Firmware version 2.11.2 (05.2026)

IP address: http://192.168.1.10
User name: admin
Password: password



|| DeviceType | Wireless access point |
|| DeviceName | WOP-3L-EX  |
|| DocTitleMain |  |
|| DocTitleAdditional | User manual |
|| fwversion | 2.11.2 |
|| issueDate | 05.2026 |
|| ipaddr | 192.168.1.10 |
|| username | admin |
|| password | password |



Introduction

Annotation

Modern tendencies of telecommunication development necessitate operators to search for the most optimal technologies, allowing one to meet rapidly growing needs of subscribers, while maintaining at the same time consistency of business processes, development flexibility and reducing the costs of various services. Wireless technologies are spinning up more and more, and have paced a huge way for short time from unstable low-speed communication networks of low radius to broadband access networks equitable to speed of wired networks with high criteria to the quality of provided services.

The primary purpose of the WOP-3L-EX explosion-proof access point is to provide reliable wireless communication where it is critically needed: in the oil and gas, chemical, mining, and energy industries.

This manual specifies intended purpose, main technical specifications, design, design, safe operation rules, and installation and configuration recommendations for the device. 

Symbols

Notes and warnings

Notes contain important information, tips or recommendations on device operation and setup.


Warnings are used to inform the user about harmful situations for the device and the user alike, which could cause malfunction or data loss.


Device description

Purpose

WOP-3L-EX is a next-generation industrial Wi-Fi 6 (IEEE 802.11ax) access point that provides a high-speed and secure wireless network. An explosion-proof access point is ideal for installation at manufacturing facilities in the chemical, oil refining, gas, and other industries in areas with a potentially explosive atmosphere. The explosion protection marking 1Ex db IIC T5 Gb allows the device to be used in hazardous areas of indoor and outdoor installations.

With support for IEEE 802.11n/ax standards, the WOP-3L-EX access point provides data transfer rates of 300 Mbps (2.4 GHz) and 1201 Mbps (5 GHz).

Using MU-MIMO technology and omnidirectional protected antennas, WOP-3L-EX is a versatile solution for corporate networks in hazardous environments.

Device specification

Interfaces:

The device is powered via 24 V PoE injector from 220 V.

Using a PoE injector with a voltage different from 24 V will damage the device. 

Functions:

WLAN capabilities:

Network features:

QoS functions:

Security:

Figure 1 shows use case of WOP-3L-EX.


Figure 1 — Use case of WOP-3L-EX

Technical parameters

Table 1 — Main specification

Ethernet interface parameters
Number of ports1
Electrical connectorRJ-45
Data rate10/100/1000 Mbps, auto-negotiation
StandardsBASE-T
Wireless interface parameters
Standards802.11a/b/g/n/ac/ax
Frequency range2400–2483.5 MHz; 5150–5350 MHz, 5470–5850 MHz
ModulationBPSK, QPSK, 16QAM, 64QAM, 256QAM, 1024QAM
Operating channels1

802.11b/g/n: 1–13 (2401–2483 MHz) 

802.11a/n/ac/ax:

  • 36–64 (5170–5330 MHz) 
  • 100–144 (5490–5730 MHz)
  • 149–165 (5735–5835 MHz)
Data rate2

2.4 GHz, 802.11n: 300 Mbps
5 GHz, 802.11ax: 1201 Mbps

Maximum number of concurrent connections 

2.4 GHz: 64
5 GHz: 64
Maximum output power of the transmitter12.4 GHz: 20 dBm
5 GHz: 20 dBm
Built-in antenna gain2.4 GHz: ~4 dBi
5 GHz: ~6 dBi
Receiver sensitivity2.4 GHz: up to -94 dBm
5 GHz: up to -94 dBm 
Security

centralized authorization via RADIUS server (802.1X WPA/WPA2/WPA3 Enterprise)
WPA/WPA2/WPA3/OWE encryption
Captive Portal
authorization via RADIUS server when logging

MIMO 2×2 for 2.4 GHz; MU-MIMO 2×2 for 5 GHz
OFDMA for 5 GHz

Management 
Remote managementweb interface, Telnet, SSH, CLI, SNMP, NETCONF
Access restrictionby password, authentication via RADIUS server
General parameters
Flash128 MB SPI-NAND Flash
RAM128 MB DDR2 RAM 
Power supplyPassive PoE 24 V
Power consumptionno more than 8.5 W
Operating temperature rangefrom -45 to +60 °C
Relative humidity at 25 °Cup to 80 %
Explosion-proof marking1Ex db IIC Т5 Gb
Ingress protectionIP66
Dimensions (W × H × D)235 × 503 × 164 mm
Weight10.2 kg
Service lifeno less than 15 years

1 The number of channels and the value of the maximum output power will vary according to the rules of radio frequency regulation in your country.

2 The maximum wireless data rate is defined according to IEEE 802.11 standards. The real bandwidth can be different. Conditions of the network, environment, the amount of traffic, building materials and constructions and network service data can decrease the real bandwidth. The environment can influence the network coverage range.


Radiation patterns

The figures below show the radiation patterns of the device.

Measurement position 

AZIMUT (XY)

ELEVATION (YZ)

2.4 GHz band

5 GHz band

Design 

The WOP-3L-EX device is made in an explosion-proof enclosure with 1Ex db IIC T5 Gb explosion protection marking.

Main panel 

 The layout of WOP-3L-EX main panel is shown in Figure 2.


 
Figure 2 — WOP-3L-EX main panel layout

The WOP-3L-EX main panel feature the following ports and components (Table 2).

Table 2 — Description of ports

Panel element Description
1Explosion-proof antennas for 2.4 and 5 GHz bands
2Cover 
3Cover securing screw
4Cable gland for Passive PoE power 
5Grounding terminal

Restore the default configuration

To reset the default configuration, press and hold the "RST" button on the PoE injector included in the supply package (for about 10-15 seconds). The device will automatically reboot.

DHCP client will be launched by default. If the address is not obtained via DHCP, the device will have the factory IP address — 192.168.1.10, and the following netmask — 255.255.255.0, and username/password for access via the web interface: admin/password.

Supply package

The supply package includes:

Rules and recommendations for the device installation

This section defines safety rules, installation recommendations, setup procedure and the device starting procedure.

Safety rules

  1. The device should be operated by engineering and technical personnel who have undergone special training in accordance with national laws and relevant standards.
  2. The voltage, current and frequency requirements specified in this manual should be observed.
  3. It is prohibited to change the device technical specifications. 
  4. It is prohibited to change the device components without the consent of the manufacturer.
  5. It is prohibited to carry out mechanical modifications with the enclosure (for example, drilling) or make any changes to the device design.
  6. The device can only be used if it is free of damage: cracks, chips on the body, defects in the paintwork, signs of corrosion, etc.
  7. The explosion protection marking of the device should comply with the parameters of the hazardous area.
  8. Do not install this device during a thunderstorm. There may be a risk of lightning strike.
  9. When mounting the device on high-rise structures, comply with established standards and requirements for working at height.
  10. Do not install the device near heat sources or in rooms with temperatures below -45°C or above 60°C.
  11. It is prohibited to insert the cable into the device enclosure without a cable gland.
  12. It is prohibited to connect several grounded nodes in series to the grounding conductor.
  13. Only suitable auxiliary equipment should be connected to the device.
  14. Before connecting measuring instruments and a computer to the device, they should first be grounded. The potential difference between the housings of equipment and measuring instruments should not exceed 1 V.
  15. It is prohibited to operate devices in hazardous areas with open covers and unsealed ports for cable gland and/or control elements.
  16. It is prohibited to operate the device in a hazardous areas without a complete set of fasteners for the enclosure cover.
  17. The connecting fittings installed on the thread lock cannot be dismantled.
  18. Before turning on the device, make sure the cables are intact and securely attached to the connectors.
  19. It is prohibited to troubleshoot when the power supply is on. 

Installation recommendations

  1. The recommended installation position: wall/floor. 
  2. Before installing the device and turning it on, check the device for visible mechanical defects. If defects are observed, stop the device installation, fill in the corresponding act and contact the supplier.
  3. If the device has been exposed to low temperatures for an extended period, allow it to stay at room temperature for two hours before turning it on. If the device has been exposed to high humidity for an extended period, allow it to stay at normal temperatures for at least 12 hours before turning it on.
  4. After transportation, it is necessary to ensure the reliability of the contact connections; if necessary, reapply the appropriate tightening torque to the clamps.
  5. After performing works inside the device enclosure that has silicone grease on the flanges, before closing the cover, it is necessary to apply a new layer of silicone grease to the explosion-proof contact surfaces of the cover and enclosure.
  6. When placing the device, in order to provide the best Wi-Fi coverage consider the following rules:
  7. When installing several access points, cell action radius must overlap with action radius of a neighboring cell at the level from -65 to -70 dBm. It is allowed to reduce the signal level to -75 dBm at cell boundaries, if it is not intended to use VoIP, video streaming and other sensitive to losses traffic in wireless network. 

Calculating the number of required access points

When choosing the number of access points needed to cover a room, it is important to estimate the required coverage area. A more accurate estimate requires a radio frequency survey of the room. The approximate coverage radius of the WOP-3L-EX access point when mounted on the ceiling in typical office spaces is: 2.4 GHz — 40–50 m, 5 GHz — 20–30 m. In a completely clear environment, the coverage radius is: 2.4 GHz — up to 100 m, 5 GHz — up to 60 m.
Table 5 shows approximate attenuation values.

Table 5 — Attenuation values

MaterialChange of signal level, dB
2.4 GHz5 GHz
Organic glass-0.3-0.9
Brick-4.5-14.6
Glass-0.5-1.7
Drywall-0.5-0.8
Particle board-1.6-1.9
Plywood-1.9-1.8
Plaster with wire cloth-14.8-13.2
Breeze block-7-11

Metal lattice (mesh 13 × 6 mm, metal 2 mm)

-21-13

Channel selection for neighboring access points

It is recommended to set non-overlapping channels to avoid interchannel interference among neighboring access points.



Figure 3 — General diagram of frequency channel overlap in the range of 2.4 GHz

Example of channel allocation scheme among neighboring access points in frequency range of 2.4 GHz when channel width is 20 MHz, see Figure 4.



Figure 4 — Scheme of channel allocation among neighboring access points in the frequency range of 2.4 GHz when channel width is 20 MHz

Similarly, the procedure of channel allocation is recommended to save for access point allocation between floors, see Figure 5.



Figure 5 — Scheme of channel allocation between neighboring access points that are located between floors

With a channel width of 40 MHz there are no non-overlapping channels in the 2.4 GHz band. In such cases, you should select channels maximally separated from each other.


Figure 6 — Channels used in the 5 GHz band when channel width is 20, 40 or 80 MHz

Installation

The device can be installed on a flat surface (wall, floor) subject to the safety instructions and recommendations given above.

When installing on a vertical surface, the weight of the device (10.2 kg) should be taken into account. 

The device should be mounted on 2 or 4 external mounting points. 

The device should fit evenly and tightly to the surface exclusively at the mounting points and should be secured without deforming any parts of the enclosure.

When placing the device on a wall/floor, secure it using anchor bolts or self-tapping screws, dowels, or screws with a diameter of up to 12 mm.

When placing the device on the mounting plate, secure it using an M12 bolt connection. 


Figure 7 — Connection dimensions

Figure 8 — Fastening the device using a bolted connection

After installing the device, connect the grounding terminal to the external ground bolt of the device located on the enclosure. 

Figure 9 — Grounding the device

Device connection

If the device was previously powered on, you must disconnect the power before proceeding.

Network cable connection

1. Unscrew the nut from the cable gland and remove the sealing sleeve.

Figure 10 — Disassembled cable gland

2. Pass the Ethernet cable through the opening of the cable gland nut and the rubber sleeve. 

Figure 11 — Installing the cable gland nut and rubber sleeve on the cable 

3. Loosen the cover securing screw using a 2.5 mm Allen key. Then open the device cover by turning it counterclockwise. 

Figure 12 — Device cover  

4. Pull the cable through the cable gland as shown in Figure 13. 

Figure 13 — Pulling the cable through the cable gland

5. Crimp the RJ-45 connector onto the cable.

Figure 14 — Cable with RJ-45 connector

6. Connect the cable to the Ethernet port of the device. 

Figure 15 — Connecting an Ethernet cable

7. Insert the rubber sleeve into the cable gland.

Figure 16 — Installing a rubber sleeve 

8. Screw the nut onto the cable gland and tighten with a spanner/open-end wrench.

Figure 17 — Installing a cable gland nut

Incorrect installation of the cable gland may compromise the device sealing. The nut must be tightened with a 27 mm spanner/open-end wrench, otherwise the IP66 rating will not be maintained.

9. Close the device cover by turning it clockwise. Then tighten the cover securing screw using a 2.5 mm Allen key. 

Figure 18 — Device cover 

To prevent device damage, it is recommended to use lightning protection. 

Device power 

 1. Connect the Ethernet cable from WOP-3L-EX to the injector PoE port.

2. Connect the Ethernet cable of your network to the LAN port of the PoE injector.  

3. Connect the PoE injector to a 220V outlet using the power cord. After powering on, WOP-3L-EX will boot up within a minute.  

4. Connect the WOP-3L-EX web configurator using a browser, following the instructions from Device management via the web interface

Device management via web interface

Getting started

To get started, connect to the device via WAN interface using a web browser:

1. Open a web browser, for example, Firefox, Opera, Chrome.

2. Enter the device IP address in the browser address bar.

Factory IP address: 192.168.1.10, subnet mask: 255.255.255.0. By default, the device is capable to obtain an IP address via DHCP.


When the device is successfully detected, username and password request page will be shown in the browser window.

3. Enter username into "Login" and password into "Password" field.

Factory settings: login — admin, password — password

4. Click "Log in". The device status monitoring menu will open in a browser window. 

5. If necessary, select the information display language. 

Applying configuration and discarding changes

  1. Applying configuration

Clicking the button starts the process of saving the configuration to the device flash memory and applying new settings. All settings are applied without device rebooting.

The web interface has a visual indication of the current status of the setting application process (Table 6).

Table 6 — Visual indication of the current status of the setting application process

ImageStatus description

Clicking "Apply" button starts the process of saving the configuration to the device flash memory and applying new settings. This is indicated by the  icon in the tab name and on the "Apply" button.

The  icon in the tab name and on the "Apply" button indicates about successful saving and application of the settings. 

2. Discarding changes 

The changes can be discarded only before clicking the "Apply" button. If you click the "Apply" button, all changed parameters will be applied and saved to the device memory. After clicking the "Apply" button, return to the previous settings will not be possible.

The button for discarding changes appears as follows: .

Main elements of the web interface

The figure below shows the navigation elements of the web interface. 

User interface window is divided into five general areas:

  1. Menu tabs categorize the submenu tabs: Monitoring, Radio, VAP, Network settings, External Services, System.
  2. Interface language selection and "Logout" button designed to terminate a session in the web interface under a given user.
  3. Submenu tabs allows managing the settings field.
  4. Device settings field displays data and configuration.
  5. Information field displays the current firmware version. 

"Monitoring" menu

The "Monitoring" menu displays the current system status.

"Wi-Fi Clients" submenu

The "Wi-Fi Clients" submenu displays information about the status of connected Wi-Fi clients.

Information on connected clients is not displayed in real time. In order to update the information on the page, click the "Refresh" button.

To display more detailed information on a particular client, select it from the list. A detailed description includes the following options:

"Traffic Statistics" submenu

The "Traffic Statistics" submenu displays the graphs of the transmitted/received traffic rate for the last 3 minutes, as well as statistics on the amount of transmitted/received traffic since the access point was turned on.

The LAN Tx/Rx graph shows the rate of the transmitted/received traffic via Ethernet interface of the access point for the last 3 minutes. The graph is automatically updated every 6 seconds.

The WLAN0 and WLAN1 Tx/Rx graphs show the rate of transmitted/received traffic via Radio 2.4 GHz and Radio 5 GHz interfaces for the last 3 minutes. The graph is automatically updated every 6 seconds.

"Transmit" table description:

"Receive" table description:

"Scan Environment" submenu

The "Scan Environment" submenu performs scanning of the surrounding radio environment and detects neighboring access points.

 

To start the scanning process, click the "Scan" button. After the scan is completed, a list of detected access points and information about them will appear:

While scanning the environment, the device radio interface will be temporarily disabled, preventing data transmission to Wi-Fi clients.

"Events" submenu

This section displays a list of real-time informational messages containing the following data:

Table 7 — Description of event importance categories:

LevelMessage importance levelDescription
0
Emergency
A critical error has occurred in the system, the system may not work properly.
1
Alert
Immediate intervention in the system is required.
2
Critical
A critical error has occurred in the system.
3
Error
An error has occurred in the system.
4
Warning
Warning, non-emergency message.
5
Notice
System notice, non-emergency message.
6
Informational
Informational system messages.
7
Debug
Debugging messages provide the user with information to correctly configure the system.

To receive new messages in the event log, click the "Refresh" button.

If necessary, all old messages can be deleted from the log by clicking the "Clear" button.

"Network Information" submenu

The "Network Information" submenu displays main network settings of the device.

WAN Status:

Ethernet:

ARP:
The ARP table contains mapping information between the IP and MAC addresses of neighboring network devices:

Routes:

The flags can have the following values:

"Radio Information" submenu

The "Radio Information" submenu displays the current status of the WOP-3L-EX radio interfaces.

The access point radio interfaces can be in two states: "On" and "Off". The status of each radio interface is shown in the "Status" field.

The Radio status depends on whether the radio interface has virtual access points (VAPs) enabled. In case there is at least one active VAP on the radio interface, the Radio status will be "On", otherwise — "Off".

Depending on the Radio status, the following information is available for monitoring:

"Off":

"On":

"Device Information" submenu

The "Device Information" submenu displays main WOP-3L-EX parameters.

"Radio" menu

The "Radio" menu is used to configure the device’s radio interfaces.

"Radio 2.4 GHz" submenu 

The "Radio 2.4 GHz" submenu is used to configure the main parameters of the device’s radio interface operating in the 2.4 GHz band.

If an unavailable channel is specified in the "Use Limit Channels" list, it will be highlighted in grey. To apply the new configuration to the access point, only available channels (highlighted in blue) must be selected in the "Use Limit Channels" list.

Example. No configuration has been applied to the access point yet. By default, the "Channel Bandwidth" for the Radio 2.4 GHz interface is set to 20 MHz, and the "Use Limit Channels" list contains the following channels: 1, 6, and 11. 
Suppose the "Channel Bandwidth" is changed to 40 MHz When this parameter is changed from 20 MHz to 40 MHz, the following occurs:

  • the "Primary Channel" option becomes available for editing, with the default value set to "Lower".
  • channel 11 in the "Use Limit Channels" list changes its color from blue to grey.

If you change the Channel Width to 40 MHz but do not remove the grey (unavailable) channels from the list, clicking the "Apply" button will result in an error message in the browser: "There are errors in data. Changes were not applied". As a result, the configuration will not be applied to the access point. This happens because the gray-highlighted channels in the "Use Limit Channels" list are not valid based on the current "Primary Channel" setting, which is "Lower" in this case.

The "Advanced" section provides configuration options for additional radio interface parameters.

The following functions are available for Quality of Service configuration:

To apply a new configuration and save settings to non-volatile memory, click the "Apply" button. Click the "Cancel" button to discard the changes.

"Radio 5 GHz" submenu

The "Radio 5 GHz" submenu is used to configure the main parameters of the device’s radio interface operating in the 5 GHz band.

If an unavailable channel is specified in the "Use Limit Channels" list, it will be highlighted in grey. To apply the new configuration to the access point, only available channels (highlighted in blue) must be selected in the "Use Limit Channels" list.

Example. No configuration has been applied to the access point yet. By default, the "Channel Bandwidth" for the Radio 5 GHz interface is set to 20 MHz, and the "Use Limit Channels" list contains the following channels: 36, 40, 44, 48. 
Suppose the "Channel Bandwidth" is changed to 40 MHz When this parameter is changed from 20 MHz to 40 MHz, the following occurs:

  • the "Primary Channel" option becomes available for editing, with the default value set to "Upper".
  • channels 36 and 44 in the "Use Limit Channels" list change color from blue to grey.

If you change the Channel Width to 40 MHz but do not remove the grey (unavailable) channels from the list, clicking the "Apply" button will result in an error message in the browser: "There are errors in data. Changes were not applied". As a result, the configuration will not be applied to the access point. This happens because the gray-highlighted channels in the "Use Limit Channels" list are not valid based on the current "Primary Channel" setting, which is "Upper" in this case.

The "Advanced" section provides configuration options for additional radio interface parameters.

The following functions are available for Quality of Service configuration:

To apply a new configuration and save settings to non-volatile memory, click the "Apply" button. Click the "Cancel" button to discard the changes. 

"Advanced" submenu

The "Advanced" submenu is used to configure advanced radio interface parameters of the device.

Local country regulations settings, including operation within legal frequency channels and output power, is the installer's responsibility.

Selecting the wrong region may result in compatibility issues with different client devices.

To apply a new configuration and save settings to non-volatile memory, click the "Apply" button. Click the "Cancel" button to discard the changes. 

"VAP" menu

The "VAP" menu is used to configure virtual Wi-Fi access points (VAPs).

"Summary" submenu

The "Summary" submenu displays the settings of all VAPs on Radio 2.4 GHz and Radio 5 GHz radio interfaces. The settings for each virtual access point can be viewed in the VAP0–VAP3 sections.

To apply a new configuration and save settings to non-volatile memory, click the "Apply" button. Click the "Cancel" button to discard the changes.

"VAP" submenu

Common settings:

 1"OWE transition mode" provides backward compatibility with Wi-Fi clients that do not support OWE authentication. When attempting to connect to an open network where "OWE transition mode" is configured, a client that supports OWE will connect to the encrypted network configured on the specified interface, and a client that does not support OWE will connect to the current open network without encryption.

RADIUS:

Captive Portal:

When selecting one of the following security modes: Off, WPA, WPA2, WPA/WPA2, WPA3, WPA2/WPA3, a portal authorization setting is available on the VAP. 

Shapers:

MAC ACL:

This subsection is used to configure the lists of MAC addresses of clients that are allowed or denied to this VAP, depending on the selected access policy. 

To add an address to the list, click the  button and enter the MAC address in the appeared field. To remove an address from the list, click the button in the corresponding line.

If there is a need to add the client that is currently connected to the base station to the list the MAC addresses, click the button at the end of the line and select the desired address from the list, it will automatically be added to the field.

By default, the list displays up to 10 addresses. To see the full list in case it contains more than 10 addresses, click the "Show all" button.

To apply a new configuration and save settings to non-volatile memory, click the "Apply" button. Click the "Cancel" button to discard the changes.

"Network Settings" menu

"System Configuration" submenu

To apply a new configuration and save settings to non-volatile memory, click the "Apply" button. Click the "Cancel" button to discard the changes.

"Access" submenu

The "Access" submenu is used to configure access to the device via the Web interface, Telnet, SSH, NETCONF, and SNMP.

Ports for the HTTP and HTTPS protocols should not have the same value.

The WOP-3L-EX  software allows changing the device configuration, monitoring the status of the base station and its sensors, as well as managing the device using the SNMP protocol.

To change the SNMP settings, check the box next to "SNMP", the following SNMP agent options become available:

The list of objects which are supported for reading and configuring via SNMP is given below:

eltexLtd — 1.3.6.1.4.1.35265 — Eltex Enterprise ID.

To apply a new configuration and save settings to non-volatile memory, click the "Apply" button. Click the "Cancel" button to discard the changes.

"External Services" menu

"Captive Portal" submenu

The "Captive Portal" submenu is used to enable and configure the APB service at the access point.

The APB service is used to provide portal roaming of clients between access points connected to the service.

To apply a new configuration and save settings to non-volatile memory, click the "Apply" button. Click the "Cancel" button to discard the changes. 

"Airtune" submenu

The "AirTune" submenu is used to enable and configure the AirTune service on the access point.

The AirTune service is used for Radio Resource Management and automatic configuration of seamless 802.11 k/r roaming.

To apply a new configuration and save settings to non-volatile memory, click the "Apply" button. Click the "Cancel" button to discard the changes. 

"System" menu

The "System" menu provides access to system settings, time configuration, device access via different protocols, password change, and firmware update.

"Device Firmware Upgrade" submenu

The "Device Firmware Upgrade" submenu is used to upgrade the device firmware.

Firmware upgrade

Download the firmware file from https://eltex-co.com/download/. To do this, select WOP-3L-EX from the list of devices and save the file on your computer. After that, click the "Choose File" button in the Firmware Image field and specify the path to the firmware file in .tar.gz format.
To start the update process, click the "Start Upgrading" button. The process may take several minutes (its current status will be shown on the page). The device will be automatically rebooted when the upgrade is completed.

Do not switch off or reboot the device during a firmware upgrade.

"Configuration" submenu

The "Configuration" submenu is used to save and update the current configuration.

Backup Configuration

To save current device configuration to local computer click the "Download" button.

Restore Configuration

To upload the configuration file saved on the local computer, use the Restore Configuration item. To update the device configuration click the "Choose File" button, specify a file (in .tar.gz format) and click the "Upload File" button. Uploaded configuration will be applied automatically and does not require device reboot. 

Reset to Default Configuration

To reset all the settings to default values, click the "Reset" button. If the "Save access setting" is checked, the configuration settings related to the device access (IP address settings, Telnet/SSH/SNMP/Netconf/Web access settings) will be saved.

"Reboot" submenu

To reboot the device, click the "Reboot" button. The device reboot process takes about 1 minute. 

"Authentication" submenu

When logging in via web interface, administrator (default password: password) has the full access to the device: read/write any settings, full device status monitoring. 

Factory account for accessing the device: login: admin, password: password

The "Local Password" section is used to change the factory password for the admin account.  

The "Session Settings" is designed to automatically log the user out of the web interface after a timeout. 

To apply a new configuration and save settings to non-volatile memory, click the "Apply" button. Click the "Cancel" button to discard the changes.  

"Log" submenu

The "Log" submenu is used to configure the output of various kinds of debugging messages of the system in order to detect the causes of problems in the operation of the device. 

To apply a new configuration and save settings to non-volatile memory, click the "Apply" button. Click the "Cancel" button to discard the changes. 

"Date and Time" submenu

The "Date and Time" submenu is used to set the time manually or via the Network Time Protocol (NTP).

Manual

To apply a new configuration and save settings to non-volatile memory, click the "Apply" button. Click the "Cancel" button to discard the changes.

NTP server

To apply a new configuration and save settings to non-volatile memory, click the "Apply" button. Click the "Cancel" button to discard the changes.

"Troubleshooting" submenu

Troubleshooting File

To download the troubleshooting.tar.gz archive from the device to the local computer, click the "Download" button.

Managing the device using the command line

To display the existing settings of a particular configuration section, enter the show-config command.

To get a hint about the possible values of a configuration parameter, press the key combination [Shift + ?] (in the English keyboard layout).

To get a list of options available for editing in this configuration section, press the Tab key.

To save the settings, enter the save command.

To go back to the previous configuration section, enter the exit command.

To go to the root section, enter the end command.

Connection to the device

By default, WOP-3L-EX is configured to receive the address via DHCP. If this does not happen, you can connect to the device using the factory IP address.  

WOP-3L-EX factory IP address: 192.168.1.10, subnet mask: 255.255.255.0.

Connection to the device is performed via SSH/Telnet:

ssh admin@<IP address of the device>, enter the password

telnet<IP address of the device>, enter login and password


Network parameters configuration

WOP-3L-EX(root):/# configure
WOP-3L-EX(config):/# interface
WOP-3L-EX(config):/interface# br0
WOP-3L-EX(config):/interface/br0# common
WOP-3L-EX(config):/interface/br0/common# static-ip X.X.X.X (where X.X.X.X — WOP-3L-EX IP address)
WOP-3L-EX(config):/interface/br0/common# netmask X.X.X.X (where X.X.X.X — subnet mask)
WOP-3L-EX(config):/interface/br0/common# dns-server-1 X.X.X.X (where X.X.X.X — IP address of the DNS server No. 1)
WOP-3L-EX(config):/interface/br0/common# dns-server-2 X.X.X.X (where X.X.X.X — IP address of the DNS server No. 2
WOP-3L-EX(config):/interface/br0/common# protocol static-ip (change operation mode from DHCP to Static-IP)
WOP-3L-EX(config):/interface/br0/common# save (save changes)


Adding a static route

WOP-3L-EX(config):/interface/br0/common# exit
WOP-3L-EX(config):/interface/br0# exit
WOP-3L-EX(config):/interface# exit
WOP-3L-EX(config):/# route
WOP-3L-EX(config):/route# add default (where default — route name)
WOP-3L-EX(config):/route# default
WOP-3L-EX(config):/route/default# destination X.X.X.X (where X.X.X.X — IP address of the network or destination node, for default route — 0.0.0.0)
WOP-3L-EX(config):/route/default# netmask X.X.X.X (where X.X.X.X — destination network mask, for default route — 0.0.0.0) 
WOP-3L-EX(config):/route/default# gateway X.X.X.X (where X.X.X.X — gateway IP address
WOP-3L-EX(config):/route/default# save (save changes)


WOP-3L-EX(root):/# configure
WOP-3L-EX(config):/# interface
WOP-3L-EX(config):/interface# br0
WOP-3L-EX(config):/interface/br0# common
WOP-3L-EX(config):/interface/br0/common# protocol dhcp 
WOP-3L-EX(config):/interface/br0/common# save (save changes)


Starting from firmware version 2.2.0, it is possible to set MTU via DHCP (option 26).

The MTU value obtained via DHCP has higher priority than the configured setting.

The MTU size for a bridge should be no larger than the smallest MTU size on the interfaces within this bridge.

WOP-3L-EX(root):/# configure
WOP-3L-EX(config):/# interface
WOP-3L-EX(config):/interface# br0
WOP-3L-EX(config):/interface/br0# common
WOP-3L-EX(config):/interface/br0/common# mtu Х (where Х — MTU size in bytes. Acceptable values: 1–1500. Default value: 1500) 
WOP-3L-EX(config):/interface/br0/common# save (save changes)

Network parameters configuration via set-management-vlan-mode utility

Obtaining the network parameters via DHCP:

WOP-3L-EX(root):/# set-management-vlan-mode off protocol dhcp

Static settings:

WOP-3L-EX(root):/# set-management-vlan-mode off protocol static-ip ip-addr X.X.X.X netmask Y.Y.Y.Y gateway Z.Z.Z.Z (where X.X.X.X — static IP address, Y.Y.Y.Y — subnet mask, Z.Z.Z.Z — gateway)


Obtaining the network parameters via DHCP:

WOP-3L-EX(root):/# set-management-vlan-mode terminating vlan-id X protocol dhcp (where X — VLAN ID used for access to the device. Acceptable values: 1–4094)

Static settings:

WOP-3L-EX(root):/# set-management-vlan-mode terminating vlan-id X protocol static-ip ip-addr X.X.X.X netmask Y.Y.Y.Y gateway Z.Z.Z.Z (where X — VLAN ID used for access to the device. Acceptable values: 1–4094; X.X.X.X — static IP address; Y.Y.Y.Y — subnet mask; Z.Z.Z.Z — gateway)


Obtaining the network parameters via DHCP:

WOP-3L-EX(root):/# set-management-vlan-mode forwarding vlan-id X protocol dhcp (where X — VLAN ID used for access to the device. Acceptable values: 1–4094)

Static settings:

WOP-3L-EX(root):/#  set-management-vlan-mode forwarding vlan-id X protocol static-ip ip-addr X.X.X.X netmask Y.Y.Y.Y gateway Z.Z.Z.Z (where X — VLAN ID used for access to the device. Acceptable values: 1–4094;  X.X.X.X — static IP address; Y.Y.Y.Y — subnet mask; Z.Z.Z.Z — gateway)


WOP-3L-EX(root):/#  save (save changes)

Remote control configuration 

WOP-3L-EX(root):/# configure
WOP-3L-EX(config):/# ssh
WOP-3L-EX(config):/ssh# enable true (remote control via SSH. To disable, enter false. Default value: true)
WOP-3L-EX(config):/ssh# port X (where Х — SSH server port. Default value: 22)
WOP-3L-EX(config):/ssh# session-limit X (where Х — maximum number of SSH sessions. Default value: 5)
WOP-3L-EX(config):/ssh# save (save changes)

WOP-3L-EX(root):/# configure
WOP-3L-EX(config):/# telnet
WOP-3L-EX(config):/telnet# enable true (remote control via Telnet. To disable, enter false. Default value: false)
WOP-3L-EX(config):/telnet# port X (where Х — port. Default value: 23)
WOP-3L-EX(config):/telnet# session-limit X (where Х — maximum number of Telnet sessions. Default value: 5)
WOP-3L-EX(config):/telnet# save (save changes)

WOP-3L-EX(root):/# configure
WOP-3L-EX(config):/# snmp
WOP-3L-EX(config):/snmp# enable true (SNMP management. To disable, enter false. Default value: true) 
WOP-3L-EX(config):/snmp# rocommunity public (where public — password to read parameters)
WOP-3L-EX(config):/snmp# rwcommunity private (where private — password to write parameters)
WOP-3L-EX(config):/snmp# trapsink Х.Х.Х.Х (where Х.Х.Х.Х — IP address or domain name of the SNMPv1 trap message receiver in the format HOST [COMMUNITY [PORT]]) 
WOP-3L-EX(config):/snmp# trap2sink Х.Х.Х.Х (where Х.Х.Х.Х — IP address or domain name of the SNMPv2 trap message receiver in the format HOST [COMMUNITY [PORT]]) 
WOP-3L-EX(config):/snmp# informsink Х.Х.Х.Х (where Х.Х.Х.Х — IP address or domain name of the Inform message receiver in the format HOST [COMMUNITY [PORT]])
WOP-3L-EX(config):/snmp# sysnameWOP-3L-EX (where WOP-3L-EX — system name of the device. Default value: WOP-3L-EX)
WOP-3L-EX(config):/snmp# syscontact Contact (where Contact — contact information of the device manufacturer. Default value: Contact)
WOP-3L-EX(config):/snmp# syslocation Russia (where Russia — device location information. Default value: Russia)
WOP-3L-EX(config):/snmp# trapcommunity trap (where trap — password contained in traps. Default value: trap)
WOP-3L-EX(config):/snmp# save (save changes)

WOP-3L-EX(root):/# configure
WOP-3L-EX(config):/# snmp
WOP-3L-EX(config):/snmp# enable true (SNMP management. To disable, enter false. Default value: true)
WOP-3L-EX(config):/snmp# view (defines the range of OIDs available to specific user groups)
WOP-3L-EX(config):/snmp/view# add inc-all
WOP-3L-EX(config):/snmp/view# inc-all
WOP-3L-EX(config):/snmp/view/inc-all# rule (defines access rights for different user groups to specific MIB parts)
WOP-3L-EX(config):/snmp/view/inc-all/rule# add 1
WOP-3L-EX(config):/snmp/view/inc-all/rule# 1
WOP-3L-EX(config):/snmp/view/inc-all/rule/1# type included (where included — action type. Acceptable valuesincluded — adding a specified OID, excluded — excluding a specified OID)
WOP-3L-EX(config):/snmp/view/inc-all/rule/1# subtree .1 (where .1 specified OID. If a view with type = included and OID .1 is used as a read-view in a group, then OID .1 and all its children will be readable. If type = excluded, then all OIDs except .1 and its children will be accessible)
WOP-3L-EX(config):/snmp/view/inc-all/rule/1# exit
WOP-3L-EX(config):/snmp/view/inc-all/rule# exit
WOP-3L-EX(config):/snmp/view/inc-all# exit
WOP-3L-EX(config):/snmp/view# exit
WOP-3L-EX(config):/snmp# group (specifies ranges of OIDs for reading and writing, determines the security level)
WOP-3L-EX(config):/snmp/group# add rw (where rw — group name. Used to assign users to the group)
WOP-3L-EX(config):/snmp/group# rw
WOP-3L-EX(config):/snmp/group/rw# read-view inc-all (where inc-all — view for reading parameters. Defines the range of OIDs available for reading)
WOP-3L-EX(config):/snmp/group/rw# write-view inc-all (where inc-all — view for writing parameters. Defines the range of OIDs available for writing)
WOP-3L-EX(config):/snmp/group/rw# security-level priv (where priv — security level. Acceptable values: noauth — no security, auth — authorization of requests by username and password is used, priv — authorization of requests by username and password is used, as well as encryption of the request and response)
WOP-3L-EX(config):/snmp/group/rw# auth-type MD5 (where MD5 — authorization method. Acceptable values
MD5, SHA. It is used, if security-level = auth or priv. If not specified, MD5 is used)
WOP-3L-EX(config):/snmp/group/rw# priv-type DES (where DES — encryption method. Acceptable values
DESAES. It is used, if security-level = priv. If not specified, DES is used)
WOP-3L-EX(config):/snmp/group/rw# exit
WOP-3L-EX(config):/snmp/group# exit
WOP-3L-EX(config):/snmp# user (user account. It is linked to a specific group and contains the name and passwords for authorization and encryption)
WOP-3L-EX(config):/snmp/user# add admin (where admin — user name. Used when authorizing requests, and can also be assigned to target)
WOP-3L-EX(config):/snmp/user# admin
WOP-3L-EX(config):/snmp/user/admin# group rw (where rw — the group to which the user is added)
WOP-3L-EX(config):/snmp/user/admin# auth-password password (where password — password for authorization. If a group has security-level = auth or priv, and auth-password is not specified, then the user will not be available)
WOP-3L-EX(config):/snmp/user/admin# priv-password password (where password — password for encryption. If a group has security-level = priv, and priv-password is not specified, then the user will not be available)
WOP-3L-EX(config):/snmp/user/admin# exit
WOP-3L-EX(config):/snmp/user# exit
WOP-3L-EX(config):/snmp# target (generates traps for specified hosts. This is optional. Analogue of trapsink and trap2sink for SNMPv3)
WOP-3L-EX(config):/snmp/target# add target1
WOP-3L-EX(config):/snmp/target# target1 
WOP-3L-EX(config):/snmp/target/target1# host Х.Х.Х.Х (where Х.Х.Х.Х — IP address of the host to which traps will be sent)
WOP-3L-EX(config):/snmp/target/target1# port X (where Х — port number to which the traps will be sent)
WOP-3L-EX(config):/snmp/target/target1# user admin (where admin — user name used to generate traps. On the remote side, the user should be configured similarly. If an inactive user is specified (they do not have one of the required passwords set), then the target will also be inactive
)
WOP-3L-EX(config):/snmp/target/target1# exit
WOP-3L-EX(config):/snmp/target# exit
WOP-3L-EX(config):/snmp# snmpv3-only true (enable access denial to all OIDs via SNMPv1, SNMPv2. To disable, enter 
false. Default value: false)
WOP-3L-EX(config):/snmp# save (save changes)

Virtual Wi-Fi access points (VAP) configuration

When configuring a VAP, keep in mind that the interface names in the 2.4 GHz band start with wlan0, in the 5 GHz band with wlan1.

Table 8 — Commands for configuring security mode on VAP

Security modeCommand to configure the security mode
No passwordmode off
WPAmode WPA
WPA2mode WPA2
WPA/WPA2mode WPA_WPA2
WPA3mode WPA3
WPA2/WPA3mode WPA2_WPA3
OWEmode OWE
WPA-Enterprisemode WPA_1X
WPA2-Enterprisemode WPA2_1X
WPA/WPA2-Enterprisemode WPA_WPA2_1X
WPA2/WPA3-Enterprisemode WPA2_WPA3_1X
WPA3-Enterprisemode WPA3_1X

Examples of VAP configuration with different security modes for Radio 5 GHz (wlan1) are provided below. 

Configuration of VAP without encryption

WOP-3L-EX(root):/# configure
WOP-3L-EX(config):/# interface
WOP-3L-EX(config):/interface# wlan1-va0
WOP-3L-EX(config):/interface/wlan1-va0# vap
WOP-3L-EX(config):/interface/wlan1-va0/vap# ssid 'SSID_WOP-3L-EX_open' (change SSID name)
WOP-3L-EX(config):/interface/wlan1-va0/vap# ap-security 
WOP-3L-EX(config):/interface/wlan1-va0/vap/ap-security# mode off (encryption mode off — no password
WOP-3L-EX(config):/interface/wlan1-va0/vap/ap-security# exit
WOP-3L-EX(config):/interface/wlan1-va0/vap# radius
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# acct-enable true (enable sending of "Accounting" messages to the RADIUS server. Default value: false)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# acct-address X.X.X.X (where X.X.X.X — IP address of RADIUS server used for accounting)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# acct-password secret (where secret — password for RADIUS server used for accounting)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# acct-periodic true (enable periodic sending of "Accounting" messages to the RADIUS server. Default value: false)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# acct-interval 600 (interval for sending "Accounting" messages to the RADIUS server)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# exit
WOP-3L-EX(config):/interface/wlan1-va0/vap# exit
WOP-3L-EX(config):/interface/wlan1-va0# common
WOP-3L-EX(config):/interface/wlan1-va0/common# enabled true (enable VAP)
WOP-3L-EX(config):/interface/wlan1-va0/common# save (save changes)

Configuration of VAP with OWE encryption

WOP-3L-EX(root):/# configure
WOP-3L-EX(config):/# interface
WOP-3L-EX(config):/interface# wlan1-va0
WOP-3L-EX(config):/interface/wlan1-va0# vap
WOP-3L-EX(config):/interface/wlan1-va0/vap# ssid 'SSID_WOP-3L-EX_owe' (change SSID name)
WOP-3L-EX(config):/interface/wlan1-va0/vap# ap-security 
WOP-3L-EX(config):/interface/wlan1-va0/vap/ap-security# mode OWE (encryption mode OWE — encrypted connection without entering a password. Only Wi-Fi 6 clients will be able to connect in this mode
WOP-3L-EX(config):/interface/wlan1-va0/vap/ap-security# exit
WOP-3L-EX(config):/interface/wlan1-va0/vap# radius
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# acct-enable true (enable sending of "Accounting" messages to the RADIUS server. Default value: false)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# acct-address X.X.X.X (where X.X.X.X — IP address of RADIUS server, used for accounting)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# acct-password secret (where secret — password for RADIUS server used for accounting)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# acct-periodic true (enable periodic sending of "Accounting" messages to the RADIUS server. Default value: false)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# acct-interval 600 (interval for sending "Accounting" messages to the RADIUS server)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# exit
WOP-3L-EX(config):/interface/wlan1-va0/vap# exit
WOP-3L-EX(config):/interface/wlan1-va0# common
WOP-3L-EX(config):/interface/wlan1-va0/common# enabled true (enable VAP)
WOP-3L-EX(config):/interface/wlan1-va0/common# save (save changes)

Configuration of VAP with OWE and OWE Transition Mode

Only Wi-Fi 6 clients can connect to a VAP with OWE security mode. In order for other clients to be able to connect to such a VAP, it is required to configure OWE Transition Mode. In this mode, Wi-Fi 6 clients will be connected in OWE security mode, and all other clients will be connected in open mode.

WOP-3L-EX(root):/# configure
WOP-3L-EX(config):/# interface
WOP-3L-EX(config):/interface# wlan1-va0 (set up a hidden VAP with OWE encryption. Wi-Fi 6 clients will implicitly connect to it)
WOP-3L-EX(config):/interface/wlan1-va0# vap
WOP-3L-EX(config):/interface/wlan1-va0/vap# ssid 'SSID_WOP-3L-EX_owe' (change SSID name)
WOP-3L-EX(config):/interface/wlan1-va0/vap# hidden true (hide VAP) 
WOP-3L-EX(config):/interface/wlan1-va0/vap# ap-security 
WOP-3L-EX(config):/interface/wlan1-va0/vap/ap-security# mode OWE (encryption mode OWE — encrypted connection without entering a password. Only Wi-Fi 6 clients will be able to connect in this mode
WOP-3L-EX(config):/interface/wlan1-va0/vap/ap-security# owe-transition-interface wlan1-va1 (specify an open VAP to which the connection will occur. The Wi-Fi 6 clients will implicitly work with the current VAP with OWE encryption, and other clients will work with the open VAP)
WOP-3L-EX(config):/interface/wlan1-va0/vap/ap-security# exit
WOP-3L-EX(config):/interface/wlan1-va0/vap# exit
WOP-3L-EX(config):/interface/wlan1-va0# common
WOP-3L-EX(config):/interface/wlan1-va0/common# enabled true (enable VAP)
WOP-3L-EX(config):/interface/wlan1-va0/common#exit
WOP-3L-EX(config):/interface/wlan1-va0# exit
WOP-3L-EX(config):/interface# wlan1-va1 (set up VAP without encryption)
WOP-3L-EX(config):/interface/wlan1-va1# vap
WOP-3L-EX(config):/interface/wlan1-va1/vap# ssid 'SSID_WOP-3L-EX_open' (change SSID name)
WOP-3L-EX(config):/interface/wlan1-va1/vap# ap-security (go to the security settings block on the VAP)
WOP-3L-EX(config):/interface/wlan1-va1/vap/ap-security# mode off (encryption mode offno password)
WOP-3L-EX(config):/interface/wlan1-va1/vap/ap-security# owe-transition-interface wlan1-va0 (specify a VAP with OWE encryption mode, to which Wi-Fi 6 clients will be implicitly connected, other clients will be connected to the VAP without encryption)
WOP-3L-EX(config):/interface/wlan1-va1/vap/ap-security# exit
WOP-3L-EX(config):/interface/wlan1-va1/vap# exit
WOP-3L-EX(config):/interface/wlan1-va1# common
WOP-3L-EX(config):/interface/wlan1-va1/common# enabled true (enable VAP)
WOP-3L-EX(config):/interface/wlan1-va1/common# exit
WOP-3L-EX(config):/interface/wlan1-va1# save (save changes)

Configuration of VAP with WPA-Personal security mode

WOP-3L-EX(root):/# configure
WOP-3L-EX(config):/# interface
WOP-3L-EX(config):/interface# wlan1-va0
WOP-3L-EX(config):/interface/wlan1-va0# vap
WOP-3L-EX(config):/interface/wlan1-va0/vap# ssid 'SSID_WOP-3L-EX_Wpa2' (change SSID name)
WOP-3L-EX(config):/interface/wlan1-va0/vap# ap-security
WOP-3L-EX(config):/interface/wlan1-va0/vap/ap-security# mode WPA_WPA2 (encryption mode — WPA/WPA2)
WOP-3L-EX(config):/interface/wlan1-va0/vap/ap-security# key-wpa password123 (key/password required to connect to the virtual access point. The key must be between 8 and 63 characters long)
WOP-3L-EX(config):/interface/wlan1-va0/vap/ap-security# exit
WOP-3L-EX(config):/interface/wlan1-va0/vap# radius
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# acct-enable true (enable sending of "Accounting" messages to the RADIUS server. Default value: false)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# acct-address X.X.X.X (where X.X.X.X — IP address of the RADIUS server used for accounting)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# acct-password secret (where secret — password for the RADIUS server used for accounting)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# acct-periodic true (enable periodic sending of "Accounting" messages to the RADIUS server. Default value: false
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# acct-interval 600 (interval for sending "Accounting" messages to the RADIUS server)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# exit
WOP-3L-EX(config):/interface/wlan1-va0/vap# exit
WOP-3L-EX(config):/interface/wlan1-va0# common
WOP-3L-EX(config):/interface/wlan1-va0/common# enabled true (enable VAP)
WOP-3L-EX(config):/interface/wlan1-va0/common# save (save changes)

Configuration of VAP with Enterprise authorization

WOP-3L-EX(root):/# configure
WOP-3L-EX(config):/# interface
WOP-3L-EX(config):/interface# wlan1-va0
WOP-3L-EX(config):/interface/wlan1-va0# vap
WOP-3L-EX(config):/interface/wlan1-va0/vap# ssid 'SSID_WOP-3L-EX _enterprise' (change SSID name)
 WOP-3L-EX(config):/interface/wlan1-va0/vap# ap-security 
WOP-3L-EX(config):/interface/wlan1-va0/vap/ap-security# mode WPA_WPA2_1X (encryption mode — WPA/WPA2-Enterprise)
 WOP-3L-EX(config):/interface/wlan1-va0/vap/ap-security# exit
WOP-3L-EX(config):/interface/wlan1-va0/vap# radius
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# domain root (where root — user domain)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# auth-address X.X.X.X (where X.X.X.X — IP address of RADIUS server)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# auth-port X (where Х — port of RADIUS server used for authentication and authorization. Default value: 1812)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# auth-password secret (where secret — password for RADIUS server used for authentication and authorization)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# acct-enable true (enable sending of "Accounting" messages to the RADIUS server. Default value: false)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# acct-address X.X.X.X (where X.X.X.X —  IP address of RADIUS server used for accounting)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# acct-password secret (where secret — password for RADIUS server used for accounting)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# acct-periodic true (enable periodic sending of "Accounting" messages to the RADIUS server. Default value: false)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# acct-interval 600 (interval for sending "Accounting" messages to the RADIUS server)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# exit
 WOP-3L-EX(config):/interface/wlan1-va0/vap# exit
WOP-3L-EX(config):/interface/wlan1-va0# common
WOP-3L-EX(config):/interface/wlan1-va0/common# enabled true (enable VAP)
WOP-3L-EX(config):/interface/wlan1-va0/common# save (save changes)

Configuration of VAP with Captive Portal

WOP-3L-EX(root):/# configure
WOP-3L-EX(config):/# interface
WOP-3L-EX(config):/interface# wlan1-va0  
WOP-3L-EX(config):/interface/wlan1-va0# vap
WOP-3L-EX(config):/interface/wlan1-va0/vap# vlan-id X (where X — VLAN-ID on VAP)
 WOP-3L-EX(config):/interface/wlan1-va0/vap# ap-security
WOP-3L-EX(config):/interface/wlan1-va0/vap/ap-security# mode off (encryption mode off — no password)
WOP-3L-EX(config):/interface/wlan1-va0/vap/ap-security# exit
WOP-3L-EX(config):/interface/wlan1-va0/vap# ssid 'Portal_WOP-3L-EX' (change SSID name)
WOP-3L-EX(config):/interface/wlan1-va0/vap# captive-portal
WOP-3L-EX(config):/interface/wlan1-va0/vap/captive-portal# scenarios
WOP-3L-EX(config):/interface/wlan1-va0/vap/captive-portal/scenarios# scenario-redirect
WOP-3L-EX(config):/interface/wlan1-va0/vap/captive-portal/scenarios/scenario-redirect# redirect-url  http://<IP>:<PORT>/eltex_portal/ (specify URL of virtual portal)
WOP-3L-EX(config):/interface/wlan1-va0/vap/captive-portal/scenarios/scenario-redirect# index 1
WOP-3L-EX(config):/interface/wlan1-va0/vap/captive-portal/scenarios/scenario-redirect# virtual-portal-name default (specify portal name. Default value: default)
WOP-3L-EX(config):/interface/wlan1-va0/vap/captive-portal/scenarios/scenario-redirect# exit
WOP-3L-EX(config):/interface/wlan1-va0/vap/captive-portal/scenarios# exit
WOP-3L-EX(config):/interface/wlan1-va0/vap/captive-portal# apb-mac-auth true (enable MAC authorization of portal users via the APB service (available only with SoftWLC version 1.34.1 and later). Default value: false)
WOP-3L-EX(config):/interface/wlan1-va0/vap/captive-portal# enabled true 
WOP-3L-EX(config):/interface/wlan1-va0/vap/captive-portal# exit
WOP-3L-EX(config):/interface/wlan1-va0/vap# radius
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# domain root (where root — user domain)
 WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# acct-enable true (enable sending of "Accounting" messages to the RADIUS server. Default value: false)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# acct-address X.X.X.X (where Х.Х.Х.Х — IP address of RADIUS server used for accounting)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# acct-password secret (where secret — password for RADIUS server used for accounting)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# acct-periodic true (enable periodic sending of "Accounting" messages to the RADIUS server. Default value: false)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# acct-interval 600 (interval for sending "Accounting" messages to the RADIUS server)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# exit
WOP-3L-EX(config):/interface/wlan1-va0/vap# exit
WOP-3L-EX(config):/interface/wlan1-va0# common
WOP-3L-EX(config):/interface/wlan1-va0/common# enabled true (enable VAP)
WOP-3L-EX(config):/interface/wlan1-va0/common# save (save changes)

Configuration of VAP with external Captive Portal

WOP-3L-EX(root):/# configure
WOP-3L-EX(config):/# interface
WOP-3L-EX(config):/interface# wlan1-va0  
WOP-3L-EX(config):/interface/wlan1-va0# vap
WOP-3L-EX(config):/interface/wlan1-va0/vap# vlan-id X (where X — VLAN-ID on VAP)
WOP-3L-EX(config):/interface/wlan1-va0/vap# ap-security 
WOP-3L-EX(config):/interface/wlan1-va0/vap/ap-security# mode off (encryption mode off — no password)
WOP-3L-EX(config):/interface/wlan1-va0/vap/ap-security# exit
WOP-3L-EX(config):/interface/wlan1-va0/vap# ssid 'Portal_WOP-3L-EX' (change SSID name)
WOP-3L-EX(config):/interface/wlan1-va0/vap# captive-portal
WOP-3L-EX(config):/interface/wlan1-va0/vap/captive-portal# verification-mode external-portal (enable external portal support. Default value: portal)
WOP-3L-EX(config):/interface/wlan1-va0/vap/captive-portal# scenarios
WOP-3L-EX(config):/interface/wlan1-va0/vap/captive-portal/scenarios# scenario-redirect
WOP-3L-EX(config):/interface/wlan1-va0/vap/captive-portal/scenarios/scenario-redirect# redirect-url "https://X.X.X.X/<NAS_ID>/?switch_url=<SWITCH_URL>&ap_mac=<AP_MAC>&client_mac=<CLIENT_MAC>
&wlan=<SSID>&original-url=<ORIGINAL_URL>&nas-ip=<NAS_IP>&ap_location=<AP_LOCATION>&nas_id=<NAS_ID>"
(specify the URL of the external virtual portal according to the table 9)
WOP-3L-EX(config):/interface/wlan1-va0/vap/captive-portal/scenarios/scenario-redirect# exit
WOP-3L-EX(config):/interface/wlan1-va0/vap/captive-portal/scenarios# exit
WOP-3L-EX(config):/interface/wlan1-va0/vap/captive-portal#
enabled true (enable captive-portal feature)
WOP-3L-EX(config):/interface/wlan1-va0/vap/captive-portal# exit
WOP-3L-EX(config):/interface/wlan1-va0/vap# radius
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# auth-address X.X.X.X (where Х.Х.Х.Х — IP address of the RADIUS server used for authorization)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# auth-password secret (where secret — password for the RADIUS server used for authorization)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# exit
WOP-3L-EX(config):/interface/wlan1-va0/vap# save (save changes)

WOP-3L-EX(config):/interface/wlan1-va0/vap/captive-portal# preauth-filter-mode acl (determines the basis for filtering traffic from unauthorized clients. Acceptable values: acl, white-list. Default value: white-list)
WOP-3L-EX(config):/interface/wlan1-va0/vap/captive-portal# http-auth false (disable HTTP authorization. Default value: true)
WOP-3L-EX(config):/interface/wlan1-va0/vap/captive-portal# ipv4-acl ipv4_list (where ipv4_list — ipv4-acl rule list name)
WOP-3L-EX(config):/interface/wlan1-va0/vap/captive-portal# url-acl url_list (where url_list — url-ac rule list name)
WOP-3L-EX(config):/interface/wlan1-va0/vap/captive-portal# filter-dns-by-acl true (enable filtering DNS requests by preauth-acl rules. Default value: false)
WOP-3L-EX(config):/interface/wlan1-va0/vap/captive-portal# client-mac-format XX-XX-XX-XX-XX-XX (where XX-XX-XX-XX-XX-XX — client's MAC address format, which will be substituted for <AP_MAC> in requests to an external portal. Acceptable values: XX-XX-XX-XX-XX-XX, XX:XX:XX:XX:XX:XX, XXXXXXXXXXXX, xx-xx-xx-xx-xx-xx, xx:xx:xx:xx:xx:xx, xxxxxxxxxxxx. Default value: xxxxxxxxxxxx)
WOP-3L-EX(config):/interface/wlan1-va0/vap/captive-portal# nas-id-format XX-XX-XX-XX-XX-XX (where XX-XX-XX-XX-XX-XX — format of the access point MAC address, which will be substituted for <NAS_ID> in requests to an external portal. Acceptable values: XX-XX-XX-XX-XX-XX, XX:XX:XX:XX:XX:XX, XXXXXXXXXXXX, xx-xx-xx-xx-xx-xx, xx:xx:xx:xx:xx:xx, xxxxxxxxxxxx. Default value: xxxxxxxxxxxx)
WOP-3L-EX(config):/interface/wlan1-va0/vap/captive-portal# disconnect-on-reject true (parameter responsible for disconnecting the client after receiving an Access-Reject. To disable, enter false)
WOP-3L-EX(config):/interface/wlan1-va0/vap/captive-portal# exit
WOP-3L-EX(config):/interface/wlan1-va0/vap# radius
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# use-macaddr-as-password true (send the client's MAC address as a password in RADIUS requests. Default value: false)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# macaddr-format XX-XX-XX-XX-XX-XX (where XX-XX-XX-XX-XX-XX —  client's MAC address format, which will be used in RADIUS requests. The functionality works only if use-macaddr-as-password = true. Acceptable values: XX-XX-XX-XX-XX-XX, XX:XX:XX:XX:XX:XX, XXXXXXXXXXXX, xx-xx-xx-xx-xx-xx, xx:xx:xx:xx:xx:xx, xxxxxxxxxxxx. Default value: xxxxxxxxxxxx)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# exit
WOP-3L-EX(config):/interface/wlan1-va0/vap# save (save changes)

To learn about the operation algorithm with the external portal, see the diagram.



Table 9 — Setting up a URL template for external Captive Portal 

ParameterDescription
<NAS_ID>NAS ID set on VAP or in the system. If neither of these parameters is set, then the MAC address of the access point will be used as NAS ID in RADIUS and HTTP(S) packets
<SWITCH_URL>Domain name that is shown to the client when redirected
<AP_MAC>MAC address of the access point
<CLIENT_MAC>MAC address of the client
<SSID>SSID
<ORIGINAL_URL>URL that the client originally requested
<NAS_IP>IP address of the access point
<AP_LOCATION>AP-location of the access point

Configuration of an alternative RADIUS server on VAP

This functionality is only available for portal and Enterprise authentication modes.


WOP-3L-EX(root):/# configure
WOP-3L-EX(config):/# interface
WOP-3L-EX(config):/interface# wlan1-va0
WOP-3L-EX(config):/interface/wlan1-va0# vap
WOP-3L-EX(config):/interface/wlan1-va0/vap# radius (configuration of the primary RADIUS server)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# backup (configuration of an alternative RADIUS server)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius/backup# add <IP address of alternative RADIUS server in the configuration> (creation of the configuration section for the alternative RADIUS server. Maximum number: 4)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius/backup# X.X.X.X (where X.X.X.X — IP address of the alternative RADIUS server in the configuration)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius/backup/X.X.X.X# auth-address X.X.X.X (where X.X.X.X — IP address of RADIUS server)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius/backup/X.X.X.X# auth-port X (where Х — port of RADIUS server used for authentication and authorization. Default value: 1812)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius/backup/X.X.X.X# auth-password secret (where secret — password for RADIUS server used for authentication and authorization)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius/backup/X.X.X.X# acct-address X.X.X.X (where X.X.X.X — IP address of RADIUS server used for accounting)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius/backup/X.X.X.X# acct-port X (where Х — port of RADIUS server used for accounting. Default value: 1813)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius/backup/X.X.X.X# acct-password secret (where secret — password for RADIUS server used for accounting)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius/backup/X.X.X.X# order 1 (where order — RADIUS server priority. If the priority has not been explicitly specified, it is assumed to be 0. In this case, servers are selected in the order RADIUS servers were added to the configuration)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius/backup/X.X.X.X# save (save changes)

Configuration of repeated requests to RADIUS server

WOP-3L-EX(root):/# configure
WOP-3L-EX(config):/# interface
WOP-3L-EX(config):/interface# wlan1-va0
WOP-3L-EX(config):/interface/wlan1-va0# vap
WOP-3L-EX(config):/interface/wlan1-va0/vap# radius 
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# auth-retry-count X (where Х — number of Access-Requests sent to the RADIUS server if the RADIUS server does not respond. Acceptable values: 0–32000. If the parameter is 0, one Access-Request will be sent. Default value: 4)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# auth-retry-timeout X (where Х — timeout to wait for a response from the RADIUS server in seconds before resending the Access-Request. Acceptable values: 0–32000. Default value: 2)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# acct-retry-count X (where Х — number of Accounting-Request (Start) packets sent if the RADIUS server does not respond. Acceptable values: 0–32000. If the parameter is 0, then one Accounting-Request (Start) will be sent. Default value: 4)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# acct-retry-timeout X (where Х — timeout to wait for a response from the RADIUS server in seconds before resending Accounting-Request (Start) packets. Acceptable values: 0–32000. Default value: 2)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# save (save changes)

Advanced VAP settings 

WOP-3L-EX(config):/interface/wlan1-va0/vap# vlan-id X (where X — VLAN ID number on VAP)

WOP-3L-EX(config):/interface/wlan1-va0/vap# vlan-group X,Y-Z (where X,Y-Z — VLAN ID numbers, which can be assigned on VAP. Acceptable values: 1–4094. If the vlan-group parameter is configured, the vlan-id parameter will be ignored)

WOP-3L-EX(config):/interface/wlan1-va0/vap# band-steer-mode true (enabling Band Steer mode. To disable, enter false)


WOP-3L-EX(config):/interface/wlan1-va0/vap# vlan-trunk true (enabling VLAN Trunk on VAP. To disable, enter false)

WOP-3L-EX(config):/interface/wlan1-va0/vap# general-vlan-mode true (enabling General VLAN on SSID. To disable, enter false)
WOP-3L-EX(config):/interface/wlan1-va0/vap# general-vlan-id X (where X — General VLAN number)


WOP-3L-EX(config):/interface/wlan1-va0/vap# priority-by-dscp false (priority analysis from CoS field (Class of Service) of the tagged packets. Default value: true. In this case, the priority from DSCP header field of the IP packet is analyzed)


WOP-3L-EX(config):/interface/wlan1-va0/vap# mfp required (enable management frame protection. required requires MFP support from client, clients that do not support MFP will not be able to connect. capable compatible with MFP; clients that do not support MFP can connect. To disable, enter off)


WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# tls-enable true (use TLS for authorization process. To disable, enter false)


WOP-3L-EX(config):/interface/wlan1-va0/vap# hidden true (enable hidden SSID. To disable, enter false)

WOP-3L-EX(config):/interface/wlan1-va0/vap# station-isolation true (enable traffic isolation between clients within a single VAP. To disable, enter false)


WOP-3L-EX(config):/interface/wlan1-va0/vap# sta-limit X (where X — maximum number of clients connected to the virtual network) 

WOP-3L-EX(config):/interface/wlan1-va0/vap# arp-inspection true (enable traffic checking for source IP address spoofing in ARP packets. To disable, enter false. Default value: false)

WOP-3L-EX(config):/interface/wlan1-va0/vap# uplink-ipv4-acl X (where Х — name of ACL list, that will be applied on VAP)


WOP-3L-EX(config):/interface/wlan1-va0/vap# wmf-bss-enable true (enable multicast traffic replication on the VAP. To disable, enter false)


WOP-3L-EX(config):/interface/wlan1-va0/vap# check-signal-enable true (enable the use of Minimal Signal functionality. To disable, enter false)
WOP-3L-EX(config):/interface/wlan1-va0/vap# min-signal X (where X — RSSI threshold value, when reached, the point will disconnect the client from the VAP. The parameter can take values from -100 to -1)
WOP-3L-EX(config):/interface/wlan1-va0/vap# check-signal-timeout X (where X —  time period in seconds, after which the decision is made to disconnect the client equipment from the virtual network)
WOP-3L-EX(config):/interface/wlan1-va0/vap# roaming-signal X (where X — RSSI threshold value, when reached, the client equipment is switched to another access point. The parameter can take values from -100 to -1. The roaming-signal parameter must be higher than min-signal: if min-signal = -75 дБм, then roaming-signal should be -70 dBm, for example)
WOP-3L-EX(config):/interface/wlan1-va0/vap# save (save changes)


WOP-3L-EX(config):/interface/wlan1-va0/vap# local-switching true (enable local switching. To disable, enter false. Default value: disabled)

Configuring traffic shaper from clients (each separately) connected to this VAP towards access point:

WOP-3L-EX(config):/interface/wlan1-va0/vap# shaper-per-sta-rx 
WOP-3L-EX(config):/interface/wlan1-va0/vap/shaper-per-sta-rx# value X (where X — maximum speed in kbps
WOP-3L-EX(config):/interface/wlan1-va0/vap/shaper-per-sta-rx# mode kbps (enable shaper. Acceptable values: kbps — kilobits per second, pps — packets per second, off — disabled)
WOP-3L-EX(config):/interface/wlan1-va0/vap/shaper-per-sta-rx# exit
WOP-3L-EX(config):/interface/wlan1-va0/vap# save (save changes)


Configuring traffic shaper from access point towards clients (each separately) connected to this VAP:

WOP-3L-EX(config):/interface/wlan1-va0/vap# shaper-per-sta-tx
WOP-3L-EX(config):/interface/wlan1-va0/vap/shaper-per-sta-tx# value X (where X — maximum speed in kbps) 
WOP-3L-EX(config):/interface/wlan1-va0/vap/shaper-per-sta-tx# mode kbps (enable shaper. Acceptable values: kbps — kilobits per second, pps — packets per second, off — disabled)
WOP-3L-EX(config):/interface/wlan1-va0/vap/shaper-per-sta-tx# exit
WOP-3L-EX(config):/interface/wlan1-va0/vap# save (save changes)


Configuring traffic shaper from clients (in total) connected to this VAP towards access point:

WOP-3L-EX(config):/interface/wlan1-va0/vap# shaper-per-vap-rx
WOP-3L-EX(config):/interface/wlan1-va0/vap/shaper-per-vap-rx# value X (where X — maximum speed in kbps) 
WOP-3L-EX(config):/interface/wlan1-va0/vap/shaper-per-vap-rx# mode kbps (enable shaper. Acceptable values: kbps — kilobits per second, pps — packets per second, off — disabled)
WOP-3L-EX(config):/interface/wlan1-va0/vap/shaper-per-vap-rx# exit
WOP-3L-EX(config):/interface/wlan1-va0/vap# save (save changes)


Configuring traffic shaper from access point towards clients (in total) connected to this VAP:

WOP-3L-EX(config):/interface/wlan1-va0/vap# shaper-per-vap-tx
WOP-3L-EX(config):/interface/wlan1-va0/vap/shaper-per-vap-tx# value X (where X — maximum speed in kbps) 
WOP-3L-EX(config):/interface/wlan1-va0/vap/shaper-per-vap-tx# mode kbps (enable shaper. Acceptable values: kbps — kilobits per second, pps — packets per second, off — disabled)
WOP-3L-EX(config):/interface/wlan1-va0/vap/shaper-per-vap-tx# exit
WOP-3L-EX(config):/interface/wlan1-va0/vap# save (save changes)

Configuring traffic shaper from client towards access point:
WOP-3L-EX(config):/interface/wlan1-va0/vap# shaper-bcast-rx
WOP-3L-EX(config):/interface/wlan1-va0/vap/shaper-bcast-rx# value X (where X — maximum speed in kbps or pps)
WOP-3L-EX(config):/interface/wlan1-va0/vap/shaper-bcast-rx# mode kbps (enable shaper. Acceptable values: kbps — kilobits per second, pps — packets per second, off — disabled)
WOP-3L-EX(config):/interface/wlan1-va0/vap/shaper-bcast-rx# exit
WOP-3L-EX(config):/interface/wlan1-va0/vap# save (save changes)

Configuring traffic shaper from access point towards client:
WOP-3L-EX(config):/interface/wlan1-va0/vap# shaper-bcast-tx
WOP-3L-EX(config):/interface/wlan1-va0/vap/shaper-bcast-tx# value X (where X — maximum speed in kbps or pps)
WOP-3L-EX(config):/interface/wlan1-va0/vap/shaper-bcast-tx# mode kbps (enable shaper. Acceptable values: kbps — kilobits per second, pps — packets per second, off — disabled)
WOP-3L-EX(config):/interface/wlan1-va0/vap/shaper-bcast-tx# exit
WOP-3L-EX(config):/interface/wlan1-va0/vap# save (save changes)

Configuring traffic shaper from client towards access point: 
WOP-3L-EX(config):/interface/wlan1-va0/vap# shaper-mcast-rx
WOP-3L-EX(config):/interface/wlan1-va0/vap/shaper-mcast-rx# value X (where X — maximum speed in kbps or pps)
WOP-3L-EX(config):/interface/wlan1-va0/vap/shaper-mcast-rx# mode kbps (enable shaper. Acceptable values: kbps — kilobits per second, pps — packets per second, off — disabled)
WOP-3L-EX(config):/interface/wlan1-va0/vap/shaper-mcast-rx# exit
WOP-3L-EX(config):/interface/wlan1-va0/vap# save (save changes)

Configuring traffic shaper from access point towards client: 
WOP-3L-EX(config):/interface/wlan1-va0/vap# shaper-mcast-tx
WOP-3L-EX(config):/interface/wlan1-va0/vap/shaper-mcast-tx# value X (where X — maximum speed in kbps or pps)
WOP-3L-EX(config):/interface/wlan1-va0/vap/shaper-mcast-tx# mode kbps (enable shaper. Acceptable values: kbps — kilobits per second, pps — packets per second, off — disabled)
WOP-3L-EX(config):/interface/wlan1-va0/vap/shaper-mcast-tx# exit
WOP-3L-EX(config):/interface/wlan1-va0/vap# save (save changes)

WOP-3L-EX(config):/interface/wlan1-va0/vap# acl
WOP-3L-EX(config):/interface/wlan1-va0/vap/acl# mode local (select the local mode checking MAC addresses from the list on the device)
WOP-3L-EX(config):/interface/wlan1-va0/vap/acl# mac
WOP-3L-EX(config):/interface/wlan1-va0/vap/acl/mac# add XX:XX:XX:XX:XX:XX (where XX:XX:XX:XX:XX:XX — MAC address of the device to be allowed/denied access. To remove an address from the list, use del)
WOP-3L-EX(config):/interface/wlan1-va0/vap/acl/mac# exit
WOP-3L-EX(config):/interface/wlan1-va0/vap/acl# policy allow (policy selection. Acceptable values: allow allow connections only from clients with MAC addresses included in the listdeny deny connections from clients with MAC addresses included in the list. Default value: deny)
WOP-3L-EX(config):/interface/wlan1-va0/vap/acl# enable true (enable MAC access control. To disable, enter false)
WOP-3L-EX(config):/interface/wlan1-va0/vap/acl# exit
WOP-3L-EX(config):/interface/wlan1-va0/vap# save (save changes)

WOP-3L-EX(config):/interface/wlan1-va0/vap# acl
WOP-3L-EX(config):/interface/wlan1-va0/vap/acl# mode radius (select the radius mode — checking MAC addresses via RADIUS server)
WOP-3L-EX(config):/interface/wlan1-va0/vap/acl# policy allow (select the priority. Acceptable values: allow — allow connections only to those clients approved by the RADIUS server; deny — deny connections to clients approved by the RADIUS server. Default value: deny)
WOP-3L-EX(config):/interface/wlan1-va0/vap/acl# enable true (enable MAC access control via RADIUS server. To disable, enter false)
WOP-3L-EX(config):/interface/wlan1-va0/vap/acl# exit
WOP-3L-EX(config):/interface/wlan1-va0/vap# radius
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# domain root (where root — user domain)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# auth-address X.X.X.X (where X.X.X.X — IP address of the RADIUS server)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# auth-port X (where Х — RADIUS server port used for authentication and authorization. Default: 1812)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# auth-password secret (where secret — RADIUS server password used for authentication and authorization)
WOP-3L-EXL(config):/interface/wlan1-va0/vap/radius# acct-enable true (enable sending "Accounting" messages to the RADIUS server. Default: false)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# acct-address X.X.X.X (where X.X.X.X — IP address of the RADIUS server used for accounting)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# acct-password secret (where secret — password of the RADIUS server used for accounting)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# acct-periodic true (enable periodic sending of "Accounting" messages to the RADIUS server. Default: false)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# acct-interval 600 (interval for sending "Accounting" messages to the RADIUS server)
WOP-3L-EX(config):/interface/wlan1-va0/vap/radius# exit
WOP-3L-EX(config):/interface/wlan1-va0/vap# save (save changes)

If it is required by security policy to implement protection against connections of users duplicating the MAC address of a wired device (gateway, PC, etc.), use the fdb-filtering setting, which has the following operating modes:
on-connect mode blocks all connection attempts via Wi-Fi if the MAC address has already been learned on the Ethernet port of the access point;
by-eth-event mode disconnects a connected client via Wi-Fi if its MAC address has been learned on the Ethernet port of the access point (the mode helps clear the old client record when roaming);
full mode combines the functionality of the previous modes: blocks the connection of a new user via Wi-Fi and disconnects the previously connected one if its MAC address matches with the device connected to the Ethernet interface.

When setting the full and on-connect modes, the roaming of Wi-Fi clients may deteriorate. During operation, all broadcast packets from the client are received by other access points in the network, causing the client's MAC address to be learned on all access points of the network. As a result, during roaming, if the MAC address is already present on the Ethernet port of the target access point, reconnection may take a long of time.

WOP-3L-EX(config):/interface/wlan1-va0/vap# fdb-filtering
WOP-3L-EX(config):/interface/wlan1-va0/vap/fdb-filtering # enabled true (enable functionality. To disable, enter false. Default value: false)
WOP-3L-EX(config):/interface/wlan1-va0/vap/fdb-filtering # mode full (select operating mode. Default value: by-eth-event)
WOP-3L-EX(config):/interface/wlan1-va0/vap/fdb-filtering # exit
WOP-3L-EX(config):/interface/wlan1-va0/vap# save (save changes)

802.11r configuration 

This type of roaming is available only for client devices supporting 802.11r.

802.11r roaming is possible only between VAPs with WPA2 or higher security modes.

See instructions for configuring VAP with WPA2-Personal security mode and others in Configuration of VAP with WPA-Personal security mode section. 

Each VAP on the access points should be configured individually, eg. AP1(wlan1)↔AP2(wlan1), AP1(wlan0)↔AP2(wlan0), AP1(wlan1)↔AP3(wlan1), etc.

Below is the example of 802.11r configuring on two access points: AP1 and AP2.

WOP-3L-EX(config):/interface/wlan1-va0/vap/ft-config# enabled false
WOP-3L-EX(config):/interface/wlan1-va0/vap/ft-config# r1-key-holder-id E8:28:C1:FC:D6:80 (MAC address of the VAP. Can be viewed with ifconfig)
WOP-3L-EX(config):/interface/wlan1-va0/vap/ft-config# r0-key-holder-id 12345 (unique key for this VAP)
WOP-3L-EX(config):/interface/wlan1-va0/vap/ft-config# mobility-domain 100 (domain must match on remote VAPs)
WOP-3L-EX(config):/interface/wlan1-va0/vap/ft-config# mac
WOP-3L-EX(config):/interface/wlan1-va0/vap/ft-config/mac# add E4:5A:D4:E2:C4:B0 (MAC address of VAP interface of remote access point — AP2)
WOP-3L-EX(config):/interface/wlan1-va0/vap/ft-config/mac# E4:5A:D4:E2:C4:B0
WOP-3L-EX(config):/interface/wlan1-va0/vap/ft-config/mac/E4:5A:D4:E2:C4:B0# r0-kh-id 23456 (unique key of remote VAP AP2 — r0-key-holder-id)
WOP-3L-EX(config):/interface/wlan1-va0/vap/ft-config/mac/E4:5A:D4:E2:C4:B0# r1-kh-id E4:5A:D4:E2:C4:B0 (MAC address of remote VAP on AP2)
WOP-3L-EX(config):/interface/wlan1-va0/vap/ft-config/mac/E4:5A:D4:E2:C4:B0# r0-kh-key 0102030405060708 (random key. Must not match the r1-kh-key of AP1, but must match the r1-kh-key of the remote AP2)
WOP-3L-EX(config):/interface/wlan1-va0/vap/ft-config/mac/E4:5A:D4:E2:C4:B0# r1-kh-key 0001020304050607 (random key. Must not match the r0-kh-key of AP1, but must match the r0-kh-key of the remote AP2)
WOP-3L-EX(config):/interface/wlan1-va0/vap/ft-config/mac/E4:5A:D4:E2:C4:B0# exit
WOP-3L-EX(config):/interface/wlan1-va0/vap/ft-config/mac# exit
WOP-3L-EX(config):/interface/wlan1-va0/vap/ft-config# enabled true (enable access point operation based on 802.11r protocol)
WOP-3L-EX(config):/interface/wlan1-va0/vap/ft-config# save (save changes)

WOP-3L-EX(config):/interface/wlan1-va0/vap/ft-config# enabled false
WOP-3L-EX(config):/interface/wlan1-va0/vap/ft-config# r1-key-holder-id E4:5A:D4:E2:C4:B0 (MAC address of the VAP. Can be viewed with ifconfig)
WOP-3L-EX(config):/interface/wlan1-va0/vap/ft-config# r0-key-holder-id 23456 (unique key for this VAP)
WOP-3L-EX(config):/interface/wlan1-va0/vap/ft-config# mobility-domain 100 (domain must match on remote VAPs)
WOP-3L-EX(config):/interface/wlan1-va0/vap/ft-config# mac
WOP-3L-EX(config):/interface/wlan1-va0/vap/ft-config/mac# add E8:28:C1:FC:D6:80 (MAC address of VAP interface of remote access point — AP1)
WOP-3L-EX(config):/interface/wlan1-va0/vap/ft-config/mac# E8:28:C1:FC:D6:80
WOP-3L-EX(config):/interface/wlan1-va0/vap/ft-config/mac/E8:28:C1:FC:D6:80# r0-kh-id 12345 (unique key of remote VAP AP1 — r0-key-holder-id)
WOP-3L-EX(config):/interface/wlan1-va0/vap/ft-config/mac/E8:28:C1:FC:D6:80# r1-kh-id E8:28:C1:FC:D6:80 (MAC address of remote VAP on AP1)
WOP-3L-EX(config):/interface/wlan1-va0/vap/ft-config/mac/E8:28:C1:FC:D6:80# r0-kh-key 0001020304050607 (random key. Must not match the r1-kh-key of AP2, but must match the r1-kh-key of the remote AP1
WOP-3L-EX(config):/interface/wlan1-va0/vap/ft-config/mac/E8:28:C1:FC:D6:80# r1-kh-key 0102030405060708 (random key. Must not match the r0-kh-key of AP2, but must match the r0-kh-key of the remote AP1)
WOP-3L-EX(config):/interface/wlan1-va0/vap/ft-config/mac/E8:28:C1:FC:D6:80# exit
WOP-3L-EX(config):/interface/wlan1-va0/vap/ft-config/mac# exit
WOP-3L-EX(config):/interface/wlan1-va0/vap/ft-config# enabled true (enable access point operation based on 802.11r protocol)
WOP-3L-EX(config):/interface/wlan1-va0/vap/ft-config# save (save changes)

802.11k configuration 

Roaming based on 802.11k protocol can be configured between any types of networks (open/secure). If the access point is configured to operate with 802.11k protocol, when a client connects, the access point sends the list of "friendly" access points to which the client can switch in a roaming process. The list contains information about access points' MAC addresses and channels they work with.

The use of 802.11k allows to reduce the time for finding another network when roaming, since the client does not need to scan channels on which there are no target access points available for switching.

This type of roaming is available only for client devices supporting 802.11k.

Below is an example of configuring 802.11k on an access point — making a list of "friendly" access points. 

WOP-3L-EX(config):/interface/wlan1-va0/vap/w80211kv-config# enabled false
WOP-3L-EX(config):/interface/wlan1-va0/vap/w80211kv-config# mac
WOP-3L-EX(config):/interface/wlan1-va0/vap/w80211kv-config/mac# add E8:28:C1:FC:D6:90 (where E8:28:C1:FC:D6:90 — MAC address of "friendly" access point)
WOP-3L-EX(config):/interface/wlan1-va0/vap/w80211kv-config/mac# E8:28:C1:FC:D6:90
WOP-3L-EX(config):/interface/wlan1-va0/vap/w80211kv-config/mac/E8:28:C1:FC:D6:90# channel 132 (where 132 — channel on which access point with E8:28:C1:FC:D6:90 MAC address operates)
WOP-3L-EX(config):/interface/wlan1-va0/vap/w80211kv-config/mac/E8:28:C1:FC:D6:90# exit
WOP-3L-EX(config):/interface/wlan1-va0/vap/w80211kv-config/mac# add E8:28:C1:FC:D6:70 (where E8:28:C1:FC:D6:70 — MAC address of "friendly" access point)
WOP-3L-EX(config):/interface/wlan1-va0/vap/w80211kv-config/mac# E8:28:C1:FC:D6:70
WOP-3L-EX(config):/interface/wlan1-va0/vap/w80211kv-config/mac/E8:28:C1:FC:D6:70# channel 36 (where 36 — channel on which access point with  E8:28:C1:FC:D6:70 MAC address operates)
WOP-3L-EX(config):/interface/wlan1-va0/vap/w80211kv-config/mac/E8:28:C1:FC:D6:70# exit
WOP-3L-EX(config):/interface/wlan1-va0/vap/w80211kv-config/mac# exit
WOP-3L-EX(config):/interface/wlan1-va0/vap/w80211kv-config# enabled true (enable access point operation based on 802.11k protocol)
WOP-3L-EX(config):/interface/wlan1-va0/vap/w80211kv-config# save (save changes)

802.11v configuration 

Roaming based on 802.11v protocol can be configured between any types of networks (open/secure). If the access point is configured to operate with 802.11v protocol, the device sends a special BSS Transition packet toward the client at the request of an administrator or controller (AirTune). This packet contains a recommendation for the client to initiate roaming. Whether the client device follows the recommendation of the access point cannot be guaranteed, as the final decision to switch to another access point is always made on the client side. When used in combination with the 802.11k standard, the BSS Transition Management message also includes a list of recommended access points for roaming. This list provides details on which channel each access point operates and the wireless standard used (IEEE 802.11n/ac/ax). The client then analyzes the environment and makes a decision based on signal strength, channel load, and the configuration of the remote access point.

This type of roaming is available only for client devices supporting 802.11v.

WOP-3L-EX(config):/interface/wlan1-va0/vap/w80211kv-config# enabled true (enable access point operation based on 802.11k/v protocol)
WOP-3L-EX(config):/interface/wlan1-va0/vap/w80211kv-config# save (save changes)

AirTune configuration 

WOP-3L-EX(config):/# airtune
WOP-3L-EX(config):/airtune# airtune_service_url ws://192.168.1.20:8099/apb/rrm (where 192.168.1.20 —  IP address of the server on which the AirTune service is installed)
WOP-3L-EX(config):/airtune# dca true (enable dynamic channel allocation functionality. To disable, enter false)
WOP-3L-EX(config):/airtune# tpc true (enable automatic power control functionality. To disable, enter false)
WOP-3L-EX(config):/airtune# load-balance-80211v true (enable client balancing functionality. To disable, enter false
WOP-3L-EX(config):/airtune# enabled true (enable interaction with the AirTune service. To disable, enter false)
WOP-3L-EX(config):/airtune# save (save changes)

To enable automatic 802.11r configuration via the AirTune service on the access point, the 802.11r functionality must be enabled. To do this, apply the following settings: 

WOP-3L-EX(config):/interface/wlan1-va0/vap/ft-config# enabled true (enable access point operation based on 802.11r protocol)
WOP-3L-EX(config):/interface/wlan1-va0/vap/ft-config# save (save changes)

To enable automatic 802.11k/v configuration via the AirTune service on the access point, the 802.11k/v functionality must be enabled on the SSID. To do this, apply the following settings:

WOP-3L-EX(config):/interface/wlan1-va0/vap/w80211kv-config# enabled true (enable 802.11k/v protocol support on a virtual access point)
WOP-3L-EX(config):/interface/wlan1-va0/vap/w80211kv-config# save (save changes)

Radio configuration 

By default, automatic channel selection is used on the Radio. To manually set the channel or change the transmit power, use the following commands: 

WOP-3L-EX(root):/# configure
WOP-3L-EX(config):/# interface
WOP-3L-EX(config):/interface# wlan0
WOP-3L-EX(config):/interface/wlan0# wlan
WOP-3L-EX(config):/interface/wlan0/wlan# radio
WOP-3L-EX(config):/interface/wlan0/wlan/radio# channel X (where X — number of the static channel on which the access point will operate)
WOP-3L-EX(config):/interface/wlan0/wlan/radio# auto-channel false (disable Auto Channel. To enable, enter true)
WOP-3L-EX(config):/interface/wlan0/wlan/radio# use-limit-channels false (disable Use Limit Channels. To enable, enter true)
WOP-3L-EX(config):/interface/wlan0/wlan/radio# bandwidth X (where X — channel width. The parameter can take the following values: Radio 1: 20, 40; Radio 2: 20, 40, 80)
WOP-3L-EX(config):/interface/wlan0/wlan/radio# tx-power X (where X — power level, dBm. The parameter can take the following values: Radio 1: 11–16 dBm; Radio 2: 11–19 dBm)
WOP-3L-EX(config):/interface/wlan0/wlan/radio# tx-power-min X (where X — minimum power level, dBm. The parameter can take the following values: Radio 1: 11–16 dBm; Radio 2: 11–19 dBm)
WOP-3L-EX(config):/interface/wlan0/wlan/radio# tx-power-max X (where X — maximum power level, dBm. The parameter can take the following values: Radio 1: 11–16 dBm; Radio 2: 11–19 dBm)
WOP-3L-EX(config):/interface/wlan0/wlan/radio# save (save changes)


Channels available for selection for radio 2.4 GHz: 

  • for 20 MHz channel width: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13.
  • for 40 MHz channel width:
    • if "control-sideband" = lower: 1, 2, 3, 4, 5, 6, 7, 8, 9.
    • if "control-sideband" = upper: 5, 6, 7, 8, 9, 10, 11, 12, 13.

Channels available for selection for radio 5 GHz:

  • for 20 MHz channel width: 36, 40, 44, 48, 52, 56, 60, 64, 132, 136, 140, 144, 149, 153, 157, 161, 165.
  • for 40 MHz channel width:
    • if "control-sideband" = lower: 36, 44, 52, 60, 132, 140, 149, 157.
    • if "control-sideband" = upper: 40, 48, 56, 64, 136, 144, 153, 161.
  • for 80 MHz channel width: 36, 40, 44, 48, 52, 56, 60, 64, 132, 136, 140, 144, 149, 153, 157, 161.

The parameters tx-power-min and tx-power-max are only applicable when operating with the AirTune service is enabled.

Advanced Radio settings

WOP-3L-EX(config):/interface/wlan0/wlan/radio# country X (where X — select the country where the device is located. Possible values: EU, RU, ALL. Default: RU)     

WOP-3L-EX(config):/interface/wlan0/wlan/radio# use-limit-channels true (enable use of limited list of channels in auto-channel selection mode. To disable, enter false)
WOP-3L-EX(config):/interface/wlan0/wlan/radio# limit-channels '1 6 11' (where 1, 6, 11 —  channels of range in which the configurable radio interface can operate


WOP-3L-EX(config):/interface/wlan0/wlan/radio# control-sideband lower (parameter can take values: lower, upper. Default value: for Radio 1: lower; for Radio 2: upper)


WOP-3L-EX(config):/interface/wlan0/wlan/radio# sgi true (enable the use of a Short Guard Interval for data transmission of 400 ns instead of 800 ns. To disable, enter false)


WOP-3L-EX(config):/interface/wlan0/wlan/radio# stbc true (enable the Space-Time Block Coding (STBC) method, aimed at improving the reliability of data transmission. To disable, enter false)


WOP-3L-EX(config):/interface/wlan0/wlan/radio# aggregation true (enable aggregation on Radio — support for AMPDU/AMSDU. To disable, enter false)


WOP-3L-EX(config):/interface/wlan0/wlan/radio# short-preamble true (enable the short packet preamble. To disable, enter false)


WOP-3L-EX(config):/interface/wlan0/wlan/radio# wmm true (enable the support for WMM (Wi-Fi Multimedia). To disable, enter false)

Configuration is available only on Radio 5 GHz (wlan1)

WOP-3L-EX(config):/interface/wlan1/wlan/radio# dfs X (where X — DFS mechanism operating mode. Acceptable values: forcedmechanism is disable, DFS channels are available for selection; automechanism is enabled; disabledmechanism is disabled, DFS channels are unavailable for selection)


WOP-3L-EX(config):/interface/wlan0/wlan/radio# obss-coex true (enables automatic channel width change from 40 MHz to 20 MHz when the radio air is congested. To disable, enter false)


WOP-3L-EX(config):/interface/wlan0/wlan/radio# tx-broadcast-limit X (where X — restricting broadcast/multicast traffic over the wireless network, the limit for broadcast traffic is specified in packets per second)


WOP-3L-EX(config):/interface/wlan0/wlan/radio# qos
WOP-3L-EX(config):/interface/wlan0/wlan/radio/qos# enable true (enable the use of Quality of Service (QoS) functions. To disable, enter false
WOP-3L-EX(config):/interface/wlan0/wlan/radio/qos# edca-ap (configure QoS parameters of the access point, traffic is transmitted from the access point to the client)
WOP-3L-EX(config):/interface/wlan0/wlan/radio/qos/edca-ap# bk (configure QoS parameters for low-priority high-bandwidth queues, 802.1p priorities: cs1, cs2)
WOP-3L-EX(config):/interface/wlan0/wlan/radio/qos/edca-ap/bk# aifs X (where X —  waiting time for frames of data, measured in slots. Acceptable values: 1–255)
WOP-3L-EX(config):/interface/wlan0/wlan/radio/qos/edca-ap/bk# cwmin X (where X — initial value of the waiting time before resending a frame, specified in milliseconds. Acceptable values: 1, 3, 7, 15, 31, 63, 127, 255, 511, 1023. The cwMin value cannot exceed the cwMax value)
WOP-3L-EX(config):/interface/wlan0/wlan/radio/qos/edca-ap/bk# cwmax X (where X — maximum value of the waiting time before resending a frame, specified in milliseconds. Acceptable values: 1, 3, 7, 15, 31, 63, 127, 255, 511, 1023. The value of cwMax must exceed the value of cwMin)
WOP-3L-EX(config):/interface/wlan0/wlan/radio/qos/edca-ap/bk# txop X (where X — time interval, in milliseconds, in which the client WME station is allowed to initiate data transmission over the wireless environment to the access point. Maximum value is 65535 ms)
WOP-3L-EX(config):/interface/wlan0/wlan/radio/qos/edca-ap/bk# exit
WOP-3L-EX(config):/interface/wlan0/wlan/radio/qos/edca-ap# exit
WOP-3L-EX(config):/interface/wlan0/wlan/radio/qos# edca-sta (configure QoS parameters of the client station, traffic is transmitted from the client station to the access point)
WOP-3L-EX(config):/interface/wlan0/wlan/radio/qos# save (save changes)

The configuration procedure for edca-sta is similar to that of edca-ap.
Configuring parameters for the be, vi, and vo queues is similar to configuring parameters for the bk queue. 

Configuring DHCP option 82

DHCP option 82 is configured separately for each radio interface. This section provides examples of configuring option 82 for Radio 2.4 GHz — wlan0.

DHCP snooping operating modes:

WOP-3L-EX(root):/# configure
WOP-3L-EX(config):/# interface
WOP-3L-EX(config):/interface# wlan0 (configuring will be done for Radio 2.4 GHz. To configure option 82 on Radio 5 GHz, enter wlan1)
WOP-3L-EX(config):/interface/wlan0# common
WOP-3L-EX(config):/interface/wlan0/common# dhcp-snooping
WOP-3L-EX(config):/interface/wlan0/common/dhcp-snooping# dhcp-snooping-mode replace (selection of DHCP snooping operation in the mode of replacement or substitution of option 82
WOP-3L-EX(config):/interface/wlan0/common/dhcp-snooping# save (save changes)


If the option 82 replace processing policy is configured on the radio interface, the following parameters become available for configuration: 

WOP-3L-EX(config):/interface/wlan0/common/dhcp-snooping# dhcp-option-82-CID-format custom (where custom replacement of the CID content with the value specified in the dhcp-option-82-custom-CID parameter. The parameter can take values: APMAC-SSID replacement of the CID content with <MAC address of the access point>-<SSID name>SSID  replacement of the CID content with SSID name, to which the client is connected. Default value: APMAC-SSID)
WOP-3L-EX(config):/interface/wlan0/common/dhcp-snooping# dhcp-option-82-RID-format custom (where custom replacement of the RID content with the value specified in the dhcp-option-82-custom-RID parameter. The parameter can take values: ClientMAC replacement of the RID content with MAC address of the client deviceAPMAC replacement of the RID content with MAC address of the access point. APdomainreplacement of the RID content with the domain where the access point is located. Default value: ClientMAC)
WOP-3L-EX(config):/interface/wlan0/common/dhcp-snooping# dhcp-option-82-custom-CID longstring (where longstring value from 1 to 52 characters, which will be transmitted in CID. If the value of dhcp-option-82-custom-CID parameter is not defined, the access point will change the CID to the default value: <MAC address of the access point>-<SSID name>)
WOP-3L-EX(config):/interface/wlan0/common/dhcp-snooping# dhcp-option-82-custom-RID longstring (where longstring value from 1 to 63 characters, which will be transmitted in RID. If the value of dhcp-option-82-custom-RID parameter is not defined, the access point will change the RID to the default value: MAC address of the client device)
WOP-3L-EX(config):/interface/wlan0/common/dhcp-snooping# dhcp-option-82-MAC-format radius (selecting octet delimiter of the MAC address which is transmitted in RID and CID. radius a dash is used as a delimiter: AA-BB-CC-DD-EE-FF; default a colon is used as a delimiter: AA:BB:CC:DD:EE:FF) 
WOP-3L-EX(config):/interface/wlan0/common/dhcp-snooping# save (save changes)

Configuring DHCP replication

This configuration enables the functionality of converting broadcast DHCP responses from the server to unicast when they are transmitted to the wireless client.

This allows to increase the stability of DHCP exchange between client and server in the radio environment.

This is a global configuration that applies to all VAP radio interfaces.

Below is the DHCP replication configuration for Radio 5 GHz (wlan1). 

WOP-3L-EX(root):/# configure
WOP-3L-EX(config):/# interface
WOP-3L-EX(config):/interface# wlan1
WOP-3L-EX(config):/interface/wlan1# common
WOP-3L-EX(config):/interface/wlan1/common# dhcp-snooping
WOP-3L-EX(config):/interface/wlan1/common/dhcp-snooping# dhcp-replication-mode true (enable DHCP replication. Disabled by default, false)
WOP-3L-EX(config):/interface/wlan1/common/dhcp-snooping# save (save changes)

Configuring ARP replication

ARP suppression is configured separately for each radio interface. This section provides examples of ARP suppression configuration for Radio 2.4 GHz — wlan0.

After ARP suppression is enabled, the recipient's MAC address is replaced. 

WOP-3L-EX(root):/# configure
WOP-3L-EX(config):/# interface
WOP-3L-EX(config):/interface# wlan0
WOP-3L-EX(config):/interface/wlan0# common
WOP-3L-EX(config):/interface/wlan0/common# arp-suppression
WOP-3L-EX(config):/interface/wlan0/common/arp-suppression# enabled true (enable ARP suppression. Disabled by default: false)
WOP-3L-EX(config):/interface/wlan0/common/arp-suppression# drop-unknown-arp-ip true (ARP replication management. If the parameter is set to true, packets with an unknown destination IP address are discarded. If the parameter is set to false, packets will be broadcast. Enabled by default: true. Only works when ARP suppression is enabled)
WOP-3L-EX
(config):/interface/wlan0/common/arp-suppression# save (save changes)

System settings

Device firmware update

WOP-3L-EX(root):/# firmware upload tftp <IP address of TFTP server> <Firmware file name> (example: firmware upload tftp 192.168.1.15 WOP-3L-EX-2.11.2_build_X.tar.gz)  
WOP-3L-EX(root):/# firmware upgrade


WOP-3L-EX(root):/# firmware upload http <URL for firmware uploading> (example: firmware upload http http://192.168.1.100:8080/files/WOP-3L-EX-2.11.2_build_X.tar.gz)
WOP-3L-EX(root):/# firmware upgrade


WOP-3L-EX(root):/# firmware switch

Device configuration management

WOP-3L-EX(root):/# manage-config reset-to-default


WOP-3L-EX(root):/# manage-config reset-to-default-without-management


WOP-3L-EX(root):/# manage-config download tftp <IP address of the TFTP server> (example: manage-config download tftp 192.168.1.15) 


WOP-3L-EX(root):/# manage-config upload tftp <IP address of the TFTP server> <Configuration file name> (example: manage-config upload tftp 192.168.1.15 config.json)
WOP-3L-EX(root):/# manage-config apply (apply configuration to the access point)

Device reboot  

WOP-3L-EX(root):/# reboot
WOP-3L-EX(root):/# reboot delay X (where X — time in seconds after which a delayed device reboot will occur. Acceptable values: 0–86400)
WOP-3L-EX(root):/# reboot at hh:mm:ss (where hh:mm:ss — time at which the scheduled device reboot will occur. Acceptable values: hh:mm, hh:mm:ss)
WOP-3L-EX(root):/# reboot cancel

Configuring the authentication mode  

The device has a factory user account of admin with a password of password. This account cannot be deleted. You can change your password using the following commands.

WOP-3L-EX(root):/# configure
WOP-3L-EX(config):/# authentication
WOP-3L-EX(config):/authentication# admin-password <New password for admin account> (from 1 to 64 characters, including Latin letters and digits)
WOP-3L-EX(config):/authentication# save (save changes)

It is possible to create additional users for local authentication as well as authentication via RADIUS. 

New users should be assigned one of two roles:
admin — a user with this role will have full access to configure and monitor the base station;
viewer — a user with this role will only have access to base station monitoring.

WOP-3L-EX(root):/# configure
WOP-3L-EX(config):/# authentication
WOP-3L-EX(config):/authentication# user
WOP-3L-EX(config):/authentication/user# add userX (where userX — new account name. To delete, enter del)
WOP-3L-EX(config):/authentication/user# userX
WOP-3L-EX(config):/authentication/user/userX# login userX (where userX — new account name)
WOP-3L-EX(config):/authentication/user/userX# password <password for the userX account> (from 1 to 64 characters, including Latin letters and digits)
WOP-3L-EX(config):/authentication/user/userX# role admin (user is given configuration rights. Acceptable value: viewer the account will only have access to monitoring)
WOP-3L-EX(config):/authentication/user/userX# save (save changes)

To authenticate via a RADIUS server, you need to configure access parameters to it.  

WOP-3L-EX(root):/# configure
WOP-3L-EX(config):/# authentication
WOP-3L-EX(config):/authentication# radius
WOP-3L-EX(config):/authentication/radius# auth-address X.X.X.X (where X.X.X.X — IP address of the RADIUS server)
WOP-3L-EX(config):/authentication/radius# auth-port X (where Х — port of the RADIUS server, which is used for authentication and authorization. Default value: 1812)
WOP-3L-EX(config):/authentication/radius# auth-password secret (where secret — key of the RADIUS server, which is used for authentication and authorization)
WOP-3L-EX(config):/authentication/radius# exit
WOP-3L-EX(config):/authentication# radius-auth true (enable authentication mode via RADIUS server. To disable, enter false)
WOP-3L-EX(config):/authentication# save (save changes)

When authenticating via a RADIUS server, it is necessary to create a local account that is similar to the account on the RADIUS server.
In this case, the local account should have a specified role with access rights (admin or viewer).
If the RADIUS server is unavailable, authentication will be performed using the local account.

WOP-3L-EX(root):/# configure
WOP-3L-EX(config):/# authentication
WOP-3L-EX(config):/authentication# session-idle-timeout X (where X — idle session timeout, is used to configure a policy on how long users are inactive in the web interface before the session is automatically terminated. Acceptable values: 0–10080. To disable the functionality, set 0. Default: 15)
WOP-3L-EX(config):/authentication# save (save changes)

Configuring the date and time

WOP-3L-EX(root):/# configure
WOP-3L-EX(config):/# date-time
WOP-3L-EX(config):/date-time# mode ntp (enable NTP operation mode)
WOP-3L-EX(config):/date-time# ntp
WOP-3L-EX(config):/date-time/ntp# server <IP address of the NTP server> (NTP server configuration)
WOP-3L-EX(config):/date-time/ntp# alt-servers (configuring alternative NTP servers)
WOP-3L-EX(config):/date-time/ntp/alt-servers# add <Domain name/IP address of NTP server in the configuration> (creating a configuration section for an alternative NTP server. Maximum number: 8. To delete, enter del)
WOP-3L-EX(config):/date-time/ntp/alt-servers# exit
WOP-3L-EX(config):/date-time/ntp#exit
WOP-3L-EX(config):/date-time# common
WOP-3L-EX(config):/date-time/common# timezone 'Asia/Novosibirsk (Novosibirsk)' (timezone configuration)
WOP-3L-EX(config):/date-time/common# save (save changes)

Advanced system settings

WOP-3L-EX(root):/# configure
WOP-3L-EX(config):/# system
WOP-3L-EX(config):/system# global-station-isolation true (enable global traffic isolation between clients of different VAPs and different radio interfaces. To disable, enter false)
WOP-3L-EX config):/system# save (save changes)


WOP-3L-EX(root):/# configure
WOP-3L-EX(config):/# system
WOP-3L-EX(config):/system# hostname WOP-3L-EX _room2 (where WOP-3L-EX_room2 —  new device name. The parameter can take values from 1 to 63 characters: capital and lowercase Latin letters, digits, hyphen character "-" (hyphen can not be the last character in name). Default value: WOP-3L-EX)
WOP-3L-EX(config):/system# save (save changes)


WOP-3L-EX(root):/# configure
WOP-3L-EX(config):/# system
WOP-3L-EX(config):/system# ap-location ap.test.root (where ap.test.root — EMS management system device tree node domain, where access point is located. Default value: root)
WOP-3L-EX(config):/system# save (save changes)

WOP-3L-EX(root):/# configure
WOP-3L-EX(config):/# system
WOP-3L-EX(config):/system# nas-id Lenina_1.Novovsibirsk.root (where Lenina_1.Novovsibirsk.root — identifier of this access point. The parameter is intended to identify the device on the RADIUS server if RADIUS expects a value other than the MAC address. Default value: MAC address of the access point)
WOP-3L-EX(config):/system# save (save changes)


WOP-3L-EX(root):/# configure 
WOP-3L-EX(config):/# lldp
WOP-3L-EX(config):/lldp# enabled true (enable the LLDP. To disable, enter false. Default value: true)
WOP-3L-EX(config):/lldp# tx-interval Х (where Х —  changing the period for sending LLDP messages. Acceptable values: 1–86400. Default value: 30)
WOP-3L-EX(config):/lldp# system-name WOP-3L-EX_reserv (where WOP-3L-EX_reserv — new device nameDefault value: WOP-3L-EX)
WOP-3L-EX(config):/lldp# save (save changes)

Configuring Captive Portal

WOP-3L-EX(root):/# configure
WOP-3L-EX(config):/# captive-portal
WOP-3L-EX(config):/captive-portal# ap-ip-alias <Domain name> (domain name to which clients will be redirected. Default value: redirect.loc)
WOP-3L-EX(config):/captive-portal# tinyproxy-https true (enable client redirection via HTTPS. To redirect via HTTP, enter false. Default value: false)
WOP-3L-EX(config):/
captive-portal# save (save changes)


A DNS request for the domain name specified in ap-ip-alias will be intercepted by the access point. A response will be sent to this request, and the response will contain the IP address of the access point.

WOP-3L-EX(root):/# configure
WOP-3L-EX(config):/# captive-portal
WOP-3L-EX(config):/captive-portal# web-redirector
WOP-3L-EX(config):/captive-portal/web-redirector# param-names
WOP-3L-EX(config):/captive-portal/web-redirector/param-names# redirect_url original_url (configure the name of the parameter containing the original URL requested by the client. The client will be redirected to this URL if the authorization is successful)
WOP-3L-EX(config):/captive-portal/web-redirector/param-names# error_url err_url (configure the name of the parameter containing the URL where the client will be redirected in case of an authorization error)
WOP-3L-EX(config):/captive-portal/web-redirector/param-names# username login (configure the name of the parameter containing the login for the client
WOP-3L-EX(config):/captive-portal/web-redirector/param-names# password pass (configure the name of the parameter containing the password for the client)
WOP-3L-EX(config):/captive-portal/web-redirector/param-names# save (save changes)

The configuration is needed if the parameter names in the http response with code 302 differ from the default names accepted by the access point. 

For values in parameters redirect_url, error_url, username, password use only Latin characters of any case, as well as the symbols $\-_.!*'() with a length from 0 to 255 characters. 

WOP-3L-EX(root):/# configure
WOP-3L-EX(config):/# captive-portal
WOP-3L-EX(config):/captive-portal# web-redirector
WOP-3L-EX(config):/captive-portal/web-redirector# captive-adaptive true (enable adaptive mode of portal authorization for iOS devices. To disable, enter false. Default: false)
WOP-3L-EX(config):/captive-portal/web-redirector# save (save changes)

When adaptive mode is enabled, minimizing the authorization window on iOS devices will not cause the disconnection.

WOP-3L-EX(root):/# configure
WOP-3L-EX(config):/# acl
WOP-3L-EX(config):/acl# ipv4 
WOP-3L-EX(config):/acl/ipv4# add ipv4_list (create a list of ACL rules) 
WOP-3L-EX(config):/acl/ipv4# ipv4_list
WOP-3L-EX(config):/acl/ipv4/ipv4_list# entry
WOP-3L-EX(config):/acl/ipv4/ipv4_list/entry# add 0 (create ACL rules) 
WOP-3L-EX(config):/acl/ipv4/ipv4_list/entry# 0
WOP-3L-EX(config):/acl/ipv4/ipv4_list/entry/0# action permit (specify an action for the rule. Acceptable options: permit — allow, deny — prohibit)
WOP-3L-EX(config):/acl/ipv4/ipv4_list/entry/0# protocol-mode any (configure the protocol operating mode according to which the rule will be processed. Acceptable values: any — any protocol, value — specific protocol)
WOP-3L-EX(config):/acl/ipv4/ipv4_list/entry/0# protocol gre (select the protocol. Acceptable values: gre, icmp, igmp, tcp, udp)
WOP-3L-EX(config):/acl/ipv4/ipv4_list/entry/0# src-port-start X (where Х — source start port)
WOP-3L-EX(config):/acl/ipv4/ipv4_list/entry/0# src-port-end X (where Х — source end port. Used only for src-port-mode range)
WOP-3L-EX(config):/acl/ipv4/ipv4_list/entry/0# src-mode host (configure the source filtering mode. Acceptable options: any — any source, host — filtering by host address, network — filtering by network address)
WOP-3L-EX(config):/acl/ipv4/ipv4_list/entry/0# src-ip X.X.X.X (where X.X.X.X — IP address of the source host)
WOP-3L-EX(config):/acl/ipv4/ipv4_list/entry/0# src-mask X.X.X.X (where X.X.X.X — source host subnet mask)
WOP-3L-EX(config):/acl/ipv4/ipv4_list/entry/0# src-port-mode any (configure the source port operating mode. Acceptable options:
any — any mode, eq — equal, gt — greater, lt — less, neq — not equal, range — port range)
WOP-3L-EX(config):/acl/ipv4/ipv4_list/entry/0# dst-mode host (configure the destination filtering mode. Acceptable options: any any sourcehost filtering by host address, network — filtering by network address)
WOP-3L-EX(config):/acl/ipv4/ipv4_list/entry/0# dst-ip X.X.X.X (where X.X.X.X — IP address of the destination host)
WOP-3L-EX(config):/acl/ipv4/ipv4_list/entry/0# dst-mask X.X.X.X (where X.X.X.X — destination host subnet mask)
WOP-3L-EX(config):/acl/ipv4/ipv4_list/entry/0# dst-port-mode any (configure the destination port operating modeAcceptable options
any — any mode, eq — equal, gt —greater, lt — less, neq not equalrange — port range)
WOP-3L-EX(config):/acl/ipv4/ipv4_list/entry/0# dst-port-start X (where Х — destination start port)
WOP-3L-EX(config):/acl/ipv4/ipv4-acl/ipv4_list/entry/0# dst-port-end X (where Х destination end port. Used only for dst-port-mode range)

WOP-3L-EX(config):/acl/ipv4/ipv4-acl/ipv4_list/entry/0# save (save changes)

WOP-3L-EX(root):/# configure
WOP-3L-EX(config):/# acl
WOP-3L-EX(config):/acl# url 
WOP-3L-EX(config):/acl/url# add url_list (create a list of ACL rules) 
WOP-3L-EX(config):/acl/url# url_list
WOP-3L-EX(config):/acl/url/url_list# action permit (specify the action for list. Acceptable optionspermit — allow, deny prohibit)
WOP-3L-EX(config):/acl/url/url_list# entry
WOP-3L-EX(config):/acl/url/url_list/entry# add 0 (create ACL rules) 
WOP-3L-EX(config):/acl/url/url_list/entry# 0
WOP-3L-EX(config):/acl/url/url_list/entry/0# domain <Domain name> (specify a domain or regular expression)
WOP-3L-EX(config):/acl/url/url_list/entry/0# save (save changes)

Portal Certificate Management 

WOP-3L-EX(root):/# manage-certificates portal upload tftp <TFTP server IP address> <File name> (example: manage-certificates portal upload tftp 192.168.1.15 portal.pem) 


WOP-3L-EX(root):/# manage-certificates portal upload http <URL for uploading the software file> (example: manage-certificates portal upload http http://192.168.1.100:8080/files/portal.pem)


WOP-3L-EX(root):/# manage-certificates portal erase 

Configuring APB service   

The APB service is used to provide portal roaming of clients between access points connected to the service.  

WOP-3L-EX(root):/# configure
WOP-3L-EX(config):/# captive-portal
WOP-3L-EX(config):/captive-portal# apbd 
WOP-3L-EX(config):/captive-portal/apbd# roam_service_url <APB service address> (example: roam_service_url ws://192.168.1.100:8090/apb/broadcast)
WOP-3L-EX(config):/captive-portal/apbd# enabled true (enable the APB service. To disable it, enter false)
WOP-3L-EX(config):/captive-portal/apbd# save (save changes)

Configuring DAS server

The DAS server functionality ensures processing of dynamic RADIUS authorization requests by access points. 

WOP-3L-EX(root):/# configure
WOP-3L-EX(config):/# das-server
WOP-3L-EX(config):/das-server# enabled true (enable DAS server. To disable, enter false)
WOP-3L-EX(config):/das-server# port X (where Х — DAS server port. Default: 3799)
WOP-3L-EX(config):/das-server# auth-password secret (where secret password for DAS server, used when encrypting RADIUS requests)
WOP-3L-EX(config):/das-server# save (save changes)

Configuring Radar mode

The functionality is designed to collect information about client devices within the access point's coverage area and transmit data to a collector server.  

Configuring radar with data sending via HTTP

WOP-3L-EX(root):/# configure
WOP-3L-EX(config):/#radar
WOP-3L-EX(config):/radar# enabled true (enable radar functionality. To disable, enter false)
WOP-3L-EX(config):/radar# url http://host:port/service (specify a URL to a service that will receive data from the access point in JSON format. Data can be transmitted via HTTP/HTTPS)
WOP-3L-EX(config):/radar# scan-interface all (where all — interface on which scanning will work. Acceptable values: wlan0 2.4 GHz interface, wlan1 — 5 GHz interface, all — 2.4 GHz and 5 GHz simultaneously. Default: all)
WOP-3L-EX(config):/radar# send-interval X (where Х — interval for sending data to the collector. Acceptable values: 1-3600. Default: 5 seconds)
WOP-3L-EX(config):/radar# mac-source"probe data" (where probe data — select the type of data collected over the air. Acceptable valuesprobe — only probe request, assoc — only assoc, dataonly data, all — all types of packages. Default: all)
WOP-3L-EX(config):/radar# scan-channel-timeout X (where Х — time for scanning one channel. Acceptable values: 100-60000. Default: 200 ms)
WOP-3L-EX(config):/radar# scan-limit-channels-2g "1 6 11" (where 1, 6, 11 — channels for scanning in the 2.4 GHz range. Empty value — all available channels are scanned)
WOP-3L-EX(config):/radar# scan-limit-channels-5g "36 40 44 48" (where 36, 40, 44, 48 — channels for scanning in the 5 GHz range. Empty value — all available channels are scanned)
WOP-3L-EX(config):/radar# save (save changes)

Configuring radar with data sending via MQTT protocol

WOP-3L-EX(root):/# configure
WOP-3L-EX(config):/# radar
WOP-3L-EX(config):/radar# url mqtt://host:port/service (specify a URL to a service that will receive data from the access point via MQTT protocol. Example: mqtt://rtls.eltex.nsk.ru:1883/)
WOP-3L-EX(config):/radar# mqtt-username eltex (where eltex — username. Required for authorization on the collection service)
WOP-3L-EX(config):/radar# mqtt-password password (where password — password. Required for authorization on the collection service)
WOP-3L-EX(config):/radar# mqtt-topic input_mqtt_topic (specify URL identifier of entities is specified in the exchange between the access point and the collector via MQTT protocol)
WOP-3L-EX(config):/radar# scan-mode passive (where passive — radar operating mode. Acceptable valuesactive — access point only scans the air and does not provide service to clients; passive — access point provides service to clients, does not scan the air, and transmits data to connected clients. Default: active)
WOP-3L-EX(config):/radar# scan-interface all (where all — interface on which scanning will work. Acceptable values: wlan02.4 GHz interface, wlan15 GHz interface, all2.4 GHz and 5 GHz simultaneouslyDefault: all)
WOP-3L-EX(config):/radar# send-interval X (where Х —  interval for sending data to the collector. Acceptable values: 1-3600. Default: 5 seconds)
WOP-3L-EX(config):/radar# mac-source"probe data" (where probe data —  select the type of data collected over the air. Acceptable values: probeonly probe request, assoconly assoc, dataonly data, allall types of packages. Default: all)
WOP-3L-EX(config):/radar# scan-channel-timeout X (where Х — time for scanning one channel. Acceptable values: 100-60000. Default: 200 ms)
WOP-3L-EX(config):/radar# scan-limit-channels-2g "1 6 11" (where 1, 6, 11 — channels to scan in the 2.4 GHz range. Empty value — all available channels are scanned)
WOP-3L-EX(config):/radar# scan-limit-channels-5g "36 40 44 48" (where 36, 40, 44, 48 — channels for scanning in the 5 range. Empty value — all available channels are scanned)
WOP-3L-EX(config):/radar# scan-min-signal X (where X — signal strength threshold. If the access point sees a client with a strength below the specified level, the client's MAC address is not transmitted to the collector, and the client is not considered detected. Acceptable values: -100-0. Default: 0, function is disabled)
WOP-3L-EX(config):/radar# enabled true (enable radar function. To disable, enter false)
WOP-3L-EX(config):/radar# save (save changes)

Monitoring

Wi-Fi clients 

To display monitoring of connected Wi-Fi clients, use the command:

monitoring associated-clients <mac address of client 1> ... <mac address of client N> filter <parameter 1> ... <parameter N>,

where <mac address of client 1> ... <mac address of client N> — MAC addresses of customer devices, connected to the access point. In order to display information for all customers, instead of <mac address of client> enter all;

        filter — a special word followed by the monitoring parameters required for output by client/clients;

        <parameter 1> ... <parameter N> — monitoring parameter/parameters, necessary for client/clients output.

To display a list of clients connected to the access point, press Tab after monitoring associated-clients.     

WOP-3L-EX(root):/# monitoring associated-clients <Tab>

32:5b:60:62:e0:a4
bc:2e:f6:cc:85:46
all


To get a list of monitoring parameters, press Tab after filter.

WOP-3L-EX(root):/# monitoring associated-clients all filter <Tab>

index
interface
ssid
hw-addr
state
ip-addr
hostname
rx-retry-count
tx-fails
tx-period-retry
tx-retry-count
..... 



WOP-3L-EX(root):/# monitoring associated-clients (or monitoring associated-clients all)

 index                    | 0
 state                    | ASSOC SLEEP AUTH_SUCCESS 
 hw-addr                  | 32:5b:60:62:e0:a4
 interface                | wlan0-va0
 rfid                     | 0
 wid                      | 0
 band                     | 2.4
 ssid                     | WOP-3L-EX_2.4GHz
 vlan-id                  | 100
 ip-addr                  | 192.168.1.15
 frequency                | 2412
 channel                  | 1
 auth-algorithm           | open-system
 encryption-cipher        | no-cipher
 encryption-group-cipher  | no-cipher
 hostname                 | Test-phone
 username                 | 79xxxxxxxxx
 domain                   | root
 authorized               | true
 captive-portal-vap       | true
 enterprise-vap           | false
 radius-mac-auth          | not-required
 portal-auth              | authorized
 portal-auth-time         | 00:01:45
 wlan-auth-type           | Open
 wlan-auth-status         | authorized
 wlan-auth-time           | 00:01:46
 mfp                      | false
 rx-retry-count           | 209
 tx-fails                 | 0
 tx-period-retry          | 3
 tx-retry-count           | 18
 rssi-1                   | -48
 rssi-2                   | -48
 rssi                     | -48
 snr-1                    | 0
 snr-2                    | 0
 tx-rate                  | MCS15 NO SGI 270
 rx-rate                  | MCS14 NO SGI 117
 rx-bw                    | 20M
 rx-bw-all                | 20M
 tx-bw                    | 20M
 uptime                   | 00:01:46
 multicast-groups-count   | 1
 wireless-mode            | n
 using-802.11r            | no
 using-802.11k            | no
 using-802.11v            | no
 perftest-capable         | false
 dhcp-request-status      | obtained
 dhcp-start-packet-type   | request
 dhcp-start-delay         | 161
 dhcp-start-duration      | 0
 dhcp-end-duration        | 2
 link-capacity            | 90
 link-quality             | 85
 link-quality-common      | 96
 actual-tx-rate           | 0
 actual-rx-rate           | 0
 shaped-rx-rate           | 0
 actual-tx-pps            | 1
 actual-rx-pps            | 1
 shaped-rx-pps            | 1
 name                     | 0

Counter                  Transmitted               Received                    
----------------------   -----------------------   -------------------------   
Total Packets:           341                       901                         
TX success:              100                                                   
Total Bytes:             57550                     69222                       
Data Packets:            336                       375                         
Data Bytes:              48540                     45658                       
Mgmt Packets:            5                         526                         
Mgmt Bytes:              274                       268                         
Dropped Packets:         0                         0                           
Dropped Bytes:           0                         0                           
Lost Packets:            0   
                                                  
Rate              Transmitted               Received                    
---------------   -----------------------   -------------------------   
dsss1             0              |   0%     615            |  61%       
ofdm6             6              |   1%     0              |   0%       
mcs0              0              |   0%     27             |   2%       
mcs1              0              |   0%     27             |   2%       
mcs2              0              |   0%     23             |   2%       
mcs3              0              |   0%     12             |   1%       
mcs4              0              |   0%     33             |   3%       
mcs5              0              |   0%     13             |   1%       
mcs6              0              |   0%     14             |   1%       
mcs10             0              |   0%     9              |   0%       
mcs11             54             |  12%     38             |   3%       
mcs12             80             |  17%     78             |   7%       
mcs13             5              |   1%     52             |   5%       
mcs14             78             |  17%     53             |   5%       
mcs15             224            |  50%     12             |   1%       

Multicast groups:
MAC                 IP                
-----------------   ---------------   
33:33:FF:A0:8B:83   xxx.160.139.131 



WOP-3L-EX(root):/# monitoring associated-clients bc:2e:f6:cc:85:46 (it is possible to specify several MAC addresses, for example, monitoring associated-clients bc:2e:f6:cc:85:46 32:5b:60:62:e0:a4)

 index                    | 1
 hw-addr                  | bc:2e:f6:cc:85:46
 interface                | wlan1-va0
 rfid                     | 1
 wid                      | 0
 band                     | 5
 state                    | ASSOC SLEEP AUTH_SUCCESS 
 ssid                     | WOP-3L-EX_5GHz
 vlan-id                  | 100
 ip-addr                  | 192.168.1.20
 frequency                | 5200
 channel                  | 40
 auth-algorithm           | open-system
 encryption-cipher        | no-cipher
 encryption-group-cipher  | no-cipher
 hostname                 | Test-phone
 username                 | 79xxxxxxxxx
 domain                   | root
 dhcp-request-status      | obtained
 authorized               | true
 captive-portal-vap       | true
 enterprise-vap           | false
 radius-mac-auth          | not-required
 portal-auth              | authorized
 portal-auth-time         | 00:00:22
 wlan-auth-type           | Open
 wlan-auth-status         | authorized
 wlan-auth-time           | 00:01:48
 rx-retry-count           | 85
 tx-fails                 | 1
 tx-period-retry          | 0
 tx-retry-count           | 47
 rssi-1                   | -32
 rssi-2                   | -35
 rssi                     | -35
 snr-1                    | 34
 snr-2                    | 34
 snr                      | 34
 noise-1                  | -66
 noise-2                  | -69
 noise                    | -66
 tx-rate                  | HE NSS2 MCS11 SGI 286.8
 rx-rate                  | HE NSS2 MCS10 SGI 258.1
 rx-bw                    | 20M
 rx-bw-all                | 20M
 tx-bw                    | 20M
 uptime                   | 00:01:48
 mfp                      | false
 wireless-mode            | ax
 perftest-capable         | false
 link-quality             | 97
 link-quality-common      | 94
 actual-tx-rate           | 446
 actual-rx-rate           | 60
 shaped-rx-rate           | 59
 actual-tx-pps            | 16
 actual-rx-pps            | 22
 shaped-rx-pps            | 38
 link-capacity            | 98
 multicast-groups-count   | 1
 using-802.11r            | no
 using-802.11k            | no
 using-802.11v            | no
 twt-support              | requester broadcast flexible 
 name                     | 0

Counter                  Transmitted               Received                    
----------------------   -----------------------   -------------------------   
Total Packets:           2654                      1269                        
TX success:              99                                                    
Total Bytes:             2682230                   341604                      
Data Packets:            2639                      1255                        
Data Bytes:              2679056                   339575                      
Mgmt Packets:            15                        14                          
Mgmt Bytes:              3174                      2029                        
Dropped Packets:         0                         0                           
Dropped Bytes:           0                         0                           
Lost Packets:            0                                                     

Rate              Transmitted               Received                    
---------------   -----------------------   -------------------------   
ofdm6             0              |   0%     6              |   0%       
he-nss2-mcs6      0              |   0%     2              |   0%       
he-nss2-mcs7      0              |   0%     8              |   0%       
he-nss2-mcs8      2              |   0%     13             |   1%       
he-nss2-mcs9      23             |   0%     13             |   1%       
he-nss2-mcs10     892            |  33%     74             |   5%       
he-nss2-mcs11     1722           |  65%     1139           |  90%       

Multicast groups:
MAC                 IP                
-----------------   ---------------   
33:33:ff:d5:8c:1b   xxx.213.140.27   


WOP-3L-EX(root):/# monitoring associated-clients 32:5b:60:62:e0:a4 filter hw-addr ip-addr tx-rate rx-rate uptime (display of a limited number of monitoring parameters for a certain client, it is possible to specify several MAC addresses)

 hw-addr                  | 32:5b:60:62:e0:a4
 ip-addr                  | 192.168.1.15
 tx-rate                  | MCS15 NO SGI 270
 rx-rate                  | MCS14 NO SGI 117
 uptime                   | 00:09:51  

WOP-3L-EX(root):/# monitoring associated-clients all filter hw-addr rssi-1 rssi-2 wireless-mode interface (display of a limited number of monitoring parameters for all clients)

 hw-addr                  | 32:5b:60:62:e0:a4
 rssi-1                   | -48
 rssi-2                   | -47
 wireless-mode            | n
 interface                | wlan0-va0

 hw-addr                  | bc:2e:f6:cc:85:46
 rssi-1                   | -33
 rssi-2                   | -31
 wireless-mode            | ac
 interface                | wlan1-va0


Device information

WOP-3L-EX(root):/# monitoring information

 system-time                  | 08:16:34 12.05.2026
 uptime                       | 8 d 21:29:58
 hostname                     | WOP-3L-EX
 software-version             | 2.11.2 build X
 secondary-software-version   | 2.11.2 build X
 boot-version                 | 2.11.2 build X
 memory-usage                 | 79
 memory-free                  | 24
 memory-used                  | 96
 memory-total                 | 121
 cpu-load                     | 7.2
 cpu-average                  | 1.42
 is-default-config            | false
 vendor                       | Eltex
 device-type                  | Access Point
 board-type                   | WOP-3L-EX 
 hw-platform                  | WOP-3L-EX
 factory-wan-mac              | E8:28:C1:xx:xx:xx
 factory-lan-mac              | E8:28:C1:xx:xx:xx
 factory-serial-number        | WP3C000555
 hw-revision                  | 1v1
 session-password-initialized | false
 ott-mode                     | false
 last-reboot-reason           | firmware update
 test-changes-mode            | false


Certificate information

WOP-3L-EX(root):/# monitoring certificate

  ott:
      status: not present
  wlc:
      status: present
      url: https://192.168.1.15:8044
      file 'ca.pem':
         correctness: true
         issuer: /CN=WLC
         serial: F15E65D33604010D
         subject: /CN=WLC
         not-before: Jan  1 00:00:00 1999 GMT
         not-after: Aug 20 16:56:46 2124 GMT
      file 'cert.pem':
         correctness: true
         issuer: /CN=WLC
         serial: 6813E201D050
         subject: /CN=68:13:E2:01:D0:50
         not-before: Jan  1 00:00:00 1970 GMT
         not-after: Mar 31 14:28:02 2125 GMT
      file 'key.pem':
         correctness: false
  web:
      status: present
      file 'host.pem':
         correctness: true
         issuer: /C=RU/ST=Novosibirsk Region/L=Novosibirsk/O=Eltex Ent/CN=192.168.1.1
         serial: AD4C597BE0D04958
         subject: /C=RU/ST=Novosibirsk Region/L=Novosibirsk/O=Eltex Ent/CN=192.168.1.1
         not-before: Jan  1 00:00:44 1970 GMT
         not-after: Jan 18 00:00:44 2038 GMT
  portal:
      status: present
      file 'portal.pem':
         correctness: true
         issuer: /CN=redirect.loc/O=Eltex Ent
         serial: DDDD00B627AE03BC
         subject: /CN=redirect.loc/O=Eltex Ent
         not-before: Apr 24 07:46:06 2025 GMT
         not-after: Mar 31 07:46:06 2125 GMT
  redirector:
      status: present
      file 'redirector.pem':
         correctness: true
         issuer: /CN=*.*/O=Eltex Ent
         serial: 8737D51F860832B2
         subject: /CN=*.*/O=Eltex Ent
         not-before: Jul  9 13:26:36 2024 GMT
         not-after: Jun 15 13:26:36 2124 GMT


Network information 

WOP-3L-EX(root):/# monitoring wan-status

Common information:

 interface                | br0
 mac                      | e8:28:c1:xx:xx:xx
 rx-bytes                 | 4864149
 rx-packets               | 13751
 tx-bytes                 | 2462399
 tx-packets               | 20753

IPv4 information:

 protocol                 | dhcp
 ip-address               | 192.168.1.15
 netmask                  | 255.255.255.0
 gateway                  | 192.168.1.1
 DNS-1                    | 192.168.1.100
 DNS-2                    | 8.8.8.8

IPv6 information:

 addresses                |
 dns-servers              | ::
                          | ::


WOP-3L-EX(root):/# monitoring ethernet-ports

   ETH1:
      name: ETH1
      link: up
      speed: 1000
      duplex: enabled
      media-type: copper
      rx-bytes: 7429253
      rx-packets: 15934
      tx-bytes: 1489188
      tx-packets: 6942

WOP-3L-EX(root):/# monitoring arp

#        ip                mac              
------  ----------------   -----------------
0        192.168.1.1       02:00:48:xx:xx:xx
1        192.168.1.151     2c:fd:a1:xx:xx:xx

WOP-3L-EX(root):/# monitoring route

Destination       Gateway           Mask              Flags      Interface 
--------------    ---------------  ---------------   -------     ---------
0.0.0.0           192.168.1.1      0.0.0.0            UG         br0       
192.168.1.0       0.0.0.0          255.255.255.0      U          br0  

WOP-3L-EX(root):/# monitoring lldp

System capability legend:
        B - Bridge; R - Router; W - Wlan Access Point; T - Telephone;
        D - DOCSIS Cable Device; H - Host; r - Repeater; O - Other;

Port        Device ID           Port ID         System Name    Capabilities   TTL     
---------   -----------------   -------------   ------------   ------------   ----  
eth0        e0:d9:e3:xx:xx:xx   gi 0/16         MES            B,R            120


Wireless interfaces  

WOP-3L-EX(root):/# monitoring radio-interface 

   name                     | wlan0
   rfid                     | 0
   status                   | on
   band                     | 2.4 GHz
   hwaddr                   | EC:B1:E0:xx:xx:xx
   tx-power                 | 16 dBm
   connection-status        | AP mode
   operation-mode           | vap
   noise-1                  | -100 dBm
   noise-2                  | -100 dBm
   utilization              | 0%
   channel                  | 1
   frequency                | 2412 MHz
   bandwidth                | 20 MHz
   mode                     | b/g/n
   thermal                  | 22

   name                     | wlan1
   rfid                     | 1
   status                   | on
   band                     | 5 GHz
   hwaddr                   | EC:B1:E0:xx:xx:xx
   tx-power                 | 19 dBm
   connection-status        | AP mode
   operation-mode           | vap
   noise-1                  | -89 dBm
   noise-2                  | -89 dBm
   utilization              | 7%
   channel                  | 40
   frequency                | 5200 MHz
   bandwidth                | 20 MHz
   mode                     | a/n/ac/ax
   thermal                  | 44


VAP

Event logging 

WOP-3L-EX(root):/# monitoring events

Jan  23 00:00:07 WOP-3L-EX daemon.info syslogd[925]: started: BusyBox v1.21.1

Jan  23 00:00:09 WOP-3L-EX daemon.info configd[955]: The AP startup configuration was loaded successfully.

Jan  1 03:00:14 WOP-3L-EX daemon.info networkd[987]: Networkd started

Jan  1 03:01:17 WOP-3L-EX daemon.info networkd[987]: DHCP-client: Interface br0 obtained lease on 192.168.1.15.

Jan 23 07:17:14 WOP-3L-EX daemon.info monitord[1055]: event: 'associated' mac: E4:0E:EE:BD:AE:6B ssid: 'WOP-3L-EX_2.4GHz' int0


Air scanning 

While scanning the environment, the device radio interface will be disabled, which will make it impossible to transfer data to Wi-Fi clients during scanning.

Spectrum analyzer 

The spectrum analyzer provides information on channel congestion in the 2.4 and 5 GHz bands. The result is displayed as a percentage. 

While the spectrum analyzer is running, all clients are disconnected from the access point. Clients will reconnect only after the spectrum analyzer has finished its operation.

The analysis of all radio channels in both bands takes approximately 5 minutes.

The spectrum analyzer analyzes all channels in the range, regardless of the settings on the radio interface. 

For more information on configuring the radio interface via CLI, see the Radio configuration section.


WOP-3L-EX(root):/# monitoring spectrum-analyzer

 Channel| CCA
       1|  81%
       2|  40%
       3|  14%
       4|  10%
       5|  36%
       6|  60%
       7|  40%
       8|   8%
       9|  14%
      10|  38%
      11|  75%
      12|  37%
      13|  18%
      36|  14%
      40|  12%
      44|  10%
      48|  18%
      52|   3%
      56|   5%
      60|   8%
      64|   6%
     132|   0%
     136|   0%
     140|   0%
     144|   1%
     149|  30%
     153|   1%
     157|   3%
     161|   2%
     165|   1%


Troubleshooting file 

This command is not available for created users, it is only available for admin.

WOP-3L-EX(root):/# get-troubleshooting-file 

After executing the command, an archive named troubleshooting.tar.gz will be created, containing troubleshooting data and information about the device status.

The troubleshooting.tar.gz archive can be downloaded from the device via the TFTP protocol to the server.

This protocol is not available for created users, it is only available for admin.

WOP-3L-EX(root):/# tftp -pl troubleshooting.tar.gz <IP address of TFTP server>

troubleshooting.tar. 100% |********************************| 62755 0:00:00 ETA


The troubleshooting.tar.gz archive can be downloaded from your device to your server/PC via SCP protocol: 

This protocol is not available for created users, it is only available for admin.

scp <User>@<IP address of access point>:troubleshooting.tar.gz troubleshooting.tar.gz (example: scp admin@192.168.1.15:troubleshooting.tar.gz troubleshooting.tar.gz. This command is executed on the server/PC)

Auxiliary utilities

The traceroute utility

The utility shows which nodes (routers) the packet passes through, how much time it takes to process the packet at each node.  

This utility is not available for created users, it is only available for admin.

WOP-3L-EX(root):/# traceroute <tested host> 

The tcpdump utility

The tcpdump utility allows capturing packets on the specified interface.

To get information on how to work with the utility, use the following command:

This utility is not available for created users, it is only available for admin.

WOP-3L-EX(config):/# tcpdump --help

Traffic capture from any active interface

For example, it is possible to enable packet capture on the Ethernet interface.

WOP-3L-EX(root):/# tcpdump -i eth0

Capturing Ethernet interface packets and save to file.

WOP-3L-EX(root):/# tcpdump -i eth0 -env -w tcpdump.pcap

Environment sniffer 

The access point must have any VAP enabled in the range from which the traffic will be captured.

It is necessary to enable a special interface that captures all packets from the air on the working channel of the access point. 

WOP-3L-EX(root):/# configure
WOP-3L-EX(config):/# interface
WOP-3L-EX(config):/interface# radioX (for 2.4 GHz range — radio0, for 5 GHz range radio1)
WOP-3L-EX(config):/interface/radioX# common
WOP-3L-EX(config):/interface/radioX/common# enabled true


WOP-3L-EX(root):/# tcpdump -i radio1

Configuring remote traffic dump capture

The remote-capture section performs remote recording of a traffic dump.
The device supports the RPCAP protocol, which allows recording a traffic dump from the device interface on a remote machine in online mode.

To remotely capture packets from radio interfaces, it is required to connect the interfaces radio0 and radio1 from the previous step. 


WOP-3L-EX(root):/# configure
WOP-3L-EX(config):/# remote-capture
WOP-3L-EX(config):/remote-capture# enabled true (true — enabling. To disable, enter false)
WOP-3L-EX(config):/remote-capture# disable-authentication true (disable the authentication requirement when adding a remote interface on a remote host. Default value: false — authentication required)
WOP-3L-EX(config):/remote-capture# port 2002 (2002 — port number used to connect the remote machine. The parameter takes values ​​from 1025 to 65530. Default value: 2002
WOP-3L-EX(config):/remote-capture# save (save changes)

For remote connection, use the RPCAP protocol, specify the device IP address and port. For this purpose, you can use a program such as Wireshark. Then get a list of interfaces available for sniffing from the device, select one of them and start capturing the dump from the remote interface.

Uploading a traffic dump file from an access point to a server

This command is executed on the server/PC.

This command is not available for created users, it is only available for admin. 

scp <User>@<IP address of the device>:tcpdump.pcap tcpdump.pcap (example: scp admin@192.168.1.15:tcpdump.pcap tcpdump.pcap)

The iperf utility 

This utility is used to start a traffic flow from one device to another. The sending side is called the client, the receiving side is called the server.

To get information on how to work with the utility, use the following command:

This utility is not available for created users, it is only available for admin. 

WOP-3L-EX(root):/# iperf --help

Example of starting a traffic flow from AP to server:

root@server:/# iperf -s


WOP-3L-EX(root):/# iperf -c X.X.X.X (where X.X.X.X — IP address of the server)

List of changes 

Document version Issue Revisions 
Version 1.105.2026

Synchronization with firmware version 2.11.2

Added:

6.9.4 "Authentication" submenu

6.9.7 "Troubleshooting" submenu

7.3.9 Configuration of repeated requests to RADIUS server

7.12 Configuring DAS server

7.13 Configuring Radar mode

8.2.4 Uploading a traffic dump file from an access point to a server


Changed:

6.5.3 "Advanced" submenu

6.9.6.2 NTP server 

7.2.2 Remote control configuration

7.3.7 Configuration of VAP with external Captive Portal

7.3.10 Advanced VAP settings

7.5.1 Advanced Radio settings

7.9.3 Device reboot

7.9.4 Configuring the authentication mode

7.10 Configuring Captive Portal

7.14 Monitoring 

Version 1.010.2025First issue 
Firmware version 2.11.2