FAQ

Have you tried it over HTTPS? We have deactivated HTTP connections with firmware version 4.4. Your device should be accessible over HTTPS. You find more on this topic under the following link:
https://icom-os.releasenotes.io/release/gE5su-icom-os-v44

This means that the router's firewall blocks the ICMP packets. Under Netfilter/IP-Filter create a new output firewall rule, select ICMP as protocol, and choose your wished output interface.

New UI

• Under Status/Support Packet/Create support packet

Classic UI

• Under Help/Support/Create new support packet

If you've configured your device using the setup wizard and no firewall rules or other settings are missing, then make sure you entered the proper Access Point Name under Interfaces/LTE.
For some providers, such as Telekom, it is very important to have a proper APN entry, otherwise they will block your Internet connection.

As of Version 7.8 of the icom OS we do not support this mode yet, nor is it planned at the moment to implement this feature.

The blinking gear indicates that the profile opened in the router differs from the profile running in the router. A click on the gear activates the opened profile, i.e. it becomes the running profile. See Profiles for detailed information.

Port 1 of the card in slot 1 (leftmost) is assigned to IP net 1 (configuration network) in default settings (for routers with 5-port switch; for routers with 2-port switch, port ETH1 is assigned to IP net 1). This local network has the static IP address 192.168.1.1. It is intended for accessing the router from a configuration PC. The firewall rules for HTTP (port 80) and HTTPS (port 443) access are also entered for this in default settings.

It is recommended to use IP nets 2-5 and the other ports for the application to still enable local configuration access to the router. If the application’s requirements or other circumstances do not allow this, port 1 can also be configured accordingly like ports 2-5. It should be ensured that router access in case of an emergency is still possible using other means.

The internal clock of the router should always be set correctly to ensure that time-controlled events are processed precisely to the desired time, system messages are dated correctly and certificates are within their validity period. A regular synchronisation with an NTP (Network Time Protocol) server is recommended for this. This can be achieved using the action Synchronise clock via NTP. The action will be triggered by a regular event, like the expiration of a timer or the condition change of an interface.

The startup wizard makes all necessary settings that the time is always synchronised when the respective WAN chain went online.

In order to get a synchronisation at a certain time, the router must be configured as follows:

• Add a timer of the type Fix set time with a daily time (menu Events – page Timer)

• Add an event Timer expired of this timer with the action Synchronise clock via NTP (menu Events – page Events)

Moreover, the following prerequisites must be met:

• An NTP server must be entered (menu Administration – page Time / Date)

• The NTP server must be accessible (via a functional WAN connection or in the local network)

• A default route must be entered (menu Routing – page Static routes)

• An IP filter rule must be entered that permits the NTP requests of the router (Packet direction: OUTPUT, Protocol: UDP, Destination port: 123) via the respective WAN interface (menu Netfilter – page IP filter)

The router allows a very complex configuration to cover almost all application cases custom-made. This can cause a complex troubleshooting – in particular for configurations made by third parties.
A comfortable troubleshooting option is provided by the plausibility check. It mainly serves for detecting obvious configuration gaps. It cannot expose all configuration failures of the function. This applies especially to IP filters and NAT rules.
If connections cannot be established, this may be caused by missing or wrong IP filter rules (firewall). This can be located by deactivating the IP filters temporarily in the Netfilter menu on the IP filter page.

In contrast to a local network (LAN), a WAN connection will not be started immediately. A WAN connection will then be established, if a WAN chain, which contains the respective WAN interface, is started. The status of the existing WAN chain is displayed in the Status menu on the System status page.

The following prerequisites must be met for a functional WAN connection:

• In case of an Ethernet connection, the respective IP net must be activated (menu Interfaces – page IP net [x])

• In case of a cellular connection, the respective modem interface must be configured correctly (menu Interfaces – page Slot [x]: [Modem])

• The WAN interface must be contained in a WAN chain (menu WAN – page WAN chains)

• If the WAN chain contains more than one interface, all must be functional that the WAN chain can be started

• If more than one WAN chain exists, sequential order and WAN chain to be started in case of failure are decisive

It can be useful due to reasons of security to block an IP version (IPv4 or IPv6) for data traffic completely. Proceed as follows for this:

• Activate the IP filters (firewall) of the IP version to be blocked (menu Netfilter – page IP filter)

• Modify all IP filter rules such that they exclude the respective IP version; for example by entering the IP address only in the permitted IP version (menu Netfilter – page IP filter)

In order to dispatch a message via e-mail within an action, it is necessary to configure the e-mail account in the router and add appropriate netfilter rules.

The configuration of the e-mail account takes place in the menu Events on the page E-mail account. Useful instructions for this are available in the inline help of this page that can be displayed with a click on ? Display help text.

If Netfilters are activated, it is neceesary to add the following netfilter rule to enable e-mail dispatch:

• Description: E-mail dispatch (proposal)

• Packet direction: OUTPUT

• Protocol: TCP

• Output interface: used WAN interface, e.g. lte2 or net3

• Source port: (field remains empty)

• Destination IP address: (field remains empty)

• Destination port: The SMTP port set in the menu Events on the page E-mail account

If the SMTP server of the e-mail account is specified in form of a domain name, it is necessary to add the following netfilter rule to enable a DNS resolution.

• Description: DNS queries sent by the router (proposal)

• Packet direction: OUTPUT

• Protocol: UDP

• Output interface: used WAN interface, e.g. lte2 or net3

• Source port: (field remains empty)

• Destination IP address: (field remains empty)

• Destination port: 53

If a container cannot be accessed via its IP address, it is recommended to check the following settings:

• In the Administration menu on the Container page:

  • Is the container present and active?

  • Does the container have a configuration?

  • Does the container require a license for being accessed?

• Editing the configuration of the container in the Administration menu on the Container page ( ):

  • Does the container have a bridge into the correct IP net?

  • Is the container configured for the correct IP address?

  • Does the container require a certain user group for being functional?

• Are the IP filters activated in the Netfilter menu on the IP filter page? If yes, these may be deactivated temporarily for troubleshooting. If the container can then be accessed, an IP filter rule is missing that permits to access the container.

Yes, this is possible.
Just keep in mind that if the other device is lacking a feature, for example DSL or LTE, those settings will be skipped over during the import.

Regarding this topic, we have a written configuration guide:
Establishing an Internet Connection via an LTE Router

and even a YouTube tutorial for you:

This is due to the fact that you are trying to access an entry that does not exist.
Each entry, for example a netfilter rule, has its own index number.
In this case, you are trying to access the 6th element of the list but only 5 elements exist.

• Either try to correct the index of the entry appearing in the square brackets, e.g. [5] -> [6]

• or add the correct number of elements to your ASCII file, e.g. with “netfilter.ip_filter.rule.add”

1. Start WAN connection. This step sets up the Internet connection. If it fails, our router was not able to set up the connection. Make sure the Ethernet cable is connected to the router, or the SIM card is inserted and activated properly.

2. Start secure channel to server. This step connects the router to the icom Connectivity Suite – VPN service. This step can fail if your LAN network’s firewall settings block the ports and IP addresses necessary for the connection. Please, contact your network administrator and make sure you opened all the necessary ports for the connection.

3. Get configuration. If this failed, you might have selected the wrong device type, typed in the wrong device code, or registered the wrong serial number for the device.

4. Apply configuration. This step rarely fails, however icom OS firmware version 5.8 had a bug, in which profile activation was not possible with a device uptime of 24 days. Please contact our support team at support@insys-icom.de if this is not the case and you’re experiencing this issue.

This generally means a DNS error, however a routing conflict can lead to this as well:

• Is the OpenVPN server online and reachable over its domain name? Ask your provider or network administrator.

• Make sure your Insys device’s DNS settings are correct and it is allowed to make DNS requests.

• Have you configured 2 or more interfaces in the same IP range? Even if net2 and net3 are in the same IP range, the OpenVPN connection will not work, and you’ll receive this error message.

Yes, it is possible.

• Create a new destination NAT rule under Netfilter/NAT.

• Select “portforward” as type, your wished protocol, the input interface over which the packets reach the device, and lastly your wished IP address and port number.

• In case your firewall is active, create a new firewall rule under Netfilter/IP filter.

• Select “FORWARD” as packet direction, select your protocol, configure your input and output interfaces, and most importantly set your destination port and IP address with a subnet mask of /32.

We have a highly detailed configuration guide for you regarding this topic.
The guide includes a step-by-step tutorial on how to configure 1-to-1 NAT using our icom OS devices, and even a troubleshooting guide:

IP-Forwarding: 1-to-1 NAT

We do not have a complete list, as the icom OS uses the same commands in CLI that you find in your ASCII profile.
We have however a video tutorial on this topic, and a written documentation in every router under “Help/Documentation/Online Help/Command Line Interface (CLI)“.

After decommissioning a MIRO device, it is necessary to upload the special kernel milestone file onto it.
Please contact our support team at support@insys-icom.de to receive this file.
Don’t forget to tell us your firmware version at the time of decommissioning, as this decides which kernel milestone the team has to send you.

In the the new UI under Administration/Debugging, in the classic UI under Help/Debugging select AT command as tool and type in your PUK and your new PIN number in the following format:
AT+CPIN="PUK","NEW PIN"

So for example:
AT+CPIN="12345678","0000"

This usually means that your device's date set incorrectly. Your certificate is literally not valid yet, as your device is in the past. You can set the correct date and time under Administration/Time.

This behaviour is caused by the TIA Portal of Siemens, who is also responsible for support in this case.
INSYS has no influence over this behaviour.
Try deactivating the option SIMATIC Industrial Ethernet (ISO) for the OpenVPN Virtual Ethernet Adapter under your PC’s network connection settings.

We do not support this mode, nor is it planned at the moment to implement this feature.

Yes, that is possible.
Please contact our colleagues in the Customer Service Center at support@insys-icom.de to do the necessary changes to your account.

You have to manually assign the license to the device by clicking on the gear symbol and selecting an available license.

The device still manually has to be reactivated by clicking on the gear symbol next to it and unchecking the checkbox next to deactivated.

No, it’s not possible. These firmware versions are incompatible with each other.

If your device has a firmware version of 1.x.x the update cannot be carried out!
In the event of large version jumps, incremental updates are first necessary. These updates are available from the INSYS support department:

• If your device has a previous firmware version of at least 2.0.0 but before 2.2.0, an intermediate update step to 2.2.1, and then an intermediate update step to 2.6.2 must be performed before.

• If your device has a previous firmware version of at least 2.2.0 but before 2.6.0, an intermediate update step to 2.6.2 must be performed before.

Some e-mail service providers don’t support TLS versions 1.0 and 1.1 anymore. Please update your device to the lates firmware, in which we implemented TLS versions 1.2 and 1.3.
The latest firmware is found under the following link:
Insys OS Firmware

No, this is not possible. The two operating systems are incompatible with each other.
You have 2 options:

1. You manually configure your icom OS device following the settings in your INSYS OS device.

2. Our Customer Service Center manually converts your INSYS OS profile to an icom OS profile, as an Extended Support service. Please contact our team at +49 941 58692 661, or per e-mail at support@insys-icom.de.

For more information about our Extended Support services visit:
https://www.insys-icom.com/en/support/technical-support/extended-support/

With the INSYS OS, the cellular interface cannot be used while the LAN(ext) port is in "DHCP" or "static" mode. Please either turn the port off, or set it to "bridging" mode.

This is not possible with INSYS OS devices.
Our new icom OS devices, such as the MRX, MRO, ECR, SCR and MIRO are capable of simultaneously running multiple OpenVPN and even IPSec tunnels.
Test our icom OS devices free of charge:
https://www.insys-icom.com/en/products/router-gateways/

You can create a support packet under System/Download/Create new support packet at the bottom of the page.

Under the menu GSM/GPRS, UMTS, or WWAN under Terminal type in your PUK and your new PIN number in the following format:
AT+CPIN="PUK","NEW PIN"

So for example:
AT+CPIN="12345678","0000"

We have not set an arbitrary limit. Theoretically you can register as many data points as you wish.
This does not mean however that you will be able to simultaneously use thousands of data points.
The maximum simultaneously usable data points strongly depends on how often the points are polled, and how large of a data traffic they produce.

Please visit the following link for a written manual:
Installing the icom Data Suite Container
or the following link for a YouTube Tutorial video: