Technical support

Have you tried it over HTTPS? We have deactivated HTTP connection with firmware version 4.4. Your device should be accessible over HTTPS. You find more on this topic under the following link:

https://icom-os.releasenotes.io/release/gE5su-icom-os-v44

This means that the router’s firewall blocks the ICMP packets. Under Netfilter/IP-Filter create a new output firewall rule, select ICMP as protocol, and choose your wished output interface.

If you’ve configured your device using the setup wizard and no firewall rules or other settings are missing, then make sure you entered the proper Access Point Name under Interfaces/LTE.

For some providers, such as Telekom, it is very important to have a proper APN entry, and they will block your connection otherwise.

As of Version 6.12 of the icom OS we do not support this mode yet, nor is it planned at the moment to implement this feature

The blinking gear indicates that the profile opened in the router differs from the profile running in the router. A click on the gear activates the opened profile, i.e. it becomes the running profile. See Profiles for detailed information.

Port 1 of the card in slot 1 (leftmost) is assigned to IP net 1 (configuration network) in default settings (for routers with 5-port switch; for routers with 2-port switch, port ETH1 is assigned to IP net 1). This local network has the static IP address 192.168.1.1. It is intended for accessing the router from a configuration PC. The firewall rules for HTTP (port 80) and HTTPS (port 443) access are also entered for this in default settings.
It is recommended to use IP nets 2-5 and the other ports for the application to still enable local configuration access to the router. If the application’s requirements or other circumstances do not allow this, port 1 can also be configured accordingly like ports 2-5. It should be ensured that router access in case of an emergency is still possible using other means

The internal clock of the router should always be set correctly to ensure that time-controlled events are processed precisely to the desired time, system messages are dated correctly and certificates are within their validity period. A regular synchronisation with an NTP (Network Time Protocol) server is recommended for this. This can be achieved using the action Synchronise clock via NTP. The action will be triggered by a regular event, like the expiration of a timer or the condition change of an interface.

The startup wizard makes all necessary settings that the time is always synchronised when the respective WAN chain went online.

In order to get a synchronisation at a certain time, the router must be configured as follows:

• Add a timer of the type Fix set time with a daily time (menu Events – page Timer)
• Add an event Timer expired of this timer with the action Synchronise clock via NTP (menu Events – page Events)

Moreover, the following prerequisites must be met:

• An NTP server must be entered (menu Administration – page Time / Date)
• The NTP server must be accessible (via a functional WAN connection or in the local network)
• A default route must be entered (menu Routing – page Static routes)
• An IP filter rule must be entered that permits the NTP requests of the router (Packet direction: OUTPUT, Protocol: UDP, Destination port: 123) via the respective WAN interface (menu Netfilter – page IP filter)

The router allows a very complex configuration to cover almost all application cases custom-made. This can cause a complex troubleshooting – in particular for configurations made by third parties.

A comfortable troubleshooting option is provided by the plausibility check. It mainly serves for detecting obvious configuration gaps. It cannot expose all configuration failures of the function. This applies especially to IP filters and NAT rules.

If connections cannot be established, this may be caused by missing or wrong IP filter rules (firewall). This can be located by deactivating the IP filters temporarily in the Netfilter menu on the IP filter page.

In contrast to a local network (LAN), a WAN connection will not be started immediately. A WAN connection will then be established, if a WAN chain, which contains the respective WAN interface, is started. The status of the existing WAN chain is displayed in the Status menu on the System status page.

The following prerequisites must be met for a functional WAN connection:

• In case of an Ethernet connection, the respective IP net must be activated (menu Interfaces – page IP net [x])
• In case of a cellular connection, the respective modem interface must be configured correctly (menu Interfaces – page Slot [x]: [Modem])
• The WAN interface must be contained in a WAN chain (menu WAN – page WAN chains)
• If the WAN chain contains more than one interface, all must be functional that the WAN chain can be started
• If more than one WAN chain exists, sequential order and WAN chain to be started in case of failure are decisive

The following explains how to add another WAN network to an existing configuration and what must be observed when doing so.

• Defining IP network
  Menu Interfaces – page IP net [x]
  Check the checkbox Activate network
  Enter a Description
  Select the Mode WAN (this starts the interface only in a WAN chain)
  There are two options for assigning the IP address:
  • Check the checkbox Start DHCP client (if the WAN network shall retrieve the IP settings from a DHCP server)
    OR
  • Click on + to add a Static IP address (with netmask) for the WAN network

Click on Save settings

• Assigning Ethernet port
  Menu Interfaces – page Slot [x]: Ethernet
  Assign the desired Port to the WAN network by selecting the WAN network there
  Click on Save settings
• Defining WAN chain
  Menu WAN – page WAN chains
  Click on + to add a new WAN chain
  Enter a Description for the new WAN chain
  Click at the new WAN chain on + to add an interface
  Click on the pen symbol to edit the interface
  Select above added WAN network as Interface
  Select the WAN chain to be started in case of failure
  Click on Save settings
• Defining WAN chain order (if more than one WAN chain exists)
  menu WAN – page WAN chains
  If required, move the added WAN chain upwards by clicking ^ on the right
  If required, adjust for existing WAN chains the WAN chain to be started in case of failure
  Click on Save settings
• Defining static routes
  Menu Routing – page Static routes
  Click on + to add a new static route
  Enter a Description for the new static route
  Select above added WAN network as Interface
  There are two options for defining the gateway address:
  • Select for the Gateway the option use dynamically received IP address
    OR
  • Enter a static IP address for the gateway (if the DHCP client has not been started above)

Click on Save settings

• Defining IP filters (firewall rules)
  Menu Netfilter – page IP filter
  Depending on whether a WAN network already exists, two approaches are recommended:
  • Add the new WAN network to all existing rules that already contain a WAN interface
    OR
  • Add new filter rules for the WAN network selectively

Click on Save settings

• Defining NAT rules
  Menu Netfilter – page NAT
  Depending on whether a WAN network already exists, two approaches are recommended:
  • Add the new WAN network to all rules that already contain a WAN chain
    OR
  • Add a new source NAT rule of the type Masquerade for all protocols for the new WAN network

Click on Save settings

It can be useful due to reasons of security to block an IP version (IPv4 or IPv6) for data traffic completely. Proceed as follows for this:

• Activate the IP filters (firewall) of the IP version to be blocked (menu Netfilter – page IP filter)
• Modify all IP filter rules such that they exclude the respective IP version; for example by entering the IP address only in the permitted IP version (menu Netfilter – page IP filter)

In order to dispatch a message via e-mail within an action, it is necessary to configure the e-mail account in the router and add appropriate netfilter rules.

The configuration of the e-mail account takes place in the menu Events on the page E-mail account. Useful instructions for this are available in the inline help of this page that can be displayed with a click on ? Display help text.

If Netfilters are activated, it is neceesary to add the following netfilter rule to enable e-mail dispatch:

• Description: E-mail dispatch (proposal)
• Packet direction: OUTPUT
• Protocol: TCP
• Output interface: used WAN interface, e.g. lte2 or net3
• Source port: (field remains empty)
• Destination IP address: (field remains empty)
• Destination port: The SMTP port set in the menu Events on the page E-mail account

If the SMTP server of the e-mail account is specified in form of a domain name, it is necessary to add the following netfilter rule to enable a DNS resolution.

• Description: DNS queries sent by the router (proposal)
• Packet direction: OUTPUT
• Protocol: UDP
• Output interface: used WAN interface, e.g. lte2 or net3
• Source port: (field remains empty)
• Destination IP address: (field remains empty)
• Destination port: 53

If a container cannot be accessed via its IP address, it is recommended to check the following settings:

• In the Administration menu on the Container page:
  • Is the container present and active?
  • Does the container have a configuration?
  • Does the container require a license for being accessed?
• Editing the configuration of the container in the Administration menu on the Container page ():
  • Does the container have a bridge into the correct IP net?
  • Is the container configured for the correct IP address?
  • Does the container require a certain user group for being functional?
• Are the IP filters activated in the Netfilter menu on the IP filter page? If yes, these may be deactivated temporarily for troubleshooting. If the container can then be accessed, an IP filter rule is missing that permits to access the container.

Yes, this is possible.
Just keep in mind that if the other device is lacking a feature, for example DSL or LTE, those settings will be skipped over during the import.

Regarding this topic, we have a written configuration guide:
https://docs.insys-icom.de/pages/en_m3_internet_via_lte_v2.html
and even a YouTube tutorial for you:
https://youtu.be/Rg2A27Yxnlg

This is due to the fact that you are trying to access an entry that does not exist.
Each entry, for example a netfilter rule, has its own index number.
In this case, you are trying to access the 6th element of the list but only 5 elements exist.

1. Either try to correct the index of the entry appearing in the square brackets, e.g. [5] -> [6]
2. or add the correct number of elements to your ASCII file, e.g. with “netfilter.ip_filter.rule.add”

1, Start WAN connection. This step sets up the Internet connection. If it fails, our router was not able to set up the connection. Make sure the Ethernet cable is connected to the router, or the SIM card is inserted and activated properly.
2, Start secure channel to server. This step connects the router to the icom Connectivity Suite – VPN service. This step can fail if your LAN network’s firewall settings block the ports and IP addresses necessary for the connection. Please, contact your network administrator and make sure you opened all the necessary ports for the connection.
3, Get configuration. If this failed, you might have selected the wrong device type, typed in the wrong device code, or registered the wrong serial number for the device.
4, Apply configuration. This step rarely fails, however icom OS firmware version 5.8 had a bug, in which profile activation was not possible with a device uptime of 24 days. Please contact our support team at support@insys-icom.de if this is not the case and you’re experiencing this issue.

This generally means a DNS error, however a routing conflict can lead to this as well:

– Is the OpenVPN server online and reachable over its domain name? Ask your provider or network administrator.

– Make sure your Insys device’s DNS settings are correct and it is allowed to make DNS requests.

– Have you configured 2 or more interfaces in the same IP range? Even if net2 and net3 are in the same IP range, the OpenVPN connection will not work, and you’ll receive this error message.

Yes, it is possible.

• Create a new destination NAT rule under Netfilter/NAT.
• Select “portforward” as type, your wished protocol, the input interface over which the packets reach the device, and lastly your wished IP address and port number.
• In case your firewall is active, create a new firewall rule under Netfilter/IP filter.
• Select “FORWARD” as packet direction, select your protocol, configure your input and output interfaces, and most importantly set your destination port and IP address with a subnet mask of /32.

We have a highly detailed configuration guide for you regarding this topic.
The guide includes a step-by-step tutorial on how to configure 1-to-1 NAT using our icom OS devices, and even a troubleshooting guide:
https://docs.insys-icom.de/pages/en_m3_ip_forwarding.html

We do not have a complete list, as the icom OS uses the same commands in CLI that you find in your ASCII profile.

We have however a video tutorial on this topic:

https://youtu.be/KIpkj6e8dJg

and a written documentation in every router under “Help/Documentation/Online Help/Command Line Interface (CLI)“.

If your device has a firmware version of 1.x.x the update cannot be carried out!
In the event of large version jumps, incremental updates are first necessary. These updates are available from the INSYS support department:

• If your device has a previous firmware version of at least 2.0.0 but before 2.2.0, an intermediate update step to 2.2.1, and then an intermediate update step to 2.6.2 must be performed before.
• If your device has a previous firmware version of at least 2.2.0 but before 2.6.0, an intermediate update step to 2.6.2 must be performed before.

No, it’s not possible. These firmware versions are incompatible with each other.

Some e-mail service providers don’t support TLS versions 1.0 and 1.1 anymore. Please update your device to the lates firmware, in which we implemented TLS versions 1.2 and 1.3.

The latest firmware is found under the following link:

https://www.insys-icom.com/en/support/documentation-and-downloads/

No, this is not possible. The two operating systems are incompatible with each other.
You have 2 options:

1. You manually configure your icom OS device following the settings in your INSYS OS device.
2. Our Customer Service Center manually converts your INSYS OS profile to an icom OS profile, as an Extended Support service. Please contact our team at +49 941 58692 661, or per e-mail at support@insys-icom.de.

For more information about our Extended Support services visit:

https://www.insys-icom.com/en/support/technical-support/extended-support/

This is not possible with Insys OS devices.

Our new icom OS devices, such as the MIRO, SCR, ECR, MRO and MRX are capable of simultaneously running multiple OpenVPN and even IPSec tunnels.

Test our icom OS devices free of charge:

https://www.insys-icom.com/en/products/router-gateways/

We have not set an arbitrary limit.Theoretically you can register as many data points as you wish.
This does not mean however that you will be able to simultaneously use thousands of data points.
The maximum simultaneously usable data points strongly depends on how often the points are polled, and how large of a data traffic they produce.

Please visit the following link for a written manual:

https://docs.insys-icom.de/pages/en_m3_install_ids_container.html

or the following link for a YouTube Tutorial video:

https://youtu.be/hb93t4oQabM

We have not set an arbitrary limit.Theoretically you can register as many data points as you wish.
This does not mean however that you will be able to simultaneously use thousands of data points.
The maximum simultaneously usable data points strongly depends on how often the points are polled, and how large of a data traffic they produce.

This usually means that your device’s date set incorrectly. Your certificate is literally not valid yet, as your device is in the past. You can set the correct date and time over Administration/Time.

This behaviour is caused by the TIA Portal of Siemens, who is also responsible for support in this case.

INSYS has little to no influence here.

Try deactivating the option SIMATIC Industrial Ethernet (ISO) for the OpenVPN Virtual Ethernet Adapter under your PC’s network connection settings.

We do not support this mode, nor is it planned at the moment to implement this feature.

Yes, that is possible.

Please contact our colleagues in the Customer Service Center at support@insys-icom.de to do the necessary changes to your account.

You have to manually assign the license to the device by clicking on the gear symbol and selecting an available license.