-
Document No. TR0153 Rev E2 EnRoute50x/51x User’s Guide Rev. E1 Communicate Without Boundaries Tranzeo Wireless Technologies Inc. 19473 Fraser Way, Pitt Meadows, BC, Canada V3Y 2V4 www.tranzeo.com technical support email: support@tranzeo.
-
Tranzeo, the Tranzeo logo and EnRoute500 are trademarks of Tranzeo Wireless Technologies Inc. All rights reserved. All other company, brand, and product names are referenced for identification purposes only and may be trademarks that are the properties of their respective owners. Copyright © 2007, Tranzeo Wireless Technologies Inc.
-
FCC Notice to Users and Operators
This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) This device must accept any interference received, including interference that may cause undesired operation. This equipment has been tested and found to comply with the limits for Class B Digital Device, pursuant to Part 15 of the FCC Rules.
-
Table of Contents
1 Working with the EnRoute500
1.1 EnRoute500 Variants
1.2 EnRoute500 Capabilities
1.3 Network Topology
-
4.5.7 ‘get’ command
4.5.8 ‘list’ command
4.5.9 ‘ping’ command
4.5.10 ‘ifconfig’ command
-
8.17 CLI Timeout
9 Client Addressing Schemes
9.1 Implicit Addressing Scheme
9.1.1 LAN Prefix
-
13 Client IP Configuration via DHCP
13.1 Using the Local DHCP Server
13.2 Using a Centralized DHCP Server
13.2.1 Support for Clients with Static IP Addresses
13.2.2 Configuring the EnRoute500s
-
18.2 Layer 2 Emulation
19 Diagnostics Tools
19.1 Ping
19.2 Traceroute
-
1 Working with the EnRoute500
Thank you for choosing the Tranzeo EnRoute500 Wireless Mesh Router. The EnRoute500 allows a wireless mesh network to be rapidly deployed with minimal configuration required by the end user. This user’s guide presents a wide array of configuration options, but only a limited number of options have to be configured in order to deploy a mesh network of EnRoute500s. 1.
-
1.2 EnRoute500 Capabilities
The EnRoute500 is capable of automatically forming a mesh network that allows devices that are connected to it, either with a wired or a wireless connection, to communicate with each other and external networks that are accessed through gateway devices. The EnRoute500 has two radios, an 802.11a mesh backhaul radio and an access point radio for 802.11b/g-client devices.
-
Figure 2. Internet extension network
An Internet extension network (shown in Figure 2) is typically used when the goal is to provide Internet access to a number of clients that connect to the mesh network. Alternatively, this configuration can be used to provide access for client devices to remote resources on a private network. The key feature to note is that there is a gateway device that provides access from the mesh network to an external network.
Figure 3.
-
Mesh neighborhood – a group of two or more EnRoute500 devices with at least one configured as a gateway
Mesh device – a single EnRoute500 that is part of a mesh network
1.5 EnRoute500 Interfaces
The interfaces available on the EnRoute500 are Ethernet and two radio ports. On the EnRoute5x1 models, an external AC power port is also present.
Figure 4. EnRoute500 interfaces. EnRoute501 shown. Callouts: AP radio port, Mesh radio port, Power, Ethernet
-
Interface                   Description
Power (EnRoute 5x1 only)    Power input (100-240VAC 50-60 Hz)
Mesh radio port             N-type antenna connector for mesh radio
AP radio port               N-type antenna connector for access point radio
Ethernet                    10/100 Mbit Ethernet interface
Passive PoE                 PoE power input (9-28VDC, 12W). Not compatible with IEEE 802.3af
Table 2. EnRoute500 Interfaces
1.5.1 Ethernet and PoE
The EnRoute500 has a 10/100 Ethernet port that supports passive Power over Ethernet (PoE).
-
DO NOT CONNECT ANY DEVICE OTHER THAN THE ENROUTE500 TO THE PORT LABELED “CPE” ON THE PoE INJECTOR. NETWORK EQUIPMENT THAT DOES NOT SUPPORT PoE CAN BE PERMANENTLY DAMAGED BY CONNECTING TO A PoE SOURCE. NOTE THAT MOST ETHERNET INTERFACES ON PERSONAL COMPUTERS (PCs), LAPTOP/NOTEBOOK COMPUTERS, AND OTHER NETWORK EQUIPMENT (E.G. ETHERNET SWITCHES AND ROUTERS) DO NOT SUPPORT PoE. 1.5.
-
1.6.2 AP Channel Selection
The access point radio channels used by the EnRoute500s in a mesh neighborhood may differ. It is advisable to use different access point channels for adjacent mesh devices to reduce interference. However, it may be more important to select the access point channel based on the presence of other 802.11 devices in the area rather than configuring it to be different than that of an adjacent EnRoute500.
-
2 Connecting to the EnRoute500
The EnRoute500 can be configured and monitored by connecting to one of its network interfaces. The wired Ethernet interface on the EnRoute500 should be used for initial configuration of the device, but other network interfaces can be used to connect to the device after initial configuration has been completed.
2.1 Network Interfaces
The EnRoute500 has several network interfaces, as shown in Table 4.
-
Note that the “Static Configuration” interface is the only interface that has a fixed address that cannot be changed by the user. Since this interface is known to always be present, it can be used for initial configuration and for accessing devices whose configuration settings are unknown.
2.2 Connecting to an Unconfigured EnRoute500
Use the Static Configuration interface with IP address 169.254.253.253 and netmask 255.255.0.
-
If you are configuring multiple EnRoute500s with the same computer in rapid succession, it may be necessary to clear the ARP cache since the IP addresses for the EnRoute500s will all be the same, but the MAC addresses will vary. The following commands can be used to clear the ARP cache:
Windows XP (executed in a command prompt window)
arp -d *
to clear the entire cache, or
arp -d 169.254.253.253
to just clear the EnRoute500 entry
Linux
arp -d 169.254.253.253
2.
-
3 Using the Web Interface
The EnRoute500 has a web interface accessible through a browser that can be used to configure the device and display status parameters.
3.1 Accessing the Web Interface
You can access the web interface by entering one of the EnRoute500’s IP addresses in the URL field of a web browser (see section 2.2 for a description of how to access an unconfigured EnRoute500 using its Ethernet interface).
-
A configuration overview page is loaded by default after the login process has been completed.
-
3.2 Navigating the Web Interface
The web interface uses a three-tiered navigation scheme.
1. The first tier of navigation is the navigation bar shown on the left side of the screen. This navigation bar is displayed on all pages in the web interface and remains the same on all pages.
2. The second tier of navigation is the primary row of tabs shown across the top of the screen on many of the pages in the web interface.
-
configuration, click on the “Save Changes” button. It typically takes a few seconds to save the changes, after which the page will be reloaded. For the changes to take effect, the EnRoute500 must be rebooted. After a change has been committed, a message reminding the user to reboot the EnRoute500 will be displayed at the top of the screen.
Figure 9. Page showing "Save Changes" button and message prompting the user to reboot
3.
-
Figure 10. Rebooting the EnRoute500
-
4 Using the Command Line Interface
All configurable EnRoute500 parameters can be accessed with a Command Line Interface (CLI). The CLI allows you to:
• Modify and verify all configuration parameters
• Save and restore device configurations
• Reboot the device
• Upgrade the firmware
4.1 Accessing the CLI
The EnRoute500’s command-line interface (CLI) is accessible through its network interfaces using an SSH client.
-
4.3 CLI Interfaces
The CLI provides the user with a number of interfaces that contain related parameters and controls. Some of these interfaces are hardware interfaces, such as Ethernet, while others are virtual interfaces that contain a set of related parameters.
-
4.4.3 Searching the Command History
The command history can be searched by pressing Ctrl+R and entering a search string. The most recently executed command that matches the string entered will be displayed. Press ‘Enter’ to execute that command.
4.4.4 Executing a Previous Command
By using the up and down arrow keys you can select previously executed commands.
-
4.5.3 ‘help’ command
Syntax
help [command|parameter]
where the optional argument is either one of the CLI commands (“[command]”) or a parameter in the currently selected interface (“[parameter]”).
Description
When no argument follows the help command, a help menu showing a list of available commands is displayed. When a command is supplied as the argument, a help message for that particular command is displayed.
-
4.5.5 ‘use’ command
Syntax
use <interface>
where <interface> is one of the EnRoute500’s interfaces. A complete list of interfaces is available with the ‘show’ command.
Description
Selects an interface to use. By selecting an interface you can view and modify the parameters associated with the interface.
Example
use mesh0
will select the backhaul mesh radio interface and change the CLI prompt to
mesh0>
to reflect the interface selection.
-
4.5.6 ‘set’ command
Syntax
set <parameter>=<value>
where <parameter> is the parameter being set and <value> is the value it is being set to.
Description
Sets a configuration parameter. Note that it is only possible to set the parameters for the currently selected interface. If the value of the parameter contains spaces, the value must be surrounded by double quotes (" ").
-
4.5.7 ‘get’ command
Syntax
get <parameter>
where <parameter> is the parameter whose value is being fetched.
Description
Gets the value of one or more configuration parameters for the currently selected interface. The ‘*’ character can be used as a wildcard. This allows multiple values to be fetched with a single command.
Example
With the ‘sys’ interface selected
get id.node
will return the node’s ID, while
get id.
-
4.5.8 ‘list’ command
Syntax
list
Description
Lists all parameters for the selected interface
Example
With the ‘firewall’ interface selected
list
will display
firewall.gateway.enable : prevent uninitiated incoming connections past the gateway?
firewall.node.allowc2c.eth0 : allow clients to see each other if .role=access
firewall.node.allowc2c.wlan1 : allow clients to see each other if .role=access
firewall.node.allowc2c.
-
4.5.10 ‘ifconfig’ command
Syntax
ifconfig <interface>
Description
Displays information, such as IP address and MAC address, for the specified network interface.
Example
ifconfig wlan1
will display
wlan1 Link encap:Ethernet HWaddr 00:15:6D:52:01:FD
inet addr:10.2.10.1 Bcast:172.29.255.255 Mask:255.255.0.
4.5.11
-
4.5.13 ‘history’ command
Syntax
history
Description
Shows the command history since the EnRoute500 was last rebooted
Example
After switching to the ‘wlan1’ interface, inspecting the ESSID setting, and then changing it
history
will display
1: use wlan1
2: get essid
3: set essid=new_ap_essid
-
4.5.14 ‘!’ command
Syntax
!<number>
!<string>
!!
Description
Executes a previously-executed command based either on a command history number or matching a string to the start of a previously-executed command. Note that there is no space between the ‘!’ and the argument. The ‘history’ command shows the command history, with a number preceding each entry in the command history.
-
4.5.15 ‘exit’ command
Syntax
exit
Description
Terminates the current CLI session and logs out the user
4.5.16 ‘quit’ command
Syntax
quit
Description
Terminates the current CLI session and logs out the user
-
5 Initial Configuration of an EnRoute500
This user’s guide provides a comprehensive overview of all of the EnRoute500’s features and configurable parameters. However, it is possible to deploy a network of EnRoute500s while only changing a limited number of parameters. The list below will guide you through a minimal configuration procedure that prepares a network of EnRoute500s for deployment.
1 Change the ‘admin’ password.
-
After these settings have been changed, the EnRoute500s will be able to form a mesh neighborhood so that further configuration can be done from a central location, using the connectivity provided by the mesh. This minimal configuration must be performed prior to deployment, but all other configuration can be carried out after deployment.
-
Figure 11. Initial configuration web page
-
6 Status Information
Multiple web interface pages that display status information about the EnRoute500 and client devices attached to it are available. These web pages are accessible by clicking on the “Status” link in the navigation bar and then selecting the appropriate tab shown at the top of the page. The status information is not accessible through the CLI. 6.
-
Links labeled “(change)” are shown next to the settable parameters. These links take you to the appropriate page to change the setting.
6.2 Interface Status
Traffic and neighbor information for the mesh, virtual AP, and wired interfaces are available on the “Status” tab of the “Status” page. Select the appropriate interface for which you wish to view information from the row of tabs below the primary tab row. 6.2.
-
Figure 13. Mesh status information
6.2.2 Wired Interface Status
The wired interface status page is similar to the wireless interface status pages, with the exception that it only displays summary information for the interface and does not break down data transferred on a per-device basis.
-
Figure 14. Wired interface status information
6.3 Routing Table
The routing table used by the device can be displayed by selecting the “Routing” tab on the “Status” page.
Figure 15. Routing table
-
6.4 ARP Table
The device’s ARP table can be displayed by selecting the “ARP” tab on the “Status” page.
Figure 16. ARP table
6.5 Event Log
The main system log for the device is accessible by selecting “Event Log” on the “Status” page. The log is displayed in reverse chronological order, with the last recorded event appearing at the top of the page.
-
Figure 17. Event log
The time reported in the Event Log corresponds to the time maintained by the EnRoute500 and may not be consistent with that shown in the upper left corner of the webpage, as this is the time maintained by the computer running the web browser.
6.6 DHCP Event Log
The log of DHCP-related events for the device is accessible by selecting “DHCP Events” on the “Status” page.
-
Figure 18. DHCP event log
The time reported in the DHCP Log corresponds to the time maintained by the EnRoute500 and may not be consistent with that shown in the upper left corner of the webpage, as this is the time maintained by the computer running the web browser.
-
7 Configuration Profile Management
Configuration profiles describe an EnRoute500’s configuration state and can be created to simplify the provisioning and management of devices.
-
7.2 Load a Configuration Profile
A configuration stored on the EnRoute500 can be applied using the “Load” tab on the “Profile Management” page. This profile must either have been saved earlier or uploaded to the EnRoute500. Choose a profile name from the “Existing Profiles” box and then click on “Load Profile”. It is necessary to reboot the EnRoute500 for the loaded profile settings to take effect.
-
After loading the same profile to multiple EnRoute500s, at a minimum the node ID of the devices must be changed if they are to operate on the same mesh neighborhood. It is recommended that after the same profile is loaded onto multiple EnRoute500s, the parameters in the minimal configuration webpage are reviewed for each. 7.
-
Figure 22. Downloading a configuration profile from an EnRoute500
7.5 Uploading a Configuration Profile to an EnRoute500
A configuration profile can be uploaded to an EnRoute500 using the “Upload to node” tab on the “Profile Management” page. Use the “Browse” button to select a profile file on your host computer for upload to the EnRoute500. Alternatively, enter the file name by hand in the text box adjacent to the “Browse” button.
-
8 System Settings
This section describes settings that are applicable to the overall operation of the EnRoute500, but are not related directly to a particular interface.
8.1 User Password
The password for the ‘admin’ user is configurable. The default password is ‘default’. See section 2.4 for instructions on resetting the ‘admin’ password if it has been lost.
CLI
The password for the ‘admin’ user can be set using the ‘password.admin’ parameter in the ‘sys’ interface.
-
8.2 Operating Scheme
The operating scheme determines an EnRoute500’s role in the mesh network. Typically one of two configurations will be used in a network:
• All EnRoute500s will be configured as repeater devices to create a stand-alone mesh neighborhood
• At least one of the EnRoute500s in a mesh neighborhood will be configured as a gateway device, with the remaining devices configured either as gateways or repeaters.
-
Figure 25. Setting system parameters
8.3 Using Multiple Gateways
It is possible to have more than one gateway device per mesh neighborhood to provide redundancy. The simplest method for creating a second gateway for a mesh neighborhood is to save the profile from the existing gateway, apply it to the device that will become the second gateway, and change at a minimum the following parameters on the new gateway:
• Node ID (see section 8.
-
It is important that all gateways for a common mesh neighborhood connect to the same LAN segment/VLAN trunk, such that the gateways can receive each other's control messages over the wired backhaul.
8.4 Mesh / Node ID
An EnRoute500 must be assigned mesh and node IDs before it is deployed as part of a mesh neighborhood.
-
It is recommended that the mesh prefix default value of 172.29 is used.
CLI
The mesh prefix is set with the ‘id.meshprefix’ parameter in the ‘sys’ interface as shown in the example below.
> use sys
sys> set id.meshprefix=172.29
Web GUI
The mesh prefix can be set via the web interface using the “Mesh” tab on the “Wireless Interfaces” page.
Figure 27. Setting the mesh prefix
8.
-
The internal subnets include by default the mesh subnet, the client access interface subnets, and, if centralized DHCP server mode is enabled, the DHCP client address space subnet. These subnets are automatically listed as internal without requiring the user to specifically identify them as such. It is possible to manually add other subnets to the list of subnets that should be considered internal to the mesh.
-
Web GUI
A primary and secondary DNS server can be set via the web interface using the “DNS” tab on the “System Parameters” page.
Figure 28. Setting the DNS and Netbios server(s)
8.8 DNS Proxy Configuration
DNS proxy entries can be added to an EnRoute500 to force local resolution of host names to IP addresses for the hosts in the proxy list.
-
Web GUI
DNS proxy can be enabled on the “DNS Proxy” sub-tab on the “DNS” tab on the “System Parameters” page as shown in Figure 29. Hostname/IP address pairs can be added on this page as well.
Figure 29. Configuring DNS proxy
8.9 NetBIOS Server
The NetBIOS server parameter is used to define a NetBIOS server’s IP address that is provided to client devices when they connect to the EnRoute500’s local DHCP server.
CLI
The NetBIOS server is set with the ‘netbios.
-
8.10 SNMP
The EnRoute500 supports SNMP. The read-only and read-write passwords and the port that SNMP uses can be configured. A contact person and device location can also be specified as part of the SNMP configuration.
CLI
The SNMP read-only and read/write passwords are set with the ‘snmp.community.ro’ and ‘snmp.community.rw’ parameters in the ‘sys’ interface. The example below shows how to set these parameters.
> use sys
sys> set snmp.community.
-
Figure 30. SNMP configuration
8.11 Location
Two types of device location information can be stored:
• Latitude/longitude/altitude
• Postal address or description of a device’s location
Note that these values are not automatically updated and must be entered after a device has been installed. Altitude is in meters.
-
> use sys
sys> set location.gps.latitude="34.01"
A description of the EnRoute500’s location can be stored in the ‘location.postal’ field in the ‘sys’ interface. For example, you can set the location value as shown below.
> use sys
sys> set location.postal="Light post near 123 Main St., Anytown, CA"
Web GUI
The location information can be set via the web interface using the “Location” tab on the “System Parameters” page.
Figure 31.
-
CLI
The cluster name is set with the ‘info.cluster’ parameter in the ‘sys’ interface. This parameter can be set as shown in the example below.
> use sys
sys> set info.cluster="Campus network"
Web GUI
The cluster name can be set via the web interface using the “Location” tab on the “System Parameters” page (see Figure 31). Use the “Cluster Name” field to set the cluster name. 8.
-
automatically synchronize their clocks with the mesh gateway. The delay between completion of booting and when a repeater synchronizes its clock can be configured. This delay is designed so that if the entire mesh network is rebooted at the same time, the gateway can first synchronize to the external time server, then each repeater, following the delay, will synchronize with the gateway.
-
The synchronization delay and server can be set on the “Time” tab on the “System” page when the device is configured as a repeater. When automatic synchronization is disabled, the user can set the EnRoute500’s UTC time (Figure 33). Enter the time using the available drop-down menus and check the “Change Time” checkbox.
Figure 33. Setting the time manually
8.
-
Figure 34. Web interface console
8.16 OnRamp Configuration Access
ONRAMP IS A PC-BASED TOOL THAT WILL BECOME AVAILABLE TO SUPPORT INITIAL CONFIGURATION OF THE ENROUTE500. IT HAS NOT BEEN RELEASED AT THE TIME OF THE WRITING OF THIS DOCUMENT. CHECK WWW.TRANZEO.COM/ONRAMP FOR ONRAMP STATUS. IT IS RECOMMENDED THAT ONRAMP CONFIGURATION ACCESS IS DISABLED UNTIL THE TOOL IS MADE AVAILABLE.
The OnRamp utility provides network detection and configuration capabilities for EnRoute500s.
-
CLI
The OnRamp configuration capability is controlled by the ‘provisioning.enable’ parameter in the ‘sys’ interface. Set this parameter to ‘0’ to disable configuration through OnRamp, as shown in the example below.
> use sys
sys> set provisioning.enable=0
Web GUI
The OnRamp configuration capability is set on the “OnRamp” tab on the “Security” page (see Figure 35).
Figure 35. OnRamp configuration access
8.
-
9 Client Addressing Schemes
The choice of client addressing scheme affects how EnRoute500 client access interface addresses are assigned. The EnRoute500 can be configured to use an implicit addressing scheme for its client access interfaces, or explicit addresses can be assigned to each client access interface. The addressing scheme choice also affects what the addresses of clients will be when the device is not operating in centralized DHCP server mode.
-
Figure 36. Setting the addressing scheme
9.1 Implicit Addressing Scheme
The implicit addressing scheme requires a class C network, which has a unique address within a mesh, to be shared between all active client access interfaces. The subnet address space is based on the mesh ID, node ID, and LAN prefix as shown in Figure 37.
10 (LAN prefix) . 12 (Mesh ID) . 107 (Node ID) . 0
Figure 37.
-
The default division of the class C address space is shown in Table 7. It is possible to change this configuration, assigning larger address spaces to certain interfaces if not all interfaces are enabled.
Interface   Interface address   Broadcast address   Client device address range
wlan1       subnet.1            subnet.127          subnet.2-126
wlan2       subnet.129          subnet.159          subnet.130-158
wlan3       subnet.161          subnet.191          subnet.162-190
wlan4       subnet.193          subnet.223          subnet.
eth0        subnet.225          subnet.255
-
• The IP address range start address (‘ip.implicit.start.requested’ in the CLI) must be one of the following values: 1, 33, 65, 97, 129, 161, 193, 225.
• The IP address range size (‘ip.implicit.size.requested’ in the CLI) must be one of the following values: 31, 63, 127, 255.
• The IP address range size and start address must be chosen such that the address segment does not cross a netmask boundary. Table 8 lists allowed combinations.
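The Figure 37 subnet layout and the start/size rules above, worked through as an added example (not code from Tranzeo or from this guide). Table 8 is not reproduced on this page, so the alignment test is an assumption inferred from the Table 7 defaults; the function names and the (start, size) pairs in TABLE7_DEFAULTS are constructed for illustration.

```python
import ipaddress

# Values the guide allows for 'ip.implicit.start.requested' and
# 'ip.implicit.size.requested'.
ALLOWED_STARTS = (1, 33, 65, 97, 129, 161, 193, 225)
ALLOWED_SIZES = (31, 63, 127, 255)

# Table 7 defaults rewritten as (start, size) pairs (constructed from the
# interface and broadcast addresses listed in the table).
TABLE7_DEFAULTS = {
    "wlan1": (1, 127), "wlan2": (129, 31), "wlan3": (161, 31),
    "wlan4": (193, 31), "eth0": (225, 31),
}


def implicit_subnet(lan_prefix, mesh_id, node_id):
    """Class C network of a node: <LAN prefix>.<mesh ID>.<node ID>.0 (Figure 37)."""
    for name, value in (("LAN prefix", lan_prefix), ("mesh ID", mesh_id),
                        ("node ID", node_id)):
        if not 0 <= value <= 255:
            raise ValueError(f"{name} {value} does not fit in one IPv4 octet")
    return ipaddress.ip_network(f"{lan_prefix}.{mesh_id}.{node_id}.0/24")


def check_segment(start, size):
    """Return the rule violations for one requested segment (empty list = OK)."""
    problems = []
    if start not in ALLOWED_STARTS:
        problems.append(f"start {start} is not an allowed value")
    if size not in ALLOWED_SIZES:
        problems.append(f"size {size} is not an allowed value")
    # Assumed reading of "does not cross a netmask boundary": the block from
    # the network address (start-1) to the broadcast address (start+size-1)
    # holds size+1 addresses and must be aligned to that length.
    if not problems and (start - 1) % (size + 1) != 0:
        problems.append(f"start {start} with size {size} crosses a netmask boundary")
    return problems


def plan_segments(subnet, requests):
    """Map {interface: (start, size)} to per-interface addressing plus errors."""
    base = subnet.network_address
    layout, errors, accepted = {}, {}, {}
    for iface, (start, size) in requests.items():
        problems = check_segment(start, size)
        if not problems:
            block = range(start - 1, start + size)  # network .. broadcast
            for other, used in accepted.items():
                if block.start < used.stop and used.start < block.stop:
                    problems.append(f"overlaps the segment requested for {other}")
        if problems:
            errors[iface] = problems
            continue
        accepted[iface] = block
        layout[iface] = {
            "address": str(base + start),                # interface address
            "broadcast": str(base + start + size - 1),
            "clients": (str(base + start + 1), str(base + start + size - 2)),
            "prefixlen": 32 - (size + 1).bit_length() + 1,
        }
    return layout, errors


if __name__ == "__main__":
    net = implicit_subnet(10, 12, 107)  # the Figure 37 example values
    good, bad = plan_segments(net, TABLE7_DEFAULTS)
    for iface, seg in good.items():
        print(iface, seg)
    # A request that breaks the rules: 33/63 is misaligned.
    print(plan_segments(net, {"wlan1": (33, 63)})[1])
```

Running the same check over the requested values before committing them shows in advance when ‘ip.implicit.start.actual’ and ‘ip.implicit.size.actual’ are likely to differ from what was requested.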
-
The actual start address and size of a segment are accessible via the ‘ip.implicit.start.actual’ and ‘ip.implicit.size.actual’ parameters. These values may differ from the requested values if the rules for setting these parameters were not followed.
Web GUI
The address space segments’ start addresses and sizes can be set via the web interface using the “DHCP” sub-tab on the “DHCP” tab on the “System Parameters” page (see Figure 38).
Figure 38.
-
9.2 Explicit Addressing Scheme
When using the explicit addressing scheme, the IP parameters for each interface must be specified manually on the “Wireless Interface” and “Wired/Backhaul Interface” pages. When specifying the IP addresses and subnet sizes for the client access interfaces, the following rules should be followed:
• Specify IP address and subnet combinations that do not lead to misalignment, e.g. 10.0.0.
-
10 Mesh Radio Configuration
The EnRoute500 has an 802.11a radio dedicated to mesh backhaul traffic. The settings for this radio are independent of any settings for the radio used for the EnRoute500’s built-in virtual access points. The channel, SSID, and encryption settings for the mesh radio must be the same on all EnRoute500s in a given mesh neighborhood for them to be able to communicate.
Figure 39. Mesh interface parameters
10.1 Channel
The 802.
-
All the devices in a mesh neighborhood need to be configured to use the same 802.11a channel.
CLI
The mesh radio channel is set with the ‘channel’ parameter in the ‘mesh0’ interface as shown in the example below.
> use mesh0
mesh0> set channel=157
Web GUI
The mesh radio channel can be set via the web interface using the “Mesh” tab on the “Wireless Interfaces” page (see Figure 39). 10.
-
10.3 Encryption
The mesh radio link can be protected with an encryption key to prevent unauthorized users from intercepting or spoofing mesh traffic. Each EnRoute500 in a mesh neighborhood must have the same mesh radio encryption key.
CLI
To enable encryption, set the ‘key’ parameter in the ‘mesh0’ interface. The examples below illustrate how to set the encryption key.
-
devices in a mesh to reduce the likelihood of asymmetric links. The default transmit power is 21 dBm. If the transmit power is set to a value in excess of what can be supported by the mesh radio, the actual radio output power will be the highest power supported by the mesh radio.
CLI
The example below shows how to set the mesh radio’s transmit power cap with the ‘txpower’ parameter in the ‘mesh0’ interface.
-
> use mesh0
mesh0> set fabric.rssi.join=27
> use mesh0
mesh0> set fabric.rssi.margin=3
Web GUI
The mesh radio RSSI thresholds can be set via the web interface using the “Mesh” tab on the “Wireless Interfaces” page (see Figure 39).
10.6 IP Configuration
The IP address, broadcast address, and netmask associated with the mesh radio interface can be viewed through the CLI and web interfaces. It is not possible to directly set these values though.
-
11 Ethernet Interface Configuration
The function of the Ethernet interface (eth0) depends on the operating scheme that has been selected (see section 8.2). In repeater mode, the Ethernet interface can be used to connect client devices to the mesh neighborhood. In gateway mode, the Ethernet interface is used as a backhaul interface that connects the mesh neighborhood to a WAN. Client devices cannot connect through the Ethernet interface in this mode. 11.
-
11.1.2 Ethernet Interface IP Configuration

The EnRoute500’s Ethernet interface IP configuration can be changed directly when it is in repeater mode and using the explicit addressing scheme. It should not be changed directly when the device is in repeater mode and using the implicit addressing scheme.
-
ip.netmask_force=255.255.255.0

Web GUI
The current Ethernet IP settings can be viewed through the web interface on the “Config Overview” tab on the “Status” page. When using the implicit addressing scheme, the Ethernet IP settings can be changed by altering the node ID, mesh ID, and LAN prefix settings on the “System” parameters tab on the “System Parameters” page.
-
11.2 IP Configuration for Gateway Devices

When an EnRoute500 is configured as a gateway, the Ethernet interface is used to provide backhaul capability by connecting it to a WAN or directly to the Internet. Clients cannot connect to the EnRoute500 through the Ethernet interface when operating in this mode. The Ethernet interface IP address can either be acquired from a DHCP server on the WAN or be set manually.

Figure 41.
-
The DHCP reserve parameter (described in section 13.1) has no effect when the DHCP mode parameter is set to ‘client’. To disable Ethernet DHCP client mode, set the DHCP mode to ‘none’. If DHCP client mode is disabled, the IP configuration must be carried out manually, as described in the next section.

CLI
To set the DHCP mode to ‘client’ on the Ethernet interface, set the value of the ‘dhcp.
-
The IP configuration settings shown in the ‘eth0’ interface in the CLI and on the “Wired/Backhaul Interface” page of the web interface do not necessarily reflect the current settings of the interface. They are the requested settings and do not take into account whether the interface has been configured via DHCP. If the Ethernet DHCP mode is set to ‘client’, the ‘ip.address’, ‘ip.broadcast’, ‘ip.gateway’, and ‘ip.
-
Chapter 12: Virtual Access Point (VAP) Configuration

12 Virtual Access Point (VAP) Configuration

The EnRoute500 has an 802.11b/g radio dedicated to access point traffic. The settings for this radio are independent of any settings for the radio used for the mesh backhaul traffic.
-
12.1 Access Point Interfaces

There are four interfaces that are used to configure the VAPs: wlan1, wlan2, wlan3, and wlan4. The VAPs have equivalent configuration capabilities and there is no inherent prioritization or preference for one VAP. The section on quality-of-service settings (section 16) describes how prioritization on a per-VAP basis can be configured.

12.
-
Mode value   Mode
2            802.11b
3            802.11b/g

Table 10. VAP mode value/mode mapping

Web GUI
The VAP’s client type mode can be set via the web interface using the appropriate “wlanN” tab on the “Wireless Interfaces” page (see Figure 42). Two client type options are available: “802.11b only” and “802.11b/g”.

12.
-
ip.netmask_force =
ip.implicit.size.actual = [read-only]
ip.implicit.size.requested = 31
ip.implicit.start.actual = [read-only]
ip.implicit.start.requested = 1

When an EnRoute500 is using the implicit addressing scheme, the VAP IP settings can be changed by altering the ‘id.node’, ‘id.mesh’, and ‘id.lanprefix’ parameters in the ‘sys’ interface and the ‘ip.implicit.start.requested’ parameter in the appropriate ‘wlanN’ interface.
-
Figure 43. Access point and wired DHCP and address space settings

12.5 Channel

The 802.11b/g radio can be set to operate in the channels listed in Table 11.
-
Channel   Center Frequency (GHz)
1         2.412
2         2.417
3         2.422
4         2.427
5         2.432
6         2.437
7         2.442
8         2.447
9         2.452
10        2.457
11        2.462

Table 11. Access point channels and associated center frequencies

Note that only channels 1, 6, and 11 are non-overlapping. It is not possible to configure VAPs to use different channels. If the channel for wlan2 is changed, the channel will be changed for wlan1, wlan3, and wlan4.
-
Each VAP can be configured with a different ESSID. This allows network traffic to be separated based on ESSID. Assigning unique ESSIDs to the VAPs in a mesh has the benefit of allowing a user to configure a client device to connect to a specific device in the mesh. Typically a mesh will be deployed with the VAP ESSIDs having the same set of values for each EnRoute500 in order to support seamless roaming.
-
12.7.1 IP Configuration of Client Devices via DHCP

The EnRoute500 can be set to serve IP addresses to clients on the VAP interfaces using DHCP. DHCP-provided addresses can be served either from a local server on the EnRoute500 or from an external server. The two DHCP modes are described in detail in section 13.

12.7.
-
Figure 44. Virtual access point client status information

12.9 Encryption and Authentication

The EnRoute500 supports several common encryption/authentication schemes, including WEP, WPA, and WPA2, to provide secure wireless access for client devices. WEP keys with 40-bit or 104-bit lengths, pre-shared WPA keys, and multiple WPA-EAP modes are supported. The WEP and WPA configuration settings for each VAP are independent.
-
Figure 45. Access point authentication and encryption settings

12.9.1 WEP Encryption

The VAPs can be protected with a WEP-based encryption key to prevent unauthorized users from intercepting or spoofing traffic.

CLI
To enable WEP-based encryption, set the ‘key’ parameter in the ‘wlanN’ interface. The length of the encryption key is determined by the format used to specify the ‘key’ value.
-
Key format                Encryption format   Encryption key length
s:<5 ASCII characters>    WEP                 40 bits
<10 hex values>           WEP                 40 bits
s:<13 ASCII characters>   WEP                 104 bits
<26 hex values>           WEP                 104 bits
                          None                N/A

Table 12.
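The key-format rules in Table 12 can be checked before a value is pushed to a VAP. The sketch below is an added example, not Tranzeo code: it classifies a ‘key’ value by format and also reports how much key material each form can actually carry. The function names, the sample keys, and the assumption that an ‘s:’ key is limited to the 95 printable ASCII characters are all illustrative.

```python
import math
import string

PRINTABLE_ASCII = 95  # 0x20-0x7E; assumed upper bound on what an 's:' key may contain
HEX_DIGITS = set(string.hexdigits)

# Body length -> nominal WEP key length in bits, taken from Table 12.
ASCII_LENGTHS = {5: 40, 13: 104}
HEX_LENGTHS = {10: 40, 26: 104}


def classify_wep_key(value):
    """Return (nominal_bits, effective_bits, form) for a 'key' value.

    effective_bits is the largest amount of key material the form can hold:
    a hex key can use every bit, an ASCII key only printable characters.
    Raises ValueError if the value is not one of the four WEP formats.
    """
    if value.startswith("s:"):
        body = value[2:]
        bits = ASCII_LENGTHS.get(len(body))
        if bits is None or not all(0x20 <= ord(c) <= 0x7E for c in body):
            raise ValueError("ASCII key must be s: plus 5 or 13 printable characters")
        return bits, len(body) * math.log2(PRINTABLE_ASCII), "ascii"
    bits = HEX_LENGTHS.get(len(value))
    if bits is None or not set(value) <= HEX_DIGITS:
        raise ValueError("hex key must be exactly 10 or 26 hex digits")
    return bits, float(bits), "hex"


def audit_vap_keys(keys):
    """Map each interface name to a one-line finding about its WEP key."""
    report = {}
    for ifname, value in keys.items():
        try:
            nominal, effective, form = classify_wep_key(value)
        except ValueError as exc:
            report[ifname] = f"rejected: {exc}"
            continue
        report[ifname] = (
            f"WEP {nominal}-bit ({form}), at most {effective:.1f} bits of key material"
        )
    return report


# Constructed sample values, one per VAP; none of these keys come from the guide.
SAMPLE_KEYS = {
    "wlan1": "s:k9#Qz",                      # 5 ASCII characters
    "wlan2": "3fa91c07be",                   # 10 hex digits
    "wlan3": "9d2e41b07c5a8836f10e4bd27a",   # 26 hex digits
    "wlan4": "3fa91c07b",                    # 9 hex digits: matches no format
}

if __name__ == "__main__":
    for ifname, finding in audit_vap_keys(SAMPLE_KEYS).items():
        print(ifname, finding)
```

For the same nominal length, the hex form can use the full key space while the ASCII form cannot, which is the practical reason to prefer randomly generated hex keys.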
-
CLI
The example below shows how to enable WPA-PSK mode for wlan1. The ‘wpa.key_mgmt’ parameter must also be set to indicate that PSK mode is being used, as shown below.

> use wlan1
wlan1> set wpa.enable=yes
wlan1> set wpa.key_mgmt="WPA-PSK"
wlan1> set wpa.
-
• wpa.enable
• wpa.key_mgmt
• wpa.auth.server.addr
• wpa.auth.server.port
• wpa.auth.server.shared_secret

The ‘wpa.key_mgmt’ parameter must be set to indicate that both PSK and EAP modes can be supported, as shown in the example below. The example below shows how to enable WPA EAP mode.

> use wlan1
wlan1> set wpa.enable=yes
wlan1> set wpa.key_mgmt="WPA-PSK WPA-EAP"
wlan1> set wpa.auth.server.addr=1.2.3.4
wlan1> set wpa.auth.server.
-
CLI
The example below shows how to set the VAP radio’s maximum transmit power using the CLI. The Tx power is specified in dBm, with a granularity of 0.5 dBm.

> use wlan1
wlan1> set txpower=20

Web GUI
The VAPs’ maximum transmit power can be set via the web interface using the appropriate “wlanN” tab on the “Wireless Interfaces” page (see Figure 42). The “+” and “-” buttons can be used to increase or decrease the power setting in 0.5 dBm steps.

12.
-
CLI
The example below shows how to set the preamble type used by a VAP using the CLI. The preamble type is set with the ‘iwpriv.short_preamble’ parameter in the ‘wlanN’ interfaces. To enable short preambles, set this parameter to ‘1’. To force use of long preambles, set this parameter to ‘0’.

> use wlan1
wlan1> set iwpriv.
-
be increased by setting a custom maximum link distance value. This value can be specified in either metric or imperial units. The maximum link distance setting is uniform across all VAPs. Changing it for one will automatically change it for all others as well.

CLI
The example below shows how to set the maximum link distance supported by a VAP using the CLI.
-
Chapter 13: Client IP Configuration

13 Client IP Configuration via DHCP

Two configuration options exist for assigning IP addresses to client devices using DHCP:

• Each EnRoute500 hosts a local DHCP server and supplies IP addresses to devices attaching to any of the client access interfaces
• A centralized DHCP server supplies IP addresses to client devices, with the EnRoute500s relaying DHCP messages between client devices and the centralized server.
-
If the ‘dhcp.reserve’ value is non-zero, the DHCP range start address will be affected as shown below:

Start address = . . . + 1 - < wlan1 DHCP reserve>

CLI
The DHCP mode parameters in the ‘wlanN’ and ‘eth0’ interfaces control DHCP behavior. When the role is set to ‘server’, the EnRoute500 will respond to DHCP requests received from client devices connected to the interface.
-
Figure 46. Virtual access point DHCP configuration
-
13.2 Using a Centralized DHCP Server

Centralized DHCP server mode uses DHCP relaying to enable assignment of IP addresses to wireless client devices from a common remote DHCP server. The remote DHCP server may reside either on a host connected to the mesh gateway’s wired segment, or on a server that is beyond one or more routers.
-
client address space is 192.168.5.0/24, with available addresses from 192.168.5.1 to 192.168.5.255, we will use 192.168.5.1 for the server hosting the DHCP server, 192.168.5.2 for the mesh gateway’s backhaul interface, set aside 192.168.5.3 to 192.168.5.18 for the mesh AP interfaces, and configure the remote DHCP server to serve IP addresses in the range of 192.168.5.19 to 192.168.5.254 to wireless client devices. We will keep 192.168.5.
-
interface. Addresses for the remaining client access interfaces are determined by successively incrementing the Base Address by 1.
-
The Base Value, which sets the IP address of client access interfaces on an EnRoute500, is set through the ‘dhcp.relay.base’ parameter in the ‘sys’ interface. The example below shows the configuration for a mesh neighborhood consisting of 3 devices.

On the gateway:

> use sys
sys> set dhcp.relay.base=192.168.5.3

on the first repeater device:

> use sys
sys> set dhcp.relay.base=192.168.5.8

and on the second repeater device:

> use sys
sys> set dhcp.relay.base=192.168.5.
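Because each device's client access interfaces take consecutive addresses starting at its base value, a relay address plan can be audited for overlaps before it is deployed. The following is an added example, not Tranzeo code: it checks per-device blocks against the 192.168.5.0/24 plan described above. The block size of five addresses per device is an assumption inferred from the spacing of the two base values shown, and the ‘repeater-A’ and ‘repeater-B’ entries are constructed misconfigurations.

```python
from ipaddress import IPv4Address

# Values from the plan described in the text.
RESERVED_FOR_AP_INTERFACES = ("192.168.5.3", "192.168.5.18")
DHCP_POOL = ("192.168.5.19", "192.168.5.254")
FIXED_HOSTS = {"dhcp-server": "192.168.5.1", "gateway-backhaul": "192.168.5.2"}

# Assumption: each device consumes five consecutive addresses from its base.
ADDRESSES_PER_DEVICE = 5

# Base values shown in the text for the gateway and the first repeater.
PAGE_PLAN = {"gateway": "192.168.5.3", "repeater-1": "192.168.5.8"}

# Constructed faulty plan: one block overlaps a neighbour, one runs into the pool.
FAULTY_PLAN = dict(PAGE_PLAN, **{"repeater-A": "192.168.5.10",
                                 "repeater-B": "192.168.5.17"})


def in_range(addr, bounds):
    """True if addr lies within the inclusive (first, last) address range."""
    first, last = (IPv4Address(b) for b in bounds)
    return first <= addr <= last


def audit_relay_plan(bases, per_device=ADDRESSES_PER_DEVICE,
                     reserved=RESERVED_FOR_AP_INTERFACES,
                     pool=DHCP_POOL, fixed=FIXED_HOSTS):
    """Return a list of (device, address, problem) tuples; empty means clean."""
    findings = []
    owner = {IPv4Address(a): name for name, a in fixed.items()}
    for device, base in bases.items():
        for offset in range(per_device):
            addr = IPv4Address(base) + offset
            if addr in owner:
                findings.append((device, str(addr), f"collides with {owner[addr]}"))
            else:
                owner[addr] = device
            if in_range(addr, pool):
                findings.append((device, str(addr), "inside the DHCP server's pool"))
            elif not in_range(addr, reserved):
                findings.append((device, str(addr), "outside the reserved block"))
    return findings


if __name__ == "__main__":
    for device, addr, problem in audit_relay_plan(FAULTY_PLAN):
        print(f"{device}: {addr} {problem}")
```

An interface address that falls inside the central server's pool can later be leased to a client, so the pool overlap is the finding to fix first.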
-
13.2.3 Configuring the Central DHCP Server

Guidelines for configuring the central DHCP server are provided below. The full configuration of the central DHCP server will depend on the type of DHCP server that is used and is beyond the scope of this document. Typically the following information must be available in order to configure the server:

1. The local interface (to the DHCP server) over which the DHCP-related messages from the mesh neighborhood arrive
2.
-
Chapter 14: Connecting an EnRoute500 Mesh Network to a WAN

14 Connecting an EnRoute500 Mesh Network to a WAN

The options for connecting an EnRoute500 gateway to a WAN and establishing layer 3 IP routing include:

• Static route configuration on the WAN router
• Source network address translation (NAT) on the mesh gateways
• Layer 2 mesh emulation as part of DHCP relay mode.

Table 13 shows compatibility of single vs. multiple mesh gateways with the use of implicit vs.
-
In the case where the LAN prefix is 10 and the mesh prefix is 172.29, the subnets the router would need to forward to the gateway are 10.2.0.0/255.255.0.0 and 172.29.0.0/255.255.0.0. Alternatively, to avoid any configuration of the WAN router, enable L2 emulation mode on the mesh gateway. This will automatically direct traffic destined for the mesh neighborhood’s mesh devices and clients to the mesh gateway. See section 18.
-
14.1.4 “Multiple Gateway, Explicit Addressing Scheme” Option

This mode of operation is not supported.

14.2 Network Address Translation (NAT) on Mesh Gateways

Network Address Translation (NAT) provides a simple method for connecting a mesh neighborhood to a WAN router and also prevents hosts that are located on external networks from initiating connections with client devices and individual mesh repeaters.
-
Figure 48. NAT and VPN settings

14.3 Layer 2 Mesh Emulation in DHCP Relay Mode

When DHCP relay and layer 2 emulation mode are both enabled, the mesh network emulates a layer 2 distribution and access network. In this case the WAN router configuration is limited to setting up a static route without a designated next-hop gateway via the router’s LAN interface.
-
14.4 VPN Access to a Mesh Gateway

An EnRoute500 configured as a gateway can establish a VPN connection to an OpenVPN server. This VPN connection provides the following capabilities:

• Any EnRoute500 in the mesh can be contacted directly from a remote host, even when NAT is enabled on the gateway device.
-
Chapter 15: Controlling Access to the EnRoute500

15 Controlling Access to the EnRoute500

The EnRoute500 supports the following features for restricting access to it, restricting interclient device communication and access to mesh devices, and shielding client devices from an external network:

• Firewall
• Client-to-client communication blocking
• Gateway firewall

It further supports controlled network access by client devices through MAC address black lists and mesh association through MAC white lists.
-
CLI
The firewall is enabled by selecting the ‘firewall’ interface and setting the ‘node.enable’ parameter.

> use firewall
firewall> set node.enable=yes

Lists of allowed source and destination ports for inbound TCP and UDP traffic can be specified. These lists can be set with the following parameters in the ‘firewall’ interface:

• node.tcp.allow.dest
• node.tcp.allow.source
• node.udp.allow.dest
• node.udp.allow.
-
CLI
The state of the gateway firewall is controlled with the ‘gateway’ parameter in the ‘firewall’ interface. Enable the gateway firewall with

> use firewall
firewall> set gateway=yes

disable it with

> use firewall
firewall> set gateway=no

Web GUI
It is not possible to configure the state of the gateway firewall via the web interface.

15.3 Blocking Client-to-Client Traffic

Client-to-client traffic can be blocked or permitted on a per-interface basis.
-
> use firewall
firewall> set node.allowc2c.eth0=yes

Web GUI
The client isolation parameters can be set via the web interface using the “Connections” subtab under the “Firewall” tab on the “Security” page (see Figure 49). By setting an interface’s client isolation parameter to ‘yes’, client devices connecting to that interface will not be able to communicate with any other client devices in the mesh.

Figure 49.
-
15.4 Connection Tracking

The firewall keeps track of existing TCP connections. It is advisable to enable connection tracking for public networks that can have large numbers of users. In particular, it is important to enable connection tracking if your network is heavily loaded or if it has users running file sharing applications. A number of parameters are available for tuning how connection tracking is handled.

15.4.
-
to track the connections for all client devices connected to any of the mesh devices in the gateway’s mesh neighborhood.

CLI
The connection tracking table size is set by selecting the ‘firewall’ interface and setting the ‘conntrack.table_size’ parameter.

> use firewall
firewall> set conntrack.
-
• Block client traffic on certain ports
• Block traffic from a given client access interface to a certain subnet

The custom firewall rules can be added on the “Custom Rules” sub-tab on the “Firewall” tab on the “Security” page as shown in Figure 50. These rules are specified as you would specify rules for iptables, with the exception that the chain they are to be added to cannot be specified. All rules will be applied to the iptables forwarding chain.
-
Figure 50. Custom firewall settings

15.6 Access Control Lists (ACLs)

Access control lists can be created for each of the VAP interfaces and the mesh interface.

15.6.1 Access Point Access Control Lists (ACLs)

The access control lists (ACLs) for the VAP interfaces (wlan1-wlan4) block access to any device with a MAC address matching those on the list. Individual ACLs can be defined for each VAP.
-
The ACL for a VAP must be enabled after it has been created. Choose “blacklist” from the drop-down menu and click on “Change ACL Mode” to enable the list. Choose “none” from the drop-down menu and click on “Change ACL Mode” to disable the ACL.

Figure 51. AP ACL configuration

15.6.
-
will appear at the bottom of the page. To delete a MAC address in an ACL, click on the “Delete MAC” button next to the address. The ACL for a VAP must be enabled after it has been created. Choose “whitelist” from the drop-down menu and click on “Change ACL Mode” to enable the list. Choose “none” from the drop-down menu and click on “Change ACL Mode” to disable the use of the ACL for the mesh interface.

Figure 52. Mesh ACL configuration
-
Chapter 16: Quality of Service (QoS) Configuration

16 Quality of Service (QoS) Configuration

The EnRoute500 has extensive support for quality of service settings that allow traffic to be prioritized based on the source interface, destination interface, and type of traffic. The EnRoute500 QoS scheme allows both rate limiting and rate reservation for all interfaces.

16.1 Priority Levels

The Flow Priority parameters set the relative priority of outbound traffic based on the source interface.
-
When sending data out through any of the wireless interfaces (wlanN, mesh0), these hardware priorities map directly to the 802.11e hardware priority output queues on the wireless card. The default level for all traffic is Best Effort. To increase the hardware priority of all traffic originating from a particular interface, set the value of Min Hardware Priority to a value larger than 1.
-
The example below shows how to configure the system such that all traffic from ‘wlan1’ with a ‘Voice’ or ‘Video’ priority will be reduced to a ‘Best Effort’ priority. Traffic with ‘Best Effort’ and ‘Background’ priorities will not be affected.

> use qos
qos> set in.wlan1.hwpri.max=2

The example below shows how to configure the system such that all traffic from ‘wlan2’ with a ‘Background’ or ‘Best Effort’ priority will be increased to a ‘Video’ priority.
-
Figure 54. Advanced QoS configuration (only settings for some interfaces are shown)

16.2 Rate Limiting

A rate limit can be set at each QoS Control Point shown in Figure 55.
-
Figure 55. Quality of Service rate limit control points
[Diagram labels: Input, Output, QoS Control Point; interfaces local, mesh0, eth0, wlan1, wlan2, wlan3, wlan4; traffic types VI, VO, BK, BE]

Data rate limits can also be imposed based on traffic type through an interface.
-
mesh0, wlan1, wlan2, wlan3, wlan4. The ‘out.default.default.limit’ value is applied to interfaces that have the ‘out.
-
For rate reservations to be enforced, a rate limit must be set for the traffic type that the reservation is made for. Setting a rate limit for a broader traffic type, of which the one the reservation is made for is a subset, is also acceptable. For example, when making a rate reservation for voice traffic from wlan1 to mesh0 (‘out.mesh0.wlan1.vo.reserve’), a limit must be set with ‘out.mesh0.limit’, ‘out.mesh0.wlan1.limit’, or ‘out.mesh0.wlan1.vo.limit’.
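The rule above (a reservation is enforced only if a limit exists at the same or a broader scope) can be checked mechanically over an exported set of ‘qos’ parameters. This is an added example, not Tranzeo code: the function names and the sample values are constructed, the ‘vi’ parameter names are formed by analogy with the ‘vo’ one quoted in the text, and treating a blank or ‘inherit’ value as "not explicitly set" is an assumption. Only explicitly set limits are considered; the device-wide default limit is not modeled.

```python
# Assumption: a blank value or 'inherit' means the parameter is not explicitly set.
UNSET_VALUES = {"", "inherit"}

# Constructed sample configuration (values carry no particular unit here).
SAMPLE_QOS = {
    "out.mesh0.wlan1.vo.reserve": "512",
    "out.mesh0.wlan1.limit": "2048",         # broader limit covers the reservation
    "out.mesh0.wlan2.vi.reserve": "1024",
    "out.mesh0.wlan2.vi.limit": "inherit",   # present but not explicitly set
    "out.eth0.wlan3.vo.reserve": "256",
    "out.eth0.limit": "",                    # blank: not set
    "out.mesh0.wlan4.vo.reserve": "inherit", # no reservation actually made
}


def is_set(value):
    """True if a parameter holds an explicit value."""
    return value is not None and value.strip().lower() not in UNSET_VALUES


def enforcing_limit_keys(reserve_key):
    """List the limit parameters that can enforce a reservation, broadest first.

    'out.mesh0.wlan1.vo.reserve' ->
        ['out.mesh0.limit', 'out.mesh0.wlan1.limit', 'out.mesh0.wlan1.vo.limit']
    """
    parts = reserve_key.split(".")
    if len(parts) < 3 or parts[0] != "out" or parts[-1] != "reserve":
        raise ValueError(f"not a reservation parameter: {reserve_key!r}")
    scope = parts[:-1]  # e.g. ['out', 'mesh0', 'wlan1', 'vo']
    return [".".join(scope[:n]) + ".limit" for n in range(2, len(scope) + 1)]


def unenforced_reservations(qos):
    """Return {reservation: [limits that would enforce it]} for every
    explicit reservation that has no explicit limit at any covering scope."""
    findings = {}
    for key, value in sorted(qos.items()):
        if not key.endswith(".reserve") or not is_set(value):
            continue
        candidates = enforcing_limit_keys(key)
        if not any(is_set(qos.get(limit)) for limit in candidates):
            findings[key] = candidates
    return findings


if __name__ == "__main__":
    for reservation, limits in unenforced_reservations(SAMPLE_QOS).items():
        print(f"{reservation}: set one of {', '.join(limits)}")
```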
-
default value set for the EnRoute500 rate reservation is applied to interfaces that have their bandwidth reservation parameters set to ‘inherit’ or are left blank.

CLI
The parameters that are used to set these rate reservations are in the ‘qos’ interface and are of the form ‘out.
-
17 Enabling VLAN Tagging

The EnRoute500 supports VLAN tagging, with each client access interface capable of supporting a different VLAN tag.

17.1 Client Access Interface Configuration

VLAN tagging can be independently controlled on each client access interface (eth0, wlan1-4). The Enable VLAN parameters for the ‘eth0’, ‘wlan1’, ‘wlan2’, ‘wlan3’, and ‘wlan4’ interfaces control the state of VLAN tagging.
-
Figure 57. Configuring VLAN for VAP interfaces

17.2 Gateway Configuration

For VLAN tags to be preserved on traffic that exits a mesh neighborhood, VLAN support must be enabled for the Ethernet interface on the mesh neighborhood’s gateway device (the backhaul interface). The “Enable VLAN” parameter for the Wired/Backhaul interface controls the state of VLAN tagging.
-
must be in the range from 0 to 4095. Note that 0 and 4095 are reserved values and 1 is the default VLAN ID.

CLI
The example below shows how to enable VLAN tagging on the backhaul interface on a gateway device using the ‘vlan.enable’ parameter in the ‘eth0’ interface.

> use eth0
eth0> set vlan.enable=yes

The example below shows how to set the VLAN ID for the backhaul Ethernet interface using the ‘vlan.id’ parameter in the ‘eth0’ interface.
-
Chapter 18: Integration with Enterprise Equipment

18 Integration with Enterprise Equipment

The EnRoute500 supports authentication, accounting, and monitoring services that easily integrate with enterprise equipment. In this section the following topics are described:

• Splash pages
• Backhaul health monitoring
• Layer 2 client emulation

18.
-
illustrates how to set the parameter for the wlan1 interface such that a user will be required to log in to access the network.

> use sys
sys> set splash.auth.server.enable.wlan1=yes

Web GUI
Splash pages can be enabled on a per-interface basis on the “Splash Pages” sub-tab under the “AAA” tab on the “System Parameters” page of the web interface (see Figure 59).
-
18.1.2 Configuring Splash URLs

The URL that a user is redirected to for login purposes can be individually configured for each client access interface that supports splash pages (wlan1-4). URLs for successful login, failed login, and error conditions can also be specified for each interface. The ‘login URL’ parameter sets the URL that a user is redirected to when they attach to the interface and have not yet been authenticated.
-
Web GUI
All of the splash page-related URLs can be set on the “Splash Pages” sub-tab under the “AAA” tab on the “System Parameters” page of the web interface (see Figure 59).

18.1.3 Sample HTML Code for Splash Pages

The login HTML page must contain specific form information as shown in the sample code in Figure 60 and Figure 61. Figure 60 contains the code required for an interface that requires a login.
-
Test Login Page
-
• the port on the server that the RADIUS server is listening on
• the shared secret – must be a string of alphanumeric characters that is 32 characters or less in length.

CLI
The ‘splash.auth.server..host’, ‘splash.auth.server..port’, and ‘splash.auth.server..secret’ parameters in the ‘sys’ interface, where is either ‘wlan1’, ‘wlan2’, ‘wlan3’, or ‘wlan4’, specify the authentication server to use.
-
Figure 62. Adding trusted MAC addresses and accessible hosts

18.1.6 Bypass Splash Pages for Access to Specific Hosts

It is possible to specify a list of IP addresses that client devices can access without the client devices having to view a splash screen.

CLI
The list of hosts that can be accessed without having to view a splash screen is set with the ‘splash.bypass_hosts’ parameter in the ‘sys’ interface.
-
displayed on this page. To delete an IP address from the list, click on the “Delete Host” button next to the IP address.

18.2 Layer 2 Emulation

Certain back-end systems (e.g. Internet gateways) use the MAC addresses of client devices for authentication and accounting purposes. The EnRoute500 uses a layer 3 approach to mesh routing, which means that the client device MAC addresses are typically not provided to the back-end servers.
-
To limit the range of addresses for ARP requests that the gateway will respond to, set the ‘l2.hide_internal.enable’ parameter in the ‘sys’ interface to ‘yes’. Set the ‘l2.hide_internal.gateway.deny.mesh’ in the ‘sys’ interface to ‘yes’ to disregard ARP requests for IP addresses within the mesh subnet (typically 172.29.0.0/16). Set ‘l2.hide_internal.gateway.deny.
-
Figure 63. Enabling/disabling layer 2 emulation
-
Chapter 19: Diagnostics Tools

19 Diagnostics Tools

The EnRoute500 has a number of diagnostics tools to help the user diagnose and correct configuration issues. These tools are available on the “Diagnostics” page, accessible from the navigation bar. The individual diagnostics tools are accessible from the row of tabs shown on the “Diagnostics” page.

19.1 Ping

The “Ping” tab on the “Diagnostics” page allows the user to check for network connectivity by pinging a remote device (see Figure 64).
-
19.2 Traceroute

The “Traceroute” tab on the “Diagnostics” page allows the user to determine the individual intermediary devices used to route traffic from the EnRoute500 to a remote device (see Figure 65). Enter the IP address, e.g. 10.1.2.3, or hostname, e.g. www.yahoo.com, of the device you wish to find the route path to. Check the “Resolve Names” box if traceroute should show device names, when available, instead of just IP addresses.
-
Capturing DHCP Traffic From Client Device on wlan1

1. Set “Interface” to “wlan1”
2. Set “Protocol” to “all”
3. Set “Packet Count” to “20”
4. Set “Packet length” to 500
5. Click on “DHCP” next to “Common Protocols”
6. Set “Output” to “File”
7. Click on “Start Capture”
8. Allow the capture to complete automatically when the prescribed number of packets has been captured or click on “Stop Capture” to halt the capture
9.
-
Figure 66. Capturing network traffic

Option                           Description
Interface                        Selects the interface from which packets are captured. Note that some packets may be available on multiple interfaces.
Protocol
Packet Count
Show Host Names
Show MAC addresses
Packet Length
Optional Host
Optional Port
Common Protocols
Optional Additional Parameters
Output
Output File Prefix
-
19.4 Centralized DHCP Testing

The “DHCP” tab on the “Diagnostics” page can be used to test access to an external DHCP server when the EnRoute500 is in centralized DHCP server mode (see Figure 67). Click on the “Test DHCP” button to initiate a test. The results of the test will be displayed at the bottom of the page.

Figure 67. Testing the connection to an external DHCP server

19.
-
Figure 68. Testing credentials with a RADIUS server

19.6 Diagnostic Dump

The “Diagnostic Dump” tab on the “Diagnostics” page allows the user to create a snapshot of diagnostic data that can be downloaded to a PC and sent to Tranzeo technical support for analysis (see Figure 69).

Figure 69. Generating a diagnostic dump
-
The list of diagnostic dumps available for download is displayed at the bottom of the page. The diagnostic dumps can be downloaded by clicking on the filenames. To delete one or more diagnostic dumps, select the check boxes next to the ones you wish to delete and then click on the “Delete Selected” button.
-
Chapter 20: Firmware Management

20 Firmware Management

20.1 Displaying the Firmware Version

The firmware version string contains the following information:

• Build date
• Major version number
• Minor version number
• Build number

These values are embedded in the version string as follows:

enroute500_<Build date>_<Major version>_<Minor version>_<Build number>

CLI
Firmware version information is available in the ‘version’ interface.
-
There are two approaches for upgrading the firmware of a number of devices in a mesh neighborhood:

• Upgrade the firmware on each device individually
• Upgrade the firmware for the entire mesh neighborhood from the mesh gateway

The latter method is the recommended approach.
-
Figure 70. Updating firmware on all devices in a mesh neighborhood

Follow the procedure below to upgrade the devices in a mesh neighborhood:

1. Select the firmware version you want to upgrade to from the “Firmware on Server” box
2. Click on the button with the arrow to the right of the “Firmware on Server” box. This will begin the download process of the firmware from the Tranzeo upgrade server to the non-volatile memory on the EnRoute500.
-
7. Click on “Install All”. Text indicating that the node is being upgraded will be displayed next to the device IP address under the “Nodes Associated with this Gateway” heading.
8. Wait for the upgrade to complete (approximately 20 minutes).

20.2.2 Upgrading the Firmware on an Individual Device

The firmware can be upgraded on an individual device using the “Upgrade Node” tab on the “Upgrade” page. This is the only tab that is available on devices configured as repeaters.
-
Figure 71. Updating firmware on a single device
-
Glossary

Client access interface
An interface on the EnRoute500 used by a client device, such as an 802.11-enabled laptop, to connect to the EnRoute500. The client access interfaces are the virtual APs wlan1 – wlan4 and, on devices configured as repeaters, the eth0 Ethernet interface.

Client address scheme
The method used to assign address spaces to client address interfaces. The two supported client address schemes are implicit and explicit.
-
Abbreviations

ACL      Access Control List
AP       Access Point
CLI      Command line interface
ESSID    Extended Service Set Identifier
LAN      Local-Area Network
NAT      Network Address Translation
PoE      Power over Ethernet
QoS      Quality of Service
RSSI     Received signal strength indicator
VAP      Virtual Access Point
VLAN     Virtual Local-Area Network
VPN      Virtual Private Network
WAN      Wide-Area Network
WLAN     Wireless Local-Area Network
WPA      Wi-Fi Protected Access
WPA-PSK  Wi-Fi Protected Access Pre-Sha