-
Document No. TR0190 Rev A1

TR-900 Access Point User’s Guide
Rev. A1

Communicate Without Boundaries

Tranzeo Wireless Technologies Inc.
19473 Fraser Way, Pitt Meadows, BC, Canada V3Y 2V4
www.tranzeo.com
technical support email: support@tranzeo.
-
ER-1000 Access Point User’s Guide Tranzeo, the Tranzeo logo and TR-900 are trademarks of Tranzeo Wireless Technologies Inc. All rights reserved. All other company, brand, and product names are referenced for identification purposes only and may be trademarks that are the properties of their respective owners. Copyright © 2009, Tranzeo Wireless Technologies Inc. TR0190 Rev.
-
ER-1000 User’s Guide FCC Notice to Users and Operators This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) This device must accept any interference received, including interference that may cause undesired operation. This equipment has been tested and found to comply with the limits for Class B Digital Device, pursuant to Part 15 of the FCC Rules.
-
-
Chapter 1: Working with the ER-1000

1 Working with the TR-900

Thank you for choosing the Tranzeo TR-900 802.11 Access Point. The TR-900 is a full-featured access point in a ruggedized enclosure designed for outdoor installation. This user’s guide presents a wide array of configuration options, but only a limited number of options have to be configured in order to deploy a TR-900. Throughout the manual, “TR-900” will be used to collectively refer to this family of products.
-
Figure 1. TR-900 interfaces.

Interface       Description
AP radio port   N-type antenna connector for access point radio
Ethernet        10/100 Mbit Ethernet interface
Passive PoE     PoE power input (9-28VDC, 12W). Not compatible with IEEE 802.3af

Table 2. TR-900 Interfaces

1.2.1 Ethernet and PoE

The TR-900 has a 10/100 Ethernet port that supports passive Power over Ethernet (PoE).
-
Pin   Signal    Standard Wire Color
1     Tx+       White/Orange
2     Tx-       Orange
3     Rx+       White/Green
4     PoE V+    Blue
5     PoE V+    White/Blue
6     Rx-       Green
7     Gnd       White/Brown
8     Gnd       Brown

Table 3.
-
TR-900V-120-13   Vertical Sector

Table 2 Supported Accessory antennas

1.3 Deployment Considerations

The TR-900’s radio operates in either the 2.4 GHz or the 5.8 GHz ISM band, depending on the model. It is possible that there will be other devices operating in these bands that will interfere with the TR-900’s radio. Interference from adjacent TR-900s can also degrade performance if the TR-900s are not configured properly.
-
Figure 2. 802.11b/g channel chart, showing top, bottom, and center frequencies for each channel
-
Chapter 2: Connecting to the ER-1000

2 Connecting to the TR-900

The TR-900 can be configured and monitored by connecting to one of its network interfaces. The wired Ethernet interface on the TR-900 should be used for initial configuration of the device, but the wireless network interface can be used to connect to the device after initial configuration has been completed.

2.1 Network Interfaces

The TR-900 has several network interfaces, as shown in Table 4.
-
used for initial configuration and for accessing devices whose configuration settings are unknown.

2.2 Connecting to an Unconfigured TR-900

Use the Static Configuration interface with IP address 169.254.253.253 and netmask 255.255.0.0 to establish network connectivity to an unconfigured TR-900. The Static Configuration interface functions only with the TR-900’s wired interface. Do not try to access the TR-900 over a wireless link using the address of this interface.
-
If you are configuring multiple TR-900s with the same computer in rapid succession, it may be necessary to clear the ARP cache since the IP addresses for the TR-900s will all be the same, but the MAC addresses will vary. The following commands can be used to clear the ARP cache:

Windows XP (executed in a command prompt window)

    arp -d *

to clear the entire cache, or

    arp -d 169.254.253.253

to just clear the TR-900 entry.

Linux

    arp -d 169.254.253.253

2.
-
Chapter 3: Using the Web Interface

3 Using the Web Interface

The TR-900 has a web interface accessible through a browser that can be used to configure the device and display status parameters.

3.1 Accessing the Web Interface

You can access the web interface by entering one of the TR-900’s IP addresses in the URL field of a web browser (see section 2.2 for a description of how to access an unconfigured TR-900 using its Ethernet interface).
-
A configuration overview page is loaded by default after the login process has been completed.
-
3.2 Navigating the Web Interface

The web interface uses a three-tiered navigation scheme.

1. The first tier of navigation is the navigation bar shown on the left side of the screen. This navigation bar is displayed on all pages in the web interface and remains the same on all pages.
2. The second tier of navigation is the primary row of tabs shown across the top of the screen on many of the pages in the web interface.
-
click on the “Save Changes” button. It typically takes a few seconds to save the changes, after which the page will be reloaded. For the changes to take effect, the TR-900 must be rebooted. After a change has been committed, a message reminding the user to reboot the TR-900 will be displayed at the top of the screen.

Figure 7. Page showing "Save Changes" button and message prompting the user to reboot

3.
-
Figure 8. Rebooting the TR-900
-
Chapter 4: Using the Command Line Interface

4 Using the Command Line Interface

All configurable TR-900 parameters can be accessed with a Command Line Interface (CLI). The CLI allows you to:

• Modify and verify all configuration parameters
• Save and restore device configurations
• Reboot the device
• Upgrade the firmware

4.1 Accessing the CLI

The TR-900’s command-line interface (CLI) is accessible through its network interfaces using an SSH client.
-
4.3 CLI Interfaces

The CLI provides the user with a number of interfaces that contain related parameters and controls. Some of these interfaces are hardware interfaces, such as Ethernet, while others are virtual interfaces that contain a set of related parameters.
-
4.4.3 Searching the Command History

The command history can be searched by pressing Ctrl+R and entering a search string. The most recently executed command that matches the string entered will be displayed. Press ‘Enter’ to execute that command.

4.4.4 Executing a Previous Command

By using the up and down arrow keys you can select previously executed commands.
-
4.5.3 ‘help’ command

Syntax

    help [command|parameter]

where the optional argument is either one of the CLI commands (“[command]”) or a parameter in the currently selected interface (“[parameter]”).

Description

When no argument follows the help command, a help menu showing a list of available commands is displayed. When a command is supplied as the argument, a help message for that particular command is displayed.
-
4.5.5 ‘use’ command

Syntax

    use

where is one of the TR-900’s interfaces. A complete list of interfaces is available with the ‘show’ command.

Description

Selects an interface to use. By selecting an interface you can view and modify the parameters associated with the interface.

Example

    use wlan1

will select the wlan1 virtual AP interface and change the CLI prompt to

    wlan1>

to reflect the interface selection.

4.5.
-
4.5.7 ‘get’ command

Syntax

    get

where is the parameter whose value is being fetched.

Description

Gets the value of one or more configuration parameters for the currently selected interface. The ‘*’ character can be used to specify wildcard characters. This allows multiple values to be fetched with a single command.

Example

With the ‘eth0’ interface selected

    get ip.address

will return the Ethernet interface’s IP address, while

    get ip.
-
4.5.8 ‘list’ command

Syntax

    list

Description

Lists all parameters for the selected interface

Example

With the ‘eth0’ interface selected

    list

will display

    acl.mode : access control list mode
    dhcp.default_lease_time : default dhcp lease expiration in…
    dhcp.max_lease_time : maximum requestable dhcp lease…
    dhcp.relay.enable : use dhcp relay (if sys.dhcp.relay.enable=yes)
    dhcp.reserve : ip addresses to reserve at bottom of range…
    dhcp.
-
4.5.10 ‘ifconfig’ command

Syntax

    ifconfig

Description

Displays information, such as IP address and MAC address, for the specified network interface.

Example

    ifconfig wlan1

will display

    wlan1 Link encap:Ethernet HWaddr 00:15:6D:52:01:FD
          inet addr:10.2.10.1 Bcast:172.29.255.255 Mask:255.255.0.

4.5.11
-
4.5.13 ‘history’ command

Syntax

    history

Description

Shows the command history since the TR-900 was last rebooted

Example

After switching to the ‘wlan1’ interface, inspecting the ESSID setting, and then changing it

    history

will display

    1: use wlan1
    2: get essid
    3: set essid=new_ap_essid
-
4.5.14 ‘!’ command

Syntax

    !
    !
    !!

Description

Executes a previously-executed command based either on a command history number or matching a string to the start of a previously-executed command. Note that there is no space between the ‘!’ and the argument. The ‘history’ command shows the command history, with a number preceding each entry in the command history.
-
4.5.15 ‘exit’ command

Syntax

    exit

Description

Terminates the current CLI session and logs out the user

4.5.16 ‘quit’ command

Syntax

    quit

Description

Terminates the current CLI session and logs out the user
-
Chapter 5: Initial Configuration of an ER-1000

5 Initial Configuration of a TR-900

This user’s guide provides a comprehensive overview of all of the TR-900’s features and configurable parameters. However, it is possible to deploy a network of TR-900s while only changing a limited number of parameters. The list below will guide you through a minimal configuration procedure that prepares a network of TR-900s for deployment.

1 Change the ‘admin’ password.
-
Figure 9. Initial configuration web page
-
Chapter 6: Status Information

6 Status Information

Multiple web interface pages that display status information about the TR-900 and client devices attached to it are available. These web pages are accessible by clicking on the “Status” link in the navigation bar and then selecting the appropriate tab shown at the top of the page. The status information is not accessible through the CLI.

6.
-
6.2 Interface Status

Traffic and neighbor information for the virtual AP and wired interfaces are available on the “Status” tab of the “Status” page. Select the appropriate interface for which you wish to view information from the row of tabs below the primary tab row.

6.2.1 Virtual AP Interfaces

The sub-tabs display status information about the virtual AP interfaces.
-
6.2.2 Wired Interface Status

The wired interface status page is similar to the wireless interface status pages, with the exception that it only displays summary information for the interface and does not break down data transferred on a per-device basis.

Figure 12. Wired interface status information

6.3 Bridging

The “Bridging” tab is only present when the TR-900 is in bridge mode. This page displays information about the current bridge configuration.
-
Figure 13. Bridging status information

6.4 Routing Table

The routing table used by the device can be displayed by selecting the “Routing” tab on the “Status” page.
-
Figure 14. Routing table

6.5 ARP Table

The device’s ARP table can be displayed by selecting the “ARP” tab on the “Status” page.

Figure 15. ARP table
-
6.6 Event Log

The main system log for the device is accessible by selecting “Event Log” on the “Status” page. The log is displayed in reverse chronological order, with the last recorded event appearing at the top of the page.

Figure 16.
-
Figure 17. DHCP event log

The time reported in the DHCP Log corresponds to the time maintained by the TR-900 and may not be consistent with that shown in the upper left corner of the webpage, as this is the time maintained by the computer running the web browser.
-
Chapter 7: Configuration Profile Management

7 Configuration Profile Management

Configuration profiles describe a TR-900’s configuration state and can be created to simplify the provisioning and management of devices.
-
7.2 Load a Configuration Profile

A configuration stored on the TR-900 can be applied using the “Load” tab on the “Profile Management” page. This profile must either have been saved earlier or uploaded to the TR-900. Choose a profile name from the “Existing Profiles” box and then click on “Load Profile”. It is necessary to reboot the TR-900 for the loaded profile settings to take effect. A number of default configuration profiles are available on the TR-900.
-
Figure 20. Deleting a configuration profile

7.4 Downloading a Configuration Profile from a TR-900

A configuration profile can be downloaded from a TR-900 using the “Download from node” tab on the “Profile Management” page. The existing configuration profiles are listed on this page. Click on the one that is to be downloaded to your computer and you will be given the option to specify where the profile should be saved on the host computer.

Figure 21.
-
7.5 Uploading a Configuration Profile to a TR-900

A configuration profile can be uploaded to a TR-900 using the “Upload to node” tab on the “Profile Management” page. Use the “Browse” button to select a profile file on your host computer for upload to the TR-900. Alternatively, enter the file name by hand in the text box adjacent to the “Browse” button. Click on the “Upload Profile” button to upload the selected file to the TR-900.

Figure 22.
-
Chapter 8: Mode of Operation

8 Mode of Operation

The TR-900 can be configured to operate in either routed or bridge mode. In routed mode, all communication is managed at the IP (layer 3) level, with the TR-900 acting as a router. In bridge mode, all communication across the TR-900 is managed at the MAC (layer 2) level, with the TR-900 acting as a switch.
-
CLI

The TR-900’s operating mode is set with the ‘scheme’ parameter in the ‘sys’ interface. Valid values are ‘aponly’ for routed mode and ‘l2bridge’ for bridge mode. For example, set the operating mode to routed mode with:

    > use sys
    sys> set scheme=aponly

Web GUI

The operating mode can be set via the web interface using the “System” tab on the “System Parameters” page.

Figure 23. Setting operating mode
-
Chapter 9: System Settings

9 System Settings

This section describes settings that are applicable to the overall operation of the TR-900, but are not related directly to a particular interface.

9.1 User Password

The password for the ‘admin’ user is configurable. The default password is ‘default’. See section 2.4 for instructions on resetting the ‘admin’ password if it has been lost.

CLI

The password for the ‘admin’ user can be set using the ‘password.admin’ parameter in the ‘sys’ interface.
-
9.2 Node ID

BRIDGE: The only use of the node ID parameter when operating in bridge mode is for setting the default IP address of the bridge interface when one has not been explicitly set or acquired via DHCP.

The node ID assigned to a TR-900 affects the IP address spaces assigned to each of the TR-900’s virtual AP client access interfaces when it uses implicit addressing in routed mode.
-
9.3 DNS / Domain Settings

At least one DNS server, accessible from the TR-900, must be specified for the device to be able to resolve host names. This DNS server is also provided to client devices that acquire an IP address from the local DHCP server on a TR-900. If a TR-900 acquires DNS server information through DHCP on its wired interface, this DNS server information will overwrite any manually set DNS server setting.
-
9.4 DNS Proxy Configuration

DNS proxy entries can be added to a TR-900 to force local resolution of host names to IP addresses for the hosts in the proxy list. Use of a DNS proxy list on the TR-900 is a two-step process: first populating the host name/IP address pairs, and then enabling DNS proxy.

BRIDGE: DNS proxy is not supported when operating in bridge mode.

CLI

A list of hostname/IP address pairs to be resolved locally can be specified using the ‘dnsproxy.
-
9.5 NetBIOS Server

The NetBIOS server parameter is used to define a NetBIOS server’s IP address that is provided to client devices when configured by the TR-900’s local DHCP server.

BRIDGE: The NetBIOS settings are not used when operating in bridge mode.

CLI

The NetBIOS server is set with the ‘netbios.servers’ parameter in the ‘sys’ interface.
-
The contact person and location of the device located via SNMP are set with the ‘snmp.contact’ and ‘snmp.location’ parameters in the ‘sys’ interface as shown below.

    > use sys
    sys> set snmp.contact="Joe Smith"
    sys> set snmp.location="123 Main St., Anytown, USA"

Web GUI

The SNMP-related parameters can be set on the “SNMP” tab on the “System” page (see Figure 28).

Figure 28. SNMP configuration

9.
-
CLI

The geographic location of the TR-900 can be stored in the following fields in the ‘sys’ interface:

• sys.location.gps.altitude
• sys.location.gps.latitude
• sys.location.gps.longitude

For example, you can set the latitude value as follows.

    > use sys
    sys> set location.gps.latitude="34.01"

A description of the TR-900’s location can be stored in the ‘location.postal’ field in the ‘sys’ interface. For example, you can set the location value as shown below.
-
9.8 Certificate Information

A certificate for use with splash pages and the web interface is locally generated on the TR-900. The information embedded in this certificate can be defined by the user. A new certificate is automatically generated when the parameters describing the TR-900’s location are changed. The specific location parameters to which the certificate is tied are listed in the sections below.
-
Web GUI

The synchronization mode and server can be set on the “Time” tab on the “System” page (Figure 30).

Figure 30. Automatic time synchronization

When automatic synchronization is disabled, the user can set the TR-900’s UTC time (Figure 31). Enter the time using the available drop-down menus and check the “Change Time” checkbox.

Figure 31. Setting the time manually
-
9.10 Web GUI Console

The web interface allows the user to set parameters that are not otherwise settable through the web interface using a console interface. The console is available on the “Console” tab on the “System” page. CLI key/value pairs can be entered through the console. The key format used is “.”. For example, “wlan1.channel” is the key to set the channel used by virtual AP wlan1.
-
The OnRamp utility provides network detection and configuration capabilities for TR-900s. The configuration capabilities are only intended for initial configuration. For security reasons, it is strongly recommended that the OnRamp configuration capability be disabled after initial configuration. You can use the CLI, the web interface, or OnRamp to determine whether a device can be configured from OnRamp. In OnRamp, the “Prog” column displays the programming capability from OnRamp.
-
9.12 CLI Timeout

The CLI will automatically log out a user if the interface has remained inactive for a certain length of time. The time, in seconds, that a shell must remain inactive before a user is automatically logged out is set with the ‘shell.timeout’ parameter in the ‘sys’ interface, as shown in the example below. The maximum idle time that can be set is 21600 seconds (6 hours).

    > use sys
    sys> set shell.timeout=300
-
Chapter 10: Client Addressing Schemes

10 Client Addressing Schemes

BRIDGE: The client addressing scheme setting has no effect when the TR-900 is operating in bridge mode.

The choice of client addressing scheme affects how TR-900 client access interface addresses are assigned. The TR-900 can be configured to use an implicit addressing scheme for its client access interfaces, where the address spaces assume a default size and the addresses are affected by a number of settable parameters.
-
Figure 34. Setting the addressing scheme

10.1 Implicit Addressing Scheme

The implicit addressing scheme requires the sharing of a class C network between all active client access interfaces. The subnet address space is based on the node ID and the LAN prefix as shown in Figure 35.

Figure 35.
-
Interface   Interface address   Broadcast address   Client device address range
wlan1       subnet.1            subnet.127          subnet.2-126
wlan2       subnet.129          subnet.159          subnet.130-158
wlan3       subnet.161          subnet.191          subnet.162-190
wlan4       subnet.193          subnet.223          subnet.194-222

subnet = ..

Table 7. Default subnet segmentation between interfaces

10.1.
-
• Each active client access interface must be assigned an address segment.
• The IP address range start address (‘ip.implicit.start.requested’ in the CLI) must be one of the following values: 1, 33, 65, 97, 129, 161, 193, 225.
• The IP address range size (‘ip.implicit.size.requested’ in the CLI) must be one of the following values: 31, 63, 127, 255.
-
The actual start address and size of a segment are accessible via the ‘ip.implicit.start.actual’ and ‘ip.implicit.size.actual’ parameters. These values may differ from the requested values if the rules for setting these parameters were not followed.

Web GUI

The address space segments’ start addresses and sizes can be set via the web interface using the “DHCP” sub-tab on the “DHCP” tab on the “System Parameters” page (see Figure 36).

Figure 36.
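
The segmentation rules above can be checked before values are entered on the device. The following Python sketch is an added example, not code from Tranzeo: it derives the interface, broadcast and client addresses the way Table 7 lays them out and reports requested start/size pairs that break the listed rules. The overlap and fit checks are assumptions drawn from the statement that all client access interfaces share one class C network, and the function names are illustrative.

```python
"""Check implicit-addressing segments against the rules in section 10.1 (added example)."""

ALLOWED_STARTS = (1, 33, 65, 97, 129, 161, 193, 225)   # ip.implicit.start.requested
ALLOWED_SIZES = (31, 63, 127, 255)                     # ip.implicit.size.requested

# Default segmentation from Table 7: interface -> (start, size)
DEFAULT_PLAN = {
    "wlan1": (1, 127),
    "wlan2": (129, 31),
    "wlan3": (161, 31),
    "wlan4": (193, 31),
}


def segment(subnet, start, size):
    """Addresses of one segment, following the pattern visible in Table 7."""
    last = start + size - 1
    return {
        "interface": f"{subnet}.{start}",                 # first address of the segment
        "broadcast": f"{subnet}.{last}",                  # last address of the segment
        "clients": (f"{subnet}.{start + 1}", f"{subnet}.{last - 1}"),
    }


def check_plan(plan):
    """Return a list of problems found in {interface: (start, size)}; empty if none."""
    problems = []
    owner = {}  # last octet -> interface that already claims it
    for name in sorted(plan):
        start, size = plan[name]
        if start not in ALLOWED_STARTS:
            problems.append(f"{name}: start {start} is not an allowed start address")
        if size not in ALLOWED_SIZES:
            problems.append(f"{name}: size {size} is not an allowed segment size")
        last = start + size - 1
        # Assumption: a segment must stay inside the shared class C network.
        if last > 255:
            problems.append(f"{name}: segment ends at {last}, beyond the class C network")
        # Assumption: segments of different interfaces must not overlap.
        octets = range(start, last + 1)
        for other in sorted({owner[o] for o in octets if o in owner}):
            problems.append(f"{name}: overlaps {other}")
        for o in octets:
            owner.setdefault(o, name)
    return problems


if __name__ == "__main__":
    # "10.2.4" is the subnet seen in the guide's 'get ip.*' sample output for wlan1.
    for name, (start, size) in DEFAULT_PLAN.items():
        print(name, segment("10.2.4", start, size))
    # Constructed request that breaks the rules.
    requested = {"wlan1": (1, 255), "wlan2": (129, 31), "wlan3": (2, 31)}
    for line in check_plan(requested):
        print(line)
```
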
-
10.2 Explicit Addressing Scheme

When using the explicit addressing scheme, the IP parameters for each interface can be specified manually on the “Wireless Interface” page. When specifying the IP addresses and subnet sizes for the client access interfaces, the following rules should be followed:

• Specify IP address and subnet combinations that do not lead to misalignment, e.g. 10.0.0.4/24 is not a properly aligned address/subnet size combination.
-
See section 13.3 for instructions on how to set the IP addresses for the wired and wireless client access interfaces when using the explicit addressing scheme.
-
Chapter 11: Ethernet Interface Configuration

11 Ethernet Interface Configuration

BRIDGE: The Ethernet interface features described in this chapter are not used in bridge mode. See section 12 for information on how to configure the bridge interface to provide IP access to the TR-900 when operating in bridge mode.

The Ethernet interface is used to connect the TR-900 to a LAN. It is also used for initial configuration of the device.
-
CLI

To set the DHCP mode to ‘client’ on the Ethernet interface, set the value of the ‘dhcp.role’ parameter in the ‘eth0’ interface to ‘client’, as shown in the example below.

    > use eth0
    eth0> set dhcp.role=client

To disable Ethernet DHCP client mode, set the DHCP mode parameter to ‘none’ as shown below.

    > use eth0
    eth0> set dhcp.
-
Figure 38. Wired DHCP settings
-
11.2 Manual IP Configuration

If the Ethernet DHCP mode parameter is set to ‘none’, the manually configured IP address will be used. The default IP configuration that is assigned to the interface based on the LAN prefix and node ID settings is available through the CLI and the web GUI.
-
    eth0> set ip.netmask_force=255.255.255.0

Web GUI

The Ethernet IP address, gateway, netmask, and broadcast address parameters can be set via the web interface using the “Wired Interface” page (see Figure 37). The current IP values can be viewed on the “Status” page.
-
Chapter 12: Bridge Interface Configuration

12 Bridge Interface Configuration

12.1 IP Configuration

The bridge interface has an IP address that can be set manually or acquired via DHCP. With the exception of the fixed configuration IP address, this is the only active IP address on the device when it is operating in bridge mode. When not explicitly specifying an IP address or enabling DHCP client mode, the address for the bridge interface will default to ..1.1.
-
Figure 39. Bridge configuration page with DHCP client mode disabled

The DHCP mode for the bridge interface is set on the “DHCP” tab on the “System” page. When bridge mode is selected, the only setting available on this page is the bridge DHCP mode, as shown in Figure 40.

Figure 40. DHCP configuration page when operating in bridge mode
-
12.2 Bridging Parameters

Two parameters are available for controlling how the bridge mode operates: forwarding delay and Spanning Tree Protocol control. The forwarding delay sets how long, in seconds, the TR-900 will watch traffic before participating. If there are no other bridges near the TR-900, this value can be set to 0.
-
Chapter 13: Virtual Access Point (VAP) Configuration

13 Virtual Access Point (VAP) Configuration

A TR-900 has four virtual access points (VAPs) that can be configured to suit different application needs. These VAPs share a common radio, but, with a few exceptions noted in this chapter, can be configured independently. The availability of the four VAPs provides more flexibility in configuration and catering to different user classes than a single AP does.
-
13.1 Virtual Access Point Interfaces

There are four interfaces that are used to configure the VAPs: wlan1, wlan2, wlan3, and wlan4. The VAPs have equivalent configuration capabilities and there is no inherent prioritization or preference for one VAP. The section on quality-of-service settings (section 17) describes how prioritization on a per-VAP basis can be configured.

13.
-
10.1.1). Set the netmask by changing the client address space segments as described in 10.1.2.

CLI

You can view the IP settings for the VAP interfaces with the ‘ip.*’ parameters in the appropriate ‘wlanN’ interface as shown in the example below.

    > use wlan1
    wlan1> get ip.*
    ip.address = 10.2.4.1 [read-only]
    ip.address_force =
    ip.broadcast = 10.2.4.127 [read-only]
    ip.broadcast_force =
    ip.gateway = [read-only]
    ip.gateway_force =
    ip.netmask = 255.255.255.
-
13.4 Channel

The TR-900HG has an 802.11b/g radio that can be set to operate in the channels listed in Table 9.

Channel   Center Frequency (GHz)
1         2.412
2         2.417
3         2.422
4         2.427
5         2.432
6         2.437
7         2.442
8         2.447
9         2.452
10        2.457
11        2.462

Table 9. TR-900HG access point channels and associated center frequencies

Note that only channels 1, 6, and 11 are non-overlapping.

The TR-900HA has an 802.
-
    wlan1> set channel=6

Web GUI

The access point channel can be set via the web interface using the appropriate “wlanN” tab on the “Wireless Interfaces” page (see Figure 41).

13.5 ESSID

The ESSID, or Extended Service Set Identifier, is used in 802.11 infrastructure networks to identify a particular network consisting of one or more Basic Service Sets. It is used to differentiate logical networks that operate on the same channel.
-
13.6 IP Configuration of Client Devices

The VAP interfaces allow client devices to connect to the TR-900.
-
Figure 42. Virtual access point and wired interface DHCP and address space settings

If the local DHCP server is enabled for a VAP interface, IP addresses must be reserved for statically configured devices by setting the DHCP reserve parameter. This will reserve the specified number of IP addresses at the bottom of the IP range for the interface. For example, if the interface has the IP address 10.2.4.1, the netmask 255.255.255.
-
CLI

The number of IP addresses reserved for statically-configured devices connected to the Ethernet interface is set with the ‘dhcp.reserve’ parameter in the ‘eth0’ interface.

Web GUI

The ‘dhcp.reserve’ value can be set via the web interface using the “DHCP” sub-tab on the “DHCP” tab on the “System Parameters” page (see Figure 42).

13.
-
Chapter 13: Virtual Access Point (VAP) Configuration
The WEP and WPA configuration settings for each VAP are independent. A VAP can only support one of the encryption/authentication modes at a time, but the VAPs in the TR-900 do not all have to use the same encryption/authentication scheme.

Figure 44. Virtual access point authentication and encryption settings

13.8.
-
Chapter 13: Virtual Access Point (VAP) Configuration

Encryption format   Encryption key length   Key format
WEP                 40 bits                 s:<5 ASCII characters>
                                            <10 hex values>
WEP                 104 bits                s:<13 ASCII characters>
                                            <26 hex values>
None                N/A

Table 11.
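The key formats in Table 11 can be checked before a key is entered on the access point. The sketch below is an added example, not code from this guide or from Tranzeo; the function names and the sample keys are constructed for illustration, and it assumes that a string without the "s:" prefix is always read as hex.

```python
import string

# Key length in bytes -> encryption key length in bits (Table 11).
WEP_KEY_BITS = {5: 40, 13: 104}


def parse_wep_key(value):
    """Parse a key string in one of the Table 11 formats.

    "s:<text>" is taken as ASCII characters; anything else must be hex digits
    (assumption: no other prefix exists). Returns (key_bytes, key_length_bits)
    or raises ValueError with the reason the string does not fit the table.
    """
    if value.startswith("s:"):
        text = value[2:]
        if not text.isascii():
            raise ValueError("key after the s: prefix must be ASCII characters")
        key = text.encode("ascii")
        unit, per_byte = "ASCII characters", 1
    else:
        if not value or any(c not in string.hexdigits for c in value):
            raise ValueError("key without the s: prefix must be hex digits only")
        if len(value) % 2:
            raise ValueError("hex key has an odd number of digits")
        key = bytes.fromhex(value)
        unit, per_byte = "hex digits", 2

    bits = WEP_KEY_BITS.get(len(key))
    if bits is None:
        allowed = " or ".join(str(n * per_byte) for n in WEP_KEY_BITS)
        raise ValueError(f"expected {allowed} {unit}, got {len(key) * per_byte}")
    return key, bits


def check_keys(candidates):
    """Map each candidate string to its key length in bits, or to the error text."""
    report = {}
    for value in candidates:
        try:
            report[value] = parse_wep_key(value)[1]
        except ValueError as exc:
            report[value] = str(exc)
    return report


# Constructed sample keys, for illustration only.
SAMPLES = [
    "s:abcde",                      # 5 ASCII characters
    "0123456789",                   # 10 hex digits
    "s:thirteenchars",              # 13 ASCII characters
    "0123456789abcdef0123456789",   # 26 hex digits
    "abcde",                        # no s: prefix, so read as 5 hex digits
    "s:0123456789",                 # s: prefix, so read as 10 ASCII characters
]

if __name__ == "__main__":
    for candidate, result in check_keys(SAMPLES).items():
        print(f"{candidate!r}: {result}")
```

The last two samples show why the prefix matters: the same characters are accepted or rejected depending on whether they are read as ASCII or as hex.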
-
Chapter 13: Virtual Access Point (VAP) Configuration
CLI
The example below shows how to enable WPA-PSK mode for wlan1. The ‘wpa.key_mgmt’ parameter must also be set to indicate that PSK mode is being used, as shown below.

> use wlan1
wlan1> set wpa.enable=yes
wlan1> set wpa.key_mgmt="WPA-PSK"
wlan1> set wpa.
-
Chapter 13: Virtual Access Point (VAP) Configuration
• wpa.enable
• wpa.key_mgmt
• wpa.auth.server.addr
• wpa.auth.server.port
• wpa.auth.server.shared_secret

The ‘wpa.key_mgmt’ parameter must be set to indicate that both PSK and EAP modes can be supported, as shown in the example below. The example below shows how to enable WPA EAP mode.

> use wlan1
wlan1> set wpa.enable=yes
wlan1> set wpa.key_mgmt="WPA-PSK WPA-EAP"
wlan1> set wpa.auth.server.addr=1.2.3.4
wlan1> set wpa.auth.server.
-
Chapter 13: Virtual Access Point (VAP) Configuration
CLI
The example below shows how to set the access point radio’s maximum transmit power using the CLI. The Tx power is specified in dBm, with a granularity of 0.5 dBm.

> use wlan1
wlan1> set txpower=20

Web GUI
The VAPs’ maximum transmit power can be set via the web interface using the appropriate “wlanN” tab on the “Wireless Interfaces” page (see Figure 41). The “+” and “-” buttons can be used to increase or decrease the power setting in 0.5 dBm steps.
-
Chapter 13: Virtual Access Point (VAP) Configuration
CLI
The example below shows how to set the preamble type used by a VAP using the CLI. The preamble type is set with the ‘iwpriv.short_preamble’ parameter in the ‘wlanN’ interfaces. To enable short preambles, set this parameter to ‘1’. To force use of long preambles, set this parameter to ‘0’.

> use wlan1
wlan1> set iwpriv.
-
Chapter 13: Virtual Access Point (VAP) Configuration be increased by setting a custom maximum link distance value. This value can be specified in either metric or imperial units. The maximum link distance setting is uniform across all VAPs. Changing it for one will automatically change it for all others as well. CLI The example below shows how to set the maximum link distance supported by a VAP using the CLI.
-
Chapter 14: Client DHCP Configuration
14 Client DHCP Configuration
When operating in routed mode, two configuration options exist for assigning IP addresses to client devices using DHCP:
• The TR-900 hosts a local DHCP server and supplies IP addresses to devices attaching to any of the client access interfaces
• A centralized DHCP server supplies IP addresses to client devices, with the TR-900s relaying DHCP messages between client devices and the centralized server.
-
Chapter 14: Client DHCP Configuration The TR-900 can be configured to set aside a number of IP addresses for client devices that will use a static IP address. These IP addresses are taken from the pool that DHCP assigns IP addresses from. Thus, increasing the number of IP addresses set aside for devices with static IP addresses will reduce the size of the DHCP address pool. The DHCP reserve parameter controls the number of IP addresses that will be reserved for static use.
-
Chapter 14: Client DHCP Configuration
The DHCP reserve setting for all VAPs and the wired interface can be set via the web interface using the “DHCP” sub-tab under the “DHCP” tab on the “System Parameters” page (see Figure 45).

Figure 45. Virtual access point DHCP configuration
-
Chapter 14: Client DHCP Configuration 14.2 Using a Centralized DHCP Server Centralized DHCP server mode uses DHCP relaying to enable assignment of IP addresses to wireless client devices from a common remote DHCP server. The remote DHCP server may reside either on a host connected to the LAN segment that the TR-900’s Ethernet is attached to, or on a server that is beyond one or more routers.
-
Chapter 14: Client DHCP Configuration 14.2.1 Support for Clients with Static IP Addresses When using centralized DHCP server mode for a client access interface, client devices connected to that interface can be assigned static addresses within the client address space. However, for these client devices to roam successfully across TR-900s and third party access point bridges connected to the same LAN, they must employ duplicate address detection by sending out ARP requests for their own IP address.
-
Chapter 14: Client DHCP Configuration
> use sys
sys> set dhcp.relay.enable=yes
sys> set l2.client_mac_fwd=yes

In the example below, the central DHCP server and next WAN router reside on the same segment to which the TR-900’s Ethernet interface is connected.

> use sys
sys> set dhcp.relay.server=192.168.5.2
sys> set dhcp.relay.gateway=192.168.5.1

The example below shows how to set the DHCP mode parameters for the wlan1 and wlan2 interfaces.

> use wlan1
wlan1> set dhcp=server
wlan1> set wlan1.dhcp.relay.
-
Chapter 14: Client DHCP Configuration
On the “System” tab of the “System” page, set the “L2 Emulation” to “enabled”.

Figure 46. Centralized DHCP server mode settings

14.2.3 Configuring the Central DHCP Server
Guidelines for configuring the central DHCP server are provided below. The full configuration of the central DHCP server will depend on the type of DHCP server that is used and is beyond the scope of this document.
-
Chapter 14: Client DHCP Configuration
subnet 192.168.5.0 netmask 255.255.255.0 {
    option broadcast-address 192.168.5.255;
    option subnet-mask 255.255.255.0;
    option domain-name "domain.com";
    range 192.168.5.7 192.168.5.254;
}

Note that in this definition no “routers” option is needed. If a global “routers” option is defined, the TR-900 will automatically change it to an appropriate value in DHCP responses to client devices based on the centralized DHCP settings on the TR-900.
-
Chapter 15: Connecting an ER-1000 to a LAN
15 Connecting a TR-900 to a LAN
The options for connecting a TR-900 to a LAN are described below.

15.1 Routed mode
15.1.1 Manual Configuration
A TR-900 can be directly connected to a LAN without using Network Address Translation.
-
Chapter 15: Connecting an ER-1000 to a LAN
> use wlan1
wlan1> get ip.*_force
ip.address_force = 10.5.1.1
ip.broadcast_force = 10.5.1.255
ip.gateway_force =
ip.netmask_force = 255.255.255.0

Web GUI
The LAN prefix and node ID can be obtained by inspecting the IP addresses available on the “Status” page. The addresses of interest are the IP addresses for each of the active VAPs.
-
Chapter 15: Connecting an ER-1000 to a LAN
Web GUI
The NAT state can be set via the web interface on the “Wired Interface” page (Figure 47).

Figure 47. NAT and VPN settings

15.2 Bridge Mode
In bridge mode, the TR-900 can be connected to a LAN with minimal configuration. See section 12.2 for the parameters that are available to control bridging behavior.
-
Chapter 16: Controlling Access to the ER-1000
16 Controlling Access to the TR-900
The TR-900 supports the following features for restricting access to it, restricting inter-client device communication, and shielding client devices from an external network:
• Firewall
• Client-to-client communication blocking
• Gateway firewall

It further supports controlled network access by client devices through MAC address black lists.

BRIDGE 16.
-
Chapter 16: Controlling Access to the ER-1000
CLI
The firewall is enabled by selecting the ‘firewall’ interface and setting the ‘node.enable’ parameter.

> use firewall
firewall> set node.enable=yes

Lists of allowed source and destination ports for inbound TCP and UDP traffic can be specified. These lists can be set with the following parameters in the ‘firewall’ interface:
• node.tcp.allow.dest
• node.tcp.allow.source
• node.udp.allow.dest
• node.udp.allow.
-
Chapter 16: Controlling Access to the ER-1000
firewall> set gateway=yes

disable it with

> use firewall
firewall> set gateway=no

Web GUI
It is not possible to configure the state of the gateway firewall via the web interface.

16.3 Blocking Client-to-Client Traffic
Client-to-client traffic can be blocked or permitted on a per-interface basis.
-
Chapter 16: Controlling Access to the ER-1000 Web GUI The client isolation parameters can be set via the web interface on the “Firewall” tab on the “Security” page (see Figure 48). By setting an interface’s client isolation parameter to ‘yes’, client devices connecting to that interface will not be able to communicate with any other client devices connected to the TR-900. Figure 48.
-
Chapter 16: Controlling Access to the ER-1000 sharing applications. A number of parameters are available for tuning how connection tracking is handled. 16.4.1 Connection Tracking Table Size The size of the connection tracking table can be set. Allowed values are in the range from 4096 to 16384. A larger connection tracking table allows more connections to be maintained without dropping older connections.
-
Chapter 16: Controlling Access to the ER-1000
Web GUI
The connection tracking timeout is set with the “Conntrack Connection Timeout” field on the “Connections” sub-tab on the “Firewall” tab of the “Security” page (see Figure 48). This field is located under the “Connection Tracking” heading. Specify the timeout limit in seconds.

16.4.3 Limiting Number of TCP Connections Per Client Device
The number of TCP connections allowed per client device can be limited.
-
Chapter 16: Controlling Access to the ER-1000
rules for iptables, with the exception that the chain they are to be added to cannot be specified. All rules will be applied to the iptables forwarding chain. List one rule per line in the text box on the “Custom Rules” tab and click on the “Save and Apply Changes” button when all rules have been entered. The following examples of custom rules illustrate how to use the custom firewall interface.
-
Chapter 16: Controlling Access to the ER-1000
Figure 49. Custom firewall settings

16.6 Access Control Lists (ACLs)
The access control lists (ACLs) for the VAP interfaces (wlan1-wlan4) block access to any device with a MAC address matching those on the list. Individual ACLs can be defined for each VAP.

Web GUI
The ACLs can be defined via the web interface on the appropriate “wlanN” sub-tab under the “ACL” tab on the “Security” page as shown in Figure 50.
-
Chapter 16: Controlling Access to the ER-1000 Figure 50. VAP ACL configuration
-
Chapter 17: Quality of Service (QoS) Configuration
17 Quality of Service (QoS) Configuration

BRIDGE QoS rate limiting and reservations are not supported when the TR-900 is operating in bridge mode. Priority level settings are supported in bridge mode.

The TR-900 has extensive support for quality of service settings that allow traffic to be prioritized based on the source interface, destination interface, and type of traffic.
-
Chapter 17: Quality of Service (QoS) Configuration When sending data out through any of the wireless interfaces (wlanN), these hardware priorities map directly to the 802.11e hardware priority output queues on the wireless card. The default level for all traffic is Best Effort. To increase the hardware priority of all traffic originating from a particular interface, set the value of Min Hardware Priority to a value larger than 1.
-
Chapter 17: Quality of Service (QoS) Configuration
The example below shows how to configure the system such that all traffic from ‘wlan1’ with a ‘Voice’ or ‘Video’ priority will be reduced to a ‘Best Effort’ priority. Traffic with ‘Best Effort’ and ‘Background’ priorities will not be affected.

> use qos
qos> set in.wlan1.hwpri.max=2

The example below shows how to configure the system such that all traffic from ‘wlan2’ with a ‘Background’ or ‘Best Effort’ priority will be increased to a ‘Video’ priority.
-
Chapter 17: Quality of Service (QoS) Configuration Figure 52. Advanced QoS configuration (only settings for some interfaces are shown) 17.2 Rate Limiting A rate limit can be set at each QoS Control Point shown in Figure 53.
-
Chapter 17: Quality of Service (QoS) Configuration The maximum output data rate for interfaces can be limited with the Output Limit parameters for each client access interface. The default output limit value is applied to interfaces that have the Output Limit parameter set to ‘inherit’. Figure 53. Quality of Service rate limit control points Data rate limits can also be imposed based on traffic type through an interface.
-
Chapter 17: Quality of Service (QoS) Configuration wlan1, wlan2, wlan3, wlan4; and is one of the following: default, eth0, local, wlan1, wlan2, wlan3, wlan4. The ‘out.default.default.limit’ value is applied to interfaces that have the ‘out.
-
Chapter 17: Quality of Service (QoS) Configuration For rate reservations to be enforced, a rate limit must be set for the traffic type that the reservation is made for. Setting a rate limit for a broader traffic type, of which the one the reservation is made for is a subset, is also acceptable. For example, when making a rate reservation for voice traffic from wlan1 to eth0 (‘out.eth0.wlan1.vo.reserve’), a limit must be set with ‘out.eth0.limit’, ‘out.eth0.wlan1.limit’, or ‘out.eth0.wlan1.vo.limit’.
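The rule above can be checked mechanically over a set of ‘qos’ parameters. The sketch below is an added example, not part of this guide or of the TR-900 software; it assumes the parameters are available as a name-to-value mapping, treats an empty value as "not set", and uses constructed sample values.

```python
# Constructed sample of 'qos' interface parameters (not read from a real device).
SAMPLE_QOS = {
    "out.eth0.wlan1.vo.reserve": "512",
    "out.eth0.wlan1.limit": "2048",      # broader limit that covers the line above
    "out.eth0.wlan2.vo.reserve": "256",  # no limit at any level
    "out.wlan3.eth0.vo.reserve": "128",
    "out.wlan3.eth0.vo.limit": "",       # present but empty (assumed to mean not set)
}


def is_set(value):
    """Assumption: a parameter counts as set when its value is non-empty."""
    return value is not None and str(value).strip() != ""


def covering_limit_keys(reserve_key):
    """Return the limit parameters that can back a reservation, broadest first.

    'out.eth0.wlan1.vo.reserve' ->
    ['out.eth0.limit', 'out.eth0.wlan1.limit', 'out.eth0.wlan1.vo.limit']
    """
    parts = reserve_key.split(".")
    if len(parts) < 3 or parts[0] != "out" or parts[-1] != "reserve":
        raise ValueError(f"not an 'out.*.reserve' parameter: {reserve_key}")
    scope = parts[1:-1]
    return [
        "out." + ".".join(scope[:depth]) + ".limit"
        for depth in range(1, len(scope) + 1)
    ]


def unenforced_reservations(params):
    """Find reservations that have no rate limit at the same or a broader level.

    Returns {reserve_key: [limit keys, any one of which would make it enforceable]}.
    """
    problems = {}
    for key in sorted(params):
        if not key.endswith(".reserve") or not is_set(params[key]):
            continue
        candidates = covering_limit_keys(key)
        if not any(is_set(params.get(limit_key)) for limit_key in candidates):
            problems[key] = candidates
    return problems


if __name__ == "__main__":
    for reserve_key, fixes in unenforced_reservations(SAMPLE_QOS).items():
        print(f"{reserve_key}: set one of {', '.join(fixes)}")
```

The check does not model limits that take effect through the ‘inherit’ and default settings, so a reported reservation may still be covered by a default limit.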
-
Chapter 17: Quality of Service (QoS) Configuration CLI The parameters that are used to set these rate reservations are in the ‘qos’ interface and are of the form ‘out.
-
Chapter 18: Enabling VLAN Tagging
18 Enabling VLAN Tagging
The TR-900 supports VLAN tagging, with each client access interface capable of supporting a different VLAN tag.

18.1 Client Access Interface Configuration
VLAN tagging can be independently controlled on each client access interface (wlan1-4). The Enable VLAN parameters for the ‘wlan1’, ‘wlan2’, ‘wlan3’, and ‘wlan4’ interfaces control the state of VLAN tagging.
-
Chapter 18: Enabling VLAN Tagging Figure 55. Configuring VLAN for VAP interfaces 18.2 Ethernet Interface Configuration For VLAN tags to be preserved on traffic that traverses the Ethernet interface, VLAN support must be enabled for the Ethernet interface. The “Enable VLAN” parameter for the wired interface controls the state of VLAN tagging. If VLAN tagging is enabled on the Ethernet interface, all outbound traffic will have its VLAN tags preserved.
-
Chapter 18: Enabling VLAN Tagging
When VLAN is enabled for the wired interface, data frames forwarded by the TR-900 to the LAN will preserve their existing VLAN tag, if they have one. Frames that do not have a tag will be tagged with the default VLAN ID for the TR-900’s Ethernet interface. The VLAN ID must be in the range from 0 to 4095. Note that 0 and 4095 are reserved values and 1 is the default VLAN ID.

CLI
The example below shows how to enable VLAN tagging on the Ethernet interface using the ‘vlan.
-
Chapter 19: Integration with Enterprise Equipment
19 Integration with Enterprise Equipment
The TR-900 supports authentication, accounting, and monitoring services that easily integrate with enterprise equipment. In this section the following topics are described:
• Splash pages
• Layer 2 client emulation

BRIDGE Splash pages are not supported and Layer 2 emulation is unnecessary when operating in bridge mode.

19.1
-
Chapter 19: Integration with Enterprise Equipment
Use the ‘splash.auth.server.wlanN.enable’ parameters in the ‘sys’ interface to select whether a user is required to provide login credentials for a particular interface. The example below illustrates how to set the parameter for the wlan1 interface such that a user will be required to log in to access the network.

> use sys
sys> set splash.auth.server.enable.
-
Chapter 19: Integration with Enterprise Equipment 19.1.2 Configuring Splash URLs The URL that a user is redirected to for login purposes can be individually configured for each client access interface that supports splash pages (wlan1-4). URLs for successful login, failed login, and error conditions can also be specified for each interface. The ‘login URL’ parameter sets the URL that a user is redirected to when they attach to the interface and have not yet been authenticated.
-
Chapter 19: Integration with Enterprise Equipment Web GUI All of the splash page-related URLs can be set on the “Splash Pages” sub-tab under the “AAA” tab on the “System Parameters” page of the web interface (see Figure 57). 19.1.3 Sample HTML Code for Splash Pages The login HTML page must contain specific form information as shown in the sample code in Figure 58 and Figure 59. Figure 58 contains the code required for an interface that requires a login.
-
Chapter 19: Integration with Enterprise Equipment
Test Login Page
-
Chapter 19: Integration with Enterprise Equipment
• the port on the server that the RADIUS server is listening on
• the shared secret – must be a string of alphanumeric characters that is 32 characters or less in length.

CLI
The ‘splash.auth.server..host’, ‘splash.auth.server..port’, and ‘splash.auth.server..secret’ parameters in the ‘sys’ interface, where is either ‘wlan1’, ‘wlan2’, ‘wlan3’, or ‘wlan4’, specify the authentication server to use.
-
Chapter 19: Integration with Enterprise Equipment Figure 60. Adding trusted MAC addresses and accessible hosts 19.1.6 Bypass Splash Pages for Access to Specific Hosts It is possible to specify a list of IP addresses that client devices can access without the client devices having to view a splash screen. CLI The list of hosts that can be accessed without having to view a splash screen is set with the ‘splash.bypass_hosts’ parameter in the ‘sys’ interface.
-
Chapter 19: Integration with Enterprise Equipment Web GUI The IP addresses of hosts that can be accessed without having to view a splash screen can be set on the “Advanced Splash Pages” sub-tab under the “AAA” tab on the “System Parameters” page of the web interface (see Figure 60). The list of IP addresses of bypassed hosts is displayed on this page. To delete an IP address from the list, click on the “Delete Host” button next to the IP address. 19.2 Layer 2 Emulation Certain back-end systems (e.g.
-
Chapter 19: Integration with Enterprise Equipment
> use sys
sys> set l2.hide_internal.enable=yes
sys> set l2.hide_internal.gateway.deny.all=yes

Web GUI
The state of layer 2 emulation is set on the “System” tab of the “System” page (see Figure 61). The console interface in the web GUI must be used to configure which address ranges the TR-900 responds to ARP requests for. See the CLI section above for parameter names and set these using the console interface (see section 9.10).

Figure 61.
-
Chapter 20: Diagnostics Tools 20 Diagnostics Tools The TR-900 has a number of diagnostics tools to help the user diagnose and correct configuration issues. These tools are available on the “Diagnostics” page, accessible from the navigation bar. The individual diagnostics tools are accessible from the row of tabs shown on the “Diagnostics” page. 20.1 Ping The “Ping” tab on the “Diagnostics” page allows the user to check for network connectivity by pinging a remote device (see Figure 62).
-
Chapter 20: Diagnostics Tools Figure 63. Determining the route from the TR-900 to a remote device using traceroute 20.3 Packet Capture The “Packet Capture” tab on the “Diagnostics” page allows the user to capture traffic on the TR-900’s network interfaces (see Figure 64). The captured data can either be displayed in the web interface or saved to a file that can be downloaded and analyzed using 3rd-party tools, such as Wireshark (http://www.wireshark.org/).
-
Chapter 20: Diagnostics Tools
1. Set “Interface” to the one that the client device is attached to
2. Set “Protocol” to “all”
3. Set “Packet Count” to “500”
4. Set “Packet Length” to 500
5. Set the “Optional Host” to the IP address of the client device of interest
6. Set “Output” to “File”
7. Click on “Start Capture”
8. Allow the capture to complete automatically when the prescribed number of packets has been captured or click on “Stop Capture” to halt the capture
9.
-
Chapter 20: Diagnostics Tools Option Interface Protocol Packet Count Show Host Names Show MAC addresses Packet Length Optional Host Optional Port Common Protocols Optional Additional Parameters Output Output File Prefix Description Selects the interface from which packets are captured. Note that some packets may be available on multiple interfaces. For example, data from a client device connected to wlan1 destined for a device on the Internet will pass through wlan1 and the wired interface.
-
Chapter 20: Diagnostics Tools
20.5 RADIUS Server Testing
The “RADIUS” tab on the “Diagnostics” page can be used to test authentication of credentials by a RADIUS server used for splash page or WPA authentication (see Figure 66). Use the procedure below to test the validity of credentials with a RADIUS server.
1. Select the RADIUS server you want to use for the test from the drop-down menu
2. Enter the credentials you want to test in the “Username” and “Password” fields
3.
-
Chapter 20: Diagnostics Tools Figure 67. Generating a diagnostic dump The list of diagnostic dumps available for download is displayed at the bottom of the page. The diagnostic dumps can be downloaded by clicking on the filenames. To delete one or more diagnostic dumps, select the check boxes next to the ones you wish to delete and then click on the “Delete Selected” button.
-
Chapter 21: Firmware Management
21 Firmware Management
21.1 Displaying the Firmware Version
The firmware version string contains the following information:
• Build date
• Major version number
• Minor version number
• Build number

These values are embedded in the version string as follows:

enroute1000_<Build date>_<Major version>_<Minor version>_<Build number>

CLI
Firmware version information is available in the ‘version’ interface.
-
Chapter 21: Firmware Management If power to the TR-900 is lost during the upgrade process, it is possible that the device will become inoperable. The firmware can be upgraded using the “Upgrade” page.
-
Glossary

Client access interface
An interface on the TR-900 used by a client device, such as an 802.11-enabled laptop, to connect to the TR-900. The client access interfaces are the virtual APs wlan1 – wlan4.

Client device
A device that is connected to one of the TR-900’s client access interfaces, e.g. a laptop

Client address scheme
The method used to assign address spaces to client address interfaces. The two supported client address schemes are implicit and explicit.
-
Abbreviations

ACL   Access Control List
AP    Access Point
CLI   Command line interface