COR Series Router
Contents
1. cradlepotnt User Manual IBR600 IBR650 11 5 15 OpenVPN supports the CBC CFB and OFB cipher modes however CBC is recommended Q Add or Edit test 2 O and CFB and OFB should be considered Security advanced modes Cipher BF GBC e Auth Algorithm Authenticate packets with HMAC using message digest algorithm alg The default is SHA1 HMAC is a commonly used message authentication algorithm MAC that uses a data string a secure hash algorithm and a key to produce a digital signature e TLS Authentication In client server mode adds an additional layer of HMAC authentication on top of the tls control channel to protect against DoS attacks In point to point mode encrypts the communication using a static key These keys must match on each endpoint Add Edit Tunnel Remote Servers Create a list of remote server connections to connect to OpenVPN will try to connect to each host in the list If a disconnect occurs from a given server the next server will be tried in a round robin fashion Auth Algorithm SHA1 TLS Authentication Host IP address of the remote server Port Specify the port if desired Protocol Select UDP or TCP Add Edit Tunnel Routes Add or remove the routes that will be used to direct packets through the tunnel e Network Address e Netmask Generate Client Configuration The Generate Client Configuration button can be used to generate client configurat2. 431919 ESTABL seen reply as 100 98 9 52 2450 2 8001 522450 2 100 98 9 58870 TCP 64 TIME W seen reply as 192 168 63 1106 443 63 110 6 10098 9 56273 TCP 64 TIME W seen reply as 192 168 63 110 6 443 63 110 6 100 98 9 56272 TCP 431956 ESTABL seenreply as 192 168 398138 1 443 98 138 1 100 98 9 54903 TCP 431999 ESTABL seen reply as 192 168 192 168 80 192 168 192 168 56101 TCP 62 SYN SE confirmedsna 192 168 172 184 445 172 18 4 100 98 9 56317 TCP 65 TIME W seen reply as 192 168 63 110 6 443 63 110 6 100 98 9 56289 ROUTING Displays information about your System GRE and NEMO Routes To configure these routes 90 to System Routes NETWORKING gt Tunnels 1230 ae 100 107 201 144 30 Scd858ae 0 192 168 0 0 24 primarylan 0 192 168 10 0 24 guestlan 0 tedi 64 primarylan 256 2015 Cradlepoint A Rights Reserved 1 855 813 3385 cradlepoint com D cradlepotnt User Manual IBR600 IBR650 11 5 15 ETHERNET Displays information about your Ethernet ports To configure Ethernet ports go to NETWORKING gt Local Networks gt Ethernet Ethernet Ports i l D down 1 up 2 down none GPS Displays GPS location and status To enable and configure GPS go to SYSTEM gt Administration gt GPS SYSTEM LOGS Displays System Log information To configure System Logging 90 to SYSTEM gt A
3. L _ SAY en ee polni A 2015 08 05 2015 08 05 2015 08 05 2015 08 05 2015 08 05 2015 08 05 2015 08 05 2015 08 05 2015 08 05 2015 08 05 2015 08 05 10 17 42 10 20 00 10 23 00 10 26 00 10 29 00 10 32 00 10 35 00 10 38 00 10 41 00 10 44 00 10 47 00 Time wan n wan Gut Bin in ianocut Failover Failback Load Balance Sample Rate 200 Samples Hour Sample Size 100 Samples Connected g CO m Disconnected 2015 08 05 2015 08 05 2015 08 05 2015 08 05 2015 08 05 2015 08 05 2015 0805 2015 08 05 2015 0805 2015 08 05 10 17 42 10 21 00 10 24 00 10 27 00 10 30 00 10 33 00 10 36 00 10 39 00 10 42 00 10 45 00 Time sihemet e0 mdm modem OOS Displays packets and bytes transmitted and received by your Quality of Service QoS queues To enable and configure QoS go to NETWORKING gt Qos cradlepotnt Qos Receive packets bytes Queue Default Transmit packets bytes 634 231 41 KB 26 11 95 KB 1455 213 70 KB test 29 4 30 KB Reserved 1 855 813 3385 cradlepoint com 22 2015 Cradlepoint All Rights User Manual IBR600 IBR650 11 5 15 CLIENT LIST Displays information about Wirel en g Wireless Clients Our wireless Ired an Tae Clients and allows E you to Kick Munsee Clients az E N oiin 20 MHz 63 Mbps 2 4 0 02 18 block MAC addresses of both Wired Clients Wireless and Wired Clients ZEN CI NK A a Block M and Revoke Hotsp
4. identifies it M Add or Edit ss General Anonymous Mode Select to allow remote connections paan Z from any IP address ee Responder Mode When enabled the router will not Local identity initiate negotiation with peers pagel Authentication Mode Pre Shared Key Local Identity Specifies the identifier sent to the Pre Snared Key remote host during phase 1 negotiation If left blank it T Tes will default to the IP address of the WAN connection Ria lt Currently we only support identifiers in the form of an ANE IP address a user fully qualified domain name user mydomain com or just a fully qualified domain name www mydomain com If the remote side of the tunnel is configured to expect an identifier then both must match in order for the negotiation to succeed If NAT T is being used a single word instead of an address can be used if a DynDNS connection is not being used Remote Identity Specifies the identifier we expect to receive from the remote host during phase 1 negotiation If no identifier is defined then no verification of the remote peer s identification will be done Currently we only support identifiers in the form of an IP address a user fully qualified domain name user mydomain com or just a fully qualified domain name www mydomain com If left blank we will default to the IP address of the WAN connection If NAT T is being used a single word instead of an address can be used if a DynDNS connection is not b
5. identities Host Addresses PORTS A port identity member can be entered as a single Start port number or as a port range by entering both a Start and End port number To add a Port Identity click Add MAC ADDRESSES MAC addresses are entered in the form aa bb cc dd ee fF To add a MAC Address Identity click Add ZONE DEFINITION Identities A Zone is a group of network interfaces By default all interfaces within a zone Zone Firewall are allowed to initialize network communication with each other however any network traffic initialized outside of a zone to the interfaces within the zone will be denied To add a zone click Add fone Definition Filter Policies fone Forwarding Options Network Prefix Translation Remote Access Restriction Port Forward NAT cradlepotnt 015 Cradlepaint Al Rights Reserved 1 855 8133385 cradlepoint com GI User Manual IBR600 IBR650 FILTER POLICIES A Filter Policy is a one way filter applied to initialized network traffic flowing from one zone to another A Filter Policy needs to be assigned to a Forwarding for it to take effect Filter Policies can either be Added Edited or Removed Default Allow All is a preconfigured policy to allow all traffic initialized from one zone to flow to another zone The state of the connection is tracked to allow responses to traverse the zones back to the source LAN to WAN forwardings use this policy by default The policy c
6. 1 EVDO 24 dBm 1 typical conducted Antennas two SMA male plug finger tighten only maximum torque spec is 7 kefcm Industry Standards amp Certs PTCRB FCC WiFi Alliance IBR600 only AT amp T SIM one 2FF slot GPS standalone GPS support COR IBRGOOLPE SP COR IBR650LPE SP 4G LTE HSPA EVDO for Sprint Technology LTE HSPA EVDO RevA Downlink Rates LTE 50 Mbps HSPA 21 1 Mbps EVDO 3 1 Mbps theoretical Uplink Rates LTE 50 Mbps HSPA 5 76 Mbps EVDO 1 8 Mbps theoretical Frequency Bands LTE Band 2 1900 MHz Band 4 AWS 1700 2100 MHz Band 5 850 MHz Band 13 700 MHz Band 17 700 MHz Band 25 1900 MHz HSPA UMTS 850 900 1900 2100 MHz AWS GSM GPRS EDGE 850 900 1800 1900 MHz CDMA EVDO Rev A 1xRTT 800 1900 MHz Power LTE 23 dBm 1 HSPA 23 dBm 1 EVDO 24 dBm 1 typical conducted Antennas two SMA male plug finger tighten only maximum torque spec is 7 kefcm Industry Standards amp Certs FCC WiFi Alliance IBR600 only Sprint SIM one 2FF slot GPS standalone GPS support COR IBR600LPE GN COR IBR650LPE GN 4G LTE HSPA EVDO generic for use on T Mobile in the U S and Rogers Bell amp TELUS in Canada e Technology LTE HSPA EVDO Rev A Downlink Rates LTE 50 Mbps HSPA 21 1 Mbps EVDO 3 1 Mbps theoretical Uplink Rates LTE 50 Mbps HSPA 5 76 Mbps EVDO 1 8 Mbps theoretical Frequency Bands LTE Band 2 1900 MHz Band 4 AWS Band 5 850 MHz Band 13 700
7. NETWORK PREFIX TRANSLATION Network Prefix Translation is used in IPv6 networks to translate one IPv6 prefix to another IPv6 prefix translation is an experimental specification RFC 6296 trying to achieve address independence similar to NAT in IPv4 Unlike NAT however NPT is stateless and preserves the IPv6 principle that each device has a routable public address But it still breaks any protocol embedding IPv6 addresses e g IPsec and is generally not recommended for use by the IETF NPT can help to keep internal network ranges consistent across various IPv6 providers but it cannot be used effectively in all situations The primary purpose for Cradlepoint s NPT implementation is for failover failback and load balancing setups LAN clients can potentially retain the original IPv6 lease information and may experience a more seamless transition when WAN connectivity changes than if not utilizing NPT Mode None No translation is performed Load Balance Only Default Only translate networks when actively load balancing First Use the first IPv6 prefix found Static Always use a Static IPv6 translation input the prefix here Transitioning from short prefix to a longer prefix Such as from 48 to 64 is not without problems as some of the LANs may lose IPv6 connectivity REMOTE ACCESS RESTRICTION Add any IPv4 addresses that need access to remote administration to this list Clicking Add will allow the addition of IP addres
8. User Manual IBR600 IBR650 11 5 15 SNMPv3 If you select SNMPv3 you have several additional configuration options for added security Authentication type Select the authentication and encryption type that will be used when connecting to the router from the following dropdown list These settings must match the configuration used on any SNMP clients MD5 with no encryption SHA with no encryption MDS with DES encryption SHA with DES encryption MD5 with AES encryption SHA with AES encryption Username Enter the Username configured on your SNMP host in the username field Password Enter the Password for your SNMP host in the password and verify password fields This password must be at least eight characters long Enable SNMP traps Enabling traps will allow you to configure a destination server community and port for trap notifications Trap notifications are returned to the server with SNMPV1 Trap community string The trap notifications will be returned to the trap server using this SNMPv1 trap community name Address for trap server Enter the address of the host system that you want trap alerts sent to Trap server port Enter the port number that the remote host will be listening for trap alerts on Default 162 General Settings System information via SNMP is Read Writable by default However if a value is set here that field will become Read Only System Contact Input the email address of the system administrator
9. Ethemet Ports Hotspot Services DHCP Server Local IP Networks MAC Filter amp Logging this from the pre configured name Security Mode You have several options for selecting a security mode The mode you choose depends on the security features your wireless adapters support WPA2 Personal WPA WPA2 Personal WPA2 Enterprise WPA WPA2 Enterprise WEP Auto Open 11 5 15 IBR600 pb Public 5a6 Wireless Radio Enable Wireless Access Points SSIDs oO IM WiFi Name SSID Security Mode O Hidden WPA2 Personal AES Open No No Yes Yes tan vant esti No Yes Yes No Select Open to create a hotspot otherwise select the best security that your devices will support Cradlepoint recommends WPA2 Depending on which Security Mode you select there are different setup options Personal security modes require passwords Enterprise security modes are linked to a RADIUS server and require RADIUS authentication IP Port and Shared Key Secondary IP and NAS ID optional cradlepotnt User Manual IBR600 IBR650 11 5 15 WPA2 Personal or Enterprise forces AES as the WPA Cipher WPA WPA2 and WPA Personal or Enterprise allow AES TKIP AES and TKIP WEP Auto requires a WEP Key Open has no password or other security measures NOTE If you don t know whether you should choose Personal or Enterprise assume Personal since you need to know
10. MAC Address Port Password 127 0 0 1 00 00 00 00 00 00 1812 fo 127 0 0 1 00 00 00 00 00 00 1613 po A MAC Media Access Control address is a unique identifier for a computer or other device This page allows you to manage clients by MAC address You can filter clients by MAC addresses and or keep a log of devices connected to your router Filter Configuration The MAC Filter allows you to create a list of devices that have either exclusive access whitelist or no access blacklist to your local network cradlepotnt User Manual IBR600 IBR650 Enabled Click to allow MAC Filter options Whitelist Select either Whitelist or Blacklist from a dropdown menu In Whitelist mode the router will restrict LAN access to all computers except those contained in the MAC Filter List panel In Blacklist mode listed devices are completely blocked from local network access MAC Filter List Whitelist or Blacklist Add devices to either your whitelist or Blacklist simply by inputting each device s MAC address NOTE Use caution when using the MAC Filter to avoid accidentally blocking yourself from accessing the router MAC Logging Configuration Enable MAC Logging Enabling MAC Logging will cause the router to log MAC addresses that are connected to the router MAC addresses that you do not want to have logged addresses that you expect to be connected should b
11. certain types of modems G Editor General Settings IPv4 Settings IPv6 Settings Enabled M Interfaces Provide a unique name for this network Access Control Name IPv4 DHCP Hostname Multicast Proxy IPv6 Addressing Schedule VRRP STP Wired 802 1X User Manual IBR600 IBR650 11 5 15 IPv4 Settings IP Address This is the address used by the router for local area network communication Changes to this parameter may require a restart to computers on this network Netmask The netmask controls how many IP addresses can be used in this network The default value is usually acceptable for most situations IPv4 Routing Mode Each network can use a unique routing mode to connect to the Internet The default of NAT is desirable in most configurations NAT Network Address Translation hides private IP addresses behind the router s IP address Standard Without NAT exposes the subnet addresses which requires them to be externally routable IP Passthrough IP Passthrough passes the IP address given by the modem WAN through the router Hotspot VPN and GRE must be disabled Any Wireless interfaces must be removed from this network in order to enable IP Passthrough Hotspot Provide Hotspot Services on this Network requiring Terms of Service or RADIUS UAM authentication before WAN access will occur on both Wireless and Wired LAN connections IPv6 Settings IPv6 Address Source The Address source has three settings The defaul
12. 05 2015 12 19 16 Ethernet WAN GMT 0600 Mountain Daylight Tima Modems WWAN a Ethernet WAN Z gil Modems 2 A WWAN 2 Fthernet LAN wan 100 Megabit Ethernet Switch i gay hat o VE No WWAN Devices Detected k Wi Fi LAN rees ONS Servers r ort ateway 1 i i Up Time P Address 100 To quickly edit settings for any of these areas Er eno pe click on the pencil icon x in the top right of the Stats Up Time 0 01 Disconnected desired dialog box Ethernet LAN 2 WIEI LAN YOU may return to the Dashboard at any time by Primary LAN 192 168 0 1 255 255 255 0 ie ie wees a clicking on DASHBOARD from the left menu or by Route Mode clicking on the Cradlepoint logo at the top left of None the screen Admin Access DHCP Guest LAN 192 168 10 1 255 255 255 0 cradlepotnt 015 Cradlepaint All Rights Reserved 1 855 8133385 cradlepoint com amp User Manual IBR600 IBR650 11 5 15 CONNECTION MANAGER The router can establish an uplink via Ethernet WiFi as WAN or 3G 4G modems removable or external USB If the Drimary WAN connection fails the router will automatically attempt to bring up a new link on another device this feature is called failover If Load Balance is enabled multiple WAN devices may establish a link concurrently WAN INTERFACE PROFILES amp PRIORITY This is a list of the available interfaces used to access the Internet You can enable stop or start devices from this section Drag the priority i
13. 255 255 255 255 Enable Rate e 10 Secs Add Edit Tunnel Keep Alive tand 3 revies GRE Keep alive packets can be enabled Failover Tunne to be sent through the tunnel in order Failback Tunne to monitor the status of the tunnel and more accurately determine if the tunnel is alive or not GRE Keep alive packets may be sent from both sides of a tunnel or from just one side Enabled Select to enable GRE Keep Alive to continually send keep alive packets to the remote peer cradlepoint User Manual IBR600 IBR650 11 5 15 Rate Choose the length of time in seconds for each check Default 10 seconds Range 2 3600 seconds Retry Select the number of attempts before the GRE tunnel is considered down or up Default 3 Range 1 255 Failover Tunnel and Failback Tunnel Use these settings to create two tunnels one as the primary tunnel and one as the backup tunnel To configure tunnel failover failback complete the following steps 1 Create two tunnels one for primary and one for backup Make sure both tunnels have Keep Alive enabled 2 Choose one to be the primary tunnel Open the editor for this tunnel and make sure Tunnel Enabled is selected Then go to the Keep Alive page Under Failover Tunnel select the other tunnel you have created 3 Open the editor for the failover tunnel Make sure Tunnel Enabled is not selected On the Keep Alive page set the Failback Tunnel to your primary tunnel
14. IBR600 IBR650 11 5 15 NETWORK WEB FILTER RULES Domain URL filter rules allow you to control access from your network to any external domain o Edit or Add Network Rule 7x or website Rules euz assigned to a specific LAN Enter the Domain Name or URL address of the website you wish to control access for i e network and the highest priority rule will have www example com To make sure the full domain is blocked enter the most inclusive domain precedence when there is a conflict Addresses can i e example com will effectively block www example com as well as mail example com and images example com Alternatively you can use an IP address i e 8 8 8 8 or address range be added by URL Domain name or by IP address written in CIDR notation i e 8 8 8 0 24 IP address ranges can be filtered by using CIDR Addresses that have an Allow action assigned will have access allowed while Addresses with a notation 6 8 4 2 22124 Block action assigned will be blocked l When multiple rules conflict the rule with the highest priority is used Exceptions to existing rules can be created by Assigned Network adding another rule with higher priority For Domain URLIP T lt 2 www company com or example if access to maps example com is desired but example com is blocked with a priority of 50 The addition of an allow rule for maps example com with a priority of 49 or less will allow access Filter Action Block Rule Priority 50 Ena
15. Me s Enable WAN Zone Primary LAN Zone Default Deny All be Added Edited Removed or Toggled Toggling a Enable Primary LAN Zone WAN Zone Default Alow Al Forwarding will either enable or disable the Forwarding na num pendana any Enable Guest LAN Zone WAN Zone Default Allow All Forwardings Source and Destination zones are chosen from the list of Zone Definitions In addition two special zones can be selected for forwarding endpoints The All zone will match any traffic handled by the router and is used as an endpoint for IP Filter Rules migrated from previous firmware versions User editable zones are preferred when adding new forwardings The Router zone will match any traffic initialized from or directed to router services and can be used to filter router service traffic An example of traffic initialized by a router service would be the ECM Management service An example of traffic destined to a router service would be the SNMP service OPTIONS Firewall Options Anti Spoof Anti Spoof checks help protect against malicious users faking the source address in packets they transmit in order to either hide themselves or to impersonate someone else Once the user has spoofed their address they can launch a network attack without revealing the true source of the attack or attempt to gain access to network services that are restricted to certain addresses Log Web Access Enable this option to create a syslog record of w
16. NEMO Network Mobility NEMO is an Internet m standards track protocol defined in Network Mobility NEMO settings REL 5177 The protocol allows session Enable A continuity for every node in a mobile WAN Unique ID i network as the network moves nm With WAN z NOTE NEMO requires a feature license ram m ome IP Address not included with ECM Prime Go to Home Netm ask Bits SYSTEM gt Administration gt Feature Licenses to enable this feature Home Agent IP Address NEMO requires a service provider e g tadi aca Verizon Wireless Private Network Home Agent SPI with DMNR Dynamic Mobile Network Renew Registration 30 Routing Your NEMO service provider will define many of the settings for your NEMO configuration Once you have a NEMO service provider and a valid feature license add networks to the Networks Routed by NEMO section by first clicking Add In the popup window input MTU e Network Address This is the network address that is the destination of the route This should be set to the network address at the remote side of the tunnel e Netmask This is the corresponding subnet mask of the network being defined Default 255 255 255 0 The Network Address and Netmask or subnet mask together define a range of IP addresses that comprise the local network you want associated with the NEMO settings Network Mobility NEMO Settings Enbable Enable NEMO WAN Select the WAN s to use for the NE
17. NTP server poolnip org established and once a week thereafter the router will NTP server port 123 ask the server for the current time so it can correct itself Time zone UTG 7 Mountan Ariznna You then have the option of selecting an NTP server and adjusting the NTP server port Select the NTP server from the dropdown list Any of the given NTP servers Reset Daylight Savings Time will be sufficient unless for example you need to synchronize your router s time with other devices ina network Time Zone Select from a dropdown list Setting your Time Zone is required to properly show time in your router log Daylight Savings Time Select this checkbox if your location observes daylight saving time LOCAL MANAGEMENT Enable Internet Bounce Pages Bounce pages show up in your web browser when the router is not connected to the Internet They inform you that you are not connected and try to explain why If you disable bounce pages then you will just get the usual browser timeout In the normal case when the router is connected to the Internet you don t see them at all Reboot Count Track number of router reboots cradlepotnt User Manual IBR600 IBR650 Enable Login Banner Add the CLI banner to the router s login page Local Domain The local domain is used as the suffix for DNS entries of local hosts This is tied to the hostnames of DHCP clients as DHCP HOSTNAME LOCAL_DOMAIN System Identif
18. Name Authorization name specified by and to the remote system as the local system identity sometimes a username or hostname Leave blank to match any Secret Shared secret or password used to authenticate the associated Local and Remote names Overrides Override Authentication methods parameters With methods set to Allow the two ends of the tunnel can negotiate a common scheme Sometimes this negotiation fails or the implementation on one end is incompatible with the other To solve those authentication issues enable the overrides as needed Authentication Username for user specific authorization Leave blank to disable CHAP Choose from Allowed Refused or Required PAP Choose from Allowed Refused or Required Name Override names used to authenticate the router Leave empty to use the default Add Edit Tunnel Routes Typically specific routes are unnecessary but they can be added in this section if needed You can add or remove routes to be used to funnel packets through the tunnel Network Address This is the network address that is the destination of the route This should be set to the network address at the remote side of the tunnel Netmask This is the corresponding subnet mask of the network being defined STATIC ROUTES gt Local Networks Add a new static route to the IP routing table or edit remove an existing route VLAN Interfaces Static routes are used in networks with more than one
19. Password RIPv2 allows packets to be authenticated via either an insecure plain text password included with the packet or a more secure MD5 based HMAC Keyed Hashing for Message AuthentiCation RIPv1 cannot be Networks authenticated at all so when authentication is configured RIP will discard routing updates received via RIPv1 packets Plain text password Select to use a plain text password instead of an MD5 HMAC WARNING A plain text password is insecure Enabled Click to enable disable the policy Default enabled Networks Set the RIP enabled interfaces by network RIP is enabled on the interfaces that have addresses within the network range Neighbors When a neighbor doesn t understand multicast this command is used to specify neighbors In some cases not all routers will be able to understand multicasting where packets are sent to a network or a group of addresses In a situation where a neighbor cannot process multicast packets it is necessary to establish a direct link between routers The neighbor command allows the network administrator to specify a router asa RIP neighbor The no neighbor a b c d command will disable the RIP neighbor Assign a neighbor by inputting an IP address Redistribute Routes Redistribute routes of the specified protocol or kind into RIP with the metric type and metric set if specified filtering the routes using the given route map if specified Redistributed routes may als
20. RADIUS authentication for Enterprise In order to protect your network from hackers and unauthorized users Cradlepoint highly recommends WPA2 AES for security if your attached devices can support it WEP and WPA TKIP are obsolete and have been replaced by WPA AES Using those security settings will cause the WiFi to limit to 802 118 modes NOTE If you select one of the security modes and are unable to connect to the router afterwards you can use the reset buttons to reset the router to its factory default state and try a different security mode instead Hidden This shows whether the router broadcasts its SSID It is somewhat harder for hackers to find and attack a router that is not broadcasting its SSID which adds to the wireless security but it is also more difficult for friendly users to attach to a WiFi network with a hidden SSID Isolate Select this to isolate all wireless clients so they cannot directly communicate with each other on the wireless network WMM WiFi Multimedia This is a basic traffic shaping or QoS quality of service system for the network WMM works behind the scenes to set priorities for different types of traffic on your network For example video streams are given higher priority than print jobs since video streams need consistent throughput Enabled Whether the network is available EN h WiFi Settings When you select WiFi Radio 1 2 4GHz from Local g Networks you have several additional options
21. Range 5 3600 seconds Scan Interval 2 60 Scan While Connected Continue to scan for Scan While Connected C WiFi as WAN profile updates when connected User Manual IBR600 IBR650 11 5 15 Each time a scan occurs the wireless communication of the router will be temporarily interrupted Normally this should be disabled WAN AFFINI WAN Affinity rules allow you to manage traffic in your network so that particular bandwidth uses Affinity Rules are associated with particular WAN sources This Add P allows you to prioritize bandwidth EXAMPLE You could specify that your guest LAN is only associated with your Ethernet connection with no failover Then if your Ethernet connection goes down and the embedded modem connects for failover for your primary LAN your guest LAN will not take bandwidth from your primary LAN saving you money Click Add to open the WAN Affinity Policy Editor and create a new WAN Affinity rule Name Give a name for your rule that is test any any true ethernet wan meaningful to you Q Edit or Add Affinity Rule vo DSCP DiffServ Differentiated Services Code ma Ban Point is the successor to TOS Type of Service HZ Use this field to select traffic based on the DSCP m re header in each IP packet This field is sometimes set by latency sensitive equipment such as VoIP phones If you Know specific DSCP values you can input one here DSCP Negate When checked this rul
22. Serial will start a Telnet server that Tenet to Serial Configuration passes its connection to the serial adapter Enabling this service Enabled is not necessary when accessing serial through SSH LAN LAN Enable serial redirector for LAN connections aiii Authenticated LAN Enable serial redirector for Authenticated LAN connections You must be logged into the router to use the redirector WAN Enable serial redirector for WAN connections Server Port Enter a port number for the redirector to use Default 7218 WAN Server Port 7218 Input Pin e Default Ignored In this mode the input pin is not nem used Input Pin lenition Sensing In this mode the router will turn Current Value IGNORED off after the input has been held low for the timeout period in seconds The router will then reboot when the input is returned to high If the input is held low Timeout 300 for less than the timeout period before returning to high no action is taken Input Sensing In this mode the logic state high or low is automatically sensed by the router and is readable as the Current Value Router Reset In this mode an external device can reset the router by holding the input low for 10 seconds Input Mode Default lgnored Output Pin Default Low In this mode the output pin is not used and is at OV ground potential Output Pin Set High Router Running In these modes the output Current Value LOW pin is logic low
23. System Name Input the router s hostname System Location Input the physical location of the router This is simply a string for your own information SYSTEM SOFTWARE Administration This allows the administrator to load new firmware onto the router to add new features or fix defects If you are happy with the operation of the router you may not want to upgrade just because a new version is available Check the firmware release notes cradlepoint com firmware Senal Redirector for information to decide if you should upgrade SNMP Configuration Current Firmware Version Ses Saye Shows the number of the Current firmware and the date it was updated Available Firmware Version eee Device Options If there is a new firmware version available this will list the version number Click Check Again to have the router check for the newest firmware Automatic Firmware Check Automatically check for new firmware updates once daily Enterprise Cloud Manager Device Alerts Firmware Upgrade Current Firmware Version v6 0 0 Mon Aug 24 15 15 08 MDT 2015 System Firmware Available Firmware Version Managed by ECM RRNA Modem Firmware cradlepoint 015 shts Reserved 1 855 813 338 on User Manual IBR600 IBR650 Manual Firmware Upload Upload the router firmware from an attached computer Go to cradlepoint com firmware to download the firmware System Config Save Restore Download Settings Click on Do
24. VPN virtual private network tunnels are used to establish a secure connection to a remote network over a public network For example VPN tunnels can be used across the Internet by an individual to connect to an office network while traveling or by two office networks to function as one network The two networks set up a secure connection across the normally unsecure Internet by assigning VPN encryption protocols cradlepotnt User Manual IBR600 IBR650 11 5 15 Cradlepoint VPN tunnels use IPsec IPSec VPN T Internet Protocol security to ma puas authenticate and encrypt packets add f Q exchanged across the tunnels To set up a VPN tunnel with a Cradlepoint router on one end there must be another device usually a router that also Supports IPsec on the other end IKE Internet Key Exchange is the security protocol in IPsec IKE has two phases phase 1 and phase 2 The router has several different security protocol options for each phase but the default selections will be sufficient for most users The VPN tunnel status page allows you to view the state of the VPN tunnels If a tunnel fails to connect to the remote site check the System Logs for more information You may double click on a cell to directly edit that information Click Add to configure a new VPN tunnel click Edit to make changes to an existing tunnel Add Edit Tunnel General Tunnel Name Give the tunnel a name that uniquely
25. can enter your ECM username and password to register the router ECM REGISTRATION Enterprise Cloud Manager Registration Register this router with the Gradiepoint Enterprise Gloud Manager EGM Service ECM Usemame EGM Password User Manual IBR600 IBR650 11 5 15 FIRST TIME SETUP Administrator Password and Time Zone Enter a password for the administrator who will have full access to the router s management interface Setting Your Administrator Password and Time Zone To secure your router please set and verify the administrator password below Your default password is printed on the product sticker found on the back of your product The administrator password allows you to modify all router settings You can use the default password on the back of your product or you can create a custom Administrator Password This is separate from the WiFi security password if applicable Administrator Password If you plan to use your router in a PCI OSS compliant environment do not use this setting Use the Administration gt Router Security Configuring Your Wireless Network Wireless Network Name When you are browsing for e ra VNA ee ee Oe A En available wireless networks this is the name that iene gad hated will be broadcast from this router This name is also referred to as the SSID For security purposes it is highly recommended you change the pre configured wireless network name Enable Guest Net
26. container format is more secure than the PEM container format because it is protected by an encryption Key To import choose a certificate file in PKCS 12 format from your computer or local device and upload it to the router Give the certificate a name that is meaningful to you PKCS 12 files are protected by a passphrase you must Know this key to import the file cradlepotnt User Manual IBR600 IBR650 11 5 15 To export select a local certificate from the dropdown list Import PKCS12 Format Certificates and download it to your computer or local device in PKCS RES 12 format When you export this file you must create a Kas prm passphrase to protect it This key is reguired for future use of Ni the file ome NZ import Upload Certificate Export PKCS12 Format Certificates Certificate Name None Passphrase wnload Certificate cradlepotnt 2015 Cradlepoint All Rights Reserved 1 855 813 3385 cradlepoint com 72 User Manual IBR600 IBR650 SYSTEM Administration Enterprise Cloud Manager Device Alerts Seral Redirector GPIO Connector SNMP Configuration system Control Diagnostics Setup Wizards iti ROUTER SECURITY Administration When the router is Router Security configured to use the advanced security mode several aspects of the routers configuration and System Clock networking functionality Local Management will be extended to support Remote Admin Feature Lic
27. defined URL Redirect URL If you have chosen to send users to an administrator defined URL you will need to specify the address Session Timeout Default 60 minutes The amount of time the user may use the router before being forced to authenticate again Idle Timeout Default 15 minutes If the user is idle for this amount of time make them re authenticate Bandwidth upload Default 512 Kbits sec The data rate limit for users uploading data through the hotspot Bandwidth download Default 1024 Kbits sec The data rate limit for users downloading data through the hotspot Allowed Hosts Domains Prior to Authentication Adding hostnames to this list will allow access from your network to any external domain or website prior to being authenticated For example a hotel might allow access to its own website prior to authentication Click Add to enter new hostnames you wish to allow Enter the hostname or domain name of the website you wish to allow e g www company com or company com To 11 5 15 Simple Mode Settings Display Intemal Terms of Use Terms of Use Text Redirection On Successful Authentication To the URL the user intended to visit Session Timeout idle Timeout Bandwidth upload e Bandwidth download e 60 Mins 0 Disabled 15 Mins 0 Disabled 512 Kbits sec 0 No Limit 1024 Kbits sec 0 No Limit Sos Allowed Hosts Domains Prior to Aut
28. field could then also be 80 or you could choose another port number that will be used BA Nasa across the Internet to access your E Canel Gancel Web server If you choose a number other than 80 for the Internet Port connections to that number will be mapped to 80 and therefore the Web server within your network Protocol Select from the following options in the dropdown menu TCP UDP TCP amp UDP Click Save to save your completed port forwarding rule Local Computer Local Port s gt Port Proxying Rules A port proxying rule allows traffic from the local LAN to be redirected to a specific computer IP address on the Internet Click Add to create a new port proxying rule or select an existing rule and click Edit Add Edit Port Proxying Rule Name Name your rule Enabled Toggle whether your rule is o Edit eo enabled Selected by default Use Port Range Check this box to create a rule which proxies a contiguous range of ports instead of a single port The remote port s will require the same number of contiguous ports Protocol TGP amp UDP Local Port s Specify the IP port s on the LAN to proxy to a remote computer Remote Computer Specify the remote computer to receive proxied traffic Remote Port s Specify the IP port first if a range on the remote computer to receive proxy traffic Protocol Select the IP protocol traffic to proxy from the following options in the dropdown
29. for Channel Selection Method Smart Selection configuring your wireless LANs under the WiFi Settings Channel Selection Schedule Once heading Client Timeout 300 Channel Selection Method This controls how a WiFi TX Power 100 channel is selected RTS Threshold s 2347 bytes User Selection Manually set the channel Fragmentation Threshold 2346 bytes Random Selection The router randomly sets the DTIM s 1 channel Smart Selection Default Scans to determine the lowest interference WiFi channel Beacon lt 100 ms Short Slot i j u 11 Wireless Mode 802 11 b g n Channel Selection Schedule When using the Smart channel selection this controls whether the router will periodically rescan for a better channel and change to it Select from Once Daily Weekly or Monthly Note that there may be a momentary WiFi Extended Channel Above disconnection while the channel changes MCS Auto Protection Auto Airtime Faimess Channel Width 20 MHz Short GI Channel Shows if User Selection is selected The WiFi channel corresponds to a frequency the router uses RADIUS Timeout 3600 to communicate with other devices For 2 4 GHz the RADIUS Retry 60 range is 1 to 11 and 1 6 and 11 do not overlap each other Select a channel from the dropdown list Reset 1 2412 MHz 2 2417 MHz 3 2422 MHz cradlepotnt User Manual IBR600 IBR650 11 5 15 4 2
30. grouped together even if they are not physically attached to the same network switch To enable a VLAN select a VID virtual LAN ID and a group of Ethernet ports through which users can access the VLAN Then go back up to the Local Network Editor to attach your new VLAN toa network To use a VLAN the VID must be shared with another router or similar device so that multiple physical networks have access to the one virtual network Click Add to create a new VLAN interface To edit an interface select the check box next to the desired interface D TUNNELS CP SECURE VPN Local Networks VLAN Interfaces Tunnels GP Secure VPN IPSec VPN OpenVPN GRE NEMO L2TP visit cradlepoint com IPSEC VPN 11 5 15 VLAN Interfaces Oaa 7 o wan 1 WAN lan 2 LAN Ports OU 1U 2U 3U 4U 5U 6U 7U 8U 9U 10U 11U 12U G Edit wan VID 1 Name UID wan Mode WAN Configured Ports Add f x Ethernet WAN Untagged Configured deployed and managed from the cloud CP Secure VPN delivers a virtual private data network that minimizes both cost and complexity Unlike traditional bulky head end concentrator hardware solutions CP Secure VPN allows IT managers to secure their expanding Edge Networks using architectures that scale quickly and are easy to maintain For more information visit cradlepoint com NOTE CP Secure VPN requires an ECM Prime subscription For more information
31. identities or enter individual criteria for the appropriate Host Port G Rule Editor vo Fe Nave zne aes TTT war Oow Dey O Nore Log _ Poliey level logging overrides this setting IP Version IPv4 IPV6 _ IPv4 IPv6 Source Destination Protocols Application Sets Host Pot MAC C CT S Ce Si None assigned None assigned Port identities are ignored unless UDP 6 and or TGP 17 are selected in Protocols tab None assigned e and MAC address columns to match the source of the traffic Host Enter an IP address or select a host identity Port Enter a port port range or select a port identity MAC Enter a MAC address or select a MAC address identity Destination Select defined identities or enter individual criteria for the appropriate Host Port and MAC address columns to match the destination of the traffic See Source for the column definitions Protocols Select protocols such as TCP UDP GRE etc from the defined list or enter a numeric code for other protocols to match traffic of that protocol Application Sets Select the defined application set or sets to match traffic related to those sets cradlepotnt User Manual IBR600 IBR650 11 5 15 ZONE FORWARDING Forwardings define how Filter Policies affect traffic flowing between zones in one direction Simply configure the Source Zone Destination Zone and feel ME Q Filter Policy to define a Forwarding Forwardings can
32. including licensing terms and your rights to access source code contact Cradlepoint at cradlepoint com opensource Cradlepoint Inc warrants this product against defects in materials and workmanship to the original purchaser for a period of three 3 years from the date of shipment This warranty is limited to a repair or replacement of the product at Cradlepoint s discretion as purchaser s sole and exclusive remedy Cradlepoint does not warrant that the operation of the device will meet your requirements or be error free The information contained in this Safety Regulatory and Warranty Guide is subject to change without notice and does not represent any commitment on the part of Cradlepoint or its affiliates CRADLEPOINT AND ITS AFFILIATES HEREBY SPECIFICALLY DISCLAIM LIABILITY FOR ANY AND ALL A DIRECT INDIRECT SPECIAL GENERAL INCIDENTAL CONSEQUENTIAL PUNITIVE OR EXEMPLARY DAMAGES INCLUDING WITHOUT LIMITATION FOR LOSS OF PROFITS OR REVENUE OR OF ANTICIPATED PROFITS OR REVENUE ARISING OUT OF THE USE OR INABILITY TO USE THE DEVICE EVEN IF CRADLEPOINT AND OR ITS AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES AND EVEN IF SUCH DAMAGES ARE FORESEEABLE OR B CLAIMS BY ANY THIRD PARTY NOTWITHSTANDING THE FOREGOING IN NO EVENT SHALL THE AGGREGATE LIABILITY OF CRADLEPOINT AND OR ITS AFFILIATES ARISING UNDER OR IN CONNECTION WITH THE DEVICE REGARDLESS OF THE NUMBER OF EVENTS OCCURRENCES OR CLAIMS GIVING RISE TO LIABILITY
33. is made as needed When On reed Enable On Demand Mode KZ Demand is not selected a connection to the Internet WAN Verify start Connected is always maintained Fallback Maximum Idle Time s 5 minutes Data Usage WAN VERIFY If this is enabled the router will check that the highest priority active WAN interface can get to the a WAN Management oe On Demand Internet even if the WAN connection is not actively being used If the interface goes down the router will switch to the next highest priority interface available If this is not selected the router will still failover to the next highest priority interface but only after the user has attempted to get out to the Internet and failed Pv4 Failure Check Idle Check Interval 30 seconds Failback Data Usage Monitor while connected Off IPv6 Failure Check Idle Check Interval m 30 seconds Monitor while connected Off Idle Check Interval The amount of time between each check Default 30 seconds Range 10 3600 seconds Monitor while connected Default Off Select from the following dropdown options e Passive DNS modem only The router will take no action until data is detected that is destined for the WAN When this data is detected the data will be sent and the router will check for received data for two seconds If no data is received the router behaves as described below under Active DNS e Active DNS modem only A DNS
34. new GRE tunnel click Edit to make changes to an existing tunnel Add Edit Tunnel General Tunnel Name Give the tunnel a name that Uniquely identifies it O Add Edit Tunnel 96 Tunnel Key Enables an ID key for a GRE z tunnel which can be used as an identifier aln m for mGRE Multipoint GRE baina Local Network This is the local side of Local Enapolnt 0 0 0 0 the Glue Network a network created Remote Endpoint 0 0 0 0 by the administrator to form the tunnel Subnet Mask 255 255 255 252 The user creates the IP address entered Remote Gateway 0 0 0 0 here It must be different from the IP rne 64 addresses of the networks it is gluing together Choose any private IP address from the following three ranges that doesn t match either network 10 0 0 0 10 255 255 255 Fae 172 16 0 0 172 31 255 255 nm 192 168 0 0 192 168 255 255 Remote Network This is the remote side of the Glue Network Again the user must create an IP address that is distinct from the IP addresses of the networks that are being glued together The Remote Network and Local Network values will be flipped when input for the other side of the tunnel configuration MTU WAN Binding Unique ID is invert Binding DHGP Enable nos Subnet Mask This is the subnet mask for the Glue Network The Local and Remote Network addresses must fit with this mask 255 255 255 0 is a logical choice
35. of the upload and download configuration values and the observed capabilities of the device Data Usage This mode works in concert with the Data Usage feature The router will make a best effort to keep data usage between interfaces at a similar percentage of the assigned data cap in the data usage rule for each interface rather than distributing sessions based solely on bandwidth For proper functioning you need to create data usage rules for each WAN device you will be load balancine Make certain to select the Use with Load Balancing checkbox in the data usage rule editor Client Data Usage displays upload and download traffic for each LAN client Click Enable Client Data Usage Monitoring Service to begin tracking this information This data is not retained between router reboots cradlepotnt Client Data Usage Enable Client Data Usage Monitoring Service 1 Go to Status gt Internet gt Client Data Usage to view monitored data usage 11 5 15 User Manual IBR600 IBR650 For each client this shows Name IP address MAC address amount of data uploaded MB amount of data downloaded MB and when traffic was last sent or received for that client Last Traffic The names that are shown are received during a DHCP exchange If a client disconnects and reconnects with a new IP address there will be an additional entry in this list Pressing Reset Statistics will restart all counters at 0
36. option if instructed by a Cradlepoint support agent This will write a very verbose log file to the root level of an attached USB stick Please disable the feature before removing the USB stick or you may lose some logging data Verbose modem logging Only enable this option if instructed by a Cradlepoint support agent Create support log This functionality allows for a quick collection of system logging Create this log file when instructed by a Cradlepoint support agent ROUTER SERVICES By default router services Enterprise Cloud Manager NTP etc connect to the router via the WAN In some setups it makes sense to use the LAN instead For example if your router is used strictly for 3G 4G failover behind another router you may not want to use 3G 4G data unnecessarily Select Use LAN Gateway to set your router services to connect via the LAN LAN Gateway Address Input the IP address of the LAN side connection If this is a 3G 4G failover router operating behind another router the LAN Gateway Address is the IP address of that other router cradlepotnt Router Services Use LAN Gateway User Manual IBR600 IBR650 11 5 15 DNS Server and Secondary DNS Server The primary and secondary DNS server numbers match the static DNS values set at NETWORKING gt DNS Servers You can leave the default values or set them manually here Changing these values also changes the static DNS values Cradlepoint E
37. or select an existing network and click Edit to view configuration options General Settings Enabled The network can be manually disabled or in some specific situations may be automatically disabled to work with certain types of modems Name The name property primarily helps to identify this network during other administration tasks Hostname The hostname is the DNS name associated with the router s local area network IP address cradlepotnt Local IP Networks O ad 7 O Primary LAN Multicast Proxy DHGP Server DHGP Relay Schedule VRRP Failover State 192 168 0 1 255 255 255 0 Enabled Disabled Enabled Disabled Disabled Disabled IPv4 Routing Mode nat IPv6 Addressing Mode delegated Access Gontrol Enabled O Guest LAN Multicast Proxy DHGP Server DHGP Relay Schedule Disabled VRRP Failover State Disabled IPv4 Routing Mode nat IPv6 Addressing Mode delegated Access Control Disabled Attached Interfaces e Virtual LAN 802 19 WiFi Access Point e WiFi Access Point VLAN 2 lan Port s 1 2 3 4 5 6 7 8 9 10 11 12 WiFi 2 4 GHz AER3100 15d WiFi 5 GHz AER3100 15d 5g 192 168 10 1 255 255 255 0 Enabled Disabled Enabled Disabled Attached Interfaces WiFi Access Point WiFi Access Point WiFi 2 4 GHz Public 15d WiFi 5 GHz Public 15d 5g ve The network can be manually disabled or in some specific situations may be automatically disabled to work with
38. while the router is booting and transitions to logic high when the router is fully running If the router is reset the output returns to low until the router has fully rebooted Modem Connected In this mode the output pin is logic low until the modem has connected to the tower If the connection drops this output is set low until the connection is restored Output Mode Default Low cradlepotnt G User Manual IBR600 IBR650 11 5 15 SNMP or Simple Network Management Protocol is an Internet standard protocol for remote management You might use this instead of Enterprise Cloud Manager if you want to remotely manage a set of routers that include both Cradlepoint and non Cradlepoint products SNMP Configuration Enable SNMP Selecting Enable SNMP will reveal the SNMP Configuration router s SNMP configuration Enable SNMP options Network Settings Network Settings Enable SNMP on LAN C Enable SNMP on LAN Enabling SNMP on LAN will pens Wel make SNMP services available Enable SNMP on WAN on the LAN networks provided WAN port 161 by this router SNMP will not be available on guest or SNMP Version SNMPv1 virtual networks that do not have administrative access SNMP v1 amp v2c Settings LAN port Use the LAN Pe EEA port field to configure the OE LAN port number you wish Set community string to access SNMP services on Default 161 General Settings Enable SNMP on WAN N
39. wirelessly may be delayed corrupted i e contain errors or totally lost The IBR1100 device is not intended for and Cradlepoint recommends the device not be used in any critical applications where failure to transmit or receive data could result in property damage or loss or personal injury of any kind including death to the user or to any other party Cradlepoint expressly disclaims liability for damages of any Kind resulting from a delays errors or losses of any data transmitted or received using the device or b any failure of the device to transmit or receive such data cradlepotnt B55 User Manual IBR600 IBR650 11 5 15 For proper and safe vehicle installations the GPIO accessory cable must be connected to a fused circuit in the vehicle This fused circuit requires a 2A fuse If the supply connection is made directly to the battery the fuse should be installed in the positive lead For North America a UL Listed fuse is to be used WARNING This product is only to be installed by qualified personnel Purchaser agrees to indemnify Cradlepoint against any liability or damages caused to third parties as a result of Purchaser s misuse or misapplication of the Cradlepoint product This product contains software distributed under one or more of the following open source licenses GNU General Public License Version 2 BSD License Net SNMP License and PSF License Agreement for Python 3 3 For more information on this software
40. 1 5 15 LEDS y POWER The Cradlepoint IBR600 IBR650 must be powered using an approved 12V DC power source Blue Powered ON No Light Not receiving power Check the power switch and the power source connection Flashing Amber Attention Open the administration pages and check the router status WiFi BROADCAST Indicates WiFi activity Green WiFi is on and operating normally Flashing Amber Attention Open the administration pages and check the router status Y INTEGRATED MODEM Indicates information about the integrated modem Green Connected to integrated modem Yul SIGNAL STRENGTH Blue LED bars indicate the active modem s signal strength 4 Solid Bars Strongest signal 1 Blinking Bar Weakest signal A blinking bar indicates half of a bar ADDITIONAL LED INDICATIONS Several different LEDs flash when the factory reset button is detected Two of the modem LEDs blink red in unison for 10 seconds when there is an error during firmware upgrade cradlepotnt User Manual IBR600 IBR650 11 5 15 QUICK START BASIC SETUP 1 Insert an activated SIM A wireless broadband data plan must be added to your Cradlepoint IBR600 IBR650 Wireless broadband data plans are available from wireless carriers such as Verizon AT amp T Sprint EE and Vodafone The SIM must be provisioned with the carrier Contact your carrier for details about selecting a data plan and about the process for provisioning your SIM Inse
41. 11 n ac 802 11 b g n e 802 11 ac 802 11 n e 802 11 n e 802118 802 11 b Protection In Auto mode the device will use protection to improve performance in mixed mode networks Turn protection off to maximize throughput with 802 11n clients Airtime Fairness Airtime Fairness will attempt to balance air time between faster and slower wireless clients to more fairly distribute bandwidth Channel Width Selects whether the router uses a single 20 MHz channel to send receive or uses two adjacent 20 MHz channels to create a 40 MHz channel Higher performance is possible with the 40 MHz channel Selecting Auto is generally best Enabling WiFi as WAN will force 20 MHz only mode Extended Channel When operating in 40 MHz mode the access point will use an extended channel either below or above the current channel Optimal selection will depend on the channels of other networks in the area MCS 802 11n uses multiple Modulation Coding Schemes to enable higher throughput in various environments Since clients can dynamically change rates depending on environment selecting Auto is generally best Short Gl Short Gl is an optimization for shortening the interval between transmissions May be incompatible with older clients RADIUS Timeout Default 3600 seconds When using an Enterprise security mode clients will be forced to re authenticate with the RADIUS server at this interval in seconds This allows administrators to revoke access so when an atta
42. 22 mm CERTIFICATIONS FCC WiFi Alliance Shock Vibration MIL STD 810G and SAEJ1455 Carrier certifications see individual SKUs for additional certifications IBR600 only ACCESSORIES Universal 3G 4G LTE antenna w SMA connector 2dBi 3dBi Part 170649 000 Directional Patch antenna for external outside mounting Part H 170587 000 Directional Yagi Log Periodic antenna for external outside mounting Part 170588 000 Omni directional antenna for external outside mounting Part 170586 000 12 Mag mount antenna Part 170605 000 4 Mini mag mount antenna Part 170606 000 COR 2 meter power amp GPIO cable direct wire Part 170585 000 COR 2 meter power amp GPIO cable direct wire with filter required for E mark compliant vehicle installations Part 170635 100 COR vehicle power adapter Part 4 170635 000 COR wall power adapter Part 4 170584 000 COR international wall power adapter Part 170446 002 COR mounting bracket Part 170593 000 See the Cradlepoint antenna accessories page for more information about antennas Also see the Antenna Ordering and Installation Guide available as a PDF in the Resources section of antenna and router product pages BUSINESS GRADE MODEM SPECIFICATIONS COR IBR600 and COR IBR650 models include an integrated 4G LTE or HSPA or LTE HSPA EVDO modem specific model names include a specific modem e e the COR IBR650LPE VZ includes a Verizon LTE modem CO
43. 427 MHz 5 2432 MHz 6 2437 MHz 7 2442 MHz 8 2447 MHz 9 2452 MHz 10 2457 MHz 11 2462 MHz For 5 0 GHz the ranges are 36 to b4 and 149 to 165 36 5180 MHz 40 5200 MHz 44 5220 MHz 48 5240 MHz 149 5745 MHz 153 5765 MHz 157 5785 MHz 161 5805 MHz 165 5825 MHz Channels listed above represent US FCC settings EU users will see different settings Client Timeout If the access point is not able to communicate with the client it will disconnect it after this timeout in seconds TX Power Normally the wireless transmitter operates at 100 power In some circumstances however there might be a need to isolate specific frequencies to a smaller area By reducing the power of the radio you can prevent transmissions from reaching beyond your corporate home office or designated wireless area RTS Threshold When an excessive number of wireless packet collisions are occurring wireless performance can be improved by using the RTS CTS Request to Send Clear to Send handshake protocol The wireless transmitter will begin to send RTS frames and wait for CTS when data frame size in bytes is greater than the RTS Threshold This setting should remain at its default value Fragmentation Threshold Wireless frames can be divided into smaller units fragments to improve performance in the presence of RF interference and at the limits of RF coverage Fragmentation will occur when frame size in bytes is greater than t
44. 600 seconds 20 seconds will be sufficient in almost all cases Tunnel Connect Retry Number of seconds between connection attempts Default 30 seconds Range 10 255 seconds 30 seconds will be sufficient in almost all cases cradlepoint 02 User Manual IBR600 IBR650 11 5 15 OPEN VPN OpenVPN is an open source software application that implements virtual private network VPN techniques for creating secure point to point or site to site connections in routed or bridged configurations and remote access facilities NOTE OpenVPN requires a feature license not included with ECM Prime Go to SYSTEM gt Administration gt Feature Licenses to enable this feature Once you have a valid feature license click Add to create a new OpenVPN tunnel Click Edit to make changes to an existing tunnel Add Edit Tunnel General e Tunnel Name Enter a name to uniquely identify this tunnel Q Add or Edit oo e Tunnel Mode Select which mode this tunnel nael 4 endpoint is reguired to be Choose from the a Following unnel Mode Site To Site l Device Type Routed Client ocal Endpoint 0 0 0 0 Server Ocal Netmask 255 255 255 0 e Device Type Select between Routed TUN or Bridged TAP virtual device letmask 255 255 255 0 Routed creates an interface that can a be used in the Zone Firewall and is fully routable Bridged creates a network interface that can be assigned to a LAN under the Local nd L Networks configur
45. 9 4 dB RSRP 80 dB RSRO 12 dB Profile 1 vzwims Profile 2 vzwadmin Profile 3 VZWINTERNET Profile 4 vzwapp Profile 5 vzw800 Profile 6 vzwadmin Profile 9 vzwims Profile 10 vzwadmin Profile 11 VZWINTERNET Profile 12 vzwapp Profile 13 Cell ID 2965526 0x2d4016 Operating Mode Online System Mode LTE IMS Registration State In Progress PS State Attached PRL Version 15414 RF Band Band 4 Bandwidth 10 MHz RX Channel 2000 TX Channel 20000 LTE Tx Power 3 0 dBm RX Frequency Band 2110 2155 MHz TX Frequency Band 1710 1755 MHz EMM State Registered EMM Sub State Normal Service EMM Connection State RRC Connected Network Address Identifier NAI MOO Profile 0 Enabled Home Address 0 0 0 0 Primary Home Agent 255 255 255 255 Secondary Home Agent 255 255 255 255 MN AAA SPI 2 MN HA SPI 300 MN AAA SS Set MN HA SS Set Reverse Tunneling 1 EVDO AAA Auth Status Not Requested Home PLMN ID 311480 Tracking Area Code 2817 cradlepotnt Unique Identifier Port Type Model 6ddc 068b int1 mdm Internal LPE SIM1 IP Address Netmask Gateway DNS Servers 100 67 93 1 255 255 255 252 100 67 93 2 198 224 164 135 198 224 160 135 Outgoing Bytes Incoming Bytes Connection Uptime 288098 0 08 00 2015 Cradlepoint All Rights Reserved 1 855 813 3385 cradlepoint com 11 5 15 User Manual IBR600 IBR650 11 5 15 CLIENT DATA USAGE Displays the following client infor
46. EXCEED THE PRICE PAID BY THE ORIGINAL PURCHASER OF THE DEVICE Cradlepoint collects general data pertaining to the use of Cradlepoint products via the Internet including by way of example IP address device ID operating system browser type and version number etc To review Cradlepoint s privacy policy please visit cradlepoint com privacy By activating or using your IBR600 or IBR650 device you agree to be bound by Cradlepoint s Terms of Use User License and other applicable Legal Policies 2015 Cradlepoint Inc All rights reserved Cradlepoint is not responsible for omissions or errors in typography or photography Cradlepoint IBR600 IBR650 and the Cradlepoint logo are trademarks of Cradlepoint Inc in the US and other countries Other trademarks are property of their respective owners ROUTER COMMUNICATION DATA USAGE The factory default configuration of the router is set to communicate with Cradlepoint and other resources at regular intervals to access the latest firmware and modem updates clock synchronization NTP and Enterprise Cloud Manager ECM membership Such communication may result in data usage and applicable charges regardless of whether the router uses a wired or wireless Internet connection To avoid such data usage and potential charges consult the following Knowledge Base article http knowledgebase cradlepoint com articles support router communication data usage cradlepoint B55 89
47. If more than one IBR600 wireless router is visible you can find the NE poe o area x EPS o conditions 1 This device may not cause harmful interference and 2 This device must correct unit by checking for its SSID service set identifier the unigue IN oe A A Aas EI a aap name of the local network The default SSID of the primary network has FS ca UU ustiste X the form IBR600 xxx where xxx is the last 3 digits of the router s MAC rar ee Via 1285 405 PISS Model IBR600LPE address Made in Taiwan 12V 1 5A H W 1 3 www cradlepoint com NOTE The product label above is an example only your DEFAULT PASSWORD and SSID will be unique cradlepotnt B55 User Manual IBR600 IBR650 11 5 15 ACCESSING THE ADMINISTRATION PAGES Once you are connected open the Cradlepoint IBR600 s GUI based administration pages to make configuration changes to your router 1 Open a browser window and type cp or 192 168 0 1 in the address bar Press ENTER RETURN 2 When prompted for your password type the eight character DEFAULT PASSWORD found on the product label It s possible and more efficient to do all your configuration changes through Cradlepoint Enterprise Cloud Manager ECM without logging into the local administration pages Set up a group of routers and set the configuration for all of them at once See below for more information about ECM FIRST TIME SETUP WIZARD When you log in for the first time you will be a
48. MHz Band 17 700 MHz Band 25 1900 MHz HSPA UMTS 850 900 1900 2100 MHz AWS GSM GPRS EDGE 850 900 1800 1900 MHz CDMA EVDO Rev A 1xRTT 800 1900 MHz Power LTE 23 dBm 1 HSPA 23 dBm 1 EVDO 24 dBm 1 typical conducted Antennas two SMA male plug finger tighten only maximum torque spec is 7 kefcm Industry Standards amp Certs CE WiFi Alliance IBR600 only GCF CC SIM one 2FF slot cradlepotnt User Manual IBR600 IBR650 11 5 15 GPS standalone GPS support COR IBRGOOLP3 EU COR IBR650LP3 EU Technology LTE HSPA Downlink Rates LTE 50 Mbps HSPA 21 Mbps theoretical Uplink Rates LTE 50 Mbps HSPA 5 76 Mbps theoretical Frequency Bands LTE Band 1 2100 MHz Band 3 1800 MHz Band 7 2600 MHz Band 8 900 MHz Band 20 800 MHz HSPA UMTS 800 850 900 1900 2100 MHz GSM GPRS EDGE 850 900 1800 1900 MHz Module Power LTE 23 dBm 1 UMTS 23dBm 1 typical conducted Module Antennas two SMA male plug 2 dBi gain finger tighten only maximum torque spec is 7 kgf cm Industry Standards amp Certs CE WiFi Alliance IBR600 only GCF CC SIM one 2FF slot GPS standalone GPS support COR IBRGOOP INTL COR IBR650P INTL Technology HSPA Downlink Rates HSPA 21 Mbps theoretical Uplink Rates HSPA 5 76 Mbps theoretical Frequency Bands HSPA UMTS 800 850 900 1900 2100 MHz GSM GPRS EDGE 850 900 1800 1900 MHz Module Power LTE 23 dBm 1 UMTS 23dBm 1 typ
49. MO connection An expression such as Unique ID is any will allow NEMO to operate on any WAN whereas Type is LTE will limit NEMO operation to the WAN s provided by any connected LTE device s With WAN Register the NEMO connection simultaneous with its specified WAN connection becoming available If not checked will only register the NEMO connection when needed Home IP Address and Home Netmask These may be provided by your NEMO service provider The IP address is a placeholder dummy address any IP address can be used 1 2 3 4 is common cradlepoint D User Manual IBR600 IBR650 11 5 15 Home Agent IP Address Home Agent Password and Home Agent SPI Your home agent will be defined by your NEMO service provider Renew Registration The NEMO network regularly re registers with the home agent e g every 30 seconds Specify the number of seconds between each check in MTU Override the maximum transmission unit MTU of the NEMO tunnel The TCP MSS maximum segment size is automatically derived from the MTU Leave blank to rely on Path MTU Discovery L2TP Layer 2 Tunneling Protocol L2TP tunnels can be used to create a connection between two private networks NOTE L2TP Tunnels require a feature license not included with ECM Prime Go to SYSTEM gt Administration gt Feature Licenses to enable this feature Once you have a valid feature license click Add to create a new L2TP tunnel Cl
50. NHRP Next Hop Resolution Protocol is a protocol used to discover addresses of clients on Non Broadcast Multiple Access NBMA networks It is used to create next generation VPN technologies that allow shortcutting between spokes With NHRP systems attached to an NBMA network dynamically learn the NBMA address of the other systems that are part of that network allowing these systems to directly communicate without requiring an intermediate hop NOTE NHRP Configuration requires a feature license not included with ECM Prime Go to SYSTEM gt Administration gt Feature Licenses to enable this feature The NHRP Supported Interfaces table displays the following fields for each configured NHRP interface O Md 7 x Name Name of the GRE tunnel that NHRP will use Protocol Address Prefix GRE L test tunnel endpoint mapping that NHRP associates with the NBMA server NBMA Address NBMA server address the protocol address prefix is associated with Flags SD Shortcut Destination N Non Caching S Shortcut NHRP Supported Interfaces Protocol Address Prefix NBMA Address Enabled 1 2 3 4 255 255 255 0 2 3 4 5 None Enabled G NHRP Editor A R Redirect Click Add to create a new NHRP interface Enabled Enable or disable the interface Name Give the interface a unigue name that matches the mGRE multipoint GRE tunnel Select from configured GRE tunnels or input manually Peer Authentication Embeds the secr
51. NS Override External IP DNS O Matic ChangelP Reset NO IP a Custom Server DynDNS clone cradlepotnt B55 D User Manual IBR600 IBR650 11 5 15 Custom Server Address Only available if you select Custom Server from the Server Address dropdown list Enter your custom DynDNS clone server address here For example www mydyndns or8 Use HTTPS Use the more secure HTTPS protocol This is recommended but can be disabled if not compatible with the server Host name Enter your host name fully qualified For example myhost mydomain net User name Enter the user name or key provided by the dynamic DNS service provider If the dynamic DNS provider supplies only a key enter that key for both the User name and Password fields Password Enter the password or key provided by the dynamic DNS service provider Advanced Dynamic DNS Settings Update period hours Default 576 The time between periodic updates to the dynamic DNS if your dynamic IP address has not changed The timeout period is entered in hours so valid values are from 1 to 8760 Override External IP The external IP is usually configured automatically during connection However in Situations where the unit is within a private network behind a firewall or router the network s external IP address will have to be manually configured in this field You may find out what your external IP address is by going to http myip dnsomatic com in a web browser Known Hosts Configu
52. R IBRGOOLPE VZ COR IBR650LPE VZ 4G LTE HSPA EVDO for Verizon e Technology LTE HSPA EVDO Rev A Downlink Rates LTE 50 Mbps HSPA 21 1 Mbps EVDO 3 1 Mbps theoretical Uplink Rates LTE 50 Mbps HSPA 5 76 Mbps EVDO 1 8 Mbps theoretical Frequency Bands LTE Band 2 1900 MHz Band 4 AWS 1700 2100 MHz Band 5 850 MHz Band 13 700 MHz Band 17 700 MHz Band 25 1900 MHz HSPA UMTS 850 900 1900 2100 MHz AWS GSM GPRS EDGE 850 900 1800 1900 MHz CDMA EVDO Rev A 1xRTT 800 1900 MHz Power LTE 23 dBm 1 HSPA 23 dBm 1 EVDO 24 dBm 1 typical conducted Antennas two SMA male plug finger tighten only maximum torque spec is 7 kefcm Industry Standards amp Certs FCC WiFi Alliance IBR600 only Verizon Verizon NEMO DMNR for Primary Wireless Access SIM one 2FF slot cradlepotnt O User Manual IBR600 IBR650 11 5 15 GPS standalone GPS support COR IBRGOOLPE AT COR IBR650LPE AT 4G LTE HSPA EVDO for AT amp T Technology LTE HSPA EVDO RevA Downlink Rates LTE 50 Mbps HSPA 21 1 Mbps EVDO 3 1 Mbps theoretical Uplink Rates LTE 50 Mbps HSPA 5 76 Mbps EVDO 1 8 Mbps theoretical Frequency Bands LTE Band 2 1900 MHz Band 4 AWS 1700 2100 MHz Band 5 850 MHz Band 13 700 MHz Band 17 700 MHz Band 25 1900 MHz HSPA UMTS 850 900 1900 2100 MHz AWS GSM GPRS EDGE 850 900 1800 1900 MHz CDMA EVDO Rev A 1xRTT 800 1900 MHz Power LTE 23 dBm 1 HSPA 23 dBm
53. SETUP WIZARDS 84 APPENDIX 87 SAFETY REGULATORY AND WARRANTY GUIDE 87 ROUTER COMMUNICATION DATA USAGE 89 cradlepotnt 2015 Cradlepoint All Rights Reserved 1 855 813 3385 cradlepoint com User Manual IBR600 IBR650 11 5 15 INTRODUCTION WHAT S IN THE BOX COR IBR600 IBR650 Integrated Broadband Router w metal mounting bracket External 3G 4G mobile broadband modem antennas 2 SMA w support for GPS on auxiliary connection some models finger tighten only External WiFi antennas 2 reverse SMA 5 dBi gain finger tighten only 12V 1 5A power supply w locking connector GPIO power cable available Quick Start Guide with warranty information KEY FEATURES LTE only HSPA or LTE HSPA EVDO Advanced Modem Failure Check VLAN 802 10 DHCP Server Client Relay DNS and DNS Proxy DynDNS UPnP DMZ Multicast Multicast Proxy QoS DSCP and Priority Queuing MAC Address Filtering Cradlepoint Enterprise Cloud Manager Web UI API CLI Data Usage Alerts router and per client Advanced Troubleshooting support Device Alerts SNMP SMS control e IPsec Tunnel up to two concurrent sessions GRE Tunnel e Routing Rules e NAT less Routing e Virtual Server Port Forwarding IPV6 e CP Secure VPN compatible Cradlepoint Secure VPN NAT configuration only cradlepotnt B55 O User Manual IBR600 IBR650 RADIUS and TACACS support 802 1x authentication for Ethernet Certificate Suppo
54. The required antenna impedance is 50 ohms This device has been designed to operate with WiFi antennas having a maximum gain of 5 dBi Antennas having a higher gain are strictly prohibited per regulations of Industry Canada The required antenna impedance is 50 ohms cradlepoint B55 D User Manual IBR600 IBR650 11 5 15 Ce dispositif est conforme a la norme CNR 210 CNR 102 et CNR Gen d Industrie Canada applicable aux appareils radio exempts de licence Son fonctionnement est sujet aux deux conditions suivantes 1 le dispositif ne doit pas produire de brouillage prejudiciable et 2 ce dispositif doit accepter tout brouillage re u y compris un brouillage susceptible de provoquer un fonctionnement ind sirable Pour l utilisation de dispositifs mobiles Declaration d exposition aux radiations Cet equipement est conforme aux limites d exposition aux rayonnements IC etablies pour un environnement non controle Cet equipement doit tre install et utilise avec un minimum de 25 cm de distance entre la source de rayonnement et votre corps Ce dispositive a ete concu pour fonctionner ave une antenna cellulaire ayant un gain maximal de 3 dBi Une antenne a gain plus eleve est strictement interdite par les reglemnets d Industrie Canada Limpedance d antenne requise est de 50 ohms Ce dispositive a ete concu pour fonctionner ave une antenna WiFi ayant un gain maximal de 5 dBi Une antenne a gain plus eleve est strictement interdite par les
55. Tree Protocol loop detection Bridge Priority Set the priority of the bridge When determining the root bridge of the spanning tree topology the bridge priority is compared first The bridge with the lowest priority with will win If you want this router to be the root bridge then set it to a value less than the default of 32768 A valid priority value is between 0 and D3535 Wired 802 1X Enable 802 1X Require IEEE 802 1X Authorization Reauthentication Period EAP reauthentication period in seconds Auth Server IP Address IP address of the connected RADIUS server Auth Server MAC Address Hardware address of the connected RADIUS server s interface NOTE If you don t know the MAC address for the RADIUS server enter 00 00 00 00 00 00 and the service will try to find the MAC address from the given IP address Port Password Acct Server IP Address IP address of the connected RADIUS server Acct Server MAC Address This is the Hardware address of the connected RADIUS server s interface NOTE If you don t know the MAC address for the RADIUS server enter 00 00 00 00 00 00 and the service will try to find the MAC address from the given IP address Port Password MAC FILTER amp LOGGING Configure 802 1 port based network access control for this network Enable 802 1X Reauthentic ation Penod Auth Server IP Address Auth Server MAC Address Port Password Acct Server IP Address Acct Server
56. User Manual IBR600 IBR650 11 5 15 cradiepoint Global Leader in 4G LTE Network Solutions COR Series Router IBR600 IBR650 User Manual cradlepoint com cradlepotnt User Manual IBR600 IBR650 11 5 15 TABLE OF CONTENTS INTRODUCTION WHAT S IN THE BOX KEY FEATURES WAN LAN MANAGEMENT VPN AND ROUTING SECURITY SYSTEM REQUIREMENTS SPECIFICATIONS ACCESSORIES BUSINESS GRADE MODEM SPECIFICATIONS SUPPORT AND WARRANTY HARDWARE LEDS QUICK START BASIC SETUP ACCESSING THE ADMINISTRATION PAGES FIRST TIME SETUP WIZARD USING ENTERPRISE CLOUD MANAGER ADMINISTRATION PAGES QUICK LINKS DASHBOARD CONNECTION MANAGER WAN INTERFACE PROFILES amp PRIORITY STATUS INTERNET CLIENT LIST TUNNELS FIREWALL cradlepotnt 2015 Lradlepoint All Rights Vv O O GO W W n K K K K gn A D m O 11 11 12 12 12 Reserved 1 855 813 3385 cradlepoint com User Manual IBR600 IBR650 11 5 15 ROUTING 24 ETHERNET 25 GPS 25 SYSTEM LOGS 25 NETWORKING 26 LOCAL NETWORKS 26 VLAN INTERFACES 37 TUNNELS 37 ROUTING 49 DNS SERVERS 53 WIFI AS WAN 55 WAN AFFINITY 5 7 CLIENT DATA USAGE 58 NHRP 59 SECURITY 61 IDENTITIES 61 ZONE FIREWALL 61 CONTENT FILTERING 66 CERTIFICATE MANAGEMENT 70 SYSTEM 73 ADMINISTRATION 73 ENTERPRISE CLOUD MANAGER 78 DEVICE ALERTS 78 SERIAL REDIRECTOR 80 GPIO CONNECTOR 80 SNMP CONFIGURATION 81 SYSTEM CONTROL 82 DIAGNOSTICS 84
57. address Protocol Prefix Optional prefix for protocol address NBMA Address Destination mapped address from protocol address prefix Register his optional parameter specifies that a Registration Request should be sent to this peer on Startup displays flag R in the static mapping table if selected Proprietary OS This should be enabled if the statically mapped peer is running proprietary OS displays flag C in the static mapping table if selected cradlepoint G User Manual IBR600 IBR650 11 5 15 SECURITY Identities are reusable groups of items that are added to filter policy rules A Identities match on any single item in the group will cause the rule to match Identities are referenced in rules by their name Choosing descriptive names like NW Sales Team or Engineering will aid in understanding existing rules and in choosing identities for new rules Zone Firewall Content Filtering Certificate Management HOST ADDRESSES A Host identity can contain IPv4 IPv6 and Fully Qualified Domain Name addresses A single identity can contain a combination of IPv4 and IPv6 addresses IPv4 6 addresses cannot be combined with FODN addresses in the same identity IP addresses are entered using CIDR notation e g 1 2 3 4 32 and 0123 4567 CDEF 128 Ports FODN addresses are entered with at least one dot separating a top level domain from MAC Addresses a root zone e g cradlepoint com To add a Host Address Identity click Add
58. ain Connected Static OSPF BGP Metric RIPng metric is a value for distance for the network Usually the RIP service increments the metric when the network information is received The metric for redistributed routes is set to 1 Route Map Route maps provide a means to filter and or apply actions to routes allowing policies to be applied to routes DNS or Domain Name System is a naming system that translates between domain names www cradlepoint com for example and Internet IP addresses 206 207 82 197 A DNS server acts as an Internet phone book translating between names that make sense to people and the more complex numerical identifiers The DNS page for the device has these distinct functions DNS Settings By default your router is set to automatically acquire DNS servers through your Internet provider Automatic DNS Settings allows you to specify DNS servers of your choosing instead Static Split DNS Enable or disable the redirecting of specified domains to alternate DNS servers Dynamic DNS Configuration Allows you to host a server Web FTP etc using a domain name that you have purchased www example com with your dynamically assigned IP address Known Hosts Configuration Allows you to map a name printer scanner laptop etc to an IP address of a device on the network DNS Settings You have the option to choose specific DNS servers for your network instead of using the DNS servers assigned by your Internet pro
59. al priority of the route Lower numbers have higher priority Allow Network Access Default Deselected Some static routes will need an IP Filter Rule via the Firewall to allow packets through the route without being blocked Selecting this option automatically creates this IP Filter Rule If the IP Network Address falls outside the LAN IP range you probably need to select this option Distribute Allow this static route to be distributed viaa routing protocol BGP OSPF RIP RIPng BGP 11 5 15 G Edit or Add Static Route IP Version Py4 IP Network Address fs Net ask Prefix Bits Gateway Device Metric 4 Allow Network Access Distribute The latest version of BGP Border Gateway Protocol is version 4 BGP 4 is one of the Exterior Gateway Protocols and de facto standard of Inter Domain routing protocol BGP 4 is described in RFC1771 A Border Gateway Protocol 4 BGP 4 BGP is a distance vector routing protocol and the AS Path framework provides distance vector metric and loop detection to BGP RFC1930 BGP Editor Name Unique name of the policy ASN The AS Autonomous System number is one of the essential elements of BGP Router ID This sets the router ID of the BGP process The router ID may be an IP address of the router but need not be it can be any arbitrary 32 bit number However it MUST be unigue within the entire BGP domain to the BGP speaker bad things will happen
60. an be removed or altered to filter the traffic flow Default Deny All is a preconfigured policy to deny all traffic initialized from one zone to be blocked to another zone WAN to LAN forwardings use this policy by default The policy can be removed or altered to filter the traffic flow Click Add to create a new filter policy or select an existing policy and click Edit to open the filter policy editor Name Create a name meaningful to you 11 5 15 Policy Editor Log Enabling policy evel logging forces logging for all rules in the policy Rules add f 8 Deny oe o m a menene None defined ove E Action Choose either Allow or Deny This is the action taken by the firewall if none of the filter policy rules match the traffic being filtered Log When checked every rule in the policy will log matching packets as if the rule s Log option had been Selected Click Add to create a new rule for this filter policy or Select an existing rule and click Edit to open the Rule Editor Name Create a rule name meaningful to you Action Choose either Allow or Deny This is the action taken by the firewall if the rule criteria match the traffic being filtered Log When checked each packet matching this filter rule will be logged in the System Log IP Version Select the IP version to match Enter match criteria under Source Destination Protocols and Application Sets Source Select defined
61. ary and one for backup Make sure that both tunnels have the same Remote Network and that both have Dead Peer Detection enabled 2 Choose one to be the primary tunnel Open the editor for this tunnel and make sure Tunnel Enabled is selected Then go to the Dead Peer Detection page Under Failover Tunnel select the other tunnel you have created 3 Open the editor for the failover tunnel Make sure Tunnel Enabled is not selected On the Dead Peer Detection page set the Failback Tunnel to your primary tunnel Global VPN Settings These settings apply to all configured VPN tunnels Enable VPN Service Enabling VPN Service will allow you to load a certificate for VPN to the router Global VPN Settings Certificate Name Select the Certificate Name Enable VPN Service IKE ISAKMP Port Internet Key Exchange Internet nee Security Association and Key Management Protocol port ern ae Default 500 This is a standard VPN port that usually RE LER ELE Pic does not need to be changed NAT T KeepAlive interval e IKE ISAKMP NAT T Port Internet Key Exchange annan Internet Security Association and Key Management Protocol network address translation traversal port Reset Default 4500 This is a standard VPN NAT T port that usually does not need to be changed NAT T KeepAlive Interval Number of seconds between sending NAT T packets to keep the tunnel alive if no other traffic is being sent Default 20 seconds Range 0 3
62. ation This interface Ping Restart 60 is managed through the assigned LAN Tunnel Enabled z device e Local Endpoint Enter the IP Address of the La Remote Endpont 0 0 0 0 Z O hd b Tunnel Protocol UDP Port 1194 LNS tunnel server peer e Local Netmask Enter the Netmask of the LNS tunnel server peer e Remote Endpoint Enter the IP Address of the LNS tunnel server peer e Remote Netmask Enter the Netmask of the LNS tunnel server peer e Support IPv6 Tunnels Allow IPv6 traffic to be forwarded over this tunnel If you select this option also input an IPv6 Tunnel Address and Tunnel Prefix Length for IPv6 e Tunnel Protocol Choose UDP or TCP e Port Specify the port if desired e Ping Displays if the Configuration Mode is Advanced If no packets have been sent in the amount of time entered a ping is sent to the remote endpoint e Ping Restart Displays if the Configuration Mode is Advanced If no pings have been received in the amount of time entered OpenVPN restarts the tunnel e Tunnel Enabled Click to enable disable this tunnel Add Edit Tunnel Security e Cipher Encrypt packets with the selected algorithm The default is BF CBC an abbreviation for Blowfish in Cipher Block Chaining mode Blowfish has the advantages of being fast very secure and allowing key sizes of up to 448 bits Blowfish is designed to be used in situations where Keys are changed infrequently
63. ation credentials Threat Management Certificate Management Local Certificates Certificate Signing Request To add a local certificate click Add PEM Remove a local certificate by selecting the certificate and clicking the PKCS12 Remove button Local Certificates Add O CP Secure CA N A NIA NIA N A N A AccessMyLAN com Root Authority CP Zscaler CA San Jose California US Zscaler zPath tiv prod zpath net CP Zscaler Boise Idaho US Cradlepoint Inc NIA cradlepoint com tly prod zpath net Add New Certificate oo General Desoiptim Set as CA certificate Sign with GA certificate Subject Gountry Name State or Province Name Local Name Organization Name Org Unit Gommon Name Email Address Validity Days 1 Public Key Algorithm Type C RSA C DSA Digest L MDS SHA 128 C SHA 256 Bits C 1024 C 2048 he MDNI Cradinnnint All Diahtrc Dacnr iG A ig tele Jes S D 6 U 1 cradloanaint com Ql IIIe SU UH Ee zi pes NES Ite shell Vele ee 2 1 ts we T LI du No AEE User Manual IBR600 IBR650 11 5 15 CERTIFICATE SIGNING REQUEST Request a certificate signature from a remote CA Using an established third party CA increases the likelihood that your certificate will be trusted by others see security issues for self signed certificates for more information Generate a certificate signing request CSR by selecting a certificate from the d
64. bled A When creating rules keep in mind that some sites use multiple domains so each domain may needa rule added to produce the desired behavior To add a Network Web Filter Rule click Add geaz IEEE TE Gt Edit or Add Default Filter Settings Primary LAN oo When a network is set to Allow Blacklist it will When a network is set to Allow Blacklist it will allow access to any site not blocked in the Filter Rules Selecting Block allow access to those sites not blocked Hi the Whitelist will only allow access to websites with an assigned Allow action in the Filter rules all other sites will be Filter Rules Selecting Block Whitelist will only blocked allow access to websites with dn Allow action In Selecting to Filter URLs by IP Address will cause the router to perform a ONS lookup on URL entries and the IP the Filter rules all other sites will be blocked addresses will be appended to the appropriate block allow list This can have side effect of being very strict and sites that are hosted across many domains may need every domain added the list for full functionality Selecting to Filter URLs by IP Address will cause Default Action Allow Access the router to perform a DNS lookup on URL entries Filer URLs by IP Address No and the IP addresses will be appended to the appropriate block allow list This can have side effect of being very strict and sites that are hosted across many domains may need every domain added the lis
65. ch session to the available WAN connections e Rate Distribute load based on the current upload and download rates A WAN device s upload and download bandwidth values can be set in Internet gt Connection Manager cradlepotnt 2015 Cradlepoint All Rights Reserved 1 855 813 3385 cradlepoint com D User Manual IBR600 IBR650 11 5 15 e Spillover This was the default algorithm in older version 3 firmware Load is always given to devices with the most available bandwidth The estimated bandwidth rate is based Data Usage MR ik on a combination of the upload and download configuration ere Load Balance Algorithm Submit values and the observed capabilities of the device s Ee Submit Round Robin WAN Management e Data Usage This mode works in concert with the Data Usage Rate feature Internet gt Data Usage Spillover The router will make a best effort to keep data usage between Data Usage interfaces at a similar percentage of the assigned data cap in the data usage rule for each interface rather than distributing sessions based solely on bandwidth For proper functioning you need to create data usage rules for each WAN device you will be load balancing Make certain to select the Use with Load Balancing checkbox in the data usage rule editor ON DEMAND Typically modem connections are not always on When the On Demand mode is selected a connection 1 WAN Management oe to the Internet
66. ched client s authentication expires the client must re authenticate RADIUS Retry Default 60 seconds When using an Enterprise security mode if a RADIUS query fails to receive a response from the server it will delay by this interval in seconds before attempting another query This helps protect the network from floods of authentication requests if the RADIUS server is temporarily unreachable ETHERNET PORTS Ethernet Port Configuration provides controls for your router s Ethernet ports There are two ports by default one WAN port and one LAN port While default settings will be sufficient in most circumstances you have the ability to control Mode WAN or LAN and Link Speed Additional controls for WAN ports are available in CONNECTION MANAGER Mode WAN or LAN By default there is one LAN Local Area Network port and one WAN Wide Area Network port Internet WAN is used as a possible source of Internet for the router Local Network LAN is for connecting a computer or similar device directly to the router with an Ethernet cable Link Speed Default setting is Auto The Auto setting is preferred in most cases Auto 10Mbps Half Duplex 10Mbps Full Duplex cradlepoint 29 User Manual IBR600 IBR650 11 5 15 100Mbps Half Duplex 100Mbps Full Duplex 1000Mbps Full Duplex HOTSPOT SERVICES Any of your networks can be enabled as a hotspot To enable a hotspot you need to select a network and set it as a hotsp
67. con Ss up or down to set the interface the router uses by default and the order that it allows failover WAN Interface Profiles amp Priority Add ae ai dk ai aie a ni be di fei O Profile Name Ethernet Ly LAN 2 VID 2 LTE only Modems Legacy Profile Ly internal LPE VZ SIM LTE 3G Multi node Modems WiFi as WAN 3G only Modems Conditions type is Ethernet Unplugged type is Modem tech is LTE type is Modem tech is L Connected type is Modem tech is LTE 3G type is WWAN type is Modem tech is 3G SI SJ S SJE SE S Availability m U 0 O Q D 0 0 O Q owe O GG Q O 0 O Q A U 0 O Q amp Q Q O 0 O O Q O V Q Q Availability Key v ou Enable Load Balance On Demand lel WAN Verify LOAD BALANCE To enable Load Balancing select the check box for each desired device If this is enabled the router will use multiple WAN interfaces to increase the data transfer throughput by using any connected WAN interface consecutively Selecting Load Balance will automatically start the WAN interface and add it to the pool of WAN interfaces to use for data transfer Turning off Load Balance for an active WAN interface may require the user to restart any current browsing session From WAN Management select the Load Balance Algorithm from the following dropdown options Failback ail Data Usage e Round Robin Evenly distribute ea
68. devices will have access to via the VPN tunnel ee NOTE the remote network IP address MUST be different from the local network IP address Optionally A Port can be defined that will limit the traffic going through the VPN tunnel to only that port If the field is left blank any port will be accepted by the tunnel Add Edit Tunnel IKE Phase 1 IKE security has two phases phase 1 and phase 2 You have the ability to distinctly configure each M Add or Edit test phase but the default settings will be sufficient for a re most users Key Lifetime Secs 28800 To set up a tunnel with a remote site you need to Bini Hash Group match your tunnel s IKE negotiation parameters with s vene m emme the remote site By selecting several encryption J AES 128 J uns A croup t hash and DH group options you improve your ae an m B chances for a successful tunnel negotiation For snes C ia ih ereatest compatibility select all options for greatest J SHA2512 security select only the most secure options that your devices support ME AE Exchange Mode The IKE protocol has two modes of negotiating phase 1 Main also called Identity Protection and Aggressive In Main mode IKE separates the key information from the identities allowing for the identities of peers to be secure at the expense of extra packet exchanges In Aggressive mode IKE tries to combine as much information into fewer packets whi
69. dministration gt System Logging Message Type to filter Type to filter Type to filter Type to filter Thu Sep 3rd 12 29 19 2015 openvpn 919 INFO UDP v4 link remote AF_INET 1 2 3 4 1194 Thu Sep 3rd 12 29 19 2015 openvpn 919 INFO UDP v4 link local bound undef Thu Sep 3rd 12 29 19 2015 openvpn 519 INFO Preserving previous TUN TAP instance tun Thu Sep 3rd 12 29 19 2015 openvpn 919 INFO Re using pre shared static key Thu Sep 3rd 12 29 19 2015 openvpn 919 WARNING NOTE the current script secunty setting may allow this configuration Thu Sep 3rd 12 29 17 2015 openvpn 919 INFO SIGUSR1 soft ping restart received process restarting cradlepotnt 02015 Cradlepoint All Rights Reserved 1 855 813 3385 cradlepoint com B User Manual NETWORKING Local Networks VLAN Interfaces Tunnels Routing QoS DNS Servers WiFi as WAN WAN Affinity Client Data Usage NHRP KO N C T J 1 J B 1 C LUI VI VVI J ATN L MJ OZ NE INL U U M N VI WIFI RADIO 1 2 4GHZ WiFi Name SSID When users browse for available wireless networks this is the name that they will see This name is referred to as the SSID Service set identifier For security purposes Cradlepoint highly recommends that you change IBR600 IBR650 Local Networks VLAN Interfaces Tunnels Routing QoS DNS Servers WiFi as WAN WAN Affinity Client Data Usage NHRP Local Networks WiFi Radio 1 2 4GHz
70. e WAN device is connected Authentication Protocol Username Password idle Check Interval e 30 seconds Failure Gheck Off Enable and Configure Failure Check Failure check will test the connection to verify the WAN device is connected idle Check Interval Set the number of seconds the router will wait between checks to see if the WAN is Still available Failure Check Off Once the link is established the router takes no action to verify that it is still up On Modems will be set to use the Passive DNS failure check type Ethernet and WiFi as WAN connections will be set to use Active Ping Ping IP Address This IP address must be an address that can be reached through your WAN connection modem Ethernet Some ISPs Carriers block certain Summary Below is a summary of your system settings Please record these newly established router settings for future access When you are satisfied with the configuration push the Finish button below Time Zone UTC 7 Mountain Arizona Wireless Network Name IBR1100 pb Security Mode BEST WPA2 We encourage you to register this router with the Cradlepoint Enterprise Cloud Manager ECM Service upon finish ECM is a cloud based itori r management service for configuring monitoring and organizing your Cradlepoint routers Yes Register for ECM upon Finish addresses so choose an address that all of your WAN connections can use Summary Review your setti
71. e added to the Ignored MAC Addresses list You can configure the router to send an alert if a connected device has a MAC address that the router doesn t recognize Go to SYSTEM gt Device Alerts to set up these email alerts Ignored MAC Addresses This is the list of MAC addresses that will not produce an alert or a log entry when they are connected to the router These should be MAC m addresses that you expect to be connected to the router To add MAC 11 5 15 Filter Configuration Enable List Type Blacklist MAC Filter List Blacklist Add f E Address Mask Optional aacbb cc dd ee fi MAC Logging Configuration Enable MAC Logging Ignored MAC Addresses Add f G E MAC Address aa bb ce dd ee ff addresses to this list simply select devices shown in the MAL Address Log and click Ignore You can also add addresses manually MAC Address Log This shows the last 64 MAC addresses that have connected to the router as well as which interface was used to connect The time date that is logged is the time of the first connection The page may need to be refreshed to show the most recent log entries Double clicking on entries from this list will add them to the Ignored MAC Addresses list cradlepotnt User Manual IBR600 IBR650 A virtual local area network or VLAN functions as any other physical LAN but it enables computers and other devices to be
72. e will Shutdown when the assigned usage is reached A cycle reset or a rule deletion will re enable the device Alert on Cap An email alert will be generated and sent when the assigned data cap is reached NOTE The SMTP mail server must be configured in System gt Device Alerts Custom Alerts Check to enable custom alerts at specified percentage of usage Cap WAN Management Custom Alert Percentages Example 50 80 90 110 values can exceed LoadBalance 100 Triggers alerts when 50 80 90 110 of usage cap is used NOTE To enable data usage check Data Usage Enabled from WAN Data Usage Enabled Management cradlepotnt 2016 Cradlepoint All Rights Reserved 1 855 8133385 radlepointcom User Manual IBR600 IBR650 STATUS Internet Client List AM Tunnels i Intemet Firewall gi Routing Client List Ethernet Tunnels GPS Firewall System Logs Sera Ethemet GPS system Logs INTERNE CONNECTIONS Select your device to reveal detailed information about the Ah following device properties Intemet Summary mae Modem ee Cellular Network Client Data Usage General Information Statistics IPv4 Information ae QoS Statistics Device List Device Information Internal LPE SIM1 F Device Property Ethernet Ethernet 0 Summary Modem Internal LPE 5IM1 Modem Internal LPE SIM2 Modem Cellular Network General Information IPv4 Informa
73. e will match on any packet that does NOT match the DSCP field Protocol Select from the dropdown list to specify the protocol for a particular data use Otherwise leave Any selected Any ICMP TCP UDP GRE ESP SCTP Source IP Address Source Netmask Source Negate Destination IP Address Destination Netm ask Destination Negate Failover L WAN Binding Type Load Balance Algorithm Unique ID Round Robin Source IP Address Source Netmask Destination IP Address and Destination Netmask Specify an IP address or range of IP addresses by combining an IP address with a netmask for either source or destination or both Source vs destination is defined by traffic flow Leave these blank to include all IP addresses such as if your rule is defined by a particular port instead EXAMPLE If you want to associate this rule with your guest LAN you could input the IP address and netmask for the guest LAN here leaving the last slot 0 to allow for any user attached to the guest network Source IP Address 192 168 10 0 cradlepotnt User Manual IBR600 IBR650 Source Netmask 255 255 255 0 11 5 15 Failover Default Selected When this is selected and traffic from the chosen WAN device for this rule is interrupted the router will fail over to another available WAN device Deselect this option to restrict this traffic to only the selected WAN interface When Condit
74. eb IP port 80 access Each entry will contain the the IP address of the server and the client Note that this may create a lot of log entries especially on a busy network Sending the system log to a syslog server is recommended Application Gateways Enabling an application gateway makes pinholes thru the firewall This may be required for some applications to function or for an application to improve functionality or add features NOTE Exercise caution in enabling application gateways as they impact the security of your network PPTP For virtual private network access using Point to Point Tunneling Protocol SIP For Voice over IP using Session Initiation Protocol TFTP Enables file transfer using Trivial File Transfer Protocol FTP To allow normal mode when using File Transfer Protocol Not needed for passive mode IRC For Direct Client to Client DCC transfer when using Internet Relay Chat You may wish to forward TCP port 113 for incoming identd RFC 1413 requests DMZ Demilitarized Zone A DMZ host is effectively not firewalled in the sense that any computer on the Internet may attempt to remotely access network services at the DMZ IP address Typical uses involve running a public web server Supporting older games or sharing files NOTE As with port forwarding caution should be used when enabling the DMZ feature as it can threaten the security of your network cradlepoint B55 User Manual IBR600 IBR650 11 5 15
75. ed by the router and displayed when the device is connected to the router 11 il e Condition Select is is not starts with contains or ends with to create your condition s statement e Value If the correct values are available select from the dropdown list You may need to manually input the value Invert WAN Binding Advanced option that inverts the meaning of WAN Binding to only establish this tunnel when the specified WAN Binding device s are NOT connected Tunnel Enabled Select to activate the tunnel Add Edit Tunnel Routes Adding routes allows you to configure what types of network traffic from the local host or hosts will be allowed through the tunnel Click Add Route to configure a new route You will need to input the following information defined by the remote network e Network Address This is the network address that is the destination of the route This should be set to the network address at the remote side of the tunnel e Netmask This is the corresponding subnet mask of the network being defined Default 255 255 255 0 You can set the tunnel to connect to a range of IP addresses or to a single IP address For example you could input 192 168 0 0 and 255 255 255 0 to connect your tunnel to all the addresses of the remote network in the 192 168 0 x range Alternatively you could select a single address by o Add Edit test Tunnel 9 Q inputting that address along with a Netmask of
76. eing used Authentication Mode Select from Pre Shared Key and Certificate Pre Shared Key is used when there is a single key common to both ends of the VPN Certificate requires the creation of a set of certificates anda private key that can be uploaded to the router Select Enable Certificate Support in the Global VPN Settings section to upload a single set of certificates for the router to use Pre Shared Key Create a password or key The routers on both sides of the tunnel must use this same key Mode Select from Tunnel Transport or VTI Tunnel Tunnel Mode is used for protecting traffic between different networks when traffic must pass through an intermediate untrusted network Transport Mode is cradlepotnt B 1 855 813 336 on B User Manual IBR600 IBR650 11 5 15 used for end to end communications for example for communications between a client and a server VTI Tunnel creates a virtual tunnel interface with a specified virtual IP address This interface can then be added to the zone firewall Initiation Mode Always On or On Demand Always On is used if you want the tunnel to initiate the tunnel connection whenever the WAN becomes available Select On Demand if you want the tunnel to initiate a connection if and only if there is data traffic bound for the remote side of the tunnel Tunnel Enabled Enabled or Disabled G Add or Edit test vo Add Edit Tunnel Local Gateway eae IP Version Select IPv4 or IP
77. en 8 and 64 characters long A combination of upper and lower case letters along with numbers and special characters is recommended to prevent hackers from gaining access to your network Configuring Your APN and Modem Authentication If you are using a SIM based modem LTE GSM HSPA with Config Yeu EN Zao again your Cradlepoint router you May need to configure the APN gasses before it will properly connect to your carrier Wireless TI cee Carriers offer several APNs so check with your carrier to a ee esa ENE ee oe eT ee confirm the appropriate one to use You can use the default mmama te Omen Naa pam iar moda eee ELLE password on the back of your product or you can createa ET custom Administrator Password a NOTE DO NOT USE THIS APN WIZARD if you have already configured an APN Any specific modem settings will not be overwritten by this generic APN setup Leave this setting as default and after finishing this Wizard go to the Bak prem cradlepotnt B 1 855 813 336 on BD 11 5 15 User Manual IBR600 IBR650 CONNECTION MANAGER page select your modem and edit the settings The SIM PIN APN tab has more available settings than are provided here Some modems require a username and password to be entered to authenticate with a carrier Do not fill in the following fields unless you are sure your modem needs authentication Enable and configure Failure Check Failure check will test the connection to verify th
78. encryption that is used by the network None WEP Auto WEP Open WEP Shared WPA1 Personal WPA2 Personal WPA1 amp WPA2 Personal You have two options for adding network profiles Automatic Select a WiFi network in Site Survey and click Import Manual Click on Add under Saved Profiles and input the required information Site Survey This is a list of WiFi networks that the router Site Survey can currently find along with information about the network such as its mode and import channel Click Refresh if a WiFi network you want to connect to is not listed You can sort sai aaa a sen the list based on any of the fields by clicking a v sa zero RA BZpublic ec c8 82 fb d1 d1 71 b g wpa1wpa2psk tkipaes 11 on the Field name ec c8 82 fb d1 d2 49 b g wepauto 11 If you import a network from Site Survey S 9 n l i 00 23 04 37 d2 60 61 big wpatwpa2 unsupported 1 most of the information about the network northwesternm e0 1c 41 29 72 d5 83 b g n wpa2psk 6 will already be completed You need to input MBR1200B 2ee 00 30 44 18 22 ee 81 bigin wpa2psk 1 the passwo rd if there is one and then click alyssa 00 30 44 18 f5 23 79 b g n wpatwpa2psk aes 2 submit to save the WiFi as WAN profile a NA OS PCA_BYOD f0 25 72 ca 7c f1 79 b g n wpa2 unsupported 11 Wireless Scan Settings Scan Interval How often WiFi as WAN scans WiFi Radio 1 Se ee the environment for updates Default 60 seconds
79. enses 11 5 15 Router Security Advanced Security Mode Admin Password 000000000000000000000010000000000000 GPS high security environments This includes support for multiple user accounts SMS system Logging Router Services REMOTE ADMIN Remote Management allows a user to enable incoming WAN pings or change settings for the router from the Internet using the router s Internet address Allow WAN pings When enabled the functionality allows an external WAN client to ping the router Allow Remote Web Administration When remote administration is enabled it allows access to these administration web pages from the Internet With it disabled you must be a client on the local network to access the administration website For security remote increased password security and additional network spoofing filters If you plan to use your router in a PCI DSS compliant environment this option is mandatory Remote Admin Allow WAN pings Allow Remote Web Administration Require HTTPS Gonnection HTTP Port Secure HTTPS Port 8080 8443 Allow Remote SSH Access Remote Access can be restricted by IP address in the Firewall Only applicable when SSH is enabled in the Local Management tab access is usually done via a non standard http port Additionally encrypted connections can be required for an added level of security Require HTTPS Connection Requirin
80. equires 128 bit A VPN to newer Cisco or Juniper devices will typically require 128 bit cradlepoint O User Manual IBR600 IBR650 11 5 15 Add Edit Tunnel Dead Peer Detection Dead Peer Detection DPD defines how the router will detect when one end of the IPsec session loses Q Add or Edit test oo connection while a policy is in use Dead Peer Detection IH Connection Idle Time Configure how long the router Connection ide Tine S a will allow an IPsec session to be idle before beginning Request Frequency 5 15 to send Dead Peer Detection DPD packets to the Maximum Requests C 5 peer machine Default 30 seconds Range 10 3600 Faiback Retry Period 5 m seconds Failover Tunnel Failback Tunnel Reguest Freguency allows you to adjust the delay between these DPD packets Default 15 seconds Range 2 30 seconds Maximum Reguests Specify how many reguests to send at the selected time interval before the tunnel is considered dead Default 5 Range 2 10 Failback Retry Period If you have VPN tunnel failover failback enabled see below set the time period between each check on the primary network after failover Default 10 seconds Range 5 60 seconds Failover Tunnel and Failback Tunnel Use these settings to create two tunnels one as the primary tunnel and one as the backup tunnel To configure tunnel failover failback complete the following steps 1 Create two tunnels one for prim
81. er Range End Enable DHCP Server When the DHCP server is Lease Time 720 mins enabled users of your network will be able to automatically connect to the Internet without Custom Options C any special configuration It is recommended DHCP Relay Enable DHCP Relay _ cradlepoint 015 Cradlepoint All Rights Reserved 1 855 8133385 cradiepoint com 6 User Manual IBR600 IBR650 11 5 15 that you leave this enabled Advanced DHCP server configuration is available at NETWORKING gt Local Networks gt DHCP Server Range Start The starting IP address in the DHCP Server range is the beginning of the reserved pool of IP addresses which will be given to any DHCP enabled computers on your network The default value is almost always sufficient Range End The ending IP address in the DHCP Server range is the end of the reserved pool of IP addresses which will be given to any DHCP enabled computers on your network The default value is almost always sufficient Lease Time The lease time specifies how long DHCP enabled computers will wait before requesting a new DHCP lease Smaller values are better suited to busy environments Custom Options Send optional extra options to DHCP clients of this network This can be used to for example set the boot TFTP server of a network for disk less clients DHCP Relay Enable DHCP Relay DHCP Relay communicates with a DHCP server and acts as a proxy for DHCP broadcast messages that must be ro
82. ert Binding Advanced option that inverts the meaning of WAN Binding to only establish this tunnel when the specified WAN Binding device s are NOT connected Add Edit Tunnel Local Networks IP Version Select IPv4 or IPv6 The Network Address and the Netmask define what local devices have access to or can be accessed from the VPN tunnel cradlepotnt 2015 Cradlepoint All Rights Reserved 1 855 813 3385 cradlepoint com User Manual IBR600 IBR650 11 5 15 NOTE the local network IP address MUST be different from the remote network IP address Optionally A Port can be defined that will limit the traffic going through the VPN tunnel to only that port If the field is left Blank any port will be accepted by the tunnel Add Edit Tunnel Remote Gateway Gateway This value can be any of the following an IPv4 address an IPv6 address or a fully qualified G Add or Edit test vo name in the form of host domain com DNS names Remote Gateway saje Gateway are case insensitive so only lower case letters are emote Networks allowed It is recommended that you use a dynamic Rover Services CI DNS hostname instead of the static IP address by O add 7 6 using the dynamic DNS hostname updates of the S network agarose a aa remote WAN IP are compensated for while connecting to a VPN tunnel Add Edit Tunnel Remote Networks The Network Address and the Netmask define the remote network address range that local
83. et plaintext password to outgoing NHRP packets Incoming NHRP packets on this interface are discarded unless this password is present Max length eight characters Holding Time Specifies the holding time for NHRP registration requests and resolution replies cradlepotnt Enabled Name Peer Authentication Holding Time Shoricut Destination Non Gaching Shoricut Redrect Multicast Static Peer Map ada VA K 7200 NHS Q a User Manual IBR600 IBR650 11 5 15 Shortcut Destination Reply with authoritative answers on NHRP resolution requests destined to addresses in this interface instead of forwarding the packets Non Caching Disables caching of peer information from forwarded NHRP resolution reply packets Shortcut Enable creation of shortcut routes Redirect Enable sending of proprietary enterprise style NHRP traffic indication packets e Multicast Determines how multicast packets should be forwarded through NHRP interfaces NHS Multicast packets will be forwarded to each statically configured next hop server This is default and is typical for the configuration of an NHRP spoke Dynamic Multicast packets will be forwarded to each connected peer This is typically used for an NHRP hub You also have the option to create static mappings for this interface Click Add in the table to open the static mapping editor Protocol Address Mapped endpoint to from protocol address to NBMA
84. for most users Remote Gateway This is the public facing WAN side IP address of the network to which the local gateway is going to connect TTL Set the Time to Live TTL or hop limit for the GRE tunnel MTU Set the maximum transmission unit MTU for the GRE tunnel WAN Binding WAN Binding is an optional parameter used to configure the GRE tunnel to ONLY operate when the specified WAN device s are available and connected An example use case is when there is a router with both a primary and failover WAN device and the tunnel should only be used when the system has failed over to the backup connection Make a selection for When Condition and Value to create a WAN Binding The condition will be in the form of these examples Port IS USB Port 1 Type Is not WiMax cradlepotnt 2015 Cradlepoint All Rights Reserved 1 855 813 3385 cradlepoint com B User Manual IBR600 IBR650 11 5 15 e When e Port Select by the physical port on the router into which you are plugging the modem e e USB Port 2 e Manufacturer Select by the modem manufacturer e 9 Cradlepoint Inc e Model Set your rule according to the specific model of modem e Type Select by type of Internet source Ethernet LTE Modem Wireless as WAN WiMAX e Serial Number Select a 3G or LTE modem by the serial number e MAC Address Select a WiMAX modem by MAC Address e Unique ID Select by ID This is generat
85. g a secure https connection is recommended HTTP Port Default 8080 This option is disabled if you select Require Secure Connection cradlepotnt User Manual IBR600 IBR650 11 5 15 Secure HTTPS Port Default 8443 NOTE You can restrict remote access to only specified IP addresses in SECURITY gt Zone Firewall gt Remote Access Restriction Allow Remote SSH Access This will enable SSH access to the router from the Internet It is only available when SSH access is enabled in the Local Management tab Some carriers block the remote SSH access ports If a ping to the router s WAN port does not work it is unlikely that remote SSH access will work FEATURE LICENSES Some Cradlepoint features may require a license These Pomjan features are disabled by default To obtain a feature license contact your Cradlepoint sales representative Once you have obtained the feature license file upload ene Enterprise License m kal che file foenable the feature A reboot is required afrar eee mona a CP Secure Connect unlicensed 0 Uploading a feature license file Feature License File Choose File Upload SYSTEM CLOCK Enabling NTP will tell the router to get its system time from a remote server on the Internet If you do not System Clock enable NTP then the router time will be based on when Enable NTP the router firmware was built which is guaranteed to be wrong Whenever the Internet connection is re
86. he Fragmentation Threshold This setting should remain at its default value Setting the Fragmentation value too low may result in poor performance DTIM A DTIM is a countdown informing clients of the next window for listening to broadcast and multicast messages When the wireless router has buffered broadcast or multicast messages for associated clients it sends the next DTIM with a DTIM Interval value Wireless clients detect the beacons and awaken to receive the broadcast and multicast messages The default value is 1 Valid settings are between 1 and 255 Beacon Beacons are packets sent by a wireless router to synchronize wireless devices Specify a Beacon Period value between 20 and 1000 milliseconds Short Slot Slot Time is the period wireless clients use in determining if the channel is free for transmission Enabling this value allows clients that can utilize a shorter time to do so Disabling this option forces all clients to use a longer backoff check and thus may reduce network throughput while reducing the number of transmission collisions Wireless Mode Select the WiFi clients with which the router will be compatible Greater compatibility is a tradeoff with better performance For greatest compatibility with all WiFi devices select 802 11 a b g n or 802 11 a b e n ac cradlepotnt 28 User Manual IBR600 IBR650 11 5 15 2 4 GHz options 5 GHz options 802 11 D e 802 11 a b g n ac 802 11 b g e 802 11 9 n ac 802 11 a b g n e 802
87. hentication Add P N Pd E company com allow all domain and sub domain options use a wildcard e g company com Click Update to save your additions Authorized MAC Addresses Add the MAC addresses of trusted machines This gives them automatic access through the hotspot portal Click Add to enter new MAC Addresses you wish to allow Click Update to save your additions DHCP SERVER Authorized MAC Addresses Add f M MAC Address aabb cc dd ee fi DHCP stands for Dynamic Host Configuration Protocol The built in DHCP server automatically assigns IP addresses to the computers and other devices on each local area network LAN In this section you can view a list of assigned IP addresses and reserve IP addresses for particular devices Active Leases A list of devices that have been provided DHCP leases The DHCP server automatically assigns these leases This list will not include any devices that have static IP addresses on the network Select a device cradlepotnt User Manual IBR600 IBR650 and click Reserve to add the device and its IP address to the list of Reservations Reservations This is a list of devices with reserved IP addresses This reservation is almost the same as when a device has a Static IP address except that the device must still request an IP address from the router The router will provide the device the same IP address every time DHCP re
88. her channels is not possible This device is restricted for indoor use This equipment complies with FCC radiation exposure limits set forth for an uncontrolled environment This equipment should be installed and operated with minimum distance 20 cm between the radiator and your body This device and its antenna s must not be co located or operating in conjunction with any other antenna or transmitter except in accordance with FCC multi transmitter product procedures To comply with FCC regulations limiting both maximum RF output power and human exposure to RF radiation for the IBR600 and IBR650 the maximum antenna gain in the cellular bands must not exceed 3dBi For the IBR600 the maximum WiFi antenna gain in the 2 4 GHz band must not exceed 5dBi This device complies with RSS 210 RSS 102 and RSS Gen of the Industry Canada Rules Operation is subject to the following two conditions 1 This device may not cause harmful interference and 2 this device must accept any interference received including interference that may cause undesired operation This eguipment complies with IC radiation exposure limits set forth for an uncontrolled environment This eguipment should be installed and operated with minimum distance 25cm between the radiator and your body This device has been designed to operate with cellular antennas having a maximum gain of 3 dBi Antennas having a higher gain are Strictly prohibited per regulations of Industry Canada
89. ical conducted Module Antennas two SMA male plug 2 dBi gain finger tighten only maximum torque spec is 7 kgf cm Industry Standards amp Certs PTCRB GCF CC FCC IC CE WiFi Alliance IBR600 only SIM one 2FF slot GPS standalone GPS support Cradlepoint products with the EU and INTL SKUs enable and disable WiFi channels to comply with EU law The EU and INTL SKUs are not legal for use in North America The EU and INTL versions come with an adapter kit for non USA Canada power outlets includes US EU and UK options SUPPORT AND WARRANTY CradleCare Support available in the US and Canada with technical support software upgrades and advanced hardware exchange 1 3 and 5 year options Three year limited hardware warranty available world wide on IBR600 IBR650 series products when purchased from an approved Cradlepoint Partner or Distributor extend warranty to 5 years cradlepoint 9 User Manual IBR600 IBR650 11 5 15 HARDWARE 3G 4G Antenna SIM slot Power Switch 3G 4G Antenna Connector SMA Connector SMA WiFi Antenna Connector WiFi Antenna Connector Reverse SMA Reset Button USB port Reverse SMA o o cx z Power Port 10 100 Ethernet Ports cradlepotnt 2015 Cradlepoint All Rights Reserved 1 855 813 3385 cradlepoint com User Manual IBR600 IBR650 1
90. ice if Ethernet Threshold is met This will block hotspot use of the WAN when the threshold is met This can be used if the router is being used as a backup failover connection to another router with a wired connection If that other router s wired connection goes down and it starts using this router for its primary connection then disable hotspot use of the WAN connection Set the limiting Rate KB s and Time Period Seconds Redirect HTTPS Requests This allows initial requests to HTTPS websites to be redirected appropriately Hotspot UAM Authentication Port Default 8000 Type in a different port number or use the slider to change the port Simple Mode Settings Display This section allows you to choose if a Terms of Use page will be given to the user connecting to the hotspot Internal Terms of Use Fill in your own terms of use External Terms of Use Specify a URL that has the Terms of Use page Users will automatically be directed to this page No Terms of Use Redirect Only Redirection on Successful Authentication Depending on your choice for the Terms of Use page your have further options for where the user will be directed After the user accepts the terms you can either let him cradlepoint 30 User Manual IBR600 IBR650 her continue to the URL they were trying to reach or you can force the user to go to a specified URL once before continuing on To the URL the user intended to visit To an administrator
91. ick Edit to make changes to an existing tunnel Add Edit Tunnel General Tunnel Name Enter a name to uniquely identify this tunnel LNS address Enter the IP Address of the LNS tunnel server peer MTU Set the maximum transmission unit MTU for the L2TP tunnel MRU Set the maximum receive unit MRU to request from the tunnel peer The MRU is very Similar to the MTU MTU is for packets sent and MRU is for packets received Tunnel Enabled Click to enable disable this tunnel Default Enabled Authentication More authentication options and overrides are available in the next section Username Username for user specific authorization Leave blank to disable Password Shared secret or password used to authenticate the associated Local and Remote names Redial Enabled When this is selected the tunnel will attempt to reconnect if disconnected Add Edit Tunnel Authentication cradlepotnt Q Add or Edit L2TP Tunnel oo General MTU MRU Tunnel Enabled h Authentication ard Redial Enabled G Add or Edit L2TP Tunnel test oo Authentication Remote Name Local Name Overrides Overrides Authentication Allowed CHAP Allowed PAP Allowed Name User Manual IBR600 IBR650 11 5 15 Remote Name Authorization name specified by and to the remote system as its identity sometimes a username or hostname Leave blank to match any Local
92. ier This is a customizable identity that will be used in router reporting and alerting The default value is the product name and the last three characters of the MAC address of the router Asset Identifier This is a customizable string that will be used in router reporting and alerting Require HTTPS Connection Check this box if you want to encrypt all router administration communication Secure HTTPS Port Enter the port number you want to use The default is 443 Enable SSH Server When the router s SSH server is 11 5 15 Local Management Enable Internet Bounce Pages Reboot Count Enable Login Banner Local Domain local tid System Identifier 1IBR1100 994 Asset Identifier Require HTTPS Connection Secure HTTPS Port 443 Enable SSH Server kA Automatically Set System Identifier enabled you may access the router s command line interface CLI using the standards based SSH protocol Use the username admin and the standard system password to log in SSH Server Port Default 22 Automatically Set System Identifier This will automatically set the system ID to the name of the first client that gets a DHCP lease This feature cannot be used with email alerts but alerts can be sent to ECM GPS If you have an attached device with GPS support you can enable a graphical view of your router s location which appears in STATUS gt GPS SIM based models with GPS S
93. if multiple BGP speakers are configured with the same router ID Enabled Click to enable disable the policy Default enabled Networks Associated with ASN or IPv6 Networks Associated with ASN To configure a BGP router you need an AS number An AS number is an identification of autonomous system BGP protocol uses the AS number G Add or Edit A Networks Associated with ASN for detecting whether the BGP connection is internal one or external one Use the IPv4 address and netmask or IPv6 address with a CIDR notation prefix length to define the address range Neighbor Options or IPv6 Neighbor Options Creates a new neighbor identified by remote ASN and IP address Redistribute Routes Redistribute routes of the specified protocol or kind into BGP with the metric type and metric set if specified filtering the routes using the given route map if specified Redistributed routes may also be filtered with distribute lists cradlepotnt User Manual IBR600 IBR650 11 5 15 Type The type is the source of the route Select from Main Connected Static RIP and OSPF Metric Numerical priority of the route Route Map Route maps provide a means to filter and or apply actions to routes allowing policies to be applied to routes OSPF OSPF Open Shortest Path First version 2 is a routing protocol described in RFC2328 OSPF Version 2 OSPF is an IGP Interior Gateway Protocol Compared with RIP OSPF can p
94. iguration 11 5 15 Alert Configuration Firmware Upgrade Available System Reboot Occurred Unrecognized MAG Address Configuration Change Login Success Login Failure Account Locked Recurring System Log SMTP Mail Server Server Address Server Port Require Encrypted Session Authentication Required From Address To Address Advanced Delivery Options Email Subject Prefix IP Address Banned _ VPN Tunnel Goes Down Feature License Expiration Router SDK Application Full System Log WAN Device Status Ghange Verify Email Settings Gradlepoint Alert Login Success A successful login oe attempt has been detected mas 7 Login Failure A failed login attempt has been detected e ses Account Locked Account has been locked due to excessive failed login attempts IP Address Banned An IP address has been banned VPN Tunnel Goes Down Sends an alert when a VPN tunnel goes down Feature License Expiration Sends an alert when a feature license is about to expire Router SDK Application A router SDK Application may send an alert Full System Log The system log has filled This alert contains the contents of the system log Recurring System Log The system log is sent periodically This alert contains all of the system events since the last recurring alert It can be scheduled for daily weekly and monthly reports Frequency You also choose the Time you want the alert sent SMTP Mail Se
95. ion Port Is Type Is not When Value USB Port 1 WiMax Port Select by the physical port on the router that you are plugging the modem into e e USB Port a Manufacturer Select by the modem manufacturer e 9 Cradlepoint Inc Model Set your rule according to the specific model of modem Type Select by type of Internet source Ethernet LTE Modem Wireless as WAN WiMAX Serial Number Select a 3G or LTE modem by the serial number MAC Address Select from a dropdown list of attached devices Unique ID Select by ID This is generated by the router and displayed when the device is connected to the router Condition Select is Statement is not starts with contains or ends with to create your condition s Value If the correct values are available select from the dropdown list You may need to manually input the value Load Balance Algorithm Select the Load Balance Algorithm for this WAN Affinity rule from the following dropdown options Round Robin Evenly distribute each session to the available WAN connections Rate Distribute load based on the current upload and download rates A WAN device s upload and download bandwidth values can be set in CONNECTION MANAGER Spillover This was the default algorithm in older version 3 firmware Load is always given to devices with the most available bandwidth The estimated bandwidth rate is based on a combination
96. ions for OpenVPN tunnels configured in Server mode An ovpn file will be created that can be imported to a variety of OpenVPN client devices Android iOS Windows If the private key for the server s certificate authority is known a client certificate can be generated otherwise one can be selected GRE Generic Routing Encapsulation GRE tunnels can be used to create a connection between two private networks Most Cradlepoint routers are enabled for both GRE and VPN tunnels GRE tunnels are simpler to configure and more flexible for different kinds of packet exchanges but VPN tunnels are much more secure In order to set up a tunnel you must configure the following e Local Network and Remote Network addresses for the Glue Network the network that is created by the administrator that serves as the glue between the networks of the tunnel Each address must be a different IP address from the same private network and these addresses together form the endpoints of the tunnel e Remote Gateway the public facing WAN IP address that the local gateway is going to connect to cradlepoint D User Manual IBR600 IBR650 11 5 15 e Routes that allow you to configure what network traffic from local host s will be allowed through the tunnel Optionally you might also want to enable the tunnel Keep Alive feature to monitor the status of a tunnel and more accurately determine if the tunnel is alive or not Click Add to configure a
97. l network Split DNS directs internal hosts to an internal domain name server for name resolution and external hosts are directed to an external domain name Primary Split DNS server for name resolution Secondary Split DNS Enable Split DNS Primary Split DNS and Secondary Split DNS If you choose to Specify your DNS servers then enter the IP addresses of the servers you want as your primary and secondary DNS servers in these fields The Secondary DNS is optional Domain Click Add to add desired domain for Split DNS Dynamic DNS Configuration The Dynamic DNS feature allows you to host a server Web FTP etc using a domain name that Dynamic DNS Configuration you have purchased www yourname com with your Enable Dynamic DNS dynamically assigned IP address Most broadband Client Status Service needs to be configured Internet Service Providers assign dynamic changing ee IP addresses When you use a Dynamic DNS service ee eee er provider you can enter your host name to connect to Configure Dynamic ONS Service with Provider your server no matter what your IP address is Use HTTPS Enable Dynamic DNS Enable this option only if Hostname myhostmydomainnet you have purchased your own domain name and User name registered with a Dynamic DNS service provider Password Server Type Select a dynamic DNS service Advanced Dynamic DNS Settings provider from the dropdown list Update period hours 576 D yn D
98. layer such as when there Tunnels is anetwork within a network so that packet destinations are hidden behind an additional router Adding a static route is a way of telling the router about an additional step that packets will need to take to reach their destination r Routing Static Routes BGP Click Add to create a new static route OSPF IP Version Select IPv4 or IPv6 Depending on your selection you have different RIP options for defining the address range RIPng IP Network Address or IPv6 Address The IP address of the target network or host The Pv6 address field includes CIDR notation to declare a range of addresses Netmask Prefix The Netmask along with the IPv4 address defines the network the computer belongs to and which other IP addresses the computer can see in the same LAN An IP address of 192 168 0 1 along with a Netmask of 255 255 255 0 defines a network with 256 available IP addresses from 192 168 0 0 to 192 168 0 255 Gateway or IPv6 Gateway Specifies the next hop to be taken if this route is used A gateway of 0 0 0 0 implies there is no next hop and the IP address matched is directly connected to the router on the interface specified LAN or WAN cradlepotnt B55 User Manual IBR600 IBR650 Device Select the network interface from the dropdown menu e g ethernet wan You can use this instead of defining the IP address especially in cases when the IP address is changing Metric Set the numeric
99. le maintaining security Aggressive mode is slightly faster but less secure Because it has better security Main mode is recommended for most users cradlepotnt User Manual IBR600 IBR650 11 5 15 Key Lifetime The lifetime of the generated keys of phase 1 of the IPsec negotiation from IKE After the time has expired IKE will renegotiate a new set of phase 1 Keys Encryption Hash and DH Groups Each IKE exchange uses one encryption algorithm one hash function and one DH group to make a secure exchange Encryption Used to encrypt messages sent and received by IPsec AES 128 AES 256 DES 3DES Hash Used to compare authenticate and validate that data across the VPN arrives in its intended form and to derive keys used by IPSec MD5 SHA1 SHA2 256 SHA2 384 SHA2 512 Note that some Encryption Hash combinations e e 3DES with SHA2 384 512 are computationally expensive impacting WAN performance AES is as strong an encryption and performs much better than 3DES DH Groups The DH Diffie Hellman Group is a property of IKE and is used to determine the length of prime numbers associated with key generation The strength of the key generated is partially determined by the strength of the DH Group Group 5 for instance has greater strength than Group 2 Group 1 768 bit key Group 2 1024 bit key Group 5 1536 bit key In IKE Phase 1 you can only select one DH group if you are using Aggressive exchange mode By defau
100. lepoint com Session Retry Timer How long to wait in seconds before starting a new ECM EEA session following a connection drop or connectivity failure Note that this value is a starting point for an internal backoff timer that prevents Superfluous retries during connectivity loss Unmanaged Checkin Timer How often in seconds the router checks with ECM to see if the router is remotely activated Note that this value is a starting point for an internal backoff timer that reduces network usage over time Maximum Alerts Buffer The maximum number of alerts to buffer when offline Unmanaged Gheckin Timer 1e 86400 Seconds Maximum Alerts Buffer 20 The Device Alerts submenu choice allows you to receive email notifications of specific system events YOU MUST ENABLE AN SMTP EMAIL SERVER TO RECEIVE ALERTS Alerts can be included for the following cradlepoint User Manual IBR600 IBR650 Firmware Upgrade Available A firmware update is available for this device System Reboot Occurred his router has rebooted This depends on NTP being enabled and available to report the correct time Unrecognized MAC Address Used with the MAC monitoring lists An alert is sent when a new unrecognized MAC address is connected to the router WAN Device Status Change An attached WAN device has changed Status The possible statuses are plugged unplugged connected and disconnected Configuration Change A change to the router conf
101. license Go to SYSTEM gt Feature Licenses to enable this feature Enter your Zscaler account information to enable these settings Input local network information Network Address and Netmask to assign your Zscaler implementation to one or more local network s cradlepotnt 11 5 15 Cloud Based Filtering Security Cloud Provider Umbrella OpenDNS UMBRELLA by Glent Status Service needs to be configured Usemame Password OpenDNS ISP Filter Bypass Algorithm E Cloud Based Filtering Security Gloud Provider Zscaler Secure Web Gateway gt zscaler User ID PreShared Key Gateway Local Networks VA G E notno ase E Cloud Based Filtering Security Gloud Provider Zscaler Intemet Security gt zscaler Mode DynDNS Failure Operation Allow Traffic Glent Status Service needs to be configured DynDNS Settings Primary ONS 8 34 34 34 Secondary DNS 8 35 35 35 DynDNs Server Address ddns zscalershiftnet User name Password E User Manual IBR600 IBR650 11 5 15 LOCAL CERTIFICATES Identities This is a table of local certificates including certificate details Zone Firewall Name Friendly description of the certificate Content Filtering Location The certificate issuer s locality city town etc e Organization Information The organization to which the certificate issuer belongs Common Name Name used to match authentic
102. lt all the algorithms encryption hash and DH groups supported by the device are checked which means they are allowed for any given exchange Deselect these options to limit which algorithms will be accepted Be sure to check that the router or similar device at the other end of the tunnel has matching algorithms The algorithms are listed in order by priority You can reorder this priority list by clicking and dragging algorithms up or down Any selected algorithm may be used for IKE exchange but the algorithms on the top of the list are more likely to be used more often Add Edit Tunnel IKE Phase 2 Perfect Forward Secrecy PFS Enabling this feature will require IKE to generate a new set of Keys in phase 2 rather than using the same key generated in phase 1 Additionally with this option enabled the new Keys generated in phase 2 are exchanged in an encrypted session Enabling this feature affords the policy greater security Key Lifetime The lifetime of the generated keys of phase 2 of the IPsec negotiation from IKE After the time has expired IKE will renegotiate a new set of phase 2 Keys Phase 2 has the same selection of Encryption and DH Groups as phase 1 but you are restricted to only one DH Group Phase 2 and phase 1 selections do not have to match For the Hash selection an added value of SHA 256 128 128 bit truncation is avaliable The original specification and the Cradlepoint default is 96 bit truncation but RFC4868 r
103. ltered out A log level of Debug will record the most information while a log level of Critical will only record the most urgent messages Each level includes all messages from all of the levels below it on the list e g Warning includes all Error and Critical messages as well Debug Info Warning Error Critical Enable Logging to a Syslog Server Enabling this option will send log messages to a specified Syslog server After enabling type the Hostname or IP address of the Syslog server or select from the dropdown menu Syslog Server Address Select the Hostname or IP address from the dropdown menu or type this in manually Include System ID This option will include the router s System ID at the beginning of every log message This is often useful when a single remote Syslog server is handling logs for several routers Include UTF8 Byte Order Mark The log message is sent using UTF 8 encoding By default the router will attach the Unicode Byte Order Mark BOM to the Syslog message in compliance with the Syslog system Logging Logging Level Info Enable Logging to a Syslog Server Log to attached USB stick Verbose modem logging Create support log MR Ai protocol RFC5424 Some Syslog servers may not fully support RFC5424 and will treat the BOM as ASCII text which will appear as garbled characters in the log If this occurs disable this option Log to attached USB stick Only enable this
104. mation Name P Address MAC Address Data Uploaded Data Downloaded Client Data Usage Reset Statistics pburroughs 192 168 0 132 34 e6 d7 43 5d df 0 18 MB 0 20 MB 9 3 12 14 Last Traffic To reset information click Reset Statistics STATISTICS Statistics can be gathered at variable Sample Rate and Sample Size for the following areas Wireless Device Data Usage Failover Failback Load Balance Wireless Device Sample Rate 200 Samples Hour 100 Samples 2015 08 05 10 29 00 2015 08 05 10 23 00 2015 08 05 10 26 00 2015 08 05 2015 08 05 10 17 42 10 20 00 56 0 10 32 00 56 5 57 0 sig 2015 08 05 2015 08 05 2015 08 05 2015 08 05 2015 08 05 2015 08 05 10 17 42 10 20 00 10 23 00 10 26 00 10 29 00 10 32 00 Time 0 sinr Time 2015 08 05 2015 08 05 10 38 00 2015 08 05 10 41 00 2013 08 05 10 35 00 oc 0 5 5 oot H H O H A O A eee eer V 05 2015 08 05 10 35 00 2075 08 05 10 38 00 2075 08 05 10 41 00 2015 08 05 10 44 00 2015 08 05 10 47 00 cradlepotnt 2015 Cradlepoint All 2015 08 05 2015 08 05 10 44 00 10 47 00 Rights Reserved 1 855 813 3385 cradlepoint com User Manual IBR600 IBR650 11 5 15 Data Usage Sample Rate Sample Size 200 Samples Hour 900 800 700 600 500 KB 400 300 200 100 va mna w Pd tz o K 100 Samples
105. menu TCP UDP TCP amp UDP Click Save to Save your completed port proxying rule Name Enabled Local Portis gt Remote Gomputer Remote Portis gt cradlepotnt B 1 855 813 336 on OB User Manual IBR600 IBR650 NAT 11 5 15 Zone NAT is similar to Port Forwarding and provides that functionality by mapping ports available on interfaces associated with the Zone to ports available on local clients Zone NAT also has the ability to map many types interfaces selectable via a Zone For example GRE interfaces can be used to port forward traffic from the GRE endpoints to local client thereby limiting exposure to the local LAN while still gaining the benefits of GRE Click Add to create a Zone NAT Source Zone Name The Zone created in Zone Firewall Select the Zone to NAT Original Destination IP Specify which inbound traffic to this router will have the destination IP translated to an internal network Inbound Port s Specify the IP port s on the inbound traffic to forward to a local computer Local Computer Specify the local computer to receive forwarded traffic Local Port s Specify the IP port first if a range on the local computer to receive forwarded traffic Protocol Select the IP protocol traffic to forward Dynamic 1 1 NAT Dynamic NAT allows translating the destination ip of incoming network traffic to a local network All ports and protocols will be forwarded Netmasks should ge
106. nerally match If the local network range is larger than the incoming destination range then network traffic will begin using port overloading One to One NAT can be accomplished by Specifying a host address or a 32 cidr address Click Add to create a Dynamic 1 1 NAT m T H identities WEBFILTER SETTINGS General Settings b Zone Firewall v Content Filtering Web Filter Settings MAC Web Filter Rules Network Web Filter Rules forwarding Upstream Proxy Settings G Edit NAT Entry Source Zone Name Original Destination IP inbound Portis gt O Local Portis L Protocol TGP oa E X Edit Dynamic NAT Original Destination IP NAT To Network lt Enbable Webfilter Selecting Enable Webfilter will enable the webfiltering service This is used to enable or disable all router based webfiltering and Filter HTTPS Selecting Filter HTTPS enables redirection of all port 443 traffic into the proxy The proxy will then extract the host name from the SNI Server Name Indication If SNI is unavailable then the original destination IP address is used for filtering No decoding of the SSL TLS session is done Enabled Select whether the use of an Upstream Proxy server is enabled cradlepotnt User Manual IBR600 IBR650 Proxy Address The Proxy Address is the address the desired HTTP proxy is hosted at Addresses can be input as host names or as ip addresses If the p
107. ngs and click Finish to exit or Back to edit IP PASSTHROUGH SETUP IP passthrough takes a 3G 4G WAN data source USB ExpressCard or Cradlepoint business rade modem and passes the IP address through to Ethernet LAN Enabling IP passthrough will make many changes to your router configuration Please review this list and ensure they are compatible with how the router will be used All Ethernet ports will be set to LAN All network groups except the primary network group will be removed All WAN devices will have Load Balance disabled and the highest priority device will be used All Wireless interfaces will be removed from the primary network group All Router based VPN and GRE services will be disabled The Routing Mode will be set to IP Passthrough The Subnet Selection Mode will be set to Automatically Create Subnet unless overridden via the Subnet Selection Mode dropdown Any Ethernet WAN connections should be disconnected before IP passthrough is enabled cradlepoint B55 86 User Manual IBR600 IBR650 11 5 15 APPENDIX SAFETY REGULATORY AND WARRANTY GUIDE This important Product Information and Safety Guide contains safety handling disposal regulatory trademark copyright and software licensing information To avoid injury read all safety information below and operating instructions before using the device This equipment has been tested and found to comply with the limits for a Class B digital device pursua
108. nt to Part 15 of the FCC Rules These limits are designed to provide reasonable protection against harmful interference in a residential installation This equipment generates uses and can radiate radio frequency energy and if not installed and used in accordance with the instructions may cause harmful interference to radio communications However there is no guarantee that interference will not occur in a particular installation If this equipment does cause harmful interference to radio or television reception which can be determined by turning the equipment off and on the user is encouraged to try to correct the interference by one of the following measures Reorient or relocate the receiving antenna Connect the equipment into an outlet on a circuit different from that to which the receiver is connected Increase the separation between the equipment and receiver Consult the dealer or an experienced radio TV technician for help Any changes or modifications not expressly approved by the party responsible for compliance could void the user s authority to operate this equipment This device complies with Part 15 of the FCC Rules Operation is subject to the following two conditions 1 This device may not cause harmful interference and 2 this device must accept any interference received including interference that may cause undesired operation For product available in the USA Canada market only channel 1 11 can be operated Selection of ot
109. nterprise Cloud Manager ECM is a cloud based management service for configuring monitoring and organizing your Cradlepoint routers Key features include the following Group based configuration management Health monitoring of router connectivity and data usage Remote management and control of routers Historical record Keeping of device logs and status Registering Your Router Once you have signed up for ECM click on the Register Router button to begin managing the router through ECM Input your ECM Username and ECM Password and click Register You have now registered the device with Enterprise Cloud Manager Suspending the ECM Client Click on the Suspend Client button to stop communication between the device and ECM Suspending the client will make it stop any current activity and go dormant It will not attempt to contact the server while suspended This is a temporary setting that will not survive a router reboot to disable the client altogether use the Advanced Enterprise Cloud Manager Settings panel below ene Cloud Manager Settings Advanced Enabled Enable the ECM client to contact the server While this box Enterprise Cloud Manager Settings is unchecked the ECM client will Enabled never attempt to contact the server Server Host Port stream oradlepointeom com 8001 Default Enabled Session Retry Timer Ce 60 Seconds Server Host Port The DNS hostname and port number for your ECM server Default stream crad
110. o be filtered with distribute lists Type The type is the source of the route Select from Main Connected Static OSPF BGP Metric RIP metric is a value for distance for the network Usually RIP increments the metric when the network information is received The metric for redistributed routes is set to 1 Route Map Route maps provide a means to filter and or apply actions to routes allowing policies to be applied to routes cradlepoint B User Manual IBR600 IBR650 RIPNG RIPng RIP next generation extends RIPv2 to support IPv6 See RIPng on Wikipedia and RFC 2080 for details RIPng Editor Name Unique name of the policy Metric RIPng metric is a value for distance for the network Usually the RIP service increments the metric when the network information is received The metric for redistributed routes is set to 1 Enabled Click to enable disable the policy Default enabled Networks Set the RIPng enabled interfaces by network using IPv6 addresses RIPng is enabled on the interfaces that have addresses within the network range Routes Set RIPng static routing announcement of specified network address 11 5 15 Add or Edit Networks A Redistribute Routes Redistribute routes of the specified protocol or kind into RIPng with the metric type and metric set if specified filtering the routes using the given route map if specified Type The type is the source of the route Select from M
111. oad or restore router settings Restore Settings Firmware Management Restore amp Upgrade Restore router settings and upgrade router firmware Modem Firmware Upgrade Change Carrier Modems Internal LPE VZ SIM1 Current Firmware Version 05 05 16 02 VZW 005 013 010 Available Firmware Version Check for Update SLS g t i th Automatic Firmware Check nao omenen Reboot Options Manually reboot the router Reboot The Device Reset the router to its original settings Once reset your SSID and admin password will match the sticker on the bottom of the router Factory Reset Router Access router s command line interface CLI console Device Console Scheduled Reboot Scheduled Reboot Never Enable Watchdog Reboot A User Manual IBR600 IBR650 Ping Test A simple test to check Internet connectivity Type the Hostname or IP address of the computer you want to ping and click the Ping button Speed Test Tests Against Cradlepoint Server Up to ten speed tests are permitted against a Cradlepoint server WAN Device The WAN Device that is selected will have the test run on it If no device is selected then the highest priority connected device will be used Custom Server Type the Hostname or IP address of the server to which you wish to perform a test If left empty the test will be done to a Cradlepoint server Custom Port Optional The port to which the tes
112. of data passed over time This is a good setting aa ih for when you have a dual mode EVDO WiMAX modem and you are going in and out of WiMAX coverage If the router has failed over to EVDO it will wait until you have low data usage before bringing down the EVDO connection to check if a WiMAX connection can be made High Rate 80 KB s Time Period 30 seconds Normal Rate 20 KB s Time Period 90 seconds Low Rate 10 KB s Time Period 240 seconds Custom Rate range 1 100 KB s Time Period range 10 300 seconds Time Fail back only after a set period of time Default 90 seconds Range 10 300 seconds This is a good setting if you have a primary wired WAN connection and only use a modem for failover when your wired connection goes down This ensures that the higher priority interface has remained online for a set period of time before it becomes active in case the connection is dropping in and out for example Disabled Deactivate failback mode Immediate Mode Fail back immediately whenever a higher priority interface is plugged in or when there is a priority change Immediate failback returns you to the use of your preferred Internet source more quickly which may have advantages such as reducing the cost of a failover data plan but it may cause more interruptions in your network than Usage or Time modes DATA USAGE Data Usage displays upload and download traffic for each LAN client Check Monitor Monthly or Weekl
113. ot Clients pburoughs eee pburroughs mu RH Block M Hotspot Clients Fromme ip T pana Tine Rohe No HotSpot Clients TUNNELS A CP SECURE VPN Intemet Displays status of your CP Secure Client List VPN Tunnels To add and configure CP Secure VPN Tunnels go to NETWORKING gt Tunnels gt CP Secure CP Secure VPN VPN IPSec VPN OpenVPN GRE Tunnels IPSEC VPN Displays status of your IPSec VPN IPS IPSec VPN Tunnels Tunnels To add and configure IPSec VPN Tunnels go to NETWORKING gt Tunnels gt IPSec VPN 0 mytunnel Idle OPEN VPN Displays status of your OpenVPN Tunnels To add and configure OpenVPN Tunnels 90 to NETWORKING gt Tunnels gt OpenVPN OpenVPN Tunnels Connected Updated Since Remote Address Local Address mytunnel Thu Sep 3 12 25 24 2015 1 2 3 4 0 0 0 0 145 15M 0 006 idle down cradlepotnt 2015 Cradlepoint All Rights Reserved 1 855 813 3385 cradlepoint com 23 User Manual IBR6OO IBR650 11 5 15 GRE Displays status of your GRE Tunnels To add and configure GRE Tunnels go to NETWORKING gt Tunnels gt GRE GRE Tunnels Transmit packets bytes Receive packets bytes mytunnel Tunnel Not Alive 5 120 00 bytes O 0 00 bytes 14 6 FIREWALL Displays information about your Firewall Connection Tracking States To configure your firewall select SECURITY from the left navigation Connection Tracking States
114. ot in Hotspot Made Simple NETWORKING gt Hotspot Services NOTE Although any network can be a hotspot the router allows only one hotspot Hotspot Settings Local IP Network Unconfigured Gonfigure Allow Service on 3G 4G modems Disable Service if Ethemet Threshold is Hotspot Mode Choose from the following met dropdown options Rate s 20 KBis Simple Allows Terms of Use page and Time Period 90 seconds timeout settings controlled within the Redirect HTTPS Requests C router Hotspot UAM Authentication Port 8000 RADIUS UAM Allows you to set up external authentication servers Local IP Network A single LAN Group including both WiFi and Ethernet can be configured as your hotspot If you do not already have a LAN Group configured as a hotspot click Configure and set the IPv4 Routing Mode to Hotspot for the LAN Group you want to use NOTE Routing Mode is in the Primary LAN Editor under the IPv4 Settings tab Select a network in NETWORKING gt Local IP Networks and click Edit to open the Primary LAN Editor Allow Service on 3G 4G Modems Allows you to enable or disable hotspot access to the Internet over a modem This is often used if the router has a main wired link and a secondary modem for failover typically with a more expensive limited data plan Select this option if you want the router to allow data traffic over the modem if the wired connection goes down Disable Serv
115. ote System information via SNMP is by default Read WWritable However if fhe value is set here that field will become Read Only Enabling SNMP on WAN will JE NEM hat fi iy make SNMP services available System Contact to the WAN interfaces of the SN oysiem Name router WAN port Use the WAN System Location port field to configure which publicly accessible Reset preu port you wish to make SNMP services available on Default 161 SNMP Version e SNMPv1 SNMP version 1 is the most basic version of SNMP SNMPv1 will configure the router to transmit with settings compatible with SNMP version 1 protocols SNMPv2c SNMP version 2c has the same features as v1 with some additional commands SNMPv2c will configure the router to use settings and data formatting compatible with SNMP version 2c SNMPv3 SNMP version 3 includes all prior features with security available SNMPv3 is the most secure setting for SNMP If you wish to configure traps then you must use SNMP version 3 SNMP v1 amp v2c Settings Get community string The Get community string is used to read SNMP information from the router This String is like a password that is transmitted in regular text with no protection Set community string The Set community string is used when writing SNMP settings to the router This String is like a password It is a good idea to make it different than the Get community string cradlepotnt B 1 855 813 336 on 9
116. per tool or key to access the device and have been informed about the potential high surface temperatures and instructed on how to safely handle and or service the device Under no circumstances should the IBR600 device be used in any areas a where blasting is in progress b where explosive atmospheres may be present or c that are near i medical or life support equipment or ii any equipment which may be susceptible to any form of radio interference In such areas the IBR600 device MUST BE POWERED OFF AT ALL TIMES since the device otherwise could transmit signals that might interfere with such equipment In addition under no circumstances should the IBR600 device be used in any aircraft regardless of whether the aircraft is on the ground or in flight In any aircraft the IBR600 device MUST BE POWERED OFF AT ALL TIMES since the device otherwise could transmit signals that might interfere with various onboard systems on such aircraft Furthermore under no circumstances should the IBR600 device be used by the driver or operator of any vehicle Such use of the device will detract from the driver s or operator s control of that vehicle In some jurisdictions use of the IBR600 device while driving or operating a vehicle constitutes a civil and or criminal offense Due to the nature of wireless communications transmission and reception of data by the IBR600 device can never be guaranteed and it is possible that data communicated or transmitted
117. ration The Known Hosts Configuration feature allows you to map a name printer scanner laptop etc toan Known Hosts Configuration IP address of a device on the network This assigns a new hostname that can be used to conveniently Add f identify a device within the network such as an s office printer T EEA sample c ipd 1 2 34 Click Add to name a device in your network Fill in the following fields Hostname Choose a name that is meaningful to you No spaces are allowed in this field IP address The address of the device within your network EXAMPLE a personal laptop with IP address 192 168 0 164 could be assigned the name MyLaptop Since the assigned name is mapped to an IP address the device s IP address should not change To ensure that the device keeps the same IP address go to NETWORKING gt Local Networks gt DHCP Server and reserve the IP address for the device by selecting the device in the Active Leases list and clicking Reserve WiFi as WAN uses an outside WiFi network as its Internet source When WiFi as WAN is enabled the router will find other WiFi networks that you can select and connect to Unless a selected WiFi source is on an Unprotected network you will need to know its password or key To enable WiFi as WAN select WiFi Radio 1 and Wireless as WAN under WiFi Client Mode UST r ESEM Wireless Scan Settings Radio Settings WiFi Client Mode Wireles
118. reglemnets d Industrie Canada L impedance d antenne requise est de 50 ohms Cradlepoint Inc declares that the IBR600 IBR650 is in compliance with the essential requirements of the R amp TTE Directive 1999 5 EC Energy Related Products Directive 2009 125 EC Electromagnetic Compatibility Directive 2004 108 EC Low Voltage Directive 2006 95 EC and ROHS2 Directive 2011 65 EU A copy of the original European DoC may be obtained from cradlepoint com product certifications AT BE BG CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT NL PL PT RO SK SI ES SE GB IS LI NO CH TR Operation of the device in the 5150 5250 MHz frequency band is restricted to indoor use only RF Exposure Statement To comply with RF Exposure reguirements this eguipment should be installed and operated with a minimum distance of 25cm between the radiating device and your body To find information on Cradlepoint s commitment to our environment and how to responsibly recycle or recover Cradlepoint products at the end of their useful life please visit cradlepoint com This equipment is designed to operate in ambient temperatures up to 70 C 158 F When operating in elevated ambient temperatures the surface of the equipment may exceed 70 C and become too hot to safely touch Under this condition this product must be installed in a secured location that is not accessible to accidental touch and access to the device must be restricted to service persons or users who possess the pro
119. request will be sent to the DNS servers If no data is received the DNS request cradlepotnt 015 Cradlepoint All Rights Reserved 1 855 813 3385 cradlepoint com User Manual IBR600 IBR650 11 5 15 will be retried four times at five second intervals The first two requests will be directed at the Primary DNS server and the second two requests will be directed at the Secondary DNS server If still no data is received the device will be disconnected and failover will occur e Active Ping A ping request will be sent to the Ping Target If no data is received the ping request will be retried four times at five second intervals If still no data is received the device will be disconnected and failover will occur When Active Ping is selected the next line gives an estimate of data usage in this form Active Ping could use as much as 9 3 MB of data per month This amount depends on the Idle Check Interval e Off Once the link is established the router takes no action to verify that it is still up FAILBACK This is used to configure failback which is the ability to go back to a higher priority WAN interface if it regains connection to its network Select the Failback Mode from the following B G WAN Management 00 Usage R mp Failback Mode Usage eri sz reshold Time res Usage Threshold Custom al C i Disabled Rate 20 KB s Data Usage Time Period N 90 seconds Usage Threshold Fail back based on the amount
120. ropdown list Certificate Name field and downloading the CSR The CSR can then be sent to a remote CA for a signature Once the certificate has been signed import the certificate in PEM or PKCS 12 format When you export the CSR select a Digest or cryptographic hash function These are listed in order of increasing security More security requires more router resources MD5 SHA 128 SHA 256 Certificate Signing Request Certificate Name Digest C MDS O SHA 128 SHA 256 PEM PEM is a container format for encoding data in this case X 509 certificates PEM was originally designed for encoding email PEM stands for Privacy enhanced Electronic Mail but it has never been widely used for that purpose The format is bnan ej much more common for encoding digital certificates The PEM format uses Base64 and DER Distinguished Encoding Rules encoding Export PEM Format CA Certificates Import PEM CA Certificate Name To import choose a certificate file in PEM format from your Certificate Name computer or local device and upload it to the router Give the certificate a name that is meaningful to you To export select a local certificate from the dropdown list and download it to your computer or local device in PEM format PKCS12 PKCS 12 is one of the public key cryptography standards PKCS 12 files bundle public and private certificate keys in an archive file format The PKCS 12
121. rovide more scalable network support and faster convergence times OSPF is widely used in large networks such as ISP Internet Service Provider backbone and enterprise networks OSPF Areas Area Areas are identified by an ID Default Cost Set the cost of default summary LSAS announced to stubby areas Stub Area Configure area to be stub area No Summary Prevents ABR from injecting inter area summaries into the specified stub area OSPF Editor Router ID This sets the router ID of the OSPF l l process The router ID may be an IP address of the Q Edit or Add router but need not be it can be any arbitrary 32 OSPF Router bit number However it MUST be unique within the Router ID entire OSPF domain to the OSPF speaker Enable Authentication Key Set OSPF authentication key to a simple password After setting authentication Network Areas key all OSPF packets are authenticated The Add 7 o authentication key has a maximum length of eight characters Enabled Click to enable disable the policy Default enabled Network Areas Areas are identified by an ID number Use the IP address and netmask fields to associate a network with this policy Add a x Redistribute Routes Redistribute routes of the R tye Metric Route Map Specified protocol or kind into BGP with the metric type and metric set if specified filtering the routes using the given route map if specified Redistributed routes Cancel Save ma
122. roxy is unavailable HTTP traffic will fail to cross the network and a notification page will be shown HTTP Port The port the HTTP Proxy is listening on HTTPS Port Optional The port for the proxy to forward HTTPS traffic to HTTPS is not transparently intercepted and must have the LAN clients configured to use the Cradlepoint 11 5 15 Webfilter Settings General Settings Enable Webfilter 4 Filter HTTPS Upstream Proxy Settings Enabled router as a proxy for HTTPS to work properly MAC WEB FILTER RULES MAC Address WebFilter Rules allow you to control access from a specific MAC address to external domains or websites To adda rule click Add MAC Address Enter MAL Address Filter Action Select Block or Allow Domain URL IP Enter the Domain Name or URL address of the website you wish to control access for e g www google com To make sure the full domain is blocked enter the most inclusive domain e g google com will effectively block www google com as well as maps google com and images google com Alternatively you can use an IP address e g 8 8 8 8 or address range written in CIDR notation e g 8 8 8 0 24 Rule Priority Higher number rules overrule lower number rules Enabled A rule can be enabled or disabled by selecting or deselecting the checkbox Use MAC Address WebFilter Defaults together Reset G Edit or Add MAC Rule vo Enter the Domain Name or URL address of
123. rt ALGS MAC Address Filtering Advanced Security Mode local user management only Per Client Web Filtering IP Filtering Content Filtering basic Website Filtering 11 5 15 Native support for authentication Authorization and accounting support through hotspot captive portal services Enterprise Cloud Manager requires a subscription SYSTEM REQUIREMENTS At least one Internet source a Cradlepoint integrated 3G 4G modem with an active data plan an Ethernet based modem or WiFi as WAN Windows 7 8 Mac OS X or Linux computer with WiFi adapter 802 11n recommended for WiFi functionality Internet Explorer v6 0 or higher Firefox v2 0 or higher Safari v1 0 or higher SPECIFICATIONS WAN Integrated LTE only HSPA or LTE HSPA EVDO modem Two 10 100 Ethernet ports WAN or LAN LAN Two 10 100 Ethernet ports WAN or LAN PORTS Power Two Ethernet LAN or WAN Two cellular antenna connectors SMA Two WiFi connectors reverse SMA TEMPERATURE 20 C to 60 C 4 F to 140 F operating modem as WAN 20 C to 50 C 4 F to 122 F operating Ethernet as WAN 30 C to 70 C 22 F to 158 F storage HUMIDITY non condensing 10 to 85 operating 5 to 90 storage POWER DC input steady state voltage range 9 18VDC Recommended inline fuse for vehicle installations 1 5A fast blow cradlepotnt User Manual IBR600 IBR650 11 5 15 SIZE 3 3 x 4 0 x 0 9 in 85 x 102 x
124. rt the card with the notch end first and the gold contacts facing down it will click into place 2 Attach the WiFi and modem antennas Attach the two WiFi antennas and two modem antennas to the connectors Antennas are jointed which enables you to position them for optimal signal To attach hold the antenna straight and twist the base of the antenna to connect folding the joint if needed NOTE Ensure that the router antennas are not near metal or other RF reflective surfaces 3 Connect the power source Plug the provided power supply into an electrical outlet Then connect the power supply to the router 4 Ensure power is switched on O OFF ON 5 Connect to a computer or other network equipment For the IBR650 simply connect your device s to the router via Ethernet Part IBR600LPE VZ ka 1 Ona WiFi enabled computer or device open the window or cradlepoint dropdown menu that allows you to access wireless networks The NEM PEU IBR600 network will appear on the list select this network A RON KUK 2 Log in You will need to input the Default Password when prompted SIT TN MT RIO The Default Password is provided on the product label found on the MEID 35 6195 0500 5289 bottom of your router this password is the last eight digits of the BIH lalalala H f h n router s MAC address which can be found on the product box or On ion mi on the product label Serial No MM14030123456 CJF h a l SSID IBR600 6aa NOTE
125. rver Since your router does not have its own email server to receive alerts you must enable an SMTP server This is possible through most email services Gmail Yahoo etc Each SMTP server will have different specifications for setup so you have to look those up separately The following is an example using Gmail Server Address smtp email com Server Port 587 for TLS or Transport Layer Security port the router does not support SSL Authentication Reguired For Gmail mark this checkbox User Name Your full email address Password Your Gmail password From Address Your email address To Address Your email address Once you have filled in the information for the SMTP server click on the Verify SMTP Settings button You Should receive a test email at your account Delivery Options Advanced cradlepoint User Manual IBR600 IBR650 11 5 15 Email Subject Prefix This optional string is prefixed to the alert subject It can be customized to help you identify alerts from specific routers Retry Attempts The number of attempts made to send an alert to the mail server After the attempts are exhausted the alert is discarded Retry Delay The delay between retry attempts A single USB Serial device can be used to establish a serial link to a host port on the router The USB Serial device can also be accessed by running serial from an SSH session Telnet to Serial Configuration Enabled Enabling Telnet to
126. s and netmask pairs to the administration filter Edit will allow you to change settings for the selected address Remove will remove a selected entry PORT FORWARD A port forwarding rule allows traffic from the Internet to reach a computer on the Port Forwarding Rules inside of your network For example a port O ad 7 x aaas Server NOTE Exercise caution when addine new rules as they impact the security of your network Port Proxying Rules Click Add to create a new port forwarding Ada o ee Add Edit Port Forwarding Rule Name Name your rule Enabled Togele whether your rule is enabled Selected by default Use Port Range Changes the selection options to allow you to input a range of ports if desired Internet Port s The port number s as you want it defined on the Internet Typically these will be the Same as the local port numbers but they do not have to be These numbers will be mapped to the local port numbers Local Computer Select the IP address of an attached device from the dropdown menu or manually input the IP address of a device User Manual IBR600 IBR650 11 5 15 Local Port s The port number s that corresponds to the service Web server Edit oo FTP etc on a local computer or device Name For example you might input 80 in Enabled Z the Local Port s field to open a port for intemet Port gt a Web server on a computer within your network The Internet Port s
127. s as WAN cradlepoint 015 shts Reserved 1 855 813 338 point con User Manual IBR600 IBR650 11 5 15 All Cradlepoint routers and some other routers use the same default IP address for the primary network 192 168 0 1 If you attempt to set up WiFi as WAN and there is an IP conflict you need to change the IP address The router is attempting to use the same IP address for both WAN and LAN which is impossible Go to Network Settings gt WiFi Local Networks Select the network and click Edit You can change the IP address under IPv4 Settings For example you might change 192 168 0 1 to 192 168 1 1 Saved Profiles This is a list of WiFi networks that have already been configured as WAN sources The router will attempt to connect to any of these access points using the password you have configured If more than one access point is in range then the router will connect with the highest priority network Network The name SSID or Service Set Identifier that is broadcast by the access point BSSID The numeric ID of the network Basic Service Set Identifier This parameter is required when trying to connect to a hidden network using WiFi as WAN It is optional when connecting to a visible network If it is set in a profile both the SSID and BSSID must match to connect to an access point If the BSSID is not set ina profile then the router will connect to any access point that matches the given SSID Auth Mode The type of
128. servations are helpful for server computers on the local network that are hosting applications such as Web and FTP Servers on your network should either use a static IP address or a reservation 11 5 15 Active Leases 192 168 0 132 34 e6 d7 43 5d df 12 hours 0 mins pburroughs Reservations Add VA IP Addr IPv6 Addr Hardware Addr host ABC 567 0 0 8888 9999 1111 0 aa bb cc dd ee ff true While you have the option to manually input the information to reserve an IP address Hostname Hardware Addr IP Addr it is much simpler to select a device under the Active Leases section and click Reserve The selected device s information will automatically be added under Reservations LOCAL IP NETWORKS Local IP Networks displays the following information for each network Network Name IP address Netmask and Enabled Disabled along the top bar Multicast Proxy Enabled Disabled DHCP Server Enabled Disabled DHCP Relay Enabled Disabled Schedule Enabled Disabled See the Schedule tab in the Local Network Editor VRRP Failover State Disabled Backup or Master IPv4 Routing Mode NAT Standard IP Passthrough Hotspot Disabled IPv6 Addressing Mode SLAAC Only SLAAC with DHCP Disable SLAAC and DHCP Access Control Admin Access UPnP Gateway LAN Isolation Attached Interfaces Ethernet ports WiFi VLAN Click Add to configure a new network Remove to delete a network
129. t for full functionality The settings can be changed by selecting a network and clicking the Edit button MOSOO4 Cc i A er ers Me mMm a narre MAN Sa a Pa P i User Manual IBR600 IBR650 CLOUD BASED FILTERING Select a third party Cloud Provider from the dropdown list Umbrella by OpenDNS Zscaler Secure Web Gateway Zscaler Internet Security Umbrella by OpenDNS Umbrella by OpenDNS is a cloud based web filtering and security solution that protects you online by filtering websites Go to http www opendns com business security for information about Umbrella Enter your Umbrella account information in order to use these content filtering settings OpenDNS ISP Filter Bypass Algorithm It is possible that your Internet Service Provider ISP uses the port that OpenDNS is configured to access port 53 which will prevent OpenDNS filtering If OpenDNS does not appear to be working correctly enabling this will attempt to bypass those ports when using an OpenDNS content filtering level Zscaler Zscaler is a cloud based web filtering and security provider that offers several plan options Depending on your Zscaler implementation this could include Global Cloud Platform Real Time Reporting Behavioral Analysis URL Filtering Advanced Threat Protection Inline Anti Virus amp Anti Spyware Web 2 0 Control Data Loss Prevention Bandwidth Management Web Access Control And more NOTE Zscaler requires a feature
130. t is directed Max Duration The Max Duration is the Maximum amount of time for which the test should be run The test may finish sooner if sufficient data is collected 11 5 15 Ping Test Parket Size 64 Don t Fragment Speed Test Tests Against Gradlepoint Server 0 10 WAN Device Gusiom Server Optiona Gustom Port Optional Limits should be adjusted to the WAN interface used Large amounts of data could be used on the selected WAN device Max Duration 0 Data Limit 10 Test Type Data Limit The Data Limit is the limit of how much data will be transferred while measuring the connection speed this should be limited to reduce the expense of a speed test Setting the limit to O will cause the test to run until enough data is collected or the duration limit is met Test Type Select the type of test you would like to run TCP Upload will test speed going to the server TCP Download will test speed coming to the client and UDP will measure the speed going to the server Administration Enterprise Cloud Manager Device Alerts Senal Redirector SNMP Configuration system Control Diagnostics Setup Wizards ECM Registration First Time Setup IP Passthrough Setup cradlepotnt To register the router with Cradlepoint ECM you must first have an account If you need to create an account you can signup at cradlepoint com Once you ve created an account or if you already have one you
131. t of Delegated is desirable in most configurations Delegated The address is provided by a router connected to this router s WAN Static The address is provided by the router admin None No use of an IPv6 WAN address IPv6 is disabled on the WAN IPv6 Address An IPv6 Address is a unique numerical label for a computer or device using the Internet Protocol IP IPv6 addresses are typically in the format composed of 8 sets of 4 hexadecimal numbers Leading zeros can be ignored and the longest set of continuous zeros can be replaced with For example the IPv6 address of 0001 0000 0234 5678 0000 0000 9abc 0def can be expressed as 1 0 234 5678 9abc def Interfaces Select the network interfaces which will be attached to this network by either dragging desired interface or clicking lert Available Interfaces Selected Interfaces or right arrows to move them between Interfaces WiFi 2 4 GHz unconfigured Select the network interfaces which will be attached to this network WiFi 2 4 GHz unc onfigured Access Control UPnP Gateway Select the UPnP Universal Plug and Play option if you ai zk kani ia z lt want to enable the UPnP Gateway service for computers on this network Admin Access When enabled users may access these optionally provide custom DHCP settings admin pages from this network DHCP Server Enable DHCP Server A WiFi 5 GHz unconfigured pa IPv4 DHCP Range Start DHCP Serv
132. te an SMS plan White list Add V Q l SMS Phone number SMS is not a guaranteed delivery protocol The carriers do not guarantee that the SMS message will be delivered to the modem or that the modem s response will be delivered to the sender This means an administrator might have to send messages multiple times before the desired action is performed SMS is a slow protocol It can take seconds or up to a few minutes for messages to be delivered SMS messages are not encrypted they are sent in full readable text over the network Enable SMS support SMS support is enabled by default on the router Deselect this to disable Password By default the password is the last eight characters of the router s MAC address i e the Default Password on the product label You can change this password to anything between 1 and 16 characters It should be long enough to be useful for security but short enough to easily type into your phone or other textine client White List This list is blank by default which means that the router will accept SMS messages from any phone number Leaving this blank is unsecure so Cradlepoint recommends that you add phone numbers to this list Once any numbers are listed only those numbers Nave the ability to connect to the router via SMS cradlepotnt User Manual IBR600 IBR650 SYSTEM LOGGING 11 5 15 Logging Level Setting the log level controls which messages are stored or fi
133. the website you wish to control access for i e www example com To make sure the full domain is blocked enter the most inclusive domain i e example com will effectively block www example com as well as mail example com and images example com Alternatively you can use an IP address i e 8 8 8 8 or address range written in CIDR notation i e 8 8 8 0 24 Addresses that have an Allow action assigned will have access allowed while Addresses with a Block action assigned will be blocked When multiple rules conflict the rule with the highest priority is used Filter Action Block Rule Priority 50 Enabled kA with MAC Address WebFilter Rules to control website access for specific MAC addresses By default each MAC address is allowed website access Click Add Edit to change this setting for a MAC address Input the MAC Address and Default Action you would like to apply to that MAC address Default Action Select from the following dropdown options Allow Access default Block Access When a network is set to Allow Access it will allow access to sites not specifically blocked in the WebFilter Rules When a network is set to Block Access it will block access to sites not specifically allowed in the WebFilter Rules cradlepotnt G Edit or Add Default Filter Settings oo Input the MAG address and default action you would like to apply to that MAG address Default Action Block Access o E User Manual
134. tion Statistics cradlepotnt 2015 Cradi 11 5 15 User Manual IBR600 IBR650 Property 11 5 15 E Summary State Manufacturer Model service Display Home Carrier Roaming Status Signal Strength RSSI SINR RSRP RSROQ MEID IMEI Network Address Ide Current APN IP Address Netmask Gateway DNS Servers cradlepotnt Modem Firmware Ver Mobile Directory Num connected Cradlepoint Inc Internal LDE 5IM1 S5WI9x15C 05 05 16 02 r21040 carmd fwl LTE Verizon VZWINTERNET 100 97 122 176 255 255 255 252 100 97 122 177 195 224 164 135 195 224 160 135 2015 Cradlepoint All Rights Reserved 1 855 813 3385 cradlepoint com 19 Summary H Modem Manufacturer Product Model supported Technologies Firmware Version Package Version Mobile Directory Number ESN IMEI MEID IMEI ICCID Mobile Subscriber Identification IMSI PRI ID PRI Version PIN Status Chipset Hardware Version Cradlepoint Inc Internal LPE 5IM1 Internal LPE slM1 lte 3g SWI9X15C 05 05 16 02 21040 c4 05 05 16 02 VzwW 005 013 0710 User Manual IBR600 IBR650 Home Carrier Verizon Roaming Status Home Carrier Status UP Connection State Active Service Display LTE Signal Strength 100 RSSI 53 dBm SINR 1
135. ts the GPS sentence reporting to a remote server to a specific time interval Start Time Reporting start time End Time Reporting end time SMS 11 5 15 G Add or Edit NS Client Details Enable this client 4 Glient name omne OOO Server myhostmydomannet Port lne i Specify Time Interval A Start Time 9 00 AM End Tme 5 00 PM SMS Short Message Service or text messaging requires a cellular modem with an active data plan SMS is not designed to be a full remote management feature SMS allows you to connect to the router for a few simple queries or commands with a text messaging service e 8 from your phone A modem that does not have an active data connection may still be reachable by SMS because Internet traffic and SMS traffic operate on Separate channels so SMS can be used to bring an offline router back online SMS is enabled on the router by default However it only works if SMS is supported and enabled on the modem Most modems have SMS enabled by default but the carrier may charge a fee for each text message sent or received Contact your carrier to review these fees and or to enable an SMS plan Important notes about SMS Messages are limited to 160 characters SMS Enable SMS support This feature only works if SMS is supported and enabled on the modem SMS messages are subject to carrier charges based on the texting plan Contact your carrier to enable SMS and activa
136. unt you need to register Log into the device administration pages and select Enterprise Cloud Manager from the SYSTEM menu Enter your ECM username and password and click on Register Once you Nave registered your device 90 to cradlepointecm com and log in using your ECM credentials For more information about how to use Cradlepoint Enterprise Cloud Manager see the following e Getting Started e ECM on the Knowledge Base cradlepoint User Manual IBR600 IBR650 11 5 15 ADMINISTRATION PAGES Quick Links Dashboard Connection Manager Status Networking Security System QUICK LINKS Quick Links allows you to bookmark your most commonly used settings Simply click on the bookmark icon 5 to add an item to your Quick Links menu To remove an item from your Quick Links menu select the item and click on the remove bookmark icon Router Secunty Local Networks Local Networks EGM Registration WiFi Radio 1 2 4GHz WiFi Radio 1 2 4GHz WiFi Radio 1 Settings 2 4 GHz WiFi Radio 2 5GHz WiFi Radio 2 5GHz WiFi Radio 2 Settings 5 GHz Ethemet Ports Ethemet Ports Quick Links Menu Add Quick Link Delete Quick Link Device Information The Dashboard is a centralized location for basic ar information about the status of your router The ott IBR600LPE LI MM150127401039 prwi oca Fri Sep 11 13 23 27 MDT areas include Ob 0 days 0 hours 4 mins D 00 30 44 1c a5 a6 pceuj 32 Device Information Managed by ECM Mon Oct
137. upport reguire that the SIM be inserted Some carriers disable GPS support in otherwise supported modems If you encounter issues with obtaining a fix contact your carrier and ensure that GPS is supported Enable GPS Enable support for querying GPS information from capable modems Send to Client s Enable this Server Enables a local server to which clients can connect and recieve GPS sentences Server Name Your server s name should include only Aa Zz numerals and Enable GPS server on LAN Enables a server on the LAN side of the firewall which will periodically send GPS sentences to TCP connected clients Q Add or Edit Server Details Enable this Server Enable GPS server on LAN Enable GPS server on WAN A Enable GPS server on WAN Enables a server on the WAN side of the firewall which will periodically send GPS sentences to TCP connected clients Port Choose a port between 1 and 65535 Send to Server s cradlepotnt User Manual IBR600 IBR650 Enable this client Enables periodic reporting of GPS sentences to a remote server The router will buffer GPS sentences if errors are encountered or if the Internet connection goes down and send the buffered sentences when the connection is restored Client name Your client s name should include only Aa Zz numerals and Server Remote server hostname or IP Port Remote server port Specify Time Interval Restric
138. urs of a day Virtual Router ID VRRP Router Priority Enable VRRP Enable or disable VRRP Virtual Router IP IP Address of the Virtual Router Virtual Router ID Identifier of the Virtual Router Advertisement Interval Router Priority Failover priority of this router The highest priority router will take ownership of the Virtual IP WAN Fault Priority This optional value sets the failover priority Authentication None of this router when no WAN connection is available If the value matches the normal router priority WAN connection state will WAN Fault Pnority Initial Virtual Router State Master Provide Virtual IP in DHCP leases cradlepoint D User Manual IBR600 IBR650 11 5 15 not be considered If the value is empty the default the router will always give up the Virtual IP and let a new master take over when no WAN connection is available Advertisement Interval Sets the amount of time in seconds between sending VRRP advertisements Initial Value Router State This controls the initial failover state of the VRRP instance when it first comes up Authentication VRRP Authentication Method Note that VRRP Authentication has been deprecated as of RFC 3768 Password VRRP Group Password Provide Virtual IP in DHCP leases Select this to automatically set the DHCP default gateway address and DNS server address to the Virtual IP in DHCP leases provided on this network STP Enable STP Enable Spanning
139. uted to remote segments This is accomplished by converting broadcast DHCP messages to unicast messages to communicate between clients and servers Multicast Proxy Multicast Proxy Enables IGMP proxying to allow Multicast Streams to flow across this network Quick Leave Mode Disable quick leave mode if it s vital that the daemon should act exactly as a real multicast client on the upstream interface However disabling this function increases the risk of bandwidth saturation Altnet If multicast traffic originates outside the upstream subnet add address es to the altnet to define legal multicast sources IPv6 Addressing Address Configuration Mode SLAAC stands for Stateless address autoconfiguration A network can be configured to use SLAAC only or it can be configured to also use DHCPV6 to provide ip addresses to clients DHCP Range Start The DHCP Range Start is the beginning of the range that will be used for IPV6 DHCP addresses The IPv6 range will always start at 1 DHCP Range End The ending IP address in the DHCP Server range is the end of the reserved pool of IP addresses which will be given to any DHCP enabled computers on your network IPv6 DHCP Lease Time Specifies how long DHCP enabled computers will wait before requesting a new DHCP lease Schedule Enable Schedule Service Enable the interface scheduler A Enable VRRP 4 schedule allows an interface to be enabled or disabled during Virtual Router IF specific ho
140. utomatically directed to the FIRST TIME SETUP WIZARD which will walk you through the steps to customize your Cradlepoint IBR600 IBR650 You have the ability to configure any of the following Administrator Password Time Zone WiFi Network Name Security Mode Access Point Name APN for SIM based modems Modem Authentication Failure Check If you are currently using the router s WiFi network you will need to reconnect your devices to the network using the newly established wireless network name and password NOTE To return to the First Time Setup Wizard after your initial login select SYSTEM from the navigation bar expand Setup Wizard and select First Time Setup USING ENTERPRISE CLOUD MANAGER Rapidly deploy and dynamically manage networks at geographically distributed stores and branch locations with Enterprise Cloud Manager Cradlepoint s next generation management and application platform Enterprise Cloud Manager ECM integrates cloud management with your Cradlepoint devices to improve productivity increase reliability reduce costs and enhance the intelligence of your network and business operations Click here to sign up for a free 30 day ECM trial Depending on your ordering process your devices may have already been bulk loaded into ECM If so simply log in at cradlepointecm com using your ECM credentials and begin managing your devices seamlessly from the cloud If your device has not yet been loaded into your ECM acco
141. v6 WAN Binding Unique ID b WAN Binding WAN Binding is an optional parameter aaa used to configure the VPN tunnel to ONLY operate when IP Version IPv4 the specified WAN device s are available and connected Q as 7 o An example use case is when there is a router with both ESN a primary and failover WAN device and the tunnel should only be used when the system has failed over to the backup connection Make a selection for When Condition and Value to create a WAN Binding The condition will be in the form of these examples Port Is USB Port 1 Type Is not WiMax When Port Select by the physical port on the router that you are plugging the modem into e e USB Port 2 Manufacturer Select by the modem manufacturer e 9 Cradlepoint Inc Model Set your rule according to the specific model of modem Type Select by type of Internet source Ethernet LTE Modem Wireless as WAN WiMAX Serial Number Select a 3G or LTE modem by the serial number MAC Address Select a WiMAX modem by MAC Address Unique ID Select by ID This is generated by the router and displayed when the device is connected to the router 11 ks Condition Select is is not starts with contains or ends with to create your condition s statement Value If the correct values are available select from the dropdown list You may need to manually input the value Inv
142. vider The default DNS servers are usually adequate You may want to assign DNS servers if the default DNS servers are performing poorly if you want WiFi clients to access DNS servers that you use for customized addressing or if you have a local DNS server on your network cradlepotnt User Manual IBR600 IBR650 11 5 15 Mode Automatic or Static default Automatic DNS Settings Switching to Static enables you to set specific DNS servers in the Primary DNS and Secondary DNS fields e Primary DNS and Secondary DNS If you choose to specify your DNS servers then enter the IP addresses of the servers you want as your primary Force All DNS Requests To and secondary DNS servers in these fields The DNS oma Server settings will be pre populated with public DNS server IP addresses You can override the IP address EN with any other DNS server IP address of your choice For example Google Public DNS servers have the IP addresses 8 8 8 8 and 8 8 4 4 while 4 2 2 2 and 4 2 2 3 are servers from Level 3 Communications Force All DNS Requests To Router Enabling this will redirect all DNS requests from LAN clients to the router s DNS server This will allow the router even more control over IP addresses even when clients have their own DNS servers Statically set Split DNS Split DNS allows you create two zones for the same domain one to be used by the internal network the other used by Split DNS the externa
143. wload Settings to save your current settings to a file on a computer Restore Settings Click on Restore Settings to restore your previous settings from a file on a computer Firmware Management Load new firmware and restore your previous settines from a file on a computer without rebooting between steps MODEM FIRMWARE Modems Select desired modem Current Firmware Version Shows the number of the current firmware and the date it was updated Available Firmware Version If there is a new firmware version available this will list the version number Click Check Again to have the router check the newest firmware Automatic Firmware Check Automatically check for new firmware updates once daily Manual Firmware Upload Upload the router firmware from an attached computer DEVICE OPTIONS Reboot Options Reboot the Device Manually restart the router Factory Reset Router Reset the router to its original settines Once reset your SSID and admin password will match the sticker on the bottom of the router Device Console Access router s command line interface CLI console Scheduled Reboot Scheduled Reboot Router will restart at user specified time Enable Watchdog Reboot Router will restart when it determines an unrecoverable error condition has occurred cradlepotnt 11 5 15 system Config Save Restore Backup or save current router settings Download Settings Upl
144. work If the guest network is enabled anyone can connect to the special guest network which allows limited connectivity to the Internet while preventing access to your local network OG Sa Sse NE ae m Security Mode a ae ae pi S i Da N or mi ng ne lea Best ne nn yau ale Enable vi Neo yau ie a second obl Fonda fam your ruter log guests o ipl and ensiy adapters support WPA2 only mode This will SPI aa connect to most new devices and is the most In odar to proc your network from une unera la HR recommand you ove the Nghest vel of noci that Teratai Secure but may not connect to older devices or Cradlepoint recommends the WPA2 security mode some handheld devices such as a PSP cg acion stings by res te Reset btn four on he sile You te forte seconde Tis il esto or pose be Good WPA1 amp WPA2 Select this option if your SE wireless adapters support WPA or WPA2 This is the MAPA oS most compatible with modern devices and PCs Poor WEP Select this option if your wireless ne adapters only support WEP This should only be used if a legacy device that only supports WEP will be connected to the router WEP is insecure and obsolete and is only supported in the router for legacy reasons The router cannot use 802 11n modes if WEP is enabled router WiFi performance and range will be limited None OPEN Select this option if you do not want to activate any security features WPA Password The WPA Password must be betwe
145. y also be filtered with distribute lists Type The type is the source of the route Select from Main Connected Static RIP OSPF Metric Numerical priority of the route Route Map Route maps provide a means to filter and or apply actions to routes allowing policies to be applied to routes Redistribute Routes cradlepoint 015 Cradlepaint Al Rights Reserved 1 855 8133385 cradlepoint com B User Manual IBR600 IBR650 11 5 15 RIP RIP Routing Information Protocol is a widely deployed interior gateway protocol RIP is a distance vector protocol based on the Bellman Ford algorithms As a distance vector protocol RIP sends updates from one router to its neighbors periodically allowing the convergence to a known topology In each update the distance to any given network will be broadcast to its neighboring router The router supports RIP version 2 as described in RFC2453 and RIP version 1 as described in RFC1058 RIP Editor Name Unique name of the policy Metric RIP metric is a value for distance for the Q Add or Edit 96 network Usually RIP increments the metric when the network information is received The metric for redistributed routes is set to 1 Protocol Version RIP can be configured to send either m version 1 or version 2 packets The default is to send oe RIPv2 while accepting both RIPv1 and RIPv2 and replying with packets of the appropriate version for REQUESTS triggered updates
146. y or Daily Usage to begin tracking this information This data is not retained between router reboots For Monthly and Weekly you are able to specify the day to start each cycle e g the 1st or Tuesday respectively cradlepoint B55 User Manual IBR600 IBR650 11 5 15 Usage Cap Enter a Cap amount in Megabytes 1024 Megabyte is equal to 1 Gigabyte Q WAN Management A On Demand Use with Load Balancing When checked the Load Ked week Yar OOOO l l WAN Verify Balancing feature is allowed to use the thresholds and BPRM H iaid likai a metrics of this rule when making balance decisions This causes Load Balancing to spread the data usage between interfaces according to the assigned usage rather than bandwidth This is a best effort to keep all interfaces with these rules at a similar percentage utilization of data e g Data Usage Cycle Start Day of Month 1 Monthly Usage Cap MB Use with Load Balancing Shutdown on Cap 10 50 90 as the cycle progresses rather than quickly PRR L using 100 of a fast 1GB capped interface while using only er a fraction of a Slow 10GB capped interface thus leaving Custom Alert Percentages the rest of the cycle with only the slow interface The Data a e oa values Usage algorithm on the WAN Affinity Load Balancing page Triggers alerts when 50 80 90 must be selected or this checkbox has no effect 110 of usage cap is used Shutdown on Cap When checked the WAN devic
Download Pdf Manuals
Related Search