Network Interfaces

• 2 x autosensing 10/100/1000 WAN Ports
• 1 x autosensing 10/100/1000 NET port configurable as LAN, WAN or VoIP port
• 4 x autosensing 10/100/1000 LAN Ports

WAN

• DHCP Client
• Static IP
• PPPoE
• Load balance & failover
• Rule based routing

LAN

• DHCP server
• DNS Cache
• Multiple zones
• VLAN tagging

Auxiliary Ports

• 2 x USB 3.0 ports
• 1 x Reset Pinhole

Routing Performance

• Up to 1 million packets/second with 64-byte packet size

USB

• Printer sharing
• File sharing

Network Protocols

• IPv4, IPv6, 802.1Q, 802.1p

VPN

• Protocols: PPTP, L2TP/IPSec, OpenVPN®
• Client, Server or pass through

LED

• 8 green-color LEDs for device tracking and status indication

Mounting

• Indoor wall mount
• Desktop

QoS

• VLAN, ToS, supports multiple traffic classes, filter by port, IP address, DSCP, and policing.

Firewall

• NAT, DMZ, Port Forwarding, SPI, UPnP

Auto Provisioning Capability

• Embedded provisioning controller to manage up to 300+ GWN series Wi-Fi Access Points

Management

• Web, CLI

Power

• 802.3at PoE (To power the unit via LAN1 port)
• Included Power Supply: 12V/2A
• Max power consumption: 16W

Environmental

• Operation: 0°C to 50°C
• Storage: -10°C to 60°C
• Humidity: 10% to 90% Non-condensing

Physical

• Unit Dimensions: 200 x 136 x 37mm; Unit Weight: 570g
• Entire Package Dimensions: 324 x 163.5 x 54mm, Entire Package Weight: 930g

Package Content

• GWN7000 Enterprise Router
• 12V/2A Power Adapter
• Quick Installation Guide
• GPL License

Compliance

• FCC, CE, RCM, IC

Main Case

Yes (1)

Power adaptor

Yes (1)

Quick Installation Guide

Yes (1)

GPL License

Yes (1)

AP

Shows the number of Access Points that are Discovered, Paired (Online) and Offline. Click on to go to Access Points’ page for basic and advanced configuration options for the APs

Clients

Shows the total number of connected clients, and a count for clients connected to each Channel. Click on to go to Clients page for more options.

AP Channel Distribution

Shows the Channel used for all APs that are paired with this Access Point.

Top AP

Shows the Top APs list, assort the list by number of clients connected to each AP or data usage combining upload and download. Click on to go to Access Points page for basic and advanced configuration options for the APs.

Top SSID

Shows the Top SSIDs list, assort the list by number of clients connected to each SSID or data usage combining upload and download. Click on to go to SSID page for more options.

Top Clients

Shows the Top Clients list, assort the list of clients by their upload or download. Click on to go to Clients page for more options.

Traffic

Shows the sent/received traffic data speeds on both WAN ports.

WAN Interfaces

Shows the status of the wan interfaces (IP, Uptime, status …etc).

LAN Interfaces

Displays the status of the LAN interfaces, which includes also the NET port.

This will display the connection status, the uptime, and the link speeds.

Enabled

Choose whether to enable or disable the WAN port.

Name

Specify the port name.

WAN Address Type

Select “DHCP”, “Static” or “PPPoE” mode on the WAN interfaces of GWN7000. The default setting is “DHCP”.

• DHCP

When selected, it will act as a DHCP client and acquire an IPv4 address automatically from the DHCP server.

• Static

When selected, the user should set a static IPv4 address, IPv4 Subnet Mask, IPv4 Gateway and adding Additional IPv4 Addresses as well to communicate with the web interface, SSH, or other services running on the device.

• PPPoE

When selected, the user should set the PPPoE account and password, PPPoE Keep alive interval and Inter-Key Timeout (in seconds).

Preferred IPv4 DNS

Enter the preferred DNS server address (IPv4 address). If Preferred DNS is set, GWN7000 will use it in priority.

Alternate IPv4 DNS

Enter the Alternate DNS server address (IPv4 address). If Preferred DNS is set, GWN7000 will use it in when the Preferred DNS fails.

Tracking IP

Configures the tracking IP(s). ICMP packets are being used to track the IP(s) address(es). When the tracking fails, the GWN7000 will use the secondary WAN port as failover. Default IP used is 8.8.8.8.

MTU

Configures the maximum transmission unit allowed on the wan port. The valid range is 64-9000 Bytes, and the default value is 1500.

Native IPv6

Used to enable assigning IPv6 address to GWN7000. Once checked users will be able to configure following fields: “IPv6 Address Assignment”, “Preferred IPv6 DNS”, “Alternate IPv6 DNS” and “IPv6 Relay to LAN”.

IPv6 Address Assignment

This option is appearing when enabling “Native IPv6” option.

Select “Auto” to get an IPv6 address from DHCP server or “Static” to configure manually an IPv6 address. If set to Static, the following fields should be configured:

• IPv6 Address/Prefix Length

Used to set an IPv6 address/Prefix length when using Static IPv6 option
Example: fec0:470:28:5b2::1/64

• IPv6 Gateway

Used to define the Gateway’s IPv6 address.

• IPv6 Prefix/IPv6 Prefix Length

Enter the IPv6 prefix and IPv6 prefix length.
Example: ::1/64

Preferred IPv6 DNS

This option appears only when “Native IPv6” option is enabled.
It is used to set a preferred DNS server address (IPv6 address). If Preferred DNS is set, GWN7000 will use it in priority.

Alternate IPv6 DNS

This option appears only when “Native IPv6” option is enabled.
It is used to set an Alternate DNS server address (IPv6 address). If Preferred DNS is set, GWN7000 will use it in when the Preferred DNS fails.

IPv6 Relay to LAN

This option appears only when “Native IPv6” option is enabled.
When enabled the GWN7000 will relay IPv6 address to LAN clients

VLAN Tagging

Used to enable VLAN tagging. If set to “0” the VLAN tagging will be disabled, otherwise set a VLAN value between 2 and 4093. Default is 0.

Enable LAN1 (NET Port)

Enable the NET port as a normal LAN port.

Enable WAN (Net Port)

Enable the NET port as a WAN port, and set the required configuration as WAN1 and 2. See Table 5: GWN7000 WEB GUI🡪Router🡪WAN🡪WAN Port (1,2)

WAN Interface

Choose the WAN port on which to setup the 6in4 tunnel.

MTU

Set the Maximum Transmission Unit value.

The valid range is 64-9000. Default value is 1500.

6in4 IPv4 Peer Address

Enter the IPv4 tunnel endpoint at the tunnel’s provider.

6in4 Tunnel Endpoint IPv6 Address

Enter the local IPv6 address delegated to the tunnel endpoint.

Example: 2001:db8:2222::2/64

6in4 Routed Prefix

Set the routable prefix given by the tunnel provider to allow LAN clients to get addresses from that prefix.

Tunnel ID

Specifies the tunnel’s ID.

Username

Set the username used to login into the tunnel broker.

Password

Set the password (used for endpoint update).

Update Key

Set the update key, it overrides the password used for endpoint update.

WAN Interface

Choose the WAN port on which to setup the 6rd tunnel.

MTU

Set the Maximum Transmission Unit value.

The valid range is 64-9000 and default value is 1500.

6rd IPv4 Peer Address

Enter the IPv4 Peer address.

6rd IPv6 Address Prefix

Specifies the IPv6 prefix given by the provider.
Example: 2001:B000::/32

IPv6 Prefix Length

Specifies the IPv6 prefix length (Value between 1 and 128).
Example: 32

IPv4 Prefix Length

Specifies the prefix length of the IPv4 transport address.

(Value between 1 and 32).

WAN Interface

Choose the WAN port on which to setup the aiccu tunnel.

Username

Enter the Username (Provided by signing up with SixXS Tunnel Broker)

Password

Enter the Username’s password

WAN Interface

Specifies the WAN interface to bind the tunnel to.

Name

Set a name for the tunnel connection.

Enabled

Enabled/Disable the tunnel connection.

GRE Peer IP Address

Specifies the tunnel destination address (public IP).

GRE Tunnel IP Address

Specify the local GRE tunnel interface. (ex: 10.1.1.2)

GRE Tunnel Netmask

Set the Tunnel interface netmask. (ex: 255.255.255.0)

MTU

Configures the maximum transmission unit. The valid range is 64-9000 and the default is 1500.

Subnet

Set the destination subnet that is reachable though GRE tunnel.

IP Masquerading

Enable/Disable IP masquerading. Users could configure this option under the “General” tab of Firewall 🡪 Advanced as well.

Tunnel Input Key

Specifies the key that would be added to the incoming packets.

Tunnel Output Key

Specifies the key that would be added to the outgoing packets.

Local Routing Policy

Specifies the routing policy that would be applied on locally generated traffic from the GWN7000 router. See [Policy Routing] section.

MAC Override Address

This option is used to override the MAC address of the GWN7000 Router.

MAC Address octets (in hex) are separated by “:” in English input condition. The characters here must be lowercase.

Note: Reboot the router to take effect.

LAN Name

Specifies the name for the LAN group.

Enabled

Check to activate the newly created LAN group.

Routing Policy

Select which routing to use for this LAN network. See Policy Routing section for more details.

Destination

If enabled, choose which groups you want to forward, if not, you can manually configure the forward rules under firewall settings.

LAN Membership

Configure the LAN port membership. If choose lan1 (NET Port), please make sure you have enabled lan1 under Router🡪 WAN🡪 NET port Tab.

VLAN

Check to enable VLAN. This field is appearing only when having more than one LAN subnet.

VLAN ID

Set a VLAN ID. Valid range is between 2 and 4093.

Enable IPv4

Check to enable IPv4 addressing for this LAN.

Ipv4 Static Address

Set a static Ipv4 address for the LAN subnet when enabling Ipv4.

Additional IPv4 Static Address

Set an additional static Ipv4 address for the LAN subnet when enabling IPv4.

Ipv4 Subnet Mask

Set the Subnet Mask.

DHCP Enabled for Ipv4

Check to enable DHCP using Ipv4. This will allow clients connected to this LAN subnet to get Ipv4 addresses automatically from GWN7000 acting as DHCP server.

DHCP Start Address

Set the starting Ipv4 address for this LAN’s clients.

DHCP End Address

Set the ending Ipv4 address for this LAN’s clients

DHCP Lease Time

Set the lease time for DHCP clients, the value can be defined in hours, minutes, or as “infinite”. Default lease time is “12h”.

DHCP Options

Set the DHCP options. Click on to add another option, and to delete an option.
Example: 44,192.168.2.50 for DHCP option 44 and 192.168.2.50 is the WINS server’s address. Please refer to the following link for DHCP options syntax: https://wiki.openwrt.org/doc/howto/dhcp.dnsmasq

DHCP Gateway

Defines the IP address of the DHCP gateway.

DHCP Preferred DNS

Set the preferred DNS Servers via DHCP.

DHCP Alternate DNS

Set the alternate DNS Servers via DHCP.

DHCPv4 Relay Enabled

Enable this option, if you want the GWN7000 relays the DHCP requests from clients to another DHCP server(s). Once checked, click to add another DHCPv4 Relay Target, and to delete a DHCPv4 Relay Target.

Enable IPv6

Check to enable IPv6 addressing for this LAN subnet.

IPv6 Relay from WAN

Check to allow GWN7000 to relay IPv6 DHCP request from LAN’s clients to WAN port.

DHCP Enabled for IPv6

Check to enable IPv6 DHCP server for this LAN.

IPv6 Prefix for Assignment

Set the prefix value to be assigned to the LAN. Valid range is between 1 to 64. Example: 64 will assign /64 prefixes.

IPv6 Subnet Hint

Set the subnet mask value.

IPv6 Uplink

Select the WAN port.

Enable Outgoing Mirroring

Check to enable outgoing mirroring for a LAN port. Default is “Disabled”

Enable Incoming Mirroring

Check to enable incoming mirroring for a LAN port. Default is “Disabled”

Mirroring Port

Select which LAN port that will be mirroring traffic. Default is “Disabled”

Mirrored Port

Select which LAN port that will act as mirrored port. Default is “Disabled”

Use Custom Port Mapping

Use this option in order to enable VLAN tagging on the ports or disable it or block the port from participating in the selected VLAN, click on button to change the settings.

Three options are available for each port:

• Tagged: the port will participate on the VLAN and will tag the outgoing frames with the 802.1q VLAN id.
• Untagged: The port will participate on the VLAN but will not tag outgoing frames.
• Off: The port will not participate on the VLAN.

Up/Down Stream QoS Enabled

Check to enable upstream and downstream bandwidth speeds for the selected WAN interface.

Upstream

Set the Upstream value to specify the upload bandwidth for selected interface, the value should end with Mbit. Note that the set value will affect and limit the bandwidth values on created classes on QoS Upstream.
Examples: 500Mbit

100Kbit

Downstream

Set the Downstream value to specify the download bandwidth speed for selected interface, the value should end with “Mbit”, “Kbit” or with no unit if the set value is referring to “bit” unit.
Examples: 1000Mbit
100Kbit

Type

Select which QoS method to apply on select WAN interface:

• SQM: Smart queue management queueing mode will be applied to the interface along with the option to select Qdisc and Manager values.
• ACC: Select this option in order to use active congestion control QoS mode on the interface then select which policy to apply, users should create policies under “Router🡪QoS🡪Policy Manager”.
• Legacy: Select this option in order to use legacy classifying and filter QoS mode, users need to configure the related DSCP marking and bandwidth limitations under the menu “Router🡪QoS🡪Legacy QoS”.

Qdisc

Select which Queuing discipline method to use for QoS:

• fq_codel (Fair Queue with Controlled Delay)
• Cake

Manager

Choose the type of the smart queue management:

• If fq_codel queuing discipline method is selected.
• simple: Three-tier prioritization system.
• simplest: HTB (Hierarchical Token Bucket) shaper with a single fq_codel queuing discipline.
• simplest_tbf: TBF (Token Bucket Filter) shaper with a single fq_codel queuing discipline.
• If cake queuing discipline method is selected.
• layer_cake: Three-tier prioritization system with cake as a replacement for HTB rate limiting.
• Piece_of_cake: Single queue with cake as a replacement for HTB rate limiting.

Link-layer Adaptation

Select the link-layer type for the WAN connection. This can be used to compensate for the link-layer overhead of certain types of WAN connections.

• None (default).
• Ethernet (should be selected for VDSL connections).
• ATM (should be selected for ADSL connections).

Overhead

If the link-layer is set to something other than “none”, then the link-layer overhead setting can be used to specify how many bytes of overhead there are.

Defaults are 8 for Ethernet, and 44 for ATM.

Advanced Qdisc Options

Check this option in order to show advanced Qdisc options to be used.

Squash DSCP on ingress

Select whether to squash or not the DSCP on ingress packets. By default, this option is disabled.

Ignore DSCP on ingress

Select whether to ignore DSCP on ingress packets or not. By default, this option is disabled.

ECN Status on Inbound packets

Select whether to set or not ECN status on inbound packets.

ECN Status on outbound packets

Select whether to set or not ECN status on bound packets.

ACC Policy

Select from the drop-down list the acc policy to apply, policies can be managed from the Policy Manager tab.

This field appears only when Type is set to “acc”.

Use Active Congestion Controller

This Option must be enabled when using ACC (Adaptive Congestion Control) QoS type under the selected wan interface.

This field appears only when Type is set to “acc”.

Use Custom ping target

Enter the IPv4 address of the target where the router will send ICM echo messages to track the health of the link (RTT measurements…etc).

This field appears only when Type is set to “acc”.

Target ping time limit (ms)

Value that indicates the congestion on the ISP link, this is automatically calculated on the back end of the router, but users can override it.

This field appears only when Type is set to “acc”.

Traffic Class

Name

Define a name for the traffic class.

Priority

Set the priority of the traffic class, the lower the value, the highest the priority. Valid range is between 1 and 64.

Interface

Select the WAN interface from which the traffic will be classified, make sure to enable the desired interface it from in order to appear.

Upstream

Set Upstream bandwidth value. The value should end with “Mbit”, “Kbit”.

Note that the sum of created classes should have upstream bandwidth speeds lower than the Upstream bandwidth value configured on QoS Basic.
Examples: 100Mbit
100Kbit

Traffic Filter

Class

Select a class from created traffic classes using drop-down menu.

Name

Define a Name for the traffic filter rule.

DSCP

Choose the Differentiated Services Code Point (DSCP) value from drop-down list. Default is 0.

IP Source Address

Specify the Source IP address from which the traffic filter rule will be applied.

IP Destination Address

Specify the Destination IP address to which the traffic filter rule will be applied.

TCP Source Port

Specify the TCP Source port from which the traffic filter rule will be applied.

TCP Destination Port

Specify the TCP Source port to which the traffic filter rule will be applied.

UDP Source Port

Specify the UDP Source port from which the traffic filter rule will be applied.

UDP Destination Port

Specify the UDP Source port to which the traffic filter rule will be applied.

Group Source

Choose the LAN group of the specified Source IP address. If no Source IP address has been defined, the rule will be applied to all members of that LAN group.

Policer

Name

Define a Name for the Policer rule.

Interface

Select an interface from which the traffic will be policed, make sure to enable the desired interface from General QoS in order to appear.

Priority

Set the priority of the traffic class, the lower the value, the highest the priority. Valid range is between 1 and 64.

Rate

Set a Rate value for download bandwidth when applying policer rule.

DSCP

Choose the Differentiated Services Code Point (DSCP) value from drop-down list. Default is 0.

IP Source Address

Specify the Source IP address from which the policer rule will be applied.

IP Destination Address

Specify the Destination IP address to which the policer rule will be applied.

TCP Source Port

Specify the TCP Source port from which the policer rule will be applied.

TCP Destination Port

Specify the TCP Source port to which the policer rule will be applied.

UDP Source Port

Specify the UDP Source port from which the policer rule will be applied.

UDP Destination Port

Specify the UDP Source port to which the policer rule will be applied.

Group Source

Choose the LAN group of the specified Source IP address.

If no Source IP address has been defined, the rule will be applied to all members of that LAN group.

General

Name

Define a name for the traffic policy which can be then select on general tab settings if settings the QoS type for a wan interface to acc (adaptive congestion control).

Upload/Download 🡪 Policy Class

Name

Set a name for the traffic class.

Bandwidth share %

Configure the bandwidth share percentage for this class of traffic, the acc mechanism will dynamically borrow bandwidth from other classes if one class needs more, thus using efficiently the available bandwidth.

Set minimum bandwidth

Enable this option to set the Minimum bandwidth for this traffic class.

Min bandwidth

Configure the minimum bandwidth reserved for this traffic class in Mbps or Kbps.

Set maximum bandwidth

Enable this option to set the Maximum bandwidth for this traffic class.

Max bandwidth

Configure the maximum bandwidth allowed for this traffic class in Mbps or Kbps.

Minimize RTT (Only for Download Class)

Enable this option in order to minimize traffic latency/delay 🡪 Useful for VoIP.

Upload/Download 🡪 Policy Rule

Name

Enter a name for the traffic rule 🡺 rules are used to put a traffic into a class.

Enabled

Used to enable/disable the traffic rule.

Protocol

Select the protocol for the traffic rule (TCP, UDP, TCP/UDP or ICMP).

Src IP

Set the source IP of the traffic to be matched.

Src Port

Set the source port number of the traffic to be matched.

Dest IP

Set the destination IP of the traffic to be matched.

Dest Port

Set the destination port number of the traffic to be matched.

Min Pkt Size

Configures the minimum packet size of the traffic that will be matched.

Max Pkt Size

Configures the minimum packet size of the traffic that will be matched.

Class

Select from the drop-down list the class where this traffic will be put, thus making all necessary bandwidth reservations for this traffic in respect of the configurations set under the class settings.

Enable Application Tracking

Enables the application tracking. By default, it’s disabled.

Interface

Select the interface on which the application tracking will be performed. By default, it’s WAN Port 1.

Name

Enter the Name of the static route to be configured.

Enabled

Select whether to enable or disable this static route.

Interface

Choose the LAN network or WAN port, which will be using this static route.

Target Network/Host

Enter the Network/Host IP address on which to route the traffic to.
Example: 192.168.5.0

Netmask

Enter the Network/Host Netmask.
Example: 255.255.255.0

NextHop

Enter the NextHop IP address.
Example: 192.168.5.1.

Metric

Set the metric value. The valid range is 0-255. Default value is 0.

Name

Enter the Name of the static route to be configured.

Enable

Select whether to enable or disable this static route.

Interface

Choose the LAN network or WAN port, which will be using this static route.

Target Network/Host

Enter the Network/Host IP address on which to route the traffic to.
2001:db8:3c4d:4::/64

NextHop

Enter the Gateway’s IP address.
fec0:470:28:5b2::1/64

Metric

Set the metric value. The valid range is 0-255. Default value is 1.

Name

Enter the Name for the member.

Interface

Select the interface to which the member points.

Metric

Enter the value of the metric related to the member (default is 1).

Weight

Enter the weight that will be attributed to the member, in case load balancing is used, this will indicate how much traffic will be routed via this member through the specified interface. Default value is 1.

Status

Shows the device’s status information such as Firmware version, IP Address, Link Speed, Uptime, and Users count via different Radio channels.

Clients

Shows the Clients connected to the GWN76xx access point.

Configuration

• Device Name: Set GWN76xx’s name to identify it along with its MAC address.
• Fixed IP: Used to set a static IP for the GWN76xx, if checked, the following needs to be configured:
  -IPv4 Address: Enter the IPv4 address to be set as static for the device

-IPv4 Subnet Mask: Enter the Subnet Mask.
-IPv4 Gateway: Enter the Network Gateway’s IPv4 Address.
-Preferred IPv4 DNS: Enter the Primary IPv4 DNS.
-Alternate IPv4 DNS: Enter the Alternate IPv4 DNS.

• Frequency: Set the GWN76xx’s frequency, it can be either 2.4GHz, 5GHz or Dual-band.
• Enable Band Steering: When Frequency is set to Dual-Band, check this option to enable Band Steering on the Access Point, this will help redirecting clients to a radio band accordingly for efficient use and to benefit from the maximum throughput supported by the client.
• Mode: Choose the mode for the frequency band, 802.11n/g/b for 2.4Ghz and 802.11ac for 5Ghz.
• Channel Width: Choose the Channel Width, note that wide channel will give better speed/throughput, and narrow channel will have less interference. 20Mhz is suggested in very high-density environment.
• 40MHz Channel Location: Configure the 40MHz channel location when using 20MHz/40MHz in Channel Width, it can be set it to be “Secondary Below Primary”, “Primary Below Secondary” or “Auto”.
• Channel: Select “Auto” or a specific channel. Default is “Auto”. Note that the proposed channels depend on Country Settings under System Settings–>Maintenance.
• Enable Short Guard Interval: Check to activate this option to half the guard interval (from 800ns to 400ns) ensuring that distinct transmissions do not interfere with one another, this will help increasing throughput.
• Active Spatial Streams: Choose active spatial stream. Available options: “Auto”, “1 stream”, “2 streams” and “3 streams” (For GWN7610).
• Radio Power: Set the Radio Power depending on desired cell size to be broadcasted, three options are available: “Low”, “Medium” or “High”. Default is “High”.
• Allow Legacy Device(802.11b): This feature appears when “Mode” option is set to “802.11g” or “802.11n”, it allows legacy devices not supporting “802.11g/n” mode to connect using the “802.11b” mode.
• Custom Wireless Power(dBm): allows users to set a custom wireless power for both 5GHz/2.4GHz band, the value of this field must be between 1 and 31.

Field

Description

Enable SSID

Check to enable Wi-Fi for the SSID.

SSID

Set or modify the SSID name.

SSID Band

Select the Wi-Fi band the GWN will use, three options are available:

• Dual-Band
• 2.4GHz
• 5Ghz

SSID Hidden

Select to hide SSID. SSID will not be visible when scanning for Wi-Fi, to connect a device to hidden SSID, users need to specify SSID name and authentication password manually.

VLAN

Enter the VLAN ID corresponding to the SSID.

Wireless Client Limit

Configure the limit for wireless client. If there’s an SSID per-radio on a SSID, each SSID will have the same limit. So, setting a limit of 50 will limit each SSID to 50 users independently. If set to 0 the limit is disabled.

Enable Captive Portal

Click on the checkbox to enable the captive portal feature.

Captive Portal Policy

Select the captive portal policy already created on the “CAPTIVE PORTAL” web page to be used in the created SSID.

Enable Schedule

Check the box and choose a schedule to apply for the selected SSID.

Security Mode

Set the security mode for encryption, 5 options are available:

• WEP 64-bit: Using a static WEP key. The characters can only be 0-9 or A-F with a length of 10, or printable ASCII characters with a length of 5.
• WEP 128-bit: Using a static WEP key. The characters can only be 0-9 or A-F with a length of 26, or printable ASCII characters with a length of 13.
• WPA/WPA2: Using “PSK” or “802.1x” as WPA Key Mode, with “AES” or “AES/TKIP” Encryption Type.
• WPA2: Using “PSK” or “802.1x” as WPA Key Mode, with “AES” or “AES/TKIP” Encryption Type. Recommended configuration for authentication.
• Open: No password is required. Users will be connected without authentication. Not recommended for security reasons.

WEP Key

Enter the password key for WEP protection mode.

WPA Key Mode

Two modes are available:

• PSK: Use a pre-shared key to authenticate to the Wi-Fi.
• 802.1X: Use a RADIUS server to authenticate to the Wi-Fi.

WPA Encryption Type

Two modes are available:

• AES: This method changes dynamically the encryption keys making them nearly impossible to circumvent.
• AES/TKIP: use both Temporal Key Integrity Protocol and Advanced Encryption Standard for encryption, this provides the most reliable security.

WPA Pre – Shared Key

Set the access key for the clients, and the input range should be: 8-63 ASCII characters or 8-64 hex characters.

Client Bridge Support

Configures the client bridge support to allow the access point to be configured as a client for bridging wired only clients wirelessly to the network. When an access point is configured in this way, it will share the WiFi connection to the LAN ports transparently. Once a SSID has a Client Bridge Support enabled, the AP adopted in this SSID can be turned in to Bridge Client mode by click the Bridge button.

RADIUS Sever Address

Configures RADIUS authentication server address.

RADIUS Server Port

Configures RADIUS Server Listening port.

Default is: 1812.

RADIUS Server Secret

Enter the secret password for client authentication with RADIUS server.

RADIUS Accounting Server

Configures the address for the RADIUS accounting server.

RADIUS Accounting Server Port

Configures RADIUS accounting server listening port (defaults to 1813).

RADIUS Accounting Server Secret

Enter the secret password for client authentication with RADIUS accounting server.

Client Time Policy

Select a time policy to be applied to all clients connected to this SSID.

Use MAC Filtering

Choose Blacklist/Whitelist to specify MAC addresses to be excluded/included from connecting to the zone’s Wi-Fi.

Default is Disabled.

Enable Dynamic VLAN (beta)

When enabled, clients will be assigned IP address from corresponding VLAN configured on the RADIUS user profile.

This field is available only when “WPA Key Mode” is set to “802.1x”.

Client Isolation

Client isolation feature blocks any TCP/IP connection between connected clients to GWN76XX’s Wi-Fi access point.

Client isolation can be helpful to increase security for Guest networks/Public Wi-Fi.

Three modes are available:

• Internet Mode: Wireless clients will be allowed to access only the internet services and they cannot access any of the management services, either on the router nor the access points GWN76XX.
• Gateway MAC Mode: Wireless clients can only communicate with the gateway, the communication between clients is blocked and they cannot access any of the management services on the GWN76XX access points.
• Radio Mode: Wireless clients can access to the internet services, GWN7xxx router and the access points GWN76XX but they cannot communicate with each other.

Client Isolation

Client isolation feature blocks any TCP/IP connection between connected clients to GWN76XX’s Wi-Fi access point.

Client isolation can be helpful to increase security for Guest networks/Public Wi-Fi.

Three modes are available:

• Internet Mode: Wireless clients will be allowed to access only the internet services and they cannot access any of the management services, either on the router nor the access points GWN76XX.
• Gateway MAC Mode: Wireless clients can only communicate with the gateway, the communication between clients is blocked and they cannot access any of the management services on the GWN76XX access points.
• Radio Mode: Wireless clients can access to the internet services, GWN7xxx router and the access points GWN76XX but they cannot communicate with each other.

Gateway MAC Address

This field is required when using Client Isolation set to Gateway MAC, so users will not lose access to the Network (usually Internet).

Type in the default LAN Gateway’s MAC address (router’s MAC address for instance) in hexadecimal separated by “:”. Example: 00:0B:82:8B:4D:D8

Enable Minimum RSSI

Check to enable RSSI function, this will lead the AP to disconnect users below the configured threshold in Minimum RSSI (dBm).

Minimum RSSI (dBm)

Enter the minimum RSSI value in dBm. If the signal value is lower than the configured minimum value, the client will be disconnected.

The input range is from “-94” or “-1”.

Beacon Interval

Configures interval between beacon transmissions/broadcasts.

The Beacon signals help to keep the network synchronized and provide main information about the network such as SSID, Timestamp…

• Using High Beacon Interval: AP will be sending beacon broadcast less frequently.

This will help to get better throughput, thus better speed/performance. It also helps to save WiFi clients energy consumption.

• Using Low Beacon Interval: AP will be sending beacon broadcast more frequently. This can help in environments with weak signal areas; sending more frequently beacons will increase chances to be received by WiFi clients with weak signal.

Notes:

1. When AP enables several SSIDs with different interval values, the max value will take effect.
2. When AP enables less than 3 SSIDs, the interval value which will be effective are the values from 40 to 500.
3. When AP enables more than 2 but less than 9 SSIDs, the interval value which will be effective are the values from 100 to 500.
4. When AP enables more than 8 SSIDs, the interval value which will be effective are the values from 200 to 500.
5. Mesh feature will take up a share when it is enabled.

Default value is 100ms. Valid range: 40 – 500 ms.

DTIM Period

Configures the frequency of DTIM (Delivery Traffic Indication Message) transmission per each beacon broadcast. Clients will check the AP for buffered data at every configured DTIM Period. You may set a high value for power saving consideration. 

Default value is 1, meaning that AP will have DTIM broadcast every beacon. If set to 10, AP will have DTIM broadcast every 10 beacons.

Valid range: 1 – 10.

Multicast to Unicast

Once selected, AP will convert multicast streams into unicast streams over the wireless link. Which helps to enhance the quality and reliability of video/audio stream and preserve the bandwidth available to the non-video/audio clients.

Enable Voice Enterprise

Check to enable/disable Voice Enterprise. The roaming time will be reduced once enable voice enterprise.

• The 802.11k standard helps clients to speed up the search for nearby APs that are available as roaming targets by creating an optimized list of channels.

When the signal strength of the current AP weakens, your device will scan for target APs from this list.

• When your client device roams from one AP to another on the same network, 802.11r uses a feature called Fast Basic Service Set Transition (FT) to authenticate more quickly. FT works with both pre-shared key (PSK) and 802.1X authentication methods.
• 802.11v allows client devices to exchange information about the network topology, including information about the RF environment, making each client network aware, facilitating overall improvement of the wireless network.

Note: 11R is required for enterprise audio feature, 11V and 11K are optional. This field is available only when “Security Mode” is set to “WPA/WPA2” or “WPA2”.

Enable 11R

Check to enable 802.11r

Enable 11K

Check to enable 802.11k

Enable 11V

Check to enable 802.11v

ARP Proxy

This option will enable GWN AP to answer the ARP requests from its LAN for its connected WiFi clients. This is mainly to reduce the airtime consumed by ARP Packets

Filed

Description

Enable Mesh

When checked the Mesh feature will be activated.

Scan Interval

Interval in seconds to scan for available Mesh neighbors. Must be less than or equal to 300 seconds.

Interface

Select either 2.4GHz or 5GHz band.

Wireless cascades

Define how many AP can be cascaded wirelessly with the AP. The minimum value is 1 and maximum value is 3.

Option

Description

Name

Enter the name of the policy

Enabled

Check the box to enable the policy

Limit Client Connection Time

Sets amount of time a client may be connected.

Client Reconnect Timeout Type

Select the method with which we will reset a client’s connection timer, so they may reconnect again. Options are:

• Reset Daily.
• Reset Weekly.
• Reset Hourly.
• Timed Reset.

Client Reconnect Timeout

If ‘Timed Reset’ is selected, this is the period for which the client will have to wait before reconnecting.

Hour of the Day

If Reset Daily is selected, this is the hour the reset will be applied.

Day of the Week

If Reset Weekly is selected, this is the day the reset will be applied.

Hour of the Week

If Reset Weekly is selected, this is the hour the reset will be applied.

Reset Hour

If Reset Weekly or Reset Daily is select, this is the hour and day the reset will be applied.

Field

Description

Common Name

Enter the common name for the CA.

It could be any name to identify this certificate. Example: “CATest”.

Key Length

Choose the key length for generating the CA certificate.

Following values are available:

• 1024: 1024-bit keys are no longer sufficient to protect against attacks.
• 2048: 2048-bit keys are a good minimum. (Recommended).
• 4096: 4096-bit keys are accepted by nearly all RSA systems. Using 4096-bit keys will dramatically increase generation time, TLS handshake delays, and CPU usage for TLS operations.

Digest Algorithm

Choose the digest algorithm:

• SHA1: This digest algorithm provides a 160-bit fingerprint output based on arbitrary length input.
• SHA-256: This digest algorithm generates an almost-unique, fixed size 256-bit (32-byte) hash. Hash is a one-way function – it cannot be decrypted back.

Lifetime (days)

Enter the validity date for the CA certificate in days.

In our example, set to “120”.

Country Code

Select a country code from the dropdown list.

Example: “MA”.

State or Province

Enter a state name or province.

Example: “Casablanca”.

City

Enter a city name.

Example: “Casablanca”.

Organization

Enter the organization name.

Example: “GS”.

Organization Unit

Enter the organization unit name.

Example: “Gs”.

Email Address

Enter an email address.

Example: “grandstream@gmail.com”

Field

Description

Common Name

Enter the common name for the server certificate.

It could be any name to identify this certificate.

Example: “ServerCertificate”.

CA Certificate

Select CA certificate previously generated from the drop-down list.

Example: “CATest”.

Certificate Type

Choose the certificate type from the drop-down list. It can be either a client or a server certificate.

Choose “Server” to generate server certificate.

Key Length

Choose the key length for generating the server certificate.

Following values are available:

• 1024: 1024-bit keys are no longer sufficient to protect against attacks. Not recommended.
• 2048: 2048-bit keys are a good minimum. Recommended.
• 4096: 4096-bit keys are accepted by nearly all RSA systems. Using 4096-bit keys will dramatically increase generation time, TLS handshake delays, and CPU usage for TLS operations.

Digest Algorithm

Choose the digest algorithm:

• SHA1: This digest algorithm provides a 160-bit fingerprint output based on arbitrary length input.
• SHA-256: This digest algorithm generates an almost-unique, fixed size 256-bit (32-byte) hash. Hash is a one-way function – it cannot be decrypted back

Lifetime (days)

Enter the validity date for the server certificate in days.

In our example, set to “120”.

Country Code

Select a country code from the dropdown list.

Example: “MA”.

State or Province

Enter a state name or province.

Example: “Casablanca”.

City

Enter a city name.

Example: “Casablanca”.

Organization

Enter the organization name.

Example: “GS”.

Email Address

Enter an email address.

Example: “Cert@grandstream.com”.

Field

Description

Enabled

Check to enable the user.

PPTP Server

Enable this option when using the account for PPTP client connection.

Full Name

Choose full name to identify the users.

Username

Choose username to distinguish client’s certificate.

Password

Enter user password for each username.

Enable PPTP Client Subnet

Enable this option to configure the remote subnet reachable through the PPTP client.

Client Subnet

Enter the Subnet that exists behind the connected PPTP client.

OpenVPN Subnet

Used to indicate which networks are located behind the remote device when the user account is used by an OpenVPN client router to establish a site-to-site VPN.

Field

Description

Common Name

Enter the common name for the client certificate.

It could be any name to identify this certificate.

Example: “ClientCertificate”.

CA Certificate

Select the generated CA certificate from the drop-down list.

Certificate Type

Choose the certificate type from the drop-down list.

It can be either a client or server certificate.

Username

Select created user to generate his certificate.

Key Length

Choose the key length for generating the client certificate.

Following values are available:

• 1024: 1024-bit keys are no longer sufficient to protect against attacks. Not recommended.
• 2048: 2048-bit keys are a good minimum. Recommended.
• 4096: 4096-bit keys are accepted by nearly all RSA systems. Using 4096-bit keys will dramatically increase generation time, TLS handshake delays, and CPU usage for TLS operations.

Digest Algorithm

Choose the digest algorithm:

• SHA1: This digest algorithm provides a 160-bit fingerprint output based on arbitrary length input.
• SHA-256: This digest algorithm generates an almost-unique, fixed size 256-bit (32-byte) hash. Hash is a one-way function – it cannot be decrypted back

Lifetime (days)

Enter the validity date for the client certificate in days.

Example: “120”.

Country Code

Select a country code from the dropdown list.

Example: “MA”.

State or Province

Enter a state name or province.

Example: “Casablanca”.

City

Enter a city name.

Example: “Casablanca”.

Organization

Enter the organization name.

Example: “GS”.

Email Address

Enter an email address.

Example: “user@grandstream.com”.

Field

Description

Enable

Click on the checkbox to enable the OpenVPN® server feature.

VPN Name

Enter a name for the OpenVPN® server.

Server Mode

Choose the server mode the OpenVPN® server will operate with.

4 modes are available:

• PSK: Used to establish a point-to-point OpenVPN® configuration. A VPN tunnel will be created with a server endpoint of a specified IP and a client endpoint of specified IP. Encrypted communication between client and server will occur over UDP port 1194, the default OpenVPN® port.
• SSL: Authentication is made using certificates only (no user/pass authentication). Each user has a unique client configuration that includes their personal certificate and key. This is useful if clients should not be prompted to enter a username and password, but it is less secure as it relies only on something the user has (TLS key and certificate).
• User Auth: Authentication is made using only CA, user and password, no certificates. Useful if the clients should not have individual certificates.

Less secure as it relies on a shared TLS key plus only something the user knows (Username/password).

• SSL + User Auth: Requires both certificate and username / password. Each user has a unique client configuration that includes their personal certificate and key.

Most secure as there are multiple factors of authentication (TLS Key and Certificate that the user has, and the username/password they know).

Protocol

Choose the Transport protocol from the dropdown list, either TCP or UDP. The default protocol is UDP.

Bind to Local Interface

Select the interface used to connect the GWN7000 to the uplink, either WAN1, WAN2, LAN or All.

Local Port

Configure the listening port for OpenVPN® server. The default value is 1194.

Traffic Routing Policy

Select which routing policy to assign to the traffic from this VPN network.

See Policy Routing section in the GWN7000 usermanual.

Destination

Choose to which destination group or WAN to allow traffic from the VPN, this will generate automatically a forwarding rule under the menu Firewall 🡪 Traffic Rules 🡪 Forward.

Encryption Algorithm

Choose the encryption algorithm from the dropdown list to encrypt data so that the receiver can decrypt it using same algorithm.

Digest Algorithm

Choose digest algorithm from the dropdown list, which will uniquely identify the data to provide data integrity and ensure that the receiver has an unmodified data from the one sent by the original host.

TLS Authentication

This option uses a static Pre-Shared Key (PSK) that must be generated in advance and shared among all peers.

This feature adds extra protection to the TLS channel by requiring that incoming packets have a valid signature generated using the PSK key.

TLS Pre-Shared Key

Enter the generated TLS Pre-Shared Key when using TLS Authentication.

Certificate Authority

Select a generated CA from the dropdown list.

Server Certificate

Select a generated Server Certificate from the dropdown list.

IPv4 Tunnel Network

Enter the network range that the GWN7000 will be serving from to the OpenVPN® client.

Note: The network format should be the following 10.0.10.0/16.

The mask should be at least 16 bits.

Redirect Gateway

When redirect-gateway is used, OpenVPN® clients will route DNS queries through the VPN, and the VPN server will need to handle them.

Automatic Firewall Rule

Enable automatic firewall rule.

Push Route

Specify route(s) to be pushed to all clients. Example: 10.0.0.1/8

LZO Compression

Select whether to activate LZO compression or no, if set to “Adaptive”, the server will make the decision whether this option will be enabled or no.

Allow Peer to Change IP

Allow remote change the IP and/or Port, often applicable to the situation when the remote IP address changes frequently.

Field

Description

Enable

Click on the checkbox to enable the OpenVPN® client feature.

VPN Name

Enter a name for the OpenVPN® client.

Protocol

Choose the Transport protocol from the dropdown list, either TCP or UDP. The default protocol is UDP.

Bind to Local

Select the interface used to connect the GWN7000 to the uplink, either WAN1, WAN2, LAN or All.

Interface

Select the interface used to connect the GWN7000 to the uplink, either WAN1, WAN2.

Local Port

Configure the listening port for OpenVPN® server. Default is 1194.

Destination

Choose to which destination group or WAN to allow traffic from the VPN, this will generate automatically a forwarding rule under the menu Firewall 🡪 Traffic Rules 🡪 Forward.

Remote OpenVPN® Server

Configure the remote OpenVPN® server IP address.

Remote OpenVPN® Server Port

Configure the remote OpenVPN® server port.

Local TUN IP address

Configures statically the local VPN tunnel IP address for the client.

Remote TUN IP address

Configures statically the local VPN tunnel IP address for the remote server.

Auth Mode

Choose the server mode the OpenVPN® server will operate with, 4 modes are available:

• PSK: used to establish a point-to-point OpenVPN® configuration. A VPN tunnel will be created with a server endpoint of a specified IP and a client endpoint of specified IP. Encrypted communication between client and server will occur over UDP port 1194, the default OpenVPN® port.
• SSL: Authentication is made using certificates only (no user/pass authentication). Each user has a unique client configuration that includes their personal certificate and key. This is useful if clients should not be prompted to enter a username and password, but it is less secure as it relies only on something the user has (TLS key and certificate).
• User Auth: Authentication is made using only CA, user and password, no certificates. Useful if the clients should not have individual certificates.

Less secure as it relies on a shared TLS key plus only something the user knows (Username/password).

• SSL + User Auth: Requires both certificate and username / password. Each user has a unique client configuration that includes their personal certificate and key.

Most secure, as there are multiple factors of authentication (TLS Key and Certificate that the user has, and the username/password they know).

Encryption Algorithm

Choose the encryption algorithm from the drop-down list, in order to encrypt data so that the receiver can decrypt it using the same algorithm.

Digest Algorithm

Choose the digest algorithm from the drop-down list, which will uniquely identify the data to provide data integrity and ensure that the receiver has an unmodified data from the one sent by the original host.

TLS Authentication

This option uses a static Pre-Shared Key (PSK) that must be generated in advance and shared among all peers. This feature adds extra protection to the TLS channel by requiring that incoming packets have a valid signature generated using the PSK key.

TLS Pre-Shared Key

Enter the generated TLS Pre-Shared Key when using TLS Authentication.

Routes

This feature allows specifying and adding custom routes.

Don’t Pull Routes

If enabled, client will ignore routes pushed by the server.

IP Masquerading

This feature is a form of network address translation (NAT) which allows internal computers with no known address outside their network, to communicate to the outside. It allows one machine to act on behalf of other machines.

LZO Compression

LZO encoding provides a very high compression ratio with good performance. LZO encoding works especially well for CHAR and VARCHAR columns that store very long character strings.

Allow Peer to Change IP

Allow remote change the IP and/or Port, often applicable to the situation when the remote IP address changes frequently.

CA Certificate

Click on “Upload” and select the “CA” certificate generated previously on this guide.

Client Certificate

Click on “Upload” and select the “Client Certificate” generated previously on this guide.

Client Private Key

Click on “Upload” and select the “Client Private Key” generated previously on this guide.

Client Private Key Password

Enter the client private key password

Field

Description

Enable

Click on the checkbox in order to enable the L2TP client feature.

VPN Name

Enter a name for the L2TP client.

WAN Port

Select which WAN port is connected to the uplink, either WAN1 or WAN2.

Remote L2TP Server

Enter the IP/Domain of the remote L2TP Server.

Username

Enter the Username for authentication against the VPN Server.

Password

Enter the Password for authentication against the VPN Server.

Connection Type

Select either Transport mode or Tunnel mode:

• Transport mode is commonly used between end stations or between an end station and a gateway, if the gateway is being treated as a host.
• Tunnel mode is used between gateways, or at an end station to a gateway, the gateway acting as a proxy for the hosts behind it.

Pre-Shared Key

Enter the L2TP pre-shared key.

Remote Subnet

Configures the remote subnet for the VPN.

The format should be “IP/Mask” where IP could be either IPv4 or IPv6 and mask is a number between 1 and 32.

For example: 192.168.5.0/24

IP Masquerading

This feature is a form of network address translation (NAT) which allows internal computers with no known address outside their network, to communicate to the outside. It allows one machine to act on behalf of other machines.

Masq Source

This option allows the user to configure the local subnets that needs to be masqueraded.

Use DNS from Server

Enable this option to retrieve DNS from the VPN server.

Keepalive

Specifies the keepalive failure value “n”. if ppp doesn’t receive LCP response from “n” LCP echo-request frames, then the connection to the peer will be terminated.

If this option is set LCP echo-request will be sent to the peer for every 5 sec by default.

Use Built-in IPv6 management

Enable the IPv6 management for the VPN.

Connection retries

Configures the number of attempts to reconnect the L2TP client, if this number is exceeded, the client will be disconnected from the L2TP/IP Server.

Field

Description

Enable

Click on the checkbox to enable the PPTP VPN client feature.

VPN Name

Enter a name for the PPTP client.

Remote PPTP Server

Enter the IP/Domain of the remote PPTP Server.

Username

Enter the Username for authentication against the VPN Server.

Password

Enter the Password for authentication against the VPN Server.

Destination

Choose to which destination group or WAN to allow traffic from the VPN, this will generate automatically a forwarding rule under the menu Firewall 🡪 Traffic Rules 🡪 Forward.

Remote Subnet

Configures the remote subnet for the VPN.

The format should be “IP/Mask” where IP could be either IPv4 or IPv6 and mask is a number between 1 and 32.

For example: 192.168.5.0/24

IP Masquerading

This feature is a form of network address translation (NAT) which allows internal computers with no known address outside their network, to communicate to the outside. It allows one machine to act on behalf of other machines.

Use DNS from Server

Enable this option to retrieve DNS from the VPN server.

Number of Attempts to Reconnect

Configures the number of attempts to reconnect the PPTP client, if this number is exceeded, the client will be disconnected from the PPTP Server.

Use Built-in IPv6 management

Enable the IPv6 management for the VPN.

MPPE

Enable / disable the MPPE for data encryption. By default, it’s disabled.

Field

Description

Enable

Click on the checkbox to enable the PPTP VPN Server.

VPN Name

Enter a name for the PPTP Server.

PPTP Server Address

Configure the PPTP server local address (ex: 192.168.1.1).

Client Start Address

Configure the remote client IP start address.

Note: this address should be in the same subnet as the end address and PPTP server address.

Client End Address

Configure the remote client IP end address.

Note: this address should be in the same subnet as the start address and PPTP server address.

Allow Forwarding between Site-To-Site VPNs

This option allows forwarding between multiple site-to-site VPNs. i.e. if there are multiple PPTP users configured with client subnet enabled, then this option allows one PPTP client subnet to access another PPTP client subnet through the server.

Note: for this option to work more than one PPTP users with client subnet must be enabled.

MPPE

Enable / disable the MPPE for data encryption. By default, it’s disabled.

Traffic Routing Policy

Select which routing policy to assign to the traffic from this VPN network. See Policy Routing section

Destination

Choose to which destination group or WAN to allow traffic from the VPN, this will generate automatically a forwarding rule under the menu Firewall 🡪 Traffic Rules 🡪 Forward.

PPP Keep-Alive Interval (sec)

Interval in seconds for LCP echo-request frames to be sent.

PPP Keep-Alive Failure Threshold

The PPTP server will consider a peer to be dead if N Echo-request frames aren’t replied to. The connection will be then terminated.

A setting of 0 disables this function.

PPP Adaptive Keep-Alive

If the PPP keepalive failure settings is enabled, then echo-request frames will only be sent if no traffic has been received from the peers since the last echo-request was sent.

Debug

Enable debug logging to syslog.

MTU

Specify the MTU, valid range (1280-1500 Bytes).

MRU

Specify the MRU, valid range (1280-1500 Bytes).

Field

Description

Enabled

Enable or Disable the IPSec tunnel.

VPN Name

VPN Connection Name.

Remote Address

Enter the IP address of the remote side of the tunnel.

Interface

Select from which interface the router will try to build the VPN connection.

IKE Version

Allows the use to choose between using IKE version 1 or 2.

Default value: IKEv1

IKE Lifetime

Specifies in seconds the lifetime of the keying channel.

Default: 3600 seconds.

Key Exchange mode

Select which mode to use for key exchange during the stage of channel establishment: Main mode or Aggressive mode.

Pre-Shared key

Enter the PSK password for authentication.

Destination

Choose to which destination group or WAN to allow traffic from the VPN, this will generate automatically a forwarding rule under the menu Firewall 🡪 Traffic Rules 🡪 Forward.

Encryption algorithm

Select the crypto to be used for data confidentiality:

• AES_CBC_256
• AES_CBC_192
• AES_CBC_128
• 3DES_192

Hash algorithm

Select the hash to be used data integrity:

• MD5
• SHA1
• SHA2_256
• SHA2_512
• SHA2_384

DH group

Select the Diffie Hellman group to be used for the session:

• MODP1024
• MODP1536
• MODP2048
• MODP3072
• MODP4096
• MODP6144
• MODP8192
• DH19
• DH20
• DH21
• DH23
• DH24

Rekey

This allows the user to decide whether a connection should be renegotiated when it is about to expire. if disabled it is necessary to make sure the other end also agrees on it. Otherwise it is ineffective.

Keying tries

This specifies the number of attempts to be made to negotiate a connection before giving up. By default, it is set to 10 and if set to 0 the router will keep trying forever.

Dead Peer Detection

Check the option to enable/disable DPD.

DPD delay

Configures the delay for DPD keepalive packets for the specific connection.

DPD timeout

Configures the length of time it will remain idle without

receiving any response from the peer.

DPD action

This provides the user with a set of actions to perform if the peer is

considered to be dead.

• hold– all routes will be put on hold
• clear– routes and SA will be cleared.
• restart–all SA’s to the dead peer will be renegotiated.

Field

Description

Local Subnet

Configure the local subnet that will be included on the connection.

Local Source IP

Configures the source IP to be used when transmitting a packet to the other end of the connection.

NAT Enable

This option enables the user to masquerade the local LAN subnets. NAT translated subnet must be specified along with this option.

Remote Subnet

Specifies the remote subnet that can be reached through the tunnel connection.

SA lifetime

Sets the lifetime of a set of encryption/auth keys for a packet.

Encryption algorithm

Select the crypto to be used for data confidentiality:

• AES_CBC_256
• AES_CBC_192
• AES_CBC_128
• 3DES_192

Hash algorithm

Select the hash to be used data integrity:

• MD5
• SHA1
• SHA2_256

PFS group

Select the Diffie Hellman group to be used for the session:

• MODP1024
• MODP1536
• MODP2048
• MODP3072
• MODP4096
• MODP6144
• MODP8192
• DH23
• DH24

The default value is disabled, which indicates that the router will use the option configured on DH group under phase 1.

Name

Specify a name for the port forward rule.

Enabled

Check to enable this port forward rule.

Protocol

Select a protocol, users can select TCP, UDP or TCP/UDP.

Source Group

Select the WAN Interface.

Source Port (s)

Set a single or a range of Ports.

Destination Group

Select the LAN or VLAN group.

Destination IP

Set the destination IP address.

Destination Port (s)

Set a single or a range of Ports.

Name

Specify a name for the DMZ entry.

Enabled

Check to enable this DMZ entry.

Source Group

Select the WAN interface

Destination Group

Select the LAN group.

Destination IP

Set the destination IP address.

Enable Daemon

Check to enable Daemon for UPnP.

External Interface

Select the WAN interface to allow external connection to resources that enables UPnP.

Internal Interface

Check the LAN network on which to activate UPnP.

Enable UPnP

Check to Enable UPnP for the LAN clients on selected LAN network.

Enable NAT-PMP

Check to enable automatic NAT Port Mapping (NAT-PMP).

Secure Mode

Check to activate secure mode for devices that activate UPnP.

Logging to Syslog

Choose whether to log activities for UPnP into Syslog.

Download Speed

Set the Download speed value in KB/s. Default is 2048

Upload Speed

Set the Upload speed value in KB/s. Default is 1024.

Name

Specify a name for the traffic rule.

Enabled

Check to enable this rule.

IP Family

Select the IP version, three options are available: IPv4, IPv6 or Any.

Source Group

Select a WAN interface or a LAN group for Source Group, or select All.

Protocol

Select one of the protocols from dropdown list or All, available options are: UDP, TCP, TCP/UCP, UDP-Lite, ICMP, AH, SCTP, IGMP and All.

Source IP Address

Set the Source IP address, it can be an IPv4 or IPv6 address.

Source Port(s)

Set the source port number. Or port range.

Source MAC address

Set the Source MAC address.

Destination IP

Set the destination IP address, it can be an IPv4 or IPv6 address.

Destination Port(s)

Set the destination’s port(s).

Firewall Action

Select which action to perform for the given traffic rule, 3 options are available: Accept, Reject or Drop.

Input Policy

Select which action to apply to all incoming traffic to this interface/LAN group, 3 actions are available: Accept, Reject and Drop.

Output Policy

Select which action to apply to all outgoing traffic from this interface/LAN group, 3 actions are available: Accept, Reject and Drop.

IP Masquerading

Check to enable IP Masquerading, this will allow internal computers with no known address outside their network, to communicate to the outside. It allows one machine to act on behalf of other machines.

MSS Clamping

Check to enable MSS Clamping. This will provide a method to prevent fragmentation when the MTU value on the communication path is lower than the MSS value.

Log Dropped and Reject Traffic to Syslog

Check to send all rejected and dropped traffic logs to configured Syslog Server.

Limit for Dropped and Rejected Traffic

Specify the limit for dropped and reject traffic. The value format is N/unit, where N is a digit number, and unit can either be in second, minute, hour or day.

Name

Specify a name for the SNAT entry

Enabled

Check to enable this SNAT entry.

IP Family

Select the IP version, three options are available: IPv4, IPv6 or Any.

Source Group

Select a WAN interface or a LAN group for Source Group, or select All.

Destination Group

Select a WAN interface or a LAN group for Destination Group, or select All. Make sure that destination and source groups are different to avoid conflict.

Protocol

Select one of the protocols from dropdown list or All, available options are: UDP, TCP, TCP/UCP and All.

Source IP

Set the Source IP address.

Rewrite IP

Set the Rewrite IP. The source IP address of the data package from the source group will be updated to this configured IP.

Destination IP

Set the Destination IP address.

Schedule Start Date

Click on icon to schedule a start date for this SNAT entry to be applied.

Schedule End Date

Click on icon to schedule an end date for this SNAT entry to end.

Schedule Start Time

Click on icon to schedule a start time for this SNAT entry to be applied.

Schedule End Time

Click on icon to schedule an end time for this SNAT entry to end.

Schedule Weekdays List of Weekdays

Select the days, on which the SNAT entry will be applied, the unselected days will ignore this rule.

Schedule Days of the Month

Enter the days of the months (separated by space) on which the SNAT entry will be applied.
Example: 5 10 15

This will be applied only on 5^th, 10^th and 15^th day monthly.

Treat Time Values as UTC Instead of Local Time

Check to use UTC as time zone for the specified times, instead of using GWN7000’s local time.

Name

Specify a name for the DNAT entry

Enabled

Check to enable this DNAT entry.

IP Family

Select the IP version, three options are available: IPv4, IPv6 or Any.

Source Group

Select a WAN interface or a LAN group for Source Group, or select All.

Destination Group

Select a WAN interface or a LAN group for Destination Group, or select All. Make sure that destination and source groups are different to avoid conflict.

Protocol

Select one of the protocols from dropdown list or All, available options are: UDP, TCP, TCP/UCP and All.

Source IP

Set the Source IP address.

Destination IP

Set the Destination IP address.

Rewrite IP

Set the Rewrite IP. The source IP address of the data package from the source group will be updated to this configured IP.

Enable NAT Reflection

Check to enable NAT Reflection for this DNAT entry to allow the access of a service via the public IP address from inside the local network.

Field

Description

Name

Enter the name of the Captive Portal policy

Splash Page

Select Splash Page type, Internal or External.

Authentication Type

Following types of authentication are available:

• Login for free: when choosing this option, the landing page feature will not provide any type of authentication, instead it will prompt users to accept the license agreement to gain access to internet.
• RADIUS Server: Choosing this option will allow users to set a RADIUS server to authenticate connecting clients.
• Social Login Authentication: Choosing this option will allow users to enable authentication Facebook or Twitter or WeChat.
• Vouchers: Choose this page when using authentication via Vouchers.
• Login with Password: Choose this page when using authentication via a password.

Expiration

Configures the period of validity, after the valid period, the client will be re-authenticated again.

If Authentication Type is set to “RADIUS Authentication”

RADIUS Server Address

Fill in the IP address of the RADIUS server.

RADIUS Server Port

Set the RADIUS server port, the default value is 1812.

RADIUS Server Secret

Fill in the key of the RADIUS server.

RADIUS Authentication Method

Select the RADIUS authentication method, 3 methods are available: PAP, CHAP and MS-CHAP.

If Authentication Type is set to “Social Login Authentication”

WeChat

Check to enable/disable WeChat Authentication

Shop ID

Fill in the Shop ID that offers WeChat Authentication.

APP ID

Fill in the APP ID provided by the WeChat in its web registration page

Secret Key

Set the key for the portal, once clients want to connect to the Wi-Fi, they should enter this key.

Facebook

Check to enable/disable Facebook Authentication

Facebook App ID

Fill in the Facebook App ID.

Facebook APP Key

Set the key for the portal, once clients want to connect to the Wi-Fi___33, they should enter this key.

Twitter

Check this box to enable Twitter Authentication.

Force to Follow

If checked, users need to Follow owner before been authenticated.

Owner

Enter the app Owner to use Twitter Login API.

This field appears only when Force to Follow is checked.

Consumer Key

Enter the app Key to use Twitter Login API.

Consumer Secret

Enter the app secret to use Twitter Login API.

For all Authentication Types

Use Default Portal Page

If checked, the users will be redirected to the default portal page once connected to the GWN.

If unchecked, users can manually select which Portal Page to use from Portal Page Customization drop-down list.

Portal Page Customization

Select the customized portal page (if “Use Default Portal Page” is unchecked).

• /facebook.html
• /password_auth.html
• /portal_default.html
• /portal_pass.html
• /portal_tip.html
• /social_auth.html
• /status.html
• /twitter.html
• /twitter_website.html
• /vouchers_auth.html
• /wechat.html

Landing Page

Choose the landing page, 2 options are available:

• Redirect to the Original URL.
• Redirect to External Page.

Redirect External Page URL Address

Once the landing page is set to redirect to external page, user should set the URL address for redirecting.

This field appears only when Landing Page is set to “Redirect to an External Page”.

Enable Daily Limit

If enabled, captive portal will limit user connection by times of one day.

Failsafe Mode

If checked, AP will grant access to STA if AP can’t reach to external authentication server.

This option is available only when Authentication Type is set to “RADIUS Server” or “Vouchers”.

Enable HTTPS

Check to enable/disable HTTPS service.

Field

Description

Name

Enter the name of the Captive Portal policy

Splash Page

Select to either use Internal or External Splash Page.

Platform

Select which external captive portal platform to use:

• Linkyfi Platform (https://www.avsystem.com/products/linkyfi)
• Purple Platform (https://purple.ai/)
• Universal Platform (when using other external captive portal platforms)

External Splash Page URL

Enter the External Splash Page URL, and make sure to enter the pre-authentication rules request by the external portal platform in the pre-authentication configuration option.

RADIUS Server Address

Fill in the IP address of the RADIUS server.

RADIUS Server Port

Set the RADIUS server port, the default value is 1812.

RADIUS Server Secret

Fill in the key of the RADIUS server.

RADIUS Accounting Server Address

Configures the address for the RADIUS accounting server.

RADIUS Accounting Server Port

Configures RADIUS accounting server listening port (default is 1813).

RADIUS Accounting Server Secret

Enter the secret password for client authentication with RADIUS accounting server.

Accounting Update Interval

Enter Update Interval for RADIUS Accounting Server. The interval unit can be set by seconds, minutes, hours or days.

RADIUS NAS ID

Enter RADIUS NAS ID.

This field appears only when Platform is set to “Linkyfi Platform” or “Universal Platform”.

Redirect URL

Specify URL where to redirect clients after authentication.

Field

Description

Create Number One Time

Specify how many vouchers to generate which will have same profile/settings (duration, bandwidth and number of users).

Valid range: 1 – 1000.

Max Devices

Specify how many users can use same voucher.

Valid range: 1 – 5.

Duration

Specify the duration after which the voucher will expire, and clients will be disconnected from internet.

Note: in case or multiple users, the duration will start counting after first user starts using the voucher.

Validity Time

Set the validity period of credentials, limited to 1-365 integer. The unit is day.

Download Limit

Set the downstream bandwidth speed limit (in Kbps or Mbps).

Upload Limit

Set the upstream bandwidth speed limit (in Kbps or Mbps).

Notes

Notes for the admin when checking the list of vouchers.

Field

Description

Enable

Enable/Disable the Bandwidth rule.

SSID

Select which SSID will be affected by the bandwidth rule limitation.

Range Constraint

Choose the type of rule to be applied on bandwidth utilization from the dropdown list, three options are available:

• Per-SSID: Set a bandwidth limitation on the SSID level.
• Per-Client: Set a bandwidth limitation per Client.
• MAC: Set a bandwidth limitation per MAC address.
• IP Address: Set a bandwidth limitation per IP address.

MAC

Enter the MAC address of the device to which the limitation will be applied, this option appears only when MAC type is selected.

IP address

Enter the IP address of the device to which the limitation will be applied, this option appears only when IP Address type is selected.

Enable Schedule

Enable this option to assign a schedule for the bandwidth rule.

Upload Limit

Specify the limit for the upload bandwidth using Kbps or Mbps.

Download Limit

Specify the limit for the download bandwidth using Kbps or Mbps.

Rebind Protection

Anti-domain name hijacking protection.

If enabled, when the address returned by the superior DNS is a private LAN address, it will be regarded as a domain name hijacking, thus discarding the analytical result.

If disabled, the analytical result will not be discarded.

Web WAN Access

Enable the web WAN access. By default, it’s disabled

Web HTTP Access

Enable the web HTTP Access. By default, it’s disabled.

Web HTTPS Port

Specifies the HTTPS port.

By default, is 443.

Country

Select the country from the drop-down list.

Time Zone

Configure time zone for the GWN7000.

Please reboot the device to take effect.

NTP Server

Configure the IP address or URL of the NTP server, the device will obtain the date and time from the configured server.

Date Display Format

Change the Date Display Format, three options are possible YYYY/MM/DD, MM/DD/YYYY and DD/MM/YYYY

Reboot Schedule

Select the pre-configured schedule (System Settings 🡪 Schedule), once a schedule is selected, then the network will not be working for a while (reboot duration during the scheduled reboot duration.

Authenticate Config File

Authenticate configuration file before acceptance. Default is disabled.

XML Config File Password

Enter the password for encrypting the XML configuration file using OpenSSL.

The password is used to decrypt the XML configuration file if it is encrypted.

Upgrade Via

Specify uploading method for firmware and configuration. 3 options are available: HTTP, HTTPS and TFTP.

Firmware Server

Configure the IP address or URL for the firmware upgrade server.

Config Server

Configure the IP address or URL for the configuration file server.

Check Update on Boot

Choose whether to enable or disable automatic upgrade and provisioning after reboot. Default is disabled.

Automatic Upgrade Check Interval(m)

Specify the time period to check for firmware upgrade (in minutes).

Reboot

Click on Reboot button to reboot the device

Download Configuration

Click on Download to download the device’s configuration file.

Upgrade Now

Click on Upgrade, to launch firmware/config file provisioning.

Please make sure to Save and Apply changes before clicking on Upgrade.

Factory Reset

Click on Reset to restore the GWN7000 as well as all online GWN76xx units to factory default settings

Current Administrator Password

Enter the current administrator password

New Administrator Password

Change the current password. This field is case sensitive with a maximum length of 32 characters.

Confirm New Administrator Password

Enter the new administrator password one more time to confirm.

User Password

Configure the password for user-level Web GUI access. This field is case sensitive with a maximum length of 32 characters.

User Password Confirmation

Enter the new User password again to confirm.

Syslog Server

Enter the IP address or URL of Syslog server. Please reboot the GWN7000 to take effect.

Syslog Level

Select the level of Syslog, 5 levels are available: None, Emergency, Alert, Critical, Error, Warning, Notice, Information and Debug.

Please reboot the GWN7000 to take effect.

Option

Description

Enable WAN Firewall Rule

Enable WAN Firewall rules to allow incoming syslog messages to the router.

Logrotate File Size

Select the size of file to trigger rotation, if left empty, then the router will use only the Logrotate frequency rules to trigger rotation.

Logrotate File Count

Select the Maximum number of rotates files to keep. Default is 56 files.

Logrotate Mode

Choose the time rotation frequency mode (default every 3 hours).

• Every X hours (0-23)
• Every X Minutes (0-59).
• X hour of day (0-23).
• X day of week (Sunday-Saturday) + X hour of day (0-23).

Hours

Enter the number of hours period after which trigger file rotation.

Minutes

Enter the number of Minutes period after which trigger file rotation.

Hour of the day

Enter the hour of day at which trigger file rotation.

Day of the week

Enter Day of the week + hour of day, at which trigger file rotation.

Devices

Select the path (a USB partition) to store collected logs. Required.

Enable Logserver

Enables the logserver

File Name

Enter the name of the capture file that will be generated.

Interface

Choose an Interface (WAN port1 or 2, or a network group) from where to begin the capture.

Device

Choose a device plugged to USB port to save the capture once started.

File Size

Set a File size that the capture will not exceed (Optional field).

Rotate Count

Set a value for rotating captures (Optional Field).

Direction

Choose if you want to get all traffic or only outgoing or incoming to the choses interface.

Source Port

Set the Source Port to filter capture traffic coming from the defined source port.

Destination Port

Set the Destination Port to filter capture traffic coming from the defined port.

Source IP

Set the Source IP to filter capture traffic coming from the defined source IP.

Destination IP

Set the Destination IP to filter capture traffic coming from the defined destination IP.

Protocol

Choose ALL or a specific protocol to capture (IP, ARP, RARP, TCP, UDP, ICMP, IPv6)

Filed

Description

Enable Email Notification

Once enabled, AP will send related notification email to the the receivers.

Note: if no event is specified in the Notification page, server will send an empty mail.

General

From Email Address

Specify the email address of the notification sender. If the address is not specified, AP will use the SMTP username as a sender.

From Name

Specifies the name of the notification sender.

SMTP Username

Specifies the username to login to the mail server

Email Address

Specifies the email address of the administer where to receive notifications.

Skip Certificate Validation

Check this box to skip the certificate validation

SMTP Settings

SMTP Host

Configures the SMTP Email Server IP or Domain Name.

SMTP Port

Specifies the Port number used by server to send email.

Receiver Email Address

Specifies the email addresses to receive notifications.

Filed

Description

Enabled

Enable/disable the notification. By default, it’s disabled

Memory Usage

Configures whether to send notification if memory usage is greater than the configured threshold. By default, it’s disabled.

Memory Usage Threshold (%)

Specifies the Memory Usage Threshold (%). Must be integer between 1 and 100.

CPU Usage

Configures whether to send notification if CPU usage is greater than the configured threshold. By default, it’s disabled.

CPU Usage Threshold (%)

Specifies the CPU Usage Threshold (%). Must be integer between 1 and 100.

WAN1 Usage

Configures whether to send notification if WAN1 usage is greater than the configured threshold. By default, it’s disabled.

WAN1 Usage Threshold (%)

Specifies the WAN1 Usage Threshold (%). Must be integer between 1 and 100.

WAN2 Usage

Configures whether to send notification if WAN2 usage is greater than the configured threshold. By default, it’s disabled.

WAN2 Usage Threshold (%)

Specifies the WAN2 Usage Threshold (%). Must be integer between 1 and 100.

Firmware upgrade

Configures whether to send notification on firmware upgrade. Default is disabled.

Add/Remove LAN

Configures whether to send notification on LAN added or removed. Default is disabled.

SSID

Configures whether to send notification if any SSID is enabled. Default is disabled.

Time Zone Change

Configures whether to send notification on time zone change. Default is disabled.

Administrator Password Change

Configures whether to send notification on admin password change. Default is disabled.

AP Offline

Configures whether to send notification when AP going offline. Default is disabled.

Field

Description

LEDs Always Off

Configure whether to disable the AP LED dictator

Schedule

Please choose a schedule to assign to LEDs, users can configure schedules under the menu Schedule

Share Name

Enter the share name

Path to Share

Choose from the drop menu the path to share.

Access to Share

Choose whether to allow users to Read/Write or Read Only on the shared path.

Comment

Enter a comment for the added shared file.

Share Accessible by LAN

Choose whether to allow All LANs to access the shared path, restrict access by selecting only some groups or None.

System Location

Set the System Location information, for example: SNMP-Server Lobby GWN.

System Contact

Set the System Contact information, for example: Contact Supervisor_GWN via extension is 1000.

System Name

Set the System Name information, for example: Supervisor_GWN.

Read-Only Community for IPv4

Gives the permission for the set community to access and read only to devices in management information base via IPv4 Protocol.

Read-Write Community for IPv4

Gives the permission for the set community to access and read/write to devices in management information base via IPv4 Protocol.

Read-Only Community for IPv6

Gives the permission for the set community to access and read only to devices in management information base via IPv6 Protocol.

Read-Write Community for IPv6

Gives the permission for the set community to access and read/write to devices in management information base via IPv6 Protocol.

Trap Type

Choose the Trap Type from drop-down menu, 4 options are available: None, SNMPv1, SNMPv2c and SNMPv2cInforms.

Monitoring Host

Enter the Monitoring Host’s IP/Domain Name (Network Management System “NMS”)

Monitoring Host Port

Enter the Monitoring Host’s Port (Network Management System “NMS”)

Trap Community

Enter the Trap Community string to authenticate the client against the server.

SNMP Service Listening on

Click on to add an SNMP Service Listening on:

• Set the Transport Type: UDPv4, UDPv6, TCPv4 or TCPv6.
• Choose the IP Address from drop-down menu list.
• Set the Port number on which the GWN7000 will listen on.

SNMPv3 Users

Click on to add an SNMPv3 User:

• Set the Username for authentication.
• Choose the Authentication type, 2 options are available: SHA and MD5.
• Set the Authentication Password from Authentication Passphrase.
• Enter the Password again to confirm from Authentication Passphrase Confirmation.
• Choose the Privacy Protocol, 3 options are available: None, DES and AES.
• Set the Privacy Passphrase.
• Enter the Privacy Passphrase in Privacy Passphrase Confirmation field.

Option

Description

Enabled

Check this option to enable/disable the user account.

PPTP Server

Check this option to enable the user connection to the PPTP server.

Full Name

Enter user full name. When using PPTP it defaults to pptpd.

Username

Enter user Username.

Password

Enter user password.

IPSec Pre-Shared Key

Set user pre-shared key for authentication.

Enabled PPTP Client Subnet

Check this option when using PPTP, and enter the client subnet.

Client Subnet

Configured to which subnet this client belongs to (ex: 192.168.1.0/24).

OpenVPN Subnet

Configures OpenVPN user subnet (ex: 192.168.1.0/24).

Upgrade Via

Choose the firmware upgrade method: TFTP, HTTP or HTTPS.

Firmware Server

Define the server path for the firmware server.

Check/Download New Firmware and Config at Boot

Allows the device to check if there is a firmware from the configured firmware server at boot.

Allow DHCP options 66 and 43 override

Configure whether to allow DHCP options 66 and 43 to override upgrade and provisioning settings.

Automatic Upgrade

Specify the time to check for firmware upgrade (in minutes).

Upgrade Now

Click on button to begin the upgrade. Note that the device will reboot after downloading the firmware.