Product Installation Manual

i-MO 310 Series Bonding Router

Installation Manual for the i-MO 310 Series Appliance

INSTALLATION MANUAL FOR THE EMS I-MO 310 SERIES APPLIANCE Version 1.2

Content

I-MO Appliance Identification Guide
General Safety Guidelines for EMS Hardware Equipment
Installation Safety Guidelines and Warnings
Operating Temperature Warning
Product Disposal Warning
General Electrical Safety Warnings for EMS Hardware Equipment
Radio Frequency Interference
Electromagnetic Compatibility
AC Power Electrical Safety Guidelines
Hardware Installation Guide
1) Attach WiFi antennas (optional)
2) Attach 3G/4G antennas and cables
3) Attach network cables (optional)
4) Install SIM cards
5) Power cable
6) Power switch
7) Status display
Web Configuration
General Section Configuration
Home
My Profile
Log out
Network Section Configuration
Edit Configuration
General Tab
Interfaces Tab (Image 1)
Interfaces Tab (Image 2)
Bonding Tab
Firewall Tab
VPN Tab
NAS
Command Line Interface
Appendix A - Optional WiFi Radio Component
Warnings
Regulatory Notices

ELECTRONIC MEDIA SERVICES LIMITED Page 2 of 58 PASSFIELD BUSINESS CENTRE, LYNCHBOROUGH ROAD, LIPHOOK, HAMPSHIRE, GU30 7SB, UK Tel: 01428 751655 | Fax: 01428 751654 | E-mail: [email protected]


FCC ID: N7N-MHS802
Certification Information (SAR)
Technical Data
Safety Regulation and Operating Environment
Optional WiFi Radio Aerial
Appendix B - Optional 3G Radio Component
External Installation
Safety
Choosing a Mounting Location
Mounting the Antennas
Connecting the External Antennas to the i-MO
Appendix C
Access Point Name File
Appendix D
Configuration File
Example 1. 1 x WAN Link, 1 X LTE for failover without a Concentrator
Example 2. 1 x Wan Link, 1 X LTE for failover with a Concentrator
Example 3. 1 x WAN Link, 1 X LTE for failover with a Concentrator & split routing
Appendix E
Configuration Options Reference
Appendix F - Disposal and Recycling Information
WEEE EU Directive
Reduction of Hazardous Substances
Appendix G - Warranty Information
Obtaining Technical Assistance


I-MO Appliance Identification Guide

The following diagram shows the basic and optional i-MO hardware components.


General Safety Guidelines for EMS Hardware Equipment

The following guidelines help ensure your safety and protect the hardware equipment from damage. The list of guidelines might not address all potentially hazardous situations in your working environment, so be alert and exercise good judgment at all times.

• Perform only the procedures explicitly described in this documentation. Make sure that only authorized service personnel perform other system services.
• Keep the area around the chassis clear and free from dust before, during, and after installation.
• Keep tools away from areas where people could trip over them while walking.
• Wear safety glasses if you are working under any conditions that could be hazardous to your eyes.
• Do not perform any actions that create a potential hazard to people or make the equipment unsafe.
• Never install or manipulate wiring during electrical storms.
• Never install electrical jacks in wet locations unless the jacks are specifically designed for wet environments.
• Operate the hardware equipment only when the chassis is properly grounded.
• Do not open or remove chassis covers or sheet metal parts unless instructions are provided in this documentation. Such an action could cause severe electrical shock.
• Do not push or force any objects through any opening in the chassis frame. Such an action could result in electrical shock or fire.
• Avoid spilling liquid onto the chassis or onto any hardware component. Such an action could cause electrical shock or damage the hardware equipment.
• Do not use the device where inflammables or explosives are stored, for example, in a fuel station, oil depot, or chemical plant. Otherwise, explosions or fires may occur.
• Use only the accessories supplied or authorized by the device manufacturer. Otherwise, the performance of the device may be affected, the warranty for the device or the laws and regulations related to terminals may become null and void, or an injury may occur.
• Do not use the power adapter if its cable is damaged. Otherwise, electric shocks or fires may occur.
• Do not use the antennas if the connectors, cables, or antennas are damaged. Otherwise, radio frequency interference or electric shock may occur.

Installation Safety Guidelines and Warnings

Read the installation instructions before you connect the hardware equipment to a power source.

Operating Temperature Warning

To prevent the hardware equipment from overheating, do not operate it in an area that exceeds the maximum recommended ambient temperature of 40°C. To prevent airflow restriction, allow at least 2 inches of clearance around the rear ventilation grille.

Do not expose to direct sunlight.


Do not place containers of liquids on the device or allow the device to come in contact with liquids.

Do not place near or on a source of heat.

Product Disposal Warning

Disposal of this product must be handled according to all national laws and regulations.

See Appendix F for details.

General Electrical Safety Warnings for EMS Hardware Equipment

Radio Frequency Interference

You can reduce or eliminate the emission of radio frequency interference (RFI) from your site wiring by using twisted-pair network cabling with a good distribution of grounding conductors. If you must exceed the recommended distances, use a high-quality twisted-pair cable with one ground conductor for each data signal when applicable.

Electromagnetic Compatibility

If your site is susceptible to problems with electromagnetic compatibility (EMC), particularly from lightning or radio transmitters, you might want to seek expert advice. Strong sources of electromagnetic interference (EMI) can destroy the signal drivers and receivers in the router and conduct power surges over the lines into the equipment, resulting in an electrical hazard. It is particularly important to provide a properly grounded and shielded environment and to use electrical surge-suppression devices.

AC Power Electrical Safety Guidelines

The i-MO requires an AC supply of 100-240 Volts, 50/60 Hz and can draw a current of up to 2 Amps. i-MO routers are shipped with a three-wire electrical cord with a grounding-type plug that fits only a grounding-type power outlet. Do not circumvent this safety feature. Equipment grounding should comply with local and national electrical codes. The power cord serves as the main disconnecting device. The socket outlet must be near the router and be easily accessible.


Hardware Installation Guide

1) Attach WiFi antennas (optional)

The i-MO appliance is supplied with a WiFi interface. This can be enabled on request at time of order. If the WiFi interface is enabled, install the two antennas on the aerial connectors numbered 4 and 5 as shown below. Position these at an angle as shown below.

2) Attach 3G/4G antennas and cables

Up to 3 antennas may be provided dependent upon the number of modems installed. The antennas must be mounted outside and as high as possible. The antennas should be spaced at least 1 metre apart from each other.

The connector on each aerial cable should be attached to the aerial sockets (1-3) as shown below. Note: Connectors should be touch tight only! Do not over tighten.


3) Attach network cables (optional)

The i-MO appliance provides six ports at the rear. Each of these can be individually configured as WAN or LAN ports. Network cables (not provided) can be connected as shown below. The default configuration is all ports configured for LAN usage (6 port network hub).

Note: The first port on the left as viewed from the rear is a Console (RS232) Port available for unit configuration purposes only. This port is NOT available for network use.

4) Install SIM cards

The appliance supports up to 6 SIMs which are installed in the SIM card slots on the rear of the appliance as illustrated below.


• Note: Please ensure you insert the SIM cards carefully in their slots and ensure that they are pressed in as illustrated above.
• Note: Up to six SIMs can be inserted - starting with slots SIM 1, SIM 3 and SIM 5.

5) Power cable

The appliance is powered by an AC Adapter power supply. Do not connect the power supply to the mains yet. Insert the power cable as shown below, then connect the power supply to the mains.

Note: We recommend the use of UPS units where power regulation cannot be guaranteed (e.g. use of a generator)

6) Power switch

The power switch at the front of the unit is used to turn the appliance on (boot) or off (shutdown). As soon as the button is pressed it will illuminate to show that the appliance is powering up. Press the button again to start the power off sequence. The message on the status display will change and when the power off sequence has completed the light in the button will extinguish.


Note: Do NOT hold the power button in unless specifically instructed to do so by a support engineer.


7) Status display

The LCD display shows the status of up to three mobile connections plus the overall status of the link.

Link Status

This shows the overall status of the link, which can be either UP or DOWN. When the link is DOWN the appliance is not able to send or receive data.

Just to the right of the link status the letters T and R will flash when the appliance is Transmitting or Receiving data.

Mobile Status

This shows the status of each mobile channel. The letter U will be displayed when the link is UP and D is displayed when the link is DOWN.

The status will also flash T and R when the channel is transmitting or receiving data.

Network

This shows the name of the network the appliance is using.

Mode

The standard appliance currently supports five network protocols: GPRS, EDGE, 3G, HSDPA and HSPA+.

The letter G is displayed for GPRS, E for EDGE, 3 for 3G and H for HSDPA or HSPA+ modes.

Note: If one or more 4G compatible modems are fitted then those channels will also support the 4G protocol. The digit 4 will then be displayed.

Signal Strength

This shows the strength of the signal being received from the mobile network.


Web Configuration

The i-MO appliance can easily be configured and managed using the web interface. Enter the default URL, http://192.168.0.1/, and select the "Login" option from the top right-hand side of the page.

This will load the Login page:

Enter your username and password and click the Login button. The default administrator username is admin and the password is admin.

It is strongly recommended that the default password is changed using the “My Profile” page.

General Section Configuration

Home

The current home page has no content.


My Profile

The "My Profile" option allows you to change your password.

There is no mechanism to recover a forgotten password. If the password has been forgotten, a factory reset is required to restore the default password.

It is strongly recommended that the default password is changed using this page.


Log out

Network Section Configuration

Edit Configuration

The configuration of the network is managed using the Network Configuration menu and the associated tabbed pages.


General Tab

The host name of the i-MO appliance can be set on the "General" tab.

It must be RFC 952 compliant. The host name can be up to 24 characters long and consist of letters (a-z), numbers (0-9), minus sign (-), and period (.). The periods are normally used to delimit components of a "domain style" name (see RFC 921). It must not contain blank or space characters. The host name is case insensitive and letters may be upper or lower case. The first character must be a letter.

Valid examples:

    i-mo.1234.mydomain.com
    my-imo

Interfaces Tab (Image 1)

The i-MO 310 and 540 appliances have 6 Gb Ethernet ports plus an optional 802.11 b/g/n wireless interface. The GbE interfaces are named eth0 through eth5 and the wireless interface is named wlan0.

All of the physical devices can be individually configured and can be assigned to internal, dmz, or external zones in the firewall.

One or more physical interfaces can be combined into a single logical interface (br0). The logical interface is like an Ethernet switch and MAC address to physical port mappings are typically remembered for up to 5 minutes before traffic for a given address is broadcast to all ports again.

The IP address of the interfaces should be specified using a CIDR which is a representation of an IP address and its associated routing prefix, for example: 192.168.0.1/24 or 10.0.0.1/16

In the following example the firewall is enabled and all the Ethernet ports (0-5) plus the WiFi interface (wlan0) are assigned to the bridge interface (br0).

The bridge interface is assigned to the “internal” zone and its IP address is set to 192.168.0.111. The DHCP server is enabled and will issue IP addresses from the range 192.168.0.100 to 192.168.0.200 inclusive. The additional DHCP options for the DNS and WINS servers and the DNS search domain can be set in the DHCP setting.

In the wlan0 section you can specify the “service set identifier” (SSID) or name that will be broadcast. The SSID may be up to 31 characters long and can contain upper and lowercase letters (A-Z, a-z) or numbers (0-9). It may also include any punctuation except the following: ", $, [, \, ], and +. It cannot start with a !, # or ; character. For example: my-wifi


The WiFi password (shared key) must be between 8 and 63 characters long and can contain any printable character.


Interfaces Tab (Image 2)

Bonding Tab

The “Bonding” tab configures a single tunnel that is used for bonding multiple physical links into a single logical link. More complicated bonding configurations (e.g. over WAN links) can be configured using the configuration file; see Appendix D.


You need to specify a unique Concentrator IP for each cellular modem that is installed.

The Concentrator Key is a shared secret used to authenticate the i-MO appliance with the Concentrator. The randomness and length of the key affect the quality of the encryption, if enabled. For applications that require good security you should use a 16 or 32 character key consisting of numbers plus upper and lower case letters. Standard dictionary words should not be used.

This is an example of a poor key: thisismykey

This is a much stronger key: vjXt3Z7bqw6rjUXe
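One way to generate and check a Concentrator Key against the criteria above, as an added Python example that is not part of the manual or of EMS software. The function names and the small word list are constructed for illustration; the two sample keys are the ones printed above and, being public, serve only as test input.

```python
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols: a-z, A-Z, 0-9

# Constructed mini word list, only to make the dictionary check concrete;
# a real check would use a full word list.
SAMPLE_WORDS = ("this", "key", "pass", "admin", "router", "secret")


def check_key(key, words=SAMPLE_WORDS):
    """Return the manual's criteria that `key` fails (empty list = passes)."""
    findings = []
    if len(key) not in (16, 32):
        findings.append("length %d is not 16 or 32" % len(key))
    if not all(c in ALPHABET for c in key):
        findings.append("contains characters other than letters and digits")
    for name, test in (("digit", str.isdigit),
                       ("upper case letter", str.isupper),
                       ("lower case letter", str.islower)):
        if not any(test(c) for c in key):
            findings.append("no " + name)
    lowered = key.lower()
    hits = [w for w in words if w in lowered]
    if hits:
        findings.append("contains dictionary word(s): " + ", ".join(hits))
    return findings


def generate_key(length=32):
    """Draw a key from the OS CSPRNG, retrying until every criterion holds."""
    if length not in (16, 32):
        raise ValueError("use 16 or 32 characters, as the manual recommends")
    while True:
        key = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_key(key):
            return key


def entropy_bits(length):
    """Upper bound on the entropy of a uniformly random key of this length."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    for sample in ("thisismykey", "vjXt3Z7bqw6rjUXe"):
        print(sample, "->", check_key(sample) or "meets the criteria")
    for n in (16, 32):
        print("%d random characters: about %.0f bits" % (n, entropy_bits(n)))
    print("new key:", generate_key(32))
```

A 16 character key of this alphabet carries at most about 95 bits of entropy; the 32 character form carries about 190 bits.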

Traffic over the tunnel can be encrypted by setting the encrypt option to yes. The default encryption is Blowfish 128.

The compress option enables compression of data sent over the bonded channel.

The protocol version allows for communication with Concentrators running different i-MO releases. It should normally be configured for a value of 2.

The Client IP is the internal endpoint of the tunnel on the i-MO appliance which is used on the Concentrator for routing and must be unique.

Firewall Tab

The Firewall tab configures various options for the firewall.


The NAT option enables masquerading or NATting.

The “Masqueraded Networks” rule defines which internal computers/networks are allowed to access the internet via masquerading.

The format of the rule is a space separated list of: [,,[,port[:port]]

If the protocol is icmp then port is interpreted as ICMP type.

Examples:

• "0/0" unrestricted access to the internet

• "10.0.0.0/8" allows the whole 10.0.0.0 network with unrestricted access.

• "10.0.1.0/24,0/0,tcp,80 10.0.1.0/24,0/0,tcp,21" allows http and ftp traffic from the 10.0.1.0 network to the internet.

• "10.0.1.0/24,0/0,tcp,1024:65535 10.0.2.0/24" the 10.0.1.0/24 network is allowed to access unprivileged ports whereas 10.0.2.0/24 is granted unrestricted access.

The “Non-Masqueraded Networks” rule defines which internal computers/networks to exclude from masquerading.

The format of the rule is a space separated list of : [,,[,port[:port]]

Examples:

• "0/0,10.0.0.0/8" do not masquerade packets from anywhere to the 10.0.0.0/8 network

The Forward rule defines which services or networks are routed through the firewall, regardless of which zone they are in.


With this option you can allow access to e.g. your mail server. The machines must have valid public IP addresses.

The format of the rule is a space separated list of: ,[,protocol[,destination port[,flags]]]

If the protocol is icmp then port is interpreted as icmp type

The flags parameter is a comma separated list and may consist of one or more of the following:

• ipsec matches packets that originate from an IPsec tunnel
• zonein=zone name matches packets entering on interfaces in the specified zone
• zoneout=zone name matches packets leaving on interfaces in the specified zone

Examples:

• "1.1.1.1,2.2.2.2" allow the host 1.1.1.1 to access any service on the host 2.2.2.2

• "3.3.3.3/16,4.4.4.4/24" allow the network 3.3.3.3/16 to access any service in the network 4.4.4.4/24

• "5.5.5.5,6.6.6.6,igmp" allow routing of IGMP messages from 5.5.5.5 to 6.6.6.6

• "0/0,0/0,udp,514" always permit udp port 514 through the firewall

• "192.168.1.0/24,10.10.0.0/16,,,ipsec \ 10.10.0.0/16,192.168.1.0/24,,,ipsec" permit traffic from 192.168.1.0/24 to 10.10.0.0/16 and vice versa provided that both networks are connected via an IPsec tunnel

• "fd76:9dbb:91a3:1::/64,fd76:9dbb:91a3:4::/64,tcp,ssh" allow ssh from one IPv6 network to another
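The Forward rule examples above, parsed and reviewed offline in Python. This is an added example, not EMS code: the field order (source, destination, protocol, port, flags) is an assumption taken from those examples, accepting a port range is an assumption carried over from the masquerade rule format, and the two review checks are illustrative choices.

```python
import ipaddress
from dataclasses import dataclass, field

# The manual's Forward rule examples, joined into one space separated list.
MANUAL_EXAMPLES = (
    "1.1.1.1,2.2.2.2 "
    "3.3.3.3/16,4.4.4.4/24 "
    "5.5.5.5,6.6.6.6,igmp "
    "0/0,0/0,udp,514 "
    "192.168.1.0/24,10.10.0.0/16,,,ipsec \\ 10.10.0.0/16,192.168.1.0/24,,,ipsec "
    "fd76:9dbb:91a3:1::/64,fd76:9dbb:91a3:4::/64,tcp,ssh"
)


@dataclass
class ForwardRule:
    text: str
    src: object
    dst: object
    protocol: str = ""
    port: str = ""
    flags: list = field(default_factory=list)


def parse_net(text):
    """Parse a host or network; the manual's "0/0" is read as any IPv4 address."""
    if text == "0/0":
        return ipaddress.ip_network("0.0.0.0/0")
    # strict=False because examples such as "3.3.3.3/16" have host bits set.
    return ipaddress.ip_network(text, strict=False)


def parse_port(text):
    """Accept an empty field, a service name, a number, or low:high."""
    if not text or not text[0].isdigit():
        return text  # empty, or a service name such as "ssh"
    numbers = [int(p) for p in text.split(":")]  # ValueError on junk
    if len(numbers) > 2 or max(numbers) > 65535 or numbers != sorted(numbers):
        raise ValueError("bad port or range: %r" % text)
    return text


def parse_forward_rules(value):
    """Split a Forward rule value into ForwardRule objects."""
    rules = []
    for item in value.replace("\\", " ").split():  # "\" is a line continuation
        fields = item.split(",")
        if len(fields) < 2 or not fields[0] or not fields[1]:
            raise ValueError("rule needs a source and a destination: %r" % item)
        fields += [""] * (4 - len(fields))
        flags = [f for f in fields[4:] if f]
        for flag in flags:
            if not (flag == "ipsec" or flag.startswith(("zonein=", "zoneout="))):
                raise ValueError("unknown flag %r in %r" % (flag, item))
        rules.append(ForwardRule(item, parse_net(fields[0]), parse_net(fields[1]),
                                 fields[2], parse_port(fields[3]), flags))
    return rules


def audit(rules):
    """Return (rule text, finding) pairs for rules worth a second look."""
    findings = []
    for r in rules:
        if r.src.prefixlen == 0:
            findings.append((r.text, "source is any address"))
        if not r.protocol and not r.port and "ipsec" not in r.flags:
            findings.append((r.text, "no protocol or port restriction"))
    return findings


if __name__ == "__main__":
    parsed = parse_forward_rules(MANUAL_EXAMPLES)
    for r in parsed:
        print("%-45s %s -> %s %s %s %s" % (r.text, r.src, r.dst,
                                           r.protocol or "*", r.port or "*", r.flags))
    for text, finding in audit(parsed):
        print("REVIEW %s: %s" % (text, finding))
```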

VPN Tab

The VPN tab configures one or more IPsec tunnels.

Basic VPN Settings Tab

On the basic tab you can enable or disable the VPN client.

When the VPN is enabled you must specify the IP address of the remote VPN server and the shared secret.


VPN Subnets Tab

The local and remote subnets for the VPN tunnel should be specified as CIDRs, for example:

    172.16.0.0/12
    10.0.0.0/8

Advanced VPN Settings Tab

Normally you can choose the “auto” option for all the settings on this page. However, if the VPN does not form then you may need to specify the Phase 1 and/or Phase 2 parameters, e.g. the encryption type (AES/DES), the hashing algorithm (MD5/SHA) and the Diffie-Hellman group.


If the VPN forms but fails after a few hours then check that the Phase 1 and Phase 2 lifetimes match those of the remote end. The default values if auto is selected are 28800s (8 hours) for Phase 1 and 3600s (1 hour) for Phase 2.

Restore Setup Configuration

This option restores the factory default settings; any user configuration will be deleted.


File

On the File page you can download the current configuration file and upload a new configuration file. See Appendix D for a description of the configuration file.

You can also download and upload an edited Access Point Name (APN) file. The APN is like a “telephone number” that is used to set up a data call. The standard file includes the standard APN setting for contract data SIMs. If you are using a pre-paid data SIM or a private APN you may need to edit this file. A description and the format of this file are given in Appendix C.

NAS

On this tab you can enable or disable the NAS (File Share) service.


This option is only valid if the i-MO has one or more Hard Drives installed that have been initialised with the RAID command. See the following chapter for the command line utilities.

When the NAS is enabled a user on the local LAN can mount the public share.

Command Line Interface

The i-MO appliance has a command line interface (CLI) that can be accessed by logging in on the serial console or via SSH from the local subnet. The username is admin and the default password is i-MO/admin.

It is strongly recommended that the default password is changed using the “passwd” command.

The CLI provides access to a number of standard Linux commands to view the system configuration and logfiles. It also includes a number of standard network diagnostic tools including nslookup, ping, route and traceroute.

The current running configuration file is located in /admin/config.

This folder also contains the following files:

• hostapd.accept
• hostapd.deny
• hostapd.wpa_psk
• hostapd.vlan
• hosts.allow
• hosts.deny

hostapd.accept can contain a list of MAC addresses that should be allowed access to the WiFi Access Point:

    # List of MAC addresses that are allowed to authenticate (IEEE 802.11)
    # with the AP. Optional VLAN ID can be assigned for clients based on the
    # MAC address.
    00:11:22:33:44:55
    00:66:77:88:99:aa
    00:00:22:33:44:55


hostapd.deny can contain a list of MAC addresses that should be denied access to the WiFi Access Point:

    # List of MAC addresses that are not allowed to authenticate (IEEE 802.11)
    # with the AP.
    00:20:30:40:50:60
    00:ab:cd:ef:12:34
    00:00:30:40:50:60

hostapd.wpa_psk can contain a list of MAC addresses and Pre Shared Keys:

    # List of MAC addresses and the PSK used to authenticate (IEEE 802.11)
    # with the AP.
    11:22:33:44:55:66 a8ed05e96eed9df63bdc4edc77b965770d802e
    22:33:44:55:66:77 eac8f79f06e167352c18c266ef56cc26982513
    33:44:55:66:77:aa 550a613348ffe64698438a7e7bc319fc3f1f55
    44:55:66:77:aa:bb ad328e5f2b16bdd9b44987793ed7e09e6d7cca

hostapd.vlan defines VLANs for the WiFi Access Point:

    # VLAN ID to network interface mapping
    1 vlan1
    2 vlan2
    3 vlan3
    100 guest
    # Optional wildcard entry matching all VLAN IDs. The first # in the interface
    # name will be replaced with the VLAN ID. The network interfaces are created
    # (and removed) dynamically based on the use.
    * vlan#

To apply any changes made to these files you must run the following command:

systemctl restart hostapd.service

The files hosts.allow and hosts.deny are used to restrict access to services that are running on the i-MO appliance. Typically this is used to limit access to SSH from external IP addresses. For example, if the public IP address of your network was 195.74.68.1 then you might use the following to restrict access only to that address:

hosts.allow

    # iMO default settings
    sshd: 127.0.0.1 : ALLOW
    sshd: 192.168. : ALLOW
    sshd: 172.16.0.0/255.240.0.0 : ALLOW
    sshd: 10. : ALLOW
    sshd: 195.74.68.1 : ALLOW
    sshd: ALL : DENY


This will permit access from any private IP address (RFC 1918) plus 195.74.68.1 and will deny access from any other address.
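To check an edited hosts.allow before relying on it, the first-match evaluation can be reproduced offline. The following Python sketch is an added example, not part of the manual or the appliance software; it covers only the IPv4 pattern forms used in the file above (single address, dotted prefix, net/mask and ALL), and the test addresses are constructed.

```python
import ipaddress
import re

# The hosts.allow shown in the manual, copied verbatim.
HOSTS_ALLOW = """\
# iMO default settings
sshd: 127.0.0.1 : ALLOW
sshd: 192.168. : ALLOW
sshd: 172.16.0.0/255.240.0.0 : ALLOW
sshd: 10. : ALLOW
sshd: 195.74.68.1 : ALLOW
sshd: ALL : DENY
"""


def client_matches(pattern, addr):
    """Match one client pattern against an IPv4Address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):          # "192.168." matches on the leading fields
        return str(addr).startswith(pattern)
    if "/" in pattern:                 # net/mask matches when net == addr AND mask
        net, mask = pattern.split("/", 1)
        return ((int(addr) & int(ipaddress.IPv4Address(mask)))
                == int(ipaddress.IPv4Address(net)))
    return str(addr) == pattern        # single address


def evaluate(rules_text, daemon, address):
    """Return (decision, matching pattern) for the first line that matches."""
    addr = ipaddress.IPv4Address(address)
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 2:
            raise ValueError("malformed line: %r" % line)
        daemons = re.split(r"[\s,]+", parts[0])
        if daemon not in daemons and "ALL" not in daemons:
            continue
        for pattern in re.split(r"[\s,]+", parts[1]):
            if client_matches(pattern, addr):
                # A matching hosts.allow line without an option grants access.
                has_option = len(parts) > 2 and parts[2]
                return (parts[2].upper() if has_option else "ALLOW"), pattern
    # Nothing in hosts.allow matched; hosts.deny would be consulted next.
    return "NO MATCH", None


if __name__ == "__main__":
    # Constructed test addresses around the edges of each pattern.
    for ip in ("127.0.0.1", "192.168.0.50", "172.31.255.254", "172.32.0.1",
               "10.200.3.4", "100.64.0.1", "195.74.68.1", "195.74.68.2"):
        print("%-16s %s" % (ip, evaluate(HOSTS_ALLOW, "sshd", ip)))
    print("telnetd from 195.74.68.2:", evaluate(HOSTS_ALLOW, "telnetd", "195.74.68.2"))
```

Every line in this file names sshd, so a lookup for any other daemon returns NO MATCH and the outcome for that service depends on hosts.deny.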

The CLI supports command history recall and editing. The up arrow key will bring back previous command lines and left / right arrows can be used to position the cursor for command editing.

The full list of available commands is given in the following table:

    arp       gunzip     passwd     tail
    awk       halt       ping       tcpdump
    cat       head       ping6      tftp
    clear     hexdump    poweroff   telnet
    cp        hostname   pwd        time
    cut       less       reboot     traceroute
    bzip2     ls         rm         traceroute6
    bunzip2   ifconfig   rmdir      unzip
    date      ip         route      uptime
    diff      ipcalc     scp        vi
    egrep     md5sum     sed        watch
    fgrep     mkdir      showlog    wc
    ftpget    mv         ssh        wget
    ftpput    more       sync       zip
    grep      nano       systemctl
    gzip      nslookup   tar

These are all standard Linux commands except showlog.

For most commands the -h option will display usage information:

    ~ $ tar -h
    Usage: tar -[cxtzjahmvO] [-X FILE] [-T FILE] [-f TARFILE] [-C DIR] [FILE]...

    Create, extract, or list files from a tar file

    Operation:
        c        Create
        x        Extract
        t        List
        f        Name of TARFILE ('-' for stdin/out)
        C        Change to DIR before operation
        v        Verbose
        z        (De)compress using gzip
        j        (De)compress using bzip2
        a        (De)compress using lzma
        O        Extract to stdout
        h        Follow symlinks
        m        Don't restore mtime
        exclude  File to exclude
        X        File with names to exclude
        T        File with names to include

The only non-standard command is the showlog command, which is used to view various log files including the system (messages), firewall and i-MO daemon log files.


The usage is:

    ~ $ showlog -h
    Usage: showlog [log name]
      -t, --tail=+/-LINES   see tail of file
      -f, --tailf           continuous tail of file
      -c, --cat             'cat' entire file
      -l, --less            use 'less'
      -g, --grep=STRING     use 'grep' file searcher
      -h, --help            this help message

    Valid log names:
      messages       System log file
      firewall       Packets logged by firewall
      imo            i-MO daemon
      imostats       i-MO statistics gathering daemon
      smb            Samba (smbd)
      nmb            Samba name service (nmbd)
      dhcpd.leases   DHCP leases
      mob0.imo       Card 0 details
      mob0.sig       Card 0 signal
      mob0.dat       Card 0 IP info
      mob1.imo       Card 1 details
      mob1.sig       Card 1 signal
      mob1.dat       Card 1 IP info
      mob2.imo       Card 2 details
      mob2.sig       Card 2 signal
      mob2.dat       Card 2 IP info
      nginx-error    nginx http server - errors
      nginx-access   nginx http server - access


Appendix A - Optional WiFi Radio Component

Warnings

When using the device, ensure that the antenna of the device is at least 1 cm away from all persons.

Do not use the device where using wireless devices is prohibited or may cause interference or danger.

Do not operate the WiFi device in areas where blasting is in progress, where explosive atmospheres may be present, near medical equipment, life support equipment, or any equipment which may be susceptible to any form of radio interference. In such areas, the WiFi device MUST BE POWERED OFF. It can transmit signals that could interfere with this equipment.

Do not operate the WiFi device in any aircraft, whether the aircraft is on the ground or in flight. In aircraft, the WiFi device MUST BE POWERED OFF. When operating, it can transmit signals that could interfere with various on-board systems.

Regulatory Notices

The design of the WiFi device complies with U.S. Federal Communications Commission (FCC) guidelines respecting safety levels of radio frequency (RF) exposure for mobile devices, which in turn are consistent with the following safety standards previously set by U.S. and international standards bodies:

• ANSI / IEEE C95.1-1999, IEEE Standard for Safety Levels with Respect to Human Exposure to Radio Frequency Electromagnetic Fields, 3kHz to 300 GHz
• National Council on Radiation Protection and Measurements (NCRP) Report 86, 1986, Biological Effects and Exposure Criteria for Radio Frequency Electromagnetic Fields
• International Commission on Non-Ionising Radiation Protection (ICNIRP) 1998, Guidelines for limiting exposure to time-varying electric, magnetic, and electromagnetic fields (up to 300 GHz)

FCC ID: N7N-MHS802

RF Exposure - This device has been tested for compliance with FCC RF exposure limits in a portable configuration. At least 1.0 cm of separation distance between the WiFi Antenna and the user's body must be maintained at all times. This device must not be used with any other antenna or transmitter that has not been approved to operate in conjunction with this device.

WARNING (EMI) - FCC Information - This equipment has been tested and found to comply with the limits for a Class B computing device peripheral, pursuant to Parts 15 and 27 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation.

This equipment generates, uses, and can radiate radio frequency energy. If not installed and used in accordance with the instructions, it may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation.

If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:

• Reorient or relocate the receiving antenna.
• Increase the separation between the equipment and receiver.
• Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
• Consult the dealer or an experienced radio/TV technician for help.

CAUTION: Any changes or modifications not expressly approved by EMS Ltd could void the user’s authority to operate the equipment.

This device complies with Parts 15 and 27 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.

Certification Information (SAR)

Your wireless device is a radio transmitter and receiver. It is designed not to exceed the limits for exposure to radio waves recommended by international guidelines.

These guidelines are developed by the independent scientific organization International Commission on Non-ionizing Radiation Protection (ICNIRP) and include safety margins designed to assure the protection of all persons, regardless of age and health.

The guidelines use a unit of measurement known as the Specific Absorption Rate, or SAR. The SAR limit for wireless devices is 2.0 watts/kilogram (W/kg) and the highest SAR value for this device when tested complies with this limit.

Important safety information regarding radio frequency (RF) radiation exposure is as follows:

To ensure compliance with RF exposure guidelines, the device must be used with a minimum of 2.5cm distance from the body. Failure to observe these instructions could result in your RF exposure exceeding the relevant guideline limits.

Technical Data

• 2412 ~ 2472, 2484 MHz (subject to local regulations)
• Modulation Technology: OFDM and DSSS
• Modulation Techniques: 64QAM, 16QAM, QPSK, BPSK, CCK, DQPSK, DBPSK
• Data Rates: 54, 48, 36, 18, 12, 9, 11, 6, 5.5, 2, and 1 Mbps, auto fallback
• Peak Output Power: Targeted at 14dBm @54Mbps, 18dBm @11Mbps
• Minimum Receive Sensitivity: Targeted at -70dBm @54Mbps; -80dBm @11Mbps
• Antenna: External antenna with the gain of 2dBi, L type

Safety Regulation and Operating Environment

• FCC Part 15 (USA) DGT ()
• EMC certification
• CE (Europe)
• Temperature Range Operating: 0 ~ 40 degree C
• Storage: -20 ~ 65 degree C


Optional WiFi Radio Aerial

Technical Data GSM

• GSM 850/900: 824 - 960 MHz
• GSM 1800: 1710 - 1990 MHz
• UMTS: 2.1 GHz
• WLAN: 2.4 GHz
• Gain: 2.2 dBi
• VSWR: <= 2.0
• Polarization: vertical
• max. Power: 25 W
• Connector[GSM]: SMA male

2 x WiFi Aerial


Appendix B - Optional 3G Radio Component

Two optional 3G radio components may be attached to the i-MO to provide a 3G signal.

Technical Data: GSM/UMTS Specifications

Frequency ranges (identical for External Aerial Types A, B and C):

• GSM 850 / 900 MHz: 824 - 960 MHz
• GSM 1800 MHz: 1710 - 1990 MHz
• UMTS 2,1 GHz: 1900 - 2170 GHz

                  External Aerial Type A   External Aerial Type B   External Aerial Type C
Gain              2.2 dBi                  5 dBi                    2.2 dBi
Polarization      vertical                 vertical                 vertical
Rod Length        53mm                     290mm                    240mm
Power maximum     25W                      20 W                     10 W
Cable length      -                        2500 mm                  5000 mm
Cable type        -                        RG 174                   RG 58
Connector         SMA male                 SMA male                 SMA male
VSWR              <= 2.0                   <= 1.5                   1.5

External Installation

Safety

Installation of this antenna near power lines is dangerous. For your safety, follow these instructions.

Select your installation site with safety, as well as performance in mind. Remember: electric power lines and phone lines look alike. For your safety, assume that any overhead line can kill you.

When installing your antenna, remember:

• Do not use a metal ladder.
• Do not work on a wet or windy day.
• Do dress properly—shoes with rubber soles and heels, rubber gloves, long sleeved shirt or jacket.

If any part of the antenna system should come in contact with a power line, don’t touch it or try to remove it yourself. Call your local power company. They will remove it safely. If an accident should occur with the power lines call for qualified emergency help immediately.

Choosing a Mounting Location

The location of the antenna is important. Objects such as metal columns, walls, etc. will reduce efficiency. Best performance is achieved when antennas are mounted at the same height and in a direct line of sight with no obstructions. If this is not possible and reception is poor, you should try different mounting positions to optimize reception.

The antenna is designed to create an omni-directional broadcast pattern. To achieve this pattern, the antenna should be mounted clear of any obstructions to the sides of the radiating element. If the mounting location is on the side of a building or tower, the antenna pattern will be degraded on the building or tower side.

Before attempting to install your antenna, think where you can best place the antenna for safety and performance. Install your antenna at about 8 to 10 feet above the ground and away from all power lines and obstructions.

Mounting the Antennas

The antennas should be mounted externally and as high as possible but ensure they are clear of any power lines. The antennas should be spaced about 1 metre apart. The antenna is vertically polarized. Since the antenna has vertical gain, it is very important to mount the antenna in a vertical (not leaning) position for optimal performance.

Connecting the External Antennas to the i-MO

The connector on each 3G aerial cable should be attached to the aerial sockets by means of the screw threads as shown below.


Appendix C

Access Point Name File

The Access Point Name file defines the APN that will be used to set up a data call and also the network name that is displayed on the front panel.

The file format is XML and includes the DTD at the start of the file:

]>

The file consists of one or more elements. Within the network the Mobile Country Code (mcc), Mobile Network Code (mnc) and Access Point Name (apn) MUST be specified. The other entries are optional. E.g.

422 2 oman mobile taif Oman

422 3 nawras isp.nawras.com.om Nawras


Appendix D

Configuration File

The Web Interface enables the most common deployment scenarios to be configured and managed. However, more advanced configurations may require editing of the device configuration file.

The configuration file consists of section headers and name value pairs. The configuration may include comment lines, but these will be lost if the configuration is edited using the web interface. A comment always starts on a new line and the first character must be a hash, e.g.:

    # This is a comment - it will be lost if the configuration is edited using
    # the web interface

A new section header starts the configuration of a feature or group of settings. A section header always starts on a new line and is enclosed by square brackets (e.g. [sys]). It is followed by one or more name value pairs. Name value pairs always start on a new line and the value part is enclosed by quote characters (e.g. hostname="imo4-xxxxxx.build.ems-imo.com").

Names are formed by using the device or option name, followed by the index of the device or option if there is more than one. The name may then be further extended by adding any sub-options.

For example the name to set the start IP address of the DHCP server for the second Ethernet port is: eth1dhcpstartip

The [sys] section sets a few system-wide options. The only option that must be set is the "hostname" for the router.

    [sys]
    hostname="imo4-xxxxxx.build.ems-imo.com"
    timezone="GMT"
    ntpserver="pool.ntp.org"
    dnsserver="8.8.8.8, 8.8.4.4"

The [display] section configures what is shown on the front display of the unit.

With this you can enable or disable status display for the different system functions.

Each option can be set to yes or no.

    [display]
    time="yes"
    tunneling="yes"
    wan="no"
    mobilerouter="yes"

The [lan] section configures the physical and logical network interfaces.

The i-MO 310 and 540 appliances have 6 Gb Ethernet ports plus an optional 802.11 b/g/n wireless interface. The GbE interfaces are named eth0 through eth5 and the wireless interface is named wlan0.


All of the physical devices can be individually configured and can be assigned to internal, dmz, or external zones in the firewall.

One or more physical interfaces can be combined into a single logical interface (br0). The logical interface is like an Ethernet switch and MAC address to physical port mappings are typically remembered for up to 5 minutes before traffic for a given address is broadcast to all ports again.

The following shows an example of configuring Ethernet ports 0-2 and wlan0 as a single bridged interface. The DHCP range is set to 100 addresses from 100 to 199 and the interface is assigned to the internal zone on the firewall. The Wi-Fi SSID is set to "imo" and the shared key is "12345678":

    [lan]
    # Enable the br0 logical interface
    br0enabled="yes"
    # Add this interface to the internal zone in firewall
    br0firewallzone="internal"
    # IP address and netmask for the interface
    br0ip="192.168.0.1/24"
    # Enable DHCP on this interface
    br0dhcp="yes"
    # Set the DHCP range
    br0dhcpstartip="192.168.0.100"
    br0dhcpendip="192.168.0.199"
    # Set DHCP DNS and WINS options
    dhcpdnsserver1="8.8.8.8"
    dhcpdnsserver2="8.8.4.4"
    dhcpwinsserver1="10.0.1.16"
    dhcpwinsserver2="10.0.1.17"
    dhcpdnsdomain="mydomain.com"
    # Enable the eth0, eth1, eth2 and wlan0 ports and add to the br0 interface
    eth0enabled="yes"
    eth0bridging="yes"
    eth1enabled="yes"
    eth1bridging="yes"
    eth2enabled="yes"
    eth2bridging="yes"
    wlan0enabled="yes"
    wlan0bridging="yes"
    wlan0wifissid="imo"
    wlan0wifiwpakey="12345678"
    wlan0wifichannel="manual"
    wlan0wifichannelvalue="5"
    wlan0wifirate="manual"
    wlan0wifiratevalue="24"
    wlan0wifi80211mode="g"

Ethernet port 3 is configured for a separate subnet with its own DHCP range. Unless a routing rule is added in the [fw] section, no data will be routed between the 192.168.0.0/24 and 192.168.100.0/24 subnets.

    eth3enabled="yes"
    eth3bridging="no"
    eth3firewallzone="internal"
    eth3ip="192.168.100.1/24"
    eth3dhcp="yes"
    eth3dhcpstartip="192.168.100.50"
    eth3dhcpendip="192.168.100.99"

Ethernet port 4 is configured as DMZ zone:

    eth4enabled="yes"
    eth4bridging="no"
    # Add this port to the firewall dmz zone
    eth4firewallzone="dmz"
    eth4ip="172.16.0.1/24"

Ethernet port 5 is configured as a WAN port and placed in the external zone:

    eth5enabled="yes"
    eth5bridging="no"
    # Add this port to the firewall external zone
    eth5firewallzone="external"
    eth5ip="195.74.68.4/28"

The [fw] section configures various options for the firewall. The masq option enables masquerading or NATting.

The masqnets rule defines which internal computers/networks are allowed to access the internet via masquerading.

The format of the rule is a space separated list of [,,[,port[:port]]

If the protocol is icmp then port is interpreted as ICMP type.

Examples:

• "0/0" unrestricted access to the internet
• "10.0.0.0/8" allows the whole 10.0.0.0 network with unrestricted access.
• "10.0.1.0/24,0/0,tcp,80 10.0.1.0/24,0/0,tcp,21" allows http and ftp traffic from the 10.0.1.0 network to the internet.
• "10.0.1.0/24,0/0,tcp,1024:65535 10.0.2.0/24" the 10.0.1.0/24 network is allowed to access unprivileged ports whereas 10.0.2.0/24 is granted unrestricted access.

The nomasqnets rule defines which internal computers/networks to exclude from masquerading.

The format of the rule is a space separated list of [,,[,port[:port]]

Examples:

• "0/0,10.0.0.0/8" do not masquerade packets from anywhere to the 10.0.0.0/8 network

The forward rule defines which services or networks are routed through the firewall, regardless of which zone they are in.


With this option you can allow access to e.g. your mailserver. The machines must have valid public IP addresses.

The format of the rule is a space separated list of ,[,protocol[,destination port[,flags]]]

If the protocol is icmp then port is interpreted as ICMP type.

The flags parameter is a comma separated list and may consist of one or more of the following:

• ipsec matches packets that originate from an IPsec tunnel
• zonein=zone name matches packets entering on interfaces in the specified zone
• zoneout=zone name matches packets leaving on interfaces in the specified zone

Examples:

• "1.1.1.1,2.2.2.2" allow the host 1.1.1.1 to access any service on the host 2.2.2.2
• "3.3.3.3/16,4.4.4.4/24" allow the network 3.3.3.3/16 to access any service in the network 4.4.4.4/24
• "5.5.5.5,6.6.6.6,igmp" allow routing of IGMP messages from 5.5.5.5 to 6.6.6.6
• "0/0,0/0,udp,514" always permit udp port 514 through the firewall
• "192.168.1.0/24,10.10.0.0/16,,,ipsec \ 10.10.0.0/16,192.168.1.0/24,,,ipsec" permit traffic from 192.168.1.0/24 to 10.10.0.0/16 and vice versa provided that both networks are connected via an IPsec tunnel
• "fd76:9dbb:91a3:1::/64,fd76:9dbb:91a3:4::/64,tcp,ssh" allow ssh from one IPv6 network to another

The following example shows masquerading enabled for all data from the local subnet except for the traffic that will be routed over the VPN tunnel to the remote 10.0.0.0/24 subnet.

    [fw]
    enabled="yes"
    masq="yes"
    masqnets="0/0"
    nomasqnets="192.168.0.0/24,10.0.0.0/24"
    # Enable routing over the VPN tunnel between the remote and local IPs
    # Note the rule includes both the forward and reverse direction!
    forward="192.168.0.0/24,10.0.0.0/24 10.0.0.0/24,192.168.0.0/24"

The [tunneling] section configures one or more tunnels that are used for encrypting traffic or for bonding multiple physical links into a single logical link.

A tunnel is defined by setting its logical name. This should match the available tunnel names on the Concentrator.

The protocol version allows for communication with Concentrators running different i-MO releases. It should normally be configured for a value of 2.

The IP is the internal endpoint of the tunnel on the i-MO appliance which is used on the Concentrator for routing and must be unique.

The key is a shared secret used to authenticate the i-MO appliance with the Concentrator. The randomness and length of the key affects the quality of the encryption if enabled. For applications that require good security you should use a 16 or 32 character key and it should consist of numbers plus upper and lower case letters. Standard dictionary words should not be used.


This is an example of a poor key: thisismykey

This is a much stronger key: vjXt3Z7bqw6rjUXe

Traffic over the tunnel can be encrypted by setting the encrypt option to yes. The default encryption is Blowfish 128.

The compress option enables compression of data sent over the bonded channel. The default value is no. Valid options are no, yes, zlib:x where x is a number between 1 and 9 that specifies the level of compression with 1 giving best speed and 9 giving the best compression.

The bonding option specifies if the link will be used for bonding of multiple connections, the default value is yes. This value should be set to no if the tunnel is only being used for failover. If bonding is not enabled then only one instance of the tunnel must exist at any time.

The networks option is used to update the routing table when the tunnel is active. This option is either a CIDR (e.g. 192.168.0.1/24) or the value “default”, which means that any traffic that does not match another routing rule will be sent over this link.

The heartbeatrefresh sets how often, in seconds, the status of the tunnel is checked. The status of the tunnel is checked by sending an ICMP ping to the remote end of the tunnel. The heartbeatperiod sets the number of seconds the link should be unresponsive before the tunnel is destroyed.

    [tunneling]
    enabled="yes"
    tunnel0name="imo"
    tunnel0protocolversion="2"
    tunnel0ip="10.250.250.250"
    tunnel0key="imokey"
    tunnel0encrypt="no"
    tunnel0compress="no"
    tunnel0bonding="yes"
    tunnel0networks="default"
    tunnel0heartbeatrefresh="10"
    tunnel0heartbeatperiod="30"
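The following added example (not part of the EMS manual or firmware) parses the configuration format described in this appendix and checks it against the manual's own guidance: tunnel key length and character mix, the 8-63 character WPA key rule from the manual's example comments, and forward rules that lack the reverse direction. The function names and the sample configuration are constructed for illustration.

```python
import re

SECTION_RE = re.compile(r'^\[(\w+)\]$')
# name="value", optionally followed by a trailing "# comment" as in the manual's examples
PAIR_RE = re.compile(r'^(\w+)="([^"]*)"\s*(?:#.*)?$')

# Constructed sample configuration (not taken from a real device).
# Line 16 uses typographic quotes, as happens when settings are pasted from a PDF.
SAMPLE = '''\
# Remote site router
[lan]
wlan0wifissid="imo"
wlan0wifiwpakey="123456"
[fw]
enabled="yes"
forward="192.168.0.0/24,10.0.0.0/24 10.0.0.0/24,192.160.0.0/24"
[tunneling]
tunnel0name="imo"
tunnel0key="thisismykey"
tunnel0encrypt="no"
tunnel1name="backup"   # trailing comment
tunnel1key="vjXt3Z7bqw6rjUXe"
tunnel1encrypt="yes"
[display]
wan=“yes”
'''


def parse_config(text):
    """Return ({section: {name: value}}, [(line_no, raw_line)] for lines that do not parse)."""
    sections, rejected, current = {}, [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue  # blank line or comment line
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        m = PAIR_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
        else:
            rejected.append((no, raw))
    return sections, rejected


def key_problems(key):
    """Check a tunnel key against the manual's advice (16 or 32 characters,
    numbers plus upper and lower case letters). Anything under 16 is flagged."""
    problems = []
    if len(key) < 16:
        problems.append('shorter than 16 characters')
    if not (re.search(r'\d', key) and re.search(r'[a-z]', key) and re.search(r'[A-Z]', key)):
        problems.append('does not mix digits, upper and lower case letters')
    return problems


def unpaired_forward_rules(forward):
    """Return 'source,destination' for every forward entry whose reverse entry is absent."""
    rules = []
    for entry in forward.split():
        parts = entry.split(',')
        if len(parts) >= 2:
            rules.append((parts[0], parts[1], tuple(parts[2:])))
    present = set(rules)
    return [f'{s},{d}' for s, d, rest in rules if (d, s, rest) not in present]


def audit(text):
    """Return a list of human-readable findings for one configuration file."""
    sections, rejected = parse_config(text)
    findings = [f'line {no}: not a section header, comment or name="value" pair: {raw.strip()}'
                for no, raw in rejected]
    for name, value in sections.get('tunneling', {}).items():
        m = re.fullmatch(r'tunnel\d+(key|encrypt)', name)
        if not m:
            continue
        if m.group(1) == 'key':
            findings += [f'[tunneling] {name}: {p}' for p in key_problems(value)]
        elif value != 'yes':
            findings.append(f'[tunneling] {name}: tunnel traffic is not encrypted')
    for name, value in sections.get('lan', {}).items():
        if name.endswith('wifiwpakey') and not 8 <= len(value) <= 63:
            findings.append(f'[lan] {name}: WPA key must be 8-63 characters long')
    forward = sections.get('fw', {}).get('forward', '')
    findings += [f'[fw] forward: no reverse rule for {r}' for r in unpaired_forward_rules(forward)]
    return findings


if __name__ == '__main__':
    for finding in audit(SAMPLE):
        print(finding)
```

A forward entry without its reverse is not always a mistake (a deliberately one-way rule is valid), so treat that finding as a prompt to review the rule rather than as an error.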

The [vpn] section configures one or more IPSEC tunnels.

The following example shows configuring an IPSEC VPN from the public IP of the i-MO appliance (195.74.68.12) to the public IP of the VPN server (100.68.86.56). Two tunnels will be created, one for each of the remote subnets 172.16.0.0/12 and 10.0.0.0/8.

    [vpn]
    enabled="yes"
    remotepeerip="100.68.86.56"
    remotesubnets="172.16.0.0/12 10.0.0.0/8"
    remoteid_is_auto="no"
    remoteid=
    localid_is_auto="no"
    localpeerip_is_auto="no"
    localpeerip="195.74.68.12"
    localid=
    localinterface="br0"
    localsubnets="172.16.0.0/1 172.16.0.0/2"
    sharedkey="imovpnsharedsecret"
    # Do not autonegotiate connect, only accept the options set
    phase1_combined_encrypt_hashing_dhmode_is_auto="no"
    # Set the phase 1 encryption to 3des. Available options are 3des or aes
    phase1encrypt="3des"
    # Set the phase 1 hash to md5, available options are md5 or sha1
    phase1hashing="md5"
    # Set the Diffie Hellman Group
    phase1dhmode="modp1024"
    # Lifetime in seconds
    phase1lifetime_is_auto="no"
    phase1lifetime="28800"

    phase2_combined_encrypt_hashing_is_auto="yes"
    phase2encrypt="3des"
    phase2hashing="md5"
    phase2pfs="no"
    phase2lifetime_is_auto="no"
    phase2lifetime="3600"

The [failover] section configures the failover from a primary to secondary or backup link. The router updates the internal tables every "refresh" seconds and if the active link is down for "period" seconds then it will be marked as unavailable.

A failover link can be a physical interface (e.g. eth0) or a tunnel (e.g. imo).

When an interface becomes active the “networks” option is used to update the routing table. This option is either a CIDR (e.g. 192.168.0.1/24) or the value “default”, which means that any traffic that does not match another routing rule will be sent over this link.

In the following example eth1 is defined as the primary link. The interface is checked every 5 seconds and if eth1 is reported as down for 15 seconds the default route is switched to eth2.

    [failover]
    enabled="yes"
    routerrefresh="5"
    routerperiod="15"
    networks="default" # (or a space separated list of CIDR)
    tunnel="failovertunnel"
    link0device="eth1"
    link1device="eth2"

The values for “refresh” and “period” should be carefully considered. If the link has high latency or packet loss, then setting these values too low may cause the router to wrongly mark the link as down and start the failover process.

A heavily utilised or saturated link may cause packet loss or very high latency. If the “period” is set too low then the router may wrongly mark the link as down. Once the failover has occurred the primary link will become responsive again and it will be restored, which may lead to “flapping”.

For cellular based connections that suffer more packet loss than wired circuits the refresh should be 10 seconds and the period 40 to 60 seconds.


The [mobilerouter] section sets the options for the router process that manages the available cellular connections. The status of a link is tested by sending an ICMP ping to the "heartbeataddress" which can be either a fully qualified domain name or an IP address.

If a tunnelname and concentratoraddress is specified then a new tunnel will be created or the link added to an existing tunnel if bonding is enabled on the tunnel.

The networks option will add a route to the given subnets on this interface. The value may either be “default” or a CIDR.

    [mobilerouter]
    enabled="yes"
    # Number of seconds between update
    heartbeatrefresh="10"
    # Number of seconds before an inactive link is disabled
    heartbeatperiod="30"

    mob0linkname="mob0"
    # Override the default values for this link
    mob0heartbeatrefresh="20"
    mob0heartbeatperiod="50"
    mob0hearbeataddress="1.2.3.4"
    mob0concentratoraddress="1.2.3.4"
    mob0tunnelname="tunnelname"
    mob0networks="10.11.12.13/24"

    mob1linkname="mob1"
    mob1hearbeataddress="1.2.3.1"
    mob1concentratoraddress="1.2.3.1"
    mob1tunnelname="tunnelname"
    mob1networks="10.11.12.14/24"

The [wan] section is used to configure any interfaces that are used for WAN links.

The wan router process is started when enabled is set to yes.

The device is the physical name of an interface, typically this will be one of the internal GbE ports.

The gateway option sets the nexthop for data sent via this interface.

The status of a link is tested by sending an ICMP ping to the "heartbeataddress" which can be either a fully qualified domain name or an IP address. The link is checked every heartbeatrefresh seconds and if the link is unresponsive for heartbeatperiod seconds then the port is marked as down.

If a tunnelname and concentratoraddress is specified then a new tunnel will be created or the link added to an existing tunnel if bonding is enabled on the tunnel.

The networks option will add a route for the given subnet on this interface. The value may either be “default” or a CIDR.

    [wan]
    enabled="yes"
    # device must be defined to enable this interface
    wan0device="eth1"
    wan0gateway="1.2.3.6"
    # Number of seconds between update
    wan0heartbeatrefresh="10"
    # Number of seconds that the interface must be down before being marked as unavailable
    wan0heartbeatperiod="30"
    # Address of heart beat device used to check interface active
    wan0hearbeataddress="1.2.3.7"
    wan0concentratoraddress="1.2.3.7"
    wan0tunnel="wantunnel"
    wan0networks="default" # (or a CIDR)

    # device must be defined to enable this interface
    wan1device="eth2"
    # Number of seconds between update
    wan1heartbeatrefresh="10"
    # Number of seconds that the interface must be down before being marked as unavailable
    wan1heartbeatperiod="30"
    # Address of heart beat device used to check interface active
    wan1hearbeataddress="1.2.3.8"
    wan1concentratoraddress="1.2.3.8"
    wan1tunnel="wantunnel"


Example 1. 1 x WAN Link, 1 X LTE for failover without a Concentrator

This configuration provides a resilient Internet connection. In the event of the primary (WAN) link failing all traffic is routed via the secondary (LTE) link.

All traffic from the private subnet to the public internet is masqueraded or NATted. No services or ports are open on the external or public side of the firewall.

The integrated WiFi access point and the first 5 GbE ports are bridged into a single logical interface.

The diagram below shows the logical network diagram.

Logical Network Diagram

    [sys]
    hostname="imo"                    # Set the hostname

    # Display time, wan and mobile status
    [display]
    time="yes"
    tunneling="no"
    wan="yes"
    mobilerouter="yes"

    [lan]
    br0enabled="yes"                  # Enable logical bridge device
    br0firewallzone="internal"        # Place interface in internal firewall zone
    br0ip="192.168.0.1/24"            # Set IP address/netmask of bridge interface
    br0dhcp="yes"                     # Enable DHCP service on interface
    br0dhcpstartip="192.168.0.100"    # Set start and end address for DHCP
    br0dhcpendip="192.168.0.199"
    dhcpdnsserver1="8.8.8.8"          # Use GOOGLE public DNS servers
    dhcpdnsserver2="8.8.4.4"
    dhcpdnsdomain="mydomain.com"      # Set default DHCP domain
    eth0enabled="yes"                 # Enable ports 0–4 and add to bridge interface
    eth0bridging="yes"
    eth1enabled="yes"
    eth1bridging="yes"
    eth2enabled="yes"
    eth2bridging="yes"
    eth3enabled="yes"
    eth3bridging="yes"
    eth4enabled="yes"
    eth4bridging="yes"
    wlan0enabled="yes"                # Enable WiFi and add to bridge interface
    wlan0bridging="yes"
    wlan0wifissid="imo"               # Set SSID
    wlan0wifiwpakey="12345678"        # Set WPA key – must be 8-63 characters long
    wlan0wifichannel="manual"         # Only manual selection currently supported
    wlan0wifichannelvalue="6"         # Set WiFi Channel 1-13, 1/6/11 preferred
    wlan0wifirate="manual"            # Set maximum
    wlan0wifiratevalue="24"
    wlan0wifi80211mode="g"            # Set WiFi 802.11b/g mode
    eth5enabled="yes"                 # Configure port 5 as WAN port
    eth5bridging="no"
    eth5firewallzone="external"       # Place in external zone
    eth5ip="195.74.68.4/28"           # Set IP address/netmask
    eth5dhcp="no"

    [failover]
    enabled="yes"                     # Enable failover
    routerrefresh="10"                # The failover router will be updated
                                      # every "routerrefresh" seconds
    routerperiod="31"                 # If active link is unavailable for
                                      # "routerperiod" seconds it will be
                                      # marked unavailable and next failover
                                      # link will become active
    networks="default"                # Subnet to be routed to active failover link
    link0device="eth5"                # Interface or link name for primary link
    link1device="mob0"                # Interface or link name for secondary link

    [tunneling]
    enabled="no"                      # Disable tunneling

    [wan]
    enabled="yes"                     # Enable WAN router
    wan0device="eth5"                 # Device for this port
    wan0gateway="195.74.68.1"         # Gateway address
    wan0heartbeatrefresh="10"         # Status of the link will be checked
                                      # every "heartbeatrefresh" seconds
    wan0heartbeatperiod="30"          # If the heartbeat address is unavailable for
                                      # "heartbeatperiod" seconds it will be
                                      # marked as down
    wan0hearbeataddress="8.8.8.8"     # The address of the heart beat device
                                      # This address must respond to ICMP pings

    [mobilerouter]
    enabled="yes"                     # Enable the mobile router
    mob0linkname="mob0"               # Link name for the cellular link
    mob0heartbeatrefresh="20"         # Status of the link will be checked
                                      # every "heartbeatrefresh" seconds
    mob0heartbeatperiod="50"          # If heartbeat address is unavailable for
                                      # "heartbeatperiod" seconds it will be
                                      # marked as down
    mob0hearbeataddress="8.8.4.4"     # The address of the heartbeat device
                                      # This address must respond to ICMP pings

    [vpn]
    enabled="no"                      # VPN disabled

    [fw]
    enabled="yes"                     # Enable the firewall
    masq="yes"                        # Enable masquerading (NAT)
    masqnets="0/0"                    # Masquerade all traffic sent to external zone

    [nas]
    enabled="yes"                     # Enable the NAS server


Example 2. 1 x WAN Link, 1 x LTE for failover with a Concentrator

This configuration provides a resilient private connection between the remote site and the head-office network. In the event of the primary (WAN) link failing all traffic is routed via the secondary (LTE) link.

All traffic from the remote site is routed over the private tunnel to the head office network. The firewall does not masquerade any packets and no services or ports are open on the external or public side of the firewall.

The integrated WiFi access point and the first 5 GbE ports are bridged into a single logical interface.

The diagram below shows the logical network diagram.

[Figure: Logical Network Diagram]

[sys]
hostname="imo"  # Set the hostname

# Display time, tunneling, WAN and mobile status
[display]
time="yes"
tunneling="yes"
wan="yes"
mobilerouter="yes"

[lan]
br0enabled="yes"  # Enable logical bridge device
br0firewallzone="internal"  # Place interface in internal firewall zone
br0ip="192.168.0.1/24"  # Set IP address/netmask of bridge interface
br0dhcp="yes"  # Enable DHCP service on interface
br0dhcpstartip="192.168.0.100"  # Set start and end address for DHCP
br0dhcpendip="192.168.0.199"
dhcpdnsserver1="10.0.0.16"  # Use head office private DNS servers
dhcpdnsserver2="10.0.0.17"
dhcpdnsdomain="mydomain.com"  # Set default DHCP domain
eth0enabled="yes"  # Enable ports 0–4 and add to bridge interface
eth0bridging="yes"
eth1enabled="yes"
eth1bridging="yes"
eth2enabled="yes"
eth2bridging="yes"
eth3enabled="yes"
eth3bridging="yes"
eth4enabled="yes"
eth4bridging="yes"
wlan0enabled="yes"  # Enable WiFi and add to bridge interface
wlan0bridging="yes"
wlan0wifissid="imo"  # Set SSID
wlan0wifiwpakey="12345678"  # Set WPA key – must be 8-63 characters long
wlan0wifichannel="manual"  # Only manual selection currently supported
wlan0wifichannelvalue="6"  # Set WiFi Channel 1-13, 1/6/11 preferred
wlan0wifirate="manual"  # Set maximum bandwidth
wlan0wifiratevalue="24"
wlan0wifi80211mode="g"  # Set WiFi 802.11b/g mode
eth5enabled="yes"  # Configure port 5 as WAN port
eth5bridging="no"
eth5firewallzone="external"  # Place in external zone
eth5ip="195.74.68.4/28"  # Set IP address/netmask

[failover]
enabled="yes"  # Enable failover
routerrefresh="10"  # The failover router will be updated
                    # every “routerrefresh” seconds
routerperiod="31"  # If active link is unavailable for
                   # “routerperiod” seconds it will be
                   # marked unavailable and next failover
                   # link will become active.
tunnel="imo"  # Name of tunnel to create when a
              # failover link becomes active
link0device="eth5"  # Interface or link name for primary link
link1device="mob0"  # Interface or link name for secondary link

[tunneling]
enabled="yes"  # Enable tunneling
protocolversion="2"  # i-MO version 2 protocol (default protocol)
encrypt="yes"  # Encrypt tunnels by default
compress="no"  # Do not compress by default
tunnel0name="imo"  # Set tunnel name
tunnel0firewallzone="internal"  # Set to trusted firewall zone
tunnel0ip="10.250.0.10"  # IP address for tunnel
tunnel0key="imokey"  # Shared secret
tunnel0bonding="no"  # Channel bonding off
                     # this tunnel is only used for failover
tunnel0networks="default"  # Subnets to route over the tunnel
                           # “default” shows this is the default route

[wan]
enabled="yes"  # Enable WAN router
wan0device="eth5"  # Device for this port
wan0gateway="195.74.68.1"  # Gateway address
wan0heartbeatrefresh="10"  # Status of the link will be checked
                           # every “heartbeatrefresh” seconds
wan0heartbeatperiod="30"  # If the heartbeat address is unavailable for
                          # “heartbeatperiod” seconds it will be
                          # marked as down
wan0hearbeataddress="195.74.68.131"  # Address of the heartbeat device
                                     # When a tunnel is being used this is
                                     # normally the IP of the Concentrator
wan0concentratoraddress="195.74.68.131"  # Address of the Concentrator

[mobilerouter]
enabled="yes"  # Enable the mobile router
mob0linkname="mob0"  # Link name for the cellular link
mob0heartbeatrefresh="20"  # Status of the link will be checked
                           # every “heartbeatrefresh” seconds
mob0heartbeatperiod="50"  # If heartbeat address is unavailable for
                          # “heartbeatperiod” seconds it will be
                          # marked as down
mob0hearbeataddress="195.74.68.130"  # Address of the heartbeat device
                                     # When a tunnel is being used this is
                                     # normally the IP of the Concentrator
mob0concentratoraddress="195.74.68.130"  # Address of the Concentrator

[vpn]
enabled="no"  # VPN disabled

[fw]
enabled="yes"  # Enable the firewall
masq="no"  # Disable masquerading (NAT)
forward="192.168.0.0/24,10.0.0.0/24 10.0.0.0/24,192.168.0.0/24"  # Forward traffic for tunnel

[nas]
enabled="yes"  # Enable the NAS server


Example 3. 1 x WAN Link, 1 x LTE for failover with a Concentrator & split routing

This configuration provides a resilient private connection between the remote site and the head-office network. In the event of the primary (WAN) link failing all traffic is routed via the secondary (LTE) link.

All traffic for the head office is routed over the private tunnel and traffic for the Internet is sent out the active interface. The firewall masquerades traffic for the Internet but does not masquerade traffic sent over the tunnel to the head office network.

The integrated WiFi access point and the first 5 GbE ports are bridged into a single logical interface.

The diagram below shows the logical network diagram.

[Figure: Logical Network Diagram]

[sys]
hostname="imo"  # Set the hostname

# Display time, tunneling, WAN and mobile status
[display]
time="yes"
tunneling="yes"
wan="yes"
mobilerouter="yes"

[lan]
br0enabled="yes"  # Enable logical bridge device
br0firewallzone="internal"  # Place interface in internal firewall zone
br0ip="192.168.0.1/24"  # Set IP address/netmask of bridge interface
br0dhcp="yes"  # Enable DHCP service on interface
br0dhcpstartip="192.168.0.100"  # Set start and end address for DHCP
br0dhcpendip="192.168.0.199"
dhcpdnsserver1="10.0.0.16"  # Use head office private DNS servers
dhcpdnsserver2="10.0.0.17"
dhcpdnsdomain="mydomain.com"  # Set default DHCP domain
eth0enabled="yes"  # Enable ports 0–4 and add to bridge interface
eth0bridging="yes"
eth1enabled="yes"
eth1bridging="yes"
eth2enabled="yes"
eth2bridging="yes"
eth3enabled="yes"
eth3bridging="yes"
eth4enabled="yes"
eth4bridging="yes"
wlan0enabled="yes"  # Enable WiFi and add to bridge interface
wlan0bridging="yes"
wlan0wifissid="imo"  # Set SSID
wlan0wifiwpakey="12345678"  # Set WPA key – must be 8-63 characters long
wlan0wifichannel="manual"  # Only manual selection currently supported
wlan0wifichannelvalue="6"  # Set WiFi Channel 1-13, 1/6/11 preferred
wlan0wifirate="manual"  # Set maximum bandwidth
wlan0wifiratevalue="24"
wlan0wifi80211mode="g"  # Set WiFi 802.11b/g mode
eth5enabled="yes"  # Configure port 5 as WAN port
eth5bridging="no"
eth5firewallzone="external"  # Place in external zone
eth5ip="195.74.68.4/28"  # Set IP address/netmask

[failover]
enabled="yes"  # Enable failover
routerrefresh="10"  # The failover router will be updated
                    # every “routerrefresh” seconds
routerperiod="31"  # If active link is unavailable for
                   # “routerperiod” seconds it will be
                   # marked unavailable and next failover
                   # link will become active.
tunnel="imo"  # Name of tunnel to create when a
              # failover link becomes active
networks="default"  # Active interface is default route
link0device="eth5"  # Interface or link name for primary link
link1device="mob0"  # Interface or link name for secondary link

[tunneling]
enabled="yes"  # Enable tunneling
protocolversion="2"  # i-MO version 2 protocol (default protocol)
encrypt="yes"  # Encrypt tunnels by default
compress="no"  # Do not compress by default
tunnel0name="imo"  # Set tunnel name
tunnel0firewallzone="internal"  # Set to trusted firewall zone
tunnel0ip="10.250.0.10"  # IP address for tunnel
tunnel0key="imokey"  # Shared secret
tunnel0bonding="no"  # Channel bonding off
                     # this tunnel is only used for failover
tunnel0networks="10.0.0.0/24"  # Subnets to route over the tunnel

[wan]
enabled="yes"  # Enable WAN router
wan0device="eth5"  # Device for this port
wan0gateway="195.74.68.1"  # Gateway address
wan0heartbeatrefresh="10"  # Status of the link will be checked
                           # every “heartbeatrefresh” seconds
wan0heartbeatperiod="30"  # If the heartbeat address is unavailable for
                          # “heartbeatperiod” seconds it will be
                          # marked as down
wan0hearbeataddress="195.74.68.131"  # Address of the heartbeat device
                                     # When a tunnel is being used this is
                                     # normally the IP of the Concentrator
wan0concentratoraddress="195.74.68.131"  # Address of the Concentrator

[mobilerouter]
enabled="yes"  # Enable the mobile router
mob0linkname="mob0"  # Link name for the cellular link
mob0heartbeatrefresh="20"  # Status of the link will be checked
                           # every “heartbeatrefresh” seconds
mob0heartbeatperiod="50"  # If heartbeat address is unavailable for
                          # “heartbeatperiod” seconds it will be
                          # marked as down
mob0hearbeataddress="195.74.68.130"  # Address of the heartbeat device
                                     # When a tunnel is being used this is
                                     # normally the IP of the Concentrator
mob0concentratoraddress="195.74.68.130"  # Address of the Concentrator

[vpn]
enabled="no"  # VPN disabled

[fw]
enabled="yes"  # Enable the firewall
masq="yes"  # Enable masquerading (NAT)
masqnets="0/0"  # Masquerade traffic sent to external zone
nomasqnets="192.168.0.0/24,10.0.0.0/24 10.0.0.0/24,192.168.0.0/24"  # Do not masquerade traffic for tunnel
forward="192.168.0.0/24,10.0.0.0/24 10.0.0.0/24,192.168.0.0/24"  # Forward traffic for tunnel

[nas]
enabled="yes"  # Enable the NAS server


Appendix E

Configuration Options Reference

[sys]

Variable | Required | Default | Notes
hostname | Yes | imo.mydomain.com | RFC 1123 compliant hostname
timezone | No | GMT | GMT/GMT+x/GMT-x (x = integer)
ntpserver | No | pool.ntp.org | IP address or RFC 1123 hostname
dnsserver | No | 8.8.8.8, 8.8.4.4 | IP address list (comma separated if more than 1)

[display]

Variable | Required | Default | Notes
time | No | yes | yes/no
tunneling | No | yes | yes/no
wan | No | no | yes/no
mobilerouter | No | yes | yes/no

[lan]

Variable | Required | Default | Notes
br0enabled | Yes | yes | yes/no
br0firewallzone | Yes | internal | internal/external/dmz
br0ip | Yes | 192.168.0.1/24 | CIDR IP address
br0dhcp | If enabled | yes | yes/no
br0dhcpstartip | If br0dhcp | 192.168.0.100 | IP address within br0ip range
br0dhcpendip | If br0dhcp | 192.168.0.199 | IP address within br0ip range
eth[0-9]enabled | Yes | yes | yes/no
eth[0-9]bridging | Yes | yes | yes/no
eth[0-9]firewallzone | If enabled & not bridged |  | internal/external/dmz (blank if disabled/bridged)
eth[0-9]ip | If enabled & not bridged |  | CIDR IP address
eth[0-9]dhcp | If enabled & not bridged |  | yes/no (blank if interface disabled or bridged)
eth[0-9]dhcpstartip | If eth[0-9]dhcp |  | IP address within ethXip range
eth[0-9]dhcpendip | If eth[0-9]dhcp |  | IP address within ethXip range
wlan0enabled | Yes | yes | yes/no
wlan0bridging | Yes | yes | yes/no
wlan0firewallzone | If enabled & not bridged |  | internal/external/dmz (blank if disabled/bridged)
wlan0ip | If enabled & not bridged |  | CIDR IP address
wlan0dhcp | If enabled & not bridged |  | yes/no (blank if disabled/bridged)
wlan0dhcpstartip | If wlan0dhcp |  | IP address within wlanXip range
wlan0dhcpendip | If wlan0dhcp |  | IP address within wlanXip range
wlan0wifissid | Yes unless wlan0 disabled | imo | A-Z, a-z, 0-9 31 character limit
wlan0wifiwpakey | Yes unless wlan0 disabled | imo-xxxxxximo | 8-63 printable ASCII characters
wlan0wifichannel | Yes unless wlan0 disabled | manual | manual
wlan0wifichannelvalue | Yes unless wlan0 disabled | 6 | 1-13 (1, 6 or 11 preferred)
wlan0wifirate | Yes unless wlan0 disabled | auto | auto/manual
wlan0wifiratevalue | If wlan0wifirate = manual |  | 1, 2, 5.5, 6, 9, 12, 18, 24, 36, 48, 56
wlan0wifi80211mode | Yes unless wlan0 disabled | g | b/g
dhcpdnsserver1 | No |  | IP address/blank
dhcpdnsserver2 | No |  | IP address/blank
dhcpwinsserver1 | No |  | IP address/blank
dhcpwinsserver2 | No |  | IP address/blank
dhcpdnsdomain | No |  | Domain string or blank

[failover]

Variable | Required | Default | Notes
enabled | Yes | no | yes/no
routerrefresh | No |  | Integer 5-60
routerperiod | No |  | Integer 15-600
tunnel | No |  | Tunnel name – a-z 0-9 string
networks | If enabled (optional with tunneling) |  | [default] [CIDR] [CIDR]…
link[0-3]device | If enabled – at least one |  | Interface name

[tunneling]

Variable | Required | Default | Notes
enabled | Yes | yes | yes/no
protocolversion | No | 2 | Integer 0-9
firewallzone | No | external | internal/external/dmz
encrypt | No | no | yes/no
compress | No | no | yes/no
bonding | No | yes | yes/no
heartbeatrefresh | No | 10 | Integer 5-60
heartbeatperiod | No | 30 | Integer 10-600
tunnel[0-9]name | If enabled | imo | a-z 0-9 string
tunnel[0-9]protocolversion | No | 2 | Integer 0-9
tunnel[0-9]firewallzone | No | external | internal/external/dmz
tunnel[0-9]ip | If enabled | 10.250.250.250 | IP address
tunnel[0-9]key | If enabled | imokey | A-Z, a-z, 0-9 string
tunnel[0-9]encrypt | No | no | yes/no
tunnel[0-9]compress | No | no | yes/no
tunnel[0-9]bonding | No | yes | yes/no
tunnel[0-9]heartbeatrefresh | No | 10 | Integer 5-60
tunnel[0-9]heartbeatperiod | No | 30 | Integer 10-600
tunnel[0-9]networks | No | default | [default] [CIDR] [CIDR]…


[wan]

Variable | Required | Default | Notes
enabled | Yes | no | yes/no
heartbeatrefresh | No | 10 | Integer 5-60
heartbeatperiod | No | 30 | Integer 10-600
tunnel | No |  | a-z string
wan[0-9]device | If enabled | eth1 | Interface name
wan[0-9]gateway | If enabled | 1.2.3.6 | IP address
wan[0-9]heartbeatrefresh | No | 10 | Integer 5-60
wan[0-9]heartbeatperiod | No | 30 | Integer 10-600
wan[0-9]heartbeataddress | If enabled | 1.2.3.7 | IP address
wan[0-9]concentratoraddress | If tunnel set | 1.2.3.7 | IP address
wan[0-9]tunnel | No |  | a-z string
wan[0-9]networks | No |  | blank/[default] [CIDR] [CIDR]…

[mobilerouter]

Variable | Required | Default | Notes
enabled | Yes | yes | yes/no
firewallzone | No | external | internal/external/dmz
echorequest | No | 15 | Integer 1-600
echofailure | No | 4 | Integer 1-100
pppoptions | No |  | PPPD option list
heartbeatrefresh | No | 10 | Integer 5-60
heartbeatperiod | No | 30 | Integer 10-600
tunnel | No | imo | a-z string
mob[0-2]linkname | No |  | a-z 0-9 string (defaults to “mob[0-2]”)
mob[0-2]firewallzone | No | external | internal/external/dmz
mob[0-2]echorequest | No | 15 | Integer 1-600
mob[0-2]echofailure | No | 4 | Integer 1-100
mob[0-2]pppoptions | No |  | PPPD option list
mob[0-2]heartbeatrefresh | No | 20 | Integer 5-60
mob[0-2]heartbeatperiod | No | 50 | Integer 10-600
mob[0-2]heartbeataddress | No |  | IP address
mob[0-2]concentratoraddress | No |  | IP address
mob[0-2]tunnel | No |  | a-z string
mob[0-2]networks | No |  | [default] [CIDR] [CIDR]…

[adsl]

Variable | Required | Default | Notes
enabled | Yes | no | yes/no

TO BE CONFIRMED


[vpn]

Variable | Required | Default | Notes
enabled | Yes | no | yes/no

TO BE CONFIRMED

[fw]

Variable | Required | Default | Notes
enabled | Yes | yes | yes/no
masq | Yes | yes | yes/no
masqnets | If masq=yes | 0/0 | TO BE CONFIRMED
nomasqnets | No |  | TO BE CONFIRMED
forward | No |  | TO BE CONFIRMED
redirect | No |  | TO BE CONFIRMED

[nas]

Variable | Required | Default | Notes
enabled | Yes | no | yes/no
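The Python linter below is an added example, not EMS code: it checks a configuration file against part of the Appendix E reference and reports secrets that are printed in this manual, tunnels left unencrypted, and keys the reference does not list (such as the wan0hearbeataddress spelling used in the Appendix D examples). The function and table names, the policy of rejecting published secrets, and the rule that tunnelNencrypt overrides the section-wide encrypt value are assumptions of this example.

```python
import ipaddress
import re

def _int(lo, hi):
    return lambda v: v.isdecimal() and lo <= int(v) <= hi

def _re(pattern):
    return lambda v: re.fullmatch(pattern, v) is not None

def _parses(parser, many=False):
    def check(value):
        tokens = value.split() if many else [value]
        try:
            return bool(tokens) and all(
                (many and t == "default") or parser(t) is not None for t in tokens)
        except ValueError:
            return False
    return check

# Every variable Appendix E lists for these two sections, as key patterns.
KNOWN = {
    "tunneling": r"enabled|(tunnel[0-9])?(protocolversion|firewallzone|encrypt"
                 r"|compress|bonding|heartbeatrefresh|heartbeatperiod)"
                 r"|tunnel[0-9](name|ip|key|networks)",
    "wan": r"enabled|(wan[0-9])?(heartbeatrefresh|heartbeatperiod|tunnel)"
           r"|wan[0-9](device|gateway|heartbeataddress|concentratoraddress|networks)",
}
# Subset of the value rules: (key pattern, validator, Notes column wording).
CHECKS = [
    (r".*(enabled|encrypt|compress|bonding)", _re("yes|no"), "yes/no"),
    (r".*heartbeatrefresh", _int(5, 60), "Integer 5-60"),
    (r".*heartbeatperiod", _int(10, 600), "Integer 10-600"),
    (r".*(gateway|heartbeataddress|concentratoraddress)|tunnel[0-9]ip",
     _parses(ipaddress.ip_address), "IP address"),
    (r"tunnel[0-9]networks", _parses(ipaddress.ip_network, many=True),
     "[default] [CIDR] [CIDR]..."),
    (r"tunnel[0-9]key", _re("[A-Za-z0-9]+"), "A-Z, a-z, 0-9 string"),
    (r"wlan0wifiwpakey", _re(r"[\x20-\x7e]{8,63}"), "8-63 printable ASCII"),
]
# Secrets printed in this manual; rejecting them is this example's own policy.
PUBLISHED = {"12345678", "imo-xxxxxximo", "imokey"}
SECTION = re.compile(r"^\s*\[([a-z]+)\]")
SETTING = re.compile(r'^\s*([A-Za-z0-9]+)\s*=\s*"([^"]*)"')

def lint(text):
    """Return (line number, key, message) findings for one configuration file."""
    findings, section, tunneling = [], None, {}
    for number, line in enumerate(text.splitlines(), 1):
        header, setting = SECTION.match(line), SETTING.match(line)
        if header:
            section = header.group(1)
        if header or not setting:
            continue  # section header, blank line or comment
        key, value = setting.groups()
        if section == "tunneling":
            tunneling[key] = (number, value)
        if key.endswith("key") and value in PUBLISHED:
            findings.append((number, key, "secret is printed in the manual"))
        if section in KNOWN and not re.fullmatch(KNOWN[section], key):
            findings.append((number, key, f"not a documented [{section}] variable"))
        for pattern, valid, allowed in CHECKS:
            if re.fullmatch(pattern, key) and not valid(value):
                findings.append((number, key, f"{value!r} is not {allowed}"))
    # Assumption: tunnelNencrypt overrides the section-wide encrypt value, and an
    # unset value falls back to the Appendix E default of "no".
    get = lambda key, default: tunneling.get(key, (0, default))[1]
    for key, (number, _) in tunneling.items():
        if (re.fullmatch(r"tunnel[0-9]name", key) and get("enabled", "yes") == "yes"
                and get(key[:7] + "encrypt", get("encrypt", "no")) != "yes"):
            findings.append((number, key, "tunnel is not encrypted"))
    return findings

# Constructed input in the manual's format; not a configuration from a real unit.
SAMPLE = '''[lan]
wlan0wifiwpakey="12345678"            # Set WPA key
[tunneling]
enabled="yes"                         # Enable tunneling
heartbeatperiod="5"
tunnel0name="imo"
tunnel0ip="10.250.0.10"
tunnel0key="imokey"                   # Shared secret
[wan]
enabled="yes"
wan0gateway="195.74.68.1"
wan0hearbeataddress="195.74.68.131"   # spelling used in the manual's examples
'''
```

Calling lint(SAMPLE) returns five findings; whether the appliance itself accepts the hearbeataddress spelling is not stated in this manual, so that finding only records the mismatch between Appendix D and Appendix E.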


Appendix F - Disposal and Recycling Information

This device (and any included batteries) should not be disposed of as normal household garbage. Do not dispose of your device or batteries as unsorted municipal waste. The device (and any batteries) should be handed over to a certified collection point for recycling or proper disposal at the end of their life.

For more detailed information about the recycling of the device or batteries, contact your local city office, the household waste disposal service, or the retail store where you purchased this device.

WEEE EU Directive

The disposal of this device is subject to the Waste from Electrical and Electronic Equipment (WEEE) directive of the European Union. The reason for separating WEEE and batteries from other waste is to minimize the potential environmental impacts on human health of any hazardous substances that may be present.

If in any doubt, please view detailed WEEE information on the following web page from the Environment Agency's web site: http://www.environment-agency.gov.uk/business/topics/waste/32084.aspx

Reduction of Hazardous Substances

This device is compliant with the EU Registration, Evaluation, Authorisation and Restriction of Chemicals (REACH) Regulation (Regulation No 1907/2006/EC of the European Parliament and of the Council) and the EU Restriction of Hazardous Substances (RoHS) Directive (Directive 2002/95/EC of the European Parliament and of the Council). For more information about the REACH compliance of the device, visit the Web site www.ems-uk.com/certification. You are recommended to visit the Web site regularly for up-to-date information.


Appendix G - Warranty Information

EMS's Limited Warranty Statement (1-Year Warranty)

Thank you for purchasing the enclosed i-MO Appliance. The product is provided with a one year limited warranty commencing from the date of purchase.

One-Year Limited Warranty

THIS PRODUCT IS PROVIDED TO YOU UNDER THE FOLLOWING TERMS AND CONDITIONS THAT CONTAIN LIMITATIONS ON WARRANTIES AND LIABILITIES AND YOUR REMEDIES. BY USING THIS PRODUCT YOU AGREE TO THE TERMS AND CONDITIONS BELOW.

The original end-user purchaser of the enclosed i-MO Appliance (the “Product”) from EMS Ltd (the “Vendor”) or one of its authorized Partners, is offered with a non-transferable, limited warranty that: (a) the Product will be of good quality and free from defects in design, materials, workmanship, and manufacture under normal use and service; (b) all materials, parts, components, and other items incorporated in the Product will be new; and (c) the Product will be compliant with, and perform in accordance with, its specifications, for a period that expires one year from the original purchase date of the Product (the “Warranty Period”).

During the Warranty Period, if Vendor determines that a Product is defective under a proper warranty claim, then Vendor will, at its sole discretion, either (a) pay parts and labour charges for the repair of the Product, or (b) replace the Product with a new or rebuilt unit (which unit may use refurbished parts of similar quality and functionality), provided that the defective Product is returned to a Vendor-authorized service centre for the Product, transportation charges prepaid, and is accompanied by written proof of purchase in the form of a bill of sale or receipted invoice indicating that the Product was purchased by you and is within the Warranty Period. After the Warranty Period, you are responsible for paying all parts, labour, and shipping charges. The warranty described above shall apply to all repaired or replaced Product for a period of 90 days from the date of return to you, or the balance of the Warranty Period, whichever is greater.

This limited warranty does not cover and is void with respect to: (a) Products which have been improperly installed, repaired, maintained, or modified; (b) Products which have been subjected to misuse (including using the Products with hardware which is electrically or mechanically incompatible with the Products), abuse, accident, physical damage, abnormal operation, improper handling or storage, neglect, exposure to fire, water, or excessive moisture or dampness, or extreme changes in climate or temperature; (c) Products which have been opened, repaired, modified, or altered by anyone other than Vendor or a Vendor-authorized service centre; (d) Products which have been damaged due to fire, flood, acts of God, or other acts which are not Vendor’s fault and which the Product is not specified to tolerate; (e) cosmetic damage; (f) Products which have been operated outside of published maximum ratings; (g) cost of installation, removal, or re-installation of the Product; (h) signal reception problems (unless caused by a defect in material(s) or workmanship); or (i) Products on which warranty stickers or serial numbers have been removed, altered, or rendered illegible. This limited warranty is not transferable to any third party including, but not limited to, any subsequent purchaser or owner of the Products. Any transfer or resale of any of the Products will automatically terminate Vendor’s warranty coverage of such Products. This limited warranty does not cover customer education, instruction, installation, set-up adjustments, or signal reception problems.

REPAIR OR REPLACEMENT, AS PROVIDED FOR UNDER THIS LIMITED WARRANTY, IS YOUR SOLE AND EXCLUSIVE REMEDY FOR BREACH OF THIS LIMITED WARRANTY. TO THE EXTENT PERMITTED BY APPLICABLE LAW, NEITHER VENDOR NOR THE ORIGINAL OWNER OF THE PRODUCT MAKE ANY OTHER REPRESENTATIONS, WARRANTIES, OR CONDITIONS OF ANY KIND, EXPRESS OR IMPLIED OR STATUTORY, WITH RESPECT TO THE PRODUCT INCLUDING, BUT NOT LIMITED TO, ANY WARRANTY OF MERCHANTABLE QUALITY, OR FITNESS FOR A PARTICULAR PURPOSE.


This warranty gives you specific rights and you may also have other rights, which vary from jurisdiction to jurisdiction. Some jurisdictions do not allow the exclusion of implied warranties and conditions and do not permit the exclusion or limitation of certain damages. Therefore, the foregoing exclusions may not apply to you.

THE ENTIRE RISK AS TO THE RESULTS AND PERFORMANCE OF THIS PRODUCT IS ASSUMED BY YOU. NEITHER THE ORIGINAL OWNER OF THE PRODUCT NOR THE VENDOR NOR VENDOR’S DISTRIBUTORS, RESELLERS, SUPPLIERS, AGENTS, OFFICERS, AND DIRECTORS SHALL HAVE ANY LIABILITY TO YOU OR TO ANY OTHER PERSON OR ENTITY FOR ANY DAMAGES HOWSOEVER CAUSED INCLUDING, BUT NOT LIMITED TO, DIRECT, INDIRECT, INCIDENTAL, SPECIAL, GENERAL, CONSEQUENTIAL, PUNITIVE, OR EXEMPLARY DAMAGES WHATSOEVER INCLUDING, BUT NOT LIMITED TO, LOSS OF REVENUE OR PROFIT, DAMAGES TO PROPERTY OR PERSONS, LOST OR DAMAGED DATA, OR OTHER COMMERCIAL OR ECONOMIC LOSS, EVEN IF ANY SUCH AFOREMENTIONED PERSON HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR THEY ARE FORESEEABLE, OR FOR CLAIMS BY ANY THIRD PARTY. MAXIMUM AGGREGATE LIABILITY OF THE AFOREMENTIONED PERSONS SHALL NOT EXCEED THE AMOUNT PAID BY YOU FOR THE PRODUCT. THE LIMITATIONS IN THIS SECTION SHALL APPLY WHETHER OR NOT THE ALLEGED BREACH, DEFAULT, NONPERFORMANCE, OR FAILURE IS A BREACH OF FUNDAMENTAL CONDITION OR TERM, OR A FUNDAMENTAL BREACH.

If any provision or term of these terms and conditions is determined to be invalid or unenforceable, the invalidity or un-enforceability of that provision or term will not affect the validity or enforceability of the remaining provisions and terms or the validity or enforceability of that provision or term in any other jurisdiction.

THIS LIMITED WARRANTY IS NOT AN ALTERNATIVE TO THE PURCHASE OF AN ANNUAL MAINTENANCE AGREEMENT. For further details of Annual Maintenance Agreement Terms & Conditions please refer to the separate Maintenance Agreement documentation provided by EMS Ltd or Authorised Partner.


Obtaining Technical Assistance

EMS Ltd provides www.ems-imo.com as a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools by using this Web Site. Registered users (requires a valid Annual Maintenance Agreement) have complete access to the technical support resources on the www.ems-imo.com Web Site.
