Config CLI Use Case Examples

Adding a User

The following is a fully worked example showing how to add a new user.

Note: In the following examples, some commentary has been added; it is denoted with a // prefix.

# config
Welcome to the Opengear interactive config shell. Type ? or help for help.
// Move to the user entity

config: user
config(user): help add
Add a new item for entity user.

The add command requires a unique value to identify the record.
This will be used for the username field.

Description for the item:
  Retrieve and update information for a specific user.

// Create the new user

config(user): add matt
config(user matt): show
Entity user item matt
  description
  enabled               true
  no_password           false
  password              (required)
  ssh_password_enabled  true
  username              matt
  groups (array)

// Fill out some fields (show echoes the pending password in clear text)

config(user matt): password topsecretpassword
config(user matt): description scrum master
config(user matt): show
Entity user item matt
  description           scrum master *
  enabled               true
  password              topsecretpassword *
  ssh_password_enabled  true
  username              matt
  groups (array)

// Edit the groups

config(user matt): groups
config(user matt groups): show
Entity user item matt field groups
config(user matt groups): add // Tab completion to show available values
admin myuser netgrp
config(user matt groups): add admin
config(user matt groups): up // Exit the groups list
// Show and apply

config(user matt): show
Entity user item matt
  description           scrum master *
  enabled               true
  password              topsecretpassword *
  ssh_password_enabled  true
  username              matt
  groups (array)
    0 admin *
config(user matt): apply
Creating entity user item matt.
config(user matt):

Configuring a Port

config: port
config(port): help
You are here: entity port

Description for the entity:
   Configuring and viewing ports information

Names (type <name> or help <name>)
==================================
USB-A USB-B USB-C USB-D USB-E USB-F USB-G USB-H USB-front-lower USB-front-upper
port01 port02 port03 port04 port05 port06 port07 port08 port09 port10 port11 port12
port13 port14 port15 port16 port17 port18 port19 port20 port21 port22 port23 port24

Commands (type help <command>)
==============================
exit help show up

config(port): port01
config(port port01): baudrate // tab completion
110 1200 150 19200 230400 300 4800 57600 75
115200 134 1800 200 2400 38400 50 600 9600
config(port port01): baudrate 57600
config(port port01): label Router
config(port port01): control_code
config(port port01 control_code): break a
config(port port01 control_code): up
config(port port01): show
Entity port item port01
  baudrate        57600 *
  databits        8
  escape_char     ~
  label           Router *
  logging_level   disabled
  mode            consoleServer
  parity          none
  pinout          X2
  stopbits        1
  control_code (object)
    break         a *
    chooser
    pmhelp
    portlog
    power
    quit
  ip_alias (array)
config(port port01): apply
Updating entity port item port01.
config(port port01):

Configure a Single Session on a Port

The feature is enabled by setting single_session to true and then applying the change.

config(port port01): single_session true
config(port port01): apply
Updating entity port item port01.
config(port port01): show
Entity port item port01
  baudrate          9600
  ...
  single_session    true
  ...
  ip_alias (array)

Create or Configure a Loopback Interface

Loopbacks are not physical interfaces and as such cannot be attached to a firewall zone; the firewall zone or policy rules must be created for whichever interface you connect over, since that interface's zone is what filters traffic to the loopback address. Service translations can be created through the firewall/service_translation endpoint to change the source address of outbound packets to the loopback address.

To create a loopback, navigate to the physif entity (the physifs REST endpoint) and set the media to loopback:

CREATE A LOOPBACK IN CONFIG SHELL

config: physif
config(physif): add loop
config(physif loop): media loopback
config(physif loop): enabled true
config(physif loop): apply
Creating entity physif item loop.

CREATE A LOOPBACK IN OGCLI

ogcli create physif << 'END'
device="loop"
enabled=true
media="loopback"
END

ADD AN ADDRESS TO A LOOPBACK INTERFACE

To add an address to a loopback interface, navigate to the conn entity (the conns REST endpoint) and attach a static ipv4 or ipv6 address to the loopback (dhcp and ipv6_automatic are not valid modes for a loopback):

ADD AN ADDRESS IN CONFIG SHELL

config: conn
config(conn): add new
config(conn new): mode static
config(conn new): physif loop
config(conn new): ipv4_static_settings
config(conn new ipv4_static_settings): address 10.0.0.1
config(conn new ipv4_static_settings): netmask 255.255.255.0
config(conn new ipv4_static_settings): apply
Creating entity conn item new.

ADD AN ADDRESS IN OGCLI

ogcli create conn << 'END'
mode="static"
physif="loop"
ipv4_static_settings.address="10.0.0.1"
ipv4_static_settings.netmask="255.255.255.255"
END

In both examples the physif is set to loop. Do not set broadcast_address or gateway_address for loopback interfaces. Note that the two examples use different netmasks: a host mask (255.255.255.255) is the usual choice for a loopback address, because it does not claim a whole subnet for a non-physical interface.

Create Source NAT Rules

Note: A service translation rule rewrites the source IP address of the device's own outbound traffic for the listed services to a chosen address (source NAT). To change the source address of outbound packets for a particular service, add a service_translation rule, as in the following example:

A rule consists of a list of outbound services and the source address their packets should carry. Navigate to the firewall/service_translation entity and use the add command with the translated address as the item name. Note: Only services that use tcp or udp are valid.

config(firewall/service_translation 10.0.0.1): show
Entity firewall/service_translation item 10.0.0.1
  address 10.0.0.1
  services (array)
     0 ssh
     1 https

If a service translation rule names an address that does not exist on the box, a warning is shown when the rule is created, but the rule is still created:

config(firewall/service_translation): add 10.0.0.2
  WARNING: The IP entered does not exist as a known IPv4 or IPv6 address.
  If this is expected, you can safely ignore this message.

If required, source NAT can be applied to all tcp and udp traffic leaving the box by adding the service all-tcp-udp to the service list:

config(firewall/service_translation 10.0.0.1): show
Entity firewall/service_translation item 10.0.0.1
  address 10.0.0.1
  services (array)
    0 all-tcp-udp

Note: There must be a static or dynamic route to the loopback address from the host you are connecting to the device from.

Note: Source NAT is not applied to packets on the cellular interface wwan0. To use the loopback address over cellular, set up a VPN over the cellular interface; dynamic routing then needs to be configured over the VPN so that the route to the loopback address is shared.

REST API

The firewall/service_translation endpoint creates nftables rules that apply source NAT to outgoing service traffic: the source address of each outgoing packet belonging to one of the listed services is replaced with the address given in the service_translation.

"service_translation": {
  "address": "A.B.C.D",
  "services": []
}

The address can be IPv4 or IPv6 (no netmask), and does not need to exist on the box (a warning is presented if it does not).

The services field is a list of service names as strings. Each outbound service must already be defined on the box, either as a predefined firewalld service or as a custom user service.
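The following is an added example, not part of the Opengear documentation or of ogcli: a small Python check that applies the constraints stated above to a proposed service_translation before you submit it, separating the hard errors (an address with a netmask, an unknown service, a service that is not tcp/udp) from the soft warning about an address the box does not own. The service table and the list of box addresses are constructed sample data, not read from a device.

```python
import ipaddress

# Constructed sample data: services defined on the box and the protocols they
# use (as the firewalld service definitions would record them). Replace with
# the real service list when using this against a device.
KNOWN_SERVICES = {
    "ssh": {"tcp"},
    "https": {"tcp"},
    "dns": {"tcp", "udp"},
    "icmp-echo": {"icmp"},        # hypothetical service with no tcp/udp port
    "all-tcp-udp": {"tcp", "udp"},
}

# Constructed sample data: addresses currently configured on the box.
BOX_ADDRESSES = {"10.0.0.1", "192.168.2.54", "fd00::1"}

NOT_ON_BOX_WARNING = (
    "The IP entered does not exist as a known IPv4 or IPv6 address. "
    "If this is expected, you can safely ignore this message."
)


def build_service_translation(address, services,
                              known=KNOWN_SERVICES, box_addresses=BOX_ADDRESSES):
    """Return (payload, warning) for a firewall/service_translation rule.

    Hard errors (ValueError): the address carries a netmask or is not an IP
    address at all, a service is not defined on the box, or a service does
    not use tcp or udp. Soft condition (warning string): the address is not
    configured on the box, which the device allows but warns about.
    """
    try:
        ip = ipaddress.ip_address(address)   # rejects "10.0.0.1/24" and hostnames
    except ValueError as exc:
        raise ValueError(f"{address!r} is not a bare IPv4/IPv6 address") from exc

    if not services:
        raise ValueError("at least one service is required")
    for name in services:
        protocols = known.get(name)
        if protocols is None:
            raise ValueError(f"service {name!r} is not defined on the box")
        if not protocols & {"tcp", "udp"}:
            raise ValueError(
                f"service {name!r} uses {sorted(protocols)}; "
                "only tcp/udp services can be translated")

    # Compare canonical forms so "fd00:0::1" and "fd00::1" count as the same address.
    configured = {ipaddress.ip_address(a) for a in box_addresses}
    warning = None if ip in configured else NOT_ON_BOX_WARNING

    payload = {"service_translation": {"address": str(ip), "services": list(services)}}
    return payload, warning


if __name__ == "__main__":
    for addr, svcs in [("10.0.0.1", ["ssh", "https"]), ("10.0.0.2", ["all-tcp-udp"])]:
        payload, warning = build_service_translation(addr, svcs)
        print(payload)
        if warning:
            print("WARNING:", warning)
```

The returned payload is the JSON object shown above; the warning mirrors the message the config shell prints and is deliberately not an exception, because the device accepts such rules.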

Logging and Debugging

You can ping the loopback address like any other interface. You will need a static or dynamic route to the loopback in order to reach it.

  • Use the command ip a to confirm that the loopback interface exists and carries the expected address.

  • Conman logs the creation and deletion of loopback interfaces, and of connections attached to them, in /var/log/message.

  • The configuration generated for loopback interfaces is written to /etc/config/conman.conf; check there if an interface does not appear.

  • Use tcpdump on the interfaces facing the device to see whether outbound traffic carries the translated source address.

  • Source NAT rules can be found under /etc/nftables/og-service-snat/og-service-snat.conf, or use the command nft list ruleset to check for rules under the service SNAT tables.


Configure NET1 Static IPV4

conn default-conn-1 ipv4_static_settings
  address 192.168.2.54
  gateway 192.168.2.1
top

Configure NET2 Static IPV4

add conn net2-static-1 mode static physif net2
conn net2-static-1 ipv4_static_settings
  address 192.168.3.58
  gateway 192.168.3.1
  netmask 255.255.255.0
top

Configure NET3 Static IPV4 for OM2224-24e units

add conn net3-static-1 mode static physif net3
conn net3-static-1 ipv4_static_settings
  address 192.168.4.58
  gateway 192.168.4.1
  netmask 255.255.255.0
top

Configure WireGuard through Config Shell

WireGuard is configured through Config Shell (or the REST API). The minimum configuration is as follows:

  1. Provide a name for the interface (wg0 in the example below).

  2. Set enabled.

  3. Set the private_key of your WireGuard interface. Generate a fresh key for each device; the key in the example below is a documentation sample.

  4. Add an address (at least one) for your WireGuard interface (10.0.0.1/24 in this case).

  5. Add a peer with the following parameters: endpoint_address, endpoint_port, public_key.

  6. Add at least one allowed_ip for the peer: the WireGuard address (or address range) of the other end of the tunnel.

For example (finish with apply, as in the earlier examples, to commit the configuration):

config: wireguard
config(wireguard): add wg0
config(wireguard wg0): private_key AGiZvFHY+r/dD0rHSKU5ZCrHNdLM0W/h29VxobxWgFo=
config(wireguard wg0): enabled true
config(wireguard wg0): addresses
config(wireguard wg0 addresses): add 10.0.0.1/24
config(wireguard wg0 addresses): up
config(wireguard wg0): peers
config(wireguard wg0 peers): add
config(wireguard wg0 peers 0): public_key o+quB4sbUAG2hEGSPpMNTnO0YSaQTP7dD+Q4IVjiCW8=
config(wireguard wg0 peers 0): allowed_ips
config(wireguard wg0 peers 0 allowed_ips): add 10.0.0.2/32
config(wireguard wg0 peers 0 allowed_ips): up
config(wireguard wg0 peers 0): endpoint_address 192.168.1.2
config(wireguard wg0 peers 0): endpoint_port 51820
config(wireguard wg0 peers 0): up
config(wireguard wg0 peers): top
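The transcript above sets this interface's private_key and the peer's public_key; the peer in turn needs this interface's public key, which is derived from the private key (the wg pubkey command does this on a host with the WireGuard tools). The following is an added example, not code from Opengear or from the WireGuard project: a pure-Python X25519 (RFC 7748) that derives the public key from a private key and checks that a pasted key is exactly 32 bytes, the commonest mis-paste that leaves a tunnel silently failing to handshake. The sample private key at the end is the one shown in the transcript above; it is a documentation sample and must not be used on a real device.

```python
import base64

P = 2**255 - 19   # Curve25519 field prime
A24 = 121665      # (A - 2) / 4 for the Montgomery curve


def decode_key(key_b64):
    """Decode a WireGuard key and insist on exactly 32 bytes.

    A truncated or mis-pasted key still looks like base64, so the config
    accepts it, but the tunnel never completes a handshake.
    """
    raw = base64.b64decode(key_b64, validate=True)
    if len(raw) != 32:
        raise ValueError(f"WireGuard keys are 32 bytes, got {len(raw)}")
    return raw


def x25519(scalar, u):
    """X25519(k, u) as specified in RFC 7748 section 5 (Montgomery ladder)."""
    k = bytearray(scalar)
    k[0] &= 248            # clamp the scalar
    k[31] &= 127
    k[31] |= 64
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)   # ignore the top bit
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:                       # conditional swap
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb) % P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key_bytes(private_key):
    """Public key = X25519(private, 9), where 9 is the Curve25519 base point."""
    return x25519(private_key, (9).to_bytes(32, "little"))


def wireguard_public_key(private_key_b64):
    """Same result as `wg pubkey`: base64 private key in, base64 public key out."""
    return base64.b64encode(public_key_bytes(decode_key(private_key_b64))).decode()


if __name__ == "__main__":
    # The private key from the transcript on this page (a documentation sample).
    SAMPLE_PRIVATE = "AGiZvFHY+r/dD0rHSKU5ZCrHNdLM0W/h29VxobxWgFo="
    print("public_key to give the peer:", wireguard_public_key(SAMPLE_PRIVATE))
```

The value printed for the sample key is what you would paste into the peer's configuration as public_key. Use this to verify a key you have been sent rather than to generate keys: generate private keys with the WireGuard tools or another vetted source of randomness, not by hand.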

Root User Password - cleartext

edit user root password newpassword

Root User Password - SHA-256 hash

openssl passwd -5 password

Note: This operation is not available in Config Shell. Passing the password on the command line records it in the shell history and exposes it in the process list; run openssl passwd -5 without the password argument to be prompted for it instead.

Define Password Complexity Rules

edit local_password_policy
  password_complexity_enabled true
  password_expiry_interval_enabled true
  password_disallow_username true
  password_must_contain_number true
  password_must_contain_special true
  password_must_contain_upper_case true

Hostname

edit system/admin_info hostname "OM2216-l-lab"

Contact Info

edit system/admin_info
  contact "fred.bloggs@opengear.com"
  hostname "om2216-l.lab"
  location "Happy Valley Lab"

Time Zone and NTP

edit system/timezone timezone "America/New_York"

edit services/ntp enabled true
services/ntp servers
  add
  value "74.207.242.234"
top

Create Admin User

add user admin
  description "admin"
  enabled true
  no_password false
  password "password"
  user admin groups
  add "admin"
top

Create Breakglass User (belongs to netgrp)

add user breakglass
  description "breakglass" enabled true
  no_password false
  password "password"
  user breakglass groups
  add "netgrp"
top

Enable netgrp - Set to ConsoleUser

edit group netgrp enabled true
group netgrp ports
  add port01
 add port02
  add port03
  add port04
top
group netgrp access_rights
  add web_ui
  add pmshell
  delete admin
top

Change SSH Delimiter to : (default is +)

edit services/ssh ssh_url_delimiter ":"

Change Port Labels

edit port port01 label "cisco1"
edit port port02 label "cisco2"
edit port port03 label "cisco3"
edit port port04 label "cisco4"

Enable Tacacs - Set Mode to remotelocal

edit auth mode "tacacs"
edit auth tacacsMethod "pap" tacacsPassword "tac_tests"
policy "remotelocal"
tacacsService "raccess"
auth tacacsAuthenticationServers
  add
  hostname "192.168.2.220"
  port 49
top

Enable lldp on Net1 & Net2

edit services/lldp enabled true
services/lldp physifs
  add "net1"
  add "net2"
top

Enable tftp

edit services/tftp enabled true

Enable Boot Messages

Displayed on the local console port.

edit managementport ttyS0 kerneldebug true

Define Session Timeouts

edit system/session_timeout cli_timeout 100 serial_port_timeout 100 webui_timeout 100

Note: The inactivity timer starts only after you exit Config Shell, i.e. it begins counting once you have left config and are at the bash prompt.

Define MOTD

Enter the banner text within quotation marks.

edit system/banner banner """

Enable SIM 1 and Add APN

edit physif wwan0 enabled true
physif wwan0 cellular_setting
  apn hologram
top

Enable SIM 1 - Complete SIM Settings

edit physif wwan0 enabled true
physif wwan0 cellular_setting
  active_sim 1
  apn hologram
  iptype IPv4v6
  sim_failback_disconnect_mode ping
  sim_failback_policy never
  sim_failover_disconnect_mode ping
  sim_failover_policy never
top
physif wwan0 cellular_setting sims 0
  fail_probe_address 8.8.8.8
  fail_probe_count 3
  fail_probe_interval 600
  fail_probe_threshold 1
  failback_delay 60
  iptype "IPv4v6"
  slot 1
top
physif wwan0 cellular_setting sims 1
  fail_probe_address 8.8.8.8
  fail_probe_count 3
  fail_probe_interval 600
  fail_probe_threshold 1
  failback_delay 60
  iptype IPv4v6
  slot 2
top

Enable Failover

edit failover/settings enabled true probe_address 192.168.2.1 probe_physif net1

Add a Syslog Server

services/syslog_server
  add server1
  address 192.168.34.113
  protocol TCP
  port 610
  description "my syslog server"
top

Add Five Syslog Servers


add services/syslog_server server0 address 192.168.34.112 min_severity notice port 514 port_logging_enabled true protocol UDP
add services/syslog_server server1 address 192.168.34.113 min_severity notice port 514 port_logging_enabled true protocol UDP
add services/syslog_server server2 address 192.168.34.114 min_severity notice port 514 port_logging_enabled true protocol UDP
add services/syslog_server server3 address 192.168.34.116 min_severity info port 514 port_logging_enabled true protocol UDP
add services/syslog_server server4 address 192.168.128.1 description "lighthouse-remote-syslog" min_severity info port 514 port_logging_enabled true protocol UDP

Set Port Logging Remote Syslog Settings

edit logs/portlog_settings facility daemon severity info

Enable System Monitor SNMP Traps

monitoring/alerts/power power_supply_voltage_alert
  millivolt_lower 11000
  millivolt_upper 13000
  snmp
    enabled true
  up
top
monitoring/alerts/networking cell_signal_strength_alert
  enabled true
  threshold_lower 33
  threshold_upper 66
top
monitoring/alerts/system
  authentication_alert
    enabled true
  up
  config_change_alert
    enabled true
  up
  temperature_alert
    enabled true
    threshold_lower 35
    threshold_upper 67
  up
top

Enable SNMP V2 Service for Polling

edit services/snmpd enable_legacy_versions true enable_secure_snmp false enabled true port 161 protocol UDP
edit services/snmpd rocommunity "TkcxJAAAABBfDsigaxdDf7whb3sxKQKnjtCuuy/0COC6rE3lUu9ghg=="

Note: SNMP v1 and v2c carry the community string in clear text in every packet. Enable them only for pollers that cannot use SNMPv3, and restrict UDP port 161 to those pollers in the firewall zone.

Enable 2 SNMP Traps and Trap Servers


add services/snmp_alert_manager "snmp trap server 1" address 10.1.1.199 port 162 protocol UDP version v2c
services/snmp_alert_manager "snmp trap server 1"
  community "TkcxJAAAABBfDsigaxdDf7whb3sxKQKnjtCuuy/0COC6rE3lUu9ghg==" msg_type TRAP
  top
apply all

services/snmp_alert_manager 10.1.1.199:162/UDP
  name "snmp trap server 1" privacy_password secret auth_password secret
  top
apply all

Create a Static Route


add static_route "static route test" destination_address 10.0.0.0 destination_netmask 8 interface net2

Edit LAN (Net2) Firewall Zone

(accept traffic from the listed source networks; other sources fall through to the zone's default policy, so check that it is not set to accept)

firewall/zone lan custom_rules
  add
    description "source_net4-1"
    rule_content "rule family=ipv4 source address=192.168.3.0/24 accept"
  up
  add
    description "source_net4-2"
    rule_content "rule family=ipv4 source address=10.202.198.0/27 accept"
  up
top

Edit WAN (Net1) Firewall Zone

(accept traffic from the listed source networks; other sources fall through to the zone's default policy, so check that it is not set to accept)

firewall/zone wan custom_rules
  add
    description "source_net4-1"
    rule_content "rule family=ipv4 source address=192.168.2.0/24 accept"
  up
  add
    description "source_net4-2"
    rule_content "rule family=ipv4 source address=192.168.4.0/24 accept"
  up
top

Custom Service Example for Port and Protocol

add firewall/service myports label "My Serial Ports"
firewall/service myports
  add
    port 3001
    protocol tcp
  up
  apply
top
firewall/zone wan address_filters
  add
    source_address 10.10.2.0/19
    services
      add myports
    up
  up
top

Enroll Into Lighthouse

add lighthouse_enrollment lh1 address 2.21.99.188 bundle om2216-l token password