” above, and review these troubleshooting steps: 1. Navigate to Status > LTE > Overview and review the information displayed. Identify the WAN interface you expect to use. 2. Confirm that the connection state is “connected”, and the operator is the expected provider. If not, verify the device information.
Settings and Web Admin Interface The unit settings are managed through the Web Admin Interface, accessible through a web browser as described in Initial Setup. The unit settings are grouped by function as follows:
● STATUS
● SYSTEM
● VPN
● SERVICES
● NETWORK
Menus are organized by function in the left sidebar. Submenus for each function are accessible via Tab headings in the main window.
Overview The System Status Overview is displayed, including system information regarding hardware including serial number, model, and software version as well as memory utilization, network connections including IP/DHCP info for the active network, active DHCP leases, and Multi-Wide Area Network (MWAN) interfaces.
Firewall A complete list of active Firewall rules is displayed in this menu, with real time data regarding network traffic handled by these rules. IPV4 and IPV6 are separately displayed by selecting the Tab at the top of the main window. Firewall rules are shown at the WAN and LAN level for Inputs, Outputs, Forwarding, Rejection, and Quality of Service (QoS). Rules are sorted into Tables by FILTER / NAT / MANGLE / RAW. Firewall NAT tables apply to IPv4 only.
LTE Displays information on the state of LTE modems and connections. Submenus are accessible at the top of the LTE menu for displaying an overview of LTE WAN connections, LTE Bearers, LTE Signal indicators, and a Scan tool for troubleshooting.
Signal Quality is shown as a percentage in the range from 0-100%, where higher percentage indicates better signal quality. Signal quality is based on the LTE radio’s RSSI level. In general, signal quality above 40% is usable. The Bearers tab provides information on each LTE bearer network established for each modem present, including interface status, IPv4 and/or IPv6 network information, and data transmission statistics.
Signal quality level with respect to RSRQ thresholds (Referenced from TIA TSB-88.
Finally, the Scan tab provides a tool for the user to perform a network scan for time intervals from 30 to 90 seconds using any system modems, listing carriers detected. Details are given for Operator Code, Operator Name, Access Technology, and Availability. Figure 19: Status > LTE Scan: Cellular Network Scanning Tool GPS Information retrieved from the E1500's GPS connection is displayed. This includes the last known GPS location and time.
Routes Displays information on currently configured routing rules. The rules are divided into IPv4 and IPv6. An ARP table and an IPv6 neighbors table are also provided. Figure 21: Status > Routes System Log The operating system log output is displayed.
Kernel Log The operating system kernel log is displayed. Figure 23: Status > Kernel Log Processes A list of currently running system processes is displayed, including process ID (PID), owner, command, and CPU / memory usage. Action buttons are provided to quit a process: "Hang Up" and, to forcibly quit an unresponsive process, the more aggressive "Terminate" and "Kill".
Realtime Graphs Displays live graphs of system performance. The Load tab displays a live graph of the queue of processes handled by the CPU, as well as average and peak loads for the past 1, 5, and 15 minutes. Note that in a single core CPU, a load of 1.0 is considered fully loaded. Figure 25: Status > Realtime Graphs > Load The Traffic tab shows a live graph of inbound and outbound traffic as well as a table of average and peak inbound and outbound traffic.
The Connections tab provides a live graph of network connections, divided into TCP, UDP, and others, including averages and peaks. A table lists each active connection, its protocol, source, destination, and amount of data transferred. Figure 27: Status > Realtime Graphs > Connections Finally, the Rate tab shows the real time download and upload rates by IP address, as well as total bytes and total packets over which the rate is calculated.
Load Balancing Provides information on MWAN interfaces. The Interface tab lists all available MWAN interfaces and their status. Figure 29: Status > Load Balancing > Interface MWAN interfaces are the interfaces participating in a configured load balancing process. See LAN to WAN Traffic or Radio Module Failover use cases for details on how to configure these interfaces.
The Diagnostics tab includes basic tools for testing MWAN interfaces (Gateway ping, Ping tracking IP, Check IP rules, Check routing table, Hotplug ifup, Hotplug ifdown).
The Troubleshooting tab shows the operating system’s output after running diagnostic commands. Information on network interfaces, active routes, routing, and firewall rules can be inspected on the output display.
SYSTEM System menus provide access to the unit’s settings. Here the user can rename the unit and set the administrator password and time settings. Firmware backups/updates are handled here as well as installation and removal of software packages, system startup tasks and recurring tasks. LED status indicators can be configured, and serial port protocols can be set. Advanced users can configure and execute custom commands (shell commands) defined by an admin user.
Figure 35: System > System > Time Synchronization Figure 36: System > System > Language and Style
Administration Usernames and passwords are configured in the Administration submenu. The Router Password tab lets the user change the device’s root password. The root user is currently the only user who can access the GUI. Future firmware revisions will allow other users to access the GUI. Figure 37: System > Administration > Router Password The SSH Access tab lets the user enable or disable general users and/or the root user over SSH with password authentication.
The SSH-Keys tab displays uploaded SSH public keys, and lets you upload an SSH public key to access SSH using public-private keypair authentication. Figure 39: System > Administration > SSH-Keys Software Displays free space on the device, and allows the installation, removal, and updating of software packages. The Available tab shows packages available through the configured package manager. The Installed tab shows currently installed packages and allows for their removal.
To configure OPKG, click on the “Configure OPKG” option. The OPKG Configuration screen will pop up. Figure 41: OPKG Configuration On the OPKG configuration screen, go to the last section “opkg/disfeed.conf” and change the default repository to the desired repository where you are hosting the packages you would like to install. Click save after you are done. Click the UPDATE LISTS button to show the available packages in the newly configured repository.
Figure 42: Install new packages. Figure 43: Detailed list of packages (example: block-mount) Clicking INSTALL will show software details as in the example ‘block-mount’ package shown above. Software details including Version, Size, and Dependencies are displayed. A description of the software package is shown at the bottom. The option to overwrite files from other package(s) is selectable by a check box. From this dialog, the user can select CANCEL to go back or INSTALL to install the software package.
Startup The Startup submenu lets the user configure startup and initialization programs. The Initscripts tab displays a list of the available initialization scripts, their priorities, and whether they are enabled or disabled (for run on startup). You can also toggle the scripts between enabled and disabled, and manually start, restart, or stop a script.
Important: Custom Shell Scripting is intended only for Advanced Users. Scheduled Tasks Here the user can set up “cron jobs” - recurring tasks which are configured to run on a set schedule. Figure 46: System > Scheduled Tasks Important: Cron Jobs are intended only for Advanced Users. LED Configuration The status LED is a red/green LED that can be customized to the user’s preferences. The LED Configuration screen lists LED behaviors (actions) and lets the user edit, delete, and reorder them.
Since the status LED contains a green and a red LED, each color can be configured to its own action. For maximum clarity, a simple green ‘always on’ power indicator is typical. Multiple actions can be configured but for simplicity we recommend no more than a one-to-one mapping of a color to an action (maximum of two actions in the list). A new LED action can be added by clicking “Add LED Action”. To edit an existing action, click “EDIT.
Figure 47: System > LED Configuration The example configuration shown above is set up for a green ‘always on’ power indicator with a simultaneous red LAN1 send/receive indicator. Note that the red LED in this example will act the same as the existing ethernet port LED - and therefore is not a recommended LED action based on the rule of thumb of simplicity. “Netdev” trigger settings for the red LED action are seen below.
Backup / Flash Firmware This menu gives access to the unit firmware. The Action tab lets the user backup and restore firmware.
The Configuration tab gives the user the option to specify files and directories to be preserved when flashing new firmware.
Custom Commands Allows for setup and execution of custom commands. These can be any applicable Linux command typically run from a command line interface. As such, these commands should only be performed by an advanced user. The Dashboard tab displays currently configured custom commands and provides a button to run the command. Clicking RUN will display the command output at the bottom of the page when the command has completed.
The Configure tab lets the user add new custom commands and edit and delete existing ones. Warning: Custom Commands are intended only for Advanced Users. Figure 53: System > Custom Commands > Configure Reboot Lets the user perform a Reboot. This is a soft reboot, which restarts the unit and all components without removing power.
VPN The VPN menu lets the user configure Virtual Private Network (VPN) settings using IPSec and OpenVPN. For details on these two VPN options, see https://openvpn.net/ and https://www.strongswan.org/. IPSec Under IPSec there are two main tabs. Status shows the status of all active IPSec configurations, and Config lets the user configure IPSec Connections, Tunnels, and Ciphers.
IPSec is a secure network protocol for encrypting communications between two points, the client and server. To create a configuration there are three steps: 1. define the cipher proposal for authentication (ADD NEW CIPHER PROPOSAL) 2. define the tunnel parameters for encryption (ADD NEW TUNNEL) 3.
Figure 58: IPSec Tunnel configuration The last step in setting up a VPN with IPSec encryption is defined in the Connections window. Here, peer network information (detailing the other end of the VPN tunnel) is entered, and the Cipher (Phase 1) Proposal and Tunnel are selected.
OpenVPN OpenVPN is an open-source VPN protocol that executes virtual private network (VPN) techniques for producing safe site-to-site or point-to-point connections in remote access facilities and bridged or routed configurations. The OpenVPN menu displays a list of configured VPNs and their current states and allows the user to enable, start/stop, add, edit, or delete VPNs.
OpenVPN Templates provided are: ● ● ● ● ● ● Client configuration for an ethernet bridge VPN populates basic settings for a client VPN session where the IP network of the server will be extended to the tunnel interface assigned to this VPN session. The kernel virtual network device is set to TAP which is an Ethernet level (layer 2) and acts like a switch.
#
# Routed client
#
config openvpn_recipe client_tun
	option _description "Client configuration for a routed multi-client VPN"
	option _role "client"
	option client "1"
	option dev "tun"
	option remote "vpnserver.example.org 1194"
	option ca "ca.crt"
	option cert "my_client.crt"
	option key "my_client.key"
	option dh "dh1024.
# # Routed multi-client server # config openvpn_recipe server_tun option _description option _role option dev option port option server option ca option cert option key option dh option client_to_client "1" option keepalive option comp_lzo "Server configuration for a routed multi-client VPN" "server" "tun" "1194" "10.0.100.0 255.255.255.0" "ca.crt" "server.crt" "server.key" "dh1024.
New VPNs can be uploaded from an OpenVPN configuration file, or by using one of the provided VPN templates. Note that when using template configuration, the user must edit the VPN after creation to provide the required information. However, this option is only for client configurations. Use the “OVPN configuration file upload” dialog to name the new configuration and click UPLOAD. The new configuration appears in the table.
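A review pass over recipe settings like those in the templates above, as an added example that is not Council Rock or OpenWrt code: it parses UCI openvpn_recipe text and flags options worth changing before a VPN created from a template goes into service. The sample input is constructed, and the remote_cert_tls and verify_x509_name option names are assumed to be the UCI spellings of the corresponding OpenVPN directives.

```python
import re
import shlex

# Constructed sample in the "openvpn_recipe" layout shown above. File names and
# addresses are illustrative and were not read from a real E1500.
SAMPLE_RECIPES = """
config openvpn_recipe server_tun
	option _description "Server configuration for a routed multi-client VPN"
	option _role "server"
	option dev "tun"
	option port "1194"
	option server "10.0.100.0 255.255.255.0"
	option ca "ca.crt"
	option cert "server.crt"
	option key "server.key"
	option dh "dh1024_sample.pem"
	option client_to_client "1"
	option comp_lzo "yes"

config openvpn_recipe client_tun
	option _role "client"
	option dev "tun"
	option remote "vpnserver.example.org 1194"
	option ca "ca.crt"
	option cert "my_client.crt"
	option key "my_client.key"
"""


def parse_uci(text):
    """Parse UCI text into sections: {'type', 'name', 'options'} ('list' lines ignored)."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:
            # Unbalanced quote, e.g. a line cut off mid-value: skip it.
            continue
        if tokens[0] == "config" and len(tokens) >= 2:
            name = tokens[2] if len(tokens) > 2 else ""
            sections.append({"type": tokens[1], "name": name, "options": {}})
        elif tokens[0] == "option" and len(tokens) >= 3 and sections:
            sections[-1]["options"][tokens[1]] = tokens[2]
    return sections


def audit_recipe(section):
    """Return (option, reason) findings for one parsed recipe section."""
    opts = section["options"]
    findings = []

    # Heuristic: the DH file name usually carries the parameter size.
    size = re.search(r"dh[_-]?(\d{3,5})", opts.get("dh", ""))
    if size and int(size.group(1)) < 2048:
        findings.append(("dh", "file name suggests %s-bit DH parameters; "
                               "generate 2048-bit or larger" % size.group(1)))

    if opts.get("comp_lzo", "no") != "no":
        findings.append(("comp_lzo", "compression enabled; compressing before "
                                     "encryption can leak plaintext"))

    if opts.get("client_to_client") == "1":
        findings.append(("client_to_client", "client-to-client traffic is relayed "
                         "inside OpenVPN and is not seen by the device firewall"))

    # Templates ship with a placeholder peer that must be edited after creation.
    remote_host = opts.get("remote", "").split(" ")[0]
    if remote_host.endswith((".example.org", ".example.com", ".example")):
        findings.append(("remote", "template placeholder host not replaced"))

    # Assumed UCI option names for server-certificate verification on clients.
    if opts.get("_role") == "client" and not (
            opts.keys() & {"remote_cert_tls", "verify_x509_name"}):
        findings.append(("remote_cert_tls", "client does not check that the "
                                            "peer presents a server certificate"))
    return findings


def audit_text(text):
    """Map each openvpn_recipe section name to the list of flagged option names."""
    return {s["name"]: [opt for opt, _ in audit_recipe(s)]
            for s in parse_uci(text) if s["type"] == "openvpn_recipe"}


if __name__ == "__main__":
    for sec in parse_uci(SAMPLE_RECIPES):
        for opt, reason in audit_recipe(sec):
            print("%s: %s: %s" % (sec["name"], opt, reason))
```

The DH check reads only the file name, so confirm the real parameter size on the device before relying on a clean result.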
SERVICES The Services submenus give access to the following settings: ● Serial Gateway - Includes drop down options for Gateway types: ○ Distributed Network Protocol (DNP3) Gateways ○ Modbus Gateways - Modbus is a standard industrial Programmable Logic Controller (PLC) communication protocol over a serial interface. ● SNMPD - Simple Network Management Protocol (SNMP) is an Internet Standard protocol for device management over IP networks.
Figure 61: Services > Serial Configuration
QoS over Nftables (Quality of Service) This menu controls QoS at the packet level. It lets the user set Upload and Download Rate Limits to prioritize network traffic for each system interface. Rate Limits can be created to match traffic based on source IP address. Existing classification rules can be edited or deleted. NFT-QoS Settings > Limit Rate contains settings for Download and Upload rate limits. Select the Limit Enable checkbox.
Static QoS-Download Rate / Static QoS-Upload Rate sections are configurable when the Limit Rate is enabled. These sections allow the user to set Download / Upload rates for specific IP address(es). Click the ADD button and enter each hostname, IP address, MAC (optional) and Limit Rates in bytes/sec, Kbytes/sec, or Mbytes/sec. These Static QoS Rates are configurable in either Limit Type: Static or Limit Type: Dynamic (described in the Limit Rate settings above).
SNMPD This menu provides Simple Network Management Protocol (SNMP) configuration via SNMP agents, SNMP traps, and SNMP informs, to manage the device over the network. SNMP is implemented via the Linux daemon net-snmpd. For more information on configuring SNMPD, see http://net-snmp.sourceforge.net/wiki/index.php/Snmpd.
NETWORK Interfaces Displays information on and allows the configuration of the unit’s network interfaces. Each interface is listed with information including protocol, uptime, MAC address, transmitted and received data, and IPv4/IPV6 address and netmask (if applicable). The user can add / edit / delete interfaces and stop or restart active interfaces. Figure 65: Network > Interfaces To add interfaces, enter a name, select a protocol, and select the physical interface (multiple interfaces if bridging).
Available Options on the Interface editing dialogue vary depending on the selected protocol.
Figure 67: Interfaces > LANx > General Settings Figure 68: Interfaces > LANx > Advanced Settings On the Physical Settings tab, the user can select whether to bridge physical interfaces, and select the physical interface (or interfaces, in the case of a bridge). If bridging is enabled, the user can enable/disable STP and IGMP snooping.
Bridging physical interfaces allows all ports in the bridge to act as a single network. By enabling bridging, we can combine, for example, the WiFi (WLAN) interface(s) with the wired LAN ports to create a single logical network. We can also combine the two ethernet ports if desired. Figure 69: Interfaces > LANx > Physical Settings On the Firewall Settings tab, the user can create / assign the interface’s firewall-zone. The router Firewall collects interfaces into ‘firewall-zones’ to filter traffic.
Figure 70: Interfaces > Firewall Settings On the DHCP Server tab, the user can set up the interface as a DHCP (Dynamic Host Configuration Protocol) Server. Figure 71: Interfaces > DHCP Server > General General Settings – Here the user can set the following general options:
• Ignore interface – select the checkbox to bypass DHCP for this interface
• Start: the starting number for address leases (the “N” in the IP address x.x.x.
• Lease Time: the time before leased addresses expire (for hours use ‘h’, for minutes use ‘m’; the minimum allowable is 2m) Advanced Settings – Here the user can set up the following Advanced DHCP options: • Dynamic DHCP – select the checkbox to automatically manage DHCP addresses. Leaving the box unchecked will limit IP address leases to clients with static addresses. • Force – select the checkbox to force DHCP on the interface even if another DHCP server is detected • IPv4-Netmask – (default 255.255.
• Announced DNS servers – add an IP address to the text box and click the ‘+’ button to set the DNS server to be announced
• Announced DNS domains – add an IP address to the text box and click the ‘+’ button to set the DNS domain to be announced
From the OpenWRT manual: OpenWrt features a versatile RA & DHCPv6 server and relay. Per default, SLAAC (Stateless Address Autoconfiguration) and both stateless and stateful DHCPv6 are enabled on an interface.
Wireless (Available on “W” models) Displays active wireless networks and associated stations. Wireless network interfaces can be enabled / disabled / restarted / added / edited / removed. Figure 74: Wireless > Overview A Restart button can be used to restart the wireless interface. A Scan button starts a network scan for detectable wireless networks, displaying signal strength, SSID (network name), encryption type, and other network information.
When adding / editing a wireless network, the Edit wireless network dialogue is displayed. The General Setup tab (located on the top card of the Edit wireless network dialogue) lets the user enable or disable the network, select the frequency band and channel, and set maximum transmit power.
Figure 76: Wireless > Wireless Network > Advanced [Top Card] and General Setup [Bottom Card] Configuration options available on the bottom card of the Edit wireless network dialogue vary depending on the wireless mode configuration. A common configuration, for example, is to configure the unit as a wireless access point.
The most common is WPA2-PSK password-based encryption. After selecting “WPA2-PSK (strong security)” from the dropdown, the user can enter the Key (password), and optionally enable WPS push button authentication. Figure 77: Wireless > Wireless Network > Wireless Security [Bottom Card] Alternatively, if a RADIUS authentication server exists on the network, the user can select “WPA2-EAP (strong security)” from the dropdown to set up RADIUS authentication. Follow these steps to set up RADIUS: 1.
For both WPA2-PSK and WPA2-EAP encryption, the user has the option to select a cipher, and configure 802.11r fast transition, 802.11w management frame protection, and key reinstallation countermeasures. Under the MAC-Filter tab (located on the bottom card of the Edit wireless network dialogue), the user can set up a blacklist (do not allow) or whitelist (only allow) of devices with specific MAC addresses.
Under the Advanced Settings tab (located on the bottom card of the Edit wireless network dialogue), the user can configure advanced settings for the wireless network such as preventing client to client communication and overriding the default wireless interface name. Figure 79: Wireless > Wireless Network > Advanced Settings [Bottom Card] Bridge VLANs Allows the user to configure groups of ports as ‘virtual LANs’ The Status tab displays the status of the bridge interfaces and VLANs.
The Configure tab lets the user enable bridge VLAN filtering and specify a bridge interface to use, and to add, edit, and delete bridge VLAN assignments. Figure 81: Network > Bridge VLANs > Configure DHCP and DNS The DHCP and DNS menu lets the user configure Dynamic Host Configuration Protocol (DHCP) server and Domain Name System (DNS) forwarder options for local Network Address Translation (NAT) networks.
The General Settings tab allows the user to set the general behavior for the DHCP server and DNS forwarder. Figure 82: Network > DHCP and DNS > General Settings The Resolv and Hosts Files tab lets the user specify configuration files for the DHCP server, specify a DHCP lease file, specify a DNS resolve file, and specify additional hosts files (in addition to the default /etc/hosts).
The TFTP Settings tab is to enable and configure the root directory for a TFTP server. Figure 84: DHCP and DNS > TFTP Settings The Advanced Settings tab allows the configuration of advanced behavior settings for the DHCP server and DNS forwarder.
Finally, the Static Leases tab lets the user view, add, and edit static leases for DHCP clients as well as view active DHCP leases for IPv4 and IPv6 clients. Static DHCP leases can be configured with optional symbolic hostnames and custom lease times. Figure 86: DHCP and DNS > Static Leases SIMs The SIMs menu displays current SIM card info in the General Info section.
Hostnames The Hostnames menu lets the user set up custom hostnames for IP addresses. You can add a new hostname entry by clicking the ADD button and entering a hostname then selecting an IP address from the dropdown menu or You can edit or delete existing entries, and reorder entries by dragging them to another location in the list with the ‘ ’ icon.
Static Routes Static routes provide one of the safest methods of Layer 3 connectivity. These are secure from route spoofing attacks because your router does not rely on routing information being sent and received from other routers. All the routing information is user controlled and locally configured.
○ Gateway: Defines where the router should send traffic. If omitted, the gateway from the parent interface is taken if any, otherwise creates a link scope route. If set to 0.0.0.0 no gateway will be specified for the route. Figure 91: Network > Static Routes > General Settings ● ADVANCED SETTINGS ○ Metric: (default: 0) Metric is used as a sorting measure. If a packet that is about to be routed fits two rules, the one with the lower metric is applied.
■ anycast: these destinations are anycast: equivalent to local with one difference - such addresses are invalid when used as the source address of any packet ○ Route Table: (default: main (254)) Defines the table ID to use for the route. The special aliases local (255), main (254) and default (253) as well as ‘custom’ are selectable from the dropdown list. If ‘custom’ is used, enter a number ranging from 0 to 65535 directly in the dropdown.
Firewall The Firewall menu is for setting up Firewall Zones, Rules, and Port Forwarding. The General Settings tab contains default Firewall settings and provides add / edit / delete functions for the listed Firewall Zones. Figure 93: Network > Firewall > General NOTE: “Software flow offloading” is a Linux kernel-based routing process using netfilter, allowing specific kernel modules to register callback functions to the networking stack.
When creating a new firewall zone or editing an existing one, the Firewall - Zone Settings dialogue appears with the following submenus: Firewall - Zone Settings > General Settings contains settings for: ● Zone name ● Zone input, output, and traffic forwarding behavior ● Networks covered by the zone ● Forwarding policy to and from the zone ● Masquerading and MSS clamping.
The Port Forwards tab displays existing port forwarding rules, and lets the user add / edit / delete Port Forwarding Rules. This configures the unit to forward traffic directed to a port on the device to another IP address and port. Figure 94: Network > Firewall > Port Forwards Important: Firewall Port Forwarding is intended only for Advanced Users.
● To pass raw arguments to the underlying iptables command The Traffic Rules tab displays existing traffic rules and provides add / edit / delete functionality. Figure 95: Network > Firewall > Traffic Rules When adding / editing an existing Rule, the Firewall - Traffic Rules dialogue is displayed.
Assign Conntrack Helper - These are modules that can assist the firewall in tracking protocols; intended only for Advanced users.
Apply Firewall / XOR Firewall Mark - Firewall marks provide a powerful mechanism to group services together; intended only for Advanced users.
DSCP classification - DSCP Marking is used to determine traffic classification for network data. This can be used to determine which network traffic requires higher bandwidth, has a higher priority, and is more likely to drop packets.
Figure 96: Network > Firewall > NAT Rules When adding a new NAT rule or editing an existing one, the Firewall - NAT Rules dialogue is displayed. Firewall - NAT Rules > General Settings lets the user set ● Protocol ● Outbound zone ● Source address ● Destination address And the action to take for packets matching the rule. In the case of the SNAT action, you must specify a rewrite IP address.
The Custom Rules tab lets the user specify a custom shell script to be executed after the default ruleset has been loaded, allowing advanced users direct control to execute arbitrary iptables commands. Figure 97: Network > Firewall > Custom Rules Warning: Custom Rules are intended only for Advanced Users. Diagnostics The Diagnostics menu provides basic tools to verify network state and troubleshoot network issues. Ping, traceroute, or nslookup can be performed on any specified hostname or IP address.
Configure Diagnostics Figure 99: Network > Configure Diagnostics NOTE: Out-of-the-box, the E1500 has no modules installed to display in Configure Diagnostics. See Network > Diagnostics for default tools – ping, traceroute, and nslookup. Use of other diagnostic tools is intended for advanced users only.
Radio Specifications Ordering Information To order, contact sales@council-rock.com Model Options Public LTE Private LTE LTE CBRS LTE Cat-M/NB-IoT Private Enterprise Broadband 900MHz E1500-L8N X X X X X E1500-LW X X X E1500-8NW X X E1500-8W X X Model 2.
Hardware Summary E1500-L8N E1500-LW E1500-8NW E1500-8W ARM Cortex A9 Dual Core ARM Cortex A9 Dual Core ARM Cortex A9 Dual Core ARM Cortex A9 Dual Core Memory 1GB 1GB 1GB 1GB Storage 8GB eMMC 8GB eMMC 8GB eMMC 8GB eMMC 9-60VDC 9-60VDC 9-60VDC 9-60VDC 2 2 2 2 1xRS-232 & 1xRS232/485/422, RJ45 Connectors 1xRS-232 & 1xRS232/485/422, RJ45 Connectors 1xRS-232 & 1xRS232/485/422, RJ45 Connectors 1xRS-232 & 1xRS232/485/422, RJ45 Connectors GPS Yes w/ Precision Time Yes w/ Precision Tim
RF Specifications [see also Model Options] E1500 Model Radio Networks Bands Category L8N LW A First Net, CBRS, Verizon, AT&T, T-Mobile, Sprint 1-5, 7-9, 12-14 18-20, 26, 28-30 32 41, 42, 43, 46 48, 66 Cat 12 DL Cat 13 UL L8N B1 8NW 8W B2 Private Enterprise Broadband 900MHz, Verizon, AT&T, T-Mobile, Sprint 1-5, 7, 8, 12, 13 20, 25, 26, 29, 30 41 Cat 6 DL Cat 6 UL 2, 4, 5, 8, 12, 13 Cat M/NB-IoT ISM - L8N 8NW C Private Enterprise Broadband 900MHz, Verizon, AT&T, T-Mobile LW 8NW 8W F
Regulatory Info
Certifications
This device is certified under FCC Part 15b as an unintentional radiator. It has also been tested to IEEE1613 for use in electrical substations and conforms to UL standard #121201 and CSA Standard C22.2#213 for operation in Class I Division 2 Groups A-D, T4 hazardous locations. Finally, this device is authorized for use on CBRS, Verizon, AT&T, and FirstNET.
Hazardous Locations
This device is approved: Class I Division 2 Groups A-D.
Warranty
Council Rock warrants that under normal use and service each Product will conform in all material respects to Council Rock’s specifications therefore and the hardware will be free from defects in materials and faulty workmanship. The warranty period (“Warranty Period”) for new ordered Product is three (3) years from its original date of Delivery.
all reported Software errors will be corrected. If on inspection by Council Rock of a returned item there is no fault found (NFF), Purchaser will pay Council Rock’s then prevailing NFF charge and its transportation and insurance costs. Council Rock will charge Purchaser for any maintenance carried out which is not covered by the warranties contained in this Section at Council Rock’s then prevailing standard rates for such Services.
Appendix A: CONFIGURATION FUNDAMENTALS
The basic setups in this section can be thought of as the building blocks of an E1500 system configuration. More complicated system setups generally depend upon these fundamental configurations.
Fundamentals A: SIM card installation
Initial setup of the unit requires SIM card installation prior to powering up. This section describes SIM card installation. The SIM card slots use the nano SIM (4FF) form factor.
Tools Needed
● T10 Torx bit
● Tweezers
OPENING THE UNIT
1.
INSTALLING SIM CARDS
3. Using tweezers, insert the SIM cards in slots 1 and 2.
Figure A.A.2: SIM card insertion
CLOSING THE UNIT
4. Replace the rear panel and reattach the corner screws and lock washers.
NOTE: See “Initial Setup: Web Admin - step 5” for details on SIM card interface configuration.
REMOVING SIM CARDS
A ‘pick’ of sorts is needed to remove SIM cards that have previously been installed. Any type of pick with a 90-degree bend at one end should suffice.
Fundamentals B: LAN Interface config
To set up the E1500 LAN interface according to your network plan, define the interface settings via the Network > Interfaces menu by clicking the EDIT button on a LAN interface and selecting the General tab. The LAN interface status is displayed in a highlighted box, showing the Device name, Uptime, MAC address, Total received / transmitted packets (RX/TX), and the IP Address in CIDR notation.
The Advanced Settings tab has settings for:
• [Checkbox] – Use built-in IPv6 Management
• [Checkbox] – Force link (to ignore carrier sense events)
• Overriding the unit’s MAC address
• Overriding the default Maximum Transmission Unit (MTU) - packet size (for advanced users only - we recommend the default MTU setting)
• Using a gateway metric - Gateway metric defines the value that is assigned to an IP route for a network interface that identifies the cost that is associated with using that route.
Verify the LAN is always in the LAN firewall zone on the Firewall Settings tab. For more, see Fundamentals C: WAN Interface config
Fig. A.B.3: LAN Interface Firewall Settings
Your network deployment settings will vary from the example screenshots shown here (mainly IP addressing schemes / netmasks / gateways, but may also include settings such as bridging, firewalls, and DHCP servers). Enter your specific network details on each applicable menu tab and click Save.
Fundamentals C: WAN Interface config
To set up the E1500 WAN interface according to your network plan, define the interface settings via the Network > Interfaces menu by clicking the EDIT button on a WAN interface and selecting the General tab. The WAN interface status is displayed in a highlighted box, showing the Device name, Uptime, Total received / transmitted packets (RX/TX), and the IP Address in CIDR notation.
Fig. A.C.
The Advanced Settings tab has settings for:
• Using built-in IPv6 management
• Force link (to ignore carrier sense events)
• Overriding the default Maximum Transmission Unit (MTU) - packet size (for advanced users only - we recommend the default MTU setting)
• Using the unit as a default gateway.
NOTE: “USE AS DEFAULT GATEWAY” Checking this box sets the interface as the outgoing node for any packet whose destination IP is not on the routing table. A user may configure multiple default gateways.
NOTE: A zone can be configured to any set of interfaces, but generally there are at least two zones for the sake of simplicity: lan for the collection of LAN interfaces and wan for the WAN interfaces. In most cases users want to allow/prevent the same type of traffic in and out of the LAN/WAN interfaces, so it makes sense to group interfaces of the same type in the same zone.
Fig. A.C.
Fundamentals D: System Administration
This section covers basic and advanced system administration topics.
Changing User / Passwords
The password for the device can be changed by navigating to System > Administration > Router Password. The password policy is:
Length: minimum 18 characters
Requirements:
● 1 lower case letter
● 1 upper case letter
● 1 number
● 1 special character
Fig. A.D.
Warning: The following topics are intended only for Advanced Users.
Remote System Logging Configuration: Allows the user to configure the unit to send logs to an external syslog server. By default, system logs are stored locally as a text file continually updated during system events. The System > System: Logging page allows the user to specify logging parameters, detailed below.
External system log server: The IP address of the syslog server that the logs will be sent to.
External system log server port: The transport layer port of the syslog server that the logs will be sent to.
External system log server protocol: The transport layer protocol that will be used to send syslog messages to the external server.
Write system log to file: The local directory on the device where the syslog messages will be stored. Leave the default value.
Log output level: Syslog logging level.
Fig. A.D.3: System > Software > Installed
Fig. A.D.
Appendix B: USE CASES
Use Case A: Serial Connection via WAN
Example: Connect the E1500 to a device via serial / RS232 with DNP and send device traffic to the Enterprise Network through WAN A
Requirements: Fundamentals C: WAN interface config
Figure B.A.1 – Serial to WAN concept diagram
Steps:
1. Navigate to Services > Serial Gateways and set configuration for Serial A
a. Protocol: RS232
b. Gateway: DNP3
c. Baud Rate: 115200
d. Parity: None
e. Data Bits: 8
f. Stop Bits: 1
g. TCP Port: 20000
h.
Figure B.A.2 - Services > Serial Gateways
● Master IPV4/IPV6: IP address of the master device.
Use Case B: LAN to WAN traffic
Example: Configure the E1500 to route traffic between radio ports (WAN A / WAN B) and ethernet port (LAN 1) as shown in Figure 2.1. Set WAN load balancing to WAN A 60% / WAN B 40%.
Requirements:
Fundamentals B: LAN interface config
Fundamentals C: WAN interface config
Figure B.B.1- LAN to WAN concept diagram
Steps:
1. Set up the LAN to WAN firewall zone:
○ Navigate to Network > Firewall > General Settings
○ Under Zones, click ADD and set the following (See Fig. B.B.
Figure B.B.2 - Firewall Zone Settings: lan
2. Set up Load Balancing
A. Configure interfaces
○ Navigate to Network > Load Balancing: Interfaces
○ Add/Select the MWAN Interface for wan_a and set up as shown in Figure B.B.3.
■ Interface down: 3
■ Interface up: 3
■ Flush conntrack table: all unchecked
■ Metric: this is not an input, just for display
○ Click SAVE & APPLY
○ Click the Interfaces Tab to return to the MWAN - Interfaces view and repeat the setup for wan_b
Figure B.B.3 - MWAN Interface wan_a Load Balancing configuration
B.
balancing and wan_a_secondary to indicate the low priority member for load balancing)
○ Click ADD to open the MWAN Member Configuration window for wan_a_main.
○ Enter the following settings (See Fig. B.B.4)
■ Next to “Interface” click on - - Please choose -
■ Select wan_a
■ Metric = 1 (Metric is used as a sorting measure.
Figure B.B.5 - Member Configuration to set Load Balancing (Weight) on wan_b
Figure B.B.6 - Member Configuration summarizing Members Load Balancing
C. Add a Load Balancing Policy
○ Navigate to the Policies Tab
○ On the text input line next to the ADD button enter “main_policy”
○ Click ADD to open the MWAN Policy Configuration window for main_policy
■ Next to “Member used” click on - - Please choose -
■ Select wan_a_main (See Fig. B.B.
Figure B.B.7 - Load Balancing Policy Configuration: Member selection
Figure B.B.8 - Load Balancing Policy Configuration: Policy settings
D. Add a Load Balancing Rule to the Load Balancing Policy
○ Navigate to the Rules Tab
○ On the text input line next to the ADD button enter “wan_a_rule”
○ Click ADD to open the MWAN Rule Configuration window for wan_a_rule
■ Source address: 10.0.0.
Figure B.B.9 - Load Balancing Rule Configuration using Load Balancing Policy
Figure B.B.
Use Case C: SIM Failover
Example: Configure the E1500 to switch between SIM cards based on signal quality or network connectivity. Check connectivity every 5 minutes.
NOTE: SIM failover is only available on dual-SIM units. The menu options shown in this section are not available on single-SIM units.
When the primary SIM card’s network fails, the interface switches to the secondary SIM card.
Figure B.C.1 - Network > SIMs: SIM Failover
NOTE: Network Ping Address shown here is for example only. An appropriate Ping Address for your network deployment should be entered here.
NOTE: After a primary SIM failover event, the ‘non-primary’ SIM becomes the Current SIM. The user can reset the failover by manually switching the Current SIM back to primary.
Use Case D: Radio Module Failover
The network balancing feature of the E1500 allows outbound WAN interface traffic to be load balanced over multiple WAN interfaces based on a numeric weight assignment. The user can also configure interfaces as main/backup WANs. The user can configure the device to monitor each WAN connection using repeated ping tests, allowing the device to automatically route traffic to another WAN interface if the main WAN interface loses connectivity.
• Ping interval: 5
• Failure interval: 5
• Keep failure interval: uncheck
• Recovery interval: 5
• Interface down: 3
• Interface up: 3
• Flush conntrack table: uncheck all
i. ifup
ii. ifdown
iii. connected
iv. disconnected
• Metric: this value is for display only, no data to enter
Figure B.D.
Figure B.D.2 - Network > Load Balancing > Interfaces (interface summary screen)
4. Click SAVE to create load balancing interface “wan_a”
5. Repeat steps 1 through 4 for interface wan_b
Figure B.D.3 - WAN Interfaces are set up
6. Navigate to Network > Load Balancing > Members.
7. Add a MWAN member for wan_a, the main interface in this example.
a. On the text input line left of the ADD button, enter “failover_wan_a” and click ADD
b. Click the Interface dropdown and select “wan_a”
c. Enter Metric = 1
d.
Figure B.D.4 - Member Configuration – failover_wan_a
Figure B.D.5 - Member Configuration – failover_wan_b
Figure B.D.
9. Create the Load Balancing Policy. The policy sets the unit to reject traffic across interfaces that are down.
a. Navigate to the Policies tab
b. On the text input line next to the ADD button, enter “test_policy”
c. From the Member used dropdown, select both ‘failover_wan_a’ and ‘failover_wan_b’
d. Use the default setting for Last Resort: unreachable (reject)
e. Click the SAVE & APPLY button, followed by the BACK TO OVERVIEW button.
Figure B.D.
c. Configure test_rule as described below. Generally, the default values are used; only the Destination address and the Policy assigned need to be entered.
test_rule configuration:
• Source address: blank
• Source port: blank
• Destination address: 0.0.0.0/0
• Destination port: blank
• Protocol: all
• Sticky: No
• Sticky timeout: blank
• IPset: blank
• Logging: unchecked
• Policy Assigned: test_policy (the policy from the previous step will be available in the dropdown list)
Figure B.D.
Figure B.D.10 - Status > Load Balancing > Interface (verify load balancing)
Additionally, on the Detail tab, we see the test_policy is directing 100% of traffic to wan_a, the interface we defined with the lowest metric.
Figure B.D.
To verify failover is set up correctly, disable the main interface by navigating to Network > Interfaces and clicking the STOP button on wan_a. Navigate back to Status > Load Balancing > Detail to verify that traffic has switched to the backup interface “wan_b”.
Figure B.D.12 - Status > Load Balancing > Detail (verify load balancing)
Figure B.D.
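The following is an added example, not code from the guide or the E1500 firmware, that models how the member metrics and weights in Use Cases B and D decide where traffic goes and when failover occurs. It assumes "Interface down: 3" and "Interface up: 3" count consecutive ping results; the wan_b member name in Use Case B, the wan_b metric, and the failover weights are constructed values.

```python
from dataclasses import dataclass


@dataclass
class Tracker:
    """Per-interface state driven by repeated ping tests."""
    down_after: int = 3   # "Interface down: 3" from the page
    up_after: int = 3     # "Interface up: 3" from the page
    online: bool = True
    streak: int = 0       # consecutive results that contradict `online`

    def record(self, ping_ok: bool) -> bool:
        if ping_ok == self.online:
            self.streak = 0          # result agrees with the current state
            return self.online
        self.streak += 1
        if self.streak >= (self.up_after if ping_ok else self.down_after):
            self.online, self.streak = ping_ok, 0
        return self.online


@dataclass(frozen=True)
class Member:
    name: str
    interface: str
    metric: int   # lower metric is preferred
    weight: int   # share among members that have the same metric


def traffic_share(members, online, last_resort="unreachable"):
    """Return {interface: percent} for a policy, or the last-resort action
    when every member interface is down."""
    usable = [m for m in members if online.get(m.interface, False)]
    if not usable:
        return last_resort
    best = min(m.metric for m in usable)
    tier = [m for m in usable if m.metric == best]
    total = sum(m.weight for m in tier)
    return {m.interface: round(100 * m.weight / total) for m in tier}


# Use Case B: equal metric, weights 60/40. "wan_b_main" is a constructed name.
MAIN_POLICY = [Member("wan_a_main", "wan_a", 1, 60),
               Member("wan_b_main", "wan_b", 1, 40)]
# Use Case D: wan_a preferred. Metric 2 and both weights are constructed values.
TEST_POLICY = [Member("failover_wan_a", "wan_a", 1, 1),
               Member("failover_wan_b", "wan_b", 2, 1)]


def simulate_failover(ping_results):
    """Feed wan_a ping results through a Tracker; wan_b stays up throughout."""
    wan_a, shares = Tracker(), []
    for ok in ping_results:
        state = {"wan_a": wan_a.record(ok), "wan_b": True}
        shares.append(traffic_share(TEST_POLICY, state))
    return shares


if __name__ == "__main__":
    for step in simulate_failover([True, False, False, False, True, True, True]):
        print(step)
```

With every member down, the policy returns the Last Resort action, which is the fail-closed behaviour the "unreachable (reject)" default gives.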
Use Case E: Interface Bridging
The LAN bridge combines the WLAN interface(s) with the wired LAN ports to create a single logical network.
Example: Configure a bridge between Ethernet ports lan1 and lan2.
Requirements:
Fundamentals B: LAN interface config
Fundamentals C: WAN interface config
Steps:
1. Navigate to Network > Interfaces and click the EDIT button on LAN1.
Figure B.E.1 - Network > Interfaces
2. Select the ‘Physical Settings’ tab and select the ‘Bridge interface’ checkbox.
Figure B.E.2 - Interface EDIT > Physical Settings for LAN1
The new pseudo-interface has “br-” prepended to the interface name (generally br-lan). This indicates the bridged LAN. The new interface will have a single IP address.
Figure B.E.
Use Case F: SNMPD Trap Alerts
Example: Send traps to a SNMP server using SNMPV2
Configure the unit to send trap alerts to an SNMP server hosted on the network using SNMP version 2.
Steps:
1. Navigate to Services > SNMPD
Figure B.F.1 - Services > SNMPD
2. Scroll down to the “v2c Traps” section, click the ADD button to open the lines for text input and enter the required information:
● Host: IP address of the SNMP server
● Community: SNMP community string to use when sending traps to the server.
Appendix C: List of Acronyms
APN - Access Point Name
DMVPN - Dynamic Multipoint VPN
ARM - Advanced RISC machine
DNP3 - Distributed Network Protocol 3
BGP - Border Gateway Protocol
DNS - Domain Name System
br-lan - the pseudo LAN after being bridged
DSCP - Differentiated Services Code Point
Cat-M/NB - Category M / Narrowband for the Internet of Things - cellular IoT data connectivity
EIGRP - Enhanced Interior Gateway Routing Protocol
CFR - Code of Federal Regulations
eMMC - Embedded Mul
ICCID - A globally unique serial number for a SIM card
MHz - Megahertz
IEEE - Institute of Electrical and Electronics Engineers
MIMO - Multiple In Multiple Out
IGMP - Internet Group Management Protocol
MODBUS - The de facto standard communications protocol for industrial electronic devices
IMEI - International Mobile Equipment Identity
mPCIe - Mini-PCI Express (expansion bus form factor)
IMSI - International Mobile Subscriber Identity
MPLS - Multiprotocol Label Switching
IoT - Interne
PLC - Programmable Logic Controller
STP - Spanning Tree Protocol
QoS - Quality of Service
syslog - the system log
RADIUS - Remote Authentication Dial-In User Service
TAP - Kernel Virtual Network Device: “Network Tap”
RAM - Random Access Memory
TCP - Transmission Control Protocol
RF - Radio Frequency
TFTP - Trivial File Transfer Protocol
RIPv2 - Routing Information Protocol Version 2
TIA TSB-88.4 - Telecommunications Industry Association Telecommunications Service Bulletin 88.
Appendix D: List of Tables / List of Figures
Table 1: LED Status List
Table 2: RF Connectors by Model
Table 3: RF Port to WAN mapping
Figure 24: Status > Processes
Figure 25: Status > Realtime Graphs > Load
Figure 26: Status > Realtime Graphs > Traffic
Figure 27: Status > Realtime Graphs > Connections
Figure 63: Services > QoS over Nftables > Traffic Priority
Figure 64: Services > SNMPD
Figure 65: Network > Interfaces
Figure 66: Interfaces > Advanced Settings