Omada SDN Controller User Guide

Configure the Network with Omada SDN Controller

This chapter guides you on how to configure the network with Omada SDN Controller. As the command center and management platform at the heart of the Omada network, Omada SDN Controller provides a unified approach to configuring enterprise networks comprised of routers, switches, and wireless access points. The chapter includes the following sections:

4.1 Navigate the UI

4.2 Modify the Current Site Configuration

4.3 Configure Wired Networks

4.4 Configure Wireless Networks

4.5 Network Security

4.6 Transmission

4.7 Configure VPN

4.8 Create Profiles

4.9 Authentication

4.10 Services

4.1 Navigate the UI

As you start using the management interface of the controller (Controller UI) to configure and monitor your network, it is helpful to familiarize yourself with the most commonly used elements of the Controller UI that are frequently referenced in this guide.

The Controller UI is grouped into task-oriented menus, which are located in the top right-hand corner and the left-hand navigation bar of the page. Note that the settings and features that appear in the UI depend on your user account permissions. The following image depicts the main elements of the Controller UI.

The elements in the top right corner of the screen give quick access to:

Site Management

Site Manager : have a quick overview of sites, including the name, location, managed devices, and connected clients.

Add New Site : add a new site, which is a logically separated network location. The site is the largest unit for managing the network.

Import Site : import a site from another controller.

Global Search Feature

Click the search icon and enter keywords to quickly look up the functions that you want to configure. You can also search for devices by MAC address or device name.

My Account

More Settings

Click to display Preferences, About and Tutorial.

Preferences : Click to jump to Maintenance and customize the Controller UI depending on your needs. For details, refer to 5.3 Maintenance.

About : Click to display the controller version.

Tutorial : Click to view the quick Getting Started guide, which demonstrates the navigation and tools available for the controller.

The left-hand navigation bar provides access to:

Dashboard displays a summarized view of the network status through different visualizations. The widget-driven dashboard is customizable depending on your needs.

Statistics provides a visual representation of the clients and network managed by the controller. The run charts show changes in device performance over time, including the status of switches and speed test results.

Map generates the system topology automatically and you can look over the provisioning status of devices. By clicking on each node, you can view the detailed information of each device. You can also upload images of your location for a visual representation of your network.

Devices displays all TP-Link devices discovered on the site and their general information. This list view can change depending on your monitoring needs through customizing the columns. You can click any device on the list to reveal the Properties window for more detailed information of each device and provisioning individual configurations to the device.

Clients displays a list view of wired and wireless clients that are connected to the network. This list view can change depending on your monitoring need through customizing the columns. You can click any clients on the list to reveal the Properties window for more detailed information of each client and provisioning individual configurations to the client.

Insight displays a list of statistics of your network device, clients and services during a specified period. You can change the range of date in one-day increments.

Log displays logs that record varied activities of users, devices, and systems events, such as administrative actions and abnormal device behaviors. You can also configure notifications to receive alert emails of certain activities.

Admin allows you to configure multi-level administrative accounts with a hierarchy of permissions that can be configured to provide finely grained levels of access to the controller as required by your enterprise.

Settings is divided into two parts: Site Settings and Controller Settings. In Site Settings, you can provision and configure all your network devices on the same site in minutes. In Controller Settings, you can maintain the controller system for best performance.

4.2 Modify the Current Site Configuration

You can view and modify the configurations of the current site in Site, including the basic site information, centrally-managed device features, and the device account. The features and device account configured here are applied to all devices on the site, so you can easily manage the devices centrally.

4.2.1 Site Configuration

In Site Configuration, you can view and modify the site name, location, time zone, and application scenario of the current site.

Select a site from the drop-down list of Sites in the top-right corner, go to Settings > Site , and configure the following information of the site in Site Configuration . Click Save .

Site Name

Country/Region

Time Zone

Daylight Saving Time

Time Offset

Starts On

Ends On

Application Scenario

Select the application scenario of the site from the drop-down list, or click Create New Scenario in the drop-down list to add one.

4.2.2 Services

In Services, you can view and modify the features applied to devices on the current site. Most features are applied to all devices, such as LED, Automatic Upgrades, and Alert Emails, while some are applied to EAPs only, such as Channel Limit and Mesh.

Select a site from the drop-down list of Sites in the top-right corner, go to Settings > Site , and configure the following features for the current site in Services . Click Save .

LED

By default, the device follows the LED setting of the site it belongs to. To change the LED setting for certain devices, refer to Chapter 6. Configure and Monitor Omada Managed Devices .

Automatic Upgrades

Channel Limit

Mesh

Auto Failover

Connectivity Detection

In a mesh network, the APs can send ARP request packets to a fixed IP address to test the connectivity. If the link fails, the status of these APs will change to Isolated.

Auto (Recommended) : Select this method and the mesh APs will send ARP request packets to the default gateway for the detection.

Custom IP Address : Select this method and specify a desired IP address. The mesh APs will send ARP request packets to the custom IP address to test the connectivity. If the IP address of the AP is in different network segments from the custom IP address, the AP will use the default gateway IP address for the detection.

Full-Sector DFS

To enable this feature, enable Mesh first.

Periodic Speed Test

Speed Test Interval : When enabled, specify the interval to decide how often to test the speed of devices.

Speed Test History : Click it to view the history statistics of speed tests in 8.2.3 Speed Test Statistics .

Alert Emails

Enable alert emails : When enabled, the controller can send emails to notify the administrators and viewers of the site’s alert logs once generated.

Send similar alerts within the specified number of seconds in one email : When enabled, similar alerts generated within each such time period are collected and sent to administrators and viewers in one email instead of one email per alert.

Remote Logging

Syslog Server IP/Hostname : Enter the IP address or hostname of the log server.

Syslog Server Port : Enter the port on which the server listens for syslog messages (514 is the conventional syslog port).

Client Detail Logs : With this feature enabled, the logs of clients will also be sent to the syslog server. Traditional syslog is neither authenticated nor encrypted, so place the collector on a trusted management network rather than exposing it across untrusted segments.
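The following is an added example, not code from the Omada guide or from TP-Link: a small Python collector that parses RFC 3164-style syslog lines of the kind a remote logging target receives, keeps those at or above a chosen severity, and then groups similar alerts that fall within a time window, which is the behaviour the "send similar alerts within N seconds in one email" option describes. The sample lines are constructed for this example; their wording, the hostname "controller", and the rule that "similar" means identical text once MAC and IP addresses are masked are assumptions, not documented controller output or logic.

```python
"""Added example (not part of the Omada guide or TP-Link's code): a minimal
remote-syslog parser with the "group similar alerts within a window" logic
described for Alert Emails. The sample lines are constructed for this example;
the message wording is an assumption, not real controller output."""
import re
from datetime import datetime

# RFC 3164: PRI = facility * 8 + severity; severity 0 is the most severe.
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                   # <PRI>
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "    # Mmm dd hh:mm:ss
    r"(?P<host>\S+) "                                       # HOSTNAME
    r"(?P<msg>.*)$"                                         # TAG and CONTENT
)
MAC_RE = re.compile(r"(?i)\b(?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_line(line):
    """Parse one RFC 3164 line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:                      # largest legal PRI: facility 23, severity 7
        return None
    # RFC 3164 timestamps carry no year; strptime fills in 1900, which is fine
    # for differences between lines (assumption: all lines are from one day).
    when = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return {
        "facility": pri // 8,
        "severity": SEVERITY[pri % 8],
        "seconds": (when - datetime(1900, 1, 1)).total_seconds(),
        "host": m["host"],
        "msg": m["msg"],
    }


def alert_key(msg):
    """Two alerts are 'similar' when their text matches after masking MAC and
    IPv4 addresses (an assumption about what the controller treats as similar)."""
    return IPV4_RE.sub("<ip>", MAC_RE.sub("<mac>", msg)).strip()


def group_similar(events, window):
    """Collapse similar events that fall within `window` seconds of the first
    event of their group. Returns [(key, count, first_seconds), ...]."""
    groups = []          # each entry: [key, count, first_seconds]
    open_group = {}      # key -> index of the group still accepting events
    for ev in sorted(events, key=lambda e: e["seconds"]):
        key = alert_key(ev["msg"])
        idx = open_group.get(key)
        if idx is not None and ev["seconds"] - groups[idx][2] <= window:
            groups[idx][1] += 1
        else:
            groups.append([key, 1, ev["seconds"]])
            open_group[key] = len(groups) - 1
    return [tuple(g) for g in groups]


def alert_digest(lines, window, min_severity="warning"):
    """Keep lines at `min_severity` or more severe, then group them: this is
    what one batched alert email would contain."""
    cutoff = SEVERITY.index(min_severity)
    events = [e for e in map(parse_line, lines)
              if e is not None and SEVERITY.index(e["severity"]) <= cutoff]
    return group_similar(events, window)


# Constructed sample input: PRI 28 = daemon.warning, PRI 30 = daemon.info.
SAMPLE_LINES = [
    "<28>Oct 10 12:00:00 controller omada: AP 00-11-22-33-44-55 disconnected",
    "<28>Oct 10 12:00:05 controller omada: AP 00-11-22-33-44-66 disconnected",
    "<30>Oct 10 12:00:08 controller omada: client 10.0.1.23 joined SSID Guest",
    "<28>Oct 10 12:01:10 controller omada: AP 00-11-22-33-44-55 disconnected",
    "not a syslog line at all",
]

if __name__ == "__main__":
    for key, count, first in alert_digest(SAMPLE_LINES, window=60):
        print(f"{count}x {key} (first seen at +{first % 86400:.0f}s)")
```

With a 60-second window the two AP disconnects at 12:00:00 and 12:00:05 collapse into one entry while the one at 12:01:10 starts a new group; the info-level client line is dropped by the severity filter, and the malformed line is rejected by the parser instead of being guessed at.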

Advanced Features

Enable this option to configure the features described in 4.2.3 Advanced Features. When disabled, these features keep their default settings.

4.2.3 Advanced Features

Advanced features include Fast Roaming, Band Steering, and Beacon Control, which are applicable to APs only. With these advanced features configured properly, you can improve the network’s stability, reliability and communication efficiency.

Advanced features should be configured by network administrators with WLAN knowledge. If you are not sure about your network conditions and the potential impact of the settings, keep Advanced Features disabled in Services so that their default configurations are used.

Select a site from the drop-down list of Sites in the top-right corner, go to Settings > Site , and enable Advanced Features in Services first. Then configure the following features in Advanced Features . Click Save .

Fast Roaming

By default, it is disabled. This feature is available only on certain devices.

AI Roaming

Dual Band 11k Report

When enabled, the controller provides neighbor list that contains neighbor APs in both 2.4 GHz and 5 GHz bands.

Force-Disassociation

Band Steering

When enabled, dual-band clients will be steered to the 5 GHz band according to the configured parameters. With appropriate settings, Band Steering can improve the network performance because the 5 GHz band supports a larger number of non-overlapping channels and is less noisy. By default, it is disabled.

Connection Threshold : Specify the maximum number of clients connected to the 5 GHz band. By default, the threshold is 30.

Difference Threshold : Specify the maximum difference between the number of clients on the 5 GHz band and 2.4 GHz band. By default, the threshold is 4.

Maximum Failures : Specify the maximum number of the failed attempts when a client repeatedly tries to associate with an EAP on 5 GHz. When the number of rejections reaches Maximum Failures, the EAP will accept the client’s request for connection. By default, it is 4.
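To make the interplay of the three Band Steering parameters concrete, here is an added example in Python that is not TP-Link's code and not the EAP's actual implementation: a model of the decision the text describes, with a per-client counter of rejected 5 GHz attempts. The exact comparisons (at-or-above versus above the thresholds), the counter reset on a successful association, and the client MAC addresses are assumptions; how the AP nudges a dual-band client toward 5 GHz in the first place is not described on the page and is not modelled.

```python
"""Added example (not TP-Link's code): a model of the Band Steering decision
described above, so the interaction of Connection Threshold, Difference
Threshold and Maximum Failures can be traced. The exact comparisons (>= vs >)
and the per-client failure counter are assumptions about the behaviour, not
documented semantics."""


class BandSteering:
    def __init__(self, connection_threshold=30, difference_threshold=4, max_failures=4):
        self.connection_threshold = connection_threshold
        self.difference_threshold = difference_threshold
        self.max_failures = max_failures
        self.clients_5g = set()      # MACs currently associated on 5 GHz
        self.clients_24g = set()     # MACs currently associated on 2.4 GHz
        self.failures = {}           # MAC -> number of rejected 5 GHz attempts

    def five_ghz_saturated(self):
        """True when either threshold says 5 GHz should take no more clients."""
        n5, n24 = len(self.clients_5g), len(self.clients_24g)
        return (n5 >= self.connection_threshold
                or n5 - n24 >= self.difference_threshold)

    def associate(self, mac, band):
        """Handle one association request; returns 'accept' or 'reject'."""
        if band == "2.4g":
            self.clients_24g.add(mac)
            return "accept"
        if band != "5g":
            raise ValueError("band must be '2.4g' or '5g'")
        if self.five_ghz_saturated() and self.failures.get(mac, 0) < self.max_failures:
            # Refuse the 5 GHz request to push the client to 2.4 GHz, but only
            # Maximum Failures times so a client that keeps trying is not locked out.
            self.failures[mac] = self.failures.get(mac, 0) + 1
            return "reject"
        self.clients_5g.add(mac)
        self.failures.pop(mac, None)
        return "accept"

    def disassociate(self, mac):
        """Forget a client that left either band."""
        self.clients_5g.discard(mac)
        self.clients_24g.discard(mac)


def run_scenario(connection_threshold=3, difference_threshold=2, max_failures=2):
    """Deliberately tight thresholds so the effect is visible in a few steps;
    returns the list of (mac, band, outcome) in order. MACs are made up."""
    ap = BandSteering(connection_threshold, difference_threshold, max_failures)
    attempts = [
        ("aa:00:00:00:00:01", "5g"),    # 5 GHz empty: accepted
        ("aa:00:00:00:00:02", "5g"),    # difference 1 < 2: accepted
        ("aa:00:00:00:00:03", "5g"),    # difference 2 >= 2: rejected (failure 1)
        ("aa:00:00:00:00:03", "5g"),    # rejected (failure 2)
        ("aa:00:00:00:00:03", "5g"),    # failures reached max: accepted
        ("aa:00:00:00:00:04", "2.4g"),  # 2.4 GHz requests are never refused
        ("aa:00:00:00:00:05", "5g"),    # 3 on 5 GHz >= connection threshold: rejected
    ]
    return [(mac, band, ap.associate(mac, band)) for mac, band in attempts]


if __name__ == "__main__":
    for mac, band, outcome in run_scenario():
        print(f"{mac} -> {band}: {outcome}")
```

The scenario shows why Maximum Failures exists: without it the third client would be refused on 5 GHz indefinitely once the Difference Threshold is reached, even if it never falls back to 2.4 GHz.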

Beacon Control

Select the band and configure the following parameters of Beacon Control.

Beacon Interval : Specify how often the APs send a beacon to clients, in milliseconds. By default, it is 100.

DTIM Period : Specify how often the clients check for buffered data that are still on the EAP awaiting pickup. By default, the clients check for them at every beacon.

RTS Threshold : RTS (Request to Send) helps avoid collisions on the wireless medium. If a client wants to send a packet larger than the threshold, the RTS/CTS handshake is performed first, which holds off other clients in the same wireless network while that packet is transmitted.

Fragmentation Threshold : Fragmentation can limit the size of packets transmitted over the network. If a packet to be sent exceeds the Fragmentation threshold, the Fragmentation function will be activated, and the packet will be fragmented into several packets. By default, the threshold is 2346.

Airtime Fairness : With this option enabled, each client connecting to the EAP can get the same amount of time to transmit data so that low-data-rate clients do not occupy too much network bandwidth and network performance improves as a whole. We recommend you enable this function under multi-rate wireless networks.

4.2.4 Device Account

You can specify a device account for all adopted devices on the site in batches. Once the devices are adopted by the controller, their username and password become the same as the settings in Device Account, which protects the communication between the controller and the devices. By default, the username is admin and the password is generated randomly.

Go to Settings > Site and modify the username and password in Device Account . Click Save and the new username and password are applied to all devices on the site. The device account is also the administrator login of every adopted device, so keep it as confidential as the controller's own administrator credentials and change it here if it may have been exposed.

4.3 Configure Wired Networks

Wired networks enable your wired devices and clients including the gateway, switches, EAPs and PCs to connect to each other and to the internet.

As shown in the following figure, Wired Networks consist of two parts: Internet and LAN.

For Internet, you determine the number of WAN ports on the gateway and how they connect to the internet. You can set up an IPv4 connection and IPv6 connection to your internet service provider (ISP) according to your needs. The parameters of the internet connection for the gateway depend on which connection types you use. For an IPv4 connection, the following internet connection types are available: Dynamic IP, Static IP, PPPoE, L2TP, and PPTP. For an IPv6 connection, the following internet connection types are available: Dynamic IP (SLAAC/DHCPv6), Static IP, PPPoE, 6to4 Tunnel, and Pass-Through (Bridge). When more than one WAN port is configured, you can configure Load Balancing to optimize the resource utilization if needed.

For LAN, you configure the wired internal network and how your devices logically separate from or connect to each other by means of VLANs and interfaces. Advanced LAN features include IGMP Snooping, DHCP Server and DHCP Options, PoE, Voice Network, 802.1X Control, Port Isolation, Spanning Tree, LLDP-MED, and Bandwidth Control.

4.3.1 Set Up an Internet Connection

To set up an internet connection, follow these steps:

1 ) Configure the number of WAN ports on the gateway based on needs.

2 ) Configure WAN Connections. You can set up the IPv4 connection, IPv6 connection, or both.

3 ) (Optional) Configure Load Balancing if more than one WAN port is configured.

Select WAN Mode

Configure WAN Connections

(Optional) Configure Load Balancing

Go to Settings > Wired Networks > Internet to load the following page. In WAN Mode , configure the number of WAN ports deployed by the gateway and other parameters. Then click Apply .

WAN Ports

Online Detection Interval

Note that Load Balancing and Link Backup take effect based on the results of online detection. Configure a proper online detection interval to make sure that Load Balancing and Link Backup work.


Note:

The number of configurable WAN ports is decided by WAN Mode.

Set Up IPv4 Connection

Go to Settings > Wired Networks > Internet . For WAN connections, choose a Connection Type according to the service provided by your ISP.

Connection Type

Dynamic IP : If your ISP automatically assigns the IP address and the corresponding parameters, choose Dynamic IP.

Static IP : If your ISP provides you with a fixed IP address and the corresponding parameters, choose Static IP.

PPPoE : If your ISP provides you with a PPPoE account, choose PPPoE.

L2TP : If your ISP provides you with an L2TP account, choose L2TP.

PPTP : If your ISP provides you with a PPTP account, choose PPTP. Note that PPTP is an obsolete protocol whose authentication and encryption are known to be weak, so use it only where your ISP requires it.

Dynamic IP

1. Choose Connection Type as Dynamic IP and configure the following parameters.

MAC Address

Use Default MAC Address : The WAN port uses the default MAC address to set up the internet connection. It is recommended to use the default MAC address unless required otherwise.

Customize MAC Address : The WAN port uses a customized MAC address to set up the internet connection, and you need to specify the MAC address. Typically, this is required when your ISP has bound the MAC address to your account or IP address. If you are not sure, contact the ISP.

2. Click + Advanced Settings and configure the following parameters. Then click Apply .

Unicast DHCP

Primary DNS Server / Secondary DNS Server

Host Name

MTU

MTU is the maximum data unit transmitted in the physical network. When the connection type is Dynamic IP, MTU can be set in the range of 576-1500 bytes. The default value is 1500.

VLAN

QoS Tag

QoS Tag is only available when VLAN is enabled.

Static IP

1. Choose Connection Type as Static IP and configure the following parameters.

IP Address

Subnet Mask

Default Gateway

MAC Address

Use Default MAC Address : The WAN port uses the default MAC address to set up the internet connection. It is recommended to use the default MAC address unless required otherwise.

Customize MAC Address : The WAN port uses a customized MAC address to set up the internet connection, and you need to specify the MAC address. Typically, this is required when your ISP has bound the MAC address to your account or IP address. If you are not sure, contact the ISP.

2. Click + Advanced Settings and configure the following parameters. Then click Apply .

Primary DNS Server / Secondary DNS Server

MTU

MTU is the maximum data unit transmitted in the physical network. When the connection type is Static IP, MTU can be set in the range of 576-1500 bytes. The default value is 1500.

VLAN

QoS Tag

QoS Tag is only available when VLAN is enabled.

PPPoE

1. Choose Connection Type as PPPoE and configure the following parameters.

Username

Password

MAC Address

Use Default MAC Address : The WAN port uses the default MAC address to set up the internet connection. It is recommended to use the default MAC address unless required otherwise.

Customize MAC Address : The WAN port uses a customized MAC address to set up the internet connection, and you need to specify the MAC address. Typically, this is required when your ISP has bound the MAC address to your account or IP address. If you are not sure, contact the ISP.

2. Click + Advanced Settings and configure the following parameters. Then click Apply .

Get IP address from ISP

With this option disabled, you need to specify the IP Address provided by your ISP.

Primary DNS Server / Secondary DNS Server

Connection Mode

Connect Automatically : The gateway activates the connection automatically when the connection is down. You need to specify the Redial Interval , which decides how often the gateway tries to redial after the connection is down.

Connect Manually : You can manually activate or terminate the connection.

Time-Based : During the specified period, the gateway will automatically activate the connection. You need to specify the Time Range when the connection is up.

Service Name

MTU

MTU is the maximum data unit transmitted in the physical network. When the connection type is PPPoE, MTU can be set in the range of 576-1492 bytes. The default value is 1492.

VLAN

QoS Tag

QoS Tag is only available when VLAN is enabled.

Secondary Connection

None : Select this if the secondary connection is not required by your ISP.

Static IP : Select this if your ISP provides you with a fixed IP address and subnet mask for the secondary connection. You need to specify the IP Address and Subnet Mask provided by your ISP.

Dynamic IP : Select this if your ISP automatically assigns the IP address and subnet mask for the secondary connection.

L2TP

Choose Connection Type as L2TP and configure the following parameters. Then click Apply .

Username

Password

VPN Server / Domain Name

Get IP address from ISP

With this option disabled, you need to specify the IP address provided by your ISP.

Primary DNS Server / Secondary DNS Server

Connection Mode

Connect Automatically : The gateway activates the connection automatically when the connection is down. You need to specify the Redial Interval , which decides how often the gateway tries to redial after the connection is down.

Connect Manually : You can manually activate or terminate the connection.

Time-Based : During the specified period, the gateway will automatically activate the connection. You need to specify the Time Range when the connection is up.

MTU

MTU is the maximum data unit transmitted in the physical network. When the connection type is L2TP, MTU can be set in the range of 576-1460 bytes. The default value is 1460.

VLAN

QoS Tag

QoS Tag is only available when VLAN is enabled.

Secondary Connection

Static IP : Select this if your ISP provides you with a fixed IP address and subnet mask for the secondary connection. You need to specify the IP Address , Subnet Mask , Default Gateway (Optional) , Primary DNS Server (Optional) , and Secondary DNS Server (Optional) provided by your ISP.

Dynamic IP : Select this if your ISP automatically assigns the IP address and subnet mask for the secondary connection.

MAC Address

Use Default MAC Address : The WAN port uses the default MAC address to set up the internet connection. It is recommended to use the default MAC address unless required otherwise.

Customize MAC Address : The WAN port uses a customized MAC address to set up the internet connection, and you need to specify the MAC address. Typically, this is required when your ISP has bound the MAC address to your account or IP address. If you are not sure, contact the ISP.

PPTP

Choose Connection Type as PPTP and configure the following parameters. Then click Apply .

Username

Password

VPN Server / Domain Name

Get IP address from ISP

With this option disabled, you need to specify the IP address provided by your ISP.

Primary DNS Server / Secondary DNS Server

Connection Mode

Connect Automatically : The gateway activates the connection automatically when the connection is down. You need to specify the Redial Interval , which decides how often the gateway tries to redial after the connection is down.

Connect Manually : You can manually activate or terminate the connection.

Time-Based : During the specified period, the gateway will automatically activate the connection. You need to specify the Time Range when the connection is up.

MTU

MTU is the maximum data unit transmitted in the physical network. When the connection type is PPTP, MTU can be set in the range of 576-1420 bytes. The default value is 1420.

VLAN

QoS Tag

QoS Tag is only available when VLAN is enabled.

Secondary Connection

Static IP : Select this if your ISP provides you with a fixed IP address and subnet mask for the secondary connection. You need to specify the IP Address , Subnet Mask , Default Gateway (Optional) , Primary DNS Server (Optional) , and Secondary DNS Server (Optional) provided by your ISP.

Dynamic IP : Select this if your ISP automatically assigns the IP address and subnet mask for the secondary connection.

MAC Address

Use Default MAC Address : The WAN port uses the default MAC address to set up the internet connection. It is recommended to use the default MAC address unless required otherwise.

Customize MAC Address : The WAN port uses a customized MAC address to set up the internet connection, and you need to specify the MAC address. Typically, this is required when your ISP has bound the MAC address to your account or IP address. If you are not sure, contact the ISP.

Set Up IPv6 Connection

For IPv6 connections, check the box to enable the IPv6 connection, and select the internet connection type according to the requirements of your ISP.

Connection Type

Dynamic IP (SLAAC/DHCPv6) : If your ISP uses Dynamic IPv6 address assignment, either DHCPv6 or SLAAC+Stateless DHCP, select Dynamic IP (SLAAC/DHCPv6).

Static IP : If your ISP provides you with a fixed IPv6 address, select Static IP.

PPPoE : If your ISP uses PPPoEv6, and provides a username and password, select PPPoE.

6to4 Tunnel : If your ISP uses 6to4 deployment for assigning IPv6 addresses, select 6to4 Tunnel. 6to4 is an internet transition mechanism for migrating from IPv4 to IPv6, a system that allows IPv6 packets to be transmitted over an IPv4 network. The IPv6 packet is encapsulated in an IPv4 packet and transmitted to the IPv6 destination through the IPv4 network. Note that 6to4 depends on public relay routers and has been deprecated (RFC 7526); prefer native IPv6 from your ISP where it is available.

Pass-Through (Bridge) : In Pass-Through (Bridge) mode, the gateway works as a transparent bridge. The IPv6 packets received from the WAN port will be transparently forwarded to the LAN port and vice versa. No extra parameter is required.

Dynamic IP (SLAAC/DHCPv6)

Choose Connection Type as Dynamic IP (SLAAC/DHCPv6) and configure the following parameters. Then click Apply .

Get IPv6 Address

Automatically : With this option selected, the gateway will automatically select SLAAC or DHCPv6 to get IPv6 addresses.

Via SLAAC : With SLAAC (Stateless Address Auto-Configuration) selected, your ISP assigns the IPv6 address prefix to the gateway and the gateway automatically generates its own IPv6 address. Also, your ISP assigns other parameters including the DNS server address to the gateway.

Via DHCPv6 : With DHCPv6 selected, your ISP assigns an IPv6 address and other parameters including the DNS server address to the gateway using DHCPv6.

Prefix Delegation

Prefix Delegation Size

DNS Address

Get from ISP Dynamically : The DNS address will be automatically assigned by the ISP.

Use the Following DNS Addresses : Enter the DNS address provided by the ISP.

Static IP

Choose Connection Type as Static IP and configure the following parameters. Then click Apply .

IPv6 Address

Prefix Length

Default Gateway

Primary DNS Server

Secondary DNS Server

PPPoE

Choose Connection Type as PPPoE and configure the following parameters. Then click Apply .

Share the same PPPoE session with IPv4

Username

Password

Get IPv6 Address

Automatically : With this option selected, the gateway will automatically select the method to get IPv6 addresses between SLAAC and DHCPv6.

Via SLAAC : With SLAAC (Stateless Address Auto-Configuration) selected, your ISP assigns the IPv6 address prefix to the gateway and the gateway automatically generates its own IPv6 address. Also, your ISP assigns other parameters including the DNS server address to the gateway.

Via DHCPv6 : With DHCPv6 selected, your ISP assigns an IPv6 address and other parameters including the DNS server address to the gateway using DHCPv6.

Specified by ISP : With this option selected, enter the IPv6 address you get from your ISP.

Prefix Delegation

Prefix Delegation Size

DNS Address

Get from ISP Dynamically : The DNS address will be automatically assigned by the ISP.

Use the Following DNS Addresses : Enter the DNS address provided by the ISP.

6to4 Tunnel

Choose Connection Type as 6to4 Tunnel and configure the following parameters. Then click Apply .

DNS Address

Get from ISP Dynamically : The DNS address will be automatically assigned by the ISP.

Use the Following DNS Addresses : Enter the DNS address provided by the ISP.

Pass-Through (Bridge)

Choose Connection Type as Pass-Through (Bridge). No configuration is required for this type of connection. Then click Apply .


Note:

Load Balancing is only available when you configure more than one WAN port.

Go to Settings > Wired Networks > Internet to load the following page. In Load Balancing , configure the following parameters and click Apply .

Load Balancing Weight

Alternatively, you can click Pre-Populate to test the speed of WAN ports and automatically fill in the appropriate ratio according to test result.

Application Optimized Routing

This feature keeps all sessions of an application that opens multiple connections on the same WAN port, so that such applications work properly even while traffic is balanced across WAN ports.

Link Backup

Backup WAN / Primary WAN

Backup Mode

Link Backup: When a WAN link goes down, the system automatically switches all new sessions to another WAN port to keep the network always online.

Always Link Primary: Traffic is always forwarded through the primary WAN port unless it fails. The system will try to forward the traffic via the backup WAN port when it fails, and switch back when it recovers.

4.3.2 Configure LAN Networks

The LAN function allows you to configure wired internal network. Based on 802.1Q VLAN, Omada Controller provides a convenient and flexible way to separate and deploy the network. The network can be logically segmented by departments, application, or types of users, without regard to geographic locations.

To create a LAN, follow the guidelines:

1 ) Create a Network with specific purpose. For Layer 2 isolation, create a network as VLAN. To realize inter-VLAN routing, create a network as Interface , which is configured with a VLAN interface.

2 ) Create a port profile for the network. The profile defines how the packets in both ingress and egress directions are handled.

3 ) Assign the port profile to the desired ports of the switch to activate the LAN.

Create a Network

Create a Port Profile

Assign the Port Profile to the Ports

Note:

A default Network (default VLAN) named LAN is preconfigured as Interface and is associated with all LAN ports of the Omada Gateway and all switch ports. The VLAN ID of the default Network is 1. The default Network can be edited, but not deleted.

1. Go to Settings > Wired Networks > LAN > Networks to load the following page.

2. Click + Create New LAN to load the following page, enter a name to identify the network, and select the purpose for the network.

Purpose

Interface: Create the network with a Layer 3 interface, which is required for inter-VLAN routing.

VLAN: Create the network as a Layer 2 VLAN.

3. Configure the parameters according to the purpose for the network.

Interface

LAN Interface

VLAN

Gateway/Subnet

Domain Name

IGMP Snooping

DHCP Server

DHCP Range

Click Update DHCP Range beside the Gateway/Subnet entry to get the IP address range populated automatically, and edit the range according to your needs.

DNS Server

Auto: The DHCP server automatically assigns DNS server for devices in the network. It uses the IP address specified in the Gateway/Subnet entry as the DNS server address.

Manual: Specify DNS servers manually. Enter the IP address of a server in each DNS server field.

Lease Time

Default Gateway

Auto: The DHCP server automatically assigns default gateway for devices in the network. It uses the IP address specified in the Gateway/Subnet entry as the default gateway address.

Manual: Specify default gateway manually. Enter the IP address of the default gateway in the field.

DHCP Omada Controller

Legal DHCP Servers

Option 60

Option 66

It specifies the TFTP server information and supports a single TFTP server IP address.

Option 138

It carries the IP address of the Omada controller and is used by Omada devices to discover the controller.
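As an added example, not TP-Link's code and not the controller's own DHCP implementation, the following Python builds and parses the three options above in their RFC 2132 type-length-value form; option 138 is the CAPWAP Access Controller address list (RFC 5417), which is why it can carry the controller IP, and option 66 is restricted here to a single IPv4 address as the guide states. The addresses and the vendor class string are constructed for the example. Because DHCP replies are unauthenticated, any host that can answer DHCP on a LAN could hand out an option 138 that points devices at a controller of its choosing; that is the sort of rogue server the Legal DHCP Servers setting is meant to exclude, and the decoder below also refuses truncated options rather than reading past the end of the buffer.

```python
"""Added example (not TP-Link's code): building and parsing the DHCP options
named above in their RFC 2132 TLV form. Option 138 is the CAPWAP Access
Controller address list (RFC 5417), which is how it carries the controller IP.
Addresses and the vendor class string are made up for this example."""
import ipaddress


def encode_option(code, value):
    """One DHCP option: 1-byte code, 1-byte length, then the value bytes."""
    if not 0 < len(value) <= 255:
        raise ValueError("option value must be 1..255 bytes")
    return bytes([code, len(value)]) + value


def option_60(vendor_class):
    """Vendor Class Identifier (RFC 2132 section 9.13)."""
    return encode_option(60, vendor_class.encode("ascii"))


def option_66(tftp_server):
    """TFTP Server Name (RFC 2132 section 9.4); the guide allows one IP here,
    so anything that is not an IPv4 address is rejected."""
    return encode_option(66, str(ipaddress.IPv4Address(tftp_server)).encode("ascii"))


def option_138(controller_ips):
    """CAPWAP AC IPv4 address list (RFC 5417): 4 bytes per controller address."""
    payload = b"".join(ipaddress.IPv4Address(ip).packed for ip in controller_ips)
    return encode_option(138, payload)


def decode_options(blob):
    """Walk a DHCP options field. Returns {code: value}; stops at END (255),
    skips PAD (0) and refuses truncated options instead of reading past them."""
    options, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} claims {length} bytes, only {len(value)} present")
        options[code] = value
        i += 2 + length
    return options


def controller_addresses(options):
    """Extract the controller IPs from a decoded option 138 value."""
    raw = options.get(138, b"")
    if len(raw) % 4:
        raise ValueError("option 138 length must be a multiple of 4")
    return [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw), 4)]


if __name__ == "__main__":
    # Constructed example values (controller and TFTP addresses are made up).
    blob = (option_60("example-vendor") + option_66("192.0.2.10")
            + option_138(["192.0.2.2", "198.51.100.2"]) + b"\xff")
    print(blob.hex())
    print(controller_addresses(decode_options(blob)))
```

Two controller addresses give an option 138 of 8 bytes (code 138, length 8, then the two packed IPv4 addresses); a stray PAD byte before it is skipped, and an option cut off one byte short raises instead of returning a partial address.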

You can configure IPv6 connections for the LAN clients based on your needs. First, determine the method whereby the gateway assigns IPv6 addresses to the clients in the local network. Some clients may support only a few of these connection types, so choose one according to the compatibility of the clients in the local network.

IPv6 Interface Type

None : IPv6 connection is not enabled for the clients in the local network.

DHCPv6 : The gateway assigns an IPv6 address and other parameters including the DNS server address to each client using DHCPv6.

SLAAC+Stateless DHCP : The gateway assigns the IPv6 address prefix to each client and the client automatically generates its own IPv6 address. Also, the gateway assigns other parameters including the DNS server address to each client using DHCPv6.

SLAAC+RDNSS : The gateway assigns the IPv6 address prefix to each client and the client automatically generates its own IPv6 address. Also, the gateway assigns other parameters including the DNS server address to each client using the RDNSS option in RA (Router Advertisement).

Pass-Through : Select this type if the WAN ports of the gateway use the Pass-Through for IPv6 connections.

Gateway/Subnet

DHCP Range

Click Update DHCP Range beside the Gateway/Subnet entry to get the IP address range populated automatically, and edit the range according to your needs.

Lease Time

DHCPv6 DNS

Prefix

Manual Prefix : With Manual Prefix selected, enter the prefix in the Address Prefix field.

Get from Prefix Delegation : With Get from Prefix Delegation selected, select the WAN port with Prefix Delegation configured, and the clients will get the address prefix from the Prefix Delegation.

IPv6 Prefix ID

The range of IPv6 Prefix ID is determined by the larger value of Prefix Delegation Size and Prefix Delegation Length (obtained from the ISP). Note that if the Prefix Delegation Length is larger than 64, the IPv6 Prefix ID cannot be obtained from Prefix Delegation; select another method instead. Go to Settings > Wired Networks > Internet to configure Prefix Delegation Size.
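The rule above is easiest to check with numbers. The following Python is an added example, not TP-Link's code and not how the gateway computes the prefix internally: it takes the Prefix Delegation Size you requested and the prefix the ISP actually delegated, applies the "larger of the two" rule, reports how many Prefix IDs that leaves, and shows which /64 a given Prefix ID selects. The assumption that each LAN interface takes a /64 and that the ID occupies the bits between the effective delegation length and bit 64 is the model's, and the prefixes are RFC 3849 documentation addresses chosen for the example.

```python
"""Added example (not TP-Link's code): working out how many IPv6 Prefix IDs a
prefix delegation yields and which /64 a given Prefix ID selects. Prefixes
are documentation addresses (2001:db8::/32), chosen for this example."""
import ipaddress

LAN_PREFIX_LEN = 64   # assumption: each LAN interface takes a /64 (needed for SLAAC)


def effective_delegation_len(requested_size, obtained_prefix):
    """The guide says the Prefix ID range follows the larger of the Prefix
    Delegation Size you requested and the length the ISP actually delegated."""
    obtained_len = ipaddress.IPv6Network(obtained_prefix, strict=False).prefixlen
    return max(requested_size, obtained_len)


def available_prefix_ids(requested_size, obtained_prefix):
    """Number of distinct /64 LAN prefixes (Prefix IDs 0 .. n-1). Raises when the
    effective delegation is longer than /64, the case where the guide tells you
    to pick another method such as Manual Prefix."""
    eff = effective_delegation_len(requested_size, obtained_prefix)
    if eff > LAN_PREFIX_LEN:
        raise ValueError(f"/{eff} delegation is longer than /{LAN_PREFIX_LEN}; "
                         "no Prefix ID can be derived, use Manual Prefix")
    return 1 << (LAN_PREFIX_LEN - eff)


def lan_prefix(requested_size, obtained_prefix, prefix_id):
    """The /64 a LAN interface gets for a given Prefix ID: the ID is placed in
    the bits between the effective delegation length and bit 64, so when the
    ISP delegates more than you asked for only the first block is used."""
    count = available_prefix_ids(requested_size, obtained_prefix)
    if not 0 <= prefix_id < count:
        raise ValueError(f"Prefix ID must be in 0..{count - 1}, got {prefix_id}")
    net = ipaddress.IPv6Network(obtained_prefix, strict=False)
    base = int(net.network_address)
    return ipaddress.IPv6Network((base | (prefix_id << (128 - LAN_PREFIX_LEN)), LAN_PREFIX_LEN))


if __name__ == "__main__":
    print(available_prefix_ids(56, "2001:db8:abcd::/48"))   # 256: the /56 you asked for wins
    print(lan_prefix(56, "2001:db8:abcd::/48", 5))         # 2001:db8:abcd:5::/64
    print(available_prefix_ids(48, "2001:db8:abcd::/56"))  # 256: the ISP's /56 wins
```

Asking for a /56 but receiving a /48 still yields only 256 Prefix IDs because the requested size is the larger value; receiving a /72 yields none, which is exactly the situation the note above warns about.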

DNS Server

Auto : With Auto selected, the DHCP server automatically assigns DNS server for devices in the network.

Manual : With Manual selected, enter the IP address of a server in each DNS server field.

Prefix

Manual Prefix : With Manual Prefix selected, enter the prefix in the Address Prefix field.

Get from Prefix Delegation : With Get from Prefix Delegation selected, select the WAN port with Prefix Delegation configured, and the clients will get the address prefix from the Prefix Delegation.

IPv6 Prefix ID

DNS Server

Auto : With Auto selected, the DHCP server automatically assigns DNS server for devices in the network.

Manual : With Manual selected, enter the IP address of a server in each DNS server field.

IPv6 Prefix Delegation Interface

VLAN

IGMP Snooping

Legal DHCP Servers

Create a Port Profile

Note:

? Three default port profiles are preconfigured on the controller. They can be viewed, but not edited or deleted.

All: In the All profile, all networks except the default network (LAN) are configured as Tagged Network, and the native network is the default network (LAN). This profile is assigned to all switch ports by default.

Disable: In the Disable profile, no network is configured as the native network, and there are no Tagged Networks or Untagged Networks. With this profile assigned to a port, the port does not belong to any VLAN.

LAN: In the LAN profile, the native network is the default network (LAN), and no networks are configured as Tagged Networks or Untagged Networks.

? When a network is created, the system automatically creates a profile with the same name and configures the network as the native network for the profile. In this profile, the network itself is also configured as an Untagged Network, while no networks are configured as Tagged Networks. The profile can be viewed and deleted, but not edited.
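To make the native/tagged/untagged semantics of these default profiles concrete, here is an added Python model; it is not code from the guide or from the controller, and its frame-handling rules are the usual 802.1Q behaviour assumed for illustration (untagged ingress frames land in the native network, a tagged frame is accepted only if its VLAN is carried by the port, and the native and untagged networks leave the port without a tag). The network names and VLAN IDs are constructed samples. It rebuilds the All, Disable and LAN profiles and the per-network profile the controller creates, and shows which VLANs a port exposes under each one.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Network:
    name: str
    vlan: int


@dataclass
class PortProfile:
    """Model of a port profile (assumed 802.1Q semantics)."""
    name: str
    native: Optional[Network]                        # untagged ingress frames land here
    tagged: Set[int] = field(default_factory=set)    # VLAN IDs carried with a tag
    untagged: Set[int] = field(default_factory=set)  # VLAN IDs carried without a tag


def default_profiles(networks: Dict[str, Network]) -> Dict[str, PortProfile]:
    """Rebuild the three built-in profiles plus the auto-created per-network profiles."""
    lan = networks["LAN"]
    profiles = {
        "All": PortProfile("All", lan, tagged={n.vlan for n in networks.values() if n is not lan}),
        "Disable": PortProfile("Disable", None),
        "LAN": PortProfile("LAN", lan),
    }
    for n in networks.values():
        if n is not lan:  # the default network already has the built-in LAN profile
            profiles[n.name] = PortProfile(n.name, n, untagged={n.vlan})
    return profiles


def ingress_vlan(profile: PortProfile, frame_vlan: Optional[int]) -> Optional[int]:
    """VLAN an incoming frame is placed in, or None if the port drops it.
    frame_vlan is None for an untagged frame."""
    if frame_vlan is None:
        return profile.native.vlan if profile.native else None
    allowed = set(profile.tagged) | set(profile.untagged)
    if profile.native:
        allowed.add(profile.native.vlan)  # assumption: tagged native frames are accepted
    return frame_vlan if frame_vlan in allowed else None


def egress_mode(profile: PortProfile, vlan: int) -> Optional[str]:
    """How a frame of the given VLAN leaves the port: 'tagged', 'untagged', or None."""
    if vlan in profile.tagged:
        return "tagged"
    if vlan in profile.untagged or (profile.native and vlan == profile.native.vlan):
        return "untagged"
    return None


def exposed_vlans(profile: PortProfile) -> Set[int]:
    """Every VLAN reachable through a port carrying this profile (a quick audit helper)."""
    vlans = set(profile.tagged) | set(profile.untagged)
    if profile.native:
        vlans.add(profile.native.vlan)
    return vlans


if __name__ == "__main__":
    # Constructed sample networks
    nets = {"LAN": Network("LAN", 1), "Guest": Network("Guest", 20), "IoT": Network("IoT", 30)}
    for name, prof in default_profiles(nets).items():
        print(f"{name:8s} exposes VLANs {sorted(exposed_vlans(prof))}")
```

The audit helper is the practical takeaway: because All is assigned to every switch port by default, every port carries every VLAN tagged until you assign a narrower profile, so unused ports are best set to Disable and access ports to the per-network profile.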

1. Go to Wired Networks > LAN > Profiles to load the following page.

2. Click + Create New Port Profile to load the following page, and configure the following parameters.

Name

PoE

Keep the Device's Settings: PoE remains enabled or disabled according to the switch's own settings. By default, the switches enable PoE on all PoE ports.

Enable: Enable PoE on PoE ports.

Disable: Disable PoE on PoE ports.

Native Network

Tagged Networks

Untagged Networks

Voice Network

802.1X Control

Settings > Authentication > 802.1X .

Auto: The port is unauthorized until the client is authenticated by the authentication server successfully.

Force Authorized: The port remains in the authorized state, sends and receives normal traffic without 802.1X authentication of the client.

Force Unauthorized: The port remains in the unauthorized state, ignoring all attempts by the client to authenticate. The switch cannot provide authentication services to the client through the port.

Port Isolation

Loopback Control

Off : Disable loopback control on the port.

Loopback Detection : Select Loopback Detection to help prevent loops on the port. It detects loops that occur on a specific port; when a loop is detected on a port, the switch blocks the corresponding port.

Spanning Tree : Select STP (Spanning Tree Protocol) to prevent loops in the network. STP blocks specific ports of the switches to build a loop-free topology, detects topology changes, and automatically generates a new loop-free topology.

6. 3 Configure and Monitor Switches .

LLDP-MED

Bandwidth Control

Off: Disable Bandwidth Control for the port.

Rate Limit: Select Rate limit to limit the ingress/egress traffic rate on each port. With this function, the network bandwidth can be reasonably distributed and utilized.

Storm Control: Select Storm Control to allow the switch to monitor broadcast frames, multicast frames and UL-frames (unknown unicast frames) in the network. If the transmission rate of the frames exceeds the set rate, the frames are automatically discarded to avoid network broadcast storms.

Ingress Rate Limit

With Rate Limit selected, click the checkbox and specify the upper rate limit for receiving packets on the port.

Egress Rate Limit

With Rate Limit selected, click the checkbox and specify the upper rate limit for sending packets on the port.

Broadcast Threshold

With Storm Control selected, click the checkbox and specify the upper rate limit for receiving broadcast frames. Broadcast traffic exceeding the limit is processed according to the Action configuration.

Multicast Threshold

With Storm Control selected, click the checkbox and specify the upper rate limit for receiving multicast frames. Multicast traffic exceeding the limit is processed according to the Action configuration.

UL-Frame Threshold

With Storm Control selected, click the checkbox and specify the upper rate limit for receiving unknown unicast frames. Traffic exceeding the limit is processed according to the Action configuration.

Action

With Storm Control selected, select the action that the switch takes when the traffic exceeds its corresponding limit. With Drop selected, the port drops the subsequent frames when the traffic exceeds the limit. With Shutdown selected, the port is shut down when the traffic exceeds the limit.

3. Click Save . The new port profile is added to the profile list. You can click in the ACTION column to edit the port profile. You can click in the ACTION column to delete the port profile.

Assign the Port Profile to the Ports

Note:

By default, there is a port profile named All, which is assigned to all switch ports by default. In the All profile, all networks except the default network (LAN) are configured as Tagged Network, and the native network is the default network (LAN).

1. Go to Devices , and click the switch in the devices list to reveal the Properties window. Go to Ports. You can either click in the Action column to assign the port profile to a single port, or select the desired ports and click Edit Selected at the top to assign the port profile to multiple ports in a batch.

2. Select the profile from the drop-down list to assign the port profile to the desired ports of the switch. You can enable profile overrides to customize the settings for the ports, and all the configuration here overrides the port profile. For details, refer to Chapter 6. Configure and Monitor Omada Managed Devices .

4. 4 Configure Wireless Networks

Wireless networks enable your wireless clients to access the internet. Once you set up a wireless network, your EAPs typically broadcast the network name (SSID) in the air, through which your wireless clients connect to the wireless network and access the internet.

A WLAN group is a combination of wireless networks. Configure each group so that you can flexibly apply these groups of wireless networks to different EAPs according to your needs.

After setting up basic wireless networks, you can further configure WLAN Schedule, 802.11 Rate Control, and MAC Filter among other advanced settings.

4. 4. 1 Set Up Basic Wireless Networks

To create, configure and apply wireless networks, follow these steps:

1 ) Create a WLAN group.

2 ) Create wireless networks.

3 ) Apply the WLAN group to your EAPs.

Create a WLAN Group

Note:

By default, there is a WLAN group named Default, which is applied to all EAPs. If you simply want to configure wireless networks for the default WLAN group and apply it to all your EAPs, skip this step.

1. Go to Settings > Wireless Networks to load the following page.

2. Select + Create New Group from the drop-down list of WLAN Group to load the following page. Enter a name to identify the WLAN group.

3. (Optional) If you want to create a new WLAN group based on an existing one, check Copy All SSIDs from the WLAN Group and select the desired WLAN group. Then you can further configure wireless networks based on current settings.

4. Click Save . The new WLAN Group is added to the WLAN Group list. You can select a WLAN Group from the list to further create and configure its wireless networks. You can click to edit the name of the WLAN Group. You can click to delete the WLAN Group.

Create Wireless Networks

1. Select the WLAN group for which you want to configure wireless networks from the drop-down list of WLAN Group.

2. Click + Create New Wireless Network to load the following page. Configure the basic parameters for the network.

Network Name (SSID)

Band

Guest Network

3. Select the security strategy for the wireless network.

? None

With None selected, the hosts can access the wireless network without authentication, which is applicable to lower security requirements.

? WEP

Traffic is encrypted with a WEP Key, which you need to specify. WEP is not recommended because it’s insecure.

? WPA-Personal

Traffic is encrypted with a Security Key, which you need to specify. WPA-Personal is more secure than WEP.

? WPA-Enterprise

WPA-Enterprise requires an authentication server to authenticate wireless clients, and optionally an accounting server to record the traffic statistics.

Select a RADIUS Profile, which records the settings of the authentication server and accounting server. You can create a RADIUS Profile by clicking + Create New Radius Profile from the drop-down list of RADIUS Profile. For details, refer to 4. 9 Authentication .

4. (Optional) You can also configure 4. 4. 2 Advanced Settings , 4. 4. 3 WLAN Schedule , 4. 4. 4 802.11 Rate Control , and 4. 4. 5 MAC Filter according to your needs. Related topics are covered later in this chapter.

5. Click Apply . The new wireless network is added to the wireless network list under the WLAN group. You can click in the ACTION column to edit the wireless network. You can click in the ACTION column to delete the wireless network.

Apply the WLAN Group

Note:

By default, there is a WLAN group named Default, which is applied to all EAPs. If you simply want to configure wireless networks for the default WLAN group and apply it to all your EAPs, skip this step.

? Apply to a Single EAP

Go to Devices, select the EAP which you want to apply the WLAN group to. In the Properties window, go to Config > WLANs , select the WLAN group which you want to apply to the EAP.

? Apply to EAPs in batch

1. Go to Devices, select the APs tab, click Batch Action , and then select Batch Config , check the boxes of EAPs which you want to apply the WLAN group to, and click Done .

2. In the Properties window, go to Config > WLANs , select the WLAN group which you want to apply to the EAP.

4. 4. 2 Advanced Settings

Go to Settings > Wireless Networks , click in the ACTION column of the wireless network which you want to configure, and click + Advanced Settings to load the following page. Configure the parameters and click Apply .

SSID Broadcast

VLAN

With this option enabled, traffic in different wireless networks is marked with different VLAN tags according to the configured VLAN IDs. Then the EAPs work together with the switches which also support 802.1Q VLAN, to distribute the traffic to different VLANs according to the VLAN tags. As a result, wireless clients in different VLANs cannot directly communicate with each other.

WEP Mode

Select the WEP authentication type.

Open System : Wireless clients can pass the authentication and connect to the wireless network without any password. However, the correct password is required for data transmission.

Shared Key : The correct password is required for wireless clients to pass the authentication, connect to the wireless network, and transmit data.

Auto : EAPs automatically decide whether to use Open System or Shared Key in the authentication process.

ASCII : ASCII format stands for any combination of keyboard characters of the specified length.

Hexadecimal : Hexadecimal format stands for any combination of hexadecimal digits (0-9, A-F) with the specified length.

64Bit : The WEP key is 10 hexadecimal digits or 5 ASCII characters.

128Bit : The WEP key is 26 hexadecimal digits or 13 ASCII characters.

152Bit : The WEP key is 32 hexadecimal digits or 16 ASCII characters.

WPA Mode

Select the version of WPA according to your needs.

TKIP : TKIP stands for Temporal Key Integrity Protocol.

AES : AES stands for Advanced Encryption Standard. We recommend that you select AES as the encryption type for it is more secure than TKIP.

Auto: EAPs automatically decide whether to use TKIP or AES in the authentication process.

Group Key Update Period

Rate Limit

Download Limit : Set the download rate for each client to receive the traffic.

Upload Limit : Set the upload rate for each client to transmit the traffic.

4. 4. 3 WLAN Schedule

WLAN Schedule can turn on or off your wireless network in the specific time period as you desire.

Go to Settings > Wireless Networks , click in the ACTION column of the wireless network which you want to configure, and click + WLAN Schedule to load the following page. Enable WLAN Schedule and configure the parameters. Then click Apply .

Action

Radio On : Turn on your wireless network within the time range you set, and turn it off beyond the time range.

Radio Off : Turn off your wireless network within the time range you set, and turn it on beyond the time range.

Time Range

Select a time range entry, or click + Create New Time Range Entry from the drop-down list of Time Range to create one. For details, refer to 4. 8 Create Profiles .

4. 4. 4 802.11 Rate Control

Note:

802.11 Rate Control is only available for certain devices.

802.11 Rate Control can improve performance for higher-density networks by disabling lower bit rates and only allowing the higher ones. However, 802.11 Rate Control might make some legacy devices incompatible with your networks, and limit the range of your wireless networks.

Go to Settings > Wireless Networks , click in the ACTION column of the wireless network which you want to configure, and click + 802.11 Rate Control to load the following page. Select 2.4 GHz and/or 5 GHz band to enable minimum data rate control according to your needs, move the slider to determine what bit rates your wireless network allows, and configure the parameters. Then click Apply .

Disable CCK Rates (1/2/5.5/11 Mbps)

Require Clients to Use Rates at or Above the Specified Value

Send Beacons at 1 Mbps/6 Mbps

4. 4. 5 MAC Filter

MAC Filter allows or blocks connections from wireless clients of specific MAC addresses.

Go to Settings > Wireless Networks , click in the ACTION column of the wireless network which you want to configure, and click + MAC Filter to load the following page. Enable MAC Filter and configure the parameters. Then click Apply .

Policy

Allow List : Allow the connection of the clients whose MAC addresses are in the specified MAC Address List, while blocking all others.

Deny List : Block the connection of the clients whose MAC addresses are in the specified MAC Address List, while allowing all others.

MAC Address List

Select a MAC group, or click + Create New MAC Group from the drop-down list of MAC Address List to create one. For details, refer to 4. 8 Create Profiles .

4. 5 Network Security

Network Security is a portfolio of features designed to improve the usability and ensure the safety of your network and data. Network security services include 4. 5. 1 ACL , 4. 5. 2 URL Filtering , 4. 5. 3 Attack Defense , and 4. 5. 4 Firewall , which implement policies and controls on multiple layers of defense in the network.

4. 5. 1 ACL

ACL (Access Control List) allows a network administrator to create rules to restrict access to network resources. ACL rules filter traffic based on specified criteria such as source IP addresses, destination IP addresses, and port numbers, and determine whether to forward the matched packets. These rules can be applied to specific clients or groups whose traffic passes through the gateway, switches and EAPs.

The system filters traffic against the rules in the list sequentially. The first match determines whether the packet is accepted or dropped, and other rules are not checked after the first match. Therefore, the order of the rules is critical. By default, the rules are prioritized by their creation time: a rule created earlier is checked for a match with higher priority. To reorder the rules, select a rule and drag it to a new position. If no rules match, the device forwards the packet because of an implicit Permit All clause.

The system provides three types of ACL:

? Gateway ACL

After Gateway ACLs are configured on the controller, they can be applied to the gateway to control traffic which is sourced from LAN ports and forwarded to the WAN ports.

You can set the Network, IP address, port number of a packet as packet-filtering criteria in the rule.

? Switch ACL

After Switch ACLs are configured on the controller, they can be applied to the switch to control inbound and outbound traffic through switch ports.

You can set the Network, IP address, port number and MAC address of a packet as packet-filtering criteria in the rule.

? EAP ACL

After EAP ACLs are configured on the controller, they can be applied to the EAPs to control traffic in wireless networks.

You can set the Network, IP address, port number and SSID of a packet as packet-filtering criteria in the rule.

To complete the ACL configuration, follow these steps:

1 ) Create an ACL with the specified type.

2 ) Define packet-filtering criteria of the rule, including protocols, source, and destination, and determine whether to forward the matched packets.

? Configuring Gateway ACL

1. Go to Settings > Network Security > ACL . On Gateway ACL tab, click to load the following page.

2. Define packet-filtering criteria of the rule, including protocols, source, and destination, and determine whether to forward the matched packets. Refer to the following table to configure the required parameters and click Apply .

Name

Policy

Permit : Forward the matched packet.

Deny : Discard the matched packet.

Protocols

From the Source drop-down list, choose one of these options to specify the source of the packets to which this ACL applies:

Network

Select the network from the drop-down list. If no networks have been created, you can select the default network (LAN), or go to Settings > Wired Networks > LAN to create one. The gateway will examine whether the packets are sourced from the selected network.

IP Group

Select the IP Group from the drop-down list. If no IP Groups have been created, click +Create on this page or go to Settings > Profiles > Groups to create one. The gateway will examine whether the source IP address of the packet is in the IP Group.

IP-Port Group

Select the IP-Port Group from the drop-down list. If no IP-Port Groups have been created, click +Create on this page or go to Settings > Profiles > Groups to create one. The gateway will examine whether the source IP address and port number of the packet are in the IP-Port Group.

From the Destination drop-down list, choose one of these options to specify the destination of the packets to which this ACL applies:

IP Group

Select the IP Group from the drop-down list. If no IP Groups have been created, click +Create on this page or go to Settings > Profiles > Groups to create one. The gateway will examine whether the destination IP address of the packet is in the IP Group.

IP-Port Group

Select the IP-Port Group from the drop-down list. If no IP-Port Groups have been created, click +Create on this page or go to Settings > Profiles > Groups to create one. The gateway will examine whether the destination IP address and port number of the packet are in the IP-Port Group.

? Configuring Switch ACL

1. Go to Settings > Network Security > ACL . Under the Switch ACL tab, click to load the following page.

2. Define packet-filtering criteria of the rule, including protocols, source, and destination, and determine whether to forward the matched packets. Refer to the following table to configure the required parameters.

Name

Status

Policy

Permit : Forward the matched packet.

Deny : Discard the matched packet.

Protocols

Ethertype

Bi-Directional

From the Source drop-down list, choose one of these options to specify the source of the packets to which this ACL applies:

Network

Select the network from the drop-down list. If no networks have been created, you can select the default network (LAN), or go to Settings > Wired Networks > LAN to create one. The switch will examine whether the packets are sourced from the selected network.

IP Group

Select the IP Group from the drop-down list. If no IP Groups have been created, click +Create on this page or go to Settings > Profiles > Groups to create one. The switch will examine whether the source IP address of the packet is in the IP Group.

IP-Port Group

Select the IP-Port Group from the drop-down list. If no IP-Port Groups have been created, click +Create on this page or go to Settings > Profiles > Groups to create one. The switch will examine whether the source IP address and port number of the packet are in the IP-Port Group.

MAC Group

Select the MAC Group from the drop-down list. If no MAC Groups have been created, click +Create on this page or go to Settings > Profiles > Groups to create one. The switch will examine whether the source MAC address of the packet is in the MAC Group.

From the Destination drop-down list, choose one of these options to specify the destination of the packets to which this ACL applies:

Network

Select the network from the drop-down list. If no networks have been created, you can select the default network (LAN), or go to Settings > Wired Networks > LAN to create one. The switch will examine whether the packets are forwarded to the selected network.

IP Group

Select the IP Group from the drop-down list. If no IP Groups have been created, click +Create on this page or go to Settings > Profiles > Groups to create one. The switch will examine whether the destination IP address of the packet is in the IP Group.

IP-Port Group

Select the IP-Port Group from the drop-down list. If no IP-Port Groups have been created, click +Create on this page or go to Settings > Profiles > Groups to create one. The switch will examine whether the destination IP address and port number of the packet are in the IP-Port Group.

MAC Group

Select the MAC Group from the drop-down list. If no MAC Groups have been created, click +Create on this page or go to Settings > Profiles > Groups to create one. The switch will examine whether the destination MAC address of the packet is in the MAC Group.

3. Bind the switch ACL to a switch port or a VLAN and click Apply . Note that a switch ACL takes effect only after it is bound to a port or VLAN.

Binding Type

Ports : Select All ports or Custom ports as the interfaces to be bound with the ACL. With All ports selected, the rule is applied to all ports of the switch. With Custom ports selected, the rule is applied to the selected ports of the switch. Click the ports from the Device List to select the binding ports.

VLAN : Select a VLAN from the drop-down list as the interface to be bound with the ACL. If no VLANs have been created, you can select the default VLAN 1 (LAN), or go to Settings > Wired Networks > LAN to create one.

? Configuring EAP ACL

1. Go to Settings > Network Security > ACL . Under the EAP ACL tab, click to load the following page.

2. Define packet-filtering criteria of the rule, including protocols, source, and destination, and determine whether to forward the matched packets. Refer to the following table to configure the required parameters and click Apply .

Name

Status

Policy

Permit : Forward the matched packet.

Deny : Discard the matched packet.

Protocols

From the Source drop-down list, choose one of these options to specify the source of the packets to which this ACL applies:

Network

Select the network from the drop-down list. If no networks have been created, you can select the default network (LAN), or go to Settings > Wired Networks > LAN to create one. The EAP will examine whether the packets are sourced from the selected network.

IP Group

Select the IP Group from the drop-down list. If no IP Groups have been created, click +Create on this page or go to Settings > Profiles > Groups to create one. The EAP will examine whether the source IP address of the packet is in the IP Group.

IP-Port Group

Select the IP-Port Group from the drop-down list. If no IP-Port Groups have been created, click +Create on this page or go to Settings > Profiles > Groups to create one. The EAP will examine whether the source IP address and port number of the packet are in the IP-Port Group.

SSID

Select the SSID from the drop-down list. If no wireless networks have been created, go to Settings > Wireless Networks to create one. The EAP will examine whether the SSID of the packet is the SSID selected here.

From the Destination drop-down list, choose one of these options to specify the destination of the packets to which this ACL applies:

Network

Select the network from the drop-down list. If no networks have been created, you can select the default network (LAN), or go to Settings > Wired Networks > LAN to create one. The EAP will examine whether the packets are forwarded to the selected network.

IP Group

Select the IP Group from the drop-down list. If no IP Groups have been created, click +Create on this page or go to Settings > Profiles > Groups to create one. The EAP will examine whether the destination IP address of the packet is in the IP Group.

IP-Port Group

Select the IP-Port Group from the drop-down list. If no IP-Port Groups have been created, click +Create on this page or go to Settings > Profiles > Groups to create one. The EAP will examine whether the destination IP address and port number of the packet are in the IP-Port Group.

4. 5. 2 URL Filtering

URL Filtering allows a network administrator to create rules to block or allow certain websites, which protects the network from web-based threats and denies access to malicious websites.

In URL filtering, the system compares the URLs in HTTP, HTTPS and DNS requests against the lists of URLs that are defined in URL Filtering rules, and intercepts the requests that are directed at a blocked URL. These rules can be applied to specific clients or groups whose traffic passes through the gateway and EAPs.

The system filters traffic against the rules in the list sequentially. The first match determines whether the packet is accepted or dropped, and other rules are not checked after the first match. Therefore, the order of the rules is critical. By default, the rules are prioritized in the order they were created: a rule created earlier is checked for a match with higher priority. To reorder the rules, select a rule and drag it to a new position. If no rules match, the device forwards the packet because of an implicit Permit All clause.

Note that URL Filtering rules take effect with a higher priority than ACL rules. That is, when a URL Filtering rule and ACL rules are configured at the same time, the system processes the URL Filtering rule first.

To complete the URL Filtering configuration, follow these steps:

1 ) Create a new URL Filtering rule with the specified type.

2 ) Define filtering criteria of the rule, including source, and URLs, and determine whether to forward the matched packets.

? Configuring Gateway Rules

1. Go to Settings > Network Security > URL Filtering . Under the Gateway Rules tab, click to load the following page.

2. Define filtering criteria of the rule, including source and URLs, and determine whether to forward the matched packets. Refer to the following table to configure the required parameters and click Apply .

Name

Status

Policy

Deny : Discard the matched packet and the clients cannot access the URLs.

Permit : Forward the matched packet and clients can access the URLs.

Source Type

Network : With Network selected, select the network you have created from the Network drop-down list. If no networks have been created, you can select the default network (LAN), or go to Settings > Wired Networks > LAN to create one. The gateway will filter the packets sourced from the selected network.

IP Group : With IP Group selected, select the IP Group you have created from the IP Group drop-down list. If no IP Groups have been created, click +Create New IP Group on this page or go to Settings > Profiles > Groups to create one. The gateway will examine whether the source IP address of the packet is in the IP Group.

URLs

URL addresses should be given in a valid format. URLs containing a wildcard (*) are supported, and one URL with a wildcard (*) can match multiple subdomains. For example, with *.tp-link.com specified, community.tp-link.com will be matched.

? Configuring EAP Rules

1. Go to Settings > Network Security > URL Filtering . On EAP Rules tab, click to load the following page.

2. Define filtering criteria of the rule, including source and URLs, and determine whether to forward the matched packets. Refer to the following table to configure the required parameters and click Apply .

Name

Status

Policy

Deny : Discard the matched packet and the clients cannot access the URLs.

Permit : Forward the matched packet and clients can access the URLs.

Source Type

URLs

URL addresses should be given in a valid format. URLs containing a wildcard (*) are supported, and one URL with a wildcard (*) can match multiple subdomains. For example, with *.tp-link.com specified, community.tp-link.com will be matched.
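The three ordering rules in 4. 5. 1 and 4. 5. 2 (first match wins, implicit Permit All, URL Filtering before ACL) and the wildcard matching just described are easy to check against a small model. The Python below is an added example and is not code from the guide or from the controller; it models IP Groups and IP-Port Groups as they appear under Settings > Profiles > Groups, evaluates a packet against URL rules and then ACL rules in list order, and treats "*" in a URL as any run of characters. The group definitions, rule names and packets are constructed samples, and the gateway's real matching engine may differ in details such as case handling.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp", "icmp", ...
    sport: int = 0
    dport: int = 0
    host: Optional[str] = None  # hostname seen in an HTTP, HTTPS or DNS request, if any


@dataclass
class Group:
    """An IP Group (ports=None) or an IP-Port Group."""
    cidrs: List[str]
    ports: Optional[Set[int]] = None

    def contains(self, ip: str, port: int) -> bool:
        addr = ipaddress.ip_address(ip)
        if not any(addr in ipaddress.ip_network(c, strict=False) for c in self.cidrs):
            return False
        return self.ports is None or port in self.ports


@dataclass
class AclRule:
    name: str
    policy: str                                   # "permit" or "deny"
    protocols: Set[str] = field(default_factory=lambda: {"all"})
    src: Optional[Group] = None                   # None = any source
    dst: Optional[Group] = None                   # None = any destination

    def matches(self, p: Packet) -> bool:
        if "all" not in self.protocols and p.proto not in self.protocols:
            return False
        if self.src and not self.src.contains(p.src, p.sport):
            return False
        if self.dst and not self.dst.contains(p.dst, p.dport):
            return False
        return True


def url_matches(pattern: str, host: str) -> bool:
    """Wildcard match as the guide describes: '*' stands for any run of characters,
    so '*.tp-link.com' matches 'community.tp-link.com' (but not the bare apex)."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, host, re.IGNORECASE) is not None


@dataclass
class UrlRule:
    name: str
    policy: str
    urls: List[str]
    src: Optional[Group] = None

    def matches(self, p: Packet) -> bool:
        if not p.host or (self.src and not self.src.contains(p.src, p.sport)):
            return False
        return any(url_matches(u, p.host) for u in self.urls)


def evaluate(url_rules: List[UrlRule], acl_rules: List[AclRule], p: Packet) -> Tuple[str, str]:
    """URL Filtering is consulted first, then the ACL; within each list the first
    match wins; a packet matching nothing falls through to the implicit Permit All."""
    for rule in url_rules:
        if rule.matches(p):
            return rule.policy, rule.name
    for rule in acl_rules:
        if rule.matches(p):
            return rule.policy, rule.name
    return "permit", "implicit-permit-all"


# Constructed sample policy: guests may reach the server VLAN only on HTTPS
GUEST = Group(["192.168.30.0/24"])
SERVERS_HTTPS = Group(["10.0.0.0/24"], ports={443})
SERVERS = Group(["10.0.0.0/24"])
ACL = [
    AclRule("guest-to-web", "permit", {"tcp"}, src=GUEST, dst=SERVERS_HTTPS),
    AclRule("guest-block-servers", "deny", src=GUEST, dst=SERVERS),
]
URLS = [UrlRule("block-example", "deny", ["*.example.com"], src=GUEST)]

if __name__ == "__main__":
    print(evaluate(URLS, ACL, Packet("192.168.30.7", "10.0.0.5", "tcp", 51000, 443)))
    print(evaluate(URLS, ACL[::-1], Packet("192.168.30.7", "10.0.0.5", "tcp", 51000, 443)))
```

Reversing the ACL list (the second print) is the same mistake as dragging the deny rule above the permit rule in the controller: the broad deny then shadows the narrower permit and guests lose HTTPS to the servers, which is why the guide stresses rule order.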

4. 5. 3 Attack Defense

Overview

Attacks initiated by utilizing inherent bugs of communication protocols or improper network deployment have negative impacts on networks. In particular, attacks on a network device can cause the device or network paralysis.

With the Attack Defense feature, the gateway can identify and discard various attack packets in the network, and limit the packet receiving rate. In this way, the gateway can protect itself and the connected network against malicious attacks.

The gateway provides two types of Attack Defense:

? Flood Defense

If an attacker sends a large number of fake packets to a target device, the target device is busy with these fake packets and cannot process normal services. Flood Defense detects flood packets in real time and limits the receiving rate of the packets to protect the device.

Flood attacks include TCP SYN flood attacks, UDP flood attacks, and ICMP flood attacks.

? Packet Anomaly Defense

Anomalous packets are packets that do not conform to standards or contain errors that make them unsuitable for processing. Packet Anomaly Defense discards the illegal packets directly.

? Configuring Flood Defense

Go to Settings > Network Security > Attack Defense . In the Flood Defense, click the checkbox and set the corresponding limit of the rate at which specific packets are received.

Multi-Connections TCP SYN Flood

With this feature enabled, the gateway limits the rate of receiving TCP SYN packets from all the clients to the specified rate.

Multi-Connections UDP Flood

With this feature enabled, the gateway limits the rate of receiving UDP packets from all the clients to the specified rate.

Multi-Connections ICMP Flood

With this feature enabled, the system limits the rate of receiving ICMP packets from all the clients to the specified rate.

Stationary Source TCP SYN Flood

With this feature enabled, the gateway limits the rate of receiving TCP SYN packets from a single client to the specified rate.

Stationary Source UDP Flood

With this feature enabled, the gateway limits the rate of receiving UDP packets from a single client to the specified rate.

Stationary Source ICMP Flood

With this feature enabled, the system limits the rate of receiving ICMP packets from a single client to the specified rate.

? Configuring Packet Anomaly Defense

Go to Settings > Network Security > Attack Defense . In the Packet Anomaly Defense section, check the boxes of the anomalous packet types that the gateway should discard.

Block Fragment Traffic

Block TCP Scan (Stealth FIN/Xmas/Null)

Stealth FIN Scan: The attacker sends the packet with its SYN field and the FIN field set to 1. The SYN field is used to request initial connection whereas the FIN field is used to request disconnection. Therefore, the packet of this type is illegal.

Null Scan: The attacker sends the illegal packet with its TCP index and all the control fields set to 0. During the TCP connection and data transmission, the packets with all control fields set to 0 are considered illegal.

Block Ping of Death

Block Large Ping

Block Ping from WAN

Block WinNuke Attack

Block TCP Packets with SYN and FIN Bits Set

Block TCP Packets with FIN Bit but No ACK Bit Set

Block Packets with Specified Options

You can choose the options according to your needs.
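The two defense types above map onto two different mechanisms: a rate limiter with a shared (Multi-Connections) and a per-client (Stationary Source) budget, and a stateless check of flag combinations that are never legal. The Python below is an added example, not code from the guide or from the gateway; it implements both over a constructed stream of (time, source, TCP flags) tuples so the effect of each option can be seen. The sliding-window limiter and the flag definitions are standard; the Xmas check (FIN, PSH and URG set together) uses the usual meaning of that scan name, which the guide lists but does not define, and the window length and limits are arbitrary sample values.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple

# TCP flag bits as laid out in the header's flags byte
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def tcp_anomaly(flags: int) -> Optional[str]:
    """Classify a TCP flags byte against the Packet Anomaly Defense checks.
    Returns the name of the matching check, or None for a legal combination."""
    if flags & SYN and flags & FIN:
        return "syn_and_fin"        # Block TCP Packets with SYN and FIN Bits Set
    if (flags & 0x3F) == 0:
        return "null_scan"          # no control bits at all
    if (flags & (FIN | PSH | URG)) == (FIN | PSH | URG):
        return "xmas_scan"          # FIN+PSH+URG together (assumed standard definition)
    if flags & FIN and not flags & ACK:
        return "fin_without_ack"    # Block TCP Packets with FIN Bit but No ACK Bit Set
    return None


class FloodDefense:
    """Sliding-window limiter with the two budgets the guide describes:
    Multi-Connections (all clients together) and Stationary Source (one client)."""

    def __init__(self, multi_limit: int, single_limit: int, window_ms: int = 1000):
        self.multi_limit = multi_limit
        self.single_limit = single_limit
        self.window_ms = window_ms
        self.all: Deque[int] = deque()
        self.per_src: Dict[str, Deque[int]] = defaultdict(deque)

    def _prune(self, dq: Deque[int], now_ms: int) -> None:
        while dq and now_ms - dq[0] >= self.window_ms:
            dq.popleft()

    def admit(self, src: str, now_ms: int) -> str:
        """Returns 'accept', 'drop:multi' or 'drop:single' for one packet."""
        self._prune(self.all, now_ms)
        mine = self.per_src[src]
        self._prune(mine, now_ms)
        if len(self.all) >= self.multi_limit:
            return "drop:multi"
        if len(mine) >= self.single_limit:
            return "drop:single"
        self.all.append(now_ms)
        mine.append(now_ms)
        return "accept"


def run_defense(packets: List[Tuple[int, str, int]], multi_limit: int = 5, single_limit: int = 2) -> List[str]:
    """Anomalous packets are discarded outright; the remaining SYNs go through
    the SYN flood limiter; everything else is accepted (sample policy)."""
    fd = FloodDefense(multi_limit, single_limit)
    verdicts = []
    for t, src, flags in packets:
        anomaly = tcp_anomaly(flags)
        if anomaly:
            verdicts.append("drop:" + anomaly)
        elif flags & SYN:
            verdicts.append(fd.admit(src, t))
        else:
            verdicts.append("accept")
    return verdicts


# Constructed sample traffic (time in ms, source, flags); not captured data
SAMPLE = [
    (0,    "10.0.0.1", SYN),
    (100,  "10.0.0.1", SYN),
    (200,  "10.0.0.1", SYN),        # third SYN inside 1 s from one client
    (250,  "10.0.0.9", SYN | FIN),  # illegal flag combination
    (300,  "10.0.0.2", SYN),
    (400,  "10.0.0.3", SYN),
    (500,  "10.0.0.4", SYN),
    (600,  "10.0.0.5", SYN),        # sixth SYN overall inside the window
    (700,  "10.0.0.9", 0),          # null scan probe
    (800,  "10.0.0.2", ACK),        # ordinary established-flow segment
    (1100, "10.0.0.1", SYN),        # first client's window has rolled over
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, run_defense(SAMPLE)):
        print(pkt, "->", verdict)
```

The per-source budget catches one chatty client while the shared budget still caps the total when many sources each stay under their own limit, which is why the guide offers both kinds of SYN, UDP and ICMP limits rather than one.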

4. 5. 4 Firewall

Overview

Firewall is used to enhance network security. In State Timeouts, you can specify timeouts for sessions including TCP, UDP, and ICMP connections. Packets are forwarded within the specified timeout; when there is no response after the specified time, the session or state is closed. State timeouts help close inactive sessions and thus avoid network malfunction. In Firewall Options, you can further configure the gateway to prevent attacks such as SYN flood attacks and broadcast ping.

? Configuring State Timeouts

Go to Settings > Network Security > Firewall . In the State Timeouts section, set the time limit for the different sessions.

ICMP

Other

TCP Close

TCP Close Wait

TCP Established

TCP FIN Wait

TCP Last ACK

TCP SYN Recv

TCP SYN Sent

TCP Time Wait

UDP Other

UDP Stream

? Configuring Firewall Options

Go to Settings > Network Security > Firewall . In the Firewall Options section, enable or disable the following options as needed.

Broadcast Ping

Receive Redirects

Send Redirects

SYN Cookies

4. 6 Transmission

Transmission helps you control network traffic in multiple ways. You can add policies and rules to control transmission routes and limit the session and bandwidth.

4. 6. 1 Routing

? Static Route

Network traffic is oriented to a specific destination, and Static Route designates the next hop or interface where to forward the traffic.

? Policy Routing

Policy Routing designates which WAN port the router uses to forward the traffic based on the source, the destination, and the protocol of the traffic.

? Static Route

1. Go to Settings > Transmission > Routing > Static Route . Click + Create New Route to load the following page and configure the parameters.

Name

Status

Destination IP/Subnet

Click + Add Subnet to specify multiple Destination IP/Subnets, and click the corresponding icon to delete them.

Route Type

Next Hop: With Next Hop selected, your devices forward the corresponding network traffic to a specific IP address. You need to specify the IP address as Next Hop.

Interface: With Interface selected, your devices forward the corresponding network traffic through a specific interface. You need to specify the Interface according to your needs.

Metric

2. Click Create . The new Static Route entry is added to the table. You can click to edit the entry. You can click to delete the entry.

? Policy Routing

1. Go to Setting > Transmission > Routing > Policy Routing . Click + Create New Routing to load the following page and configure the parameters.

Name

Status

Protocols

WAN

Use the other WAN port if the current WAN is down .

Routing Legend

Select the type of the traffic source and destination.

Network : Select the LAN Interfaces for the traffic source or destination.

IP Group : Select the IP Group for the traffic source or destination. You can click + Create to create a new IP Group.

IP-Port Group: Select the IP-Port Group for the traffic source or destination. You can click + Create to create a new IP-Port Group.

2. Click Create . The new Policy Routing entry is added to the table. You can click to edit the entry. You can click to delete the entry.
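As an added example (not code from the Omada controller), the following Python model selects the WAN for a flow the way the Policy Routing table above describes it: match on protocol, source and destination (Network, IP Group or IP-Port Group), then use the rule's WAN, or the other WAN when "Use the other WAN port if the current WAN is down" is set. The `Endpoint` and `PolicyRoute` classes, the sample rules and the flows are constructed; the guide does not say what happens when a rule's WAN is down and failover is off, so the model assumes the default route in that case.

```python
"""Select the WAN for a flow the way a Policy Routing rule table does.

Added example, not Omada code. Endpoint, PolicyRoute and the sample rules
are constructed. What happens when a rule's WAN is down and failover is off
is not stated in the guide, so this model falls back to the default route
and says so in the returned reason.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple


@dataclass
class Endpoint:
    """Routing Legend entry: Network / IP Group (subnets) or IP-Port Group."""
    subnets: List[str] = field(default_factory=list)   # [] means any address
    ports: Set[int] = field(default_factory=set)       # empty means any port

    def matches(self, ip: str, port: int) -> bool:
        ip_ok = not self.subnets or any(
            ip_address(ip) in ip_network(s, strict=False) for s in self.subnets)
        return ip_ok and (not self.ports or port in self.ports)


@dataclass
class PolicyRoute:
    name: str
    wan: str                          # preferred WAN port
    source: Endpoint
    destination: Endpoint
    protocols: Set[str] = field(default_factory=set)   # empty means all protocols
    failover: bool = True             # "Use the other WAN port if the current WAN is down"
    status: bool = True

    def matches(self, flow: Dict) -> bool:
        if not self.status:
            return False
        if self.protocols and flow["proto"] not in self.protocols:
            return False
        return (self.source.matches(flow["src"], flow["sport"])
                and self.destination.matches(flow["dst"], flow["dport"]))


def select_wan(rules: List[PolicyRoute], wan_up: Dict[str, bool],
               flow: Dict, default_wan: str) -> Tuple[str, str]:
    """Return (wan, reason) for the first matching rule, honouring failover."""
    for rule in rules:
        if not rule.matches(flow):
            continue
        if wan_up.get(rule.wan):
            return rule.wan, f"rule {rule.name}"
        if rule.failover:
            for wan, up in wan_up.items():
                if up and wan != rule.wan:
                    return wan, f"rule {rule.name} failover ({rule.wan} down)"
        # Assumption: no usable WAN for this rule, so the flow takes the default route.
        return default_wan, f"rule {rule.name} unusable ({rule.wan} down), default route"
    return default_wan, "no rule matched"


# Constructed sample: VoIP pinned to WAN1 with no failover, guest VLAN sent out WAN2.
SAMPLE_RULES = [
    PolicyRoute("voip-wan1", "WAN1", Endpoint(["192.168.20.0/24"]),
                Endpoint(ports={5060}), protocols={"UDP"}, failover=False),
    PolicyRoute("guest-wan2", "WAN2", Endpoint(["192.168.30.0/24"]), Endpoint()),
]
ALL_UP = {"WAN1": True, "WAN2": True}
WAN2_DOWN = {"WAN1": True, "WAN2": False}
WAN1_DOWN = {"WAN1": False, "WAN2": True}

# Constructed flows (RFC 5737 documentation addresses on the internet side).
GUEST_FLOW = {"src": "192.168.30.15", "sport": 51000, "dst": "198.51.100.9",
              "dport": 443, "proto": "TCP"}
VOIP_FLOW = {"src": "192.168.20.5", "sport": 5060, "dst": "203.0.113.20",
             "dport": 5060, "proto": "UDP"}

if __name__ == "__main__":
    print(select_wan(SAMPLE_RULES, ALL_UP, GUEST_FLOW, "WAN1"))
    print(select_wan(SAMPLE_RULES, WAN2_DOWN, GUEST_FLOW, "WAN1"))
    print(select_wan(SAMPLE_RULES, WAN1_DOWN, VOIP_FLOW, "WAN2"))
```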

4. 6. 2 NAT

? Port Forwarding

You can configure Port Forwarding to allow internet users to access local hosts or use network services which are deployed in the LAN.

Port Forwarding establishes network connections between a host on the internet and a host in the LAN by letting the traffic pass through a specific port of the gateway. Without Port Forwarding, hosts in the LAN are typically inaccessible from the internet for security reasons.

? ALG

ALG ensures that certain application-level protocols function appropriately through your gateway.

? Port Forwarding

1. Go to Setting > Transmission > NAT > Port Forwarding . Click + Create New Rule to load the following page and configure the parameters.

Name

Status

Source IP

Any : The rule applies to traffic from any source IP address.

Limited IP Address : The rule only applies to traffic from specific IP addresses. With this option selected, specify the IP addresses and subnets according to your needs.

Interface

DMZ

Destination IP in the LAN, port to port. You need to specify the Destination IP .

Source Port and the Protocol is forwarded. The traffic is forwarded to the Destination Port of the Destination IP in the LAN. You need to specify the Source Port , Destination IP , Destination Port , and Protocol .

Source Port

Source Port to receive the traffic from the internet. Only the traffic which matches the Source Port and the Protocol is forwarded.

Destination IP

Destination IP in the LAN.

Destination Port

Destination Port of the host in the LAN.

Protocol

Source Port and the Protocol is forwarded.

All .

2. Click Create . The new Port Forwarding entry is added to the table. You can click to edit the entry. You can click to delete the entry.
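As an added example (not the controller's own code), the following Python model evaluates a Port Forwarding rule table with the fields above: Source IP as Any or a limited list, the WAN interface, Source Port plus Protocol matching, and DMZ forwarding port-to-port; it also lists which rules expose a LAN host to any internet source. The `PortForwardRule` class, the `exposed_services` audit, the rule names and the addresses are constructed for illustration.

```python
"""Evaluate Omada-style Port Forwarding rules against inbound connections.

Added example; not code from the Omada controller. The class layout, the
sample rules and the addresses below are constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class PortForwardRule:
    name: str
    interface: str                       # WAN interface that receives the traffic
    destination_ip: str                  # host in the LAN
    protocol: str = "All"                # "TCP", "UDP" or "All"
    source_port: Optional[int] = None    # port on the gateway (ignored for DMZ)
    destination_port: Optional[int] = None
    dmz: bool = False                    # DMZ: every port is forwarded port-to-port
    limited_sources: List[str] = field(default_factory=list)  # [] means Any
    status: bool = True

    def source_allowed(self, src_ip: str) -> bool:
        """Source IP: Any when the list is empty, otherwise Limited IP Address."""
        if not self.limited_sources:
            return True
        addr = ip_address(src_ip)
        return any(addr in ip_network(s, strict=False) for s in self.limited_sources)

    def matches(self, interface: str, src_ip: str, proto: str, dst_port: int) -> bool:
        if not self.status or interface != self.interface:
            return False
        if not self.source_allowed(src_ip):
            return False
        # Only traffic matching both Source Port and Protocol is forwarded;
        # "All" accepts either transport protocol.
        if self.protocol != "All" and proto != self.protocol:
            return False
        return True if self.dmz else dst_port == self.source_port

    def target(self, dst_port: int) -> Tuple[str, int]:
        """DMZ keeps the port (port-to-port); otherwise use Destination Port."""
        return (self.destination_ip, dst_port if self.dmz else self.destination_port)


def forward(rules, interface, src_ip, proto, dst_port):
    """Return (lan_ip, lan_port) for the first matching rule, or None if not forwarded."""
    for rule in rules:
        if rule.matches(interface, src_ip, proto, dst_port):
            return rule.target(dst_port)
    return None


def exposed_services(rules) -> List[str]:
    """Audit helper: enabled rules that expose a LAN host to any internet source."""
    findings = []
    for rule in rules:
        if not rule.status or rule.limited_sources:
            continue
        if rule.dmz:
            findings.append(f"{rule.name}: DMZ exposes every port of "
                            f"{rule.destination_ip} to any source")
        else:
            findings.append(f"{rule.name}: {rule.protocol}/{rule.source_port} "
                            f"open to any source")
    return findings


# Constructed sample rule table (RFC 5737 documentation addresses on the WAN side).
SAMPLE_RULES = [
    PortForwardRule("web", "WAN1", "192.168.0.10", "TCP", 443, 8443),
    PortForwardRule("ssh-admin", "WAN1", "192.168.0.20", "TCP", 22, 22,
                    limited_sources=["203.0.113.0/24"]),
    PortForwardRule("lab-host", "WAN2", "192.168.0.50", dmz=True),
]

if __name__ == "__main__":
    print(forward(SAMPLE_RULES, "WAN1", "198.51.100.7", "TCP", 443))
    print(forward(SAMPLE_RULES, "WAN1", "198.51.100.7", "TCP", 22))
    for line in exposed_services(SAMPLE_RULES):
        print(line)
```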

? ALG

Go to Setting > Transmission > NAT > ALG . Enable or disable certain types of ALG according to your needs and click Apply .

FTP ALG

? The FTP server is in the LAN, while the FTP client is on the internet.

? The FTP server is on the internet, while the FTP client is in the LAN.

? The FTP server and FTP client are in different LANs.

H.323 ALG

? One of the endpoints is in the LAN, while the other is on the internet.

? The endpoints are in different LANs.

PPTP ALG

? The PPTP server is in the LAN, while the PPTP client is on the internet.

? The PPTP server is on the internet, while the PPTP client is in the LAN.

? The PPTP server and PPTP client are in different LANs.

SIP ALG

? One of the endpoints is in the LAN, while the other is on the internet.

? The endpoints are in different LANs.

IPsec ALG

? One of the endpoints is in the LAN, while the other is on the internet.

? The endpoints are in different LANs.

4. 6. 3 Session Limit

Session Limit optimizes network performance by limiting the maximum sessions of specific sources.

1. Go to Setting > Transmission > Session Limit . In Session Limit , enable Session Limit globally and click Apply .

2. In Session Limit Rule List , click + Create New Rule to load the following page and configure the parameters.

Name

Status

Source Type

Network : Limit the maximum sessions of specific LAN networks. With this option selected, select the networks, which you can customize in Wired Networks > LAN Networks . For detailed configuration of networks, refer to 4. 3. 2 Configure LAN Networks .

IP Group : Limit the maximum sessions of specific IP Groups. With this option selected, select the IP Groups, which you can customize in Profiles > Groups . For detailed configuration of IP groups, refer to 4. 8 Create Profiles .

Maximum Sessions

3. Click Create . The new Session Limit rule is added to the list. You can click to edit the rule. You can click to delete the rule.

4. 6. 4 Bandwidth Control

Bandwidth Control optimizes network performance by limiting the bandwidth of specific sources.

1. Go to Setting > Transmission > Bandwidth Control . In Bandwidth Control , enable Bandwidth Control globally and configure the parameters. Then click Apply .

Threshold Control

2. In Bandwidth Control Rule List , click + Create New Rule to load the following page and configure the parameters.

Name

Status

Source Type

Network : Limit the maximum bandwidth of specific LAN networks. With this option selected, select the networks, which you can customize in Wired Networks > LAN Networks . For detailed configuration of networks, refer to 4. 3. 2 Configure LAN Networks .

IP Group : Limit the maximum bandwidth of specific IP Groups. With this option selected, select the IP Groups, which you can customize in Profiles > Groups . For detailed configuration of IP groups, refer to 4. 8 Create Profiles .

WAN

Upstream Bandwidth

Downstream Bandwidth

Mode

Shared : The total bandwidth for all the local hosts is equal to the specified values.

Individual : The bandwidth for each local host is equal to the specified values.

3. Click Create . The new Bandwidth Control rule is added to the list. You can click to edit the rule. You can click to delete the rule.

4. 7 Configure VPN

VPN (Virtual Private Network) provides a means for secure communication between remote computers across a public wide area network (WAN), such as the internet. Omada managed gateways support various types of VPN. VPN configurations include 4. 7. 1 VPN and 4. 7. 2 VPN User .

4. 7. 1 VPN

VPN (Virtual Private Network) gives remote LANs or users secure access to LAN resources over a public network such as the internet. Virtual indicates the VPN connection is based on the logical end-to-end connection instead of the physical end-to-end connection. Private indicates users can establish the VPN connection according to their requirements and only specific users are allowed to use the VPN connection.

The core of a VPN connection is tunnel communication, in which the tunneling protocol handles data encapsulation, data transmission and data decapsulation. The gateway supports the following common tunneling protocols that a VPN uses to keep the data secure:

? IPsec

IPsec (IP Security) can provide security services such as data confidentiality, data integrity and data authentication at the IP layer. IPsec uses IKE (Internet Key Exchange) to handle negotiation of protocols and algorithms based on the user-specified policy, and to generate the encryption and authentication keys to be used by IPsec. IPsec can be used to protect one or more paths between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.

? PPTP

PPTP (Point-to-Point Tunneling Protocol) is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server by creating a VPN across TCP/IP-based data networks. PPTP uses the username and password to validate users.

? L2TP

L2TP (Layer 2 Tunneling Protocol) provides a way for a dialup user to make a virtual Point-to-Point Protocol (PPP) connection to an L2TP network server (LNS), which can be a security gateway. L2TP sends PPP frames through a tunnel between an L2TP access concentrator (LAC) and the LNS. Because of the lack of confidentiality inherent in the L2TP protocol, it is often implemented along with IPsec. L2TP uses the username and password to validate users.

? OpenVPN

OpenVPN uses OpenSSL for encryption and UDP or TCP for traffic transmission. OpenVPN uses a client-server connection to provide secure communications between a server and a remote client over the internet. One of the most important steps in setting up OpenVPN is obtaining the certificate used for authentication. Omada SDN Controller can generate the certificate, which can be downloaded as a file to your computer. Once the certificate is imported, remote clients are verified against it and granted access to the LAN resources.

There are many variations of virtual private networks, with the majority based on two main models:

? Site-to-Site VPN

A Site-to-Site VPN creates a connection between two networks at different geographic locations. Typically, a headquarters sets up a Site-to-Site VPN with a subsidiary to provide the branch office with access to the headquarters' network.

Omada managed gateway supports two types of Site-to-Site VPNs:

? Auto IPsec

The controller automatically creates an IPsec VPN tunnel between two sites on the same controller. The VPN connection is bidirectional. That is, creating an Auto IPsec VPN from site A to site B also provides connectivity from site B to site A, and nothing needs to be configured on site B.

? Manual IPsec

You manually create an IPsec VPN tunnel over the internet between two peer routers: the local router and a remote router that supports IPsec. The Omada managed gateway on this site is the local peer router.

? Client-to-Site VPN

A Client-to-Site VPN creates a connection to the LAN from a remote host. It is useful for teleworkers and business travelers to access their central LAN from a remote location without compromising privacy and security.

The first step to build a Client-to-Site VPN connection is to determine the role of the gateways and which VPN tunneling protocol to use:

? VPN Server

The gateway on the central LAN works as a VPN server to provide a remote host with access to the local network. The gateway which functions as a VPN server can use L2TP, PPTP, IPsec, or OpenVPN as the tunneling protocol.

? VPN Client

Either the remote user’s gateway or the remote user’s laptop or PC works as the VPN client.

When the remote user’s gateway works as the VPN client, the gateway helps create VPN tunnels between its connected hosts and the VPN server. The gateway which functions as a VPN client can use L2TP, PPTP, or OpenVPN as the tunneling protocol.

When the remote user’s laptop or PC works as the VPN client, the laptop or PC uses a VPN client software program to create VPN tunnels between itself and the VPN server. The VPN client software program can use L2TP, PPTP, IPsec, or OpenVPN as the tunneling protocol.

Note:

In scenario 1, you need to configure the VPN client and the VPN server separately on the two gateways, while remote hosts can access the local networks without running VPN client software.

In scenario 2, you need to configure the VPN server on the gateway and then configure the VPN client software program on the remote user's laptop or PC, while the remote user's gateway doesn't need any VPN configuration.

Here is the infographic to provide a quick overview of VPN solutions.

To complete the VPN configuration, follow these steps:

1 ) Create a new VPN policy and select the purpose of the VPN according to your needs. Select Site-to-Site to connect this network to another network. Select Client-to-Site to connect individual hosts to this network.

2 ) Select the VPN tunneling protocol and configure the VPN policy based on the protocol.

? Configuring Site-to-Site VPN

Omada managed gateway supports two types of Site-to-Site VPNs: Auto IPsec and Manual IPsec .

? Configuring Auto IPsec VPN

1. Go to Settings > VPN . Click to load the following page.

2. Enter a name to identify the VPN policy and select the purpose as Site-to-Site VPN. Refer to the following table to configure the required parameters and click Create .

Name

Purpose

Site-to-Site VPN .

VPN Type

Auto IPsec .

Status

Remote Site

? Configuring Manual IPsec VPN

1. Go to Settings > VPN . Click to load the following page.

2. Enter a name to identify the VPN policy and select the purpose as Site-to-Site VPN. Refer to the following table to configure the basic parameters and click Create .

Name

Purpose

Site-to-Site VPN .

VPN Type

Manual IPsec .

Status

Remote Gateway

Remote Subnets

Local Networks

Pre-Shared Key

A pre-shared key is a string of characters that is used as an authentication key. Both peer gateways create a hash value based on the same pre-shared key and other information. The hash values are then exchanged and verified to authenticate the other party.

WAN

3. Click Advanced Settings to load the following page.

Advanced settings include Phase-1 settings and Phase-2 settings. Phase-1 sets up a secure encrypted channel in which the two peers can negotiate Phase-2, and establishes the IKE Security Associations (IKE SA). Phase-2 negotiates a set of parameters that define which traffic can go through the VPN and how to encrypt and authenticate that traffic, and establishes the IPsec Security Associations (IPsec SA).

Refer to the following table to complete the configurations according to your actual needs and click Create .

For Phase-1 Settings:

Phase-1 Settings

Internet Key Exchange Version

Note that both peer gateways must be configured to use the same IKE version.

Proposal

Authentication algorithms verify the data integrity and authenticity of a message. The authentication types include MD5 and SHA1.

Diffie-Hellman (DH) groups determine the strength of the key used in the key exchange process. The DH group includes DH1, DH2, DH5, DH14, DH15, DH16, DH19, DH20, DH21, DH25, and DH26.

Exchange Mode

Main Mode: This mode provides identity protection and exchanges more information, which applies to scenarios with higher requirements for identity protection.

Aggressive Mode: This mode establishes a faster connection but with lower security, which applies to scenarios with lower requirements for identity protection.

Negotiation Mode

Initiator Mode: This mode means that the local device initiates a connection to the peer.

Responder Mode: This mode means that the local device waits for the connection request initiated by the peer.

Local ID Type

IP Address: Select IP Address to use the IP address for authentication.

Name: Select Name, and then enter the name in the Local ID field to use the name as the ID for authentication.

Local ID

Remote ID Type

IP Address: Select IP Address to use the IP address for authentication.

Name: Select Name, and then enter the name in the Remote ID field to use the name as the ID for authentication.

Remote ID

SA Lifetime

DPD

DPD Interval

For Phase-2 Settings:

Phase-2 Settings

Encapsulation Mode

Proposal

Note that both peer gateways must be configured to use the same Proposal.

PFS

SA Lifetime

Omada managed gateway supports seven types of Client-to-Site VPNs depending on the role of your Omada managed gateway and the protocol you use:

Configuring the gateway as a VPN server using L2TP

Configuring the gateway as a VPN server using PPTP

Configuring the gateway as a VPN server using IPsec

Configuring the gateway as a VPN server using OpenVPN

Configuring the gateway as a VPN client using L2TP

Configuring the gateway as a VPN client using PPTP

Configuring the gateway as a VPN client using OpenVPN

? Configuring the gateway as a VPN server using L2TP

1. Go to Settings > VPN . Click to load the following page.

2. Enter a name to identify the VPN policy and select the purpose as Client-to-Site VPN. Refer to the following table to configure the required parameters and click Create .

Name

Purpose

Client-to-Site VPN .

VPN Type

VPN Server - L2TP .

Status

IPsec Encryption

Encrypted: Select Encrypted to encrypt the L2TP tunnel by IPsec (L2TP over IPsec). With Encrypted selected, enter the Pre-shared Key for IKE authentication. VPN server and VPN client must use the same pre-shared secret key for authentication.

Unencrypted: With Unencrypted selected, the L2TP tunnel will not be encrypted by IPsec.

Auto: With Auto selected, the L2TP server determines whether to encrypt the tunnel according to the client's encryption settings. Enter the Pre-shared Key for IKE authentication. VPN server and VPN client must use the same pre-shared secret key for authentication.

Local Networks

Pre-shared Key

WAN

IP Pool

3. Add the VPN user accounts used to validate remote hosts. To create VPN users, refer to 4. 7. 2 VPN User .

? Configuring the gateway as a VPN server using PPTP

1. Go to Settings > VPN . Click to load the following page.

2. Enter a name to identify the VPN policy and select the purpose as Client-to-Site VPN. Refer to the following table to configure the required parameters and click Create .

Name

Purpose

Client-to-Site VPN .

VPN Type

VPN Server - PPTP .

Status

MPPE Encryption

Encrypted: With Encrypted selected, the PPTP tunnel will be encrypted by MPPE.

Unencrypted: With Unencrypted selected, the PPTP tunnel will not be encrypted by MPPE.

Local Networks

WAN

IP Pool

3. Add the VPN user accounts used to validate remote hosts. To create VPN users, refer to 4. 7. 2 VPN User .

? Configuring the gateway as a VPN server using IPsec

1. Go to Settings > VPN . Click to load the following page.

2. Enter a name to identify the VPN policy and select the purpose as Client-to-Site VPN. Refer to the following table to configure the basic parameters and click Create .

Name

Purpose

Client-to-Site VPN .

VPN Type

VPN Server - IPsec .

Status

Remote Host

Local Networks

Pre-Shared Key

A pre-shared key is a string of characters that is used as an authentication key. Both VPN peers create a hash value based on the same pre-shared key and other information. The hash values are then exchanged and verified to authenticate the other party.

WAN

IP Pool

3. Click Advanced Settings to load the following page.

Advanced settings include Phase-1 settings and Phase-2 settings. Phase-1 sets up a secure encrypted channel in which the two peers can negotiate Phase-2, and establishes the IKE Security Associations (IKE SA). Phase-2 negotiates a set of parameters that define which traffic can go through the VPN and how to encrypt and authenticate that traffic, and establishes the IPsec Security Associations (IPsec SA).

Refer to the following table to complete the configurations according to your actual needs and click Create .

For Phase-1 Settings:

Phase-1 Settings

Internet Key Exchange Version

Note that both VPN peers must be configured to use the same IKE version.

Proposal

Authentication algorithms verify the data integrity and authenticity of a message. The authentication types include MD5 and SHA1.

Diffie-Hellman (DH) groups determine the strength of the key used in the key exchange process. The DH group includes DH1, DH2, DH5, DH14, DH15, DH16, DH19, DH20, DH21, DH25, and DH26.

Exchange Mode

Main Mode: This mode provides identity protection and exchanges more information, which applies to scenarios with higher requirements for identity protection.

Aggressive Mode: This mode establishes a faster connection but with lower security, which applies to scenarios with lower requirements for identity protection.

Negotiation Mode

Initiator Mode: This mode means that the local device initiates a connection to the peer.

Responder Mode: This mode means that the local device waits for the connection request initiated by the peer.

Local ID Type

IP Address: Select IP Address to use the IP address for authentication.

Name: Select Name, and then enter the name in the Local ID field to use the name as the ID for authentication.

Local ID

Remote ID Type

IP Address: Select IP Address to use the IP address for authentication.

Name: Select Name, and then enter the name in the Remote ID field to use the name as the ID for authentication.

Remote ID

SA Lifetime

DPD

DPD Interval

For Phase-2 Settings:

Phase-2 Settings

Encapsulation Mode

Proposal

Note that both peer gateways must be configured to use the same Proposal.

PFS

SA Lifetime
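The Phase-1 and Phase-2 tables above for the IPsec VPN server, and the identical tables under Configuring Manual IPsec VPN, share the same requirements: both peers must use the same IKE version and Proposal, the same pre-shared key, cross-matching Local ID and Remote ID, and at least one side in Initiator Mode. The following Python check, added here as an example and not part of the controller, compares two peers' settings and flags the weaker choices the tables list (MD5, the small DH groups, Aggressive Mode, DPD off, no PFS); the dictionary layout, the encryption algorithm names and the sample peers are constructed.

```python
"""Compare two IPsec peers' Phase-1 / Phase-2 settings and flag weak choices.

Added example, not Omada code. The dict layout, the encryption algorithm
names and the sample peers are constructed; the field names mirror the
Phase-1 / Phase-2 tables (IKE version, Proposal, Exchange Mode, Negotiation
Mode, Local/Remote ID, DPD, Encapsulation Mode, PFS).
"""
import copy
from typing import Dict, List

WEAK_AUTH = {"MD5"}                # HMAC-MD5 should no longer be selected
WEAK_DH = {"DH1", "DH2", "DH5"}    # 768/1024/1536-bit MODP groups


def compare_peers(a: Dict, b: Dict) -> List[str]:
    """Return the settings that would prevent the two peers from negotiating."""
    problems = []
    p1a, p1b = a["phase1"], b["phase1"]
    keys = ["ike_version", "proposal"]
    if p1a["ike_version"] == "IKEv1":
        keys.append("exchange_mode")   # Main/Aggressive exists only in IKEv1
    for key in keys:
        if p1a[key] != p1b[key]:
            problems.append(f"Phase-1 {key} differs: {p1a[key]} vs {p1b[key]}")
    if p1a["negotiation_mode"] == p1b["negotiation_mode"] == "Responder":
        problems.append("both peers wait in Responder Mode; nobody initiates")
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ")
    # Each side's Local ID must be what the other side expects as Remote ID.
    if p1a["local_id"] != p1b["remote_id"] or p1b["local_id"] != p1a["remote_id"]:
        problems.append("Local ID / Remote ID pairs do not cross-match")
    p2a, p2b = a["phase2"], b["phase2"]
    for key in ("encapsulation_mode", "proposal", "pfs"):
        if p2a[key] != p2b[key]:
            problems.append(f"Phase-2 {key} differs: {p2a[key]} vs {p2b[key]}")
    return problems


def weak_settings(peer: Dict) -> List[str]:
    """Warn about choices that negotiate fine but weaken the tunnel."""
    warnings = []
    enc, auth, dh = peer["phase1"]["proposal"]
    if auth in WEAK_AUTH:
        warnings.append(f"Phase-1 authentication {auth} is weak")
    if dh in WEAK_DH:
        warnings.append(f"Phase-1 {dh} is a small DH group; use DH14 or higher")
    if peer["phase1"]["ike_version"] == "IKEv1" and \
            peer["phase1"]["exchange_mode"] == "Aggressive":
        warnings.append("Aggressive Mode sends peer identities without protection")
    if not peer["phase1"]["dpd"]:
        warnings.append("DPD disabled: a dead peer is only noticed at SA expiry")
    if peer["phase2"]["pfs"] == "None":
        warnings.append("PFS off: Phase-2 keys derive from the Phase-1 exchange only")
    return warnings


# Constructed sample: a local gateway and its remote peer, both IKEv2.
LOCAL = {
    "psk": "example-psk-change-me",
    "phase1": {"ike_version": "IKEv2", "proposal": ("AES-256", "SHA1", "DH14"),
               "exchange_mode": "Main", "negotiation_mode": "Initiator",
               "local_id": ("IP Address", "203.0.113.1"),
               "remote_id": ("IP Address", "198.51.100.1"),
               "sa_lifetime": 28800, "dpd": True, "dpd_interval": 10},
    "phase2": {"encapsulation_mode": "Tunnel", "proposal": ("AES-256", "SHA1"),
               "pfs": "DH14", "sa_lifetime": 3600},
}
REMOTE = copy.deepcopy(LOCAL)
REMOTE["phase1"]["negotiation_mode"] = "Responder"
REMOTE["phase1"]["local_id"], REMOTE["phase1"]["remote_id"] = (
    LOCAL["phase1"]["remote_id"], LOCAL["phase1"]["local_id"])

# Constructed legacy peer: IKEv1, Aggressive Mode, MD5, DH2, DPD off, no PFS.
LEGACY = copy.deepcopy(REMOTE)
LEGACY["phase1"].update(ike_version="IKEv1", exchange_mode="Aggressive",
                        proposal=("AES-128", "MD5", "DH2"), dpd=False)
LEGACY["phase2"]["pfs"] = "None"

if __name__ == "__main__":
    print("mismatches:", compare_peers(LOCAL, REMOTE))
    print("legacy mismatches:", compare_peers(LOCAL, LEGACY))
    print("legacy warnings:", weak_settings(LEGACY))
```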

? Configuring the gateway as a VPN server using OpenVPN

1. Go to Settings > VPN . Click to load the following page.

2. Enter a name to identify the VPN policy and select the purpose as Client-to-Site VPN. Refer to the following table to configure the required parameters and click Create .

Name

Purpose

Client-to-Site VPN .

VPN Type

VPN Server - OpenVPN .

Status

Protocol

Service Port

Local Networks

WAN

IP Pool

3. After clicking Create to save the VPN policy, go to VPN Policy List and click the icon in the Action column to export the OpenVPN file (ending in .ovpn) for use by the remote client. The exported OpenVPN file contains the certificate and configuration information.

? Configuring the gateway as a VPN client using L2TP

1. Go to Settings > VPN . Click to load the following page.

2. Enter a name to identify the VPN policy and select the purpose as Client-to-Site VPN. Refer to the following table to configure the required parameters and click Create .

Name

Purpose

Client-to-Site VPN .

VPN Type

VPN Client - L2TP .

Status

Working Mode

NAT: With NAT (Network Address Translation) mode selected, the L2TP client uses the assigned IP address as the source address of the original IP header when forwarding L2TP packets.

Routing: With Routing selected, the L2TP client uses its own IP address as the source address of the original IP header when forwarding L2TP packets.

Username

Password

IPsec Encryption

Encrypted: Select Encrypted to encrypt the L2TP tunnel by IPsec (L2TP over IPsec). With Encrypted selected, enter the Pre-shared Key for IKE authentication. VPN server and VPN client must use the same pre-shared secret key for authentication.

Unencrypted: With Unencrypted selected, the L2TP tunnel will not be encrypted by IPsec.

Remote Server

Remote Subnets

Local Networks

Pre-shared Key

WAN

? Configuring the gateway as a VPN client using PPTP

1. Go to Settings > VPN . Click to load the following page.

2. Enter a name to identify the VPN policy and select the purpose as Client-to-Site VPN. Refer to the following table to configure the required parameters and click Create .

Name

Purpose

Client-to-Site VPN .

VPN Type

VPN Client - PPTP .

Status

Working Mode

NAT: With NAT (Network Address Translation) mode selected, the PPTP client uses the assigned IP address as the source address of the original IP header when forwarding PPTP packets.

Routing: With Routing selected, the PPTP client uses its own IP address as the source address of the original IP header when forwarding PPTP packets.

Username

Password

MPPE Encryption

Encrypted: Select Encrypted to encrypt the PPTP tunnel by MPPE.

Unencrypted: With Unencrypted selected, the PPTP tunnel will not be encrypted by MPPE.

Remote Server

Remote Subnets

Local Networks

WAN

? Configuring the gateway as a VPN client using OpenVPN

1. Go to Settings > VPN . Click to load the following page.

2. Enter a name to identify the VPN policy and select the purpose as Client-to-Site VPN. Refer to the following table to configure the required parameters and click Create .

Name

Purpose

Client-to-Site VPN .

VPN Type

VPN Client - OpenVPN .

Status

Remote Server

Local Networks

WAN

Configuration

Click to import the OpenVPN file (ending in .ovpn) generated by the OpenVPN server. Only one file can be imported.

4. 7. 2 VPN User

VPN User is used to configure and record your custom settings for VPN configurations, and it allows you to configure VPN users that can be used for multiple VPN servers, including L2TP servers and PPTP servers. It saves you from setting the VPN users with the same configurations repeatedly when you want to apply the user in different VPN servers.

To configure the VPN users, follow these steps:

1. Go to Settings > VPN > VPN User . Click +Create New VPN User to add a new entry of VPN User.

2. Specify the parameters and select the VPN policy with the type of VPN Server-L2TP/PPTP that the VPN user is applied to and click Create .

Username

Password

VPN Server

Mode

Client: This mode allows the client to request an IP address, which the server supplies from the VPN IP Pool. With this mode selected, set the maximum number of concurrent VPN connections allowed for the same account in Maximum Connections.

Network Extension Mode: This mode allows only clients from the configured subnet to connect to the server and obtain VPN services. With this mode selected, specify the subnet in Remote Subnets.

Maximum Connections

Remote Subnets

to specify the subnet.

To edit or delete the VPN users, click the icon in the Action column.

Delete the VPN user.

4. 8 Create Profiles

Profiles section is used to configure and record your custom settings for site configurations. It includes Time Range and Groups profiles. In Time Range section, you can configure time templates for wireless schedule, PoE schedule, etc. In Groups section, you can configure groups based on IP, IP-Port and MAC addresses for ACL, Routing, NAT, etc. After creating the profiles, you can apply them to multiple configurations for different sites, saving you from repeatedly setting up the same information.

4. 8. 1 Time Range

Time Range section allows you to customize time-related configurations. You can set different time range templates which can be shared and applied to wireless schedule, PoE schedule, etc. in site configuration.

To configure the time range profiles, follow these steps:

1. Go to Settings > Profiles > Time Range . Click +Create New Time Range to add a new time range entry. By default, there is no entry in the list.

2. Enter a Name for the new entry, select the Day Mode, and specify the time range. Click Apply to save the entry. After saving the newly added entry, you can apply them to site configuration. To apply the customized time range profiles in configuration, refer to 4. 4. 3 WLAN Schedule , and 4. 10. 6 PoE Schedule .

Name

Day Mode

Select Every Day , Weekday , Weekend , or Customized first before specifying the time range for each day.

Every Day : You only need to set the time range once, and it will repeat every day.

Weekday : You only need to set the time range once, and it will repeat every weekday from Monday to Friday.

Weekend : You only need to set the time range once, and it will repeat every Saturday and Sunday.

Customized : You are able to set different time range for the chosen day(s) based on your needs. When a day is not chosen, the WiFi is open all day by default.

You can view the name, day mode and time range in the list.

To edit or delete the time range entry, click the icon in the Action column.

Delete the entry.

4. 8. 2 Groups

Overview

Groups section allows you to customize client groups based on IP, IP-Port, or MAC Address. You can set different rules for the groups profiles which can be shared and applied to ACL, Routing, NAT, etc. in site configuration.

Configuration

To configure the group profiles, follow these steps:

1. Go to Settings > Profiles > Groups . By default, there is an entry covering all IPs, which cannot be edited or deleted. Click +Create New Group to add a new group entry.

2. Enter a name for the new group profile entry, and select the type for the new entry.

? Based on IP Group

To configure a group profile based on IP Group, you are required to specify the IP subnets, while subnet mask is optional. You can click +Add Subnet to add new subnets, and click to delete them.

? Based on IP-Port Group

To configure a group profile based on IP-Port Group, you are required to specify the port(s) for the entry, while it is optional to specify the IP subnet(s). If you only specify the port(s) without entering any IP subnet, it means the group contains the specified port(s) for all IPs. You can click +Add Subnet to add new IP subnets, click +Add Port to add ports, and click to delete them.

? Based on MAC Group

To configure a group profile based on MAC Group, you are required to enter MAC Address(es) in the MAC Addresses List. There are three ways to add MAC address(es) to the MAC Addresses List.

Add MAC addresses in batches. You can enter the MAC addresses and names in the input box or import them from files in Excel or text (txt) format.

If you want to use the newly added MAC address(es) and names when they conflict with the existing ones, click the to allow it to override the current MAC Access Control List.

Note:

1. Each MAC address and name should be entered on a new line. The MAC address and name should be separated by a space.

2. Octets in a MAC address should be separated by a hyphen. For example, AA-BB-CC-DD-EE-FF.

3. Click Apply to save the entry.

After saving the newly added entry, you can apply them to site configuration. To apply the customized profiles in configuration, refer to 4. 5. 1 ACL , 4. 6. 1 Routing , 4. 6. 2 NAT .
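As an added example (not the controller's own code), the following Python parser reads a MAC Group batch list in the format the note above describes, one "MAC name" pair per line with hyphen-separated octets, rejects malformed lines, and merges the result into an existing list with or without the override option. The sample batch, the existing list and the rule that a MAC listed twice in one batch is an error are constructed for illustration.

```python
"""Parse a MAC Group batch-import list and merge it into the existing list.

Added example, not Omada code. The input format follows the batch-import
note (one "MAC name" pair per line, octets separated by hyphens); the
override semantics and the sample data are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Six hex octets separated by hyphens, e.g. AA-BB-CC-DD-EE-FF (case-insensitive).
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$")


def parse_batch(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return ({MAC: name}, [error messages]); MACs are normalised to upper case."""
    entries: Dict[str, str] = {}
    errors: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue                      # blank lines are ignored
        parts = line.split(None, 1)       # MAC, then the name after the first space
        if len(parts) != 2:
            errors.append(f"line {lineno}: expected 'MAC name', got {line!r}")
            continue
        mac, name = parts[0].upper(), parts[1].strip()
        if not MAC_RE.match(mac):
            errors.append(f"line {lineno}: bad MAC {parts[0]!r} (use AA-BB-CC-DD-EE-FF)")
            continue
        if mac in entries:                # constructed rule: duplicates are rejected
            errors.append(f"line {lineno}: {mac} listed twice in the batch")
            continue
        entries[mac] = name
    return entries, errors


def merge(existing: Dict[str, str], batch: Dict[str, str],
          override: bool) -> Tuple[Dict[str, str], List[str]]:
    """Merge the batch into the current list.

    A conflict is the same MAC with a different name. Conflicting batch
    entries are skipped unless override is set, mirroring the override toggle.
    """
    result = dict(existing)
    conflicts: List[str] = []
    for mac, name in batch.items():
        if mac in result and result[mac] != name:
            conflicts.append(mac)
            if not override:
                continue
        result[mac] = name
    return result, conflicts


# Constructed sample batch: two good lines and three that must be rejected.
SAMPLE_BATCH = """\
AA-BB-CC-DD-EE-01 printer-floor1
aa-bb-cc-dd-ee-02 badge-reader
AA:BB:CC:DD:EE:03 wrong-separator
AA-BB-CC-DD-EE-04
AA-BB-CC-DD-EE-01 printer-floor1-dup
"""

# Constructed current list; EE-02 already exists under another name.
CURRENT_LIST = {"AA-BB-CC-DD-EE-02": "old-badge-reader",
                "AA-BB-CC-DD-EE-09": "camera-lobby"}

if __name__ == "__main__":
    parsed, errs = parse_batch(SAMPLE_BATCH)
    print(parsed)
    for err in errs:
        print(err)
    print(merge(CURRENT_LIST, parsed, override=False))
    print(merge(CURRENT_LIST, parsed, override=True))
```

A MAC group is a convenience for ACLs, routing and NAT rules, not an authentication boundary: a client can change its own MAC address, so pair MAC-based rules with 802.1X or Portal where identity matters.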

You can view the name, type, and count in the list.

To view, edit or delete the group entry, click the icon in the Action column.

Delete the entry.

4. 8. 3 Rate Limit

Overview

Rate Limit allows you to customize rate-related configurations. You can set different rate limit templates. They can be bound to a wireless network to limit the upload/download rate of clients connected to the SSID, and applied to specific types of Portal, such as Local User and Voucher. After creating the profiles, you can apply them to multiple configurations, saving you from repeatedly setting up the same information.

Configuration

To configure the rate limit profiles, follow these steps:

1. Go to Settings > Profiles > Rate Limit . By default, there is an entry with no limits, and it cannot be deleted. Click +Create New Rate Limit Profile to add a new entry.

2. Enter a name and specify the download/upload rate limit for the new entry. After saving the newly added entry, you can apply them to other configurations. To apply the customized rate limit profiles in the related configurations, refer to 4. 9. 1 Portal , 4. 4. 1 Set Up Basic Wireless Networks , and 7. 1. 3 Using the Properties Window to Monitor and Manage the Clients .

Name

Download Limit

Upload Limit

3. Click Apply to save the entry. After saving the newly added entry, you can apply them to site configuration. To apply the customized rate limit profiles in the related configurations, refer to 4. 9. 1 Portal , and 4. 4. 1 Set Up Basic Wireless Networks .

You can view the name, download limit, and upload limit in the list.

To view, edit or delete the rate limit profile, click the icon in the Action column.

Delete the entry.

4. 9 Authentication

Authentication is a portfolio of features designed to authorize network access to clients, which enhances the network security. Authentication services include 4. 9. 1 Portal , 4. 9. 2 802.1X and 4. 9. 3 MAC-Based Authentication , covering all the needs to authenticate both wired and wireless clients.

4. 9. 1 Portal

Portal authentication provides convenient authentication services to the clients that only need temporary access to the network, such as the customers in a restaurant or in a supermarket. To access the network, these clients need to enter the authentication login page and use the correct login information to pass the authentication. In addition, you can customize the authentication login page and specify a URL which the authenticated clients will be redirected to.

Portal authentication takes effect on SSIDs and LAN networks. EAPs authenticate wireless clients which connect to the SSID with Portal configured, and the gateway authenticates wired clients which connect to the network with Portal configured. To make Portal authentication available for wired and wireless clients, ensure that both the gateway and EAPs are connected and working properly.

The controller provides six types of Portal authentication:

• No Authentication

With this authentication type configured, clients pass the authentication and access the network without providing any login information. Clients only need to accept the terms (if configured) and click the Login button.

• Simple Password

With this authentication type configured, clients are required to enter the correct password to pass the authentication. All clients share the same password, which is configured in the controller, so this type gives no per-user accountability; use Hotspot or a RADIUS-backed type where you need to know who logged in.

• Hotspot

With this authentication type configured, clients can access the network after passing any one of the following authentication methods:

• Voucher

Clients use unique voucher codes generated by the controller, each valid for a predefined usage period. Voucher codes can be printed from the controller, so you can distribute them to your customers and tie network access to consumption.

• Local User

Clients are required to enter the correct username and password of a login account created in the controller to pass the authentication.

• SMS

Clients receive verification codes on their mobile phones and enter the received codes to pass the authentication.

• RADIUS

Clients are required to enter the correct username and password stored on the RADIUS server to pass the authentication.

• External RADIUS Server

Clients are required to enter the correct username and password created on the RADIUS server to pass the authentication.

• External Portal Server

The External Portal Server option is designed for developers. Using the interface provided by Omada Controller, they can implement their own authentication type, such as Google account authentication, on a portal server they operate.

• Facebook

With Facebook Portal configured, clients connecting to your Wi-Fi are redirected to your Facebook page. To access the internet, clients need to log in to their account or enter the password code on the Facebook page.

Portal authentication can work with Access Control Policy, which grants specific network access to users with valid identities. You can determine which network resources clients that have not passed Portal authentication may still reach:

• Pre-Authentication Access

Pre-Authentication Access allows unauthenticated clients to reach specific network resources, typically the DNS servers, payment pages or terms-of-service pages that the login flow depends on. Everything on this list is reachable by anyone within range of the SSID, so keep it to the minimum the portal needs.

• Authentication-Free Client

Authentication-Free Client allows specific clients, identified by IP address or MAC address, to access network resources without authentication. IP and MAC addresses can be spoofed, so treat these entries as a convenience for devices that cannot log in (printers, kiosks), not as a security boundary.
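The two access-control lists above decide what an unauthenticated client may reach before it sees the login page. The following Python program, added here as an example and not taken from the controller, evaluates that policy for constructed sample flows: CIDR matching for the IP ranges, whole-label host matching for the URL entries, MAC normalisation for the Authentication-Free list, and the order in which the decisions are taken. The sample entries, the rule that a URL entry also covers its subdomains, the path-prefix rule and the result strings are this example's own assumptions; the guide does not state how the controller itself matches URL entries.

```python
"""Policy evaluator for the Portal Access Control tab (added example, not controller code).
Assumed by this example, not stated in the guide: URL entries match the host exactly or as a
parent domain, and a path in an entry is a prefix; all sample entries below are constructed."""
import ipaddress
from urllib.parse import urlsplit

PRE_AUTH_IP_RANGES = ["10.10.0.0/24", "203.0.113.10/32"]          # e.g. DNS resolvers, a payment host
PRE_AUTH_URLS = ["https://www.example.com", "http://captive.example.net/terms"]
AUTH_FREE_IPS = {"10.10.5.20"}                                    # e.g. a printer that cannot log in
AUTH_FREE_MACS = {"AA-BB-CC-DD-EE-01"}


def normalize_mac(mac):
    """Canonicalise aa:bb:cc:dd:ee:01, aa-bb-cc-dd-ee-01, aabb.ccdd.ee01 or aabbccddee01 to
    AA-BB-CC-DD-EE-01, so a list lookup does not depend on how the address was typed in."""
    digits = "".join(ch for ch in mac if ch not in ":-.")
    if len(digits) != 12 or any(ch not in "0123456789abcdefABCDEF" for ch in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.upper()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def host_allowed(request_host, allowed_host):
    """Exact host or a subdomain of it, compared on whole labels. A substring or
    'startswith' test would let www.example.com.evil.net pass for www.example.com."""
    request_host = request_host.lower().rstrip(".")
    allowed_host = allowed_host.lower().rstrip(".")
    return request_host == allowed_host or request_host.endswith("." + allowed_host)


def url_pre_authorized(dest_url):
    """True if an unauthenticated client may fetch dest_url under PRE_AUTH_URLS."""
    dest = urlsplit(dest_url)
    if dest.scheme not in ("http", "https") or not dest.hostname:
        return False
    for entry in PRE_AUTH_URLS:
        allowed = urlsplit(entry)
        if not host_allowed(dest.hostname, allowed.hostname):
            continue
        # A path in the entry restricts the match to that prefix. For HTTPS a gateway sees only
        # the SNI hostname, so path restrictions are enforceable for plain HTTP only.
        prefix = allowed.path.rstrip("/")
        if prefix and dest.path != prefix and not dest.path.startswith(prefix + "/"):
            continue
        return True
    return False


def ip_pre_authorized(dest_ip):
    addr = ipaddress.ip_address(dest_ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in PRE_AUTH_IP_RANGES)


def authentication_free(client_ip, client_mac):
    return client_ip in AUTH_FREE_IPS or normalize_mac(client_mac) in AUTH_FREE_MACS


def evaluate(client_ip, client_mac, authenticated, dest_ip=None, dest_url=None):
    """Decide one flow: ('allow', reason) or ('portal', reason) meaning redirect to the login page.
    Authentication-Free entries come first because those clients never see the portal at all."""
    if authentication_free(client_ip, client_mac):
        return "allow", "authentication-free client"
    if authenticated:
        return "allow", "client passed portal authentication"
    if dest_ip is not None and ip_pre_authorized(dest_ip):
        return "allow", "pre-authentication IP range"
    if dest_url is not None and url_pre_authorized(dest_url):
        return "allow", "pre-authentication URL"
    return "portal", "unauthenticated client and destination not pre-authorized"


if __name__ == "__main__":
    # Constructed sample flows from a client that has not logged in yet.
    for url in ("https://www.example.com/start", "https://www.example.com.evil.net/", "https://news.test/"):
        print(url, "->", evaluate("10.10.5.99", "aa:bb:cc:dd:ee:99", False, dest_url=url))
    print("dns ->", evaluate("10.10.5.99", "aa:bb:cc:dd:ee:99", False, dest_ip="10.10.0.53"))
```

The host comparison is the part worth checking in any captive-portal product: an allow entry for www.example.com must not be satisfied by www.example.com.evil.net, and because a gateway sees only the SNI hostname of HTTPS traffic, a path in a URL entry can only be enforced for plain HTTP.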

To complete the Portal configuration, follow these steps:

1 ) Create a new Portal entry.

2 ) Enable Portal, select the SSIDs and LAN networks for the portal to take effect on, and configure basic parameters including authentication type, authentication timeout and so on.

3 ) Customize the Portal page, including the background picture, logo picture and so on.

4 ) (Optional) Configure access control policies including Pre-Authentication Access and Authentication-Free Clients if needed.

The following part introduces how to configure each type of Portal authentication: No Authentication , Simple Password , Hotspot (Voucher, Local User, SMS, RADIUS), External RADIUS Server , External Portal Server and Facebook .

? Configuring Portal with No Authentication

1. Go to Settings > Authentication > Portal . On the Portal tab, click the create button to add a new portal entry, then click the toggle to enable Portal and load the following page.

2. Select the SSIDs and LAN networks for the portal to take effect on and configure basic parameters including authentication type, authentication timeout and so on.

Portal Name

Portal

Click the toggle to enable Portal.

SSID & Network

Authentication Type

Authentication Timeout

Daily Limit

HTTPS Redirection

Landing Page

The Original URL: Clients are directed to the URL they request for after they pass Portal authentication.

The Promotional URL: Clients are directed to the specified URL after they pass Portal authentication.

3. In the Portal Customization section, customize the Portal page including the background picture, logo picture and so on.

Type

Edit Current Page: Edit the related parameters to customize the Portal page based on the provided page.

Import Customized Page: Click to import your unique Portal page for branding it as per your business.

Default Language

Background

Solid Color: Configure your desired background color by entering the hexadecimal HTML color code manually or through the color picker.

Picture: Click and select a picture from your PC as the background.

Logo

Logo Picture

Click the upload button and select a picture from your PC as the logo.

Logo Position

Button Color

Button Text Color

Button Position

Welcome Information

Terms of Service

Copyright

Advertisement

Picture Resource

Click the upload button and select pictures from your PC as the advertisement pictures. When several pictures are added, they are played in a loop.

Advertisement Duration Time

Picture Carousel Interval

Allow Users To Skip Advertisement

4. (Optional) Configure access control rules including Pre-Authentication Access and Authentication-Free Policy if needed. Go to Settings > Authentication > Portal . On Access Control tab, click the checkbox to enable Pre-Authentication Access and Authentication-Free Policy.

Pre-Authentication Access

Pre-Authentication Access List

Click the add button to configure the IP ranges or URLs that unauthenticated clients are allowed to access.

Authentication-Free Policy

Authentication-Free Client List

Click the add button and enter the IP address or MAC address of each Authentication-Free client.

? Configuring Portal with Simple Password

1. Go to Settings > Authentication > Portal . On the Portal tab, click the create button to add a new portal entry, then click the toggle to enable Portal and load the following page.

2. Select the SSIDs and LAN networks for the portal to take effect on and configure basic parameters including authentication type, authentication timeout and so on.

SSID & Network

Authentication Type

Password

Authentication Timeout

HTTPS Redirection

Landing Page

The Original URL: Clients are directed to the URL they request for after they pass Portal authentication.

The Promotional URL: Clients are directed to the specified URL here after they pass Portal authentication.

3. In the Portal Customization section, customize the Portal page including the background picture, logo picture and so on.

Type

Edit Current Page: Edit the related parameters to customize the portal page based on the provided page.

Import Customized Page: Click to import your unique Portal page for branding it as per your business.

Default Language

Background

Solid Color: Configure your desired background color by entering the hexadecimal HTML color code manually or through the color picker.

Picture: Click and select a picture from your PC as the background.

Logo

Logo Picture

Click the upload button and select a picture from your PC as the logo.

Logo Position

Input Box Color

Input Text Color

Button Text Color

Button Position

Welcome Information

Terms of Service

Copyright

Advertisement

Picture Resource

Click the upload button and select pictures from your PC as the advertisement pictures. When several pictures are added, they are played in a loop.

Advertisement Duration Time

Picture Carousel Interval

Allow Users To Skip Advertisement

4. (Optional) Configure access control rules including Pre-Authentication Access and Authentication-Free Policy if needed. Go to Settings > Authentication > Portal . On Access Control tab, click the checkbox to enable Pre-Authentication Access and Authentication-Free Policy.

Pre-Authentication Access

Pre-Authentication Access List

Click the add button to configure the IP ranges or URLs that unauthenticated clients are allowed to access.

Authentication-Free Policy

Authentication-Free Client List

Click the add button and enter the IP address or MAC address of each Authentication-Free client.

? Configuring Portal with Hotspot

1. Go to Settings > Authentication > Portal . On the Portal tab, click the create button to add a new portal entry, then click the toggle to enable Portal and load the following page.

2. Select the SSIDs and LAN networks for the portal to take effect on and configure basic parameters.

SSID & Network

Authentication Type

Type

HTTPS Redirection

Landing Page

The Original URL: Clients are directed to the URL they request for after they pass Portal authentication.

The Promotional URL: Clients are directed to the specified URL after they pass Portal authentication.

3. With different types of Hotspot selected, configure the related parameters.

? Configuring Voucher Portal

Voucher

Click the link to manage the voucher codes. Refer to 7. 2. 2 Vouchers for detailed information about how to create vouchers.

? Configuring Local Portal

Local User

Click the link to manage the login accounts. Refer to 7. 2. 3 Local Users for detailed information about how to create Local Users.

? Configuring SMS Portal

Select SMS and configure the required parameters in the SMS section.

SMS

Twilio SID

Auth Token

The Twilio account's API credential. Together with the SID it gives full access to the Twilio account, so restrict who can view or export the controller configuration that contains it.

Operating Phone Number

Maximum User Numbers

Authentication Timeout

Preset Country Code

? Configuring RADIUS Portal

Select RADIUS and configure the required parameters in the RADIUS section.

Authentication Timeout

RADIUS Profile

Select a RADIUS profile from the drop-down list, or create one. The RADIUS profile records the information of the RADIUS server, which stores the authentication information centrally.

Authentication Mode

NAS ID

Disconnected Requests

Receiver Port

Status

4. In the Portal Customization section, customize the Portal page including the background picture, logo picture and so on.

Type

Edit Current Page: Edit the related parameters to customize the portal page based on the provided page.

Import Customized Page: Click to import your unique Portal page for branding it as per your business.

Default Language

Background

Solid Color: Configure your desired background color by entering the hexadecimal HTML color code manually or through the color picker.

Picture: Click and select a picture from your PC as the background.

Logo

Logo Picture

Click the upload button and select a picture from your PC as the logo.

Logo Position

Input Box Color

Input Text Color

Button Color

Button Text Color

Button Position

Welcome Information

Terms of Service

Copyright

Advertisement

Picture Resource

Click the upload button and select pictures from your PC as the advertisement pictures. When several pictures are added, they are played in a loop.

Advertisement Duration Time

Picture Carousel Interval

Allow Users To Skip Advertisement

5. (Optional) Configure access control rules including Pre-Authentication Access and Authentication-Free Policy if needed. Go to Settings > Authentication > Portal . On Access Control tab, click the checkbox to enable Pre-Authentication Access and Authentication-Free Policy.

Pre-Authentication Access

Pre-Authentication Access List

Click the add button to configure the IP ranges or URLs that unauthenticated clients are allowed to access.

Authentication-Free Policy

Authentication-Free Client List

Click the add button and enter the IP address or MAC address of each Authentication-Free client.

? Configuring Portal with External RADIUS Server

1. Go to Settings > Authentication > Portal . Click the toggle to enable Portal and load the following page.

2. Select the SSIDs and LAN networks for the portal to take effect on and configure basic parameters including authentication type, authentication timeout and so on.

SSID & Network

Authentication Type

Authentication Timeout

RADIUS Profile

Select a RADIUS profile from the drop-down list, or create one. The RADIUS profile records information about the RADIUS server, including its IP address, port and so on.

NAS ID

Disconnected Requests

Receiver Port

Status

Authentication Mode

Portal Customization

HTTPS Redirection

Landing Page

The Original URL: Clients are directed to the URL they request for after they pass Portal authentication.

The Promotional URL: Clients are directed to the specified URL here after they pass Portal authentication.

3. If you choose Local Web Portal, which is provided by the controller's built-in portal server, customize the Portal page in the Portal Customization section, including the background picture, logo picture and so on.

Type

Edit Current Page: Edit the related parameters to customize the portal page based on the provided page.

Import Customized Page: Click to import your unique Portal page for branding it as per your business.

Default Language

Background

Solid Color: Configure your desired background color by entering the hexadecimal HTML color code manually or through the color picker.

Picture: Click and select a picture from your PC as the background.

Logo

Logo Picture

Click the upload button and select a picture from your PC as the logo.

Logo Position

Button Color

Button Text Color

Button Position

Welcome Information

Terms of Service

Copyright

Advertisement

Picture Resource

Click the upload button and select pictures from your PC as the advertisement pictures. When several pictures are added, they are played in a loop.

Advertisement Duration Time

Picture Carousel Interval

Allow Users To Skip Advertisement

4. (Optional) Configure access control rules including Pre-Authentication Access and Authentication-Free Policy if needed. Go to Settings > Authentication > Portal . On Access Control tab, click the checkbox to enable Pre-Authentication Access and Authentication-Free Policy.

Pre-Authentication Access

Pre-Authentication Access List

Click the add button to configure the IP ranges or URLs that unauthenticated clients are allowed to access.

Authentication-Free Policy

Authentication-Free Client List

Click the add button and enter the IP address or MAC address of each Authentication-Free client.

? Configuring Portal with External Portal Server

1. Go to Settings > Authentication > Portal . On the Portal tab, click the create button to add a new portal entry, then click the toggle to enable Portal and load the following page.

2. Select the SSIDs and LAN networks for the portal to take effect on and configure basic parameters including authentication type, custom portal server and so on.

SSID & Network

Authentication Type

Custom Portal Server

HTTPS Redirection

Landing Page

The Original URL: Clients are directed to the URL they request for after they pass Portal authentication.

The Promotional URL: Clients are directed to the specified URL here after they pass Portal authentication.

3. (Optional) Configure access control rules including Pre-Authentication Access and Authentication-Free Policy if needed. Go to Settings > Authentication > Portal . On Access Control tab, click the checkbox to enable Pre-Authentication Access and Authentication-Free Policy.

Pre-Authentication Access

Pre-Authentication Access List

Click the add button to configure the IP ranges or URLs that unauthenticated clients are allowed to access.

Authentication-Free Policy

Authentication-Free Client List

Click the add button and enter the IP address or MAC address of each Authentication-Free client.

? Configuring Portal with Facebook

1. Go to Settings > Authentication > Portal . Click the toggle to enable Portal and load the following page.

2. Select the SSIDs and LAN networks for the portal to take effect on and configure basic parameters.

SSID & Network

Authentication Type

Facebook Page Configuration

Click the configuration link to specify the Facebook Page.

Facebook Checkin Location

HTTPS Redirection

3. In the Portal Customization section, customize the Portal page including the background picture, logo picture and so on.

Type

Edit Current Page: Edit the related parameters to customize the portal page based on the provided page.

Import Customized Page: Click to import your unique Portal page for branding it as per your business.

Default Language

Background

Solid Color: Configure your desired background color by entering the hexadecimal HTML color code manually or through the color picker.

Picture: Click and select a picture from your PC as the background.

Logo

Logo Picture

Click the upload button and select a picture from your PC as the logo.

Logo Position

Theme Color

Button Text Color

Button Position

Welcome Information

Terms of Service

Copyright

Click Advertisement Options and customize the advertisement pictures on the authentication page.

Advertisement

Picture Resource

Click the upload button and select pictures from your PC as the advertisement pictures. When several pictures are added, they are played in a loop.

Advertisement Duration Time

Picture Carousel Interval

Allow Users To Skip Advertisement

4. (Optional) Configure access control rules including Pre-Authentication Access and Authentication-Free Policy if needed. Go to Settings > Authentication > Portal . On Access Control tab, click the checkbox to enable Pre-Authentication Access and Authentication-Free Policy.

Pre-Authentication Access

Pre-Authentication Access List

Click the add button to configure the IP ranges or URLs that unauthenticated clients are allowed to access.

Authentication-Free Policy

Authentication-Free Client List

Click the add button and enter the IP address or MAC address of each Authentication-Free client.

4. 9. 2 802.1X

802.1X provides port-based authentication to keep unauthorized clients from accessing the network through publicly accessible switch ports. An 802.1X-enabled port allows only authentication messages (EAPOL) and blocks normal traffic until the client passes authentication.

802.1X authentication uses a client/server model with three device roles: client/supplicant, authenticator and authentication server.

• Client

A client, usually a computer, is connected to the authenticator via a physical port. We recommend that you install TP-Link 802.1X authentication client software on the client hosts, enabling them to request 802.1X authentication to access the LAN.

• Authenticator

An authenticator is usually a network device that supports the 802.1X protocol. In this deployment, the switch is the authenticator.

The authenticator acts as an intermediate proxy between the client and the authentication server. The authenticator requests user information from the client and sends it to the authentication server; it also receives responses from the authentication server and relays them to the client. The authenticator allows authenticated clients to access the LAN through the connected ports and denies unauthenticated clients.

• Authentication Server

The authentication server is usually the host running the RADIUS server program. It stores the credentials of clients, checks whether a client's credentials are valid, and informs the authenticator whether the client is authenticated.

Based on authenticated identity, 802.1X can also deliver customized services. For example, 802.1X and VLAN Assignment together make it possible to assign different authenticated users to different VLANs automatically.

To complete the 802.1X configuration, follow these steps:

1 ) Enable 802.1X.

2 ) Select the RADIUS profile you have created and configure other parameters.

3 ) Select the ports on which 802.1X Authentication will take effect.

Go to Settings > Authentication > 802.1X . Click the toggle to enable 802.1X.

Select the RADIUS profile you have created from the drop-down list; if no RADIUS profile exists yet, create one from the same drop-down list. The RADIUS profile records the information of the RADIUS server which acts as the authentication server during 802.1X authentication.

Authentication Protocol

PAP: The switch terminates the EAP exchange with the client and forwards the username and password to the RADIUS server as ordinary RADIUS attributes (PAP). The password travels in the User-Password attribute, which is only obfuscated with the RADIUS shared secret, so the path between the switch and the RADIUS server must be trusted.

EAP: The EAP packets are encapsulated in RADIUS (EAP-Message attributes) and relayed to the authentication server unchanged, so the credential exchange runs end to end between the client and the server. To use this mechanism, the RADIUS server must support EAP.

Authentication Type

Port Based: After one client connected to the port is authenticated successfully, other clients can access the network via the same port without authentication. Use this mode only where a single device sits behind the port; with a hub or an unmanaged switch downstream, every device on it rides on the first authentication.

MAC Based: Clients connected to the port are authenticated individually. The RADIUS server distinguishes clients by their MAC addresses.

VLAN Assignment

MAB

MAB (MAC Authentication Bypass) lets devices that have no 802.1X supplicant, such as printers and IP phones, be authenticated by their MAC address against the RADIUS server instead of by EAP.

Select the ports on which to enable 802.1X authentication or MAB. To enable 802.1X authentication, click an unselected port; 802.1X-enabled ports are marked with an icon. To enable MAB, click a port that is already marked as 802.1X-enabled: MAB can be enabled only on 802.1X-enabled ports, and MAB-enabled ports are marked with a second icon.

Note:

• Do not enable 802.1X authentication on switch ports that connect to network devices without 802.1X capability, such as the router and the APs; those devices cannot authenticate, so the port would block their traffic.

• The switch authenticates wired clients connected to a port with 802.1X enabled, and the gateway authenticates wired clients connected to a network with Portal configured. When both are configured, wired clients must pass both 802.1X and Portal authentication to access the internet.

4. 9. 3 MAC-Based Authentication

Overview

MAC-Based Authentication allows or denies clients access to wireless networks based on their MAC addresses. In this method, the controller uses the wireless clients' MAC addresses as their usernames and passwords for authentication. The RADIUS server authenticates the MAC addresses against its database of allowed MAC addresses. Clients can access the wireless networks configured with MAC-Based Authentication after passing authentication. A MAC address is visible in every frame and easily cloned, so this method identifies a device rather than a person and should not be the only control on a sensitive network.

Note:

Both MAC-Based Authentication and Portal authentication can authenticate wireless clients. If both are configured on a wireless network, a wireless client needs to pass MAC-Based Authentication first and then Portal authentication for internet access. You can enable MAC-Based Authentication Fallback to let clients bypass MAC-Based Authentication, which means the client needs to pass only one of the two: it tries MAC-Based Authentication first and, if that fails, is allowed to try Portal authentication.

1. Go to Settings > Authentication > MAC-Based Authentication . Click the toggle to enable MAC-Based Authentication.

2. In the Basic Info, select the SSIDs, RADIUS Profile and other required parameters. Refer to the following table to configure the required parameters and click Save .

SSID

RADIUS Profile

Select a RADIUS profile from the drop-down list, or create one. The RADIUS profile records the information of the RADIUS server which acts as the authentication server during MAC-Based Authentication.

MAC-Based Authentication Fallback

MAC Address Format

Empty Password

4. 9. 4 RADIUS Profile

Overview

RADIUS (Remote Authentication Dial In User Service) is a client/server protocol that provides for the AAA (Authentication, Authorization, and Accounting) needs in modern IT environments.

In authentication services including 802.1X, Portal and MAC-Based Authentication, Omada devices operate as RADIUS clients that pass user information to the designated RADIUS servers. A RADIUS server maintains a database of the identity information of authorized users. It authenticates users against that database when they request network access, and provides authorization and accounting for them.

A RADIUS profile records your custom settings of a RADIUS server. After creating a RADIUS profile, you can apply it to multiple authentication policies like Portal and 802.1X, saving you from repeatedly entering the same information.

1. Go to Settings > Authentication > RADIUS Profile . Click the create button to load the following page.

2. Enter the information of the RADIUS servers. Refer to the following table to configure the required parameters and click Save .

Name

VLAN Assignment

Note:

1. VLAN Assignment is not currently supported when a client is authenticated by Portal with External RADIUS Server or RADIUS Hotspot.

2. VLAN Assignment is applicable only when the device supports the feature. To make this feature work properly, it is recommended to upgrade your devices to the latest firmware version.

Authentication Server IP

Authentication Port

Authentication Password

RADIUS Accounting

Interim Update

Interim Update Interval

Accounting Server IP

Accounting Port

Accounting Password
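The RADIUS exchange behind MAC-Based Authentication (4. 9. 3), and equally behind the PAP option of 802.1X and the Authentication Password of a RADIUS profile, is small enough to build by hand. The following Python program is an added example, not code from the controller or from any RADIUS server: it constructs an RFC 2865 Access-Request the way an AP would for MAC-Based Authentication (the client MAC in the configured MAC Address Format as User-Name, and the same MAC or an empty string as User-Password), hides the password with the shared secret as RFC 2865 section 5.2 specifies, answers on the server side with a VLAN assignment taken from a constructed allow-list (RFC 2868 Tunnel-* attributes), and verifies the Response Authenticator on the way back. The shared secret, MAC list, NAS identifier, VLAN numbers and the three format names are constructed sample data.

```python
"""RFC 2865 Access-Request/Access-Accept exchange, both sides, for MAC-Based Authentication.
Added example with constructed data: SECRET, ALLOWED_MACS, NAS ID and VLAN ids are not from the guide."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CALLING_STATION_ID, NAS_IDENTIFIER = 1, 2, 31, 32
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81   # RFC 2868
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6


def format_mac(mac, style):
    """The 'MAC Address Format' setting: the server must store the MAC in exactly this form."""
    digits = "".join(ch for ch in mac if ch not in ":-.").lower()
    pairs = [digits[i:i + 2] for i in range(0, 12, 2)]
    return {"lower-colon": ":".join(pairs), "upper-hyphen": "-".join(p.upper() for p in pairs),
            "bare": digits}[style]


def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: pad to 16-byte blocks and XOR each block with MD5(secret + previous block),
    seeded with the Request Authenticator. Obfuscation keyed on the shared secret, not encryption."""
    data = password.encode() or b"\x00" * 16            # 'Empty Password' still yields one block
    data += b"\x00" * (-len(data) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        prev = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode(errors="replace")   # wrong secret -> garbage, never a crash


def encode_attrs(attrs):
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)


def parse_packet(packet):
    """Returns (code, identifier, authenticator, [(type, value), ...]); rejects malformed lengths."""
    code, ident, length = struct.unpack(">BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, data = [], packet[20:]
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return code, ident, packet[4:20], attrs


def nas_access_request(client_mac, nas_id, secret, mac_format="lower-colon", empty_password=False, ident=0):
    """What the AP sends: MAC as User-Name and (unless 'Empty Password') as User-Password."""
    username = format_mac(client_mac, mac_format)
    request_auth = os.urandom(16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password("" if empty_password else username, secret, request_auth)),
             (CALLING_STATION_ID, format_mac(client_mac, "upper-hyphen").encode()),
             (NAS_IDENTIFIER, nas_id.encode())]
    body = encode_attrs(attrs)
    return struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def server_handle(packet, secret, allowed_macs):
    """What the server does: recover the password, check it, look the MAC up (allowed_macs maps
    username -> VLAN id or None) and reply. ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    code, ident, request_auth, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    fields = dict(attrs)
    username = fields[USER_NAME].decode(errors="replace")
    password = reveal_password(fields[USER_PASSWORD], secret, request_auth)
    accepted = username in allowed_macs and password in ("", username)
    reply_attrs = []
    if accepted and allowed_macs[username] is not None:           # VLAN Assignment
        reply_attrs = [(TUNNEL_TYPE, struct.pack(">I", TUNNEL_TYPE_VLAN)),        # tag 0 + value
                       (TUNNEL_MEDIUM_TYPE, struct.pack(">I", TUNNEL_MEDIUM_IEEE802)),
                       (TUNNEL_PRIVATE_GROUP_ID, str(allowed_macs[username]).encode())]
    body = encode_attrs(reply_attrs)
    header = struct.pack(">BBH", ACCESS_ACCEPT if accepted else ACCESS_REJECT, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def nas_check_reply(request, reply, secret):
    """The AP must verify the Response Authenticator before trusting the verdict; otherwise anyone
    who can spoof the server's UDP source can hand out Access-Accept. Returns (accepted, vlan)."""
    _, req_ident, request_auth, _ = parse_packet(request)
    code, ident, response_auth, attrs = parse_packet(reply)
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    if ident != req_ident or not hmac.compare_digest(expected, response_auth):
        raise ValueError("reply failed the authenticator check (wrong secret or spoofed reply)")
    fields = dict(attrs)
    vlan = int(fields[TUNNEL_PRIVATE_GROUP_ID]) if TUNNEL_PRIVATE_GROUP_ID in fields else None
    return code == ACCESS_ACCEPT, vlan


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"                       # the profile's Authentication Password
    ALLOWED_MACS = {"aa:bb:cc:dd:ee:01": 20, "aa:bb:cc:dd:ee:02": None}   # username -> VLAN
    req = nas_access_request("AA-BB-CC-DD-EE-01", "omada-ap-lobby", SECRET)
    print(nas_check_reply(req, server_handle(req, SECRET, ALLOWED_MACS), SECRET))   # (True, 20)
```

Two points the exchange makes concrete: the MAC Address Format must match the form stored on the server byte for byte, otherwise every client is rejected, and the User-Password hiding is an MD5-based XOR keyed on the shared secret rather than encryption, so the strength of the shared secret and the trustworthiness of the path between the AP or switch and the server are what protect these credentials.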

4. 10 Services

Services provide convenient network services and facilitate network management. You can configure servers or terminals in DDNS, SNMP, UPnP, and SSH, schedule the devices in Reboot Schedule and PoE Schedule, and export the running logs in Export Data.

4. 10. 1 Dynamic DNS

The WAN IP address of your gateway can change periodically because your ISP typically assigns it by DHCP or a similar mechanism. Dynamic DNS addresses this by keeping a fixed domain name pointed at the current WAN address of your gateway, so remote users can reach your local network through the WAN port by name.

Let’s illustrate how Dynamic DNS works with the following figures.

Go to Settings > Services > Dynamic DNS . Click + Create New Dynamic DNS Entry , to load the following page. Configure the parameters and click Create .

Service Provider

Status

Interface

Username

Enter the username of your account with the service provider. If you do not have an account yet, click Go To Register .

Password

Domain Name

Update Interval

4. 10. 2 SNMP

SNMP (Simple Network Management Protocol) provides a convenient and flexible method for you to configure and monitor network devices. Once you set up SNMP for the devices, you can centrally manage them with an NMS (Network Management Station).

The controller supports multiple SNMP versions including SNMPv1, SNMPv2c and SNMPv3. SNMPv1 and SNMPv2c authenticate with a community string sent in clear text, so anyone who can capture the traffic can reuse it; prefer SNMPv3 with a strong password, and restrict which stations may poll the devices.

Note:

If you use an NMS to manage devices which are managed by the controller, you can only read but not write SNMP objects.

Go to Settings > Services > SNMP and configure the parameters. Then click Apply .

SNMPv1 & SNMPv2c

Community String

SNMPv3

Username

Password

4. 10. 3 UPnP

UPnP (Universal Plug and Play) is used by applications such as multiplayer gaming, peer-to-peer connections, real-time communication (VoIP, conference calls) and remote assistance. With UPnP, these applications open the ports they need on the gateway themselves, so their traffic passes the gateway without manual port forwarding. Because any host on an enabled network can request a port mapping without authentication, enable UPnP only on the networks that need it and review the mappings it creates.

Go to Settings > Services > UPnP . Enable UPnP globally and configure the parameters. Then click Apply .

Interface

Networks

4. 10. 4 SSH

SSH (Secure Shell) provides a method for you to securely configure and monitor network devices via a command-line user interface on your SSH terminal.

Note:

If you use an SSH terminal to manage devices which are managed by the controller, you can only get the User privilege.

Go to Settings > Services > SSH . Enable SSH Login globally and configure the parameters. Then click Apply .

SSH Server Port

Layer 3 Accessibility

4. 10. 5 Reboot Schedule

Reboot Schedule can make your devices reboot periodically according to your needs. You can configure Reboot Schedule flexibly by creating multiple Reboot Schedule entries.

1. Go to Settings > Services > Reboot Schedule . Click + Create New Reboot Schedule to load the following page and configure the parameters.

Name

Status

Occurrence

Devices List

2. Click Create . The new Reboot Schedule entry is added to the table. Click the icons in the Action column to edit or delete the entry.

4. 10. 6 PoE Schedule

PoE Schedule can make PoE devices which are connected to your PoE switches power on and work only in the specific time period as you desire. You can configure PoE Schedule flexibly by creating multiple PoE Schedule entries.

1. Go to Settings > Services > PoE Schedule . Click + Create New PoE Schedule to load the following page and configure the parameters.

Name

Status

Time Range

Select a time range from the drop-down list of Time Range, or click + Create New Time Range Entry to create one. For details, refer to Profiles .

Devices List

2. Click Create . The new PoE Schedule entry is added to the table. Click the icons in the Action column to edit or delete the entry.

4. 10. 7 Export Data

You can export data to monitor or debug your devices.

Go to Settings > Services > Export Data . Select the type of data from the export list and click Export .

Export List

Device List : Export the list of managed devices.

Client List : Export the list of all clients that are connected to the networks.

Insight-Rogue AP List : Export the list of the rogue APs scanned before. For detailed information, refer to 8. 4. 9 Rogue APs .

Log List : Export the list of the logs generated by the controller.

Authorized Client List : Export the list of authorized clients.

Voucher Codes : Export the list of the voucher codes.

Running Log : Export the day-to-day running log of the controller.

Mode

All Columns : Export the data list that contains all columns.

Current Display Columns : Export the data list that contains only the displayed columns currently.

Format
