Industrial Cellular Router With Integrated Firewall and VPN: User Manual

Industrial cellular router
with integrated firewall and VPN

User manual
UM EN TC ROUTER ... 3G/4G
User manual
Industrial cellular router with integrated firewall and VPN
UM EN TC ROUTER ... 3G/4G, Revision 03 2020-03-03
This user manual is valid for:
Designation Software release Order No.

TC ROUTER 3002T-4G 2.05.4 2702528
TC ROUTER 3002T-3G 2.05.4 2702529
TC ROUTER 2002T-4G 2.05.4 2702530
TC ROUTER 2002T-3G 2.05.4 2702531
TC ROUTER 3002T-4G VZW 2.05.4 2702532
TC ROUTER 3002T-4G ATT 2.05.4 2702533
107025_en_03
PHOENIX CONTACT GmbH & Co. KG • Flachsmarktstraße 8 • 32825 Blomberg • Germany

phoenixcontact.com
Table of contents
Table of contents
1 For your safety ...........................................................................................................................5
1.1 Identification of warning notes ...............................................................................5
1.2 Qualification of users .............................................................................................5
1.3 Field of application of the product ..........................................................................6
1.4 Safety notes...........................................................................................................7
1.5 Security in the network...........................................................................................8
1.6 UL warning notes (only TC ROUTER 3002T-4G VZW and
TC ROUTER 3002T-4G ATT)................................................................................9
2 Transport, storage, and unpacking ..........................................................................................10

2.1 Transport .............................................................................................................10
2.2 Storage................................................................................................................10
2.3 Unpacking ...........................................................................................................11
3 Installation ................................................................................................................................13
3.1 Product description..............................................................................................13
3.2 Licensing information on open source software...................................................13
3.3 Structure ..............................................................................................................14
3.4 Mounting and removal .........................................................................................16
3.5 Inserting the SIM card..........................................................................................17
3.6 Connection ..........................................................................................................18
3.7 Resetting the router .............................................................................................21
4 Configuration via web-based management ..............................................................................23

4.1 Connection requirements ....................................................................................23
4.2 Starting web-based management........................................................................23
4.3 Basic setup ..........................................................................................................24
4.4 Device information...............................................................................................25
4.5 Software ..............................................................................................................26
4.6 Status ..................................................................................................................27
4.7 IPsec status .........................................................................................................30
4.8 OpenVPN status ..................................................................................................30
4.9 Local network ......................................................................................................33
4.10 Wireless network .................................................................................................36
4.11 Device services ...................................................................................................49
4.12 Network security ..................................................................................................63
107025_en_03 PHOENIX CONTACT 3 / 156

TC ROUTER ... 3G/4G
4.13 VPN .....................................................................................................................70

4.14 I/O........................................................................................................................86
4.15 System ................................................................................................................89
5 Creating X.509 certificates .....................................................................................................101

5.1 Installation .........................................................................................................101
5.2 Creating a new database ...................................................................................101
5.3 Creating a CA certificate ....................................................................................102
5.4 Creating templates ............................................................................................105
5.5 Creating certificates...........................................................................................107
5.6 Exporting certificates .........................................................................................109
6 Device replacement, device defect and repair .......................................................................111

6.1 Device replacement...........................................................................................111
6.2 Device failure and repair ....................................................................................111
7 Maintenance and disposal .....................................................................................................112

7.1 Maintenance......................................................................................................112
7.2 Disposal.............................................................................................................112
8 Technical data .......................................................................................................................113

8.1 Ordering data.....................................................................................................113
8.2 Technical data ...................................................................................................115
8.3 Dimensions........................................................................................................119
A Technical appendix.................................................................................................................121
A1 XML elements....................................................................................................121
A2 Structure of the XML configuration file ...............................................................124
A3 Wireless network ...............................................................................................127
A4 CIDR, Classless Inter-Domain Routing..............................................................146
B Appendixes.............................................................................................................................147
B1 List of figures .....................................................................................................147
B2 Index..................................................................................................................151
4 / 156 PHOENIX CONTACT 107025_en_03

For your safety
1 For your safety

Read this user manual carefully and keep it for future reference.
1.1 Identification of warning notes

This symbol indicates hazards that could lead to personal injury.
There are three signal words indicating the severity of a potential injury.
DANGER
Indicates a hazard with a high risk level. If this hazardous situation is not
avoided, it will result in death or serious injury.
WARNING
Indicates a hazard with a medium risk level. If this hazardous situation is not
avoided, it could result in death or serious injury.
CAUTION
Indicates a hazard with a low risk level. If this hazardous situation is not avoided,
it could result in minor or moderate injury.
This symbol together with the NOTE signal word warns the reader of actions
that might cause property damage or a malfunction.
Here you will find additional information or detailed sources of information.
1.2 Qualification of users

The use of products described in this user manual is oriented exclusively to:
– Electrically skilled persons or persons instructed by them. The users must be familiar
with the relevant safety concepts of automation technology as well as applicable stan-
dards and other regulations.
– Qualified application programmers and software engineers. The users must be familiar
with the relevant safety concepts of automation technology as well as applicable stan-
dards and other regulations.

TC ROUTER ... 3G/4G
1.3 Field of application of the product

Europe
The following devices are intended for use within Europe:
– TC ROUTER 3002T-4G
USA
The following devices are intended for use in the USA (only for export outside of the Euro-
pean Economic Area):
– TC ROUTER 3002T-4G VZW
– TC ROUTER 3002T-4G ATT
Other countries
If the required general conditions are met, use in other countries is possible.
To gain a rough idea of which frequency bands are available in your country of use, visit
www.frequencycheck.com.
• You will find the frequency bands for your device at “Wireless interface” on page 116.
Check with your provider whether any of these frequency bands are available at the
installation location.
• Check with your provider whether there is network coverage at the installation location.
• Check with your provider whether the device is approved for operation at the installation
location.
1.3.1 Intended use

The devices are industrial cellular routers for 3G and 4G cellular networks.
• The devices are designed for use in industrial environments.
• The devices are intended for installation in a control cabinet.
• Operation of the wireless system is only permitted if accessories available from
Phoenix Contact are used. The use of other accessory components could invalidate the
operating license.
You can find the approved accessories listed with the product at
phoenixcontact.net/products.
1.3.2 Product changes

Modifications to hardware and firmware of the device are not permitted.
Incorrect operation or modifications to the device can endanger your safety or damage the
device. Do not repair the device yourself. If the device is defective, please contact
Phoenix Contact.

For your safety
1.4 Safety notes
WARNING:
Observe the following safety notes when using the device.
• Installation, operation, and maintenance may only be carried out by qualified electri-
cians. Follow the installation instructions as described.
• When installing and operating the device, the applicable regulations and safety direc-
tives (including national safety directives), as well as the generally recognized codes of
practice, must be observed. The technical data is provided in the packing slip and on
the certificates (conformity assessment, additional approvals where applicable).
• Opening or modifying the device is prohibited. Do not repair the device yourself, but re-
place it with an equivalent device. Repairs may only be carried out by the manufacturer.
The manufacturer is not liable for damages resulting from non-compliance.
• The IP20 degree of protection (IEC 60529/EN 60529) of the device is intended for use
in a clean and dry environment. Do not subject the device to mechanical and/or thermal
stress that exceeds the specified limits.
• The device is designed exclusively for operation with safety extra-low voltage (SELV)
in accordance with IEC 60950/EN 60950/VDE 0805. The device may only be connect-
ed to devices that meet the requirements of EN 60950.
• The device complies with the EMC regulations for industrial areas (EMC class A).
When used in residential areas, the device may cause radio interference.

TC ROUTER ... 3G/4G
1.5 Security in the network
NOTE: Risk of unauthorized network access

Connecting devices to a network via Ethernet entails the danger of unauthorized access
to the network.
Observe the following safety notes!
• If possible, deactivate unused communication channels.

• Assign passwords such that third-parties cannot access the device and make unautho-
rized changes.
• Due to its communication interfaces, the device should not be used in safety-critical
applications unless additional security appliances are used. Please take additional pro-
tective measures in accordance with the IT security requirements and the standards
applicable to your application (e.g., virtual networks (VPN) for remote maintenance
access, firewalls, etc.) for protection against unauthorized network access.
• On first request, you shall release Phoenix Contact and the companies associated with
Phoenix Contact GmbH & Co. KG, Flachsmarktstraße 8, 32825 Blomberg (hereinafter
collectively referred to as “Phoenix Contact”) in accordance with §§ 15 ff AktG or
German Stock Corporation Act from all third-party claims that are made due to improper
use.
• For the protection of networks for remote maintenance via VPN, Phoenix Contact offers
the mGuard and TC CLOUD CLIENT... product ranges of security appliances, a de-
scription of which you will find in the latest Phoenix Contact catalog
(phoenixcontact.net/products).
Additional measures for protection against unauthorized network access can be found in
the AH EN INDUSTRIAL SECURITY application note. The application note can be down-
loaded by going to the product listing at phoenixcontact.net/products.
HTTPS certificate
• At the plant, a self-signed HTTPS certificate is located in the device to encrypt access
to the internet. For initial commissioning, you must renew the certificate or exchange it
for one you have created yourself. This is the only way to ensure that the certificate is
unique for operative use (see page 49).

For your safety
1.6 UL warning notes (only

TC ROUTER 3002T-4G VZW and
TC ROUTER 3002T-4G ATT)
WARNING: Explosion hazard when used in potentially explosive areas.

Make sure that the following notes and instructions are observed and complied with.
 Use copper wires rated 85°C.

 If the equipment is used in a manner not specified, the protection provided by the
equipment may be impaired.
 This device has to be built in an enclosure (control box).
 External circuit from SELV supplied
 SELV - Limited energy according to UL/IEC/EN 61010-1 or NEC class II
 This equipment must be mounted in an enclosure certified for use in Class I, Zone 2
minimum and rated IP54 minimum in accordance with IEC 60529 when used in
Class I, Zone 2 environment.
 Device shall only be used in an area of not more than pollution degree 2.
Class I, Zone 2, AEx nA IIC T4 / Ex nA IIC T4 Gc

Class I, Division 2, Groups A, B, C and D T4
Input: 10 - 30 V DC, max. 1.7 A
IND.CONT.EQ.
Amb. Temp. Range: -40°C < Tamb < 70°C
FOR.HAZ.LOC.
E366272

TC ROUTER ... 3G/4G
2 Transport, storage, and unpacking
2.1 Transport
The device is delivered in cardboard packaging.
• Only transport the device to its destination in its original packaging.
• Observe the instructions on how to handle the package, as well as the moisture, shock,
tilt, and temperature indicators on the packaging.
• Observe the humidity specifications and the temperature range specified for transport
(see “Ambient conditions” on page 117).
• Protect the surfaces as necessary to prevent damage.
• When transporting the equipment or storing it temporarily, make sure that the surfaces
are protected from the elements and any external influences, and that they are kept dry
and clean.
2.2 Storage
The storage location must meet the following requirements:
– Dry
– Protected against unauthorized access
– Protected from harmful environmental influences such as UV light
• For storage/transport, observe the humidity and air pressure specifications, and the
temperature range.
See “Ambient conditions” on page 117.

Transport, storage, and unpacking
2.3 Unpacking
The device is delivered in packaging together with a packing slip that provides installation
instructions.
• Read the entire packing slip carefully.
• Retain the packing slip.
NOTE: Electrostatic discharge

Electrostatic discharge can damage or destroy components.
– When handling the device, observe the necessary safety precautions against elec-
trostatic discharge (ESD) in accordance with EN 61340-5-1 and IEC 61340-5-1.
Checking the delivery • Check the delivery for transport damage.

Damaged packaging is an indicator of potential damage to the device that may have
occurred during transport. This could result in a malfunction.
• Immediately upon delivery, check the delivery note to ensure that the delivery is com-
plete.
• Submit claims for any transport damage immediately, and inform Phoenix Contact or
your supplier as well as the shipping company without delay.
• Enclose photos clearly documenting the damage to the packaging and/or delivery
together with your claim.
• Keep the box and packaging material in case you need to return the product.
• We strongly recommend using the original packaging to return the product.
• If the original packaging is no longer available, observe the following points:
– Observe the humidity specifications and the temperature range specified for trans-
port (see “Ambient conditions” on page 117).
– Use dehumidifying agents if necessary.
– Use suitable ESD packaging to protect components that are sensitive to electro-
static discharge.
– Make sure that the packaging you select is large enough and sufficiently thick.
– Only use plastic bubble wrap sheets as wadding.
– Attach warnings to the transport packaging so that they are clearly visible.
– Please ensure that the delivery note is placed inside the package if the package is
to be shipped domestically. However, if the package is being shipped internation-
ally, the delivery note must be placed inside a delivery note pocket and attached to
the outside so that it is clearly visible.

TC ROUTER ... 3G/4G

Installation
3 Installation
3.1 Product description

The TC ROUTER... cellular routers enable high-performance high-speed data links via
cellular networks. The integrated firewall and VPN (Virtual Private Network) protect your
application against unauthorized access.
The focus is on EMC, electrical isolation, and surge protection for reliable and secure com-
munication. The data link and quality of the cellular network are also monitored. If required,
the device sends a message or re-establishes the cellular network connection.
Features
– Virtual permanent line to connect networks via cellular network
– Stateful inspection firewall for dynamic filtering
– VPN remote start via SMS or call
– Two switching inputs and one switching output
– XML interface
– Alarm sent via SMS or e-mail directly via the integrated switching input
– Configuration via web-based management or microSD card
– Two local Ethernet connections
– Switchable energy-saving mode
– Integrated log
– Extended temperature range of -40°C ... +70°C
Table 3-1 Overview of product versions
Designation Cellular Fallback VPN function Area of

communication application
TC ROUTER 3002T-4G 4G (LTE) 3G (UMTS/HSPA)
IPsec and OpenVPN, up
2G (GPRS/EDGE)
to three VPN tunnels
TC ROUTER 3002T-3G 3G (UMTS/HSPA) 2G (GPRS/EDGE)
Europe
TC ROUTER 2002T-4G 4G (LTE) 3G (UMTS/HSPA)
2G (GPRS/EDGE) -
TC ROUTER 2002T-3G 3G (UMTS/HSPA) 2G (GPRS/EDGE)
TC ROUTER 3002T-4G VZW - IPsec and OpenVPN, up USA (HazLoc
4G (LTE)
TC ROUTER 3002T-4G ATT 3G (UMTS/HSPA) to three VPN tunnels approval)
3.2 Licensing information on open source software

The licensing information can be found in the web-based management of the device under
the “Device Information, Software” menu item.
You can find further information on the open source software in the technical note
AH EN OPEN SOURCE SOFTWARE at phoenixcontact.net/product/2702528.

TC ROUTER ... 3G/4G
3.3 Structure
3.3.1 4G router
11
10
9 US
ERR
CON
Micro SD
Micro
SD 1
LAN 1 LAN 2
2
7
ANT 1
3
ANT 2
4
TC ROUTER
SIM
6
24V 0V I1 I2 01
5
Figure 3-1 4G router
1 LAN interface 1
2 LAN interface 2
3 SMA antenna connection 1, primary antenna
4 SMA antenna connection 2, secondary antenna
5 COMBICON plug-in screw terminal block
6 SIM interface
7 Slot for microSD card
8 CON LED
9 ERR LED
10 US LED
11 Reset button

Installation
3.3.2 3G router

CON

Figure 3-2 3G router
1 LAN interface 1
2 LAN interface 2
3 SMA antenna socket
4 COMBICON plug-in screw terminal block
5 SIM interface
6 Slot for microSD card
7 CON LED
8 ERR LED
9 US LED
10 Reset button
3.3.3 Status and diagnostics indicators

US Power Green
On Supply voltage is present
ERR Error Red
Off Logged into the network
Flashing SIM card not inserted,
SIM error (e.g., PIN or PUK locked)
On Searching for cellular network
CON Connect Yellow
On Connection established
In the case of the TC ROUTER 3002T..., the CON LED can be configured via web-based
management. You can therefore monitor the cellular IP connection or the VPN tunnel.

TC ROUTER ... 3G/4G
3.4 Mounting and removal
NOTE: Device damage

Only mount and remove devices when the power supply is disconnected!
The device is intended for installation in a control cabinet.

• Snap the device onto a 35 mm DIN rail in accordance with EN 60715.
• Connect the DIN rail to protective earth ground.
B
Figure 3-3 Mounting on the DIN rail
Removal
• Pull down the locking latch using a screwdriver, needle-nose pliers or similar.
• Pull the bottom edge of the device slightly away from the mounting surface.
• Pull the device away from the DIN rail.
A B
Figure 3-4 Removal

Installation
3.5 Inserting the SIM card
NOTE: Electrostatic discharge

Electrostatic discharge can damage or destroy components.
– When handling the device, observe the necessary safety precautions against elec-
trostatic discharge (ESD) in accordance with EN 61340-5-1 and IEC 61340-5-1.
The device only supports 1.8 V and 3 V SIM cards. In the event of older SIM cards, please
contact your provider.
You will receive a SIM card from the provider on which all data and services for your con-
nection are stored. The SIM card can be protected with a 4 or 5-digit PIN code. We recom-
mend that you enter the PIN code and the APN settings as described in “SIM” on page 37.
A packet data connection via the cellular network is required for the core functions. Select
an appropriate SIM card. You must activate the package data connection before the oper-
ation (see “Packet data setup” on page 43).
• Press the yellow release button with a pointed object.

• Remove the SIM card holder.
• Insert the SIM card so that the SIM chip remains visible.
• Fully insert the SIM card holder together with the SIM card into the device until this ends
flush with the housing.
T1
C
AN
T1
AN
T2
AN
T2
AN
A
D D
SIM
SIM
B
Figure 3-5 Removing the SIM card holder, inserting the SIM card

TC ROUTER ... 3G/4G
3.6 Connection
3.6.1 Antenna
– You can find the approved accessories for this wireless system listed with the product
at phoenixcontact.net/products.
– Please refer to the documentation for the antenna.
US US
ER ER
R R
CO CO
N N
Mic Mic
ro ro
SD SD
LA LA
N N
1 1
LA LA
N N
2 2
AN AN
T1 T1
ANT 1 AN
T2
AN
T2
ANT 2
SIM
SIM
TC ROUTER
TC ROUTER
24V 24V
01 01
I1 I1
I2 I2
01 01
Figure 3-6 Connecting the antenna (4G router)
The 4G routers have two antenna connections. To achieve optimum LTE reception, always
connect two antennas for 4G routers. The 3G routers only have one antenna connection.
• Connect one or two suitable antennas to the antenna connection.

• The antenna cable must not be longer than 5 meters in length.
• Check the signal quality in the web-based management software under “Device Infor-
mation, Status, Radio”.
• Fix the antenna in place when reception is good or very good.
• Screw the antenna hand-tight onto the device (1.7 Nm).

Installation
3.6.2 Ethernet network

• Only twisted pair cables with an impedance of 100 Ω may be connected to the RJ45
Ethernet interfaces.
• Only use shielded twisted pair cables and corresponding shielded RJ45 connectors.
• Push the Ethernet cable with the RJ45 connector into the TP interface until the connec-
tor engages with a click. Observe the connector coding.
n.c. 8 RJ45
n.c. 7
TD- 6
n.c. 5
n.c. 4
TD+ 3
RD- 2
RD+ 1
Figure 3-7 RJ45 interface
3.6.3 Supply voltage
CAUTION: Electrical voltage

The device is designed exclusively for operation with safety extra-low voltage (SELV) in
accordance with IEC 60950/EN 60950/VDE 0805.
– Provide overcurrent protection (I ≤ 5 A) in the installation.
US
ER
R
CO
N
Mic
ro
SD
LA
N
1
LA
N
2
AN
T1
AN
T2
24V 0V I1 I2 01
SIM
TC ROUTER
24V
01
I1
I2
01
Figure 3-8 Connecting the supply voltage
• Connect the supply voltage to 24 V and 0 V at the plug-in screw terminal block. Ensure
the correct polarity when doing so.
• The device is ready for operation as soon as the US LED lights up.

TC ROUTER ... 3G/4G
3.6.4 Switching inputs and switching outputs

Two configurable switching inputs for the following functions:
– Sending an SMS, including to multiple recipients
– Sending an e-mail, including to multiple recipients
– Controlling an output at a remote station via SMS
– Restarting the router
– Starting or stopping a cellular data connection
– Switching the IPsec or OpenVPN connection
– Automatically loading a configuration from a microSD card
– Activating energy-saving mode
One configurable switching output, activated by:

– Activation by the input at a remote station
– SMS
– Web-based management
– Incoming call
– Connection abort
– Status of the cellular network connection
– Status of the cellular data connection
– Status of a VPN connection
Connection
• You can connect 10 ... 30 V DC to switching inputs I1 and I2.
• Switching output O1 is designed for a maximum of 50 mA at 10 ... 30 V DC.
• The connecting cables for the switching inputs and the switching output must not be
longer than 30 meters in length.
• The 0 V potential of the switching inputs and outputs must be connected to the “0 V” ter-
minal block of the power supply connection.
–
+
24V 0V I1 I2 01
Figure 3-9 Wiring inputs

Installation
3.7 Resetting the router

The routers have a reset button on the front to the right of the LEDs. The reset button can
be used to temporarily reset the following parameters:
– IP address of the router
– Passwords
– Firewall settings of the web device access (HTTP, HTTPS)
Reset
• Press and hold the reset button.
• Disconnect the Ethernet cable from the LAN connection on the router.
• Reconnect the Ethernet cable.
• Press and hold down the reset button for a further five seconds.
The IP address has now been reset to the default address.
– IP address: 192.168.0.1
– Subnet mask: 255.255.255.0

TC ROUTER ... 3G/4G

Configuration via web-based management
4 Configuration via web-based management
4.1 Connection requirements

– The device must be connected to the power supply.
– The computer that is to be used for configuration must be connected to one of the LAN
ports on the router.
– The device must be located in the same LAN.
– A browser (e.g., Mozilla Firefox®, Internet Explorer® or Apple Safari®) must be
installed on the computer.
4.2 Starting web-based management

The router is configured via web-based management (WBM).
• Establish an Ethernet connection from the device to a PC.
• If necessary, adjust the IP parameters of your computer.
• Open a browser on the computer.
• Enter the IP address 192.168.0.1 in the address field of your browser.
Figure 4-1 Login window
• To log in to the router, click on “Login”. You need the user name and the password.
– User name: admin
– Password: admin
For security reasons, we recommend you change the password during initial configura-
tion (see “User, password change” on page 91).

TC ROUTER ... 3G/4G
There are two user levels.

– user: read access only to
– Device information
– Status, Radio
– Status, Network connections
– Status, IPsec status
– Status, OpenVPN status
– Status, I/O status
– admin: full access to all areas
4.3 Basic setup
Figure 4-2 Basic setup
Basic setup
admin Password for unrestricted access to all areas
IP configuration IP address (local or LAN) and subnet mask of the router
SIM PIN: Enter the PIN for the SIM card here. The PIN cannot be
read back, it can only be overwritten.
APN: The APN can be obtained from your provider.
APN (Access Point Name) is the name of a terminal point in a
packet data network. The APN enables access to an external
data network. At the same time, the APN specifies the network
to which a connection is to be established. In the case of a
public APN, the connection is usually established to the Inter-
net. The device supports public and private APNs.

4.4 Device information

You can also access this page with the user login. The page displays information about the
hardware and software.
4.4.1 Hardware
Figure 4-3 Device information, Hardware
Device information, Hardware

Hardware information Address Address of the manufacturer
Internet Website address of the manufacturer
Type Order designation of the router
Order No. Order number of the router
Serial number Serial number of the router
Hardware Hardware version of the router
Release version Release version of the router software
Operating system Operating system version
Web-based Web-based management version
management
MAC address LAN MAC address for unique identification of an Ethernet device in
a computer network
Radio engine Type of radio engine used
Radio firmware Firmware version of the radio engine
IMEI IMEI = International Mobile Station Equipment Identity
15-digit serial number that can be used to clearly identify each
cellular network device

TC ROUTER ... 3G/4G
4.5 Software
Here you will find a list of the software used and license information.
You can find further information on the open source software in the technical note
AH EN OPEN SOURCE SOFTWARE at phoenixcontact.net/product/2702528.
Figure 4-4 Software

4.6 Status
The following status information is displayed here:
– Device
– Cellular communication interface
– LAN interface
– VPN connection
– I/Os
This area is also visible with the user access. The menu items “Routing table”, “DHCP
leases” and “System info” are only available if you are logged in as an administrator.
4.6.1 Radio
Figure 4-5 Status, Radio
Status, Radio
Radio status Provider Provider name
Network status Status of the cellular network
– Registered home: logged in to the provider‘s home net-
work
– Roaming: dial-in via an external cellular network
– Waiting for PIN: enter the PIN.
– Waiting for PUK: SIM card locked because an incorrect
PIN was entered three times, PUK entry required
– Wrong PIN: wrong PIN stored in device
– No SIM card: SIM card not inserted
– Busy: radio engine starting
– Power off: radio engine switched off
Signal level Signal strength as a dBm value, RSSI value, and bar

TC ROUTER ... 3G/4G
Status, Radio [...]

Packet data – Offline: no packet data connection in the cellular network
– GPRS online: active packet data connection in the
cellular network via GPRS. GPRS is a GSM service which
provides packet-based wireless access for cellular GSM
users.
– EDGE online: active packet data connection in the
cellular network via EDGE. EDGE is a further develop-
ment of the GPRS data service and has a higher data
transmission speed.
– UMTS online: active packet data connection in the 3G
cellular network via UMTS.
– HSDPA/UPA online: active packet data connection in
the 3G cellular network via HSDPA/UPA. HSDPA/UPA is
a further development of the UMTS network with a higher
data transmission speed.
– LTE online: active high-speed packet connection in the
4G cellular network via LTE
IMSI IMSI = International Mobile Subscriber Identity, number used
to clearly identify the user of a network
Local area code Area code in the cellular network
Cell ID Unique cellular ID

4.6.2 Network connections

Here you will find status information about the packet data interface in the cellular network
and the local Ethernet network.
Figure 4-6 Status, Network connections
Status, Network connections

Wireless network Link – TCP/IP connected: active packet data connection in the
cellular network. You can transmit data via TCP/IP.
– VPN connected: active VPN connection in the cellular
network. You can transmit encrypted data.
– not connected: no packet data connection in the cellular
network, no data transmission
IP address IP address assigned by the provider
Netmask Netmask assigned by the provider
DNS server IP address of the DNS server
Sec. DNS server IP address of the alternative DNS server
Uptime Time after which the IP settings assigned by the provider
expire (IP address, netmask, DNS server).
RX bytes Sum of data received since last login to the cellular network
TX bytes Sum of data sent since last login to the cellular network
Local network LAN 1/2 – connected: LAN 1/2 connected
– not connected: LAN 1/2 not connected
IP address Current Ethernet IP address
Netmask Netmask of the local Ethernet network
DHCP mode Operating state of the router in the local network
– Server: the router assigns the IP addresses.
– Client: the router receives an IP address.
– Disabled: fixed IP address

TC ROUTER ... 3G/4G
4.7 IPsec status
Figure 4-7 IPsec status
Status, IPsec status

IPsec status Active Ipsec Status of the active IPsec-VPN connection
connections
4.8 OpenVPN status
Figure 4-8 OpenVPN status
Status, OpenVPN status

OpenVPN status Active OpenVPN Status of the active OpenVPN-connection
connections

4.8.1 I/O status

Here you can find current status information and the configuration of the inputs and outputs.
Figure 4-9 Status, I/O status
4.8.2 Routing table

Here you can find all entries of the routing table.
Figure 4-10 Status, Routing table

TC ROUTER ... 3G/4G
4.8.3 DHCP leases

Here you can find the IP addresses that the cellular router has currently assigned to the
DHCP clients.
Figure 4-11 Status, DHCP leases
4.8.4 System info

Here you will find the current system utilization.
Figure 4-12 Status, System info

4.9 Local network
4.9.1 IP configuration
The connection from the router to the local Ethernet network can be set up here. You can
modify the IP configuration, e.g., the IP address, the subnet mask, and the type of address
assignment. Confirm your changes to the IP configuration with “Apply”. The changes only
take effect after a restart.
Figure 4-13 Local network, IP configuration
Local Network, IP configuration

Current address IP address Current IP address of the router
Computers that are connected to the LAN interfaces access
the router using this address. You can use the reset button to
reset the IP address to the default address 192.168.0.1 (see
“Resetting the router” on page 21).
Subnet mask Subnet mask for the current IP address
MTU (default 1500) Maximum Transmission Unit (MTU) is the maximum packet
size, in bytes, in the cellular network
Enable IPv6 IPv6 protocol is supported. You can specify an IPv6 address
for the LAN interface.
Type of the IP address – Static (default): the IP address is assigned permanently
assignment (fixed IP).
– DHCP: when the router is started, the IP address and the
subnet mask are assigned dynamically by a DHCP serv-
er.
 The router can only procure its own address via DHCP
when it is not configured as DHCP server itself (see 4.9.2
“DHCP server”).
Alias addresses Using alias addresses, you can assign up to 8 additional IP
addresses to the router. This means that the router can be
accessed from various subnetworks. Click on “New” and enter
the desired IP address and subnet mask.

TC ROUTER ... 3G/4G
4.9.2 DHCP server

You can use the Dynamic Host Configuration Protocol (DHCP) to assign the set network
configuration to the devices. The devices must be connected directly to the router.
Figure 4-14 Local network, DHCP server
Local network, DHCP server

DHCP server DHCP server – Enabled: router acts as the DHCP server. It assigns LAN
IP addresses and subnet masks to the devices.
 The router can only work as a DHCP server when it does not
procure its own IP address via DHCP (see 4.9.1 “IP configura-
tion”).
Hostname Device name of the router in the local network
Domain name Domain name that will be distributed via DHCP
Lease time (d,h,m,s) Time for which the network configuration assigned to the client
is valid
The client should renew its assigned configuration shortly
before this time expires. Otherwise it may be assigned to other
computers.
Dynamic IP address Dynamic IP address pool: when the DHCP server and the
allocation dynamic IP address pool have been activated, you can specify
the network parameters to be used by the client.
Start of IP range, DHCP area: the start and end of the address area from which
End of IP range the DHCP server should assign IP addresses to locally con-
nected devices.
Static IP address allocation Static assignment based on the MAC address: the static IP of
the client to which the MAC address should be assigned
Client MAC address MAC of the client with dashes

Local network, DHCP server [...]

Client IP address IP address of the client
– Static assignments must not overlap with the dynam-
ic IP address pool.
– Do not use one IP address in multiple static assign-
ments, otherwise this IP address will be assigned to
multiple MAC addresses.
4.9.3 Static routes

With local static routes, you can specify alternative routes for data packets from the local
network via other gateways in higher-level networks. You can define up to eight static
routes.
If the entries for the network and gateway are logically incorrect, the incorrect entries will be
displayed with a red frame.
Figure 4-15 Local network, Static routes
Local network, Static routes

Local static routes Network Network in CIDR format, see “CIDR, Classless Inter-Domain
Routing” on page 146
Gateway Gateway via which this network can be accessed

TC ROUTER ... 3G/4G
4.10 Wireless network

You can integrate remote stations into an IP network, e.g., the Internet, via a cellular network
connection. The cellular network connection and frequencies can be configured here.
4.10.1 Radio setup
Figure 4-16 Wireless network, Radio setup
Wireless network, Radio setup

Radio setup 2G (GSM/GPRS/EDGE) GSM frequency range in which the router should operate
3G (UMTS/HSPA) Frequency range for UMTS in which the router should operate
4G (LTE) Frequency range for LTE in which the router should operate
In addition, you can deactivate LTE: “LTE off”
Provider timeout Period of time after which the radio engine restarts in the event
of the failure or unavailability of the cellular network (in min-
utes)
Daily relogin – Disabled: daily login deactivated
– Enabled: daily login activated
Time Time at which the router logs out of the cellular network under
controlled conditions and logs in again.

4.10.2 SIM
Settings for the European devices (TC ROUTER ... 3G/4G)
Figure 4-17 Wireless network, SIM (Europe)
Wireless network, SIM Settings for the primary cellular network connection, Europe
SIM Country Select the country in which the router is dialing into the cellular
network. This setting limits the selection among the providers.
PIN Enter the PIN for the SIM card here. The PIN cannot be read
back, it can only be overwritten.
Roaming If roaming is activated (default), you can select a specific pro-
vider from the drop-down menu.
– Enabled: the router can also dial-in via external networks.
If “Auto” is set under “Provider”, the strongest provider is
selected. Depending on your contract, this may incur
additional costs. Alternatively, you can specify a provider.
– Disabled: roaming is deactivated. Only the provider‘s
home network is used. If this network is unavailable, the
router cannot establish an Internet connection.
Provider Select a provider via which the router is to establish the Inter-
net connection. The country selected under “Country” limits
the list of providers.
– Auto: the router automatically selects the provider using
the SIM card.
User name User name for packet data access
The user name and password can be obtained from your
provider. This field may be left empty if the provider does not
require a special input.
Password Password for packet data access
This field may be left empty if the provider does not require a
password.

TC ROUTER ... 3G/4G
Wireless network, SIM [...] Settings for the primary cellular network connection, Europe
APN The APN can be obtained from your provider.
APN (Access Point Name) is the name of a terminal point in a
Authentication Select the protocols for logging in to the provider:
– None: the provider‘s APN does not require login (default).
– Refuse MSCHAP: MSCHAP is not accepted.
– CHAP only: Only CHAP is accepted.
– PAP only: Only PAP is accepted.

Settings for the US devices (TC ROUTER 3002T-4G VZW and

TC ROUTER 3002T-4G ATT)
The devices for the American market require special APN settings.
Figure 4-18 Wireless network, SIM (US)
Wireless network, SIM Settings for the primary cellular network connection, US
SIM Country Select the country in which the router is dialing into the GSM
network. This setting limits the selection among the providers.
PIN Enter the PIN for the SIM card here. The PIN cannot be read
back, it can only be overwritten.
Roaming If roaming is activated (default), you can select a specific pro-
vider from the drop-down menu.
– Disabled: roaming is deactivated. Only the provider‘s
home network is used. If this network is unavailable, the
router cannot establish an Internet connection.
– Enabled: the router can also dial-in via external networks.
If “Auto” is set under “Provider”, the strongest provider is
selected. Depending on your contract, this may incur
additional costs. Alternatively, you can specify a provider.
Provider Select a provider via which the router is to establish the Inter-
net connection. The country selected under “Country” limits
the list of providers.
– Auto: the router automatically selects the provider using
the SIM card.
User name User name for packet data access
The user name and password can be obtained from your
provider. This field may be left empty if the provider does not
require a special input.
Password Password for packet data access
This field may be left empty if the provider does not require a
password.

TC ROUTER ... 3G/4G
Wireless network, SIM [...] Settings for the primary cellular network connection, US
APN APN (Access Point Name) is the name of a terminal point in a
– managed Internet APN: default, no manual input
The device autonomously logs in to the network. The APN
is set automatically. When the router has logged in to the
network, the standard APN used is displayed.
– managed application APN (only Verizon Wireless):
enter an application APN. The standard APN remains
stored in the device.
– customer APN: enter a customer-specific APN. The
standard APN remains stored in the device.
– overwrite APN: the standard APN will be deleted if you
enter your APN here. This is only possible after the router
has successfully made a connection with the cellular net-
work by using the default setting (managed Internet APN).
 Only use "overwrite APN" if the default APN of your pro-
vider changed and the router does not adapt automati-
cally.
Contact your provider if you have accidentally overwritten
the default APN.
Authentication Select the protocols for logging in to the provider:
– None: the provider‘s APN does not require login (default).
– Refuse MSCHAP: MSCHAP is not accepted.
– CHAP only: Only CHAP is accepted.
– PAP only: Only PAP is accepted.

4.10.3 SMS configuration

You can operate the device remotely via SMS.
• Open “Wireless network, SMS configuration”.
• Activate “SMS control” and enter the “SMS password”. The password can contain up
to seven alphanumeric characters.
In addition, the device can forward received SMS messages to a recipient as a TCP packet
via Ethernet.
• Activate the “SMS forward” function.
• Enter the recipient IP address and port with which you would like to communicate. The
default value for the server is port 1432.
• Alternatively, incoming SMS messages can be accessed from the local Ethernet net-
work via XML and socket server (see “System” on page 89).
The received SMS is forwarded in the following format:
<?xml version="1.0"?>
<cmgr origaddr="+49172123456789" timestamp="10/05/21,11:27:14+08">
SMS message</cmgr>
– origaddr = Sender telephone number
– timestamp = Time stamp of the service center in GSM 03.40 format
The SMS syntax for switching inputs, outputs, and functions contains the following informa-
tion:
– Password
– Function command
– Additional subcommands
Table 4-1 Supported function commands
Function command Description

SET:<sub_cmd> General command for starting functions (ON), must be supple-
mented with subcommand
CLR:<sub_cmd> General command for stop functions (OFF), must be supple-
mented with subcommand
SEND:STATUS Query status of the cellular router
RESET Reset alarms
REBOOT Restart cellular router
Table 4-2 Subcommands <sub_cmd> for the function commands “SET” and “CLR”
Subcommand Description
<sub_cmd>
GPRS Start or stop packet data connection
OUTPUT Switch output 1: ON/OFF
OUTPUT:n Switch output n: ON/OFF, n={1...4}
IPSEC Start or stop IPsec VPN 1: ON/OFF
IPSEC:n Start or stop IPsec VPN n: ON/OFF, n={1...3}
OPENVPN Start or stop VPN 1: ON/OFF
OPENVPN:n Start or stop VPN n: ON/OFF, n={1...3}

TC ROUTER ... 3G/4G
Figure 4-19 Wireless network, SMS configuration
Wireless network, SMS configuration

SMS configuration SMS control – Disabled: remote operation of router via SMS not possi-
ble
– Enabled: remote operation of router via SMS activated
SMS password SMS password for remote operation
SMS forward – Disabled: not possible to forward SMS messages via
Ethernet
– Enabled: forwarding of SMS messages via Ethernet acti-
vated
Server IP address IP address to which the SMS message should be forwarded
Server port Port to which the SMS message should be forwarded
(default 1432)
Example
SMS message text for starting IPsec tunnel #2 with the password 1234:
#1234:SET:IPSEC:2
To stop this connection, you must send the following SMS message:
#1234:CLR:IPSEC:2

4.10.4 Packet data setup
Figure 4-20 Wireless network, Packet data setup
Wireless network, Packet data setup

Packet data setup Packet data – Disabled: packet data connection deactivated
– Enabled: access enabled to LTE/UMTS/HSPA/
GPRS/EDGE
If this packet data connection is active, there is only a virtual
permanent connection to the partner. This wireless area is not
used until data is actually transmitted, e.g., via VPN tunnel.
Debug mode – Disabled: advanced logbook entries deactivated
– Enabled: advanced logbook entries
If you do not use an external SD card, the entries are over-
written again within a short time.
Packet data mode Type of data connection in the cellular network
– Default: protocol favored by the cellular communication
engine
– PPP: Point-to-Point Protocol
– NDIS: Network Mode
MTU (default 1500) Maximum Transmission Unit (MTU) is the maximum packet
size, in bytes, in the cellular network
Enable IPv6 The cellular communication interface supports the IPv6 proto-
col.

TC ROUTER ... 3G/4G
Wireless network, Packet data setup [...]

Event Event that starts the packet data connection:
– Initiate: automatic start after router boots up
– Initiate on Input #1 ... #2: manual start via switching
input
– Initiate on SMS: manual start via SMS message
– Initiate on XML: manual start via XML socket server
Manual DNS – Disabled: manual DNS setting is deactivated. The DNS
settings are received automatically from the provider.
– Enabled: manual DNS setting is enabled.
DNS server IP address of the primary DNS server in the cellular network
Sec. DNS server IP address of the alternative DNS server in the cellular network
4.10.5 Wireless static routes

With static routes, you can specify alternative routes for data packets in the cellular network.
If the entries for the network and gateway are logically incorrect, the incorrect entries will be
displayed with a red frame.
Figure 4-21 Wireless network, Static routes
Wireless network, Static routes

Wireless static routes Network The network in CIDR format, see “CIDR, Classless Inter-Do-
main Routing” on page 146
Gateway Gateway via which this network can be accessed

4.10.6 DynDNS
Each cellular router is dynamically assigned an IP address by the provider. The address
changes from session to session.
If the cellular router is to be accessed via the Internet, you can specify a fixed host name with
the help of a DynDNS provider for the dynamic IP address. The router can in the future be
accessed via this host name.
Check whether your cellular network provider supports dynamic DNS in the cellular net-
work.
Figure 4-22 Wireless network, DynDNS
Wireless network, DynDNS

DynDNS setup Status – Disabled: DynDNS client deactivated
– Enabled: DynDNS client activated
DynDNS provider Select the name of the provider with whom you are registered,
e.g., DynDNS.org, TZO.com, dhs.org
DynDNS user name User name for your DynDNS account
DynDNS password Password for your DynDNS account
DynDNS host name Host name that was specified for this router with the DynDNS
service
The router can be accessed via this host name.

TC ROUTER ... 3G/4G
4.10.7 Connection check

Connection monitoring enables you to check whether the packet data connection in the
cellular network is functioning correctly. In order to maintain the packet data connection in
the cellular network, connection monitoring also acts as a Keep Alive function.
Figure 4-23 Wireless network, Connection check
Wireless network, Connection check

Connection check Status – Disabled: connection monitoring of the packet data
connection is deactivated (default)
– Enabled: connection monitoring of the packet data
connection is activated
Host #1 ... #3 IP address or host name of the reference point for connection
monitoring
Source – Local: the local network interface sends the connection
monitoring IP packets with the IP address of the local
interface (LAN).
– Wireless network: the cellular network interface sends
the connection monitoring IP packets with the IP address
assigned by the provider.
Check every Check interval in minutes
Max. retry Number of times to retry until the configured action is per-
formed
Activity – Reboot: restart router
– Reconnect: re-establish packet data connection
– Relogin: shut down cellular network interface and restart
by logging into the cellular network again.
– None: no action
As an option, you can configure information regarding the
status of connection monitoring via a switching output.

4.10.8 Monitoring
Monitoring records cellular network parameters. You can use the function temporarily for
startup or troubleshooting. The function is not intended for permanent use. All parameters
are stored in a separate log file: “logradio.txt”. At the end of the monitoring period, monitor-
ing must be disabled.
Figure 4-24 Wireless network, Monitoring
Wireless network, Monitoring

Monitoring Monitoring – Disabled: cellular network monitoring deactivated
(default)
– Enabled: cellular network monitoring activated
Log duration Monitoring duration in hours, we recommend a maximum of
30 hours
Log interval Monitoring interval in minutes (at least one minute)
Ping host IP address or host name of the reference point for monitoring
Clear Clear log file in the router for a new monitoring session
View View current log file
Save Save log file on local computer

TC ROUTER ... 3G/4G
Structure of the “logradio.txt” log file:
Date and time

Network status creg=
0 Not logged in, not searching for cellular network
1 Logged in, home network
2 Not logged in, searching for cellular network
3 Not logged in, login rejected
4 Status unknown
5 Logged in, external network
Reception strength rssi=

0 -113 dBm or worse
1 -111 dBm
2...30 -109 dBm ... -53 dBm
31 -51 dBm or better
Packet data connection packet=

0 OFFLINE
1 ONLINE
2 GPRS ONLINE
3 EDGE ONLINE
4 WCDMA ONLINE
5 WCDMA HSDPA ONLINE
6 WCDMA HSUPA ONLINE
7 WCDMA HSDPA+HSUPA ONLINE
8 LTE ONLINE
Site lac= Location Area Code

ci= cell ID
Current own IP address myip=
Reference IP ping=
Ping times in msd round-trip min/avg/max= (minimum/average/maximum)

4.11 Device services
4.11.1 Web setup
Configuration
Figure 4-25 Device services, Web setup, Configuration
Device services, Web setup, Configuration

Web configuration Web server access Protocol via which the web interface of the router can be
reached
– http: only HTTP, not encrypted
– https: only HTTPS, TSL/SSL-encrypted
– local http, https: connection via both protocols allowed
locally; via the cellular network interface, only encrypted
HTTPS connection allowed
Server port Port for the HTTP connection
(default 80)
HTTPS port Port for the HTTPS connection
(default 443)
TLS version disable Deactivate out-of-date protocol versions
HTTPS certificate HTTPS certificate
You can load a self-created certificate into the router under
“Certificates”.
The “_selfsigned_” certificate is the router's own device-
specific default certificate. You cannot delete it.

TC ROUTER ... 3G/4G
Device services, Web setup, Configuration [...]

Certificate validity Future duration of validity of the device-specific HTTPS certif-
icate
• To apply the entered value, click “Renew” in the “Certifi-
cates” menu item.
Certificate subject Common name
Company/
Organisation
Organisation unit Information for the Certificate Sign Request (CSR)
City/Location You require the CSR in order to apply for a certificate at a pub-
State/Province lic certification authority.
Country
Subject alternative
names
Download certificate Create CSR
sign request

Certificates
NOTE: Data security

If the router’s web interface is to be accessible through public networks via HTTPS, you
must renew or replace the manufacturer certificate upon initial commissioning.
– Upload your own certificate via “Upload”.
Or:
– To create a new, self-signed certificate, click “Renew”.
Figure 4-26 Device services, Web setup, Certificates
Device services, Web setup, Certificates

Web certificates Load own PKCS#12 Upload: upload self-created certificate for HTTPS-access
certificate (.p12 .pfx)
The file must be in .p12/.pfx format. Click on the “Browse” but-
ton to select the certificate to be imported.
Password: password used to protect the private key of the
PKCS#12 file.
 The procedure for creating an X.509 certificate is described
under Section 5.5, “Creating certificates”.
For the HTTPS connection to be classified as secure, you
must manually save the CA certificate in the web browser.
A secure connection is usually indicated with a lock in front of
the URL.

TC ROUTER ... 3G/4G
Device services, Web setup, Certificates [...]

Load CA signed certifi- Upload: upload certificate of an external Certificate Authority
cate with CA chain (CA) for HTTPS-access
(.pem .crt)
Prerequisite: the certificate was requested in advance with the
Certificate Sign Request (CSR). The file must be present in
.pem/.crt format, including the chain of trust.
 From creating the CSR until the certificate is uploaded,
keep the router connected with the power. Otherwise, the
information on the CSR that is saved temporarily will be lost.
 If you use a CA that is known to the browser, the connection
is automatically classified as secure.
Installed certificates Overview of the certificates that are saved in the router
The certificate information is displayed per mouseover at the
green checkmark.
Renew: update certificate
Delete: delete certificate

Firewall
You can filter access to the device interfaces (Web, SSH, SNMP, socket server) with the
firewall. You can create 32 rules for local access from the LAN, as well as 32 rules for remote
access from the WAN via the cellular network interface. Remote access is completely
blocked in the standard setting and local access allowed.
If multiple firewall rules are defined, these are queried starting from the top of the list of
entries until an appropriate rule is found. This rule is then applied.
If the list of rules contains further subsequent rules that could also apply, these rules are
ignored.
Figure 4-27 Device services, Web setup, Firewall
Device services, Web setup, Firewall

Web server firewall New Add a new firewall rule
Delete Delete rule
From IP IP address or address area
0.0.0.0/0 means all IP addresses. To specify an address area,
use CIDR format (see “CIDR, Classless Inter-Domain Rout-
ing” on page 146).
Action – Accept: the data packets may pass through.
– Reject: the data packets are sent back. The sender is
informed of their rejection.
– Drop: the data packets are blocked. The sender is not
informed of their whereabouts.
Comment Comments on the rule
Log For each individual firewall rule, you can specify whether the
event is to be logged if the rule is applied.
– Yes: event is logged.
– No: event is not logged (default).

TC ROUTER ... 3G/4G
4.11.2 SSH setup
Figure 4-28 Device services, SSH setup, Configuration
Device services, SSH setup, Configuration

SSH configuration SSH server This option can be used to specify whether the router can be
accessed via the SSH service.
– Disabled: the SSH service is not available. No access to
the router via SSH (default).
– Enabled: access to the router via the SSH service is pos-
sible, from the local network or via a VPN tunnel.
Server port Port for the SSH connection
(default 22)
4.11.3 SSH setup, Firewall

The firewall for SSH is configured in the same way as the web server firewall (see “Fire-
wall”).

4.11.4 SNMP Setup

The router supports the reading of information via SNMP (Simple Network Management
Protocol). SNMP is a network protocol that can be used to monitor and control network
elements from a central station. The protocol controls communication between the moni-
tored devices and the central station.
Figure 4-29 Device services, SNMP setup, Configuration
Device services, SNMP setup, Configuration

System information
Name of device Name for management purposes, can be freely assigned
Description Description of the router
Physical location Designation for the installation location, can be freely
assigned
Contact Contact person responsible for the router
SNMPv1/v2 community
Enable SNMPv1/2 – No: the service is deactivated (default).
access – Yes: SNMP Version 1 and Version 2 are used.
Read only Password for read access via SNMP
Read and write Password for read and write access via SNMP
Enable SNMPv3 – No: the service is deactivated (default).
access – Yes: SNMP Version 3 is used.
4.11.5 SNMP setup, Firewall

The firewall for SNMP is configured like the web server firewall (see “Firewall”).

TC ROUTER ... 3G/4G
4.11.6 Socket server

The router has a socket server which can accept operating commands via the Ethernet
interface. These commands must be sent in XML format.
A client from the local network initiates basic communication. To do this, a TCP connection
is established to the set server port. The socket server responds to the client's requests. It
then terminates the TCP connection. A TCP connection is established again for another
request. Only one request is permitted per connection.
Figure 4-30 Device services, Socket server, Configuration
Device services, Socket server, Configuration

Socket configuration Socket server – Disabled: no operation via Ethernet interface
– Enabled: operation via Ethernet interface possible
Server Port Socket server port (default: 1432)
(default 1432) Please note that port 80 cannot be used for the socket server.
To use the router, a TCP socket connection must be estab-
lished to the configured port. The data format must conform to
XML Version 1.0.
XML newline char Character which creates a line break in the XML file
– LF: line feed, line break after 0x0A (hex)
– CR: carriage return, line break after 0x0D (hex)
– CR+LF: line break after carriage return, followed by a line
feed
XML Boolean values Format in which requests are answered via XML
– Verbose: response in words, e.g., on/off
– Numeric: short numerical response, e.g., 1/0

Every XML file generally begins with the header <?xml version="1.0"?> or
<?xml version="1.0" encoding="UTF-8"?> followed by the basic entry.
Basic entries
<io> ........... </io> I/O system
<info> ........... </info> Request general device information
<cmgs> ........... </cmgs> Send SMS messages
<cmgr> ........... </cmgr> Receive SMS messages
<cmga> ........... </cmga> Confirm receipt of SMS
<email> ........... </email> Send e-mails
I/O system
Using the XML socket server, you can:
– Query outputs and inputs
– Switch outputs
The outputs used must have been previously configured to “Remote controlled”. Depending
on the setting of “XML Boolean values”, on/off or 0/1 can be output as “value”.
Make sure that the XML data does not contain any line breaks.
Query outputs and inputs
<io>
Request state of output 1
<output no="1"/>
<input no="1"/> Request state of input 1
</io>
Response from the router (shown with line break):
<?xml version="1.0" encoding="UTF-8"?>

<result>
<io>
<output no="1" value="off"/> State output 1
<input no="1" value="off"/>
State input 1
</io>
</result>

TC ROUTER ... 3G/4G
Switch outputs
<io>
Switch output 1
<output no="1" value="on"/>
</io>

<result>
<io>
<output no="1" value="on"/> Output 1 switched
</io>
</result>
Switch on data connection

First, set the following in the web-based management:
• Switch on the data connection under “Packet data setup” (Enabled, see page 43).
• Under "Event", select the option "Initiate on XML".
⇒ You can now switch on the data connection of the router through XML.
<io>
Switch on data connection
<gprs value="on"/>
</io>

<result>
<io>
<gprs value="on"/> Connection enabled
</io>
</result>

Requesting general device information

You can read status information from the device:
<info>
Request device data
<device/>
<radio/> Data for the wireless connection (cellular devices only)
<inet/>
Request data for the Internet connection
<io/>
</info> Logical states at the connections

<result>
<info>
<device>
<serialno>13120004</serialno>
<hardware>A</hardware>
<firmware>1.04.9</firmware>
<wbm>1.40.8</wbm>
<imei>359628023404123</imei>
</device>
<radio>
<provider>Vodafone.de</provider>
<rssi>15</rssi>
<creg>1</creg>
<lac>0579</lac>
<ci>26330CD</ci>
<packet>7</packet>
<simstatus>5</simstatus>
<simselect>1</simselect>
</radio>
<inet>
<ip>1.2.3.4</ip>
<rx_bytes>24255</rx_bytes>
<tx_bytes>1753</tx_bytes>
<mtu>1500</mtu>
</inet>
<io>
<gsm>1</gsm>
<inet>1</inet>
<vpn>0</vpn>
</io>
</info>
</result>
To read just one single value, you can use the “Select” attribute to select it. Here is a request
for the RSSI value as an example:
<info>
<radio select="rssi"/>
</info>

TC ROUTER ... 3G/4G
Send SMS messages

Send XML data with the following structure to the device IP address via Ethernet:
<cmgs destaddr="0172 123 4567">SMS message</cmgs>
Make sure that the XML data does not contain any line breaks. The text must be UTF-8-
coded.
ASCII characters 34dec, 38dec, 39dec, 60dec, and 62dec must be entered as " '
& < and >.
If the XML data was received correctly, the device responds with the transmission status:
<result>
<cmgs length="17">SMS transmitted</cmgs>
</result>
Receive SMS messages

To receive SMS messages via Ethernet, enter the following:
<cmgr/>

<result>
<cmgr error="1">empty</cmgr>
</result>
The response means that an SMS message has not been received yet. The following error
codes are possible:
1 Empty = no SMS message received

2 Busy = try again later
3 System error = communication problem with the radio engine
If the router has received an SMS message and if it is available, then the message is output:
<result>
<cmgr origaddr="+49123456789"
timestamp="14/06/30,10:01:05+08">SMS message</cmgr>
</result>

Confirm receipt of SMS

Successful receipt of the SMS via Ethernet must be confirmed with the following command:
<?xml version="1.0" encoding"UTF-8"?>
<cmga/>

<result>
<cmga>ok</cmga>
</result>
This SMS message is then marked as read on the router.
Sending e-mails
Send XML data with the following structure to the device IP address via Ethernet:
<email to="[email protected]" cc="[email protected]">
<subject>Test Mail</subject>
<body>
This is an e-mail text with several lines.
Best regards,
your router
</body>
</email>

<result>
<email>done</email>
</result>
Response from the router in the event of an error:

<result>
<email error="3">transmission failed</email>
</result>
Establishing an IPsec VPN tunnel

To start IPsec VPN connections, send XML data with the following structure to the device
IP address via Ethernet.
<io>
Start IPsec VPN connection
<ipsec no="1" value="on"/>
</io>

<result>
<io>
<ipsec no="1" value="on"/>
</io>
</result>

TC ROUTER ... 3G/4G
Closing an IPsec VPN tunnel

To stop IPsec VPN connections, send XML data with the following structure to the device IP
address via Ethernet.
<io>
Stop IPsec VPN connection
<ipsec no="1" value="off"/>
</io>

<result>
<io>
<ipsec no="1" value="off"/>
</io>
</result>
Establishing an OpenVPN tunnel

To start OpenVPN connections, send XML data with the following structure to the device IP
<io>
Start OpenVPN connection
<openvpn no="1" value="on"/>
</io>

<result>
<io>
<openvpn no="1" value="on"/>
</io>
</result>
Closing an OpenVPN tunnel

To stop OpenVPN connections, send XML data with the following structure to the device IP
<io>
Stop OpenVPN connection
<openvpn no="1" value="off"/>
</io>

<result>
<io>
<openvpn no="1" value="off"/>
</io>
</result>
4.11.7 Socket server, Firewall

The socket server firewall is configured like the web server firewall (see “Firewall”).

4.12 Network security
4.12.1 Firewall
The device includes a stateful packet inspection firewall. The connection data of an active
connection is recorded in a database (connection tracking). Rules therefore only have to be
defined for one direction. This means that only data from the other direction of the relevant
connection is automatically allowed through.
The firewall is active by default upon delivery. It blocks incoming data traffic and only permits
outgoing data traffic.
The device supports a maximum of 32 rules for incoming data traffic and 32 rules for out-
going data traffic.
If multiple firewall rules are defined, these are queried starting from the top of the list of
entries until an appropriate rule is found. This rule is then applied.
If the list of rules contains further subsequent rules that could also apply, these rules are
ignored.
Figure 4-31 Network security, Firewall
Network security, Firewall

Firewall List of the firewall rules that have been set up
The rules apply either for incoming data traffic or outgoing data traffic.
Default setting: accept all outgoing connections
 If no rule is defined, all outgoing connections are prohibited (excluding VPN).
New Add a new firewall rule
Delete Delete rule
Protocol TCP, UDP, ICMP, all

TC ROUTER ... 3G/4G
Network security, Firewall [...]

From IP / To IP 0.0.0.0/0 means all IP addresses. To specify an address area,
From port / To port Only evaluated for TCP and UDP protocols
– any: any port
– startport-endport: a port range, e.g., 110 ... 120
Action – Accept: the data packets may pass through.
– Reject: the data packets are sent back. The sender is
informed of their rejection.
– Drop: the data packets are blocked. The sender is not
informed of their whereabouts.
4.12.2 Traffic forwarding
Port forwarding
The table contains the rules defined for IP and port forwarding. The device has one IP ad-
dress, which can be used to access the device externally. For incoming data packets, the
device can convert the specified sender IP address to internal addresses. This technique is
referred to as NAT (Network Address Translation). Using the port number, the data packets
can be redirected to the ports of internal IP addresses.
Figure 4-32 Network security, Traffic forwarding, Port forwarding

Network security, Traffic forwarding, Port forwarding

Traffic forwarding Setup forwarding – Port forwarding: port forwarding from the cellular net-
work to the local network
– Disabled: deactivated, see “Exposed host”
IP and port forwarding New Add a new firewall rule below the last rule
Delete Delete rule
Protocol Limitation of forwarding to one protocol (TCP, UDP or ICMP)
From IP / To IP 0.0.0.0/0 means all IP addresses. To specify an address area,
In Port / To Port Only evaluated for TCP and UDP protocols
– any: any port
– startport-endport: a port range, e.g., 110 ... 120
To IP IP address from the local network, incoming packets are for-
warded to this address
Masq For each individual rule, you can specify whether IP masquer-
ading is to be used.
– Yes: IP masquerading is activated, incoming packets
from the Internet are given the IP address of the router.
A response via the Internet is possible, even without a
default gateway.
– No: a response via the Internet is only possible with the
default gateway (default)

TC ROUTER ... 3G/4G
Exposed host
With this function, the router forwards all received external packets that do not belong to an
existing connection to an IP address in the LAN. The device can therefore be accessed
directly from the Internet as an “exposed host”. You can use the device as a server.
Figure 4-33 Network security, traffic forwarding, exposed host
Network security, Traffic forwarding, Exposed host

Traffic forwarding Setup forwarding – Exposed host: forwarding of all data traffic from the
cellular network to an Ethernet device in the local network
This access cannot be restricted via the firewall in the
cellular router.
– Disabled: deactivated, see “Port forwarding”
Exposed host Local exposed host IP address of the exposed host (server)
Allow external access IP addresses for incoming data links
from
0.0.0.0/0 means all IP addresses. To specify an address area,
Masquerade traffic to – Enabled: IP masquerading is activated, incoming pack-
exposed host ets from the Internet are given the IP address of the router.
A response via the Internet is possible, even without a
default gateway.
– Disabled: a response via the Internet is only possible with
the default gateway (default).
Log traffic to exposed – Enabled: IP connections are logged.
host – Disabled: IP connections are not logged (default).

4.12.3 Masquerading
For certain networks, you can specify whether IP masquerading is to be used. When IP
masquerading is active, the router replaces the sender IP address with the IP address of the
router for all data traffic packets. This assignment is saved in a table. In this way, the router
can transmit the answer back to the right destination.
The device supports a maximum of 16 rules for IP masquerading.
Figure 4-34 Network security, Masquerading
Network security, Masquerading

External NAT IP masquerading
(Masquerade) – Disabled: IP masquerading is deactivated
– Enabled: IP masquerading is activated. You can commu-
nicate via the Internet from a private, local network
(default).
New Add a new firewall rule
Delete Delete rule
From IP 0.0.0.0/0 means all IP addresses. To specify an address area,

TC ROUTER ... 3G/4G
4.12.4 Additional settings

General settings for network security can be made on this page.
Figure 4-35 Network security, Additional settings
Network security, Additional settings

Block outgoing If Windows®-based systems are installed in the local network,
netbios NetBIOS requests can result in data traffic and the associated
costs, where applicable.
– Disabled: outgoing NetBIOS requests are permitted.
– Enabled: outgoing NetBIOS requests are blocked
(default).
DNS service With the DNS service, network devices from the local network
can recode DNS names in the Internet into IP addresses.
– Disabled: the router forwards no DNS requests from the
LAN. Devices or programs cannot establish a connection
in the Internet via DNS.
– Enabled: DNS requests from the LAN are forwarded to
the Internet.
Drop invalid packets The firewall of the cellular router can filter and drop invalid or
damaged IP packets.
– Disabled: invalid IP packets are also sent.
– Enabled: invalid IP packets are dropped (default).
External ping (ICMP) A ping can be used to check whether a device in an IP network
can be accessed. During normal operation, responding to ex-
ternal ping requests results in data traffic and its associated
costs, where applicable.
– Disabled: if a ping request is sent from the external IP
network to the router, it is ignored (default).
– Enabled: if a ping request is sent from the external IP net-
work to the router, it is sent back.

Network security, Additional settings [...]

DoS protection TCP SYN request limit, – TCP: limit number of TCP connection requests
Ping request limit – PING: limit number of ping requests
(ICMP echo request)
No requests beyond the specified number per second are
accepted. In the case of an attack per TCP-SYN flood or ping
(ICMP) flood, the router can no longer be reached for the
duration of the attack, even for regular requests. No overload
situation can occur, however.
 Select a value that is large enough to ensure that your appli-
cation is not impaired, and small enough so that no unneces-
sary resources are needed.

TC ROUTER ... 3G/4G
4.13 VPN
Requirements for a VPN connection
A general requirement for a VPN connection is that the IP addresses of the VPN partners
are known and can be accessed. The device supports up to three IPsec connections and
up to three OpenVPN connections.
In order to successfully establish an IPsec connection, the VPN peer must support IPsec
with the following configuration:
– Authentication via X.509 certificate or pre-shared secret key
– Diffie-Hellman group 2 or 5
– 3DES or AES encryption
– MD5 or SHA-1 hash algorithms
– Tunnel mode
– Quick mode
– Main mode
– SA lifetime (one second to 24 hours)
The following functions are supported for OpenVPN connections:
– OpenVPN Client
– TUN device
– Authentication via X.509 certificate or pre-shared secret key (PSK)
– Static key
– TCP and UDP transmission protocol
– Keep Alive

4.13.1 IPsec
IPsec (Internet Protocol Security) is a secure VPN standard used for communication via IP
networks.
Figure 4-36 VPN, IPsec, Connections
VPN, IPsec, Connections

IPsec connections Monitor DynDNS Activate this function to check accessibility.
– If the VPN peer does not have a fixed IP address
– if a DynDNS name is used as the “Remote host”.
Check interval Enter the check interval in seconds.
IKE logging level Specify in what detail the events are saved to the logbook. If
you do not use an external SD card, extended entries are
overwritten again within a short time.
Enabled – Yes: VPN connection activated
– No: VPN connection deactivated
Name Assign a descriptive name to each VPN connection. The VPN
connection can be freely named or renamed.
Settings Click on Edit to specify the settings for IPsec (see page 72).
IKE Internet Key Exchange protocol for automatic key manage-
ment for IPsec
Click on Edit to specify the settings for IKE (see page 75).
Firewall, Edit You can filter the data traffic through the VPN tunnel with the
IPsec firewall. The settings are the same as for the general
application firewall under “Firewall” on page 63.

TC ROUTER ... 3G/4G
Settings, Edit
Figure 4-37 VPN, IPsec, Connections, Settings, Edit
VPN, IPsec, Connections, Settings, Edit

IPsec connection settings Name Name of the VPN connection entered under “IPsec connec-
tions”
VPN – Enabled: VPN connection activated
– Disabled: VPN connection deactivated
Remote host IP address or URL of the peer to which (or from which) the tun-
nel will be created.
“Remote host” is only used if “Initiate” has been selected
under “Remote connection” (the router establishes the con-
nection).
If “Remote connection” is set to “Accept”, the value “%any” is
set internally for “Remote host”. It therefore waits for a connec-
tion.

VPN, IPsec, Connections, Settings, Edit [...]

Authentication X.509 remote certificate: authentication method with X.509
certificate
With the X.509 certificate option, each VPN device has a
private secret key and a public key. The certificate contains
additional information about the certificate‘s owner and the
certification authority (CA).
Preshared secret key (PSK): authentication method

With a preshared secret key, each VPN device knows one
shared private key, one password. Enter this shared key in the
“Preshared Secret Key” field.
Remote certificate Certificate the router uses to authenticate the VPN peer
(remote certificate, .pem).
The selection list contains the certificates that have been
loaded on the router (see “Certificates” on page 78).
Local certificate Certificate used by the router to authenticate itself to the VPN
peer (machine certificate, PKCS#12)
The selection list contains the certificates that have been
loaded on the router (see “Certificates” on page 78).
Remote ID The Remote ID can be used to specify the name the router
uses to identify itself to the peer. The name must match the
data in the router certificate. If the field is left empty, the data
from the certificate is used.
Valid values:
– No entry (default). The “Subject” entry (previously Distin-
guished Name) in the certificate is used.
– Subject entry in the certificate
– One of the “Subject Alternative Names”, if they are listed
in the certificate. If the certificate contains “Subject Alter-
native Names”, these are specified under “Valid values:”.
These can include IP addresses, host names with “@”
prefix or e-mail addresses, for example.
Local ID The “Local ID” can be used to specify the name the router uses
to identify itself to the peer, see “Remote ID”.
Address remote IP address/subnet mask of the remote network to which the
network VPN connection is to be established

TC ROUTER ... 3G/4G

Address local network IP address/subnet mask of the local network
Specify the address of the network or computer which is con-
nected locally to the router here.
– “NAT to local network” set to “None” (default)
Actual IP address or subnet mask of the local network.
Specify the address of the network that is connected
locally to the router here.
– With activation of “Local 1:1 NAT” and “Remote masquer-
ading”
This virtual IP address/subnet mask enables the IP ad-
dresses for the remote network to be accessed via the
VPN tunnel. You must enter the same settings as the
remote network on the remote VPN router.
Connection NAT – None: no NAT within the VPN tunnel (default)
– Local 1:1 NAT: virtual IP addresses are used for commu-
nication via a VPN tunnel. These addresses are linked to
the real IP addresses for the set network that has been
connected. The subnet mask remains unchanged.
– Remote masquerading: as with “Local 1:1 NAT”, virtual
IP addresses are used for communication via a VPN tun-
nel. In addition, the sender IP address (source IP) is
replaced with the IP address of the router for all incoming
packets via a VPN tunnel. Devices in the local network
that cannot use a default gateway can therefore be
accessed via a VPN tunnel.
NAT to local network Enter the real IP address area for the local network here. Using
this address area, the local network can be accessed from the
remote network via 1:1 NAT. You can use this function, for ex-
ample, to access two machines with the same IP address via
a VPN tunnel.


Remote connection Side from which the connection is established
– Initiate: the router starts the VPN connection.
– Accept: the peer starts the VPN connection.
Additional settings:
– Initiate on Input...: VPN tunnel is started or stopped via
a digital input.
– Initiate on SMS: VPN tunnel is started via SMS. When
establishing the connection, you can define a time-out
after which the tunnel is automatically stopped.
– Initiate on call: VPN tunnel is started via a call. When es-
tablishing the connection, you can define a time-out after
which the tunnel is automatically stopped.
– Initiate on XML: VPN tunnel is started or stopped per
socket server, via an XML command.
Autoreset IPsec tunnel restarts at the set interval.
IKE, Edit
Figure 4-38 VPN, IPsec, Connections, IKE, Edit
VPN, IPsec, Connections, IKE, Edit

IPsec - Internet key Name Name of the VPN connection entered under “IPsec connec-
exchange settings tions”

TC ROUTER ... 3G/4G
VPN, IPsec, Connections, IKE, Edit [...]

IKE protocol Select an IKE version.
– initiate IKEv2: IKEv2 is preferred. A switch back to IKEv1
takes place in case of an erroneous connection attempt.
Phase 1 ISAKMP SA ISAKMP SA encryption Encryption algorithm
Key exchange Internet Security Association and Key Management Protocol
(ISAKMP) is a protocol for creating Security Associations (SA)
and exchanging keys on the Internet.
AES128 is preset as default.
The more bits an encryption algorithm has, the more secure it
is. The longer the key, the more time-consuming the encryp-
tion procedure.
ISAKMP SA hash Leave this set to SHA-1/MD5. It then does not matter whether
the peer works with MD5 or SHA-1.
ISAKMP SA lifetime The keys of an IPsec connection are renewed at defined inter-
vals in order to increase the difficulty of an attack on an IPsec
connection.
ISAKMP SA lifetime: lifetime in seconds of the keys agreed for
ISAKMP SA.
Default: 3600 seconds (1 hour)
Maximum: 86400 seconds (24 hours).
Phase 2 IPsec SA In contrast to Phase 1 ISAKMP SA (key exchange), the proce-
dure for data exchange is defined here. It does not necessarily
Data exchange
have to differ from the procedure defined for key exchange.
IPsec SA encryption See “ISAKMP SA encryption”
IPsec SA hash See “ISAKMP SA encryption”
IPsec SA lifetime Lifetime in seconds of the keys agreed for IPsec SA
Default: 28800 seconds (8 hours)
The maximum lifetime is 86400 seconds (24 hours).
Perfect forward – Yes: PFS activated
secrecy (PFS) – No: PFS deactivated

VPN, IPsec, Connections, IKE, Edit [...]

DH/PFS group Key exchange procedure, defined in RFC 3526 – More Modu-
lar Exponential (MODP) Diffie-Hellman groups for Internet
Key Exchange (IKE)
Perfect Forward Secrecy (PFS): method for providing in-
creased security during data transmission. With IPsec, the
keys for data exchange are renewed at defined intervals. With
PFS, new random numbers are negotiated with the peer in-
stead of being derived from previously agreed random num-
bers.
5/modp1536 – 2/modp1024
The following generally applies: the more bits an encryption
algorithm has (specified by the appended number), the more
secure it is. The longer the key, the more time-consuming the
encryption procedure.
Rekey The router may send a request to the peer for another
exchange of the key. The peer must support this.
Dead peer detection If the peer supports the Dead Peer Detection (DPD) protocol,
the relevant peers can detect whether or not the IPsec con-
nection is still valid and whether it needs to be established
again.
Behavior in the event that the IPsec connection is aborted:
– Off: no DPD
– On: DPD activated
– in “Restart” mode for VPN Initiate
– in “Clear” mode for VPN Accept
DPD delay Delay between requests for a sign of life
Duration in seconds after which DPD Keep Alive requests
should be transmitted. These requests test whether the peer
is still available.
Default: 30 seconds
DPD timeout Duration after which the connection to the peer should be de-
clared dead if there has been no response to the Keep Alive
requests.
Default: 120 seconds

TC ROUTER ... 3G/4G
4.13.1.1 Certificates
A certificate that has been loaded on the router is used to authenticate the router at the peer.
The certificate acts as an ID card for the router, which it shows to the relevant peer.
The procedure for creating an X.509 certificate is described under Section 5.5, “Creating
certificates”.
There are various certificate types:

– Remote or peer certificates contain the public key used to decode the encrypted data.
– Own or machine certificates contain the private key used to encrypt the data. The pri-
vate key is kept private. A PKCS#12 file is therefore protected by a password.
– The CA certificate or root certificate is the “mother of all certificates used”. It is used to
check the validity of the certificates.
By importing a PKCS#12 file, the router is provided with a private key and the corresponding
certificate. You can load several PKCS#12 files on the router. This enables the router to
show the desired machine certificate to the peer for various connections. This can be a self-
signed or CA-signed machine certificate.
To use a certificate that is installed, the certificate must be assigned under “VPN, IPsec,
Connections, Settings, Edit”. Click on “Apply” to load the certificate onto the router.
Figure 4-39 VPN, IPsec, Certificates

VPN, IPsec, Certificates

IPsec certificates Load remote Here you can upload certificates which the router can use for
certificate (.pem .cer authentication with the VPN peer.
.crt)
Under “VPN, IPsec, Connections, Settings, Edit”, one of
the certificates listed under “Remote certificate” or “Local cer-
tificate” can be assigned to each VPN connection.
Load own PKCS#12 Certificates that you received from the provider can be up-
certificate (.p12 .pfx) loaded here. The file must be in PKCS#12 format.
Under “VPN, IPsec, Connections, Settings, Edit”, one of
the certificates listed under “Remote certificate” or “Local cer-
tificate” can be assigned to each VPN connection.
Password: password used to protect the private key of the
PKCS#12 file. The password is assigned when the key is
exported.
Remote certificates Overview of the imported .cer/.crt certificates of the peers
Click on “Delete” to delete a certificate.
Own certificates Overview of own imported PKCS#12 certificates
Click on “Delete” to delete a certificate.
The green ticks indicate whether the PKCS#12 file contains a
CA certificate, a machine certificate or a private key.

TC ROUTER ... 3G/4G
4.13.2 OpenVPN
4.13.2.1 Connections
OpenVPN is a program for creating a virtual private network (VPN) via an encrypted con-
nection. The device supports three OpenVPN connections.
Figure 4-40 VPN, OpenVPN, Connections
VPN, OpenVPN, Connections

OpenVPN connections Enabled – Yes: defined VPN connection active
– No: defined VPN connection not active
Name Assign a descriptive name to each VPN connection. The VPN
Tunnel Click on “Edit” to specify the settings for OpenVPN (see “Tun-
nel, Edit” on page 81).
Advanced Click on “Edit” to specify advanced settings for OpenVPN (see
“Advanced, Edit” on page 83).

Tunnel, Edit
Figure 4-41 VPN, OpenVPN, Connections, Tunnel, Edit
VPN, OpenVPN, Connections, Tunnel, Edit

OpenVPN tunnel Name Assign a descriptive name to each VPN connection. The VPN
VPN – Disabled: VPN connection deactivated
– Enabled: VPN connection activated
Event Event for starting the OpenVPN connection
– Initiate: automatic start after router boots up
– Initiate on SMS: manual start via SMS message
You must also specify the number of minutes until the
VPN connection is to be stopped via Autoreset.
– Initiate on call: start via a call
You must also specify the number of minutes until the
VPN connection is to be stopped via Autoreset.
– Initiate on XML: manual start via XML socket server
– Initiate on Input #1 ... #2: manual start via switching
input
Remote host IP address or URL of the peer to which the tunnel will be cre-
ated.
Remote port Port of the peer to which the tunnel will be created (default:
1194)

TC ROUTER ... 3G/4G

Protocol Choose whether UDP or TCP will be used for transport.
LZO compression Choose whether data transmission for the OpenVPN connec-
tion will be compressed.
– Disabled: no OpenVPN compression
– Adaptive: adaptive OpenVPN compression
– Yes: OpenVPN compression
Allow remote float Activate this option in order to accept authenticated packets
from each IP address for the OpenVPN connection. This op-
tion is recommended when dynamic IP addresses are used
for communication.
Redirect default Activate this option in order to redirect all network communica-
gateway tion to external networks, e.g., requests via the Internet, via
this tunnel. The OpenVPN tunnel is used as the default gate-
way of the local network.
Local port Local port from which the tunnel is created (default: 1194)
Authentication X.509 certificate - authentication method: each VPN
device has a private secret key in the form of an X.509 certifi-
cate. The certificate contains additional information about the
certificate‘s owner and the certification authority (CA).
Pre-shared secret key: each VPN device knows one shared
private key. Load this shared key as a “Static key” (see
page 85).
Local certificate Certificate used by the router to authenticate itself to the VPN
peer
HMAC authentication Select encryption type (Keyed-Hash Message Authentication
Code)
TLS authentication key TLS key used to encrypt communication
Check remote Check the OpenVPN connection certificates.
certificate type
Connection NAT – None: no NAT within the VPN tunnel (default)
– Local 1:1 NAT: virtual addresses are used for communi-
cation via a VPN tunnel. The virtual addresses are linked
to the real IP addresses for the set network that has been
connected. The subnet mask remains unchanged.
Address local network Virtual IP address/subnet mask of the local network
This virtual IP address enables the IP addresses for the
remote network to be accessed through the VPN tunnel. You
must enter the same settings as the remote network on the
remote VPN router.


NAT to local network Enter the real IP address area for the local network here. Using
this address area, the local network can be accessed from the
remote network via 1:1 NAT. You can use this function, for ex-
ample, to access two machines with the same IP address via
a VPN tunnel.
Encryption Choose the encryption algorithm for the OpenVPN connec-
tion.
Keep alive Duration in seconds after which Keep Alive requests will be
transmitted. These requests test whether the peer is still avail-
able.
Default: 30 seconds
Restart Period of time after which the connection to the peer should be
restarted, if there has been no response to the Keep Alive
requests.
Default: 120 seconds
Advanced, Edit
Figure 4-42 VPN, OpenVPN, Connections, Advanced, Edit
VPN, OpenVPN, Connections, Advanced, Edit

OpenVPN tunnel advanced Name Name of the VPN connection entered under “OpenVPN con-
nections”

TC ROUTER ... 3G/4G
VPN, OpenVPN, Connections, Advanced, Edit

TUN-MTU Maximum IP packet size that may be used for the OpenVPN
connection.
Default: 1500
MTU = Maximum Transmission Unit
Fragment Maximum size for unencrypted UDP packets that are sent
through the tunnel. Larger packets are sent in fragments.
Default: 1450
“Fragment” is deactivated if the box is unchecked (default).
MSS fix Maximum size for TCP packets that are sent via a UDP tunnel
The maximum packet size in bytes is used for the TCP con-
nection through the OpenVPN tunnel.
“MSS fix” is deactivated if the box is unchecked (default).
When “Fragment” and “MSS fix” are active, the value for MSS
fix is specified automatically. The value cannot be modified
manually.
Renegotiate key Lifetime in seconds of the keys agreed
interval
Default: 3600 seconds (one hour)
The keys of the OpenVPN connection are renewed at defined
intervals in order to increase the difficulty of an attack on the
OpenVPN connection.
4.13.2.2 Port forwarding

Configuration as described under “Port forwarding” on page 64
4.13.2.3 Certificates
Upload the certificates as described under “Certificates” on page 78

4.13.2.4 Static keys (pre-shared secret key authentication)

Static key authentication is based on a symmetrical encryption method where the commu-
nication partners first exchange a shared key via a secure channel. All tunnel network traffic
is then encrypted using this key. Network traffic can then be decoded by anyone who has
this key.
Figure 4-43 VPN, OpenVPN, Static keys
VPN, OpenVPN, Static keys

OpenVPN static keys Generate static key Generates a key for the OpenVPN connection. You can store
this key locally on the computer.
Load static key Loads the key on the cellular router.
Static keys Keys stored in the router

TC ROUTER ... 3G/4G
4.14 I/O
The router has two integrated digital switching inputs and one integrated digital switching
output for alarms and switching.
4.14.1 Inputs
The inputs can be used to send alarms by SMS or e-mail. Each input can be configured
individually. Please note that inputs that are used to start a VPN connection, for example,
cannot also be used to send alarms.
Figure 4-44 I/O, Inputs
I/O, Inputs
Inputs High, Low • Select if a message should be sent at a “High” level or a
“Low” level.
• Click on “Apply”.
• Choose whether you want to be alerted by SMS or e-mail.
• Click on “Edit”.
• Enter the following for an SMS message:
– Recipient from the phonebook
– Message text
• Enter the following for an e-mail alert:
– To: recipient
– Cc: recipient of a copy
– Subject
– Message text

4.14.2 Outputs
The outputs can be switched remotely or, alternatively, provide information about the status
of the router. Each output can be configured individually.
Figure 4-45 I/O, Outputs
I/O, Outputs
Outputs – Manual: manual switching of the output via the web-
based management
– Remote controlled: remote switching via SMS or socket
server. Automatic reset of the output can be used as an
option. To do this, activate “Autoreset” and specify the du-
ration in minutes.
– Radio network: the output is switched if the router is
logged in to a cellular network.
– Packet service: the output is switched if the router has
established a packet data connection and received a val-
id IP address from the provider.
– VPN service: the output is switched if the router has es-
tablished a VPN connection.
– Incoming call: the output is switched if the router is
called by a phone number listed in the phonebook.
– Connection lost: the output is switched if the router con-
nection check does not reach the configured reference
address.
Autoreset Duration in minutes until the output is reset automatically

TC ROUTER ... 3G/4G
4.14.3 Phonebook
Enter phone numbers here:
– For the recipients of alarm SMS messages
– For those authorized to switch the outputs
Figure 4-46 I/O, Phonebook

4.15 System
4.15.1 System configuration

Set the basic options for web-based management and router logging here. The router can
store log files on an external log server via UDP.
Figure 4-47 System, System configuration
System, System configuration

System configuration Remote UDP logging – Disabled: no external logging
– Enabled: logging on external server activated.
Server IP address IP address of the log server
Server port Log server port (default: 514)
Non volatile log – SD card: permanent logging on microSD card
– Disabled: temporary logging
Load configuration – Disabled: configuration is not loaded automatically when
the router is started
– SD card: configuration is loaded automatically from a
microSD card when the router is started

TC ROUTER ... 3G/4G
System, System configuration

Configuration unlock – Once: a configuration is loaded once from a microSD
card next time the router is started.
– Always: a configuration is loaded from a microSD card
every time the router is started.
– By input 1: a configuration is loaded from a microSD
card, controlled via switching input 1
– By input 2: a configuration is loaded from a microSD
card, controlled via switching input 2
Reset button – Web access reset: the IP address and access data for
the administrator are reset to the default settings via the
reset button. The configuration is retained.
– Factory reset: the device is completely reset to the deliv-
ery state via the reset button. The configuration will be
deleted.
Disable IPsec You can switch off the IPsec function of the router completely.
Connect LED function – Internet connectivity: packet data connection via
cellular network active
– VPN connectivity: VPN connection active (IPsec or
OpenVPN)
Energy saving mode – None: no energy-saving mode
– Initiate on input 1: energy-saving mode, activated via
switching input 1.
– Initiate on input 2: energy-saving mode, activated via
switching input 2.
Radio engine: energy-saving mode deactivates the radio
engine. If energy-saving mode is active, cellular communica-
tion is no longer possible.
Ethernet LAN1/2: energy-saving mode deactivates Ethernet
interface LAN 1/2. If energy-saving mode is active, communi-
cation is no longer possible via this interface.

4.15.2 User, password change
Figure 4-48 System, User
System, User
User setup admin Password for unrestricted access to all areas
user Password for restricted access (only read access)

TC ROUTER ... 3G/4G
4.15.3 Log file

The router log file can be used to diagnose various events and operating states. The log file
is a form of circulating storage where the oldest entries are overwritten first.
Figure 4-49 System, Log file
System, Log file

Log file Rotate You can create a new file on the SD card. The results are then
also written to this file. With the “Save” button, you always only
download the last file. This prevents you from having to trans-
mit too large a file via the cellular network volume. The history
on the SD card is retained.
You can view the complete log file only from the SD card on
location.
“Rotate” is only visible when an SD card is inserted.
Save Save log file as text file on local computer

4.15.4 E-mail configuration

To send alarms by e-mail, the e-mail server via which these alerts are sent can be config-
ured here. The e-mail server must support the SMTP protocol.
Figure 4-50 System, E-mail configuration
System, E-mail configuration

E-mail configuration SMTP server Host name or IP address of the e-mail server
– Local: the IP packets for the SMTP server are sent from
the local network interface with the IP address of the local
interface (LAN).
– Wireless network: the IP packets for the SMTP server
are sent from the cellular network interface with the IP ad-
dress assigned by the provider.
Server port E-mail server port (default: 25)
Transport layer – None: unencrypted connection to e-mail server
security – STARTTLS: STARTTLS-encrypted connection to the
e-mail server
– SSL/TLS: SSL/TLS-encrypted connection to the e-mail
server

TC ROUTER ... 3G/4G
System, E-mail configuration [...]

Authentication – No authentication: no authentication required.
– Plain password: authentication with user name and
password. User name and password are transmitted in
unencrypted form.
– Encrypted password: authentication with user name
and password. User name and password are transmitted
in encrypted form.
User name User name for login to the e-mail server
Password Corresponding password for login to the e-mail server
From E-mail address of the sender

4.15.5 Configuration up-/download

You can save the active configuration to a file and load prepared configurations via WBM.
Figure 4-51 System, Configuration up-/download
System, Configuration up-/download

Configuration Download To save the active configuration to a microSD card, select the
up-/download “SD card” option under “Download”.
Click on “Save” to save the active configuration locally to a file.
Enable the “XML format” option to save the router configura-
tion as an editable XML structure.
Upload To load a configuration from the microSD card, select the “SD
card” option under “Upload”.
Import a saved configuration. Click on the “Browse” button to
select the configuration that is to be imported. Click on “Apply”
to load the selected configuration (cfg format or XML format).
Reset to factory Click on “Apply” to reset the router to the default state upon
defaults delivery. This will reset all settings, including IP settings.
Imported certificates remain unaltered.

TC ROUTER ... 3G/4G
4.15.6 Date/time
Figure 4-52 System, date/time
System, Date/time
Date/time System time You can set the time manually if no NTP server (time server)
has been set up or the NTP server cannot be reached.
Time synchronisation – Enabled: the router synchronizes the time and date with
a time server. Initial time synchronization can take up to
15 minutes. During this time, the router continuously com-
pares the time data of the external time server and that of
its own clock. The time is thus adjusted as accurately as
possible. Only then can the router act as the NTP server
for the devices connected to the LAN interface. The router
then provides the system time.
– Disabled: the router does not adjust the system time
automatically.

System, Date/time [...]

NTP server NTP = Network Time Protocol
The router can act as the NTP server for the devices con-
nected to the LAN interface. In this case, the devices should
be configured so that the local address of the router is speci-
fied as the NTP server address. For the router to act as the
NTP server, it must obtain the current date and time from an
NTP server (time server). In order to do this you must specify
the address of a time server. In addition, NTP synchronization
must be set to “Enabled”.
A green tick is displayed following successful time synchroni-
zation with the time server.
– Local: the specified NTP server can be accessed with the
IP address of the local interface (LAN). Activate this op-
tion if the NTP server can be accessed in the local LAN or
via a VPN tunnel.
– Wireless network: activate this option if the NTP server
is on the Internet (default).
Time zone Select the time zone.
Daylight saving time – Disabled: daylight savings is not taken into account.
– Enabled: daylight savings is taken into account.
Time server for local Time server for the local network
network

TC ROUTER ... 3G/4G
4.15.7 Reboot
Figure 4-53 System, reboot
System, Reboot
Reboot Reboot NOW! Restart the router
Any active data transmissions will be aborted.
 Do not trigger a reboot while data transmission is active.
Daily reboot Define the day of the week on which the router will be restarted
at the specified time.
Following a reboot, it is necessary to log in to the cellular net-
work again. The provider resets the data link and calculates
charges. Regular rebooting provides protection against the
provider aborting and re-establishing the connection at an
unforeseeable point in time.
Time Time specified in Hours:Minutes
Event Choose the digital input with the “High” signal which will be
used to restart the router if required.
Make sure that, following a restart, the signal is “Low” again.
This ensures that the router starts up normally.

4.15.8 Firmware update
Figure 4-54 System, Firmware update
System, Firmware update

Device firmware update Updates ensure that you can benefit from function extensions
and product updates.
Updates can be downloaded at: phoenixcontact.net/products.
Install firmware update:
• Click on “Browse” and select the update file with the ex-
tension *.fw.
• To ensure that the active configuration is retained follow-
ing the update, select the “Keep configuration” option.
• Click on “Install firmware”.
• The ERR LED and CON LED flash alternately during the
update. Wait until the update is complete and the router
restarts automatically.
 Do not start the router manually. Do not interrupt the
power supply during the update process.
Package update If necessary you can also just update individual router func-
tions.

TC ROUTER ... 3G/4G

Creating X.509 certificates
5 Creating X.509 certificates

Certificates are required for a secure VPN connection. Certificates can be acquired from
certification authorities or you can create them using the appropriate software. In this exam-
ple, X.509 certificates are created using Version 0.9.3 of the XCA program.
The XCA program can be downloaded at http://xca.sourceforge.net.
5.1 Installation
• Start the setup file. Follow the instructions in the setup program.
5.2 Creating a new database

• Start the XCA program.
• Create a new database via “File, New Database”.
Figure 5-1 Creating a new database

TC ROUTER ... 3G/4G
• Assign a password to encrypt the database.
Figure 5-2 Assigning a password
5.3 Creating a CA certificate

First of all, create a Certification Authority (CA) certificate. This root certificate acts as an
entity that certifies and authenticates. It signs all certificates that are derived from it and thus
guarantees the authenticity of these certificates.
• Switch to the “Certificates” tab.
• Create a new certificate.
In the program window shown, there is already a preset self-signed certificate with the sig-
nature algorithm SHA-1.
Figure 5-3 Creating a new CA certificate

• On the “Subject” tab, enter the information about the owner of the root certificate.
Figure 5-4 Entering information about the owner (subject)
• Create a key for this certificate. The default name, key type, and key size can be
retained.
Figure 5-5 Creating a key

TC ROUTER ... 3G/4G
The period of validity of the certificate is specified on the “Extensions” tab. The root certifi-
cate must be valid for longer than the machine certificates that are to be created later. In this
example, the validity is set to ten years.
• Set the certificate type to “Certification Authority”.
• Activate all the options as shown in Figure 5-6.
Figure 5-6 Setting the validity and type for the CA certificate
• Click OK.
The certificate has been created. A new root certificate from which further machine certifi-
cates can be derived now appears in the overview.
Figure 5-7 CA certificate created

5.4 Creating templates

By using templates, you can create machine certificates quickly and easily.
• Go to the “Templates” tab.
• Create a new template for a terminal certificate.
• When prompted about template values, select “Nothing”.
Figure 5-8 Creating a new template
• Default settings for the certificates to be created later can be made on the “Subject” tab.
The name must be specified in the relevant certificates. The text specified in the angle
brackets is a placeholder which is replaced when the template is applied.
Figure 5-9 Creating a template, entering information about the owner (subject)

TC ROUTER ... 3G/4G
• On the “Extensions” tab, set the certificate type to “End Entity” as the template should
be valid for machine certificates.
• The validity of the certificates to be created is 365 days in this example. Once the end
date has elapsed, the certificates can no longer be used.
Figure 5-10 Creating a template, entering the validity and type of certificate
• Click OK.
The template has been created. You can now use the template as a basis to create certifi-
cates signed by the root certificate.

5.5 Creating certificates

• To create certificates based on the template, switch to the “Certificates” tab.
• Create a new certificate.
• A program window opens. On the “Source” tab, the root certificate that is to be used for
signing is specified. In addition, you can select a template that was created earlier. The
data is imported when you click on “Apply all”.
Figure 5-11 Creating a certificate

TC ROUTER ... 3G/4G
The fields on the “Subject” tab will now either be empty or they will contain the defaults from
the imported template. When entering information on this tab, please note that the certifi-
cates must differ at least with regard to their name (internal name and common name). For
example, the equipment identification of the machine or the location can be specified as the
name here.
Figure 5-12 Creating a certificate, “Subject” tab
• Create a new private key for this certificate.
Figure 5-13 Creating a key for a certificate
• Click OK.
You have now created a machine certificate signed by the Certification Authority (CA).

5.6 Exporting certificates

In order to use the machine certificate in a router, you must export the certificate.
• Select the desired certificate from the list.
• Click on “Export”.
Figure 5-14 Selecting a certificate for export
The complete certificate, including the private key and the CA certificate, must be in “PKCS
#12 with Certificate Chain” format. You can then upload it to the relevant device as a
machine certificate.
Figure 5-15 Exporting a certificate

TC ROUTER ... 3G/4G
For security reasons, the machine certificate is protected with a password of your choice.
• Enter the password. You need the password in order to load the machine certificate on
the relevant device.
Figure 5-16 Entering the password
• The certificate for the peer must also be exported. This certificate is stored in PEM for-
mat without the private key.
Figure 5-17 Exporting the peer certificate

Device replacement, device defect and repair
6 Device replacement, device defect and repair
6.1 Device replacement
NOTE: Device damage

Only mount and remove devices when the power supply is disconnected!
You can replace the device if necessary.

• Disconnect the device from the power supply.
• Remove all cables.
• Remove the SIM card.
• Remove the device as described in “Removal” on page 16.
Replace the device with an identical device (the same Order No.).
6.2 Device failure and repair

Repairs may only be carried out by Phoenix Contact.
• Send defective devices back to Phoenix Contact for repair or to receive a replacement
device.
• We strongly recommend using the original packaging to return the product.
• Include a note in the packaging indicating that the contents are returned goods.
• Include an error description with the returned product.
• If the original packaging is no longer available, observe the following points:
– Observe the humidity specifications and the temperature range specified for trans-
port (see “Ambient conditions” on page 117).
– Use dehumidifying agents if necessary.
– Use suitable ESD packaging to protect components that are sensitive to electro-
static discharge.
– Make sure that the packaging you select is large enough and sufficiently thick.
– Only use plastic bubble wrap sheets as wadding.
– Attach warnings to the transport packaging so that they are clearly visible.
– Please ensure that the delivery note is placed inside the package if the package is
to be shipped domestically. However, if the package is being shipped internation-
ally, the delivery note must be placed inside a delivery note pocket and attached to
the outside so that it is clearly visible.

TC ROUTER ... 3G/4G
7 Maintenance and disposal
7.1 Maintenance
The device is maintenance-free.
7.2 Disposal
Dispose of the device separately from other waste, i.e., via an appropriate collection site.
• Dispose of packaging materials that are no longer needed (cardboard packaging,

paper, bubble wrap sheets, etc.) with household waste in accordance with the currently
applicable national regulations.

Technical data
8 Technical data
8.1 Ordering data
For Europe Type Order No. Pcs./Pkt.

Industrial LTE 4G router, fallback to 3G UMTS/HSPA TC ROUTER 2002T-4G 2702530 1
and 2G GPRS/EDGE, 2 Ethernet interfaces, firewall, NAT,
2x SMA-F antenna socket, SMS and e-mail transmission,
2 digital inputs, 1 digital output
+ IPsec and OpenVPN support TC ROUTER 3002T-4G 2702528 1
Industrial 3G router, fallback to 2G GPRS/EDGE, TC ROUTER 2002T-3G 2702531 1
2 Ethernet interfaces, firewall, NAT, SMA-F antenna
socket, SMS and e-mail transmission, 2 digital inputs,
1 digital output
+ IPsec and OpenVPN support TC ROUTER 3002T-3G 2702529 1
#
For the North American market

Industrial LTE 4G router, 2 Ethernet interfaces, firewall,
NAT, IPsec and OpenVPN support, 2x SMA-F antenna
socket, SMS and e-mail transmission, 2 digital inputs,
1 digital output
Version for Verizon Wireless (US) TC ROUTER 3002T-4G VZW 2702532 1
Version for AT&T (US), fallback to 3G UMTS/HSPA TC ROUTER 3002T-4G ATT 2702533 1

TC ROUTER ... 3G/4G
8.1.1 Accessories
Power supply Type Order No. Pcs./Pkt.

Primary-switched TRIO POWER power supply with push- TRIO-PS- 2903147 1
in connection for DIN rail mounting, input: 1-phase, output: 2G/1AC/24DC/3/C2LPS
24 V DC/3 A C2LPS
Antennas and antenna cables

Multiband cellular antenna with SMA circular connector,
suitable for LTE/4G
For EU devices, with mounting bracket for outdoor TC ANT MOBILE WALL 5M 2702273 1
installation, 5 m antenna cable
For US devices, wall-mounted, 0.5 m antenna cables TC ANT MOBILE WALL 0,5M 2702274 1
Cellular antenna cable, SMA (male) -> SMA (female),
50 ohm impedance
5m PSI-CAB-GSM/UMTS- 5M 2900980 1
10 m PSI-CAB-GSM/UMTS-10M 2900981 1
Push-in plug and surge protection

PCB connector, nominal current: 8 A, number of positions: FK-MCP 1,5/ 5-ST- 1105115 50
5, pitch: 3.81 mm, connection method: Push-in spring 3,81GY35BD-01
connection, color: light gray, contact surface: tin
Attachment plug with LAMBDA/4 technology as surge CSMA-LAMBDA/4-2.0-BS- 2800491 1
protection for coaxial signal interfaces SET
Connection: plug/socket SMA connectors
License
License for mGuard Secure VPN Client v11.x MGUARD SECURE VPN 2702579 1
CLIENT LIC

Technical data
8.2 Technical data
Supply TC ROUTER ...-4G... TC ROUTER ...-3G

Supply voltage range 10 V DC ... 30 V DC (SELV, via COMBICON pluggable screw terminal block)
Typical current consumption < 200 mA (24 V DC)
65 mA (with activated energy-saving mode)
Maximum current consumption 1.7 A
Electrical isolation VCC // LTE // Ethernet // PE VCC // UMTS // Ethernet // PE
Functions TC ROUTER 3002T... TC ROUTER 2002T...

Management Web-based management, SNMP
Firewall rules Stateful inspection firewall
Filtering IP, port, protocol
Number of VPN tunnels 3 -
1:1 Network Address Translation Supported -
(NAT) in the VPN
Encryption methods 3DES, AES-128, -192, -256 -
Internet Protocol Security (IPsec) ESP tunnel -
mode
Authentication X.509v3, PSK -
Data integrity MD5, SHA-1 -
Dead Peer Detection (DPD) RFC 3706 -
Ethernet interface, 10/100Base-T(X), in accordance with IEEE 802.3u

Number of channels 2 (SELV)
Connection method RJ45 socket, shielded
Serial transmission speed 10/100 Mbps, auto-negotiation
Transmission length 100 m (twisted pair, shielded)
Supported protocols TCP/IP, UDP/IP, FTP, HTTP(S)
Secondary protocols ARP, DHCP, PING (ICMP), SNMP V1/V2, SMTP(S), NTP, SSL/TLS, STARTTLS

TC ROUTER ... 3G/4G
Wireless interface TC ROUTER 3002T TC ROUTER 3002T TC ROUTER 3002T TC ROUTER 3002T
-4G -3G -4G VZW -4G ATT
TC ROUTER 2002T TC ROUTER 2002T
-4G -3G
Interface description GSM / GPRS / GSM / GPRS / LTE (FDD) LTE (FDD) / UMTS /
EDGE / UMTS / EDGE / UMTS / HSPA
HSPA / LTE (FDD) HSPA
Frequency 850 MHz 850 MHz 700 MHz (LTE B13) 850 MHz
(EGSM, 2 W) (EGSM, 2 W) 1700 MHz (LTE B4) (UMTS/HSPA B5)
900 MHz 900 MHz 1900 MHz
(EGSM, 2 W) (EGSM, 2 W) (UMTS/HSPA B2)
1800 MHz 1800 MHz 700 MHz (LTE B13 /
(EGSM, 1 W) (EGSM, 1 W) B17)
1900 MHz 1900 MHz 850 MHz (LTE B5)
(EGSM, 1 W) (UMTS/HSPA B2) 1700 MHz (LTE B4)
850 MHz 2100 MHz 1900 MHz (LTE B2)
(UMTS/HSPA B5) (UMTS/HSPA B1)
900 MHz
(UMTS/HSPA B8)
1900 MHz
(UMTS/HSPA B2)
2100 MHz
(UMTS/HSPA B1)
800 MHz (LTE B20)
850 MHz (LTE B5)
900 MHz (LTE B8)
1800 MHz (LTE B3)
1900 MHz (LTE B2)
2100 MHz (LTE B1)
2600 MHz (LTE B7)
Data rate ≤ 150 Mbps ≤ 21.6 Mbps (HSPA ≤ 150 Mbps (LTE (DL))
(LTE (DL)) (DL))
≤ 50 Mbps (LTE (UL))
≤ 50 Mbps ≤ 5.76 Mbps (HSPA
(LTE (UL)) (UL))
Antenna 50 Ω impedance, SMA antenna socket
SIM interface 1.8 V, 3 V
GPRS Class 12, Class B -
CS1 ... CS4
EDGE Multislot Class 10 -
UMTS HSPA 3GPP R9 HSPA 3GPP R7 - HSPA 3GPP R9
LTE CAT4 - CAT4 CAT4

Technical data
Digital input
Number of inputs 2
Voltage input signal 10 V DC ... 30 V DC
Switching level “1” signal 10 V DC ... 30 V DC
Digital output
Number of outputs 1 (resistive load)
Voltage output signal 10 V DC ... 30 V DC (depending on the operating voltage)
Current output signal ≤50 mA (not short-circuit-proof)
General data
Management Web-based management, SNMP
Degree of protection IP20 (manufacturer‘s declaration)
Pollution degree 2 (indoor use only)
Dimensions (W/H/D) 45 mm x 130 mm x 126 mm
Housing material Plastic, gray
Vibration resistance in accordance 5g, 10 ... 150 Hz, 2.5 h, in XYZ direction
with EN 60068-2-6/IEC 60068-2-6
Shock in accordance with 15 g
EN 60068-2-27/IEC 60068-2-27
Immunity in accordance with EN 61000-6-2
Electromagnetic compatibility Conformance with EMC directive 2014/30/EU
Ambient conditions TC ROUTER ...-4G... TC ROUTER ...-3G

Ambient temperature (operation)
Operation -40°C ... 70°C -40°C ... 70°C
(maximum transmission power of 5 dBm) (maximum transmission power of
-40°C ... 60°C 10 dBm)
(maximum transmission power of -40°C ... 60°C
23 dBm) (maximum transmission power of
23 dBm)
Storage/transport -40°C … 85°C
Permissible humidity
Operation 30% ... 95% (non-condensing)
Storage/transport 30% ... 95% (non-condensing)
Altitude 5000 m (for restrictions see manufacturer‘s declaration)

TC ROUTER ... 3G/4G
Approvals TC ROUTER 3002T-4G TC ROUTER 3002T-4G VZW

TC ROUTER 3002T-3G TC ROUTER 3002T-4G ATT
TC ROUTER 2002T-4G
TC ROUTER 2002T-3G
Conformance CE-compliant -
UL, USA/Canada - Class I, zone 2, AEx nA IIC T4 / Ex nA IIC
T4 Gc
Class I, Div. 2, Groups A, B, C, D T4
Corrosive gas test ISA-S71.04-1985 G3 Harsh Group A
Conformance with EMC directive 2014/30/EU

Noise immunity in accordance with EN 61000-6-2
Electrostatic discharge EN 61000-4-2
Contact ±6 kV (test intensity 3)
discharge
Air discharge ±8 kV (test intensity 3)
Comment Criterion B
Electromagnetic HF field EN 61000-4-3
Frequency range 80 MHz ... 3 GHz (test intensity 3)
Field strength 10 V/m
Comment Criterion A
Fast transients (burst) EN 61000-4-4
Input ±2 kV (test intensity 3)
Signal ±2 kV (Ethernet)
Comment Criterion B
Surge current loads (surge) EN 61000-4-5
Input ±0.5 kV (symmetrical)
±1 kV (asymmetrical)
Signal ±1 kV (data cable, asymmetrical)
Comment Criterion B
Conducted interference EN 61000-4-6
Frequency range 0.15 MHz ... 80 MHz
Voltage 10 V
Comment Criterion A
Noise emission in accordance with EN 61000-6-4

Radio interference voltage in accordance with EN 55011 Class B, industrial and residential applications
Emitted radio interference in accordance with EN 55011 Class B, industrial and residential applications
Criterion A Normal operating behavior within the specified limits

Criterion B Temporary impairment of operating behavior that is corrected by the device itself.

Technical data
RED directive 2014/53/EU

EMC - immunity to interference (electromagnetic compatibil- EN 61000-6-2 Generic standard for the
ity of wireless systems) industrial sector
Safety – Protection of personnel with regard to electrical EN 60950
safety
Health – Limitation of exposure of the population to electro- Official Journal of the Euro- Recommendation of the
magnetic fields pean Union 1999/519/EC Council of the European
Community from
July 12, July 1999
Radio – Effective use of the frequency spectrum and avoid- DIN EN 301511
ance of radio interference
8.3 Dimensions
45 127,5
US
ERR
CON
Micro SD
Micro
SD
LAN 1 LAN 2
130
ANT 1
ANT 2
TC ROUTER
SIM
24V 0V I1 I2 01
Figure 8-1 Dimensions

TC ROUTER ... 3G/4G

A Technical appendix
A1 XML elements
Table A-1 Data definitions of the XML elements used
Category XML element Description

Info Device group
serialno Device serial number
hardware Hardware version of the device
firmware Firmware release
wbm Web-based management version
imei IMEI of the SIM card
Info Radio group
provider Name of the provider (text)
rssi Received signal strength (decimal number 0 ... 99)
0 -113 dBm or less
1 -111 dBm
2 ... 30 -109 dBm ... -53 dBm
31 -51 dBm or more
99 Not measured yet or not to be determined
creg Status of registration in the cellular network (decimal number 0 ... 5)
0 Not registered, not searching for cellular network
1 Registered in home network
2 Not registered yet, searching for cellular network
3 Registration rejected
4 Not used
5 Registered in another network (roaming)
lac Location Area Code (LAC) of the device in a cellular network (hexadecimal
number, maximum of 4 digits)
ci Cell ID, unique identification of the radio cell within the LAC (hexadecimal
number, maximum of 8 digits)

TC ROUTER ... 3G/4G

Category XML element [...] Description [...]
Info packet Packet data status (decimal number 0 ... 8)
0 Offline (no Internet connection)
1 Online (Internet connection)
2 GPRS online
3 EDGE online
4 UMTS online
5 HSDPA online
6 HSUPA online
7 HSDPA+HSUPA online
8 LTE online
simstatus Status of the SIM card (decimal number 0 ... 5)
0 Unknown
1 No SIM card
2 Waiting for PIN
3 Incorrect PIN entered
4 Waiting for PUK
5 Ready
Info Inet group
ip IP address of the packet data connection on the Internet
rx_bytes Number of data bytes received so far
(decimal number 0 ... 4294967295)
tx_bytes Number of data bytes transmitted so far
(decimal number 0 ... 4294967295)
mtu Maximum Transmission Unit (MTU), the maximum packet size, in bytes, in
the packet data network (decimal number 128 ... 1500)
Info IO group Returned data type, depends on server configuration
Verbose Response in words, e.g., on/off
Numeric Short numerical response, e.g., 1/0
gsm Binary status of the GSM/UMTS connection
inet Binary status of the Internet connection (packet data connection)
vpn Binary status of the VPN tunnel
SMS Send SMS (cmgs)
destaddr National or international telephone number of the recipient (160 characters
maximum)
The UTF-8 coded text is specified in the element content. The text may con-
sist of characters that are defined in the GSM 03.38 6.2.1 default alphabet.
However, coding must be in UTF-8 as per the XML rules.

XML elements

Category XML element [...] Description [...]
SMS Receive SMS (cmgr,
UTF-8 text)
origaddr National or international telephone number of the sender
timestamp Time of SMS transmission
error Error type (decimal number 1 ... 3)
1 Empty = no SMS message received
2 Busy = try again later
3 System error = communication problem with the radio engine
SMS Acknowledge SMS If communication with the GSM/UMTS control program is possible, “ok” is
receipt (cmga, text) always returned.
error Error type (decimal number 8)
Only returned if an error is present. In this case “system error” is returned in
the cmga element of the error test.
E-mail E-mail
to E-mail address
cc E-mail subject, UTF-8 coded text
body E-mail message, UTF-8 coded text
IO Input element (input)
no Decimal number 1 ... 6
IO Output element (out-
put)
no Decimal number 1 ... 6
value Returned data type depending on server configuration. Both variants are
recognized to set or reset outputs:
Verbose Response in words, e.g., on/off
Numeric Short numerical response, e.g., 1/0

TC ROUTER ... 3G/4G
A2 Structure of the XML configuration file

You can configure the device using an XML file. The device can export and also import XML
files.
A 2.1 XML file format

A valid XML file contains:
– A header which distinguishes the file as XML
– A <config> “root” element
After the <config> element, only the <entry> element is used to specify settings:
<config>
<entry name="...">...</entry>
...
</config>
Only “name” is used as an attribute in the <entry> element. This attribute determines where
the data is placed in the file tree. As defined in the header, all data must be specified in the
UTF-8 character set.
Line breaks in the data are specified as escape sequences: “
”.
A 2.2 Reference to <entry> element

The described reference is valid as of release 2.01.8.
A 2.3 Local network settings
LAN interface
<entry name="conf/network/interface/lan/ipaddr">192.168.0.1</entry>
<entry name="conf/network/interface/lan/netmask">255.255.255.0</entry>
<entry name="conf/network/interface/lan/proto">static</entry>
<entry name="conf/network/interface/lan/ipalias"># IP
alias
#
let alias_cnt=0</entry>
<entry name="conf/network/interface/lan/devlist"></entry>
<entry name="conf/network/interface/lan/ifname">eth0</entry>
<entry name="conf/network/interface/lan/mode">auto</entry>
<entry name="conf/network/interface/lan/type">ethernet</entry>
The ./devlist, ./ifname, ./mode, and ./type elements must not be modified. They are also not
modified by settings on the configuration page.
./ipaddr IPv4 address of the device

./netmask IPv4 netmask
./proto Type of address assignment: “static” or “dhcp”
./ipalias This value represents a special list and should only be modified via
the configuration page.

Structure of the XML configuration file
DHCP server
<entry name="conf/network/dhcp/lan/enable">0</entry>
<entry name="conf/network/dhcp/lan/domain">example.net</entry>
<entry name="conf/network/dhcp/lan/lease">24h</entry>
<entry name="conf/network/dhcp/lan/dynamic">0</entry>
<entry name="conf/network/dhcp/lan/addr1">192.168.0.10</entry>
<entry name="conf/network/dhcp/lan/addr2">192.168.0.30</entry>
<entry name="conf/network/dhcp/lan/hosts"># DHCP hosts
#</entry>
<entry name="conf/network/dhcp/lan/names"># DHCP names
#</entry>
<entry name="conf/network/dhcp/lan/options"># DHCP options
#</entry>
./enable DHCP server

0 Off
1 On
./domain Local domain name, maximum of 64 characters
./lease Time after which the IP address is automatically renewed
./dynamic Dynamic address assignment in the specified area
0 Off
1 On
./addr1 Area for dynamic address assignment
./addr2 Area for dynamic address assignment
./hosts List of static MAC at IP assignments
This list should only be modified via the configuration page.
./names Not used at present, must not be modified
./options Not used at present, must not be modified
Static routes
<entry name="conf/network/route/lan/sroute"># static routes
#
</entry>
./sroute List of local static routes

This list should only be modified via the configuration page.

TC ROUTER ... 3G/4G
SNMP
<entry name="conf/snmp/device"></entry>
<entry name="conf/snmp/description"></entry>
<entry name="conf/snmp/location"></entry>
<entry name="conf/snmp/contact"></entry>
<entry name="conf/snmp/rocommunity">public</entry>
<entry name="conf/snmp/rwcommunity"></entry>
<entry name="conf/snmp/rwuser">admin</entry>
<entry name="conf/snmp/secretpass">Snmpadmin</entry>
<entry name="conf/snmp/trap_addr">0.0.0.0</entry>
<entry name="conf/snmp/trap_port">162</entry>
<entry name="conf/snmp/trap_community">public</entry>
<entry name="conf/snmp/trap_enable">0</entry>
<entry name="conf/snmp/v12_enable">0</entry>
<entry name="conf/snmp/v3_enable">0</entry>
<entry name="conf/snmp/fw_local"></entry>
<entry name="conf/snmp/fw_external"></entry>
./device Text descriptions of the same name with a maximum of

250 characters each
./description Text descriptions of the same name with a maximum of
250 characters each
./location Text descriptions of the same name with a maximum of
250 characters each
./contact Text descriptions of the same name with a maximum of
250 characters each
./rocommunity Password for read access. If the password is left empty, the SNMP
service will not be started.
./rwcommunity Password for write access
./rwuser User name for SNMPv3 access
./secretpass Password for SNMPv3 access
./trap_addr IPv4 trap manager address
./trap_port IPv4 trap manager port
./trap_community Password for traps
./trap_enable Send traps
0 No
1 Yes
./v12_enable Activate SNMPv1/v2
0 No
1 Yes
./v3_enable Activate SNMPv3
0 No
1 Yes
The values represent a special list and should only be modified via the configuration page.
./fw_local List of firewall rules for local data

./fw_external List of firewall rules for external data

Wireless network
A3 Wireless network
General settings
<entry name="conf/gsm/band_setup">515</entry>
<entry name="conf/gsm/sim_timeout">10</entry>
<entry name="conf/gsm/relogin">0</entry>
<entry name="conf/gsm/time">01:00</entry>
./band_setup Bit mask for band selection of the GSM/UMTS/LTE engine

./sim_timeout Provider timeout in minutes
./relogin Daily (new) login into the network
0 No
1 Yes
./time Time for daily (new) login into the network
SIM card
<entry name="conf/sim1/mcc">262</entry>
<entry name="conf/sim1/cpin"></entry>
<entry name="conf/sim1/roaming">1</entry>
<entry name="conf/sim1/provider">0</entry>
<entry name="conf/sim1/username"></entry>
<entry name="conf/sim1/password"></entry>
<entry name="conf/sim1/apn">web.vodafone.de</entry>
<entry name="conf/sim1/auth_allow">0</entry>
./mcc Code for country selection

./cpin PIN of the SIM card
./roaming Roaming allowed
0 No
1 Yes
./provider Code of the selected provider
0 Auto
./username User name for packet data network access
./password Password for packet data network access
./apn APN access point of the provider
./authallow Bit mask for permitted access protocols

TC ROUTER ... 3G/4G
SMS configuration
<entry name="conf/gsm/sms_control">0</entry>
<entry name="conf/gsm/sms_password"></entry>
<entry name="conf/gsm/sms_forward">0</entry>
<entry name="conf/gms/sms_server">192.168.0.200</entry>
<entry name="conf/gsm/sms_port">1432</entry>
./sms_control Control device via SMS

0 No
1 Yes
./sms_password Password used for control
./sms_forward Forward received SMS message to a server
0 No
1 Yes
./sms_server IP address of the SMS server
./sms_port SMS server port

Wireless network
Packet data
<entry name="conf/gprs/enable">0</entry>
<entry name="conf/gprs/debug">0</entry>
<entry name="conf/gprs/noccp">0</entry>
<entry name="conf/network/interface/wwan/mtu">1500</entry>
<entry name="conf/gprs/restart">5</entry>
<entry name="conf/gprs/echo-interval">30</entry>
<entry name="conf/gprs/echo-failure">4</entry>
<entry name="conf/gprs/event">0</entry>
./enable Activate packet data

0 No
1 Yes
./debug Activate debug mode for PPP connection establishment
0 No
1 Yes
./noccp Allow data compression
0 No
1 Yes
./mtu Selected MTU (Maximum Transmission Unit) on the PPP interface
./restart Restart interval in seconds
./echo-interval Echo interval in seconds
./echo-failure Number of missing echo responses after which the connection is ter-
minated
./event Start selection for packet data connection
0 Start immediately
1 Control via SMS message
2 Reserved (do not use)
3 Control via XML server
4 ... 5 Control via input 1 ... 2
Static routes
<entry name="conf/network/route/wwan/sroute"># static routes
#
</entry>
./sroute List of local static routes. This list should only be modified via the con-
figuration page.

TC ROUTER ... 3G/4G
DynDNS
<entry name="conf/ddns/enable">0</entry>
<entry name="conf/ddns/provider">0</entry>
<entry name="conf/ddns/server">members.dyndns.org</entry>
<entry name="conf/ddns/username"></entry>
<entry name="conf/ddns/password"></entry>
<entry name="conf/ddns/hostname"></entry>
./enable Activate DynDNS client

0 No
1 Yes
./provider Selection list of supported providers
0 DynDNS.org
1 TZO.com
3 selfHOST.de
4 custom DynDNS
5 FesteIP.net
6 FreeDNS.afraid.org
7 Hurricane Electric
./server Server URL for the custom DynDNS server
./username User name for the DynDNS service
./password Password for the DynDNS service
./hostname Own host name which is registered for the DynDNS service

Wireless network
Connection check (connection monitoring)

<entry name="conf/conchk/enable">0</entry>
<entry name="conf/conchk/host1"></entry>
<entry name="conf/conchk/local1">0</entry>
<entry name="conf/conchk/interval">5</entry>
<entry name="conf/conchk/retry">3</entry>
<entry name="conf/conchk/event">0</entry>
./enable Activate connection monitoring

0 No
1 Yes
./host[n] URL or IP address of the host that should respond to the echo
request
./local[n] Wireless network or local network as transmitting interface
0 Wireless
1 Local
./interval Transmission interval in minutes
./retry Maximum number of missing responses after which an action is trig-
gered
./event Action selection
0 None
1 Restart device (reboot)
2 Reconnect packet data (Reconnect)
3 Reconnect to GSM/UMTS network (Relogin)
Monitoring
<entry name="conf/gsm/log_enable">0</entry>
<entry name="conf/gsm/log_duration">24</entry>
<entry name="conf/gsm/log_interval">1</entry>
<entry name="conf/gsm/log_ping"></entry>
./log_enable Activate monitoring

0 No
1 Yes
./log_duration Monitoring duration in hours
./log_interval Time between the echo requests
./log_ping URL or IP address of a host that should respond to the echo requests

TC ROUTER ... 3G/4G
A 3.1 Network security
General settings
<entry name="conf/iptables/fw_enable">1</entry>
<entry name="conf/iptables/nat_enable">0</entry>
<entry name="conf/iptables/fw_netbios">1</entry>
<entry name="conf/iptables/icmp">0</entry>
<entry name="conf/iptables/masq_enable">1</entry>
<entry name="conf/iptables/xssh">0</entry>
<entry name="conf/iptables/xwbm">0</entry>
<entry name="conf/dropbear/enable">0</entry>
<entry name="conf/dropbear/port">22</entry>
./fw_enable State of the overall firewall function

0 Off
1 On
./nat_enable State of the NAT table (port forwarding)
0 Off
1 On
./fw_netbios Block outgoing NetBIOS broadcasts
0 No
1 Yes
./icmp Respond to echo requests at the external interface
0 No
1 Yes
./masq_enable Perform IP masquerading at the external interface
0 No
1 Yes
./xssh External device access via SSH
0 No
1 Yes
./xwbm External device access via HTTP or HTTPS
0 No
1 Yes
./enable Device access via SSH
0 No
1 Yes
./port Port used for SSH access, normally 22

Wireless network
Firewall
<entry name="conf/iptables/fw_in"># Firewall incoming
#</entry>
<entry name="conf/iptables/fw_out"># Firewall outgoing
#</entry>
./fw_in List of firewall rules for incoming data
./fw_out List of firewall rules for outgoing data
NAT table
<entry name="conf/iptables/nat_fw"># NAT firewall
#</entry>
<entry name="conf/iptables/nat_vs"># NAT virtual server
#</entry>
./nat_fw List of firewall rules for the NAT table (port forwarding)
./nat_vs List of forwarding rules for the NAT table (port forwarding)
A 3.2 VPN
A 3.2.1 IPsec
Higher-level settings
<entry name="conf/ipsec/enableupdate">0</entry>
<entry name="conf/ipsec/autoupdate">600</entry>
./enableupdate Monitoring of IP address changes

0 Off
1 On
./autoupdate Monitoring interval in seconds

TC ROUTER ... 3G/4G
Connection settings 1 ... n

<entry name="conf/ipsec/vpn1/name">vpn1</entry>
<entry name="conf/ipsec/vpn1/enable">0</entry>
<entry name="conf/ipsec/vpn1/rightallowany">0</entry>
<entry name="conf/ipsec/vpn1/host"></entry>
<entry name="conf/ipsec/vpn1/auth">0</entry>
<entry name="conf/ipsec/vpn1/remote_cert">mGuard.crt</entry>
<entry name="conf/ipsec/vpn1/local_cert">test.p12</entry>
<entry name="conf/ipsec/vpn1/remote_id"></entry>
<entry name="conf/ipsec/vpn1/local_id"></entry>
<entry name="conf/ipsec/vpn1/remote_addr">192.168.9.0/24</entry>
<entry name="conf/ipsec/vpn1/local_addr">192.168.0.0/24</entry>
<entry name="conf/ipsec/vpn1/psk">complicated_-
like_5Dy0qoD_and_long</entry>
<entry name="conf/ipsec/vpn1/nat">0</entry>
<entry name="conf/ipsec/vpn1/local_net">192.168.1.0</entry>
<entry name="conf/ipsec/vpn1/mode">0</entry>
<entry name="conf/ipsec/vpn1/autoreset">0</entry>
<entry name="conf/ipsec/vpn1/resettime">60</entry>
./name Description of the connection

./enable Connection active
0 No
1 Yes
./rightallowany Accept connection from any peer
0 No
1 Yes
./host URL or IP address of the peer
./auth Selected authentication method
0 X.509 certificates
1 Pre-shared key
./remote_cert Peer certificate
./local_cert Local certificate
./remote_id Peer ID
./local_id Own ID
./remote_addr Peer tunnel end
./local_addr Local tunnel end
./psk Pre-shared key
./nat Connection NAT
0 None
1 Local 1:1 NAT
5 Remote masquerading
./local_net Target of local NAT

Wireless network
./mode Type of connection

0 Waiting for connection
1 Always establish connection
3 Control via call
5 ... 6 Control via input 1 ... 2
./autoreset Automatic connection release
0 No
1 Yes
./resettime Time in minutes after which the connection is re-established
IKE settings (1 ... n)

<entry name="conf/ipsec/vpn1/ike_crypt">aes128</entry>
<entry name="conf/ipsec/vpn1/ike_hash">0</entry>
<entry name="conf/ipsec/vpn1/ike_life">3600</entry>
<entry name="conf/ipsec/vpn1/esp_crypt">aes128</entry>
<entry name="conf/ipsec/vpn1/esp_hash">0</entry>
<entry name="conf/ipsec/vpn1/esp_life">28800</entry>
<entry name="conf/ipsec/vpn1/pfs">1</entry>
<entry name="conf/ipsec/vpn1/pfsgroup">modp1024</entry>
<entry name="conf/ipsec/vpn1/rekey">1</entry>
<entry name="conf/ipsec/vpn1/dpd">1</entry>
<entry name="conf/ipsec/vpn1/dpddelay">30</entry>
<entry name="conf/ipsec/vpn1/dpdtimeout">120</entry>
<entry name="conf/ipsec/vpn1/keyingtries">0</entry>
<entry name="conf/ipsec/vpn1/rekeyfuzz">100</entry>
<entry name="conf/ipsec/vpn1/rekeymargin">540</entry>
./ike_crypt Phase 1 ISAKMP encryption,

valid values: 3des, aes128, aes192, aes256
./ike_hash Phase 1 ISAKMP hash
0 All
1 MD5
2 SHA-1
./ike_life Time in seconds after which the key is renegotiated
./esp_crypt Phase 2 IPsec SA encryption,
valid values: 3des, aes128, aes192, aes256
./esp_hash Phase 2 IPsec SA hash
0 All
1 MD5
2 SHA-1
./esp_life Time in seconds after which the key is renegotiated

TC ROUTER ... 3G/4G
./pfs Perfect forward secrecy

0 No
1 Yes
./pfsgroup DH/PFS group, valid values: modp1024, modp1536, modp2048
./rekey Renew key
0 No
1 Yes
./dpd Dead Peer Detection (DPD)
0 No
1 Yes
./dpddelay Time in seconds between requests
./dpdtimeout Time in seconds after which the connection is deemed interrupted
./keyingtries Number of attempts to establish a connection
0 Unlimited
./rekeyfuzz Value as a percentage
./rekeymargin Time in seconds
A 3.2.2 Certificates
<entry name="ipsec.d/cacerts/test.crt">-----BEGIN CERTIFICATE--...
</entry>
<entry name="ipsec.d/certs/local/test.crt">-----BEGIN CERTIFICATE--
...</entry>
<entry name="ipsec.d/certs/remote/mGuard.crt">-----BEGIN CERTIFICATE--
...</entry>
<entry name="ipsec.d/private/test.pem">-----BEGIN RSA PRIVATE KEY--
...</entry>
<entry name="ipsec.d/ldir/test.p12">7</entry>
./cacerts/* CA certificates
./certs/local/* Local certificates
./certs/remote/* Peer certificates
./private/* Private key
./ldir/* Bit mask for certificate validity

Wireless network
A 3.2.3 OpenVPN
Connections 1 ... n
<entry name="conf/openvpn/tunnel1/name">tunnel1</entry>
<entry name="conf/openvpn/tunnel1/enable">0</entry>
<entry name="conf/openvpn/tunnel1/event">0</entry>
<entry name="conf/openvpn/tunnel1/host"></entry>
<entry name="conf/openvpn/tunnel1/rport">1194</entry>
<entry name="conf/openvpn/tunnel1/proto">0</entry>
<entry name="conf/openvpn/tunnel1/complzo">0</entry>
<entry name="conf/openvpn/tunnel1/float">0</entry>
<entry name="conf/openvpn/tunnel1/redir">0</entry>
<entry name="conf/openvpn/tunnel1/bind">0</entry>
<entry name="conf/openvpn/tunnel1/lport">1194</entry>
<entry name="conf/openvpn/tunnel1/auth">0</entry>
<entry name="conf/openvpn/tunnel1/certificate">test-server.p12</entry>
<entry name="conf/openvpn/tunnel1/nscert">0</entry>
<entry name="conf/openvpn/tunnel1/psk">my_static.key</entry>
<entry name="conf/openvpn/tunnel1/username"></entry>
<entry name="conf/openvpn/tunnel1/password"></entry>
<entry name="conf/openvpn/tunnel1/remote_ifc">172.16.0.2</entry>
<entry name="conf/openvpn/tunnel1/local_ifc">172.16.0.1</entry>
<entry name="conf/openvpn/tunnel1/remote_addr">192.168.9.0/24</entry>
<entry name="conf/openvpn/tunnel1/nat">0</entry>
<entry name="conf/openvpn/tunnel1/local_masq">0</entry>
<entry name="conf/openvpn/tunnel1/local_addr">192.168.0.0/24</entry>
<entry name="conf/openvpn/tunnel1/local_net">192.168.1.0</entry>
<entry name="conf/openvpn/tunnel1/cipher">BF-CBC</entry>
<entry name="conf/openvpn/tunnel1/keepalive">1</entry>
<entry name="conf/openvpn/tunnel1/ping">30</entry>
<entry name="conf/openvpn/tunnel1/restart">120</entry>
./name Description of the connection

./enable Connection active
0 No
1 Yes
./event Start selection for the tunnel
0 Start immediately
2 Control via call
4...5 Control via input 1 ... 2
./host URL or IP address of the peer
./rport Used peer port
./proto Protocol
0 UDP
1 TCP

TC ROUTER ... 3G/4G
./complzo Settings for data compression

0 Disabled
1 Adaptive compression
2 No compression active
3 Compression active
4 Compression allowed
./float Peer may change its IP address
0 No
1 Yes
./redir All data traffic is routed through the tunnel.
0 No
1 Yes
./bind Specify outgoing port
0 No
1 Yes
./lport Outgoing port
./auth Authentication
0 X.509 certificates
1 Pre-shared key
2 User name and password
./certificate Certificate name
./nscert Check peer certificate type
0 No
1 Yes
./psk Pre-shared key
./username User name
./password Password
./remote_ifc Peer tunnel end
./local_ifc Local tunnel end
./remote_addr Peer tunnel network
./nat Connection NAT
0 None
1 Local 1:1 NAT
4 Local masquerading
5 Remote masquerading
6 Port forwarding
7 Host forwarding

Wireless network
./local_masq Activate masquerading in the port and host forwarding settings.

Otherwise, the value must be set to 0.
0 Off
1 On
./local_addr Local tunnel network
./local_net Target of local NAT
./cipher Type of encryption, valid values: BF-CBC, AES-128-CBC, AES-192-
CBC, AES-256-CBC, DES-CBC, DES-EDE-CBC, DES-EDE3-CBC,
DESX-CBC, CAST5-CBC, RC2-40-CBC, RC2-64-CBC, RC2-CBC,
none
./keepalive Send Keep Alive packets
0 No
1 Yes
./ping Time in seconds between packets
./restart Time in minutes after which the connection is re-established
Additional connection settings (1 ... n)

<entry name="conf/openvpn/tunnel1/tun_mtu">1500</entry>
<entry name="conf/openvpn/tunnel1/frag_enable">0</entry>
<entry name="conf/openvpn/tunnel1/frag_size">1450</entry>
<entry name="conf/openvpn/tunnel1/mssfix_enable">0</entry>
<entry name="conf/openvpn/tunnel1/mssfix_size">1450</entry>
<entry name="conf/openvpn/tunnel1/reneg_sec">3600</entry>
./tun_mtu MTU (Maximum Transmission Unit) for the TUN device

./frag_enable Fragmentation of data packets
0 No
1 Yes
./frag_size Size of fragmented packets
./mssfix_enable MSSFIX option
0 No
1 Yes
./mssfix_size Size of packets with MSSFIX
./reneg_sec Time in seconds for renewing the key
Port forwarding
<entry name="conf/openvpn/napt"># NAPT port forwarding
#</entry>
.napt List of settings for port forwarding

TC ROUTER ... 3G/4G
Certificates
<entry name="openvpn/cacerts/test-server.crt">-----BEGIN CERTIFICATE--
...</entry>
<entry name="openvpn/certs/test-server.crt">-----BEGIN CERTIFICATE--
...</entry>
<entry name="openvpn/private/test-server.pem">-----BEGIN RSA PRIVATE
KEY--...</entry>
<entry name="openvpn/ldir/test-server.p12">7</entry>
<entry name="openvpn/casonly/test-ca.crt">-----BEGIN CERTIFICATE--
...</entry>
./cacerts/* CA certificates
./certs/ Certificates
./private/ Private key
./ldir/* Bit mask for certificate validity
./casonly/* CA certificates for authentication with user name and password
Static key
<entry name="openvpn/keys/my_static.key">#
# 2048 bit OpenVPN static
key... </entry>
./ keys/* Static key
Diffie-Hellman parameters
<entry name="openvpn/dh1024.pem">-----BEGIN DH PARAMETERS--...</entry>
<entry name="openvpn/dh2048.pem">-----BEGIN DH PARAMETERS--...</entry>
./dh1024.pem DH parameter, 1024 bits

./dh2048.pem DH parameter, 2048 bits

Wireless network
A 3.3 Inputs and outputs
Inputs 1 ... 2
<entry name="conf/alerts/in_1/0/enable">0</entry>
<entry name="conf/alerts/in_1/0/action">0</entry>
<entry name="conf/alerts/in_1/0/sms/phonebook">0</entry>
<entry name="conf/alerts/in_1/0/sms/message"></entry>
<entry name="conf/alerts/in_1/0/email/to"></entry>
<entry name="conf/alerts/in_1/0/email/cc"></entry>
<entry name="conf/alerts/in_1/0/email/subject"></entry>
<entry name="conf/alerts/in_1/0/email/message"></entry>
<entry name="conf/alerts/in_1/1/enable">0</entry>
<entry name="conf/alerts/in_1/1/action">0</entry>
<entry name="conf/alerts/in_1/1/sms/phonebook">0</entry>
<entry name="conf/alerts/in_1/1/sms/message"></entry>
<entry name="conf/alerts/in_1/1/email/to"></entry>
<entry name="conf/alerts/in_1/1/email/cc"></entry>
<entry name="conf/alerts/in_1/1/email/subject"></entry>
<entry name="conf/alerts/in_1/1/email/message"></entry>
<entry name="conf/alerts/in_1/alarm_enable">0</entry>
<entry name="conf/alerts/in_1/alarm_time">0</entry
./in_[n]/0/* Refers to input [n], falling edge

./in_[n]/1/* Refers to input [n], rising edge
./enable Enable action for the input
0 No
1 Yes
./action Action on the event
0 No action
1 Send SMS message
3 Send e-mail
./sms/phonebook Bit mask for phonebook selection
./sms/message SMS text
./email/to Recipient of the message
./email/cc Recipient of a copy
./email/subject Subject
./email/message Text message
./alarm_enable Activate alarm
0 No
1 Yes
./alarm_time Automatic reset time for the alarm in minutes

TC ROUTER ... 3G/4G
Output 1
<entry name="conf/leds/out_1/function">0</entry>
<entry name="conf/leds/out_1/autoreset">0</entry>
<entry name="conf/leds/out_1/time">10</entry>
./out_1 Refers to output 1

./function Function linked to the output
0 Manual
1 Remote controlled
2 Radio network
3 Packet service
4 VPN service
5 Incoming call
6 Connection lost
9 Alarm
./autoreset Automatically reset alarm
0 No
1 Yes
./time Time in minutes to reset the alarm
Phonebook
<entry name="conf/phonebook/n01"></entry>
./n[xx] Telephone number in national or international format

Wireless network
Socket server
<entry name="conf/alerts/sock_enable">0</entry>
<entry name="conf/alerts/sock_port">1432</entry>
<entry name="conf/alerts/sock_xml_nl">1</entry>
<entry name="conf/alerts/sock_xml_io">0</entry>
./sock_enable Socket server

0 Off
1 On
./sock_port Server listener port
./sock_xml_nl Character which creates a line break in the XML file
0 None
1 Line feed
2 Carriage return
3 Carriage return + line feed
./sock_xml_io Representation of Boolean values
0 Text
1 Numeric
A 3.4 System
General system configuration

<entry name="conf/system/httpaccess">2</entry>
<entry name="conf/system/httpport">80</entry>
<entry name="conf/system/httpsport">443</entry>
<entry name="conf/system/logremote">0</entry>
<entry name="conf/system/logserver">192.168.0.200</entry>
<entry name="conf/system/logport">514</entry>
<entry name="conf/system/lognvm">0</entry>
./httpaccess HTTP access via:

0 HTTP
1 HTTPS
2 HTTP and HTTPS
./httpport Port used for the web server for HTTP
./httpsport Port used for the web server for HTTPS
./logremote Send log data to a log server
0 No
1 Yes
./logserver IP address of the log server
./logport Log server port
./lognvm Reserved, must be set to 0

TC ROUTER ... 3G/4G
User authentication
<entry name="conf/auth/admin">admin</entry>
<entry name="conf/auth/user">public</entry>
For users “admin” and “user”, the passwords are stored in plain text by default. When a new
password is assigned, only the hash values are stored here.
E-mail configuration (SMTP)

<entry name="conf/smtp/server"></entry>
<entry name="conf/smtp/port">25</entry>
<entry name="conf/smtp/auth">1</entry>
<entry name="conf/smtp/tls">0</entry>
<entry name="conf/smtp/username"></entry>
<entry name="conf/smtp/password"></entry>
<entry name="conf/smtp/from"></entry>
./server Address of the SMTP server

./port SMTP server port
./auth Authentication for the server
0 None
1 STARTTLS
2 Encrypted Password
./tls Reserved, must be set to 0
Default AT commands
<entry name="conf/gsm/at1cmd"></entry>
<entry name="conf/gsm/at2cmd"></entry>
<entry name="conf/gprs/at1cmd"></entry>
<entry name="conf/gprs/dialup">*99***1#</entry>
./gsm/at1cmd Commands before PIN entry (without prefixed AT)

./gsm/at2cmd Commands after PIN entry (without prefixed AT)
./gprs/at1cmd Commands before PPP dial-in (without prefixed AT)
./gprs/dialup Dial-in into the packet data network that is used (not used at present)

Wireless network
Date and time

<entry name="conf/system/newtime">1388534400</entry>
<entry name="conf/system/ntpenable">0</entry>
<entry name="conf/system/ntpserver">europe.pool.ntp.org</entry>
<entry name="conf/system/ntpiface">0</entry>
<entry name="conf/system/timezone">6+0100</entry>
<entry name="conf/system/daylight">1</entry>
<entry name="conf/system/ntplocal">0</entry>
./newtime Time at device start in seconds,

since January 1, 1970 00:00 (UNIX time)
./ntpenable Synchronize with a time server
0 No
1 Yes
./ntpserver URL or IP address of an Internet time server
./ntpiface Wireless network or local network as transmitting interface
0 Wireless
1 Local
./daylight Take daylight savings into account
0 No
1 Yes
./timezone Select the time zone
./ntplocal Make own time available to the local network
0 No
1 Yes
Reboot
<entry name="conf/system/rebootenable">0</entry>
<entry name="conf/system/reboottime">01:00</entry>
<entry name="conf/system/rebootevent">0</entry>
./rebootenable Bit mask of weekdays on which a reboot should be performed

./reboottime Time for the reboot
./rebootevent Selected event for a reboot
0 None
1 ... 2 Triggered by the relevant input

TC ROUTER ... 3G/4G
A4 CIDR, Classless Inter-Domain Routing

IP netmasks and CIDR combine several IP addresses to create a single address area. An area comprising consecutive
addresses is handled like a network. To specify an area of IP addresses for the router, it may be necessary to specify the
address area in CIDR format (e.g., when configuring the firewall).
IP netmask1 Binary CIDR

255.255.255.255 11111111 11111111 11111111 11111111 32
255.255.255.254 11111111 11111111 11111111 11111110 31
255.255.255.252 11111111 11111111 11111111 11111100 30
255.255.255.248 11111111 11111111 11111111 11111000 29
255.255.255.240 11111111 11111111 11111111 11110000 28
255.255.255.224 11111111 11111111 11111111 11100000 27
255.255.255.192 11111111 11111111 11111111 11000000 26
255.255.255.128 11111111 11111111 11111111 10000000 25
255.255.255.0 11111111 11111111 11111111 00000000 24
255.255.254.0 11111111 11111111 11111110 00000000 23
255.255.252.0 11111111 11111111 11111100 00000000 22
255.255.248.0 11111111 11111111 11111000 00000000 21
255.255.240.0 11111111 11111111 11110000 00000000 20
255.255.224.0 11111111 11111111 11100000 00000000 19
255.255.192.0 11111111 11111111 11000000 00000000 18
255.255.128.0 11111111 11111111 10000000 00000000 17
255.255.0.0 11111111 11111111 00000000 00000000 16
255.254.0.0 11111111 11111110 00000000 00000000 15
255.252.0.0 11111111 11111100 00000000 00000000 14
255.248.0.0 11111111 11111000 00000000 00000000 13
255.240.0.0 11111111 11110000 00000000 00000000 12
255.224.0.0 11111111 11100000 00000000 00000000 11
255.192.0.0 11111111 11000000 00000000 00000000 10
255.128.0.0 11111111 10000000 00000000 00000000 9
255.0.0.0 11111111 00000000 00000000 00000000 8
254.0.0.0 11111110 00000000 00000000 00000000 7
252.0.0.0 11111100 00000000 00000000 00000000 6
248.0.0.0 11111000 00000000 00000000 00000000 5
240.0.0.0 11110000 00000000 00000000 00000000 4
224.0.0.0 11100000 00000000 00000000 00000000 3
192.0.0.0 11000000 00000000 00000000 00000000 2
128.0.0.0 10000000 00000000 00000000 00000000 1
0.0.0.0 00000000 00000000 00000000 00000000 0
1 Example: 192.168.1.0/255.255.255.0 corresponds to CIDR: 192.168.1.0/24

Appendixes
B Appendixes
B1 List of figures
Figure 3-1: 4G router .............................................................................................14
Figure 3-2: 3G router .............................................................................................15
Figure 3-3: Mounting on the DIN rail .....................................................................16
Figure 3-4: Removal ..............................................................................................16
Figure 3-5: Removing the SIM card holder, inserting the SIM card .......................17
Figure 3-6: Connecting the antenna (4G router) ....................................................18
Figure 3-7: RJ45 interface .....................................................................................19
Figure 3-8: Connecting the supply voltage ............................................................19
Figure 3-9: Wiring inputs .......................................................................................20
Figure 4-1: Login window ......................................................................................23
Figure 4-2: Basic setup .........................................................................................24
Figure 4-3: Device information, Hardware .............................................................25
Figure 4-4: Software ..............................................................................................26
Figure 4-5: Status, Radio ......................................................................................27
Figure 4-6: Status, Network connections ..............................................................29
Figure 4-7: IPsec status ........................................................................................30
Figure 4-8: OpenVPN status .................................................................................30
Figure 4-9: Status, I/O status .................................................................................31
Figure 4-10: Status, Routing table ...........................................................................31
Figure 4-11: Status, DHCP leases ..........................................................................32
Figure 4-12: Status, System info .............................................................................32
Figure 4-13: Local network, IP configuration ...........................................................33
Figure 4-14: Local network, DHCP server ...............................................................34
Figure 4-15: Local network, Static routes ................................................................35
Figure 4-16: Wireless network, Radio setup ............................................................36
Figure 4-17: Wireless network, SIM (Europe) .........................................................37
Figure 4-18: Wireless network, SIM (US) ................................................................39
Figure 4-19: Wireless network, SMS configuration .................................................42
Figure 4-20: Wireless network, Packet data setup ..................................................43
Figure 4-21: Wireless network, Static routes ...........................................................44
Figure 4-22: Wireless network, DynDNS .................................................................45
Figure 4-23: Wireless network, Connection check ..................................................46
Figure 4-24: Wireless network, Monitoring ..............................................................47

TC ROUTER ... 3G/4G
Figure 4-25: Device services, Web setup, Configuration ........................................49

Figure 4-26: Device services, Web setup, Certificates ............................................51
Figure 4-27: Device services, Web setup, Firewall .................................................53
Figure 4-28: Device services, SSH setup, Configuration ........................................54
Figure 4-29: Device services, SNMP setup, Configuration .....................................55
Figure 4-30: Device services, Socket server, Configuration ....................................56
Figure 4-31: Network security, Firewall ...................................................................63
Figure 4-32: Network security, Traffic forwarding, Port forwarding ..........................64
Figure 4-33: Network security, traffic forwarding, exposed host ..............................66
Figure 4-34: Network security, Masquerading .........................................................67
Figure 4-35: Network security, Additional settings ..................................................68
Figure 4-36: VPN, IPsec, Connections ....................................................................71
Figure 4-37: VPN, IPsec, Connections, Settings, Edit .............................................72
Figure 4-38: VPN, IPsec, Connections, IKE, Edit ....................................................75
Figure 4-39: VPN, IPsec, Certificates ......................................................................78
Figure 4-40: VPN, OpenVPN, Connections ............................................................80
Figure 4-41: VPN, OpenVPN, Connections, Tunnel, Edit ........................................81
Figure 4-42: VPN, OpenVPN, Connections, Advanced, Edit ..................................83
Figure 4-43: VPN, OpenVPN, Static keys ...............................................................85
Figure 4-44: I/O, Inputs ...........................................................................................86
Figure 4-45: I/O, Outputs ........................................................................................87
Figure 4-46: I/O, Phonebook ...................................................................................88
Figure 4-47: System, System configuration ............................................................89
Figure 4-48: System, User ......................................................................................91
Figure 4-49: System, Log file ..................................................................................92
Figure 4-50: System, E-mail configuration ..............................................................93
Figure 4-51: System, Configuration up-/download ..................................................95
Figure 4-52: System, date/time ...............................................................................96
Figure 4-53: System, reboot ....................................................................................98
Figure 4-54: System, Firmware update ...................................................................99
Figure 5-1: Creating a new database ..................................................................101
Figure 5-2: Assigning a password .......................................................................102
Figure 5-3: Creating a new CA certificate ............................................................102
Figure 5-4: Entering information about the owner (subject) .................................103
Figure 5-5: Creating a key ...................................................................................103
Figure 5-6: Setting the validity and type for the CA certificate .............................104
Figure 5-7: CA certificate created .......................................................................104

List of figures
Figure 5-8: Creating a new template ...................................................................105

Figure 5-9: Creating a template, entering information about the owner (subject) 105
Figure 5-10: Creating a template, entering the validity and type of certificate .......106
Figure 5-11: Creating a certificate .........................................................................107
Figure 5-12: Creating a certificate, “Subject” tab ...................................................108
Figure 5-13: Creating a key for a certificate ...........................................................108
Figure 5-14: Selecting a certificate for export ........................................................109
Figure 5-15: Exporting a certificate .......................................................................109
Figure 5-16: Entering the password ......................................................................110
Figure 5-17: Exporting the peer certificate ............................................................110
Figure 8-1: Dimensions .......................................................................................119

TC ROUTER ... 3G/4G

Index
B2 Index
A DynDNS (dynamic DNS)............................................. 45
Accessories .............................................................. 114

Alarms E
E-mail .............................................................. 86, 93 Electrical connection ................................................... 18
SMS ...................................................................... 86 E-mail configuration .................................................... 93
Antenna..................................................................... 114 Energy saving mode ................................................... 90
Antenna cables ......................................................... 114 Europe ........................................................................ 14
APN Exposed host .............................................................. 80
Europa................................................................... 38
US ......................................................................... 40 F
Firmware update ......................................................... 99
C Frequency check........................................................... 6
CA certificate............................................................. 102
Cellular network settings I
See Wireless network I/O status..................................................................... 31
Certificate.................................................................... 78 IKE (Internet Key Exchange) ....................................... 75
Creation............................................................... 107 Input ............................................................................ 86
Export.................................................................. 109 See Switching input
Template ............................................................. 105 Inserting the SIM card ................................................. 17
Change password ....................................................... 91 Installation................................................................... 18
Checking the delivery.................................................. 11 Intended use ................................................................. 6
CON LED .................................................................... 15 IP configuration ........................................................... 33
Configuration up-/download ........................................ 95 IP masquerading
Configuration via web-based management................. 23 See Masquerading
Connection IPsec certificates ......................................................... 78
Antenna................................................................. 18 IPsec status................................................................. 80
Ethernet network ................................................... 19
Supply voltage....................................................... 19 K
Switching input ...................................................... 20 Key
Switching output .................................................... 20 See Static keys
Connection check ....................................................... 46
Country of Use ............................................................ 14
L
customer APN............................................................. 40
LED ............................................................................. 15
License ..................................................................... 114
D Licensing information .................................................. 13
Date/time..................................................................... 96 Local network.............................................................. 33
Device defect ............................................................ 111 Local static route
Device information ...................................................... 25 See Static routes
DHCP server ............................................................... 34 Log file ........................................................................ 92
Dimensions ............................................................... 119 Structure................................................................ 48
DIN rail ........................................................................ 16
Disposal .................................................................... 112
DPD (Dead Peer Detection) ........................................ 77

TC ROUTER ... 3G/4G
M Restart
See Reboot
Maintenance ..................................................... 111, 112
RJ45 interface............................................................. 19
managed application APN........................................... 40
Root certificate
managed Internet APN................................................ 40
See CA certificate
Masquerading ............................................................. 80
Routing table ............................................................... 31
mGuard Secure VPN Client ...................................... 114
Monitoring ................................................................... 47
Mounting ..................................................................... 16 S
Security settings
N See Network security
SIM
Network connections................................................... 29
Europe................................................................... 37
Network security ......................................................... 63
US ......................................................................... 39
SMS settings............................................................... 41
O
SNMP configuration .................................................... 93
Open source software ................................................. 13
SNMP Firewall ............................................................ 80
OpenVPN status ......................................................... 86
Socket server .............................................................. 89
OpenVPN tunnel
Static keys................................................................... 85
See VPN tunnel
Static routes ................................................................ 35
Operating and indication elements
Status and diagnostics indicators................................ 15
3G router ............................................................... 15
Storage ....................................................................... 10
4G router ............................................................... 14
Subcommand.............................................................. 41
Ordering data ............................................................ 113
Supply voltage ............................................................ 19
Output
Surge protection........................................................ 114
See Switching output
Switching input
Outputs ....................................................................... 87
Configuration ......................................................... 86
Overview of product versions ...................................... 13
Connection ............................................................ 20
overwrite APN ............................................................. 40
Switching output
Configuration ......................................................... 87
P Connection ............................................................ 20
Password (default) ...................................................... 23 Synchronisation .......................................................... 96
Phonebook.................................................................. 88 System configuration................................................... 89
Power supply
See Supply voltage T
Pre-shared secret key
Technical data........................................................... 115
See Static keys
Time settings
Product versions ......................................................... 13
See Date/time
Push-in plug .............................................................. 114
Transport..................................................................... 10
Tunnel
R See VPN tunnel
Radio setup................................................................. 36
Radio status ................................................................ 27 U
Reboot ........................................................................ 98
Update
Redirection of data packets......................................... 35
See Firmware update
Repair ....................................................................... 111
USA............................................................................. 14
Reset .......................................................................... 21

Index
User ............................................................................ 91
User level .................................................................... 24
User name .................................................................. 23
V
Viewing the device status............................................ 25
VPN (Virtual Private Network) ..................................... 80
VPN tunnel .................................................................. 81
W
Web-based management
Login ..................................................................... 23
Starting .................................................................. 23
Wireless network......................................................... 36
Wireless static routes .................................................. 44
X
X.509 certificate .................................................. 78, 101
XCA .......................................................................... 101
XML element............................................................. 121
XML file format .......................................................... 124

TC ROUTER ... 3G/4G

Please observe the following notes
General terms and conditions of use for technical documentation
Phoenix Contact reserves the right to alter, correct, and/or improve the technical
documentation and the products described in the technical documentation at its own
discretion and without giving prior notice, insofar as this is reasonable for the user. The
same applies to any technical changes that serve the purpose of technical progress.
The receipt of technical documentation (in particular user documentation) does not
constitute any further duty on the part of Phoenix Contact to furnish information on
modifications to products and/or technical documentation. You are responsible to verify the
suitability and intended use of the products in your specific application, in particular with
regard to observing the applicable standards and regulations. All information made
available in the technical data is supplied without any accompanying guarantee, whether
expressly mentioned, implied or tacitly assumed.
In general, the provisions of the current standard Terms and Conditions of Phoenix Contact
apply exclusively, in particular as concerns any warranty liability.
This manual, including all illustrations contained herein, is copyright protected. Any
changes to the contents or the publication of extracts of this document is prohibited.
Phoenix Contact reserves the right to register its own intellectual property rights for the
product identifications of Phoenix Contact products that are used here. Registration of such
intellectual property rights by third parties is prohibited.
Other product identifications may be afforded legal protection, even where they may not be
indicated as such.
PHOENIX CONTACT 155 / 156

156
How to contact us
Internet Up-to-date information on Phoenix Contact products and our Terms and Conditions can be
found on the Internet at:
phoenixcontact.com
Make sure you always use the latest documentation.
It can be downloaded at:
phoenixcontact.net/products
Subsidiaries If there are any problems that cannot be solved using the documentation, please contact
your Phoenix Contact subsidiary.
Subsidiary contact information is available at phoenixcontact.com.
Published by PHOENIX CONTACT GmbH & Co. KG

Flachsmarktstraße 8
32825 Blomberg
GERMANY
PHOENIX CONTACT Development and Manufacturing, Inc.
586 Fulling Mill Road
Middletown, PA 17057
USA
Should you have any suggestions or recommendations for improvement of the contents and
layout of our manuals, please send your comments to:
[email protected]
156 / 156 PHOENIX CONTACT GmbH & Co. KG • Flachsmarktstraße 8 • 32825 Blomberg • Germany
phoenixcontact.com

Industrial Cellular Router With Integrated Firewall and VPN: User Manual

Uploaded by

Copyright:

Available Formats

Industrial Cellular Router With Integrated Firewall and VPN: User Manual

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Industrial Cellular Router With Integrated Firewall and VPN: User Manual

Uploaded by

Copyright:

Available Formats

Industrial cellular router

with integrated firewall and VPN

UM EN TC ROUTER ... 3G/4G, Revision 03 2020-03-03

This user manual is valid for:

Designation Software release Order No.

PHOENIX CONTACT GmbH & Co. KG • Flachsmarktstraße 8 • 32825 Blomberg • Germany

2 Transport, storage, and unpacking ..........................................................................................10

4 Configuration via web-based management ..............................................................................23

107025_en_03 PHOENIX CONTACT 3 / 156

4.13 VPN .....................................................................................................................70

5 Creating X.509 certificates .....................................................................................................101

6 Device replacement, device defect and repair .......................................................................111

7 Maintenance and disposal .....................................................................................................112

8 Technical data .......................................................................................................................113

4 / 156 PHOENIX CONTACT 107025_en_03

1 For your safety

1.1 Identification of warning notes

Here you will find additional information or detailed sources of information.

1.2 Qualification of users

107025_en_03 PHOENIX CONTACT 5 / 156

1.3 Field of application of the product

1.3.1 Intended use

1.3.2 Product changes

6 / 156 PHOENIX CONTACT 107025_en_03

1.4 Safety notes

107025_en_03 PHOENIX CONTACT 7 / 156

1.5 Security in the network

NOTE: Risk of unauthorized network access

• If possible, deactivate unused communication channels.

8 / 156 PHOENIX CONTACT 107025_en_03

1.6 UL warning notes (only

WARNING: Explosion hazard when used in potentially explosive areas.

 Use copper wires rated 85°C.

Class I, Zone 2, AEx nA IIC T4 / Ex nA IIC T4 Gc

107025_en_03 PHOENIX CONTACT 9 / 156

2 Transport, storage, and unpacking

10 / 156 PHOENIX CONTACT 107025_en_03

NOTE: Electrostatic discharge

Checking the delivery • Check the delivery for transport damage.

107025_en_03 PHOENIX CONTACT 11 / 156

12 / 156 PHOENIX CONTACT 107025_en_03

3.1 Product description

Table 3-1 Overview of product versions

Designation Cellular Fallback VPN function Area of

3.2 Licensing information on open source software

107025_en_03 PHOENIX CONTACT 13 / 156

14 / 156 PHOENIX CONTACT 107025_en_03

3.3.3 Status and diagnostics indicators

107025_en_03 PHOENIX CONTACT 15 / 156

3.4 Mounting and removal

NOTE: Device damage

The device is intended for installation in a control cabinet.

16 / 156 PHOENIX CONTACT 107025_en_03

3.5 Inserting the SIM card

NOTE: Electrostatic discharge

• Press the yellow release button with a pointed object.

107025_en_03 PHOENIX CONTACT 17 / 156

Figure 3-6 Connecting the antenna (4G router)

• Connect one or two suitable antennas to the antenna connection.