rCell 300 Configuration Guide

Model: MTR3-L4G2D

Document Part Number: S000829


Introduction

This guide provides information and procedures necessary to configure an rCell 300 Series router using the mPower Edge Intelligence interface.

The rCell 300 router provides secure data communication between many devices that use legacy as well as current communication technologies.

Note: For complete hardware information about the rCell 300 router, refer to the rCell 300 Series Router Hardware Guide.

Some device models support (varies with model: refer to product-specific hardware guide for details):

  • Wi-Fi communication to devices with this technology
  • GPS capability

This manual provides information about all configuration parameters and features available within mPower Edge Intelligence software.

Note: The information included in this manual is hardware agnostic. For hardware-specific configuration information refer to the appropriate Configuration Guide for the respective device.

Intended Audience

The intended audience of this guide is IT personnel tasked with installing, provisioning, and configuring an rCell 300 router.

The intended audience of this manual is software engineers who are incorporating mPower™ Edge Intelligence options and features in their communications products.

About the rCell 300

The MultiTech rCell 300 router is both an industrial router and a specialized network device designed to connect internet-of-things (IoT) devices. The rCell 300 provides enhanced security to protect against cyber threats, includes edge intelligence to run local applications, and offers secure data communication between many types of devices that use legacy or the latest communication technologies. The rCell 300 can be remotely managed via MultiTech Device Manager.

Conduit AP (MTCAP, MTCAP2, and MTCAP3) securely connects thousands of LoRaWAN® wireless IoT sensors to the cloud using the LoRaWAN® protocol. It expands LoRa network coverage to difficult-to-reach areas and is capable of packet forwarding user data between LoRa end devices and a centrally located network server on the cloud, in a data center, or a public network. The Conduit AP Access Point packet forwarding gateway offers seamless Ethernet and Cellular Wide Area Network connectivity options to connect to cloud-based applications in centrally located data centers.

This guide describes the rCell 500 R2 Series Router. The rCell R2 500 offers secure data communication between different types of devices. It features redundant power supplies and dual SIM capability for a more reliable connection.

MultiTech CT300 (MTCT300) is a wireless and self-powered electrical current monitoring device. It is capable of reporting average, peak, and minimum RMS Amperes and tracking accumulated Amp-Hours. The device parasitically harvests energy from the monitored conductor, negating the need for routine maintenance to replace or charge batteries.

MTCT300 uses sub-gigahertz LoRaWAN for long range wireless communications. This IoT interface can be deployed as a private network, or used with an available public one. The use of short data messages increases reliability of transmission in suboptimal environments such as metal electrical panels.

Intended Use

The rCell 300 is designed for a variety of industrial and IoT applications. Some of its intended uses include:

  • Remote monitoring and control: This device is ideal for remote monitoring and control of equipment and systems in industries such as oil and gas, utilities, and agriculture. The rCell 300 allows for real-time data collection and management of remote locations.
  • Smart cities and infrastructure: This device can be used in smart-city applications, including traffic management, environmental monitoring, and electric vehicle charging stations.
  • Industrial automation: This device works with current industrial automation equipment (such as RTUs) for remote data collection, fault notifications, and control and management of field equipment.

The rCell 300 can be used in applications that require equipment to operate in harsh environments. For outdoor deployments, the rCell 300 must be installed in a waterproof enclosure.

Operating Modes

rCell 300 routers can operate in the following modes:

  • Network Router
  • Cellular IP Passthrough mode

Once the initial commissioning process for the rCell 300 has been completed, the mPower Setup Wizard allows administrators to select the desired operating mode upon logging in to mPower via the LAN.

mPower™ Edge Intelligence

mPower™ Edge Intelligence is an embedded software offering to deliver programmability, network flexibility, enhanced security, and manageability for scalable Industrial Internet of Things (IIoT) solutions. mPower represents the unification and evolution of well-established MultiTech smart router and gateway firmware platforms.

mPower Edge Intelligence simplifies integration with a variety of popular upstream IoT platforms to streamline edge-to-cloud data management and analytics, while also providing the programmability and processing capability to execute critical tasks at the edge of the network to reduce latency, control network and cloud services costs, and ensure core functionality, even in instances when network connectivity may not be available. In response to evolving customer security requirements, mPower Edge Intelligence incorporates a host of new security features including signed firmware validation, secure boot, new Cloud management, programmability of custom apps, DI/DO, and more.

Getting Started

Install the SIM Card(s)

To operate the device on a particular wireless network, install a micro (3FF) SIM card rated for industrial use.
  1. Using a #1 Phillips screwdriver, remove the SIM card cover.

  2. In the SIM 1 slot, insert the SIM card for the primary cellular network and push until it snaps into place.
  3. Optional: In the SIM 2 slot, insert the SIM card for the secondary cellular network and push until it snaps into place.
  4. Reinstall the SIM card cover.

Add the Device to Your Cloud Account

You must have a MultiTech Cloud Service Platform Account. To create an account, go to https://cloud.multitech.com. Refer to the rCell 300 Quick Start Guide to connect and manage your device.
You can choose to add the rCell 300 device either via QR code or manually:
  • QR Code
    1. Using a smartphone camera, scan the onboard QR code from the device serial label. See rCell 300 Serial Label.
    2. Follow the instructions to sign in to your cloud account and quickly onboard the device.
  • Manually
    1. Sign in to your cloud account.
    2. Select Gateways.
    3. Under Actions, select Add device.
    4. Enter the PID number from the device serial label. See rCell 300 Serial Label.

Install the Device

To begin using the rCell 300:
  1. Connect the cellular, GNSS, and Wi-Fi antennas.
  2. Connect the local configuration port (ETH0/LAN) on the rCell 300 to the networked device on the LAN network. The LAN port has a static IP of 192.168.2.1.
  3. Optional: If using a serial device, use the 8-wire terminal block connectors to connect to the RS-232 or RS-485 serial port:
    1. Wire the push-in spring 8-wire terminal plug per your application needs.
      Note: Refer to Terminal Block Connector Pinout in the rCell 300 Series Router Hardware Guide for complete information.
    2. Secure the 8-wire terminal plug to the device using a 2.5 mm slotted screwdriver.
    Note: The RS-232 port on the rCell 300 is not a local configuration port.
  4. Connect the power supply:
    1. Using a 2.0 mm slotted screwdriver, screw the power supply wires into the 2-wire terminal plug.
    2. Secure the 2-wire terminal plug to the 9–36 VDC 2-pin terminal block on the device using a 2.5 mm slotted screwdriver.
    3. Connect the power supply to a power source. The POWER LED turns solid green when the device is ready for use.

    The proper polarity is shown below.

    Note: The customer should take steps to prevent any potential reverse polarity connections.


  5. Use the device web user interface to configure the device.
    • The default IP address for the ETH0/LAN port is 192.168.2.1.
    • A DHCP server is enabled on the LAN interface to provision an IP to any device making a request for one. The range of addresses being assigned by this server is 192.168.2.100 to 192.168.2.254, with a subnet mask of 255.255.255.0.
    • When you log in for the first time, the device is in commissioning mode, which requires you to set up a username and password for an administrator user account. Enter and submit your desired username and password.

Commissioning Mode

The rCell 300 ships in what is called Commissioning Mode. As soon as the rCell 300 is reset to factory defaults or right after the manufacturing process is complete, the system is in Commissioning Mode.



In this mode, the ETH1/WAN is configured as a WAN DHCP Client and the system attempts to connect to Device Manager (MT Cloud) as soon as there is an internet connection.

The ETH0/LAN interface is configured with an IP of 192.168.2.1 and a netmask of 255.255.255.0.

Important: Once the rCell 300 has been powered up and is in Commissioning Mode, its Web UI can be accessed directly through the LAN interface at 192.168.2.1. The LAN interface has a DHCP server running on it to provide addresses in the range of 192.168.2.100 - 192.168.2.254, netmask 255.255.255.0.

Before proceeding, an Administrative User must be configured.

Configure the Administrative User

Perform the following procedure to create and configure the Administrative user:

Note: MultiTech recommends using Firefox.
  1. Open a browser and enter the default IP address, 192.168.2.1, in the URL field. Most browsers display a warning that the connection is unsafe because the device uses a self-signed certificate:
    • For Edge, click Advanced and then Continue to 192.168.2.1.
    • For Firefox, click Advanced and then click Accept the Risk and Continue.
    • For Chrome, click Advanced and then Continue to 192.168.2.1 (unsafe).
  2. Enter a username for the Administrative User. Click OK. Follow the on-screen instructions for usernames.
  3. Enter a password and click OK. Follow the on-screen instructions for a secure password.
  4. Enter the password again to confirm. Click OK.
  5. Log into the rCell 300 using the new username and password.

The First-Time Setup Wizard will then launch.
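
Because the certificate in step 1 is self-signed, the browser warning looks the same on every visit. One way to tell whether the device still presents the certificate seen at commissioning is to record its fingerprint then and compare on later connections. The sketch below is an added example, not MultiTech code. It assumes the Web UI listens on port 443, uses a hypothetical pin file and device label (`unit-0001`), and exercises the logic with constructed stand-in certificates so it runs offline.

```python
"""Trust-on-first-use check for the router's self-signed Web UI certificate."""
import hashlib
import hmac
import json
import ssl
from pathlib import Path

PORT = 443  # assumption: Web UI on the standard HTTPS port (not stated in this guide)


def fingerprint_from_pem(pem: str) -> str:
    """SHA-256 over the DER encoding: the value browsers show as the fingerprint."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def fetch_fingerprint(host: str = "192.168.2.1", port: int = PORT) -> str:
    """Read the certificate the device presents; the chain is not validated."""
    return fingerprint_from_pem(ssl.get_server_certificate((host, port)))


def load_pins(path) -> dict:
    p = Path(path)
    return json.loads(p.read_text()) if p.exists() else {}


def save_pins(path, pins: dict) -> None:
    Path(path).write_text(json.dumps(pins, indent=2, sort_keys=True))


def check_pin(pins: dict, device_id: str, observed: str) -> str:
    """Return 'pinned' on first contact, 'match' if unchanged, else 'mismatch'.

    Key pins by a per-unit label (for example the serial label), not by IP:
    every unit answers on the same default address, 192.168.2.1.
    A mismatch never overwrites the stored pin.
    """
    known = pins.get(device_id)
    if known is None:
        pins[device_id] = observed
        return "pinned"
    return "match" if hmac.compare_digest(known, observed) else "mismatch"


# Constructed stand-ins for two different certificates (not real X.509 data);
# PEM framing is all fingerprint_from_pem() needs.
PEM_AT_COMMISSIONING = ssl.DER_cert_to_PEM_cert(b"constructed certificate A")
PEM_SEEN_LATER = ssl.DER_cert_to_PEM_cert(b"constructed certificate B")


def demo(pin_file) -> list:
    """Commissioning visit, an unchanged revisit, then a changed certificate."""
    results = []
    for pem in (PEM_AT_COMMISSIONING, PEM_AT_COMMISSIONING, PEM_SEEN_LATER):
        pins = load_pins(pin_file)
        results.append(check_pin(pins, "unit-0001", fingerprint_from_pem(pem)))
        save_pins(pin_file, pins)
    return results


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        print(demo(Path(d) / "pins.json"))
```

Against a live device, pass the result of `fetch_fingerprint()` to `check_pin()` in place of the constructed PEM values.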

First Time Setup Wizard

Once commissioning is complete, the First Time Setup Wizard launches, which enables users to configure:
  • Operating mode (e.g., Network Router, Cellular IP Passthrough)
  • System date and time
  • Cellular connectivity

Select Mode

An rCell 300 can be configured to operate in the following modes:

  • Network Router
  • Cellular IP Passthrough


From the pull-down list, select the desired Mode in which the rCell 300 is to operate.

Note: If a SIM card has not been installed, Cellular IP Passthrough will be the only mode available.

Click Next.

Time Configuration

Configure Date & Time and Time Zone to reflect the rCell 300's location.



Important: When configuring the rCell 300 for Cellular IP Passthrough operation, the system does not have an internet connection. Therefore, the automatic synchronization of system time is not supported.

Click Next.

Note: If the rCell 300 is not equipped with a radio modem (i.e., it does not support Cellular operation), no further configuration is required. Click Finish to complete the initial configuration and exit the First Time Setup Wizard.

Cellular Configuration

Available options for cellular configuration depend upon whether a SIM card has been installed in the rCell 300.

SIM Card Has Been Installed

When a SIM card has been installed into the rCell 300, the system enables users to set a PIN code and Access Point Name (APN) for the installed SIM card.



Note: By default, the system will only detect a SIM card that has been installed into the SIM1 slot. Users must install a SIM card into the SIM1 slot, otherwise the system will not see the SIM card. When installing a SIM card into the SIM2 slot, users must manually enable and configure the SIM2 slot separately when configuring mPower.

The system will create a corresponding provider profile and SIM profile that are linked to the installed SIM card.

If required, enter appropriate values for the PIN and/or APN and then click Finish to complete the initial configuration of the rCell 300 and exit the First Time Setup Wizard.

SIM Card Has Not Been Installed

If no SIM card has been installed, an error message similar to that shown here is displayed.



When there is no SIM card installed, the rCell 300 will only support Cellular IP Passthrough operation. Refer to Cellular IP Passthrough Mode for configuration information.

Network Router Mode

Home Menu

The Home menu comprises the following tabs:

  • Dashboard
  • Services
  • Statistics

Dashboard Tab

The Dashboard tab provides a brief overview of the system state and configuration.



Services Tab

The Service Statistics tab lists the available services and their respective status.



Statistics Tab

The System Statistics tab provides the following system information:

  • System details, memory and storage usage, system log
  • Ethernet interfaces statistics and logs
  • Wi-Fi as WAN statistics and logs
  • Wi-Fi Access Point statistics and logs
  • Cellular statistics and logs
  • Serial statistics and logs
  • GRE tunnels statistics and logs
  • IPSec tunnels statistics and logs
  • OpenVPN tunnels statistics and logs


Setup Menu

The Setup menu provides access to the following configuration settings:

  • Network Interfaces
  • WAN
  • DNS
  • DHCP
  • LLDP
  • GPS
  • SMTP
  • Serial
  • SNMP
  • Time
  • Digital I/O

Network Interfaces

A typical Network Interfaces configuration page is illustrated here:
Note: By default:
  • eth0 is configured as LAN
  • eth1 is configured as DHCP Client


Configure eth0

To update the eth0 interface configuration, select the corresponding pencil icon in the OPTIONS column.

Note: By default, the eth0 interface is configured under the bridge interface, br0.


The eth0 interface can be removed from the bridge interface and configured independently by updating the Bridge field:



eth0 Configuration Parameters
Parameter | Valid Values | Description
Direction | LAN, WAN, VLAN | WAN: Requires user-configured values for Gateway and Primary DNS Server to function effectively. VLAN: Indicates a VLAN interface associated with the eth0 interface.
Bridge | br0 | br0: eth0 is under the bridge. –: eth0 is independent of the bridge.
Enable IPv6 Support | Enabled, Disabled | Enable IPv6 on the interface allowing delegated prefix or static IPv6 address settings.

IPv4 Settings

Parameter | Valid Values | Description
Mode | Static, DHCP Client | Configures how the IP address for the rCell 300 will be defined. Select Static for static IP and Mask settings. Select DHCP Client for obtaining address information via DHCP.
Gateway | | Default Route Gateway
IP Address | | Static IPv4 address to assign to the interface.
Primary DNS Server | | Primary DNS server for the network to which the interface is connected.
Mask | | The network mask for the network to which the interface will be assigned.
Secondary DNS Server | | Secondary DNS server for the network to which the interface is connected.

802.1X Authentication

Parameter | Valid Values | Description
Authentication Method | EAP-PWD, EAP-TLS, EAP-TTLS, EAP-PEAP, None | Defines the authentication method for the rCell 300 on the network connected to the interface.

Configure br0

The bridge (br0) interface has the following configuration options to manage all the LAN interfaces assigned to it:



br0 Configuration Parameters
Parameter | Valid Values | Description
Direction | LAN, WAN, VLAN | WAN: Requires user-configured values for Gateway and Primary DNS Server to function effectively. VLAN: Indicates a VLAN interface associated with the eth0 interface.
Enable IPv6 Support | Enabled, Disabled | Enable IPv6 on the interface allowing delegated prefix or static IPv6 address settings.

IPv4 Settings

Parameter | Valid Values | Description
Mode | Static, DHCP Client | Configures how the IP address for the rCell 300 will be defined. Select Static for static IP and Mask settings. Select DHCP Client for obtaining address information via DHCP.
Gateway | | Default Route Gateway
IP Address | | Static IPv4 address to assign to the interface.
Primary DNS Server | | Primary DNS server for the network to which the interface is connected.
Mask | | The network mask for the network to which the interface will be assigned.
Secondary DNS Server | | Secondary DNS server for the network to which the interface is connected.

Add a VLAN Interface

Create a new VLAN interface, and then configure eth0, eth1, or WLAN1 to use VLAN with the specified VLAN ID.



Typical VLAN interfaces are illustrated here:



To configure an existing Ethernet interface (eth0) to use VLAN, select VLAN from the Direction pull-down list as shown here:



WAN

A typical WAN Configuration page is illustrated here:

Note: All WAN interfaces on the device should be configured for FAILOVER Mode.


Each WAN interface can be configured for Active or Passive failover with a timeout interval to trigger failover to the next prioritized WAN interface.

Hostname must be specified and Mode Type selected (for example: ICMP for ping, TCP for an actual TCP connect attempt) to verify connectivity. The number of failures is controlled by the ICMP Count setting.



DNS

DNS configuration parameters for the rCell 300 are accessed via tabs included in this section as illustrated here:



Global DNS

A typical Global DNS Configuration page is illustrated here:



Global DNS enables user-defined DNS servers to be specified which are always used to resolve hostnames regardless of what WAN settings or interface are being used. If the Primary Server and Secondary Server are not specified, the DNS servers will default to those specified in the WAN Configuration setup.

For example, if cellular is the active WAN interface and the DNS settings are obtained from the provider, enabling this feature overrides the DNS server settings obtained from the provider with the settings that are specified here.

Configuration scenarios for Global DNS and Enable Forwarding Server, and the corresponding results (the device refers to a MultiTech device) include:

  • If Global DNS is not configured and forwarding is enabled, the rCell 300 acts as a proxy server for any devices on the LAN network(s).

    • In this mode, the rCell 300 uses WAN DNS settings.
    • Client Settings: On the client, you must configure the rCell 300 as the default gateway and DNS server. The easiest way to accomplish this is by using the DHCP server on the rCell 300.
  • If Global DNS is configured and forwarding is enabled, DNS requests are forwarded to servers configured in the Global DNS settings.

    • The rCell 300 acts as a proxy.
    • Client settings: Clients must be configured the same as in the previous case above.
  • If Global DNS is configured and forwarding is disabled, the default gateway and DHCP server on clients should point to the rCell 300, and the DNS servers on the client must use the same DNS as the Global DNS settings.

    • Client settings: The client device uses the rCell 300 as a default gateway and DHCP server, but it must have DNS servers configured to the options that will be used.
  • If neither item is configured/enabled, verify the rCell 300 is properly configured to forward DNS.

Configuration Parameters

Global DNS configuration parameters are described below.

Global DNS Configuration

Parameter | Valid Values | Description
Enable Forwarding Server | Enabled, Disabled | When enabled, the forwarding server is active and DNS is not supported.
Primary Server | | IP address for the primary DNS server. These servers override any DNS servers specified elsewhere in the UI. If no servers are configured, the system defaults to servers defined in WAN Configuration.
Secondary Server | | IP address for the secondary DNS server.

Hostname Configuration

Users can change the Hostname of the rCell 300 from its default value to a user-specified value to distinguish it from other rCell 300 devices on the network.

Enter the desired name in the Hostname field and click Submit to save the change.

To revert the name back to its default Hostname, click Reset To Default.

Multicast DNS

The Multicast DNS (mDNS) networking protocol resolves hostnames to IP addresses within small networks that do not include a local name server.

mDNS facilitates device access when Ethernet or Wi-Fi as WAN is enabled. Additionally, certain advanced settings may assist devices connected to the rCell 300 through different network interfaces in resolving each other's IP addresses by hostname.

A typical Multicast DNS configuration screen is illustrated here:



Configuration Parameters

Multicast DNS configuration parameters are described below. After you enable the mDNS feature and select the network interfaces, click Save & Apply to resolve your mPower device's IP address using its hostname to differentiate it from other devices in the same LAN.

General Configuration

By default, mDNS is disabled.

Parameter | Valid Values | Description
Enabled | Disabled, Enabled | Enables/disables Multicast DNS. Default Value: Disabled

Allowed Network Interfaces

This list displays all available network interfaces, but not ppp0 (cellular). mDNS is not supported on the cellular network interface (ppp0). By default, all network interfaces are disabled.

Parameter | Valid Values | Description
eth0 (Ethernet) | Disabled, Enabled | Enables/disables the eth0 (Ethernet) interface. Default Value: Disabled
eth1 (Ethernet) | Disabled, Enabled | Enables/disables the eth1 (Ethernet) interface. Default Value: Disabled
wlan0 (WiFi as WAN) | Disabled, Enabled | Enables/disables the wlan0 (WiFi as WAN) interface. Default Value: Disabled
wlan1 (WiFi Access Point) | Disabled, Enabled | Enables/disables the wlan1 (WiFi Access Point) interface. Default Value: Disabled
br0 (Bridge) | Disabled, Enabled | Enables/disables the br0 (Bridge) interface. Default Value: Disabled

Dynamic DNS

Typical Dynamic DNS configuration settings are illustrated here:



Configuration Parameters

Dynamic DNS configuration parameters are described below.

General Configuration

Refer to the following table for information about each DDNS configuration parameter:

Parameter | Default Value | Valid Values
Enabled | FALSE | True, False
Use External Check IP | TRUE | True, False
Domain | empty | A valid domain name
Check IP Server | checkip.dyndns.org | A valid server name or IP address, max length is 250 characters
Service Provider | |

Authentication

Parameter | Default Value | Valid Values
Username | empty | Max length is 128 characters
Password | empty | The value must be from 6 to 64 characters long

Update Settings

Parameter | Default Value | Valid Values
Force Update Interval (days) | 5 | Range is 1 - 30 days
Check IP Interval (minutes) | 15 | Range is 1 - 14400 minutes (10 days)

Commands

Parameter | Default Value | Value
DDNS Force Update | |
DDNS Status | |

DHCP

The rCell 300 supports the configuration of IPv4 and IPv6 DHCP servers for all network interfaces that are configured as LAN, including new, user-created VLAN interfaces.

DHCP Configuration

A typical DHCP Configuration page is illustrated here:



Add IPv4 DHCP Server

A typical Add IPv4 DHCP Server configuration page is illustrated here:



Add DHCPv6/RA

Typical DHCPv6 Router Advertisement (RA) configuration information is illustrated here:



Edit DHCPv6/RA

Information for an existing DHCPv6/RA configuration is modified on this tab. Typical RA settings are illustrated here:



LLDP

Note: LLDP (Link Layer Discovery Protocol) is supported only on the eth0 interface.

Typical LLDP configuration settings for eth0 are illustrated here:



GPS

rCell 300 IoT Router hardware uses the radio modem to receive GPS data.

The system can be configured with a TCP Server that sends NMEA strings to a client, and/or a TCP/UDP Client that streams NMEA strings to a server application.

To transfer GPS data to a serial port, configure GPS Streamer parameters on the Serial Configuration page.



Once GPS Position data have been updated, the current position is shown on a map as illustrated here:



SMTP

The SMTP client is used to send notifications via email to a configured server.

A typical SMTP configuration page is illustrated here:



Typical SMTP configuration values are illustrated here:

Mail Log Tab

The Mail Log displays:

  • Messages that are queued for sending
  • Deferred messages
  • Sent messages

For example, the Mail Log illustrated here shows two messages have been sent.



To view the details of a message, click on the icon in the OPTIONS column that corresponds with the desired message. A dialog similar to the following will include the message details.



Settings Tab

A typical SMTP Configuration page is illustrated here:



Serial

As illustrated below, rCell 300 is equipped with two serial ports:

  • RS232
  • RS232/485 GPIO


Note: By default, the RS232 port and the RS232/485 port are disabled.




Each serial port may be configured for one of the following modes:

  • Serial-IP
  • Modbus RTU/TCP Gateway
  • GPS Streamer

To configure either serial port, expand the Mode pull-down list and select the desired mode as illustrated here:



Note: Only one port may be configured for Modbus RTU/TCP Gateway at a time.

The system shows a warning message on submit when a user tries to configure a port as Modbus RTU/TCP Gateway while the other port is already configured as Modbus RTU/TCP Gateway.



Note: Only one port may be configured for GPS Streamer at a time.

The system shows a warning message on submit when a user tries to configure a port as GPS Streamer while the other port is already configured as GPS Streamer.



Note: The RS232 and RS232/485 ports may be configured for Serial-IP simultaneously.

Modbus RTU/TCP Gateway

The system allows users to configure one of the serial ports as Modbus RTU/TCP Gateway.

Compared to the previous mPower releases, the Modbus RTU/TCP Gateway feature has not been changed from the user requirements and general functionality standpoint.

A Modbus RTU slave is connected to the serial port, and the Modbus TCP master is remote. When the Modbus Gateway is enabled, its application runs in the system and works as a translator, converting between the Modbus TCP (master) and Modbus RTU (slave) protocols. The Modbus Gateway passes data between an RTU connected to the serial port and a Modbus TCP remote client/server.
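
The translation described above, shown on concrete frames as an added example (not MultiTech's gateway code). It assumes standard Modbus framing: a 7-byte MBAP header on the TCP side, and a slave address plus CRC-16 on the serial side. The request and response bytes are constructed samples.

```python
"""Modbus TCP <-> Modbus RTU frame translation, as a gateway performs it."""
import struct

MBAP = struct.Struct(">HHHB")  # transaction id, protocol id, length, unit id


class FrameError(ValueError):
    """Raised for a frame that must be dropped rather than forwarded."""


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def tcp_to_rtu(adu: bytes):
    """Strip the MBAP header, reuse the unit id as slave address, append the CRC.

    Returns (transaction_id, rtu_frame); the transaction id is kept so the
    serial reply can be matched to the TCP request it answers.
    """
    if len(adu) < MBAP.size + 1:
        raise FrameError("short Modbus TCP frame")
    tid, proto, length, unit = MBAP.unpack_from(adu)
    if proto != 0:
        raise FrameError("protocol id is not Modbus")
    if length != len(adu) - 6:  # length counts the unit id plus the PDU
        raise FrameError("MBAP length does not match frame size")
    pdu = adu[MBAP.size:]
    if len(pdu) > 253:
        raise FrameError("PDU exceeds 253 bytes")
    body = bytes([unit]) + pdu
    return tid, body + struct.pack("<H", crc16_modbus(body))  # CRC low byte first


def rtu_to_tcp(frame: bytes, tid: int) -> bytes:
    """Verify and strip the CRC, then rebuild the MBAP header around the PDU."""
    if len(frame) < 4:  # address + function code + 2 CRC bytes
        raise FrameError("short Modbus RTU frame")
    body, (crc,) = frame[:-2], struct.unpack("<H", frame[-2:])
    if crc != crc16_modbus(body):
        raise FrameError("CRC mismatch on serial frame")
    return MBAP.pack(tid, 0, len(body), body[0]) + body[1:]


# Constructed sample: TCP master asks unit 1 for 10 holding registers from address 0.
REQUEST_TCP = bytes.fromhex("000100000006" "01" "030000000a")
# Constructed sample: the RTU slave answers with one register holding 0x002A.
_reply_body = bytes.fromhex("01" "0302002a")
RESPONSE_RTU = _reply_body + struct.pack("<H", crc16_modbus(_reply_body))


def demo() -> dict:
    tid, to_serial = tcp_to_rtu(REQUEST_TCP)
    to_master = rtu_to_tcp(RESPONSE_RTU, tid)
    return {"to_serial": to_serial.hex(), "to_master": to_master.hex()}


if __name__ == "__main__":
    for direction, frame in demo().items():
        print(direction, frame)
```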

An example of the Modbus RTU/TCP Gateway Settings for the server is illustrated here:



An example of the Modbus RTU/TCP Gateway Settings for the client is illustrated here:



GPS Streamer Mode

rCell 300 has two serial ports, and GPS Streamer to a serial port configuration is a part of the Serial Port functionality. The system allows configuring any of the Serial ports as a GPS streamer, but only one Serial port can be configured as a GPS streamer at a time.

Important: GPS Streamer supports data transfer when the baud rate is between 4800 and 115200 bps. If the baud rate is not in this range, the data transfer will not be performed.

The GPS Configuration page allows configuring which NMEA messages must be sent as GPS data, as well as the interval, prefix, and ID. The GPS Configuration page does not have settings for configuring the serial port. However, it has the GPS To Serial Configuration section that refers to the Serial Configuration page.

To configure GPS data transfer to a serial port, on the GPS Configuration page configure the NMEA messages, interval, add prefix and ID if required, and then go to the Serial Configuration page to configure a serial port as a GPS Streamer.

An example of the GPS Streamer Configuration for the server is illustrated here:



Logging

Serial-IP

The system uses a separate file /var/log/messages/ser-cli.log for logging Serial-IP events.

RS232 and RS232/485 serial ports can be configured and operate as Serial-IP simultaneously, and logs are added to the same event log file: ser-cli.log. RS232 uses the source “serial0” in the logged messages; RS232/485 uses the source “serial1” in the logs.



Modbus RTU/TCP Gateway

The system uses a separate file to store logs when a serial port is configured as Modbus RTU/TCP Gateway: /var/log/messages/modbus-gateway.log.

GPS Streamer

The mtsgpsstreamer service logs events to /var/log/messages.



Serial Port Statistics

The Serial Port Statistics page provides information regarding data transferred through the serial port (RX/TX), DCD status (if available), and corresponding logs (if available). The information that is shown on the Statistics page is stored in /api/stats/serial.

The Serial Port dropdown allows switching between available Serial Ports to see corresponding statistics and logs.

The system stores the serial port data transfer statistics (RX/TX) when a user reconfigures the serial port and restarts corresponding services.

The system does not preserve the serial port data transfer statistics (RX/TX) over a reboot. When the system reboots, the serial port statistics are reset.

DCD Status is not available for the RS232/485 port, so the DCD Status is hidden on the Serial Port Statistics page when that port is selected.

The Serial Log pane shows the device logs that correspond to the current mode of the selected serial port.



DCD (Data Carrier Detect) Status

Data Carrier Detect (DCD) is a control signal that is present inside an RS-232 serial communications cable and that goes between a computer and another device. The DCD is available in RS-232 serial port only, and is not available in RS232/485 serial port.

DCD Status is available on the Serial Port Statistics page:

  • When RS232/485 is selected, the DCD Status is not shown.
  • When RS232 is selected, the DCD status is available.


The DCD status depends on the serial port/RS232 configuration and status as detailed here:
RS232 Configuration | DCD Status
Disabled | OFF
GPS Streamer Enabled | ON
GPS Streamer Disabled | OFF
Serial-IP Server Mode | OFF until a client connection is established, at which time it turns ON.
Serial-IP Client Mode | No server connection: OFF. Server connection established: DCD Status depends on the specific Connection Activation setting (see the list below).
Modbus RTU/TCP Gateway | ON

Connection Activation settings for Serial-IP Client Mode with a server connection established:
  • ALWAYS ON: DCD Status turns ON immediately.
  • On-Demand: DCD Status remains OFF until the corresponding activation trigger is received, at which time it immediately turns ON.
  • DTR-ASSERT: DCD Status remains OFF until the corresponding activation trigger is received, at which time it immediately turns ON.
  • CR: DCD Status remains OFF until the corresponding activation trigger is received, at which time it immediately turns ON.

When Modbus RTU/TCP Gateway mode is enabled, the system automatically stores the current DCD Status (i.e., ON or OFF). Once the prior value has been stored, DCD Status will always be ON.

When Modbus RTU/TCP Gateway mode becomes disabled or the serial port is configured for another mode, the system restores DCD Status to the status it had prior to enabling Modbus RTU/TCP Gateway.

Configuration examples illustrating this system behavior are provided in the following section, Modbus RTU/TCP Gateway Configuration Examples.

Modbus RTU/TCP Gateway Configuration Examples

Configuration examples illustrating system behavior when the Serial Port is configured as Modbus RTU/TCP Gateway are provided below.

Example 1

  • Initial conditions:
    • Serial Port: Disabled
    • DCD Status: OFF
  • Enable Modbus RTU/TCP Gateway.
    • Select SubmitSaveApply to apply changes.
  • DCD Status toggles to ON.
  • Disable Modbus RTU/TCP Gateway.
    • Select SubmitSaveApply to apply changes.
  • DCD Status toggles to OFF.

Example 2

  • Initial conditions:
    • Serial Port: GPS Streamer
    • DCD Status: ON
  • Enable Modbus RTU/TCP Gateway.
    • Select SubmitSaveApply to apply changes.
  • DCD Status remains ON.
  • Disable Modbus RTU/TCP Gateway.
    • Select SubmitSaveApply to apply changes.
  • DCD Status toggles to OFF.

Example 3

  • Initial conditions:
    • Serial Port: Serial-IP Server
    • Client connection has been established.
    • DCD Status: ON
  • Change Serial-IP mode to Modbus RTU/TCP Gateway.
    • Select SubmitSaveApply to apply changes.
  • DCD Status remains ON.
  • Disable Modbus RTU/TCP Gateway.
    • Select SubmitSaveApply to apply changes.
  • DCD Status momentarily remains ON before toggling OFF.

SNMP

A typical SNMP Configuration page is illustrated here:



The following MIB information is compatible with RFC1213 for the rCell 300:
Note: By default, the values for sysContact, sysName, and sysLocation are empty. However, they may be configured by populating the Contact, Name, and Location fields (respectively) on the SNMP Configuration page.
MIB Parameter OID OID Description Comments
sysDescr 1.3.6.1.2.1.1.1 A textual description of the entity. This value should include the full name and version identification of the system's hardware type, software operating-system, and networking software. It is mandatory that this only contain printable ASCII characters.

The system returns the following information:

  • Product ID
  • Serial Number
  • mPower Firmware Release
  • vendor ID
sysObjectID 1.3.6.1.2.1.1.2 The vendor's authoritative identification of the network management subsystem contained in the entity. This value is allocated within the SMI enterprises subtree (1.3.6.1.4.1) and provides an easy and unambiguous means for identifying the type of box being managed. For example, if vendor "Flintstones, Inc." is assigned the subtree 1.3.6.1.4.1.4242, it could assign the identifier 1.3.6.1.4.1.4242.1.1 to "Fred Router".

The sysObjectID is

1.3.6.1.4.1.995.16.1.1.1

sysUpTime 1.3.6.1.2.1.1.3 The time (in hundredths of a second) since the network management portion of the system was last re-initialized. The uptime of the snmp service.
sysContact 1.3.6.1.2.1.1.4 The textual identification of the contact person for this managed node, together with information on how to contact this person.

Empty by default.

Configurable.

sysName 1.3.6.1.2.1.1.5 An administratively-assigned name for this managed node. By convention, this is the node's fully-qualified domain name.

Empty by default.

Configurable.

sysLocation 1.3.6.1.2.1.1.6 The physical location of this node ("telephone closet on 3rd floor").

Empty by default.

Configurable.

sysServices 1.3.6.1.2.1.1.7

A value which indicates the set of services that this entity primarily offers.

The value is a sum which initially has the value zero (0). Then, for each layer, L, in the range 1 - 7, for which a node performs transactions, 2^(L - 1) is added to the sum.

For example, a node which primarily performs routing functions has a value of 2^(3-1), or 4.

In contrast, a node which is a host offering application services has a calculated value of [2^(4-1) + 2^(7-1)], or 72.

Note that in the context of the Internet suite of protocols, values should be calculated accordingly:

  • Layer 1: physical (repeaters)
  • Layer 2: datalink/subnetwork (bridges)
  • Layer 3: internet (IP gateways)
  • Layer 4: end-to-end (IP hosts)
  • Layer 7: applications (mail relays)

For systems including OSI protocols, layers 5 and 6 may also be included.

mPower devices will return 76.

Time

The time synchronization feature sets up device time according to the specified system settings. Two different options are used to get the correct time:

  • NTP Synchronization
  • Cellular Synchronization
Note: When using the Cellular Synchronization exclusively, verify that the rCell 300 is successfully synchronizing time with the local cellular provider. In some areas cellular networks may not synchronize time correctly on the cellular radio.

A typical Time Configuration page is illustrated here:



Time Configuration Parameters

Settings

Parameter Valid Values Description
Change Date & Time   Manually adjust the date and time to correspond with the geographic location of the rCell 300.
Time Zone   Select the time zone from the pull-down list that corresponds to the geographic location of the rCell 300.
Current Date and Time   Displays the current date and time.
NTP Configuration
Parameter Valid Values Description
Enabled Valid values are:
  • Enabled
  • Disabled
Enables/disables Network Time Protocol (NTP) synchronization.

Default Value: Enabled

Minimal Poll Interval Whole numeric values. Minimum time duration, in minutes, for the rCell 300 to poll the selected time server to synchronize its time.

Default value: 6

Maximum Poll Interval Whole numeric values. Maximum time duration, in minutes, for the rCell 300 to poll the selected time server to synchronize its time.

Default value: 10

Pool Time Server
Server   Select the desired pool time server from the pull-down list.
Custom Servers
Server 1 URL URL of a custom time server to be used for time synchronization by the rCell 300.
Server 2 URL URL of a custom time server to be used for time synchronization by the rCell 300.
Server 3 URL URL of a custom time server to be used for time synchronization by the rCell 300.
Server 4 URL URL of a custom time server to be used for time synchronization by the rCell 300.
Cellular Time
Parameter Valid Values Description
Enabled Valid values are:
  • Enabled
  • Disabled
Enables/disables cellular time synchronization.

Default Value: Disabled

Polling Time Valid values are:
  • 5 minutes (minimum value)
  • 1440 minutes (maximum value)
Time duration, in minutes, for the rCell 300 to poll the cellular network to synchronize its time.

Default value: 120

Digital I/O

The system allows users to configure and control digital input and output pin states directly from the Web UI, API, and via SMS commands.



Digital I/O allows users to:

  • Observe the actual state of the Input and Output pins in the STATE column.
  • Set a user-friendly name for the Input and Output pins. This name may include alphanumeric characters only and has a maximum length of 10 characters.
  • Change the mode of the output pin from Web UI.

By default, the mode is LEVEL, which means that the output pin stays at the same voltage level: LOW or HIGH. Select Set High or Set Low to change the current state.

The system allows configuring the output pin mode in the PULSE mode. In this mode, the system changes the current voltage level to another level (Active Level) for a user-configurable period of time (Duration (ms)) before returning to its original level.

  • Valid values for Active Level are:
    • LOW
    • HIGH
  • Duration (ms) is an integer value. Valid values are:
    • 1 (minimum)
    • 86400000 (maximum corresponding to 24 hours)


SMS Configuration and Commands

The following SMS commands are supported:

  • #getio di0|do0
  • #setio do0 [<value>]


#getio di0|do0

When the system receives the SMS command, it sends back the current state of the digital input (di0) or digital output (do0).

SMS Command | Custom PIN Name | SMS Response
#getio di0 | Not set | The state of the digital output is HIGH. YYYY-MM-DD HH:MM
#getio di0 | OUTPUTNAME | The state of the digital output ‘OUTPUTNAME’ is HIGH. YYYY-MM-DD HH:MM
#getio do0 | Not set | The state of the digital input is LOW. YYYY-MM-DD HH:MM
#getio do0 | INPUT0NAME | The state of the digital input 'INPUT0NAME' is LOW. YYYY-MM-DD HH:MM

#setio do0 [<value>]

The system allows users to change the current state of the output pin by sending a corresponding SMS command.

Level Mode

If the mode is LEVEL, add the value “0” to set the voltage level to LOW and “1” to set the voltage level to HIGH. If you do not add a value, the system will set the voltage to LOW.

Examples of SMS Command when the output pin mode is LEVEL:

Mode | SMS Command | SMS Response
LEVEL | #setio do0 0 | The state of the digital output 'OUTPUTNAME' has been changed to LOW. YYYY-MM-DD HH:MM
LEVEL | #setio do0 1 | The state of the digital output 'OUTPUTNAME' has been changed to HIGH. YYYY-MM-DD HH:MM
LEVEL | #setio do0 | The state of the digital output 'OUTPUTNAME' has been changed to LOW. YYYY-MM-DD HH:MM

Pulse Mode

If the mode is PULSE, the received SMS command causes the system to change the state of the digital output based on the Pulse mode configuration. If you do not add a value parameter, the system uses the duration configured in the system. To specify a custom duration for the pulse signal, add an integer value in ms to the SMS command. For example, the command #setio do0 15000 will send a signal to change the digital output state for 15 seconds.



Mode | SMS Command | SMS Response
PULSE | #setio do0 | A signal to change the state of the digital output 'OUTPUTNAME' to HIGH for 10000ms (PULSE mode) has been sent. YYYY-MM-DD HH:MM
PULSE | #setio do0 15000 | A signal to change the state of the digital output 'OUTPUTNAME' to HIGH for 15000ms (PULSE mode) has been sent. YYYY-MM-DD HH:MM

Cellular Menu

Cellular features such as Cellular connection, cellular diagnostics, and SMS related functionality are configured within this menu.

The rCell 300 is equipped with two SIM slots and supports DUAL SIM functionality.

The following cellular profiles are supported by the rCell 300:

  • Provider Profiles
  • SIM Profiles

Cellular Configuration

The Cellular Configuration page:
  • Enables/disables cellular operation
  • Enables/disables Dual SIM operation
  • Configures Connection Monitoring parameters
  • Configures Connection Recovery parameters.
The Cellular Configuration page is illustrated here:


Cellular Configuration Tab

The Cellular Configuration tab includes settings that users must manage in order for their Cellular Connection to work.

General Configuration

The following General Configuration settings are configured in this area:

  • Cellular operation is enabled/disabled.
  • If the SIM is locked, the PIN must be configured for it.
  • If the customer has a custom APN or is using an MVNO, they may be required to manually configure the APN.
  • Dual SIM functionality is enabled/disabled.
Connection Monitoring

Connection Monitoring settings are configured in this area:

  • Max Connection Failures – This setting, when enabled, tracks connection attempts up to the configured maximum before additional connection recovery activities begin.
  • Keep Alive – This is essentially a Ping keep-alive to verify that the data connection is still established and data can be transmitted and received.
  • Data Receive Monitor – This is a passive monitor. If the device has not received any packets over the Cellular connection in the configured window it will trigger connection re-establishment activities.
  • Network Registration Timeout – If enabled, and the radio is unable to register with the Cellular network in the timeout specified, the Cellular recovery procedures are triggered.
  • Roaming Network Timeout – If enabled and the radio is connected while roaming, it attempts to reconnect to its home network per the timeout setting.
  • Signal Quality Timeout – If the RSSI remains below the specified dBm for the timeout period, the recovery procedures are started in order to attempt to find better signal.
Connection Recovery

Connection Recovery settings are enabled/disabled in this area:

  • Data Connection Reset – If it is determined that the data connection is not passing traffic the connection will be re-established.
  • SIM Switchover – This enables failover to the other SIM during connection recovery after a certain number of attempts or after a certain time has elapsed since the last successful data connection.
  • Radio Reboot – If this is enabled, after all back-off timers have been exercised, and if the data connection has not been re-established successfully during that time, the radio is rebooted.
  • Service Reset – Per algorithm, the entire set of processes, counters, etc., will be restarted at a point if Cellular data connectivity cannot be re-established.


Cellular Profiles Tab

The system supports the configuration of Cellular Provider Profiles and SIM profiles.

The system applies a corresponding Provider Profile and SIM profile based on the settings configured by users.

Default Cellular Profile configuration settings are illustrated here:



Provider profiles support the configuration of Cellular Management settings such as private network APNs, specific settings for different types of SIMs, etc. These profiles make it possible to customize, on a per-provider basis, configuration values that are not defaults or are not supported through default behavior.

Add Provider Profile Tab

To create a new Provider Profile, select + Add Provider Profile on the Cellular Profiles tab.

The Add Provider Profile tab is then displayed allowing users to configure the new provider profile.



Edit SIM Group

When you update the SIM groups for a profile, each group you add acts as a filter that matches only the SIM profiles to be used with the provider profile for which you are defining groups. A profile can have multiple groups, that is, multiple filters that match different groups of SIMs.

Add SIM Profile Tab

When adding a new provider profile, it is possible to create a SIM group that will be used with that provider profile.

To create a new SIM Profile, select + Add SIM Profile on the Cellular Profiles tab.

The Add SIM Profile tab is then displayed allowing users to configure the new SIM profile.



Diagnostics

Cellular Diagnostics includes the following tabs:

  • Radio Status
  • Diagnostics
  • Cell Radio Firmware Upgrade

Radio Status Tab

Typical Radio Status information is illustrated here:



Diagnostics Tab

The Diagnostics tab includes:

  • The Radio Terminal in which users can execute AT commands
  • Radio Diagnostics feature which allows users to download cellular related logs and details
  • Reset Options which allow the modem to be reset

A typical Diagnostics tab is illustrated here:



Cell Radio Firmware Upgrade Tab

The system allows users to perform a cellular radio firmware upgrade.

A typical Cell Radio Firmware Upgrade tab is illustrated here:



SMS

A typical SMS Configuration page is illustrated here:



Configuration Tab

A typical SMS Configuration tab is illustrated here:



SMS Configuration Parameters

SMS configuration parameters are described in the following sections.

SMS Settings
Parameter Description
Enabled Enables the SMS utilities required to send SMS via API and the Web Management interface.
Sent SMS to Keep The total number of sent SMS messages to keep in the rCell 300's history.
Resend Failed SMS The total number of resend attempts for SMS messages that fail to be sent.
Received SMS to Keep The total number of received SMS messages to keep in the rCell 300's history.
SMS Commands

The available SMS Commands for the rCell 300 are displayed in this section. Review the table for detailed information about each command. The following applies to all commands:

  1. Commands are disabled by default.
  2. Arguments are required to be in the order listed.

    For example: #ping [<interface>] [<count>] <address>

  3. Arguments in angle brackets < > are required.

    For example: <address>

  4. Arguments within square brackets [ ] are optional.

    For example: [<count>]

SMS Command Description
#reboot Reboot the rCell 300.
#checkin Check in to DeviceHQ
#rm <enable | disable> [<AccountKey>] Enable or disable remote management using DeviceHQ.
Note: When enabling remote management, if an AccountKey has not been previously configured, it must be included when issuing this SMS command.
#setcellular <enable | disable> [<APN>] Enable or disable Cellular.

To configure the APN value, include it when issuing this command.

#ping [<interface>] [<count>] <address> Ping a specified IP address or hostname using the following attributes:
  • <interface>: the gateway interface through which the Ping request will be issued.

    Supported gateways are:

    • cellular
    • wi-fi
    • ethernet

    If no interface is specified, the default gateway interface is used.

  • <count>: the number of times to send a Ping request.
    The range of valid values is:
    • Minimum: 1
    • Maximum: 20
    • Default: 4
  • <address>: the IP address or hostname to be Pinged.
#app <start | stop | restart> <app id | app name> Starts, stops, or restarts a custom application identified by its app id or app name that has been installed on the rCell 300.
#setio do0 [<value>]  
#getio <di0 | do0>  
#serial Retrieve the following serial information:
  • Mode

    Valid values are:

    • Server
    • Client
  • RX bytes
  • TX bytes
  • DCD Status
  • Protocol
  • Port (Server mode only)
  • Server IP Address (Client mode only)
  • Server Port (Client mode only)
#apn Retrieve the APN string.
#cellular Retrieve the cellular connection status.
#radio Retrieve the radio status.
#ethernet Retrieve the Ethernet interface configuration.
#wan Retrieve the actual WAN transport and WAN priority configuration.
#wifi Retrieve the following Wi-Fi information:
  • Date and time

    Format: YYYY-MM-DD HH:MM

  • Mode
    Valid values are:
    • WAN
    • Access Point
  • MAC address
  • Status (WAN mode only)
  • SSID
  • Security settings (Access Point mode only)
    Valid values are:
    • None
    • WPA
    • WPA2-PSK
    • WPA/WPA2-PSK
#wanips Retrieve the IPv4 and IPv6 addresses that are currently assigned to existing WAN network interfaces.
#geoposition Retrieve the following GPS information:
  • latitude
  • longitude
Note: This command is supported only by devices with a GPS module that is acquiring a sufficient GPS signal.
Security Filters

Security filters involve enabling a security filter password and whitelisting phone numbers to control SMS command execution and ensure only authorized users can execute SMS commands, enhancing system security. The key steps involved are:

  1. Enable Security Filter Password and Whitelist Phone Number: This ensures that only authorized devices can send commands.
  2. Use of Whitelisted Cellphones:
    • Send messages with a password: For example, p <password> #ping xxx.xxx.xxx.xxx.
    • Verify the cellphone receives the status of the ping via an SMS message.
    • Messages sent without a password result in the command being ignored.
  3. Use of Non-Whitelisted Cellphones:
    • Messages sent with or without a password result in the command being ignored by the device.
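
The filter decision above, together with the argument rules for #ping and #setio given in the SMS Commands table and the Digital I/O section, modeled as an added example (this is not MultiTech firmware code). The function names, the whitelist and password values, the enabled-command set, the 10000 ms configured pulse and the address character check are assumptions made for illustration.

```python
import hmac
import re

# Constructed sample settings (assumptions); real values are set on the device.
WHITELIST = {"+15555550100"}
FILTER_PASSWORD = "example-password"
ENABLED_COMMANDS = {"#ping", "#setio", "#getio"}  # commands are disabled by default
PING_INTERFACES = {"cellular", "wi-fi", "ethernet"}
MAX_PULSE_MS = 86_400_000  # documented maximum Duration (ms), 24 hours


def is_uint(text):
    """True for a plain ASCII decimal integer, with no sign or whitespace."""
    return text.isascii() and text.isdigit()


def authorize(sender, body):
    """Return the command text if sender and password both pass, else None."""
    if sender not in WHITELIST:
        return None  # non-whitelisted: ignored with or without a password
    match = re.fullmatch(r"p\s+(\S+)\s+(#.+)", body.strip())
    if match is None:
        return None  # whitelisted, but no "p <password>" prefix: ignored
    supplied, command = match.groups()
    # Constant-time comparison, so timing does not reveal how much matched.
    if not hmac.compare_digest(supplied.encode(), FILTER_PASSWORD.encode()):
        return None
    return command


def parse_ping(args):
    """#ping [<interface>] [<count>] <address>, arguments in the order listed."""
    if not args:
        raise ValueError("<address> is required")
    *optional, address = args
    interface, count = None, 4  # documented default count
    if optional and optional[0] in PING_INTERFACES:
        interface = optional.pop(0)
    if optional and is_uint(optional[0]):
        count = int(optional.pop(0))
    if optional:
        raise ValueError("unexpected or misordered arguments")
    if not 1 <= count <= 20:
        raise ValueError("<count> must be 1..20")
    # Allow only hostname / IP literal characters in the address.
    if not re.fullmatch(r"[A-Za-z0-9.:-]{1,253}", address):
        raise ValueError("invalid <address>")
    return {"interface": interface, "count": count, "address": address}


def parse_setio(args, mode, configured_ms=10000):
    """#setio do0 [<value>]; the meaning of <value> depends on the pin mode."""
    if not args or args[0] != "do0" or len(args) > 2:
        raise ValueError("usage: #setio do0 [<value>]")
    value = args[1] if len(args) == 2 else None
    if value is not None and not is_uint(value):
        raise ValueError("<value> must be an integer")
    if mode == "LEVEL":
        if value not in (None, "0", "1"):
            raise ValueError("LEVEL mode accepts 0 or 1")
        return ("LEVEL", "HIGH" if value == "1" else "LOW")  # no value: LOW
    duration = configured_ms if value is None else int(value)
    if not 1 <= duration <= MAX_PULSE_MS:
        raise ValueError("pulse duration out of range")
    return ("PULSE", duration)


def handle_sms(sender, body, mode="LEVEL"):
    """Return the parsed action, or None when the message is ignored."""
    command = authorize(sender, body)
    if command is None:
        return None
    name, *args = command.split()
    if name not in ENABLED_COMMANDS:
        return None
    try:
        if name == "#ping":
            return ("ping", parse_ping(args))
        if name == "#setio":
            return ("setio", parse_setio(args, mode))
    except ValueError:
        return None
    return (name.lstrip("#"), args)
```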

Send/Received SMS Tab

A typical Send/Received SMS tab is illustrated here:



Wireless Menu

The rCell 300 may be configured to operate:
  • As a Wi-Fi Access Point
  • As a Wi-Fi as WAN client
  • Concurrently as a Wi-Fi Access Point and Wi-Fi as WAN client
    Note: The rCell 300's Wi-Fi module cannot use different bands or channels for its two functional parts. Therefore, the access point's frequency and channel settings will be the same as the Wi-Fi WAN network's.
Wi-Fi 6 is supported by the rCell 300. The Security Options support the WPA3-SAE authentication method.
Note: rCell 300 does not support Dual Homing.

Wi-Fi Configuration

A typical Wi-Fi Configuration page is illustrated here:



Wi-Fi Access Point Tab

rCell 300 can support up to 16 clients connected to the Wi-Fi Access Point.

Supported regions are limited to USA and Canada.

A typical Wi-Fi Access Point configuration page is illustrated here:



Wi-Fi Access Point Configuration Parameters

Wireless Configuration

Parameter Valid Values Description
Enabled Valid values are:
  • Enabled
  • Disabled
Enables/disables Wi-Fi Access Point mode.
Network Name (SSID)   The user-specified name for the wi-fi network.
Region   The region in which the rCell 300 is operating.
Note: When operating in concurrent mode (i.e., both Wi-Fi Access Point and Wi-Fi as WAN are enabled,) this parameter will be hidden. The rCell 300 will use Wi-Fi as WAN configuration information.
Network Band Valid values are:
  • 2.4 GHz
  • 5 GHz
The radio frequency over which the rCell 300 will communicate.
Note: When operating in concurrent mode (i.e., both Wi-Fi Access Point and Wi-Fi as WAN are enabled,) this parameter will be hidden. The rCell 300 will use Wi-Fi as WAN configuration information.
Network Mode  
Note: When operating in concurrent mode (i.e., both Wi-Fi Access Point and Wi-Fi as WAN are enabled,) this parameter will be hidden. The rCell 300 will use Wi-Fi as WAN configuration information.
Channel   The wi-fi channel over which the rCell 300 will communicate.
Note: When operating in concurrent mode (i.e., both Wi-Fi Access Point and Wi-Fi as WAN are enabled,) this parameter will be hidden. The rCell 300 will use Wi-Fi as WAN configuration information.
Width (MHz)  
Note: When operating in concurrent mode (i.e., both Wi-Fi Access Point and Wi-Fi as WAN are enabled,) this parameter will be hidden. The rCell 300 will use Wi-Fi as WAN configuration information.

Security Options

Parameter Valid Values Description
Mode Valid values are:
  • NONE
  • WPA-PSK
  • WPA/WPA2-PSK
  • WPA2-ENTERPRISE
  • WPA2-PSK
  • WPA2-PSK/WPA3-SAE
  • WPA3-SAE
Note: To configure Wi-Fi Enterprise security, select WPA2-ENTERPRISE. The Radius server that will be responsible for the authentication must also be configured.
WPA Algorithm    

Radius

Parameter Valid Values Description
Host    
Host    
Port    
Port    
Secret    
Secret    

Advanced Settings

To be provided.

Parameter Valid Values Description
     
     
     

Clients

To be provided.

Wi-Fi as WAN Tab

Typical Wi-Fi as WAN configuration values are illustrated here:



Wi-Fi as WAN Configuration Parameters

Configuration

Parameter Valid Value Description
Enabled Valid values are:
  • Enabled
  • Disabled
Enables/disables Wi-Fi as WAN mode.

Saved Wi-Fi Networks

This section provides the following information for each Wi-Fi network that has been saved by the rCell 300:
  • Name
  • SSID
  • Security

Available Wi-Fi Networks

This section provides the following information about all available wi-fi networks detected by the rCell 300:
  • SSID
  • Security
  • Signal

Firewall Menu

The device's firewall enforces a set of rules that determine how incoming and outgoing packets are handled. By default, all outbound traffic originating from the LAN is allowed to pass through the firewall, and all inbound traffic originating from external networks is dropped. This effectively creates a protective barrier between the LAN and all other networks.

The following parameters are configured under the Firewall menu:

  • Settings
  • Trusted IP
  • Static Routes
Note: As a best security practice, the device employs minimum firewall rules by default. This means that the Output Filter Rules are configured to permit all outbound traffic to be transmitted. (Traffic through the device is handled by Port Forwarding Rules.) However, all inbound traffic to the device via WAN interfaces is blocked using Input Filter Rules. Users may create their own specific and targeted input filter rules to allow certain traffic to the device based on their specific needs.

Firewall Rules and Port Forwarding

Firewall Rules and Port Forwarding are implemented using nftables.

To print Firewall Rules in the device console use nft list ruleset.
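
One way to check the default posture described above (inbound traffic dropped unless an input filter rule allows it) against the text printed by nft list ruleset, as an added example that is not MultiTech code. The sample ruleset is constructed; its table, chain, set and interface names are assumptions and do not reproduce the rCell 300's actual rules.

```python
import re

# Constructed sample in `nft list ruleset` syntax. Table, chain and interface
# names are illustrative assumptions, not the rCell 300's actual ruleset.
SAMPLE_RULESET = """\
table inet filter {
    set trusted {
        type ipv4_addr
        elements = { 192.0.2.10, 192.0.2.11 }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        iifname "wwan0" tcp dport 443 accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
"""

# Base-chain declaration line; the policy clause is optional in nftables.
BASE_CHAIN = re.compile(
    r"type (\w+) hook (\w+) priority [^;]+;(?:\s*policy (\w+);)?")

# Accept rules that are part of normal operation and need no review.
BENIGN = (re.compile(r'\biifname "lo"'),
          re.compile(r"\bct state [\w,]*established"))


def parse_chains(text):
    """Return one dict per chain: name, hook, policy and rule lines."""
    chains, table, current, skip = [], None, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if skip:  # inside a set, map or other block that is not audited
            skip += line.endswith("{") - (line == "}")
            continue
        if m := re.fullmatch(r"table (\w+) (\S+) \{", line):
            table = f"{m[1]} {m[2]}"
        elif m := re.fullmatch(r"chain (\S+) \{", line):
            current = {"name": f"{table}/{m[1]}", "hook": None,
                       "policy": None, "rules": []}
            chains.append(current)
        elif line == "}":
            if current is not None:
                current = None  # end of chain
            else:
                table = None    # end of table
        elif current is None:
            skip += line.endswith("{")  # start of a non-chain block
        elif m := BASE_CHAIN.fullmatch(line):
            current["hook"] = m[2]
            current["policy"] = m[3] or "accept"  # nftables default policy
        else:
            current["rules"].append(line)
    return chains


def audit_input(chains):
    """Report input-hook chains that do not drop by default, and the
    accept rules in them that open the device to inbound traffic.
    Chains reached only through jump/goto are not followed."""
    report = {"policy_violations": [], "inbound_allows": []}
    for chain in chains:
        if chain["hook"] != "input":
            continue
        if chain["policy"] != "drop":
            report["policy_violations"].append(chain["name"])
        for rule in chain["rules"]:
            if re.search(r"\baccept\b", rule) and not any(
                    p.search(rule) for p in BENIGN):
                report["inbound_allows"].append((chain["name"], rule))
    return report
```

Each entry in inbound_allows is a rule to compare against the input filter rules you intentionally created.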

Settings

Firewall Rules and Port Forwarding are configured, and their status is reviewed, on the following tabs:

  • Settings
  • Status

Settings Tab

Typical firewall rule configuration settings are illustrated here:



Port Forwarding

The Add Port Forwarding Rule option allows users to create a Port Forwarding rule which comprises two separate firewall rules:

  • A prerouting rule
  • A forward filter rule

As soon as a user selects Add Port Forwarding Rule, the system automatically creates two separate rules.

If changes to the port forwarding rules are required, each of the corresponding rules should be updated individually. Alternatively, the incorrect rules can be deleted and a new port forwarding rule created by selecting the Add Port Forwarding Rule button.

Typical port forwarding configuration settings are illustrated here:



Status Tab

The Firewall Status allows users to review the Firewall rules that are currently being applied within the system.

When a user selects Download, the system creates an archive with a firewall-ruleset.log file.

A typical firewall Status tab is illustrated here:



Trusted IP

Trusted IP is a simplified interface to create nftables rules to allow or block specific IPs, IP ranges, or subnets. This feature allows users to create whitelists (which are allowed or trusted IPs) or black lists (which are blocked or unwanted IPs). You can add, edit, and delete IP addresses as needed.

  • If you select White List as Trusted IP Mode and do not set any IP range, no traffic will be allowed.
  • If you select Black List as Trusted IP Mode and do not set any IP range, all traffic will be allowed.

Typical Trusted IP settings are illustrated here:



Static Routes

Configuring static routes adds persistent routes to remote devices that are automatically recreated when the rCell 300 is rebooted.

A typical Static Route settings page is illustrated here:



Tunnels Menu

Tunneling allows the use of a public network to convey data on behalf of two remote private networks. It is also a way to transform data frames to allow them to pass networks with incompatible address spaces or even incompatible protocols.

The rCell 300 supports the following tunnel mechanisms:

  • GRE Tunnels
  • IPSec Tunnels
  • OpenVPN Tunnels

GRE Tunnels

Generic Routing Encapsulation (GRE) is a tunneling mechanism that uses IP as the transport protocol and can be used for carrying many different passenger protocols.

The tunnels behave as virtual point-to-point links that have two endpoints identified by the tunnel source and tunnel destination addresses at each endpoint. Configuring a GRE tunnel involves creating a tunnel interface, which is a logical interface, then configuring the tunnel endpoints for the tunnel interface.

GRE Configuration Tab

A typical GRE Configuration page is illustrated here:



Add Tunnel Tab

To add a GRE tunnel, navigate to the Add Tunnel tab. Once all parameters have been configured, select Submit.



IPSec Tunnels

The device supports site-to-site VPNs via IPsec tunnels for secure network-to-network communication. Both tunnel endpoints should have static public IP addresses and must be able to agree on the encryption and authentication methods to use.

Setting up an IPsec tunnel is a two-stage negotiation process.

  • The first stage negotiates how the key exchange is protected.
  • The second stage negotiates how the data passing through the tunnel is protected.

For endpoints that do not have public static IP addresses, additional options may help such as NAT Traversal and Aggressive Mode.

By default, based on the encryption method chosen, the device negotiates ISAKMP hash and group policies from a default set of secure algorithms with no known vulnerabilities. This allows flexibility in establishing connections with remote endpoints. There is an ADVANCED mode that provides a way to specify a strict set of algorithms to use per phase, limiting the remote endpoint's negotiation options.

The default Encryption Method is: AES-128.

The default set of DH Group Algorithms is:

  • DH2(1024-bit)
  • DH5(1536-bit)
  • DH14(2048-bit)
  • DH15(3072-bit)
  • DH16(4096-bit)
  • DH17(6144-bit)
  • DH18(8192-bit)
  • DH22(1024-bit)
  • DH23(2048-bit)
  • DH24(2048-bit)

There is the option to add multiple local and remote networks. These additional subnets can provide more complexity, flexibility, efficiency, and redundancy to the VPN. Using multiple networks allows different endpoints in different LAN subnets to securely communicate through the same tunnel. Users do not have to configure an additional tunnel for those subnets saving time and effort.

IPSec Configuration Tab

A typical IPSec Configuration tab is illustrated here:



Add Tunnel Tab

To add an IPSec tunnel, navigate to the Add Tunnel tab. Once all parameters have been configured, select Submit.



Configuration Parameters

Refer to the following table for information about each IPSec configuration parameter.

Parameter Description
IPSec Tunnel
Name Name used to identify the IPsec tunnel in configurations and logs.
Description Optional text to describe the IPsec tunnel. This description shows up in the UI while hovering over the summary of an IPsec tunnel.
IPSec Remote Tunnel Endpoint
Remote WAN IP External IP address of the remote tunnel endpoint. The remote device is typically a router.
Remote Network Route This field is used in conjunction with the Remote Network Mask field and describes the remote endpoint's subnet. This is used to identify packets that are routed over the tunnel to the remote network.
Remote Network Mask This field is used in conjunction with the Remote Network Route field, to describe the remote endpoint's subnet. It identifies packets that are routed over the tunnel to the remote network.
Tunnel Type Internet Key Exchange (IKE) for host-to-host, host-to-subnet, or subnet-to-subnet tunnels. Choose from IKE or IKEv2.
IPsec Tunnel: IKE
Authentication Method Choose between Pre-Shared Key or RSA Signatures. Authentication is performed using secret pre-shared keys and hashing algorithms (such as SHA1 and MD5) or RSA signatures (you provide the CA Certificate, Local RSA Certificate, and Local RSA Private Key in .pem format). If you check Enable UID, then Local ID and Remote ID become available as options.
Pre-Shared Key Authentication is performed using a secret pre-shared key and hashing algorithms on both sides.
Secret Secret key that is known by both endpoints.
Encryption Method IKE encryption algorithm used for the connection (phase 1 - ISAKMP SA). Based on phase 1, a secure set of defaults is used for phase 2 unless the Advanced option is used, in which case all components of both phases 1 and 2 are specified by the user.
RSA Signatures Authentication is performed using digital RSA signatures.
CA Certificate Certificate Authority certificate used to verify the remote endpoint's certificate.
Local RSA Certificate Certificate the local endpoint uses during Phase 1 Authentication.
Local RSA Private Key The private key that the local endpoint uses during Phase 1 Authentication.
Encryption Method1 Choose an Encryption Method from the following list: AES-128, AES-192, AES-256, or ADVANCED. The IKE encryption algorithm is used for the connection (phase 1 - ISAKMP SA). Based on phase 1, a secure set of defaults is used for phase 2 unless the Advanced option is used, in which case all components of both phases 1 and 2 are specified by the user.
Phase 1 Encryption1

If Advanced is selected for Encryption Method, select Phase 1 Encryption from the drop-down: AES-128, AES-192, AES-256, or ANY AES.

Phase 1 Authentication1

If Advanced is selected for Encryption Method, select Phase 1 Authentication from the drop-down: SHA-2, SHA2-256, SHA2-384, SHA2-512, or ANY.

Phase 1 Key Group1

If Advanced is selected for Encryption Method, select the Phase 1 Key Group from the drop-down: DH2 (1024-bit), DH5 (1536-bit), D14 (2048-bit), DH15 (3072-bit), DH16 (4096-bit), DH17 (6144-bit), DH18 (8192-bit), DH22 (1024-bit), DH23 (2048-bit), DH24 (2048-bit), and ANY.

Phase 2 Encryption1

If Advanced is selected for Encryption Method, select Phase 2 Encryption from the drop-drown: AES-128, AES-192, AES-256, ANY AES, or ANY.

Phase 2 Authentication1

If Advanced is selected for Encryption Method, select Phase 2 Authentication from the drop-drown: SHA-2, SHA2-256, SHA2-384, SHA2-512, or ANY.

Phase 2 Key Group1

If Advanced is selected for Encryption Method, select the Phase 2 Key Group from the drop-down: DH2 (1024-bit), DH5 (1536-bit), D14 (2048-bit), DH15 (3072-bit), DH16 (4096-bit), DH17 (6144-bit), DH18 (8192-bit), DH22 (1024-bit), DH23 (2048-bit), DH24 (2048-bit), and ANY.

Enable UID Unique Identifier String to enable the Local ID and Remote ID fields.
Local ID String Identifier for the local security gateway (optional)
Remote ID String Identifier for the remote security gateway (optional)
IPSec Tunnel: Advanced
IKE Lifetime Duration for which the ISAKMP SA exists from successful negotiation to expiration.
Key Life Duration for which the IPsec SA exists from successful negotiation to expiration.
Max Retries Number of retry attempts for establishing the IPsec tunnel. Enter zero for unlimited retries.
Checking Period

Timeout interval in minutes. If Remote WAN IP address is a hostname that can be resolved by DynDNS, the hostname will be resolved at the set interval. Recommended for dynamic IP addresses.

Compression Enable IPComp. This protocol increases the overall communication performance by compressing the datagrams. Compression requires greater CPU processing.
Aggressive Mode Whether to allow a less secure mode that exchanges identification in plain text. This may be used for establishing tunnels where one or more endpoints have a dynamic public IP address. Although this mode is faster to negotiate phase 1, the authentication hash is transmitted unencrypted. An attacker who captures the hash can run an offline dictionary or brute-force attack to recover the PSK.

¹ For mPower 5.3 and higher, deprecated encryption and hash algorithms are not available for creating new tunnels. However, tunnels that were created in 5.2 or lower retain the deprecated settings unless changed. Those deprecated settings include: 3DES, ANY, MD5, and SHA-1.

OpenVPN Tunnels

OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities.

To use OpenVPN, install an OpenVPN application along with an easy-rsa tool and configure OpenVPN on your computer. Then, generate the certificates for the OpenVPN server and client before configuring the device.

To configure OpenVPN client and server on this device the following files are required:

  • CA PEM file or CA certificate (.crt)
  • Diffie Hellman PEM file (.pem)
  • Server Certificate to be used by the device endpoint (.crt)
  • Server/Client Key to be used by the device endpoint (.key)
Note:
  • When you configure OpenVPN server and client, make sure both sides use the same settings and certificates.
  • For mPower 5.3 and higher, some encryption and hash configurations are deprecated and not available for creating new tunnels. Any tunnels created in 5.2 or lower will retain the deprecated settings unless changed.
    • Deprecated settings for hash algorithms include: MD4, MD5, RSA-MD4, RSA-MD5, and SHA-1.
    • Deprecated settings for encryption ciphers include: BF-CBC, CAST5-CBC, DES-CBC, DES-EDE-CBC, DES-EDE3-CBC, DESX-CBC, IDEA-CBC, RC2-40-CBC, RC2-64-CBC, and RC2-CBC.
    • Deprecated setting for Minimum TLS version is 1.1.
  • Some encryption and hash configurations are too weak and NOT supported at all in mPower 5.3 or higher.

These settings do not function when performing an upgrade to mPower 5.3. The system provides a warning message during upgrade and replaces them with Default. The following TLS cipher suites are not supported: TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA and TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA. Also, the following hash algorithms are not supported: DSA, DSA-SHA, DSA-SHA1, DSA-SHA1-old, ECDSA-with-SHA1, RSA-SHA, RSA-SHA1-2, and SHA.
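To audit tunnels carried over from mPower 5.2 against the lists above, the following added example (not MultiTech code) scans OpenVPN directive text for the hash, cipher, TLS version, and TLS cipher suite values this guide names as deprecated or unsupported. It assumes the tunnel configuration is available as standard OpenVPN directives (auth, cipher, ncp-ciphers or data-ciphers, tls-version-min, tls-cipher); the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example, not MultiTech code: flag OpenVPN settings that this guide
# lists as deprecated or unsupported in mPower 5.3 and higher.
# Assumption: the tunnel configuration is available as OpenVPN directive text.

# Lists copied from the guide. "SHA1" is added as the OpenVPN spelling of SHA-1.
DEPRECATED_HASHES="MD4 MD5 RSA-MD4 RSA-MD5 SHA-1 SHA1"
UNSUPPORTED_HASHES="DSA DSA-SHA DSA-SHA1 DSA-SHA1-old ECDSA-with-SHA1 RSA-SHA RSA-SHA1-2 SHA"
DEPRECATED_CIPHERS="BF-CBC CAST5-CBC DES-CBC DES-EDE-CBC DES-EDE3-CBC DESX-CBC IDEA-CBC RC2-40-CBC RC2-64-CBC RC2-CBC"
UNSUPPORTED_TLS_SUITES="TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA"

upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# in_list <name> <space-separated list>: case-insensitive exact match.
in_list() {
    needle=$(upper "$1")
    for item in $2; do
        if [ "$needle" = "$(upper "$item")" ]; then return 0; fi
    done
    return 1
}

# classify <directive> <name>: print a finding if the guide lists the name.
classify() {
    case "$1" in
        auth)
            if in_list "$2" "$UNSUPPORTED_HASHES"; then echo "UNSUPPORTED $1 $2"
            elif in_list "$2" "$DEPRECATED_HASHES"; then echo "DEPRECATED $1 $2"; fi ;;
        cipher|ncp-ciphers|data-ciphers)
            if in_list "$2" "$DEPRECATED_CIPHERS"; then echo "DEPRECATED $1 $2"; fi ;;
        tls-cipher)
            if in_list "$2" "$UNSUPPORTED_TLS_SUITES"; then echo "UNSUPPORTED $1 $2"; fi ;;
        tls-version-min)
            if [ "$2" = "1.1" ]; then echo "DEPRECATED $1 $2"; fi ;;
    esac
    return 0
}

# scan_directives: read configuration lines on stdin, print one finding per line.
scan_directives() {
    while read -r directive value rest || [ -n "$directive" ]; do
        case "$directive" in
            ''|'#'*|';'*)
                continue ;;
            ncp-ciphers|data-ciphers|tls-cipher)
                # Colon-separated lists: split first, restore IFS, then check each entry.
                old_ifs=$IFS; IFS=:; set -f
                set -- $value
                set +f; IFS=$old_ifs
                for name in "$@"; do classify "$directive" "$name"; done ;;
            auth|cipher|tls-version-min)
                classify "$directive" "$value" ;;
        esac
    done
    return 0
}

# audit_ovpn: print findings for the configuration on stdin.
# Returns 0 when nothing was flagged and 1 otherwise.
audit_ovpn() {
    # Strip carriage returns so text pasted from a Windows editor still matches.
    report=$(tr -d '\r' | scan_directives)
    if [ -z "$report" ]; then return 0; fi
    printf '%s\n' "$report"
    return 1
}

# Constructed sample: a tunnel as it might look after being carried over from 5.2.
SAMPLE_CONFIG='dev tun
proto udp
auth SHA1
cipher BF-CBC
tls-version-min 1.1
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA
data-ciphers AES-256-GCM:AES-128-GCM'

# Usage: printf '%s\n' "$SAMPLE_CONFIG" | audit_ovpn
```

A non-zero exit status makes the function usable as a gate in a pre-upgrade check script.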

OpenVPN Configuration Tab

A typical OpenVPN Configuration page is illustrated here:



Add Tunnel Tab

To add an OpenVPN tunnel, navigate to the Add Tunnel tab. Once all parameters have been configured, select Submit.



Configuration 1: OpenVPN Tunnel with TLS Authorization Mode (Device only)

This first configuration establishes the OpenVPN Tunnel connection from a device client to a device server using TLS as Authorization Mode. This involves adding and configuring both OpenVPN Server and Client sides within the device UI.

To add an OpenVPN Server using TLS:

  1. Go to Tunnels > OpenVPN Tunnels > OpenVPN Tunnel Configuration.
  2. Select Add Tunnel.
  3. Enter the Name.
  4. Select the Type as SERVER from the dropdown.
  5. You can also enter an optional Description.
  6. Under OpenVPN Tunnel Configuration, enter the following fields (using TLS as Authorization Mode):
    1. Interface Type as TUN from the dropdown.
    2. Authorization Mode as TLS from the dropdown.
    3. Protocol as UDP.
    4. VPN Subnet.
    5. Port number.
    6. VPN Netmask.
    7. LZO Compression as ADAPTIVE from the dropdown.
    8. Hash Algorithm as DEFAULT.
    9. NCP (Negotiable Crypto Parameters) as DEFAULT.
    10. Min. TLS Version as 1.2.
    11. TLS Cipher Suite as DEFAULT.
    12. Enter the contents of the following files generated from the easy-rsa tool. You can copy and paste this content from the certificate files after opening from a text editor like Notepad (all required):
      • CA PEM (.crt)
      • Diffie Hellman PEM (.pem)
      • Server Certificate PEM (.crt)
      • Server Key PEM (.key)
      Note: Use the same CA PEM certificate and parameters as the server for the OpenVPN clients.
  7. Remote Network Routes create a route from the server network to the client network. This allows the server to get access to the client’s network. In the OpenVPN Tunnel Network Routes, select Add:
    1. Enter the Remote Network Route (should be the client subnet). For example, if the client IP address is 192.168.3.1, enter 192.168.3.0.
    2. Enter the Remote Network Mask (usually 255.255.255.0).
    3. You may enter Gateway (optional).
    4. Select Add.
  8. The system displays your recently-added Push Route with the client subnet (remote network route + mask).
  9. Push Routes create a route from client’s network to the server’s network. This allows clients to get access to the server’s network. Under Push Routes:
    1. Select Client To Client box if you want this optional feature (this establishes a connection between multiple clients that are connected to the server).
    2. In the Push Network Route, select Add.
    3. In the dialog box, enter the Remote Network Route (same address as the server subnet above).
    4. Enter the Remote Network Mask (same as above).
    5. Optional: You may enter Gateway.
    6. Select Add.
      Note: If you use Static Key Authorization Mode, the Push Routes do not work.
  10. The system displays your recently-added Push Route with the client subnet (remote network route + mask).
  11. Select Preview to view the tunnel configuration.
  12. Select Submit.
  13. Select Save and Apply to save your changes.

To add an OpenVPN Client using TLS:

  1. Go to Tunnels > OpenVPN Tunnels > OpenVPN Tunnel Configuration.
  2. Select Add Tunnel.
  3. Enter the Name of the tunnel.
  4. Select the Type as CLIENT from the dropdown.
  5. Optional: Enter a Description.
  6. Under OpenVPN Tunnel Configuration, enter the following fields (using TLS as Authorization Mode):
    1. Interface Type as TUN from the dropdown.
    2. Authorization Mode as TLS from the dropdown.
    3. Protocol as UDP.
    4. Remote Host (server public IP address).
    5. Remote Port number.
    6. LZO Compression as ADAPTIVE from the dropdown.
    7. Hash Algorithm as DEFAULT.
    8. NCP (Negotiable Crypto Parameters) as DEFAULT.
    9. Min. TLS Version as 1.2.
    10. TLS Cipher Suite as DEFAULT.
    11. Enter the contents of the following files generated from the easy-rsa tool. You can copy and paste this content from the certificate files after opening from a text editor like Notepad (all required):
      • CA PEM (.crt)
      • Client Certificate PEM (.crt)
      • Client Key PEM (.key)
  7. If you use TLS as Authorization Mode, you do not need to configure or add Remote Network Routes. The server adds the routes if the server's Push Routes are already configured. If you use Static Key as Authorization Mode, you must add and configure Remote Network Routes.
  8. Select Preview to view the tunnel configuration.
  9. Select Submit.
  10. Select Save and Apply to save your changes.

Now the device client can access the device server subnet. You can ping the IP address of the device server subnet from the client console to test this.

Note: The PC connected to the device does not have access to the device server subnet.

Configuration 2: OpenVPN Tunnel with TLS Authorization Mode (Device and Connected PC)

This second configuration provides access between a device server and its subnet and device client and its subnet. An additional configuration is needed on the device server side. This also allows your PC to connect with the device server and ultimately to the device client through that server.

  1. Configure the device server as shown under how to add an OpenVPN Server using TLS.
  2. Open the device console and go to /var/config/ovpnccd/openVPNServerName. Create the folder if it is not present on the device.
  3. Create a file that has the client certificate name with the following information:
    1. iroute [Client_Subnet] [Mask]
    2. Example: echo "iroute 192.168.3.0 255.255.255.0" > mtrClient1
  4. For each client, you must create a separate file in the folder /var/config/ovpnccd/yourserverName.
    Note: Make the file name the same as the Common Name value used to create the certificate.
  5. Configure device client as shown under how to add an OpenVPN Client.

Once properly configured, you should have a connection between the device server and device client and their subnets. Your PC can also connect with the device server and thus the device client through that server.
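The per-client files from steps 2 to 4, as an added example that is not part of the MultiTech guide: a shell function that writes the iroute file only after checking that the mask is a contiguous netmask, that the subnet has no host bits set, and that the file name cannot escape the ccd folder. The function names and the character set allowed for the Common Name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not MultiTech code. Writes the per-client file described in
# the procedure above: <ccd_dir>/<certificate Common Name> containing one
# "iroute <subnet> <mask>" line.
# Assumes the shell's arithmetic is at least 64-bit, as in bash.

# ip_to_int <a.b.c.d>: print the address as an integer; fail if it is malformed.
# The body runs in a subshell so the IFS change does not leak to the caller.
ip_to_int() (
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;;
    esac
    IFS=.
    set -- $1
    [ "$#" -eq 4 ] || exit 1
    for octet in "$@"; do
        case "$octet" in
            0?*|????*) exit 1 ;;   # no leading zeros (octal ambiguity), max 3 digits
        esac
        [ "$octet" -le 255 ] || exit 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# valid_route <subnet> <mask>: succeed only if the mask is a contiguous,
# non-zero netmask and the subnet has no host bits set.
valid_route() (
    net=$(ip_to_int "$1") || exit 1
    mask=$(ip_to_int "$2") || exit 1
    [ "$mask" -ne 0 ] || exit 1
    inv=$(( ~mask & 4294967295 ))
    [ $(( inv & (inv + 1) )) -eq 0 ] || exit 1   # ones followed by zeros only
    [ $(( net & inv )) -eq 0 ] || exit 1         # 192.168.3.1 with a /24 mask is rejected
)

# write_ccd <ccd_dir> <common_name> <client_subnet> <mask>
write_ccd() (
    ccd_dir=$1 cn=$2 subnet=$3 mask=$4
    # The file name must equal the certificate Common Name. Restricting it to a
    # safe character set (a policy chosen for this example) keeps a crafted
    # name such as "../x" from writing outside the ccd folder.
    case "$cn" in
        ''|.*|*[!A-Za-z0-9._-]*)
            echo "bad common name: $cn" >&2
            exit 1 ;;
    esac
    if ! valid_route "$subnet" "$mask"; then
        echo "bad route: $subnet $mask" >&2
        exit 1
    fi
    mkdir -p "$ccd_dir" || exit 1
    printf 'iroute %s %s\n' "$subnet" "$mask" > "$ccd_dir/$cn"
)

# Usage, with the folder and values from the procedure above:
#   write_ccd /var/config/ovpnccd/openVPNServerName mtrClient1 192.168.3.0 255.255.255.0
```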

Configuration 3: OpenVPN Tunnel with Static Key Authorization Mode (device server and client)

This third configuration establishes the OpenVPN Tunnel connection from a device client to a device server using Static Key as Authorization Mode. This involves adding and configuring both OpenVPN Server and Client sides within the device UI.

When using Static Key, the OpenVPN tunnel is created between only two end-points, the client and server. You cannot connect more than one client to the server in this mode. Remote Network Route must be specified in both configurations, client and server, in order to establish the connection between subnets.

To add an OpenVPN Server using Static Key:

  1. Go to Tunnels > OpenVPN Tunnels > OpenVPN Tunnel Configuration.
  2. Select Add Tunnel.
  3. Enter the Name.
  4. Select the Type as SERVER from the dropdown.
  5. Optional: Enter a Description.
  6. Enter the following fields (using STATIC KEY as Authorization Mode):
    1. Interface Type as TUN from the dropdown.
    2. Authorization Mode as STATIC KEY from the dropdown.
    3. Protocol as UDP.
    4. Local Address as DEFAULT.
    5. Port number.
    6. Remote Address as DEFAULT.
    7. LZO Compression as ADAPTIVE from the dropdown.
    8. Hash Algorithm as DEFAULT.
    9. NCP (Negotiable Crypto Parameters) as DEFAULT.
    10. Generate and enter the Static Key PEM (required). Both server and client must use the same static key. See example below:
      -----BEGIN OpenVPN Static key V1-----
      
      -----END OpenVPN Static key V1-----
  7. Remote Network Routes create a route from the server network to the client network. This allows the server to get access to the client’s network. In the OpenVPN Tunnel Network Routes, select Add:
    1. Enter the Remote Network Route (should be the client subnet). For example, if the client IP address is 192.168.3.1, enter 192.168.3.0.
    2. Enter the Remote Network Mask (usually 255.255.255.0).
    3. Select Add.
  8. The system displays your recently-added Remote Network Route with the client subnet (remote network route + mask).
    Note: Push Routes are not required with Static Key as Authorization Mode.
  9. Select Preview to view the tunnel configuration.
  10. Select Submit.
  11. Select Save and Apply to save your changes.

To add an OpenVPN Client using Static Key:

  1. Go to Tunnels > OpenVPN Tunnels > OpenVPN Tunnel Configuration.
  2. Select Add Tunnel.
  3. Enter the Name.
  4. Select the Type as CLIENT from the dropdown.
  5. Optional: Enter a Description.
  6. Enter the following fields (using STATIC KEY as Authorization Mode):
    1. Interface Type as TUN from the dropdown.
    2. Authorization Mode as STATIC KEY from the dropdown.
    3. Protocol as UDP.
    4. Local Address as DEFAULT.
    5. Remote Host.
    6. Remote Address as DEFAULT.
    7. Remote Port number.
    8. LZO Compression as ADAPTIVE from the dropdown.
    9. Select the NCP (Negotiable Crypto Parameters) as DEFAULT from dropdown.
    10. Select the Hash Algorithm as DEFAULT from dropdown.
    11. Min. TLS Version as 1.2.
    12. TLS Cipher Suite as DEFAULT.
    13. Enter the Static Key PEM (required). Both server and client must use the same static key. See example below:
      -----BEGIN OpenVPN Static key V1-----
      
      -----END OpenVPN Static key V1-----
      
      
  7. Remote Network Routes create a route from the server network to the client network. This allows the server to get access to the client’s network. In the OpenVPN Tunnel Network Routes, select Add:
    1. Enter the Remote Network Route (should be the client subnet). For example, if the client IP address is 192.168.3.1, enter 192.168.3.0.
    2. Enter the Remote Network Mask (usually 255.255.255.0).
    3. Select Add.
  8. The system displays your recently-added Remote Network Route with the client subnet (remote network route + mask).
    Note: Push Routes are not required with Static Key as Authorization Mode.
  9. Select Preview to view the tunnel configuration.
  10. Select Submit.
  11. Select Save and Apply to save your changes.

Configuration 4: OpenVPN Tunnel with Static Key Authorization Mode and TCP

This fourth configuration establishes the OpenVPN Tunnel connection from a device client to a device server using Static Key as Authorization Mode and TCP protocol (instead of UDP for the third configuration). This involves adding and configuring both OpenVPN Server and Client sides within the device UI.

To add an OpenVPN Server using Static Key and TCP:

  1. Go to Tunnels > OpenVPN Tunnels > OpenVPN Tunnel Configuration.
  2. Select Add Tunnel.
  3. Enter the Name.
  4. Select the Type as SERVER from the dropdown.
  5. Optional: Enter a Description.
  6. Enter the following fields (using STATIC KEY as Authorization Mode):
    1. Interface Type as TUN from the dropdown.
    2. Authorization Mode as STATIC KEY from the dropdown.
    3. Protocol as TCP.
    4. Local Address as DEFAULT.
    5. Remote Host.
    6. Remote Address as DEFAULT.
    7. Remote Port number.
    8. Hash Algorithm as RSA-SHA1.
    9. LZO Compression as ADAPTIVE from the dropdown.
    10. NCP (Negotiable Crypto Parameters) as CAMELLIA-256-CBC.
    11. Min. TLS Version as NONE.
    12. TLS Cipher Suite as DEFAULT.
    13. Generate and enter the Static Key PEM (required). Both server and client must use the same static key. See example below:
      -----BEGIN OpenVPN Static key V1-----
      
      -----END OpenVPN Static key V1-----
      
      
  7. Select Next.
  8. Remote Network Routes create a route from the server network to the client network. This allows the server to get access to the client’s network. In the OpenVPN Tunnel Network Routes, select Add:
    1. Enter the Remote Network Route (should be the client subnet). For example, if the client IP address is 192.168.3.1, enter 192.168.3.0.
    2. Enter the Remote Network Mask (usually 255.255.255.0).
    3. Select Add.
  9. The system displays your recently-added Remote Network Route with the client subnet (remote network route + mask).
    Note: Push Routes are not required with Static Key as Authorization Mode.
  10. Select Preview to view the tunnel configuration.
  11. Select Submit.
  12. Select Save and Apply to save your changes.

To add an OpenVPN Client using Static Key and TCP:

  1. Go to Tunnels > OpenVPN Tunnels > OpenVPN Tunnel Configuration.
  2. Select Add Tunnel.
  3. Enter the Name.
  4. Select the Type as CLIENT from the dropdown.
  5. Optional: Enter a Description.
  6. Enter the following fields (using STATIC KEY as Authorization Mode):
    1. Interface Type as TUN from the dropdown.
    2. Authorization Mode as STATIC KEY from the dropdown.
    3. Protocol as TCP.
    4. Local Address as DEFAULT.
    5. Remote Host.
    6. Remote Address as DEFAULT.
    7. Remote Port number.
    8. Hash Algorithm as RSA-SHA1.
    9. LZO Compression as ADAPTIVE from the dropdown.
    10. NCP (Negotiable Crypto Parameters) as CAMELLIA-256-CBC.
    11. Min. TLS Version as NONE.
    12. TLS Cipher Suite as DEFAULT.
    13. Generate and enter the Static Key PEM (required). Both server and client must use the same static key. See example below:
      -----BEGIN OpenVPN Static key V1-----
      
      -----END OpenVPN Static key V1-----
      
      
  7. Select Next.
  8. Remote Network Routes create a route from the server network to the client network. This allows the server to get access to the client’s network. In the OpenVPN Tunnel Network Routes, select Add:
    1. Enter the Remote Network Route (should be the client subnet). For example, if the client IP address is 192.168.3.1, enter 192.168.3.0.
    2. Enter the Remote Network Mask (usually 255.255.255.0).
    3. Select Add.
  9. The system displays your recently-added Remote Network Route with the client subnet (remote network route + mask).
    Note: Push Routes are not required with Static Key as Authorization Mode.
  10. Select Preview to view the tunnel configuration.
  11. Select Submit.
  12. Select Save and Apply to save your changes.

Administration Menu

User Accounts

The Local User Accounts page supports activities to add, remove, and update user accounts on the device including changing passwords.

Note: The Engineer and Monitor roles can only change their own account settings, while the Administrator role can update any account.


SSH Key Management

SSH public keys are managed in this section of the Users page.

Users with an administrator role can view, add, and delete public keys for themselves as well as all other users with the following roles:
  • Engineer
  • Monitor
  • Custom role
Only users with a local administrator role can add a public key for themselves.

Public keys that have been added to a user's account are listed in this section as well.

Add a New Public Key

To create a new public key associated with a user account click Add Public Key as shown here:



Paste the key into the Key field and assign a Title to the key:



Note: The maximum length for a Public Key is 3000 characters.

The system will not allow a public key to be added/created for a user if one has already been added.



View a Public Key

To view a public key, click on the icon associated with the key to be viewed.



Delete a Public Key

To delete a public key, click on the icon associated with the key to be deleted.

Note: When a user account is deleted, all public keys associated with that account are also deleted by the system.

Users Tab

A typical Users tab is illustrated here:



Add User Tab

When adding a user, a User Role must be assigned to that user. By default, the system supports three user roles:

  • Administrator
  • Engineer
  • Monitor

A typical Add User screen is shown here:



When Custom Roles have been added to the system, they will be listed as well, as illustrated here:

Note: For information about creating custom user roles, refer to Add Custom Role.

Password Complexity Rules Tab

Password complexity is managed through the facilities in Linux and PAM. There is a default complexity mode that is configurable. A credit mode, available in Linux distributions, can also be configured to require a minimum credit score for a new password.

A typical Password Complexity Rules tab is illustrated here:



Custom Roles Tab

The Custom Roles tab lists all Custom User Roles that have been added to the system. For example:



Add Custom Role

A typical Add Custom Role tab is illustrated here:



Sample custom User Role settings are illustrated here:

Access Configuration

Access Configuration settings allow users to configure a variety of services on the device such as:

  • The Web Server for the mPower API used by the mPower Web UI
  • Responsiveness to Pings to the device on the LAN and WAN interfaces
  • The SNMP server
  • The Modbus server
  • Enabling and limited configuration of:
    • DoS prevention
    • Ping Limiting
    • Brute Force Prevention to lock out user accounts that exceed the password failure limits
  • SSH Authentication
  • Reverse SSH Tunnel

A typical Access Configuration landing page is illustrated here:



Access Configuration settings are presented on the following tabs:
  • Access Configuration
  • SSH Configuration

The following sections provide detailed information about each parameter used to configure device services.

Access Configuration Tab

The Access Configuration tab allows users to configure access-related properties such as:
  • Web Server information
  • ICMP
  • SNMP
  • Modbus Device Information
  • IP Defense
Web Server Configuration

The rCell 300 only allows secure access to its Web UI. The following parameters configure how HTTP requests are redirected to the rCell 300's secure HTTPS port.

Parameter Description
HTTP Port The port on which the rCell 300 listens for HTTP requests to redirect.
HTTP Redirect to HTTPS When enabled, users accessing the rCell 300 via HTTP are automatically redirected to the secure HTTPS port.
HTTP via LAN When enabled, the rCell 300 listens for and redirects incoming HTTP requests from the LAN to HTTPS.
HTTP via WAN When enabled, the rCell 300 listens for and redirects incoming HTTP requests from the WAN to HTTPS.
HTTPS Port The port on which the rCell 300 listens for HTTPS requests.
HTTPS via WAN When enabled, the rCell 300 listens for and responds to HTTPS requests from the WAN. This increases susceptibility to malicious activity.
Session Timeout (seconds) Amount of time a user's session can remain dormant before automatically being logged out (minutes). Note: Changing this item requires the device to reboot.
HTTPS Security

Configure the HTTPS security settings (like version and cipher suite). Click the Show link to the right under HTTPS Security. To enable the Web server to authenticate the client via the client’s public key certificate, check Client Authentication under the Authentication section.

Note: Enabling Client Authentication can prevent users from accessing the Web UI. When Client Authentication is enabled it is required that a web browser has a valid client certificate that is signed by a CA that the server can verify. The CA certificate needs to be uploaded to the device using the upload feature at Administration > X.509 CA Certificates. Configure TLS version and cipher suites under the TLS Settings section.
Note: For mPower 5.3 and above, deprecated encryption and ciphers are not available for creating new tunnels. However, old tunnels created in 5.2 or lower will retain the deprecated settings unless changed.
Parameter Description
Authentication
Client Authentication Requires web browsers to have a valid client certificate that is signed by a Certifying Authority (CA) that the server can verify. Otherwise, user access to the UI is blocked. NOTE: You must first upload a CA certificate at Administration > X.509 CA Certificates.
TLS Settings
TLSv1.3, TLSv1.2, and/or TLSv1.1 Check the version of the TLS protocol to be used: TLSv1.3, TLSv1.2, and/or TLSv1.1 (Deprecated). Default: TLSv1.3 and TLSv1.2
Cipher Suite Name Check any preferred Cipher Suite from the following: TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-GCM-SHA256, TLS_AES_128_GCM_SHA256, and also including the following deprecated ciphers: ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-SHA, DHE-RSA-AES256-GCM-SHA384, AES256-SHA, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-SHA, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA, and/or AES128-SHA. Default: All. (You can also set the priority order of the ciphers).
ICMP

Internet Control Message Protocol (ICMP) is used by devices to send error messages such as that a requested service is not available or a host or device could not be reached. ICMP can also relay query messages.

Parameter Description
Enabled Enables ICMP responses.
Respond to LAN If checked, the device will respond to ICMP traffic from the LAN, such as ping requests.
Respond to WAN If checked, the device will respond to ICMP traffic from the WAN, such as ping requests. This increases susceptibility to malicious activity.
SNMP

The rCell 300 offers Simple Network Management Protocol (SNMP) which is used for collecting information from, and configuring network devices on an IP network.

Note: For additional information, refer to SNMP.
Parameter Description
Via LAN When enabled, the rCell 300 allows access to the SNMP server via the LAN.
Via WAN When enabled, the rCell 300 allows access to the SNMP server via the WAN.
Modbus Device Information

The Modbus feature allows the user to enable the Modbus query server. You can query this server over Modbus-TCP for status information.

Parameter Description
Enabled Enables the Modbus Query Server.
Via LAN When enabled, the rCell 300 can query the Modbus server via the LAN.
Port Port number configured for Modbus.

For Modbus query information, refer to the MTR Modbus Information page on our Developer Resources website (on .net) for details: http://www.multitech.net/developer/software/mtr-software/mtr-modbus-information/

IP Defense Settings

A set of rules that decreases susceptibility to malicious activity. If these settings are configured too strictly, they may interfere with non-malicious activity.

DoS Prevention

The following parameters configure a set of rules at the firewall that prevents Denial-of-Service attacks by limiting the amount of new connection requests to the device.
Parameter Description
Enabled Enables DoS prevention (disabled by default).
Per Minute Allowed number of new connections per minute until burst points are consumed. For example, if 60 new connections are received in a minute, decrement one burst point. If no more burst points, drop the packet.
Burst Number of burst points allowed for traffic spikes. A burst occurs when the Per Minute limit is reached. In a period where the Per Minute limit is not reached, one burst point is regained, up to the maximum.

Ping Limit

The following parameters define a set of rules at the firewall that prevent ping flood attacks by limiting the number of ICMP requests to the rCell 300. These rules that mitigate the effects of a ping DoS on the rCell 300 do not apply if ICMP is disabled.
Parameter Description
Enabled Enables the Ping Limit feature (enabled by default).
Per Second Allowed number of pings per second before burst points are consumed. Once burst points run out, ICMP packets will be dropped.
Burst Number of burst points. On a period where the Per Second limit is not reached, one burst point is regained, up to this maximum.

Brute Force Protection

This feature tracks login attempts at the RESTful API level. Its purpose is to prevent dictionary attacks that attempt to brute force the user's password. The rCell 300 reboots after applying changes in this section.
Parameter Description
Enabled Enables the Brute Force Prevention feature (enabled by default).
Attempts The number of failed attempts allowed before the user's account is locked out.
Lockout Minutes The number of minutes an account is locked out before a new login attempt will be accepted.

Bootloader Protection

To see or set these features, go to Administration > Access Configuration > Bootloader Protection and click Show.

Bootloader Shell

This feature enables shell access to the bootloader. It is disabled by default. If the rCell 300 is reset to factory defaults, Bootloader Shell Access is disabled.

To allow shell access:
  1. Under Bootloader Shell Access, click Enable.
  2. Confirm the change.
  3. If not making other changes, click Submit.

When enabled, the status shows as Enabled and a Disable button appears. Click Disable to turn off Shell Access and confirm the change. The change is applied immediately.

Bootloader Password

This feature enables password authentication to access the rCell 300 bootloader. The bootloader password is set directly in the bootloader. The password is not removed or disabled when resetting to factory defaults. Once you set up a bootloader password, it stays in the bootloader until you disable it.

It is disabled by default.

Parameter Description
Enabled Enables the Bootloader Password feature to the right of Authentication Status (enabled by default).
Password Enter password to access the rCell 300 bootloader.
Confirm Enter the password again to confirm.

Debug Console

This feature allows the customer to run Silent Mode which turns off the output to the Debug Console. The console output is enabled by default (i.e. Silent Mode is disabled).

When Silent Mode is enabled, Debug Console is turned off. (NOTE: During boot, the device outputs nothing after the notice that the Linux kernel is being decompressed, not even a login prompt.)

Parameter Description
Enable Enables Silent Mode which turns off output to the Debug Console (disabled by default meaning Debug Console output is on).

After making all desired changes, click Submit, then click Save and Apply. (Changes to specific sections may require reboot.)

SSH Configuration Tab

The SSH Configuration tab allows users to configure SSH services on the device such as:

  • SSH Settings
  • Authentication
  • Brute Force Prevention
  • SSH Security
  • Reverse SSH Tunnel

A typical SSH Configuration page is illustrated here:



SSH Settings

Typical SSH configuration settings are illustrated here:



Idle Timeout (seconds)

Idle Timeout is the length of time, in seconds, that an SSH session will remain idle or inactive before the system automatically closes it.

Valid values, in seconds, for Idle Timeout are:

  • 60
  • 3600

The default value for Idle Timeout is 300 seconds.

To disable Idle Timeout, set this value to 0.
Note: When a session has been inactive for the defined Idle Timeout setting, the session is automatically closed and related logs are stored in /var/log/messages.
SSH Authentication

SSH Authentication is where the following authentication settings are controlled:

  • Password authentication
  • Public Key authentication


SSH Brute Force Prevention

SSH Brute Force Prevention protects the system from unauthorized access attempts and prevents attackers from repeatedly trying different passwords to gain SSH access.

Note: Brute Force Prevention is applicable to password authentication only.


Valid values for Brute Force Prevention configuration settings are:
  • Enabled: true|false
  • Attempts: 1 – 99
  • Lockout (seconds): 60 – 3600
Default values for Brute Force Prevention are:
  • Brute Force Prevention: enabled
  • Attempts: 3
  • Lockout (seconds): 300 (i.e., 5 minutes)

RADIUS Configuration

The RADIUS protocol supports authentication, user session accounting, and authorization of users to the device.

This authentication, accounting, and authorization is independent of the local users created on the device. The user can enable Authentication, Accounting, or both options.

RADIUS user details:

  • A RADIUS user is granted access to the device if its role is one of those in the provided list (Administrator, Engineer, or Monitor).
  • RADIUS users do not have SSH access to the device.
  • For a RADIUS user, the system creates a temporary session instead of a local account.
  • RADIUS uses shared key encryption.
  • Local users take priority over RADIUS users (if a RADIUS user has the same username as a local user, the RADIUS user cannot log in even if the local user is disabled).
  • RADIUS user with Administrator role can view and modify all local users (but cannot delete a local Administrator if it is the only local admin user on the device).
  • RADIUS users with Engineer and Monitor role cannot view or modify user details. They do not have access to the User Accounts page.
  • RADIUS users cannot change their own password in the Web UI.

A typical RADIUS Configuration page is illustrated here:



X.509 Certificates

A typical X.509 Certificates configuration page is illustrated here:



Web Certificate

The system supports generating and uploading a new Web Certificate in .pem format.

A typical Web Certificate tab is illustrated here:



Generate Web Certificate

To generate a new web certificate, click on on the Web Certificate page.

A typical Generate Web Certificate configuration pop-up dialog is illustrated here:



Web Certificate Configuration Parameters
Parameter Valid Values Description
Common Name    
Subject Alternative Name The following types may be added to the self-signed certificate:
  • DNS
  • URI
  • E-mail
  • IP address
  • “Other name”

    Used for adding OIDs

Subject Alternative Name (SAN) is an extension to the X.509 specification that allows users to specify additional host names for a single SSL certificate.
SAN is used in modern X.509 certificates to:
  • Specify multiple domain names and/or IP addresses associated with a certificate
  • Replace the Common Name (CN) as the primary identifier (modern browsers no longer rely on CN)
  • Enable secure access to a service through various names (e.g., mts.example.com, example.org, 192.168.2.1)
  • Ensure compliance with current TLS/SSL standards and browser security requirements
The system generates a self-signed certificate using the device hostname as a SAN value.
Locality/City    
Days    
Organization    
Country (2 letter code)    
Email Address    
State/Province    

CA Certificates Tab

The system supports importing X.509 CA Certificates. Imported certificates must be in .pem format.

A typical CA Certificates tab is illustrated here:



Remote Device Management

The following Remote Device Management operations are supported:

  • Check-in based on a specified interval, and repeated at a particular time and day(s) of the week
  • Upload device configuration to the remote server
  • Commands execution:
    • Configuration upgrade
    • Firmware upgrade
    • Device Logs Upload
    • Reboot

A typical Remote Device Management tab is illustrated here:



Notifications

The Notification tab includes settings for users to manage the following:

  • Notifications Configuration
  • Notifications Sent

The device can send alerts via:

  • email

    To send alerts via email, the SMTP server must be enabled.

  • SMS

    To send alerts via SMS, refer to SMS Configuration and Commands.

  • SNMP

    To enable SNMP traps, refer to SNMP Configuration.

Configuration Tab

A typical Configuration tab for notifications is illustrated here:



To add a new Recipient Group, click on + Add Group and configure the following information for the group:



To edit an existing Recipient Group, click the associated with the group to be edited. Add or delete contact information as required.

Sent Tab

A typical Sent tab for notifications is illustrated here:



Web UI Customization

Users can configure the following on the Web UI Customization tab:

  • Footer Customization allows the user to add custom organization details to the footer.
  • Dashboard Customization allows the user to upload a new image and specify Device Name and Custom ID that will be shown on the Dashboard page.
  • UI Customization allows the user to modify the color schema of the buttons, and upload a custom logo and favicon.

A typical Web UI Customization tab is illustrated here:



Firmware Upgrade

Firmware from MultiTech is signed with MultiTech’s private key, and the signatures on the artifacts in the firmware must verify successfully before the firmware is applied to the device flash.

A typical Firmware Upgrade screen is illustrated here:



System Fallback

To improve system reliability and ensure system recovery, the rCell 300 employs a dual volume architecture.

If at any time the rCell 300 fails to boot five consecutive times, the system automatically reverts to the prior firmware version that is stored in the second volume.
Note: If the system successfully boots prior to triggering a fallback (e.g., during its fourth attempted reboot), the boot counter is reset to zero.

Following a fallback, once the system successfully reboots, the following message is displayed on the Firmware Upgrade screen to alert the user:



Note: This message will not be displayed if the system reverts to a firmware version prior to 7.1.0.

Package Management

The Package Management feature supports importing and installing packages from the MultiTech online mLinux feeds.

A typical Package Management tab is illustrated here:



Save/Restore

Save/Restore supports restoring from an uploaded configuration file, saving the current configuration to a file, and defaulting the device back to factory settings. The RESET button can be configured to enable it, disable it, or disable factory reset so that the device only resets when the button is pressed.

A typical Save/Restore page is illustrated here:



Debug Options

The Debug Options tab contains a miscellaneous set of features and options for debugging and rebooting the device:

  • When enabled, the Auto Reboot Timer feature will reboot per the configured timeout.
  • When enabled and configured, the Remote Syslog feature will stream the syslog output to the remote server.
  • Logging is a global setting to increase or decrease the device logging level.
  • The Data Traffic Statistics feature controls the periodicity and data threshold when statistics are saved to persistent storage.
  • The Ping feature pings or connects via TCP to the target remote host.
  • The Continuous Ping feature pings the target remote host continuously.

A typical Debug Options tab is illustrated here:



Usage Policy

A typical Usage Policy tab is illustrated here:



Apps Menu

Custom Apps

The system allows installing custom applications and uploading configuration files for the installed custom apps.

Note: For information about creating custom applications, refer to Creating a Custom Application.

A typical Custom Apps page is illustrated here:



Parameter Description
Enabled When ENABLED:
  • The system launches all installed applications on boot.
  • The system launches a custom application as soon as it has been installed.
When DISABLED:
  • The system does not launch custom applications that are installed. The Run action icon is not available in the UI and the user cannot run the application manually.
  • The system allows the installation of custom applications, but it does not launch them.
  • The system does not allow starting applications.
Backup on Install When ENABLED (default setting) the currently running custom application is backed up in case a new version of the application is being downloaded and installed. If the install fails, the backup is reinstalled. Disable this option only if there is not enough space to back up custom apps.
Note: When a user disables the Enabled option and selects Save and Apply, the system does not stop any applications that are already running. To halt an application manually, locate the application in the list of installed applications and click the button associated with the application to be stopped. For additional information, refer to Installed Applications.

Installed Applications

A list of custom applications that have been installed on the rCell 300 is displayed on the Custom Apps page. A typical list is shown here:



Information about available application options is listed here:

Icon Function
View application details
Halt application
TBD
Delete the application
View Application Details
The following information about custom applications is displayed in a pop-up window when the respective option is selected:
  • Application Name
  • Application ID
  • Application Version
  • Extra Version [optional]
  • Installation Location
    • Persistent Storage
    • /var/config/app
    • SD Card
  • Application Status
  • Application Description
  • Version Notes
  • Application Info; Not displayed if info is empty or "not available".
  • Process IDs (PIDs)
    • Process ID
    • Running
    • Process Name
    • CMD
Typical Application Details pop-ups are displayed below:




Application Status

The supported application statuses are listed below:

Status Description
STARTED The application is highlighted with green and there is a stop action in the Options column.
RUNNING The application is highlighted with green and there is a stop action in the Options column.
STOPPED The application is not highlighted and there is a start action in the Options column.
FAILED The application is highlighted with red and the actual status is shown next to the app version.
INSTALL FAILED The application is highlighted with red and the actual status is shown next to the app version.
START FAILED The application is highlighted with red and the actual status is shown next to the app version.
Extra Version Support

In addition to a custom application's version, which is stored in manifest.json, some applications may have an optional extra version which is managed by the custom application itself. The extra version is stored in the [App Directory]/version_extra file.

If the [App Directory]/version_extra file exists and is not empty, the extra version is displayed next to the application's current version.



Install a Custom App

Perform the following procedure to install a custom application:

  1. Go to the Custom Apps page, select Add Custom App.
  2. Specify an App ID and choose an application file in the pop-up. The App ID must be a hexadecimal value with a maximum length of 32 characters.

When adding a custom app, the following information applies:

  • The application name must be unique. The system does not allow installing two different apps with the same name. The system retrieves the App Name value from the manifest.json.
  • The installed application has a corresponding unique App ID. When installing an app, the system verifies if the app with the same name is already installed. If this is true, the system does not allow specifying a different App ID.
  • If a user installs a new version of an application that is already installed, the user has to specify the App ID of the installed application. If the user specifies a different App ID, the application installation will fail and a corresponding error message will be displayed.
  • When installing an app, the system does not allow specifying an App ID that is already used by another application.
When the application has been installed, the following information is displayed:
  • The application's name
  • Description
  • Installed version
  • App ID
  • Current status
  • Application information
Installation Location

The location where the system installs a custom application is defined in the manifest.json file. The application can be installed to /var/config/app, /var/persistent, or to the SD card.

To install the application to /var/persistent, the manifest.json file shall have the “PersistentStorage” field set to true. If it is absent or set to false, then the app will be installed to the /var/config/app directory.

Example:

{
  "AppName": "Application Name",
  "AppVersion": "Application Version",
  "AppDescription": "Description to be displayed for the custom app",
  "AppVersionNotes": "Any applicable notes for this version of the app.",
  "PersistentStorage": true
}
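
The App Name and App ID rules and the PersistentStorage rule described above can be checked on a workstation before an application file is uploaded. The following pre-flight check is an added example, not MultiTech code; the `installed` inventory, the sample app names and IDs, and the case-insensitive App ID comparison are assumptions.

```python
import json
import re

# App ID rule from the guide: hexadecimal, maximum length 32 characters.
APP_ID_RE = re.compile(r"[0-9A-Fa-f]{1,32}")


def install_location(manifest):
    """Directory implied by the PersistentStorage field, per the guide."""
    # true -> /var/persistent; absent or false -> /var/config/app.
    if manifest.get("PersistentStorage") is True:
        return "/var/persistent"
    return "/var/config/app"


def preflight(manifest_text, app_id, installed):
    """Check a planned install; return (ok, location_or_reason).

    installed: hypothetical inventory {App Name: App ID} of the apps already
    on the device, e.g. transcribed from the Custom Apps page.
    """
    if not APP_ID_RE.fullmatch(app_id):
        return False, "App ID must be hexadecimal, at most 32 characters"
    try:
        manifest = json.loads(manifest_text)
    except json.JSONDecodeError as exc:
        return False, "manifest.json is not valid JSON: %s" % exc
    if not isinstance(manifest, dict):
        return False, "manifest.json must be a JSON object"
    name = manifest.get("AppName")
    if not isinstance(name, str) or not name.strip():
        return False, "manifest.json has no AppName"
    # The guide only defines true, false and absent. Flag anything else
    # (such as the string "true") instead of guessing how it is treated.
    if not isinstance(manifest.get("PersistentStorage", False), bool):
        return False, "PersistentStorage must be JSON true or false"
    # Assumption: App IDs are compared without regard to letter case.
    wanted = app_id.lower()
    known = {n: i.lower() for n, i in installed.items()}
    if name in known:
        # New version of an installed app: the App ID must not change.
        if known[name] != wanted:
            return False, "'%s' is installed with App ID %s" % (name, installed[name])
    elif wanted in known.values():
        # New app: the App ID must not belong to another application.
        owner = next(n for n, i in known.items() if i == wanted)
        return False, "App ID already used by '%s'" % owner
    return True, install_location(manifest)


# Constructed sample data, not taken from a real device.
INSTALLED = {"modbus-poller": "a1b2c3", "edge-logger": "00FF10"}
NEW_APP = '{"AppName": "tank-monitor", "AppVersion": "1.0.0", "PersistentStorage": true}'
UPGRADE = '{"AppName": "modbus-poller", "AppVersion": "2.1.0"}'

if __name__ == "__main__":
    for text, app_id in [(NEW_APP, "c0ffee01"), (UPGRADE, "a1b2c3"),
                         (UPGRADE, "deadbeef"), (NEW_APP, "00ff10")]:
        print(app_id, preflight(text, app_id, INSTALLED))
```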

The system allows uploading one or more configuration files for the installed custom application.

To upload a new configuration file, select the Upload App Configuration icon in the Actions column.



The files will be uploaded to the /[AppName]/config directory.

Note:
  • If the /[AppName]/config directory does not exist, the system will create a “config” directory in the application directory.
  • You must upload files under the file names that the application expects to use. If the application uses general.conf, and you upload general_v1.conf and general_v3.conf, all these files will be present in the /config directory, and it depends on the app how to use them. If the name of the file you upload matches a file already in the /config directory, the new file replaces the existing one.

Send Notification Utility

Send Notification is a command-line utility providing a simple method to send notifications via SMS and e-mail.

The path to the utility is: /usr/bin/send-notification



Send Notification supports one or more recipients, so a single notification can be sent to multiple recipients simultaneously.

Cellular IP Passthrough Mode

When operating in Cellular IP Passthrough mode, the rCell 300 negotiates a cellular data link and a fixed IP address is assigned to it.
Note: Not all routing and firewall features are available in Cellular IP Passthrough Mode.

Setup

The Setup menu provides access to the following configuration settings:
  • Cellular IP Passthrough
  • Time Configuration

Cellular IP Passthrough

The Cellular IP Passthrough screen is where the desired protocol for the rCell 300 is specified.

Supported protocols are:
  • IPv4
  • IPv6

Depending on the protocol selected, DNS Server and Public IPv4 Mask information are also configured using this screen.

Note: A working Cellular connection is required.

IPv4 Configuration

A typical Cellular IP Passthrough configuration screen for IPv4 is illustrated here:



Sample use cases are detailed in the following table.

Parameter Values System Actions and Behavior

Protocol Support: IPv4

IPv4 DNS Server: empty

Public IPv4 Mask: 32

  • The system obtains the network settings from the rCell 300 and cellular network.
  • When the Internet (cellular) connection is NOT established, the IPv4 Address is assigned from the local subnet (192.168.2.0/24 by default).
  • IPv4 Default Gateway and IPv4 DHCP Server correspond to the IPv4 Address of the rCell 300.
  • When the Internet (cellular) connection is established, the IPv4 Address corresponds to the IP Address that the cellular network provided.
  • The IPv4 DNS Server address(es) are obtained from the cellular network.
  • There is an Internet connection on the user's computer that is connected to the rCell 300.
  • Ping to google.com from the user's computer is successful.
  • The mPower Web UI is accessible via the IPv4 address that is configured on the Cellular IP Passthrough Configuration page.
  • Identical behavior is observed when the user's computer is connected to the rCell 300 via the ETH0 and ETH1 ports. Both ethernet ports work the same.

Protocol Support: IPv4

IPv4 DNS Server: 8.8.8.8

Public IPv4 Mask: 32

  • The system obtains the network settings from the rCell 300 and cellular network.
  • When the Internet (cellular) connection is NOT established, the IPv4 Address is assigned from the local subnet (192.168.2.0/24 by default).
  • IPv4 Default Gateway and IPv4 DHCP Server correspond to the IPv4 Address of the rCell 300.
  • When the Internet (cellular) connection is established, the IPv4 Address corresponds to the IP Address that the cellular network provided.
  • The IPv4 DNS Server address is 8.8.8.8.
  • There is an Internet connection on the user's computer that is connected to the rCell 300.
  • Ping to google.com from the user's computer is successful.
  • The mPower Web UI is accessible via the IPv4 address that is configured on the Cellular IP Passthrough Configuration page.
  • Identical behavior is observed when the user's computer is connected to the rCell 300 via the ETH0 and ETH1 ports. Both ethernet ports work the same.

Protocol Support: IPv4

IPv4 DNS Server: empty

Public IPv4 Mask: 24

  • The system obtains the network settings from the rCell 300 and cellular network.
  • When the Internet (cellular) connection is NOT established, the IPv4 Address is assigned from the local subnet (192.168.2.0/24 by default).
  • IPv4 DHCP Server corresponds to the IPv4 Address of the rCell 300.
  • When the Internet (cellular) connection is established, the IPv4 Address corresponds to the IP Address that the cellular network provided.
  • IPv4 Default Gateway is obtained from the cellular network.
  • The IPv4 DNS Server addresses are obtained from the cellular network.
  • There is an Internet connection on the user's computer that is connected to the rCell 300.
  • Ping to google.com from the user's computer is successful.
  • The mPower Web UI is accessible via the IPv4 address that is configured on the Cellular IP Passthrough Configuration page.
  • Identical behavior is observed when the user's computer is connected to the rCell 300 via the ETH0 and ETH1 ports. Both ethernet ports work the same.

Protocol Support: IPv4

IPv4 DNS Server: 8.8.4.4

Public IPv4 Mask: 24

  • The system obtains the network settings from the rCell 300 and cellular network.
  • When the Internet (cellular) connection is NOT established, the IPv4 Address is assigned from the local subnet (192.168.2.0/24 by default).
  • IPv4 DHCP Server corresponds to the IPv4 Address of the rCell 300.
  • When the Internet (cellular) connection is established, the IPv4 Address corresponds to the IP Address that the cellular network provided.
  • IPv4 Default Gateway is obtained from the cellular network.
  • The IPv4 DNS Server address is 8.8.4.4.
  • There is an Internet connection on the user's computer that is connected to the rCell 300.
  • Ping to google.com from the user's computer is successful.
  • The mPower Web UI is accessible via the IPv4 address that is configured on the Cellular IP Passthrough Configuration page.
  • Identical behavior is observed when the user's computer is connected to the rCell 300 via the ETH0 and ETH1 ports. Both ethernet ports work the same.

IPv6 Configuration

A typical Cellular IP Passthrough configuration screen for IPv6 is illustrated here:



Sample use cases are detailed in the following table.

Parameter Values System Actions and Behavior

Protocol Support: IPv6

IPv6 DNS Server: empty

  • The system obtains the network settings from the rCell 300 and cellular network.
  • IPv4 Address is obtained from the local IPv4 subnet of the rCell 300.
  • IPv4 Default Gateway and IPv4 DHCP Server correspond to the IPv4 IP Address of the rCell 300.

When the Internet (cellular) connection is established:

  • The IPv6 Address on the Dashboard corresponds to the br0 network interface IPv6 address (issue ifconfig in the device console to see the inet6 addr for br0).
  • The device Web UI can be accessed via the IPv6 address.

    For example: https://[fe80::58a1:b3ff:febc:ca86]/

  • The ethernet interface on the user's PC obtains the following IPv6 network settings from the cellular network:
    • IPv6 Address
    • IPv6 Default Gateway
    • IPv6 DNS Servers
  • There is an Internet connection on the user's computer that is connected to the rCell 300.
  • Ping to ipv6.google.com from the user's computer is successful.
  • The mPower Web UI is accessible via the IPv4 address that is configured on the Cellular IP Passthrough Configuration page.
  • Identical behavior is observed when the user's computer is connected to the rCell 300 via the ETH0 and ETH1 ports. Both ethernet ports work the same.

Protocol Support: IPv6

IPv6 DNS Server:

2001:4860:4860::8888

  • The system obtains the network settings from the rCell 300 and cellular network.
  • IPv4 Address is obtained from the local IPv4 subnet of the rCell 300.
  • IPv4 Default Gateway and IPv4 DHCP Server correspond to the IPv4 IP Address of the rCell 300.

When the Internet (cellular) connection is established:

  • The IPv6 Address on the Dashboard corresponds to the br0 network interface IPv6 address (issue ifconfig in the device console to see the inet6 addr for br0).
  • The device Web UI is accessible via the IPv6 address.

    For example: https://[fe80::58a1:b3ff:febc:ca86]/

  • The ethernet interface on the user's PC obtains the following IPv6 network settings from the cellular network:
    • IPv6 Address
    • IPv6 Default Gateway
  • The IPv6 DNS Server is 2001:4860:4860::8888.
  • There is an Internet connection on the user's computer that is connected to the rCell 300.
  • Ping to ipv6.google.com from the user's computer is successful.
  • The mPower Web UI is accessible via the IPv4 address that is configured on the Cellular IP Passthrough Configuration page.
  • Identical behavior is observed when the user's computer is connected to the rCell 300 via the ETH0 and ETH1 ports. Both ethernet ports work the same.

Time Configuration

A typical Time Configuration screen is illustrated here:



Cellular

The Cellular menu provides access to the following configuration settings:
  • Cellular Configuration
  • Diagnostics

Cellular Configuration

In Cellular IP Passthrough mode, all cellular features are supported and operate as described for Network Router mode with the following exception(s):

  • Connection Monitoring | Keep Alive

    This feature is not supported in Cellular IP Passthrough mode and is therefore not included in the Connection Monitoring section.

A typical Cellular Configuration tab is illustrated here:



Diagnostics

The Diagnostics menu provides access to the following configuration settings:
  • Radio Status
  • Diagnostics
  • Cell Radio Firmware Upgrade
When in Cellular IP Passthrough mode, each feature is configured and operates as described when the rCell 300 is configured as a Network Router.

Administration

The Administration menu provides access to the following administrative configuration settings:
  • User Accounts
  • Access Configuration
  • Web UI Customization
  • Firmware Upgrade
  • Save/Restore
  • Debug Options
  • Usage Policy
Note: Not all Administration-level features are available when in Cellular IP Passthrough mode.
When in Cellular IP Passthrough mode, each of the listed features is configured and operates as described when the rCell 300 is configured as a Network Router.