Westermo Ibex-4000 Series Configuration Manual

Railway access point with Wi-Fi 6(E) triple radio

Ibex-4000 Series
RAILWAY ACCESS POINT WITH WI-FI 6(E) TRIPLE RADIO
CONFIGURATION MANUAL
Version: 1.0 for firmware V24.18.00 | Date: 20.03.2025

Summary of Contents for Westermo Ibex-4000 Series

  • Page 1 Ibex-4000 Series RAILWAY ACCESS POINT WITH WI-FI 6(E) TRIPLE RADIO CONFIGURATION MANUAL Version: 1.0 for firmware V24.18.00 | Date: 20.03.2025...
  • Page 2: Table Of Contents

    1.1.3 Regulatory Limits for Changes in Country and Transmit Power Settings 2 About this document 2.1 Information about Formatting 3 About the Ibex-4000 Series 4 How to access the Ibex-4000 Series 4.1 IP Addresses of the Ibex-4000 Series 4.2 Getting to the Web Interface 5 Quick start guide 5.1 Change Password...
  • Page 3 Ibex-4000 Series 6.1.1.3 VLAN 6.1.2 WLAN 6.1.2.1 Channel, Wireless mode, HT mode, Power settings 6.1.2.2 Radio Band Configuration for Models with Antenna Combiner 6.1.2.3 ESSID, WDS Mode, Client separation 6.1.2.4 Encryption 6.1.2.5 Hotspot 2.0 6.1.2.6 Multi-AP Client Isolation 6.1.2.7 Connection Check 6.1.2.8 Access Point Scanning Service (Wireless Monitoring)
  • Page 4 Ibex-4000 Series 6.1.7.2.3 Manual configuration with web interface 6.1.7.3 VPN host configuration (on console) 6.1.8 ICCP 6.1.8.1 Configurable Parameters 6.1.8.2 VLAN over Wireless ICCP 6.1.8.3 Features and Restrictions 6.1.8.4 Static ICCP Protocol 6.1.8.5 Example 6.1.9 QoS 6.2 System 6.2.1 System Properties 6.2.2 Configuration Backups...
  • Page 5 Ibex-4000 Series 7.8 SNMP Applications 7.8.1 SNMP Support for GPS 7.8.2 SNMP Support for Second GPS Source 7.8.3 SNMPTRAP 8 The flying controller mechanism 9 IPSecVPN / StrongSwan 9.1 IPSec Customized Configuration 9.2 IPSec Firewall Custom Rules 10 Decentralized Wi-Fi Controller (DAWN) 10.1 Scoring...
  • Page 7: Important Information

    The complete risk inherent in the utilization of this document or in the results of its utilization shall be with the user; to this end, Westermo Eltec GmbH shall not accept any liability.
  • Page 8: Disclaimer Of Warranty

    Ibex-4000 Series support.eltec@westermo.com 1.1.2.1 Disclaimer of Warranty There is no warranty for the program, to the extent permitted by applicable law. Except when otherwise stated in writing the copyright holders and/or other parties provide the program “as is” without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose.
  • Page 9: About This Document

    3 About the Ibex-4000 Series The Ibex-4000 Series is a member of the CyBox family of robust wireless railway access points. It is particularly designed to meet the requirements of rolling stock applications. It offers stable, secure, and high bandwidth connections between the local Ethernet and wireless clients.
  • Page 10: How To Access The Ibex-4000 Series

    12.2 USB Possibilities 4. Using SNMP (see 7 SNMP 4.1 IP Addresses of the Ibex-4000 Series By default, the Ibex-4000 Series is accessible through the following IP addresses (see figure The page Network → Interfaces (default settings)): 192.168.100.1 (LAN) •...
  • Page 11: Getting To The Web Interface

    Before accessing the web interface, your computer must be connected to the Ethernet port LAN 1, and it must be configured to use the same subnet as the Ibex-4000 Series. The web interface is accessible using HTTPS on the IP addresses listed in 4.1 IP Addresses of the Ibex-4000 Series...
  • Page 12: Quick Start Guide

    • Operator workstation and Ibex-4000 Series are connected via Ethernet • Workstation browser is logged-in to the Ibex-4000 Series web interface • Operator is additionally logged in to Ibex-4000 Series via SSH (if available, a serial console terminal would be preferable).
  • Page 13: Change Lan Ip Address (Quick Guide)

    Ibex-4000 Series 5.2 Change LAN IP address (Quick Guide) The factory default IP address 192.168.100.1 must be changed to meet your network topology. Open Network → Interfaces and click the Edit button of the LAN interface. Modify the IP address (IPv4 address field), or change the Protocol field to DHCP client, then click on Save &...
  • Page 14: Example: Local Access Point

    As a first step, a simple access point is configured. The wired Ethernet and the wireless radios form an isolated local domain where the Ibex-4000 Series provides DHCP services. Finally, the example in “LAN IP Address” shows how to set a new static IP address. In Network → Interfaces → LAN → Protocol you can configure the DHCP client setup to obtain an IP address from a DHCP server in your network.
  • Page 15: Prepare Wlan Radio Interface

    Ibex-4000 Series 5.3.2 Prepare WLAN Radio Interface • Select Network → Wireless: this shows the wireless controllers radio0 and radio1 with some software buttons • Select tab radio0: Unknown “OpenWrt” or click the Edit button of radio0 • In box Device Configuration: •...
  • Page 16: Connecting To Wan

    DHCP service, but there is not yet an uplink to a gateway. 5.3.4 Connecting to WAN As a goal, the Ibex-4000 Series shall integrate its clients via Ethernet in a higher-level network. DHCP, DNS, and gateway services are supposed to be available in that net.
  • Page 17: Create The Management Vlan

    Ibex-4000 Series Network Topology with Three VLANs 5.4.1 Create the Management VLAN Create a new Ethernet interface (eth0.100) and give it the name “vlan100”. Make it a full-valued net host by assigning a static address and a gateway. • Select tab Network tab Interfaces •...
  • Page 18: Configure And Enable The Radio(S)

    Ibex-4000 Series • Submit • [page VLAN101 opens] • Click button Save & Apply Do the same for “vlan102” and “eth0.102”. 5.4.3 Configure and Enable the radio(s) You are free to choose which interface to assign to which radio. If both radios are to be used then this section (7.3.3) must be done for radio1 as well.
  • Page 19: Attach The "Staff" Vlan To Radio0

    • Enter Key (at least 8 characters) • Click button Save & Apply 5.4.6 Check Configuration As a check, you may log in to the Ibex-4000 Series through SSH and issue the ifconfig command. The following interfaces should be shown: br-vlan101 Link encap:Ethernet …...
  • Page 20: Disable Unneeded Default Address

    Ibex-4000 Series 5.4.7 Disable Unneeded Default Address After successfully testing the VLAN-based management access (vlan100), the default address 192.168.100.1 may be disabled. This is easily achieved by deleting the LAN interface: • Select tab Network tab Interface • Click button Delete for the LAN interface (usually the lowermost) •...
  • Page 21: The Web Interface

    Ibex-4000 Series 6 The web interface Most pages of the web interface are concerned with the configuration of the Ibex-4000 Series. Many of these pages show some of the following buttons: • Reset: clicking on this button reverts the unsaved input fields of the current page to the values as they were before you modified them.
  • Page 22 Ibex-4000 Series Bridge Interface Create Bridge Interface Configure The configuration specifies the wired ports to attach to this bridge. In order to attach wireless networks, choose the associated interface as network in the wireless settings. Check Bridge interfaces and include all Interfaces that should belong to the new bridge interface.
  • Page 23: Vlan

    Ibex-4000 Series Set LAN Interface to use physical device br-lan Note: Physical interfaces, such as eth0 or wlan0, belonging to a network interface, such as LAN, cannot be in any other network interface. 6.1.1.3 VLAN To enable VLAN (virtual LAN, mostly used for logical subnets built on real LANs) tagging, a new custom interface must be set up for the LAN.
  • Page 24: Wlan

    Enable. Wireless Device Overview The example shows an Ibex-4000 Series with two radios installed. Depending on the hardware, other configurations may be shown. After enabling the radio, you can configure physical settings. Clicking Network → Wireless → Edit redirects you to the ‘Device Configuration’...
  • Page 25: Radio Band Configuration For Models With Antenna Combiner

    Ibex-4000 Series Wireless Device Configuration After the device has been enabled, the radio status should be checked to verify that the selected channel / mode combination is working. 6.1.2.2 Radio Band Configuration for Models with Antenna Combiner If the system is equipped with an antenna combiner (e.g. having two radio modules (WLE-900) but only three antennas), the frequency bands 2.4 GHz and 5 GHz cannot be freely configured for each wireless module.
  • Page 26: Encryption

    When configuring the Ibex-4000 Series as client with a “mixed mode”, it will try both modes when connecting to an access point (normally, only the configured mode is used). The following modes can be combined: •...
  • Page 27: Hotspot

    Ibex-4000 Series Wireless Device Configuration – Encryption Settings When choosing an EAP mode, the connection to the RADIUS server has to be configured. The Ibex-4000 Series connects to the RADIUS server via UDP, supplying a password. The most important settings are: •...
  • Page 28: Multi-Ap Client Isolation

    Access Point is attached to the same cable backbone, and the wifi clients use the same subnet, client isolation must also be enabled between APs. This is also true if the Ibex-4000 Series operates multiple APs on different WLAN modules which are connected (e.g.
  • Page 29: Connection Check

    Ibex-4000 Series The screenshot below shows a configuration where the server address is set in the parameters of the LAN interface (under ‘Network’ → ‘Interfaces’). When the interface is set up as a bridge, the corresponding Bridge name is always ‘br-<original_interface_name>’...
  • Page 30: Access Point Scanning Service (Wireless Monitoring)

    Ibex-4000 Series Deactivate SSIDs when the server is not reachable 6.1.2.8 Access Point Scanning Service (Wireless Monitoring) Reporting nearby APs to interested parties Important A mandatory precondition for using this service is to have at least one available radio device running in AP (AccessPoint) mode.
  • Page 31 Ibex-4000 Series Scanning results can be obtained by an SNMP request. Getting queue entry from remote host ~# snmpget -c public -v 2c <device_ip> 1.3.6.1.4.1.2021.8.1.2.159.101.1; iso.3.6.1.4.1.2021.8.1.2.159.101.1 = STRING: "00:15:61:20:AC:8A;CyBoxGW-P-radio1;04:F0:21:3F:2E:AA;36;-27;2020-05-06 13:20:17" In case of an empty queue, the response will be a “nil” value.
  • Page 32: Client Counting Service

    Ibex-4000 Series 6.1.2.9 Client Counting Service Reporting nearby Clients to interested parties Important A mandatory precondition for using this service is to have at least one available radio device running in AP (AccessPoint) mode. Please make sure that such a configuration is done and running before activating this service.
  • Page 33 Ibex-4000 Series Results can be obtained by an SNMP request. Getting queue entry from remote host. ~# snmpget -c public -v 2c <device_ip> 1.3.6.1.4.1.2021.8.1.2.160.101.1; iso.3.6.1.4.1.2021.8.1.2.160.101.1 = STRING: "radio1; c78236b5fb56b9023249e23e94dae7092aaa16f792aa168b21c064713b9883fe; n/a; -29dBm; 2020-05-07 09:25:20" In case of an empty queue, the response will be a “nil” value.
  • Page 34: Rogue Access Point Detection Service

    Ibex-4000 Series 6.1.2.10 Rogue Access Point Detection Service This service detects unauthorized access points nearby: it scans nearby access points and classifies them as “rogue” or “not rogue”. The rogue APs are reported via SNMP traps. Important...
  • Page 35 These notifications can be enabled with the parameter “Enable SNMP Traps”. The IP address of the SNMP trap receiver can be configured with the parameter “Target address”. SNMP notifications are defined within the Westermo Eltec MIB and have the following format: ELTEC-CYAP-MIB::rogueAPdetected...
  • Page 36: Multi-Wan Manager (Mwan3)

    (using load-balancing among them). Load-balancing requires no remote station on the ground; it is handled entirely by the Ibex-4000 Series. As such, it is not link aggregation. It distributes traffic by streams, not by packets, i.e. a single stream cannot benefit from multiple LTE connections.
  • Page 37: Capabilities

    After the modem setup is complete, the modem interfaces are up and tracking via ping is active. To check the hotplug MWAN mechanism, open a second web interface to the Ibex-4000 Series and go to Network → Interfaces. In this example MODEM_S1 has the lowest metric and will be the first standard gateway. The test is started with Stop...
  • Page 38: Mwan Status

    Ibex-4000 Series MWAN test stopping a modem As the interface is down, all traffic has stopped and standard gateway switches to modem1. MWAN test 6.1.3.3 MWAN Status The detailed MultiWan status information is found in Status → Load Balancing → Detail.
  • Page 39 Ibex-4000 Series MWAN detailed status page...
  • Page 40: Mwan Modem Interface Configuration

    Ibex-4000 Series 6.1.3.4 MWAN Modem Interface Configuration The MWAN interface configuration has a default setup for every modem card. MWAN Interface configuration The tracking parameters can handle target host IPs, ping interval and timeout.
  • Page 41: Mwan Members Configuration

    Ibex-4000 Series Tracking parameters 6.1.3.5 MWAN Members Configuration Members are profiles attaching a metric and weight to an MWAN interface. Names may contain characters A-Z, a-z, 0-9, _ and no spaces. Members may not share the same name as configured interfaces, policies or rules.
  • Page 42: Mwan Policies Configuration

    Ibex-4000 Series MWAN members 6.1.3.6 MWAN Policies Configuration Policies are profiles grouping one or more members controlling how MWAN distributes traffic. Member interfaces with lower metrics are used first. Interfaces with the same metric use load-balancing. Load-balanced member interfaces distribute more traffic out through those interfaces with higher weights.
  • Page 43: Mwan Rules Configuration

    Ibex-4000 Series MWAN policies page 6.1.3.7 MWAN Rules Configuration Rules specify which traffic will use a particular MWAN policy based on IP address, port, or protocol. Rules are matched from top to bottom. Rules below a matching rule are ignored. Traffic not matching any rule is routed using the main routing table.
  • Page 44: Lacp / Bonding

    Ibex-4000 Series MWAN notification configuration 6.1.4 LACP / Bonding Getting better overall bandwidth and failsafe connections by using the Link Aggregation Control Protocol (LACP). Combining multiple Gigabit Ethernet interfaces into a single logical bonding interface results in increased overall bandwidth between connected devices.
  • Page 45: Create Lacp Interface

    Ibex-4000 Series 6.1.4.1.1 Create LACP interface First of all, a logical bonding interface should be created. This can be done using the UI page (Network → Interfaces → Add new interface). 6.1.4.1.2 Setup IP / Netmask The next step is setting an IP address and a netmask for the newly created bonding interface (see tab → General Settings).
  • Page 46: Setup Firewall

    Ibex-4000 Series 6.1.4.1.4 Setup Firewall If needed, firewall configuration can be done with tab Firewall Settings.
  • Page 47: Check Interface Status

    Ibex-4000 Series 6.1.4.1.5 Check interface Status After applying the new configuration settings, the bonding interface bonding-b1 should be up and running. The interface status can also be verified using the debug console. root@LACP_TEST:~# cat /proc/net/bonding/bonding-b1 Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011) Bonding Mode: IEEE 802.3ad Dynamic link aggregation...
  • Page 48: Lacp Testing Example

    Ibex-4000 Series system mac address: 00:00:5b:03:b4:f8 port key: 9 port priority: 255 port number: 1 port state: 61 details partner lacp pdu: system priority: 32768 system mac address: 44:a5:6e:43:5d:70 oper key: 1 port priority: 128 port number: 2 port state: 63...
  • Page 49: Test Bonding Bandwidth Improvement

    The Ibex-4000 Series uses a DNS, TFTP and DHCP server. It is intended to provide coupled DNS and DHCP service to a LAN. This service accepts DNS queries and either answers them from a small local cache or forwards them to a real, recursive DNS server.
  • Page 50: Firewall

    Be sure you understand zone-based firewalls before changing the firewall configurations. The Ibex-4000 Series has a built-in stateful firewall mapping interfaces into Zones that are used to describe default rules for a given interface, forwarding rules between interfaces, and extra rules that are not covered by the first two.
  • Page 51: Openvpn

    Ibex-4000 Series Zones must always be mapped onto one or more Interfaces, which ultimately map onto physical devices; therefore zones cannot be used to specify networks (subnets), and the generated iptables rules operate on interfaces exclusively. The difference is that interfaces can be used to reach destinations not part of their own subnet, when their subnet contains another gateway.
  • Page 52: Copy Ready-To-Use Configuration With Scp

    The VPN connection is built on this configuration file (myclient.ovpn). This example uses four files that have to be stored statically on the Ibex-4000 Series to allow the openvpn program to build up a connection without user interaction. If the ‘auth-user-pass’ option is given to openvpn without a parameter, the connection setup is interrupted and openvpn asks for a username and password.
  • Page 53: Manual Configuration With Web Interface

    After the VPN client part configuration has been done, it’s time to configure the rest of the system and start a first connection. This configuration can be done at the console (via SSH) with ‘uci’ commands. The openvpn program execution on the Ibex-4000 Series is managed with the ‘/etc/init.d/openvpn’ script. The following configuration is done at the command prompt: Create the VPN interface: (if not running server-bridge) uci set network.vpn0=interface...
  • Page 54 Ibex-4000 Series

    uci set firewall.@zone[-1].input=REJECT
    uci set firewall.@zone[-1].forward=REJECT
    uci set firewall.@zone[-1].output=ACCEPT
    uci set firewall.@zone[-1].network=vpn0
    uci set firewall.@zone[-1].masq=1
    uci set firewall.@zone[-1].mtu_fix=1
    uci add firewall forwarding
    uci set firewall.@forwarding[-1].src='lan'
    uci set firewall.@forwarding[-1].dest='vpn'

    Commit the changes:

    uci commit network
    /etc/init.d/network reload
    uci commit firewall
    /etc/init.d/firewall reload...
  • Page 55: Iccp

    (tun0 6.1.8 ICCP The Inter Carriage Connection Protocol is a bridging algorithm developed by Westermo Eltec to establish and maintain a wireless LAN backbone for trains. It can be used in retrofit applications, where it is too expensive to install backbone Ethernet cables throughout the train.
  • Page 56: Features And Restrictions

    Ibex-4000 Series 6.1.8.3 Features and Restrictions • The native ‘eth0’ interface and the native ‘wlan0/1’ (which is used by ICCP) are no longer available for any bridge devices. • The backbone VLAN networks/bridges must be configured manually. Each VLAN channel needs a separate network interface.
  • Page 57: Example

    In the following example, a networking interface LAN or WLAN is prepared to use the Quality of Service function (QoS). The Ibex-4000 Series implements a QoS function with scripts to configure traffic control (‘tc’ command), which reduces throughput at a selected interface. To see the effect, a performance test can be started with the built-in ‘iperf’...
  • Page 58 Ibex-4000 Series Do an ‘iperf’ performance test. The throughput should be about 10 Mbits/s. If a WLAN interface is bridged with the LAN port, the traffic control can even work on a single part of the bridge. To reduce the wireless traffic only, a new interface label must be added to Network →...
  • Page 59: System

    Ibex-4000 Series 6.2 System 6.2.1 System Properties The System Properties are managed in the tab System → System. These menus handle logging options, NTP time synchronisation and the appearance and language of the web interface. In the General Settings tab the operating system time, which is always stored as UTC time, can be synchronized with the current browser time.
  • Page 60: Firmware Upgrade

    Ibex-4000 Series a. Restore factory settings Perform reset restores factory settings and performs a reboot. b. Export configuration Use the Generate archive button to export a configuration backup. The generated configuration tar archive is not hardware-specific and may be distributed to other access points, as long as they share the same model and the same firmware version.
  • Page 61: Reboot

    While booting no user configuration settings are applied. The Ibex-4000 Series comes up with network default address 192.168.100.1 (user=root, password=root) and Wifi disabled. The Fail LED blinks orange (red and green on) and the web interface background is orange, as Figure indicates.
  • Page 62 Ibex-4000 Series Emergency System Indication Emergency mode can also be entered by holding the reset button pressed for 5 seconds at the beginning of the boot phase. Note: Normally, the blue background indicates the standard mode and the orange background indicates emergency mode.
  • Page 63: Snmp

    Ibex-4000 Series 7 SNMP 7.1 SNMP Protocol Support Firmware implementations before 2020 only have protocol support for version v1 and v2c. Since 2020 the SNMP protocol v3 is also included in every CyBox firmware. The v1, v2c protocol variants are present with factory default setup.
  • Page 64: Snmp V3 Protocol Examples

    Ibex-4000 Series Demo user account settings The default protocols v1 and v2c should be disabled when using the SNMP-V3 protocol. Activate only SNMP-V3 protocol After all new settings are entered, press Save & Apply. The SNMPD service will then be restarted automatically.
  • Page 65: Snmp Basic Functions

    The new system hostname can be checked on the web Status page. 7.3 SNMP Basic Functions The SNMP service is included in the Ibex-4000 Series starting with firmware version 2.6. The service is enabled if a valid configuration file ‘/etc/config/snmpd’ is present and service startup is not disabled. On system start this configuration file is parsed and translated into a ‘snmpd.conf’...
  • Page 66: Snmp Commands

    Ibex-4000 Series This address can be changed by means of a UCI command. Assuming you are logged in to an Ibex-4000 Series via SSH as administrative user, the following command would allow re-specifying the IP address of the “private” group: root@CyBoxAP:~# uci set snmpd.private.source=<ccu>...
  • Page 67: Snmp Read (Snmpwalk And Snmpget)

    = STRING: "CYAP.-V-W8IRQWWEUPX" iso.3.6.1.4.1.2021.8.1.2.100.102.1 = INTEGER: 0 iso.3.6.1.4.1.2021.8.1.2.100.103.1 = "" MIB name: iso.3.6.1.4.1.2021.8.1.2.100.2.1 = STRING: "boardname" Function executed on Ibex-4000 Series: iso.3.6.1.4.1.2021.8.1.2.100.3.1 = STRING: "/bin/cat /var/BOARDNAME" Error code from function call: iso.3.6.1.4.1.2021.8.1.2.100.100.1 = INTEGER: 0 Return value from function call: iso.3.6.1.4.1.2021.8.1.2.100.101.1 = STRING: "CYAP.-V-W8IRQWWEUPX"...
  • Page 68: Readout Current Network Device Order

    • network0, network1 … network9 • wireless0, wireless1 … wireless19 Note: A normal Ibex-4000 Series configuration consists of six wireless interfaces, but there are up to twenty interfaces possible, so snmpwalk will result in up to 80 percent of undefined (Empty UCI entry) values.
  • Page 69: Readout Network Device To Ssid Assignment

    Ibex-4000 Series iso.3.6.1.4.1.2021.8.1.2.151.101.7 = STRING: "Guest_123" <--- wireless6 iso.3.6.1.4.1.2021.8.1.2.151.101.8 = STRING: "VIP_500" <--- wireless7 iso.3.6.1.4.1.2021.8.1.2.151.102.1 = INTEGER: 0 iso.3.6.1.4.1.2021.8.1.2.151.103.1 = "" 7.6.2.3 Readout Network Device to SSID Assignment The following command shows the order of the Wifi interfaces. snmpwalk -c public -v 2c 192.168.100.1 1.3.6.1.4.1.2021.8.1.2.152 iso.3.6.1.4.1.2021.8.1.2.152.1.1 = INTEGER: 1...
  • Page 70: Snmp Write (Snmpset)

    By default all SNMP write control is restricted to localhost. Refer to chapter 8.1 to enable write access. A write command to the Ibex-4000 Series is always done on the same UCD MIB OID ‘1.3.6.1.4.1.2021.8.1’. The write operation requires a string parameter, which is parsed with ‘/etc/snmp/set_cyboxap’ and translated into a system internal call on the Ibex-4000 Series.
  • Page 71: Set A New Ssid

    Ibex-4000 Series 7.7.2.2 Set a new SSID snmpwalk -c public -v 2c 192.168.100.1 1.3.6.1.4.1.2021.8.1.2.151 iso.3.6.1.4.1.2021.8.1.2.151.1.1 = INTEGER: 1 iso.3.6.1.4.1.2021.8.1.2.151.2.1 = STRING: "ssid_order" iso.3.6.1.4.1.2021.8.1.2.151.3.1 = STRING: "/etc/snmp/get_cyboxap ssid_order" iso.3.6.1.4.1.2021.8.1.2.151.100.1 = INTEGER: 0 iso.3.6.1.4.1.2021.8.1.2.151.101.1 = STRING: "CyAP0_00486889_00486886_EST0" iso.3.6.1.4.1.2021.8.1.2.151.101.2 = STRING: "Guest_007" iso.3.6.1.4.1.2021.8.1.2.151.101.3 = STRING: "CyAP0_00486889_00486886_vlan007"...
  • Page 72: Edit Configuration Parameters, Create New Fields And Delete Items

    Ibex-4000 Series 7.7.3 Edit configuration parameters, create new fields and delete items If a ‘config.section.option’ is known, the ‘uci set’ command call can be used to read and modify any existing configuration item. If a snmpset command with a string “uci <command> config-item=new-value” is executed, it marks the config-item.
  • Page 73: Delete System Configuration Description Text

    Ibex-4000 Series iso.3.6.1.4.1.2021.8.1.2.108.1.1 = INTEGER: 1 iso.3.6.1.4.1.2021.8.1.2.108.2.1 = STRING: "uci_get" iso.3.6.1.4.1.2021.8.1.2.108.3.1 = STRING: "/usr/sbin/get_snmp uci_get" iso.3.6.1.4.1.2021.8.1.2.108.100.1 = INTEGER: 0 iso.3.6.1.4.1.2021.8.1.2.108.101.1 = STRING: "system.@system[0].config_description=Version 1.1 Beta ABC" iso.3.6.1.4.1.2021.8.1.2.108.102.1 = INTEGER: 0 iso.3.6.1.4.1.2021.8.1.2.108.103.1 = "" Commit this change from UCI temporary storage to permanent overlay file system.
  • Page 74: Snmp Applications

    Ibex-4000 Series 7.8 SNMP Applications 7.8.1 SNMP Support for GPS The following information data structure can be obtained via SNMP command ‘snmpwalk’ from a host system. The command user@host:~$ snmpwalk -c public -v2c 192.168.100.1 1.3.6.1.4.1.2021.8.1.2.155 delivers iso.3.6.1.4.1.2021.8.1.2.155.1.1 = INTEGER: 1 iso.3.6.1.4.1.2021.8.1.2.155.2.1 = STRING: "gps_info"...
  • Page 75: Snmp Support For Second Gps Source

    Ibex-4000 Series root@CyBoxAP:/# uci set system.@gps[0].raw='1' root@CyBoxAP:/# uci commit root@CyBoxAP:/# reboot After reboot the GPS subsystem is configured to supply raw NMEA 0183 data. Note that this data is not shown in the web interface, but can be read out via SNMP (different OID than converted GPS info).
  • Page 76: Snmptrap

    Ibex-4000 Series

    gps_module0_info  1.3.6.1.4.1.2021.8.1.2.157
    gps_module0_raw   1.3.6.1.4.1.2021.8.1.2.158
    gps_module1_info  1.3.6.1.4.1.2021.8.1.2.159
    gps_module1_raw   1.3.6.1.4.1.2021.8.1.2.160

    7.8.3 SNMPTRAP CyBox AP models support the snmptrap function sending SNMP traps to inform about connected and disconnected clients for the selected wireless access points. This feature is configurable to use either v2c or v3 protocol version.
  • Page 77 Ibex-4000 Series Each wireless interface is separately configurable with its corresponding name. The section configuration is self-explanatory. However, remember to provide the v3user section name of the previously defined SNMPv3 user if the v3 protocol version is used. Otherwise this box is not visible.
  • Page 78: The Flying Controller Mechanism

    “flying”. This way, a central controller is established without creating a single point of failure. The Ibex-4000 Series automatically takes part in the mechanism and could be elected as controller; otherwise it will be a worker.
  • Page 79 Ibex-4000 Series The firewall obtained some additional custom rules Cut and Paste buffer for IPSec Firewall - Custom Rules edit: iptables -I INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT iptables -I FORWARD -m policy --dir in...
  • Page 80: Decentralized Wi-Fi Controller (Dawn)

    Ibex-4000 Series 10 Decentralized Wi-Fi Controller (DAWN) The DAWN is a decentralized wireless controller that is responsible for monitoring and roaming assistance of Wi-Fi clients to different access points in the same network. Its main goal is to ensure a good throughput of all client devices shared across nearby reachable access points.
  • Page 81: Scoring

    Ibex-4000 Series 10.1 Scoring The DAWN application provides a complex scoring system, on the basis of which the roam decision is made. Also it offers different kicking methods where kick corresponds to a request to roam a client to a different access point. A lot of weighting options are available to configure but the default one is preferable to start with and then further extend until the desired behavior is reached.
  • Page 82 Ibex-4000 Series

    broadcast_ip: IP address for broadcast and multicast (UDP packets for discovering other nodes)
    broadcast_port: IP port for broadcast and multicast
    tcp_port: Port for TCP networking
    network_option: Method of networking between DAWN instances (0: broadcast, 2: multicast with UMDNS discovery, 3: multicast without UMDNS discovery...
  • Page 83 Ibex-4000 Series

    eval_assoc_req: Control whether ASSOCIATION frames are evaluated for rejection
    kicking: Method to select clients to move to better AP
    kicking_threshold: Minimum score difference to consider kicking to alternate AP
    deny_auth_reason: 802.11 code used when AUTHENTICATION is denied
    deny_assoc_reason: 802.11 code used when ASSOCIATION is denied...
  • Page 84: Ssh / Serial Console

    Ibex-4000 Series 11 SSH / Serial console On a Windows PC, you can use the program PuTTY (http://www.putty.org). a. Ethernet cable (SSH) Ensure that an Ethernet cable is connected between your PC and the access point. The following instruction assumes that the default settings are used.
  • Page 85: Uci Configuration

    Ibex-4000 Series Windows device manager showing COM ports Once the connection is established, a login should be requested on serial console window. If this is not the case, press Enter on the keyboard and/or disconnect and reconnect the USB serial adapter on the CyBox side.
  • Page 86: Other Commands

    Ibex-4000 Series Remember to log in again to the new IP address. 11.2 Other commands a. Restore factory settings The factory settings can be restored with the command factory_reset b. Export configuration The current configuration can be saved in the CyBox folder ‘/tmp/’ with the command sysupgrade -b /tmp/backup<mybackupname>.tar.gz.
  • Page 87: Remote Firmware Upgrade With New Config

    Ibex-4000 Series 12.1.2 Remote Firmware Upgrade with New Config In most cases an adapted or new configuration archive must also be installed, to match the new firmware version. The overlay partition is used to keep the configuration settings made by the user across power cycles. If the firmware detects an empty (cleared) overlay partition, the target directory /mnt/custom/ is checked for a single backup-<target>-<cfg>.tar.gz...
  • Page 88: Usb Possibilities

    Ibex-4000 Series 12.2 USB Possibilities Via USB stick it is possible to update configuration and firmware. A USB stick can be connected to the device; it needs a dedicated USB adapter. a. Export configuration Archived configurations can be exported from the command line to an empty USB stick by copying the configuration to ‘/mnt/sda1’.
  • Page 89: Status Led Blink Codes

    Ibex-4000 Series sysupgrade -t V20.36.3-cyap2-lzma.itb sysupgrade -r backup-cyap2-20.36.3.tar.gz exit 0 12.3 Status LED Blink Codes While the upgrade process is running or has finished the ‘Fail LED’ (red/green) is used as status indicator. Blink codes in upgrades: Blink Code repeated Description RED 0.2sec on - GREEN 0.2sec on...
  • Page 90: Appendix: Gpl License

    13 Appendix: GPL license GNU GENERAL PUBLIC LICENSE Version 3, 29 June 2007 Copyright © 2007 Free Software Foundation, Inc. <https://fsf.org/> Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
  • Page 91 States should not allow patents to restrict development and use of software on general-purpose computers, but in those that do, we wish to avoid the special danger that patents applied to a free program could make it effectively proprietary. To prevent this, the GPL assures that patents cannot be used to render the program non-free.
  • Page 92 implementation is available to the public in source code form. A “Major Component”, in this context, means a major essential component (kernel, window system, and so on) of the specific operating system (if any) on which the executable work runs, or a compiler used to produce the work, or an object code interpreter used to run it.
  • Page 93 You may convey verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice; keep intact all notices stating that this License and any non-permissive terms added in accord with section 7 apply to the code;...
  • Page 94 received the object code with such an offer, in accord with subsection 6b. d) Convey the object code by offering access from a designated place (gratis or for a charge), and offer equivalent access to the Corresponding Source in the same way through the same place at no further charge.
  • Page 95 reading or copying. 7. Additional Terms. “Additional permissions” are terms that supplement the terms of this License by making exceptions from one or more of its conditions. Additional permissions that are applicable to the entire Program shall be treated as though they were included in this License, to the extent that they are valid under applicable law.
  • Page 96 However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation.
  • Page 97 not include claims that would be infringed only as a consequence of further modification of the contributor version. For purposes of this definition, “control” includes the right to grant patent sublicenses in a manner consistent with the requirements of this License.
  • Page 98 all. For example, if you agree to terms that obligate you to collect a royalty for further conveying from those to whom you convey the Program, the only way you could satisfy both those terms and this License would be to refrain entirely from conveying the Program.
  • Page 99 If the disclaimer of warranty and limitation of liability provided above cannot be given local legal effect according to their terms, reviewing courts shall apply local law that most closely approximates an absolute waiver of all civil liability in connection with the Program, unless a warranty or assumption of liability accompanies a copy of the Program in return for a fee.
  • Page 100: Appendix: Snmp Oid Overview

    This license document may be reproduced and distributed unchanged, but no modifications are permitted. Translation: <www-en>, 2011-2014, 2016. 14 Appendix: SNMP OID overview This overview is also available with factory settings via the web interface using the URL: http://192.168.100.1/snmpd.txt.
  • Page 101
    # wireless<index>.<entry> <value>
    # uci <command> <config>.<section>[.<option>]=<value>
    # service <name> <action>
    # reboot
    # SNMPSET system call:
    # snmpset -c private -v 2c <IPv4> 1.3.6.1.4.1.2021.8.1 s <command string or set entry string>
    # SNMPGET/SNMPWALK objects:
    # see list below
    # SNMPGET system call:
    # snmpget -c public -v 2c <IPv4>...
  • Page 102: Appendix: Default Factory Settings

    IPv4 address 192.168.100.1/24
    lan_alias | static IPv4 address | Calculated based on serial number | See chapter 4.1 IP Addresses of the Ibex-4000 Series
    lan_dhcp | IPv4 DHCP client
    lan_mac | static IPv4 address | Calculated based on eth0 MAC | See chapter 4.1 IP Addresses of...
  • Page 103 Default Network Configuration...
