Icr 2 0456 00 Configuration Manual 6.5.2 20250303

Uploaded by

klaus.csalmeida

Configuration Manual

ICR-2[0456]00 Family

Advantech Czech s.r.o., Sokolska 71, 562 04 Usti nad Orlici, Czech Republic
Document No. MAN-0059-EN, revised on March 7, 2025.
© 2025 Advantech Czech s.r.o. No part of this publication may be reproduced or transmitted in any form or by any means,
electronic or mechanical, including photography, recording, or any information storage and retrieval system without written consent.
Information in this manual is subject to change without notice, and it does not represent a commitment on the part of Advantech.
Advantech Czech s.r.o. shall not be liable for incidental or consequential damages resulting from the furnishing, performance,
or use of this manual.
All brand names used in this manual are the registered trademarks of their respective owners. The use of trademarks or other
designations in this publication is for reference purposes only and does not constitute an endorsement by the trademark holder.
Used symbols

Danger – Information regarding user safety or potential damage to the router.

Attention – Problems that can arise in specific situations.

Information – Useful tips or information of special interest.

Firmware Version
This manual is compatible with firmware version 6.5.2 (March 3, 2025).
Contents
1. Getting Started 1
1.1 Document Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2 Configuration Environments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.2.1 Web Interface Initial Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2.2 Remote Management Platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.3 Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
1.3.1 Persistent Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
1.3.2 Reset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

2. Status 8
2.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.1.1 Mobile Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.1.2 Ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.1.3 Peripheral Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.1.4 Security Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.1.5 System Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.2 Mobile WAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.3 WiFi . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.4 WiFi Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.5 Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
2.5.1 Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
2.6 DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
2.7 IPsec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
2.8 WireGuard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
2.9 DynDNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
2.10 System Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

3. Configuration 26
3.1 Ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
3.1.1 DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
3.1.2 IPv6 Prefix Delegation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
3.1.3 802.1X Authentication to RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . 31
3.1.4 LAN Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
3.2 VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
3.3 VRRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
3.3.1 VRRP Usage Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
3.4 Mobile WAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
3.4.1 Connection to Mobile Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
3.4.2 DNS Address Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
3.4.3 Check Connection to Mobile Network . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
3.4.4 Check Connection Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
3.4.5 Data Limit Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
3.4.6 Switch between SIM Cards Configuration . . . . . . . . . . . . . . . . . . . . . . . . . 48
3.4.7 Examples of SIM Card Switching Configuration . . . . . . . . . . . . . . . . . . . . . . 50
3.4.8 PPPoE Bridge Mode Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
3.5 PPPoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
3.6 WiFi Access Point . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
3.7 WiFi Station . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
3.8 Backup Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
3.8.1 Default Priorities for Backup Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
3.8.2 User Customized Backup Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
3.8.3 Backup Routes Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
3.9 Static Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
3.10 Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
3.10.1 Example of the IPv4 Firewall Configuration . . . . . . . . . . . . . . . . . . . . . . . . 78
3.10.2 Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
3.11 NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
3.11.1 Examples of NAT Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
3.12 OpenVPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
3.12.1 Example of the OpenVPN Tunnel Configuration in IPv4 Network . . . . . . . . . . . . 89
3.13 IPsec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
3.13.1 Route-based Configuration Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
3.13.2 IPsec Authentication Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
3.13.3 Configuration Items Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
3.13.4 Basic IPv4 IPSec Tunnel Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
3.14 WireGuard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
3.14.1 WireGuard IPv4 Tunnel Configuration Example . . . . . . . . . . . . . . . . . . . . . . 100
3.15 GRE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
3.15.1 Example of the GRE Tunnel Configuration . . . . . . . . . . . . . . . . . . . . . . . . . 103
3.16 L2TP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
3.16.1 Example of the L2TP Tunnel Configuration . . . . . . . . . . . . . . . . . . . . . . . . 107
3.17 PPTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
3.17.1 Example of the PPTP Tunnel Configuration . . . . . . . . . . . . . . . . . . . . . . . . 110
3.18 Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
3.18.1 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
3.18.2 DynDNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
3.18.3 FTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
3.18.4 HTTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
3.18.5 NTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
3.18.6 SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
3.18.7 SMTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
3.18.8 SMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
3.18.9 SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
3.18.10 Syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
3.18.11 Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
3.19 Expansion Ports – RS232 & RS485 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
3.19.1 Examples of Expansion Port Configuration . . . . . . . . . . . . . . . . . . . . . . . . 137
3.20 Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
3.20.1 Startup Script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
3.20.2 Example of Startup Script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
3.20.3 Up/Down Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
3.20.4 Example of IPv6 Up/Down Script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
3.21 Automatic Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
3.21.1 Example of Automatic Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
3.21.2 Example of Automatic Update Based on MAC . . . . . . . . . . . . . . . . . . . . . . . 143
4. Customization 144
4.1 Router Apps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
4.2 Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146

5. Administration 147
5.1 Manage Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
5.2 Modify User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
5.2.1 Two-Factor Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
5.2.2 Passwordless Console Login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
5.2.3 Expired Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
5.3 Change Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
5.4 Set Date and Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
5.5 Set SMS Service Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
5.6 Unlock SIM Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
5.7 Unblock SIM Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
5.8 Send SMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
5.9 Backup Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
5.10 Restore Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
5.11 Update Firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
5.12 Reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
5.13 Logout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163

6. Typical Situations 164


6.1 Access to the Internet from LAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
6.2 Backup Access to the Internet from LAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
6.3 Secure Networks Interconnection or Using VPN . . . . . . . . . . . . . . . . . . . . . . . . . . 169
6.4 Serial Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

Appendix A: Open Source Software License 173

Appendix B: Glossary and Acronyms 174

Appendix C: Index 179

Appendix D: Related Documents 182


List of Figures
1 Web Configuration GUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2 Mobile WAN Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
3 WiFi Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
4 WiFi Scan Output Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
5 Network Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
6 Connection List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
7 DHCP Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
8 IPsec Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
9 WireGuard Status Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
10 DynDNS Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
11 System Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
12 LAN Configuration Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
13 IPv6 Address with Prefix Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
14 IEEE 802.1X Functional Diagram . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
15 Network Topology for Example 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
16 LAN Configuration for Example 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
17 Network Topology for Example 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
18 LAN Configuration for Example 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
19 Network Topology for Example 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
20 LAN Configuration for Example 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
21 VLAN Configuration Form . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
22 VRRP Configuration Example Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
23 Main Router Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
24 Backup Router Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
25 Mobile WAN Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
26 Check Connection Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
27 Configuration for SIM card switching Example 1 . . . . . . . . . . . . . . . . . . . . . . . . . . 50
28 Configuration for SIM card switching Example 2 . . . . . . . . . . . . . . . . . . . . . . . . . . 50
29 PPPoE Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
30 WiFi Access Point Configuration Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
31 WiFi Station Configuration Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
32 Backup Routes Configuration Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
33 Example #1: GUI Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
34 Example #1: Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
35 Example #2: GUI Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
36 Example #2: Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
37 Example #3: GUI Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
38 Example #3: Topology for Single WAN mode . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
39 Example #3: Topology for Multiple WAN mode . . . . . . . . . . . . . . . . . . . . . . . . . . 71
40 Example #4: GUI Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
41 Example #4: Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
42 Example #5: GUI Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
43 Example #5: Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
44 Static Routes Configuration Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
45 IPv6 Default Firewall Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
46 Topology for the IPv4 Firewall Configuration Example . . . . . . . . . . . . . . . . . . . . . . 78
47 IPv4 Firewall Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
48 Firewall Sites Configuration GUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
49 NAT IPv4 Configuration Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
50 Topology for NAT Configuration Example 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
51 NAT Configuration for Example 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
52 Topology for NAT Configuration Example 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
53 NAT Configuration for Example 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
54 OpenVPN tunnel configuration Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
55 Topology of OpenVPN Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
56 IPsec Tunnels Configuration Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
57 Topology of IPsec Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
58 WireGuard Tunnels Configuration Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
59 Topology of WireGuard Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . 100
60 Router A – WireGuard Status Page and Route Table . . . . . . . . . . . . . . . . . . . . . . . 101
61 Router B – WireGuard Status Page and Route Table . . . . . . . . . . . . . . . . . . . . . . . 101
62 GRE Tunnel Configuration Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
63 Topology of GRE Tunnel Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . 103
64 L2TP Tunnel Configuration Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
65 Topology of L2TP Tunnel Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . 107
66 PPTP Tunnel Configuration Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
67 Topology of PPTP Tunnel Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . 110
68 Common Configuration Items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
69 Configuration of RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
70 Configuration of TACACS+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
71 DynDNS Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
72 Configuration of FTP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
73 HTTP Configuration Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
74 Example of NTP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
75 OID Basic Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
76 SNMP Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
77 MIB Browser Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
78 SMTP Client Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
79 SMS Configuration for Example 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
80 SMS Configuration for Example 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
81 SMS Configuration for Example 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
82 SMS Configuration for Example 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
83 SSH Configuration Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
84 Syslog configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
85 Telnet Configuration Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
86 Expansion Port Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
87 Example of Ethernet to Serial Communication Configuration . . . . . . . . . . . . . . . . . . . 137
88 Example of Serial Interface Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
89 Example of a Startup Script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
90 Example of IPv6 Up/Down Script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
91 Automatic Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
92 Example of Automatic Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
93 Example of Automatic Update Based on MAC . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
94 Default Router Apps GUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
95 Router Apps GUI with Available Online Apps . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
96 Router Apps Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
97 Modify User Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
98 Users Administration Form . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
99 Links for Google Authenticator Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
100 Links for Authenticator-Extension . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
101 Standard Login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
102 Verification Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
103 SSH Login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
104 Key Generation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
105 Expired Password Prompt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
106 Change Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
107 Set Real Time Clock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
108 Set SMS Service Center Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
109 Unlock SIM Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
110 Unblock SIM Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
111 Send SMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
112 Backup Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
113 Restore Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
114 Update Firmware Administration Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
115 Process of Firmware Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
116 Reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
117 Access to the Internet from LAN – Sample Topology . . . . . . . . . . . . . . . . . . . . . . . 164
118 Access to the Internet from LAN – Ethernet Configuration . . . . . . . . . . . . . . . . . . . . 165
119 Access to the Internet from LAN – Mobile WAN Configuration . . . . . . . . . . . . . . . . . . 165
120 Backup access to the Internet – sample topology . . . . . . . . . . . . . . . . . . . . . . . . . 166
121 Backup access to the Internet – Ethernet configuration . . . . . . . . . . . . . . . . . . . . . . 166
122 Backup access to the Internet – Mobile WAN configuration . . . . . . . . . . . . . . . . . . . . 167
123 Backup access to the Internet – Backup Routes configuration . . . . . . . . . . . . . . . . . . 168
124 Secure Networks Interconnection – Sample Topology . . . . . . . . . . . . . . . . . . . . . . 169
125 Secure Networks Interconnection – OpenVPN Configuration . . . . . . . . . . . . . . . . . . . 170
126 Serial Gateway – Sample Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
127 Serial Gateway – Expansion Port 1 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 172
List of Tables
1 Reset Storage Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2 Mobile Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
3 Peripheral Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
4 System Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
5 Mobile Network Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
6 Signal Strength Value Ranges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
7 Description of Periods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
8 Mobile Network Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
9 Detailed Information about WiFi Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
10 Description of Interfaces in Network Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
11 Description of Information in Network Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
12 DHCP Status Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
13 Configuration of the Network Interface – IPv4 and IPv6 . . . . . . . . . . . . . . . . . . . . . . 27
14 Configuration of the Network Interface – Global Items . . . . . . . . . . . . . . . . . . . . . . 28
15 Configuration of the Dynamic DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
16 Configuration of Static DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
17 IPv6 Prefix Delegation Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
18 Supported Roles for IEEE 802.1X Authentication . . . . . . . . . . . . . . . . . . . . . . . . . 32
19 Configuration of 802.1X Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
20 VLAN Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
21 VRRP Configuration Items Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
22 Check Connection Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
23 Mobile WAN Configuration Items Description . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
24 Check Connection to Mobile Network Configuration
25 Data Limit Configuration
26 Switching Between SIM Cards Configuration
27 Parameters for SIM Card Switching
28 PPPoE Bridge Mode
29 PPPoE Configuration
30 WiFi Configuration Items Description
31 WLAN Configuration Items Description
32 Backup Routes Modes Items Description
33 Backup Routes Configuration Items Description
34 Static Routes Configuration for IPv4
35 Filtering of Incoming Packets
36 Forward Filtering
37 NAT Configuration Items Description
38 Remote Access Configuration
39 Incoming Packets Configuration
40 Related Features Configuration
41 OpenVPN Configuration Items Description
42 OpenVPN Configuration Example
43 IPsec Tunnel Configuration Items Description
44 Simple IPv4 IPSec Tunnel Configuration
45 WireGuard Tunnel Configuration Items Description
46 WireGuard IPv4 Tunnel Configuration Example
47 GRE Tunnel Configuration Items Description
48 GRE Tunnel Configuration Example
49 L2TP Tunnel Configuration Items Description
50 L2TP Tunnel Configuration Example
51 PPTP Tunnel Configuration Items Description
52 PPTP Tunnel Configuration Example
53 Enter Caption
54 Configuration of RADIUS
55 Configuration of TACACS+
56 DynDNS Configuration Items Description
57 FTP Configuration Items Description
58 HTTP Configuration Items Description
59 NTP Configuration
60 SNMP Agent Configuration
61 SNMPv3 Configuration
62 SNMP Configuration (R-SeeNet)
63 Object Identifiers for Binary Inputs and Outputs
64 SMTP Client Configuration
65 SMS Configuration
66 Control via SMS
67 Control SMS
68 Send SMS on the Serial Port 1
69 Send SMS on the Serial Port 2
70 Sending/receiving of SMS on TCP Port Specified
71 List of AT Commands
72 SSH Configuration Items Description
73 Syslog configuration
74 Telnet Configuration Items Description
75 Expansion Port Configuration – Serial Interface
76 Expansion Port Configuration – Check TCP Connection
77 Automatic Update Options
78 Router Apps Settings
79 Action Button Description
80 User Parameters

1. Getting Started
1.1 Document Content

This manual provides detailed setup procedures for Advantech ICR-2[0456]00 family routers, offering
comprehensive guidance on the following topics:

• Web configuration interface for the routers – detailed in Chapter 1.2.
• Overview of available remote management system – see Chapter 1.2.2.
• Detailed configuration instructions, item by item, following the web interface’s structure:
◦ Status – discussed in Chapter 2.
◦ Configuration – outlined in Chapter 3.
◦ Customization – covered in Chapter 4.
◦ Administration – explained in Chapter 5.
• Configuration examples for typical scenarios – presented in Chapter 6.

For detailed information on topics such as ordering, hardware features, initial setup, and technical
specifications, refer to the Hardware Manual available on the Engineering Portal.

ICR-2[0456]00 Family Configuration Manual 1



1.2 Configuration Environments

• If you are unsure about the correctness of your configuration or its potential impact on the
router’s longevity, consult our technical support for guidance.

• Before putting the router into operation, make sure to connect all the components required for
running your applications. Refer to the Hardware Manual for details.

• For security reasons, we recommend regularly updating the router’s firmware to the latest version.
Downgrading the firmware to an older version than the production version or uploading
firmware intended for a different device may cause the device to malfunction.

• It is highly recommended to have JavaScript enabled in the browser; otherwise, field validation
and some functions will be disabled.

• Three unsuccessful login attempts will block HTTP(S) access from the IP address for one
minute.

• All routers have the WebAccess/DMP client pre-installed by default. The activated client periodically
uploads router identifiers and configuration to the WebAccess/DMP server. See Chapter 1.2.2
Remote Management Platform for more information.

For configuring an Advantech router, one of the following environments may be used:

• Via a graphical interface accessible in a web browser. This is the option primarily covered in this
manual; start with Chapter 1.2.1 Web Interface Initial Setup.

• Via a console interface accessing the router by Secure Shell (SSH). For console configuration
commands, refer to the Command Line Interface Application Note.

• Via Advantech’s remote device management platform, WebAccess/DMP, which provides extensive
management and monitoring capabilities to ensure devices remain secure and up-to-date. For more
information, refer to Chapter 1.2.2 Remote Management Platform.

For more information on enhancing the router’s basic functionality, refer to the Extending Router
Functionality Application Note.


1.2.1 Web Interface Initial Setup

• Please note that if you are logged in to the router configuration web interface with the User role,
you will have read-only access to the GUI, except for Modify User, and some menu items may be
unavailable.

• Refer to Chapter Allowed and Restricted Input Characters for the rules regarding characters used in
the graphical web interface.

• Configure the router’s Name and Location in the SNMP settings to display them in the web interface’s
upper right corner. See Chapter 3.18.6 SNMP for details.

Routers can be efficiently configured through a username and password-protected web interface (see
Figure 1). This interface offers a comprehensive configuration GUI, detailed statistics on router activities,
signal strength, system logs, and more.

To access the router’s web interface on a new router with default settings, follow these steps:

• For cellular routers, it is essential to correctly configure the carrier settings and activate the account.
Ensure that you insert the appropriate SIM card. For detailed guidance, refer to the Hardware Manual,
Chapter SIM Card Slots. If a PIN is required for the SIM card, follow the instructions in Chapter 5.6
Unlock SIM Card.

• Before connecting the router to a power supply, attach the cellular antenna (or antennas). Ideally,
attach all antennas, including the WiFi antennas for WiFi models.

• Connect the power supply to the router (refer to the Hardware Manual, Chapter Power Supply).

• The router will initiate its boot process. By default, the cellular router will automatically establish
a connection to the default Access Point Name (APN) associated with the inserted SIM card.

• Ensure that your PC is configured to obtain IP settings automatically (DHCP client) from the network
and connect its Ethernet interface to the router’s default LAN interface (ETH0 port).

• The DHCP server running by default on the router will assign an IP address to your PC. Enter the
following URL in your web browser’s address bar: https://192.168.1.1. Please note that using the
HTTPS protocol for secure communication over the network is mandatory.

• The only user on a new router is the user root, which has the Admin role.

• Check the product label on the router for the default password.

• Upon first login to the new router, the user will be prompted to change their password.

• Note: To prevent domain mismatch warnings, you will need to install a security certificate. For detailed
instructions, see Chapter Managing HTTPS Certificates.


Figure 1: Web Configuration GUI


Managing HTTPS Certificates

The router includes a self-signed HTTPS certificate. Since the identity of this certificate cannot be
validated, web browsers may display a warning message. To avoid this warning, you can upload your own
certificate, signed by a Certification Authority, to the router. If you wish to use your own certificate
(for example, in combination with a dynamic DNS service), replace the /etc/certs/https_cert and
/etc/certs/https_key files on the router. This can easily be done via the GUI on the HTTP configuration
page, as detailed in Chapter 3.18.4.
To use the router’s self-signed certificate without encountering the security warning (due to a domain
name mismatch) each time you log in, follow these steps:

• Add a DNS record to your DNS system. For Linux/Unix systems, edit /etc/hosts; for Windows,
navigate to C:\WINDOWS\system32\drivers\etc\hosts; or configure your own DNS server. Insert
a new record pairing the router’s IP address with a domain name derived from its MAC address
(specifically, the MAC address of the first network interface, as shown in the Network Status on the
router’s web interface), using dashes instead of colons for separation. For example, a router with the
MAC address 00:11:22:33:44:55 would use the domain name 00-11-22-33-44-55.
• Access the router via this new domain name (e.g., https://00-11-22-33-44-55). If a security warning
appears, add an exception to prevent it from recurring (for example, in the Firefox web browser).
If the option to add an exception is unavailable, export the certificate to a file and import it into your
browser or operating system.

Note: Using a domain name based on the router’s MAC address may not be compatible with all operating
system and browser combinations.

Allowed and Restricted Input Characters

When configuring the router via the web interface, it is crucial to avoid using forbidden characters in any
input field, not just in password fields. Below are the valid and forbidden characters for input. Note that, in
some cases, the space character may also be disallowed.

Valid characters include: 0-9 a-z A-Z * , + - . / : = ? ! # % @ [ ] _ { } ~
Forbidden characters include: " $ & ' ( ) ; < > \ ^ ` |

It is important to follow these guidelines during configuration, as entering invalid characters can lead to
errors or unintended behavior.
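
A pre-flight check for values you intend to type or push into the web interface, built from the two character lists above. This is an added example, not code from Advantech or the router firmware; the function and field names are hypothetical, the first forbidden character is taken to be the ASCII double quote, and characters that appear on neither list are reported separately.

```python
import string

# Character sets as listed in this manual.
VALID = set(string.digits + string.ascii_letters + "*,+-./:=?!#%@[]_{}~")
FORBIDDEN = set("\"$&'();<>\\^`|")


def check_value(value: str, allow_space: bool = True):
    """Return a list of (position, character, reason); an empty list means OK."""
    problems = []
    for pos, ch in enumerate(value):
        if ch in FORBIDDEN:
            problems.append((pos, ch, "forbidden"))
        elif ch == " ":
            # The manual notes that the space is disallowed in some fields.
            if not allow_space:
                problems.append((pos, ch, "space not allowed here"))
        elif ch not in VALID:
            # On neither list: control characters, non-ASCII letters, ...
            problems.append((pos, ch, "not in the valid list"))
    return problems


def check_settings(settings: dict, no_space_fields=()):
    """Check every value of a settings mapping.

    Returns {field: problems} containing only the fields that failed.
    `no_space_fields` names the fields where a space must be rejected
    (an assumption made per deployment; the manual does not list them).
    """
    report = {}
    for field, value in settings.items():
        found = check_value(str(value), allow_space=field not in no_space_fields)
        if found:
            report[field] = found
    return report


# Constructed sample values, not taken from a real router.
SAMPLE = {
    "location": "Rack 4, Building B",
    "apn": "internet.example",
    "password": "Blue;Sky|42",
    "name": "R&D gateway",
}

if __name__ == "__main__":
    for field, problems in check_settings(SAMPLE, no_space_fields=("apn",)).items():
        for pos, ch, reason in problems:
            print(f"{field}: character {ch!r} at position {pos}: {reason}")
```

Running such a check when generating passwords or device names avoids choosing a value that the interface then rejects or mishandles.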

Supported Certificate Formats

All GUI forms that allow the uploading of certificate files support the following file types:

• CA, Local/Remote Certificate: *.pem, *.crt, *.p12
• Private Key: *.pem, *.key, *.p12


1.2.2 Remote Management Platform


WebAccess/DMP is an advanced, enterprise-grade platform for provisioning, monitoring, managing, and
configuring Advantech’s routers and IoT gateways. It offers zero-touch enablement for each remote device.
For more information, refer to the application note [3] or visit the WebAccess/DMP webpage.
New routers come pre-installed with the WebAccess/DMP client, which by default activates the connection
to the WebAccess/DMP server. This connection can be disabled on the Welcome page upon initial
web interface login or under Customization → Router Apps → WebAccess/DMP Client.

The activated client periodically uploads router identifiers and configurations to the WebAccess/DMP
server.


1.3 Device
1.3.1 Persistent Storage
The device’s persistent storage consists of three partitions, combined into a single directory structure:

• System Data: System data distributed with firmware upgrades.

• User Data: Separate storage for user data, accessible at /var/data.

• Router Apps Installed: Separate storage for Router Apps data, accessible at /opt.

1.3.2 Reset

Before performing a factory reset on the router, consider creating a backup of its configuration. See
Chapter 5.9 Backup Configuration.

The reset button on the router, labeled as RST, serves three different purposes:

• Reset:
◦ Hold the RST button for less than 4 seconds.
◦ The router will reboot, applying its customized configuration.
◦ You can also trigger a reboot by selecting the Reboot option in the router’s web GUI.

• Configuration Reset¹:
◦ Press and hold the RST button for more than 4 seconds.
◦ The PWR LED will turn off and then back on. It is recommended to hold the RST button for an
additional second after the PWR LED turns back on.
◦ The router will reset to its default factory configuration, including RA configurations.

• Emergency Reset¹:
◦ Use this option if the router fails to boot due to incorrect configuration or a filesystem error.
◦ Power off the router by disconnecting its power supply. Then, while holding the RST button,
power on the router and continue holding the RST button for at least 10 seconds.
◦ The router will reset its configuration, including RA configurations, similar to the Configuration
Reset.

The following table summarizes which storage areas are retained and which are deleted during different
reset procedures.

Storage                    Reset  Configuration Reset  Emergency Reset
Router & RA Configuration  Keep   Reset to default     Reset to default
System Data                Keep   Keep                 Keep
User Data                  Keep   Keep                 Keep
Router Apps Installed      Keep   Keep                 Keep
Table 1: Reset Storage Actions

¹ Upon first login after a reset, the user will be prompted to change their password.



2. Status
All status pages can display live data. To enable this feature, click on the refresh button in the top right
corner on the status page. To stop the data update and to limit the amount of data transferred, disable
automatic data updates by clicking the pause button again.

2.1 General
You can reach a summary of basic router information and its activities by opening the General status
page. This page is displayed when you log in to the device by default. The information displayed on this
page is divided into several sections, based upon the type of the router and its hardware configuration.
Typically, there are sections for the mobile connection, LAN, system information, and, if the device
is equipped with them, the WiFi and peripheral ports.

The IPv6 Address item can show multiple different addresses for one network interface. This is standard
behavior, since an IPv6 interface uses more than one address. The second IPv6 Address shown after pressing
More Information is an automatically generated link-local IPv6 address in EUI-64 format, derived from the
MAC address of the interface. It is generated and assigned the first time the interface is used (e.g. cable
is connected, Mobile WAN connecting, etc.).
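
The two MAC-derived identifiers this manual mentions, the EUI-64 link-local address described here and the dashed domain name from Managing HTTPS Certificates, computed from one MAC address, plus the reverse mapping from a link-local address seen in a log back to the MAC. This is an added example, not code from the manual or the firmware; the function names are hypothetical, and the bit flip and ff:fe insertion follow the standard modified EUI-64 rule (RFC 4291), which is assumed to be what the router applies.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")


def parse_mac(mac: str) -> bytes:
    """Return the six octets of a MAC written with ':' or '-' separators."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes(int(part, 16) for part in re.split(r"[:-]", mac))


def eui64_link_local(mac: str) -> ipaddress.IPv6Address:
    """Derive the fe80::/64 address built from a MAC (modified EUI-64)."""
    o = parse_mac(mac)
    # Flip the universal/local bit of the first octet, insert ff:fe in the middle.
    iid = bytes([o[0] ^ 0x02]) + o[1:3] + b"\xff\xfe" + o[3:]
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid)


def mac_from_link_local(addr: str):
    """Recover the MAC from an EUI-64 link-local address, or None if it is not one."""
    ip = ipaddress.IPv6Address(addr.split("%")[0])  # drop a zone id such as %eth0
    raw = ip.packed
    if not ip.is_link_local or raw[11:13] != b"\xff\xfe":
        return None  # not link-local, or the interface id was not built from a MAC
    octets = bytes([raw[8] ^ 0x02]) + raw[9:11] + raw[13:16]
    return ":".join(f"{b:02x}" for b in octets)


def cert_hostname(mac: str) -> str:
    """Domain name used with the self-signed certificate: dashes instead of colons."""
    parse_mac(mac)  # validation only
    return mac.replace(":", "-")


def hosts_entry(router_ip: str, mac: str) -> str:
    """One hosts-file line pairing the router's IP address with that domain name."""
    ip = ipaddress.ip_address(router_ip)  # raises ValueError on a malformed address
    return f"{ip}\t{cert_hostname(mac)}"


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"  # the example MAC address used in this manual
    print(eui64_link_local(mac))
    print(mac_from_link_local("fe80::211:22ff:fe33:4455%eth0"))
    print(hosts_entry("192.168.1.1", mac))
```

Because the link-local address embeds the MAC, any host on the same link can read the interface's hardware address from it, which is useful for inventory matching.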

2.1.1 Mobile Connection

Item         Description
SIM Card     Identification of the SIM card
Interface    Defines the interface
Flags        Displays network interface flags:
             None - no flags
             Up - the interface is administratively enabled
             Running - the interface is in operational state (cable detected)
             Multicast - the interface is capable of multicast transmission
IP Address   IP address of the interface
MTU          Maximum packet size that the equipment is able to transmit
Rx Data      Total number of received bytes
Rx Packets   Received packets
Rx Errors    Erroneous received packets
Rx Dropped   Dropped received packets
Rx Overruns  Lost received packets because of overload
Tx Data      Total number of sent bytes
Tx Packets   Sent packets
Tx Errors    Erroneous sent packets
Tx Dropped   Dropped sent packets
Tx Overruns  Lost sent packets because of overload
Uptime       Indicates how long the connection to the cellular network has been established
Table 2: Mobile Connection


2.1.2 Ethernet
Every Ethernet interface has its own section on the General status page. Items displayed here have
the same meaning as the items in the Mobile Connection part. In addition, the MAC Address item shows the
MAC address of the corresponding router interface. The information shown depends on the Ethernet
configuration, see Chapter 3.1.

2.1.3 Peripheral Ports


Binary interface available for all models, serial interface only for ICR-24xx and ICR-26xx models.

Information about installed peripheral ports is displayed in the Peripheral Ports section.

Item              Description
Expansion Port 1  Interface detected on the first expansion port.
Expansion Port 2  Interface detected on the second expansion port.
Binary Input      State of the binary input.
Binary Output     State of the binary output.
Table 3: Peripheral Ports

2.1.4 Security Information


This section provides information about the logged-in user, their last login time, IP address, and the
number of failed login attempts.


2.1.5 System Information


System information about the device is displayed in the System Information section.

Item               Description
Product Name       Name of the product (may not match the P/N or order code).
Product Type       Type of the product (may be N/A or the same as the Product Name).
Firmware Version   Information about the firmware version.
Serial Number      Serial number of the router (N/A means it is not available).
Hardware UUID¹     Unique HW identifier for the device.
Product Revision¹  Manufactured product revision number.
Profile            Current profile – standard or alternative profiles (profiles are used for example to switch between different modes of operation).
Free space         Free space available for Router Apps and user data.
CPU Usage          CPU usage value (turn on the refresh in the top right corner).
Memory Usage       Memory usage value (turn on the refresh in the top right corner).
Time               Current date and time.
Uptime             Indicates how long the router has been in use.
Licenses           Link to the list of open source software components of the firmware together with their license type. Click on the license type to see the license text.
Table 4: System Information

¹ It may not be available for some models.
² Only for models with PoE. The router’s power supply voltage must meet the required voltage.


2.2 Mobile WAN


The Mobile WAN menu item contains current information about connections to the mobile network. The
first part of this page (Mobile Network Information) displays basic information about the mobile network
the router operates in. It also shows information about the cellular module mounted in the router.

Item             Description
Registration     State of the network registration
Operator         Specifies the operator’s network the router operates in.
Technology       Transmission technology
PLMN             Code of operator
Cell             Cell the router is connected to (in hexadecimal format).
LAC/TAC          Unique number (in hexadecimal format) assigned to each location area. LAC (Location Area Code) is for 2G/3G networks and TAC (Tracking Area Code) is for 4G networks.
Channel          Channel the router communicates on:
                 • ARFCN in case of GPRS/EDGE technology,
                 • UARFCN in case of UMTS/HSPA technology,
                 • EARFCN in case of LTE technology.
Band             Cellular band abbreviation.
Signal Strength  Signal strength (in dBm) of the selected cell, for details see Table 6.
Signal Quality   Signal quality of the selected cell:
                 • EC/IO for UMTS (the ratio of the signal received from the pilot channel – EC – to the overall level of the spectral density, i.e. the sum of the signals of other cells – IO).
                 • RSRQ for LTE technology (defined as the ratio $N \times \mathrm{RSRP} / \mathrm{RSSI}$).
                 • The value is not available for the EDGE technology.
RSSI, RSRP, RSRQ, SINR, RSCP or Ec/Io
                 Other parameters reporting signal strength or quality. Please note that some of them may not be available, depending on the cellular module or cellular technology.
CSQ              Cell signal strength with the following value ranges:
                 • 2 – 9 = Marginal,
                 • 10 – 14 = OK,
                 • 15 – 19 = Good,
                 • 20 – 30 = Excellent.
Neighbours       Signal strength of neighboring cells that can be heard (GPRS only)¹.
Manufacturer     Module manufacturer
Model            Type of module
Revision         Revision of module
IMEI             IMEI (International Mobile Equipment Identity) number of module
MEID             MEID number of module
ICCID            Integrated Circuit Card Identifier, the international and unique serial number of the SIM card.
Table 5: Mobile Network Information

¹ If a neighboring cell for GPRS is highlighted in red, the router may repeatedly switch between the neighboring and the primary cell,
affecting the router’s performance. To prevent this, re-orient the antenna or use a directional antenna.

Figure 2: Mobile WAN Status

The signal strength value is displayed in different colors: black for good, orange for fair and red
for poor signal strength.

Signal Strength  GPRS/EDGE/CDMA (RSSI)  UMTS/HSPA (RSCP)    LTE (RSRP)
good             > -70 dBm              > -75 dBm           > -90 dBm
fair             -70 dBm to -89 dBm     -75 dBm to -94 dBm  -90 dBm to -109 dBm
poor             < -89 dBm              < -94 dBm           < -109 dBm
Table 6: Signal Strength Value Ranges


The middle part of this page, called Statistics, displays information about mobile signal quality, transferred
data and number of connections for all the SIM cards (for each period). The router has standard intervals,
such as the previous 24 hours and last week, and also a period starting with the Accounting Start defined
for the MWAN module.

Period       Description
Today        Today from 0:00 to 23:59
Yesterday    Yesterday from 0:00 to 23:59
This week    This week from Monday 0:00 to Sunday 23:59
Last week    Last week from Monday 0:00 to Sunday 23:59
This period  This accounting period
Last period  Last accounting period
Table 7: Description of Periods

Item          Description
RX data       Total volume of received data
TX data       Total volume of sent data
Connections   Number of times a connection to the mobile network was established
Signal Min    Minimal signal strength
Signal Avg    Average signal strength
Signal Max    Maximal signal strength
Cells         Number of switches between cells
Availability  Availability of the router via the mobile network (expressed as a percentage)
Table 8: Mobile Network Statistics

Tips for Mobile Network Statistics table:

• Availability is expressed as a percentage. It is the ratio of the time the connection to the mobile network
has been established to the time the router has been turned on.

• Placing your cursor over the maximum or minimum signal strength will display the last time the router
reached that signal strength.

The last part (Connection Log) displays information about the mobile network connections and any
problems that occurred while establishing them.


2.3 WiFi

This feature is accessible only on routers equipped with a WiFi module.

Selecting the Status → WiFi → Status option in the web interface’s main menu displays details about the
WiFi access point (AP) and the WiFi station (STA), including a list of all stations connected to the AP.
An example output for WiFi status is illustrated in the figure below. It includes information on the WiFi
chip, its firmware version, and the supported modes for the module. For instance, the notation "Supports
1 station and 2 access points" indicates that it is possible to use one station configuration alongside two
distinct Access Point configurations simultaneously.

Figure 3: WiFi Status


2.4 WiFi Scan

This feature is accessible only on routers equipped with a WiFi module.

Selecting Status → WiFi → Scan initiates a scan for nearby WiFi networks, with the results displayed as
shown in Figure 4.

Figure 4: WiFi Scan Output Example

If you click on the Connect button next to the respective WiFi network, you will be redirected to the
Configuration → WiFi → Station page, where the available fields will be pre-filled and you will be able to
connect to the network by entering authentication details.
For each network, you can view details by clicking on the More Information button. Below is the
description of some items from the WiFi scanning output.

Item                         Description
BSS                          MAC address of the access point (AP).
TSF                          Synchronizes timers across all stations in a Basic Service Set (BSS).
freq                         Frequency band of the WiFi network in MHz.
beacon interval              Time between synchronization beacons.
capability                   Properties list of the access point (AP).
signal                       Signal strength of the access point (AP).
last seen [boottime]         Timestamp of the last time the access point (AP) was detected, relative to the scanning device’s boot time.
last seen [ms ago]           Timestamp of the last response from the access point (AP).
SSID                         Name identifier of the access point (AP).
Supported rates              Data rates supported by the access point (AP).
DS Parameter set             Broadcasting channel of the access point (AP).
ERP                          Provides backward compatibility for PHY rates.
RSN                          Protocol ensuring secure wireless communication.
Extended supported rates     Additional supported rates beyond the basic eight.
Country                      Regulatory domain for the AP, dictating operational parameters.
BSS Load                     Current load information on the Basic Service Set (BSS).
RM enabled capabilities      AP’s ability to report radio spectrum measurements.
(V)HT capabilities           Features enhancing data rates for 802.11ac/n networks.
(V)HT operation              Utilization of (V)HT capabilities in the current setup.
Overlapping BSS scan params  Guides scanning for overlapping BSS to minimize interference.
Extended capabilities        Additional AP features improving network functions.
WMM                          Prioritizes network traffic to ensure quality for voice and video.
Table 9: Detailed Information about WiFi Networks


2.5 Network
To view information about the interfaces and the routing table, open the Network item in the Status menu.
The upper part of the window displays detailed information about the active interfaces only:

Note: Some interfaces may not be available on your router, depending on the router hardware.

Interface  Description
ethx       Ethernet interfaces
lanx       LAN interfaces
lo         Local loopback interface
null0      Loopback interface used by the translator gateway between IPv6 and IPv4 addresses.
switch0    SWITCH interface
usbx       Active connection to the mobile network – wireless module is connected via USB interface.
wlanx      WiFi interfaces – if configured
pppx       PPP interfaces (e.g., PPPoE tunnel – if configured)
tunx       OpenVPN tunnel interfaces – if configured
ipsecx     IPSec tunnel interfaces – if configured
grex       GRE tunnel interfaces – if configured
wgx        WireGuard tunnel interfaces – if configured
Table 10: Description of Interfaces in Network Status

The following information can be displayed for network interfaces:

Item        Description
HWaddr      Hardware (unique, MAC) address of a network interface.
inet addr   IPv4 address of interface
inet6 addr  IPv6 address of interface. There can be more than one for a single network interface.
P-t-P       IP address of the opposite end (in case of point-to-point connection).
Bcast       Broadcast address
Mask        Mask of network
MTU         Maximum packet size that the equipment is able to transmit.
Metric      Number of routers the packet must go through.
RX          • packets – received packets
            • errors – number of errors
            • dropped – dropped packets
            • overruns – incoming packets lost because of overload.
            • frame – wrong incoming packets because of incorrect packet size.
TX          • packets – transmitted packets
            • errors – number of errors
            • dropped – dropped packets
            • overruns – outgoing packets lost because of overload.
            • carrier – wrong outgoing packets with errors resulting from the physical layer.
collisions  Number of collisions on physical layer.
txqueuelen  Length of buffer (queue) of the network interface.
RX bytes    Total number of received bytes.
TX bytes    Total number of transmitted bytes.
Table 11: Description of Information in Network Status

You may view the status of the mobile network connection on the network status screen. If the connection
to the mobile network is active, it will appear in the system information as a usb0 interface.
The Route Table is displayed on the Network Status page. Both the IPv4 Route Table and the IPv6 Route
Table are shown below.
At the bottom of the page, there is a Backup Routes section, which reports the currently selected Backup
Routes.
If NAT64 is enabled (Configuration → NAT → IPv6 → Enable NAT64), it is automatically used when
connected via IPv6 and communicating with an IPv4 device or network. This works in conjunction with
DNS64 running on the router, which translates domain names to IP addresses. The default NAT64 prefix,
64:ff9b::/96, is used, as seen in Figure 5 below in the IPv6 Route Table section.
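
How an IPv4 destination maps into the default NAT64 prefix, and how to read such an address back when it appears in the IPv6 route table or the connection list. This is an added example, not code from the manual or the firmware; the function names are hypothetical, the embedding of the IPv4 address in the low 32 bits follows RFC 6052, and the sample destinations are constructed.

```python
import ipaddress

# Default NAT64 prefix named in this manual.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def to_nat64(ipv4: str) -> ipaddress.IPv6Address:
    """IPv6 address that DNS64 synthesizes for an IPv4-only destination."""
    v4 = ipaddress.IPv4Address(ipv4)
    # With a /96 prefix the IPv4 address occupies the last 32 bits.
    return ipaddress.IPv6Address(int(NAT64_PREFIX.network_address) | int(v4))


def from_nat64(ipv6: str):
    """IPv4 destination behind a NAT64 address, or None for a native IPv6 address."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in NAT64_PREFIX:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def annotate(destinations):
    """Map each IPv6 destination to the IPv4 host it really reaches (or None)."""
    return {dst: from_nat64(dst) for dst in destinations}


# Constructed destinations such as might be listed among active connections.
SAMPLE_DESTINATIONS = [
    "64:ff9b::c000:221",    # translated: IPv4 host behind NAT64
    "2001:db8::10",         # native IPv6, not translated
    "64:ff9b::c633:6407",   # translated
]

if __name__ == "__main__":
    print(to_nat64("192.0.2.33"))
    for dst, v4 in annotate(SAMPLE_DESTINATIONS).items():
        print(f"{dst:<22} -> {v4 if v4 else 'native IPv6'}")
```

Firewall or audit rules written for an IPv4 destination should be checked against its NAT64 form as well, since IPv6 clients reach the same host through that address.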


Figure 5: Network Status


2.5.1 Connections
On the Network Status page, scroll down and click the »Connections« link. A new window listing all
active router connections will display, see Figure 6.

Figure 6: Connection List


2.6 DHCP
Information about the DHCP server activity is accessible via the DHCP item. The DHCP server automatically
configures the client devices connected to the router. The DHCP server assigns each device an IP
address, subnet mask, and default gateway (IP address of the router) and DNS server (IP address of the
router). DHCPv6 server is supported.
See Figure 7 for the DHCP Status example. Records in the DHCP Status window are divided into two
parts based on the interface.

Figure 7: DHCP Status

The DHCP status window displays the following information on a row for each client in the list. All items
are described in Table 12.

Item          Description
IPv4 Address  IPv4 address assigned to a client.
IPv6 Address  IPv6 address assigned to a client.
Lease Starts  The time the IP address lease started.
Lease Ends    The time the IP address lease expires.
MAC           MAC address of the client.
Hostname      Client hostname.
IA-NA         IPv6 unique identifier.
Table 12: DHCP Status Description

The DHCP status may occasionally display two records for one IP address. It may be caused by resetting
the client network interface.


2.7 IPsec
Selecting the IPsec option in the Status menu of the web page will bring up the information for any
IPsec tunnels that have been established. If the tunnel has been built correctly, the screen will display
ESTABLISHED and the number of running IPsec connections, 1 up (highlighted in orange in the figure below).
If this text does not appear in the log (e.g., it shows "0 up"), the tunnel was not created.

Figure 8: IPsec Status


2.8 WireGuard
Selecting the WireGuard option in the Status menu of the web page will bring up the information for any
WireGuard Tunnels established. In the figure below is an example of the first WireGuard tunnel running.

Figure 9: WireGuard Status Page

The Latest handshake time is the time elapsed since the latest successful communication with the opposite
tunnel side. This item is not shown until there is tunnel communication (data sent by the client side,
or keepalive data sent when NAT/Firewall Traversal is set to yes).


2.9 DynDNS
The router supports Dynamic DNS using a DNS server. If Dynamic DNS is configured, its status can be
viewed by selecting the DynDNS menu option.

You can use the servers listed below for the Dynamic DNS service. DynDNSv6 can be used when IP
Mode is set to IPv6 on the Services → DynDNS configuration page.

• www.freedns.afraid.org
• www.duckdns.org
• www.noip.com

Figure 10: DynDNS Status

When the router detects a DynDNS record update, the dialog displays one or more of the following
messages:

• DynDNS client is disabled.
• Invalid username or password.
• Specified hostname doesn’t exist.
• Invalid hostname format.
• Hostname exists, but not under specified username.
• No update performed yet.
• DynDNS record is already up to date.
• DynDNS record successfully updated.
• DNS error encountered.
• DynDNS server failure.

The router’s SIM card must have a public IP address assigned, or DynDNS will not function correctly.


2.10 System Log


Sensitive data in the report is filtered out for security reasons.

You can view the system log by selecting the Status → System Log menu item. This displays detailed
reports from individual applications running on the router.
The default size of the system log is 1000 KiB. Once this limit is reached, a new file is created to store
subsequent log entries. When the second file becomes full, the first file is overwritten. You can configure
the Log Size Limit and other related settings in the Syslog configuration, accessible via Configuration →
Services → Syslog.
Use the Save Log button to save the system log to a connected computer. The log will be saved as a text
file with the .log extension.
The Save Report button generates a detailed report, saved as a text file with the .txt extension.
This report includes system information, statistical data, routing and process tables, details of running
processes, filesystem information, the system log, and configuration details.

Figure 11: System Log



3. Configuration
3.1 Ethernet
To configure the Local Area Network (LAN), navigate to the Ethernet menu item under the Configuration
section. Expanding the Ethernet menu on the left allows you to select the appropriate Ethernet interface
for configuration: ETH0 for the first Ethernet interface and ETH1 for the second Ethernet interface.
The LAN configuration page is divided into IPv4 and IPv6 sections, as shown in Figure 12. The router
supports dual-stack operation, meaning IPv4 and IPv6 can run concurrently. You can configure either one
or both. When both IPv4 and IPv6 are enabled, network devices will automatically select the appropriate
protocol. The configuration options and key differences between IPv4 and IPv6 are described in the
following tables.

Figure 12: LAN Configuration Page


Item Description
DHCP Client Enables or disables the DHCP client function. When enabled in the IPv6 column, the DHCPv6
client is used. The DHCPv6 client supports all three methods of obtaining an IPv6 address – SLAAC,
stateless DHCPv6, and stateful DHCPv6.
• disabled – The router does not allow automatic allocation of an IP address from a DHCP server in the
LAN network.
• enabled – The router allows automatic allocation of an IP address from a DHCP server in the LAN
network.
IP Address A fixed IP address for the Ethernet interface. Use IPv4 notation in the IPv4 column and IPv6
notation in the IPv6 column. Shortened IPv6 notation is supported.
Subnet Mask / Prefix Specifies the subnet mask for the IPv4 address. In the IPv6 column, fill in the
prefix for the IPv6 address – a number in the range of 0 to 128.
Default Gateway Specifies the IP address of the default gateway. If provided, every packet with
a destination not found in the routing table is sent to this IP address. Use the correct IP address
notation in both the IPv4 and IPv6 columns.
Primary DNS Server Specifies the primary IP address of the DNS server. When the IP address is not found
in the routing table, the router forwards the request to the DNS server specified here. Use the correct
IP address notation in both the IPv4 and IPv6 columns.
Secondary DNS Server Specifies the secondary IP address of the DNS server.
Table 13: Configuration of the Network Interface – IPv4 and IPv6

The Default Gateway and DNS Server items are only used if the DHCP Client is set to disabled and if the
ETH0 or ETH1 LAN is selected by the Backup Routes system as the default route. (The selection algorithm
is described in section 3.8). Since FW 5.3.0, Default Gateway and DNS Server are also supported on
bridged interfaces (e.g., eth0 + eth1).

The following three items (in the table below) are global for the configured Ethernet interface. Only one
bridge can be active on the router at a time. The DHCP Client, IP Address, and Subnet Mask / Prefix
parameters of only one of the interfaces are used for the bridge. The ETH0 LAN has higher priority when
both interfaces (ETH0 and ETH1) are added to the bridge. Other interfaces can be added to or removed
from an existing bridge at any time. The bridge can be created on demand for such interfaces, but not if it
is configured by their respective parameters.

Under certain conditions, the ETH interface may operate as a WAN interface, and the rules defined
in the Firewall settings will be applied to it. Details are described in Chapter Backup Routes and are
demonstrated with examples provided in that chapter.


Item Description
Bridged Activates or deactivates the bridging function on the router.
• no – The bridging function is inactive (default).
• yes – The bridging function is active.
See the Bridge Notes below the table for further details.
Media Type Specifies the type of duplex and speed used in the network.

• Auto-negation – The router automatically sets the best speed and duplex
mode of communication according to the network’s possibilities.
• 100 Mbps Full Duplex – The router communicates at 100 Mbps, in the full
duplex mode.
• 100 Mbps Half Duplex – The router communicates at 100 Mbps, in the half
duplex mode.
• 10 Mbps Full Duplex – The router communicates at 10 Mbps, in the full
duplex mode.
• 10 Mbps Half Duplex – The router communicates at 10 Mbps, in the half
duplex mode.
MTU Maximum Transmission Unit value. Default value is 1500 bytes.
Table 14: Configuration of the Network Interface – Global Items

Bridge Notes

A bridge behaves like a network switch, forwarding packets between interfaces that are connected to it.
The Advantech router supports creating a bridge network within Ethernet interfaces or between Ethernet
interfaces and Wi-Fi Access Point (AP) interfaces. Once the bridge is configured and established, a new
interface named br0 is created. This interface will appear in the Status → Network → Interfaces section.
If a bridge is configured on two Ethernet interfaces, the br0 interface will inherit the IP address of the
Ethernet interface with the lower index. IP address and subnet configuration of the Ethernet interface with
the higher index will be removed. This behavior is consistent regardless of the order in which the interfaces
are configured.
To include a Wi-Fi AP interface in the bridge, at least one Ethernet interface must also be part of the
bridge configuration. In this case, the IP address of the bridge interface br0 will again be determined by
the Ethernet interface (or interfaces) with the lowest index.

1
Available only on models equipped with the PoE PSE functionality.


3.1.1 DHCP Server


The DHCP server assigns the IP address, gateway IP address (IP address of the router) and IP address
of the DNS server (IP address of the router) to the connected clients. If these values are filled in by the
user in the configuration form, they will be preferred.
The DHCP server supports static and dynamic assignment of IP addresses. Dynamic DHCP assigns
clients IP addresses from a defined address space. Static DHCP assigns IP addresses that correspond to
the MAC addresses of connected clients.
If the IPv6 column is filled in, the DHCPv6 server is used. The DHCPv6 server offers stateful address
configuration to connected clients. Only when the Subnet Prefix above is set to 64 does the DHCPv6 server
offer both the stateful address configuration and SLAAC (Stateless Address Autoconfiguration).

For DHCPv6 static address assignment to work, the DHCPv6 client must use the DUID-LL or DUID-LLT types,
which are derived from its MAC address.

Do not overlap the ranges of statically allocated IP addresses with the addresses allocated by the dynamic
DHCP server. IP address conflicts and incorrect network function can occur if you overlap the ranges.

Item Description
Enable dynamic DHCP leases Select this option to enable a dynamic DHCP server.
IP Pool Start Starting IP address allocated to DHCP clients. Use proper notation in
the IPv4 and IPv6 columns.
IP Pool End Ending IP address allocated to DHCP clients. Use proper IP address
notation in the IPv4 and IPv6 columns.
Lease Time Duration (in seconds) for which the assigned IP address remains valid
before it can be reassigned.
Table 15: Configuration of the Dynamic DHCP Server

Item Description
Enable static DHCP leases Select this option to enable a static DHCP server. You can define
up to thirty-two rules. A new row for defining the next rule appears
automatically after filling in the previous one.
MAC Address MAC address of a DHCP client.
IPv4 Address Assigned IPv4 address. Use proper notation.
IPv6 Address Assigned IPv6 address. Use proper notation.
Table 16: Configuration of Static DHCP Server
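
The overlap rule above can be checked before the values are typed into the form. The following Python check is an added example, not Advantech code: `check_dhcp_plan` is a hypothetical helper and the subnet argument is an assumption about the interface's IP Address and Subnet Mask / Prefix settings.

```python
import ipaddress
import re

MAX_STATIC_RULES = 32  # "up to thirty-two rules" (Table 16)
MAC_RE = re.compile(r"[0-9a-f]{2}(:[0-9a-f]{2}){5}")


def check_dhcp_plan(subnet, pool_start, pool_end, static_leases):
    """Return a list of problems; an empty list means the plan is consistent.

    subnet        -- interface network, e.g. "192.168.1.0/24" (assumed value)
    pool_start/end -- IP Pool Start / IP Pool End of the dynamic server
    static_leases -- list of (mac, ip) pairs for the static server
    Works for IPv4 and IPv6; call it once per address family.
    """
    net = ipaddress.ip_network(subnet, strict=False)
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    if start.version != net.version or end.version != net.version:
        return ["pool addresses and subnet use different IP versions"]

    problems = []
    if start > end:
        problems.append("IP Pool Start is higher than IP Pool End")
    for label, addr in (("IP Pool Start", start), ("IP Pool End", end)):
        if addr not in net:
            problems.append(f"{label} {addr} is outside {net}")
    if len(static_leases) > MAX_STATIC_RULES:
        problems.append(
            f"{len(static_leases)} static rules, more than {MAX_STATIC_RULES} allowed"
        )

    seen_macs, seen_ips = set(), set()
    for mac, ip in static_leases:
        mac = mac.lower()
        if not MAC_RE.fullmatch(mac):
            problems.append(f"{mac}: not a valid MAC address")
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"{ip}: not a valid IP address")
            continue
        if addr.version != net.version:
            problems.append(f"{addr}: wrong IP version for {net}")
            continue
        if addr not in net:
            problems.append(f"{addr} ({mac}) is outside {net}")
        if start <= addr <= end:
            # The conflict the manual warns about: the dynamic server may
            # hand this address to a different client.
            problems.append(f"{addr} ({mac}) lies inside the dynamic pool")
        if mac in seen_macs:
            problems.append(f"{mac}: MAC address listed more than once")
        if addr in seen_ips:
            problems.append(f"{addr}: IP address assigned to more than one MAC")
        seen_macs.add(mac)
        seen_ips.add(addr)
    return problems


if __name__ == "__main__":
    # Values from Example 2 in section 3.1.4; the /24 subnet is assumed.
    plan = [("01:23:45:67:89:ab", "192.168.1.10"),
            ("01:54:68:18:ba:7e", "192.168.1.11")]
    print(check_dhcp_plan("192.168.1.0/24", "192.168.1.2", "192.168.1.4", plan))
    # Constructed bad plan: a static lease placed inside the pool.
    print(check_dhcp_plan("192.168.1.0/24", "192.168.1.2", "192.168.1.4",
                          [("01:23:45:67:89:ab", "192.168.1.3")]))
```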


3.1.2 IPv6 Prefix Delegation

This is an advanced configuration option. IPv6 prefix delegation works automatically with DHCPv6 –
use this option only if a different configuration is desired and you know the consequences.

If you want to override the automatic IPv6 prefix delegation, you can configure it in this form. You have
to know your Subnet ID Width (part of the IPv6 address). The figure below helps with the calculation; in
its example, 48 bits are the Site Prefix, 16 bits are the Subnet ID (Subnet ID Width), and 64 bits are the
Interface ID.

Figure 13: IPv6 Address with Prefix Example

Item Description
Enable IPv6 prefix delegation Enables prefix delegation configuration filled-in below.
Subnet ID The decimal value of the Subnet ID of the Ethernet interface. Maximum value depends on the
Subnet ID Width.
Subnet ID Width The maximum Subnet ID Width depends on your Site Prefix – it is the remainder to 64 bits.
Table 17: IPv6 Prefix Delegation Configuration
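
The Subnet ID arithmetic from Table 17, worked through in Python as an added example (not part of the manual or the router firmware). The helper names and the 2001:db8:1234::/48 delegated prefix are constructed, and the code assumes the Subnet ID occupies the bits directly after the Site Prefix, as laid out in Figure 13.

```python
import ipaddress


def max_subnet_id_width(site_prefix_len: int) -> int:
    """Widest Subnet ID that still leaves a 64-bit Interface ID."""
    if not 0 <= site_prefix_len <= 64:
        raise ValueError("Site Prefix length must be between 0 and 64 bits")
    return 64 - site_prefix_len


def max_subnet_id(width: int) -> int:
    """Largest decimal Subnet ID that fits into `width` bits."""
    return (1 << width) - 1


def lan_prefix(delegated: str, subnet_id: int, width: int) -> ipaddress.IPv6Network:
    """Combine a delegated Site Prefix with a Subnet ID.

    Assumption: the resulting prefix length is Site Prefix length + width,
    so a width equal to the full remainder yields a /64 for the interface.
    """
    site = ipaddress.IPv6Network(delegated, strict=True)
    limit = max_subnet_id_width(site.prefixlen)
    if not 0 <= width <= limit:
        raise ValueError(f"Subnet ID Width must be 0..{limit} for a /{site.prefixlen}")
    if not 0 <= subnet_id <= max_subnet_id(width):
        raise ValueError(f"Subnet ID must be 0..{max_subnet_id(width)} for width {width}")
    new_len = site.prefixlen + width
    # Shift the Subnet ID so that it sits immediately after the Site Prefix.
    base = int(site.network_address) | (subnet_id << (128 - new_len))
    return ipaddress.IPv6Network((base, new_len))


if __name__ == "__main__":
    # The manual's split: 48-bit Site Prefix, 16-bit Subnet ID, 64-bit Interface ID.
    print(max_subnet_id_width(48))                        # 16
    print(max_subnet_id(16))                              # 65535
    print(lan_prefix("2001:db8:1234::/48", 10, 16))       # 2001:db8:1234:a::/64
    # A /56 delegation leaves only 8 bits for the Subnet ID.
    print(lan_prefix("2001:db8:1234:ab00::/56", 255, 8))  # 2001:db8:1234:abff::/64
```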


3.1.3 802.1X Authentication to RADIUS Server


IEEE 802.1X is an IEEE Standard for port-based Network Access Control (PNAC), part of the IEEE
802.1 group of networking protocols. It provides an authentication mechanism for devices wishing to
attach to a LAN or WLAN through "EAP over LAN" or EAPoL, which encapsulates the Extensible
Authentication Protocol (EAP) over IEEE 802.

IEEE 802.1X authentication involves three parties: a supplicant, an authenticator, and an
authentication server, illustrated in Figure 14.

Figure 14: IEEE 802.1X Functional Diagram

• The supplicant is a client device (e.g., a laptop) wishing to attach to the LAN/WLAN, also referring
to the client software providing credentials to the authenticator.

• The authenticator is a network device facilitating the data link between the supplicant and the
network, capable of permitting or denying network traffic. This device communicates with the
authentication server to decide on network access authorization for a supplicant.

• The authentication server, usually a trusted server, handles requests for network access, informing
the authenticator about connection permissions and the settings applicable to the client’s connection.
It commonly runs software supporting the RADIUS and EAP protocols.


Table 18 summarizes the supported roles and cases for IEEE 802.1X authentication on Advantech
routers.
Advantech routers support the roles of supplicant and authenticator only. The authentication server role is
not supported.

Interface: LAN
Supplicant Role: As a built-in feature, configure LAN with 802.1X authentication, see Chapter 3.1.3.
Authenticator Role: While not a built-in feature, it can be facilitated by the 802.1X Authenticator
Router App.

Interface: WiFi
Supplicant Role: In Station (STA) mode, see Chapter 3.7.
Authenticator Role: In Access Point (AP) mode, see Chapter 3.6.
Table 18: Supported Roles for IEEE 802.1X Authentication

Authentication (802.1X) to a RADIUS server can be enabled in the next configuration section. This
functionality requires additional settings for identity and certificates, as described in the following table.

Item Description
Enable IEEE 802.1X Authentication Select this option to enable 802.1X Authentication.
Authentication Method Select authentication method (EAP-PEAPMSCHAPv2 or EAP-TLS).
CA Certificate Definition of CA certificate for EAP-TLS authentication protocol.
Local Certificate Definition of local certificate for EAP-TLS authentication protocol.
Local Private Key Definition of local private key for EAP-TLS authentication protocol.
Identity User name – identity.
Password Access password. This item is available for EAP-PEAPMSCHAPv2 protocol only.
Enter valid characters only, see chap. 1.2.1.
Local Private Key Password Definition of password for private key of EAP-TLS protocol. This item is
available for EAP-TLS protocol only. Enter valid characters only, see chap. 1.2.1.
Table 19: Configuration of 802.1X Authentication


3.1.4 LAN Configuration Examples


Example 1: IPv4 Dynamic DHCP Server, Default Gateway and DNS Server

• The range of dynamically allocated IPv4 addresses is from 192.168.1.2 to 192.168.1.4.
• The address is allocated for 600 seconds (10 minutes).
• Default gateway IP address is 192.168.1.20.
• DNS server IP address is 192.168.1.20.

Figure 15: Network Topology for Example 1


Figure 16: LAN Configuration for Example 1


Example 2: IPv4 Dynamic and Static DHCP server

• The range of allocated addresses is from 192.168.1.2 to 192.168.1.4.
• The address is allocated for 600 seconds (10 minutes).
• The client with the MAC address 01:23:45:67:89:ab has the IP address 192.168.1.10.
• The client with the MAC address 01:54:68:18:ba:7e has the IP address 192.168.1.11.

Figure 17: Network Topology for Example 2


Figure 18: LAN Configuration for Example 2


Example 3: IPv6 Dynamic DHCP Server

• The range of dynamically allocated IPv6 addresses is from 2001:db8::1 to 2001:db8::ffff.
• The address is allocated for 600 seconds (10 minutes).
• The router is still accessible via IPv4 (192.168.1.1).

Figure 19: Network Topology for Example 3


Figure 20: LAN Configuration for Example 3


3.2 VLAN
This section provides options for configuring VLANs on the device. You can configure up to three VLANs.
The configuration form consists of multiple sections that allow you to set up VLAN interfaces, manage
DHCP leases, and configure IPv6 delegation. See Figure 21 and Table 20 for details.

Figure 21: VLAN Configuration Form

Item Description
Create VLAN connection Enables VLAN creation.
DHCP Client (IPv4/IPv6) Enables or disables the DHCP client for IPv4 and IPv6:
• Disabled – Disables the DHCP client.
• Enabled – Enables the DHCP client for the respective protocol.
IP Address Manually specifies the IP address for the VLAN interface.
Subnet Mask / Prefix Defines the subnet mask for IPv4 or the prefix length for IPv6.
Interface Selects the Ethernet interface associated with the VLAN.
VLAN ID Specifies the VLAN ID for the virtual LAN interface.
MTU Defines the Maximum Transmission Unit (MTU) size in bytes.
Enable dynamic DHCP leases Configures dynamic DHCP leases for IPv4 and IPv6.
• IP Pool Start: Defines the starting IP address of the DHCP pool.
• IP Pool End: Defines the ending IP address of the DHCP pool.
• Lease Time: Specifies the lease duration in seconds (default: 600 seconds).
Enable static DHCP leases Configures static DHCP leases for specific MAC addresses. You can
define up to thirty-two rules for each. A new row for defining the next
rule appears automatically after filling in the previous one.
• MAC Address: Specifies the MAC address of the client.
• IP Address: Assigns a fixed IPv4 address to the client.
• IPv6 Address: Assigns a fixed IPv6 address to the client.
Enable IPv6 prefix delegation Configures IPv6 prefix delegation:
• Subnet ID: Specifies the subnet ID for prefix delegation.
• Subnet ID Width: Defines the width of the subnet ID in bits.


Table 20: VLAN Configuration Options


3.3 VRRP
Select the VRRP menu item to enter the VRRP configuration. There are two submenus allowing the
configuration of up to two VRRP instances. The VRRP protocol (Virtual Router Redundancy Protocol)
enables packet routing to be transferred from the primary router to a backup router in case of a failure. This
can be useful for providing a cellular backup to a primary wired router in critical applications. If the Enable
VRRP option is checked, you can configure the following parameters:

Item Description
Protocol Version Select the VRRP version (VRRPv2 or VRRPv3).
Interface Select the interface to be used for VRRP communication.
Virtual Server IP Address Sets the virtual server IP address, which must be the same for both the
primary and backup routers. Devices on the LAN will use this address
as their default gateway.
Virtual Server ID Identifies the virtual router on the network. The primary and backup
routers must use the same value.
Host Priority Determines which router is the primary. The router with the highest
priority (set by the Host Priority parameter) becomes the main router.
According to RFC 2338, the primary router should have the highest
possible priority (255). Backup routers should have a priority value between
1 and 254 (default: 100). A priority value of 0 is not allowed.
Table 21: VRRP Configuration Items Description

In the second section of the configuration window, you can enable the Check connection option to allow
automatic test messages for the cellular network. In some cases, the mobile WAN connection may appear
active, but the router might be unable to transmit data over the cellular network. This feature helps verify
whether data can be sent over the PPP connection, complementing the standard VRRP message handling.
The currently active router (primary/backup) will send test messages (Ping) to the specified Ping IP
Address at periodic intervals (Ping Interval) and wait for a response (Ping Timeout). If no response is
received, the router will retry up to the number of times specified by the Ping Probes parameter. If all
attempts fail, the router will switch to backup mode until the PPP connection is restored.

You may use the DNS server of the mobile carrier as the destination IP address for test messages (Pings).

The Enable traffic monitoring option helps reduce unnecessary test messages for verifying the PPP
connection. When this option is enabled, the router will monitor the interface for non-ping traffic. If a response
to another type of packet is received within the Ping Timeout period, the router assumes the connection is
still active. If no response is received within this period, the router will initiate standard Ping tests to check
the mobile WAN connection.

Item Description
Ping IP Address Destination IP address for Ping commands. The IP address cannot be specified
as a domain name.
Ping Interval Interval, in seconds, between outgoing Ping requests.
Ping Timeout Time, in seconds, to wait for a response to a Ping request.
Ping Probes Maximum number of consecutive failed Ping requests before considering the
connection as down.
Table 22: Check Connection Parameters


3.3.1 VRRP Usage Example


In this example, VRRP is configured on two routers to ensure high availability and minimize downtime
for network clients. Figure 22 illustrates the overall topology, where both routers share a virtual IP address.
The main router is configured with a higher priority, while the backup router has a lower priority. Should the
main router fail or become unreachable, the backup router automatically takes over as the default gateway,
preventing service disruption.

Figure 22: VRRP Configuration Example Topology

Figure 23: Main Router Configuration

Figure 24: Backup Router Configuration



3.4 Mobile WAN

Notes for models with one SIM slot:

• You can still configure the 2nd SIM card in the GUI described in this chapter.

• You can switch to the 2nd SIM card which means that the configuration for the 2nd SIM will be
applied to the installed SIM.

• You can utilize this setting to e.g. configure public and private APN independently.

• The configuration can be switched manually, by SMS, or automatically if configured.

Select the Mobile WAN item in the Configuration menu section to enter the cellular network configuration
page. See Mobile WAN Configuration page in Figure 25.


Figure 25: Mobile WAN Configuration


3.4.1 Connection to Mobile Network


If the Create connection to mobile network checkbox is checked, then the router will automatically attempt
to establish a connection after booting up. You can specify the following parameters for each SIM card
separately.

Item Description
Carrier Available for NAM routers only. Network carrier selection. Provides either an automatic
detection option or manual selection of AT&T, Rogers or Verizon.
APN Network identifier (Access Point Name).
Username The user name used for logging on to the GSM network.
Password The password used for logging on to the GSM network. Enter valid characters only,
see chap. 1.2.1.
Authentication Authentication protocol used in the GSM network:
• PAP or CHAP – The router selects the authentication method.
• PAP – The router uses the PAP authentication method.
• CHAP – The router uses the CHAP authentication method.
IP Mode Specifies the version of IP protocol used:
• IPv4 – IPv4 protocol is used only (default).
• IPv6 – IPv6 protocol is used only.
• IPv4/IPv6 – IPv4 and IPv6 independent dual stack is enabled.
IP Address For use in IPv4 and IPv4/IPv6 mode only. Specifies the IPv4 address of the SIM card.
Enter the IP address manually only when the mobile network carrier has assigned the IP address.
Dial Number Specifies the telephone number which the router dials for GPRS or a CSD connection.
The router uses the default telephone number *99***1#.
Operator Specifies the carrier code. You can specify this parameter as the PLMN preferred
carrier code.
Network type Specifies the type of protocol used in the mobile network.
• Automatic selection – The router automatically selects the transmission method according
to the availability of transmission technologies. Automatic selection never
selects NB-IoT networks. Use NB-IoT in the selection for NB-IoT networks.
PIN Specifies the PIN used to unlock the SIM card. Use only if this is required by a given
SIM card. The SIM card will be blocked after several failed attempts to enter the PIN.
MRU Maximum Receive Unit – maximum size of packet that the router can receive via
Mobile WAN. The default value is 1500 B. Other settings may cause the router to
receive data incorrectly. Minimal value in IPv4 and IPv4/IPv6 mode: 128 B. Minimal
value in IPv6 mode: 1280 B.
MTU Maximum Transmission Unit – maximum size of packet that the router can transmit
via Mobile WAN. The default value is 1500 B. Other settings may cause the router to
transmit data incorrectly. Minimal value in IPv4 and IPv4/IPv6 mode: 128 B. Minimal
value in IPv6 mode: 1280 B.
Table 23: Mobile WAN Configuration Items Description


The following list contains tips for working with the Mobile WAN configuration form:

• If the MTU size is set incorrectly, then the router will not exceed the data transfer. If the MTU value
is set too low, more frequent fragmentation of data will occur. More frequent fragmentation will mean
a higher overhead and also the possibility of packet damage during defragmentation. In contrast,
a higher MTU value can cause the network to drop the packet.

• If the IP address field is left blank, when the router establishes a connection, the mobile network
carrier will automatically assign an IP address. If you assign an IP address manually, then the router
will access the network quicker.

• If the APN field is left blank, the router automatically selects the APN using the IMSI code of the SIM
card. The name of the chosen APN can be found in the System Log.

• If you enter the word blank in the APN field, then the router interprets the APN as blank.

The correct PIN must be filled in. An incorrect PIN may block the SIM card.

Parameters identified with an asterisk require you to enter the appropriate information only if this
information is required by the mobile network carrier.
When the router is unsuccessful in establishing a connection to the mobile network, you should verify the
accuracy of the entered data. Alternatively, you could try a different authentication method or network type.

3.4.2 DNS Address Configuration


The DNS Settings parameter is designed to simplify configuration on the client side. When this value is
set to get from operator, the router will attempt to automatically obtain IP addresses from the primary and
secondary DNS servers of the mobile network carrier. To manually specify the IP addresses of the primary
or secondary DNS servers, select set manually from the DNS Setting drop-down list. You can then enter
the IPv4 or IPv6 address of the DNS server (or both), depending on the selected IP Mode.

3.4.3 Check Connection to Mobile Network

Enabling the Check Connection function for mobile networks is necessary for uninterrupted and
continuous operation of the router.

If the Check Connection item is set to enabled or enabled + bind, the router sends ping
requests to the domain or IP address configured in Ping IP Address or Ping IPv6 Address at
the regular time interval set in Ping Interval.
In case of an unsuccessful ping, a new ping will be sent after the Ping Timeout. If the ping is unsuccessful
three times in a row, the router will terminate the cellular connection and will attempt to establish a new one.
This monitoring function can be set for both SIM cards separately, but it runs only on the SIM that is active
at the given time. Make sure you configure a functional address as the destination for the ping, for example
an IP address of the operator’s DNS server.
If the Check Connection item is set to enabled, the ping requests are sent on the basis of the
routing table. Therefore, the requests may be sent through any available interface. If you require each
ping request to be sent through the network interface that was created when establishing a connection
to the mobile operator, it is necessary to set Check Connection to enabled + bind. The disabled option
deactivates checking of the connection to the mobile network.


A note for routers connected to the Verizon carrier (detected by the router):
The retry interval for connecting to the mobile network increases with more retries. The first two retries
are made after 1 minute. The interval then increases to 2, 8 and 15 minutes. The ninth and every subsequent
retry is made at a 90-minute interval.

If the Enable Traffic Monitoring item is checked, the router will monitor the Mobile WAN traffic without sending
the ping requests. If there is no traffic, the router will start sending the ping requests.

Item Description
Ping IP Address Specifies the ping queries destination IPv4 address or domain name.
Available in IPv4 and IPv4/IPv6 IP Mode.
Ping IPv6 Address Specifies the ping queries destination IPv6 address or domain name.
Available in IPv6 and IPv4/IPv6 IP Mode.
Ping Interval Specifies the time interval between outgoing pings.
Ping Timeout Time in seconds to wait for a Ping response.
Table 24: Check Connection to Mobile Network Configuration
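
How long a dead link goes unnoticed follows from Ping Interval, Ping Timeout and the failure count described above (three in a row for Mobile WAN, Ping Probes for VRRP in section 3.3). This added Python model is not the router's implementation; the scheduling details, the 10-second timeout and all names are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class CheckConfig:
    ping_interval: int                # seconds between checks on a healthy link
    ping_timeout: int                 # seconds to wait for each reply
    max_failures: int = 3             # Mobile WAN: 3 in a row; VRRP: Ping Probes
    traffic_monitoring: bool = False  # "Enable traffic monitoring"


def simulate(cfg, link_fails_at, horizon):
    """Return [(time_s, event)] up to the first declared failure or `horizon`.

    Model assumptions (not from the manual): the first check happens one
    interval after the connection comes up, a ping sent at time t is answered
    only if t < link_fails_at, and ordinary traffic flows whenever the link
    is up.
    """
    events = []
    failures = 0
    t = cfg.ping_interval
    while t <= horizon:
        if t < link_fails_at:
            # With traffic monitoring, replies to normal traffic replace pings.
            events.append((t, "traffic-ok" if cfg.traffic_monitoring else "ping-ok"))
            failures = 0
            t += cfg.ping_interval
            continue
        if t + cfg.ping_timeout > horizon:
            break  # the outcome of this ping is not known within the horizon
        # No reply: the failure is known only once the timeout has expired,
        # and the next ping goes out at that moment.
        t += cfg.ping_timeout
        failures += 1
        events.append((t, "ping-fail"))
        if failures >= cfg.max_failures:
            events.append((t, "link-declared-down"))
            break
    return events


def detection_delay(cfg, link_fails_at, horizon):
    """Seconds between the real failure and the router reacting, or None."""
    for when, what in simulate(cfg, link_fails_at, horizon):
        if what == "link-declared-down":
            return when - link_fails_at
    return None


def worst_case_delay(cfg):
    """Upper bound: failure right after a good check, then every retry times out."""
    return cfg.ping_interval + cfg.max_failures * cfg.ping_timeout


if __name__ == "__main__":
    # 60 s interval as in the first SIM of section 3.4.4; 10 s timeout is constructed.
    mobile = CheckConfig(ping_interval=60, ping_timeout=10)
    for event in simulate(mobile, link_fails_at=130, horizon=600):
        print(event)
    print("delay:", detection_delay(mobile, 130, 600), "s,",
          "worst case:", worst_case_delay(mobile), "s")
    # VRRP with Ping Probes set to 5 (constructed value).
    vrrp = CheckConfig(ping_interval=60, ping_timeout=10, max_failures=5)
    print("VRRP delay:", detection_delay(vrrp, 130, 600), "s")
```

Under this model, shortening Ping Interval reduces the delay more than shortening Ping Timeout only when the interval dominates the sum; with traffic monitoring enabled the delay is the same, but no pings are sent while the link carries traffic.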

3.4.4 Check Connection Example


The figure below displays the following scenario: the connection to the mobile network in IPv4 IP Mode
is checked against the address 8.8.8.8 at a time interval of 60 seconds for the first SIM card and against
the address www.google.com at a time interval of 80 seconds for the second SIM card (for an active SIM
only). Because the Enable traffic monitoring option is enabled, the control pings are not sent, but the data
stream is monitored. The ping will be sent if the data stream is interrupted.

Figure 26: Check Connection Example


3.4.5 Data Limit Configuration

Item Description
Data Limit Specifies the maximum expected amount of data transmitted (sent and received)
over the mobile interface in one billing period (one month). Maximum
value is 2 TB (2097152 MB).
Warning Threshold Specifies a percentage of the "Data Limit" in the range of 50 % to 99 %. If
the given percentage of the data limit is exceeded, the router will send an SMS in
the following form: Router has exceeded (value of Warning Threshold) of data
limit.
Accounting Start Specifies the day of the month in which the billing cycle starts for a given SIM
card. When the service provider that issued the SIM card specifies the start of
the billing period, the router will begin to count the amount of data transferred
starting on this day.
Table 25: Data Limit Configuration

If the parameter Data Limit State (see below) is set to not applicable or Send SMS when data limit is
exceeded in SMS Configuration is not selected, the Data Limit set here will be ignored.

3.4.6 Switch between SIM Cards Configuration


In the lower part of the configuration form you can specify the rules for toggling between the two SIM
cards.
The router will automatically toggle between the SIM cards and their individual setups depending on the
configuration settings specified here (manual permission, roaming, data limit, binary input state). Note
that the SIM card selected for connection establishment is the result of the logical product (AND) of the
configuration here (table below).

Item Description
SIM Card Enable or disable the use of a SIM card. If you set all the SIM cards to
disabled, this means that the entire cellular module is disabled.

• enabled – It is possible to use the SIM card.


• disabled – Never use the SIM card, the usage of this SIM is forbidden.
Roaming State Configure the use of SIM cards based on roaming. This roaming feature has
to be activated for the SIM card on which it is enabled!

• not applicable – It is possible to use the SIM card everywhere.


• home network only – Only use the SIM card if roaming is not detected.
Data Limit State Configure the use of SIM cards based on the Data Limit set above:

• not applicable – It is possible to use the SIM regardless of the limit.


• not exceeded – Use the SIM card only if the Data Limit (set above) has
not been exceeded.
BINx State Configure the use of SIM cards based on binary input x state, where x is the
input number:

• not applicable – It is possible to use the SIM regardless of BINx state.


• on – Only use the SIM card if the BINx state is logical 0 – voltage
present.
• off – Only use the SIM card if the BINx state is logical 1 – no voltage.
Table 26: Switching Between SIM Cards Configuration

Use the following parameters to specify the decision making of SIM card switching in the cellular module.

Item Description
Default SIM Card Specifies the module’s default SIM card. The router will attempt to establish
a connection to the mobile network using this default.

• 1st – The 1st SIM card is the default one.
• 2nd – The 2nd SIM card is the default one.
Initial State Specifies the action of the cellular module after the SIM card has been selected.

• online – establish connection to the mobile network after the SIM card
has been selected (default).
• offline – go to the off-line mode after the SIM card has been selected.

Note: If offline, you can change this initial state by SMS message only – see
SMS Configuration. The cellular module will also go into off-line mode if none
of the SIM cards is selected.
Switch to other SIM card when connection fails Applicable only when the connection is established
on the default SIM card and then fails. If the connection failure is detected by the Check Connection
feature above, the router will switch to the backup SIM card.
Switch to default SIM card after timeout If enabled, after timeout, the router will attempt to switch
back to the default SIM card. This applies only when there is a default SIM card defined and the
backup SIM is selected because of a failure of the default one or if roaming
settings cause the switch. This feature is available only when Switch to other
SIM card when connection fails is enabled.
Initial Timeout Specifies the length of time that the router waits before the first attempt to
revert to the default SIM card, the range of this parameter is from 1 to 10000
minutes.
Subsequent Timeout Specifies the length of time that the router waits after an unsuccessful attempt
to revert to the default SIM card, the range is from 1 to 10000 min.
Additive Constant Specifies the length of time that the router waits for any further attempts to
revert to the default SIM card. This length of time is the sum of the time specified
in the "Subsequent Timeout" parameter and the time specified in this
parameter. The range of this parameter is from 1 to 10000 minutes.
Table 27: Parameters for SIM Card Switching


3.4.7 Examples of SIM Card Switching Configuration


Example 1: Timeout Configuration

Mark the Switch to default SIM card after timeout check box, and fill in the following values:

Figure 27: Configuration for SIM card switching Example 1

The first attempt to change to the default SIM card is carried out after 60 minutes. When the first attempt
fails, a second attempt is made after 30 minutes. A third attempt is made after 50 minutes (30+20). A fourth
attempt is made after 70 minutes (30+20+20).

Example 2: Data Limit Switching

The following configuration illustrates a scenario in which the router changes to the second SIM card
after exceeding the data limit of 800 MB on the first (default) SIM card. The router sends an SMS upon
reaching 400 MB (this setting has to be enabled on the SMS Configuration page). The accounting period
starts on the 18th day of the month.

Figure 28: Configuration for SIM card switching Example 2
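The AND rule from Table 26 and the timeout arithmetic from Example 1, written out as an added Python example that is not the router's firmware code. It is a simplified model: the class and function names are hypothetical, the inputs are constructed, and the 60/30/20-minute values are the ones implied by the Example 1 text.

```python
"""Simplified model of SIM selection (Table 26) and of the revert-to-default
timeouts (Table 27). Added example with hypothetical names, not firmware code."""
from dataclasses import dataclass


@dataclass
class SimRules:
    """Per-SIM settings, named after the form items."""
    sim_card: str = "enabled"                 # enabled | disabled
    roaming_state: str = "not applicable"     # not applicable | home network only
    data_limit_state: str = "not applicable"  # not applicable | not exceeded
    bin_state: str = "not applicable"         # not applicable | on | off
    data_limit_mb: int = 0                    # Data Limit (Table 25)


@dataclass
class SimStatus:
    """Runtime facts the rules are evaluated against (constructed inputs)."""
    roaming: bool = False
    used_mb: int = 0
    bin_voltage_present: bool = False


def sim_allowed(rules, status):
    """Logical product (AND) of the four conditions for one SIM card."""
    return all([
        rules.sim_card == "enabled",
        rules.roaming_state == "not applicable" or not status.roaming,
        rules.data_limit_state == "not applicable"
        or status.used_mb <= rules.data_limit_mb,
        # "on" requires voltage on the binary input, "off" requires none.
        rules.bin_state == "not applicable"
        or (rules.bin_state == "on") == status.bin_voltage_present,
    ])


def select_sim(default_sim, rules, status):
    """Return 1 or 2; None means no SIM qualifies and the module goes off-line."""
    other = 2 if default_sim == 1 else 1
    for sim in (default_sim, other):
        if sim_allowed(rules[sim], status[sim]):
            return sim
    return None


def revert_waits(initial, subsequent, additive, attempts):
    """Minutes waited before each attempt to switch back to the default SIM."""
    for name, value in (("Initial Timeout", initial),
                        ("Subsequent Timeout", subsequent),
                        ("Additive Constant", additive)):
        if not 1 <= value <= 10000:
            raise ValueError(f"{name} must be 1 to 10000 minutes, got {value}")
    waits = [initial]
    for n in range(attempts - 1):
        # Every further attempt adds the Additive Constant once more.
        waits.append(subsequent + n * additive)
    return waits[:attempts]


if __name__ == "__main__":
    # Example 2: SIM 1 is the default with an 800 MB limit; 801 MB were used.
    rules = {1: SimRules(data_limit_state="not exceeded", data_limit_mb=800),
             2: SimRules()}
    status = {1: SimStatus(used_mb=801), 2: SimStatus()}
    print("selected SIM:", select_sim(1, rules, status))
    print("revert waits:", revert_waits(60, 30, 20, 4))
```

The model does not cover the Check Connection failure detection that triggers the switch to the backup SIM card; it only shows which SIM the rules permit and when the router tries to go back.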


3.4.8 PPPoE Bridge Mode Configuration

This functionality is not related to the bridge function that can be configured for Ethernet or Wi-Fi AP
interfaces.

Enable PPPoE bridge mode functionality activates the PPPoE bridge protocol. PPPoE (Point-to-Point
Protocol over Ethernet) is a network protocol used for encapsulating Point-to-Point Protocol (PPP) frames
inside Ethernet frames.
This bridge mode allows you to create a PPPoE connection from a device behind the router, such as
a PC connected to the router’s ETH interface. In this configuration, the SIM IP address is assigned directly
to the connected PC.

Item Description
Enable PPPoE bridge mode Tick to enable the PPPoE bridge mode.
Table 28: PPPoE Bridge Mode


3.5 PPPoE
PPPoE (Point-to-Point over Ethernet) is a network protocol that encapsulates PPP frames into Ethernet
frames. The router uses the PPPoE client to connect to devices supporting a PPPoE bridge or server. The
bridge or server is typically an ADSL router.
To open the PPPoE Configuration page, select the PPPoE menu item. If you check the Create PPPoE
connection box, the router will attempt to establish a PPPoE connection after boot-up. Once connected, the
router obtains the IP address of the device to which it is connected. Communication from devices behind
the PPPoE server is then forwarded to the router, enabling full network access.

Figure 29: PPPoE Configuration

Item Description
Create PPPoE connection Enable PPPoE on the selected interface.
Interface Select an Ethernet interface for the PPPoE connection.
Username Username for secure access to PPPoE.
Password Password for secure access to PPPoE. Enter valid characters only, see chap.
1.2.1.
Authentication Authentication protocol in the GSM network.

• PAP or CHAP – The router selects the authentication method.


• PAP – The router uses the PAP authentication method.
• CHAP – The router uses the CHAP authentication method.
IP Mode Specifies the version of the IP protocol:

• IPv4 – Only the IPv4 protocol is used (default).


• IPv6 – Only the IPv6 protocol is used.
• IPv4/IPv6 – Dual stack for both IPv4 and IPv6 is enabled.
MRU Specifies the Maximum Receive Unit. The MRU identifies the maximum
packet size that the router can receive via PPPoE. The default value is 1492 B
(bytes). Other settings may result in incorrect data transmission. The minimum
value for IPv4 and IPv4/IPv6 mode is 128 B, and for IPv6 mode is 1280 B.
MTU Specifies the Maximum Transmission Unit. The MTU identifies the maximum
packet size that the router can transfer in a given environment. The default
value is 1492 B (bytes). Other settings may result in incorrect data transmission.
The minimum value for IPv4 and IPv4/IPv6 mode is 128 B, and for IPv6
mode is 1280 B.
Clamp Max. Segment Size Enhances network performance and stability by adjusting the Maximum
Segment Size (MSS) of TCP packets to align with the network connection’s Path
Maximum Transmission Unit (PMTU). It is enabled by default.
DNS Settings Can be set to obtain the DNS address from the server or to configure it manually.
Primary DNS Server Primary IPv4 address of the DNS server.
Primary IPv6 DNS Server Primary IPv6 address of the DNS server.
Secondary DNS Server Secondary IPv4 address of the DNS server.
Secondary IPv6 DNS Server Secondary IPv6 address of the DNS server.
Table 29: PPPoE Configuration

Setting an incorrect packet size value (MRU, MTU) can cause unsuccessful transmission.


3.6 WiFi Access Point

• This feature is available only on routers equipped with a WiFi module.

• The router supports the configuration of two separate WLANs (Multiple SSIDs).

• Multi-role mode allows the router to function as both an access point (AP) and a station (STA)
simultaneously. However, multichannel mode is not supported, meaning the AP and STA must operate on
the same channel. Please note that only one AP can be active alongside the STA in operation.

• RADIUS (Remote Authentication Dial-In User Service), a networking protocol for centralized
Authentication, Authorization, and Accounting (AAA) management, is supported for WiFi. The router acts as
a RADIUS client (not a server), typically as a WiFi AP (Access Point) communicating with a RADIUS
server.

To enable WiFi access point mode, check the Enable WiFi AP box at the top of the Configuration → WiFi
→ Access Point 1 or Access Point 2 configuration pages. In this mode, the router functions as an access
point, allowing other devices in station (STA) mode to connect.
The table below lists the available configuration options.

Item Description
Enable WiFi AP Enables the WiFi access point (AP).
IP Address A fixed IP address for the WiFi interface. Use IPv4 notation in the IPv4 column
and IPv6 notation in the IPv6 column. Shortened IPv6 notation is supported.
Subnet Mask / Prefix Specifies a Subnet Mask for the IPv4 address. In the IPv6 column, enter the
prefix length (0 to 128).
Bridged Activates bridge mode:

• no – Bridged mode is disabled (default). The WLAN network is separate
from the LAN.
• yes – Bridged mode is enabled. The WLAN network is connected to one
or more LAN networks. In this case, most of the settings in this table are
ignored, and the router uses the settings of the selected network interface
(LAN).
See the Bridge Notes in Chapter 3.1 for further details.
Enable dynamic DHCP leases Enables dynamic allocation of IP addresses using the DHCP (DHCPv6) server.
IP Pool Start Beginning of the IP address range assigned to DHCP clients. Use proper
notation for the IPv4 and IPv6 columns.
IP Pool End End of the IP address range assigned to DHCP clients. Use proper
notation for the IPv4 and IPv6 columns.
Lease Time Duration (in seconds) for which a client can use the assigned IP address.
Enable IPv6 prefix delegation Enables prefix delegation for IPv6.
Subnet ID The decimal value of the Subnet ID for the Ethernet interface. The maximum
value depends on the Subnet ID Width.
Subnet ID Width Maximum Subnet ID Width, which depends on your site’s configuration. The
remaining bits to reach 64 are used for the prefix.
SSID The unique identifier (SSID) of the WiFi network.
Broadcast SSID Defines how the SSID is broadcast in the beacon frame.

• Enabled – SSID is included in the beacon frame


• Zero length – The beacon frame does not include the SSID. Requests for
sending beacon frame are ignored.
• Clear – SSID characters in beacon frames are replaced with zeros, maintaining
the original length. Requests for beacon frames are ignored.
SSID Isolation When enabled, and a zone is selected, WiFi clients connected to this access point
cannot communicate with clients connected to another access point that has a
different zone selected. However, clients can still communicate with other clients
connected to the same access point unless Client Isolation is also enabled.
Client Isolation If enabled, the access point isolates each connected client, preventing them from
communicating with each other (they are in separate networks and cannot PING
each other). If disabled, the access point functions like a switch, allowing clients
on the same LAN to see and communicate with each other.
WMM Enables basic QoS (Quality of Service) for WiFi networks. This feature does not
guarantee network throughput but is suitable for simple applications that require
QoS.
Country Code • The country code where the router is installed. This code must be entered in
ISO 3166-1 alpha-2 format.
• For proper and optimal utilization of WiFi functionality in the given region, always
set the correct country code.
• After changing the country code, save the settings by clicking the Apply button,
then continue with further WiFi configuration.
• If the country code is not specified, the default "00" code is used.
• If an incorrect country code is entered, the router may violate country-specific
regulations regarding the use of WiFi parameters.
• This option is not available for NAM routers, where the "US" country code is set
by default.
Follow STA radio settings When enabled, and the STA is connected to a foreign AP, the access point’s
radio settings will automatically adjust to match those of the connected foreign AP.
HW Mode¹ Specifies the WiFi standard (HW mode) that will be supported by the WiFi access
point.

• IEEE 802.11b (2.4 GHz)


• IEEE 802.11b+g (2.4 GHz)
• IEEE 802.11b+g+n (2.4 GHz)
• IEEE 802.11a (5 GHz)
• IEEE 802.11a+n (5 GHz)
• IEEE 802.11ac (5 GHz)
Channel¹ The channel on which the WiFi access point (AP) is transmitting. The available
channels depend on the selected Country Code. You can choose Auto to allow
the system to select the optimal channel automatically. To view the channels
available for a different country code, change the country code, click Apply, and
the channel list will update accordingly.
Note: On NAM routers, only channels 1 to 11 are supported.
Bandwidth¹ Allows you to select the transfer bandwidth. Note that this option may be
unavailable for some hardware modes. If a selected bandwidth is already occupied, the
router may automatically switch to a lower bandwidth.
Short GI This option, available for HW mode 802.11n, enables the use of a short guard
interval (GI) of 400 ns instead of the standard 800 ns, improving data transmission
efficiency.
Authentication Defines access control and authorization methods for users in the WiFi network.

• Open – No authentication required (free access point).


• Shared – Basic authentication using a WEP key.
• WPA-PSK – Pre-Shared Key (PSK) authentication with WPA encryption.
• WPA2-PSK – Pre-Shared Key (PSK) authentication using WPA2 encryption
with AES.
• WPA3-PSK – Pre-Shared Key (PSK) authentication using WPA3 encryption
with AES.
• WPA-Enterprise – RADIUS-based authentication using an external server
with username/password.
• WPA2-Enterprise – RADIUS-based authentication with stronger encryption.
• WPA3-Enterprise – RADIUS-based authentication with stronger encryption.
Encryption Specifies the type of data encryption used in the WiFi network.

• None – No data encryption.


• WEP – Wired Equivalent Privacy (WEP) encryption with static keys. This
method is considered insecure and may not be available on some models.
• TKIP – Temporal Key Integrity Protocol (TKIP), used for WPA-PSK and
WPA2-PSK authentication.
• AES – Advanced Encryption Standard (AES), used for WPA2-PSK authentication.
WEP Key Type Specifies the WEP key format.

• ASCII – WEP key in ASCII format.


• HEX – WEP key in hexadecimal format.
WEP Default Key Specifies the default WEP key.
WEP Key 1–4 Allows entry of up to four different WEP keys.

• ASCII format: The WEP key must be entered in quotes and can have the
following lengths:
– 5 characters (40-bit WEP key)
– 13 characters (104-bit WEP key)
– 16 characters (128-bit WEP key)
• Hexadecimal format: The WEP key must be entered using hexadecimal
digits and can have the following lengths:
– 10 hex digits (40-bit WEP key)
– 26 hex digits (104-bit WEP key)
– 32 hex digits (128-bit WEP key)
WPA PSK Type Specifies the available key options for WPA-PSK authentication.

• 256-bit secret – A 64-character hexadecimal key.


• ASCII passphrase – An alphanumeric passphrase of 8 to 63 characters.
• PSK File – Absolute path to a file containing a list of key-MAC address pairs.
WPA PSK The key used for WPA-PSK authentication. This key must match the selected
WPA PSK type:

• 256-bit secret – A 64-character hexadecimal string.


• ASCII passphrase – An 8 to 63-character passphrase.
• PSK File – The absolute path to a file containing PSK key and MAC address
pairs.
RADIUS Auth Server IP IPv4 or IPv6 address of the RADIUS authentication server. This is required
when using RADIUS-based authentication.
RADIUS Auth Password Access password for the RADIUS authentication server. Required when using
RADIUS authentication.
RADIUS Auth Port Port number of the RADIUS authentication server. The default value is 1812.
Required when using RADIUS authentication.
RADIUS Acct Server IP IPv4 or IPv6 address of the RADIUS accounting server. Define this only if it
differs from the authentication server. Required when using RADIUS authentication.
RADIUS Acct Password Access password for the RADIUS accounting server. Define this only if it
differs from the authentication server. Required when using RADIUS authentication.
RADIUS Acct Port Port number of the RADIUS accounting server. The default value is 1813. Define
this only if it differs from the authentication server. Required when using RADIUS
authentication.
Access List Defines the mode of the Access/Deny list.

• Disabled – The Access/Deny list is not used.


• Accept – Only clients in the Accept/Deny list can access the network.
• Deny – Clients in the Accept/Deny list cannot access the network.
Accept/Deny List List of client MAC addresses for network access control. Each MAC address
should be entered on a new line.
Syslog Level Defines the logging level used when writing to the system log.

• Verbose debugging – The highest level of logging.


• Debugging
• Informational – The default logging level.
• Notification
• Warning – The lowest level of system logging.
Extra options Allows the user to define additional parameters for hostapd. Options are
added as-is to the end of the configuration file. For more information, refer to
the hostapd.conf Linux man page. Use this option only if you are familiar with
its functionality.
Table 30: WiFi Configuration Items Description

¹ The availability of configuration options may vary depending on the specific WiFi module and can be
affected by the selected country code.


Figure 30: WiFi Access Point Configuration Page


3.7 WiFi Station

• This feature is available only on routers equipped with a WiFi module.

• The WiFi module supports multi-role mode, allowing the router to operate as both an access point
(AP) and a station (STA) simultaneously. However, multichannel mode is not supported, meaning
the AP and STA must operate on the same channel.

• In WiFi STA mode, only the authentication methods EAP-PEAP/MSCHAPv2 (both PEAPv0 and
PEAPv1) and EAP-TLS are supported.

Activate WiFi station mode by checking the Enable WiFi STA box at the top of the Configuration → WiFi
→ Station configuration page. In this mode, the router functions as a client station, receiving data packets
from the available access point (AP) and transmitting data from its wired connection over the WiFi network.

Figure 31: WiFi Station Configuration Page


Item Description
Enable WiFi STA Enables the WiFi station (STA) mode.
DHCP Client Activates or deactivates the DHCP client. In the IPv6 column, this enables the
DHCPv6 client.
IP Address Specifies a fixed IP address for the WiFi interface. Use IPv4 notation in the
IPv4 column and IPv6 notation in the IPv6 column. Shortened IPv6 notation is
supported.
Subnet Mask / Prefix Defines a subnet mask for the IPv4 address. In the IPv6 column, enter the prefix
length (a number between 0 and 128).
Default Gateway Specifies the IP address of the default gateway. If provided, all packets with
destinations not found in the routing table are sent to this gateway. Use the
appropriate IP address notation in the IPv4 and IPv6 columns.
Primary DNS Server Specifies the primary IP address of the DNS server. If the requested IP address
is not found in the routing table, this DNS server is queried. Use proper IP
address notation in the IPv4 and IPv6 columns.
Secondary DNS Server Specifies the secondary IP address of the DNS server.
SSID The unique identifier of the WiFi network.
Probe Hidden SSID An access point (AP) with a hidden SSID (see the Broadcast SSID option in the
AP configuration) does not respond to broadcast probe requests, preventing the
station from obtaining the necessary information to connect. Enable this option
to force the station to probe a specific SSID. If you do not expect a hidden SSID,
it is recommended to disable this setting to avoid unnecessary radio transmissions.
Country Code • Note: The country code must be entered in ISO 3166-1 alpha-2 format.
• Optional entry of the country code where the router is installed.
• If not specified, the code is inherited from the AP to which the STA connects.
• If an incorrect country code is entered, the router may violate country-specific
regulations regarding WiFi parameters.
• This option is not available for NAM routers, where the "US" country code is
set by default.
Authentication Access control and authorization of users in the WiFi network.

• Open – No authentication required (public access point).


• Shared – Authentication based on Pre-Shared Keys (PSK) using the WEP
protocol (considered insecure).
• WPA-PSK – Authentication based on Pre-Shared Keys (PSK) using the
original WPA protocol (considered insecure).
• WPA2-PSK – Authentication based on Pre-Shared Keys (PSK) using the
WPA2 standard.
• WPA3-PSK – Authentication based on Pre-Shared Keys (PSK) using the
latest WPA3 standard.
• WPA-Enterprise – Authentication using RADIUS with the original WPA
protocol (considered insecure).
• WPA2-Enterprise – Authentication using RADIUS with the WPA2 standard.
• WPA3-Enterprise – Authentication using RADIUS with the WPA3 standard.
Encryption Type of data encryption in the WiFi network:

• None – No encryption (unencrypted network).


• WEP – Static encryption using WEP keys. This encryption can be used
with Shared authentication but is considered insecure and may not be supported
on some models.
• TKIP – Legacy dynamic encryption used with WPA and WPA2 authentication.
• AES – Modern dynamic encryption used with WPA2 and WPA3 authentication.
WEP Key Type Specifies the format of the WEP key:

• ASCII – WEP key in ASCII format.


• HEX – WEP key in hexadecimal format.
WEP Default Key Defines the default WEP key used for encryption.
WEP Key 1–4 Allows entry of up to four different WEP keys:

• WEP key in ASCII format (must be enclosed in quotes). Supported lengths:


– 5 ASCII characters (40-bit WEP key)
– 13 ASCII characters (104-bit WEP key)
– 16 ASCII characters (128-bit WEP key)
• WEP key in hexadecimal format. Supported lengths:
– 10 hexadecimal digits (40-bit WEP key)
– 26 hexadecimal digits (104-bit WEP key)
– 32 hexadecimal digits (128-bit WEP key)
WPA PSK Type Specifies the type of key used for WPA-PSK authentication.

• 256-bit secret – Requires a 64-digit hexadecimal key.


• ASCII passphrase – Accepts a passphrase between 8 and 63 characters.
WPA PSK The WPA-PSK authentication key. The key format depends on the selected WPA
PSK type:

• 256-bit secret – Must be a 64-digit hexadecimal value.


• ASCII passphrase – Must contain between 8 and 63 characters.
RADIUS EAP Authentication Specifies the EAP protocol used for authentication.

• EAP-PEAP/MSCHAPv2 – Uses TLS to protect legacy EAP authentication.
• EAP-TLS – Utilizes TLS for mutual authentication between the client and
server.
RADIUS CA Certificate The Certificate Authority (CA) certificate used to verify the server certificate
when EAP-TLS authentication is selected.
RADIUS Local Certificate The client certificate required for authentication when EAP-TLS is selected.
RADIUS Local Private Key The private key associated with the client certificate for EAP-TLS authentication.
RADIUS Identity The identity used for connecting to the RADIUS server.
RADIUS Password The password used to authenticate the RADIUS identity when
EAP-PEAP/MSCHAPv2 authentication is selected.
RADIUS Local Private Key Password Password used to access the RADIUS Local Private Key when
EAP-TLS authentication is selected.
Syslog Level Defines the logging level for system log messages.

• Verbose debugging – The highest level of logging.


• Debugging
• Informational – Default logging level.
• Notification
• Warning – The lowest level of system communication.
Extra options Allows users to define additional parameters for hostapd. The options
are appended directly to the configuration file. For more details, refer to the
hostapd.conf Linux man page. Use this feature only if you fully understand
its implications.
Table 31: WLAN Configuration Items Description
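The Authentication, Encryption, WEP Key and WPA PSK rows of Tables 30 and 31 can be checked mechanically before a profile is applied. The following is an added Python example, not Advantech code: the dictionary keys are the form item names rather than the router's stored configuration keys, the severity labels are this example's own, and both sample profiles are constructed.

```python
"""Audit a WiFi AP/STA settings dict against the option tables above.
Added example: keys are the form item names, sample profiles are constructed."""
import re

WEP_ASCII_BITS = {5: 40, 13: 104, 16: 128}    # characters -> key size
WEP_HEX_BITS = {10: 40, 26: 104, 32: 128}     # hex digits -> key size

# Options the manual itself marks as unauthenticated, insecure or legacy.
WEAK_AUTH = {
    "Open": "no authentication required",
    "Shared": "WEP-based authentication, considered insecure",
    "WPA-PSK": "original WPA protocol, considered insecure",
    "WPA-Enterprise": "original WPA protocol, considered insecure",
}
WEAK_ENC = {
    "None": "traffic is not encrypted",
    "WEP": "static keys, considered insecure",
    "TKIP": "legacy encryption",
}


def is_hex(text):
    return re.fullmatch(r"[0-9A-Fa-f]+", text) is not None


def wep_key_bits(key, key_type):
    """Return the WEP key size in bits, or raise ValueError if malformed."""
    if key_type == "ASCII":
        if len(key) < 2 or not (key.startswith('"') and key.endswith('"')):
            raise ValueError("ASCII WEP key must be entered in quotes")
        body, sizes = key[1:-1], WEP_ASCII_BITS
    elif key_type == "HEX":
        if not is_hex(key):
            raise ValueError("HEX WEP key must contain only hex digits")
        body, sizes = key, WEP_HEX_BITS
    else:
        raise ValueError(f"unknown WEP key type: {key_type!r}")
    if len(body) not in sizes:
        raise ValueError(f"unsupported WEP key length: {len(body)}")
    return sizes[len(body)]


def wpa_psk_ok(psk, psk_type):
    """Check a WPA PSK value against the format its WPA PSK Type requires."""
    if psk_type == "256-bit secret":
        return len(psk) == 64 and is_hex(psk)
    if psk_type == "ASCII passphrase":
        return 8 <= len(psk) <= 63
    if psk_type == "PSK File":
        return psk.startswith("/")            # must be an absolute path
    return False


def audit_wifi(cfg):
    """Return a list of (severity, item, message) findings for one profile."""
    findings = []
    auth = cfg.get("Authentication", "")
    enc = cfg.get("Encryption", "")
    if auth in WEAK_AUTH:
        findings.append(("high", "Authentication", f"{auth}: {WEAK_AUTH[auth]}"))
    if enc in WEAK_ENC:
        findings.append(("high", "Encryption", f"{enc}: {WEAK_ENC[enc]}"))
    if enc == "WEP":
        for n in range(1, 5):
            key = cfg.get(f"WEP Key {n}")
            if key:
                try:
                    wep_key_bits(key, cfg.get("WEP Key Type", "ASCII"))
                except ValueError as err:
                    findings.append(("error", f"WEP Key {n}", str(err)))
    if auth.endswith("-PSK"):
        if not wpa_psk_ok(cfg.get("WPA PSK", ""), cfg.get("WPA PSK Type", "")):
            findings.append(("error", "WPA PSK", "value does not match WPA PSK Type"))
    if cfg.get("Extra options", "").strip():
        # Extra options bypass the form's validation, so they need a manual review.
        findings.append(("review", "Extra options",
                         "appended as-is to the configuration file"))
    return findings


# Constructed sample profiles.
LEGACY_AP = {"Authentication": "Shared", "Encryption": "WEP",
             "WEP Key Type": "ASCII", "WEP Key 1": '"abcde"',
             "WEP Key 2": "abcdefgh", "Extra options": "ignore_broadcast_ssid=1"}
HARDENED_AP = {"Authentication": "WPA2-PSK", "Encryption": "AES",
               "WPA PSK Type": "ASCII passphrase",
               "WPA PSK": "constructed example passphrase"}

if __name__ == "__main__":
    for name, profile in (("legacy", LEGACY_AP), ("hardened", HARDENED_AP)):
        for finding in audit_wifi(profile) or [("ok", "-", "no findings")]:
            print(name, *finding, sep=" | ")
```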


3.8 Backup Routes

• Note that some interfaces, typically WiFi, ETH2, or ETH1, may not be available for some router
product lines or for the model you are currently using.

• Note that an ETH interface won’t be used as WAN for the default backup route priorities if
neither an IP address is configured nor the DHCP client is enabled for this ETH interface.

• Just for the default priorities mode: Unplugging the Ethernet cable does not switch the WAN
interface to the next one in order.

Typically, you want the router to direct traffic from the whole LAN (Local Area Network) behind the router
to an external WAN (Wide Area Network) outside, such as the Internet.
Backup Routes is a mechanism for customizing which of the router’s interfaces are used for communication
with the WAN outside the router. The Backup Routes configuration page is shown in Figure 32.
If you do not need to customize this behavior, leave the Backup Routes configuration page as it is,
unconfigured, and the router will proceed as described in Chapter 3.8.1 Default Priorities for Backup Routes.
If you want to set up this feature your way, see Chapter 3.8.2 User Customized Backup Routes for more
information.

3.8.1 Default Priorities for Backup Routes


By default, when the first checkbox, Enable backup routes switching, is unchecked, the backup routes
system is not user customized and operates with the default mechanism: the router selects a route
to the WAN based on the default priorities.
The following is the list of the network interfaces in descending order from the highest priority to the
lowest priority interface for use as a WAN interface.

1. Mobile WAN (pppX, usbX)


2. PPPoE (ppp0)
3. WiFi STA (wlan0)
4. ETH1 (eth1)
5. ETH2 (eth2)
6. ETH0 (eth0)

For example, based on the list above, the ETH1 interface will only be used as the WAN
interface if the Mobile WAN, PPPoE, and WiFi STA interfaces are down or disabled.
It follows that an interface connected to a LAN network can take over the role of a WAN
interface under certain circumstances. Communication from the LAN to the WAN can be blocked
or forwarded by rules configured on the NAT and Firewall configuration pages.


3.8.2 User Customized Backup Routes


You can choose preferred router interfaces acting as the WAN, including their priorities, on the Backup
Routes configuration page; see Figure 32. Switching between the WAN is then carried out according to the
order of priority and the state of all the affected interfaces.
There are three different modes you can choose for the connection backup as described in Table 32.

Item Description
Enable backup routes switching Enables the customized backup routes setting made on the whole
configuration page. If disabled (unchecked), the backup routes system operates in the default
mechanism, as described in Chapter 3.8.1.
Mode Single WAN

• Just one interface is used for the WAN communication at a time.
• Other interfaces (if enabled) are used as the backup routes for the WAN communication
when the active interface fails (based on the priorities set).
• Just one interface, currently active, is allowed to access the router from a
network outside the router.

Multiple WANs

• Just one interface is used for the WAN communication at a time.
• Other interfaces (if enabled) are used as the backup routes for the WAN communication
when the active interface fails (based on the priorities set).
• The router is accessible from networks outside on all enabled interfaces. This
is the only difference from the Single WAN mode.

Load Balancing

• In this mode, it is possible to split the volume of data passing through individual
WAN interfaces.
• If this mode is chosen, the weight for every interface is enabled in the GUI
and can be set.
• This setting determines the relative number of data streams passing through
the interfaces.
Table 32: Backup Routes Modes Items Description

You have now selected a backup route mode. To add a network interface to the backup routes system,
mark the enable checkbox of that interface. Enabled interfaces are used for WAN access based on their
priorities.


Note for Load Balancing mode: The weight setting for load balancing may not precisely match the
amount of balanced data. It depends on the number of data flows and the data structure. The best
balancing result is achieved with a large number of data flows.

Note for Mobile WAN: If you want to use a mobile WAN connection as a backup route, choose
the enable + bind option in the Check Connection item on the Mobile WAN page and fill in the ping
address; see chapter 3.4.1.

Note for an ETH interface: Unlike the default backup route mode, disconnecting the Ethernet cable
from an ETH interface switches the route to the next in the sequence.

Settings, which can be made for each interface, are described in the table below. Any changes made to
settings will be applied after pressing the Apply button.

| Item | Description |
|---|---|
| Priority | Priority for the type of connection (network interface). |
| Ping IP Address | Destination IPv4 address or domain name of ping queries to check the connection. |
| Ping IPv6 Address | Destination IPv6 address or domain name of ping queries to check the connection. |
| Ping Interval | The time interval between consecutive ping queries. |
| Ping Timeout | Time in seconds to wait for a response to the ping. |
| Weight | Weight for the Load Balancing mode only. The number from 1 to 256 determines the ratio for load balancing of the interface. For example, if two interfaces both have the weight set to 1, the ratio is 50% to 50%. If the weights are set to 1 and 4, the ratio is 20% to 80%. |

Table 33: Backup Routes Configuration Items Description

Other notes:

• The system checks the state of an interface. For example, unlike the Default Priorities mode,
unplugging the Ethernet cable triggers a switchover to the next WAN interface in the sequence.

• To monitor the interface availability, you can use one or both Ping IP Addresses (IPv4 and IPv6) based
on the IP protocol used on a particular network interface and WAN connection settings.


Figure 32: Backup Routes Configuration Page


3.8.3 Backup Routes Examples


Example #1: Default Settings

As already described above, by default, if the Backup Routes are unconfigured, the system operates with
the default priorities as described in Chapter 3.8.1. Figure 33 shows the GUI configuration.

Note: Assume all the affected interfaces are correctly configured and activated on their configuration pages.

Figure 33: Example #1: GUI Configuration

Figure 34 illustrates the example topology.

Figure 34: Example #1: Topology


Example #2: Default Routes Switching

This example illustrates the case when the interface primarily used for the WAN connection is down. Its
role is taken over by the interface with the second highest priority. Since the Backup Routes configuration
is still unconfigured, the system operates with the default system priorities described in Chapter 3.8.1.
Figure 35 shows the GUI configuration.

Note: Assume all the affected interfaces are correctly configured and activated on their configuration pages.

Figure 35: Example #2: GUI Configuration

Figure 36 illustrates the example topology.

Figure 36: Example #2: Topology


Example #3: Custom Backup Routes

This example illustrates the configuration of custom backup routes for the Mobile WAN, PPPoE, and
ETH1 interfaces. The Mobile WAN interface has the highest priority, and the ETH1 interface has the lowest
priority. Figure 37 shows the GUI configuration.

Note: Assume all the affected interfaces are correctly configured and activated on their configuration pages.

Figure 37: Example #3: GUI Configuration


Figure 38 illustrates the example topology for Single WAN mode. If the Mobile WAN connection goes
down, the PPPoE tunnel takes its role, and so on. The ping to the 172.16.1.1 address, tested every 30
seconds with a timeout of 10 seconds, checks the status of the PPPoE tunnel.
Figure 39 illustrates the example topology for Multiple WAN mode. As you can see, the only difference
between these two modes is that in the Multiple WAN mode, the router is accessible on all interfaces from
the WAN simultaneously.

Figure 38: Example #3: Topology for Single WAN mode

Figure 39: Example #3: Topology for Multiple WAN mode


Example #4: Load Balancing Mode

This example illustrates the Load Balancing mode configuration. There are just two interfaces configured,
the Mobile WAN and PPPoE. The weight is set to 4 and 1, so the traffic data volume is approximately 80
and 20 percent. Figure 40 shows the GUI configuration.

Figure 40: Example #4: GUI Configuration

Figure 41 illustrates the example topology.

Figure 41: Example #4: Topology


Example #5: No WAN Routes

This example illustrates the case when Router Backup is enabled but no specific interface is selected for
the WAN route. In this case, the router has no dedicated WAN interface and routes the traffic within the LANs.
Figure 42 shows the GUI configuration.

Note: The Mobile WAN interface is not accessible, even if configured and connected to a cellular network.

Figure 42: Example #5: GUI Configuration

Figure 43 illustrates the example topology.

Figure 43: Example #5: Topology


3.9 Static Routes


Static routes can be configured on the Static Routes page. A static route provides a fixed routing path
within the network. It is manually set on the router and must be updated whenever the network topology
changes.
By default, static routes remain private unless redistributed by a routing protocol. Two configuration forms
are available: one for IPv4 and another for IPv6. You can define up to thirty-two rules in each form (IPv4
and IPv6). A new row for defining the next rule appears automatically after filling in the previous one. The
static routes configuration form for IPv4 is shown in Figure 44.

Figure 44: Static Routes Configuration Page

The description of all configuration items is listed in Table 34.

| Item | Description |
|---|---|
| Enable IPv4 static routes | Enables static routing functionality when checked. Only routes explicitly enabled via the checkbox in the first column of the table become active. |
| Destination Network | Specifies the destination IP address of the remote network or host to which the static route applies. |
| Mask or Prefix Length | Defines the subnet mask or prefix length of the remote network or host IP address. |
| Gateway | Specifies the IP address of the gateway device that facilitates communication between the router and the remote network or host. |
| Metric | Defines the route priority within the routing table. Lower metric values indicate higher priority. |
| Interface¹ | Selects the interface through which the remote network or host is reachable. |

Table 34: Static Routes Configuration for IPv4

¹ The Any interface allows users, for example, to configure static routes toward a GRE tunnel. When using this interface, specifying
a Gateway address is mandatory, as it determines the interface through which communication occurs.


3.10 Firewall
The firewall is responsible for filtering network traffic. The router implements independent IPv4 and IPv6
firewalls, as it supports a dual-stack configuration for both protocols.
Clicking the Firewall item in the Configuration menu on the left expands it into three submenus: IPv4,
IPv6, and Sites.
Figure 45 displays the default configuration page for the IPv6 firewall. The configuration fields are identi-
cal in both the IPv4 Firewall Configuration and IPv6 Firewall Configuration forms.

Figure 45: IPv6 Default Firewall Configuration

The first section of the configuration form defines the incoming firewall policy. If the Enable filtering
of incoming packets checkbox is unchecked, all incoming connections are accepted. When enabled, and
if connections originate from the WAN interface, the router checks them against the PREROUTING chain
in the mangle table. The router accepts a connection only if a matching rule exists with the Action set to
accept (the first matching rule is applied). If no matching rule is found or if the Action is set to deny, the
connection is dropped.
You can define rules based on IP addresses, protocols, and ports to allow or deny access to the router
and the internal network behind it. The system allows up to thirty-two rules, each of which can be enabled
or disabled using the checkbox on the left of the rule row. A new row for defining the next rule appears
automatically after filling in the previous one. See Table 35 for a description of the incoming rule definitions.
Please note that incoming rules apply only to connections originating from the WAN side (or WAN
interface). For details on priority rules related to WAN interfaces, refer to Chapter 3.8.1.


| Item | Description |
|---|---|
| Source¹ | Specifies the IP address to which the rule applies. Use an IPv4 address in IPv4 Firewall Configuration and an IPv6 address in IPv6 Firewall Configuration. |
| Protocol | Specifies the protocol to which the rule applies: • all – The rule applies to all protocols, including those not listed below. • TCP – The rule applies to the TCP protocol. • UDP – The rule applies to the UDP protocol. • GRE – The rule applies to the GRE protocol. • ESP – The rule applies to the ESP protocol. • ICMP/ICMPv6 – The rule applies to the ICMP protocol. In the IPv6 Firewall Configuration, there is an option for ICMPv6. |
| Target Port(s) | Specifies the port numbers or range that allow access to the router. Enter the initial and final port numbers separated by a hyphen. A single static port can also be specified. |
| Action | Specifies the action the router performs based on the rule: • allow – The router permits the packets to enter the network. • deny – The router blocks the packets from entering the network. |
| Description | A user-defined description of the rule. |

Table 35: Filtering of Incoming Packets

The next section of the configuration form defines the forwarding firewall policy. If the Enable filtering
of forwarded packets checkbox is unchecked, all incoming packets are accepted. When enabled, and if
a packet is addressed to another network interface, the router processes it through the FORWARD chain
in the iptables firewall. If the FORWARD chain accepts the packet, the router forwards it, provided there is
a corresponding entry in the routing table.
You can define up to thirty-two rules, each of which can be enabled or disabled using the checkbox
on the left side of the rule row. A new row for defining the next rule appears automatically after filling in
the previous one. The forwarding settings apply to all interfaces, regardless of whether the interface is
designated as WAN.
The configuration form includes a table for specifying filter rules. You can create a rule to allow data for
a selected protocol by specifying only the protocol, or you can define stricter rules by specifying values for
source IP addresses, destination IP addresses, and ports. See Table 36 for a description of the forwarding
rule definitions.
As shown in Figure 45, the first entry in the IPv6 forwarded packets configuration is the default firewall
rule for NAT64, which is disabled by default. To enable the NAT64 interface, navigate to Configuration →
NAT → IPv6 → Enable NAT64.

¹ This field supports IP address input in the formats: IP, IP/mask, or IP_start-IP_end.


| Item | Description |
|---|---|
| Source¹ | Specifies the source IP address to which the rule applies. Use an IPv4 address in the IPv4 Firewall Configuration and an IPv6 address in the IPv6 Firewall Configuration. |
| Destination¹ | Specifies the destination IP address to which the rule applies. Use an IPv4 address in the IPv4 Firewall Configuration and an IPv6 address in the IPv6 Firewall Configuration. |
| Protocol | Specifies the protocol to which the rule applies: • all – The rule applies to all protocols, including those not listed below. • TCP – The rule applies to the TCP protocol. • UDP – The rule applies to the UDP protocol. • GRE – The rule applies to the GRE protocol. • ESP – The rule applies to the ESP protocol. • ICMP/ICMPv6 – The rule applies to the ICMP protocol. In the IPv6 Firewall Configuration, there is an option for ICMPv6. |
| Target Port(s) | Specifies the target port numbers. Enter the initial and final port numbers separated by a hyphen. A single static port can also be specified. |
| Action | Defines the action the router performs based on the rule: • allow – The router permits the packets to be forwarded. • deny – The router blocks the packets from being forwarded. |
| Description | A user-defined description of the rule. |

Table 36: Forward Filtering

When the Enable filtering of locally destined packets function is enabled, the router automatically drops
packets requesting an unsupported service without sending any notification.
To protect against DoS attacks, the Enable protection against DoS attacks option limits the number of
allowed connections per second to five. A DoS attack floods the target system with excessive requests,
overwhelming its resources.

¹ This field supports IP address input in the formats: IP, IP/mask, or IP_start-IP_end.


3.10.1 Example of the IPv4 Firewall Configuration


The router permits the following access:

• Access from IP address 198.51.100.45 using any protocol.
• Access from the IP address range 192.0.2.123 to 192.0.3.127 using the TCP protocol on port 1000.
• Access from IP address 203.0.113.67 using the ICMP protocol.
• Access from IP address 203.0.113.67 using the TCP protocol on target ports ranging from 1020 to 1040.

See the network topology and configuration form in the figures below.

Figure 46: Topology for the IPv4 Firewall Configuration Example

Figure 47: IPv4 Firewall Configuration Example
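
The four rules of this example, evaluated with the first-match logic described in Chapter 3.10, as an added Python model (not Advantech code, and not a description of how the router implements filtering internally). It parses the three Source formats and the port ranges so that a rule list can be checked against sample packets and the size of an address range can be reviewed; the class names, function names and sample packets are assumptions.

```python
"""Added example: first-match model of the 'filtering of incoming packets' table."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def parse_source(spec: str):
    """Return (first, last) address for 'IP', 'IP/mask' or 'IP_start-IP_end'."""
    spec = spec.strip()
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(part.strip()) for part in spec.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid address range: {spec!r}")
        return lo, hi
    net = ipaddress.ip_network(spec, strict=False)  # a bare IP becomes /32 or /128
    return net[0], net[-1]


def parse_ports(spec: str):
    """Return (low, high) for '1000' or '1020-1040'; None when no port is given."""
    spec = spec.strip()
    if not spec:
        return None
    low, _, high = spec.partition("-")
    low, high = int(low), int(high or low)
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"invalid port range: {spec!r}")
    return low, high


def source_size(spec: str) -> int:
    """Number of addresses a Source entry covers (useful when reviewing ranges)."""
    first, last = parse_source(spec)
    return int(last) - int(first) + 1


@dataclass
class Rule:
    source: str
    protocol: str = "all"   # all, tcp, udp, gre, esp, icmp
    ports: str = ""         # only meaningful for tcp/udp
    action: str = "allow"   # allow or deny
    enabled: bool = True

    def __post_init__(self):
        # Parse once so that a malformed rule fails when it is defined.
        self.addr_range = parse_source(self.source)
        self.port_range = parse_ports(self.ports)

    def matches(self, src: str, protocol: str, dport: Optional[int]) -> bool:
        addr = ipaddress.ip_address(src)
        first, last = self.addr_range
        if addr.version != first.version or not first <= addr <= last:
            return False
        if self.protocol != "all" and self.protocol != protocol:
            return False
        if self.port_range is None:
            return True
        # Assumption of this model: a port constraint only matches TCP/UDP packets.
        low, high = self.port_range
        return protocol in ("tcp", "udp") and dport is not None and low <= dport <= high


def evaluate(rules, src, protocol, dport=None):
    """Return (action, rule_number); the first enabled match wins, no match is dropped."""
    for number, rule in enumerate(rules, start=1):
        if rule.enabled and rule.matches(src, protocol, dport):
            return rule.action, number
    return "deny", None


# The four rules of the example in 3.10.1, in the order listed there.
EXAMPLE_RULES = [
    Rule("198.51.100.45", "all"),
    Rule("192.0.2.123-192.0.3.127", "tcp", "1000"),
    Rule("203.0.113.67", "icmp"),
    Rule("203.0.113.67", "tcp", "1020-1040"),
]

if __name__ == "__main__":
    # Constructed sample packets: (source address, protocol, destination port).
    samples = [
        ("198.51.100.45", "udp", 53),
        ("192.0.3.5", "tcp", 1000),
        ("192.0.2.100", "tcp", 1000),
        ("203.0.113.67", "tcp", 22),
    ]
    for src, proto, port in samples:
        print(src, proto, port, "->", evaluate(EXAMPLE_RULES, src, proto, port))
    print("addresses in rule 2:", source_size(EXAMPLE_RULES[1].source))
```

The range in the second rule crosses a /24 boundary, so it covers more hosts than the last octets alone suggest; `source_size` makes that visible before the rule is applied.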


3.10.2 Sites
This feature works only if the device is using the router as its DNS server.

On the Sites configuration page, you can define URL addresses to be blocked by the firewall (see Fig-
ure 48). To enable site blocking, tick the Enable sites blocking checkbox and enter the URL addresses in
the Block list box, placing each address on a separate line. You can also use the Load From File... button
to import addresses from a plain text file.

Figure 48: Firewall Sites Configuration GUI


3.11 NAT
To configure the address translation function, navigate to NAT under the Configuration section of the
main menu, then select either the IPv4 or IPv6 subpage. The NAT IPv4 configuration page is shown in
Figure 49. Separate NAT configuration options are available for IPv4 and IPv6, as the router supports
dual-stack operation. The configuration fields are consistent across both IPv4 and IPv6 pages.
The router utilizes Port Address Translation (PAT), a technique that maps one TCP/UDP port to another
by modifying the packet header as packets pass through. This configuration form allows you to define up to
sixty-four PAT rules. A new row for defining the next rule appears automatically after filling in the previous
one. Table 37 describes the fields used for specifying these rules.

| Item | Description |
|---|---|
| Public Port(s) | Defines the range of public port numbers for NAT. Enter the initial and final port numbers separated by a hyphen. A single static port can also be specified. |
| Private Port(s) | Defines the range of private port numbers for NAT. Enter the initial and final port numbers separated by a hyphen. A single static port can also be specified. |
| Type | Specifies the protocol type: TCP or UDP. |
| Server IP Address | (NAT IPv4 only) Specifies the IPv4 address to which the router forwards incoming traffic. |
| Server IPv6 Address | (NAT IPv6 only) Specifies the IPv6 address to which the router forwards incoming traffic. |
| Description | A user-defined description of the rule. |

Table 37: NAT Configuration Items Description

If you require more than sixty-four NAT rules, you can add the additional rules to the Startup Script. The
Startup Script dialog is located on the Scripts page under the Configuration section of the menu. To define
NAT rules in the Startup Script, use the following command for IPv4 NAT:

    iptables -t nat -A pre_nat -p tcp --dport [PORT_PUBLIC] -j DNAT --to-destination [IPADDR]:[PORT_PRIVATE]

Replace the placeholders as follows:


[IPADDR] – The destination IP address.
[PORT_PUBLIC] – The public port number.
[PORT_PRIVATE] – The private port number.

For IPv6 NAT, use the ip6tables command with the same options:

    ip6tables -t nat -A napt -p tcp --dport [PORT_PUBLIC] -j DNAT --to-destination [IP6ADDR]:[PORT_PRIVATE]
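
An added example (not Advantech code): a workstation-side Python helper that turns a list of extra port forwards into Startup Script lines in the form shown above, using the pre_nat and napt chain names from this manual. It validates ports and addresses, rejects a public port that is forwarded twice, and writes the IPv6 target as [address]:port, which is the form ip6tables expects when a port follows an IPv6 address; the function names and the sample rules are assumptions.

```python
"""Added example: build Startup Script lines for additional port-forwarding rules."""
import ipaddress
import shlex

# Tool and chain names exactly as given in the manual text above.
TARGETS = {4: ("iptables", "pre_nat"), 6: ("ip6tables", "napt")}


def _check_port(value):
    if not isinstance(value, int) or not 1 <= value <= 65535:
        raise ValueError(f"invalid port: {value!r}")
    return value


def dnat_command(public_port, server, private_port, proto="tcp"):
    """Return one DNAT command line for the Startup Script."""
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol: {proto!r}")
    _check_port(public_port)
    _check_port(private_port)
    # ip_address() accepts only literal addresses, so host names and any text
    # carrying shell metacharacters are rejected before a line is written.
    addr = ipaddress.ip_address(server)
    tool, chain = TARGETS[addr.version]
    if addr.version == 6:
        target = f"[{addr}]:{private_port}"   # literal brackets around the IPv6 address
    else:
        target = f"{addr}:{private_port}"
    args = [tool, "-t", "nat", "-A", chain, "-p", proto,
            "--dport", str(public_port), "-j", "DNAT", "--to-destination", target]
    # Quote every argument; the bracketed IPv6 target would otherwise be a glob pattern.
    return " ".join(shlex.quote(arg) for arg in args)


def startup_lines(rules):
    """Return command lines for (public_port, server, private_port, proto) tuples.

    A public port listed twice for the same address family and protocol is an
    error: only the first DNAT rule that matches a packet is applied, so the
    second entry would never take effect.
    """
    seen = {}
    lines = []
    for public_port, server, private_port, proto in rules:
        line = dnat_command(public_port, server, private_port, proto)
        key = (ipaddress.ip_address(server).version, proto, public_port)
        if key in seen:
            raise ValueError(
                f"public {proto} port {public_port} is already forwarded to {seen[key]}")
        seen[key] = server
        lines.append(line)
    return lines


if __name__ == "__main__":
    # Constructed sample rules; the first one uses the addresses of NAT Example 2.
    sample_rules = [
        (81, "192.168.1.2", 80, "tcp"),
        (5060, "192.168.1.3", 5060, "udp"),
        (8443, "2001:db8::10", 443, "tcp"),
    ]
    print("\n".join(startup_lines(sample_rules)))
```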

If you enable the following options and specify a port number, the router allows remote access from the
WAN (Mobile WAN) interface.


Figure 49: NAT IPv4 Configuration Page

The next section allows enabling or disabling access to common protocols on specific ports. See Table 38
for details.

| Item | Description |
|---|---|
| Enable remote HTTP access on port | This option redirects HTTP traffic to HTTPS only. |
| Enable remote HTTPS access on port | If enabled and a port number is specified, the router’s web interface can be accessed remotely. |
| Enable remote FTP access on port | Allows remote access to the router via FTP. |
| Enable remote SSH access on port | Allows remote access to the router via SSH. |
| Enable remote Telnet access on port | Allows remote access to the router via Telnet. |
| Enable remote SNMP access on port | Allows remote access to the router via SNMP. |

Table 38: Remote Access Configuration

Enable remote HTTP access on port only redirects HTTP traffic to HTTPS and does not allow unse-
cured HTTP access to the web configuration. To configure the web interface, always enable HTTPS
access. Never enable HTTP alone for Internet access; always enable HTTPS or both HTTP and
HTTPS for redirection.


Parameters for routing incoming data from the WAN (Mobile WAN) to a connected computer are listed in
Table 39.

| Item | Description |
|---|---|
| Send all remaining incoming packets to default server | Enables forwarding of unmatched incoming packets to the default server specified in the Default Server IPv4/IPv6 Address field. This setting forwards data from the mobile WAN to the assigned IP address. |
| Default Server IPv4/IPv6 Address | Specifies the IPv4/IPv6 address of the default server. |

Table 39: Incoming Packets Configuration

The configuration options for NAT helpers, which assist with handling specific protocols, are described in
Table 40. These options improve packet forwarding and connection stability for services such as FTP and
VPN when NAT is in use.

| Item | Description |
|---|---|
| Enable NAT64 | (NAT IPv6 only) Activates the NAT64 interface, serving as an internal translator gateway between IPv6 and IPv4 addresses. Note: Ensure that the predefined Default rule for NAT64 is enabled in Firewall → IPv6 for proper functionality. |
| Masquerade outgoing packets | Enables Network Address Translation (NAT) for outgoing packets. This ensures that all outgoing traffic appears to originate from the router’s external IP address, concealing the internal network structure. |
| Enable SIP ALG | (NAT IPv4 only) Enables the SIP Application Layer Gateway (ALG). When enabled, the router modifies SIP packets to facilitate proper NAT traversal, which is essential for VoIP traffic. |
| Enable FTP Helper on public port(s) | Assists in handling FTP traffic on the specified public port (default: 21). The FTP Helper improves FTP traffic traversal through NAT, particularly for active FTP sessions. |
| Enable PPTP Helper on public port(s) | (NAT IPv4 only) Enables the PPTP (Point-to-Point Tunneling Protocol) Helper for VPN traffic on the specified public port (default: 1723). The PPTP Helper ensures proper NAT handling for PPTP connections. |

Table 40: Related Features Configuration

The NAT64 functionality utilizes the Jool implementation. Due to limitations in Jool, it is not possible
to connect to the router performing NAT64 translation using the router’s IPv4 address mapped into
IPv6.
For example, if the router has the IP addresses 192.0.2.1/24 and 2001:db8::1/64, you
can access the router using both IPv4 and IPv6 addresses. However, the NAT64-mapped address
64:ff9b::192.0.2.1 will not work.
Additionally, the firewall must explicitly allow such incoming connections. The permitted address must
be specified in the incoming packets firewall rules rather than the forwarding rules because Jool drops
incoming packets and recreates outgoing packets.


3.11.1 Examples of NAT Configuration


Example 1: IPv4 NAT Configuration with Single Device Connected

For this configuration, it is essential to enable the Send all remaining incoming packets to default server
option. The IP address specified in this setting should correspond to the device located behind the router.
Additionally, the default gateway of the devices within the subnet connected to the router must match
the IP address displayed in the Default Server IP Address field. When properly configured, the connected
device will respond to a PING request sent to the IP address assigned to the SIM card.

Figure 50: Topology for NAT Configuration Example 1

Figure 51: NAT Configuration for Example 1


Example 2: IPv4 NAT Configuration with Multiple Devices Connected

In this example, a switch is used to connect multiple devices behind the router. Each device has its own
IP address. To configure port forwarding, enter the device’s IP address in the Server IP Address field within
the NAT dialog.
The devices communicate on port 80, but you can specify different public and private ports using the
Public Port and Private Port fields in the NAT dialog. This setup enables access to the internal socket
192.168.1.2:80 from the Internet by using the router’s public IP address 10.0.0.1:81.
If you send a ping request to the router’s public IP address (10.0.0.1), the router responds as usual
without forwarding the request. Since the Send all remaining incoming packets to default server option is
inactive, the router denies any other connection attempts.

Figure 52: Topology for NAT Configuration Example 2

Figure 53: NAT Configuration for Example 2



3.12 OpenVPN
Select the OpenVPN item to configure an OpenVPN tunnel. The menu item will expand and you will see
separate configuration pages: 1st Tunnel, 2nd Tunnel, 3rd Tunnel and 4th Tunnel. The OpenVPN tunnel
function allows you to create a secure connection between two separate LAN networks. The router allows
you to create up to four OpenVPN tunnels. IPv4 and IPv6 dual stack is supported.

| Item | Description |
|---|---|
| Description | Specifies the description or name of the tunnel. |
| Interface Type | TAP is basically at the Ethernet level (layer 2) and acts as a switch, whereas TUN works at the network level (layer 3) and routes packets on the VPN. TAP is bridging, whereas TUN is routing. • TUN – Choose the TUN mode. • TAP – Choose the TAP mode, but remember first to configure the bridge on the Ethernet interface. |
| Protocol | Specifies the communication protocol. • UDP – The OpenVPN communicates using UDP. • TCP server – The OpenVPN communicates using TCP in server mode. • TCP client – The OpenVPN communicates using TCP in client mode. • UDPv6 – The OpenVPN communicates using UDP over IPv6. • TCPv6 server – The OpenVPN communicates using TCP over IPv6 in server mode. • TCPv6 client – The OpenVPN communicates using TCP over IPv6 in client mode. |
| UDP/TCP port | Specifies the port of the relevant protocol (UDP or TCP). |
| 1st Remote IP Address | Specifies the first IPv4, IPv6 address or domain name of the opposite side of the tunnel. |
| 2nd Remote IP Address | Specifies the second IPv4, IPv6 address or domain name of the opposite side of the tunnel. |
| Remote Subnet | IPv4 address of a network behind the opposite side of the tunnel. |
| Remote Subnet Mask | IPv4 subnet mask of a network behind the opposite side of the tunnel. |
| Redirect Gateway | Adds (rewrites) the default gateway. All the packets are then sent to this gateway via tunnel, if there is no other specified default gateway inside them. |
| Local Interface IP Address | Specifies the IPv4 address of a local interface. For proper routing it is recommended to fill in any IPv4 address from the local range even if you are using an IPv6 tunnel only. |
| Remote Interface IP Address | Specifies the IPv4 address of the interface of the opposite side of the tunnel. For proper routing it is recommended to fill in any IPv4 address from the local range even if you are using an IPv6 tunnel only. |
| Remote IPv6 Subnet | IPv6 address of the remote IPv6 network. Equivalent of the Remote Subnet in the IPv4 section. |
| Remote IPv6 Prefix | IPv6 prefix of the remote IPv6 network. Equivalent of the Remote Subnet Mask in the IPv4 section. |
| Local Interface IPv6 Address | Specifies the IPv6 address of a local interface. |
| Remote Interface IPv6 Address | Specifies the IPv6 address of the interface of the opposite side of the tunnel. |
| Ping Interval | Time interval after which the router sends a message to the opposite side of the tunnel to verify the existence of the tunnel. |
| Ping Timeout | Specifies the time interval the router waits for a message sent by the opposite side. For proper verification of the OpenVPN tunnel, set the Ping Timeout to greater than the Ping Interval. |
| Renegotiate Interval | Specifies the renegotiate period (reauthorization) of the OpenVPN tunnel. You can only set this parameter when the Authenticate Mode is set to username/password or X.509 certificate. After this time period, the router changes the tunnel encryption to keep the tunnel secure. |
| Max Fragment Size | Maximum size of a sent packet. |
| Compression | Compression of the data sent: • none – No compression is used. • LZO – A lossless compression is used; use the same setting on both sides of the tunnel. |
| NAT Rules | Activates/deactivates the NAT rules for the OpenVPN tunnel: • not applied – NAT rules are not applied to the tunnel. • applied – NAT rules are applied to the OpenVPN tunnel. |
| Authenticate Mode | Specifies the authentication mode: • none – No authentication is set. • Pre-shared secret – Specifies the shared key function for both sides of the tunnel. • Username/password – Specifies authentication using a CA Certificate, Username and Password. • X.509 Certificate (multiclient) – Activates the X.509 authentication in multi-client mode. • X.509 Certificate (client) – Activates the X.509 authentication in client mode. • X.509 Certificate (server) – Activates the X.509 authentication in server mode. |
| Security Mode | Choose the security mode, tls-auth or tls-crypt. We recommend using the tls-crypt mode for security reasons. In this mode, all the data is encrypted with a pre-shared key. Moreover, this mode is more robust against TLS denial of service attacks. |
| Pre-shared Secret | Specifies the pre-shared secret which you can use for every authentication mode. |
| CA Certificate | Specifies the CA Certificate which you can use for the username/password and X.509 Certificate authentication modes. |
| DH Parameters | Specifies the protocol for the DH parameters key exchange which you can use for X.509 Certificate authentication in the server mode. |
| Local Certificate | Specifies the certificate used in the local device. You can use this authentication certificate for the X.509 Certificate authentication mode. |
| Local Private Key | Specifies the key used in the local device. You can use the key for the X.509 Certificate authentication mode. |
| Local Passphrase | Passphrase used during private key generation. |
| Username | Specifies a login name which you can use for authentication in the username/password mode. |
| Password | Specifies a password which you can use for authentication in the username/password mode. Enter valid characters only, see chap. 1.2.1. |
| Security Level¹ | Set the Security Level: • 0 - Weak – [Default] Everything is permitted. This setting is not recommended; it is advisable to set a higher security level! • 1 - Low – 80 bits of security. • 2 - Medium – 112 bits of security. • 3 - High – 128 bits of security. • 4 - Very High – 192 bits of security. |
| User’s Up Script | Custom script, executed when the OpenVPN tunnel is established. |
| User’s Down Script | Custom script, executed when the OpenVPN tunnel is closed. |
| Extra Options | Specifies additional parameters for the OpenVPN tunnel, such as DHCP options. The parameters are preceded by two dashes. For possible parameters see the help text in the router using SSH – run the openvpnd --help command. |

Table 41: OpenVPN Configuration Items Description

A condition applies for the tunnel to be established: the WAN route has to be active (for example, a mobile
connection established), even if the tunnel does not go through the WAN.

The changes in settings will apply after pressing the Apply button.

¹ For a detailed explanation, see the Security Guidelines [15], specifically the chapter on Cryptographic algorithms.
² Parameters passed to the script are cmd tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip [ init |
restart ]; see the Reference manual for OpenVPN, option --up cmd.


Figure 54: OpenVPN tunnel configuration Page


3.12.1 Example of the OpenVPN Tunnel Configuration in IPv4 Network

Figure 55: Topology of OpenVPN Configuration Example

OpenVPN tunnel configuration:

| Configuration | A | B |
|---|---|---|
| Protocol | UDP | UDP |
| UDP Port | 1194 | 1194 |
| Remote IP Address | 10.0.0.2 | 10.0.0.1 |
| Remote Subnet | 192.168.2.0 | 192.168.1.0 |
| Remote Subnet Mask | 255.255.255.0 | 255.255.255.0 |
| Local Interface IP Address | 19.16.1.0 | 19.16.2.0 |
| Remote Interface IP Address | 19.16.2.0 | 19.16.1.0 |
| Compression | LZO | LZO |
| Authenticate mode | none | none |

Table 42: OpenVPN Configuration Example

Examples of different options for configuration and authentication of OpenVPN tunnel can be found in the
application note OpenVPN Tunnel [5].


3.13 IPsec
The IPsec tunnel function allows you to create a secured connection between two separate LAN networks.
This router family allows you to create up to four IPsec tunnels.
To open the IPsec tunnel configuration page, click IPsec in the Configuration section of the main menu.
The menu item will expand and you will see separate configuration pages: 1st Tunnel, 2nd Tunnel, 3rd
Tunnel and 4th Tunnel.
Both policy-based and route-based VPN approaches are supported; see the different configuration
scenarios in Chapter 3.13.1.
IPv4 and IPv6 tunnels are supported (dual stack); you can transport IPv6 traffic through an IPv4 tunnel and
vice versa. For different IPsec authentication scenarios, see Chapter 3.13.2.

To encrypt data between the local and remote subnets, specify the appropriate values in the subnet
fields on both routers. To encrypt the data stream between the routers only, leave the local and
remote subnets fields blank.

If you specify the protocol and port information in the Local Protocol/Port field, then the router
encapsulates only the packets matching the settings.

For an optimal and secure setup, we recommend following the instructions on the Security Recommendations
strongSwan web page.

Detailed information and more examples of IPsec tunnel configuration and authentication can be found in
the application note IPsec Tunnel [6].

FRRouting (FRR) router app is an Internet routing protocol suite for Advantech routers. This UM includes
protocol daemons for BGP, IS-IS, LDP, OSPF, PIM, and RIP.

3.13.1 Route-based Configuration Scenarios


Several route-based configuration options can be configured and used in Advantech routers. The most
common cases are listed below (for more details, see the Route-based VPNs strongSwan web page):

1. Enabled Installing Routes
• Remote (local) subnets are used as traffic selectors (routes).
• This gives the same result as a policy-based VPN.
• One benefit of this approach is the possibility to verify the non-encrypted traffic passing through
IPsec tunnel number X with the tcpdump tool: tcpdump -i ipsecX.
• Set the Install Routes option to yes.


2. Static Routes
• Routes are installed statically by an application as soon as the IPsec tunnel is up.
• The FRR/STATICD application, for example, can be used to install the static routes.
• Set the Install Routes option to no.

3. Dynamic Routing
• Routes are installed dynamically at run time by an application using a dynamic protocol.
• The FRR/BGP or FRR/OSPF application, for example, can be used to install the dynamic routes.
This application obtains the routes dynamically from a (BGP, OSPF) server.
• Set the Install Routes option to no.

4. Multiple Clients
• Allows you to create a VPN network with multiple clients. One Advantech router acts as the server and
assigns an IP address to all the clients on the network.
• The server has the Remote Virtual Network and Remote Virtual Mask items configured, and the client
has the Local Virtual Address item configured.
• Set the Install Routes option to yes.

3.13.2 IPsec Authentication Scenarios


There are four basic authentication options which can be configured and used in Advantech routers:

1. Pre-shared Key
• Set Authenticate Mode to the pre-shared key option.
• Enter the shared key in the Pre-shared key field.

2. Public Key
• Set Authenticate Mode to the X.509 certificate option.
• Enter the public key in the Local Certificate / PubKey field.
• CA certificate is not required.

3. Peer Certificate
• Set Authenticate Mode to the X.509 certificate option.
• Enter the remote key in the Remote Certificate / PubKey field. Users with this certificate will be
allowed.
• CA certificate is not required.

4. CA Certificate
• Set Authenticate Mode to the X.509 certificate option.
• Enter the CA certificate or a list of CA certificates in the CA Certificate field. Any certificate signed
by the CA will be accepted.
• Remote certificate is not required.

Notes:
• The Peer and CA Certificate (options 3 and 4) can be configured and used simultaneously – authentication
can be done by either of these methods.
• The Local ID is significant. When using certificate authentication, the IKE identity must be contained
in the certificate, either as subject or as subjectAltName.


3.13.3 Configuration Items Description


The configuration GUI for IPsec is shown in Figure 56, and all items that can be configured for an
IPsec tunnel are described in Table 43.

Figure 56: IPsec Tunnels Configuration Page


Item Description
Description Name or description of the tunnel.
Type
• policy-based – Choose for the policy-based VPN approach.
• route-based – Choose for the route-based VPN approach.
Note: Data throughput via route-based VPN is slightly lower in comparison with policy-based VPN.
Host IP Mode
• IPv4 – The router communicates via IPv4 with the opposite side of the tunnel.
• IPv6 – The router communicates via IPv6 with the opposite side of the tunnel.
1st Remote IP Address First IPv4, IPv6 address or domain name of the remote side of the tunnel, based on selected Host IP Mode above.
2nd Remote IP Address Second IPv4, IPv6 address or domain name of the remote side of the tunnel, based on selected Host IP Mode above.
Tunnel IP Mode
• IPv4 – The IPv4 communication runs inside the tunnel.
• IPv6 – The IPv6 communication runs inside the tunnel.
Remote ID Identifier (ID) of remote side of the tunnel. It consists of two parts: a hostname and a domain-name.
Local ID Identifier (ID) of local side of the tunnel. It consists of two parts: a hostname and a domain-name.
Install Routes For route-based type only. Choose yes to use traffic selectors as route(s).
First Remote Subnet IPv4 or IPv6 address of a network behind remote side of the tunnel, based on Tunnel IP Mode above.
First Remote Subnet Mask/Prefix IPv4 subnet mask of a network behind remote side of the tunnel, or IPv6 prefix (single number 0 to 128).
Second Remote Subnet IPv4 or IPv6 address of the second network behind remote side of the tunnel, based on Tunnel IP Mode above. For IKE Protocol = IKEv2 only.
Second Remote Subnet Mask/Prefix IPv4 subnet mask of the second network behind remote side of the tunnel, or IPv6 prefix (single number 0 to 128). For IKE Protocol = IKEv2 only.
Remote Protocol/Port Specifies Protocol/Port of remote side of the tunnel. The general form is protocol/port, for example 17/1701 for UDP (protocol 17) and port 1701. It is also possible to enter only the number of protocol, however, the above mentioned format is preferred.
First Local Subnet IPv4 or IPv6 address of a local network, based on Tunnel IP Mode above.
First Local Subnet Mask/Prefix IPv4 subnet mask of a local network, or IPv6 prefix (single number 0 to 128).
Second Local Subnet IPv4 or IPv6 address of the second local network, based on Tunnel IP Mode above. For IKE Protocol = IKEv2 only.
Second Local Subnet Mask/Prefix IPv4 subnet mask of the second local network, or IPv6 prefix (single number 0 to 128). For IKE Protocol = IKEv2 only.
Local Protocol/Port Specifies Protocol/Port of a local network. The general form is protocol/port, for example 17/1701 for UDP (protocol 17) and port 1701. It is also possible to enter only the number of protocol, however, the above mentioned format is preferred.
MTU Maximum Transmission Unit value (for route-based mode only). Default value is 1426 bytes.
Remote Virtual Network Specifies virtual remote network for server (responder).
Remote Virtual Mask Specifies virtual remote network mask for server (responder).
Local Virtual Address Specifies virtual local network address for client. To get address from server set up the address to 0.0.0.0.
Cisco FlexVPN Enable to support the Cisco FlexVPN functionality. The route-based type must be chosen. For more information, see strongswan.conf page.
Encapsulation Mode Specifies the IPsec mode, according to the method of encapsulation.
• tunnel – entire IP datagram is encapsulated.
• transport – only IP header is encapsulated. Not supported by route-based VPN.
• beet – the ESP packet is formatted as a transport mode packet, but the semantics of the connection are the same as for tunnel mode.
Force NAT Traversal Enable NAT traversal enforcement (UDP encapsulation of ESP packets).
IKE Protocol Specifies the version of IKE (IKEv1/IKEv2, IKEv1 or IKEv2).
IKE Mode Specifies the mode for establishing a connection (main or aggressive). If you select the aggressive mode, then the router establishes the IPsec tunnel faster, but the encryption is permanently set to 3DES-MD5. We recommend that you not use the aggressive mode due to lower security!
IKE Algorithm Specifies the means by which the router selects the algorithm:
• auto – The encryption and hash algorithm are selected automatically.
• manual – The encryption and hash algorithm are defined by the user.
IKE Encryption Encryption algorithm – 3DES, AES128, AES192, AES256, AES128GCM128, AES192GCM128, AES256GCM128.
IKE Hash Hash algorithm – MD5, SHA1, SHA256, SHA384 or SHA512.
IKE DH Group Specifies the Diffie-Hellman groups which determine the strength of the key used in the key exchange process. Higher group numbers are more secure, but require more time to compute the key.
IKE Reauthentication Enable or disable IKE reauthentication (for IKEv2 only).
XAUTH Enabled Enable extended authentication (for IKEv1 only).
XAUTH Mode Select XAUTH mode (client or server).
XAUTH Username XAUTH username.
XAUTH Password XAUTH password.
ESP Algorithm Specifies the means by which the router selects the algorithm:
• auto – The encryption and hash algorithm are selected automatically.
• manual – The encryption and hash algorithm are defined by the user.
ESP Encryption Encryption algorithm – 3DES, AES128, AES192, AES256, AES128GCM128, AES192GCM128, AES256GCM128.
ESP Hash Hash algorithm – MD5, SHA1, SHA256, SHA384 or SHA512.
PFS Enables/disables the Perfect Forward Secrecy function. The function ensures that derived session keys are not compromised if one of the private keys is compromised in the future.
PFS DH Group Specifies the Diffie-Hellman group number (see IKE DH Group).
Key Lifetime Lifetime key data part of tunnel. The minimum value of this parameter is 60 s. The maximum value is 86400 s.
IKE Lifetime Lifetime key service part of tunnel. The minimum value of this parameter is 60 s. The maximum value is 86400 s.
Rekey Margin Specifies how long before a connection expires that the router attempts to negotiate a replacement. Specify a maximum value that is less than half of IKE and Key Lifetime parameters.
Rekey Fuzz Percentage of time for the Rekey Margin extension.
DPD Delay Time after which the IPsec tunnel functionality is tested.
DPD Timeout The period during which device waits for a response.
Authenticate Mode Specifies the means by which the router authenticates:
• Pre-shared key – Sets the shared key for both sides of the tunnel.
• X.509 Certificate – Allows X.509 authentication in multiclient mode.
(Local) Pre-shared Key Specifies the shared key (local for IKEv2) for both sides of the tunnel. The prerequisite for entering a key is that you select pre-shared key as the authentication mode.
Remote Pre-shared Key Specifies the remote shared key (for IKEv2) for both sides of the tunnel. The prerequisite for entering a key is that you select pre-shared key as the authentication mode.
CA Certificate CA certificate chain for X.509 authentication. Specify the CA certificate or certificates used to validate the remote certificate.
Remote Certificate \ PubKey Certificate for X.509 authentication or PubKey for public key signature authentication.
Local Certificate \ PubKey Certificate for X.509 authentication or PubKey for public key signature authentication.
Local Private Key Private key for X.509 authentication.
Local Passphrase Passphrase used during private key generation.
Revocation Check Certificate revocation policy:
• if possible – Fails only if a certificate is revoked, i.e. it is explicitly known that it is bad.
• if URI defined – Fails only if a CRL/OCSP URI is available, but certificate revocation checking fails, i.e. there should be revocation information available, but it could not be obtained.
• always – Fails if no revocation information is available, i.e. the certificate is not known to be unrevoked.
User’s Up Script¹ Custom script, executed when the IPSec tunnel is established.
User’s Down Script¹ Custom script, executed when the IPSec tunnel is closed.
Debug Choose the level of logging verbosity from: silent, audit, control (default), control-more, raw, private (most verbose including the private keys). See Logger Configuration in strongSwan web page for more details.
Table 43: IPsec Tunnel Configuration Items Description

We recommend that you keep the default settings. When you set key exchange times higher, the
tunnel produces lower operating costs, but the setting also provides less security. Conversely, when you
reduce the time, the tunnel produces higher operating costs, but provides higher security. The changes
in settings will apply after clicking the Apply button.

Do not miss:
• If local and remote subnets are not configured then only packets between local and remote IP
address are encapsulated, so only communication between two routers is encrypted.
• If protocol/port fields are configured then only packets matching these settings are encapsulated.

¹ Parameters passed to the script:
for policy-based type: one parameter: connection name, returns e.g. ipsec1-1,
for route-based type: two parameters: connection name and interface name, returns e.g. ipsec1-1 and ipsec0.


3.13.4 Basic IPv4 IPSec Tunnel Configuration

Figure 57: Topology of IPsec Configuration Example

Configuration of Router A and Router B is as follows:

Configuration A B
Host IP Mode IPv4 IPv4
1st Remote IP Address 10.0.0.2 10.0.0.1
Tunnel IP Mode IPv4 IPv4
First Remote Subnet 192.168.2.0 192.168.1.0
First Remote Subnet Mask 255.255.255.0 255.255.255.0
First Local Subnet 192.168.1.0 192.168.2.0
First Local Subnet Mask 255.255.255.0 255.255.255.0
Authenticate mode pre-shared key pre-shared key
Pre-shared key test test
Table 44: Simple IPv4 IPSec Tunnel Configuration
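
The limits and warnings stated in Table 43, and the mirrored subnets of Table 44, can be checked before a configuration is applied to both routers. The following Python code is an added example, not Advantech's code: the dictionary keys, the lifetime and rekey values, the weak-algorithm sets and the 20-character key threshold are assumptions made for the illustration.

```python
import ipaddress

# Bounds that Table 43 gives for Key Lifetime and IKE Lifetime, in seconds.
LIFETIME_MIN, LIFETIME_MAX = 60, 86400
# General cryptographic guidance, not a statement from the manual.
WEAK_ENCRYPTION = {"3DES"}
WEAK_HASH = {"MD5", "SHA1"}
# Assumed minimum pre-shared key length for this example.
MIN_PSK_LEN = 20


def audit_tunnel(cfg):
    """Return findings for one tunnel; an empty list means nothing was flagged."""
    findings = []
    for name in ("key_lifetime", "ike_lifetime"):
        if not LIFETIME_MIN <= cfg[name] <= LIFETIME_MAX:
            findings.append(f"{name}: outside {LIFETIME_MIN}..{LIFETIME_MAX} s")
    # Table 43: Rekey Margin must be less than half of both lifetimes.
    if 2 * cfg["rekey_margin"] >= min(cfg["key_lifetime"], cfg["ike_lifetime"]):
        findings.append("rekey_margin: not less than half of the lifetimes")
    # Table 43: aggressive mode fixes the encryption to 3DES-MD5.
    if cfg["ike_mode"] == "aggressive":
        findings.append("ike_mode: aggressive forces 3DES-MD5")
    for phase in ("ike", "esp"):
        if cfg[f"{phase}_algorithm"] != "manual":
            continue  # with auto, the router selects the algorithms itself
        encryption, digest = cfg[f"{phase}_encryption"], cfg[f"{phase}_hash"]
        if encryption in WEAK_ENCRYPTION:
            findings.append(f"{phase}_encryption: {encryption} is weak")
        if digest in WEAK_HASH:
            findings.append(f"{phase}_hash: {digest} is weak")
    if not cfg["pfs"]:
        findings.append("pfs: disabled")
    if cfg["authenticate_mode"] == "pre-shared key" and len(cfg["psk"]) < MIN_PSK_LEN:
        findings.append(f"psk: shorter than {MIN_PSK_LEN} characters")
    # Table 43: the private debug level includes private keys in the log.
    if cfg["debug"] == "private":
        findings.append("debug: private level logs private keys")
    return findings


def _net(cfg, side):
    """Combine the separate subnet and mask fields into one network object."""
    return ipaddress.ip_network(f"{cfg[side + '_subnet']}/{cfg[side + '_mask']}")


def mirror_errors(a, b):
    """Check that the subnets of routers A and B mirror each other (Table 44)."""
    try:
        a_local, a_remote = _net(a, "local"), _net(a, "remote")
        b_local, b_remote = _net(b, "local"), _net(b, "remote")
    except ValueError as exc:  # bad mask, or host bits set in the subnet
        return [f"invalid subnet or mask: {exc}"]
    errors = []
    if a_remote != b_local:
        errors.append("A remote subnet differs from B local subnet")
    if b_remote != a_local:
        errors.append("B remote subnet differs from A local subnet")
    if a_local.overlaps(a_remote):
        errors.append("local and remote subnets overlap")
    return errors


# Constructed sample: subnets, masks and the key are the Table 44 values; all
# other settings are invented for the example and are not the router defaults.
COMMON = {
    "key_lifetime": 3600, "ike_lifetime": 3600, "rekey_margin": 540,
    "ike_mode": "main", "ike_algorithm": "auto", "esp_algorithm": "auto",
    "pfs": True, "authenticate_mode": "pre-shared key", "psk": "test",
    "debug": "control",
}
ROUTER_A = dict(COMMON, local_subnet="192.168.1.0", local_mask="255.255.255.0",
                remote_subnet="192.168.2.0", remote_mask="255.255.255.0")
ROUTER_B = dict(COMMON, local_subnet="192.168.2.0", local_mask="255.255.255.0",
                remote_subnet="192.168.1.0", remote_mask="255.255.255.0")
# Constructed weak variant that triggers the remaining checks.
WEAK = dict(ROUTER_A, ike_mode="aggressive", ike_algorithm="manual",
            ike_encryption="3DES", ike_hash="MD5", rekey_margin=1800,
            pfs=False, debug="private")

if __name__ == "__main__":
    for label, cfg in (("A", ROUTER_A), ("B", ROUTER_B), ("weak", WEAK)):
        print(label, audit_tunnel(cfg))
    print("mirror:", mirror_errors(ROUTER_A, ROUTER_B))
```

With the Table 44 values, the only finding is the four-character pre-shared key test, which is suitable for a lab setup only.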


3.14 WireGuard
WireGuard is a communication protocol and free open-source software that implements encrypted virtual
private networks (VPNs), and was designed with the goals of ease of use, high speed performance, and
low attack surface. It aims for better performance and more power than IPsec and OpenVPN, two common
tunneling protocols. The WireGuard protocol passes traffic over UDP. Advantech routers allow you to
create up to four WireGuard tunnels.
To open the WireGuard tunnel configuration page, click WireGuard in the Configuration section of the
main menu. The menu item will expand and you will see separate configuration pages: 1st Tunnel, 2nd
Tunnel, 3rd Tunnel and 4th Tunnel.
IPv4 and IPv6 tunnels are supported (dual stack); you can transport IPv6 traffic through an IPv4 tunnel and
vice versa.
FRRouting (FRR) router app is an Internet routing protocol suite for Advantech routers. This UM includes
protocol daemons for BGP, IS-IS, LDP, OSPF, PIM, and RIP.

Detailed information and more examples of WireGuard tunnel configuration and authentication can be found
in the application note WireGuard Tunnel [8].

The configuration GUI for WireGuard is shown in Figure 58, and all items that can be configured for a
WireGuard tunnel are described in Table 45.

Item Description
Description Name or description of the tunnel.
Host IP Mode
• IPv4 – The router communicates via IPv4 with the opposite side of the tunnel.
• IPv6 – The router communicates via IPv6 with the opposite side of the tunnel.
Remote IP Address IPv4, IPv6 address or domain name of the remote side of the tunnel to connect to. The address must match the selected Host IP Mode above.
Remote Port Port of the remote side of the tunnel.
Local Port Port of the local side of the tunnel (default port is 51820).
MTU Maximum Transmission Unit value. Default value is 1400 bytes.
NAT/Firewall Traversal If set to yes, keepalive communication (every 25 seconds) runs to keep the tunnel established. It is useful when a client is running behind NAT.
Interface IPv4 Address Local IPv4 tunnel interface address.
Interface IPv4 Prefix Length Local IPv4 tunnel interface prefix.
Interface IPv6 Address Local IPv6 tunnel interface address.
Interface IPv6 Prefix Length Local IPv6 tunnel interface prefix.
Install Routes
• no – Do not install routes. Use when a dynamic routing protocol is configured.
• yes – Install routes.
Traffic Selector
• all traffic – Pass all packets to the WireGuard tunnel.
• subnets – Route based on the subnets listed below.
Remote Subnets If the Traffic Selector is set to subnets, then other subnets (routes) can be routed through the WireGuard tunnel.
Pre-shared Key The optional key for additional encryption layer and security strengthening. You
can use the Generate button to generate a random key.
Local Private Key The private key of the local side. You can use the Generate button to generate
a random key.
Local Public Key The public key of the local tunnel side.
Remote Public Key The public key of the remote tunnel side.
Table 45: WireGuard Tunnel Configuration Items Description

The changes in settings will apply after clicking the Apply button.

Figure 58: WireGuard Tunnels Configuration Page


3.14.1 WireGuard IPv4 Tunnel Configuration Example


The following is an example of a WireGuard IPv4 tunnel configuration between Router A and Router B.

Figure 59: Topology of WireGuard Configuration Example

Router B is configured to listen, and Router A is the side initiating the tunnel connection. Configuration
of Router A and Router B from the topology above is as follows:

Configuration Router A Router B
Host IP Mode IPv4 IPv4
Remote IP Address 10.0.6.60 –
Remote Port 51820 –
Local Port 51820 51820
NAT/Firewall Traversal yes no
Interface IPv4 Address 172.16.24.1 172.16.24.2
Interface IPv4 Prefix Length 30 30
Install Routes yes yes
Traffic Selector subnets subnets
Remote Subnets 192.168.2.0/24 192.168.1.0/24
Local Private Key local private key local private key
Local Public Key local public key local public key
Remote Public Key public key of the opposite side public key of the opposite side
Table 46: WireGuard IPv4 Tunnel Configuration Example


The figure below shows the WireGuard status page of Router A. If the tunnel connection is established
successfully, the Latest handshake time is shown here. This value is the time elapsed since the latest
successful communication with the opposite tunnel side. This item is not shown until there is tunnel
communication (data sent by Router A or the keepalive data sent when NAT/Firewall Traversal is set to
yes).

Figure 60: Router A – WireGuard Status Page and Route Table

Figure 61: Router B – WireGuard Status Page and Route Table


3.15 GRE

GRE is an unencrypted protocol. GRE via IPv6 is not supported.

To open the GRE Tunnel Configuration page, click GRE in the Configuration section of the main menu.
The menu item will expand and you will see separate configuration pages: 1st Tunnel, 2nd Tunnel, 3rd
Tunnel and 4th Tunnel.
The GRE tunnel function allows you to create an unencrypted connection between two separate LAN
networks. The router allows you to create four GRE tunnels.

Item Description
Description Description of the GRE tunnel.
Remote IP Address IP address of the remote side of the tunnel.
Local IP Address IP address of the local side of the tunnel.
Remote Subnet IP address of the network behind the remote side of the tunnel.
Remote Subnet Mask Specifies the mask of the network behind the remote side of the tunnel.
Local Interface IP Address IP address of the local side of the tunnel.
Remote Interface IP Address IP address of the remote side of the tunnel.
Multicasts Activates/deactivates sending multicast into the GRE tunnel:
• disabled – Sending multicast into the tunnel is inactive.
• enabled – Sending multicast into the tunnel is active.
Pre-shared Key Specifies an optional value for the 32-bit shared key in numeric format. With this key, the router sends the filtered data through the tunnel. Specify the same key on both routers; otherwise, the router drops received packets.
Table 47: GRE Tunnel Configuration Items Description

The GRE tunnel cannot pass through the NAT.

The changes in settings will apply after pressing the Apply button.


Figure 62: GRE Tunnel Configuration Page

3.15.1 Example of the GRE Tunnel Configuration

Figure 63: Topology of GRE Tunnel Configuration Example


GRE tunnel configuration:

Configuration A B
Remote IP Address 10.0.0.2 10.0.0.1
Remote Subnet 192.168.2.0 192.168.1.0
Remote Subnet Mask 255.255.255.0 255.255.255.0
Table 48: GRE Tunnel Configuration Example

Examples of different options for configuration of GRE tunnel can be found in the application note GRE
Tunnel [7].


3.16 L2TP

L2TP is an unencrypted protocol. L2TP via IPv6 is not supported.

To open the L2TP Tunnel Configuration page, click L2TP in the Configuration section of the main menu.
The L2TP tunnel function allows you to create a password-protected connection between two different LAN
networks. Enable the Create L2TP tunnel checkbox to activate the tunnel.

Figure 64: L2TP Tunnel Configuration Page

Item Description
Mode Specifies the L2TP tunnel mode on the router side:
• L2TP server – Specify an IP address range offered by the server.
• L2TP client – Specify the IP address of the server.
Server IP Address IP address of the server.
Client Start IP Address IP address to start with in the address range. The range is offered by the server to the clients.
Client End IP Address The last IP address in the address range. The range is offered by the server to the clients.
Local IP Address IP address of the local side of the tunnel.
Remote IP Address IP address of the remote side of the tunnel.
Remote Subnet Address of the network behind the remote side of the tunnel.
Remote Subnet Mask The mask of the network behind the remote side of the tunnel.
MRU Maximum Receive Unit value. Default value is 1400 bytes.
MTU Maximum Transmission Unit value. Default value is 1400 bytes.
Username Username for the L2TP tunnel login.
Password Password for the L2TP tunnel login. Enter valid characters only.
Table 49: L2TP Tunnel Configuration Items Description


3.16.1 Example of the L2TP Tunnel Configuration

Figure 65: Topology of L2TP Tunnel Configuration Example

Configuration of the L2TP tunnel:

Configuration A B
Mode L2TP Server L2TP Client
Server IP Address — 10.0.0.1
Client Start IP Address 192.168.2.5 —
Client End IP Address 192.168.2.254 —
Local IP Address 192.168.1.1 —
Remote IP Address — —
Remote Subnet 192.168.2.0 192.168.1.0
Remote Subnet Mask 255.255.255.0 255.255.255.0
Username username username
Password password password
Table 50: L2TP Tunnel Configuration Example


3.17 PPTP

PPTP is an unencrypted protocol. PPTP via IPv6 is not supported.

Select the PPTP item in the menu to configure a PPTP tunnel. PPTP tunnel allows password-protected
connections between two LANs. It is similar to L2TP. The tunnels are active after selecting Create PPTP
tunnel.

Figure 66: PPTP Tunnel Configuration Page

Item Description
Mode Specifies the PPTP tunnel mode on the router side:
• PPTP server – Specify an IP address range offered by the server.
• PPTP client – Specify the IP address of the server.
Server IP Address IP address of the server.
Local IP Address IP address of the local side of the tunnel.
Remote IP Address IP address of the remote side of the tunnel.
Remote Subnet Address of the network behind the remote side of the tunnel.
Remote Subnet Mask The mask of the network behind the remote side of the tunnel.
MRU Maximum Receive Unit value. Default value is 1460 bytes to avoid fragmented packets.
MTU Maximum Transmission Unit value. Default value is 1460 bytes to avoid fragmented packets.
Username Username for the PPTP tunnel login.
Password Password for the PPTP tunnel login. Enter valid characters only.
Table 51: PPTP Tunnel Configuration Items Description

The changes in settings will apply after pressing the Apply button.

The firmware also supports PPTP passthrough, which means that it is possible to create a tunnel through
the router.


3.17.1 Example of the PPTP Tunnel Configuration

Figure 67: Topology of PPTP Tunnel Configuration Example

Configuration of the PPTP tunnel:

Configuration A B
Mode PPTP Server PPTP Client
Server IP Address — 10.0.0.1
Local IP Address 192.168.1.1 —
Remote IP Address 192.168.2.1 —
Remote Subnet 192.168.2.0 192.168.1.0
Remote Subnet Mask 255.255.255.0 255.255.255.0
Username username username
Password password password
Table 52: PPTP Tunnel Configuration Example


3.18 Services
3.18.1 Authentication
User authentication options can be configured on the Configuration → Authentication page. Figure 68
shows the configuration for local user database mode. Table 53 describes configuration items for local user
database mode that are common to all other modes as well.

Figure 68: Common Configuration Items

Item Description
Two-Factor Authentication To enable the two-factor authentication service, choose the service type you want to use from Google Authenticator or OATH Toolkit. For more details refer to Chapter 5.2.1 Two-Factor Authentication.
Mode
• Local user database – Authenticate against the local user database only. See Chapter 5.1 Manage Users.
• RADIUS with fallback – Authenticate against the RADIUS server first, and then against the local database if the RADIUS server is not accessible.
• RADIUS only – Authenticate only against the RADIUS server. Note that you will not be able to authenticate to the router if the RADIUS server is not accessible!
• TACACS+ with fallback – Authenticate against the TACACS+ server first, and then against the local database if the TACACS+ server is not accessible.
• TACACS+ only – Authenticate only against the TACACS+ server. Note that you will not be able to authenticate to the router if the TACACS+ server is not accessible!
Lock Account After Number of failed login attempts after which the account will be locked.
Count Fails For The time window for which unsuccessful login attempts will be counted.
Unlock After The time after which logging in will be unlocked if it was previously locked.
Force Password Complexity Specify the level of password complexity:
• very weak – Not secure and not recommended. Requires 6 characters. Time to crack: Seconds to minutes.
• weak – Not secure and not recommended. Requires 8 characters from two sets (numbers, letters) [NIST SP 800-63B compliant]. Time to crack: Hours to days.
• good – Reasonably secure. Requires 12 characters from three sets (uppercase letters, lowercase letters, and numbers), with a maximum of 3 same characters in sequence [FirstNet compliant]. Time to crack: Months to years.
• strong – For the best security level. Requires 16 characters from four sets (uppercase and lowercase letters, digits, and special characters). Time to crack: Centuries.
Expire Password After Number of days after which the password will expire and the user will be prompted to change it; see Chapter 5.2.3 Expired Password.
Delay After Fail The time after which the login screen will appear again in case of a previous unsuccessful attempt.
Debug Enable or disable debugging in the Syslog.
Table 53: Common Configuration Items
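
To test candidate passwords against the four Force Password Complexity levels before provisioning accounts, the rules in Table 53 can be expressed as a checker. The following Python code is an added example, not the router's implementation. It assumes that "Requires N characters" is a minimum length, that any character other than an ASCII letter or digit counts as special, and that only the good level limits repeated characters, since the table states that limit for no other level.

```python
import itertools
import string

# Force Password Complexity levels from Table 53, weakest first:
# name -> (minimum length, required character sets, longest allowed run or None)
LEVELS = {
    "very weak": (6, (), None),
    "weak": (8, ("letter", "digit"), None),
    "good": (12, ("upper", "lower", "digit"), 3),
    "strong": (16, ("upper", "lower", "digit", "special"), None),
}


def character_sets(password):
    """Return the names of the character sets that occur in the password."""
    present = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            present.update(("upper", "letter"))
        elif ch in string.ascii_lowercase:
            present.update(("lower", "letter"))
        elif ch in string.digits:
            present.add("digit")
        else:
            present.add("special")  # assumption: everything else is special
    return present


def longest_run(password):
    """Length of the longest run of one repeated character."""
    runs = (len(list(group)) for _, group in itertools.groupby(password))
    return max(runs, default=0)


def failures(password, level):
    """List the requirements of the given level that the password misses."""
    min_len, required, max_run = LEVELS[level]
    missed = []
    if len(password) < min_len:
        missed.append(f"needs at least {min_len} characters")
    present = character_sets(password)
    for name in required:
        if name not in present:
            missed.append(f"needs a character from the {name} set")
    run = longest_run(password)
    if max_run is not None and run > max_run:
        missed.append(f"run of {run} identical characters exceeds {max_run}")
    return missed


def highest_level(password):
    """Return the strictest level the password satisfies, or None."""
    best = None
    for level in LEVELS:  # dicts keep insertion order: weakest to strictest
        if not failures(password, level):
            best = level
    return best


if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    for sample in ("abc12", "abcdefg1", "Abcdefgh1234", "Aaaaabcdefg12345",
                   "Correct-Horse-42x"):
        print(f"{sample!r}: {highest_level(sample)}")
```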


RADIUS Mode

When authenticating against the RADIUS server, a user with the same name must exist locally. It can
be created manually (see Chapter 5.1 Manage Users) or can be created automatically based on data
from the RADIUS server, if the Take Over Server Users option is enabled as described below.

To configure the authentication against a RADIUS server, choose RADIUS with fallback or RADIUS only
as the PAM mode and set up all required items, see Figure 69. Table 54 describes all the configuration
options for the RADIUS PAM modes.

Figure 69: Configuration of RADIUS

Item Description
Server Address of the RADIUS server. Up to two servers can be configured.
Port Port of the RADIUS server.
Secret The secret for authentication to the RADIUS server.
Timeout Timeout for authentication to the RADIUS server.
Take Over Server Users If enabled, a new user account is created during the login, in case the RADIUS authentication is successful and appropriate local account does not exist. New accounts are created without the password. An existing user account with a password is never modified by this feature.
Default User Role Choose the user role (Admin or User). This role corresponds with router’s user roles, see Chapter 5.1 Manage Users.
Selected role will be used for a user in case the option Take Over Server Users is enabled and if the user’s Service-Type set on the RADIUS server is missing or is not set up to NAS-Prompt-User or Administrative-User.
When Service-Type is set to NAS-Prompt-User, the User role will be used.
When Service-Type is set to Administrative-User, the Admin role is used.
Table 54: Configuration of RADIUS


TACACS+ Mode

When authenticating against the TACACS+ server, a user with the same name must exist locally. It can
be created manually (see Chapter 5.1 Manage Users) or can be created automatically based on data
from the TACACS+ server, if the Take Over Server Users option is enabled as described below.

To configure the authentication against a TACACS+ server, choose TACACS+ with fallback or TACACS+
only as the PAM mode and set up all required items, see Figure 70. Table 55 describes all the configuration
options for the TACACS+ PAM modes.

Figure 70: Configuration of TACACS+

Item Description
Authentication Type Choose ASCII, PAP or CHAP as authentication type. To configure the two-factor authentication for a user, see Chapter 5.2.1 Two-Factor Authentication.
Timeout Timeout for authentication to the TACACS+ server.
Server Address of the TACACS+ server. Up to two servers can be configured.
Port Port of the TACACS+ server.
Secret The secret for authentication to the TACACS+ server.
Take Over Server Users If enabled, a new user account is created during the login, in case the TACACS+ authentication is successful and appropriate local account does not exist. New accounts are created without the password. An existing user account with a password is never modified by this feature.
Default User Role Choose the user role (Admin or User). This role corresponds with router’s user roles, see Chapter 5.1 Manage Users.
Selected role will be used for a new user when Take Over Server Users is used.
Table 55: Configuration of TACACS+

3.18.2 DynDNS
The DynDNS function allows you to access the router remotely using an easy-to-remember custom host-
name. This DynDNS client monitors the router’s IP address and updates it whenever a change occurs. For
DynDNS to function, a public IP address, either static or dynamic, is required, along with an active Remote
Access service account on a Dynamic DNS server. Register the custom (third-level) domain and account
information specified in the configuration form.
Other services can also be used, see the table below under the Server item. To open the DynDNS
Configuration page, click DynDNS in the main menu.

Item Description
Hostname The third-level domain registered on a Dynamic DNS server.
Username Username for logging into the DynDNS server.
Password Password for logging into the DynDNS server. Enter only valid characters (see
Chapter 1.2.1).
IP Mode Specifies the IP protocol version:
• IPv4 – Only the IPv4 protocol is used (default).
• IPv6 – Only the IPv6 protocol is used.
• IPv4/IPv6 – Dual stack mode (IPv4 and IPv6) is enabled.
Server Specifies a DynDNS service. Some available free services include:
www.freedns.afraid.org, www.duckdns.org, www.noip.com.
Enter the update server’s service information in this field. If left blank, the default
server members.dyndns.org will be used.
Table 56: DynDNS Configuration Items Description

Example of a DynDNS client configuration with the domain company.dyndns.org:

Figure 71: DynDNS Configuration Example

To access the router’s configuration remotely, ensure that this option is enabled in the NAT configuration
(bottom part of the form). See Chapter 3.11 NAT.

3.18.3 FTP
The FTP protocol (File Transfer Protocol) can be used to transfer files between the router and another device on the computer network. The FTP server is configured on the FTP configuration page under the Services menu item.

Item Description
Enable FTP service Enables the FTP server.
Maximum Sessions Indicates how many concurrent connections the FTP server accepts. Once the maximum is reached, additional connections are rejected until some of the existing connections are terminated. The range is from 1 to 500.
Session Timeout Used to close inactive sessions. The server terminates an FTP session after it has not been used for the given number of seconds. The range is from 60 to 7200.
Table 57: FTP Configuration Items Description

Figure 72: Configuration of FTP server

3.18.4 HTTP
The HTTP protocol (Hypertext Transfer Protocol) is used to exchange hypertext documents in HTML
format. It enables access to the router’s web server for user configuration. However, it is recommended to
use the HTTPS protocol, which encrypts data for secure communication.
The HTTP configuration page, found under the Services menu, allows for configuring both HTTP and
HTTPS services. By default, HTTP is disabled, and HTTPS is preferred. For this default setting, any HTTP
request is automatically redirected to HTTPS.

Item Description
Enable HTTP service Enables the HTTP service.
Enable HTTPS service Enables the HTTPS service.
Minimum TLS Version Specifies the minimum supported TLS version. For better security, choose
the highest version of the TLS protocol unless compatibility with older web
browsers is required.
Session Timeout Defines the inactivity timeout period after which the session is closed.
Login Banner Displays the specified text on the login page above the credentials fields.
Keep the current certificate Retains the current certificate in the router.
Generate a new certificate Generates a new self-signed certificate for the router.
Upload a new certificate Uploads a custom PEM certificate, which can be signed by a Certificate
Authority.
Certificate Specifies the file containing the PEM certificate to upload.
Note: The file may contain multiple certificates organized in a certificate
chain.
Private Key Specifies the file containing the private key for the certificate.
Table 58: HTTP Configuration Items Description

Figure 73: HTTP Configuration Page

3.18.5 NTP
The NTP configuration form allows you to configure the NTP client. To open the NTP page, click NTP
in the Configuration section of the main menu. NTP (Network Time Protocol) allows you to periodically set
the internal clock of the router. The time is set from servers that provide the exact time to network devices.

• If you mark the Enable local NTP service check box, the router acts as an NTP server for other devices in the local network (LAN).
• If you mark the Synchronize clock with NTP server check box, the router acts as an NTP client. This means that the router automatically adjusts the internal clock every 8 hours.

Item Description
Primary NTP Server Address IP or domain address of primary NTP server.
Secondary NTP Server Address IP or domain address of secondary NTP server.
Timezone Specifies the time zone where you installed the router.
Daylight Saving Time Activates/deactivates the DST shift.
• No – The time shift is inactive.
• Yes – The time shift is active.
Table 59: NTP Configuration

The figure below displays an example of an NTP configuration with the primary server set to ntp.cesnet.cz and the secondary server set to tik.cesnet.cz, with the automatic change for daylight saving time enabled.

Figure 74: Example of NTP Configuration

3.18.6 SNMP
The SNMP page allows you to configure the SNMP v1/v2 or v3 agent, which transmits information about
the router and its expansion ports (if applicable) to a management station. To access the SNMP page, click
SNMP in the Configuration section of the main menu.
SNMP (Simple Network Management Protocol) provides status information about network elements such
as routers or endpoint computers. In SNMP v3, communication is secured through encryption. To enable
the SNMP service, select the Enable the SNMP agent checkbox. Sending SNMP traps to IPv6 addresses
is supported.

Item Description
Name Router designation.
Location Physical location where the router is installed.
Contact Contact details of the person responsible for managing the router.
Custom Field for entering additional specific information based on user requirements.
Table 60: SNMP Agent Configuration

To enable SNMPv1/v2, select the Enable SNMPv1/v2 access checkbox and specify the Community, which serves as the password for access to the SNMP agent. The default setting is public.

You can define a separate password for the Read community (read-only) and the Write community (read
and write) in SNMPv1/v2. Additionally, SNMPv3 allows you to configure up to two SNMP users: one with
read-only access (Read) and another with read and write access (Write).
Each user’s configuration is independent, and the router applies these settings exclusively for SNMP
access.

To enable SNMPv3, select the Enable SNMPv3 access checkbox and specify the following parameters:

Item Description
Username Name of the SNMPv3 user.
Authentication Encryption algorithm used in the Authentication Protocol to verify user identity.
Authentication Password Password used to generate the authentication key. Note: Enter valid characters only, see Chapter 1.2.1.
Privacy Encryption algorithm used in the Privacy Protocol to ensure data confidentiality.
Privacy Password Password used for encryption in the Privacy Protocol.
Note: Enter valid characters only, see Chapter 1.2.1.
Table 61: SNMPv3 Configuration

Activating the Enable I/O extension function allows you to monitor the binary I/O inputs on the router.

Enabling the Enable M-BUS extension option and configuring the Baudrate, Parity, and Stop Bits settings
allows you to monitor the status of meters connected via the MBUS interface. While the MBUS expansion
port is not currently supported, it is possible to use an external RS232/MBUS converter.

Enabling the Enable reporting to supervisory system option and specifying the IP Address and Period
allows the router to send statistical data to the R-SeeNet monitoring system.

Item Description
IP Address Specifies the IPv4 or IPv6 address.
Period Interval for sending statistical information (in minutes).
Table 62: SNMP Configuration (R-SeeNet)

Each monitored value is uniquely identified using a numerical identifier called an OID (Object Identifier).
This identifier consists of a sequence of numbers separated by dots, forming a hierarchical tree structure.
Each OID derives from its parent identifier, appending an additional number to indicate its position in the
hierarchy. The figure below illustrates the fundamental tree structure used for creating OIDs.

Figure 75: OID Basic Structure

The SNMP values specific to Advantech routers form a hierarchical tree starting at OID .1.3.6.1.4.1.30140.
This OID can be interpreted as follows:

iso.org.dod.internet.private.enterprises.conel

This means that the router provides, for example, information about the internal temperature
(OID 1.3.6.1.4.1.30140.3.3) or power voltage (OID 1.3.6.1.4.1.30140.3.4).

For binary inputs and outputs, the following OID range is used:

OID Description
.1.3.6.1.4.1.30140.2.3.1.0 Binary input BIN0 (values: 0,1)
.1.3.6.1.4.1.30140.2.3.2.0 Binary output OUT0 (values: 0,1)
.1.3.6.1.4.1.30140.2.3.3.0 Binary input BIN1 (values: 0,1)
Table 63: Object Identifiers for Binary Inputs and Outputs

The list of available and supported OIDs, along with other details, can be found in the application note
SNMP Object Identifiers [11].
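
The arc-by-arc reading of OIDs described above, as an added shell example that is not Advantech code: it tests subtree membership at arc boundaries, rewrites the numeric prefix into the symbolic path, and labels numeric lines in the form printed by net-snmp's snmpwalk -On. The walk output and the OID .1.3.6.1.4.1.30140.9.9.0 are constructed, and accepting a trailing .0 on the temperature and voltage OIDs as the scalar instance is an assumption.

```shell
#!/bin/sh
# Added example, not Advantech code. OIDs and names are taken from the manual
# text above; the walk output in sample_walk is constructed sample data.

CONEL_ROOT=1.3.6.1.4.1.30140   # iso.org.dod.internet.private.enterprises.conel
SYSTEM_ROOT=1.3.6.1.2.1.1      # iso.org.dod.internet.mgmt.mib-2.system

# Print the OID without its optional leading dot; fail on anything that is
# not a dot-separated sequence of decimal arcs.
oid_normalize() {
    _n=${1#.}
    case $_n in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    printf '%s\n' "$_n"
}

# Succeed when OID lies in the subtree rooted at ROOT. Both sides get a
# trailing dot so the comparison stops at an arc boundary: arc 30140 must
# not match arc 301400.
oid_in_subtree() {
    _o=$(oid_normalize "$1") || return 1
    _r=$(oid_normalize "$2") || return 1
    case "$_o." in
        "$_r."*) return 0 ;;
    esac
    return 1
}

# Replace a known numeric prefix with the symbolic path given in the manual.
oid_symbolic() {
    _s=$(oid_normalize "$1") || return 1
    if oid_in_subtree "$_s" "$CONEL_ROOT"; then
        _rest=${_s#"$CONEL_ROOT"}
        printf 'iso.org.dod.internet.private.enterprises.conel%s\n' "$_rest"
    elif oid_in_subtree "$_s" "$SYSTEM_ROOT"; then
        _rest=${_s#"$SYSTEM_ROOT"}
        printf 'iso.org.dod.internet.mgmt.mib-2.system%s\n' "$_rest"
    else
        printf '%s\n' "$_s"
    fi
}

# Names the manual gives for individual OIDs (Table 63 and the text above).
# ASSUMPTION: temperature and voltage are also accepted with the scalar
# instance suffix .0, as used by the entries of Table 63.
oid_name() {
    _k=$(oid_normalize "$1") || return 1
    case $_k in
        "$CONEL_ROOT.3.3"|"$CONEL_ROOT.3.3.0") echo "internal temperature" ;;
        "$CONEL_ROOT.3.4"|"$CONEL_ROOT.3.4.0") echo "power voltage" ;;
        "$CONEL_ROOT.2.3.1.0") echo BIN0 ;;
        "$CONEL_ROOT.2.3.2.0") echo OUT0 ;;
        "$CONEL_ROOT.2.3.3.0") echo BIN1 ;;
        *) return 1 ;;
    esac
}

# Read "OID = TYPE: VALUE" lines on stdin and label each one.
annotate_walk() {
    while IFS= read -r _line; do
        _oid=${_line%% = *}
        _val=${_line##*: }
        if _name=$(oid_name "$_oid"); then
            printf '%s=%s\n' "$_name" "$_val"
        elif oid_in_subtree "$_oid" "$CONEL_ROOT"; then
            printf 'conel subtree, unnamed here: %s\n' "$(oid_symbolic "$_oid")"
        else
            printf 'outside conel subtree: %s\n' \
                "$(oid_symbolic "$_oid" || printf '%s' "$_oid")"
        fi
    done
}

# Constructed sample input; the last OID differs from the Conel root only by
# one extra digit in the enterprise arc.
sample_walk() {
    cat <<'EOF'
.1.3.6.1.2.1.1.5.0 = STRING: "Router"
.1.3.6.1.4.1.30140.2.3.1.0 = INTEGER: 1
.1.3.6.1.4.1.30140.2.3.2.0 = INTEGER: 0
.1.3.6.1.4.1.30140.9.9.0 = INTEGER: 7
.1.3.6.1.4.1.301400.1.0 = INTEGER: 5
EOF
}

sample_walk | annotate_walk
```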

The following figure shows an example of SNMP configuration.

Figure 76: SNMP Configuration Example

The next figure illustrates SNMP browsing in the MIB Browser.

Figure 77: MIB Browser Example

To access a specific device, enter the IP address of the SNMP agent (the router) in the Remote SNMP Agent field. The dialog displays the internal variables in the MIB tree after entering the IP address. Additionally, you can check the status of internal variables by entering their corresponding OID.

The path to the SNMP objects is:

iso → org → dod → internet → private → enterprises → Conel → protocols

The path to router-specific information is:

iso → org → dod → internet → mgmt → mib-2 → system

3.18.7 SMTP
You use the SMTP form to configure the Simple Mail Transfer Protocol client (SMTP) for sending emails.

Item Description
SMTP Server Address IP or domain address of the mail server.
SMTP Port Port the SMTP server is listening on.
Secure Method none, SSL/TLS, or STARTTLS. The secure method must be supported by the
SMTP server.
Username Name for the email account.
Password Password for the email account. Enter valid characters only.
Own Email Address Address of the sender.
Table 64: SMTP Client Configuration

The mobile service provider may block other SMTP servers, so you might only be able to use the SMTP
server of the service provider.

Figure 78: SMTP Client Configuration Example

You can send emails from the startup script. The Startup Script dialog is located in Scripts in the Configuration section of the main menu.
The router also allows you to send emails using an SSH connection. Use the email command, see
Command Line Interface [1] Application Note for details.

3.18.8 SMS
Open the SMS page in the Services submenu of the Configuration section of the main menu. The router
can automatically send SMS messages to a cell phone or SMS message server when certain events occur.
The form allows you to select which events generate an SMS message.

Item Description
Send SMS on power up Activates/deactivates the automatic sending of an SMS message on power up.
Send SMS on connect to mobile network Activates/deactivates the automatic sending of an SMS message when the router is connected to a mobile network.
Send SMS on disconnect to mobile network Activates/deactivates the automatic sending of an SMS message when the router is disconnected from a mobile network.
Send SMS when datalimit exceeded Activates/deactivates the automatic sending of an SMS message when the data limit is exceeded.
Send SMS when binary input on I/O port (BIN0) is active Automatically sends an SMS message when the binary input on the I/O port (BIN0) is active. The text of the message is set by the BIN0 parameter.
Add timestamp to SMS Activates/deactivates adding a time stamp to the SMS messages. This time stamp has the fixed format YYYY-MM-DD hh:mm:ss.
Phone Number 1 Specifies the phone number to which the router sends the generated
SMS.
Phone Number 2 Specifies the phone number to which the router sends the generated
SMS.
Phone Number 3 Specifies the phone number to which the router sends the generated
SMS.
Unit ID The name of the router. The router sends the name in the SMS.
BIN0 – SMS Text of the SMS message when the first binary input is activated.
BIN1 – SMS Text of the SMS message when the second binary input is activated.
Table 65: SMS Configuration

Remote Control via SMS

After you enter a phone number in the Phone Number 1 field, the router allows you to configure the
control of the device using an SMS message. You can configure up to three numbers for incoming SMS
messages. To enable the function, mark the Enable remote control via SMS check box. The default setting
of the remote control function is active.

Item Description
Phone Number 1 Specifies the first phone number allowed to access the router using an SMS.
Phone Number 2 Specifies the second phone number allowed to access the router using an SMS.
Phone Number 3 Specifies the third phone number allowed to access the router using an SMS.
Table 66: Control via SMS

If you enter one or more phone numbers, then you can control the router using SMS messages sent
only from the specified phone numbers.
If you enter the wildcard character *, then you can control the router using SMS messages sent from any phone number.

Most of the control SMS messages do not change the router configuration. For example, if the router is switched to the offline mode using an SMS message, it remains in this mode, but it returns to the online mode after a reboot. The only exception is the set profile command, which changes the configuration permanently, see the table below.
To control the router using an SMS, send only message text containing the control command. You can send control SMS messages in the following format:

SMS Description
go online sim 1 Switch the mobile WAN to the SIM1.
go online sim 2 Switch the mobile WAN to the SIM2. Models with one SIM slot will switch
the settings for inserted SIM to the settings configured for the 2nd SIM.
go online Switch the router to the online mode.
go offline Switch the router to the offline mode.
set out0=0 Set the binary output to 0.
set out0=1 Set the binary output to 1.
set profile std Set the standard profile. This change is permanent.
set profile alt1 Set the alternative profile 1. This change is permanent.
set profile alt2 Set the alternative profile 2. This change is permanent.
set profile alt3 Set the alternative profile 3. This change is permanent.
reboot Reboot the router.
get ip Respond with the IP address of the SIM card.
Table 67: Control SMS

Note: Every received control SMS is processed and then deleted from the router! This may cause confusion when you want to use the AT-SMS protocol for reading received SMS (see section below).

Advanced SMS control: If a received SMS contains an unknown command and remote control via SMS is enabled, the script located in "/var/scripts/sms" is run before the SMS is deleted. You can define your own additional SMS commands using this script. A maximum of 7 words can be used in such an SMS. Since the script file is located in the RAM of the router, you can add the creation of this file to the Startup Script. See the example in the Command Line Interface Application Note [1].
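
A skeleton for such a custom handler that treats the SMS text as untrusted input, as an added example that is not Advantech code. It assumes the router passes the sender number as the first argument and the SMS words as the following arguments (check the Command Line Interface Application Note [1] for the real calling convention) and that logger is available on the router; the sender numbers and the commands "get uptime" and "log mark" are constructed.

```shell
#!/bin/sh
# Added example, not Advantech code: skeleton for a custom /var/scripts/sms.
# ASSUMPTION: the router calls the script with the sender number as $1 and
# the words of the SMS as the following arguments (the manual states a limit
# of 7 words). Sender numbers and command names below are constructed.
# /var/scripts is in RAM, so the Startup Script has to recreate this file
# on every boot.

# Senders that may use the custom commands. This list is kept in the script
# itself, so a "*" in the Phone Number fields of the web form does not open
# the custom commands to every phone number.
SMS_ALLOWED_SENDERS="+420700000001 +420700000002"

sms_sender_ok() {
    for _a in $SMS_ALLOWED_SENDERS; do
        [ "$_a" = "$1" ] && return 0
    done
    return 1
}

# A word is accepted only if it is non-empty and built from a small set of
# characters that have no special meaning to the shell.
sms_word_ok() {
    case $1 in
        ''|*[!A-Za-z0-9=._-]*) return 1 ;;
    esac
    return 0
}

# Decide what to do with one SMS: prints the decision, returns non-zero on
# refusal. The text is only compared with fixed strings; it is never passed
# to eval or sh -c and never used to build a command line.
sms_dispatch() {
    [ "$#" -ge 1 ] || { echo "refuse: sender"; return 1; }
    _sender=$1
    shift
    sms_sender_ok "$_sender" || { echo "refuse: sender"; return 1; }
    if [ "$#" -lt 1 ] || [ "$#" -gt 7 ]; then
        echo "refuse: word count"
        return 1
    fi
    for _w in "$@"; do
        sms_word_ok "$_w" || { echo "refuse: characters"; return 1; }
    done
    case "$*" in
        "get uptime") echo "run: uptime" ;;
        "log mark")   echo "run: mark" ;;
        *)            echo "refuse: unknown command"; return 1 ;;
    esac
}

# Entry point: carry out the decision and log every refusal with its sender.
sms_main() {
    _d=$(sms_dispatch "$@")
    case $_d in
        "run: uptime") cat /proc/uptime ;;
        "run: mark")   logger -t sms "mark requested by $1" ;;
        *)             logger -t sms "$_d from $1" ;;
    esac
}

# Run only when the file is installed under the name "sms".
case ${0##*/} in
    sms) sms_main "$@" ;;
esac
```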

AT-SMS Protocol

The AT-SMS protocol is a private set of AT commands supported by the routers. It can be used to access the cellular module in the router directly via commonly used AT commands, to work with short messages (send SMS), and to work with cellular module state information and settings.

Choosing Enable AT-SMS protocol on expansion port 1 and Baudrate makes it possible to use AT-SMS
protocol on the serial Port 1.

Item Description
Baudrate Communication speed on the expansion port 1
Table 68: Send SMS on the Serial Port 1

Choosing Enable AT-SMS protocol on expansion port 2 and Baudrate makes it possible to use AT-SMS
protocol on the Serial Port 2.

Item Description
Baudrate Communication speed on the expansion port 2
Table 69: Send SMS on the Serial Port 2

By setting the parameters in the Enable AT-SMS protocol over TCP frame, you can enable the router to use the AT-SMS protocol on a TCP port. This function requires you to specify a TCP port number.

Item Description
TCP Port TCP port on which sending/receiving of SMS messages is allowed.
Table 70: Sending/receiving of SMS on TCP Port Specified

If you establish a connection to the router through a serial interface or interface using the TCP protocol,
then you can use AT commands to manage SMS messages.
Only the commands supported by the routers are listed in the following table. For other AT commands, the OK response is always sent. Complex AT commands are not supported; in such a case the router sends an ERROR response.

AT Command Description
AT+CGMI Returns the manufacturer specific identity
AT+CGMM Returns the manufacturer specific model identity
AT+CGMR Returns the manufacturer specific model revision identity
AT+CGPADDR Displays the IP address of the Mobile WAN interface
AT+CGSN Returns the product serial number
AT+CIMI Returns the International Mobile Subscriber Identity number (IMSI)
AT+CMGD Deletes a message from the location
AT+CMGF Sets the presentation format of short messages
AT+CMGL Lists messages of a certain status from a message storage area
AT+CMGR Reads a message from a message storage area
AT+CMGS Sends a short message from the device to entered tel. number
AT+CMGW Writes a short message to SIM storage
AT+CMSS Sends a message from SIM storage location value
AT+CNUM Returns the phone number, if available (stored on SIM card)
AT+COPS? Identifies the available mobile networks
AT+CPIN Is used to find out the SIM card state and enter a PIN code
AT+CPMS Selects SMS memory storage types, to be used for short message operations
AT+CREG Displays network registration status
AT+CSCA Sets the short message service centre (SMSC) number
AT+CSCS Selects the character set
AT+CSQ Returns the signal strength of the registered network
AT+GMI Returns the manufacturer specific identity
AT+GMM Returns the manufacturer specific model identity
AT+GMR Returns the manufacturer specific model revision identity
AT+GSN Returns the product serial number
ATE Determines whether or not the device echoes characters
ATI Transmits the manufacturer specific information about the device
Table 71: List of AT Commands

A detailed description and examples of these AT commands can be found in the application note AT Commands (AT-SMS) [12].

Sending SMS from Router

There are several ways to send your own SMS from the router:

• Using the AT-SMS protocol described above – if you establish a connection to the router through a serial interface or interface using the TCP protocol, then you can use AT commands to manage SMS messages. See application note AT Commands (AT-SMS) [12].

• Using HTTP POST method for a remote execution, calling CGI scripts in the router. See Command
Line Interface Application Note [1] for more details and example.

• From Web interface of the router, in Administration section, Send SMS item, see Chapter 5.8.

• Using gsmsms command e.g. in terminal when connected to the router via SSH. See Command
Line Interface Application Note [1].

Examples of SMS Configuration

Example 1 Sending SMS Configuration

After powering up the router, the phone with the number entered in the dialog receives an SMS in the
following format:
Router (Unit ID) has been powered up. Signal strength –xx dBm.
After connecting to mobile network, the phone with the number entered in the dialog receives an SMS in
the following format:
Router (Unit ID) has established connection to mobile network. IP address xxx.xxx.xxx.xxx
After disconnecting from the mobile network, the phone with the number entered in the dialog receives an
SMS in the following format:
Router (Unit ID) has lost connection to mobile network. IP address xxx.xxx.xxx.xxx

Figure 79: SMS Configuration for Example 1

Example 2 Sending SMS via Serial Interface on the Port 1

Figure 80: SMS Configuration for Example 2

Example 3 Control the Router Sending SMS from any Phone Number

Figure 81: SMS Configuration for Example 3

Example 4 Control the Router Sending SMS from Two Phone Numbers

Figure 82: SMS Configuration for Example 4

3.18.9 SSH
The SSH protocol (Secure Shell) allows a secure remote login to the router. The SSH service is configured on the SSH configuration page under the Services menu item. Ticking the Enable SSH service item enables the SSH server on the router.

Item Description
Enable SSH service Enabling of SSH service.
Port Listening port.
Session Timeout Inactivity timeout when the session is closed. The maximum allowed
value may vary based on security requirements for the specific model.
Login Banner The text specified in this field will be displayed in the console during the
SSH login just after the login name entry.
Keep the current SSH key Choose to keep current key.
Generate a new SSH key Choose to generate new key.
Key Type Choose the key type to be generated. The minimum allowed value
may vary based on security requirements for the specific model. There
are two types of keys: the RSA (Rivest-Shamir-Adleman) key and the
ED25519 key. The ED25519 key is based on elliptic curve cryptography
and is considered more secure than RSA.
Table 72: SSH Configuration Items Description

Figure 83: SSH Configuration Page

3.18.10 Syslog
Configuration of the system log, known as syslog, is accessible from this configuration page. It is possible
to limit the log size by specifying the maximum number of entries (rows). Additionally, users have the option
to set an address and UDP port for distributing the log in real time.
To view this log, navigate to the router’s GUI via Status → System Log, or access it through the console
with the slog command.

Item Description
Log Size Restriction of log size by the maximum number of rows.
Log Persistent Set to yes to enable logging to a file saved in non-volatile memory, ensuring
that logs are preserved even after the router is powered down. This feature is
exclusive to routers equipped with eMMC memory.
Remote Host Remote host address for real-time log distribution. Hostnames are supported¹.
Remote UDP Port UDP port for real-time log distribution.
Device ID A unique identification string for remote logging purposes. If left blank, the default string Router is utilized.
Table 73: Syslog configuration

Figure 84: Syslog configuration

¹ DNS translation is refreshed every 60 minutes.

3.18.11 Telnet
Telnet is a protocol used to provide a bidirectional interactive text-oriented communication facility with the router. The Telnet service is configured on the Telnet configuration page under the Services menu item.

Item Description
Enable Telnet service Enabling of Telnet service.
Maximum Sessions Is used to close inactive sessions. The server will terminate a Telnet session
after it has not been used for the given amount of seconds. The range is from
1 to 500.
Table 74: Telnet Configuration Items Description

Figure 85: Telnet Configuration Page

3.19 Expansion Ports – RS232 & RS485


The RS232 and RS485 interfaces are available only for ICR-24xx and ICR-26xx models.

Configuration of the RS232 and RS485 interfaces can be done via the Expansion Port 1 or Expansion Port 2 menu items.
At the top of the configuration window, you can activate the port, and the connected port’s type is displayed under the Port Type field. Additional settings are detailed in the table below. Support is provided for IPv6 TCP/UDP client/server configurations.

Figure 86: Expansion Port Configuration

Item Description
Baudrate Configurable communication speed: 300, 600, 1200, 2400, 4800, 9600 (default),
19200, 38400, 57600, 115200, 230400.
Data Bits Number of data bits: 5, 6, 7, 8 (default).
Parity Parity control bit:
• None – Data will be sent without parity.
• Even – Data will be sent with even parity.
• Odd – Data will be sent with odd parity.
Stop Bits Number of stop bits: 1 (default), 2.
Flow Control Select the flow control method: None or Hardware.
Split Timeout Time threshold for message segmentation. If the gap between two characters exceeds this value (in milliseconds), any buffered characters will be sent over the Ethernet port.
Protocol Communication protocol:
• TCP – Communication using the connection-oriented TCP protocol.
• UDP – Communication using the connectionless UDP protocol.
Mode Connection mode:
• TCP Server – The router listens for incoming TCP connection requests.
• TCP Client – The router connects to a TCP server using the specified IP
address and TCP port.
Server Address When operating in TCP Client mode, specify the Server Address and TCP Port.
Both IPv4 and IPv6 addresses are supported.
TCP Port TCP/UDP port used for communication. The router applies this setting for both
server and client modes.
Inactivity Timeout The time period after which the TCP/UDP connection is terminated due to inactivity.
Table 75: Expansion Port Configuration – Serial Interface

If the Reject new connections check box is selected, the router will reject any additional connection
attempts. This means that the router will no longer support multiple connections.
If the Check TCP connection check box is selected, the router will continuously verify the status of the
TCP connection.

Item Description
Keepalive Time Time interval after which the router verifies the connection status.
Keepalive Interval Duration the router waits for a response before retrying.
Keepalive Probes Number of keepalive attempts before considering the connection inactive.
Table 76: Expansion Port Configuration – Check TCP Connection

3.19.1 Examples of Expansion Port Configuration

Figure 87: Example of Ethernet to Serial Communication Configuration

Figure 88: Example of Serial Interface Configuration

3.20 Scripts
There is an option to create your own shell scripts that are executed in specific situations. There are
three subpages under the Scripts page in the Configuration section: Startup, Up/Down IPv4, and Up/Down
IPv6.

• The script defined on the Startup page is executed after the router starts up, either from powering on
or resetting.

• The Up/Down script is executed when the WAN connection is either established (up) or lost (down).

For more details, see the following subchapters. For console configuration commands, refer to the Command Line Interface Application Note. For more information on enhancing the router’s basic functionality, refer to the Extending Router Functionality Application Note.

3.20.1 Startup Script


Use the Startup Script window to create your own scripts which will be executed after all of the initialization scripts are run – right after the router is turned on or rebooted. To save the script press the Apply button.

Any changes made to a startup script will take effect next time the router is power cycled or rebooted.
This can be done with the Reboot button in the Administration section, or by SMS message.

3.20.2 Example of Startup Script

Figure 89: Example of a Startup Script

This example stops the syslogd program when the router starts up and starts syslogd again with remote logging to the address 192.168.2.115 and limited to 100 entries. Add these lines to the startup script:
killall syslogd
syslogd -R 192.168.2.115 -S 100

3.20.3 Up/Down Scripts


Use the Up/Down IPv4 and Up/Down IPv6 pages to create scripts that are executed when the WAN connection is established (up) or lost (down). The router implements independent IPv4 and IPv6 stacks (dual stack), so there are independent IPv4 and IPv6 Up/Down scripts. The IPv4 Up/Down Script runs only when the IPv4 WAN connection is established or lost; the IPv6 Up/Down Script runs only when the IPv6 WAN connection is established or lost. Any scripts entered into the Up Script window run after a WAN connection is established. Script commands entered into the Down Script window run when the WAN connection is lost.

The changes in settings apply after pressing the Apply button. You also need to reboot the router to make the Up/Down Script work.

3.20.4 Example of IPv6 Up/Down Script

Figure 90: Example of IPv6 Up/Down Script

After establishing or losing an IPv6 WAN connection, the router sends an email with information about the connection state. SMTP must be configured beforehand.

Add this line to the Up Script field:


email -t [email protected] -s "Router" -m "Connection up."

Add this line to the Down Script field:


email -t [email protected] -s "Router" -m "Connection down."

3.21 Automatic Update


The router can be configured to automatically check for firmware updates from an FTP site or a web
server and update its firmware or configuration information; see Figure 91 and Table 77.

Figure 91: Automatic Update

Item Description
Enable automatic update of configuration If enabled and a new configuration file is available, the router updates the configuration and reboots.
Enable automatic update of firmware If enabled and new firmware is available, the router updates the firmware and reboots.
Source Select the location of the update files:
• HTTP(S)/FTP(S) server – Updates are downloaded from the Base URL address below. The protocol used is specified by that address: HTTP, HTTPS, FTP, or FTPS (only implicit mode is supported).
• USB flash drive – The router finds the current firmware or configuration in the root directory of the connected USB device.
• Both – The router looks for the current firmware or configuration in both sources.
Base URL Base URL, IPv4, or IPv6 address from which the configuration file will be downloaded. This option also specifies the communication protocol (HTTP, HTTPS, FTP, or FTPS), see examples below.
Continued on the next page

ICR-2[0456]00 Family Configuration Manual 140


3. Configuration 3.21 Automatic Update

Continued from previous page


Item Description
Unit ID Name of configuration (name of the file without extension). If the Unit
ID is not filled, the MAC address of the router is used as the filename
(the delimiter colon is used instead of a dot).
Decryption Password Password for decryption of the encrypted configuration file. This is re-
quired only if the configuration is encrypted.
Update Window Start Choose an hour (range from 1 to 24) when the automatic update will be
performed on a daily basis.
If the time is not specified (set to dynamic), the automatic update is per-
formed five minutes after the router boots up and then regularly every
24 hours.
Update Window Length This value defines the period within which the update will be done. This
period starts at the time set in the Update Window Start field. The exact
time, when the update will be done, is generated randomly.
Skip Certificate Verification If enabled, the server certificate validation is not executed.
Use Custom CA Certificate If enabled, the server certificate validation is executed to verify server
identity.
CA Certificate CA certificate to validate on the server.
Table 77: Automatic Update Options

To prevent possible unwanted manipulation of the files, the router verifies that the downloaded file is in
the tar.gz format. First, the format of the downloaded file is checked. Then, the type of architecture and
each file in the archive (tar.gz file) is checked.
The configuration file name consists of the Base URL, the hardware MAC address of the ETH0 inter-
face, and the cfg extension. The hardware MAC address and cfg extension are added to the file name
automatically, so it is not necessary to enter them. When the parameter Unit ID is enabled, it defines the
specific configuration name that will be downloaded to the router, and the hardware MAC address in the
configuration name will not be used.
The firmware file name consists of the Base URL, the type of router, and the bin extension. The
proper firmware filename is shown on the Update Firmware page in the Administration section;
see Chapter 5.11.

It is necessary to load two files (*.bin and *.ver) to the server. If only the *.bin file is uploaded and
the HTTP(S) server sends an incorrect 200 OK response (instead of the expected 404 Not Found)
when the device tries to download the nonexistent *.ver file, the router may download the .bin file
repeatedly.

Firmware update can cause incompatibility with the router apps. It is recommended that you update
router apps to the most recent version. Information about the router apps and firmware compatibility
is provided at the beginning of the router app’s Application Note.

The automatic update feature is also executed five minutes after the firmware upgrade, regardless of
the scheduled time.


3.21.1 Example of Automatic Update


In the following example, the router is configured to check for new firmware or a configuration file daily at
1:00 a.m. This scenario is specifically tailored for the ICR-4401 router.

• Firmware file: https://example.com/icr-440x.bin

• Configuration file: https://example.com/test.cfg

Figure 92: Example of Automatic Update


3.21.2 Example of Automatic Update Based on MAC


The example provided demonstrates how to check for new firmware or configurations daily between 1:00
a.m. and 3:00 a.m. The configuration file is encrypted, necessitating the setup of a decryption password.
This specific example is applicable to the ICR-4161 router with the MAC address 00:11:22:33:44:55.

• Firmware file: https://example.com/icr-416x.bin

• Configuration file: https://example.com/00.11.22.33.44.55.cfg

Figure 93: Example of Automatic Update Based on MAC
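The following added example (not Advantech code) derives the file URLs from the naming rules and examples above and checks an HTTP(S) update server for the missing *.ver and incorrect 200 OK cases described in this chapter. It assumes the *.ver file shares the firmware file's name and that file names are appended to the Base URL after a slash, as the example URLs suggest; the function names are hypothetical.

```python
import secrets
import string
import urllib.error
import urllib.request


def mac_to_config_stem(mac):
    """00:11:22:33:44:55 -> 00.11.22.33.44.55, the form used in the MAC-based example."""
    octets = mac.strip().split(":")
    if len(octets) != 6:
        raise ValueError("expected six colon-separated octets")
    for octet in octets:
        if len(octet) != 2 or any(c not in string.hexdigits for c in octet):
            raise ValueError("invalid octet: %r" % octet)
    return ".".join(octets)


def expected_urls(base_url, firmware_name, mac=None, unit_id=None):
    """URLs the router is expected to request (assumption: Base URL + '/' + file name)."""
    if unit_id:
        stem = unit_id                      # Unit ID replaces the MAC-based name
    elif mac:
        stem = mac_to_config_stem(mac)
    else:
        raise ValueError("either unit_id or mac is required")
    base = base_url.rstrip("/") + "/"
    return {
        "config": base + stem + ".cfg",
        "firmware": base + firmware_name + ".bin",
        "version": base + firmware_name + ".ver",   # assumed to share the .bin name
    }


def http_status(url, timeout=10):
    """Status code of a HEAD request (HTTP/HTTPS only, certificate checks stay enabled)."""
    request = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status
    except urllib.error.HTTPError as error:
        return error.code


def audit_update_server(base_url, firmware_name, mac=None, unit_id=None,
                        fetch=http_status):
    """Return a list of findings; an empty list means the server looks consistent."""
    urls = expected_urls(base_url, firmware_name, mac, unit_id)
    status = {name: fetch(url) for name, url in urls.items()}
    findings = []

    # Ask for a file that cannot exist. A correct server answers 404 Not Found.
    probe = base_url.rstrip("/") + "/absent-" + secrets.token_hex(8) + ".ver"
    probe_status = fetch(probe)
    if probe_status != 404:
        findings.append("server answered %s instead of 404 for a nonexistent file; "
                        "a missing *.ver would go unnoticed" % probe_status)

    if status["firmware"] == 200 and status["version"] != 200:
        findings.append("*.bin is published without its *.ver file")
    if status["version"] == 200 and status["firmware"] != 200:
        findings.append("*.ver is published without its *.bin file")
    return findings


if __name__ == "__main__":
    # Constructed stand-in for a server that answers 200 OK to every request.
    for finding in audit_update_server("https://example.com", "icr-416x",
                                       mac="00:11:22:33:44:55",
                                       fetch=lambda url: 200):
        print("FINDING:", finding)
```

Run it against the real Base URL by leaving the fetch argument at its default before pointing routers at a new update server.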



4. Customization
4.1 Router Apps
A user with the User role can only view the installed Router Apps. Management of Router Apps is allowed
only for users with the Admin role.

Router Apps (RA), formerly known as User Modules, enhance router functionality through custom
software programs. These apps extend the router’s capabilities in areas such as security and advanced
networking, offering a flexible and customizable experience.
For Advantech routers, a diverse array of Router Apps is offered, encompassing categories such as
connectivity, routing, services, among others. These applications are freely accessible on the Advantech
Router Apps webpage, providing users with a wide range of options to enhance the functionality of their
devices.
Figure 94 illustrates the default layout of the Router Apps configuration interface. The initial segment,
titled Installed Apps, presents a comprehensive list of Router Apps currently installed on the device. The
subsequent section, Manual Installation, provides the functionality for manually adding Router Apps to the
system. The Free Space row indicates the available space. Lastly, the third section facilitates the online
acquisition and installation of Router Apps accessible from a public server.

Figure 94: Default Router Apps GUI

Manual RA Installation and Update


For the manual installation of a RA, prepare the application package with a *.tgz extension. In the
router interface, use the Choose File button to select your file and the Add or Update button to start the
installation.

Online RA Installation and Update


To install Router Apps from the public server, it is imperative to first ensure that the router is correctly
configured and connected as outlined in Chapter 4.2. By default, routers are set to automatically connect
to the public Advantech server. To proceed with the installation, click on the Load Available Apps button,
which initiates the loading of a comprehensive list of RA that are available on the server for installation.

Keep these notes in mind:

• The online RA installation functionality is available starting with firmware version 6.4.0 and is not
available for the v2 production platform.

• Note that an Internet connection is required to access the public server. Without it, you will encounter
an error: "Cannot get auth header: Couldn’t resolve host name".


• The list of online applications is updated only when the Reload Available Apps button is pressed. The
last loading timestamp is visible next to this button.
• If the router is rebooted, the list of applications is cleared and needs to be reloaded.
• The Load Available Apps button is deactivated if the connection to the server is disabled.

Figure 95 displays an instance where the assortment of online applications accessible for installation
has been successfully loaded. This figure further demonstrates that only the Customer Logo application,
version v1.0.0, is installed on the local device, as indicated by its solitary listing in the Installed Apps section.
Within the Online Installation section, it is highlighted that an updated version of the Customer Logo
application, version v1.1.0, is available for download from the server, showcasing the potential for upgrading
existing applications directly through the router’s interface.

Figure 95: Router Apps GUI with Available Online Apps

RA Management
Installed Router Apps, regardless of whether they were installed manually or from the server, appear in
the Installed Apps section.
Apps with an index.html or index.cgi page have a clickable link in their name. Clicking on this
link opens the GUI of the respective application.
To remove an app, click the Delete button, which is located next to the respective application in the
Installed Apps section.

The programming and compiling of router applications is described in the Application Note Programming of
Router Apps [14].


4.2 Settings
To configure the connection settings for the online application hosting server, navigate to the
Customization → Settings menu option. Figure 96 and Table 78 describe the configuration parameters
for the server.

Figure 96: Router Apps Settings

Item: Description
Disable server communication: Connection to the server is disabled, preventing any data exchange with the online application hosting server.
Use public server: Opt to utilize the public server, managed by Advantech, as the primary source for Router Apps. This is the default configuration. An active internet connection is mandatory for accessing the server.
Use custom server¹: Select this option to establish a connection with a self-hosted server that adheres to the Advantech specifications for Router Apps.
API URL: Enter the URL for the self-hosted server, ensuring the inclusion of the 'https://' prefix to denote a secure connection.
CA certificate: Provide the certificate for the self-hosted server, especially if it utilizes a Certificate Authority (CA) that is not widely recognized or standard.
Table 78: Router Apps Settings

¹ Operating your own self-hosted server is feasible exclusively with an on-premises installation of the WebAccess/DMP product by
Advantech.



5. Administration
5.1 Manage Users

Be careful not to lock out all users with the Admin role. In this state, no user will have the rights to
configure user accounts!

• This configuration menu is available only to users with the Admin role.

• For user authentication settings, such as two-factor authentication and account locking rules, refer to
Chapter 3.18.1.

• The user will be prompted to change their password in the following situations:
◦ When logging into the new router for the first time.
◦ When a user’s password has been forcefully changed by a user with the Admin role upon their first
login.
◦ When a Configuration Reset or Factory Reset is performed on the router.

To manage users, open the Manage Users form in the Administration section of the main menu, as
shown in Figure 97. In this figure, you can see that there are two users defined on the router: root with
the Admin role, and the user Alice with the User role. By clicking the Add User button, the user John
(whose data is filled in the form) will be added to the router.

Figure 97: Modify User Page

The first part of this configuration form contains a list of all existing users. Table 79 describes the meaning
of the buttons located to the right of each user.


Button: Description
Lock: Locks the user account. This user is not allowed to log in to the router, either to the web interface or via SSH.
Modify: Allows you to change the password or key for the corresponding user, see Chapter 5.2.
Delete: Deletes the user account.
Table 79: Action Button Description

The second part of the configuration form allows adding a new user. All items are described in Table 80.
To create a new user, configure all required items and click the Add User button.

Item: Description
Role:
• User
◦ User with basic permissions.
◦ Read-only access to the web GUI, except for Modify User.
◦ Some menu items are hidden in the web GUI.
◦ Read-only access to the Router Apps GUI.
◦ No access to the router via Telnet, SSH or SFTP.
◦ Read-only access to the FTP server.
• Admin
◦ User with enhanced permissions.
◦ Full access to all items in the web GUI.
◦ Access to the router via Telnet, SSH or SFTP.
◦ Not the same rights as the superuser on a Linux-based system.
Username: Specifies the name of the user having access to log in to the device.
New Password: Specifies the password for the user. It must match the rules stated in the GUI, which depend on the Force Password Complexity level set in Configuration → Services → Authentication, as described in Chapter 3.18.1.
Confirm Password: Confirms the password.
Public key: Enter the SSH Public Key to enable passwordless SSH login. Refer to Chapter 5.2.2 for details.
Phone Number: User’s phone number. If configured, an SMS is sent to the user when their password is changed. A functional SIM card is required.
Email Address: User’s email address. If configured, an email is sent to the user when their password is changed. SMTP must be configured.
Add User: Click this button to create a new user based on the entries in the fields above.
Table 80: User Parameters


5.2 Modify User

• This configuration menu is only available for users with the User role. Such users can only modify
their own account.

• To view the current user authentication configuration settings, such as two-factor authentication and
account locking rules, refer to Chapter 3.18.1.

If a user with a User role is logged in, they can manage only their user account. This can be done on the
Administration → Modify User page. You will get the same configuration page if you have the Admin role
when modifying another user account on the Manage Users page.

Figure 98: Users Administration Form

The meaning of the items in the first part of this window is clear or described in more detail in Chapter 5.1.
If you want to change your own password, you will need to enter the current password as well. In the second
part, you can configure two-factor authentication for a user, including its secret key.


5.2.1 Two-Factor Authentication

If the configuration of two-factor authentication fails or does not complete properly, you will be unable
to log in to the router using that user account. It is recommended to set up a backup account to log
in to the router in case issues arise during the configuration process. You can delete this backup
account after successfully configuring two-factor authentication.

To successfully log in using two-factor authentication, the correct system time must be set on the
router. Therefore, it is strongly recommended to enable the Synchronize clock with remote NTP
server option. For more details, refer to Chapter 3.18.5 NTP.

If you have enabled one of the two-factor authentication services, as mentioned above, you should see
the chosen service name in the Two-Factor Auth field, as shown in Figure 98.
A secret key is required to activate the two-factor authentication. You can generate this key by choosing
the Generate a new secret key option, or upload the user’s secret key from a file using Upload a new
secret key. Click the Apply button to save the secret key. Next, click the Show button, located to
the right of the secret key, to display it. If the secret key is defined, a QR code will appear
on the right, allowing you to easily add this key to the chosen authentication application by scanning it;
see the Authenticator section.

Without the secret key, a user will not be able to finish two-factor configuration and log in to the router.

A user with the Admin role cannot generate or upload the secret key for another user; they can only delete
the key.

Implementation Notes

• Two different two-factor implementations are supported:


◦ Google Authenticator,
◦ OATH Toolkit.

• Implemented for the following services only:


◦ the router’s web server login,
◦ SSH login,
◦ TELNET login.

• Two-factor authentication is disabled by default.

• Two-factor authentication data are backed up/restored during user backup/restore.

• All private two-factor authentication data are removed when the corresponding user is deleted.

• No internet or mobile connection is required to use two-factor authentication, but keep in mind the
need to synchronize the system time.


Configuration Steps

1. Enable the two-factor authentication service as described in Chapter 3.18.1.


2. Enable the two-factor authentication for a user as described in Chapter 5.2.
3. Use an application or service to perform the two-factor authentication to the router as described in
the Authenticator section below.

Authenticator

To log in with two-factor authentication, you need an Authenticator application. Both Google Authenticator
and OATH use TOTP (Time-based One-Time Password, RFC 6238) mode by default. You can use any
compatible authenticator. For information about authenticator usage, see the corresponding manual.

You can use the Google Authenticator application; see Figure 99 for the download links.

Figure 99: Links for Google Authenticator Application

Authenticator-Extension is available as an extension for all popular browsers; see Figure 100 for the
download links.

Figure 100: Links for Authenticator-Extension

In an Authenticator application, you can create a new entry by entering the secret key you have noted
down or by scanning the QR code shown for the user on the Modify User configuration page.
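Why the router clock matters for the TOTP codes described above, shown as an added example that is not Advantech code: the same secret produces a different code in each time step, so a code from a correctly set authenticator is rejected when the verifier's clock is too far off. The SHA-1 hash, 30-second step, six digits and the acceptance window are assumptions (common authenticator defaults), not values stated in this manual; the secret is the RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample secret: the RFC 6238 test key, Base32-encoded as authenticators expect.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP using HMAC-SHA-1 (step and digits are assumed defaults)."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)        # secrets are often shown without padding
    key = base64.b32decode(cleaned)
    counter = int(unix_time) // step            # number of time steps since the epoch
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, code, verifier_time, window=1, step=30):
    """Return the step offset at which the code matched, or None if it is rejected.

    window is the number of steps accepted on each side of the verifier's own
    clock (an assumption; the router's actual tolerance is not given here).
    """
    for offset in sorted(range(-window, window + 1), key=abs):
        moment = verifier_time + offset * step
        if moment < 0:
            continue
        candidate = totp(secret_b32, moment, step, len(code))
        if hmac.compare_digest(candidate, code):
            return offset
    return None


def skew_table(secret_b32, phone_time, skews, window=1):
    """For each router clock error in seconds, is the authenticator's code accepted?"""
    code = totp(secret_b32, phone_time)
    return {skew: verify(secret_b32, code, phone_time + skew, window) is not None
            for skew in skews}


if __name__ == "__main__":
    phone_time = 1111111109                     # constructed timestamp (RFC 6238 vector)
    print("code on the authenticator:", totp(SAMPLE_SECRET, phone_time))
    for skew, accepted in skew_table(SAMPLE_SECRET, phone_time, [0, 2, 40, 600]).items():
        print("router clock off by %4d s -> %s" % (skew, "accepted" if accepted else "rejected"))
```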


Router Web Login

When logging into the router’s web interface, enter the Username and Password as you would for a
standard login; see Figure 101.

Figure 101: Standard Login

Next, you will be prompted to enter the Verification Code; see Figure 102. This code is obtained from
your Authenticator. Note that there is a limited time for code usage, typically within five minutes, assuming
the system time is correct.

Figure 102: Verification Code

After entering the correct code, you will be successfully logged in to the router’s web interface.

SSH and Telnet Login

Logging into SSH and Telnet with two-factor authentication is similar. Enter your username, password,
and the generated verification code. For an example of SSH login, see Figure 103.

Figure 103: SSH Login


5.2.2 Passwordless Console Login


You can log in to SSH without a password using the SSH Public Key. The process of key generation and
connection will be demonstrated in this chapter using PuTTY, a free terminal emulator for Windows OS.

Installation Notes

• For simplicity and clarity, we will perform a manual installation of PuTTY to the directory C:\bin,
instead of using an .msi installation package.

• From the PuTTY application download page, under the section Alternative binary files, download the
individual files named putty.exe, puttygen.exe, and pageant.exe. You will likely want the 64-bit
x86 version. We use PuTTY version 0.80. Save these files to the C:\bin directory.

Generate Keys

• Run the downloaded puttygen.exe application to create your SSH key, see Figure 104.

• Ensure the RSA option is selected.

• Click the Generate button. Move your mouse within the window to generate the keys.

• Once complete, the key data appears.

Figure 104: Key Generation


• Click both Save public key and Save private key buttons to save these keys on your computer:
◦ Name the public key something like hostpublickey and the private key something like
hostprivatekey, without manually adding extensions.
◦ If prompted about a passphrase, click Yes to save without a passphrase.

• Leave the PuTTY Key Generator application open.

Uploading Public Key to the Router:

• In the router GUI (Administration → Manage Users), click the Modify button for the user to whom you
want to add the public key. Ensure the user has the Admin role, since a user with the User role is not
permitted for SSH login.

• Enter the generated public key for the user:


◦ In the PuTTY Key Generator, select the entire public key as demonstrated in Figure 104 with the
key data selected (in blue), and copy it to the clipboard.
◦ In the router GUI, paste the key into the SSH Public Key field.
◦ It is important that the key starts with "ssh-rsa " followed by the key itself.

• Save the user settings by clicking the Apply button.

• Now, you can close the PuTTY Key Generator application.
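A way to check the text before pasting it into the SSH Public Key field, as an added example that is not part of PuTTY or the router firmware: it confirms the line starts with "ssh-rsa ", that the Base64 data really encodes an RSA key and was not cut off while copying, and it rejects the multi-line form that PuTTYgen writes with Save public key. The function names and the 2048-bit minimum are assumptions of this example; the sample key is built from a made-up modulus.

```python
import base64
import struct


def _field(blob, offset):
    """Read one SSH wire-format field: uint32 big-endian length, then that many bytes."""
    if offset + 4 > len(blob):
        raise ValueError("key data is truncated")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("key data is truncated")
    return blob[offset + 4:end], end


def check_pasted_key(text, min_bits=2048):
    """Return the RSA modulus size in bits, or raise ValueError naming the problem."""
    text = text.strip()
    if text.startswith("---- BEGIN SSH2 PUBLIC KEY"):
        raise ValueError("this is the saved-file form; copy the one-line key "
                         "from the PuTTY Key Generator window instead")
    if len(text.splitlines()) != 1:
        raise ValueError("the key must be a single line")
    parts = text.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError('the key must start with "ssh-rsa " followed by the key data')
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError as error:
        raise ValueError("key data is not valid Base64 (incomplete copy?)") from error

    key_type, offset = _field(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key data does not describe an RSA key")
    _exponent, offset = _field(blob, offset)
    modulus, offset = _field(blob, offset)
    if offset != len(blob):
        raise ValueError("unexpected data after the RSA modulus")

    bits = int.from_bytes(modulus, "big").bit_length()
    if bits < min_bits:                       # min_bits is this example's own threshold
        raise ValueError("RSA modulus has only %d bits" % bits)
    return bits


def constructed_key(bits=2048):
    """Build a well-formed key line from a made-up modulus (sample only, not a usable key)."""
    def pack(data):
        return struct.pack(">I", len(data)) + data

    modulus = (1 << (bits - 1)) | 1
    mpint = modulus.to_bytes(bits // 8 + 1, "big")   # leading zero byte keeps it positive
    blob = pack(b"ssh-rsa") + pack(b"\x01\x00\x01") + pack(mpint)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed-sample"


if __name__ == "__main__":
    line = constructed_key()
    print("full line      :", check_pasted_key(line), "bit RSA key")
    try:
        check_pasted_key(line[:48])           # simulate a copy that stopped early
    except ValueError as problem:
        print("incomplete copy:", problem)
```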

PuTTY Session Configuration

• Open the c:\bin\putty.exe application.

• In the configuration window, navigate to Connection → Data and enter the username (the router’s
user to whom the public key was saved) in the Auto-login username field.

• Under Connection → SSH → Auth → Credentials, click the Browse button near the Private key file
for authentication field, and select your hostprivatekey file generated according to the steps above.

• In the configuration window, navigate to the Session menu item and configure the following:
◦ Host Name: IP address of your router.
◦ Port: 22.
◦ Connection Type: SSH.
◦ Saved Session: Enter a name for this session.
◦ Click Save to store these session settings.

Connecting to the Router

• Open the c:\bin\putty.exe application.

• Select and load your session with the Load button.

• Click Open to establish the connection.

• If everything is configured correctly, an SSH console prompt will open with the user logged in.


5.2.3 Expired Password


Once the number of days defined in Expire Password After has passed, the password expires and the user
will be prompted to enter a new password, as shown in Figure 105. The new password must match the rules
stated in the GUI, which depend on the Force Password Complexity level set in Configuration → Services
→ Authentication, as described in Chapter 3.18.1.

Figure 105: Expired Password Prompt


5.3 Change Profile


In addition to the standard profile, up to three alternate router configurations or profiles can be stored in
the router’s non-volatile memory. You can save the current configuration to a router profile through the
Change Profile menu item. Select the alternate profile to store the settings to and ensure that the Copy
settings from current profile to selected profile box is checked. The current settings will be stored in the
alternate profile after the Apply button is pressed. Any changes will take effect after restarting the router
through the Reboot menu in the web administration or using an SMS message.

Example of using profiles: Profiles can be used to switch between different modes of operation of the
router such as PPP connection, VPN tunnels, etc. It is then possible to switch between these settings using
the front panel binary input, an SMS message, or the web interface of the router.

Figure 106: Change Profile


5.4 Set Date and Time

This administration page is not for configuring the NTP client, but only for one-time date and time
settings. For permanent NTP client configuration, please go to the Configuration → Services → NTP
page.

There are three ways to set the system date and time on a one-time basis, as shown in the figure below:

1. Set current browser time: This option sets the device’s clock to match the time displayed on your
web browser.

2. Set specific date/time: You can manually input the date and time. Ensure you adhere to the
yyyy-mm-dd format for the date. For the time, use the HH:MM:SS format. Note: The time preloaded is
the browser time, not the router time.

3. Query NTP server: To query the date and time from an NTP server, input the address of the NTP
server. The system supports both IPv4 and IPv6 addresses, as well as domain names.

Figure 107: Set Real Time Clock


5.5 Set SMS Service Center


Sending SMS messages requires the phone number of the SMS service center. To specify the SMS service
center phone number, use the Set SMS Service Center configuration form in the Administration section
of the main menu. You can leave the field blank if your SIM card contains the phone number of the SMS
service center by default. This phone number can have a value without an international prefix
(xxx-xxx-xxx) or with an international prefix (+420-xxx-xxx-xxx). If you are unable to
send or receive SMS messages, contact your carrier to find out if this parameter is required.

Figure 108: Set SMS Service Center Address

5.6 Unlock SIM Card


A SIM card protected by a PIN can be used in the router; just fill in the PIN on the
Mobile WAN Configuration page. On this page, you can remove the PIN protection (4–8 digit Personal
Identification Number) from the SIM card, if your SIM card is protected by one. Open the Unlock SIM Card
form in the Administration section of the main menu and enter the PIN in the SIM PIN field, then click the
Apply button. The change is applied to the currently enabled SIM card, or to the first SIM card if no SIM
card is enabled at the moment.

The SIM card is blocked after three failed attempts to enter the PIN code. Unblocking the SIM card with
the PUK is described in the next chapter.

Figure 109: Unlock SIM Card


5.7 Unblock SIM Card


On this page you can unblock the SIM card after 3 wrong PIN attempts or change the PIN code of the
SIM card. To unblock the SIM card, go to the Unblock SIM Card administration page. In both cases, enter
the PUK code into the SIM PUK field and the new SIM PIN code into the New SIM PIN field. To proceed,
click the Apply button. The change is applied to the currently enabled SIM card, or to the first SIM card
if no SIM card is enabled at the moment.

The SIM card will be permanently blocked after three unsuccessful attempts to enter the PUK code.

Figure 110: Unblock SIM Card

5.8 Send SMS


You can send an SMS message from the router to test the cellular network. Use the Send SMS dialog
in the Administration section of the main menu to send SMS messages. Enter the Phone number and text
of your message in the Message field, then click the Send button. The router limits the maximum length of
an SMS to 160 characters. (To send longer messages, install the pduSMS router app).

Figure 111: Send SMS

It is also possible to send an SMS message using a CGI script. For details of this method, see the
application note Command Line Interface [1].


5.9 Backup Configuration

Keep in mind potential security issues when creating a backup, especially for user accounts.
Encrypted configuration or a secured connection to the router should be used.

You can save the current configuration of the router using the Backup Configuration item in the
Administration menu section. If you click on this item, a configuration pane will open, see Figure 112.
Here you can choose what will be backed up. You can back up the configuration of the router (item
Configuration) or the configuration of all user accounts (item Users). Both types of configurations can be
backed up separately or together into one configuration file.

It is recommended to save the configuration into an encrypted file. If the encryption password is not
configured, the configuration is stored in an unencrypted file.

Click on the Apply button and the configuration will be stored into a configuration file (file with cfg
extension) in a directory according to the settings of the web browser. The stored configuration can be
used later for restoration, see Chapter 5.10 for more information.

Figure 112: Backup Configuration


5.10 Restore Configuration


You can restore a router configuration stored in a file. You created the file as shown in the previous
chapter.
To restore the configuration from this file, use the Restore Configuration form. Next, click the Browse
button to navigate to the directory containing the configuration file you wish to load to the router. If the
configuration was stored in an encrypted file, the decryption password must be set to decrypt the file
successfully. To start the restoration process, click on the Apply button.

Figure 113: Restore Configuration


5.11 Update Firmware


The latest firmware for our routers is available on the Engineering Portal’s product page. For downloading
the appropriate firmware for your router model, please visit icr.advantech.com/download/routers-firmware.

• For enhanced security, it is strongly recommended to regularly update your router’s firmware
to the latest version. Avoid downgrading the firmware to a version older than the production
release, and refrain from uploading firmware meant for different models, as these actions can
lead to device malfunction.

• Be aware that firmware updates may cause compatibility issues with Router Apps. To minimize
such issues, it is advisable to update all Router Apps to their latest versions concurrently with the
router’s firmware. Detailed compatibility information for each app is provided at the beginning
of its Application Note.

• When using the HTTP protocol to communicate with the router (not recommended for security
reasons), some advanced firewalls–especially those with AI capabilities–may falsely detect the
firmware file content as insecure and block communication. In such cases, use HTTPS or ask
your infrastructure administrator to remove the relevant rule.

The Update Firmware administration page showcases the current firmware version and the name of the
router’s firmware, as illustrated in Figure 114. This page also offers the capability to update the router’s
firmware, accommodating both manual updates and online updates from the public server.

Figure 114: Update Firmware Administration Page

Manual Firmware Update


To manually update the router’s firmware, click on the Choose File button and select the firmware file.
Then, press the Update button to initiate the firmware update process.

Online Firmware Update


Starting with firmware version 6.4.0, the firmware can be updated from a public server. Ensure that your
router is properly configured as described in Chapter 4.2.
To verify the availability of a newer firmware version on the server, click the Check for updates button. If
a new version is available, the version information and a Download and Update button will appear. Clicking
this button initiates the firmware update process.


During the firmware update, the router will display status messages as depicted in Figure 115. Upon
completion, the router will automatically reboot. After rebooting, click the here link in the web interface to
reopen it.

Figure 115: Process of Firmware Update

5.12 Reboot
To reboot the router, select the Reboot menu item and then press the Reboot button.

Figure 116: Reboot

5.13 Logout
By clicking the Logout menu item, the user is logged out from the web interface.

6. Typical Situations
Although Advantech routers have a wide variety of uses, they are commonly used in the following ways.
All the examples below are for IPv4 networks.

6.1 Access to the Internet from LAN

Figure 117: Access to the Internet from LAN – Sample Topology

In this example, a LAN connects to the Internet via a mobile network. A SIM card with a data tariff has
to be provided by the mobile network operator. This requires no initial configuration. You only need to place
the SIM card in the SIM1 slot (Primary SIM card), attach the antenna to the ANT connector and connect
the computer (or switch and computers) to the router’s ETH0 interface (LAN). Wait a moment after turning
on the router. The router will connect to the mobile network and the Internet. This will be indicated by the
LEDs on the front panel of the router (WAN and DAT ).
Additional configuration can be done in the Ethernet and Mobile WAN items in the Configuration section
of the web interface.

Ethernet configuration: The factory default IP address of the router’s ETH0 interface is
192.168.1.1. This can be changed (after logging in to the router) in the Ethernet item in the Configuration
section, see Figure 118. In this case, no additional configuration is needed. The DHCP server
is also enabled by factory default (so the first connected computer will get the 192.168.1.2 IP address
etc.). Other configuration options are described in Chapter 3.1.

Mobile WAN Configuration: Use the Mobile WAN item in the Configuration section to configure the
connection to the mobile network, see Figure 119. In this case (depending on the SIM card), the configuration
form can be blank, but make sure that Create connection to mobile network is checked (this is the factory
default). For more details, see Chapter 3.4.1.
To check whether the connection is working properly, go to the Mobile WAN item in the Status
section. You will see information about the operator, signal strength etc. At the bottom, you should see the
message: Connection successfully established. The Network item should display information about the newly
created network interface, usb0 (mobile connection). You should also see the IP address provided by the
network operator, as well as the route table etc. The LAN now has Internet access.


Figure 118: Access to the Internet from LAN – Ethernet Configuration

Figure 119: Access to the Internet from LAN – Mobile WAN Configuration


6.2 Backup Access to the Internet from LAN

Figure 120: Backup access to the Internet – sample topology

The configuration form on the Backup Routes page lets you back up the primary connection with
alternative connections to the Internet/mobile network. Each backup connection can be assigned a priority.

Figure 121: Backup access to the Internet – Ethernet configuration

LAN configuration: In the Ethernet –> ETH0 item, you can use the factory default configuration as in the
previous situation. The ETH1 interface on the front panel of the router is used for connection to the Internet.
It can be configured in the ETH1 menu item. Connect the cable to the router and set the appropriate values
as in Figure 121. You may configure the static IP address, default gateway and DNS server. Changes will
take effect after you click on the Apply button. Detailed Ethernet configuration is described in Chapter 3.1.

Mobile WAN configuration: To configure the mobile connection, it should be sufficient to insert the SIM
card into the SIM1 slot and attach the antenna to the ANT connector (depending on the SIM card you are
using).


To set up backup routes, you will need to enable Check Connection in the Mobile WAN item (see
Figure 122). Set the Check connection option to enabled + bind, fill in an IP address of the mobile
operator’s DNS server or any other reliably available server, and enter the time interval of the check. For
detailed configuration, see Chapter 3.4.1.

Figure 122: Backup access to the Internet – Mobile WAN configuration

Backup Routes configuration: After setting up the backup routes, you will need to set their priorities. In
Figure 123, the ETH1 wired connection has the highest priority. If that connection fails, the second choice
will be the mobile connection – usb0 network interface.
The backup routes system must be activated by checking the Enable backup routes switching item for
each of the routes. Click the Apply button to confirm the changes. For detailed configuration, see Chapter
3.8.


Figure 123: Backup access to the Internet – Backup Routes configuration

You can verify the configured network interfaces in the Status section in the Network item. You will see
the active network interfaces: eth0 (connection to LAN), eth1 (wired connection to the Internet) and usb0
(mobile connection to the Internet). IP addresses and other data are included.
At the bottom of the page, you will see the Route Table and the corresponding changes: if the wired
connection fails or the cable is disconnected, the mobile connection will be used.
Backup routes work even if they are not activated in the Backup Routes item, but the router will use the
factory defaults.


6.3 Secure Networks Interconnection or Using VPN

Figure 124: Secure Networks Interconnection – Sample Topology

VPN (Virtual Private Network) is a protocol used to create a secure connection between two LANs,
allowing them to function as a single network. The connection is secured (encrypted) and authenticated
(verified). It is used over public, untrusted networks, see Figure 124. You may use several different secure
protocols.

• OpenVPN (it is a configuration item in the web interface of the router), see Chapter 3.12 or Application
Note [5],

• IPsec (it is also a configuration item in the web interface of the router), see Chapter 3.13 or Application
Note [6].

You can also create non-encrypted tunnels: GRE, PPTP and L2TP. You can use a GRE or L2TP tunnel in
combination with IPsec to create VPNs.
There is an example of an OpenVPN tunnel in Figure 124. To establish this tunnel you will need the
opposite router’s IP address, the opposite router’s network IP address (not necessary) and the pre-shared
secret (key). Create the OpenVPN tunnel by configuring the Mobile WAN and OpenVPN items in the
Configuration section.

Mobile WAN configuration: The mobile connection can be configured as described in the previous
situations. (The router connects itself after a SIM card is inserted into the SIM1 slot and an antenna is attached
to the ANT connector.)
Configuration is accessible via the Mobile WAN item in the Configuration section (see Chapter 3.4.1). The
mobile connection has to be enabled.


OpenVPN configuration: OpenVPN configuration is done with the OpenVPN item in the Configuration
section. Choose one of the two possible tunnels and enable it by checking the Create 1st OpenVPN
tunnel item. You will need to fill in the protocol and the port (according to the settings on the opposite side of the
tunnel or OpenVPN server). You may fill in the public IP address of the opposite side of the tunnel,
including the remote subnet and mask (not necessary). The important items are Local and Remote Interface IP
Address, where the information regarding the interfaces of the tunnel’s ends must be filled in. In the example
shown, the pre-shared secret is known, so you would choose this option in the Authentication Mode item
and insert the secret (key) into the field. Confirm the configuration by clicking the Apply button. For detailed
configuration, see Chapter 3.12 or Application Note [5].

Figure 125: Secure Networks Interconnection – OpenVPN Configuration

The Network item in the Status section will let you verify the activated network interface tun0 for the
tunnel with the IP addresses of the tunnel’s ends set. Successful connection can be verified in the System
Log, where you should see the message: Initialization Sequence Completed. The networks are now
interconnected. This can also be verified by using the ping program (ping between the tunnel’s endpoint IP
addresses from one of the routers; the console is accessible via SSH).


6.4 Serial Gateway

Figure 126: Serial Gateway – Sample Topology

The router’s serial gateway function lets you establish serial connectivity across the Internet or with
another network. Serial devices (meters, PLC, etc.) can then upload and download data, see Figure 126.
Configuration is done in the Configuration section, in the Mobile WAN item and in the Expansion Port 1 item
for RS232, or the Expansion Port 2 item for RS485. In this example, the RS232 interface of the router is used.

Mobile WAN Configuration: Mobile WAN configuration is the same as in the previous examples. Just
insert the SIM card into the SIM1 slot at the back of the router and attach the antenna to the ANT connector
at the front. No extra configuration is needed (depending on the SIM card used). For more details see
Chapter 3.4.1.


Expansion Port 1 Configuration: The RS232 interface (port) can be configured in the Configuration
section, via the Expansion Port 1 item, see Figure 127. You will need to enable the RS232 port by checking
Enable expansion port 1 access over TCP/UDP. You may edit the serial communication parameters (not
needed in this example). The important items are Protocol, Mode and Port. These set the parameters of
communication out to the network and the Internet. In this example, the TCP protocol is chosen, and the
router will work as a server listening on the 2345 TCP port. Confirm the configuration by clicking the Apply
button.

Figure 127: Serial Gateway – Expansion Port 1 Configuration

To communicate with the serial device (PLC), connect from the PC (labeled as SCADA in Figure 126)
as a TCP client to the IP address 10.0.6.238, port 2345 (the public IP address of the SIM card used in
the router, corresponding to the usb0 network interface). The devices can now communicate. To check the
connection, go to System Log (Status section) and look for the TCP connection established message.
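
The client side of the exchange described above, as an added example (not code from this manual or from Advantech): a Python TCP client for the serial gateway, plus a constructed loopback stand-in for the router and serial device so that it runs offline. Only the address 10.0.6.238 and port 2345 come from the text; the function names, timeouts and sample bytes are assumptions. The gateway passes a raw byte stream, so one serial reply can arrive split across several TCP segments, and the read loop handles that.

```python
import socket
import threading
import time

GATEWAY_HOST = "10.0.6.238"  # router address used in the manual's example
GATEWAY_PORT = 2345          # TCP port the router listens on in the example


def exchange(host, port, request, first_byte_timeout=5.0, idle_gap=0.3,
             max_bytes=4096):
    """Send one request through the serial gateway and return the reply bytes.

    TCP gives no message boundaries and the serial device answers at its own
    pace, so the reply is collected until the line has been quiet for
    idle_gap seconds. The first byte gets a longer timeout because a mobile
    link adds latency. (Timeout values are assumptions, tune them per device.)
    """
    reply = bytearray()
    with socket.create_connection((host, port),
                                  timeout=first_byte_timeout) as sock:
        sock.sendall(request)
        while len(reply) < max_bytes:
            try:
                chunk = sock.recv(max_bytes - len(reply))
            except socket.timeout:
                break                  # nothing arrived, or the line went quiet
            if not chunk:
                break                  # gateway closed the TCP connection
            reply += chunk
            sock.settimeout(idle_gap)  # from now on wait only for the idle gap
    return bytes(reply)


def start_stand_in_gateway(reply_parts, pause=0.05):
    """Constructed loopback stand-in for the router plus serial device.

    Accepts one client, records its request and sends the reply in several
    parts with a pause between them, the way serial data trickles in.
    Returns (port, received); the serving thread fills the received list.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))    # any free local port
    listener.listen(1)
    port = listener.getsockname()[1]
    received = []

    def serve():
        conn, _ = listener.accept()
        with conn, listener:
            conn.settimeout(5.0)
            received.append(conn.recv(1024))
            for part in reply_parts:
                conn.sendall(part)
                time.sleep(pause)
            try:
                conn.recv(1)           # stay connected until the client hangs up
            except OSError:
                pass

    threading.Thread(target=serve, daemon=True).start()
    return port, received


if __name__ == "__main__":
    # Constructed request and reply; a real device defines its own protocol.
    port, seen = start_stand_in_gateway([b"TEMP=21", b".5\r\n"])
    print(exchange("127.0.0.1", port, b"STATUS?\r\n"))
    # Against the router: exchange(GATEWAY_HOST, GATEWAY_PORT, request)
```

The gateway port in this example is a plain TCP listener, so restrict which hosts can reach it, for instance with the router's firewall or by carrying the session inside the VPN tunnel from Section 6.3.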

Appendix A: Open Source Software License
The software in this device includes various open-source components governed by the following licenses:

• GPL versions 2 and 3
• LGPL version 2
• BSD-style licenses
• MIT-style licenses

A complete list of components and their respective license texts can be found directly on the device.
To access them, click the Licenses link at the bottom of the router’s main web page (General Status) or
navigate to the following URL in your browser (replace DEVICE_IP with the actual router’s IP address):

https://DEVICE_IP/licenses.cgi

This serves as a written offer, valid for three years from the date of purchase, to provide any third party
with a complete machine-readable copy of the corresponding source code on a flash drive medium for a fee
no greater than the cost of physically performing the source distribution. If you wish to obtain the source
code, please contact us at:

[email protected]

Modifications and debugging of LGPL-linked executables:

The device manufacturer grants customers the right to use debugging techniques (e.g., decompilation)
and modify any executable linked with an LGPL library for their own use. These rights are strictly limited
to personal usage—redistribution of modified executables or sharing information obtained through these
actions is not permitted.

Source code under the GPL license is available at:

icr.advantech.com/source-code

Appendix B: Glossary and Acronyms

B|D|G|H|I|L|N|O|P|R|S|T|U|V|W|X

B

Backup Routes: Allows user to back up the primary connection with alternative connections to the
Internet/mobile network. Each backup connection can have assigned a priority. Switching between
connections is done based upon set priorities and the state of the connections.

D

DHCP: The Dynamic Host Configuration Protocol (DHCP) is a network protocol used to configure
devices that are connected to a network so they can communicate on that network using the Internet
Protocol (IP). The protocol is implemented in a client-server model, in which DHCP clients request
configuration data, such as an IP address, a default route, and one or more DNS server addresses
from a DHCP server.

DHCP client: Requests network configuration from DHCP server.

DHCP server: Answers configuration request by DHCP clients and sends network configuration details.

DNS: The Domain Name System (DNS) is a hierarchical distributed naming system for computers,
services, or any resource connected to the Internet or a private network. It associates various
information with domain names assigned to each of the participating entities. Most prominently, it
translates easily memorized domain names to the numerical IP addresses needed for the purpose of
locating computer services and devices worldwide. By providing a worldwide, distributed
keyword-based redirection service, the Domain Name System is an essential component of the
functionality of the Internet.

DynDNS client: DynDNS service lets you access the router remotely using an easy to remember custom
hostname. This client monitors the router’s IP address and updates it whenever it changes.

G

GRE: Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate a wide
variety of network layer protocols inside virtual point-to-point links over an Internet Protocol
network. It is possible to create four different tunnels.

H

HTTP: The Hypertext Transfer Protocol (HTTP) is an application protocol for distributed,
collaborative, hypermedia information systems. HTTP is the foundation of data communication for the
World Wide Web.
Hypertext is structured text that uses logical links (hyperlinks) between nodes containing text.
HTTP is the protocol to exchange or transfer hypertext.

HTTPS: The Hypertext Transfer Protocol Secure (HTTPS) is a communications protocol for secure
communication over a computer network, with especially wide deployment on the Internet.
Technically, it is not a protocol in and of itself; rather, it is the result of simply layering
the Hypertext Transfer Protocol (HTTP) on top of the SSL/TLS protocol, thus adding the security
capabilities of SSL/TLS to standard HTTP communications.

I

IP address: An Internet Protocol address (IP address) is a numerical label assigned to each device
(e.g., computer, printer) participating in a computer network that uses the Internet Protocol for
communication. An IP address serves two principal functions: host or network interface
identification and location addressing. Its role has been characterized as follows: A name
indicates what we seek. An address indicates where it is. A route indicates how to get there.
The designers of the Internet Protocol defined an IP address as a 32-bit number and this system,
known as Internet Protocol Version 4 (IPv4), is still in use today. However, due to the enormous
growth of the Internet and the predicted depletion of available addresses, a new version of IP
(IPv6), using 128 bits for the address, was developed in 1995.

IP masquerade: Kind of NAT.

IP masquerading: see NAT.

IPsec: Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP)
communications by authenticating and encrypting each IP packet of a communication session. The
router allows user to select encapsulation mode (tunnel or transport), IKE mode (main or
aggressive), IKE Algorithm, IKE Encryption, ESP Algorithm, ESP Encryption and much more. It is
possible to create four different tunnels.

IPv4: The Internet Protocol version 4 (IPv4) is the fourth version in the development of the
Internet Protocol (IP) and the first version of the protocol to be widely deployed. It is one of
the core protocols of standards-based internetworking methods of the Internet, and routes most
traffic in the Internet. However, a successor protocol, IPv6, has been defined and is in various
stages of production deployment. IPv4 is described in IETF publication RFC 791 (September 1981),
replacing an earlier definition (RFC 760, January 1980).

IPv6: The Internet Protocol version 6 (IPv6) is the latest revision of the Internet Protocol (IP),
the communications protocol that provides an identification and location system for computers on
networks and routes traffic across the Internet. IPv6 was developed by the Internet Engineering
Task Force (IETF) to deal with the long-anticipated problem of IPv4 address exhaustion.
IPv6 is intended to replace IPv4, which still carries the vast majority of Internet traffic as of
2013. As of late November 2012, IPv6 traffic share was reported to be approaching 1%.
IPv6 addresses are represented as eight groups of four hexadecimal digits separated by colons
(2001:0db8:85a3:0042:1000:8a2e:0370:7334), but methods of abbreviation of this full notation exist.

L

L2TP: Layer 2 Tunnelling Protocol (L2TP) is a tunnelling protocol used to support virtual private
networks (VPNs) or as part of the delivery of services by ISPs. It does not provide any encryption
or confidentiality by itself. Rather, it relies on an encryption protocol that it passes within
the tunnel to provide privacy.

LAN: A local area network (LAN) is a computer network that interconnects computers in a limited
area such as a home, school, computer laboratory, or office building using network media. The
defining characteristics of LANs, in contrast to wide area networks (WANs), include their usually
higher data-transfer rates, smaller geographic area, and lack of a need for leased
telecommunication lines.

N

NAT: In computer networking, Network Address Translation (NAT) is the process of modifying IP
address information in IPv4 headers while in transit across a traffic routing device.
The simplest type of NAT provides a one-to-one translation of IP addresses. RFC 2663 refers to this
type of NAT as basic NAT, which is often also called a one-to-one NAT. In this type of NAT only the
IP addresses, IP header checksum and any higher level checksums that include the IP address are
changed. The rest of the packet is left untouched (at least for basic TCP/UDP functionality; some
higher level protocols may need further translation). Basic NATs can be used to interconnect two IP
networks that have incompatible addressing.

NAT-T: NAT traversal (NAT-T) is a computer networking methodology with the goal to establish and
maintain Internet protocol connections across gateways that implement network address translation
(NAT).

NTP: Network Time Protocol (NTP) is a networking protocol for clock synchronization between
computer systems over packet-switched, variable-latency data networks.

O

OpenVPN: OpenVPN implements virtual private network (VPN) techniques for creating secure
point-to-point or site-to-site connections. It is possible to create four different tunnels.

P

PAT: Port and Address Translation (PAT) or Network Address Port Translation (NAPT) see NAT.

Port: In computer networking, a Port is an application-specific or process-specific software
construct serving as a communications endpoint in a computer’s host operating system. A port is
associated with an IP address of the host, as well as the type of protocol used for communication.
The purpose of ports is to uniquely identify different applications or processes running on a
single computer and thereby enable them to share a single physical connection to a packet-switched
network like the Internet.

PPTP: The Point-to-Point Tunneling Protocol (PPTP) is a tunneling protocol that operates at the
Data Link Layer (Layer 2) of the OSI Reference Model. PPTP is a proprietary technique that
encapsulates Point-to-Point Protocol (PPP) frames in Internet Protocol (IP) packets using the
Generic Routing Encapsulation (GRE) protocol. Packet filters provide access control, end-to-end
and server-to-server.

R

RADIUS: Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides
centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for users
who connect and use a network service. Because of the broad support and the ubiquitous nature of
the RADIUS protocol, it is often used by ISPs and enterprises to manage access to the Internet or
internal networks, wireless networks, and integrated e-mail services.

Root certificate: In cryptography and computer security, a root certificate is either an unsigned
public key certificate or a self-signed certificate that identifies the Root Certificate Authority
(CA). A root certificate is part of a public key infrastructure scheme. The most common commercial
variety is based on the ITU-T X.509 standard, which normally includes a digital signature from a
certificate authority (CA).
Digital certificates are verified using a chain of trust. The trust anchor for the digital
certificate is the Root Certificate Authority (CA). See X.509.

Router: A router is a device that forwards data packets between computer networks, creating an
overlay internetwork. A router is connected to two or more data lines from different networks.
When a data packet comes in one of the lines, the router reads the address information in the
packet to determine its ultimate destination. Then, using information in its routing table or
routing policy, it directs the packet to the next network on its journey. Routers perform the
traffic directing functions on the Internet. A data packet is typically forwarded from one router
to another through the networks that constitute the internetwork until it reaches its destination
node.

S

SFTP: Secure File Transfer Protocol (SFTP) is a secure version of File Transfer Protocol (FTP),
which facilitates data access and data transfer over a Secure Shell (SSH) data stream. It is part
of the SSH Protocol. This term is also known as SSH File Transfer Protocol.

SMTP: The SMTP (Simple Mail Transfer Protocol) is a standard e-mail protocol on the Internet and
part of the TCP/IP protocol suite, as defined by IETF RFC 2821. SMTP defines the message format and
the message transfer agent (MTA), which stores and forwards the mail. SMTP by default uses TCP port
25. The protocol for mail submission is the same, but uses port 587. SMTP connections secured by
SSL, known as SMTPS, default to port 465.

SMTPS: SMTPS (Simple Mail Transfer Protocol Secure) refers to a method for securing SMTP with
transport layer security. For more information about SMTP, see description of the SMTP.

SNMP: The Simple Network Management Protocol (SNMP) is an Internet-standard protocol for managing
devices on IP networks. Devices that typically support SNMP include routers, switches, servers,
workstations, printers, modem racks, and more. It is used mostly in network management systems to
monitor network-attached devices for conditions that warrant administrative attention. SNMP is a
component of the Internet Protocol Suite as defined by the Internet Engineering Task Force (IETF).
It consists of a set of standards for network management, including an application layer protocol,
a database schema, and a set of data objects.

SSH: Secure Shell (SSH), sometimes known as Secure Socket Shell, is a UNIX-based command interface
and protocol for securely getting access to a remote computer. It is widely used by network
administrators to control Web and other kinds of servers remotely. SSH is actually a suite of three
utilities – slogin, ssh, and scp – that are secure versions of the earlier UNIX utilities, rlogin,
rsh, and rcp. SSH commands are encrypted and secure in several ways. Both ends of the client/server
connection are authenticated using a digital certificate, and passwords are protected by being
encrypted.

T

TCP: The Transmission Control Protocol (TCP) is one of the core protocols of the Internet protocol
suite (IP), and is so common that the entire suite is often called TCP/IP. TCP provides reliable,
ordered, error-checked delivery of a stream of octets between programs running on computers
connected to a local area network, intranet or the public Internet. It resides at the transport
layer.
Web browsers use TCP when they connect to servers on the World Wide Web, and it is used to deliver
email and transfer files from one location to another.

U

UDP: The User Datagram Protocol (UDP) is one of the core members of the Internet protocol suite
(the set of network protocols used for the Internet). With UDP, computer applications can send
messages, in this case referred to as datagrams, to other hosts on an Internet Protocol (IP)
network without prior communications to set up special transmission channels or data paths. The
protocol was designed by David P. Reed in 1980 and formally defined in RFC 768.

URL: A uniform resource locator, abbreviated URL, also known as web address, is a specific
character string that constitutes a reference to a resource. In most web browsers, the URL of a web
page is displayed on top inside an address bar. An example of a typical URL would be
http://www.example.com/index.html, which indicates a protocol (http), a hostname
(www.example.com), and a file name (index.html). A URL is technically a type of uniform resource
identifier (URI), but in many technical documents and verbal discussions, URL is often used as a
synonym for URI, and this is not considered a problem.

V

VPN: A virtual private network (VPN) extends a private network across a public network, such as the
Internet. It enables a computer to send and receive data across shared or public networks as if it
were directly connected to the private network, while benefiting from the functionality, security
and management policies of the private network. This is done by establishing a virtual
point-to-point connection through the use of dedicated connections, encryption, or a combination
of the two.
A VPN connection across the Internet is similar to a wide area network (WAN) link between the
sites. From a user perspective, the extended network resources are accessed in the same way as
resources available from the private network.

VPN server: see VPN.

VPN tunnel: see VPN.

VRRP: VRRP protocol (Virtual Router Redundancy Protocol) allows you to transfer packet routing from
the main router to a backup router in case the main router fails. (This can be used to provide a
wireless cellular backup to a primary wired router in critical applications).

W

WAN: A wide area network (WAN) is a network that covers a broad area (i.e., any telecommunications
network that links across metropolitan, regional, or national boundaries) using private or public
network transports. Business and government entities utilize WANs to relay data among employees,
clients, buyers, and suppliers from various geographical locations. In essence, this mode of
telecommunication allows a business to effectively carry out its daily function regardless of
location. The Internet can be considered a WAN as well, and is used by businesses, governments,
organizations, and individuals for almost any purpose imaginable.

WebAccess/DMP: WebAccess/DMP is an advanced Enterprise-Grade platform solution for provisioning,
monitoring, managing and configuring Advantech’s routers and IoT gateways. It provides a zero-touch
enablement platform for each remote device.

WebAccess/VPN: WebAccess/VPN is an advanced VPN management solution for safe interconnection of
Advantech routers and LAN networks in public Internet. Connection among devices and networks can be
regional or global and can combine different technology platforms and various wireless, LTE, fixed
and satellite connectivities.

X

X.509: In cryptography, X.509 is an ITU-T standard for a public key infrastructure (PKI) and
Privilege Management Infrastructure (PMI). X.509 specifies, amongst other things, standard formats
for public key certificates, certificate revocation lists, attribute certificates, and a
certification path validation algorithm.

Appendix C: Index

A
Access Point
  Configuration
  Information
Accessing the router
Add User
APN
AT commands
Authentication

B
Backup Configuration
Backup Routes
Bridge

C
Change Profile
Clock synchronization
Configuration update
Control SMS messages

D
Data limit
Default Gateway
Default IP address
Default password
Default SIM card
Default username
DHCP
  DHCPv6
  Dynamic
  Static
DHCPv6
DNS
DNS server
DNS64
Domain Name System, see DNS
DoS attacks
Dynamic Host Configuration Protocol, see DHCP

E
Expansion Port
  RS232
  RS485

F
Firewall
  Filtering of Forwarded Packets
  Filtering of Incoming Packets
  Protection against DoS attacks
Firmware update
Firmware version
First-Time Login to the Admin Web Interface
FTP

G
GRE

H
HTTP

I
ICMPv6
IPsec
  Authenticate Mode
  Encapsulation Mode
  IKE Mode
IPv4
IPv6

L
L2TP
LAN
  ETH0
  ETH1
  IPv6
DynDNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24, 115 Location Area Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
DynDNSv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24, 115 Logout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163

M
Mobile network, 45
Modify User, 149
Multiple WANs, 64, 66, 74

N
NAT, 80, 175
NAT64, 18
Neighbouring WiFi Networks, 15
Network Address Translation, see NAT
NTP, 118, 175
NTP server, 157

O
Object Identifier, 120
OpenVPN, 85, 176
    Authenticate Mode, 86

P
PAT, 80
PIN number, 158
PLMN, 11
Port, 176
PPPoE, 52
PPPoE Bridge Mode, 51
PPTP, 108, 176
Prefix delegation, 30
PUK number, 159

R
RADIUS, 32, 54, 57
Reboot, 163
Remote access, 81
Restore Configuration, 161
Router, 1
    Accessing, 2
Router Apps, 144

S
Save Log, 25
Save Report, 25
Send SMS, 159
Serial line
    RS232, 135
    RS485, 135
Serial number, 10
Set internal clock, 157
Signal Quality, 11
Simple Network Management Protocol, see SNMP
SMS, 124
SMS Service Center, 158
SMTP, 123, 176
SNMP, 119, 176
SSH, 132
Startup Script, 138
Static Routes, 74
Switch between SIM Cards, 48
Syslog, 133
System Log, 25

T
TCP, 177
Telnet, 134
Transmission Control Protocol, see TCP
Two-Factor Authentication, 150

U
UDP, 177
Unblock SIM card, 159
Uniform resource locator, see URL
Unlock SIM card, 158
Up/Down script, 139
URL, 177
Usage Profiles, 156
User Datagram Protocol, see UDP
Users, 147

V
Virtual private network, see VPN
VLAN, 39
VPN, 177
VRRP, 41, 177

W
WiFi
    Authentication, 56, 62
    HW Mode, 55
WiFi AP, 54
WiFi STA, 60
WiFi Station
    Configuration, 60
WireGuard, 98

Appendix D: Related Documents

[1] Command Line Interface
[2] Remote Monitoring
[3] WebAccess/DMP
[4] R-SeeNet
[5] OpenVPN Tunnel
[6] IPsec Tunnel
[7] GRE Tunnel
[8] WireGuard Tunnel
[9] FlexVPN
[10] VLAN
[11] SNMP Object Identifiers
[12] AT Commands (AT-SMS)
[13] Quality of Service (QoS)
[14] Programming of Router Apps
[15] Security Guidelines

[EP] Product-related documents and applications can be obtained on the Engineering Portal at the https://icr.advantech.com/download address.

[RA] Router Apps (formerly User modules) and related documents can be obtained on the Engineering Portal at the https://icr.advantech.com/products/router-apps address.
