rCell 300 Configuration Guide
Introduction
This guide provides information and procedures necessary to configure an rCell 300 Series router using the mPower Edge Intelligence interface.
The rCell 300 router provides secure data communication between many devices that use legacy as well as current communication technologies.
Some device models support (varies with model: refer to product-specific hardware guide for details):
- Wi-Fi communication to devices with this technology
- GPS capability
This manual provides information about all available configuration parameters and features available within mPower Edge Intelligence software.
Intended Audience
The intended audience of this guide is IT personnel tasked with installing, provisioning, and configuring an rCell 300 router.
The intended audience of this manual is software engineers who are incorporating mPower™ Edge Intelligence options and features in their communications products.
About the rCell 300
The MultiTech rCell 300 router is both an industrial router and a specialized network device designed to connect internet-of-things (IoT) devices. The rCell 300 provides enhanced security to protect against cyber threats, includes edge intelligence to run local applications, and offers secure data communication between many types of devices that use legacy or the latest communication technologies. The rCell 300 can be remotely managed via MultiTech Device Manager.
Conduit AP (MTCAP, MTCAP2, and MTCAP3) securely connects thousands of LoRaWAN® wireless IoT sensors to the cloud using the LoRaWAN® protocol. It expands LoRa network coverage to difficult-to-reach areas and is capable of packet forwarding user data between LoRa end devices and a centrally located network server on the cloud, in a data center, or a public network. The Conduit AP Access Point packet forwarding gateway offers Ethernet and Cellular Wide Area Networks seamless connectivity options to connect to cloud-based applications in centrally located data centers.
This guide describes the rCell 500 R2 Series Router. The rCell 500 R2 offers secure data communication between different types of devices. It features redundant power supplies and dual SIM capability for a more reliable connection.
MultiTech CT300 (MTCT300) is a wireless and self-powered electrical current monitoring device. It is capable of reporting average, peak, and minimum RMS Amperes and tracking accumulated Amp-Hours. The device parasitically harvests energy from the monitored conductor, negating the need for routine maintenance to replace or charge batteries.
MTCT300 uses sub-gigahertz LoRaWAN for long range wireless communications. This IoT interface can be deployed as a private network, or used with an available public one. The use of short data messages increases reliability of transmission in suboptimal environments such as metal electrical panels.
Intended Use
The rCell 300 is designed for a variety of industrial and IoT applications. Some of its intended uses include:
- Remote monitoring and control: This device is ideal for remote monitoring and control of equipment and systems in industries such as oil and gas, utilities, and agriculture. The rCell 300 allows for real-time data collection and management of remote locations.
- Smart cities and infrastructure: This device can be used in smart-city applications, including traffic management, environmental monitoring, and electric vehicle charging stations.
- Industrial automation: This device works with current industrial automation equipment (such as RTUs) for remote data collection, fault notifications, and control and management of field equipment.
The rCell 300 can be used in applications that require equipment to operate in harsh environments. For outdoor deployments, the rCell 300 must be installed in a waterproof enclosure.
Operating Modes
rCell 300 routers can operate in the following modes:
- Network Router
- Cellular IP Passthrough mode
Once the initial commissioning process for the rCell 300 has been completed, the mPower Setup Wizard allows administrators to select the desired operating mode upon logging in to mPower via the LAN.
mPower™ Edge Intelligence
mPower™ Edge Intelligence is an embedded software offering to deliver programmability, network flexibility, enhanced security, and manageability for scalable Industrial Internet of Things (IIoT) solutions. mPower represents the unification and evolution of well-established MultiTech smart router and gateway firmware platforms.
mPower Edge Intelligence simplifies integration with a variety of popular upstream IoT platforms to streamline edge-to-cloud data management and analytics, while also providing the programmability and processing capability to execute critical tasks at the edge of the network to reduce latency, control network and cloud services costs, and ensure core functionality, even in instances when network connectivity may not be available. In response to evolving customer security requirements, mPower Edge Intelligence incorporates a host of new security features including signed firmware validation, secure boot, new Cloud management, programmability of custom apps, DI/DO, and more.
Getting Started
Install the SIM Card(s)
- Using a #1 Phillips screwdriver, remove the SIM card cover.
- In the SIM 1 slot, insert the SIM card for the primary cellular network and push until it snaps into place.
- Optional: In the SIM 2 slot, insert the SIM card for the secondary cellular network and push until it snaps into place.
- Reinstall the SIM card cover.
Add the Device to Your Cloud Account
- QR Code: Using a smartphone camera, scan the onboard QR code from the device serial label. See rCell 300 Serial Label.
  - Follow the instructions to sign in to your cloud account and quickly onboard the device.
- Manually: Sign in to your cloud account.
  - Select Gateways.
  - Under Actions, select Add device.
  - Enter the PID number from the device serial label. See rCell 300 Serial Label.
Install the Device
- Connect the cellular, GNSS, and Wi-Fi antennas.
- Connect the local configuration port (ETH0/LAN) on the rCell 300 to the networked device on the LAN network. The LAN port has a static IP of 192.168.2.1.
- Optional: If using a serial device, use the 8-wire terminal block connectors to connect to the RS-232 or RS-485 serial port:
  - Wire the push-in spring 8-wire terminal plug per your application needs. Note: Refer to Terminal Block Connector Pinout in the rCell 300 Series Router Hardware Guide for complete information.
  - Secure the 8-wire terminal plug to the device using a 2.5 mm slotted screwdriver. Note: The RS-232 port on the rCell 300 is not a local configuration port.
- Connect the power supply:
  - Using a 2.0 mm slotted screwdriver, screw the power supply wires into the 2-wire terminal plug.
  - Secure the 2-wire terminal plug to the 9–36 VDC 2-pin terminal block on the device using a 2.5 mm slotted screwdriver.
  - Connect the power supply to a power source. The POWER LED turns solid green when the device is ready for use.
  The proper polarity is shown below. Note: The customer should take steps to prevent any potential reverse polarity connections.
- Use the device web user interface to configure the device.
  - The default IP address for the ETH0/LAN port is 192.168.2.1.
  - A DHCP server is enabled on the LAN interface to provision an IP to any device making a request for one. The range of addresses being assigned by this server is 192.168.2.100 to 192.168.2.254, with a subnet mask of 255.255.255.0.
  - When you log in for the first time, the device is in commissioning mode, which requires you to set up a username and password for an administrator user account. Enter and submit your desired username and password.
Commissioning Mode
The rCell 300 ships in what is called Commissioning Mode. As soon as the rCell 300 is reset to factory defaults or right after the manufacturing process is complete, the system is in Commissioning Mode.

In this mode, the ETH1/WAN interface is configured as a WAN DHCP Client and the system attempts to connect to Device Manager (MT Cloud) as soon as there is an internet connection.
The ETH0/LAN interface is configured with an IP of 192.168.2.1 and a netmask of 255.255.255.0.
Before proceeding, an Administrative User must be configured.
Configure the Administrative User
Perform the following procedure to create and configure the Administrative user:
- Open a browser and enter the default IP address, 192.168.2.1, in the URL field. Most browsers display a warning that the address is unsafe because the device uses a self-signed certificate:
  - For Edge, click Advanced and then Continue to 192.168.2.1.
  - For Firefox, click Advanced and then click Accept the Risk and Continue.
  - For Chrome, click Advanced and then Continue to 192.168.2.1 (unsafe).
- Enter a username for the Administrative User. Click OK. Follow the on-screen instructions for usernames.
- Enter a password and click OK. Follow the on-screen instructions for a secure password.
- Enter the password again to confirm. Click OK.
- Log into the rCell 300 using the new username and password.
The First-Time Setup Wizard will then launch.
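The browser warning in the first step is the only point at which the device's self-signed certificate can be identified. The following added example (not MultiTech code) records the certificate's SHA-256 fingerprint on first connection and compares it on later connections, so that a changed certificate is noticed instead of clicked through; port 443, the function names, and the sample bytes are assumptions made for the example.

```python
"""Trust-on-first-use check for a router's self-signed HTTPS certificate."""
import hashlib
import socket
import ssl

DEVICE_HOST = "192.168.2.1"  # default ETH0/LAN address given in this guide
DEVICE_PORT = 443            # assumption: the web UI listens on the standard HTTPS port

# Constructed stand-in for a DER-encoded certificate so the demo runs offline.
CONSTRUCTED_DER = b"0\x82\x01\x0aconstructed-stand-in-for-a-DER-certificate"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER bytes, formatted like a browser's certificate viewer."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Drop separators and case so a pin copied from any tool compares cleanly."""
    return "".join(ch for ch in fp if ch not in ": -\t").lower()


def matches_pin(der_cert: bytes, pinned_fp: str) -> bool:
    """True when the presented certificate is the one recorded earlier."""
    return normalize(fingerprint(der_cert)) == normalize(pinned_fp)


def fetch_der_certificate(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Fetch the server certificate without validating it.

    Validation is disabled on purpose: a self-signed certificate has no CA
    chain to validate against, so the fingerprint comparison is the check.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock) as tls:
            return tls.getpeercert(binary_form=True)


def check_device(pinned_fp, host=DEVICE_HOST, port=DEVICE_PORT,
                 fetch=fetch_der_certificate):
    """Return (status, observed_fingerprint).

    status is "first-use" when no pin exists yet (record the fingerprint over
    a direct cable connection), "match" when the certificate is unchanged, and
    "mismatch" when a different certificate is presented.
    """
    observed = fingerprint(fetch(host, port))
    if pinned_fp is None:
        return "first-use", observed
    if matches_pin(fetch(host, port), pinned_fp):
        return "match", observed
    return "mismatch", observed


if __name__ == "__main__":
    # Offline demo: a fake fetcher returns the constructed bytes instead of
    # connecting to a device. Replace it with the default fetcher on a bench.
    fake = lambda host, port: CONSTRUCTED_DER
    status, pin = check_device(None, fetch=fake)
    print(status, pin)
    print(check_device(pin, fetch=fake)[0])
    print(check_device(pin, fetch=lambda h, p: b"different-constructed-cert")[0])
```

A "mismatch" result means the endpoint is presenting a different certificate than the one recorded at commissioning and should be investigated before credentials are entered.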
First Time Setup Wizard
- Operating mode (e.g., Network Router, Cellular IP Passthrough)
- System date and time
- Cellular connectivity
Select Mode
An rCell 300 can be configured to operate in the following modes:
- Network Router
- Cellular IP Passthrough

From the pull-down list, select the desired Mode in which the rCell 300 is to operate.
Click Next.
Time Configuration
Configure Date & Time and Time Zone to reflect the rCell 300's location.

Click Next.
Cellular Configuration
Available options for cellular configuration depend upon whether a SIM card has been installed in the rCell 300.
- For configuration information when a SIM card is present/has been detected, refer to SIM Card Has Been Installed.
- For configuration information when a SIM card is not present, refer to SIM Card Has Not Been Installed.
SIM Card Has Been Installed
When a SIM card has been installed into the rCell 300, the system enables users to set a PIN code and Access Point Name (APN) for the installed SIM card.

The system will create a corresponding provider profile and SIM profile that are linked to the installed SIM card.
If required, enter appropriate values for the PIN and/or APN and then click Finish to complete the initial configuration of the rCell 300 and exit the First Time Setup Wizard.
- For information about configuring the rCell 300 as a network router, refer to Network Router Mode.
- For information about configuring the rCell 300 for cellular IP passthrough mode, refer to Cellular IP Passthrough Mode.
SIM Card Has Not Been Installed
If no SIM card has been installed, an error message similar to that shown here is displayed.

When there is no SIM card installed, the rCell 300 will only support Cellular IP Passthrough operation. Refer to Cellular IP Passthrough Mode for configuration information.
Network Router Mode
Home Menu
The Home menu comprises the following tabs:
- Dashboard
- Services
- Statistics
Dashboard Tab
The Dashboard tab provides a brief overview of the system state and configuration.

Services Tab
The Service Statistics tab lists the available services and their respective status.

Statistics Tab
The System Statistics tab provides the following system information:
- System details, memory and storage usage, system log
- Ethernet interfaces statistics and logs
- Wi-Fi as WAN statistics and logs
- Wi-Fi Access Point statistics and logs
- Cellular statistics and logs
- Serial statistics and logs
- GRE tunnels statistics and logs
- IPSec tunnels statistics and logs
- OpenVPN tunnels statistics and logs

Setup Menu
The Setup menu provides access to the following configuration settings:
- Network Interfaces
- WAN
- DNS
- DHCP
- LLDP
- GPS
- SMTP
- Serial
- SNMP
- Time
- Digital I/O
Network Interfaces
- eth0 is configured as LAN
- eth1 is configured as DHCP Client

Configure eth0
To update the eth0 interface configuration, select the corresponding pencil icon in the OPTIONS column.

The eth0 interface can be removed from the bridge interface and configured independently by updating the Bridge field:

eth0 Configuration Parameters
| Parameter | Valid Values | Description | 
|---|---|---|
| Direction | Valid values are: | WAN: Requires user-configured values for Gateway and Primary DNS Server to function effectively. VLAN: Indicates a VLAN interface associated with the eth0 interface. |
| Bridge | Valid values are: | br0: eth0 is under the bridge. –: eth0 is independent of the bridge. |
| Enable IPv6 Support | Valid values are: | Enable IPv6 on the interface allowing delegated prefix or static IPv6 address settings. |
IPv4 Settings
| Parameter | Valid Values | Description | 
|---|---|---|
| Mode | Valid values are: | Configures how the IP address for the rCell 300 will be defined: |
| Gateway | Default Route Gateway | |
| IP Address | Static IPv4 address to assign to the interface. | |
| Primary DNS Server | Primary DNS server for the network to which the interface is connected. | |
| Mask | The network mask for the network to which the interface will be assigned. | |
| Secondary DNS Server | Secondary DNS server for the network to which the interface is connected. | |
802.1X Authentication
| Parameter | Valid Values | Description | 
|---|---|---|
| Authentication Method | Valid values are: | Defines the authentication method for the rCell 300 on the network connected to the interface. |
Configure br0
The bridge (br0) interface has the following configuration options to manage all the LAN interfaces assigned to it:

br0 Configuration Parameters
| Parameter | Valid Values | Description | 
|---|---|---|
| Direction | Valid values are: | WAN: Requires user-configured values for Gateway and Primary DNS Server to function effectively. VLAN: Indicates a VLAN interface associated with the eth0 interface. |
| Enable IPv6 Support | Valid values are: | Enable IPv6 on the interface allowing delegated prefix or static IPv6 address settings. |
IPv4 Settings
| Parameter | Valid Values | Description | 
|---|---|---|
| Mode | Valid values are: | Configures how the IP address for the rCell 300 will be defined: |
| Gateway | Default Route Gateway | |
| IP Address | Static IPv4 address to assign to the interface. | |
| Primary DNS Server | Primary DNS server for the network to which the interface is connected. | |
| Mask | The network mask for the network to which the interface will be assigned. | |
| Secondary DNS Server | Secondary DNS server for the network to which the interface is connected. | |
Add a VLAN Interface
Create a new VLAN interface, and then configure eth0, eth1, or WLAN1 to use VLAN with the specified VLAN ID.

Typical VLAN interfaces are illustrated here:

To configure an existing Ethernet interface (eth0) to use VLAN, select VLAN from the Direction pull-down list as shown here:

WAN
A typical WAN Configuration page is illustrated here:

Each WAN interface can be configured for Active or Passive failover with a timeout interval to trigger failover to the next prioritized WAN interface.
Hostname must be specified and Mode Type selected (for example: ICMP for ping, TCP for an actual TCP connect attempt) to verify connectivity. The number of failures is controlled by the ICMP Count setting.

DNS
DNS configuration parameters for the rCell 300 are accessed via tabs included in this section as illustrated here:

Global DNS
A typical Global DNS Configuration page is illustrated here:

Global DNS enables user-defined DNS servers to be specified which are always used to resolve hostnames regardless of what WAN settings or interface are being used. If the Primary Server and Secondary Server are not specified, the DNS servers will default to those specified in the WAN Configuration setup.
For example, if cellular is the active WAN interface and the DNS settings are obtained from the provider, enabling this feature overrides the DNS server settings obtained from the provider with the settings that are specified here.
Configuration scenarios for Global DNS and Enable Forwarding Server, and the corresponding results (the device refers to a MultiTech device) include:
- If Global DNS is not configured and forwarding is enabled, the rCell 300 acts as a proxy server for any devices on the LAN network(s).
  - In this mode, the rCell 300 uses WAN DNS settings.
  - Client settings: On the client, you must configure the rCell 300 as the default gateway and DNS server. The easiest way to accomplish this is by using the DHCP server on the rCell 300.
- If Global DNS is configured and forwarding is enabled, DNS requests are forwarded to servers configured in the Global DNS settings.
  - The rCell 300 acts as a proxy.
  - Client settings: Clients must be configured the same as in the previous case above.
- If Global DNS is configured and forwarding is disabled, the default gateway and DHCP server on clients should point to the rCell 300, and the DNS servers on the client must use the same DNS as the Global DNS settings.
  - Client settings: The client device uses the rCell 300 as a default gateway and DHCP server, but it must have DNS servers configured to the options that will be used.
- If neither item is configured/enabled, verify the rCell 300 is properly configured to forward DNS.
Configuration Parameters
Global DNS configuration parameters are described below.
Global DNS Configuration
| Parameter | Valid Values | Description | 
|---|---|---|
| Enable Forwarding Server | Valid values are: | When enabled, the forwarding server is active and DNS is not supported. |
| Primary Server | IP address for the primary DNS server. | These servers override any DNS servers specified elsewhere in the UI. If no servers are configured, the system defaults to servers defined in WAN Configuration. |
| Secondary Server | IP address for the secondary DNS server. | |
Hostname Configuration
Users can change the Hostname of the rCell 300 from its default value to a user-specified value to distinguish it from other rCell 300 devices on the network.
Enter the desired name in the Hostname field and click Submit to save the change.
To revert the name back to its default Hostname, click Reset To Default.
Multicast DNS
The Multicast DNS (mDNS) networking protocol resolves hostnames to IP addresses within small networks that do not include a local name server.
mDNS facilitates device access when Ethernet or Wi-Fi as WAN is enabled. Additionally, certain advanced settings may assist devices connected to the rCell 300 through different network interfaces in resolving each other's IP addresses by hostname.
A typical Multicast DNS configuration screen is illustrated here:

Configuration Parameters
Multicast DNS configuration parameters are described below. After you enable the mDNS feature and select the network interfaces, click Save & Apply to resolve your mPower device's IP address using its hostname to differentiate it from other devices in the same LAN.
General Configuration
By default, mDNS is disabled.
| Parameter | Valid Values | Description | 
|---|---|---|
| Enabled | Valid values are: | Enables/disables Multicast DNS. Default Value: Disabled |
Allowed Network Interfaces
This list displays all available network interfaces, but not ppp0 (cellular). mDNS is not supported on the cellular network interface (ppp0). By default, all network interfaces are disabled.
| Parameter | Valid Values | Description | 
|---|---|---|
| eth0 (Ethernet) | Valid values are: | Enables/disables the eth0 (Ethernet) interface. Default Value: Disabled |
| eth1 (Ethernet) | Valid values are: | Enables/disables the eth1 (Ethernet) interface. Default Value: Disabled |
| wlan0 (WiFi as WAN) | Valid values are: | Enables/disables the wlan0 (WiFi as WAN) interface. Default Value: Disabled |
| wlan1 (WiFi Access Point) | Valid values are: | Enables/disables the wlan1 (WiFi Access Point) interface. Default Value: Disabled |
| br0 (Bridge) | Valid values are: | Enables/disables the br0 (Bridge) interface. Default Value: Disabled |
Dynamic DNS
Typical Dynamic DNS configuration settings are illustrated here:

Configuration Parameters
Dynamic DNS configuration parameters are described below.
General Configuration
Refer to the following table for information about each DDNS configuration parameter:
| Parameter | Default Value | Valid Values | 
|---|---|---|
| Enabled | FALSE | True, False | 
| Use External Check IP | TRUE | True, False | 
| Domain | empty | A valid domain name | 
| Check IP Server | checkip.dyndns.org | A valid server name or IP Address, max length is 250 characters | 
| Service Provider | 
Authentication
| Parameter | Default Value | Valid Values | 
|---|---|---|
| Username | empty | Max length is 128 characters | 
| Password | empty | The value must be from 6 to 64 characters long | 
Update Settings
| Parameter | Default Value | Valid Values | 
|---|---|---|
| Force Update Interval (days) | 5 | Range is 1 - 30 days | 
| Check IP Interval (minutes) | 15 | Range is 1 - 14400 minutes (10 days) | 
Commands
| Parameter | Default Value | Value | 
|---|---|---|
| DDNS Force Update | ||
| DDNS Status | 
DHCP
The rCell 300 supports the configuration of IPv4 and IPv6 DHCP servers for all network interfaces that are configured as LAN, including new, user-created VLAN interfaces.
DHCP Configuration
A typical DHCP Configuration page is illustrated here:

Add IPv4 DHCP Server
A typical Add IPv4 DHCP Server configuration page is illustrated here:

Add DHCPv6/RA
Typical DHCPv6 Router Advertisement (RA) configuration information is illustrated here:

Edit DHCPv6/RA
Information for an existing DHCPv6/RA configuration is modified on this tab. Typical RA settings are illustrated here:

LLDP
Typical LLDP configuration settings for eth0 are illustrated here:

GPS
The rCell 300 IoT Router hardware uses the radio modem to receive GPS data.
The system can be configured as a TCP Server that sends NMEA strings to a client, and/or as a TCP/UDP Client that streams NMEA strings to a server application.
To transfer GPS data to a serial port, configure GPS Streamer parameters on the Serial Configuration page.

Once GPS Position data have been updated, the current position is shown on a map as illustrated here:

SMTP
The SMTP client is used to send notifications via email to a configured server.
A typical SMTP configuration page is illustrated here:

Typical SMTP configuration values are illustrated here:
Mail Log Tab
The Mail Log displays:
- Messages that are queued for sending
- Deferred messages
- Sent messages
For example, the Mail Log illustrated here shows two messages have been sent.

To view the details of a message, click on the 

Settings Tab
A typical SMTP Configuration page is illustrated here:

Serial
As illustrated below, the rCell 300 is equipped with two serial ports:
- RS232
- RS232/485 GPIO



Each serial port may be configured for one of the following modes:
- Serial-IP
- Modbus RTU/TCP Gateway
- GPS Streamer
To configure either serial port, expand the Mode pull-down list and select the desired mode as illustrated here:

The system shows a warning message on submit when a user tries to configure a port as Modbus RTU/TCP Gateway while the other port is already configured as Modbus RTU/TCP Gateway.

The system shows a warning message on submit when a user tries to configure a port as GPS Streamer while the other port is already configured as GPS Streamer.

Modbus RTU/TCP Gateway
The system allows users to configure one of the serial ports as Modbus RTU/TCP Gateway.
Compared to the previous mPower releases, the Modbus RTU/TCP Gateway feature has not been changed from the user requirements and general functionality standpoint.
The Modbus RTU slave is connected to the serial port, and the Modbus TCP master is remote. When the Modbus Gateway is enabled, its application runs in the system and works as a translator between the Modbus RTU (slave) and Modbus TCP (master) devices, converting between the two protocols. The Modbus Gateway passes data between an RTU connected to the serial port and a Modbus TCP remote client/server.
An example of the Modbus RTU/TCP Gateway Settings for the server is illustrated here:

An example of the Modbus RTU/TCP Gateway Settings for the client is illustrated here:

GPS Streamer Mode
The rCell 300 has two serial ports, and streaming GPS data to a serial port is configured as part of the Serial Port functionality. The system allows either serial port to be configured as a GPS Streamer, but only one serial port can be configured as a GPS Streamer at a time.
The GPS Configuration page allows configuring which NMEA messages are sent as GPS data, as well as the interval, prefix, and ID. The GPS Configuration page does not have settings for configuring a serial port. However, it has the GPS To Serial Configuration section, which refers to the Serial Configuration page.
To configure GPS data transfer to a serial port, on the GPS Configuration page configure the NMEA messages, interval, add prefix and ID if required, and then go to the Serial Configuration page to configure a serial port as a GPS Streamer.
An example of the GPS Streamer Configuration for the server is illustrated here:

Logging
Serial-IP
The system uses a separate file /var/log/messages/ser-cli.log for logging Serial-IP events.
RS232 and RS232/485 serial ports can be configured and operate as Serial-IP simultaneously, and logs are added to the same event log file: ser-cli.log. RS232 uses the source “serial0” in the logged messages; RS232/485 uses the source “serial1” in the logs.

Modbus RTU/TCP Gateway
The system uses a separate file to store logs when a serial port is configured as Modbus RTU/TCP Gateway: /var/log/messages/modbus-gateway.log.
GPS Streamer
The mtsgpsstreamer service logs events to /var/log/messages.

Serial Port Statistics
The Serial Port Statistics page provides information regarding data transferred through the serial port (RX/TX), DCD status (if available), and corresponding logs (if available). The information that is shown on the Statistics page is stored in /api/stats/serial.
The Serial Port dropdown allows switching between available Serial Ports to see corresponding statistics and logs.
The system stores the serial port data transfer statistics (RX/TX) when a user reconfigures the serial port and restarts corresponding services.
The system does not preserve the serial port data transfer statistics (RX/TX) over a reboot. When the system reboots, the serial port statistics are reset.
DCD Status is not available for the RS232/485 port, and the DCD Status is hidden on the Serial Port Statistics page when that port is selected.
The Serial Log pane shows the device logs that correspond to the current mode of the selected serial port.

DCD (Data Carrier Detect) Status
Data Carrier Detect (DCD) is a control signal carried in an RS-232 serial communications cable between a computer and another device. DCD is available on the RS-232 serial port only, and is not available on the RS232/485 serial port.
DCD Status is available on the Serial Port Statistics page:
- When RS232/485 is selected, the DCD Status is not shown.
- When RS232 is selected, the DCD status is available.

| RS232 Configuration | DCD Status | 
|---|---|
| Disabled | OFF | 
| GPS Streamer Enabled | ON | 
| GPS Streamer Disabled | OFF | 
| Serial-IP Server Mode | OFF until a client connection is established at which time it turns ON. | 
| Serial-IP Client Mode | No Server Connection: OFF. Server connection established: DCD Status depends on the specific Connection Activation setting: |
| Modbus RTU/TCP Gateway | ON When Modbus RTU/TCP Gateway mode is enabled, the system automatically stores the current DCD Status (i.e., ON or OFF.) Once the prior value has been stored, DCD Status will always be ON. When Modbus RTU/TCP Gateway mode becomes disabled or the serial port is configured for another mode, the system restores DCD Status to the status it had prior to enabling Modbus RTU/TCP Gateway. Configuration examples illustrating this system behavior are provided in the following section, Modbus RTU/TCP Gateway Configuration Examples. | 
Modbus RTU/TCP Gateway Configuration Examples
Configuration examples illustrating system behavior when the Serial Port is configured as Modbus RTU/TCP Gateway are provided below.
Example 1
- Initial conditions:
  - Serial Port: Disabled
  - DCD Status: OFF
- Serial Port:
  - Enable Modbus RTU/TCP Gateway. Select Submit ► Save ► Apply to apply changes.
  - DCD Status toggles to ON.
  - Disable Modbus RTU/TCP Gateway. Select Submit ► Save ► Apply to apply changes.
  - DCD Status toggles to OFF.
Example 2
- Initial conditions:
  - Serial Port: GPS Streamer
  - DCD Status: ON
- Serial Port:
  - Enable Modbus RTU/TCP Gateway. Select Submit ► Save ► Apply to apply changes.
  - DCD Status remains ON.
  - Disable Modbus RTU/TCP Gateway. Select Submit ► Save ► Apply to apply changes.
  - DCD Status toggles to OFF.
Example 3
- Initial conditions:
  - Serial Port: Serial-IP Server
  - Client connection has been established.
  - DCD Status: ON
- Serial Port:
  - Change Serial-IP mode to Modbus RTU/TCP Gateway. Select Submit ► Save ► Apply to apply changes.
  - DCD Status remains ON.
  - Disable Modbus RTU/TCP Gateway. Select Submit ► Save ► Apply to apply changes.
  - DCD Status momentarily remains ON before toggling OFF.
SNMP
A typical SNMP Configuration page is illustrated here:

| MIB Parameter | OID | OID Description | Comments | 
|---|---|---|---|
| sysDescr | 1.3.6.1.2.1.1.1 | A textual description of the entity. This value should include the full name and version identification of the system's hardware type, software operating-system, and networking software. It is mandatory that this only contain printable ASCII characters. | The system returns the following information: |
| sysObjectID | 1.3.6.1.2.1.1.2 | The vendor's authoritative identification of the network management subsystem contained in the entity. This value is allocated within the SMI enterprises subtree (1.3.6.1.4.1) and provides an easy and unambiguous means for identifying the type of box being managed. For example, if vendor "Flintstones, Inc." is assigned the subtree 1.3.6.1.4.1.4242, it could assign the identifier 1.3.6.1.4.1.4242.1.1 to "Fred Router". | The sysObjectID is 1.3.6.1.4.1.995.16.1.1.1 | 
| sysUpTime | 1.3.6.1.2.1.1.3 | The time (in hundredths of a second) since the network management portion of the system was last re-initialized. | The uptime of the snmp service. | 
| sysContact | 1.3.6.1.2.1.1.4 | The textual identification of the contact person for this managed node, together with information on how to contact this person. | Empty by default. Configurable. | 
| sysName | 1.3.6.1.2.1.1.5 | An administratively-assigned name for this managed node. By convention, this is the node's fully-qualified domain name. | Empty by default. Configurable. | 
| sysLocation | 1.3.6.1.2.1.1.6 | The physical location of this node ("telephone closet on 3rd floor"). | Empty by default. Configurable. | 
| sysServices | 1.3.6.1.2.1.1.7 | A value which indicates the set of services that this entity primarily offers. The value is a sum which initially has the value zero (0). Then, for each layer, L, in the range 1 - 7, for which a node performs transactions, 2^(L - 1) is added to the sum. For example, a node which primarily performs routing functions has a value of 2^(3-1), or 4. In contrast, a node which is a host offering application services has a calculated value of [2^(4-1) + 2^(7-1)], or 72. Note that in the context of the Internet suite of protocols, values should be calculated accordingly: For systems including OSI protocols, layers 5 and 6 may also be included. | mPower devices will return 76. |
Time
The time synchronization feature sets up device time according to the specified system settings. Two different options are used to get the correct time:
- NTP Synchronization
- Cellular Synchronization
A typical Time Configuration page is illustrated here:

Time Configuration Parameters
Settings
| Parameter | Valid Values | Description | 
|---|---|---|
| Change Date & Time | | Manually adjust the date and time to correspond with the geographic location of the rCell 300. |
| Time Zone | | Select the time zone from the pull-down list that corresponds to the geographic location of the rCell 300. |
| Current Date and Time | | Displays the current date and time. | 
| Parameter | Valid Values | Description | 
|---|---|---|
| Enabled | Valid values are: | Enables/disables Network Time Protocol (NTP) synchronization. Default Value: Enabled | 
| Minimal Poll Interval | Whole numeric values. | Minimum time duration, in minutes, for the rCell 300 to poll the selected time server to synchronize its time. Default value: 6 | 
| Maximum Poll Interval | Whole numeric values. | Maximum time duration, in minutes, for the rCell 300 to poll the selected time server to synchronize its time. Default value: 10 | 
| Pool Time Server | ||
| Server | Select the desired pool time server from the pull-down list. | |
| Custom Servers | ||
| Server 1 | URL | URL of a custom time server to be used for time synchronization by the rCell 300. | 
| Server 2 | URL | URL of a custom time server to be used for time synchronization by the rCell 300. | 
| Server 3 | URL | URL of a custom time server to be used for time synchronization by the rCell 300. | 
| Server 4 | URL | URL of a custom time server to be used for time synchronization by the rCell 300. | 
| Parameter | Valid Values | Description | 
|---|---|---|
| Enabled | Valid values are: | Enables/disables cellular time synchronization. Default Value: Disabled | 
| Polling Time | Valid values are: | Time duration, in minutes, for the rCell 300 to poll the cellular network to synchronize its time. Default value: 120 | 
Digital I/O
The system allows users to configure and control digital input and output pin states directly from the Web UI, API, and via SMS commands.

Digital I/O allows users to:
- Observe the actual state of the Input and Output pins in the STATE column.
- Set a user-friendly name for the Input and Output pins. This name may include alphanumeric characters only and has a maximum length of 10 characters.
- Change the mode of the output pin from Web UI.
By default, the mode is LEVEL, which means that the output pin stays at the same voltage level: LOW or HIGH. Select Set High or Set Low to change the current state.
The output pin can also be configured in PULSE mode. In this mode, the system changes the current voltage level to another level (Active Level) for a user-configurable period of time (Duration (ms)) before returning to its original level.
- Valid values for Active Level are:
  - LOW
  - HIGH
- Duration (ms) is an integer value. Valid values are:
  - 1 (minimum)
  - 86400000 (maximum, corresponding to 24 hours)

SMS Configuration and Commands
The following SMS commands are supported:
- #getio di0|do0
- #setio do0 [<value>]

#getio di0|do0
When the system receives the SMS command, it sends back the current state of the digital input (di0) or digital output (do0).
| SMS Command | Custom PIN Name | SMS Response | 
|---|---|---|
| #getio di0 | Not set | The state of the digital output is HIGH. YYYY-MM-DD HH:MM | 
| #getio di0 | OUTPUTNAME | The state of the digital output ‘OUTPUTNAME’ is HIGH. YYYY-MM-DD HH:MM | 
| #getio do0 | Not set | The state of the digital input is LOW. YYYY-MM-DD HH:MM | 
| #getio do0 | INPUT0NAME | The state of the digital input 'INPUT0NAME' is LOW. YYYY-MM-DD HH:MM | 
#setio do0 [<value>]
The system allows users to change the current state of the output pin by sending a corresponding SMS command.
Level Mode
If the mode is LEVEL, add the value “0” to set the voltage level to LOW and “1” to set the voltage level to HIGH. If you do not add a value, the system will set the voltage to LOW.
Examples of SMS Command when the output pin mode is LEVEL:
| Mode | SMS Command | SMS Response | 
|---|---|---|
| LEVEL | #setio do0 0 | The state of the digital output 'OUTPUTNAME' has been changed to LOW. YYYY-MM-DD HH:MM | 
| LEVEL | #setio do0 1 | The state of the digital output 'OUTPUTNAME' has been changed to HIGH. YYYY-MM-DD HH:MM | 
| LEVEL | #setio do0 | The state of the digital output 'OUTPUTNAME' has been changed to LOW. YYYY-MM-DD HH:MM | 
Pulse Mode
If the mode is PULSE, the received SMS command causes the system to change the state of the digital output based on the Pulse mode configuration. Do not add a value parameter, and the system will use the duration configured in the system. You can change the duration by setting a custom interval in the SMS command. To specify a custom duration of the pulse signal in ms, add an integer value. For example, the command #setio do0 15000 will send a signal to change the digital output state for 15 seconds.

| Mode | SMS Command | SMS Response | 
|---|---|---|
| PULSE | #setio do0 | A signal to change the state of the digital output 'OUTPUTNAME' to HIGH for 10000ms (PULSE mode) has been sent. YYYY-MM-DD HH:MM | 
| PULSE | #setio do0 15000 | A signal to change the state of the digital output 'OUTPUTNAME' to HIGH for 15000ms (PULSE mode) has been sent. YYYY-MM-DD HH:MM | 
Cellular Menu
Cellular features such as the cellular connection, cellular diagnostics, and SMS-related functionality are configured within this menu.
The rCell 300 is equipped with two SIM slots and supports DUAL SIM functionality.
The following cellular profiles are supported by the rCell 300:
- Provider Profiles
- SIM Profiles
Cellular Configuration
- Enables/disables cellular operation
- Enables/disables Dual SIM operation
- Configures Connection Monitoring parameters
- Configures Connection Recovery parameters.

Cellular Configuration Tab
The Cellular Configuration tab includes settings that users must manage in order for their Cellular Connection to work.
General Configuration
The following General Configuration settings are configured in this area:
- Cellular operation is enabled/disabled.
- If the SIM is locked, the PIN must be configured for it.
- If the customer has a custom APN or is using an MVNO, they may be required to manually configure the APN.
- Dual SIM functionality is enabled/disabled.
Connection Monitoring
Connection Monitoring settings are configured in this area:
- Max Connection Failures – This setting, when enabled, tracks connection attempts up to the configured maximum before the additional connection recovery activities begin.
- Keep Alive – This is essentially a ping keep-alive that verifies that the data connection is still established and data can be transmitted and received.
- Data Receive Monitor – This is a passive monitor. If the device has not received any packets over the cellular connection in the configured window, it triggers connection re-establishment activities.
- Network Registration Timeout – If enabled and the radio is unable to register with the cellular network within the specified timeout, the cellular recovery procedures are triggered.
- Roaming Network Timeout – If enabled and the radio is connected while roaming, it attempts to reconnect to its home network per the timeout setting.
- Signal Quality Timeout – If the RSSI remains below the specified dBm for the timeout period, the recovery procedures are started in order to attempt to find a better signal.
Connection Recovery
Connection Recovery settings are enabled/disabled in this area:
- Data Connection Reset – If it is determined that the data connection is not passing traffic, the connection will be re-established.
- SIM Switchover – This enables failover to the other SIM during connection recovery after a certain number of attempts or after a certain time has elapsed since the last successful data connection.
- Radio Reboot – If this is enabled, after all back-off timers have been exercised, and if the data connection has not been re-established successfully during that time, the radio is rebooted.
- Service Reset – Per algorithm, the entire set of processes, counters, etc., will be restarted at a point if Cellular data connectivity cannot be re-established.

Cellular Profiles Tab
The system supports the configuration of Cellular Provider Profiles and SIM profiles.
The system applies a corresponding Provider Profile and SIM profile based on the settings configured by users.
Default Cellular Profile configuration settings are illustrated here:

Provider profiles support the configuration of Cellular Management settings such as private network APNs, specific settings for different types of SIMs, etc. What is powerful about these profiles is the ability to customize on a provider basis the configuration values that are not defaults or supported through default behavior.
Add Provider Profile Tab
To create a new Provider Profile, select + Add Provider Profile on the Cellular Profiles tab.
The Add Provider Profile tab is then displayed allowing users to configure the new provider profile.

Edit SIM Group
When you update the SIM groups for a profile, each group you add acts as a filter that matches only the SIM profiles to be used with the provider profile you are defining groups for. A profile can have multiple groups, each of which is a separate filter matching a different group of SIMs.
Add SIM Profile Tab
When adding a new provider profile, it is possible to create a SIM group that will be used with that provider profile.
To create a new SIM Profile, select + Add SIM Profile on the Cellular Profiles tab.
The Add SIM Profile tab is then displayed allowing users to configure the new SIM profile.

Diagnostics
Cellular Diagnostics includes the following tabs:
- Radio Status
- Diagnostics
- Cell Radio Firmware Upgrade
Radio Status Tab
Typical Radio Status information is illustrated here:

Diagnostics Tab
The Diagnostics tab includes:
- The Radio Terminal in which users can execute AT commands
- Radio Diagnostics feature which allows users to download cellular related logs and details
- Reset Options which allow the modem to be reset
A typical Diagnostics tab is illustrated here:

Cell Radio Firmware Upgrade Tab
The system allows users to perform a cellular radio firmware upgrade.
A typical Cell Radio Firmware Upgrade tab is illustrated here:

SMS
A typical SMS Configuration page is illustrated here:

Configuration Tab
A typical SMS Configuration tab is illustrated here:

SMS Configuration Parameters
SMS configuration parameters are described in the following sections.
SMS Settings
| Parameter | Description | 
|---|---|
| Enabled | Enables the SMS utilities required to send SMS via API and the Web Management interface. | 
| Sent SMS to Keep | The total number of sent SMS messages to keep in the rCell 300's history. | 
| Resend Failed SMS | The total number of resend attempts for SMS messages that fail to be sent. | 
| Received SMS to Keep | The total number of received SMS messages to keep in the rCell 300's history. | 
SMS Commands
The available SMS Commands for the rCell 300 are displayed in this section. Review the table for detailed information about each command. All commands are disabled by default. Command arguments are:
- Required to be in the order listed. For example: #ping [<interface>] [<count>] <address>
- Identified as required when they are in angle brackets < >. For example: <address>
- Identified as optional when they are within square brackets [ ]. For example: [<count>]
| SMS Command | Description | 
|---|---|
| #reboot | Reboot the rCell 300. | 
| #checkin | Check in to DeviceHQ | 
| #rm <enable | disable> [<AccountKey>] | Enable or disable remote management using DeviceHQ. Note: When enabling remote management, if an AccountKey has not been previously configured, it must be included when issuing this SMS command. | 
| #setcellular <enable | disable> [<APN>] | Enable or disable Cellular. To configure the  | 
| #ping [<interface>] [<count>] <address> | Ping a specified IP address or hostname using the following attributes: | 
| #app <start | stop | restart> <app id | app name> | Starts, stops, or restarts a custom application identified by its app id or app name that has been installed on the rCell 300. | 
| #setio do0 [<value>] | |
| #getio <di0 | do0> | |
| #serial | Retrieve the following serial information: | 
| #apn | Retrieve the APN string. | 
| #cellular | Retrieve the cellular connection status. | 
| #radio | Retrieve the radio status. | 
| #ethernet | Retrieve the Ethernet interface configuration. | 
| #wan | Retrieve the actual WAN transport and WAN priority configuration. | 
| #wifi | Retrieve the following Wi-Fi information: | 
| #wanips | Retrieve the IPv4 and IPv6 addresses that are currently assigned to existing WAN network interfaces. | 
| #geoposition | Retrieve the following GPS information: Note: This command is supported only by devices with a GPS module that is acquiring a sufficient GPS signal. | 
Security Filters
Security filters combine a security filter password with a whitelist of phone numbers to control SMS command execution, so that only authorized users can execute SMS commands. The key steps involved are:
- Enable Security Filter Password and Whitelist Phone Number: This ensures that only authorized devices can send commands.
- Use of Whitelisted Cellphones:
  - Send messages with a password: For example, p <password> #ping xxx.xxx.xxx.xxx.
  - Verify the cellphone receives the status of the ping via an SMS message.
  - Messages sent without a password result in the command being ignored.
- Use of Non-Whitelisted Cellphones:
  - Messages sent with or without a password result in the command being ignored by the device.
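The accept/ignore outcomes listed above, together with the `#setio do0 [<value>]` rules from the Digital I/O section, modelled as an added Python example (not MultiTech firmware code). The sample numbers, password, enabled-command set, number normalization, constant-time comparison and the rejection of out-of-range values are assumptions of this example; the guide does not say how the device handles malformed arguments.

```python
import hmac
import re

# Constructed sample policy: the number, password and enabled commands are made up.
WHITELIST = {"+15550100001"}
FILTER_PASSWORD = "s3cret-example"
ENABLED_COMMANDS = {"#ping", "#setio", "#getio"}  # every SMS command is disabled by default

# "p <password> #command [args]" as shown in the guide. The password part is optional
# in the pattern so that unauthenticated commands are recognised and then ignored.
SMS_RE = re.compile(
    r"^(?:p\s+(?P<password>\S+)\s+)?(?P<command>#[a-z]+)(?:\s+(?P<args>.+))?$", re.I
)
MAX_PULSE_MS = 86_400_000  # documented maximum Duration (ms), i.e. 24 hours


def normalize_number(number):
    """Drop spaces, dashes and brackets so formatting differences cannot bypass the whitelist."""
    return re.sub(r"[^\d+]", "", number)


def check_setio(args, pin_mode):
    """Validate '#setio do0 [<value>]' and return the documented action, or None if invalid."""
    if not args or args[0] != "do0" or len(args) > 2:
        return None
    value = args[1] if len(args) == 2 else None
    if value is not None and not re.fullmatch(r"[0-9]+", value):
        return None
    if pin_mode == "LEVEL":
        if value in (None, "0"):
            return ("set", "LOW")           # a missing value defaults to LOW
        return ("set", "HIGH") if value == "1" else None
    if pin_mode == "PULSE":
        if value is None:
            return ("pulse", "configured")  # use the duration configured on the device
        return ("pulse", int(value)) if 1 <= int(value) <= MAX_PULSE_MS else None
    return None


def authorize_sms(sender, body, pin_mode="LEVEL"):
    """Return (decision, detail) for one received SMS."""
    match = SMS_RE.match(body.strip())
    if match is None:
        return ("ignored", "not an SMS command")
    if normalize_number(sender) not in WHITELIST:
        return ("ignored", "sender not whitelisted")
    supplied = match["password"]
    if supplied is None:
        return ("ignored", "no password")
    # Constant-time comparison avoids leaking how much of the password matched.
    if not hmac.compare_digest(supplied.encode(), FILTER_PASSWORD.encode()):
        return ("ignored", "wrong password")
    command = match["command"].lower()
    if command not in ENABLED_COMMANDS:
        return ("ignored", "command disabled")
    args = (match["args"] or "").split()
    if command == "#setio":
        action = check_setio(args, pin_mode)
        if action is None:
            return ("ignored", "invalid #setio arguments")
        return ("execute", action)
    return ("execute", (command, args))
```
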
 
Send/Received SMS Tab
A typical Send/Received SMS tab is illustrated here:

Wireless Menu
- As a Wi-Fi Access Point
- As a Wi-Fi as WAN client
- Concurrently as a Wi-Fi Access Point and Wi-Fi as WAN client
Note: The rCell 300's Wi-Fi module cannot use different bands or channels for its two functional parts. Therefore, the access point's frequency and channel settings will be the same as the Wi-Fi WAN network's.
Wi-Fi Configuration
A typical Wi-Fi Configuration page is illustrated here:

Wi-Fi Access Point Tab
rCell 300 can support up to 16 clients connected to the Wi-Fi Access Point.
Supported regions are limited to USA and Canada.
A typical Wi-Fi Access Point configuration page is illustrated here:

Wi-Fi Access Point Configuration Parameters
Wireless Configuration
| Parameter | Valid Values | Description | 
|---|---|---|
| Enabled | Valid values are: | Enables/disables Wi-Fi Access Point mode. | 
| Network Name (SSID) | The user-specified name for the Wi-Fi network. | |
| Region | The region in which the rCell 300 is operating. Note: When operating in concurrent mode (i.e., both Wi-Fi Access Point and Wi-Fi as WAN are enabled), this parameter will be hidden. The rCell 300 will use Wi-Fi as WAN configuration information. | |
| Network Band | Valid values are: | The radio frequency over which the rCell 300 will communicate. Note: When operating in concurrent mode (i.e., both Wi-Fi Access Point and Wi-Fi as WAN are enabled), this parameter will be hidden. The rCell 300 will use Wi-Fi as WAN configuration information. | 
| Network Mode | Note: When operating in concurrent mode (i.e., both Wi-Fi Access Point and Wi-Fi as WAN are enabled), this parameter will be hidden. The rCell 300 will use Wi-Fi as WAN configuration information. | |
| Channel | The Wi-Fi channel over which the rCell 300 will communicate. Note: When operating in concurrent mode (i.e., both Wi-Fi Access Point and Wi-Fi as WAN are enabled), this parameter will be hidden. The rCell 300 will use Wi-Fi as WAN configuration information. | |
| Width (MHz) | Note: When operating in concurrent mode (i.e., both Wi-Fi Access Point and Wi-Fi as WAN are enabled), this parameter will be hidden. The rCell 300 will use Wi-Fi as WAN configuration information. | 
Security Options
| Parameter | Valid Values | Description | 
|---|---|---|
| Mode | Valid values are: | Note: To configure Wi-Fi Enterprise security, select WPA2-ENTERPRISE. The Radius server that will be responsible for the authentication must also be configured. | 
| WPA Algorithm | 
Radius
| Parameter | Valid Values | Description | 
|---|---|---|
| Host | ||
| Host | ||
| Port | ||
| Port | ||
| Secret | ||
| Secret | 
Advanced Settings
To be provided.
| Parameter | Valid Values | Description | 
|---|---|---|
Clients
To be provided.
Wi-Fi as WAN Tab
Typical Wi-Fi as WAN configuration values are illustrated here:

Wi-Fi as WAN Configuration Parameters
Configuration
| Parameter | Valid Value | Description | 
|---|---|---|
| Enabled | Valid values are: | Enables/disables Wi-Fi as WAN mode. | 
Saved Wi-Fi Networks
- Name
- SSID
- Security
Available Wi-Fi Networks
- SSID
- Security
- Signal
Firewall Menu
The device's firewall enforces a set of rules that determine how incoming and outgoing packets are handled. By default, all outbound traffic originating from the LAN is allowed to pass through the firewall, and all inbound traffic originating from external networks is dropped. This effectively creates a protective barrier between the LAN and all other networks.
The following parameters are configured under the Firewall menu:
- Settings
- Trusted IP
- Static Routes
Firewall Rules and Port Forwarding
Firewall Rules and Port Forwarding are implemented using nftables.
To print the firewall rules in the device console, run nft list ruleset.
Settings
Firewall Rules and Port Forwarding configuration and status is performed on the following tabs:
- Settings
- Status
Settings Tab
Typical firewall rule configuration settings are illustrated here:

Port Forwarding
The Add Port Forwarding Rule option allows users to create a Port Forwarding rule which comprises two separate firewall rules:
- A prerouting rule
- A forward filter rule
As soon as a user selects Add Port Forwarding Rule, the system automatically creates two separate rules.
If changes to the port forwarding rules are required, each of the corresponding rules should be updated individually. Alternatively, the incorrect rules can be deleted and a new port forwarding rule created by selecting the Add Port Forwarding Rule button.
Typical port forwarding configuration settings are illustrated here:

Status Tab
The Firewall Status allows users to review the Firewall rules that are currently being applied within the system.
When a user selects Download, the system creates an archive with a firewall-ruleset.log file.
A typical firewall Status tab is illustrated here:

Trusted IP
Trusted IP is a simplified interface to create nftables rules to allow or block specific IPs, IP ranges, or subnets. This feature allows users to create whitelists (which are allowed or trusted IPs) or black lists (which are blocked or unwanted IPs). You can add, edit, and delete IP addresses as needed.
- If you select White List as Trusted IP Mode and do not set any IP range, no traffic will be allowed.
- If you select Black List as Trusted IP Mode and do not set any IP range, all traffic will be allowed.
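A pre-flight check for the two modes described above, as an added Python example (not part of mPower): it evaluates a planned Trusted IP list against addresses that must keep access and addresses that must be blocked, including the empty-list cases. The function names and the `first-last` range syntax are assumptions of this example; all addresses are constructed documentation addresses.

```python
import ipaddress


def parse_entry(entry):
    """Turn one Trusted IP entry into a list of networks.

    Accepted forms: single address '203.0.113.7', subnet '192.0.2.0/24',
    range '198.51.100.10-198.51.100.20' (range syntax assumed for this example).
    """
    entry = entry.strip()
    if "-" in entry:
        first, last = (ipaddress.ip_address(part.strip()) for part in entry.split("-", 1))
        if first.version != last.version or first > last:
            raise ValueError(f"invalid range: {entry}")
        return list(ipaddress.summarize_address_range(first, last))
    # strict=False accepts '192.0.2.5/24' and treats it as the enclosing subnet.
    return [ipaddress.ip_network(entry, strict=False)]


def is_allowed(source, mode, entries):
    """White List admits only listed sources; Black List admits everything except them."""
    address = ipaddress.ip_address(source)
    listed = any(address in net for entry in entries for net in parse_entry(entry))
    if mode == "White List":
        return listed
    if mode == "Black List":
        return not listed
    raise ValueError(f"unknown Trusted IP Mode: {mode}")


def preflight(mode, entries, must_reach, must_block=()):
    """Return the problems that applying this configuration would cause."""
    problems = []
    if mode == "White List" and not entries:
        problems.append("white list is empty: no traffic will be allowed")
    if mode == "Black List" and not entries:
        problems.append("black list is empty: all traffic will be allowed")
    for source in must_reach:
        if not is_allowed(source, mode, entries):
            problems.append(f"{source} would be locked out")
    for source in must_block:
        if is_allowed(source, mode, entries):
            problems.append(f"{source} would still be allowed")
    return problems


# Constructed sample list covering the three entry kinds.
SAMPLE_ENTRIES = ["203.0.113.7", "192.0.2.0/24", "198.51.100.10-198.51.100.20"]
```

Running `preflight` with the management station's address in `must_reach` before switching to White List mode catches a lockout while the device is still reachable.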
Typical Trusted IP settings are illustrated here:

Static Routes
Configuring static routes adds persistent routes to remote devices that are automatically recreated when the rCell 300 is rebooted.
A typical Static Route settings page is illustrated here:

Tunnels Menu
Tunneling allows the use of a public network to convey data on behalf of two remote private networks. It is also a way to transform data frames so that they can pass through networks with incompatible address spaces or even incompatible protocols.
The rCell 300 supports the following tunnel mechanisms:
- GRE Tunnels
- IPSec Tunnels
- OpenVPN Tunnels
GRE Tunnels
Generic Routing Encapsulation (GRE) is a tunneling mechanism that uses IP as the transport protocol and can be used for carrying many different passenger protocols.
The tunnels behave as virtual point-to-point links that have two endpoints identified by the tunnel source and tunnel destination addresses at each endpoint. Configuring a GRE tunnel involves creating a tunnel interface, which is a logical interface, then configuring the tunnel endpoints for the tunnel interface.
GRE Configuration Tab
A typical GRE Configuration page is illustrated here:

Add Tunnel Tab
To add a GRE tunnel, navigate to the Add Tunnel tab. Once all parameters have been configured, select Submit.

IPSec Tunnels
The device supports site-to-site VPNs via IPsec tunnels for secure network-to-network communication. Both tunnel endpoints should have static public IP addresses and must be able to agree on the encryption and authentication methods to use.
Setting up an IPsec tunnel is a two-stage negotiation process.
- The first stage negotiates how the key exchange is protected.
- The second stage negotiates how the data passing through the tunnel is protected.
For endpoints that do not have public static IP addresses, additional options may help such as NAT Traversal and Aggressive Mode.
By default, based on the encryption method chosen, the device negotiates ISAKMP hash and group policies from a default set of secure algorithms with no known vulnerabilities. This allows flexibility in establishing connections with remote endpoints. There is an ADVANCED mode that provides a way to specify a strict set of algorithms to use per phase, limiting the remote endpoint's negotiation options.
The default Encryption Method is: AES-128.
The default set of DH Group Algorithms is:
- DH2(1024-bit)
- DH5(1536-bit)
- DH14(2048-bit)
- DH15(3072-bit)
- DH16(4096-bit)
- DH17(6144-bit)
- DH18(8192-bit)
- DH22(1024-bit)
- DH23(2048-bit)
- DH24(2048-bit)
There is the option to add multiple local and remote networks. These additional subnets can provide more complexity, flexibility, efficiency, and redundancy to the VPN. Using multiple networks allows different endpoints in different LAN subnets to securely communicate through the same tunnel. Users do not have to configure an additional tunnel for those subnets saving time and effort.
IPSec Configuration Tab
A typical IPSec Configuration tab is illustrated here:

Add Tunnel Tab
To add an IPSec tunnel, navigate to the Add Tunnel tab. Once all parameters have been configured, select Submit.

Configuration Parameters
Refer to the following table for information about each IPSec configuration parameter.
| Parameter | Description | 
|---|---|
| IPSec Tunnel | |
| Name | Name used to identify the IPsec tunnel in configurations and logs. | 
| Description | Optional text to describe the IPsec tunnel. This description shows up in the UI while hovering over the summary of an IPsec tunnel. | 
| IPSec Remote Tunnel Endpoint | |
| Remote WAN IP | External IP address of the remote tunnel endpoint. The remote device is typically a router. | 
| Remote Network Route | This field is used in conjunction with the Remote Network Mask field and describes the remote endpoint's subnet. This is used to identify packets that are routed over the tunnel to the remote network. | 
| Remote Network Mask | This field is used in conjunction with the Remote Network Route field, to describe the remote endpoint's subnet. It identifies packets that are routed over the tunnel to the remote network. | 
| Tunnel Type | Internet Key Exchange (IKE) for host-to-host, host-to-subnet, or subnet-to-subnet tunnels. Choose from IKE or IKEv2. | 
| IPsec Tunnel: IKE | |
| Authentication Method | Choose between Pre-Shared Key or RSA Signatures. Authentication is performed using secret pre-shared keys and hashing algorithms (like SHA1, MD5) or RSA signatures (you provide the CA Certificate, Local RSA Certificate, and Local RSA Private Key in .pem format). If you check Enable UID, then Local ID and Remote ID become available as options. | 
| Pre-Shared Key | Authentication is performed using a secret pre-shared key and hashing algorithms on both sides. | 
| Secret | Secret key that is known by both endpoints. | 
| Encryption Method | IKE encryption algorithm used for the connection (phase 1 - ISAKMP SA). Based off of phase 1, a secure set of defaults are used for phase 2, unless the Advanced option is used, in which case, all components of both phases 1 and 2 are specified by the user. | 
| RSA Signatures | Authentication is performed using digital RSA signatures. | 
| CA Certificate | Certificate Authority certificate used to verify the remote endpoint's certificate. | 
| Local RSA Certificate | Certificate the local endpoint uses during Phase 1 Authentication. | 
| Local RSA Private Key | The private key that the local endpoint uses during Phase 1 Authentication. | 
| Encryption Method¹ | Choose an Encryption Method from the following list: AES-128, AES-192, AES-256, or ADVANCED. IKE encryption algorithm is used for the connection (phase 1 - ISAKMP SA). Based off of phase 1, a secure set of defaults are used for phase 2, unless the Advanced option is used, in which case, all components of both phases 1 and 2 are specified by the user. | 
| Phase 1 Encryption¹ | If Advanced is selected for Encryption Method, select Phase 1 Encryption from the drop-down: AES-128, AES-192, AES-256, or ANY AES. | 
| Phase 1 Authentication¹ | If Advanced is selected for Encryption Method, select Phase 1 Authentication from the drop-down: SHA-2, SHA2-256, SHA2-384, SHA2-512, or ANY. | 
| Phase 1 Key Group¹ | If Advanced is selected for Encryption Method, select the Phase 1 Key Group from the drop-down: DH2 (1024-bit), DH5 (1536-bit), DH14 (2048-bit), DH15 (3072-bit), DH16 (4096-bit), DH17 (6144-bit), DH18 (8192-bit), DH22 (1024-bit), DH23 (2048-bit), DH24 (2048-bit), and ANY. | 
| Phase 2 Encryption¹ | If Advanced is selected for Encryption Method, select Phase 2 Encryption from the drop-down: AES-128, AES-192, AES-256, ANY AES, or ANY. | 
| Phase 2 Authentication¹ | If Advanced is selected for Encryption Method, select Phase 2 Authentication from the drop-down: SHA-2, SHA2-256, SHA2-384, SHA2-512, or ANY. | 
| Phase 2 Key Group¹ | If Advanced is selected for Encryption Method, select the Phase 2 Key Group from the drop-down: DH2 (1024-bit), DH5 (1536-bit), DH14 (2048-bit), DH15 (3072-bit), DH16 (4096-bit), DH17 (6144-bit), DH18 (8192-bit), DH22 (1024-bit), DH23 (2048-bit), DH24 (2048-bit), and ANY. | 
| Enable UID | Unique Identifier String to enable the Local ID and Remote ID fields. | 
| Local ID | String Identifier for the local security gateway (optional) | 
| Remote ID | String Identifier for the remote security gateway (optional) | 
| IPSec Tunnel: Advanced | |
| IKE Lifetime | Duration for which the ISAKMP SA exists from successful negotiation to expiration. | 
| Key Life | Duration for which the IPsec SA exists from successful negotiation to expiration. | 
| Max Retries | Number of retry attempts for establishing the IPsec tunnel. Enter zero for unlimited retries. | 
| Checking Period | Timeout interval in minutes. If Remote WAN IP address is a hostname that can be resolved by DynDNS, the hostname will be resolved at the set interval. Recommended for dynamic IP addresses. | 
| Compression | Enable IPComp. This protocol increases the overall communication performance by compressing the datagrams. Compression requires greater CPU processing. | 
| Aggressive Mode | Whether to allow a less secure mode that exchanges identification in plain text. This may be used for establishing tunnels where one or more endpoints have a dynamic public IP address. Although this mode is faster to negotiate phase 1, the authentication hash is transmitted unencrypted. An attacker who captures the hash can mount a dictionary or brute-force attack to recover the PSK. | 
¹ For mPower 5.3 and higher, deprecated encryption and hash algorithms are not available for creating new tunnels. But old tunnels that were created in 5.2 or lower will retain the deprecated settings unless changed. Those deprecated settings include: 3DES, ANY, MD5, and SHA-1.
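An audit of a tunnel's settings against the footnote's deprecated values, the listed key-group sizes and the Aggressive Mode warning, as an added Python example (not mPower code). The dictionary layout, function names and the key-group policy are assumptions: the policy follows RFC 8247, which discourages MODP groups under 2048 bits and groups 22 to 24, and is not a statement from this guide.

```python
# Key groups and sizes as listed in the guide's default DH set.
DH_GROUP_BITS = {
    "DH2": 1024, "DH5": 1536, "DH14": 2048, "DH15": 3072, "DH16": 4096,
    "DH17": 6144, "DH18": 8192, "DH22": 1024, "DH23": 2048, "DH24": 2048,
}
DEPRECATED = {"3DES", "ANY", "MD5", "SHA-1"}  # footnote 1: deprecated in mPower 5.3 and higher

# Example policy (assumption, based on RFC 8247): require at least 2048-bit MODP
# groups and avoid groups 22 to 24.
MIN_DH_BITS = 2048
RFC8247_AVOID = {"DH22", "DH23", "DH24"}


def is_weak_group(group):
    """Unknown group names count as weak so that typos are not silently accepted."""
    return DH_GROUP_BITS.get(group, 0) < MIN_DH_BITS or group in RFC8247_AVOID


def audit_tunnel(tunnel):
    """Return a list of (field, message) findings for one tunnel's settings.

    `tunnel` is a dict keyed by the parameter names in the table above
    (hypothetical layout; the device's stored format is not documented here).
    """
    findings = []
    if tunnel["Encryption Method"] == "ADVANCED":
        for phase in ("Phase 1", "Phase 2"):
            for kind in ("Encryption", "Authentication", "Key Group"):
                field = f"{phase} {kind}"
                value = tunnel[field]
                if value in DEPRECATED:
                    findings.append((field, f"{value} is deprecated"))
                elif kind == "Key Group" and is_weak_group(value):
                    findings.append((field, f"{value} is weaker than the example policy allows"))
    else:
        # Without ADVANCED the peer may negotiate any group in the default set.
        weak = [group for group in DH_GROUP_BITS if is_weak_group(group)]
        findings.append(("Encryption Method", "default set also offers " + ", ".join(weak)))
    if tunnel["Aggressive Mode"] and tunnel["Authentication Method"] == "Pre-Shared Key":
        findings.append(("Aggressive Mode", "authentication hash is sent unencrypted with a PSK"))
    return findings


# Constructed samples: a tunnel carried over from mPower 5.2 and a strict ADVANCED one.
LEGACY_TUNNEL = {
    "Authentication Method": "Pre-Shared Key", "Encryption Method": "ADVANCED",
    "Phase 1 Encryption": "3DES", "Phase 1 Authentication": "SHA-1", "Phase 1 Key Group": "DH2",
    "Phase 2 Encryption": "AES-128", "Phase 2 Authentication": "SHA2-256",
    "Phase 2 Key Group": "ANY", "Aggressive Mode": True,
}
STRICT_TUNNEL = {
    "Authentication Method": "RSA Signatures", "Encryption Method": "ADVANCED",
    "Phase 1 Encryption": "AES-256", "Phase 1 Authentication": "SHA2-256", "Phase 1 Key Group": "DH14",
    "Phase 2 Encryption": "AES-256", "Phase 2 Authentication": "SHA2-256",
    "Phase 2 Key Group": "DH14", "Aggressive Mode": False,
}
```
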
OpenVPN Tunnels
OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities.
To use OpenVPN, install an OpenVPN application along with an easy-rsa tool and configure OpenVPN on your computer. Then, generate the certificates for the OpenVPN server and client before configuring the device.
To configure OpenVPN client and server on this device the following files are required:
- CA PEM file or CA certificate (.crt)
- Diffie Hellman PEM file (.pem)
- Server Certificate to be used by the device endpoint (.crt)
- Server/Client Key to be used by the device endpoint (.key)
- When you configure OpenVPN server and client, make sure both sides use the same settings and certificates.
- For mPower 5.3 and higher, some encryption and hash configurations are deprecated and not available for creating new tunnels. Any tunnels created in 5.2 or lower will retain the deprecated settings unless changed.
  - Deprecated settings for hash algorithms include: MD4, MD5, RSA-MD4, RSA-MD5, and SHA-1.
  - Deprecated settings for encryption ciphers include: BF-CBC, CAST5-CBC, DES-CBC, DES-EDE-CBC, DES-EDE3-CBC, DESX-CBC, IDEA-CBC, RC2-40-CBC, RC2-64-CBC, and RC2-CBC.
  - Deprecated setting for Minimum TLS version is 1.1.
- Some encryption and hash configurations are too weak and NOT supported at all in mPower 5.3 or higher. These settings do not function when performing an upgrade to mPower 5.3. The system provides a warning message during upgrade and replaces them with Default. The following TLS cipher suites are not supported: TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA and TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA. Also, the following hash algorithms are not supported: DSA, DSA-SHA, DSA-SHA1, DSA-SHA1-old, ECDSA-with-SHA1, RSA-SHA, RSA-SHA1-2, and SHA.
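A pre-upgrade check that scans an OpenVPN configuration for the deprecated and unsupported values listed above, as an added Python example (not an mPower tool). It assumes the peer's settings are available in standard OpenVPN directive syntax (`cipher`, `data-ciphers`, `ncp-ciphers`, `auth`, `tls-cipher`, `tls-version-min`); the function names and the sample configuration are constructed.

```python
# Lists copied from the guide's mPower 5.3 notes.
DEPRECATED_AUTH = ["MD4", "MD5", "RSA-MD4", "RSA-MD5", "SHA-1"]
UNSUPPORTED_AUTH = ["DSA", "DSA-SHA", "DSA-SHA1", "DSA-SHA1-old", "ECDSA-with-SHA1",
                    "RSA-SHA", "RSA-SHA1-2", "SHA"]
DEPRECATED_CIPHERS = ["BF-CBC", "CAST5-CBC", "DES-CBC", "DES-EDE-CBC", "DES-EDE3-CBC",
                      "DESX-CBC", "IDEA-CBC", "RC2-40-CBC", "RC2-64-CBC", "RC2-CBC"]
UNSUPPORTED_TLS_SUITES = ["TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA",
                          "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA"]


def norm(name):
    """Compare names case-insensitively and without hyphens, so 'SHA1' matches 'SHA-1'."""
    return name.upper().replace("-", "")


def status_table(deprecated=(), unsupported=()):
    table = {norm(name): "deprecated" for name in deprecated}
    table.update({norm(name): "unsupported" for name in unsupported})
    return table


CIPHERS = status_table(DEPRECATED_CIPHERS)
# Directive -> lookup table. List-valued directives separate entries with ':'.
CHECKS = {
    "auth": status_table(DEPRECATED_AUTH, UNSUPPORTED_AUTH),
    "cipher": CIPHERS, "data-ciphers": CIPHERS, "ncp-ciphers": CIPHERS,
    "tls-cipher": status_table(unsupported=UNSUPPORTED_TLS_SUITES),
}


def parse_directives(text):
    """Yield (line_number, directive, args), skipping blank lines and '#' or ';' comments."""
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        yield number, name.lower(), args


def audit_openvpn(text):
    """Return (line_number, directive, value, status) for every flagged setting."""
    findings = []
    for number, name, args in parse_directives(text):
        if not args:
            continue
        if name in CHECKS:
            for value in args[0].split(":"):
                status = CHECKS[name].get(norm(value))
                if status:
                    findings.append((number, name, value, status))
        elif name == "tls-version-min":
            try:
                version = tuple(int(part) for part in args[0].split("."))
            except ValueError:
                continue
            if version == (1, 1):
                findings.append((number, name, args[0], "deprecated"))
            elif version < (1, 1):
                # The guide names 1.1 only; anything lower is flagged by this example.
                findings.append((number, name, args[0], "below deprecated minimum"))
    return findings


# Constructed sample configuration for a tunnel created before mPower 5.3.
SAMPLE_CONFIG = "\n".join([
    "# constructed sample",
    "dev tun",
    "proto udp",
    "cipher BF-CBC",
    "auth SHA1",
    "tls-version-min 1.1",
    "tls-cipher TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384",
    "data-ciphers AES-256-GCM:AES-128-GCM",
])
```

Findings marked `unsupported` are the ones the upgrade replaces with Default, so they change the tunnel's behaviour unless the peer is updated to match.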
OpenVPN Configuration Tab
A typical OpenVPN Configuration page is illustrated here:

Add Tunnel Tab
To add an OpenVPN tunnel, navigate to the Add Tunnel tab. Once all parameters have been configured, select Submit.

Configuration 1: OpenVPN Tunnel with TLS Authorization Mode (Device only)
This first configuration establishes the OpenVPN Tunnel connection from a device client to a device server using TLS as Authorization Mode. This involves adding and configuring both OpenVPN Server and Client sides within the device UI.
To add an OpenVPN Server using TLS:
- Go to Tunnels > OpenVPN Tunnels > OpenVPN Tunnel Configuration.
- Select Add Tunnel.
- Enter the Name.
- Select the Type as SERVER from the dropdown.
- You can also enter an optional Description.
- Under OpenVPN Tunnel Configuration, enter the following fields (using TLS as Authorization Mode):
- Interface Type as TUN from the dropdown.
- Authorization Mode as TLS from the dropdown.
- Protocol as UDP.
- VPN Subnet.
- Port number.
- VPN Netmask.
- LZO Compression as ADAPTIVE from the dropdown.
- Hash Algorithm as DEFAULT.
- NCP (Negotiable Crypto Parameters) as DEFAULT.
- Min. TLS Version as 1.2.
- TLS Cipher Suite as DEFAULT.
- Enter the contents of the following files generated from the easy-rsa tool. You can copy and paste this content from the certificate files after opening from a text editor like Notepad (all required):
- CA PEM (.crt)
- Diffie Hellman PEM (.pem)
- Server Certificate PEM (.crt)
- Server Key PEM (.key)
 Note: Use the same CA PEM certificate and parameters as the server for the OpenVPN clients.
 
- Remote Network Routes create a route from the server network to the client network. This allows the server to get access to the client’s network. In the OpenVPN Tunnel Network Routes, select Add:
- Enter the Remote Network Route (should be the client subnet). For example, if the client IP address is 192.168.3.1, enter 192.168.3.0.
- Enter the Remote Network Mask (usually 255.255.255.0).
- You may enter Gateway (optional).
- Select Add.
 
- The system displays your recently-added Push Route with the client subnet (remote network route + mask).
- Push Routes create a route from client’s network to the server’s network. This allows clients to get access to the server’s network. Under Push Routes:
- Select Client To Client box if you want this optional feature (this establishes a connection between multiple clients that are connected to the server).
- In the Push Network Route, select Add.
- In the dialog box, enter the Remote Network Route (same address as the server subnet above).
- Enter the Remote Network Mask (same as above).
- Optional: You may enter Gateway.
- Select Add. Note: If you use Static Key Authorization Mode, the Push Routes do not work.
 
- The system displays your recently-added Push Route with the client subnet (remote network route + mask).
- Select Preview to view the tunnel configuration.
- Select Submit.
- Select Save and Apply to save your changes.
To add an OpenVPN Client using TLS:
- Go to Tunnels > OpenVPN Tunnels > OpenVPN Tunnel Configuration.
- Select Add Tunnel.
- Enter the Name of the tunnel.
- Select the Type as CLIENT from the dropdown.
- Optional: Enter a Description.
- Under OpenVPN Tunnel Configuration, enter the following fields (using TLS as Authorization Mode):
- Interface Type as TUN from the dropdown.
- Authorization Mode as TLS from the dropdown.
- Protocol as UDP.
- Remote Host (server public IP address).
- Remote Port number.
- LZO Compression as ADAPTIVE from the dropdown.
- Hash Algorithm as DEFAULT.
- NCP (Negotiable Crypto Parameters) as DEFAULT.
- Min. TLS Version as 1.2.
- TLS Cipher Suite as DEFAULT.
- Enter the contents of the following files generated from the easy-rsa tool. You can copy and paste this content from the certificate files after opening from a text editor like Notepad (all required):
- CA PEM (.crt)
- Client Certificate PEM (.crt)
- Client Key PEM (.key)
 
 
- If you use TLS as Authorization Mode, you do not need to configure or add Remote Network Routes. The server adds the routes if the server's Push Routes are already configured. If you use Static Key as Authorization Mode, you must add and configure Remote Network Routes.
- Select Preview to view the tunnel configuration.
- Select Submit.
- Select Save and Apply to save your changes.
Now the device client can access the device server subnet. You can ping the IP address of the device server subnet from the client console to test this.
Configuration 2: OpenVPN Tunnel with TLS Authorization Mode (Device and Connected PC)
This second configuration provides access between a device server and its subnet and device client and its subnet. An additional configuration is needed on the device server side. This also allows your PC to connect with the device server and ultimately to the device client through that server.
- Configure the device server as shown under how to add an OpenVPN Server using TLS.
- Open the device console and go to /var/config/ovpnccd/openVPNServerName. Create the folder if it is not present on the device.
- Create a file that has the client certificate name with the following information:
- iroute [Client_Subnet] [Mask]
- Example: echo "iroute 192.168.3.0 255.255.255.0" > mtrClient1
 
- For each client, you must create a separate file in the folder /var/config/ovpnccd/yourserverName. Note: Make the file name the same as the Common Name value used to create the certificate.
- Configure device client as shown under how to add an OpenVPN Client.
Once properly configured, you should have a connection between the device server and device client and their subnets. Your PC can also connect with the device server and thus the device client through that server.
Configuration 3: OpenVPN Tunnel with Static Key Authorization Mode (device server and client)
This third configuration establishes the OpenVPN Tunnel connection from a device client to a device server using Static Key as Authorization Mode. This involves adding and configuring both OpenVPN Server and Client sides within the device UI.
When using Static Key, the OpenVPN tunnel is created between only two end-points, the client and server. You cannot connect more than one client to the server in this mode. Remote Network Route must be specified in both configurations, client and server, in order to establish the connection between subnets.
To add an OpenVPN Server using Static Key:
- Go to Tunnels > OpenVPN Tunnels > OpenVPN Tunnel Configuration.
- Select Add Tunnel.
- Enter the Name.
- Select the Type as SERVER from the dropdown.
- Optional: Enter a Description.
- Enter the following fields (using STATIC KEY as Authorization Mode):
- Interface Type as TUN from the dropdown.
- Authorization Mode as STATIC KEY from the dropdown.
- Protocol as UDP.
- Local Address as DEFAULT.
- Port number.
- Remote Address as DEFAULT.
- LZO Compression as ADAPTIVE from the dropdown.
- Hash Algorithm as DEFAULT.
- NCP (Negotiable Crypto Parameters) as DEFAULT.
- Generate and enter the Static Key PEM (required). Both server and client must use the same static key. The key text begins with the line -----BEGIN OpenVPN Static key V1----- and ends with the line -----END OpenVPN Static key V1-----.
 
- Remote Network Routes create a route from the server network to the client network. This allows the server to get access to the client’s network. In the OpenVPN Tunnel Network Routes, select Add:
- Enter the Remote Network Route (should be the client subnet). For example, if the client IP address is 192.168.3.1, enter 192.168.3.0.
- Enter the Remote Network Mask (usually 255.255.255.0).
- Select Add.
 
- The system displays your recently-added Remote Network Route with the client subnet (remote network route + mask). Note: Push Routes are not required with Static Key as Authorization Mode.
- Select Preview to view the tunnel configuration.
- Select Submit.
- Select Save and Apply to save your changes.
To add an OpenVPN Client using Static Key:
- Go to Tunnels > OpenVPN Tunnels > OpenVPN Tunnel Configuration.
- Select Add Tunnel.
- Enter the Name.
- Select the Type as CLIENT from the dropdown.
- Optional: Enter a Description.
- Enter the following fields (using STATIC KEY as Authorization Mode):
- Interface Type as TUN from the dropdown.
- Authorization Mode as STATIC KEY from the dropdown.
- Protocol as UDP.
- Local Address as DEFAULT.
- Remote Host.
- Remote Address as DEFAULT.
- Remote Port number.
- LZO Compression as ADAPTIVE from the dropdown.
- Select the NCP (Negotiable Crypto Parameters) as DEFAULT from dropdown.
- Select the Hash Algorithm as DEFAULT from dropdown.
- Min. TLS Version as 1.2.
- TLS Cipher Suite as DEFAULT.
- Enter the Static Key PEM (required). Both server and client must use the same static key. The key text begins with the line -----BEGIN OpenVPN Static key V1----- and ends with the line -----END OpenVPN Static key V1-----.
 
- Remote Network Routes create a route from the server network to the client network. This allows the server to get access to the client’s network. In the OpenVPN Tunnel Network Routes, select Add:
- Enter the Remote Network Route (should be the client subnet). For example, if the client IP address is 192.168.3.1, enter 192.168.3.0.
- Enter the Remote Network Mask (usually 255.255.255.0).
- Select Add.
 
- The system displays your recently-added Remote Network Route with the client subnet (remote network route + mask). Note: Push Routes are not required with Static Key as Authorization Mode.
- Select Preview to view the tunnel configuration.
- Select Submit.
- Select Save and Apply to save your changes.
Configuration 4: OpenVPN Tunnel with Static Key Authorization Mode and TCP
This fourth configuration establishes the OpenVPN Tunnel connection from a device client to a device server using Static Key as Authorization Mode and TCP protocol (instead of UDP for the third configuration). This involves adding and configuring both OpenVPN Server and Client sides within the device UI.
To add an OpenVPN Server using Static Key and TCP:
- Go to Tunnels > OpenVPN Tunnels > OpenVPN Tunnel Configuration.
- Select Add Tunnel.
- Enter the Name.
- Select the Type as SERVER from the dropdown.
- Optional: Enter a Description.
- Enter the following fields (using STATIC KEY as Authorization Mode):
- Interface Type as TUN from the dropdown.
- Authorization Mode as STATIC KEY from the dropdown.
- Protocol as TCP.
- Local Address as DEFAULT.
- Remote Host.
- Remote Address as DEFAULT.
- Remote Port number.
- Hash Algorithm as RSA-SHA1.
- LZO Compression as ADAPTIVE from the dropdown.
- NCP (Negotiable Crypto Parameters) as CAMELLIA-256-CBC.
- Min. TLS Version as NONE.
- TLS Cipher Suite as DEFAULT.
- Generate and enter the Static Key PEM (required). Both server and client must use the same static key. The key text begins with the line -----BEGIN OpenVPN Static key V1----- and ends with the line -----END OpenVPN Static key V1-----.
 
- Select Next.
- Remote Network Routes create a route from the server network to the client network. This allows the server to get access to the client’s network. In the OpenVPN Tunnel Network Routes, select Add:
- Enter the Remote Network Route (should be the client subnet). For example, if the client IP address is 192.168.3.1, enter 192.168.3.0.
- Enter the Remote Network Mask (usually 255.255.255.0).
- Select Add.
 
- The system displays your recently-added Remote Network Route with the client subnet (remote network route + mask). Note: Push Routes are not required with Static Key as Authorization Mode.
- Select Preview to view the tunnel configuration.
- Select Submit.
- Select Save and Apply to save your changes.
To add an OpenVPN Client using Static Key and TCP:
- Go to Tunnels > OpenVPN Tunnels > OpenVPN Tunnel Configuration.
- Select Add Tunnel.
- Enter the Name.
- Select the Type as CLIENT from the dropdown.
- Optional: Enter a Description.
- Enter the following fields (using STATIC KEY as Authorization Mode):
- Interface Type as TUN from the dropdown.
- Authorization Mode as STATIC KEY from the dropdown.
- Protocol as TCP.
- Local Address as DEFAULT.
- Remote Host.
- Remote Address as DEFAULT.
- Remote Port number.
- Hash Algorithm as RSA-SHA1.
- LZO Compression as ADAPTIVE from the dropdown.
- NCP (Negotiable Crypto Parameters) as CAMELLIA-256-CBC.
- Min. TLS Version as NONE.
- TLS Cipher Suite as DEFAULT.
- Generate and enter the Static Key PEM (required). Both server and client must use the same static key. The key text begins with the line -----BEGIN OpenVPN Static key V1----- and ends with the line -----END OpenVPN Static key V1-----.
 
- Select Next.
- Remote Network Routes create a route from the server network to the client network. This allows the server to get access to the client’s network. In the OpenVPN Tunnel Network Routes, select Add:
- Enter the Remote Network Route (should be the client subnet). For example, if the client IP address is 192.168.3.1, enter 192.168.3.0.
- Enter the Remote Network Mask (usually 255.255.255.0).
- Select Add.
 
- The system displays your recently-added Remote Network Route with the client subnet (remote network route + mask). Note: Push Routes are not required with Static Key as Authorization Mode.
- Select Preview to view the tunnel configuration.
- Select Submit.
- Select Save and Apply to save your changes.
Administration Menu
User Accounts
The Local User Accounts page supports activities to add, remove, and update user accounts on the device including changing passwords.

SSH Key Management
SSH public keys are managed in this section of the Users page.
- Engineer
- Monitor
- Custom role
Public keys that have been added to a user's account are listed in this section as well.
Add a New Public Key
To create a new public key associated with a user account click Add Public Key as shown here:

Paste the key into the Key field and assign a Title to the key:

The system will not allow a public key to be added/created for a user if one has already been added.

View a Public Key
To view a public key, click on the 

Delete a Public Key
To delete a public key, click on the 
Users Tab
A typical Users tab is illustrated here:

Add User Tab
When adding a user, a User Role must be assigned to that user. By default, the system supports three user roles:
- Administrator
- Engineer
- Monitor
A typical Add User screen is shown here:

When Custom Roles have been added to the system, they will be listed as well, as illustrated here:
Password Complexity Rules Tab
Password complexity is managed through the facilities in Linux and PAM. There is a default complexity mode that is configurable. A credit mode, available in Linux distributions, can also be configured to require a minimum credit score for a new password.
A typical Password Complexity Rules tab is illustrated here:

Custom Roles Tab
The Custom Roles tab lists all Custom User Roles that have been added to the system. For example:

Add Custom Role
A typical Add Custom Role tab is illustrated here:

Sample custom User Role settings are illustrated here:
Access Configuration
Access Configuration settings allow users to configure a variety of services on the device such as:
- The Web Server for the mPower API used by the mPower Web UI
- Responsiveness to Pings to the device on the LAN and WAN interfaces
- The SNMP server
- The Modbus server
- Enabling and limited configuration of:
- DoS prevention
- Ping Limiting
- Brute Force Prevention to lock out user accounts that exceed the password failure limits
 
- SSH Authentication
- Reverse SSH Tunnel
A typical Access Configuration landing page is illustrated here:

- Access Configuration
- SSH Configuration
The following sections provide detailed information about each parameter used to configure device services.
Access Configuration Tab
- Web Server information
- ICMP
- SNMP
- Modbus Device Information
- IP Defense
Web Server Configuration
The rCell 300 only allows secure access to its Web UI. The following parameters configure how HTTP requests are redirected to the rCell 300's secure HTTPS port.
| Parameter | Description | 
|---|---|
| HTTP Port | The port on which the rCell 300 listens for HTTP requests to redirect. | 
| HTTP Redirect to HTTPS | When enabled, users accessing the rCell 300 via HTTP are automatically redirected to the secure HTTPS port. | 
| HTTP via LAN | When enabled, the rCell 300 listens for and redirects incoming HTTP requests from the LAN to HTTPS. | 
| HTTP via WAN | When enabled, the rCell 300 listens for and redirects incoming HTTP requests from the WAN to HTTPS. | 
| HTTPS Port | The port on which the rCell 300 listens for HTTPS requests. | 
| HTTPS via WAN | When enabled, the rCell 300 listens for and responds to HTTPS requests from the WAN. This increases susceptibility to malicious activity. | 
| Session Timeout (seconds) | Amount of time a user's session can remain dormant before automatically being logged out (minutes). Note: Changing this item requires the device to reboot. | 
HTTPS Security
Configure the HTTPS security settings (like version and cipher suite). Click the Show link to the right under HTTPS Security. To enable the Web server to authenticate the client via the client’s public key certificate, check Client Authentication under the Authentication section.
| Parameter | Description | 
|---|---|
| Authentication | |
| Client Authentication | Requires web browsers to have a valid client certificate that is signed by a Certifying Authority (CA) that the server can verify. Otherwise, user access to the UI is blocked. NOTE: You must first upload a CA certificate at Administration > X.509 CA Certificates. | 
| TLS Settings | |
| TLSv1.3, TLSv1.2, and/or TLSv1.1 | Check the version of the TLS protocol to be used: TLSv1.3, TLSv1.2, and/or TLSv1.1 (Deprecated). Default: TLSv1.3 and TLSv1.2 | 
| Cipher Suite Name | Check any preferred Cipher Suite from the following: TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-GCM-SHA256, TLS_AES_128_GCM_SHA256, and also including the following deprecated ciphers: ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-SHA, DHE-RSA-AES256-GCM-SHA384, AES256-SHA, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-SHA, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA, and/or AES128-SHA. Default: All. (You can also set the priority order of the ciphers.) | 
ICMP
Internet Control Message Protocol (ICMP) is used by devices to send error messages, for example to indicate that a requested service is not available or that a host or device could not be reached. ICMP can also relay query messages.
| Parameter | Description | 
|---|---|
| Enabled | Enables ICMP responses. | 
| Respond to LAN | If checked, the device will respond to ICMP traffic from the LAN, such as ping requests. | 
| Respond to WAN | If checked, the device will respond to ICMP traffic from the WAN, such as ping requests. This increases susceptibility to malicious activity. | 
SNMP
The rCell 300 offers Simple Network Management Protocol (SNMP), which is used for collecting information from, and configuring, network devices on an IP network.
| Parameter | Description | 
|---|---|
| Via LAN | When enabled, the rCell 300 allows access to the SNMP server via the LAN. | 
| Via WAN | When enabled, the rCell 300 allows access to the SNMP server via the WAN. | 
Modbus Device Information
The Modbus feature allows the user to enable the Modbus query server. You can query this server over Modbus-TCP for status information.
| Parameter | Description | 
|---|---|
| Enabled | Enables the Modbus Query Server. | 
| Via LAN | When enabled, the rCell 300 can query the Modbus server via the LAN. | 
| Port | Port number configured for Modbus. | 
For Modbus query information, refer to the MTR Modbus Information page on our Developer Resources website (on .net) for details: http://www.multitech.net/developer/software/mtr-software/mtr-modbus-information/
IP Defense Settings
A set of rules that decreases susceptibility to malicious activity. If these settings are configured too strictly, they may interfere with non-malicious activity.
DoS Prevention
| Parameter | Description | 
|---|---|
| Enabled | Enables DoS prevention (disabled by default). | 
| Per Minute | Allowed number of new connections per minute until burst points are consumed. For example, if 60 new connections are received in a minute, decrement one burst point. If no more burst points, drop the packet. | 
| Burst | Number of allowed bursts for traffic spikes. A burst occurs when the Per Minute limit is reached. On a period where the Per Minute limit is not reached, one burst point is regained, up to the maximum. | 
Ping Limit
| Parameter | Description | 
|---|---|
| Enabled | Enables the Ping Limit feature (enabled by default). | 
| Per Second | Allowed number of pings per second before burst points are consumed. Once burst points run out, ICMP packets will be dropped. | 
| Burst | Number of burst points. On a period where the Per Second limit is not reached, one burst point is regained, up to this maximum. | 
Brute Force Protection
| Parameter | Description | 
|---|---|
| Enabled | Enables the Brute Force Prevention feature (enabled by default). | 
| Attempts | The number of failed attempts allowed before the user's account is locked out. | 
| Lockout Minutes | The number of minutes an account is locked out before a new login attempt will be accepted. | 
Bootloader Protection
To see or set these features, go to Administration > Access Configuration > Bootloader Protection and click Show.
Bootloader Shell
This feature enables shell access to the bootloader. It is disabled by default. If the rCell 300 is reset to factory defaults, Bootloader Shell Access is disabled.
- Under Bootloader Shell Access, click Enable.
- Confirm the change.
- If not making other changes, click Submit.
When enabled, the status shows as Enabled and a Disable button appears. Click Disable to turn off Shell Access and confirm the change. The change is applied immediately.
Bootloader Password
This feature enables password authentication to access the rCell 300 bootloader. The bootloader password is set directly in the bootloader. The password is not removed or disabled when resetting to factory defaults. Once you set up a bootloader password, it stays in the bootloader until you disable it.
It is disabled by default.
| Parameter | Description | 
|---|---|
| Enabled | Enables the Bootloader Password feature to the right of Authentication Status (enabled by default). | 
| Password | Enter password to access the rCell 300 bootloader. | 
| Confirm | Enter the password again to confirm. | 
Debug Console
This feature allows the customer to run Silent Mode which turns off the output to the Debug Console. The console output is enabled by default (i.e. Silent Mode is disabled).
When Silent Mode is enabled, Debug Console is turned off. (NOTE: During boot, the device does not output any information after the notice that the Linux Kernel is being decompressed including no login prompt, etc.)
| Parameter | Description | 
|---|---|
| Enable | Enables Silent Mode which turns off output to the Debug Console (disabled by default meaning Debug Console output is on). | 
After making all desired changes, click Submit, then click Save and Apply. (Changes to specific sections may require reboot.)
SSH Configuration Tab
The SSH Configuration tab allows users to configure SSH services on the device such as:
- SSH Settings
- Authentication
- Brute Force Prevention
- SSH Security
- Reverse SSH Tunnel
A typical SSH Configuration page is illustrated here:

SSH Settings
Typical SSH configuration settings are illustrated here:

Idle Timeout (seconds)
Idle Timeout is the length of time, in seconds, that an SSH session will remain idle or inactive before the system automatically closes it.
Valid values, in seconds, for Idle Timeout are:
- 60
- 3600
The default value for Idle Timeout is 300 seconds.
SSH Authentication
SSH Authentication is where the following authentication settings are controlled:
- Password authentication
- Public Key authentication

SSH Brute Force Prevention
SSH Brute Force Prevention protects the system from unauthorized access attempts and prevents attackers from repeatedly trying different passwords to gain SSH access.

- Enabled: true|false
- Attempts: 1 – 99
- Lockout (seconds): 60 — 3600
- Brute Force Prevention: enabled
- Attempts: 3
- Lockout (seconds): 300 (i.e., 5 minutes)
RADIUS Configuration
The RADIUS protocol supports authentication, user session accounting, and authorization of users to the device.
This authentication, accounting, and authorization is independent of the local users created on the device. The user can enable Authentication, Accounting, or both options.
RADIUS user details:
- Access to device if role is one of those in the provided list (Administrator, Engineer, or Monitor).
- RADIUS users do not have SSH access to the device.
- RADIUS creates a temporary session instead of a local account like local users.
- RADIUS uses shared key encryption.
- Local users shall take priority over RADIUS user (if a RADIUS user has the same username as a local user, the RADIUS user cannot log in even if the local user is disabled).
- RADIUS user with Administrator role can view and modify all local users (but cannot delete a local Administrator if it is the only local admin user on the device).
- RADIUS users with Engineer and Monitor role cannot view or modify user details. They do not have access to the User Accounts page.
- RADIUS users cannot change their own password in the Web UI.
A typical Radius Configuration page is illustrated here:

X.509 Certificates
A typical X.509 Certificates configuration page is illustrated here:

Web Certificate
The system supports generating and uploading a new Web Certificate in .pem format.
A typical Web Certificate tab is illustrated here:

Generate Web Certificate
To generate a new web certificate, click on 
A typical Generate Web Certificate configuration pop-up dialog is illustrated here:

Web Certificate Configuration Parameters
| Parameter | Valid Values | Description | 
|---|---|---|
| Common Name | | | 
| Subject Alternative Name | The following types may be added to the self-signed certificate: | Subject Alternative Name (SAN) is an extension to the X.509 specification that allows users to specify additional host names for a single SSL certificate. SAN is used in modern X.509 certificates to: The system generates a self-signed certificate using the device hostname as a SAN value. | 
| Locality/City | | | 
| Days | | | 
| Organization | | | 
| Country (2 letter code) | | | 
| Email Address | | | 
| State/Province | | | 
CA Certificates Tab
The system supports importing X.509 CA Certificates. Imported certificates must be in .pem format.
A typical CA Certificates tab is illustrated here:

Remote Device Management
The following Remote Device Management operations are supported:
- Check-in based on a specified interval, and repeated at a particular time and day(s) of the week
- Upload device configuration to the remote server
- Commands execution:
- Configuration upgrade
- Firmware upgrade
- Device Logs Upload
- Reboot
 
A typical Remote Device Management tab is illustrated here:

Notifications
The Notification tab includes settings for users to manage the following:
- Notifications Configuration
- Notifications Sent
The device can send alerts via:
- email: To send alerts via email, the SMTP server must be enabled.
- SMS: To send alerts via SMS, refer to SMS Configuration and Commands.
- SNMP: To enable SNMP traps, refer to SNMP Configuration.
Configuration Tab
A typical Configuration tab for notifications is illustrated here:

To add a new Recipient Group, click on + Add Group and configure the following information for the group:

To edit an existing Recipient Group, click the 
Sent Tab
A typical Sent tab for notifications is illustrated here:

Web UI Customization
Users can configure the following on the Web UI Customization tab:
- Footer Customization allows the user to add custom organization details to the footer.
- Dashboard Customization allows the user to upload a new image and specify Device Name and Custom ID that will be shown on the Dashboard page.
- UI Customization allows the user to modify the color schema of the buttons, and upload a custom logo and favicon.
A typical Web UI Customization tab is illustrated here:

Firmware Upgrade
Firmware from MultiTech is signed by MultiTech’s private key and the signatures on the artifacts in the firmware must verify successfully for the firmware to be applied to the device flash.
A typical Firmware Upgrade screen is illustrated here:

System Fallback
To improve system reliability and ensure system recovery, the rCell 300 employs a dual volume architecture.
Following a fallback, once the system successfully reboots the following message is displayed on the Firmware Upgrade screen to alert the user:

Package Management
The Package Management feature supports importing and installing packages from the MultiTech online mLinux feeds.
A typical Package Management tab is illustrated here:

Save/Restore
Save/Restore supports restoring from an uploaded configuration file, saving the current configuration to a file, and defaulting the device back to factory settings. The RESET button can be configured to enable it, disable it, or disable factory reset so that the device only resets when the button is pressed.
A typical Save/Restore page is illustrated here:

Debug Options
The Debug Options tab contains a miscellaneous set of features and options for debugging and rebooting the device:
- When enabled, the Auto Reboot Timer feature will reboot per the configured timeout.
- When enabled and configured, the Remote Syslog feature will stream the syslog output to the remote server.
- Logging is a global setting to increase or decrease the device logging level.
- The Data Traffic Statistics feature controls the periodicity and data threshold when statistics are saved to persistent storage.
- The Ping feature pings or connects via TCP to the target remote host.
- The Continuous Ping feature pings the target remote host continuously.
A typical Debug Options tab is illustrated here:

Usage Policy
A typical Usage Policy tab is illustrated here:

Apps Menu
Custom Apps
The system allows installing custom applications and uploading configuration files for the installed custom apps.
A typical Custom Apps page is illustrated here:

| Parameter | Description | 
|---|---|
| Enabled | When ENABLED: | 
| Backup on Install | When ENABLED (default setting) the currently running custom application is backed up in case a new version of the application is being downloaded and installed. If the install fails, the backup is reinstalled. Disable this option only if there is not enough space to backup custom apps. | 
 button associated with the application to be stopped. For additional information, refer to Installed Applications.
Installed Applications
A list of custom applications that have been installed on the rCell 300 is displayed on the Custom Apps page. A typical list is shown here:

Information about available application options is listed here:
| Icon | Function | 
|---|---|
|  | View application details | 
|  | Halt application | 
|  | TBD | 
|  | Delete the application | 
View Application Details
 option is selected:
- Application Name
- Application ID
- Application Version
- Extra Version [optional]
- Installation Location- Persistent Storage
- /var/config/app
- SD Card
 
- Application Status
- Application Description
- Version Notes
- Application Info; Not displayed if info is empty or "not available".
- Process IDs (PIDs)- Process ID
- Running
- Process Name
- CMD
 


Application Status
The supported application statuses are listed below:
| Status | Description | 
|---|---|
| STARTED | The application is highlighted with green and there is a stop action in the Options column. | 
| RUNNING | The application is highlighted with green and there is a stop action in the Options column. | 
| STOPPED | The application is not highlighted and there is a start action in the Options column. | 
| FAILED | The application is highlighted with red and the actual status is shown next to the app version. | 
| INSTALL FAILED | The application is highlighted with red and the actual status is shown next to the app version. | 
| START FAILED | The application is highlighted with red and the actual status is shown next to the app version. | 
Extra Version Support
In addition to a custom application's version, which is stored in manifest.json, some applications may have an optional extra version which is managed by the custom application itself. The extra version is stored in the [App Directory]/version_extra file.
If the [App Directory]/version_extra file exists and is not empty, the extra version is displayed next to the application's current version.

Install a Custom App
Perform the following procedure to install a custom application:
- Go to the Custom Apps page, select Add Custom App.
- Specify an App ID and choose an application file in the pop-up. The App ID must be a hexadecimal value with a maximum length of 32 characters.
When adding a custom app, the following information applies:
- The application name must be unique. The system does not allow installing two different apps with the same name. The system retrieves the App Name value from the manifest.json.
- The installed application has a corresponding unique App ID. When installing an app, the system verifies if the app with the same name is already installed. If this is true, the system does not allow specifying a different App ID.
- If a user installs a new version of an application that is already installed, the user has to specify the App ID of the installed application. If the user specifies a different App ID, the installation fails and a corresponding error message is displayed.
- When installing an app, the system does not allow specifying an App ID that is already used by another application.
- The application's name
- Description
- Installed version
- App ID
- Current status
- Application information
Installation Location
The location where the system installs a custom application is defined in the manifest.json file. The application can be installed to /var/config/app, /var/persistent, or to the SD card.
To install the application to /var/persistent, the manifest.json file shall have the “PersistentStorage” field set to true. If it is absent or set to false, then the app will be installed to the /var/config/app directory.
Example:
{
  "AppName": "Application Name",
  "AppVersion": "Application Version",
  "AppDescription": "Description to be displayed for the custom app",
  "AppVersionNotes": "Any applicable notes for this version of the app.",
  "PersistentStorage": true
}
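As an added example (not MultiTech's code), the following Python script applies the App ID rules from Install a Custom App and the PersistentStorage rule from Installation Location as a check to run on a package's manifest.json before uploading it. The function names, the `installed` mapping, the sample app name and IDs, and the case-insensitive App ID comparison are assumptions made for illustration.

```python
import json
import re

APP_ID_RE = re.compile(r"[0-9A-Fa-f]{1,32}")  # hexadecimal, at most 32 characters


def install_location(manifest):
    """Map the manifest's PersistentStorage field to the install directory."""
    # SD card installs are not modelled: the page does not show how they are selected.
    if manifest.get("PersistentStorage") is True:
        return "/var/persistent"
    return "/var/config/app"  # field absent or false


def check_install(manifest_text, app_id, installed):
    """Return (errors, location); `installed` maps App Name -> App ID on the device."""
    try:
        manifest = json.loads(manifest_text)
    except json.JSONDecodeError as exc:
        return [f"manifest.json is not valid JSON: {exc}"], None
    if not isinstance(manifest, dict):
        return ["manifest.json must contain a JSON object"], None

    errors = []
    name = manifest.get("AppName")
    if not isinstance(name, str) or not name:
        errors.append("manifest.json has no AppName")
    if not isinstance(manifest.get("PersistentStorage", False), bool):
        errors.append("PersistentStorage must be the JSON literal true or false")
    if not APP_ID_RE.fullmatch(app_id):
        errors.append("App ID must be hexadecimal, 1 to 32 characters")

    # Assumption: App IDs are compared case-insensitively, since they are hex values.
    wanted = app_id.lower()
    for other_name, other_id in installed.items():
        if other_name == name and other_id.lower() != wanted:
            errors.append(f"{name!r} is already installed with App ID {other_id}")
        elif other_name != name and other_id.lower() == wanted:
            errors.append(f"App ID {app_id} is already used by {other_name!r}")
    return errors, install_location(manifest)


# Constructed sample: one app already on the device, and an upgrade of it.
INSTALLED = {"modbus-poller": "a1b2c3d4"}
MANIFEST = '{"AppName": "modbus-poller", "AppVersion": "1.1.0", "PersistentStorage": true}'

if __name__ == "__main__":
    print(check_install(MANIFEST, "A1B2C3D4", INSTALLED))  # upgrade with matching ID
    print(check_install(MANIFEST, "deadbeef", INSTALLED))  # same name, different ID
```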
The system allows uploading one or more configuration files for the installed custom application.
To upload a new configuration file, select the Upload App Configuration icon in the Actions column.

The files will be uploaded to the /[AppName]/config directory.
- If the /[AppName]/config directory does not exist, the system will create a “config” directory in the application directory.
- Upload each file under the exact file name that the application expects to use. If the application uses general.conf, and you upload general_v1.conf and general_v3.conf, all these files will be present in the /config directory, and it is up to the app how to use them. If the name of the file you upload matches a file already in the /config directory, the new file replaces the existing one.
Send Notification Utility
Send Notification is a command-line utility providing a simple method to send notifications via SMS and e-mail.
The path to the utility is: /usr/bin/send-notification

Send Notification supports one or more recipients, so a single notification can be sent to multiple recipients simultaneously.
Cellular IP Passthrough Mode
Setup
- Cellular IP Passthrough
- Time Configuration
Cellular IP Passthrough
The Cellular IP Passthrough screen is where the desired protocol for the rCell 300 is specified.
- IPv4
- IPv6
Depending on the protocol selected, DNS Server and Public IPv4 Mask information are also configured using this screen.
IPv4 Configuration
A typical Cellular IP Passthrough configuration screen for IPv4 is illustrated here:

Sample use cases are detailed in the following table.
| Parameter Values | System Actions and Behavior | 
|---|---|
| Protocol Support: IPv4; IPv4 DNS Server: empty; Public IPv4 Mask: 32 | |
| Protocol Support: IPv4; IPv4 DNS Server: 8.8.8.8; Public IPv4 Mask: 32 | |
| Protocol Support: IPv4; IPv4 DNS Server: empty; Public IPv4 Mask: 24 | |
| Protocol Support: IPv4; IPv4 DNS Server: 8.8.4.4; Public IPv4 Mask: 24 | |
IPv6 Configuration
A typical Cellular IP Passthrough configuration screen for IPv6 is illustrated here:

Sample use cases are detailed in the following table.
| Parameter Values | System Actions and Behavior | 
|---|---|
| Protocol Support: IPv6; IPv6 DNS Server: empty | When the Internet (cellular) connection is established: |
| Protocol Support: IPv6; IPv6 DNS Server: 2001:4860:4860::8888 | When the Internet (cellular) connection is established: |
Time Configuration
A typical Time Configuration screen is illustrated here:

Cellular
- Cellular Configuration
- Diagnostics
Cellular Configuration
In Cellular IP Passthrough mode, all cellular features are supported and operate as described for Network Router mode with the following exception(s):
- Connection Monitoring | Keep Alive: This feature is not supported in Cellular IP Passthrough mode and is therefore not included in the Connection Monitoring section.
A typical Cellular Configuration tab is illustrated here:

Diagnostics
- Radio Status
- Diagnostics
- Cell Radio Firmware Upgrade
Administration
- User Accounts
- Access Configuration
- Web UI Customization
- Firmware Upgrade
- Save/Restore
- Debug Options
- Usage Policy



