Cradlepoint COR IBR350 Manual
Highly Available, Cloud-Managed M2M Gateway
The Cradlepoint COR IBR350 Series is a compact, 4G LTE networking solution designed for mission critical connectivity for M2M deployments.
Ideal for kiosks and digital signs, this cloud-managed solution provides organizations the ability to scale deployments quickly and manage their distributed networks easily in real-time.
Designed with form & function in mind for the cost-conscious consumer, COR IBR350 is perfect to get your applications online.
Key Features
• Cloud-managed for zero-touch deployment and intelligent management
• Internal Verizon LTE modem
• Compact
• Integrated mounting holes
• One 10/100 Ethernet port
• Connectors for external cellular modem antennas (two)
Figure 1: COR IBR350

Summary of Contents for Cradlepoint COR IBR350

  • Page 2: Administration Pages

    • Using Enterprise Cloud Manager Administration Pages The COR IBR350 administration pages include the following five tabs: Figure 2: COR IBR350 Admin Page Tabs See Navigating the Administration Pages for helpful information about how to use the device’s GUI-based management interface.
  • Page 3 • • Routing • Statistics • System Logs • VPN Tunnels Network Settings • Content Filtering • DHCP Server • • Firewall • Local Networks • MAC Filtering • MAC Logging • • Routing Internet • Connection Manager • Client Data Usage •...
  • Page 4: Package Contents

    System Requirements • At least one Internet source: a CradlePoint integrated 3G/4G modem with an active data plan, or an Ethernet-based modem. • Windows 2000/XP/7/8, Mac OS X, or Linux computer. • Internet Explorer v6.0 or higher, Firefox v2.0 or higher, Safari v1.0 or higher, or Google Chrome.
  • Page 5 WAN port speed control, several levels of basic and advanced logging for troubleshooting • VPN (IPsec) – Tunnel, NAT-T, and transport modes; connect to Cradlepoint, Cisco/Linksys, CheckPoint, Watchguard, Juniper, SonicWall, Adtran and others; certificate support; Hash (MD5, SHA128, SHA256, SHA384, SHA512), Cipher (AES, 3DES, DES); support for 2 concurrent...
  • Page 6 PDF in the Resources section of antenna and router product pages. Business-Grade Modem Specifications COR IBR350 models include an integrated 4G LTE modem – specific model names include a specific modem (e.g., the COR IBR350L-VZ includes a Verizon LTE modem).
  • Page 7 Figure 3: COR IBR350 Lights & Ports Figure 4: COR IBR350 SIM Door, USB & Antenna Connectors...
  • Page 8: Quick Start

    • No Light = Not receiving power. Check the power switch and the power source connection. • Flashing Amber = Attention. Open the administration pages (see Accessing the Administration Pages) and check the router status. LAN - LAN • Green = LAN is connected. •...
  • Page 9: Accessing The Administration Pages

    1. Insert an activated SIM. A wireless broadband data plan must be added to your Cradlepoint COR IBR350. Wireless broadband data plans are available from wireless carriers such as Verizon, AT&T, Sprint, EE, and Vodafone. The SIM must be provisioned with the carrier. Contact your carrier for details about selecting a data plan and about the process for provisioning your SIM.
  • Page 10: First Time Setup Wizard

    When you log in for the first time, you will be automatically directed to the FIRST TIME SETUP WIZARD, which will walk you through the steps to customize your Cradlepoint COR IBR350. You have the ability to configure any of the following:...
  • Page 11: Using Enterprise Cloud Manager

    Started > Enterprise Cloud Manager Registration. Enter your ECM username and password, and click on “Register”. Once you have registered your device, go to cradlepointecm.com and log in using your ECM credentials. For more information about how to use Cradlepoint Enterprise Cloud Manager, see the following: •...
  • Page 12 Figure 9: Enterprise Cloud Manager Login Page Figure 10: Enterprise Cloud Manager Registration Page...
  • Page 13: Quick Links

    Figure 11: Administrator Login Quick Links The Cradlepoint logo in the top left corner of all the administration pages is a link to the Dashboard (Status > Dashboard), which displays fundamental information about the router. The bar across the top provides quick access to important information and controls: •...
  • Page 14 Figure 12: Router UI Figure 13: Cradlepoint logo Figure 14: Quick links...
  • Page 15: Configuration Pages

    Figure 15: Modem connection quality Figure 16: WiFi connection strength Configuration Pages The following table shows the navigation layout of the administration pages. Click on the tabs along the top bar to reveal the following dropdown menus. Figure 17: Admin Page Tabs NOTE: These contents vary by product.
  • Page 16 GRE Tunnels Internet Connections Routing Statistics System Logs VPN Tunnels Content Filtering DHCP Server Firewall Local Networks MAC Filter / Logging Routing Connection Manager Client Data Usage Data Usage GRE Tunnels Network Mobility (NEMO) VPN Tunnels Administration Certificate Management Device Alerts Enterprise Cloud Manager Feature Licenses SNMP Configuration...
  • Page 17: Getting Started

    Cradlepoint Enterprise Cloud Manager is Cradlepoint’s next generation management and application platform. Enterprise Cloud Manager (ECM) integrates cloud management with your Cradlepoint devices to improve productivity, increase reliability, reduce costs, and enhance the intelligence of your network and business operations.
  • Page 18 Figure 19: Enterprise Cloud Manager Login Page...
  • Page 19: First Time Setup

    • Failure Check Administrator Password Cradlepoint recommends that you change the router’s ADMINISTRATOR PASSWORD, which is used to log into the administration pages. The administrator password is separate from the WiFi security password, although initially the Default Password is used for both.
  • Page 20 Figure 22: Access Point Name If you are using a SIM-based modem (LTE/GSM/HSPA) with your Cradlepoint router, you may need to configure the APN before it will properly connect to your carrier. Wireless carriers offer several APNs, so check with your carrier to confirm the appropriate one to use. Some examples include: •...
  • Page 21 Figure 23: Modem Authentication – Chap • Username • Password Configuring Failure Check It is possible for a WAN interface to go down without the router recognizing the failure. (For example: the carrier for a cellular modem goes dormant, or your Ethernet connection is properly attached to a modem but the modem becomes disconnected from its Internet source.) Enable Failure Check to ensure that you can get out to the Internet via your primary WAN connection.
  • Page 22: Ip Passthrough Setup

    You can quickly enable IP passthrough with the IP Passthrough Setup Wizard available under Getting Started > IP Passthrough Setup. IP passthrough takes a 3G/4G WAN data source (USB, ExpressCard, or Cradlepoint business-grade modem) and passes the IP address through to...
  • Page 23: Client List

    Using this function requires many changes to your router configuration. The IP Passthrough Setup Wizard will automatically make these changes for you: simply read through the wizard and select Enable IP Passthrough on the second page. For further configuration options, see Network Settings > WiFi / Local Networks.
  • Page 24 • WiFi Networks – Network Settings > Local Networks After the initial setup of the router, every time you log in you will automatically be directed to this Dashboard. Also, you can click on the Cradlepoint logo in the upper left-hand corner to return to the Dashboard from any page.
  • Page 25 Figure 27: COR IBR350 Status Dashboard Figure 28: Cradlepoint Logo...
  • Page 26 Router Information “Detailed Info” links to System Settings > Administration. • Product – Gives the product name • Serial – Device serial number • Firmware – Gives the number of the current firmware version • Build Date – Year-month-day-hours-minutes-seconds for the most recent firmware upgrade •...
  • Page 27 Figure 29: Router Alerts If a modem capable of providing GPS coordinates is connected and GPS support is enabled, this page will show a graphical view of your router’s location. See the GPS section in System Settings > Administration to enable GPS support. Figure 30: GPS Status Map GPS information is only displayed if 1) the modem supports GPS, 2) your carrier allows the GPS functionality, and 3) the modem has sufficient GPS signal strength.
  • Page 28: Gre Tunnels

    Select the device to see detailed information about it. There is only one possible device on the IBR350: • LTE Modem The information displayed varies greatly depending on the technology, especially for 3G/4G modems. Cradlepoint passes on the information provided by the modems, which is specific to the carrier (e.g. Verizon) and technology (e.g. LTE).
  • Page 29 Figure 32: Internet Connection Status Figure 33: Modem Status Figure 34: QoS Status...
  • Page 30 Routing System Routes displays routes associated with networks connected to the router as well as routes learned from routing protocols (such as RIP or BGP). Figure 35: System Routes Static Routes displays user-specified routes configured in Network Settings > Routing. Figure 36: Static Routes There are also tables displaying information for GRE Routes, VPN Routes, and NEMO Routes.
  • Page 31: System Logs

    Wireless Statistics: View the signal strength and other wireless modem information. The wireless device’s signal strength will only be displayed as long as it supports “Live Diagnostics.” Sample rate and size can be adjusted from the dropdown boxes. Figure 37: Wireless Statistics Data Usage: A measure of the amount of information that is currently being sent or received through the network.
  • Page 32 Figure 39: Failover/Failback/Load Balance Statistics Figure 40: System Log...
  • Page 33: Vpn Tunnels

    Search: Enter keywords to find specific events. Level: Select/Deselect from the following levels to filter messages by priority. • Critical • Error • Warning • Info NOTE: The logs are erased whenever the router is rebooted or loses power.  VPN Tunnels View the status of configured VPN tunnels. Included information: • Name •...
  • Page 34 Figure 41: VPN Tunnel Status...
  • Page 35: Content Filtering

    Content Filtering You have two main options for filtering content for local networks. 1. WebFilter Rules: Create a list of websites that will be either disallowed or allowed. Customize the filter settings for each network and/or each MAC address. (These rules will not block HTTPS websites.) 2.
  • Page 36 • Domain/URL/IP: Enter the Domain Name or URL (address) of the website you wish to control access for, e.g. www.google.com. To make sure the full domain is blocked, enter the most inclusive domain (e.g. google.com will effectively block www.google.com as well as maps.google.com and images.google.com).
  • Page 37 MAC Address WebFilter Rules MAC Address WebFilter Rules allow you to control access from a specific MAC address to external domains or websites. Figure 46: MAC Address WebFilter Rules The settings for the MAC Address WebFilter Rules section match those for the Network WebFilter Rules, except that you must assign a MAC address instead of a network to each rule.
  • Page 38: Dhcp Server

    Figure 49: Add MAC Address WebFilter Default When a network is set to Allow Access, it will allow access to sites not specifically blocked in the WebFilter Rules. When a network is set to Block Access, it will block access to sites not specifically allowed in the WebFilter Rules. Cloud Based Filtering/Security Select Umbrella by OpenDNS, a third-party Cloud Provider from the dropdown list.
  • Page 39 Reservations. DNS, or Domain Name System, is a naming system that translates between domain names (www.cradlepoint.com, for example) and Internet IP addresses (206.207.82.197). A DNS server acts as an Internet phone book, translating between names that make sense to people and the more complex numerical identifiers.
  • Page 40 DNS Settings You have the option to choose specific DNS servers for your network instead of using the DNS servers assigned by your Internet provider. The default DNS servers are usually adequate. You may want to assign DNS servers if the default DNS servers are performing poorly, if you want WiFi clients to access DNS servers that you use for customized addressing, or if you have a local DNS server on your network.
  • Page 41 Figure 54: Dynamic DNS Configuration Advanced Dynamic DNS Settings Update period (hours): (Default: 576) The time between periodic updates to the dynamic DNS, if your dynamic IP address has not changed. The timeout period is entered in hours so valid values are from 1 to 8760. Override External IP: The external IP is usually configured automatically during connection.
  • Page 42 Figure 56: Known Host Entry Edit Since the assigned name is mapped to an IP address, the device’s IP address should not change. To ensure that the device keeps the same IP address, go to Network Settings > DHCP Server and reserve the IP address for the device by selecting the device in the Active Leases list and clicking “Reserve”.
  • Page 43 Figure 57: Zone Firewall Settings Figure 58: Port Forwarding Rules...
  • Page 44 The primary purpose for Cradlepoint’s NPT implementation is for failover/failback and load balancing setups. LAN clients can potentially retain the original IPv6 lease information and may experience a more seamless transition when WAN connectivity changes than if not utilizing NPT.
  • Page 45 Figure 60: Network Prefix Translation • First – Use the first IPv6 prefix found • Static – Always use a static IPv6 translation (input the prefix here) Transitioning from short prefix to a longer prefix (such as from /48 to /64) is not without problems, as some of the LANs may lose IPv6 connectivity. DMZ (DeMilitarized Zone) A DMZ host is effectively not firewalled in the sense that any computer on the Internet may attempt to remotely access network services at the DMZ IP address.
  • Page 46 Figure 62: Remote Admin Access Figure 63: Add/Edit Remote Admin Access...
  • Page 47 Add/Edit Allowed Remote Access Addresses IP Address: The IP address that will be allowed to access administrative services through the WAN. Netmask (Optional): The netmask allows you to specify what IP address sets will be allowed access. If this field is left empty a netmask of 255.255.255.255 is used, which means that only the single specified IP address has remote administration access.
  • Page 48 Figure 65: Firewall Options source of the attack or attempt to gain access to network services that are restricted to certain addresses. Log Web Access: Enable this option to create a syslog record of web (IP port 80) access. Each entry will contain the IP address of the server and the client.
  • Page 49 • The All zone is a special zone used to support legacy firewall configurations. This zone cannot be removed and is reserved for forward-migration of IP Filter Rules from previous firmware versions. The All zone matches any traffic handled by the router. User defined zones are preferred.
  • Page 50 Field 2: Choose one of the following: • Port – Select by the physical port on the router (e.g., “Modem 1”). • Manufacturer – Select by the modem manufacturer (e.g., “Cradlepoint Inc.”). • Model – Select according to the specific model of modem.
  • Page 51 Sample zone interface assignments: WAN Type Port isn’t Modem 1 Filter Policies A Filter Policy is a one-way filter applied to initialized network traffic flowing from one zone to another. A Filter Policy needs to be assigned to a Forwarding for it to take effect. Filter Policies can either be Added, Edited, Removed, or Cloned. Cloning a Policy will copy the entire policy.
  • Page 52 Figure 70: Add Network Filter Policy...
  • Page 53 Figure 71: Filter Rule Editor...
  • Page 54 Rule Editor • Log: When checked each packet matching this filter rule will be logged in the System Logs. • Action: “Allow” or “Deny”. • Protocol: Any, ICMPv4, TCP, UDP, GRE, ESP, ICMPv6, or SCTP. • IP Version: Any, IPv4, or IPv6. IP Source / IP Destination •...
  • Page 55: Local Networks

    Figure 73: Filter Forwarding Editor Local Networks This section is used to configure the settings for networks created by your router (LAN). Note that changes made in this section may also need to be duplicated on wireless devices that you want to connect to your wireless network. For example, if you change a wireless LAN’s IP address, devices within that network will lose connection.
  • Page 56 Figure 74: Local IP Networks...
  • Page 57 Name: This primarily helps to identify this network during other administration tasks. Hostname: [Default: cp (for Cradlepoint)] The hostname is the DNS name associated with the router’s local area network IP address. NOTE: You can access the router’s administration pages by typing the hostname into your browser, so if you change “cp” to another hostname, you can access the administration pages through the new hostname.
  • Page 58 Figure 76: IPv4 Settings Editor...
  • Page 59 NOTE: The final number does not have to be 1, but it is a simple, logical convention for routers that leaves higher numbers free for other devices. Netmask: (Default: 255.255.255.0) The netmask controls how many IP addresses can be used in this network. The default value allows for 254 IP addresses. IPv4 Routing Mode: (Default: NAT) Each network can use a unique routing mode to connect to the Internet and other local networks. NAT is desirable for most configurations.
  • Page 60 Figure 77: IPv6 Settings Editor...
  • Page 61 Figure 78: Network Interface Editor...
  • Page 62 Figure 79: Local Network Access Editor...
  • Page 63 Figure 80: IPv4 DHCP Editor...
  • Page 64 Lease Time: [Default: 720 minutes (12 hours)] The lease time specifies how long DHCP-enabled computers will wait before requesting a new DHCP lease. Smaller values are better suited to busy environments. Custom Options: Input a custom DHCP option by first clicking the Custom Options field to enable it and then clicking “Add” at the top of the table that appears.
  • Page 65 Figure 82: IPv6 Network Addressing Editor...
  • Page 66 Figure 83: Multicast Proxy Editor Figure 84: Add Multicast Proxy...
  • Page 67 Schedule Set up a schedule for this network interface. This allows an interface to be enabled or disabled during specific hours of a day. For example, use this to limit a Hotspot network to business hours. Figure 85: Network Interface Scheduler Schedule Service: (Default: Disabled.) Select to enable.
  • Page 68 Figure 86: Wired 802.1x Authentication Settings Local Network Interfaces Each LAN type – Ethernet and VLAN – has a separate section with configuration options. Unless the default configuration is sufficient, YOU MUST CONFIGURE EACH INTERFACE SEPARATELY in order to create the desired interface options for a network. You can then select these interfaces to add to a network in the Local Network Editor (see above).
  • Page 69 • Internet (WAN) Not available on the IBR350. • Local Network (LAN) is for connecting a computer or similar device directly to the router with an Ethernet cable. Link Speed: Default setting is Auto. The Auto setting is preferred in most cases. • Auto •...
  • Page 70 Figure 89: VLAN Editor MAC Filtering The MAC Filter allows you to create a list of devices that have either exclusive access (whitelist) or no access (blacklist) to your local network. Figure 90: MAC Filter Configuration Enabled: Click to allow MAC Filter options. Whitelist: Select either “Whitelist”...
  • Page 71 Figure 91: MAC Filter Logging Configuration When QoS (Quality of Service, also known as “Traffic Shaping”) is enabled, the router will control the flow of Internet traffic according to the user-defined rules. In other words, Traffic Shaping improves performance by allowing the user to prioritize applications. Enable QoS: Click on this box to open options for controlling Internet traffic.
  • Page 72 Queues Queues and rules work in conjunction to prioritize bandwidth for the most critical operations. Multiple rules can be associated with one queue. Use rules to associate your more critical operations with queues that have higher bandwidth settings. For example, you might have two queues, one for “critical”...
  • Page 73 • Below Normal • Normal • Above Normal • High • Higher • Highest Click Next to continue to the next page. Figure 95: WAN QoS Download Bandwidth Download Bandwidth Enable Download QoS: (Default: Enabled.) Deselect if you want your rule to apply to upload traffic only. Leave this selected to include download restrictions with this queue.
  • Page 74 DSCP Tagging is sometimes used so that other networking equipment, upstream or post-NAT, can do traffic shaping based on the DSCP Tags as opposed to IP addresses or ports. This setting is optional. For more information see the Differentiated services Wikipedia page.
  • Page 75 Figure 98: QoS Traffic Shaping Rule Example Click Next to continue to the next page. Use ports and/or IP addresses to define the type(s) of traffic attached to this rule. Leaving any field blank will match all values; all fields are optional. Source Port(s) and/or Destination Port(s): Enter a port number between 1 and 65535.
  • Page 76 Figure 99: Static Routes Figure 100: Static Route Editor...
  • Page 77: Connection Manager

    IP Version: Select IPv4 or IPv6. Depending on your selection, you have different options for defining the address range. IP/Network Address or IPv6 Address: The IP address of the target network or host. The IPv6 address field includes CIDR notation to declare a range of addresses.
  • Page 78 WAN Interfaces This is a list of the available interfaces used to access the Internet. You can enable, stop, or start devices from this section. By using the priority arrows (the arrows in the boxes to the left – these show if you have more than one available interface), you can set the interface the router uses by default and the order that it allows failover.
  • Page 79 • State (Connected, Available, etc.) • Port • UID (Unique identifier. This could be a name or number/letter combination.) • IP Address • Gateway • Netmask • Stats: bytes in, bytes out • Uptime Click “Edit” to view configuration options for the selected device. For 3G/4G modems, click “Control” to view options to activate or update the device.
  • Page 80 General Settings Device Settings • Enabled: Select/deselect to enable/disable. • Force NAT: Normally NAT is part of the Routing Mode setting which is selected on the LAN side in Network Settings > WiFi / Local Networks. Select this option to force NAT whenever this WAN device is being used. •...
  • Page 81 • Off: Once the link is established the router takes no action to verify that it is still up. Ping IP Address: If you selected “Active Ping”, you will need to input an IP address. This must be an address that can be reached through your WAN connection (modem/Ethernet).
  • Page 82 • Low (Rate: 10 KB/s. Time Period: 240 seconds.) • Custom (Rate range: 1-100 KB/s. Time Period range: 10-300 seconds.) Time: Fail back only after a set period of time. (Default: 90 seconds. Range: 10-300 seconds.) This is a good setting if you have a primary wired WAN connection and only use a modem for failover when your wired connection goes down.
  • Page 83 There are two main types of IPv6 WAN connectivity: native (Auto and Static) and tunneling over IPv4 (6to4, 6in4, and 6rd). • Native – (Auto and Static) The upstream ISP routes IPv6 packets directly. • IPv6 tunneling – (6to4, 6in4, and 6rd) Each IPv6 packet is encapsulated by the router in an IPv4 packet and routed over an IPv4 route to a tunnel endpoint that decapsulates it and routes the IPv6 packet natively.
  • Page 84 Figure 108: IPv6 Configuration Example • Additional IPv6 DNS Server – Secondary DNS server. • Delegated IPv6 Network – (optional) Network available for delegation to LANs. Depending on your provider, this may be required. Prefixes specified here only take effect if those supplied by the connection are insufficient to configure your LANs. •...
  • Page 85 • Tunnel Server IP – Input the tunnel server IP address provided by your tunnel service. • Local IPv6 Address – Input the local IPv6 address provided by your tunnel service. • Primary IPv6 DNS Server – (optional) Depending on your provider, this may be required. This only takes effect if the default global DNS setting on the Network Settings > DNS page is “Automatic”.
  • Page 86 Figure 111: Modem Settings...
  • Page 87 Modem Settings Not all modems will have all of the options shown below; the available options are specific to the modem type. On Demand: When this mode is selected a connection to the Internet is made as needed. When this mode is not selected a connection to the Internet is always maintained.
  • Page 88 • When Disconnected: The request to update will only be performed when the modem is either in a disconnected state or dormant state. If the modem is not in one of these states when the request is received, then the router will remember the request and perform the update when the modem becomes disconnected/dormant.
  • Page 89 Figure 113: APN Configuration Update/Activate a Modem Some 3G/4G modems can be updated and activated while plugged into the router. Updates and activation methods vary by modem model and service provider. Possible methods are: PRL Update, Activation, and FUMO. All supported methods will be displayed when you select your modem and click “Control”...
  • Page 90 Figure 115: Modem Update/Activation Figure 116: Modem Update Error...
  • Page 91 Figure 117: Modem Firmware Update Update Modem Firmware Click on the Firmware button to open the Modem Firmware Upgrade window. This will show whether there is new modem firmware available. If you select Automatic (Internet) the firmware will be updated automatically. Use Manual Firmware Upgrade to instead manually upload firmware from a local computer or device.
  • Page 92 Figure 118: WAN Configuration Rules...
  • Page 93 • IP Overrides • IPv6 Settings • Ethernet Settings • Modem Settings • WiMAX Settings • CDMA Settings • SIM/APN/Auth Settings Figure 119: WAN Configuration Rule Editor Filter Criteria If you are creating a new rule, begin by setting the Filter Criteria . Create a name for your rule and the condition for which the rule applies: •...
  • Page 94: Client Data Usage

    Condition Value Port USB Port 1 Type is not WiMAX • When: – Port – Select by the physical port on the router that you are plugging the modem into (e.g., “USB Port 2”). – Manufacturer – Select by the modem manufacturer, such as Sierra Wireless. –...
  • Page 95: Data Usage

    When you select Enable Data Usage, you will see the Data Usage Agreement shown below. The purpose of this agreement is to ensure that you understand that the data numbers for your router might not perfectly match those of your carrier: Cradlepoint cannot be held responsible. You must accept the agreement by clicking “Yes”...
  • Page 96 Figure 122: Data Usage Rules Figure 123: Data Usage Rule Editor Page 1...
  • Page 97 than quickly using 100% of a fast 1 GB capped interface while using only a fraction of a slow 10 GB capped interface, thus leaving the rest of the cycle with only the slow interface. To use this setting, you must also go to the Internet > WAN Affinity / Load Balancing page. For the Load Balance Algorithm field select “Data Usage”.
  • Page 98 Figure 125: Data Usage Calendar Figure 126: Data Usage Template Configuration For example, you can set a template rule for all mobile data modems that causes your router to send an alert after 1000 MB of usage in a month. When you attach a new 4G USB modem, your template will immediately create a new Data Usage Rule for the attached modem that sends the alert as specified.
  • Page 99 Figure 127: Historical Data Usage Figure 128: Add Historical Data Usage...
  • Page 100 GRE Tunnels Generic Routing Encapsulation (GRE) tunnels can be used to create a connection between two private networks. Most Cradlepoint routers are enabled for both GRE and VPN tunnels. GRE tunnels are simpler to configure and more flexible for different kinds of packet exchanges, but VPN tunnels are much more secure.
  • Page 101 Figure 130: GRE Tunnel Editor...
  • Page 102 – Port – Select by the physical port on the router that you are plugging the modem into (e.g., “USB Port 2”). – Manufacturer – Select by the modem manufacturer (e.g., “Cradlepoint Inc.”). – Model – Set your rule according to the specific model of modem.
  • Page 103 Figure 131: GRE Tunnel Route Editor Figure 132: Keep Alive GRE Tunnel...
  • Page 104: Network Mobility (Nemo)

    Rate: Choose the length of time in seconds for each check (Default: 10 seconds. Range: 2 – 3600 seconds). Retry: Select the number of attempts before the GRE tunnel is considered down or up (Default: 3. Range: 1 – 255). Failover Tunnel and Failback Tunnel: Use these settings to create two tunnels –...
  • Page 105 (Internet Protocol security) to authenticate and encrypt packets exchanged across the tunnels. To set up a VPN tunnel with a Cradlepoint router on one end, there must be another device (usually a router) that also supports IPsec on the other end.
  • Page 106 Figure 135: Add VPN Tunnel...
  • Page 107 MBR1200 Quick Connect: VPN tunnels in more advanced Cradlepoint devices have more choices than they did in the MBR1200, so they are more complex to configure now. Check this box to simplify setup by streamlining your options to match the old settings from the Cradlepoint MBR1200.
  • Page 108 – Port – Select by the physical port on the router that you are plugging the modem into (e.g., “USB Port 2”). – Manufacturer – Select by the modem manufacturer (e.g., “Cradlepoint Inc.”). – Model – Set your rule according to the specific model of modem.
  • Page 109 Figure 138: Add/Edit VPN Tunnel Remote Gateway Figure 139: Add/Edit VPN Tunnel Remote Network...
  • Page 110 Add/Edit Tunnel – Remote Networks The Network Address and the Netmask define the remote network address range that local devices will have access to via the VPN tunnel. NOTE: the remote network IP address MUST be different from the local network IP address. Optionally: A Port can be defined that will limit the traffic going through the VPN tunnel to only that port. If the field is left blank, any port will be accepted by the tunnel.
  • Page 111 • In Main mode, IKE separates the key information from the identities, allowing for the identities of peers to be secure at the expense of extra packet exchanges. • In Aggressive mode, IKE tries to combine as much information into fewer packets while maintaining security. Aggressive mode is slightly faster but less secure.
  • Page 112 Figure 141: Add/Edit VPN Tunnel IKE Phase 2...
  • Page 113 Add/Edit Tunnel – IKE Phase 2 Perfect Forward Secrecy (PFS): Enabling this feature will require IKE to generate a new set of keys in Phase 2 rather than using the same key generated in Phase 1. Additionally, with this option enabled the new keys generated in Phase 2 are exchanged in an encrypted session.
  • Page 114 Request Frequency allows you to adjust the delay between these DPD packets. (Default: 15 seconds. Range: 2 – 30 seconds.) Maximum Requests: Specify how many requests to send at the selected time interval before the tunnel is considered dead. (Default: 5. Range: 2 –...
  • Page 115: System Settings

    VPN with NAT-T If one side of a planned VPN tunnel is behind a NAT (network address translation) firewall, the setup of your tunnel requires the following specifications: 1. Each side of the tunnel must use both a Local Identity and a Remote Identity. These must match the identities on the other side: The Local Identity must match the Remote Identity on the other side of the tunnel, and vice versa.
  • Page 116 Figure 144: Router Security Settings Router Security Advanced Security Mode – Select to enable the following additional security features and options: • TACACS+ and RADIUS server authentication options • Option for multiple users • Increase password security: – minimum 7 characters – at least 1 alpha and 1 numeric character –...
  • Page 117 Figure 145: Local User Settings Figure 146: TACACS+ Settings...
  • Page 118 TACACS+ TACACS+ stands for “Terminal Access Controller Access-Control System plus”. The router will use a TACACS+ server (or two, optionally) to authorize administration. • Server Timeout – If the servers are not reached within the set time (possibly because the WAN is down), the router will automatically fall back to using Local Users mode to prevent users from being locked out.
  • Page 119 Figure 148: System Clock • Time Zone – Select from a dropdown list. Setting your Time Zone is required to properly show time in your router log. • Daylight Savings Time – Select this checkbox if your location observes daylight savings time. Local Management Figure 149: Local Management Settings •...
  • Page 120 SIM-based models with GPS support require that the SIM be inserted. Some carriers disable GPS support in otherwise supported modems. If you encounter issues with obtaining a fix, contact your carrier and ensure that GPS is supported. Some of the following GPS options are specific to Cradlepoint COR devices, particularly the COR IBR1100 Series.
  • Page 121 Figure 151: GPS Settings...
  • Page 122 General Settings • Enable GPS – Enable support for querying GPS information from capable modems. • TAIP Vehicle ID # – Assign a 4-character ID (default ID is 0000) to use with TAIP. TAIP options are available for the COR IBR1100 Series only. See the TAIP section below for more information.
  • Page 123 Depending on your selections (and other possible factors), reporting may include proprietary sentences. For example, if you select Include System ID, the report will include proprietary sentences of the following format (in addition to the standard sentences): $PCPTI,{System ID},{router timestamp},{GGA timestamp},{GGA checksum}*{checksum} “PCPTI” stands for Proprietary, CradlePoinT, Identification (P-CPT-I).
  • Page 124 TAIP The Trimble ASCII Interface Protocol (TAIP) was designed for vehicle tracking. For more information about TAIP, see these instructions from Trimble. Figure 154: GPS Server TAIP Settings • Enable Vehicle ID Reporting – Include a 4 character vehicle identifier • Enable TAIP message checksum reporting – Include a 2 digit checksum •...
  • Page 125 Figure 155: GPS Server Reporting Interval Settings • Stationary Time Interval (seconds) – Set the interval in seconds between periodic GPS sentence reports when the device is stationary. This overrides the Default Time Interval as long as the unit is stationary. Use this with the Stationary Distance Threshold to define “stationary”. (Disable by setting this value to 0.) –...
  • Page 126 Figure 156: GPS Client Settings...
  • Page 127 NMEA GGA, RMC, and VTG sentences Some devices report GPS information with multiple NMEA (National Marine Electronics Association) sentence formats: GGA, RMC, and VTG. See the examples below. For more examples and information about NMEA sentences, see the following websites: • http://aprs.gids.nl/nmea/ • http://www.gpsinformation.org/dale/nmea.htm#nmea GGA $GPGGA –...
  • Page 128 White List – This list is blank by default, which means that the router will accept SMS messages from any phone number. Leaving this blank is insecure, so Cradlepoint recommends that you add phone numbers to this list. Once any numbers are listed, only those numbers have the ability to connect to the router via SMS.
  • Page 129 How to Text from a Phone 1. Open the text messaging tool on your phone and start a new message. 2. In the To field, enter the modem’s MDN. 3. In the Subject field, enter the SMS password and command. 4. Click Send. How to Text from an Email Account NOTE: There are limitations with sending texts via email. The SMS engine is currently only compatible with GSM-based carrier operators.
  • Page 130 Example: 1234,restore, rstatus – Get router status Syntax: <password>,rstatus, Example: 1234,rstatus, mstatus – Get modem status (port parameter optional) Syntax: <password>,mstatus,[port,] Examples: 1234,mstatus, //return status of highest priority modem 1234,mstatus,usb1, //return status of modem plugged into port usb1 This command returns info about the indicated modem’s status. The resulting data reflects the modem model number, service type, and connection status and values.
  • Page 131 apn – Reboot the modem (port parameter optional) Syntax: <password>,apn,<new APN>,[port,] Examples: 1234,apn,myapn@apn.com, //set APN of highest priority modem 1234,apn,myapn@apn.com,usb1, //set APN for modem in port usb1 userpass – Set the modem’s authentication username and password (port parameter optional) Syntax: <password>,userpass,<username>,<userpassword>,[port,] Examples: 1234,userpass,joe,mypassword,...
  • Page 132 Sample Debug Session The following is an example of a debug session to discover a modem’s APN is misconfigured and needs to be set. Figure out the state of the modems on the router: 1234,rstatus, Receive the modem’s status and settings: 1234,mstatus, Set the modem’s APN to the correct setting: 1234,apn,broadband, Verify the APN was set properly:...
  • Page 133: Certificate Management

    BOM as ASCII text, which will appear as garbled characters in the log. If this occurs, disable this option. Log to attached USB stick: Only enable this option if instructed by a Cradlepoint support agent. This will write a very verbose log file to the root level of an attached USB stick.
  • Page 134 • PKCS #12 Digital certificates have multiple possible uses in a Cradlepoint networking setup. For example, a digital certificate is a much more secure option for VPN tunnel authentication than a pre-shared key. Go to the following sections for more information about specific certificate management options: •...
  • Page 135 Figure 161: Create PKCS12 Format Certificates...
  • Page 136 • Set as CA certificate: Select if the certificate you are creating is intended to be a CA. • Sign with CA certificate: Select to sign this certificate with a CA you created previously. – Certificate Name: Select your CA certificate from the dropdown list of local certificates. Subject •...
  • Page 137 Figure 162: Certificate Signing Requests Local Certificates This is a table of local certificates, including certificate details. Remove a local certificate by selecting the certificate and clicking the Remove button. • Name: Friendly description of the certificate. • Country: (C) The certificate owner’s country of residence. •...
  • Page 138 Figure 163: Local Certificates Figure 164: Import PEM CA Certificate...
  • Page 139: Device Alerts

    Export Select a local certificate from the dropdown list and download it to your computer or local device in PKCS #12 format. When you export this file, you must create a passphrase to protect it. This key is required for future use of the file.
  • Page 140 Figure 167: Export PKCS12 Format Certificate The Device Alerts submenu choice allows you to receive email notifications of specific system events. YOU MUST ENABLE AN SMTP EMAIL SERVER TO RECEIVE ALERTS. Alerts can be included for the following: • Firmware Upgrade Available: A firmware update is available for this device. •...
  • Page 141 Figure 168: Device Alert Configuration Figure 169: SMTP Mail Server Configuration...
  • Page 142: Enterprise Cloud Manager

    Retry Delay: The delay between retry attempts. Enterprise Cloud Manager Cradlepoint Enterprise Cloud Manager (ECM) is a cloud-based management service for configuring, monitoring, and organizing your Cradlepoint routers. Key features include the following: • Group based configuration management • Health monitoring of router connectivity and data usage •...
  • Page 143: Feature Licenses

    • Maximum Alerts Buffer: The maximum number of alerts to buffer when offline. Feature Licenses Some Cradlepoint features may require a license. These features are disabled by default. To obtain a feature license, contact your Cradlepoint sales representative. Figure 172: Feature License Registration...
  • Page 144: SNMP Configuration

    SNMP, or Simple Network Management Protocol, is an Internet standard protocol for remote management. You might use this instead of Enterprise Cloud Manager if you want to remotely manage a set of routers that include both Cradlepoint and non-Cradlepoint products.
  • Page 145: System Control

    Figure 174: SNMPv3 Configuration – MD5 with DES encryption – SHA with DES encryption – MD5 with AES encryption – SHA with AES encryption • Username: Enter the Username configured on your SNMP host in the username field. • Password: Enter the Password for your SNMP host in the password and verify password fields. This password must be at least 8 characters long.
  • Page 146 Figure 175: Device Control Figure 176: System Ping...
  • Page 147: System Software

    This allows the administrator to load new firmware onto the router to add new features or fix defects. If you are happy with the operation of the router, you may not want to upgrade just because a new version is available. Check the firmware release notes (cradlepoint.com/firmware) for information to decide if you should upgrade.
  • Page 148 Figure 179: Firmware/System Config Restore Page...
