Omada Controller User Guide_V6.0

Stands for the Omada On-Premises Controller and the Omada Cloud-Based Controller.

Includes the Omada Software Controller (also referred to as the Omada Network Application), Omada Hardware Controller, and Omada Integrated Gateway (Controller).

The Omada Cloud-Based Controller is now referred to as the Omada Network system on the Omada Central.

Note that the Omada Central integrates the Omada Network system and Omada Guard system. The Omada Network system works as an Omada Controller to manage network devices (gateways, switches, access points, OLTs, and more), while the Omada Guard system works as a VMS system to manage surveillance devices (security cameras, NVRs, and more).

This guide involves instructions about the Omada Network system. For instructions about the Omada Guard system, refer to the Omada Guard User Guide.

Stands for the Omada Gateway/Router.

Stands for the Omada Switch.

Stands for the Omada AP.

Stands for the DeltaStream GPON Optical Line Terminal.

The note contains the helpful information for a better use of the controller.

Provide guidelines for the feature and its configurations.

https://www.omadanetworks.com

https://support.omadanetworks.com/video

https://support.omadanetworks.com/document

https://support.omadanetworks.com/product

https://support.omadanetworks.com/contact-support

Select this type to create an Essentials organization for easy and free management of essential features. To check whether your devices can be managed by Omada Central Essentials, click View Compatibility List.

Select this type to create a Standard organization for basic and advanced features through subscription-based licensing.

Click the Search icon and enter the keywords to quickly look up the functions or devices that you want to configure. And you can search for the devices by their MAC addresses and device names.

Click the Refresh icon to refresh the page.

Change theme settings to light mode, dark mode, or system theme to improve your overall screen experience.

Click the Account icon to display account information, Account Settings and Log Out. You can change your password on Account Settings.

Click the More icon for more settings.

Feedback: Click to send your feedback to us.

About: Click to display the controller info.

Tutorial: Click to view the quick Getting Started guide which demonstrates the navigation and tools available for the controller.

Old UI Layout/New UI Layout: Click to switch between the previous UI layout and the new UI layout.

Allows you to access the Global View or access a site quickly.

Global View: Know the status of your Site at a glance, and manage sites in the platform.

Site View: Know the status of your network at a glance, gain insights, and manage network devices all in the platform.

Displays the sites in the organization and their status. You can switch between the site list view and site map view.

Allows you to configure site templates and bind sites to them to facilitate batch configuration and management of sites.

Displays the devices on all sites and their general information. This list view can change depending on your monitoring need through customizing the columns.

You can click any device on the list for device details and settings.

Displays the logs about systems events and devices. Comprehensive logs make historical information more accurate, readily accessible, and usable, which allows for proactive troubleshooting. And you can determine alert-level events and enable pushing notifications.

Allows you to update the firmware of network devices in a one-time or periodic manner.

Allows you to manage threats that the controller discovered to ensure network security.

Note: This option will be hidden if no Omada device that supports this function is adopted.

Allows you to easily connect multiple gateways together without complicated VPN configuration.

Note: This option will be hidden if no Omada device that supports this function is adopted.

Allows you to manage all administrative accounts of the controller.

Allows you to configure global settings in minutes and maintain the Omada network for best performance.

Allows you to access the Global View or access a site quickly.

Global View: Know the status of your Site at a glance, and manage sites in the platform.

Site View: Know the status of your network at a glance, gain insights, and manage network devices all in the platform.

Displays a summarized view of the network status through different visualizations. The dashboard is a powerful tool that arms you with real-time data for monitoring the network.

Displays the devices in the site and their general information. This list view can change depending on your monitoring need through customizing the columns.

You can click any device on the list for device details and settings.

Displays a list view of wired and wireless clients, IPCs, and NVRs that are connected to the network. This list view can change depending on your monitoring need through customizing the columns.

You can click any entry on the list for more detailed information and settings.

Displays the geographic location of each device and site in Device Map and Site Map. You can also upload images of your location for a visual representation of your network in Heat Map.

Displays the statistics of various network indicators and their changes over time in Reports and detailed traffic information in Application Analytics.

Records the activities of the system, devices, users and administrators. Comprehensive logs make historical information more accurate, readily accessible, and usable, which allows for proactive troubleshooting. And you can determine alert-level events and enable pushing notifications.

Allows you to manage and optimize network configurations to ensure efficient and secure network connections.

Allows you to centrally set up and manage device configurations by device type, improving device performance and stability.

Allows you to centrally monitor and manage the clients authorized by portal authentication.

Provides various network tools for you to test the device connectivity, capture packets for troubleshooting, open Terminal to execute CLI or Shell commands, and perform cable tests.

Allows you to monitor the status of PoE devices, automatically repairing abnormal devices.

Displays the controller name, which identifies the controller. You can specify the controller name in Controller Settings.

Displays the MAC address of the controller.

Displays the system time of the controller. The system time is based on the time zone which you configure in Controller Settings.

Displays how long the controller has been working.

Enable the option to join the program and check for firmware in the Release Channel > Beta for upgrading, so you can try out in-development features and help improve them.

Select the Release Channel of the controller to check whether the corresponding Channel has a newer version.

Display the software version of the controller.

Click to check for any updates of the controller.

Enable the option and the system will query the cloud for controller firmware updates.

Select the format of your certificate, and import the certificate file.

Import the SSL certificate to create an encrypted link between the controller and server.

JKS: Import your SSL certificate and enter the Keystore Password if your SSL certificate has the password. Otherwise, leave it blank.

PFX: Import your SSL certificate and enter the Private Key Password if your SSL certificate has the password. Otherwise, leave it blank.

PEM: Import your SSL certificate and SSL Key.

Choose whether to customize the log level.

Select the log level of the manager module, which mainly includes device management and site-related configurations.

Select the log level of the client info module, which mainly includes functions related to client monitoring.

Select the log level of the network monitoring module, which mainly includes functions related to data monitoring.

Select the log level of the system setting module, which mainly includes system data related functions.

Select the log level of the account module, which mainly includes account-related functions.

Select the log level of the log-related operation module, which mainly includes related functions of the log page.

Select the log level of other modules.

Enter the hostname or IP address of the controller which will be used as the Controller URL in the notification email for resetting your controller password. You can keep it default and IP address recognized by the controller will be used as the Controller URL.

(Only for hardware controller) Enable the feature and the hardware controller will refresh its IP address automatically.

Specify the HTTPS port used by the controller for management. After setting the port, you can visit https://[Controller Host’s IP address or URL]:[HTTPS Port] to log in to the Controller.

Specify the HTTP port used by the controller for management. After setting the port, you can visit https://[Controller Host’s IP address or URL]:[HTTP Port] to log in to the Controller.

Set the Portal URL.

Auto Refresh: The device will automatically use the actual IP address of the Controller as the portal redirection destination.

Manual: Manually enter a domain name or IP address that clients can access.

If enabled, clients will be redirected to Captive Portal using HTTPS instead of HTTP.

Specify the HTTPS port used by the controller for Portal.

Specify the HTTP port used by the controller for Portal.

When enabled, the controller will apply the Device Management Hostname/IP you specified to managed devices for remote management.

Specify the Controller Name to identify the controller.

Select the location of the controller.

The configuration here only takes effect on the controller. To configure the Country/Region for sites, go to the Site Configuration.

Select the Time Zone of the controller according to your region. For controller settings and statistics, time is displayed based on the Time Zone.

The configuration here only takes effect on the controller. To configure the Time Zone for sites, go to the Site Configuration.

Enable the feature if your country/region implements DST (Daylight Saving Time).

Select the time added in minutes when Daylight Saving Time starts.

Specify the time when the DST starts. The clock will be set forward by the time offset you specify.

Specify the time when the DST ends.The clock will be set back by the time offset you specify.

Specify the Controller Name to identify the controller.

Select the location of the controller.

The configuration here only takes effect on the controller. To configure the Country/Region for sites, go to the Site Configuration.

Select the Time Zone of the controller according to your region. For controller settings and statistics, time is displayed based on the Time Zone.

The configuration here only takes effect on the controller. To configure the Time Zone for sites, go to the Site Configuration.

Enable the feature if your country/region implements DST (Daylight Saving Time).

Select the time added in minutes when Daylight Saving Time starts.

Specify the time when the DST starts. The clock will be set forward by the time offset you specify.

Specify the time when the DST ends.The clock will be set back by the time offset you specify.

The controller will consider a client offline (thus disconnect it) when it is idle for longer than the specified threshold. If the specified threshold is too short, clients may be disconnected frequently.

This function controls HTTP access to the web pages of managed Omada devices. If it is turned off, HTTP access to the devices’ web pages will be unavailable.

This function controls HTTPS access to the web pages of managed Omada devices. If it is turned off, HTTPS access to the devices’ web pages will be unavailable.

With the feature enabled, network devices will report client information in real time to ensure the accuracy of client identification.

When enabled, all users except SAML users will be converted to the specified MSP user role. The converted MSP users have All Site permissions. All custom roles will be converted to Customer custom roles.

Select to convert all users to MSP Admin or MSP Viewer.

Specify the interval to automatically refresh the UI interface.

With this feature enabled, you will receive an update notification when a new firmware version for your device is available.

Record connected clients according to the time you specified. When the limit is exceeded, the oldest disconnected known client may be deleted.

When enabled, client history and client logs will be recorded. This will occupy much storage space.

Specify the retention time of client online and offline records.

When enabled, client trend statistics and charts will be retained, which will take up lots of storage space.

Displays the retention time of AP, switch, gateway, and client data. Corresponding to 5-minute statistics.

Displays the retention time of AP, switch, gateway, and client data. Corresponding to hourly statistics.

Specify the retention time of AP, switch, gateway, and client data. Corresponding to daily statistics.

Specify the retention time of client data. Corresponding to weekly statistics.

Specify the retention time of portal authorization records. Corresponding to Hotspot - Authorized Clients.

Specify the retention time of logs.

Specify the retention time of scanned Interference Detection. Corresponding to Network Tools-Interference Detection.

Enter the URL or IP address of the SMTP server according to the instructions of the email service provider.

Configure the port used by the SMTP server according to the instructions of the email service provider.

Enable or disable SSL according to the instructions of the email service provider. SSL (Secure Sockets Layer) is used to create an encrypted link between the controller and the SMTP server.

Enable or disable Authentication according to the instructions of the email service provider. If Authentication is enabled, the SMTP server requires the username and password for authentication.

When Authentication is enabled, enter your email address as the username.

When Authentication is enabled, enter the authorization code as the password, which is provided by the email service provider when you enable the SMTP service.

(Optional) Specify the email address of the sender. If you leave it blank, the controller will use your current email address.

Test the Mail Server configuration by sending a test email to an email address that you specify.

Toggle on to enable the built-in RADIUS server.

Displays the current status of the server.

Specify the built-in server address type.

When the controller is on a computer with multiple network adapters, and the type is configured as Auto, the server address will be sent to the device according to the ports connected to the device.

When the type is configured as Manual, the user needs to manually configure the server's IP address, which should be the address the device can communicate with.

Specify the RADIUS server key.

Specify the RADIUS server authentication port.

Enable this option if you want to allow the reply of the Tunneled Reply-related attributes to the device. Only after this option is enabled can the client be assigned a VLAN.

Select the format of your certificate, and import the certificate file.

Import the SSL certificate to create an encrypted link between the controller and server.

JKS: Import your SSL certificate and enter the Keystore Password if your SSL certificate has the password. Otherwise, leave it blank.

PFX: Import your SSL certificate and enter the Private Key Password if your SSL certificate has the password. Otherwise, leave it blank.

PEM: Import your SSL certificate and SSL Key.

Export the installable built-in authentication server root certificate. If the user uploads a certificate, the root certificate of the uploaded certificate will be exported; otherwise the default root certificate will be exported. The DNS name of the default root certificate is “Omada”.

Toggle on to enable the Radius Proxy Server.

Displays the current status of the server.

Specify the port that the controller listens for to receive radius messages from devices.

This function improves the security of the controller by requiring two factors of identification to access resources and data. With this function enabled, all accounts will be forced to enable 2FA upon user login. You can also enable 2FA for accounts on the Accounts > User page.

Specify the IP address type: Single IP Address, Single Subnet Mask, or IP Range.

Specify the IP addresses that are allowed to access the controller.

Enter a description for identification.

Specify the redirect URL for Oauth2.0 authorization flow.

Specify the authority role of the client through the Open API.

Specify the site privileges of the client through the Open API.

Specify the Webhook entry name.

Specify the authentication secret key. If it is not filled in, the system will automatically generate a key. If it is manually cleared, the system will no longer generate a key.

Specify the Webhook URL address.

Select a template for message push.

Specify the Webhook retry policy: None (no retry), Important (up to 5 retries over 60 minutes), and Critical (up to 5 retries over 24 hours).

Specify the role name.

Set the validity period of the user.

Permanent: The user account will have permissions permanently unless modified or deleted.

Temporary: The user account will have permissions only in the period you set. Note that Temporary Users don’t have account-related permissions, including permissions such as User Manager, Roles Manager, SAML User Group Manager, SAML Users Manager, and SAML SSO Manager.

Specify the authority role of the account.

Specify the site privileges of the client through the Open API.

Specify the IdP name.

Enter a description for identification.

Configure the metadata. You can upload the metadata file, use URL parsing, or manually fill in the information.

Select where you store the restore file.

Import from Local File: Import the data locally. It is not supported when accessing the controller via cloud.

Import from File Server: Import the data from a file server. Select the desired file server type (FTP / TFTP / SFTP / SCP) and configure the parameters.

Select this option if you want to retain device information.

Select the backup file to restore the information.

Select the data contents to back up.

Settings: All the controller settings will be backed up.

User Info: All local and cloud user information except for the main admin will be retained. Make sure Cloud Access is enabled on the Controller to be restored. Otherwise the Cloud account will not be retained correctly.

Authenticated Clients: The authenticated client information will be backed up and can be used to verify clients for portal authentication. It is recommended to select this option if your network uses portal authentication.

Firmware Update Logs: The firmware update logs will be backed up.

Select the length of time in days that data will be backed up.

7 Days/30 Days/60 Days/90 Days/180 Days/365 Days: Back up the data in the recent days.

All Time: (Only for Software Controller) Back up all data in the controller.

Select where you want to export the data to.

Export to Local File: Export and save the data locally. It is not supported when accessing the controller via cloud.

Export to File Server: Export and save the data to a file server. Select the desired file server type (FTP / TFTP / SFTP / SCP) and configure the parameters.

Specify when to perform Auto Backup regularly. Select Every Day, Week, Month, or Year first and then set a time to back up files.

Note the time availability when you choose Every Month. For example, if you choose to automatically backup the data on the 31st of every month, Backup Schedule will not take effect when it comes to the month with no 31st, such as February, April, and June.

Select the data contents to back up.

Settings: All the controller settings will be backed up.

User Info: All locPast Connectionsal and cloud user information except for the main admin will be retained. Make sure Cloud Access is enabled on the Controller to be restored. Otherwise the Cloud account will not be retained correctly.

Authenticated Clients: The authenticated client information will be backed up and can be used to verify clients for portal authentication. It is recommended to select this option if your network uses portal authentication.

Firmware Update Logs: The firmware update logs will be backed up.

Known Clients: Back up the list of the known clients.

Past Connections: Back up the list of the past connections. To export past connections data, you need to first enable Client’s History Data in 5.4 History Data Retention.

Logs: Back up the list of the logs.

Audit Log List: Back up the list of the audit logs.

Select the length of time in days that data will be backed up.

7 Days/30 Days/60 Days/90 Days/180 Days/365 Days: Back up the data in the recent days.

All Time: (Only for Software Controller) Back up all data in the controller.

Select where you want to save the backup file.

Save to Local File: The backup file will be saved as a local file.

Save to File Server: The backup file will be saved in the specified file server.

(Only for Hardware Controller) Select a path to save the backup files.

(When selecting Save to Local File) Specify the maximum number of backup files to save.

(When selecting Save to File Server) Specify the file server you are using. Four types of file server are available: FTP, TFTP, SFTP, and SCP.

(When selecting Save to File Server) Specify the Hostname/IP corresponding to the file server.

(When selecting Save to File Server) Specify the port corresponding to the file server.

(When selecting FTP as File Server) Specify the username of the FTP file server.

(When selecting FTP as File Server) Specify the password of the FTP file server.

(When selecting SFTP as File Server) Specify the username of the SFTP file server.

(When selecting SFTP as File Server) Specify the password of the SFTP file server.

(When selecting SCP as File Server) Specify the username of the SCP file server.

(When selecting SCP as File Server) Specify the password of the SCP file server.

(When selecting Save to File Server) Specify the file path.

Restore the configurations and data in the backup file. All current configurations will be replaced after the restoration.

To keep the backup data safe, please wait until the operation is finished. This will take several minutes.

Export the backup file. The exported file will be saved in the saving path of your web browser.

Delete the backup file.

Device List: Export the list of managed devices.

Client List (All): Export the list of all clients that are connected to the networks.

Alert & Event List: Export the list of the alerts and events.

Audit Log List: Export the list of the audit logs.

Authorized Client List: Export the list of authorized clients.

Voucher Codes: Export the list of the voucher codes.

Client Connection Records: Export the list of the client connection records.

Threat Management: Export the list of the threat management data.

Select the columns to export. We recommend selecting Default Columns, which include commonly needed columns such as DEVICE NAME, MAC ADDRESS, MODEL, etc. If you select All Columns or Current Display Columns, data exporting will be time-consuming if there are lots of devices.

The data can be exported to the file in the format of .CSV or .XLSX.

Click to export running logs.

Click to export configuration data.

Specify the data content to send.

Specify the name of the data report.

Specify the file format of the data report.

Specify the time to send the data report.

Specify the email to send the data report.

Specify the name of the current site. It should be no more than 64 characters.

Specify the application scenario of the site. To customize your scenario, click Create New Scenario in the drop-down list.

Select the location of the site.

Select the time zone of the site.

Enter the IP address(es) of the NTP (Network Time Protocol) server. NTP server assigns network time to the EAP devices.

Enable the feature if your country/region implements DST.

Select the time added in minutes when Daylight Saving Time starts.

Specify the time when the DST starts. The clock will be set forward by the time offset you specify.

Specify the time when the DST ends.The clock will be set back by the time offset you specify.

Configure the parameters according to where the site is located. These fields are optional.

Site Inform URL adds site information based on the Controller Inform URL to informs devices of the controller’s URL or IP address as well as site info. Then the devices make contact with the controller so the controller can discover them and adopt them to the site.

Enable or disable LEDs of all devices in the site.

By default, the device follows the LED setting of the site it belongs to. To change the LED setting for certain devices, configure the devices on the Devices page.

When enabled, the controller will remember all devices in the site. After device reset and power-on, the controller will automatically adopt the device if the controller can find it.

Customize the domain name for portal-authenticated clients to open the logout page. If not specified, the default value is the domain name in the configuration file (in \properties\omada.properties in the controller installation path).

When enabled, APs supporting Mesh can establish the mesh network at the site.

(For APs in the mesh network) Auto Failover is used to automatically maintain the mesh network. When enabled, the controller will automatically select a new wireless uplink for the AP if the original uplink fails.

To enable this feature, enable Mesh first.

(For APs in the mesh network) Specify the method of Connection Detection when mesh is enabled.

In a mesh network, the APs can send ARP request packets to a fixed IP address to test the connectivity. If the link fails, the status of these APs will change to Isolated.

Auto (Recommended): Select this method and the mesh APs will send ARP request packets to the default gateway for the detection.

Custom IP Address: Select this method and specify a desired IP address. The mesh APs will send ARP request packets to the custom IP address to test the connectivity. If the IP address of the AP is in different network segments from the custom IP address, the AP will use the default gateway IP address for the detection.

(For APs in the mesh network) With this feature enabled, when radar signals are detected on current channel by one AP, the other APs in the mesh network will be also informed. Then all APs in the mesh network will switch to an alternate channel.

To enable this feature, enable Mesh first.

Click the checkbox to enable EAP LLDP (Link Layer Discovery Protocol) for device discovery and auto-configuration of VoIP devices.

With this feature enabled, wireless clients that support 802.11k/v can improve fast roaming experience when moving among different APs and wireless gateways/routers.

By default, it is disabled. This feature is available for some certain devices.

This feature helps disconnect “sticky clients” receiving weak signals from their suboptimal Wireless Device, allowing them to switch to a superior Wireless Device and improve network efficiency. Note that this may cause temporary disconnections or hinder re-association in rare cases.

This feature helps prevent clients from frequently roaming between two APs in areas where weak signals overlap, thereby improving connection stability. Note that this may cause clients not able to connect to certain AP in rare cases, and also may dynamic change tx power of AP.

With Fast Roaming enabled, you can enable AI Roaming to facilitate Fast Roaming, which improves roaming experience of the wireless clients that support 802.11k/v. This feature is available for certain models.

Band steering can adjust the number of clients in 2.4 GHz, 5 GHz and 6 GHz bands to provide better wireless experience.

When enabled, multi-band clients will be steered to the 5 GHz and 6 GHz band according to the configured parameters. This function can improve the network performance because the 5 GHz and 6 GHz band supports a larger number of non-overlapping channels and is less noisy.

With rate limit configured for Other Multicast, multicast services such as multicast video will be affected.

Beacons are transmitted periodically by the AP and wireless gateway/router to announce the presence of a wireless network for the clients. Click  , select the band, and configure the following parameters of Beacon Control.

Beacon Interval: Specify how often the APs and wireless gateways/routers send a beacon to clients. By default, it is 100.

DTIM Period: Specify how often the clients check for buffered data that are still on the AP or wireless gateway/router awaiting pickup. By default, the clients check for them at every beacon.

DTIM (Delivery Traffic Indication Message) is contained in some Beacon frames indicating whether the AP or wireless gateway/router has buffered data for client devices. An excessive DTIM interval may reduce the performance of multicast applications, so we recommend that you keep the default interval, 1.

RTS Threshold: RTS (Request to Send) can ensure efficient data transmission by avoiding the conflict of packets. If a client wants to send a packet larger than the threshold, the RTS mechanism will be activated to delay packets of other clients in the same wireless network.

We recommend that you keep the default threshold, which is 2347. If you specify a low threshold value, the RTS mechanism may be activated more frequently to recover the network from possible interference or collisions. However, it also consumes more bandwidth and reduces the throughput of the packet.

Airtime Fairness: With this option enabled, each client connecting to the AP or wireless gateway/router can get the same amount of time to transmit data so that low-data-rate clients do not occupy too much network bandwidth and network performance improves as a whole. We recommend you enable this function under multi-rate wireless networks.

Probe Response Maximum Retransmission: Set the maximum number that the AP retransmits probe responses if it does not receive a client acknowledgment. When a client sends a probe request to detect the network, the AP responds with a probe response. However, factors like interference, long distance, or mobile devices (such as passing clients) may cause response loss and trigger retransmissions. Frequent invalid retransmissions in high-density scenarios will occupy wireless channel resources. It is recommended to keep the default value of 1 to balance reliability and efficiency.

Probe Response Threshold: When enabled, the AP will filter probe requests with signal strength below the set threshold and stop responding, which may affect weak signal terminals from discovering the network. It is recommended to enable this feature only in high-density scenarios and select the Auto mode to optimize efficiency. In Auto mode, the AP dynamically calculates the threshold based on historical coverage data to avoid wasting wireless resources for devices in non-target areas. In Custom mode, you need to set the threshold manually.

Enter a username and password for all devices in the site. The new username and password will be applied to all the managed devices. For newly adopted devices, once they are adopted by the controller, their username and password becomes the same as settings in device account.

Check the box to enable automatic data report.

Specify the content of data report.

Specify the name of data report.

Specify the file format of data report: csv or xlsx.

Set the time to send the data report.

Enter the email addresses to send the data reports. Press Enter after each email address to separate them. (Each Controller can send up to 100 emails every 24 hours via Cloud Access.)

Specify the SSH Sever Port which your network devices use for SSH connections. You need to configure the SSH Server Port correspondingly on your SSH terminal.

With this feature enabled, the SSH terminal from a different subnet can access your devices via SSH. With this feature disabled, only the SSH terminal in the same subnet can access your devices via SSH.

Enter the name to identify the Reboot Schedule entry.

Enable or disable the Reboot Schedule entry.

Specify the date and time for the devices to reboot.

Select the devices which the Reboot Schedule applies to.

Enter the name to identify the schedule entry.

Enable or disable the schedule entry.

Type:Specify the schedule type:

PoE Schedule: This function only affects PoE power supply.

Port Schedule: This function affects LAN connections of ports but does not affect PoE power supply. To avoid network problems, please check your topology and related configurations before turning off ports.

When the Type is PoE Schedule, select the time range when the PoE switches will supply power to the powered devices.

when the Type is Port Schedule, select the time range when the switches will turn on the designated ports.

You can create a Time Range entry by clicking Create New Time Range Entry from the drop down list.

When Type is PoE Schedule, select the PoE switch and PoE port to apply the schedule.

When Type is Port Schedule, select the switch and port to apply the schedule.

Specify the rule name for identification.

Enable or disable this rule.

Specify the device type for which the rule takes effect.

Specify the services to be forwarded.

When Device Type is AP, specify the VLANs where the mDNS services are located. You can enter VLAN ranges or VLAN IDs separated by comma.

When Device Type is AP, specify the VLANs where the Client devices are located. You can enter VLAN ranges or VLAN IDs separated by comma.

When Device Type is Gateway, specify the networks where the mDNS services are located.

When Device Type is Gateway, specify the networks where the Client devices are located.

Enter a name to identify the profile.

Specify the domain name corresponding to the mDNS service. It is used to identify and filter mDNS packets.

Enable or disable SNMPv1 and SNMPv2c globally.

With SNMPv1 & SNMPv2c enabled, specify the Community String, which is used as a password for your NMS to access the SNMP agent. You need to configure the Community String correspondingly on your NMS.

Enable or disable SNMPv3 globally.

With SNMPv3 enabled, specify the username for your NMS to access the SNMP agent. You need to configure the username correspondingly on your NMS.

With SNMPv3 enabled, specify the password for your NMS to access the SNMP agent. You need to configure the password correspondingly on your NMS.

Enter a name to identify the profile.

Choose your telephony provider, then enter the parameters specified by your provider. The parameters differ according to your selection. If your provider is not listed, choose Other Provider, then refer to the following to configure the parameters:

Specify the registrar address specified by your provider. Usually it is a domain name, if not, an IP address.

Specify the registrar port. Typically 5060, unless your provider specifies a different port.

Specify the IP address or URL of the SIP proxy server.

Specify the SIP proxy port. Typically 5060, unless your provider specifies a different port.

Specify the IP address or URL of the outbound proxy server.

Specify the outbound proxy port. Typically 5060, unless your provider specifies a different port.

When enabled, the connected VoIP devices will use the specified Outbound Proxy for SIP registration. When disabled, the connected VoIP devices will use the Registrar Address above for SIP registration.

Enter a name to identify the profile.

Enter a digit map by referring to the setting examples.

Enter a name to identify the profile.

Enable this option to block unwanted incoming calls.

Specify the types of incoming calls to block.

Specific Number: Specify one or more phone numbers to block incoming calls from them.

Anonymous Number: Block all unknown incoming calls.

Enable this option to block unwanted outgoing calls.

Specify the types of outgoing calls to block.

Mobile: Block outgoing calls to mobile numbers.

Landline: Block outgoing calls to landline numbers.

Long Distance: Block outgoing calls to long-distance numbers.

International: Block outgoing calls to international numbers.

Calls with specific number prefix: Specify one or more number prefixes to block outgoing calls to phone numbers with the prefixes.

Select the phone number used by your telephony device to make outgoing calls. The default is Auto, which means the device will automatically select an available phone number to make calls.

Select the phone numbers used by your telephony device to receive incoming calls. The default is all registered numbers, which means the device can use all registered numbers to receive calls.

VAD (Voice Activity Detection) saves bandwidth consumption by avoiding transmission of silence packets. It also ensures that the bandwidth is reserved only when voice activity is activated.

Adjust the slider to control the speaker sound.

Adjust the slider to control the microphone sound.

Enable this function to block unwanted calls.

Select a blocking profile to block unwanted calls.

Select a digit map profile to control phone numbers from being dialed. A phone number can be dialed out only when its digit sequence matches the digit map.

Select your location. The system is embedded with the default location-based parameters such as ring tones.

DSCP (Differentiated Services Code Point) is the first 6 bits in the ToS (Type of Service) byte. DSCP marking allows you to ensure preferential treatment for higher-priority traffic on the network based on the DSCP value. Select DSCP for the SIP (Session Initiation Protocol) and RTP (Real-time Transport Protocol) respectively. If you are unsure, please keep the default value.

Select a protocol for DTMF relay setting. If you are unsure of which one to select, please keep the default value.

Enter the expiration time of the SIP registration.

Enter the time duration for which the system sends a request to retry registering automatically prior to the Registry Expiration Time. If you are unsure, please keep the default value.

Select the check box to enable T.38 support that allows fax documents to be transferred in real-time between two standard Group 3 facsimile terminals over the Internet or other networks using IP protocols. This function is only effective between two T.38-enabled terminals.

Select the check box to use the pound sign (#) as an end-of-dialing.

The number used to make calls. This number cannot be reused across different devices.

The account name used to register the phone number. Please enter it according to the registration server configuration.

The authentication password used to register the phone number. Please enter it according to the registration server configuration.

Specify the provider profile associated with the phone number. The phone number will be registered on the corresponding server.

Specify the VoIP device associated with the phone number. Up to eight phone numbers can be added to a device.

Displays the phone number's registration status.

Edit or delete an added phone number.

Enter the last name and first name of your contact.

Enter the private phone number of your contact.

Enter the work phone number of your contact.

Enter the mobile phone number of your contact.

Select the type of number for speed dial. Speed Dial allows you to quickly place a call with fewer numbers to dial.

Set the speed dial number. After saving the settings, you can simply press this number followed by # to place a call.

Enable this function to allow the telephony device to call a specific contact when the handset is picked up but no operation is done within a specific time period.

Specify the time period before the telephony device makes a call automatically.

Specify one or more phone numbers for emergency calls. The telephony device will call these numbers in order if the previous call is not answered.

Specify the days you want to block the incoming calls.

Set the start time and end time of the DND period you want to block incoming calls.

Select a call type to be forwarded.

All Incoming Calls: If this option is selected, all incoming calls will be forwarded.

Calls to the Telephone Number: If this option is selected, select a telephone number from the list. Any incoming calls to this number will be forwarded.

Calls to the Phone: If this option is selected, select a telephony device from the list. Any incoming calls to this device will be forwarded.

Calls from a Person in the Telephone Book: If this option is selected, select a contact from the list. Any incoming calls from this contact will be forwarded.

Calls from the Telephone Number: If this option is selected, enter a specific telephone number. Any incoming calls from this number will be forwarded.

Enter a Destination Telephone Number that incoming calls will be redirected to.

Select the Call Forward Condition.

Unconditional: All incoming calls will be redirected to the designated telephone number whether the receiver is busy or not.

No Answer: Incoming calls that are not answered for the specified time period will be redirected to the designated telephone number.

Enter the duration for the incoming calls to go to voicemail or the destination telephone number when there is no response.

(Optional) If you want to listen to your voice mails remotely, enable Remote Access to Voice Mail.

To access your voice mail remotely, dial the number for incoming calls. When your personal greeting starts, press *. Enter your Remote Access PIN when prompted.

Enable Store Voice Mail in USB. Select a path in the USB storage device to save your voice mail.

Select the Greeting for Voice Mail to use either the default or your custom greeting for the voice mail. You can click the Play icon to play the greeting.

Click the Play icon to play the greeting.

Specify the length of each voice mail.

Specify the name of the CLI profile.

(Optional) Enter a description for identification.

Enter the command lines manually.

Click and select a device that supports CLI configuration to import its running config.

Click and select an existing command file to import command lines.

Specify the name of the CLI profile.

(Optional) Enter a description for identification.

Enter the command lines manually. You can enter %xxx% in the CLI template to define variables.

Click and select a device that supports CLI configuration to import its running config.

Click and select an existing command file to import command lines.

Gateway Model

Specify the gateway model and version. If you change the gateway, follow the web instructions to select WAN ports and copy WAN port settings.

If the number of preconfigured WAN ports does not match the number of WAN ports enabled in the adopted Omada gateway, the gateway will automatically reboot after adoption.

Online Detection Interval

Select how often the WAN ports detect WAN connection status. If you don’t want to enable online detection, select Disable.

Online Detection results will influence whether Load Balancing and Link Backup features take effect. The smaller the online detection interval, the faster Load Balancing and Link Backup features will respond, and meanwhile more detection packets will be sent.

Location

Select your location.

ISP

Select your ISP (internet service provider).

DSL Modulation Type

Select the modulation type for your DSL connection.

USB Modem

Display whether a USB modem is connected to the device and the name of the connected USB modem.

Config Type

Select a configuration type for the USB modem.

Auto: Use the Location and Mobile ISP information below for configuration.

Manually: Enter the Dial Number, APN, Username, and password provided by your Mobile ISP.

Location

Select your location.

Mobile ISP

Select your mobile ISP.

SIM/UIM PIN

(Optional) Enter the PIN of your SIM card.

The field is required when the following information appears in the Message: PIN protection is enabled and the PIN is invalid.

Connection Mode

Select the connection mode.

Connect Automatically: The router will use the USB modem to connect to the internet automatically.

Connect Manually: You need to turn on/off the internet manually for the gateway on the device page.

Authentication Mode

Select the Authentication mode for the USB modem. The default value is Auto, and it is recommended to keep the default value.

MTU Size

Specify the MTU (Maximum Transmission Unit) of the USB WAN port. The default value is 1480, and it is recommended to keep the default value.

MTU is the maximum data unit transmitted in the physical network.

Use the following DNS Servers

Enable the feature if you want to specify the Primary and Secondary DNS servers manually.

USB 3.0 Interference Reduction

Enable this option if you want to lower the data transfer speed of a USB 3.0 port to improve performance on the 2.4GHz Wi-Fi band. Enabling the feature trades USB 3.0 speed for better wireless stability.

Primary DNS Server / Secondary DNS Server

Enter the IP address of the DNS server provided by your ISP if there is any.

Host Name

Enter a name for the gateway.

MTU

Specify the MTU (Maximum Transmission Unit) of the WAN port.

MTU is the maximum data unit transmitted in the physical network. When the connection type is Dynamic IP, MTU can be set in the range of 576-1500 bytes. The default value is 1500.

VLAN ID

Add the WAN port to a VLAN and you need to specify the VLAN ID. Generally, you don’t need to manually configure it unless required by your ISP.

VLAN Priority

Priority is only available when Internet VLAN is enabled. The VLAN Priority function helps to prioritize the internet traffic based on your needs. You can determine the priority level for the traffic by specifying the tag. The tag ranges from 0 to 7. None means the packet will be forwarded without any operation.

WAN IP Alias

WAN IP Alias supports configuring multiple IP addresses on one WAN port, and these IP addresses can be used to configure virtual server and other functions.

IP Address

Enter the IP address provided by your ISP.

Subnet Mask

Enter the subnet mask provided by your ISP.

Default Gateway

Enter the default gateway provided by your ISP.

Primary DNS Server / Secondary DNS Server

Enter the IP address of the DNS server provided by your ISP if there is any.

MTU

Specify the MTU (Maximum Transmission Unit) of the WAN port.

MTU is the maximum data unit transmitted in the physical network. When the connection type is Static IP, MTU can be set in the range of 576-1500 bytes. The default value is 1500.

VLAN ID

Add the WAN port to a VLAN and you need to specify the VLAN ID. Generally, you don’t need to manually configure it unless required by your ISP.

VLAN Priority

Priority is only available when Internet VLAN is enabled. The VLAN Priority function helps to prioritize the internet traffic based on your needs. You can determine the priority level for the traffic by specifying the tag. The tag ranges from 0 to 7. None means the packet will be forwarded without any operation.

WAN IP Alias

WAN IP Alias supports configuring multiple IP addresses on one WAN port, and these IP addresses can be used to configure virtual server and other functions.

Password

Enter the PPPoE password provided by your ISP.

Get IP address from ISP

With this option enabled, the gateway gets IP address from ISP when setting up the WAN connection.

With this option disabled, you need to specify the IP Address provided by your ISP.

Primary DNS Server / Secondary DNS Server

Enter the IP address of the DNS server provided by your ISP if there is any.

Connection Mode

Connect Automatically: The gateway activates the connection automatically when the connection is down. You need to specify the Redial Interval, which decides how often the gateway tries to redial after the connection is down.

Connect Manually: You can manually activate or terminate the connection.

Time-Based: During the specified period, the gateway will automatically activate the connection. You need to specify the Time Range when the connection is up.

Redial Interval

Specify how often the gateway tries to redial after the connection is down.

Service Name

Keep it blank unless your ISP requires you to configure it.

MTU

Specify the MTU (Maximum Transmission Unit) of the WAN port.

MTU is the maximum data unit transmitted in the physical network. When the connection type is PPPoE, MTU can be set in the range of 576-1492 bytes. The default value is 1492.

MRU

Specify the MRU (Maximum Receive Unit) of the WAN port. MRU is the maximum data unit transmitted in the Data link layer.

MSS Clamping

Specify the upper limit of the value of the MSS (Maximum Segment Size) field negotiated by the sending and receiving parties when establishing TCP connection to avoid IP fragmentation. If the value of the MSS field negotiated by the communication parties exceeds the specified value, the gateway will change the negotiated MSS field to the specified value

Disabled: Disable the MSS Clamping function, and the gateway will not intervene in the MSS value negotiated by the communication parties.

Auto: Automatically calculate MSS value based on path MTU.

Custom: Select this option to specify the MSS value. It should not exceed the MTU value.

VLAN ID

Add the WAN port to a VLAN and you need to specify the VLAN ID. Generally, you don’t need to manually configure it unless required by your ISP.

VLAN Priority

Priority is only available when Internet VLAN is enabled. The VLAN Priority function helps to prioritize the internet traffic based on your needs. You can determine the priority level for the traffic by specifying the tag. The tag ranges from 0 to 7. None means the packet will be forwarded without any operation.

Secondary Connection

Secondary connection is required by some ISPs. Select the connection type required by your ISP.

None: Select this if the secondary connection is not required by your ISP.

Static IP: Select this if your ISP provides you with a fixed IP address and subnet mask for the secondary connection. You need to specify the IP Address and Subnet Mask provided by your ISP.

Dynamic IP: Select this if your ISP automatically assigns the IP address and subnet mask for the secondary connection.

Password

Enter the L2TP password provided by your ISP.

VPN Server / Domain Name

Enter the VPN Server/Domain Name provided by your ISP.

Get IP address from ISP

With this option enabled, the gateway gets IP address from ISP when setting up the WAN connection.

With this option disabled, you need to specify the IP address provided by your ISP.

Primary DNS Server / Secondary DNS Server

Enter the IP address of the DNS server provided by your ISP if there is any.

Connection Mode

Connect Automatically: The gateway activates the connection automatically when the connection is down. You need to specify the Redial Interval, which decides how often the gateway tries to redial after the connection is down.

Connect Manually: You can manually activate or terminate the connection.

Time-Based: During the specified period, the gateway will automatically activate the connection. You need to specify the Time Range when the connection is up.

Redial Interval

Specify how often the gateway tries to redial after the connection is down.

MTU

Specify the MTU (Maximum Transmission Unit) of the WAN port.

MTU is the maximum data unit transmitted in the physical network. When the connection type is L2TP, MTU can be set in the range of 576-1460 bytes. The default value is 1460.

MSS Clamping

Specify the upper limit of the value of the MSS (Maximum Segment Size) field negotiated by the sending and receiving parties when establishing TCP connection to avoid IP fragmentation. If the value of the MSS field negotiated by the communication parties exceeds the specified value, the gateway will change the negotiated MSS field to the specified value

Disabled: Disable the MSS Clamping function, and the gateway will not intervene in the MSS value negotiated by the communication parties.

Auto: Automatically calculate MSS value based on path MTU.

Custom: Select this option to specify the MSS value. It should not exceed the MTU value.

VLAN ID

Add the WAN port to a VLAN and you need to specify the VLAN ID. Generally, you don’t need to manually configure it unless required by your ISP.

VLAN Priority

Priority is only available when Internet VLAN is enabled. The VLAN Priority function helps to prioritize the internet traffic based on your needs. You can determine the priority level for the traffic by specifying the tag. The tag ranges from 0 to 7. None means the packet will be forwarded without any operation.

Secondary Connection

Select the connection type required by your ISP.

Static IP: Select this if your ISP provides you with a fixed IP address and subnet mask for the secondary connection. You need to specify the IP Address, Subnet Mask, Default Gateway (Optional), Primary DNS Server (Optional), and Secondary DNS Server (Optional) provided by your ISP.

Dynamic IP: Select this if your ISP automatically assigns the IP address and subnet mask for the secondary connection.

Password

Enter the PPTP password provided by your ISP.

VPN Server / Domain Name

Enter the VPN Server/Domain Name provided by your ISP.

Get IP address from ISP

With this option enabled, the gateway gets IP address from ISP when setting up the WAN connection.

With this option disabled, you need to specify the IP address provided by your ISP.

Primary DNS Server / Secondary DNS Server

Enter the IP address of the DNS server provided by your ISP if there is any.

Connection Mode

Connect Automatically: The gateway activates the connection automatically when the connection is down. You need to specify the Redial Interval, which decides how often the gateway tries to redial after the connection is down.

Connect Manually: You can manually activate or terminate the connection.

Time-Based: During the specified period, the gateway will automatically activate the connection. You need to specify the Time Range when the connection is up.

Redial Interval

Specify how often the gateway tries to redial after the connection is down.

MTU

Specify the MTU (Maximum Transmission Unit) of the WAN port.

MTU is the maximum data unit transmitted in the physical network. When the connection type is PPTP, MTU can be set in the range of 576-1420 bytes. The default value is 1420.

MSS Clamping

Specify the upper limit of the value of the MSS (Maximum Segment Size) field negotiated by the sending and receiving parties when establishing TCP connection to avoid IP fragmentation. If the value of the MSS field negotiated by the communication parties exceeds the specified value, the gateway will change the negotiated MSS field to the specified value

Disabled: Disable the MSS Clamping function, and the gateway will not intervene in the MSS value negotiated by the communication parties.

Auto: Automatically calculate MSS value based on path MTU.

Custom: Select this option to specify the MSS value. It should not exceed the MTU value.

VLAN ID

Add the WAN port to a VLAN and you need to specify the VLAN ID. Generally, you don’t need to manually configure it unless required by your ISP.

VLAN Priority

Priority is only available when Internet VLAN is enabled. The VLAN Priority function helps to prioritize the internet traffic based on your needs. You can determine the priority level for the traffic by specifying the tag. The tag ranges from 0 to 7. None means the packet will be forwarded without any operation.

Secondary Connection

Select the connection type required by your ISP.

Static IP: Select this if your ISP provides you with a fixed IP address and subnet mask for the secondary connection. You need to specify the IP Address, Subnet Mask, Default Gateway (Optional), Primary DNS Server (Optional), and Secondary DNS Server (Optional) provided by your ISP.

Dynamic IP: Select this if your ISP automatically assigns the IP address and subnet mask for the secondary connection.

Prefix Delegation

Select Enable to get an address prefix by DHCPv6 server from your ISP, or Disable to designate an address prefix for your LAN port manually. Clients in LAN will get an IPv6 address with this prefix.

Prefix Delegation Size

With Prefix Delegation enabled, enter the Prefix Delegation Size to determine the length of the address prefix. If you are not sure about the value, you can ask your ISP.

DNS Address

Select whether to get the DNS address dynamically from your ISP or designate the DNS address manually.

Get from ISP Dynamically: The DNS address will be automatically assigned by the ISP.

Use the Following DNS Addresses: Enter the DNS address provided by the ISP.

Prefix Length

Enter the prefix length of the IPv6 address received from your ISP.

Default Gateway

Enter the default gateway provided by your ISP.

Primary DNS Server

Enter the IP address of the primary DNS server provided by your ISP.

Secondary DNS Server

(Optional) Enter the IP address of the secondary DNS server, which provides redundancy in case the primary DNS server goes down.

Username

Enter the username of your PPPoE account provided by your ISP.

Password

Enter the password of your PPPoE account provided by your ISP.

Get IPv6 Address

Select the proper method whereby your ISP assigns IPv6 address to your gateway.

Automatically: With this option selected, the gateway will automatically select the method to get IPv6 addresses between SLAAC and DHCPv6.

Via SLAAC: With SLAAC (Stateless Address Auto-Configuration) selected, your ISP assigns the IPv6 address prefix to the gateway and the gateway automatically generates its own IPv6 address. Also, your ISP assigns other parameters including the DNS server address to the gateway.

Via DHCPv6: With DHCPv6 selected, your ISP assigns an IPv6 address and other parameters including the DNS server address to the gateway using DHCPv6.

Non-Address: With this option selected, the gateway will not get an IPv6 address.

Specified by ISP: With this option selected, enter the IPv6 address you get from your ISP.

Prefix Delegation

Select Enable to get an address prefix by DHCPv6 server from your ISP, or Disable to designate an address prefix for your LAN port manually. Clients in LAN will get an IPv6 address with this prefix.

Prefix Delegation Size

With Prefix Delegation enabled, enter the Prefix Delegation Size to determine the length of the address prefix. If you are not sure about the value, you can ask your ISP.

DNS Address

Select whether to get the DNS address dynamically from your ISP or designate the DNS address manually.

Get from ISP Dynamically: The DNS address will be automatically assigned by the ISP.

Use the Following DNS Addresses: Enter the DNS address provided by the ISP.

Application Optimized Routing

With Application Optimized Routing enabled, the router will consider the source IP address and destination IP address (or destination port) of the packets as a whole and record the WAN port they pass through. Then the packets with the same source IP address and destination IP address ( or destination port) will be forwarded to the recorded WAN port.

This feature ensures that multi-connected applications work properly.

Link Backup

With Link Backup enabled, the router will switch all the new sessions from dropped lines automatically to another to keep an always on-line network.

Backup WAN / Primary WAN

The backup WAN port backs up the traffic for the primary WAN ports under the specified condition.

Failover Mode

Select whether to enable backup link when any primary WAN fails or all primary WANs fail.

Recover Mode

Link Backup: The system will switch all the new sessions from dropped line automatically to another to keep an always on-link network.

Always Link Primary: Traffic is always forwarded through the primary WAN port unless it fails. The system will try to forward the traffic via the backup WAN port when it fails, and switch back when it recovers.

VLAN Type

Specify whether to use a single VLAN or multiple VLANs.

If the VLAN Type is “Multiple” and the DHCP Server Device Type is “Gateway”, a single network containing multiple VLAN IDs will be created.

If the VLAN Type is “Multiple” and the DHCP Server Device Type is “External Device” or “None”, multiple networks will be created, each corresponding to one VLAN.

Gateway/Subnet

Enter the IP address and subnet mask in the CIDR format. The CIDR Notation here includes the IP address and subnet mask of the default gateway.The summary of the information that you entered will show up below in realtime.

DHCP Server

Click the checkbox to allow the device to serve as the DHCP server for this network. A DHCP server assigns IP addresses, DNS server, default gateway, and other parameters to all devices in the network. Deselect the box if there is already a DHCP server in the network.

If selected, set the starting and ending IP addresses of the DHCP address pool in the fields provided.

Default Gateway

Enter the IP address of the default gateway.

Auto: The DHCP server automatically assigns default gateway for devices in the network. It uses the IP address specified in the Gateway/Subnet entry as the default gateway address.

Manual: Specify default gateway manually. Enter the IP address of the default gateway in the field.

Lease Time

Specify how long a client can use the IP address assigned from this address pool.

ARP Detection

When enabled, the gateway will broadcast ARP requests to obtain the status of the dumb terminal. It is recommended that the subnet mask be no less than 24 bits.

Domain Name

Enter the domain name.

QoS Queue

Click the checkbox to assign the traffic in this network to a queue, and the traffic will be forwarded with a certain priority.

Isolate Network

Enable this option if you want to isolate the network.

Snooping

Select the Snooping function to be enabled.

IGMP Snooping: Click the checkbox to monitor IGMP (Internet Group Management Protocol) traffic and thereby manage multicast traffic.

MLD Snooping: Click the checkbox to monitor MLD (Multicast Listener Discovery) traffic and thereby manage IPv6 multicast traffic.

DHCP Next Server

Specify the server IP address that the DHCP client will use in the next step.

Legal DHCP Servers

With Legal DHCP Server enabled, Omada switches ensure that users get IP addresses only from the DHCP servers whose IP addresses are specified here.

Legal DHCPv6 Servers

With Legal DHCPv6 Server enabled, Omada switches ensure that users get IPv6 addresses only from the DHCPv6 servers whose IPv6 addresses are specified here.

DHCP L2 Relay

With DHCP L2 relay enabled, Omada switches configure the Option 82 field of the DHCP packets and transmit the packets in the LAN.

Option 42

DHCP clients use DHCP option 42 to configure the NTP server address.

Option 44

DHCP clients use DHCP option 44 to configure the NetBIOS over TCP/IP name server.

Option 60

Enter the value for DHCP Option 60. DHCP clients use this field to optionally identify the vendor type and configuration of a DHCP client. Mostly it is used in the scenario where the APs apply for different IP addresses from different servers according to the needs.

Option 66

Enter the value for DHCP Option 66. It specifies the TFTP server information and supports a single TFTP server IP address.

Option 67

Option 67 tells the client a path to a file from a TFTP server (option 66) that will be retrieved and used to boot. That file needs to be a basic boot loader that will do any other required work.

Option 138

Enter the value for DHCP Option 138. It is used in discovering the devices by the controller.

Option 252

Option 252 provides a DHCP client a URL to use to configure its proxy settings. It’s defined in draft-ietf-wrec-wpad-01. If it was a statement like ‘wpad-proxy-url’ then only systems that understood it could use it (they’d have to recognize that string and know how to handle it)

With DHCPv6 selected, configure the following parameters.

Gateway/Subnet

Enter the IP address and subnet mask in the CIDR format. The CIDR notation here includes the IP address and subnet mask of the default gateway. The summary of the information that you entered will show up below in real time.

DHCP Range

Enter the starting and ending IP addresses of the DHCP address pool in the fields provided. For quick operation, click Update DHCP Range beside the Gateway/Subnet entry to get the IP address range populated automatically, and edit the range according to your needs.

Lease Time

This entry determines how long the assigned IPv6 address remains valid. Either keep the default 1440 minutes or change it if required by your ISP.

DHCPv6 DNS

Select a method to configure the DNS server for the network. With Auto selected, the DHCP server automatically assigns DNS server for devices in the network. With Manual selected, enter the IP address of a server in each DNS server field.

RA Priority

Specify the router priority to help a host choose its default gateway. If a host receives RA messages from multiple routers, it will select the router with the highest RA priority as the default gateway. In the case of routers with the same priority, it will select the router whose RA message is received first as the default gateway.

RA Valid Lifetime

Specify the validity lifetime of the prefix. The addresses automatically generated with the prefix can be used normally during the valid lifetime, and they will become invalid and be deleted after the valid lifetime expires.

RA Preferred Lifetime

Specify the preferred lifetime for stateless auto-configuration of addresses with the prefix. After the preferred lifetime expires, the addresses automatically configured by the hosts with this prefix will be abolished. A host cannot use an abolished address to establish a new connection, but it can still receive packets whose destination address is an abolished address. The RA Preferred Lifetime must be less than or equal to the RA Valid Lifetime.

With SLAAC+Stateless DHCP selected, configure the following parameters.

Prefix

Configure the IPv6 address prefix for each client in the local network.

Manual Prefix: With Manual Prefix selected, enter the prefix in the Address Prefix field.

Get from Prefix Delegation: With Get from Prefix Delegation selected, select the WAN port with Prefix Delegation configured, and the clients will get the address prefix from the Prefix Delegation.

IPv6 Prefix ID

With Get from Prefix Delegation selected, enter the Prefix ID, which will be added to the prefix to obtain a /64 subnet.

The range of IPv6 Prefix ID is determined by the larger value of Prefix Delegation Size and Prefix Delegation Length (obtained from the ISP). Note that if the Prefix Delegation Length is larger than 64, the IPv6 Prefix ID cannot be obtained from Prefix Delegation, please select another method. In site view, go to Network Config > Network Settings > Internet to configure Prefix Delegation Size.

DNS Server

Select a method to configure the DNS server for the network.

Auto: With Auto selected, the DHCP server automatically assigns DNS server for devices in the network.

Manual: With Manual selected, enter the IP address of a server in each DNS server field.

RA Priority

Specify the router priority to help a host choose its default gateway. If a host receives RA messages from multiple routers, it will select the router with the highest RA priority as the default gateway. In the case of routers with the same priority, it will select the router whose RA message is received first as the default gateway.

RA Valid Lifetime

Specify the validity lifetime of the prefix. The addresses automatically generated with the prefix can be used normally during the valid lifetime, and they will become invalid and be deleted after the valid lifetime expires.

RA Preferred Lifetime

Specify the preferred lifetime for stateless auto-configuration of addresses with the prefix. After the preferred lifetime expires, the addresses automatically configured by the hosts with this prefix will be abolished. A host cannot use an abolished address to establish a new connection, but it can still receive packets whose destination address is an abolished address. The RA Preferred Lifetime must be less than or equal to the RA Valid Lifetime.

With SLAAC+RDNSS selected, configure the following parameters.

Prefix

Configure the IPv6 address prefix for each client in the local network.

Manual Prefix: With Manual Prefix selected, enter the prefix in the Address Prefix field.

Get from Prefix Delegation: With Get from Prefix Delegation selected, select the WAN port with Prefix Delegation configured, and the clients will get the address prefix from the Prefix Delegation.

IPv6 Prefix ID

With Get from Prefix Delegation selected, enter the Prefix ID, which will be added to the prefix to obtain a /64 subnet.

DNS Server

Select a method to configure the DNS server for the network.

Auto: With Auto selected, the DHCP server automatically assigns DNS server for devices in the network.

Manual: With Manual selected, enter the IP address of a server in each DNS server field.

RA Priority

Specify the router priority to help a host choose its default gateway. If a host receives RA messages from multiple routers, it will select the router with the highest RA priority as the default gateway. In the case of routers with the same priority, it will select the router whose RA message is received first as the default gateway.

RA Valid Lifetime

Specify the validity lifetime of the prefix. The addresses automatically generated with the prefix can be used normally during the valid lifetime, and they will become invalid and be deleted after the valid lifetime expires.

RA Preferred Lifetime

Specify the preferred lifetime for stateless auto-configuration of addresses with the prefix. After the preferred lifetime expires, the addresses automatically configured by the hosts with this prefix will be abolished. A host cannot use an abolished address to establish a new connection, but it can still receive packets whose destination address is an abolished address. The RA Preferred Lifetime must be less than or equal to the RA Valid Lifetime.

With Pass-Through selected, configure the following parameters.

IPv6 Prefix Delegation Interface

Select the WAN port using Pass-Through (Bridge) for the IPv6 connection.

IP Address Mode

Select a method to configure the IP for the DHCP Server

Static: Specify the IP of DHCP servers manually. Enter the IP address of server in IP Address/Subnet field.

DHCP: The DHCP server is automatically assigned an IP address in the network.

IP Address/Subnet

Enter the IP address and subnet mask in the CIDR format.

DHCP Mode

Select a mode for the clients in the VLAN to obtain their IP address.

None: Do not use DHCP to assign IP addresses.

DHCP Server: Assign an IP address to the clients through a DHCP server.

When DHCP Server is selected, you can specify the DHCP Range, and the IP addresses in the range can be assigned to the clients in the VLAN. Also, it is optional for you to specify the DHCP Option 138, Primary/Seconday DNS, Default Gateway, and Lease Time. DHCP Option 138 informs the DHCP client of the controller's IP address when the client sends a request to the DHCP server, and specify Option 138 as the controller's IP address here. Lease Time decides how long the client can use the assigned IP address.

DHCP Relay: It allows clients in the VLAN to obtain IP addresses from a DHCP server ion different subnet. When DHCP Relay is selected, specify the IP address of the DHCP server in Server Address.

DHCP Range

Enter the starting and ending IP addresses of the DHCP address pool in the fields provided.

DNS Server

Specify DNS servers manually. Enter the IP address of a server in each DNS server field.

Default Gateway

Specify default gateway manually. Enter the IP address of the default gateway in the field.

Lease Time

Specify how long a client can use the IP address assigned from this address pool.

Snooping

Select the Snooping function to be enabled.

IGMP Snooping: Click the checkbox to monitor IGMP (Internet Group Management Protocol) traffic and thereby manage multicast traffic.

MLD Snooping: Click the checkbox to monitor MLD (Multicast Listener Discovery) traffic and thereby manage IPv6 multicast traffic.

Legal DHCP Servers

With Legal DHCP Server enabled, Omada switches ensure that users get IP addresses only from the DHCP servers whose IP addresses are specified here.

Legal DHCPv6 Servers

With Legal DHCPv6 Server enabled, Omada switches ensure that users get IPv6 addresses only from the DHCPv6 servers whose IPv6 addresses are specified here.

DHCP L2 Relay

With DHCP L2 relay enabled, Omada switches configure the Option 82 field of the DHCP packets and transmit the packets in the LAN.

VLAN

Enter a VLAN ID with the value between 1 and 4094. Each VLAN can be uniquely identified by its VLAN ID, which is transmitted and received as IEEE 802.1Q tag in an Ethernet frame.

Snooping

Select the Snooping function to be enabled.

IGMP Snooping: Click the checkbox to monitor IGMP (Internet Group Management Protocol) traffic and thereby manage multicast traffic.

MLD Snooping: Click the checkbox to monitor MLD (Multicast Listener Discovery) traffic and thereby manage IPv6 multicast traffic.

VLAN

Enter a VLAN ID with the value between 1 and 4094. Each VLAN can be uniquely identified by its VLAN ID, which is transmitted and received as IEEE 802.1Q tag in an Ethernet frame.

Snooping

Select the Snooping function to be enabled.

IGMP Snooping: Click the checkbox to monitor IGMP (Internet Group Management Protocol) traffic and thereby manage multicast traffic.

MLD Snooping: Click the checkbox to monitor MLD (Multicast Listener Discovery) traffic and thereby manage IPv6 multicast traffic.

Flow Control

When enabled, 802.3 pause frames notify IPCs to temporarily buffer video data during network congestion, preventing frame loss that would occur when packets are dropped. This requires IPC support for the protocol.

Add Port Labels For Selected Switch Port(s)

This option is used to add labels to the selected switch ports, facilitating centralized port management on the Device Config > Switch Ports page.

Network

Select the target network for multicast configuration, which will automatically enable its multicast snooping.

Protocol

Choose between IGMP (IPv4) or MLD (IPv6) based on network protocol requirements.

Unknown Multicast

Specify handling method for unidentified multicast packets.

Forward: Flood unknown multicast traffic within VLAN.

Discard: Drop unknown multicast packets.

Router Port First: Forward to router ports (static/dynamic) if available; otherwise flood within VLAN.

Querier

Set a switch as the querier for a specific network, and configure more parameters in Advanced Settings.

Manual Router Port

Manually set Static Router Port and Forbidden Router Port.

Static Router Port: Select one or more ports to be the Static Router Ports in the network. All multicast data in this network will be forwarded through the static router ports.

Forbidden Router Port: Select one or more ports to forbid them from being router ports in the network.

Report Suppression

When enabled, the switch will only forward the first IGMP report message for each multicast group to L3 devices during one query interval. This feature prevents duplicate report messages from being sent to the L3 devices.

Member Port Aging Time

Specify the aging time of the member ports in the Network. If the switch does not receive any IGMP membership report messages for a specific multicast group from a dynamic member port, it will no longer consider this port as a member port of this multicast group and delete it from the multicast forwarding table.

Router Port Aging Time

Specify the aging time of the router ports in the Network. If the switch does not receive any IGMP general query message from a dynamic router port within the router port aging time, the switch will no longer consider this port as a router port and delete it from the router port list.

Leave Time

Specify the leave time for the Network. When the switch receives a leave message from a port to leave a multicast group, it will wait for a leave time before removing the port from the multicast group. During the period, if the switch receives any report messages from the port, the port will not be removed from the multicast group. Exceptions are as follows: If the member port ages out before the Leave Time ends and no report messages are received, the port will be removed from the multicast group once its Member Port Aging Time ends. The Leave Time mechanism will not take effect when Fast Leave takes effect.

Status

Whether to enable this entry.

Domain Name

Enter the domain name.

Alias Domain Name

If a server provides different services and has multiple domain names, you can enter them here.

Type

There are three options, IP, CNAME, and FORWARD.

IP: When selected, the gateway will respond to the DNS query of the specified domain name, and use the configured IP address as the DNS response to directly reply to the LAN host. Select this type when there is a web server in the intranet and you want hosts in the LAN to access the web server through private IP addresses instead of public IP addresses.

CNAME: When selected, the gateway will map the domain name to the configured CNAME domain name, send it to the DNS server for query, and then reply to the LAN host with the IP corresponding to the CNAME domain name.

FORWARD: When selected, the gateway will forward the DNS query of the LAN host to the specified DNS server, and reply the DNS response to the LAN host. The forwarding priority is higher than other public configurations, such as the DNS Server configured on the WAN port.

IP Address

When the Type is IP, it is the IPv4 address of the returned DNS response.

IPv6 Address

When the Type is IP, it is the IPv6 address of the returned DNS response.

Apply To LAN

When the Type is IP or CNAME, it is the LAN network to which the rule applies. You can choose to apply all LANs or apply to a single LAN or multiple LANs.

CNAME

When Type is CNAME, set the domain name to which Domain Name and Alias Domain Name need to be mapped.

DNS Server

When the Type is FORWARD, set the Domain Name and Alias Domain Name to be forwarded to a specific DNS Server, up to two DNS Servers can be configured.

Enter the network name (SSID) to identify the wireless network. The users of wireless clients choose to connect to the wireless network according to the SSID, which appears on the WLAN settings page of wireless clients.

Select the type of devices that the wireless network can apply to.

Enable the radio band(s) for the wireless network. When 6GHz is turned on, Security cannot be PPSK with/without RADIUS since 6GHz does not support them.

With Guest Network enabled, all the clients connecting to the SSID are blocked from reaching any private IP subnet.

Select the encryption method for the wireless network based on needs

Opportunistic Wireless Encryption, also known as Enhanced Open, is a certification provided by the Wi-Fi Alliance as part of the WPA3 wireless security standard. OWE will enable two wireless APs per radio, one for access of OWE-supported stations, and one for access of other stations. An SSID with OWE enabled will be counted as two SSID entries.

Specify a security key to encrypt the traffic.

Select a RADIUS Profile, which records the settings of the authentication server and accounting server. You can create a RADIUS Profile by clicking Create New Radius Profile from the drop-down list of RADIUS Profile. For details, refer to the network profile configuration section in this guide.

Configure a Network Access Server Identifier (NAS ID) for the authentication. Authentication request packets from the controller to the RADIUS server carry the NAS ID. The RADIUS server can classify users into different groups based on the NAS ID, and then choose different policies for different groups.

The NAS ID can be a default one (TP-Link: MAC Address), follow the device name, or a customized one.

Select a PPSK Profile, which records the PPSK settings. You can create a PPSK Profile by clicking Create New PPSK Profile from the drop-down list of PPSK Profile. For details, refer to the network profile configuration section in this guide.

Select a RADIUS Profile, which records the settings of the authentication server and accounting server. You can create a RADIUS Profile by clicking Create New Radius Profile from the drop-down list of RADIUS Profile. For details, refer to the network profile configuration section in this guide.

Choose the authentication type.

Generic Radius with bound MAC: This method uses a device’s unique MAC address as the username and password for a RADIUS server to grant or deny network access. This type needs to specify device MAC addresses.

EKMS: The EKMS (Eleven Key Matching Service) authentication type is used to connect to the ElevenOS server. Only the EKMS authentication method in PPSK with RADIUS supports domain name.

Generic Radius with unbound MAC: This method uses a client’s MAC address as the username and password for a RADIUS server to grant or deny network access. This type does not need to specify device MAC addresses.

Configure a Network Access Server Identifier (NAS ID) for the authentication. Authentication request packets from the controller to the RADIUS server carry the NAS ID. The RADIUS server can classify users into different groups based on the NAS ID, and then choose different policies for different groups.

Select clients’ MAC address format which the controller uses for authentication. Then configure the MAC addresses in the specified format as usernames for the clients on the RADIUS server.

Toggle on to enable the EoGRE (Ethernet over GRE) Tunnel for the wireless network.

Note: If the function is unavailable, go to Device Config > EAP > EoGRE Tunnel to enable the feature globally.

With SSID Broadcast enabled, APs broadcast the SSID (network name) in the air so that wireless clients can connect to the wireless network, which is identified by the SSID. With SSID Broadcast disabled, users of wireless clients must enter the SSID manually to connect to the wireless network.

When enabled, the connected clients will be prohibited to share the Wi-Fi with other clients.

Configure the uplink port VLAN(s) corresponding to the SSID.

Default: Using untagged transmission.

Custom: Configure an SSID-based VLAN pool by binding one or multiple networks (by network) or manually entering one or multiple VLAN IDs (by VLAN). When a client connects to the SSID, it will be assigned to a VLAN in the VLAN pool you configured. If a device does not support multiple VLANs, the smallest VLAN you configured will be applied to the SSID.

If you select WPA-Personal or WPA-Enterprise as the security strategy, you can select the WPA Mode including the version of WPA, and the encryption type.

Select the version of WPA according to your needs.

Select the encryption type. Some encryption type is only available under certain circumstances.

AES: AES stands for Advanced Encryption Standard.

Auto: APs automatically decide the encryption type in the authentication process.

MLO (Multi-Link Operation) enables Wi-Fi 7 devices to simultaneously send and receive data across different frequency bands and channels. This ensures fast and reliable connections even in dense network environments.

Protected Management Frames (PMF) provide protection for unicast and multicast management action frames. When Mandatory is selected, non-PMF-capable clients may fail to connect to the network.

Disable: Disables PMF for a network. It is not recommended to use this setting, only in case non-PMF-capable clients experience connection issues with the “Capable” option.

Capable: Both types of clients, capable of PMF or not, can connect to the network. Clients capable of PMF will negotiate it with the AP.

Mandatory: Only PMF-capable clients can connect to the network.

If you select WPA-Personal or WPA-Enterprise as the security strategy, you can specify whether and how often the security key changes. If you want the security key to change periodically, enable GIK (Group Integrity Key) rekeying and specify the time period.

802.11r allows faster roaming when both the AP and client have 802.11r capabilities. However, older devices may be incompatible with the feature. Currently 802.11r does not support WPA3-Enterprise encryption.

Specify the profile to limit the download and upload rates of each client to balance bandwidth usage.

You can use the default profile or custom a profile.

Specify the profile to limit the download and upload rates of each wireless band. Bandwidth is shared among all clients connected to the same wireless band of the same AP.

You can use the default profile or custom a profile.

Note: This feature requires new firmware updates for Omada APs, and the rate limit settings will only take effect on those APs running firmware that supports the feature.

Specify the 802.11u network type: public, private, or guest network.

Enter the PLMN (Public Land Mobile Network) ID of the 802.11u 3GPP cellular network, which consists of the MCC (Mobile Country Code) and MNC (Mobile Network Code). Wireless clients can obtain this information through ANQP queries to determine whether to access the network. This is applicable to networks that have roaming relationships with mobile operators.

Enter the 802.11u roaming organization identifiers. For a network that has roaming relationships with other network operators, you can configure a roaming organization list for wireless clients to automatically identify trusted roaming network partners.

Enter the domain name of the access network operator. Wireless clients can obtain this information through ANQP queries as the basis for network selection.

Network operator friendly name. This parameter can be used to define the names of different language environments, so that users of different languages can easily select the network. Currently, only English format input is provided.

In DGAF (downstream group-addressed forwarding) disable mode, the AP will not forward downstream multicast and broadcast packets. Downstream multicast and broadcast packets use the same GTK (Group Temporal Key) key, which poses a security risk. The AP will discard these ARP and multicast packets to prevent attackers from exploiting the vulnerability that all clients in the same BSS use the same GTK key to forge group address frames and attack clients. This function is disabled by default. When it is enabled, some multicast services will be unavailable. To ensure normal internet access, the AP will enable the ARP proxy and disable ARP-to-unicast conversion.

Homogenous Extended Service Set Identifier. It is used to identify the same type of ESS network set. An area may have multiple Hotspot 2.0 networks. Based on the unique HESSID, wireless clients can identify which networks provide the same service without having to re-acquire network parameters. HESSID should be consistent with one of the BSSIDs of the APs in the zone.

Internet access support status (network reachability).

Available type information of IPv4 addresses. When a wireless client accesses a Hotspot 2.0 network, the AP can pass the available types of IPv4 addresses in the network to the client as ANQP parameters, so that the client can understand the types of IP addresses that can be obtained after accessing the network.

Available type information of IPv6 addresses. When a wireless client accesses a Hotspot 2.0 network, the AP can pass the available types of IPv6 addresses in the network to the client as ANQP parameters, so that the client can understand the types of IP addresses that can be obtained after accessing the network.

Indicates the venue information using the combination of the network's venue group and venue type (using the international building code). When a wireless client attempts to access a Hotspot 2.0 network, it can obtain the location type information of the current network from the AP for network selection.

Network’s venue name, identifying the physical location of the network.

Add a profile to identify and describe a NAI (Network Access Identifier) realm accessible using the AP, and the method that this NAI realm uses for authentication.

Realm name: The name of the NAI realm. Usually the domain name of the service provider.

Realm Encoding: NAI realm name format. Two formats are supported:

•RFC4282: Realm formatted according to RFC 4282.

•UTF-8: UTF-8 formatted string not formatted according to IETF RFC 4282.

EAP Method: EAP authentication method supported by the NAI realm.

Authentication param: Configure the EAP authentication parameter identifier and authentication parameters.

Radio On: Turn on your wireless network within the time range you set, and turn it off beyond the time range.

Radio Off: Turn off your wireless network within the time range you set, and turn it on beyond the time range.

Select the Time Range for the action to take effect. You can create a Time Range entry by clicking Create New Time Range Entry from the drop-down list of Time Range. For details, refer to the network profile configuration section in this guide.

Select whether to disable CCK (Complementary Code Keying), the modulation scheme which works with 802.11b devices. Disable CCK Rates (1/2/5.5/11 Mbps) is only available for 2.4 GHz band.

Select whether or not to require clients to use rates at or above the value specified on the minimum data rate controller slider.

Select whether or not to send Beacons at the minimum rate of 1Mbps for 2.4 GHz band or 6Mbps for 5 GHz band.

Allow List: Allow the connection of the clients whose MAC addresses are in the specified MAC Address List, while blocking others.

Deny List: Block the connection of the clients whose MAC address are in the specified MAC Addresses List, while allowing others.

Select the MAC Group which you want to allow or block according to the policy. You can create new MAC group by clicking + Create New MAC Group from the drop-down list of MAC Address List. For details, refer to the network profile configuration section in this guide.

When the channel utilization is below the set value, the Wireless Device will convert the IPv4/IPv6 multicast packets into unicast packets and send them to the corresponding clients based on the learned multicast relationships. This improves the transmission efficiency of IPv4/IPv6 multicast.

When enabled, the controller will convert ARP packets into unicast packets.

When enabled, the device will filter the multicast packets of the specified protocols. Improper settings may cause network issues

Choose IGMP/mDNS/ND/Others according to your need. Choose Others for MAC-based filtering, which will filter IP multicast packets that are not using IGMP, MLD, mDNS, or ND protocols.

If you want to allow packets from specific addresses to pass through, you can choose MAC Group and Create New MAC Group. Here you can set MAC Group Name and choose different methods to add the MAC Address.

The system will perform wireless optimization on some APs based on historical optimization results, historical client behavior, and the current wireless environment. To ensure the connection stability of wireless clients, the system will adjust as few wireless configurations as possible. This optimization option is recommended, but it is only available for non-initial optimizations since it requires historical optimization data.

The system will perform wireless optimization on all APs, selecting the appropriate wireless configurations.

Specify the optimization mode.

Default: The controller will conduct the optimization with the default configurations.

Custom: The controller will conduct the optimization with the configurations you set.

Enable this function, and the controller will scan the wireless environment to conclude the optimum operation channels for the APs.

Enable this function in a high-density deployment scenario, and the controller will scan the wireless environment and determine whether to turn off some radio bands to reduce network interference, hence improving the performance of the entire network.

Enable this function in a high-density deployment scenario, and the controller will scan the wireless environment and determine whether to reduce some radio bandwidth to reduce network interference, hence improving the performance of the entire network.

Enable this function, and the controller will scan the wireless environment to conclude the optimum transmission power for the APs.

Select Custom if you want to optimize the power within the specified range. You can limit the transmit power range of each AP/wireless routers after the power deployment is completed. For high-density deployment, you can try to set a smaller power range. An over-low value may lead to limited coverage, while an over-high value may lead to strong interference. (Note: The deployment may fail if the minimum power you select exceeds the maximum power of the AP to be deployed.)

Select Custom if you want to optimize the power within the specified threshold. You can adjust the power deployment override threshold according to the actual deployment height and spacing of APs/wireless routers, achieving optimal wireless coverage after RF optimization. The larger the threshold, the larger the adjusted overall power value.

Select the channel width for each band, and the optimization will maintain the selected channel width.

When enabled, you can specify the channels so they will not execute the automatic optimization.

Select the login duration. Clients will be off-line after the authentication timeout.

Click the checkbox to enable Daily Limit. With this feature enabled, after authentication times out, clients cannot get authenticated again until the next day. With this feature disabled, after authentication times out, clients can get authenticated again without limit.

Specify the password for the portal.

Select the login duration. Clients will be off-line after the authentication timeout.

Select one or more authentication types according to your needs. Clients can access the network after passing any type of the authentication.

Select Voucher and click Voucher Manager to manage the voucher codes.

Refer to the voucher configuration chapter in this guide for detailed information about how to create vouchers.

Select Local User and click User Management to manage the information of the login accounts.

Refer to the account configuration chapter in this guide for detailed information about how to create Local Users.

Clients can get verification codes using their mobile phones and enter the received codes to pass the authentication.

Enter the Account SID for Twilio API Credentials.

Enter the Authentication Token for Twilio API Credentials.

Enter the phone number that is used to send verification messages to the clients.

Click the checkbox and enter the maximum number of users allowed to be authenticated using the same phone number at the same time.

Select the login duration. The client needs to log in again on the web authentication page to access the network.

Enter the default country code that will be filled automatically on the authentication page.

Clients are required to enter the correct username and password which are stored in the RADIUS server to pass the authentication.

Select the RADIUS profile you have created. If no RADIUS profiles have been created, click Create New RADIUS Profile from the drop-down list or Manage RADIUS Profile to create one. The RADIUS profile records the information of the RADIUS server which provides a method for storing the authentication information centrally.

Check the box to allow clients to log out of the portal by accessing a URL (portal.tplink.net/portal/logout by default). You can change the default URL by editing portal.logout.domain in the omada.properties file. Some devices may require firmware update to support Portal Logout. Please refer to Configuration Result for details.

Configure a Network Access Server Identifier (NAS ID) on the portal. Authentication request packets from the controller to the RADIUS server carry the NAS ID. The RADIUS server can classify users into different groups based on the NAS ID, and then choose different policies for different groups.

With the feature enabled, the controller will listen on the receiver port for disconnect requests from the RADIUS server. When the controller receives the disconnect requests in correct format, the controller will terminate the RADIUS authentication session of the clients. Note that the feature is available only when the controller is accessible to the RADIUS server.

Specify the port on which the controller listens when there are disconnect requests from the RADIUS server. Make sure that the specified port is not in use.

The entry displays the status of the receiver port, including Running, Disabled, and Error. Running means that the port is available, Disabled means that the port is closed, and Error means that the port is already in use.

Specify a name for the survey for identification.

Specify how long clients can use the network after they pass the form authentication.

Select the login duration. Clients will be off-line after the authentication timeout.

Select the RADIUS profile you have created. If no RADIUS profiles have been created, click Create New RADIUS Profile from the drop-down list or click Manage RADIUS Profile to create one. The RADIUS profile records information of the RADIUS server including the IP address, port and so on.

Configure a Network Access Server Identifier (NAS ID) on the portal. Authentication request packets from the controller to the RADIUS server carry the NAS ID. The RADIUS server can classify users into different groups based on the NAS ID, and then choose different policies for different groups.

With the feature enabled, the controller will listen on the receiver port for disconnect requests from the RADIUS server. When the controller receives the disconnect requests in correct format, the controller will terminate the RAIDIUS authentication session of the clients. Note that the feature is available only when the controller is accessible to the RADIUS server.

Specify the port on which the controller listens when there are disconnect requests from the RADIUS server. Make sure that the specified port is not in use.

The entry displays the status of the receiver port, including Running, Disabled, and Error. Running means that the port is available, Disabled means that the port is closed, and Error means that the port is already in use.

Select the authentication protocol for the RADIUS server.

Select Local Web Portal or External Web Portal. The authentication login page of Local Web Portal is provided by the built-in portal server of the controller. The External Web Portal is provided by external portal server. Enter the authentication login page’s URL provided by the external portal server in the External Web Portal URL field.

Select the login duration. Clients will be off-line after the authentication timeout.

Select the LDAP profile you have created. If no LDAP profiles have been created, click Create New LDAP Profile from the drop-down list or click Manage LDAP Profile to create one. The LDAP profile records information of the LDAP server including the server address, port and so on.

Select Local Web Portal or External Web Portal. The authentication login page of Local Web Portal is provided by the built-in portal server of the controller. The External Web Portal is provided by external portal server. Enter the authentication login page’s URL provided by the external portal server in the External Web Portal URL field.

Specify the IP address or URL that redirect to an external portal server.

Select the login duration. Clients will be off-line after the authentication timeout.

Enter the Client ID provided by Google to integrate with Google OAuth 2.0.

Enter the Client Secret provided by Google to integrate with Google OAuth 2.0.

Click the checkbox to enable HTTPS Redirection. With this feature enabled, the unauthorized clients will be redirected to the Portal page when they are trying to browse HTTPS websites. With this feature disabled, the unauthorized clients cannot browse HTTPS websites and are not redirected to the Portal page.

Select which page the client will be redirected to after a successful authentication.

The Original URL: Clients are directed to the URL they request for after they pass Portal authentication.

The Promotional URL: Clients are directed to the specified URL after they pass Portal authentication.

Select the type of the Portal page.

Edit Current Page: Edit the related parameters to customize the Portal page based on the provided page.

Import Customized Page: Click Import to import your unique Portal page for branding it as per your business.

Select the default language displayed on the Portal page. The controller automatically adjusts the language displayed on the Portal page according to the system language of the clients. If the language is not supported, the controller will use the default language specified here.

Select the background type.

Solid Color: Configure your desired background color by entering the hexadecimal HTML color code manually or through the color picker.

Picture: Click Choose and select a picture from your PC as the background.

Click to show the logo on the portal page.

Click Choose and select a picture from your PC as the logo.

Adjust the logo size and position on the Portal Page.

(For cetain anthentication types) Configure your desired background and text color for the input box by entering the hexadecimal HTML color code manually or through the color picker.

Configure your desired background and text color for the button by entering the hexadecimal HTML color code manually or through the color picker.

Select the button position on the Portal Page.

Enter the text for the button.

Click the checkbox and enter text as the welcome information.

You can specify the desired text font size and configure the text color by entering the hexadecimal HTML color code manually or through the color picker.

Click the checkbox and enter text as the terms of service in the following box. Click Add Terms to enter the name and context of the terms which will appear after a client clicks the link in Terms of Service.

Click the checkbox and enter text as the copyright in the following box.

You can specify the desired text font size and configure the text color by entering the hexadecimal HTML color code manually or through the color picker.

When enabled, the system will show the portal’s redirection countdown.

Click the checkbox to enable the Advertisement feature. With this feature enabled, you can add advertisement pictures on the authentication page. These advertisement pictures will be displayed before the login page appears.

Click Choose and select pictures from your PC as the advertisement pictures. When several pictures are added, they will be played in a loop.

Enter the duration time for the advertisement pictures. For this duration, the pictures will be played in a loop. If the duration time is not enough for all the pictures, the rest will not be displayed.

Enter the picture carousel interval. For example, if this value is set as 5 seconds, the first picture will be displayed for 5 seconds, followed by the second picture for 5 seconds, and so on.

Click the checkbox to allow users to skip the advertisement.

Click the checkbox to enable Pre-Authentication Access. With this feature enabled, unauthenticated clients are allowed to access the subnets and web resources specified in the Pre-Authentication Access List below.

Click Add to configure the IP range or URL which unauthenticated clients are allowed to access.

Click the checkbox to enable Authentication-Free Policy. With this feature enabled, you can allow certain clients to access the internet without Portal authentication.

Click Add and enter the IP address or MAC address of Authentication-Free clients.

Select the authentication protocol for exchanging messages between the switch and RADIUS server. As a bridge between the client and RADIUS server, the switch forwards messages for them. It uses AP packets to exchange messages with the client, and processes the messages according to the specified authentication protocol before forwarding them to the RADIUS server.

PAP: The AP packets are converted to other protocol (such as RADIUS) packets, and transmitted to the RADIUS server.

EAP: The AP packets are encapsulated in other protocol (such as RADIUS) packets, and transmitted to the authentication server. To use this authentication mechanism, the RADIUS server should support AP attributes.

Select the 802.1X authentication type.

Port Based: After a client connected to the port gets authenticated successfully, other clients can access the network via the port without authentication.

MAC Based: Clients connected to the port need to be authenticated individually. The RADIUS server distinguishes clients by their MAC addresses.

This feature allows the RADIUS server to send the VLAN configurations to the port dynamically. After the port is authenticated, the RADIUS server assigns the VLAN based on the username of the client connecting to the port. The username-to-VLAN mappings must be already stored in the RADIUS server database. This feature is available only when the 802.1X authentication type is Port Based.

MAB (MAC Authentication Bypass) allows clients to be authenticated without any client software installed. MAB is useful for authenticating devices without 802.1X capability like IP phones. When MAB is enabled on a port, the switch will learn the MAC address of the client automatically and send the authentication server a RADIUS access request frame with the client’s MAC address as the username and password. MAB takes effect only when 802.1X authentication is enabled on the port.

Select one or more SSIDs for MAC-based authentication to take effect.

Select the RADIUS profile you have created. If no RADIUS profiles have been created, click Create New RADIUS Profile from the drop-down list or Manage RADIUS Profile to create one. The RADIUS profile records the information of the RADIUS server which acts as the authentication server during MAC-Based Authentication.

Configure a Network Access Server Identifier (NAS ID) for the authentication. Authentication request packets from the controller to the RADIUS server carry the NAS ID. The RADIUS server can classify users into different groups based on the NAS ID, and then choose different policies for different groups.

For the wireless network configured with both MAC-Based Authentication and Portal, if you enable this feature, a wireless client needs to pass only one authentication. The client tries MAC-Based Authentication first, and is allowed to try Portal authentication if it failed the MAC-Based Authentication. If you disable this feature as default, a wireless client needs to pass both the MAC-Based Authentication and portal authentication for internet access, and will be denied if it fails either of the authentication.

Select clients’ MAC address format which the controller uses for authentication. Then configure the MAC addresses in the specified format as usernames for the clients on the RADIUS server.

Click to allow a blank password for MAC-Based Authentication. With this option disabled, the password will be the same as the username.