Hardware

Protectli Products

Overview

One of the most common and basic network configurations starts with a modem which connects the Internet from an Internet Service Provider (ISP). The modem can be a cable modem, fiber modem, DSL modem or other type, but it will have an Ethernet output. The Ethernet output is connected to a firewall, then the firewall is connected to a switch. It is recommended that the switch handles all local traffic within a subnet, as the Vault’s hardware is not optimized for this.  By doing so will also simplify firewall configuration.

The following diagram depicts a basic configuration for a Small Office/ Home Office (SOHO) network. This article is intended to serve as a general reference explaining how best to incorporate a Protectli Vault that has been configured to act as a firewall using any chosen firewall software such as OPNsense, pfSense, etc. This assumes that the Protectli Vault has been loaded with a fresh installation of the selected OS.

 

Diagram: Basic SOHO Network with Switch

Vault Interface Connections

  • WAN to modem (ISP) Ethernet port
  • LAN to PC being used for configuration, access to OS GUI
  • OPT1 to switch

IP Assignments

  • WAN interface will receive an IP address via DHCP address from the modem
  • LAN interface will have a DHCP server enabled by default, and will be assigned an address of 192.168.1.1. and it will provide an IP address of 192.168.1.X to the PC used for configuration
  • Set the OPT1 IP address to 192.168.2.1, and enable DHCP Server for the interface

Configuration

Note: It is important with this setup to verify that the WAN IP addresses is NOT in the 192.168.1.X or 192.168.2.X range as this would create an IP address subnet conflict between the OS on the Vault and the other network devices.

  • Verify the PC connected to the LAN port receives an IP address in the range of 192.168.1.X
  • Browse from the PC to the installed OS on the Protectli Vault using default IP address of 192.168.1.1
  • Verify the OS GUI is displayed
  • Enable OPT1 and assign an IP address of 192.168.2.1 and enable DHCP Server for OPT1 ( Services > DHCP Server)

Firewall Rules

In order to block unknown and/or unwanted incoming traffic from the Internet and to allow access out to the Internet, the OS has some built in rules for the WAN and LAN ports.

  • WAN: Default rule is to DENY any incoming traffic
  • LAN: Default rule is to ALLOW any incoming or outgoing traffic

In order to allow access out to the Internet for all of the switch connected devices, a rule has to be created for the OPT1 interface that is the same as the default LAN interface rule.

  • OPT1: No default rules. Replicate the LAN ANY to ANY rule to allow traffic through this interface

 

By following the simple network configuration above, the firewall should be able to effectively pass network traffic among all network devices and out to the Internet. Keep in mind that this is intended to document the physical topology and get the firewall up and running as quickly as possible. Refer to documentation pertaining to the specific software that is installed on the Vault in order to customize configuration settings to suit your network needs. Installation guides and more can be found in our Knowledge Base. As always, should you need additional assistance, please feel free to reach out to us using our support page.

Overview

One of the most common and basic network configurations starts with a modem which connects the Internet from an Internet Service Provider (ISP). The modem can be a cable modem, fiber modem, DSL modem or other type, but it will have an Ethernet output. The Ethernet output is connected to a firewall/router, then the firewall/router is connected to a WiFi access point. The following diagram depicts a basic configuration for a Small Office/ Home Office (SOHO) network. This article is intended to serve as a general reference explaining how best to incorporate a Protectli Vault that has been configured to act as a firewall/router using any chosen firewall/routing software such as OPNsense, pfSense, etc. This assumes that the Protectli Vault has been loaded with a fresh installation of the selected OS.

 

Diagram: Basic SOHO Wireless Network

Vault Interface Connections

  • WAN to modem (ISP) Ethernet port
  • LAN to PC being used for configuration, access to OS GUI
  • OPT1 to wireless router

IP Assignments

  • LAN interface will have a DHCP server enabled by default, and will be assigned an address of 192.168.1.1. and it will provide an IP address of 192.168.1.X to the PC used for configuration.
  • Set the OPT1 IP address to 192.168.2.1, and enable DHCP Server for the interface.
  • WAN interface will receive an IP address via DHCP address from the modem.

Configuration

Note: It is important with this setup to verify that the WAN IP addresses is NOT in the 192.168.1.X or 192.168.2.X range as this would create an IP address subnet conflict between the OS on the Vault and the WiFi Router.

  • Verify the PC connected to the LAN port receives an IP address in the range of 192.168.1.X
  • Browse from the PC to the installed OS on the Protectli Vault using default IP address of 192.168.1.1
  • Verify the OS GUI is displayed
  • Enable OPT1 and assign an IP address of 192.168.2.1 and enable DHCP Server for OPT1 ( Services > DHCP Server). Ensure that wireless router is not acting as a DHCP Server for OPT1

 

Firewall Rules

In order to block unknown and/or unwanted incoming traffic from the Internet and to allow access out to the Internet, the OS has some built in rules for the WAN and LAN ports.

  • WAN: Default rule is to DENY any incoming traffic
  • LAN: Default rule is to ALLOW any incoming or outgoing traffic

In order to allow access out to the Internet for all of the WiFi connected devices, a rule has to be created for the OPT1 interface that is the same as the default LAN interface rule.

  • OPT1: No default rules. Replicate the LAN ANY to ANY rule to allow traffic through this interface

 

By following the simple network configuration above, the firewall should be able to effectively pass network traffic among all network devices and out to the Internet. Keep in mind that this is intended to document the physical topology and get the firewall up and running as quickly as possible. Refer to documentation pertaining to the specific software that is installed on the Vault in order to customize configuration settings to suit your network needs. Installation guides and more can be found in our Knowledge Base. As always, should you need additional assistance, please feel free to reach out to us using our support page.

Protectli 4G LTE Modem Firmware

Protectli IDG400 angled

Overview

Protectli offers 2 options for a 4G LTE Modem. The 4G LTE products can be found on the main 4G LTE page. There is an external modem, the IDG400 and an internal modem, the MDG100. The IDG400 can be found on this product page. The MDG100 can be found on this product page. The MDG100 intermal 4G LTE Modem is compatible with all of the Vaults except the FW6 series. Not surprisingly, these units require firmware (FW) to run and occasionally there are FW updates. This document describes how to update the FW and contains a table with the latest FW versions. Note that for the Internal 4G LTE Modem, MDG100, an operating system (OS) must be installed and configured to recognize the internal modem. See the Knowledge Base for specific OS configuration of the MDG100.

Firmware Upgrade Instructions

  • Download the correct FW from the table below to your PC
  • Verify .zip downloads correctly
  • Unzip the file
  • Verify .bin file 
  • Browse to the 4G LTE Modem GUI
  • The External Modem, IDG400 default IP address is 192.168.123.254
  • The Internal Modem, MDG100 default IP address is 172.16.0.1
  • Verify the Login page is displayed
  • Login to the modem. The default user/password is “admin”/”admin”, no quotes
  • Verify the Status page is displayed

 

4G LTE Status

 

 

  • Select Administrator->Manager
  • Verify the Manager page is displayed with the FW Upgrade tab selected

 

4G LTE FW Upgrade Page

 

  • Select Firmware Upgrade Choose File button
  • Select the correct FW file for the modem
  • Verify the file name is displayed

 

4G LTE FW File Upgrade

 

  • Select the Upgrade button
  • Verify the Warning message is displayed

 

4G LTE FW Upgrade Warning

 

 

  • Wait for the process to complete, ~5 minutes
  • Verify the Login page is displayed upon completion of the upgrade
  • Login again
  • Select Administrator->Manager
  • Verify the Manager page is displayed with the FW Upgrade tab selected
  • Verify the Firmware Information field shows the proper FW version and date

At this point the new FW is installed. If you need additional assistance, please feel free to contact us at support@protectli.com.

 

Model

Download Link

Date

IDG400

IDG400 K21 101420

10/14/20

MDG100

IDG400 K21 101420

10/14/20

How to configure OPNsense for the Internal 4G LTE Modem

Protectli offers 4G LTE Modems and service subscription plans. An overview can be found on the main 4G LTE page. One of the options is an internal modem, the MDG100. In order to use the MDG100, an Operating System (OS) must be installed on the Vault and configured to recognize and utilize the 4G LTE Modem. This article describes how to configure OPNsense  to utilize the MDG100 Internal 4G LTE Modem.

Accessories

The Internal 4G LTE Modem, MDG100, includes micro coax cables and antennas. When the MDG100 is ordered with one of the Vaults, the MDG100 is installed and tested by Protectli at the factory. If the modem has not been installed, install the modem in the proper slot, connect the coax cables and attach the external antennas.

Protectli LTE radio card - MDG100
MDG100 antennas
Protectli LTE - antennas

OPNsense Configuration

To install OPNsense, follow the instruction in this Knowledge Base article.

When complete, verify that the OPNsense Dashboard is displayed

 

Screen Shot OPNsense Dashboard

 

  • Select Interfaces->Assignments
  • Verify the Interfaces:Assigments page is displayed
Screen Shot OPNsense Interfaces-Assignments

 

  • Select the “New interface:” dropdown
  • Verify one of the options is “ue0”, which is the MDG100 Internal 4G LTE Modem
  • Select ueo for the new interface
Screen Shot OPNsense Interfaces-Assignments-ue0

 

  • Add a Description if desired (recommended)
  • Select the “+” button
  • Select the Save button
Screen Shot OPNsense Interfaces-Assignments-ue0-Description

 

  • Verify the new 4GLTE interface is saved

 

Screen Shot OPNsense Interfaces-Assignments-4GLTE

 

  • Select the 4G LTE Interface
  • Verify the 4G LTE interfaces page is displayed
  • Select “Enable Interface” checkbox
  • Verify the configuration menu is expanded
  • Select IPv4 Configuration Type->DHCP
  • Select the Save Button
  • Select the Apply Changes Button
Screen Shot OPNsense Interfaces-4GLTE-Config

 

The Internal 4G LTE Modem is now configured in OPNsense. It should now be possible to browse to  172.16.0.1 which is the default IP address of the MDG100.

  • Open another tab in the same browser or another browser window
  • Browse to  172.16.0.1
  • Verify the MDG100 Internal 4G LTE Modem Login page is displayed
Screen Shot 4G LTE Modem-Login

At this point, the modem has been installed, OPNsense has been installed and configured to recognize and utilize the modem. The modem is ready to be configured and used. As always, if you have questions or issues, please reach out to us at support@protectli.com or find more information in our Knowledge Base.

 

Protectli IDG400 angled

Getting Started with Protectli 4G LTE Modems and Service

Protectli offers 4G LTE Modems and service subscription plans. 4G LTE Service can be used with the Vault as a backup/failover Internet connection in the event the primary WAN service is down or as the primary WAN interface when a wired Internet connection is unavailable. For any business or operation, a 4G LTE failover solution ensures that Internet connectivity is preserved and eliminates potential loss of sales and loss of productivity. Maintaining a constant Internet connection is particularly crucial these days as so many applications and business functions are in the “cloud” and only accessible via the Internet.

Applications

There are various use cases for the Vault with 4G LTE

IoT remote monitoring and control

Temporary connectivity for outdoor markets, sporting events, activities

General backup if primary WAN goes down

Credit card processing for retail as primary or backup WAN

Construction connectivity for site offices and on site video monitoring

Oil, Gas, and Utilities connectivity and monitoring

Protectli 4G LTE Modems and Service

Protectli offers 2 options for a 4G LTE Modem. The 4G LTE products can be found on the main 4G LTE page. There is an external modem, the IDG400 and an internal modem, the MDG100. The IDG400 can be found on this product page. The MDG100 can be found on this product page. The MDG100 intermal 4G LTE Modem is compatible with all of the Vaults except the FW6 series.

Both are Category 4 LTE, which indicates that the maximum downlink speed is 150 Mbps and the maximum uplink speed is 50 Mbps. The actual data throughput will depend on the installation environment and physical placement of the unit and antennas.

Both 4G LTE Modems support all of the cellular services listed on the main 4G LTE page for Verizon, AT&T, and T-Mobile in the US. For deployment outside of the US, consult Protectli sales at sales@protectli.com. 4G LTE cellular service requires a SIM card for operation. The IDG400 requires a 3FF Micro SIM. The MDG100 requires a 4FF Nano SIM. When the 4G LTE Modems are ordered with a service, a SIM is provided with the unit and the service is activated by Protectli. The unit is tested with that service before it ships from the factory.

The 4G LTE Modems can also be ordered without service, using the customer’s SIM. And the 4G LTE service can be ordered without a Protectli 4G LTE Modem, using the customer’s own equipment. Depending on the service ordered or if the customer provides their own SIM or equipment, some configuration may be needed on the 4G LTE Modem. See below.

Accessories and Power

The External 4G LTE Modem, IDG400, comes with antennas, an Ethernet cable, and a USB micro to USB Type A cable. The USB cable is used to provide power to the unit via an external USB connection. The USB power source must be able to provide 5V and 2A. There is an optional USB Power Supply that can be purchased with the 4G LTE Modem.

Protectli LTE - antennas
Protectli IDG400
Protectli IDG400

The Internal 4G LTE Modem, MDG100, includes micro coax cables and antennas. When the MDG100 is ordered with one of the Vaults, the MDG100 is installed and tested by Protectli at the factory.

Protectli LTE radio card - MDG100
MDG100 antennas
Protectli LTE - antennas

4G LTE Modem GUI

Both the IDG400 and MDG100 have a web based GUI. To reach the GUI of the External IDG400 modem, connect the Ethernet cable to a computer. By default the 4G LTE Modem will provide a an IP address to the PC via DHCP. On the PC, browse to 192.168.123.254 to reach the GUI. The default user/password is “admin”/”admin”.

To reach the internal 4G LTE Modem, the unit must be installed in the Vault and an Operating System (OS) must be installed and configured to recognize and use the internal modem. Once installed correctly, connect a PC to the LAN port of the vault. By default, for example with OPNsense or pfSense® CE, the Vault will provide a an IP address to the PC via DHCP, typically 192.168.1.100. On the PC, browse to 172.16.0.1 to reach the GUI of the internal Modem. The default user/password is “admin”/”admin”.

4G LTE Modem Configuration

Assuming the 4G LTE Modem has been properly connected or installed with an OS on the Vault, there are multiple scenarios  and configuration required (or not) depending on the cellular service. If the SIM is activated by Protectli and shipped to the customer site, it has already been properly configured and the 4G LTE service has been verified. However, if the unit is reset or needs to be reconfigured, the configurations are listed below. There are currently 4 possibilities in the US.

  • AT&T Dynamic IP
  • AT&T Static IP
  • Verizon Dynamic IP
  • Verizon Static IP

AT&T Dynamic IP

No configuration is necessary

AT&T Static IP

No configuration is necessary

Verizon Dynamic IP

The Access Point Name (APN) must be set to “Auto”.

  • Browse to the 4G LTE Modem GUI using the procedure above for the specific modem.
  • Select Setup->Network->Cellular->APN
  • Select “Auto”
  • Save
  • Verify the configuration is saved

Verizon Static IP

The Access Point Name (APN) must be set to “so01.vzwstatic” where the “so01” are the letters “s” and “o” and numbers “0” and “1”.

  • Browse to the 4G LTE Modem GUI using the procedure above for the specific modem.
  • Select Setup->Network->Cellular->APN
  • Select “Manual”
  • Set the APN to “so01.vzwstatic”, no quotes
  • Verify the configuration is saved

 

Customer Provided SIM

The Protectli 4G LTE Modems can be purchased without a cellular service. In this case, the customer must provide their own SIM for the desired cellular service. If the customer provides their own SIM for the cellular service, it may require setting the APN manually on the 4G LTE Modem. If the cellular service does not come up automatically, contact your cellular provider for the APN. Follow the instructions above to browse to the 4G LTE Modem GUI and set the APN appropriately for the service.  

Customer Provided 4G LTE Modem

The Protectli 4G LTE cellular service can be purchased without a 4G LTE Modem. In this case, the customer must provide their own 4G LTE Modem.  If the user provides their own 4G LTE Modem and requests Verizon service, Protectli needs to have the International Mobile Equipment Identity (IMEI) of that specific unit. The IMEI uniquely identifies the specific device and includes information regarding the vendor, the model and serial number. Verizon requires the IMEI in order to activate the SIM and provision service. When the customer provides their own 4G LTE Modem, the APN configuration guidelines follow the same instructions as the section above for Protectli provided equipment and SIM.  

Optional Accessories

Protectli provides optional accessories for the 4G LTE Modems.

Antenna-1

Antennas – Optional antennas with a 2 Meter cable and sticky back can be used to place the antennas away from the unit itself in a better location and/or position for reception. The Product SKU is AC-4G-LTE-ANT-1 and contains 2 antennas.

USB Power Adapter - 4G LTE External Modem IDG400

USB Power Brick – An optional USB Power Brick can be used to power the External 4G LTE Modem, IDG400. This is particularly useful if the 4G LTE Modem is located at a distance from the device attached via the Ethernet port.

 

IDG400 Wall Mount Brackets

Wall Brackets – Optional Wall Brackets can be used to mount the External 4G LTE Modem, IDG400, on a wall.    

WiFi on the FW2B

Protectli offers an optional WiFi kit that can be used with the Vault. The Product ID for the WiFi Kit is WAP01K. There is an article that explains how to install the kit into the Vault and how to configure it with some of the supported applications.

The Protectli wireless card supports 802.11 B/G/N in the 2.4 GHz band. However, it is non-standard, in that while it utilizes the PCIe physical form factor, the electrical data communication path is via USB. This is because most of the PCIe “lanes” are used for Ethernet ports. The result is that Protectli doesn’t recommend it for heavy duty WiFi applications.

The FW2B is an exception. Due to the fact that there are only 2 Ethernet ports, more PCIe lanes are available for data communication, so the Fw2B is compatible with many standard PCIe WiFi cards that use the PCIe bus for communication.

WiFi card compatibility also requires driver support in the Operating System (OS) that is deployed in the Vault. Common PCIe WiFi vendors that enjoy wide driver support include Atheros and Intel. This article uses an Atheros PCIe WiFi module with the FW2B as an example of a compatible module.

 

Install the WiFi Kit

The third party WiFi Kits typically contain the same or similar contents as the Protectli WiFi Kit, and they are installed in the same slot of the FW2B. See this Knowledge Base article to install the WiFi Kit into the Vault.

 

HP 495848-003 with Atheros AR5BHB92-H, pfSense® CE

The Hewlett Packard HP 495848-003 with the Atheros AR5BHB92-H chipset is a WiFi kit that has successfully been tested with the FW2B as a WiFi access point with pfSense® CE v2.4.5. The module is available on Amazon at this link. The module was configured for 802.11an in order to use the 5 GHz band and MIMO technology with 802.11n.

pfSense® CE Configuration for WiFi Access Point

There is another Knowledge Base article that describes how to install pfSense® CE on the Vault at this link. The information below is specifically to enable the WiFi card and assumes that the user  has already successfully installed pfSense® CE and the WiFi kit on the FW2B. The example below uses pfSense® CE version 2.4.5 to configure the WiFi interface as an Access Point for 802.11AN. 

  •  Verify that pfSense® CE version 2.4.5  and and the WiFi interface have been installed on the FW2B
  • Browse to the LAN port on the FW2B at 192.168.1.1 in order to access the pfSense® CE Dashboard
  • Verify the login page is displayed
  • Login and verify that the dashboard page is displayed
  • Select Interfaces->Interface Assignments
  • Select Wireless
  • Add the WiFi interface
  • Verify it is “ath0 (Atheros 9280)”
  • Set Mode to “Access Point”
  • Add a Description if desired (optional, recommended)
  • Save
  • Verify ath0_wlan0 with “Access Point” and Description is displayed
  • Return to Interfaces->Interface Assignments
  • Add the WiFi Interface “ath0_wlan0”
  • Edit the WiFi interface by clicking on the name in the left column (OPT1)
  • General Configuration
    • Enable interface
    • Description – Change Description if desired (recommended)
    • IPv4 Configuration Type – Static IPv4
  • Static IPv4 Configuration
    • IPv4 Address – Enter the desired IP address for the WiFi network and the subnet mask, this example uses 192.168.99.1 / 24
  • Common Wireless Configuration
    • Standard – 802.11na
    • Channel 11a/n – 161 (channel may vary, 161 was used for this example)
  • Network-Specific Wireless Configuration
    • Mode – Access Point
    • SSID – Set SSID (case sensitive, this is the ID that other clients will use to connect) “Test99” was used in this example
    • Enable WME
  • WPA
    • Enable WPA
    • WPA Pre-Shared Key – Set key (essentially SSID password, case sensitive, this is the password that other clients will use to connect)
    • WPA Mode – WPA2
  • Save
  • Apply Changes
  • Verify the changes have been applied successfully.

As with any other interface, when using pfSense® CE, Services and Firewall rules must be configured in order to connect and pass traffic on the interface. For this example, DHCP server will be configured for the WiFi interface and all traffic will be allowed to pass. Firewall rules should be edited later for desired security.

  • Go to Services->DHCP Server and select the WiFi interface
  • General Options
    • Enable DHCP serverS
    • Set the DHCP range (192.168.99.10 – 192.168.99.100 in this example)
    • Save
  • Verify the changes have been applied successfully.
  • Go to Firewall->Rules and select the WiFi interface
  • Add a Rule to allow all traffic to pass for this test
    • Action – Pass
    • Protocol – Any
  • Save
  • Apply Changes
  • Verify the changes have been applied successfully.
  • Verify that the WAN port is connected to the Internet
  • Verify that another device, such as a PC or laptop can connect to the WiFi network that was just created using the SSID and password for the WiFi network
  • Verify that the PC can browse out to the Internet

More details regarding WiFi configuration for pfSense® CE can be found at this link.

At this point, the FW2B with pfSense® CE v2.4.5 configured as a WiFi Access Point should be up and running.

As usual, if you have any questions or issues, feel free to contact us at: https://protectli.com/contact/

 

 

 

How to Configure pfSense® CE for 4G LTE Failover

pfSense® CE is an open source routing and firewall software which is based on FreeBSD. It has a variety of packages easily downloaded and configurable within the GUI itself. https://www.pfsense.org/getting-started/ There are multiple articles regarding pfSense® CE on the Protectli Knowledge Base at this link. This article describes how to configure pfSense® CE for 4G LTE Failover using Protectli 4G LTE Products and Service. The example uses pfSense ® CE version 2.4.4-p3. Protectli 4G LTE Products and Services can be found at this link. 4G LTE Failover with the Vault requires at least 3 Ethernet ports, 1 each for WAN, LAN, and OPT1. Therefore a 4 or 6 port version of the Vault is required. In addition, it requires that the Protectli 4G LTE modem has been provisioned and is active on the cellular network. This article assumes the default configuration of pfSense ® CE with the WAN getting an IP address via DHCP and the default LAN static IP address of 192.168.1.1 and is a DHCP server.

Enable Interfaces

By default the WAN interface is configured to receive an IP address via DHCP and the LAN interface has static IP address 192.168.1.1 and is a DHCP server. Only the OPT1 interface needs to be configured.

  • Install pfSense ® CE on the Vault. (See Knowledge Base link if needed)
  • Connect the WAN and LAN ports to the devices or ports that they are normally connected to
  • Connect the OPT1 port to the LAN port of the 4G LTE modem
  • Browse to the pfSense ® CE GUI and login
  • Select Interfaces->Interface Assignments
  • Add OPT1 and select the default Network port (em2 or igb2)
  • Select “OPT1” to configure the port
  • Select General Configuration->Enable->Enable interface check box
  • Select General Configuration->IPv4 Configuration Type->DHCP to get the IP address of OPT1 from the 4G LTE modem
pfSense OPT1 interface
Interfaces->OPT1
  • Select the SAVE button at the bottom of the page
  • Select the APPLY CHANGES button when it appears at the top of the page
  • Select Status->Dashboard and verify that the Dashboard is displayed
  • Select the red “+” sign in the upper right corner of the GUI and enable the “Interfaces” widget
  • Verify the WAN, LAN, and OPT1 interfaces are up with IP addresses in the “Interfaces” widget
  • Select the red “+” sign in the upper right corner of the GUI and enable the “Traffic Graphs” Widget
  • Verify the Traffic Graphs widget is displayed and shows WAN, LAN, and OPT1
dashboard widgets
Dashboard Widgets

At this point the interfaces have been enabled and are active. Now the WAN and OPT1 interfaces need to be configured as Gateways and form a Gateway Group so that they can failover and revert.

Configure Gateways

  • Select System->Routing->Gateways
  • Verify WAN_DHCP is displayed
  • Select Edit Icon
  • Set Edit Gateway->Monitor IP to 8.8.8.8 This is the Google DNS address. pfSense ® CE will monitor this address to determine if this connection is up
pfSense routing gateways
WAN Gateway
  • Select the SAVE button at the bottom of the page
  • Select the APPLY CHANGES button when it appears at the top of the page
  • Select System->Routing->Gateways
  • Select ADD button
  • Add OPT1 Interface
  • Verify the Name is OPT1_DHCP
  • Set Edit Gateway->Monitor IP to 1.1.1.1 This is the Cloudflare DNS address. pfSense ® CE will monitor this address to determine if this connection is up
pfSense routing gateways OPT1_DHCP
OPT1 Gateway
  • Select the SAVE button at the bottom of the page
  • Select the APPLY CHANGES button when it appears at the top of the page

At this point the WAN and OPT1 interfaces have been configured as Gateways. Now they need to be configured as a Gateway Group so that they can operate as a single entity, failover and revert.

Configure Gateway Groups

  • Select System->Routing->Gateway Groups
  • Select ADD button
  • Set Edit Gateway Group Entry->Group Name to “Group_WAN_OPT1” or desired name
  • Set Edit Gateway Group Entry->Gateway Priority->WAN_DHCP->Tier to “Tier 1” (highest priority)
  • Set Edit Gateway Group Entry->Gateway Priority->OPT1_DHCP->Tier to “Tier 5” (lowest priority)
  • Set Edit Gateway Group Entry->Trigger Level to “Member Down” (Failover when link is down)
  • Set Edit Gateway Group Entry->Description if desired
pfSense gateway groups
Gateway Group
  • Select the SAVE button at the bottom of the page
  • Select the APPLY CHANGES button when it appears at the top of the page

At this point interfaces are enabled, Gateways configured and a Gateway Group with WAN and OPT1 has been configured. The last step is to set the LAN Firewall rule to select the Gateway Group as the Gateway, rather than treat WAN and OPT1 as individual interfaces.

Configure LAN Firewall

  • Select Firewall->Rules->LAN
  • Select Edit for “Default allow LAN to any rule”
  • Select ADVANCED button
  • Set Advanced Options->Gateway to “Group_WAN_OPT1” or the name given to the Gateway Group above
pfSense firewall rules
LAN Firewall Group
  • Select the SAVE button at the bottom of the page
  • Select the APPLY CHANGES button when it appears at the top of the page

At this point, everything has been configured. We need to verify the Gateway status.

Verify Gateway Status

  • Select Status->Gateways
  • Verify WAN_DHCP and OPT1_DHCP Gateways are online
pfSense gateway status
Gateway Status

At this point, everything has been configured, gateways are up. We need to verify that the 4G LTE Failover functions as desired.

Verify 4G LTE Failover

The Vault has been configured to failover from WAN port to OPT1 port in the event the WAN port goes down. When the WAN port comes back, traffic should revert back to the WAN port. pfSense® CE monitors the gateway connectivity via the “Monitor IP” address configured earlier to determine whether the connection is “up” or not. “Up” means full connectivity to the Monitor IP address. This means that even if the Ethernet link is up, but the unit cannot ping the Monitor IP address, the Gateway is considered down and will failover to another gateway in the Gateway Group. The detection time and failover is typically on the order of 15-20 seconds because pfSense® CE monitors the connectivity at the system level as opposed to just the Ethernet link level.

The following steps can be used to verify the 4G LTE Failover is working correctly.

  • Generate significant traffic from the LAN port to the Internet, for example, using a PC connected to the LAN port, browse to a web site and play a video
  • Select Dashboard and monitor the Traffic Graphs
  • Verify the WAN and LAN ports have similar high levels of traffic
  • Disconnect the WAN port from the Vault
  • Verify the video continues to play
  • Verify the OPT1 and LAN ports have similar high levels of traffic and the WAN port shows no traffic (as noted, about 15-20 seconds to failover)
  • Reconnect the WAN port to the Vault
  • Verify the video continues to play
  • Verify the WAN and LAN ports have similar high levels of traffic and the OPT1 port shows little traffic (about 15-20 seconds to revert)

At this point, 4G LTE Failover should be up and running on The Vault. However, if you experience any issues, please feel free to reach out to us: You can submit a ticket here, or find more information in our Knowledge Base.

 

UEFI Overview

UEFI is an acronym for Unified Extensible Firmware Interface. It is a specification that defines a new model for the interface between operating systems (OS) and platform firmware. It is a replacement for legacy BIOS. More information may be found on the UEFI Forum website at: https://uefi.org/

Recent updates to some OS software have introduced incompatibility between the default installation of the OS with some of the Vault hardware platforms. Setting the BIOS mode on the Vault to UEFI eliminates some of these issues. The article below will detail how to set the BIOS mode to UEFI.

Changing BIOS mode to UEFI

  • Verify that the Vault is powered down
  • Verify that the monitor is connected
  • Verify that the USB keyboard is connected
  • While powering up the Vault, press “DEL” key
  • Verify that the system boots into the BIOS
BIOS Main Screen
  • Select the “Advanced” tab
BIOS Advanced Tab
  • Select “CSM Configuration”
CSM Screen
  • Select “Boot option filter”
Boot Option Filter Menu
  • Verify the Boot option filter menu is displayed
  • Select “UEFI only”
  • Press Return(Enter)
  • Press “F4” to save and exit the BIOS
  • Power off the Vault

At this point UEFI mode is enabled. See the specific installation guide for the desired OS.

If you experience any issues, please feel free to reach out to: support@protectli.com.

Overview

The “Splash Screen” is the graphical image or logo that is briefly displayed at boot up of the system. The splash screen for the Vault can be customized to enhance the brand awareness of the product and/or solution. Protectli provides a Windows tool that can be used to change the BIOS and customize the splash screen.

Splash Screen File

The splash screen file is a “bitmap” file with an extension of “.bmp” in Windows. The bitmap file used for the splash screen must have maximum dimensions of 800 x 600 and be less than 1.4 MB. If there is already a logo file in “.jpg” or “.png” format, that file can be converted to a bitmap file using the Windows Paint program or other tools.

Verify the Desired Splash Screen File

  • On Windows, right click the desired file
  • Select Properties
  • Verify “Type of File” is BMP file
  • Select the Details tab
  • Verify the Dimensions are 800 x 600 or less
  • Verify the Size is 1.4 MB or less

Convert the Desired Splash Screen File

If the desired file is in JPG or PNG format, it can be converted to Bitmap using the Windows Paint program. This procedure is only necessary if the desired file is not already in Bitmap format.

  • On Windows, right click the desired file
  • Select Edit
  • Verify the Paint program starts and the graphical image is displayed
  • Select File->Save As->Save as type:
  • Verify the dropdown menu that contains these bitmap options is displayed
    • Monochrome Bitmap
    • 16 Color Bitmap
    • 24 Color Bitmap
    • 24-bit Bitmap
  • Select the desired bitmap format
  • Note that the formats listed in the dropdown are in increasing order of quality and increasing order of size
  • Select Save
  • Right click on the newly created bitmap and verify that it is less than 1.4 MB
  • If greater than 1.4 MB, repeat this procedure with a lesser quality bitmap format

Download the BIOS

The BIOS folder for each specific model of the Vault is available at this link. Be very sure when downloading and installing the BIOS that it is the correct BIOS for the specific Vault. Installing incorrect BIOS may result in an inoperable system.

  • Download the BIOS zip file for the model of the Vault from the link above
  • Verify the BIOS zip file is downloaded
  • Unzip the file and verify the BIOS folder is downloaded

Download the BIOS Logo Tool

There are two BIOS logo tools. One is for the FW1, FW2, and FW4 models of the Vault. The other is for the FW6 models of the Vault. The FW1, FW2, and FW4 tool is at this link. The FW6 tool is at this link.

  • Download the BIOS logo tool zip file for the model of the Vault from the link above
  • Verify the proper BIOS logo tool zip file is downloaded
  • Unzip the BIOS logo tool

Use the BIOS Logo Tool to Change the Splash Screen

  • Double click on the BIOS Logo executable file
  • Verify the “Change Logo” application appears on the screen

BIOS logo tool - change splash screen

Change Logo Application

  • Select the “Load Image” button

BIOS logo tool - load image

Load Image Button

  • Verify navigator window is displayed

BIOS logo tool - open

Navigator Window

  • Verify/Select “Files of type:” All Files
  • Navigate to the BIOS folder
  • Select the .bin file
  • Select “Open”

BIOS logo tool - open file

.bin File

  • Verify the .bin file is displayed in the proper folder in the “Aptio Image” Box

BIOS logo tool - change splash logo

Aptio Image Box

  • Select Browse Button

BIOS logo tool - change logo browse

Browse to find Bitmap File

  • Verify the navigator window is displayed
  • Select files of type “BMP Files (*bmp)
  • Navigate to the desired bitmap file
  • Select the .bmp file
  • Select Open
  • Verify the desired bitmap file is displayed in the “Select BMP file” box

BIOS logo tool - verify bitmap file

Select BMP File

  • Select the Replace Logo button

BIOS logo tool - select bmp file

Replace Logo

  • Verify the “Save Image As” button is now not grayed out

BIOS logo tool - replace logo

Save Image As Button

  • Select the “Save Image As” button
  • Verify the navigator window is displayed
  • Navigate to the BIOS folder, this is where the new BIOS file will be placed
  • Manually enter the name of the original .bin file, note that it must be exactly the same name

BIOS logo tool - save image as

BIN File

  • Select Save button
  • Verify the Success message is displayed in the lower left of the tool

BIOS logo tool - load bin file

Success Message

Create Bootable USB Drive and Install New BIOS

Now that the new bitmap file has been created, the BIOS folder must be transferred to a USB drive and then used to update the BIOS on the Vault. Follow the instructions at this link to create a bootable USB drive, transfer the new BIOS folder to the USB drive, and install the new BIOS on the Vault.

  • Verify the splash screen has the new logo or image during initial boot
  • Verify the system boots

At this point, the new splash screen should be installed on The Vault. However, if you experience any issues, please feel free to reach out to us at: support@protectli.com. For more information, visit our Knowledge Base.

 

 

 

Overview

There are known security vulnerabilities with Intel processors that are named “Spectre” and “Meltdown”. These vulnerabilities are documented at this link. There is a Windows based tool that can analyze the the system to determine if it is vulnerable to Spectre or Meltdown. This document describes how to use that tool to assess the vulnerability of the Vault. Information regarding specific BIOS updates to the different Vault platforms can be found from links on the product pages.

On a Windows computer,

  • Browse to InSpectre homepage at https://www.grc.com/inspectre.htm
  • Scroll down to Download Button and download InSpectre application from this link.
  • Verify that the file/application “InSpectre.exe” is downloaded to the Windows computer
  • Run InSpectre (double-click) and verify the application pops up

inspectre

InSpectre & Meltdown Vulnerability Status  – Not Protected

  • Verify that both Meltdown and Spectre vulnerabilites are protected.

If not, update the Vault to the appropriate BIOS that addresses the vulnerabilities. See the latest BIOS at this link.

  • Update BIOS on the Vault
  • Rerun the InSpectre application
  • Verify vulnerabilities are protected

inspectre

InSpectre & Meltdown Vulnerability Status  – Protected

At this point the Vault should be protected from the Spectre and Meltdown vulnerabilities. However, if there are any issues, feel free to reach out to us at support@protectli.com or find more information in our Knowledge Base.

Load More

0
    Cart
    Your cart is emptyShop Vault
    • Ships Worldwide
    • 30-Day Money Back Guarantee
    • US-Based Support
      Calculate Shipping