-
Document No. TR0153 Rev D2
EnRoute50x/51x User’s Guide Rev. D2
Communicate Without Boundaries
Tranzeo Wireless Technologies Inc.
19473 Fraser Way, Pitt Meadows, BC, Canada V3Y 2V4
www.tranzeo.com
technical support email: support@tranzeo.
-
Tranzeo, the Tranzeo logo and EnRoute500 are trademarks of Tranzeo Wireless Technologies Inc. All rights reserved. All other company, brand, and product names are referenced for identification purposes only and may be trademarks that are the properties of their respective owners.

Copyright © 2007, Tranzeo Wireless Technologies Inc.
-
FCC Notice to Users and Operators

This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) This device must accept any interference received, including interference that may cause undesired operation.

This equipment has been tested and found to comply with the limits for Class B Digital Device, pursuant to Part 15 of the FCC Rules.
-
Table of Contents

1 Working with the EnRoute500
1.1 EnRoute500 Variants
1.2 EnRoute500 Capabilities
1.3 Network Topology
-
3.4 Help Information
3.5 Rebooting
4 Initial Configuration of an EnRoute500
5 Configuration Profile Management
-
9.3 Access Point Client Device Address Space
9.4 Channel
9.5 ESSID
9.6 IP Configuration for Nodes and Their Clients
-
15.1.4 Configuring the Authentication Server
15.1.5 Trusted MAC Addresses
15.1.6 Bypass Splash Pages for Access to Specific Hosts
15.2 Layer 2 Emulation
-
1 Working with the EnRoute500

Thank you for choosing the Tranzeo EnRoute500 Wireless Mesh Router. The EnRoute500 allows a wireless mesh network to be rapidly deployed with minimal configuration required by the end user. This user’s guide presents a wide array of configuration options, but only a limited number of options have to be configured in order to deploy a mesh network of EnRoute500s.

1.
-
Figure 1. EnRoute500 sample network – devices attach to the EnRoute500 through both wired and wireless connections

1.3 Network Topology

EnRoute500s can be used to create two network topologies: a stand-alone network or an Internet extension network that attaches to a network with connectivity to the Internet.

Figure 2.
-
Figure 3. Stand-alone network

In a stand-alone network, as shown in Figure 3, all nodes are configured to operate in the same mode (repeater mode). This network configuration is suitable for applications where the clients using the mesh only need to communicate with each other and do not need to access the Internet or other remote network resources that are not directly connected to the mesh.

1.
-
Figure 4. EnRoute500 interfaces. EnRoute501 shown (labels: AP radio port, Mesh radio port, Power, Ethernet)

Interface                   Description
Power (EnRoute 5x1 only)    Power input (100-240VAC 50-60 Hz)
Mesh radio port             N-type antenna connector for mesh radio
AP radio port               N-type antenna connector for access point radio
Ethernet                    10/100 Mbit Ethernet interface
Passive PoE                 PoE secondary power input (9-28VDC, 12W). Not compatible with IEEE 802.3af

Table 2. EnRoute500 Interfaces

1.5.
-
The EnRoute500 is equipped with an auto-sensing Ethernet port that allows both regular and cross-over cables to be used to connect to it.

Pin   Signal    Standard Wire Color
1     Tx+       White/Orange
2     Tx-       Orange
3     Rx+       White/Green
4     PoE V+    Blue
5     PoE V+    White/Blue
6     Rx-       Green
7     Gnd       White/Brown
8     Gnd       Brown

Table 3. Ethernet port pinout

1.5.2 Antennas

Attach the supplied antennas to the mesh and access point (AP) radio ports on the EnRoute500.
-
1.6.2 AP channel selection

The access point radio channels used by the EnRoute500s in a mesh cluster may differ. It is advisable to use different access point channels for adjacent mesh nodes to reduce interference. However, it may be more important to select the access point channel based on the presence of other 802.11 devices in the area rather than configuring it to be different than that of an adjacent EnRoute500.
-
2 Using the Command Line Interface

All configurable EnRoute500 parameters can be accessed with a Command Line Interface (CLI). The CLI allows you to:

• Modify and verify all configuration parameters
• Save and restore device configurations
• Reboot the device
• Upgrade the firmware

2.1 Accessing the CLI

The EnRoute500’s command-line interface (CLI) is accessible through the device’s network interfaces using an SSH client.
-
3. Log in to the node using an SSHv2-capable client application with the credentials provided in Table 4.

Windows XP does not include an SSH client application. You will need to install a 3rd-party client such as SecureCRT from Van Dyke software (http://www.vandyke.com/products/securecrt) or the free PuTTY SSH client (http://www.putty.nl/) to connect to an EnRoute500 using SSH.
-
be set by the ‘monitor’ user is the shell timeout (see section 6.10). The passwords for both users can only be set by the ‘admin’ user. The procedure for changing passwords is described in section 6.1.

2.3 CLI Interfaces

The CLI provides the user with a number of interfaces that contain related parameters and controls. Some of these interfaces are actual hardware interfaces, such as Ethernet, while others are virtual interfaces that contain a set of related parameters.
-
2.4.2 Cancel a Command

Ctrl+C cancels the input on the current command line and moves the cursor to a new, blank command line.

2.4.3 Searching the Command History

The command history can be searched by pressing Ctrl+R and entering a search string. The most recently executed command that matches the string entered will be displayed. Press ‘Enter’ to execute that command.

2.4.
-
2.5.3 ‘help’ command

Syntax
    help [command|parameter]
where [command] is one of the CLI commands or [parameter] is a parameter in the currently selected interface.

Description
When no argument follows the help command, a help menu showing a list of available commands is displayed. When a command is supplied as the argument, a help message for that particular command is displayed.
-
2.5.5 ‘use’ command

Syntax
    use
where is one of the EnRoute500’s interfaces. A complete list of interfaces is available with the ‘show’ command.

Description
Selects an interface to use. By selecting an interface you can view and modify the parameters associated with the interface.

Example
    use mesh0
will select the backhaul mesh radio interface and change the CLI prompt to
    mesh0>
to reflect the interface selection.
-
2.5.6 ‘set’ command

Syntax
    set =
where is the parameter being set and is the value it is being set to.

Description
Sets a configuration parameter. Note that it is only possible to set the parameters for the currently selected interface. If the value of the parameter contains spaces, the value must be surrounded by double quotes (" "). If a valid ‘set’ command is entered, it will output its result and any effects on other parameters.
-
2.5.7 ‘get’ command

Syntax
    get
where is the parameter whose value is being fetched.

Description
Gets the value of one or more configuration parameters for the currently selected interface. The ‘*’ character can be used to specify wildcard characters. This allows multiple values to be fetched with a single command.

Example
With the ‘sys’ interface selected
    get id.node
will return the node’s ID, while
    get id.
-
2.5.8 ‘list’ command

Syntax
    list

Description
Lists all parameters for the selected interface

Example
With the ‘firewall’ interface selected
    list
will display
    firewall.gateway.enable : prevent uninitiated incoming connections past the gateway?
    firewall.node.allowc2c.eth0 : allow clients to see each other if .role=access
    firewall.node.allowc2c.wlan1 : allow clients to see each other if .role=access
    firewall.node.allowc2c.wlan2 : allow clients to see each other if .
-
2.5.10 ‘ifconfig’ command

Syntax
    ifconfig

Description
Displays information, such as IP address and MAC address, for the specified network interface.

Example
    ifconfig wlan1
will display
    wlan1 Link encap:Ethernet HWaddr 00:15:6D:52:01:FD
          inet addr:10.2.10.1 Bcast:172.29.255.255 Mask:255.255.0.

2.5.11
-
2.5.13 ‘history’ command

Syntax
    history

Description
Shows the command history since the node was last rebooted

Example
After switching to the ‘wlan1’ interface, inspecting the ESSID setting, and then changing it
    history
will display
    1: use wlan1
    2: get essid
    3: set essid=new_ap_essid
-
2.5.14 ‘!’ command

Syntax
    ! ! !!

Description
Executes a previously-executed command based either on a command history number or matching a string to the start of a previously-executed command. Note that there is no space between the ‘!’ and the argument. The ‘history’ command shows the command history, with a number preceding each entry in the command history.
-
2.5.15 ‘exit’ command

Syntax
    exit

Description
Terminates the current CLI session and logs out the user

2.5.16 ‘quit’ command

Syntax
    quit

Description
Terminates the current CLI session and logs out the user
-
3 Using the Web Interface

The EnRoute500 has a web interface accessible through a browser that can also be used to configure the node and display status parameters.

3.1 Accessing the Web Interface

You can access the web interface by entering one of the node’s IP addresses preceded by “https://” in the URL field of a web browser (see section 2.1 for a description of how to access an unconfigured node using its Ethernet interface).
-
Figure 6. Certificate warning

3.2 Configuration Overview Page

A configuration overview page is loaded by default after the login process has been completed.
-
Figure 7. Sample status page

3.3 Setting Parameters

Many of the web interface pages allow you to set EnRoute500 operating parameters. Each page that contains settable parameters has a “Save Changes” button at the bottom of the page. When you have made your changes on a page and are ready to commit the new
-
configuration, click on the “Save Changes” button. It typically takes a few seconds to save the changes, after which the page will be reloaded. For the changes to take effect, the node must be rebooted. After a change has been committed, a message reminding the user to reboot the node will be displayed at the top of the screen.

Figure 8. Sample page showing “Save Changes” button and message prompting the user to reboot

3.
-
Figure 9. Rebooting the node
-
4 Initial Configuration of an EnRoute500

This user’s guide provides a comprehensive overview of all of the EnRoute500’s features and configurable parameters. However, it is possible to deploy a network of EnRoute500s while only changing a limited number of parameters. The list below will guide you through a minimal configuration procedure that prepares a network of EnRoute500s for deployment.

1 Change the ‘admin’ and ‘monitor’ passwords.
-
After these settings have been changed, the EnRoute500s will be able to form a mesh cluster and you will be able to configure the nodes from a central location. This minimal configuration must be performed prior to deployment, but all other configuration can be carried out after deployment.

To simplify initial configuration, the web GUI has a page that allows the user to change all the parameters listed in this section on a single page.
-
5 Configuration Profile Management

Configuration profiles describe an EnRoute500’s configuration state and can be created to simplify the provisioning and management of nodes.
-
5.2 Load a Configuration Profile

A configuration stored on the node can be loaded on the “Load” tab on the “Profile Management” page. This profile must either have been saved earlier or uploaded to the node. Choose a profile name from the “Existing Profiles” box and then click on “Load Profile”. It is necessary to reboot the node for the loaded profile settings to take effect.

Figure 12. Load a configuration profile

5.
-
Figure 13. Deleting a configuration profile

5.4 Downloading a Configuration Profile from a Node

A configuration profile can be downloaded from a node using the “Download from node” tab on the “Profile Management” page. The existing configuration profiles are listed on this page. Click on the one that is to be downloaded to your computer and you will be given the option to specify where the profile should be saved on the host computer.

Figure 14.
-
5.5 Uploading a Configuration Profile to a Node

A configuration profile can be uploaded to a node using the “Upload to node” tab on the “Profile Management” page. Use the “Browse” button to select a profile file on your host computer for upload to the node. Alternatively, enter the file name by hand in the text box adjacent to the “Browse” button. Click on the “Upload Profile” button to upload the selected file to the node.

Figure 15.
-
6 System Settings

This section describes settings that are applicable to the overall operation of the EnRoute500, but are not related directly to a particular interface.

6.1 User Passwords

The passwords for the ‘admin’ and ‘monitor’ users are configurable. The default password for both accounts is ‘mesh’.

CLI
The passwords for the ‘admin’ and ‘monitor’ users can be set using the ‘password.admin’ and ‘password.monitor’ parameters in the ‘sys’ interface.
-
6.2 Operating Scheme

The operating scheme determines a node’s role in the mesh network. Typically one of two configurations will be used in a network:

• All EnRoute500s will be configured as repeater nodes to create a stand-alone mesh cluster
• At least one of the EnRoute500s in a mesh cluster will be configured as a gateway node, with the remaining nodes configured either as gateways or repeaters.
-
Figure 17. Setting the operating scheme

6.3 Mesh / Node ID

An EnRoute500 must be assigned mesh and node IDs before it is deployed as part of a mesh cluster. Together, these values uniquely identify a node within a mesh cluster and no two nodes in a cluster are allowed to have the same node ID. The mesh ID must be the same for all nodes in a cluster. The range of valid mesh IDs is 0 through 254. The node ID is part of the node’s IP address as shown in Figure 18.
-
    > use sys
    sys> set id.node=107

Web GUI
The mesh and node IDs can be set via the web interface using the “System” tab on the “System Parameters” page.

Figure 19. Setting the mesh and node IDs

6.4 Mesh Prefix

The mesh prefix parameter sets the first two octets of a node’s mesh interface IP address. It must be set the same for all nodes in a given mesh cluster. The allowed range of values is 172.16 through 172.29.
-
Web GUI
The mesh prefix can be set via the web interface using the “Mesh” tab on the “Wireless Interfaces” page.

Figure 20. Setting the mesh prefix

6.5 LAN Prefix

A Class C subnet is shared between an EnRoute500’s access point and Ethernet interfaces. The subnet address space is based on the mesh ID, node ID, and LAN prefix. The suggested values for the LAN prefix are 10 and 192. The LAN prefix must be the same for all nodes in a mesh cluster.

10 . 12 . 107 .
-
Interface   Interface address   Broadcast address   Client address range
wlan1       subnet.1            subnet.127          subnet.2-126
wlan2       subnet.129          subnet.159          subnet.130-158
wlan3       subnet.161          subnet.191          subnet.162-190
wlan4       subnet.193          subnet.223          subnet.194-222
eth0        subnet.225          subnet.255          subnet.226-254

subnet = ..

Table 6. Default subnet segmentation between interfaces

CLI
The LAN prefix is set with the ‘id.
-
Web GUI
A primary and secondary DNS server can be set via the web interface using the “DNS” tab on the “System Parameters” page.

Figure 22. Setting the DNS server(s)

6.7 DNS Proxy Configuration

DNS proxy entries can be added to an EnRoute500 to force local resolution of host names to IP addresses.

CLI
A list of hostname/IP address pairs to be resolved locally can be specified using the ‘dnsproxy.hosts’ parameter in the ‘sys’ interface.
-
Web GUI
DNS proxying can be enabled through the Web GUI as shown in Figure 23. Hostname/IP address pairs can be added through the web interface as well.

Figure 23. Configuring DNS proxying

6.8 NetBIOS Server

The NetBIOS server parameter is used to define a NetBIOS server IP address that is provided to client devices by the local DHCP server.

CLI
The NetBIOS server is set with the ‘netbios.servers’ parameter in the ‘sys’ interface.
-
Figure 24. Setting the NetBIOS server(s)

6.9 Location

Two types of node location information can be stored:

• Latitude/longitude/altitude
• Postal address or description of a node’s location

Note that these values are not automatically updated and must be entered after a node has been installed. Altitude is in meters.
-
A description of the node’s location can be stored in the ‘location.postal’ field in the ‘sys’ interface. For example, you can set the location value as shown below.

    > use sys
    sys> set location.postal="Light post near 123 Main St., Anytown, CA"

Web GUI
The location information can be set via the web interface using the “Location” tab on the “System Parameters” page.

Figure 25. Setting location information

6.
-
sys.organization.state – state name
sys.organization.country – two-letter country abbreviation

Web GUI
The certificate information can be set via the web interface using the “Location” tab on the “System Parameters” page.

Figure 26. Setting certificate information

6.11 CLI timeout

The CLI will automatically log out a user if the interface has remained inactive for a certain length of time.
-
7 Mesh Radio Configuration

The EnRoute500 has an 802.11a radio dedicated to mesh backhaul traffic. The settings for this radio are independent of any settings for the radio used for the EnRoute500’s built-in access points. The majority of the mesh radio settings must be the same on all nodes in a given mesh cluster for the nodes to be able to communicate.

Figure 27. Mesh interface parameters

7.1 Channel

The 802.
-
All the nodes in a mesh cluster need to be configured to use the same 802.11a channel.

CLI
The mesh radio channel is set with the ‘channel’ parameter in the ‘mesh’ interface as shown in the example below.

    > use mesh0
    mesh0> set channel=157

Web GUI
The mesh radio channel can be set via the web interface using the “Mesh” tab on the “Wireless Interfaces” page (see Figure 27).

7.2 Service Set Identifier (SSID)

The Service Set Identifier, or SSID, is used in 802.
-
Web GUI
The mesh radio SSID and its broadcast state can be set via the web interface using the “Mesh” tab on the “Wireless Interfaces” page (see Figure 27).

7.3 Encryption

The mesh radio link can be protected with an encryption key to prevent unauthorized users from intercepting or spoofing mesh traffic. Each node in a mesh cluster must have the same encryption key.

CLI
To enable encryption, set the ‘key’ parameter in the ‘mesh0’ interface.
-
7.4 Transmit Power

The transmit power of the mesh radio is configurable. Increased output power will improve communication range, but will also extend the interference range of the radios. It is suggested that the transmit power is initially set to the maximum level for an installation and is then reduced if it is determined that the transmit power far exceeds the level required to maintain links.
-
the ‘RSSI Join’ value specified to be usable. The ‘RSSI Join’ value is set to 27 by default. This value reflects the lowest RSSI that will allow the mesh radio to operate at its highest data rate. It is possible to achieve longer link ranges, at the cost of reduced throughput, by reducing the ‘RSSI Join’ value.

In combination with the ‘RSSI Join’ value, the ‘RSSI Margin’ value is used to set the RSSI level at which links are dropped.
-
Web GUI
The mesh radio IP settings are available through the web interface on the “Status” page.

7.7 Neighbor Status

Information on mesh neighbors is provided on the mesh status page of the web GUI, accessible under the ‘Status’ tab on the ‘Status’ page. The signal strength of each mesh neighbor device, its MAC address, its IP address, and the time since data was last received from it are listed. A sample of the mesh neighbor status page is shown in Figure 28.
-
8 Ethernet Interface Configuration

The function of the Ethernet interface (eth0) depends on the operating scheme that has been selected (see section 6.2). In repeater mode, the Ethernet interface can be used to connect client devices to the mesh cluster. In gateway mode, the Ethernet interface is used as a backhaul interface that connects the mesh cluster to a WAN. Client devices cannot connect through the Ethernet interface in this mode.

8.
-
The IP address range start address (‘ip.start.requested’ in the CLI) must be one of the following values: 1, 33, 65, 97, 129, 161, 193, 225. The IP address range size (‘ip.size.requested’ in the CLI) must be one of the following values: 31, 63, 127, 255.

The IP address range size and start address must be chosen such that the address segment does not cross a netmask boundary. Table 9 lists allowed combinations.
-
Web GUI
The eth0 address segment start address and size can be set via the web interface using the “DHCP” sub-tab on the “DHCP” tab on the “System Parameters” page (see Figure 30).

Figure 30. ‘eth0’ DHCP and address space settings
-
8.1.2 Ethernet Interface IP Address

The EnRoute500’s Ethernet interface IP address should not be changed directly when it is in repeater mode. To set the IP address to the desired value, modify the node ID, mesh ID, and LAN prefix parameters (see sections 6.3 and 6.5).

CLI
You can view the IP settings for the Ethernet interface with the ‘ip.*’ parameters in the ‘eth0’ interface as shown in the example below.

    > use eth0
    eth0> get ip.*
    ip.address = 10.2.4.225 [read-only]
    ip.
-
8.1.4 Manual IP Configuration of Client Devices

The client devices connected via the Ethernet interface that use static IP addresses must have addresses that are within the subnet of the Ethernet interface. If the local DHCP server is enabled for the Ethernet interface, IP addresses must be reserved for statically-configured devices by setting the DHCP reserve parameter. This will reserve the specified number of IP addresses at the bottom of the IP range for the interface.
-
Figure 31. Wired interface parameters with EnRoute500 using wired interface for backhaul

8.2.1 DHCP

When configured as a gateway, the EnRoute500 can be set to obtain an IP address for its Ethernet interface using DHCP. To enable the DHCP client mode on the Ethernet interface, set the value of the Ethernet DHCP role parameter to ‘client’. When configured as a DHCP client, the EnRoute500 will continually attempt to contact a DHCP server until it is successful.
-
To disable Ethernet DHCP client mode, set the DHCP role parameter to ‘none’ as shown below.

    > use eth0
    eth0> set dhcp.role=none

Web GUI
The Ethernet DHCP role value can be set via the web interface using the “DHCP” sub-tab on the “DHCP” tab on the “System Parameters” page (see Figure 30).

8.2.2 Manual IP Configuration

When a node is configured as a gateway, there are no limitations imposed by the EnRoute500 on the IP address assigned to the Ethernet interface.
-
These parameters cannot be set though. These default parameters can be overridden with the parameters listed below.

    ip.address_force
    ip.broadcast_force
    ip.gateway_force
    ip.netmask_force

The example below shows how a custom IP address can be set for the Ethernet interface.

    > use eth0
    eth0> set dhcp=none
    eth0> set ip.address_force=192.168.1.2
    eth0> set ip.broadcast_force=192.168.1.255
    eth0> set ip.gateway_force=192.168.1.1
    eth0> set ip.netmask_force=255.255.255.
-
9 Access Point (AP) Configuration

The EnRoute500 has an 802.11b/g radio dedicated to access point traffic. The settings for this radio are independent of any settings for the radio used for the mesh backhaul traffic. The settings for the access points can vary from node to node in the mesh, but typically it is desirable to set certain parameters to the same value for all the access points in a mesh to allow clients to roam seamlessly within the mesh network.
-
there is no inherent prioritization or preference for one access point. The section on quality-of-service settings (section 13) describes how prioritization on a per-access point basis can be configured.

9.2 Enabling and Disabling Access Points

Access points can be individually enabled or disabled. An access point can be configured when it is disabled and parameter settings are retained when it is disabled.
-
The address spaces for enabled interfaces should not overlap. Each of the enabled interfaces’ address segments should be configured to avoid overlap with the other interfaces’ address segments. In the case where a node is configured such that this requirement is not met, address spaces will be automatically reduced in size to prevent overlap.

CLI
In the example below, the WLAN interfaces are set up to use the lower half of the class C address space.
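The start and size rules from section 8.1.1 and the no-overlap requirement above can be checked before a node is provisioned, so that the node never has to shrink a segment silently. The Python below is an added example, not part of the Tranzeo guide: it reads “does not cross a netmask boundary” as block alignment, assumes the wlanN interfaces follow the same start/size rules as eth0, and assumes the subnet octets are LAN prefix, mesh ID, node ID; all class and function names are hypothetical.

```python
from dataclasses import dataclass
from itertools import combinations

# Allowed values quoted from section 8.1.1 of the guide.
ALLOWED_STARTS = (1, 33, 65, 97, 129, 161, 193, 225)
ALLOWED_SIZES = (31, 63, 127, 255)


def client_subnet(lan_prefix, mesh_id, node_id):
    """First three octets shared by a node's client interfaces.

    Assumption: the octet order is LAN prefix, mesh ID, node ID.
    """
    if not 0 <= mesh_id <= 254:          # range stated in section 6.3
        raise ValueError("mesh ID must be 0 through 254")
    if not 0 <= node_id <= 255:          # assumption: must fit in one octet
        raise ValueError("node ID must fit in one octet")
    return f"{lan_prefix}.{mesh_id}.{node_id}"


@dataclass(frozen=True)
class Segment:
    iface: str
    start: int    # ip.start.requested (host octet of the interface address)
    size: int     # ip.size.requested

    @property
    def block(self):
        """Lowest and highest host octet covered by the segment."""
        return self.start - 1, self.start - 1 + self.size

    def problems(self):
        found = []
        if self.start not in ALLOWED_STARTS:
            found.append(f"{self.iface}: start {self.start} is not an allowed value")
        if self.size not in ALLOWED_SIZES:
            found.append(f"{self.iface}: size {self.size} is not an allowed value")
        # Assumed reading of "does not cross a netmask boundary": the block
        # must be aligned to its own length, as a CIDR subnet would be.
        if not found and (self.start - 1) % (self.size + 1) != 0:
            found.append(f"{self.iface}: start {self.start} with size "
                         f"{self.size} crosses a netmask boundary")
        return found

    def layout(self, subnet):
        """Interface, broadcast and client addresses in the style of Table 6."""
        _, high = self.block
        return {
            "interface": f"{subnet}.{self.start}",
            "broadcast": f"{subnet}.{high}",
            "clients": f"{subnet}.{self.start + 1}-{high - 1}",
        }


def check_plan(segments):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    for seg in segments:
        findings.extend(seg.problems())
    for a, b in combinations(segments, 2):
        if a.block[0] <= b.block[1] and b.block[0] <= a.block[1]:
            findings.append(f"{a.iface} and {b.iface} overlap")
    return findings


# Defaults taken from Table 6.
TABLE6_DEFAULTS = [
    Segment("wlan1", 1, 127), Segment("wlan2", 129, 31),
    Segment("wlan3", 161, 31), Segment("wlan4", 193, 31),
    Segment("eth0", 225, 31),
]

# Constructed plan with two mistakes, for illustration only.
BAD_PLAN = [
    Segment("wlan1", 1, 127),
    Segment("wlan2", 97, 31),    # lies inside wlan1's block
    Segment("eth0", 161, 63),    # block 160-223 is not 64-aligned
]

if __name__ == "__main__":
    subnet = client_subnet(10, 12, 107)
    for seg in TABLE6_DEFAULTS:
        print(seg.iface, seg.layout(subnet))
    for finding in check_plan(BAD_PLAN):
        print("FINDING:", finding)
```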
-
Figure 33. ‘wlanN’ DHCP and address space settings

9.4 Channel

The 802.11b/g radio can be set to operate in the channels listed in Table 10.
-
Channel   Center Frequency (GHz)
1         2.412
2         2.417
3         2.422
4         2.427
5         2.432
6         2.437
7         2.442
8         2.447
9         2.452
10        2.457
11        2.462

Table 10. Access point channels and associated center frequencies

Note that only channels 1, 6, and 11 are non-overlapping.

It is not possible to configure access points to use different channels. If the channel for wlan2 is changed, the channel will be changed for wlan1, wlan3, and wlan4.
-
Each access point can be configured with a different ESSID. This allows network traffic to be separated based on ESSID. Assigning unique ESSIDs to the access points in a mesh has the benefit of allowing a user to configure a client device to connect to a specific node in the mesh. Typically a mesh will be deployed with the access point ESSIDs having the same set of values for each EnRoute500 in order to support seamless roaming.
-
9.6.1 Access Point IP Address

The IP address, broadcast address, and netmask associated with an access point interface can be viewed, but not directly changed through the CLI or web GUI. To set the IP address to the desired value, modify the node ID, mesh ID, and LAN prefix parameters (see sections 6.3 and 6.5). You can view the resulting settings for the AP interface with either the CLI or the web GUI.
-
use by statically configured devices. The remaining IP addresses in the interface’s address space can be assigned by the DHCP server to other client devices.

CLI
The number of IP addresses reserved for statically-configured devices connected to the Ethernet interface is set with the ‘dhcp.reserve’ parameter in the ‘eth0’ interface.

Web GUI
The ‘dhcp.
-
The WEP and WPA configuration settings for each access point are independent. An access point can only support one of the encryption/authentication modes at a time, but the APs in the EnRoute500 do not all have to use the same encryption/authentication scheme.

Figure 35. Access point authentication and encryption settings

9.8.
-
Encryption format   Encryption key length   Key format
WEP                 40 bits                 s:<5 ASCII characters>
                                            <10 hex values>
WEP                 104 bits                s:<13 ASCII characters>
                                            <26 hex values>
None                N/A

Table 11.
-
CLI
The example below shows how to enable WPA-PSK mode for wlan1. The ‘wpa.key_mgmt’ parameter must also be set to indicate that PSK mode is being used, as shown below.

    > use wlan1
    wlan1> set wpa.enable=yes
    wlan1> set wpa.key_mgmt="WPA-PSK"
    wlan1> set wpa.
-
    wpa.auth.server.port
    wpa.auth.server.shared_secret

The ‘wpa.key_mgmt’ parameter must be set to indicate that both PSK and EAP modes can be supported, as shown in the example below. The example below shows how to enable WPA EAP mode.

    > use wlan1
    wlan1> set wpa.enable=yes
    wlan1> set wpa.key_mgmt="WPA-PSK WPA-EAP"
    wlan1> set wpa.auth.server.addr=1.2.3.4
    wlan1> set wpa.auth.server.port=1812
    wlan1> set wpa.auth.
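The password, mesh key and WPA settings described in this guide can be checked in a provisioning script before it is typed into a node, so that a unit is not deployed with the default ‘mesh’ password or an access point without WPA. The Python below is an added example, not part of the Tranzeo guide: it assumes the script is kept as text in the guide’s own `use`/`set` syntax, it only audits interfaces the script touches, and the function names and the sample script are constructed for illustration.

```python
import re
import shlex

PROMPT = re.compile(r"^\s*\w*>\s*")     # "> " or "wlan1> " in front of a command
DEFAULT_PASSWORD = "mesh"                # default for both accounts (section 6.1)
EAP_PARAMS = ("wpa.auth.server.addr", "wpa.auth.server.port",
              "wpa.auth.server.shared_secret")


def parse_script(text):
    """Return {interface: {parameter: value}} from 'use' and 'set' lines."""
    settings, current = {}, None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw, count=1).strip()
        if not line:
            continue
        words = shlex.split(line)        # honours double-quoted values with spaces
        if words[0] == "use" and len(words) == 2:
            current = words[1]
            settings.setdefault(current, {})
        elif words[0] == "set":
            if current is None or len(words) != 2 or "=" not in words[1]:
                raise ValueError(f"cannot interpret: {raw!r}")
            name, value = words[1].split("=", 1)
            settings[current][name] = value
        # other commands (get, list, history ...) do not change settings
    return settings


def audit(settings):
    """Return findings for the settings the guide ties to access control."""
    findings = []
    sys_cfg = settings.get("sys", {})
    for account in ("admin", "monitor"):
        value = sys_cfg.get(f"password.{account}")
        if value is None:
            findings.append(f"sys: password.{account} is not set by this script")
        elif value == DEFAULT_PASSWORD:
            findings.append(f"sys: password.{account} is still the default")
    if not settings.get("mesh0", {}).get("key"):
        findings.append("mesh0: no encryption key is set by this script")
    for iface in sorted(settings):
        if not re.fullmatch(r"wlan[1-4]", iface):
            continue
        cfg = settings[iface]
        if cfg.get("wpa.enable") != "yes":
            findings.append(f"{iface}: wpa.enable is not set to yes")
            continue
        modes = cfg.get("wpa.key_mgmt", "").split()
        if not modes:
            findings.append(f"{iface}: wpa.key_mgmt is not set")
        if "WPA-EAP" in modes:
            missing = [p for p in EAP_PARAMS if p not in cfg]
            if missing:
                findings.append(f"{iface}: WPA-EAP selected without "
                                + ", ".join(missing))
    return findings


# Constructed provisioning script; every value is a made-up sample.
SAMPLE_SCRIPT = """\
> use sys
sys> set password.admin="Constructed Admin Phrase 7"
sys> set password.monitor=mesh
> use mesh0
mesh0> set channel=157
> use wlan1
wlan1> set wpa.enable=yes
wlan1> set wpa.key_mgmt="WPA-PSK WPA-EAP"
wlan1> set wpa.auth.server.addr=1.2.3.4
wlan1> set wpa.auth.server.port=1812
> use wlan2
wlan2> set essid=guest_ap
"""

if __name__ == "__main__":
    for finding in audit(parse_script(SAMPLE_SCRIPT)):
        print("FINDING:", finding)
```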
-
When setting the output power for an access point, consider the output power of the clients that will be communicating with the access point. If these devices have output power levels that are far lower than that of the access point, an asymmetric link may result.
-
10 Client DHCP Configuration

Two configuration options exist for assigning IP addresses to client devices using DHCP:

• Each EnRoute500 hosts a local DHCP server and supplies IP addresses to devices attaching to any of the client interfaces
• A centralized DHCP server supplies IP addresses to client devices, with the EnRoute500s relaying DHCP messages between client devices and the centralized server.
-
addresses to the DHCP pool. You may reserve the entire range of IP addresses, but the EnRoute500 will use at least the highest address in the range for DHCP. If the ‘dhcp.reserve’ value is non-zero, the DHCP range start address will be affected as shown below

    Start address = . . . + 1 - < wlan1 DHCP reserve>

CLI
The examples below show how to set the DHCP server state for the ‘wlan1’ interface.
-
Figure 36. Access point DHCP configuration
-
10.2 Using a Centralized DHCP Server
DHCP relay enables assignment of IP addresses to wireless clients from a common remote DHCP server. The remote DHCP server may reside either on a host connected to the mesh gateway’s wired segment, or on a server that is beyond one or more routers. When using a common DHCP server, wireless clients are assigned IP addresses from a single address pool, and are allowed to keep their IP address while roaming seamlessly from AP to AP.
-
Each client interface on the EnRoute500 that is to support centralized DHCP mode must be configured to be in DHCP server mode for it to support relay of IP addresses to clients from a central DHCP server. This configuration is set with the DHCP role parameter in each of the client interfaces (eth0, wlan1-4). It is possible to disable DHCP address assignments to clients on a per-interface basis and have them use static IP addresses instead.
-
> use wlan3
wlan3> set dhcp=none
The Client Address Space value is set with the ‘dhcp.relay.dhcp_subnet’ parameter in the ‘sys’ interface. This value should be a class A, B, or C subnet specified using CIDR notation as shown in the example below.
> use sys
sys> set dhcp.relay.dhcp_subnet=192.168.5.0/24
The Base Value, which sets the IP address of client interfaces on a node, is set through the ‘dhcp.relay.base’ parameter in the ‘sys’ interface.
-
Figure 37. DHCP relay settings for use with a centralized DHCP server
10.2.2 Configuring the Central DHCP Server
Guidelines for configuring the central DHCP server are provided below. The full configuration of the central DHCP server will depend on the type of DHCP server that is used and is beyond the scope of this document. Typically the following information must be available in order to configure the server:
1.
-
the mesh network includes 3 mesh nodes, 2 IP addresses are set aside for the DHCP server and the mesh gateway, and therefore the address pool starts from 192.168.5.18.
-
11 Connecting an EnRoute500 Gateway to a WAN
The options for connecting an EnRoute500 gateway to a WAN are described below.
11.1 Manual Configuration
An EnRoute500 gateway can be directly connected to a WAN without using Network Address Translation. With this gateway configuration, the router on the network that the gateway is attached to must be configured to forward the mesh subnet and the LAN subnets to the gateway’s Ethernet IP address.
-
However, devices on the external network cannot initiate communication with any nodes in the mesh cluster, or their clients, other than the mesh cluster gateway. The advantages of using NAT are:
• You can easily attach a mesh cluster to an existing network.
• You do not need to modify any settings on the router on your existing network to forward packets to the IP addresses used in your mesh cluster.
-
Figure 38. NAT setting
11.3 VPN Access to a Mesh Gateway
An EnRoute500 configured as a gateway can establish a VPN connection to an OpenVPN server. This VPN connection provides the following capabilities:
• Any node in the mesh can be contacted directly from a remote host, even when NAT is enabled on the gateway node.
-
> use eth0
sys> set vpn.enable=yes
sys> set vpn.server=192.168.0.1
sys> set vpn.port=1194
Web GUI
These parameters can be set via the web interface on the “Wired/Backhaul Interface” page when the node scheme is set to ‘gateway’.
Figure 39. VPN client settings
-
12 Controlling Access to the EnRoute500
The EnRoute500 supports the following features for restricting access to the mesh node, inter-client device communication and access to mesh nodes and client devices from an external network:
• Firewall
• Client-to-client communication blocking
• Gateway firewall
It further supports controlled network access by client devices through MAC address black lists and mesh association through MAC white lists.
12.
-
If ports that are open by default are reconfigured to be closed, certain EnRoute500 functions will be affected. It is strongly recommended that all of the ports listed in Table 14 be kept open.
CLI
The firewall is enabled by selecting the ‘firewall’ interface and setting the ‘node.enable’ parameter.
> use firewall
firewall> set node.enable=yes
Lists of allowed source and destination ports for inbound TCP and UDP traffic can be specified.
-
> use firewall
firewall> set gateway=yes
disable it with
> use firewall
firewall> set gateway=no
12.3 Blocking Client-to-Client Traffic
Client-to-client traffic can be blocked or permitted on a per-interface basis. By enabling client-to-client traffic blocking for one or more of an EnRoute500’s client interfaces, the clients that attach to that particular interface will not be able to communicate with any clients attached to that or any other client interface in the mesh.
-
clients connecting to that interface will not be able to communicate with any other clients in the mesh.
Figure 40. Client-to-client firewall settings
Note that devices connected to different interfaces can only communicate with each other if client-to-client isolation is disabled for both interfaces. Client-to-client isolation is only enabled if the EnRoute500 node firewall (firewall.node.enable) is enabled (section 12.1).
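The two rules above (both interfaces must have isolation disabled, and isolation has no effect unless firewall.node.enable is on) are easy to get wrong when reviewing a node's settings. The following audit sketch is an added example, not EnRoute500 code; the dictionary layout, the 'c2c_block' key and the function names are hypothetical, and the sample configurations are constructed.

```python
from itertools import combinations_with_replacement

CLIENT_IFACES = ("eth0", "wlan1", "wlan2", "wlan3", "wlan4")

# Constructed samples: same per-interface blocking, node firewall on vs. off.
SAMPLE_ENFORCED = {"firewall.node.enable": True,
                   "c2c_block": {"wlan1": True, "wlan2": True}}
SAMPLE_INERT = {"firewall.node.enable": False,
                "c2c_block": {"wlan1": True, "wlan2": True}}


def isolation_active(cfg, iface):
    """Blocking on an interface only takes effect when the node firewall is on."""
    return bool(cfg["firewall.node.enable"]) and cfg["c2c_block"].get(iface, False)


def can_communicate(cfg, iface_a, iface_b):
    """Clients on iface_a and iface_b (which may be the same interface) can
    reach each other only if isolation is inactive on both."""
    return not (isolation_active(cfg, iface_a) or isolation_active(cfg, iface_b))


def reachable_pairs(cfg):
    """All interface pairs, including an interface with itself, whose clients
    can still talk to each other."""
    return [(a, b) for a, b in combinations_with_replacement(CLIENT_IFACES, 2)
            if can_communicate(cfg, a, b)]


def audit(cfg):
    """Report blocking settings that are configured but not enforced."""
    wanted = [i for i in CLIENT_IFACES if cfg["c2c_block"].get(i, False)]
    if wanted and not cfg["firewall.node.enable"]:
        return ["blocking set on %s but firewall.node.enable is off: "
                "no isolation is enforced" % ", ".join(wanted)]
    return []
```
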
-
12.4 Access Control Lists (ACLs)
Access control lists can be created for each of the access point interfaces and the mesh interface.
12.4.1 Access Point Access Control Lists (ACLs)
The access control lists (ACLs) for the access point interfaces (wlan1-wlan4) block access to any device with a MAC address matching those on the list. Individual ACLs can be defined for each access point.
-
12.4.2 Mesh ACL
The access control list (ACL) for the mesh interface blocks access to the node via the mesh interface for any node whose mesh MAC address is not listed in the ACL. It is possible to isolate a mesh node from other nodes in the mesh if the mesh ACL is incorrectly configured. If the mesh ACL is enabled and no MAC addresses are present on the list, or the wrong addresses are present, it will not be possible for other mesh nodes to communicate with the node.
-
13 Quality of Service (QoS) Configuration
The EnRoute500 has extensive support for quality of service settings that allow traffic to be prioritized based on the source interface, destination interface, and type of traffic. The EnRoute500 QoS scheme allows both rate limiting and rate reservation for all interfaces.
13.1 Priority Levels
The Flow Priority parameters set the relative priority of outbound traffic based on the source interface.
-
When sending data out through any of the wireless interfaces (wlanN, mesh0), these priorities map directly to the hardware priority output queues on the wireless card. The default level is Best Effort. To increase the hardware priority of traffic from a particular interface, set the value of Min Hardware Priority to a value larger than 1. This will force all traffic from the chosen interface to use a hardware queue equal to or greater than the Min Hardware Priority value set.
-
Web GUI
Flow priorities can be set via the web interface under the “QoS” tab on the “QoS” page (see Figure 43). The hardware priority levels can be set for each interface under the “Advanced QoS” tab on the “QoS” page (see Figure 44).
Figure 43. QoS settings
-
Figure 44. Advanced QoS configuration (only settings for some interfaces are shown)
13.2 Rate Limiting
A rate limit can be set at each QoS Control Point shown in Figure 45.
-
[Diagram labels: Input, Output, QoS Control Point; interfaces local, mesh0, eth0, wlan1, wlan2, wlan3, wlan4; traffic types VI, VO, BK, BE]
Figure 45. Quality of Service rate limit control points
Data rate limits can also be imposed based on traffic type through an interface.
-
mesh0, wlan1, wlan2, wlan3, wlan4. The ‘out.default.default.limit’ value is applied to interfaces that have the ‘out.
-
For rate reservations to be enforced, a rate limit must be set for the traffic type that the reservation is made for. Setting a rate limit for a broader traffic type, of which the one the reservation is made for is a subset, is also acceptable. For example, when making a rate reservation for voice traffic from wlan1 to mesh0 (‘out.mesh0.wlan1.vo.reserve’), a limit must be set with ‘out.mesh0.limit’, ‘out.mesh0.wlan1.limit’, or ‘out.mesh0.wlan1.vo.limit’.
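A check for the rule above, run over a dump of 'qos' parameters to find reservations that would silently go unenforced. This is an added example, not part of the EnRoute500 software; the function names and the sample values are constructed, and it assumes that a blank or 'inherit' value does not count as an explicit limit (default-limit inheritance is not modeled).

```python
def covering_limits(reserve_key):
    """Limit parameters that satisfy a reservation such as
    'out.mesh0.wlan1.vo.reserve': the same traffic type or any broader one."""
    parts = reserve_key.split(".")
    if len(parts) < 3 or parts[0] != "out" or parts[-1] != "reserve":
        raise ValueError("not a reservation parameter: %r" % reserve_key)
    scope = parts[1:-1]                       # e.g. ['mesh0', 'wlan1', 'vo']
    return [".".join(["out"] + scope[:n] + ["limit"])
            for n in range(1, len(scope) + 1)]


def is_set(value):
    """Assumption: blank and 'inherit' mean no explicit value was configured."""
    return value is not None and value.strip().lower() not in ("", "inherit")


def unenforced_reservations(qos):
    """Return reservation keys that have a value but no explicit covering limit."""
    problems = []
    for key, value in sorted(qos.items()):
        if key.endswith(".reserve") and is_set(value):
            if not any(is_set(qos.get(k)) for k in covering_limits(key)):
                problems.append(key)
    return problems


# Constructed sample settings (values are placeholders, units not implied).
SAMPLE_QOS = {
    "out.mesh0.wlan1.vo.reserve": "512",
    "out.mesh0.wlan1.limit": "2048",      # broader limit: covers the line above
    "out.eth0.wlan2.vi.reserve": "1024",  # no limit at any level
    "out.eth0.wlan3.limit": "4096",       # different source interface: no help
    "out.wlan1.mesh0.vo.reserve": "256",
    "out.wlan1.limit": "inherit",         # not an explicit limit
}
```
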
-
value are applied to interfaces that have their bandwidth reservation parameters set to ‘inherit’ or are left blank.
CLI
The parameters that are used to set these rate reservations are in the ‘qos’ interface and are of the form ‘out.
-
14 Enabling VLAN Tagging
The EnRoute500 supports VLAN tagging, with each client interface capable of supporting a different VLAN tag. If VLAN tagging is enabled for an interface, client devices that connect to the interface must be capable of receiving VLAN-tagged frames.
14.1 Client Interface Configuration
VLAN tagging can be independently controlled on each client interface (eth0, wlan1-4).
-
Figure 47. Configuring VLAN for access point interfaces
14.2 Gateway Configuration
For VLAN tags to be preserved on traffic that exits a mesh cluster, VLAN support must be enabled for the Ethernet interface on the mesh cluster’s gateway node. The Enable VLAN parameter for the Wired/Backhaul interface controls the state of VLAN tagging. If VLAN tagging is enabled on the gateway’s interface to the WAN, all outbound traffic will have its VLAN tags preserved.
-
The example below shows how to set the VLAN ID for the backhaul Ethernet interface using the ‘vlan.id’ parameter in the ‘eth0’ interface.
> use eth0
eth0> set vlan.id=1
Web GUI
The backhaul VLAN parameters are set on the “Wired/Backhaul Interface” page as shown in Figure 48.
Figure 48. Configuring VLAN for backhaul interface
-
15 Integration with Enterprise Equipment
The EnRoute500 supports authentication, accounting, and monitoring services that easily integrate with enterprise equipment. In this section the following topics are described:
• Splash pages
• Backhaul health monitoring
• Layer 2 client emulation
15.1 Configuring Splash Pages
The EnRoute500 supports splash pages, which can be used to restrict access to the mesh network and provide information to users that connect to the mesh.
-
illustrates how to set the parameter for the wlan1 interface such that a user will be required to log in to access the network.
> use sys
sys> set splash.auth.server.enable.wlan1=yes
Web GUI
Splash pages can be enabled on a per-interface basis on the “Splash Pages” sub-tab under the “AAA” tab on the “System Parameters” page of the web interface (see Figure 49). Whether client login is required can also be set on this page with the “Require Login” parameter.
Figure 49.
-
15.1.2 Configuring Splash URLs
The URL that a user is redirected to for login purposes can be individually configured for each client interface that supports splash pages (wlan1-4). URLs for successful login, failed login, and error conditions can also be specified for each interface. The ‘login URL’ parameter sets the URL that a user is redirected to when they attach to the interface and have not yet been authenticated.
-
Web GUI
All of the splash page-related URLs can be set on the “Splash Pages” sub-tab under the “AAA” tab on the “System Parameters” page of the web interface (see Figure 49).
15.1.3 Sample HTML Code for Splash Pages
The login HTML page must contain specific form information as shown in the sample code in Figure 50 and Figure 51. Figure 50 contains the code required for an interface that requires a login.
-
Test Login Page
-
• the port on the server that the RADIUS server is listening on
• the shared secret – must be a string of alphanumeric characters that is 32 characters or less in length.
CLI
The ‘splash.auth.server..host’, ‘splash.auth.server..port’, and ‘splash.auth.server..secret’ parameters in the ‘sys’ interface, where is either ‘wlan1’, ‘wlan2’, ‘wlan3’, or ‘wlan4’, specify the authentication server to use.
-
Figure 52. Adding trusted MAC addresses and accessible hosts
15.1.6 Bypass Splash Pages for Access to Specific Hosts
It is possible to specify a list of IP addresses that clients can access without the clients having to view a splash screen.
CLI
The list of hosts that can be accessed without having to view a splash screen is set with the ‘splash.bypass_hosts’ parameter in the ‘sys’ interface. The hosts are specified by their IP addresses and must be separated by commas.
-
15.2 Layer 2 Emulation
Certain back-end systems (Internet gateways) use the MAC addresses of client devices for authentication and accounting purposes. The EnRoute500 uses a layer 3 approach to mesh routing, which means that the client MAC addresses are typically not provided to the back-end servers. A layer 2 emulation mode can be enabled on the EnRoute500 to provide the client MAC address information to back-end systems.
-
16 Firmware Management
The EnRoute500 supports secure remote firmware upgrade.
16.1 Displaying the Firmware Version
CLI
Firmware version information is available in the ‘version’ interface. The example below shows how to display the current firmware version.
> use version
version> get release
release = ENROUTE500_20060419_00_00_0133
Web GUI
The firmware version is also displayed at the top of the “Status” page accessible via the web interface.
16.
-
17 Glossary
ACL            Access Control List
AP             Access Point
CLI            Command line interface
ESSID          Extended Service Set Identifier
LAN            Local-Area Network
Mesh cloud     A group of EnRoute500 nodes configured as one or more clusters
Mesh cluster   A group of two or more EnRoute500 nodes with at least one configured as a gateway
Mesh gateway   A mesh node that, in addition to relaying traffic between neighboring mesh nodes and supporting wireless clients through its built-in APs, acts as