WS-431E 4G Router

1. OVERVIEW

Supports 4G/3G/2G Internet access in various modes, which can be used in the fields of Internet of Networked Medical Treatment, Intelligent Agriculture, Smart City, Smart Robots, Security Monitoring Networking, Intelligent Bus Wi-Fi, etc. 1x WAN RJ45 port (configurable for LAN), 10/100 Mbps, supports automatic MDI/MDIX, ...

2. PRODUCT OVERVIEW

2.1. INTRODUCTION

The WS-431E 4G Router is a new Wi-Fi enhanced industrial router based on a Qualcomm solution, with excellent anti-interference capability and stable connection performance. It supports Wi-Fi hotspot, Wi-Fi client, and Wi-Fi relay modes, and integrates 4G LTE, Wi-Fi, Ethernet ports (2 LAN and 1 WAN/LAN) and VPN technologies.

INDICATORS

Power indicator, lights up after powered on
WIFI: Lights up when Wi-Fi is enabled
2/3/4G network indicator: the 2G LED lights up after being connected to a 2G network; the 3G LED lights up after being connected to a 3G network; both LEDs light up after being connected to a 4G network
2×...
WS-431E router products. It is recommended that users read this chapter and follow the instructions to have a basic understanding of 4G router products. Refer to subsequent sections for specific functional details and descriptions.
Networking: Insert the SIM card while the power is off (the front of the card slot corresponds to the positive direction of the "sim" screen printing).

Power supply: The working voltage of the WS-431E is DC5-36V. You are advised to use the DC 12V/1A power adapter provided by the factory.

After power-on, observe the indicators: the PWR is on, the LAN is blinking, the 4G indicator ...

Figure 5 4G indicator (3G+2G)

3.1.2. NETWORK CONNECTION

Internet test: Power on the WS-431E and wait for about 2 minutes. When the 2/3G indicator lights up, the router has connected to the 4G network successfully and you can access the Internet directly.

Figure 6 Web Server login page

Enter admin for both the user name and the password. On the left menu bar, select Network => Network Diagnosis => ping. If the domain name can be pinged, the network connection is normal. You can also open the browser directly and enter the URL of the website you want to visit.

(2) Plug the SIM card into the socket.
(3) Power on the module with the power adaptor and check the LED status.
(4) Connect a PC or mobile device to the WS-431E router via the LAN interface or the Wi-Fi interface. The Wi-Fi password is “www.waveshare.com”.
(5) Log in to the Web Server of the router. (The default IP address of the router is 192.168.1.1; both the username and password are “admin”...
Figure 9 APN configuration

4.2.2. CREATE A VPN CLIENT

The VPN client can be configured through the Web Server as follows:

Figure 10 VPN Client

4.3. NETWORKING MODE

4.3.1. WAN+LAN+4G

www.waveshare.com 12 / 68 www.waveshare.com/wiki...

In this networking mode, the user can access the Internet through the WAN interface and the 4G interface. The WAN interface has higher priority than the 4G interface, to ensure communication and save 4G data traffic. When the WAN interface has a problem, the router can switch to the 4G interface to connect to the Internet. In this mode, the user can also connect to the router through Wi-Fi.

Figure 13 LAN+LAN+4G networking

4.4. COMMON FUNCTIONS

4.4.1. 4G INTERFACE

The WS-431E 4G Router supports one 4G interface for Internet access. The functional diagram is as follows:

Figure 14 4G interface

The 4G interface can be configured through the Web Server as follows:

Figure 15 4G interface

4.4.2. LAN INTERFACE

The WS-431E supports two LAN interfaces (one is the WAN/LAN interface). Default settings: one LAN interface (WAN/LAN used as WAN interface; IP address: 192.168.1.1; subnet mask: 255.255.255.0; DHCP function enabled). The LAN interface can be configured through the Web Server as follows:

Figure 16 LAN interface

The default DHCP allocation range is from 192.168.1.100 to 192.168.1.250 and default address...

Figure 17 DHCP function

4.4.3. WAN INTERFACE

The WS-431E supports one WAN interface, and this interface can be switched between WAN and LAN. The WAN interface supports DHCP and Static IP; the default setting is DHCP. The WAN interface can be configured through the Web Server as follows:

Figure 18 WAN interface

4.4.4. WLAN INTERFACE

Default parameters are as follows:

SSID: WS-431E-XXXX (XXXX is MAC)
Password: www.waveshare.com
Channel: auto
HT Mode: auto
Encryption: mixed-psd

Figure 19 WLAN default parameters

Figure 20 WLAN interface
On the WLAN interface configuration page, the user can change the following parameters. The SSID can be configured on the Web Server as follows:

Figure 21 WLAN interface Configure SSID

The password can be configured on the Web Server as follows:

Figure 22 Configure password

Other settings on the Web Server are as follows:

Figure 23 Other settings

You can view the list of Wi-Fi clients on the wireless screen:
4.4.5. NETWORK DIAGNOSIS

The network diagnosis function is available through the Web Server as follows:

Figure 25 Network diagnosis

Ping: The user can run a ping test to a specific address from the WS-431E.
Traceroute: Shows the routing path taken to reach a specific address.

4.4.6. MODULE NAME AND TIME ZONE

The default module name of the WS-431E is WS-431E and the default time zone is the New York time zone. The module name and time zone can be configured through the Web Server as follows:

Figure 26 Module name and Time Zone

4.4.7.
The static route has the following parameters. By default, a maximum of 20 static routes can be added. Name Description Default parameter Lan, wan_4G, wan_wired, port interfaces Object (destination The address or address range of the empty...
Figure 29 Add routing table page

4.5. BASIC FUNCTIONS

4.5.1. WEB SERVER PASSWORD

The default password is root; this password is used to log in to the Web Server. The password can be changed through the Web Server as follows:

Figure 30 Web Server password

4.5.2. RESTORE

Hardware restore: Press the Reload button for over 5 seconds and release it; the WS-431E will restore default settings and reset. Default settings can also be restored through the Web Server as follows:

Figure 31 Restore default settings

4.5.3. UPGRADE FIRMWARE VERSION

Upgrade through the Web Server as follows:

Figure 32 Upgrade firmware version

The whole upgrade process lasts about 1 minute, after which the user can log in to the Web Server again. The user can choose to save the settings. Keep the router powered and the LAN/Wi-Fi connection up during the whole upgrade process.

4.5.4. RESET

Reset time is about 40~60 seconds. Reset through the Web Server as follows:...
Figure 34 Firewall setting interface

<Introduction>
Input: a packet accessing the router IP;
Output: the packet to be sent by the router IP;
Forwarding: data forwarding between interfaces, without going through the router itself;
...

Wired WAN port and 4G port accept "inbound", "outbound" and "forwarding";
If there is an "input" packet, logging in to the router's webpage from the WAN port is allowed;
If there is an "output" packet, the router accessing the external network through WAN port ...

4.6.2. NAT FUNCTION

1. IP address masquerading

IP address masquerading refers to the practice of modifying the source IP address of outgoing data packets to a specific interface's IP address on the router. When the "Masquerading" option is selected, the system will change the source IP address of outgoing data packets to the IP address of the WAN port on the router.
Figure 37 SNAT setting 1

Then set the Source NAT, which changes the source IP address of packets leaving the router to a fixed IP; the setting is located under "firewall-Traffic rules". Here the source IP address is fixed to 192.168.9.1, and the setting interface is as follows.
Figure 39 SNAT setting 3

If the source IP, source port, destination IP and destination port are not filled in, the rule defaults to all IPs and ports. Save after setting.

Name Description Default parameter Name The name of this firewall rule...

input traffic, empty means matching the destination port.
SNAT IP address: Modify the source address of matching traffic to this address. Default parameter: Customized IP when adding
SNAT port: Modify the source port of matching traffic to this port,...
Figure 41 Port setting interface 1

After setting the forwarding rule, click the "Add" button on the right; the rule will then be displayed in the rule column.

Figure 42 Port setting interface II

Then click the "Save &...

When port 81 is accessed from the WAN, the access request is forwarded to 192.168.1.1:80.

< Description > Up to 20 port forwarding rules can be added.

Name Description Default parameter Name and character type of this port...

Figure 43 DMZ setting one

Click Add and save.

Figure 44 DMZ setting two

< Note > Port mapping and DMZ functions cannot be used at the same time.

4.6.3. COMMUNICATION RULES
Communication rules can selectively filter specific Internet data types and prevent Internet access requests, and enhance network security through these communication rules. Firewall has a wide range of applications. Here are some common applications.

Name Description Default parameter...

WAN: indicates the rules for external network to access internal network.
Destination address: The destination IP address of the access. Empty: represents all addresses. Default parameter: empty
Destination port: The destination port number of the access. Empty: stands for all. Default parameter: empty
Figure 45 Firewall IP blacklist 1

On the page that opens, select "lan" as the source zone, and select "any" for the source MAC address and source IP address options (if only the specific IP in the local area network is restricted from accessing the specific IP of the external network, you need to fill in the IP address or MAC address here, one of which is "any"...

Figure 46 Firewall IP blacklist 2

Select WAN as the destination zone, fill in the destination address to which access is forbidden, select "Reject" as the action, and then click "Save" and "Apply", as shown below.
Figure 48 Firewall IP blacklist 4

Once this configuration is set up, the blacklist function takes effect.

2. IP address whitelist

First, add a communication rule for the IP or MAC address to be whitelisted: enter the name of the rule under the new forwarding rule, and then click Add and Edit.

Figure 49 Firewall IP white list 1

On the page that opens, select "lan" as the source zone, and select "any" as the source MAC address and source address (if it is a specific IP that allows a specific IP in the LAN to access the external network, you need to fill in the IP address or MAC address here, one of which is "any"...

Figure 49 Firewall IP white list 2

Select WAN as the target zone, fill in the IP that is allowed to be accessed as the target address, select "Accept" as the action, and then click "Save" and "Apply", as shown below.
Figure 50 Firewall IP white list 3

Next, set a rule that rejects all communications. The source address is set to "any", the destination address is set to "any", and the action is set to Reject. Pay attention to the order of the two rules.
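Why the order of the two whitelist rules matters, as an added example (not from the manual or the router's firmware): a small rule evaluator that assumes rules are checked top to bottom and the first match decides, which the manual does not state explicitly. The rule names and the 203.0.113.10 / 198.51.100.7 addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

ANY = "0.0.0.0/0"  # stands in for the "any" choice in the rule form


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # source address or CIDR
    dst: str      # destination address or CIDR
    action: str   # "accept" or "reject"

    def covers(self, src: str, dst: str) -> bool:
        """True if this rule matches every packet in src -> dst (address or CIDR)."""
        s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        return (s.subnet_of(ipaddress.ip_network(self.src))
                and d.subnet_of(ipaddress.ip_network(self.dst)))


def decide(rules, src, dst, default="accept"):
    """Assumed semantics: rules are checked top to bottom, first match wins."""
    for rule in rules:
        if rule.covers(src, dst):
            return rule.action
    return default


def shadowed(rules):
    """Names of rules that can never fire because an earlier rule covers them."""
    return [later.name
            for i, later in enumerate(rules)
            if any(earlier.covers(later.src, later.dst) for earlier in rules[:i])]


# Constructed sample: 203.0.113.10 is the one external host LAN devices may reach.
allow = Rule("allow-server", ANY, "203.0.113.10/32", "accept")
deny_all = Rule("reject-all", ANY, ANY, "reject")

correct = [allow, deny_all]   # whitelist entry first, catch-all reject last
wrong = [deny_all, allow]     # catch-all first: the whitelist entry is dead

if __name__ == "__main__":
    for label, rules in (("correct", correct), ("wrong", wrong)):
        print(label,
              decide(rules, "192.168.1.100", "203.0.113.10"),
              decide(rules, "192.168.1.100", "198.51.100.7"),
              "shadowed:", shadowed(rules))
```

Running `shadowed()` over an exported rule list is a quick review step after editing rules: any name it returns is a rule that has no effect in its current position.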
Figure 51 Firewall IP white list 4

3. Deny a subnet device access to a specified IP

First add a forwarding rule.

Figure 52 Firewall setting 1

If TCP+UDP is selected as the protocol, the specified source IP can still ping the specified destination IP, but TCP/UDP connections cannot be established; if ICMP is selected as the protocol, the specified source IP cannot ping the specified target IP, ...

Figure 53 Firewall setting 2

Keep the source zone and destination zone at their defaults, and fill in one of the source MAC and source IP. If both are filled in, make sure the MAC and IP correspond to each other, otherwise the rule will not take effect.
Figure 56 Firewall setting 2

The source zone and target zone can be left at their defaults. Select all for the source MAC and IP (depending on whether all subnet devices need to be forbidden to ping); the source port number does not need to be filled in.

Figure 57 Firewall setting 3

After the setting is completed, click Apply and it takes effect immediately. To temporarily disable the "Ping" function or other firewall policy settings, uncheck the box on the right and click Apply. To enable it again, check the box and click Apply.

Figure 58 Firewall setting 4

The no-ping function takes effect.

Figure 59 Firewall setting 5

4.6.4. ACCESS RESTRICTION

Access restriction limits access to specified domain names, and supports both a blacklist and a whitelist of domain names. When the blacklist is selected, devices connected to the router cannot access blacklisted domain names, but other domain names can be accessed normally.
Figure 60 Domain name blacklist

2. Domain name whitelist

First, select the white list in the mode option, click Add, enter the rule name and the correct domain name, and then click Save. The rule takes effect immediately, and the devices connected to the router will not be able to access other domain names except the domain name in the rule.

Figure 61 Domain name whitelist

4.7. VPN FUNCTION

VPN (Virtual Private Network) is divided into PPTP, L2TP, IPSec, OpenVPN, GRE, etc. Next, the principles of creating a VPN with each of these protocols are introduced.

PPTP: a point-to-point tunneling protocol, which uses a TCP (port 1723) connection to...

transmitted in another network layer protocol (such as IP). GRE uses tunneling technology and is a Layer 3 tunnel protocol for VPN.

Note: All of these protocols can build a VPN, and you can choose the most suitable protocol according to your own needs.
Interface: wan_4G, wan_wired and automatic can be selected according to different networking modes;
User name/password: obtained from VPN server;
Encryption method: MPPE encryption, no encryption, obtained from VPN server, and checked or unchecked according to the actual situation;...

Figure 63 Router enables VPN state detection

4.7.2. L2TP CLIENT

L2TP is a Layer 2 tunneling protocol, similar to PPTP. At present, WS-431E supports tunnel password authentication, MPPE encryption and L2TP OVER IPSec pre-shared key encryption. Enter the VPN--L2TP interface, select Enable L2TP client, and fill in the parameters in turn.
Figure 64 L2TP Client Enable Settings Interface

< Description >
L2TP supports tunnel password authentication, MPPE encryption and L2TP OVER IPSec encryption;
Server address: fill in the IP or domain name of the VPN server to be connected;...

Enable static tunnel IP Address: it is not enabled by default, and the server automatically allocates IP. You can fill in the static tunnel IP here;
Extra option: append the PPPD option, magic words, etc. No operation is required by ...
Figure 65 Basic settings after enabling IPSec

< Description >
Interface: wan_4G, wan_wired and automatic can be selected according to different networking modes;
Peer address: it can be divided into VPN client and VPN server. Please fill in the IP/ domain ...

includes encryption mode, integrity scheme and DH exchange algorithm in IKE stage;
IKE life time: set the life cycle of IKE, in seconds, the default is 28800;
Authentication type: currently, the authentication mode of pre-shared key is supported;...
Figure 66 OpenVPN Enable Settings Interface

< Description >
Device: TUN (routing mode) or TAP (bridge mode) can be selected;
Channel protocol: UDP or TCP;
Port: the listening port of OpenVPN client;
VPN server address: IP/ domain name of OpenVPN server;...

After obtaining the certificate file, add different certificate contents to the configuration interface respectively.

4.7.5. GRE

Figure 67 GRE basic configuration

< Description >
Peer WAN IP: The WAN IP address of the remote GRE peer.
For example: 172.16.10.1/24, corresponding to IP of 172.16.10.1 and subnet mask of 255.255.255.0;
Local tunnel IP: IP address of local GRE tunnel;
TTL: set the TTL of GRE channel, which is 255 by default;
Set MTU: set the MTU of GRE channel, and the default is 1450.