WiFi / Local Networks
This section is used to configure the settings for networks created by your router (LAN). Note that changes made in this section may also need to be duplicated on wireless devices that you want to connect to your wireless network.
For example, if you change a wireless LAN’s IP address, devices within that network will lose connection. They will have to reconnect to the network.
The user can set up multiple networks on the router, each with its own unique configuration and its own selection of interfaces. Each local network can be attached to any of the following types of interfaces:
For example, one network might be just an isolated WiFi hotspot for guests, while another might be the main network with administrative access, an Ethernet port, a password-protected WiFi SSID, and a VLAN interface.
Local IP Networks
Local IP Networks displays the following information for each network:
- Network Name and IP address/Netmask (along the top bar)
- Enabled: Yes/No
- Multicast Proxy (Enabled/Disabled)
- DHCP Server (Enabled/Disabled)
- Schedule (Enabled/Disabled – See the Schedule tab in the Local Network Editor)
- VRRP Failover State (Disabled, Backup, or Master)
- IPv4 Routing Mode (NAT, Standard, IP Passthrough, Hotspot, Disabled)
- IPv6 Addressing Mode (SLAAC Only, SLAAC with DHCP, Disable SLAAC and DHCP)
- Access Control (Admin Access, UPnP Gateway, LAN Isolation)
- Attached Interfaces (Ethernet ports, WiFi, VLAN)
Click Add to configure a new network, or select an existing network and click Edit to view configuration options.
Local Network Editor
Click Add or select a network and click Edit to open the Local Network Editor to make configure a LAN. The Local Network Editor contains the following tabs: General Settings, IPv4 Settings, IPv6 Settings, Interfaces, Access Control, IPv4 DHCP, IPv6 Addressing, Multicast Proxy, Schedule, VRRP, STP, and Wired 802.1X.
Enabled: Click to manually disable a network. Also, some settings could cause a network to be automatically disabled: click here to re-enable the network.
Name: This primarily helps to identify this network during other administration tasks.
Hostname: [Default: cp (for CradlePoint)] The hostname is the DNS name associated with the router's local area network IP address.
NOTE: You can access the router’s administration pages by typing the hostname into your browser, so if you change “cp” to another hostname, you can access the administration pages through the new hostname.
IP Address: This is the address used by the router for local area network communication. Changes to this parameter may require a restart to computers on this network.
Each network must have a distinct IP address. Most users will want an address from one of the following private IP ranges:
- 10.0.0.1 - 10.255.255.1
- 172.16.0.1 - 172.31.255.1
- 192.168.0.1 - 192.168.255.1
NOTE: The final number does not have to be 1, but it is a simple, logical convention for routers that leaves higher numbers free for other devices.
Netmask: (Default: 255.255.255.0) The netmask controls how many IP addresses can be used in this network. The default value allows for 254 IP addresses.
IPv4 Routing Mode: (Default: NAT) Each network can use a unique routing mode to connect to the Internet and other local networks. NAT is desirable for most configurations. Select from the following options in the dropdown list:
- NAT: Network Address Translation hides private IP addresses behind the router's IP address. This is the simplest and most common choice for users, because NAT does the translation work for you.
- Standard: NAT-less routing. If you select Standard, you must separately configure your IP addresses so that they will be publically accessible. Typically you will not select this option unless you have a specific reason to bypass NAT.
- IP Passthrough: IP Passthrough passes the IP address given by a cellular modem (WAN) through the router to Ethernet (LAN). All Ethernet ports must be in LAN mode (or disabled) and Hotspot, VPN, and GRE must be disabled. Any wireless interfaces must be removed from this network in order to enable IP Passthrough. The easiest way to enable IP Passthrough mode is with the IP Passthrough Setup Wizard (see Getting Started → IP Passthrough Setup).
- Hotspot: Provide Hotspot Services on this network, requiring Terms of Service or RADIUS/UAM authentication before WAN access will occur on both wireless and wired LAN connections. To enable a Hotspot you must also configure your Hotspot settings under System Settings → Hotspot Services.
- Disabled: Disable this network.
IPv6 must be enabled through the WAN initially: go to Internet → Connection Manager to enable IPv6.
IPv6 Address Source: By default, this is set to Delegated, which means the IPv6 address range for the LAN is passed through from the WAN side. Change this to Static to input your own IPv6 address range here, or select None to explicitly disable IPv6 LAN connectivity.
Select network interfaces to attach to this network. Choose from WiFi, Ethernet ports, and VLAN interfaces. Double-click on any of the interfaces shown on the left in the Available section to move them to the Selected section on the right (or highlight an interface and click the “+” button). To deselect an interface, double-click on an interface in the Selected section (or highlight the interface and click the “–“ button).
If you want more interface options, you must configure additional WiFi, Ethernet ports, and VLAN interfaces separately. See the Local Network Interfaces section below (on this same administration page: Network Settings → WiFi / Local Networks).
Tune the access control settings of this network to match the intended use. Simply select or deselect any of the following:
- LAN Isolation: When checked, this network will NOT be allowed to communicate with other local networks.
- UPnP Gateway: Select the UPnP (Universal Plug and Play) option if you want to enable the UPnP Gateway service for computers on this network.
- Admin Access: When enabled, users may access these administration pages on this network.
Changing settings for the IPv4 DHCP server is optional. The default selections are almost always sufficient.
DHCP Server: (Default: Enabled) When the DHCP server is enabled, users of your network will be able to automatically connect to the Internet without any special configuration. It is recommended that you leave this enabled. Disabling the DHCP server is only recommended if you have another DHCP server on your network and it is configured properly.
Range Start and Range End: These designate the range of values in the reserved pool of IP addresses for the DHCP server. Values within this range will be given to any DHCP enabled computers on your network. The default values are almost always sufficient (default: 72 to 200, as in 192.168.0.72 to 192.168.0.200).
Example: The router uses an IP address of 192.168.0.1 for its primary network by default. A computer designated as a Web server has a static IP address of 192.168.0.3. Another computer is designated as an FTP server with a static IP address of 192.168.0.4. The starting IP address for the DHCP server needs to be 192.168.0.5 or higher.
Lease Time: [Default: 720 minutes (12 hours)] The lease time specifies how long DHCP-enabled computers will wait before requesting a new DHCP lease. Smaller values are better suited to busy environments.
Custom Options: Input a custom DHCP option by first clicking the Custom Options field to enable it and then clicking “Add” at the top of the table that appears. There are close to 200 possible DHCP options available. One of the more common uses is to assign a VoIP phone server using option 66 (Server name).
- Option: Select an option from the dropdown list or manually enter the number of an option. A complete list of options is available from IANA.
- Value: Generally this field should be a string, IP address, or numeric value. Some fields can accept both IP addresses and hostnames – in these cases you may need to wrap this value in quotes. For example, option 66 (Server name) requires quotes around IP addresses.
DHCP Relay: DHCP Relay communicates with a DHCP server and acts as a proxy for DHCP broadcast messages that must be routed to remote segments. This is accomplished by converting broadcast DHCP messages to unicast messages to communicate between clients and servers.
DHCP Server Address: An optional DHCP server address if more than one DHCP server is located on the network. This field is only available when DHCP Relay is enabled.
Address Configuration Mode: Select from the following dropdown options:
- SLAAC Only – SLAAC stands for stateless address autoconfiguration. The router regularly generates a router advertisement that includes network prefix and routing information, allowing clients to autogenerate an address and start communicating on the network. Clients utilize neighbor discovery protocols to ensure multiple clients on the subnet have not chosen an identical address.
- SLAAC with DHCP – (Default) IPv6 DHCP provides an additional client configuration method and is regularly combined with SLAAC to provide DNS servers (a shortcoming in the original SLAAC specification) and additional options not supported by SLAAC. By defaulting to SLAAC with DHCPv6, all IPv6-capable clients on the network should be configurable with IPv6 connectivity.
- DHCP Range Start: The beginning of the range that will be used for IPV6 DHCP addresses. The IPv6 range will always start at 1.
- DHCP Range End: The ending IP address in the DHCP Server range is the end of the reserved pool of IP addresses that will be given to any DHCP-enabled computers on your network.
- IPv6 DHCP Lease Time: This specifies how long DHCP-enabled computers will wait before requesting a new DHCP lease.
- Disable SLAAC and DHCP – Disable both IPv6 address configuration modes.
IGMP (Internet Group Management Protocol) multicast proxy allows a single packet to reroute to multiple destinations (see the Wikipedia explanation of multicast). This may be used for IPTV, for example.
Multicast Proxy: Select to enable IGMP proxy support to allow multicast streams to flow across this network.
Quick Leave Mode: Disable quick leave mode if it's vital that the daemon should act exactly as a real multicast client on the upstream interface. However, disabling this function increases the risk of bandwidth saturation.
By default, enabling multicast proxy enables a multicast connection with devices within the LAN. In rare cases, additional IP address ranges need access to the multicast streams. Click Add and input the IP Address and Netmask for an additional IP address range.
Set up a schedule for this network interface. This allows an interface to be enabled or disabled during specific hours of a day. For example, use this to limit a Hotspot network to business hours.
Schedule Service: (Default: Disabled.) Select to enable. This will open a configurable chart for setting the schedule.
Each hour of the week is represented by a black or gray square. Black represents disabled, while gray represents enabled. Hover over a square to reveal the hour it represents. Click on the squares to toggle between black and gray.
In the example shown, the network is enabled from 8-5 on Monday through Friday, but disabled at all other times.
NOTE: VRRP requires a feature license. Go to System Settings → Feature Licenses to enable this feature.
VRRP (Virtual Router Redundancy Protocol) allows you to associate multiple routers with one LAN so that if the primary physical router fails, the LAN will keep the same settings via the virtual router.
Enable VRRP: Select to enable VRRP configuration options.
Virtual Router IP: IP address of the virtual router. This must be distinct from the IP address of any physical router associated with the virtual router.
Virtual Router ID: Identifying number of the virtual router. (Range: 1-255)
Router Priority: Failover priority level of this physical router. The physical router with the highest priority number will have primary ownership of the virtual router. (Range: 1-254)
WAN Fault Priority: This optional value sets the failover priority of this router when no WAN connection is available. If the value matches the normal router priority, WAN connection state will not be considered. If the value is empty (the default), the router will always give up ownership of the virtual IP and let a new master take over when no WAN connection is available.
Advertisement Interval: Sets the amount of time (in seconds) between VRRP advertisements, which communicate the router status. The default of 1 second is standard.
Initial Virtual Router State: This controls the initial VRRP failover state for this physical router: choose Master or Backup. This sets up the virtual router association more quickly than the Router Priority level, but the Router Priority assignment will eventually overrule this if there is a discrepancy.
Authentication: VRRP Authentication Method. This is for legacy purposes: VRRP Authentication has been deprecated as of RFC 3768. Select None or Simple. If you select Simple, input a VRRP group password.
Provide Virtual IP in DHCP leases: Select this to automatically set the DHCP default gateway address and DNS server address to the virtual IP in DHCP leases provided on this network.
NOTE: STP requires a feature license. Go to System Settings → Feature Licenses to enable this feature.
Spanning Tree Protocol (STP) allows a network design to include redundant paths while preventing broadcast radiation from bridge loops.
Enable STP: Enable Spanning Tree Protocol loop detection.
Bridge Priority: Set the priority of the bridge. When determining the root bridge of the spanning tree topology, the bridge priority is compared first. The bridge with the lowest priority value will win. If you want this router to be the root bridge, then set it to a value less than the default of 32768. A valid priority value is between 0 and 65535.
Wired 802.1X: (requires hardware version 2.0) This allows you to configure an authentication server that will accept authentication requests from devices attached to wired Ethernet ports. IEEE 802.1X defines the encapsulations of the Extensible Authentication Protocol (EAP).
Click Enable 802.1X to require IEEE 802.1X authorization for the Ethernet ports associated with this network.
Reauthentication Period: EAP re-authentication period in seconds.
- Auth Server IP Address: This is the IP address of the connected RADIUS server.
- Auth Server MAC Address: This is the hardware address of the connected RADIUS server’s interface. NOTE: If you don’t know the MAC address for the RADIUS server, enter 00:00:00:00:00:00 and the service will try to find the MAC address from the given IP address.
- Port: 1812 is common for the authentication port.
- Password: Assigned by the RADIUS server.
Accounting settings: Most of the accounting settings often match the authentication settings, depending on whether the RADIUS server is the same for both authentication and accounting.
- Acct Server IP Address
- Acct Server MAC Address
- Port: 1813 is common for the accounting port.
Local Network Interfaces
Each LAN type – WiFi, Ethernet, and VLAN – has a separate section with configuration options. Unless the default configuration is sufficient, YOU MUST CONFIGURE EACH INTERFACE SEPARATELY in order to create the desired interface options for a network. You can then select these interfaces to add to a network in the Local Network Editor (see above).
Select from the following tabs:
- WiFi Radio #1 Settings (2.4 GHz)
- WiFi Radio #2 Settings (5 GHz)
- Ethernet Port Configuration
- VLAN Interfaces
Wireless (WiFi) Network Settings
Each wireless radio (2.4 GHz and 5 GHz) can broadcast as many as four SSIDs (service set identifiers – the names for WiFi networks). One primary WiFi network is enabled by default, while you may have enabled a second guest network when using the First Time Setup Wizard. You have the ability to change the settings for either of these networks and/or enable additional networks.
Wireless Radio: Enable/Disable. (Default: Enabled). Leave enabled unless you don’t want any WiFi networks broadcast from your router.
Select a WiFi network and click Edit to change the settings.
Wireless Network Editor
WiFi Name (SSID): When users browse for available wireless networks, this is the name that they will see. This name is referred to as the SSID (service set identifier). For security purposes, CradlePoint highly recommends that you change this from the pre-configured name.
Hidden: This shows whether the router broadcasts its SSID. It is somewhat harder for hackers to find and attack a router that is not broadcasting its SSID, which adds to the wireless security, but it is also more difficult for friendly users to attach to a WiFi network with a hidden SSID.
Isolate: Select this to isolate all wireless clients so they cannot directly communicate with each other on the wireless network.
WMM: WiFi Multimedia. This is a basic traffic shaping, or QoS (quality of service), system for the network. WMM works behind the scenes to set priorities for different types of traffic on your network. For example, video streams are given higher priority than print jobs, since video streams need consistent throughput.
Enabled: Whether the network is available.
Security Mode: You have several options for selecting a security mode. The mode you choose depends on the security features your wireless adapters support.
- WPA2 Personal
- WPA / WPA2 Personal
- WPA Personal
- WPA2 Enterprise
- WPA / WPA2 Enterprise
- WPA Enterprise
- WEP Auto
Select “Open” to create a hotspot: otherwise select the best security that your devices will support (CradlePoint recommends WPA2).
Depending on which Security Mode you select, there are different setup options.
- “Personal” security modes require passwords.
- “Enterprise” security modes are linked to a RADIUS server and require RADIUS authentication: IP, Port, and Shared Key (Secondary IP and NAS ID optional).
- “WPA2” (Personal or Enterprise) forces AES as the WPA Cipher.
- “WPA/WPA2” and “WPA” (Personal or Enterprise) allow AES, TKIP/AES, and TKIP.
- “WEP Auto” requires a WEP Key.
- “Open” has no password or other security measures.
NOTE: If you don’t know whether you should choose Personal or Enterprise, assume Personal since you need to know RADIUS authentication for Enterprise.
In order to protect your network from hackers and unauthorized users, CradlePoint highly recommends WPA2/AES for security if your attached devices can support it. WEP and WPA/TKIP are obsolete and have been replaced by WPA/AES. Using those security settings will cause the WiFi to limit to 802.11g modes.
NOTE: If you select one of the security modes and are unable to connect to the router afterwards, you can use the reset buttons to reset the router to its factory default state and try a different security mode instead.
Ethernet Port Configuration
Ethernet Port Configuration provides controls for your router’s Ethernet ports. There are five total ports: by default, one WAN port and four numbered LAN ports. While default settings will be sufficient in most circumstances, you have the ability to control: Mode (WAN or LAN) and Link Speed. Additional controls for WAN ports are available in Internet → Ethernet Settings.
Mode: WAN or LAN. By default there are four LAN (Local Area Network) ports and one WAN (Wide Area Network) port.
- Internet (WAN) is used as a possible source of Internet for the router.
- Local Network (LAN) is for connecting a computer or similar device directly to the router with an Ethernet cable.
Link Speed: Default setting is Auto. The Auto setting is preferred in most cases.
- 10Mbps - Half Duplex
- 10Mbps - Full Duplex
- 100Mbps - Half Duplex
- 100Mbps - Full Duplex
- 1000Mbps - Full Duplex
Ethernet Port Group Editor
A Port Group represents a logical grouping of Ethernet ports. Any computers physically connected to ports in a group will be allowed to freely communicate with each other. For example, if you keep the four default LAN ports, you might group ports 1 and 2 together to be part of your primary network, and then group ports 3 and 4 together to be part of a guest network.
NOTE: When a port group uses the LAN mode you must separately ensure that this logical interface is attached to a Local IP Network in the top panel of this page.
Port Group ID: The Group ID field provides a reference to this grouping of ports to be used in other parts of the router configuration. For example, this ID is referenced in the Local IP Networks configuration to attach this logical group of Ethernet ports with a network configuration. Use a simple short text phrase to describe this group, such as "main", "guestports", "backup_wan", etc. This must be unique.
Select one or more ports to create a port group that you can subsequently attach to a network in the Local Network Editor. Double-click on any of the Ethernet ports shown on the left in the Available section to move them to the Selected section on the right (or highlight a port and click the + button). To deselect an Ethernet port, double-click on an interface in the Selected section (or highlight the port and click the – button).
A virtual local area network, or VLAN, functions as any other physical LAN, but it enables computers and other devices to be grouped together even if they are not physically attached to the same network switch.
To enable a VLAN, select a VID (virtual LAN ID) and a group of Ethernet ports through which users can access the VLAN. Then go back up to the Local Network Editor to attach your new VLAN to a network. To use a VLAN, the VID must be shared with another router or similar device so that multiple physical networks have access to the one virtual network.
Click Add to create a new VLAN interface.
VID: An integer value that is the Virtual LAN ID.
Ethernet Group: Select the LAN port(s) with which you want to associate the VLAN ID from a dropdown list. Your Ethernet group must be created separately under Ethernet Port Configuration.
Click Submit to save your configured VLAN.
WiFi Settings (Advanced)
When you select either of the WiFi tabs (2.4 GHz or 5 GHz) in the Local Network Interfaces section, you have several additional options for configuring your wireless LANs under the WiFi Settings heading.
Channel Selection Method: This controls how a WiFi channel is selected.
- User Selection – Manually set the channel.
- Random Selection – The router randomly sets the channel.
- Smart Selection (Default) – Scans to determine the lowest interference WiFi channel.
Channel Selection Schedule: When using the "Smart" channel selection, this controls whether the router will periodically rescan for a better channel and change to it. Select from “Once,” “Daily,” “Weekly,” or “Monthly.” Note that there may be a momentary WiFi disconnection while the channel changes.
Optimize WiFi/WiMAX coexistence: (Shows if Smart Selection or Random Selection is chosen and the WiFi band is 2.4 GHz.) Setting this will lessen any possible conflict with WiFi in the 2.4 GHz band and an attached WiMAX modem. If a WiMAX modem is attached to the router when the WiFi is enabled, the WiFi channel and transmit power will be set to levels that optimize the performance of the WiMAX modem. If no WiMAX modem is attached, then default channel and power settings will be used even if this is selected.
Channel: (Shows if User Selection is selected.) The WiFi channel corresponds to a frequency the router uses to communicate with other devices. For 2.4 GHz, the range is 1 to 11, and 1, 6, and 11 do not overlap each other. If a WiMAX modem is attached, a higher number channel will increase the chance the router's WiFi and modem's WiMAX radios will conflict with each other, which may result in lower throughput. Select a channel from the dropdown list:
- 1 (2412 MHz)
- 2 (2417 MHz)
- 3 (2422 MHz)
- 4 (2427 MHz)
- 5 (2432 MHz)
- 6 (2437 MHz)
- 7 (2442 MHz)
- 8 (2447 MHz)
- 9 (2452 MHz)
- 10 (2457 MHz)
- 11 (2462 MHz)
For 5.0 GHz, the ranges are 36 to 64 and 149 to 165. These channels do not interfere with a WiMAX modem.
- 36 (5180 MHz)
- 40 (5200 MHz)
- 44 (5220 MHz)
- 48 (5240 MHz)
- 149 (5745 MHz)
- 153 (5765 MHz)
- 157 (5785 MHz)
- 161 (5805 MHz)
- 165 (5825 MHz)
Client Timeout: If the access point is not able to communicate with the client it will disconnect it after this timeout (in seconds).
TX Power: Normally the wireless transmitter operates at 100% power. In some circumstances, however, there might be a need to isolate specific frequencies to a smaller area. By reducing the power of the radio, you can prevent transmissions from reaching beyond your corporate/home office or designated wireless area. RTS Threshold: When an excessive number of wireless packet collisions are occurring, wireless performance can be improved by using the RTS/CTS (Request to Send/Clear to Send) handshake protocol. The wireless transmitter will begin to send RTS frames (and wait for CTS) when data frame size in bytes is greater than the RTS Threshold. This setting should remain at its default value.
Fragmentation Threshold: Wireless frames can be divided into smaller units (fragments) to improve performance in the presence of RF interference and at the limits of RF coverage. Fragmentation will occur when frame size in bytes is greater than the Fragmentation Threshold. This setting should remain at its default value. Setting the Fragmentation value too low may result in poor performance.
DTIM: A DTIM is a countdown informing clients of the next window for listening to broadcast and multicast messages. When the wireless router has buffered broadcast or multicast messages for associated clients, it sends the next DTIM with a DTIM Interval value. Wireless clients detect the beacons and awaken to receive the broadcast and multicast messages. The default value is 1. Valid settings are between 1 and 255.
Beacon: Beacons are packets sent by a wireless router to synchronize wireless devices. Specify a Beacon Period value between 20 and 1000 milliseconds.
WPS: WiFi Protected Setup is a method for easy and secure establishment of a wireless network. It can be used instead of passwords when connecting clients that support WPS.
Short Slot: Slot Time is the period wireless clients use in determining if the channel is free for transmission. Enabling this value allows clients that can utilize a shorter time to do so. Disabling this option forces all clients to use a longer backoff check and thus may reduce network throughput while reducing the number of transmission collisions.
Wireless Mode: Select the WiFi clients the router will be compatible with. Greater compatibility is a tradeoff with better performance. For greatest compatibility with all WiFi devices, select "802.11 a/b/g/n". For best performance, connect with only other 802.11n-compatible devices and select "802.11 n."
- 802.11 b
- 802.11 b/g
- 802.11 a/b/g/n
- 802.11 b/g/n
- 802.11 n
Channel Width: Selects whether the router uses a single 20 MHz channel to send/receive, or uses two adjacent 20 MHz channels to create a 40 MHz channel. Higher performance is possible with the 40 MHz channel. Selecting Auto is generally best. Enabling WiFi as WAN will force 20 MHz only mode.
Extended Channel: When operating in 40 MHz mode the access point will use an extended channel either below or above the current channel. Optimal selection will depend on the channels of other networks in the area.
MCS: 802.11n uses multiple Modulation Coding Schemes to enable higher throughput in various environments. Since clients can dynamically change rates depending on environment, selecting Auto is generally best.
Short GI: Short GI is an optimization for shortening the interval between transmissions. May be incompatible with older clients.
Greenfield Mode: Greenfield mode uses an 802.11n-only preamble to transmit packets that older wireless clients cannot interpret. Use of greenfield mode in a mixed 802.11 environment may result in degraded performance but can improve performance if all devices in the area are 802.11n compatible.
RADIUS Timeout: (Default: 3600 seconds) When using an Enterprise security mode clients will be forced to re-authenticate with the RADIUS server at this interval in seconds. This allows administrators to revoke access so when an attached client’s authentication expires, the client must re-authenticate.
RADIUS Retry: (Default: 60 seconds) When using an Enterprise security mode, if a RADIUS query fails to receive a response from the server it will delay by this interval (in seconds) before attempting another query. This helps protect the network from floods of authentication requests if the RADIUS server is temporarily unreachable.
This article not have what you need? Not find what you were looking for? Think this article can be improved? Please let us know at firstname.lastname@example.org.