Arctic Networking Properties
Jari Lahti, CTO
Wireless
Industry
General networking
properties
Solutions
Network menu
WiFi
BLUETOOTH
EDGE
CDMA
UMTS
GPRS
WiMax
Summary
• Shows the status of all active network interfaces
– loopback, Ethernet, SSH-VPN, L2TP-Tunnel, Dial-In
• Shows the routing table
• Shows the ARP cache
Ethernet
• 10 Base-T or 100 Base-T
– supports auto negotiation
– supports half duplex and full duplex
• Shielded Ethernet connection, shield connected to
power supply ground
– when using shielded cable consider the possible
potential differences
Ethernet settings
• Override Ethernet configuration by DHCP?
  – Enable if Arctic should fetch the Ethernet configuration from DHCP server on LAN
  – Make sure the Default gateway is not enabled by DHCP server if other interface (Tunnel, GPRS) should be used as default route
• Host name
  – The Host name of Arctic
  – Identifies Arctic on SSH-VPN and L2TP Tunnels. Each Arctic must have a different hostname in Tunneling configurations
• Ethernet IP address
  – The IP address of Arctic Ethernet interface (LAN)
• Network mask
  – The network mask of Ethernet network
• Default gateway
  – The IP address of default gateway on LAN
  – Use only when Ethernet should be used as default route; disable by entering 0
• DNS servers
  – Addresses of DNS servers
• MAC address
  – Shows Arctic's MAC/HW address
• NOTE
  – Arctic must have only one default route (Ethernet, GPRS, Tunnel) enabled simultaneously!
GPRS
• General Packet Radio Service
• Wireless packet data channel
• Based on GSM technology and networks
• Designed for TCP/IP traffic
• Dynamic radio channel allocation
• Faster data transfer compared to GSM data
• Pricing based on amount of data
• Different pricing models, subscription and operator dependent
  – X EUR / MB (typically 0,5 - 2 EUR/MB)
  – X EUR / 100 MB (typically 5 - 15 EUR / 100 MB)
  – X EUR / Unlimited communication (typically 10 - 20 EUR)
• Public network, Global - low initial investments
GPRS throughput
• Class 10 (4 downlink channels, 2 uplink channels), maximum throughput in kbps:

  Coding scheme   Uplink speed   Downlink speed
  CS1             18,1           36,2
  CS2             26,8           53,6
  CS3             31,2           62,4
  CS4             42,8           107,0

• CODING SCHEMES:
  – CS1 => 9.05 kbps
  – CS2 => 13.4 kbps
  – CS3 => 15.6 kbps
  – CS4 => 21.4 kbps
• Typically CS1 and CS2 supported by GPRS networks
• Table above indicates maximum throughput
  – practical throughput ~ 70-80% of maximum
  – ~5 kB/sec download
• Round-trip times 350 ms - 2 sec
  – first packets typically have longer delays
GPRS settings
• GPRS enabled
  – Set Yes to allow GPRS communication
• Access point name
  – mandatory parameter
  – public APN usually "INTERNET"
  – private APN (e.g. viola.fi) requires operator contract
• GPRS username & password
  – Username and password required by APN
  – Use "dummy" values e.g. user and pass even when not required by APN
• PIN code
  – The PIN code of GPRS SIM card (e.g. 1234)
  – Non-numeric value causes Arctic not to try PIN code
  – The SIM card must have at least 2 tries left
• Maximum MTU value
  – Maximum size of sent GPRS packet in bytes
• Default route
  – Enable if GPRS is used as a default route to external networks (typically when plain GPRS is used)
  – Disable if other connection (Tunnel, Ethernet) is used as a default route to external networks
  – NOTE: Arctic must have only one default route (Ethernet, GPRS, Tunnel) enabled simultaneously!
• Led indication
  – Data only - GPRS LED blinks when data is transmitted
  – Informative - GPRS LED indicates data and GPRS registration status
• PPP idle timeout
  – If GPRS connection is idle more than the defined amount of seconds Arctic will re-establish GPRS connection
  – The ICMP Echo sending interval of monitor should be smaller than PPP idle timeout in order to have an uninterrupted connection
GPRS LED
• In "Data only" mode the GPRS LED blinks when Arctic transmits GPRS data
• In "Informative" mode the GPRS LED behaves in the following way
  – OFF: GPRS Modem turned off
  – 600 ms ON / 600 ms OFF: No SIM card inserted or no PIN entered, or network search in progress
  – 75 ms ON / 3 s OFF: Logged in to network
  – 75 ms ON / 75 ms OFF / 75 ms ON / 3 s OFF: GPRS activated
  – Flashing slow: Indicates GPRS data transfer
  – ON: GSM Data call in progress
Dial-in (GSM data)
• It is possible to dial in to Arctic with a GSM data call
  – To configure Arctic in situations where a GPRS connection is not possible
  – Public APN, firewall blocks, D-NAT forwards TCP ports 22 (SSH), 23 (Telnet) or 80 (HTTP), Tunnel problems
  – Installed but unconfigured device
• The SIM card must allow incoming data calls
• Dial-in is enabled in Arctic by default
• Change the default username and password for Dial-in
• When dial-in is active the GPRS data is suspended
• Dial-in uses the PPP protocol, not plain data.
Dial-in settings
• Dial-in enabled
  – Set Yes to allow incoming data calls
• Require authentication (PAP)
  – Set Yes to require password/username authentication for PPP connection
• Required username & password
  – The required username/password combination
• Idle timeout
  – If the dial-in connection is idle more than the defined timeout of seconds Arctic closes the connection
• Local IP address
  – The IP address Arctic allocates itself in PPP connection
  – After the connection is established the Arctic can be reached by using this IP address
• Peer's IP address
  – The IP address Arctic allocates for Peer (e.g. Laptop computer) in PPP connection
• NOTE
  – also SMS Config is available for remote configuration in situations where GSM data is not possible
Configuring Dial-In on Windows
• Modem needs to be installed on PC (conventional PSTN or GSM modem)
• Go to Control Panel > Network connections
• Select "Create new Connection"
• Network connection type is "Connect to the Internet"
• Select "Set up my connection manually"
• Select "Connect using a dial-up modem"
• Select suitable modem
• ISP name can be e.g. Arctic or the hostname of Arctic
• Type the Arctic SIM card number as number to dial
  – Arctic SIM must support incoming GSM data call
• Type the username and password for Arctic Dial-in
  – "user" and "pass" by default
• Uncheck "Make this the default internet connection"
• Press finish - the Dial-in connection is configured
• To Dial-in to Arctic double-click the created connection icon on Control Panel > Network connections
SSH-VPN (Tunneling)
• Secure and authenticated VPN tunnel
  – uses SSH protocol
  – authentication with 1024 bit RSA keys
  – communicating parties must know each other's public keys in order to be able to authenticate
• Extra GPRS data caused by SSH-VPN ~ 50-60 bytes/packet
• Tunnel establishment takes more time and data than with L2TP Tunneling
  – Operators usually drop GPRS connections after X hours
• When SSH-VPN Tunnel is successfully formed the "Status" LED of Arctic lights
• SSH uses TCP protocol
  – TCP is connection oriented protocol - possible NAT devices between Arctic and M2M GW maintain NAT binding without keepalive data
  – Each packet must be acknowledged by receiver with ACK packet
  – If the "tunneled" data also uses TCP this leads to a situation where multiple ACK packets are sent. This increases the amount of data transmitted and decreases performance on interactive applications
  – Diagram: USER TCP DATA OVER SSH -> SSH ACK -> USER TCP ACK OVER SSH -> SSH ACK (usually combined to a single packet)
SSH-VPN settings
• Use SSH-VPN
  – Set Yes to allow SSH-VPN operation
• Interface
  – Define the interface (GPRS or Ethernet) used to form SSH-VPN Tunnel
• Routing mode
  – "None" used if the SSH-VPN is a default route already and Arctic is not required to advertise any specific network to Ethernet with Proxy-ARP
  – "Tunnel the following network" used to tell the Arctic which network is reachable behind tunnel. This must be used when the remote network is a subnet of the network in Ethernet interface or when the SSH-VPN is not the default route of Arctic
• Remote network IP & mask
  – Defines the remote network behind tunnel
• Default route
  – Enable if the SSH-VPN tunnel is the primary communication channel
  – Usually this should be enabled
  – If enabled all other default gateways (Ethernet, GPRS) must be disabled
• Tunnel server IP
  – The public IP address of M2M Gateway
• Tunnel server port
  – The TCP port M2M Gateway listens on for incoming SSH connections
• Tunnel server GW
  – If Ethernet is used and M2M Gateway is not in same LAN as Arctic this field must contain the IP address of LAN's default gateway
SSH-VPN key management
• Local SSH public key
– The public SSH key of Arctic. This must be copied to M2M Gateway
– Use SHIFT-END to select the whole key and copy with CNTRL-C
– Paste to M2M GW with CNTRL-V
• Server SSH key
– Shows the public key of M2M GW if the key is known by Arctic
• Retrieve SSH server key
– Uses HTTP (TCP port 80) to fetch the public key from M2M GW
• Insert SSH server key
– Paste the public key of M2M GW here manually if the "retrieve"
method does not work
Common SSH-VPN problems
• Most of the problems are routing-related
  – Multiple default routes defined to Arctic, there must be only one default route/default gateway defined
  – "Remote network IP" and "Remote network mask" are incompatible in Arctic. Check the routes in Network>Summary when tunnel is active
  – "Remote network IP" and "Remote network mask" are incompatible in M2M GW. Check with "route" command on M2M GW when tunnel is active.
• SSH-VPN can not be established
  – Check the SSH-VPN interface (GPRS or Ethernet)
  – Check the public keys. M2M GW and Arctic must know each other's public keys
  – Check the firewall in M2M GW side to allow TCP port 22
• SSH-VPN drops after several hours
  – SSH-VPN works only a certain time if operator closes PDP contexts
  – Check the Arctic monitor pings the other end of tunnel, not the public IP address
  – Check how often the operator drops GPRS connections
• SSH-VPN is slow or high variance in response times
  – "TCP over TCP" decreases performance, consider L2TP Tunnel
L2TP Tunnel
• Plain tunneling without strong authentication or encryption
  – M2M Gateway authenticates the Arctic only by user/password combination
  – Data is not encrypted
• Very fast data transfer and small delays when compared to other tunnels
• Very fast tunnel establishment
• Suitable for bringing full routing to private-APN systems
• Suitable for applications not requiring strong security
• Extra GPRS data caused by L2TP Tunnel ~ 30-40 bytes/packet
• L2TP uses UDP
  – UDP is connectionless protocol - possible NAT devices (APN, firewall) between Arctic and M2M GW may maintain the NAT binding only 30-60 seconds
  – In order to keep the NAT binding valid additional keepalive data may be required
  – Ask the NAT binding timeout from operator!
• When L2TP Tunnel is successfully formed the "Status" LED of Arctic lights
L2TP-TUNNEL settings
• Use L2TP-VPN
  – Set Yes to allow L2TP tunneling
• Interface
  – Define the interface (GPRS or Ethernet) used to form L2TP Tunnel
• Routing mode
  – "None" used if the L2TP is a default route already and Arctic is not required to advertise any specific network to Ethernet with Proxy-ARP
  – "Tunnel the following network" used to tell the Arctic which network is reachable behind tunnel. This must be used when the remote network is a subnet of the network in Ethernet interface or when the L2TP is not the default route of Arctic
• Remote network IP & mask
  – Defines the remote network behind tunnel
• Default route
  – Enable if the L2TP tunnel is the primary communication channel
  – Usually this should be enabled
  – If enabled all other default gateways (Ethernet, GPRS) must be disabled
• L2TP server IP
  – The public IP address of L2TP server
• L2TP server port
  – The UDP port L2TP server listens on for incoming connections
• L2TP server gateway
  – If Ethernet is used and L2TP server is not in same LAN as Arctic this field must contain the IP address of LAN's default gateway
• L2TP username & password
  – If the L2TP server requires PAP authentication these settings define the username/password combination
• Hello interval
  – Interval for sending L2TP "Hello" messages in order to keep NAT binding active
Common L2TP problems
• Most of the problems are routing-related
  – Multiple default routes defined to Arctic, there must be only one default route/default gateway defined
  – "Remote network IP" and "Remote network mask" are incompatible in Arctic. Check the routes in Network>Summary when tunnel is active
  – "Remote network IP" and "Remote network mask" are incompatible in M2M GW. Check with "route" command on M2M GW when tunnel is active.
• L2TP Tunnel can not be established
  – Check the L2TP interface (GPRS or Ethernet)
  – Check the firewall in M2M GW side to allow UDP port 1701
• L2TP works only a certain time
  – Check the Arctic monitor pings the other end of tunnel, not the public IP address
• L2TP works only a certain time (minutes)
  – Check how long the operator's NAT (or other NAT device between Arctic and L2TP server) maintains NAT binding for UDP and adjust the L2TP Hello interval to be smaller than the timeout
  – Extra data caused by keepalive ~30 bytes / packet
Monitor
• The monitor application performs runtime supervision of Arctic by inspecting various resources like
  – Status of filesystem and memory
  – GPRS modem and SIM card
  – Status of applications
• The monitor should be used to verify the "end-to-end" operation of GPRS or Tunnel connection. This is achieved by periodically pinging the defined IP address.
  – In Tunnel mode pinging the private Tunnel IP of M2M GW
  – In plain GPRS mode pinging a suitable public IP address.
• If the ping fails the monitor restarts GPRS connection and the Tunnel
• If the system inspection fails or the ping fails many times the monitor reboots Arctic
• The monitor itself is protected by HW watchdog. If the monitor application hangs the Arctic will reboot.
Monitor settings
• ICMP Echo sending
  – Set enabled in order to allow end-to-end testing of GPRS or Tunnel connection
• Interval
  – The interval in seconds between ICMP Echo requests (pings) sent
  – NOTE:
  – each ping sent consumes ~50 bytes of data in plain GPRS mode and ~100 bytes in Tunnel mode
  – the reply consumes the same amount
  – the Interval defines the minimum time to detect a closed GPRS or Tunnel connection. Adjust this parameter according to the criticality of the connection
  – the interval must be smaller than GPRS idle timeout (typically 2/3 of GPRS idle timeout) in order to have uninterrupted communication
• Retries
  – Number of retries sent before detecting connection to be closed
• Reply timeout
  – The timeout in seconds waiting for reply to a sent ICMP Echo request
• Target IP address
  – The IP address where ICMP Echo requests are sent
  – In Tunnel mode this should be the other end of tunnel (M2M GW)
• Secondary target IP address
  – The secondary IP address where ICMP Echo requests are sent if the primary IP address does not respond
  – Use this option only in plain GPRS mode
Routing
Routing settings
• Act as a router?
  – Enable in order to allow Arctic to route traffic between Ethernet, GPRS and Tunnel
  – Enabled by default
• Use Proxy ARP?
  – Enable in order to allow Arctic to "cheat" devices in Ethernet
  – Usually used with subnetting when the network behind tunnel is a subnet of the network behind Ethernet interface
  – Proxy-ARP makes it possible to access devices in subnet without using Arctic as a default gateway for Ethernet devices
  – Disabled by default
NAT (Network Address Translation)
S-NAT (Source NAT)
• Replaces the source address of IP packet with GPRS IP address
• This is usually required (Network does not know how to route private IP addresses)
  – access internet from laptop-PC through Arctic
• The S-NAT can be turned completely off on Arctic
• It's also possible to define only certain source addresses to be S-NAT processed
• Diagram: ARCTIC (GPRS IP: 11.22.33.44, Ethernet IP: 10.10.10.1); (1) data from 10.10.10.2 arrives on Ethernet, (2) leaves on GPRS as data from 11.22.33.44
S-NAT settings
• Enable S-NAT
  – set Yes to enable S-NAT operation
  – S-NAT is enabled by default
• Use
  – Yes - The defined source address is S-NAT processed
  – No - The defined source address is not S-NAT processed
• From IP
  – Defines the IP address or IP address range to be S-NAT processed
• IP Address syntax
  – single IP address format (1.2.3.4)
  – net/bits on net (1.2.3.0/24)
  – any IP (0/0 or empty)
D-NAT (Destination NAT)
• Diagram: ARCTIC (GPRS IP: 11.22.33.44, Ethernet IP: 10.10.10.1); (1) GPRS side: connect to 11.22.33.44 port 888, (2) Ethernet side: forward to 10.10.10.4 port 80, (3) reply from 10.10.10.4 port 80, (4) reply from 11.22.33.44 port 888
• Requires fixed GPRS IP address (Private APN)
• Arctic forwards defined (protocol,port) connections from GPRS to Ethernet by replacing the destination IP address of packet
• The reply contains Arctic's GPRS IP as source address
• Makes it possible to access Ethernet devices behind GPRS without tunneling
• The Ethernet devices use Arctic as default gateway
• The Arctic uses GPRS connection as default route
D-NAT settings
• Enable D-NAT
  – set Yes to enable D-NAT operation
• Use
  – Yes - The defined rule is processed
  – No - The defined rule is not processed
• Protocol
  – ANY - Checks the IP address only
  – TCP - Protocol must be TCP
  – UDP - Protocol must be UDP
  – ICMP - Protocol must be ICMP
• Source IP
  – The source address of packet
• Source IP Address syntax
  – single IP address format (1.2.3.4)
  – net/bits on net (1.2.3.0/24)
  – any IP (0/0 or empty)
  – "Redirect to IP" accepts only single IP address format
• Destination port
  – The destination port (TCP,UDP) or ICMP type of packet
• Redirect to IP
  – The new destination IP address where packet is redirected
• Redir. port
  – The new destination port (TCP,UDP) or ICMP type where packet is redirected
Common NAT problems
• Redirecting (D-NAT) TCP port 22 (SSH), Telnet (23) or 80 HTTP and therefore making it impossible to access Arctic configuration from GPRS.
  – Solution: SMS config or Dial-in still provides access
• Setting D-NAT protocol to ANY and therefore making it impossible to access Arctic configuration from GPRS.
  – Solution: SMS config or Dial-in still provides access
• Running FTP server in passive mode behind D-NAT does not work, FTP must use active mode
• Some VPN programs (IPsec in tunnel mode) require NAT traversal in order to work over S-NAT
DNS Update
• Requires public (but not static) GPRS IP address
• Requires GPRS operator to allow incoming GPRS connections
  – Operator and subscription dependent policy
• The idea is that Arctic informs the remote Domain Name Server which IP address Arctic got from GPRS
• Then the Arctic can be addressed with domain name instead of IP address
  – Makes it easier to access GPRS device, especially in automatic data collection applications
• Diagram: Arctic (GPRS IP: 62.22.33.11, via APN) tells the DNS SERVER "I have IP 62.22.33.11"; the USER asks the DNS server which IP "arctic.exampledomain.com" is, learns that it is 62.22.33.11, and connects to 62.22.33.11
DNS Update settings
• Enable
  – set Yes to enable DNS update
  – NOTE: DNS update works with common DNS servers like DNS-BIND
  – NOTE: DNS update does not work with DynDNS.org and other similar services using non-standard protocols
• Record TTL
  – Informs the DNS server how long the IP address is valid
• Record refresh interval
  – How often Arctic refreshes the DNS server about its IP address (should be smaller than Record TTL)
• Zone
  – The Zone (domain) where Arctic belongs
• Our domain name
  – The domain name Arctic is given
• Authoritative name server address
  – The IP address of DNS server which is responsible for maintaining the Zone's Name-IP address bindings
• Use Transaction Signatures
  – Set yes to enable DNS update authentication (usually required)
• Tsig key name and Tsig key
  – Like username and password for authentication
  – The key must be Base64 encoded
SMS Config
• Enables Arctic to be monitored and controlled with SMS messages
  – "Emergency" situations when Arctic in the field is not reachable with GPRS or Dial-in
• Two versions
  – Version 1.1
    • Simple command set
  – Versions 1.2 and newer
    • Advanced command set
    • Advanced permission configuration
• SMS Config is enabled by default
• NOTE
  – SMS Config will delete all messages from SIM card
  – SMS Config will send "unknown command" reply if it does not recognise the command
  – => Make sure the SIM card message storage is empty!
SMS Config 1.1
• Password
  – If password is defined for Arctic it must be given in SMS before the command, separated from it with a comma (,)
• Command set (all commands must be lower-case)
  – echo <string> echoes back the string (e.g. echo test)
  – reboot reboots arctic
  – restart gprs restarts GPRS
  – get hostname returns Arctic host name
  – get gprs enabled returns whether GPRS is enabled
  – get gprs pin returns GPRS PIN code
  – get gprs apn returns GPRS APN name
  – get gprs user returns GPRS user name
  – get gprs passwd returns GPRS password
  – get gprs defaultroute returns whether the GPRS default route is enabled
  – get gprs status returns whether GPRS is enabled, active, interface name and enable status of default route
  – Example with password: pass,restart gprs
  – Example without password: restart gprs
Firewall
• Arctic firewall limits the IP communication between the following networks
  – From GPRS to Arctic (incoming)
  – From GPRS to LAN (forwarding)
  – From LAN to GPRS (outgoing)
• Each firewall section can be turned on/off separately
• The firewall can be turned completely on/off
• Turning off a section or the firewall means there is no traffic limitation
• The tunnel connections are not affected by the firewall
• The dial-in connections are not affected by the firewall
Stateful inspection
• Arctic firewall remembers the state of connections
• Not necessary to define separate rules for incoming and outgoing data of a connection
• S-NAT and D-NAT rules are processed before firewall rules
• E.g. D-NAT is used to forward GPRS TCP port 888 to LAN IP 10.10.10.2 port 80
• GPRS to LAN firewall needs to be configured to accept TCP connection to 10.10.10.2 port 80
• Diagram: ARCTIC (GPRS IP: 11.22.33.44, Ethernet IP: 10.10.10.1); (1) GPRS side: connect to 11.22.33.44 port 888, (2) Ethernet side: forward to 10.10.10.2 port 80, (3) reply from 10.10.10.2 port 80, (4) reply from 11.22.33.44 port 888
Order of rule processing
• The rules are processed from top to bottom
• It's not possible to enable communication if it's disabled by a rule before
• It's not possible to disable communication if it's enabled by a rule before
• Examples of misleading configurations (screenshots)
  – This setup accepts all data
  – This setup drops all data to 10.10.10.4
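The top-to-bottom rule processing above, combined with the "S-NAT and D-NAT rules are processed before firewall rules" point from the Stateful inspection slide, as an added Python model (example code written here, not Arctic firmware or Viola Systems code). The rule fields, address syntax and sample addresses are the page's; the Packet/FwRule/DnatRule layout, the function names and the DROP default for packets matching no rule are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def parse_ip_spec(spec: str) -> ipaddress.IPv4Network:
    """The three address forms the Arctic UI documents:
    1.2.3.4 (single host), 1.2.3.0/24 (net/bits), 0/0 or empty (any)."""
    spec = (spec or "").strip()
    if spec in ("", "0/0"):
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(spec, strict=False)  # host bits allowed

@dataclass
class Packet:
    proto: str   # "TCP", "UDP" or "ICMP"
    src: str
    dst: str
    dport: int   # destination port, or ICMP type

@dataclass
class FwRule:
    action: str                  # "NO RULE", "ACCEPT" or "DROP"
    proto: str                   # "ANY" checks the IP addresses only
    src: str = ""
    dst: str = ""
    dport: Optional[int] = None  # None: any port / ICMP type

    def matches(self, pkt: Packet) -> bool:
        if self.action == "NO RULE":
            return False         # a disabled rule never matches
        if self.proto != "ANY" and (self.proto != pkt.proto or
                                    (self.dport is not None and self.dport != pkt.dport)):
            return False
        return (ipaddress.ip_address(pkt.src) in parse_ip_spec(self.src)
                and ipaddress.ip_address(pkt.dst) in parse_ip_spec(self.dst))

@dataclass
class DnatRule:
    use: bool
    proto: str
    dport: int
    redirect_ip: str    # single address only, as the page states
    redirect_port: int

def apply_dnat(pkt: Packet, gprs_ip: str, rules: List[DnatRule]) -> Packet:
    """D-NAT runs before the firewall: rewrite the destination of a packet
    addressed to the fixed GPRS IP when a matching (protocol, port) rule is in use."""
    for r in rules:
        if (r.use and pkt.dst == gprs_ip and r.dport == pkt.dport
                and r.proto in ("ANY", pkt.proto)):
            return Packet(pkt.proto, pkt.src, r.redirect_ip, r.redirect_port)
    return pkt

def evaluate(rules: List[FwRule], pkt: Packet, default: str = "DROP") -> str:
    """Top to bottom, first match wins: a later rule can neither re-enable what an
    earlier rule dropped nor drop what an earlier rule accepted. The DROP default
    for a packet matching no rule is this example's assumption, not the page's."""
    for r in rules:
        if r.matches(pkt):
            return r.action
    return default

def gprs_to_lan(pkt: Packet, gprs_ip: str, dnat: List[DnatRule], fw: List[FwRule]) -> str:
    """The "GPRS to LAN" section sees the destination after D-NAT rewrote it."""
    return evaluate(fw, apply_dnat(pkt, gprs_ip, dnat))

# Constructed sample using the addresses drawn on the page's NAT diagrams.
GPRS_IP = "11.22.33.44"
DNAT = [DnatRule(True, "TCP", 888, "10.10.10.2", 80),
        DnatRule(True, "TCP", 889, "10.10.10.4", 80)]
FW_OK = [FwRule("ACCEPT", "TCP", "0/0", "10.10.10.2", 80)]   # only the forwarded web server
FW_MISLEADING = [FwRule("ACCEPT", "ANY", "0/0", "0/0"),       # blanket accept first ...
                 FwRule("DROP", "ANY", "0/0", "10.10.10.4")]  # ... so this DROP never fires

def demo() -> dict:
    src = "62.22.33.11"
    p888, p889 = Packet("TCP", src, GPRS_IP, 888), Packet("TCP", src, GPRS_IP, 889)
    return {"web_888": gprs_to_lan(p888, GPRS_IP, DNAT, FW_OK),        # ACCEPT
            "other_889": gprs_to_lan(p889, GPRS_IP, DNAT, FW_OK),      # DROP: 10.10.10.4 not accepted
            "misleading": gprs_to_lan(p889, GPRS_IP, DNAT, FW_MISLEADING)}  # ACCEPT despite the DROP rule
```

The second D-NAT rule shows the stateful-inspection point: the firewall must accept the rewritten LAN destination, not the public GPRS address, and the misleading list shows why the DROP for 10.10.10.4 never fires.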
GPRS to Arctic
• Defines the rules how to treat the traffic coming from GPRS targeted to Arctic
• Action
  – NO RULE - rule is disabled
  – ACCEPT - data is accepted
  – DROP - data is discarded
• Protocol
  – ANY - Checks the IP address only
  – TCP - Protocol must be TCP
  – UDP - Protocol must be UDP
  – ICMP - Protocol must be ICMP
• From IP
  – The source address of packet
• Destination port
  – The destination port (TCP,UDP) or ICMP type of packet
• IP Address syntax
  – single IP address format (1.2.3.4)
  – net/bits on net (1.2.3.0/24)
  – any IP (0/0)
GPRS to LAN
• Defines the rules how to treat the traffic coming from GPRS targeted to LAN
• Action
  – NO RULE - rule is disabled
  – ACCEPT - data is accepted
  – DROP - data is discarded
• Protocol
  – ANY - Checks the IP address only
  – TCP - Protocol must be TCP
  – UDP - Protocol must be UDP
  – ICMP - Protocol must be ICMP
• From IP
  – The source address of packet
• Destination IP
  – The destination address of packet
• Destination port
  – The destination port (TCP,UDP) or ICMP type of packet
• IP Address syntax
  – single IP address format (1.2.3.4)
  – net/bits on net (1.2.3.0/24)
  – any IP (0/0 or empty)
LAN to GPRS
• Defines the rules how to treat the traffic coming from LAN targeted to GPRS
• This firewall section is useful for accepting only wanted data to enter the GPRS network
• Action
  – NO RULE - rule is disabled
  – ACCEPT - data is accepted
  – DROP - data is discarded
• Protocol
  – ANY - Checks the IP address only
  – TCP - Protocol must be TCP
  – UDP - Protocol must be UDP
  – ICMP - Protocol must be ICMP
• From IP
  – The source address of packet
• Destination IP
  – The destination address of packet
• Destination port
  – The destination port (TCP,UDP) or ICMP type of packet
• IP Address syntax
  – single IP address format (1.2.3.4)
  – net/bits on net (1.2.3.0/24)
  – any IP (0/0 or empty)
Common firewall problems
• GPRS to Arctic firewall disables TCP port 22 (SSH),
Telnet (23) or 80 HTTP and therefore makes it
impossible to access Arctic configuration from GPRS.
– Solution: SMS config or Dial-in still provides access
• Violating the "from top to bottom" rule processing
principle causes different operation than required
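As an added example (not Arctic firmware or Viola Systems code), a small configuration lint that checks a settings dictionary against the constraints stated in this page's NOTE items and "Common ... problems" slides: a single default route, monitor interval below the GPRS idle timeout, monitor target on the tunnel peer rather than the public server IP, L2TP Hello below the NAT timeout, no D-NAT or GPRS-to-Arctic DROP on TCP 22/23/80 (or protocol ANY), changed dial-in credentials, and DNS refresh below the record TTL. The dictionary layout, key names and the sample values are this example's assumptions.

```python
from typing import Dict, List

MGMT_PORTS = {22: "SSH", 23: "Telnet", 80: "HTTP"}   # ports the page names for config access


def lint(cfg: Dict) -> List[str]:
    """Return the page's configuration pitfalls found in an Arctic-style config dict."""
    out: List[str] = []
    gprs, mon = cfg.get("gprs", {}), cfg.get("monitor", {})

    # Only one default route (Ethernet, GPRS, Tunnel) may be enabled at a time.
    routes = [n for n in ("ethernet", "gprs", "ssh_vpn", "l2tp")
              if cfg.get(n, {}).get("default_route")]
    if len(routes) != 1:
        out.append(f"default route: exactly one required, enabled={routes}")

    # Monitor ping interval must be smaller than the PPP idle timeout
    # (the page suggests about 2/3 of it) or GPRS is re-established needlessly.
    if (mon.get("enabled") and gprs.get("enabled")
            and mon.get("interval", 0) > 2 * gprs.get("ppp_idle_timeout", 0) / 3):
        out.append("monitor: interval should be at most 2/3 of the GPRS PPP idle timeout")

    # In tunnel mode the monitor must ping the tunnel peer, not the public server IP.
    for name in ("ssh_vpn", "l2tp"):
        t = cfg.get(name, {})
        if t.get("enabled") and mon.get("target_ip") == t.get("server_ip"):
            out.append(f"monitor: target is the public {name} server IP, ping the tunnel peer")

    # L2TP Hello interval must be shorter than the operator's UDP NAT binding timeout.
    l2tp = cfg.get("l2tp", {})
    if l2tp.get("enabled") and l2tp.get("hello_interval", 0) >= l2tp.get("nat_timeout", 0):
        out.append("l2tp: Hello interval must be smaller than the NAT binding timeout")

    # D-NAT on 22/23/80 or with protocol ANY, and GPRS-to-Arctic DROP rules on the
    # same ports, cut off configuration from GPRS (only SMS config / dial-in remain).
    for r in cfg.get("dnat", []):
        if r.get("use") and (r.get("proto") == "ANY" or r.get("port") in MGMT_PORTS):
            out.append(f"dnat: proto={r.get('proto')} port={r.get('port')} blocks management from GPRS")
    for r in cfg.get("fw_gprs_to_arctic", []):
        if (r.get("action") == "DROP" and r.get("from_ip", "") in ("", "0/0")
                and (r.get("proto") == "ANY" or r.get("port") in MGMT_PORTS)):
            out.append(f"firewall: GPRS-to-Arctic DROP port={r.get('port')} blocks management from GPRS")

    # Dial-in still on the factory "user"/"pass" credentials the page lists.
    d = cfg.get("dialin", {})
    if d.get("enabled") and (d.get("user"), d.get("password")) == ("user", "pass"):
        out.append("dialin: default username/password still in use")

    # DNS update refresh interval should be smaller than the record TTL.
    dns = cfg.get("dns_update", {})
    if dns.get("enabled") and dns.get("refresh_interval", 0) >= dns.get("record_ttl", 0):
        out.append("dns_update: refresh interval should be smaller than the record TTL")
    return out


# Constructed sample: a plain-GPRS site with two D-NAT forwards, values made up here.
SAMPLE = {
    "ethernet": {"default_route": True},   # left on from LAN setup ...
    "gprs": {"enabled": True, "default_route": True, "ppp_idle_timeout": 300},  # ... and on here too
    "monitor": {"enabled": True, "interval": 240, "target_ip": "62.22.33.11"},
    "ssh_vpn": {"enabled": False},
    "l2tp": {"enabled": False},
    "dnat": [{"use": True, "proto": "TCP", "port": 888, "redirect_ip": "10.10.10.2", "redirect_port": 80},
             {"use": True, "proto": "TCP", "port": 80, "redirect_ip": "10.10.10.4", "redirect_port": 80}],
    "fw_gprs_to_arctic": [{"action": "ACCEPT", "proto": "TCP", "from_ip": "0/0", "port": 22}],
    "dialin": {"enabled": True, "user": "user", "password": "pass"},
    "dns_update": {"enabled": False},
}


def sample_findings() -> List[str]:
    return lint(SAMPLE)   # four findings: routes, monitor interval, D-NAT port 80, dial-in


if __name__ == "__main__":
    for f in sample_findings():
        print("-", f)
```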
Services menu
WWW Server Settings
• WEB Server
  – Enable to allow Arctic WEB server to run on TCP port 80
• WEB Configuration Access
  – Enable to allow Arctic configuration by using WEB browser
• Both settings are enabled by default
• NOTE
  – Disabling WEB Server or WEB Configuration access makes it impossible to turn them back on by using WEB browser
  – Consider whether you need to disable WWW at all or only block access to it from GPRS by using GPRS to Arctic firewall
  – For enabling them again command line interface must be used
Telnet Server Settings
• Telnet server
  – Enable to allow Arctic Telnet server to run on TCP port 23
• Telnet server is required to configure Arctic remotely with Telnet command line interface
• Telnet server is enabled by default
• NOTE
  – Disabling Telnet server makes it impossible to turn it back on by using Telnet
  – Consider whether you need to disable Telnet totally or only block access to it from GPRS by using GPRS to Arctic firewall
  – For enabling Telnet again use WEB browser or SSH or command line
SSH Server Settings
• SSH server
  – Enable to allow Arctic SSH server to run on TCP port 22
• SSH server is required to configure Arctic remotely with SSH command line interface
• SSH server is enabled by default
• NOTE
  – Disabling SSH server makes it impossible to turn it back on by using SSH
  – Consider whether you need to disable SSH totally or only block access to it from GPRS by using GPRS to Arctic firewall
  – For enabling SSH again use WEB browser or Telnet or command line
DHCP Server
• Arctic has built-in DHCP server for allocating Ethernet
configuration for Ethernet devices
– IP address, netmask, default gateway, DNS server etc.
• The Ethernet devices must have standard DHCP client
– available on any PC operating system
• There should be only one DHCP server on Ethernet LAN
• The IP addresses allocated by DHCP server should not
be used on manual configurations
– prevents multiple devices having same IP address on LAN
• DHCP server is disabled by default
• Diagram: Ethernet device asks "Give me IP address and other network information"; Arctic DHCP server answers "Here you are 172.16.8.80"; the device then sends data from 172.16.8.80
DHCP Server Settings
• DHCP Server
  – Enable to allow Arctic DHCP server
• Subnet (mandatory)
  – Defines the subnet where DHCP server listens for requests
  – Must be same as the subnet of Arctic Ethernet interface
  – The subnet means the network part of IP address
• Netmask (mandatory)
  – Netmask for Ethernet interface
• Address range to share (mandatory)
  – Defines the IP address range DHCP allocates for clients
• Subnet mask (optional)
  – Subnet mask to give for DHCP clients
• Domain name (optional)
  – Domain name to give for DHCP clients
• DNS servers (optional)
  – DNS server IP address to give for DHCP clients
• Default gateway (optional)
  – Default gateway IP address to give for DHCP Clients
  – Usually the Ethernet IP address of Arctic
• Broadcast address (optional)
  – Broadcast address to give for DHCP clients
• WINS server (optional)
  – WINS server IP address to give for DHCP clients
• NTP server (optional)
  – Network Time Protocol server IP address to give for DHCP clients
• LPR server (optional)
  – Print server IP address to give for DHCP clients
• Default lease time (optional)
  – How many seconds the given IP address is valid by default
  – The DHCP client can request a different lease time
• Max lease time (optional)
  – The maximum lease time allowed
Tools menu (Debug information)
Console
• Allows Linux shell commands to be executed from WEB
user interface
• Suggested use is only for monitoring, not configuring
– uptime, ps, ifconfig, df, cat, etc.
System log
• Shows the Arctic system log
• Useful for debugging problems
Recent events
• Shows recent events from the system log
Modem info
• Provides information about GPRS modem and GPRS network
Send SMS
• Sending SMS from Arctic by using WEB interface
• Useful for finding out the GSM phone number of the SIM card
Default settings
• Overwrites Arctic current settings with default ones
• Hostname and Ethernet settings remain unchanged
• Also from command line
  – /etc/defaults/setdef.sh
• NOTE! It is not possible to revert back to old settings!