Networking — How-To Guides

Step-by-step instructions for connecting your Abilis to the internet, configuring your local network, and keeping it secure. Every task is done through the Web Interface at Networking > Settings.

Table of Contents

  1. Configure LAN settings (IP address, subnet, gateway)
  2. Connect to the internet via LTE / SIM modem
  3. Connect via an Ethernet DSL modem (PPPoE)
  4. Connect with a fixed public IP (static WAN)
  5. Run several networks through one cable (VLANs)
  6. Set up a guest network with limited internet access
  7. Configure the default IP route
  8. Add a backup default route (two WAN lines)
  9. Set up the DHCP server
  10. Forward DHCP requests to another server (relay mode)
  11. Enable NAT to share one internet connection
  12. Apply NAT (or ACL) to a list of addresses
  13. Open a port to reach an internal device from outside (port forwarding)
  14. Configure DNS settings
  15. Block unwanted websites with DNS filtering
  16. Redirect all DNS requests through the Abilis
  17. Set up firewall rules (Access Control Lists)
  18. Block traffic between two internal subnets
  19. Send specific traffic down a specific line (PBR)
  20. Set up a VPN tunnel between two Abilis devices (AIPT2)
  21. Give a VPN tunnel a second path for redundancy
  22. Protect against brute-force attacks (IP Ban)
  23. Get notified when a new device appears on your network
  24. Monitor network devices with SNMP
  25. Access your own public services from inside the network (NAT loopback)
  26. Activate traffic analysis (TRFA)
  27. View traffic analysis (Line Load and Top 5)
  28. Set up Dynamic DNS
  29. Set up LTE as a backup internet connection (automatic failover)
  30. Monitor a voice tunnel between two Abilis
  31. Check the state of network interfaces
  32. Limit bandwidth on a connection (traffic shaping)
  33. Cap bandwidth per IP (IP Shaping)
  34. Restart a connection (WAN, VPN, tunnel)
  35. Internet is not working — what to check first

The Settings page has tabs across the top: Ports, Routings, NAT, ACL, IP Shaping, DHCP, DNS, FTP, HTTP. Each How-To below tells you exactly which tab to use.

Configure LAN settings (IP address, subnet, gateway)

Goal: Sets the IP address of the Abilis on your local network. This is the address every device on your LAN uses to reach the Abilis — and through it, the internet, phone system, and everything else. Getting this right is the foundation of your entire setup.

Why it matters: If two devices share the same IP, neither works. If the Abilis IP doesn't match what your devices expect, they can't reach it.

IP address — a number like 192.168.1.1 that uniquely identifies a device on a network. Subnet mask — defines how big your network is (e.g. 255.255.255.0 means 254 usable addresses). Gateway — the address of the device that connects your network to the outside world.
  1. Go to Networking > Settings > Ports.
    2. Settings > Ports — each row is a network interface.
    Settings > Ports — each row is a network interface.
  2. You see a table of all network ports. Each row shows: Status (green icon = active), Port (e.g. Ip-1), Subtype (LAN, WAN…), Over (physical interface like Eth-1), IP Address (e.g. 192.168.094.254/24), and Description.
  3. Click on the LAN port row (typically Ip-1 with Subtype "LAN" over Eth-1).
  4. A detail panel opens. Key fields:
    LAN port detail panel — IP address, mask, NAT zone.
    LAN port detail panel — IP address, mask, NAT zone.
  5. Expand IP Address Settings:
  6. Check the Network Address Translation (NAT) dropdown at the bottom — for a LAN port this must be INSIDE.
  7. Click Save.
If you change the IP address you will lose your browser connection immediately. Type the new address in your browser to reconnect. Write it down before clicking Save.
The "/24" after an IP (e.g. 192.168.094.254/24) is shorthand for subnet mask 255.255.255.0. It means "the first 24 bits identify the network." You will see both notations.
Advanced: CLI equivalent
The CLI command sequence for this task is documented in Chapter 84.1 — How to configure LAN settings of the old Abilis manual. A rewritten CLI guide is in preparation; this link will be updated when it is ready.

Connect to the internet via LTE / SIM modem

Goal: Gets your Abilis online using a mobile data connection (4G/LTE) through an LTE-BOX or SIM dongle.

LTE-BOX — a mobile broadband modem built into or connected to the Abilis. Uses a SIM card to connect to the cellular network. APN (Access Point Name) — a setting from your mobile operator that tells the modem how to connect.
Disable the SIM's PIN code first. Most SIMs ship with PIN-protection enabled. Either disable the PIN by inserting the SIM into a phone first and turning SIM-lock off, or enter the PIN in the modem's settings — otherwise the modem will silently fail to register and the connection will never come up.
  1. Insert the SIM card into the LTE-BOX and connect it to the Abilis.
  2. Go to Networking > Settings > Ports.
    3. Settings > Ports — each row is a network interface.
    Settings > Ports — each row is a network interface.
  3. Look for a port with Subtype "WAN" and Over "EthLte-1" or similar — this is your LTE modem.
  4. Click on it. Check Active is ticked.
  5. Set the APN to match your mobile operator. If you don't know it, call your operator or search "[operator name] APN settings." Common Italian examples: internet (generic), mobile.vodafone.it, ibox.tim.it.
  6. Set the NAT zone to OUTSIDE.
  7. Click Save.
  8. Go to Networking > Info — check the LTE connection shows a green status icon.
Advanced: CLI equivalent
The CLI command sequence for this task is documented in Chapter 84.10 — How to configure UMTS-BOX or LTE-BOX as gateway for the Internet of the old Abilis manual. A rewritten CLI guide is in preparation; this link will be updated when it is ready.

Connect to the internet via an Ethernet DSL modem (PPPoE)

Goal: Your ISP provided an ADSL or VDSL modem that plugs into the Abilis over Ethernet, and the line requires a username and password. The Abilis establishes a PPPoE session over the Ethernet link and uses the resulting connection as the internet gateway.

PPPoE resource showing Authentication fields and NAT OUTSIDE.
A PPPoE resource: Side (Type) set to WAN, Automatic IP Address (RETRIEVE), Authentication with username and password, NAT set to OUTSIDE.
PPPoE (Point-to-Point Protocol over Ethernet, RFC 2516) — a protocol that wraps an authenticated PPP session inside Ethernet frames. It is the standard access method for most European xDSL operators. Access Concentrator — the ISP-side equipment that terminates the PPPoE session at the other end of the line. Bridge mode — the modem hands raw Ethernet frames straight through to the Abilis, which does the PPPoE login itself. Routed mode — the modem terminates the line and acts as its own router (not what you want here). CHAP / PAP — the two authentication methods PPP can use; CHAP is challenge-based and more common, but the ISP picks which is required.

What you need from your ISP: the PPPoE username and password; whether the public IP is dynamic (assigned during the PPP session — most common) or fixed; whether the DSL link itself requires a VLAN tag (some operators do, most do not); and the service name, if the ISP specifies one.

Prerequisite — modem in bridge mode: the DSL modem must be configured by the ISP or by you as a transparent bridge. A modem in routed mode will not allow the Abilis to initiate the PPPoE session. If the modem shipped pre-configured in routed mode, factory-reset it and set bridge mode before going further. (The exact procedure varies by modem — usually a small reset hole on the back held with a paperclip for ten seconds, then a one-time login to the modem's own web interface to switch from routed to bridge mode. Consult the modem's own quick-start guide if the reset button isn't obvious.)

  1. Connect the DSL modem's Ethernet output to a free Ethernet port on the Abilis (for example Eth-2). Connect the telephone line to the modem and wait until the modem's DSL-sync LED stops blinking.
  2. If — and only if — your ISP requires a VLAN tag on the DSL link, prepare the Ethernet port first. See Run several networks through one Ethernet cable (VLANs) for the port-level VLAN setup; the PPPoE client you create below will then use the tagged sub-interface. If the line is untagged (the usual case), skip this step.
  3. Go to Networking > Settings > Ports and click New +. Create a new IP resource bound to the Ethernet port the modem is plugged into — this is the resource that will carry the PPPoE session and hold the ISP-assigned address.
  4. On the new resource panel, set:
  5. Fill in the PPPoE credentials: the ISP-supplied username and password, authentication mode (leave at the default — the ISP dictates CHAP or PAP), service name (blank unless specified by the ISP), and IP-assignment mode (dynamic for most lines; enter the reserved IP instead if the ISP has assigned a static public address).
  6. Enable DNS learning so the Abilis picks up the ISP's resolvers through the PPP session, and enable TCP MSS clamping on the connection. MSS clamping prevents the well-known failure where some HTTPS sites will not load over a PPPoE WAN because the PPP and Ethernet headers leave less room for TCP than the endpoints assume.
  7. Click Save. The Abilis starts PPPoE discovery on the Ethernet port; once the Access Concentrator responds and PPP authentication succeeds, the resource comes up with its assigned address.
  8. Add a default route through the new WAN — see Configure the default IP route. Its gateway should be OUT-IP so the route follows whichever address the ISP assigns on each session.
  9. Verify on Networking > Info. The new WAN resource should show a green status icon and the ISP-assigned address. Open a browser on the LAN and load a public site to confirm internet is reachable.
If the session will not come up: the most common cause is an incorrect username or password — check the boot log and SYSLOG output for PPP authentication failures. Other common causes: a required VLAN tag has not been configured on the Ethernet port; the modem is still in routed mode rather than bridge; the ISP's service name is required but not set.
Ethernet-connected DSL modems used this way do not support multiple VPI/VCI pairs or PPPoA/IPoA routed mode — those require a different modem type. If your ISP requires either, contact Anteklab to confirm which modem types your unit supports.
If a field name doesn't match exactly. The labels inside the PPPoE-specific panels (subtype name, username/password inputs, IP/DNS retrieval toggles, MSS clamping location) can vary slightly between firmware releases. The concepts above are stable; if a field isn't named verbatim on your unit, look for its semantic equivalent on the same panel.
Advanced: CLI equivalent
The CLI command sequence for this task is documented in Chapter 84.8 — How to configure ADSL/VDSL connections using Ethernet modems of the old Abilis manual. A rewritten CLI guide is in preparation; this link will be updated when it is ready.

Connect to the internet with a fixed public IP (static WAN)

Goal: Your ISP has assigned you a fixed public IP address on an Ethernet DSL/fibre modem. There is no login — the Abilis just needs to sit on the WAN link with the address you were given.

Static WAN resource with manual IP address, mask, and gateway.
A static WAN resource: Manual IP Address ticked, IP/Mask/Gateway filled in, NAT set to OUTSIDE.

What you need: the public IP address and subnet mask from your ISP, and the VLAN ID if the operator requires tagging on the line.

Two cases — identify which one you're in before starting:

  1. Connect the modem to a free Ethernet port on the Abilis.
  2. Go to Networking > Settings > Ports.
  3. Click New +.
  4. Click Save.
  5. On the IP resource panel, configure:
  6. Click Save.
  7. Add a default route through this line — see Configure the default IP route. If the ISP's equipment is a router rather than a bridged modem, also set the Gateway field to the router's LAN-side IP.
  8. Verify at Networking > Info — the port should go green.
Advanced: CLI equivalent
The CLI command sequence for this task is documented in Chapter 84.8.2 — How to configure an IPoE connection with static IP of the old Abilis manual. A rewritten CLI guide is in preparation; this link will be updated when it is ready.

Run several networks through one Ethernet cable (VLANs)

Goal: Carry two or more separate IP networks over the same physical Ethernet cable — for example a management network and a guest network, or several tagged networks coming from an upstream switch. Each network will appear on the Abilis as its own IP resource with its own address, NAT side, firewall rules, and traffic statistics.

VLAN (Virtual LAN) — a logical network that shares a physical Ethernet cable with other VLANs. Each VLAN is identified by a number (14094) added to the Ethernet frame as a tag. Untagged frames — traffic with no tag — belong to the default (native) VLAN.

How the Abilis represents VLANs: there is no dedicated VLAN page. VLAN is a property of each IP resource, set inside the resource's configuration panel. To carry three VLANs on one cable you create three IP resources, all pointing at the same Ethernet port as their Lower Resource, each with a different VLAN ID.

Hardware requirement: the Ethernet port the cable plugs into must support VLAN tagging. Gigabit NICs typically do; some older 100 Mbit/s ports do not. If the port does not support tagging, the configuration will refuse to save — the error tells you to try a different port.

Step 1 — Open the Ethernet port and enable multiple VLANs on it

By default an Ethernet port is configured to carry a single untagged network. To carry tagged VLANs on top of that, the port's tag capacity has to be raised first.

Tag capacity — the maximum number of tagged VLANs the port will accept. Default is 0 (untagged traffic only). Set this to the number of tagged VLANs you plan to carry on this cable, on top of the untagged native VLAN, not including it.
  1. Go to Networking > Settings > Ports.
  2. Open the row for the Ethernet port you plan to share (e.g. Eth-2). Its configuration panel opens on the right.
  3. Tick Advanced at the top of the panel to reveal the full set of fields, and raise the tag capacity to cover the number of tagged VLANs you intend to carry on this port — for four tagged VLANs on top of the native one, four is enough.
  4. Click Save.
A system restart is required for the port to pick up the new tag capacity. Plan the change for outside business hours, or before you start adding the individual VLAN resources in Step 2 (those don't need a reboot themselves).

Step 2 — Add one IP resource per VLAN

IP resource configuration panel — Description, Alert, Side (Type), Lower Resource, IP Address Settings (expanded), VLAN Settings (collapsed), Network Address Translation (NAT).
IP resource configuration panel. VLAN Settings is the collapsible section between IP Address Settings and NAT — expand it on each new resource to set that resource's VLAN ID.
  1. Still on Networking > Settings > Ports, click New +.
  2. In the add-resource dialog, pick a free IP slot (e.g. Ip-3) and choose the LAN subtype — the most common case, where the VLAN carries an ordinary routed LAN segment.
  3. Click Save. The new resource's configuration panel opens.
  4. Set the basics:
  5. Expand IP Address Settings, tick Manual IP Address, and fill in the address and mask the Abilis will hold on this VLAN. Leave the gateway at 0.0.0.0 on a LAN-side VLAN — the gateway is only set on a WAN resource that has an upstream next-hop.
  6. Expand VLAN Settings and enter the VLAN tag (the 1–4094 number configured on the upstream switch). Leave the setting at its default only if this resource is meant to carry the untagged (native) VLAN on the port.
  7. Set Network Address Translation (NAT):
  8. Click Save.
  9. Repeat steps 1–8 for each additional VLAN on the same Ethernet port. All the new resources share the same Lower Resource (Eth-2), each with its own VLAN ID.
After saving, each VLAN appears as its own row in the Ports table with its own status icon, address, and statistics. The upstream switch or router port connected to this cable must be configured as a trunk and must tag traffic with the matching VLAN IDs — otherwise the Abilis receives frames that do not match any of your tagged resources and they are dropped.
If you are configuring a guest VLAN specifically, the guest-network worked example — Set up a guest network with limited internet access — follows the steps above and then adds the firewall rules that keep guests off the main LAN.
Field labels — verify against your unit. The exact labels inside the VLAN Settings accordion and the advanced Ethernet-port panel (the tag-capacity field in Step 1, the tag-value field in Step 2) may vary slightly by GUI release. The concepts above — raise the port's tag capacity; then one IP resource per VLAN sharing the Ethernet Lower Resource, each with its own tag — are stable.
Advanced: CLI equivalent
The CLI command sequence for this task is documented in Chapter 84.5 — How to assign a VLAN for an Ethernet interface of the old Abilis manual. A rewritten CLI guide is in preparation; this link will be updated when it is ready.

Set up a guest network with limited internet access (worked example)

Goal: You want visitors — customers in a waiting room, contractors, family members at home — to get internet without being on your business LAN. Guests should reach the internet, nothing on your internal network, and not be able to saturate your line.

Guest VLAN — office and guest networks on separate VLANs, both reach internet.
Office and guest devices run on separate VLANs through a managed switch. The Abilis has an IP on each VLAN and an ACL blocking traffic between them.
VLAN Settings expanded showing TAG mode and VLAN Identifier.
Expand VLAN Settings on the guest resource. Set it to TAG and enter the VLAN Identifier your switch uses for the guest network.

This is a worked example that ties several how-tos together. Each step points at the focused how-to for the detail.

  1. Add a guest IP resource on a VLAN. Pick a VLAN tag not used elsewhere (e.g. 100) and a fresh subnet for the guests (e.g. 192.168.100.0/24). Follow Run several networks through one Ethernet cable (VLANs) to create the VLAN, and give the new resource a clear description like Lan_guest. Set NAT zone to INSIDE.
  2. Give the guest VLAN its own DHCP pool. On the new resource, follow Set up the DHCP server. The pool comes from the guest subnet automatically. For DNS: leave it as the Abilis (Ip-1) if you want your DNS-filtering rules to apply to guests too; set it to an external resolver (e.g. 8.8.8.8) if you'd rather guests bypass your filtering and go straight to public DNS.
  3. Restrict what guests can reach. Go to Set up firewall rules (Access Control Lists) and add two rules at a high priority: The order matters: the deny rule must be evaluated first (lower priority number).
  4. Cap the bandwidth. Follow Cap bandwidth per IP address or subnet (IP Shaping) to limit the whole guest subnet to, say, 30% of your WAN capacity. Guests stay usable for web and video calls; they can't starve the business traffic.
  5. (Optional) Block business-hours access. If the guest network should only be live when the office is closed (or vice versa), add an ACL rule with a time condition. This is supported directly in the ACL rule editor.
  6. Plug the guest VLAN into the switch — either a dedicated port tagged with VLAN 100, or a WiFi SSID that the access point maps to VLAN 100. From the guest's point of view, this is an ordinary internet connection; they have no visibility into your business network.
The same pattern scales to three, four or more isolated networks on the same physical cable — a staff VLAN, a VoIP phones VLAN, a cameras VLAN, and a guest VLAN — each with its own subnet, DHCP range, bandwidth cap, and ACL posture. Build them one at a time and test each before adding the next.
Advanced: CLI equivalent
The CLI command sequence for this task is documented in Chapter 84.5 — How to assign a VLAN for an Ethernet interface of the old Abilis manual. A rewritten CLI guide is in preparation; this link will be updated when it is ready.

Configure the default IP route

Goal: Tells the Abilis where to send traffic that isn't destined for the local network. Without a default route, the Abilis can talk to LAN devices but nothing beyond: no websites, no email, no VPN.

Analogy: Routing is like road signs. The default route is the sign that says "for everything else, take this highway."

  1. Go to Networking > Settings > Routings.
    2. Routings table — default routes and their status.
    Routings table — default routes and their status.
  2. Look for a route with destination any and gateway OUT-IP — that is the default route. It tells the Abilis "for any traffic not going to a local network, send it out through this WAN port."
  3. If it exists, verify the Output port column shows the correct WAN interface (e.g. Ip-5) and the status icon is green.
  4. If it doesn't exist, click New +:
  5. Click Save.
Two default routes pointing to different output ports create automatic failover. In the example above, Ip-5 (green) is the active primary route and Ip-3 (red) is the backup that takes over if the primary goes down.
Advanced: CLI equivalent
The CLI command sequence for this task is documented in Chapter 84.12 — How to configure the default IP route of the old Abilis manual. A rewritten CLI guide is in preparation; this link will be updated when it is ready.

Add a backup default route (two WAN lines, automatic failover)

Goal: You have two WAN lines — a primary (e.g. fibre) and a backup (e.g. a second DSL or LTE line) — and you want the Abilis to send all internet traffic through the primary, and only switch to the backup if the primary fails.

How it works: you add a second default route with a higher metric. The Abilis always prefers the route with the lowest metric. The backup route stays dormant until the primary goes down, then takes over automatically, then hands back when the primary recovers.

Metric — a priority number attached to a route. When two routes lead to the same destination, the Abilis picks the one with the lower metric. Three names for the same number: this how-to calls it Metric, the Routings table column is labelled AD (Priority), and the v9.0 reference manual calls it Administrative Distance. They are all the one column.
  1. Make sure both WAN lines are configured and appear green in Networking > Info.
  2. Go to Networking > Settings > Routings.
    3. Routings table — default routes and their status.
    Routings table — default routes and their metrics.
  3. Confirm the existing default route (destination any) points to the primary WAN port and note its metric (usually 1).
  4. Click New + and add the backup default route:
  5. Click Save. Both routes now appear in the table — the primary active, the backup dormant.
To test failover, disconnect the primary WAN cable for a minute. The Abilis should switch to the backup within seconds; reconnecting the primary returns traffic to it automatically. For the LTE-specific variant, see Set up LTE as a backup internet connection.
Advanced: CLI equivalent
The CLI command sequence for this task is documented in Chapter 84.12.3 — How to configure an alternative default IP route of the old Abilis manual. A rewritten CLI guide is in preparation; this link will be updated when it is ready.

Set up the DHCP server

Goal: Makes the Abilis automatically hand out IP addresses to every device that connects. Without DHCP you'd need to manually configure an IP on every computer, phone, and printer.

DHCP (Dynamic Host Configuration Protocol) — automatically assigns IP addresses, gateway, and DNS information to devices when they connect.
  1. Go to Networking > Settings > DHCP.
  2. On a fresh system you see "DHCP protocol table" with a Disabled checkbox. Click on it.
    3. DHCP tab on a fresh system — Disabled.
    DHCP tab on a fresh system — Disabled.
  3. A dialog opens titled Ip-1 | Lan_for_Ip-1 with three tabs: Settings, Manually assigned addresses, Automatically assigned addresses.
  4. On Settings:
    DHCP Settings — Mode, Pool, Gateway, DNS.
    DHCP Settings — Mode, Pool, Gateway, DNS.
  5. Under Profile:
  6. Click Save.

Reserving a fixed address for a device

How DHCP works — the 4-step handshake between device and server.
How DHCP works — the 4-step handshake between device and server.

Devices like printers or cameras should always have the same IP. Use manual assignment instead of configuring a static IP on the device itself.

  1. In the DHCP dialog, go to the Manually assigned addresses tab.
  2. Click Add manual DHCP record +.
  3. Enter the device's MAC address and the IP address you want to reserve.
  4. Click Save.
The Automatically assigned addresses tab shows every device that received an address from the pool — the quickest way to see "what's connected right now."
Advanced: CLI equivalent
The CLI command sequence for this task is documented in Chapter 84.23 — How to activate the DHCP resource of the old Abilis manual. A rewritten CLI guide is in preparation; this link will be updated when it is ready.

Forward DHCP requests to an existing DHCP server (relay mode)

Goal: You already have a DHCP server somewhere on your network (a Windows server, a central appliance, a different router) and you want the Abilis to pass DHCP requests from its LAN through to that server instead of answering them itself. The server keeps control of address assignments; the Abilis just passes messages back and forth.

Why use it: centralised control of addresses across many sites, or reservations configured on an existing corporate DHCP server that the Abilis shouldn't override.

This is an enterprise / multi-site pattern. If your office has just one Abilis and one network, you almost certainly want plain Server mode (the previous how-to). Use Relay only when there is an upstream DHCP server you must hand off to.
  1. Note the IP address of the existing DHCP server (for example 192.168.1.250) — you will enter it in step 5.
  2. Go to Networking > Settings > DHCP.
  3. If DHCP is disabled, click the Disabled checkbox to enable it. The DHCP configuration dialog opens.
    4. DHCP tab on a fresh system — Disabled.
    DHCP tab — click to enable and open the configuration dialog.
  4. On the Settings tab, set DHCP Mode to Relay.
  5. In the DHCP Server field, enter the IP address of your existing DHCP server.
  6. Click Save.
  7. Test — connect a computer to the Abilis LAN. It should receive an address from the upstream DHCP server, not from the Abilis itself. In Networking > Info you can check the DHCP log to see the relayed requests.
In relay mode the Abilis does not hand out addresses on its own. If the upstream DHCP server is unreachable, LAN clients cannot obtain an address and your network will stop working for new devices. Make sure the link to the DHCP server is reliable before switching from server mode to relay mode.
Advanced: CLI equivalent
The CLI command sequence for this task is documented in Chapter 84.23.1 — How to activate the DHCP in relay mode of the old Abilis manual. A rewritten CLI guide is in preparation; this link will be updated when it is ready.

Enable NAT to share one internet connection

Goal: Lets all devices on your LAN share a single internet connection. Without NAT, only the Abilis itself could access the internet.

How it works: When your PC requests a webpage, the Abilis rewrites the request so it appears to come from its own public IP. When the reply arrives, the Abilis forwards it back to your PC. The outside world only ever sees the Abilis's address.

NAT (Network Address Translation) — hides your private network behind one public IP. Source NAT rewrites the sender's address on outgoing traffic. Destination NAT rewrites the receiver's address on incoming traffic (port forwarding).

The NAT table at Networking > Settings > NAT has these columns:

Rules are checked in number order, starting from the smallest. The Abilis reads the PR column top-down (0, then 1, then 2…) and uses the first rule that matches the traffic. Anything below it is ignored.
NAT table — two rules: DNS redirect and Source NAT for internet sharing.
NAT table — two rules: DNS redirect and Source NAT for internet sharing.
ColumnMeaning
PRPriority — rules are processed lowest number first.
Inbound / OutboundNAT zones (INSIDE = LAN, OUTSIDE = internet).
TypeSource or Destination.
Pre-NAT Source/Destin. Addr + PortOriginal addresses before translation. * = any.
Post-NAT Address + PortWhat the address gets rewritten to. OUT-IP = the Abilis public IP.
PATPort Address Translation. With PAT on, the rule rewrites the port number too, not just the IP. This is what lets many internal devices share one public IP — the port number is how the Abilis tells responses apart.
ProtocolWhich protocol this rule applies to (* = all, UDP, TCP…).

Typical setup: two rules

#TypePurpose
0DestinationDNS Redirect — intercepts all DNS traffic (port 53) and sends it to the Abilis DNS service. Makes DNS filtering work and ensures caching even if a device has a different DNS configured.
1SourceInternet sharing — rewrites the source of all outgoing LAN traffic to the Abilis's public IP (OUT-IP). This is what actually gives your devices internet access.

Adding a Source NAT rule

This example creates rule #1 from the default setup — the rule that gives all LAN devices internet access.

About address fields. In NAT (and ACL) address fields you can type a literal IP/range, or a resource name like Ip-1 — Abilis expands a resource name to "any address that resource owns." Cleaner than typing the subnet, and self-updating if the subnet changes.
New NAT rule dialog — all the fields for a Source NAT rule.
New NAT rule dialog — all the fields for a Source NAT rule.
How NAT works — translating addresses between Inside and Outside zones.
How NAT works — translating addresses between Inside and Outside zones.
  1. Go to Networking > Settings > NAT, click New +.
  2. Fill in:
  3. Click Save.
The finished NAT table should show two rules: rule 0 (Destination — DNS redirect through the Abilis) and rule 1 (Source — internet sharing via OUT-IP). Both use INSIDE → OUTSIDE zones.
NAT rules are powerful but easy to misconfigure. Follow the examples above carefully and always test internet access immediately after saving. If you lose connectivity, the issue is almost always a wrong zone (INSIDE/OUTSIDE) or a missing Source NAT rule. If the unit becomes unreachable, connect a computer directly to a LAN port (bypassing any switch) and revert the change from there.
Advanced: CLI equivalent
The CLI command sequence for this task is documented in Chapter 84.13 — How to configure Network Address Translation (NAT) of the old Abilis manual. A rewritten CLI guide is in preparation; this link will be updated when it is ready.

Apply NAT (or a firewall rule) to a list of addresses

Goal: Instead of writing a separate NAT or ACL rule for each subnet or host, define the group of addresses once as a List, then have one rule reference the list. When the list changes, every rule that uses it updates automatically.

Typical use cases: "NAT only the corporate LAN, not the guest VLAN"; "block all traffic from this known-bad set of IPs"; "allow SSH only from the office subnets". In each case the rule stays tidy and the list can be edited on its own.

  1. Create the list. Go to Tools > Lists.
    2. Lists — existing lists with Name, Type, Description.
    Tools > Lists — the place to define named groups of addresses.
  2. Click Add a new list + and fill in:
  3. Click Save, then open the new list and add the entries — one line per IP, range, or subnet (e.g. 192.168.94.0/24).
  4. Now reference the list in a NAT rule. Go to Networking > Settings > NAT and click New +.
  5. In the source or destination address field, instead of typing a single IP, pick the list you just created (entry format list:corp_hosts).
  6. Fill in the rest of the NAT rule as normal — translation type, post-NAT address, direction — and click Save.
The same pattern works in ACL firewall rules, in DNS filtering, and anywhere else the GUI accepts a list reference. To add or remove addresses later, edit the list only — every rule that uses it picks up the change.

Open a port to reach an internal device from outside (port forwarding)

Port forwarding — external port mapped to an internal device.
Port forwarding — external port mapped to an internal device.

Goal: Makes a device on your LAN accessible from the internet. Example: your camera at 192.168.1.50:80 becomes reachable at your-public-ip:8080.

Why 8080 externally instead of 80? Two reasons: (1) port 80 on the Abilis itself is taken by its own web interface, so a port forward can't grab it; (2) using a non-standard external port noticeably reduces drive-by attacks — most automated scanners only probe well-known ports.
  1. Go to Networking > Settings > NAT, click New +.
  2. Set Translation Type: Destination.
  3. Tick Port Address Translation.
  4. Set Pre-NAT Destination Address Port: the external port (e.g. 8080).
  5. Set Post-NAT Address: the internal device IP (e.g. 192.168.1.50).
  6. Set Post-NAT Address Port: the internal port (e.g. 80).
  7. Click Save.
Only forward ports to password-protected devices. Never expose management interfaces without proper security.
Advanced: CLI equivalent
The CLI command sequence for this task is documented in Chapter 84.15 — How to access IP hosts behind a NAT manager (port forwarding) of the old Abilis manual. A rewritten CLI guide is in preparation; this link will be updated when it is ready.

Configure DNS settings

Goal: Controls how the Abilis resolves domain names into IP addresses. The Abilis can act as a DNS server for your whole network, caching results and enabling filtering.

Two confusing labels on this page. Public DNS Solver (DNS Relay) means "answer DNS queries from LAN devices, relaying upstream when needed" — almost always tick this. Private DNS Solver (DNS Server) means "store your own local records like printer.office" — only tick this if you have local-only names to publish. Despite the names, neither setting exposes anything to the public internet.
  1. Go to Networking > Settings > DNS.
  2. Make sure Enabled is ticked.
  3. Under DNS Choice:
    DNS settings — Primary 8.8.8.8, Secondary 8.8.4.4, DNS Relay enabled.
    DNS settings — Primary 8.8.8.8, Secondary 8.8.4.4, DNS Relay enabled.
  4. Use DNS Cache — leave ticked. Default Size: 500 entries is fine. Click DNS Cache Table to see what's currently cached.
  5. Use as Private DNS Solver (DNS Server) — tick only if you need local DNS records (e.g. printer.office).
  6. Use as Public DNS Solver (DNS Relay) — tick this so the Abilis answers DNS queries from LAN devices. This is the standard setting.
  7. Click Apply Changes.
If DHCP points devices to Ip-1 as their DNS (see DHCP above), the Abilis receives all DNS queries and can cache them and apply filtering.

Block unwanted websites with DNS filtering

Goal: Prevents devices from accessing specific websites by blocking them at the DNS level. When a device tries to visit a banned domain, the Abilis refuses to resolve the name.

DNS filtering — the Abilis checks each DNS request against a blocklist.
DNS filtering — the Abilis checks each DNS request against a blocklist.

How it actually works: This is not a simple category checkbox system. It's a blacklist/whitelist system that you manage through domain lists.

  1. Go to Administration > DNS filtering.
  2. Two tabs: DNS Blacklist and DNS Whitelist.
  3. The DNS Blacklist page shows:
    DNS Blacklist — resolved domains log with ban buttons.
    DNS Blacklist — resolved domains log with ban buttons.
  4. To block a domain: find it in the Resolved Domains log and click the ban icon, or click Banned domain » and type it manually.
  5. To manage the bypass/exclude lists, go to Tools > Lists.
For filtering to work, all DNS traffic must go through the Abilis. Set DHCP Primary DNS to Ip-1, and add a DNS redirect rule in NAT (see below).

Redirect all DNS requests through the Abilis

Goal: Forces every DNS request on your network through the Abilis, even from devices with a different DNS configured (like 8.8.8.8). Without this rule, a device can bypass your DNS filtering simply by using Google DNS.

DNS redirect — without the rule, devices with hardcoded DNS bypass Abilis filtering; with the rule, the NAT rewrites the destination so all DNS traffic is filtered.
Without the redirect rule, a device with its own DNS (e.g. 8.8.8.8) bypasses Abilis filtering. With the rule, the NAT rewrites the destination of any port-53 traffic back to the Abilis, so every device is filtered — whether it wants to be or not.
  1. Go to Networking > Settings > NAT.
  2. Check if a DNS redirect rule already exists (look for a Destination rule with port 53 and 'ToDNS').
  3. If not, click New +:
  4. Click Save.
Give this rule a lower priority number than the Source NAT rule so DNS traffic is redirected before it gets sent to the internet.
Advanced: CLI equivalent
The CLI command sequence for this task is documented in Chapter 84.17 — How to redirect DNS requests to Abilis of the old Abilis manual. A rewritten CLI guide is in preparation; this link will be updated when it is ready.

Set up firewall rules (Access Control Lists)

Goal: Controls which traffic is allowed and which is blocked. Rules are checked top to bottom by Priority number — first match wins.

ACL (Access Control List) — a list of allow/deny rules. Rules can reference Lists (from Tools > Lists) instead of individual addresses, making management much easier.
List-reference syntax. List names go in single quotes'blackip', 'Firewall'. The quotes tell Abilis "this is a named list, not a literal IP." Without the quotes the value is parsed as an address and the rule fails to save.

The ACL table at Networking > Settings > ACL:

Rules are checked in number order, starting from the smallest. The Abilis reads the PR column top-down (0, then 1, then 2…) and uses the first rule that matches the traffic. The rest are ignored. So a specific permit exception must have a smaller PR than the broader deny rule, or it will never be reached.
ACL table — firewall rules using list references.
ACL table — firewall rules using list references.
ColumnMeaning
PRPriority (evaluation order).
TypeDeny or Allow.
IPCOSIP Class of Service (Default for most rules).
Source / Destination Addresses RangeIP addresses, ranges, or list names in quotes (e.g. 'Firewall', 'blackip').
Protocol* = all protocols.
Port SelectionPO = port-based. Can reference a port list.

Adding a rule

New ACL rule — Deny Blacklisted using list references.
New ACL rule — Deny Blacklisted using list references.
How ACL rules are evaluated — top to bottom, first match wins.
How ACL rules are evaluated — top to bottom, first match wins.
  1. Go to Networking > Settings > ACL, click New +.
  2. Fill in:
  3. Click Save.
The power of Abilis ACL is Lists. Create one list called 'blackip' with 50 addresses at Tools > Lists, then one ACL rule referencing 'blackip'. Much easier than 50 separate rules.
A wrong Deny rule can lock you out. Test immediately. If you do lock yourself out, connect a computer directly to a LAN port on the Abilis (bypassing any switch, router, or VLAN), set its address to the same subnet, and revert the rule from there.

Block traffic between two internal subnets

Goal: Two internal networks are both attached to the Abilis — for example, an office LAN and a separate CCTV-cameras subnet, or a production network and a management network. They should reach the internet, but they should not reach each other. A compromised camera must not be able to scan the office.

Route restriction — two subnets share the Abilis but an ACL keeps them apart.
One ACL Deny rule blocks traffic between the two subnets while both share the same internet connection.
ACL rule dialog — Deny rule blocking traffic between two subnets.
An ACL rule with Access List Type set to Deny. Source and Destination IP Addresses Range are set to the two private subnets that should not reach each other.

Unlike NAT or firewall-to-WAN rules, this is strictly internal — LAN-to-LAN isolation enforced by the Abilis's ACL as it routes between the two subnets.

  1. Confirm both subnets are configured — each with its own IP resource and LAN setup. See Configure LAN settings for each side.
  2. Go to Networking > Settings > ACL.
  3. Click New + and add the deny rule:
  4. If the block needs to be bidirectional (cameras also can't reach office), add a second rule mirroring source and destination.
  5. Click Save. ACL rules take effect immediately.
  6. Test — from a host on subnet A, try to ping a device on subnet B. It should fail. Internet access from both sides should still work (no NAT rules were changed).
If you also want selective access — e.g. allow office hosts to reach one specific camera on the cameras subnet but nothing else — add a permit rule for that exact source-destination pair at a higher priority than the deny rule. First-match wins, so the more specific permit fires before the broad deny.

Send specific traffic down a specific line (Policy-Based Routing)

Goal: You have two WAN lines and want certain traffic to always go out through a specific one — for example, all VoIP traffic through the fibre line (low latency), everything else through the LTE backup. Normal routing only looks at the destination; policy-based routing can decide based on source, protocol, and ports.

Policy-based routing — VoIP pinned to fibre, general traffic uses either line.
A routing rule with a protocol filter forces VoIP down the fibre for quality while browsing and email can use whichever line is available.
Policy-Based Routing (PBR) — a feature that overrides the normal routing table based on rules about the traffic itself (who sent it, what protocol, what ports). On the Abilis, PBR isn't a separate page or feature — it's a side-effect of the ACL editor. You write an ACL rule with action permit and fill in the Output resource field. That combination tells the Abilis: "let this traffic through, AND send it out via that specific port." A regular deny rule (no output resource) just drops the traffic; a regular permit rule (no output) lets it route normally.
  1. Identify the traffic you want to redirect — for example: LAN host 192.168.1.50, UDP, destination port 5060 (SIP).
  2. Identify the WAN line you want that traffic to use — for example Ip-5 (fibre).
  3. Go to Networking > Settings > ACL.
    4. ACL New rule — Priority, Action, Source, Destination, Protocol, Output.
    ACL — new rule with source, destination, protocol, and output resource.
  4. Click New +. Configure:
  5. Click Save. ACL rules take effect immediately — no restart needed.
  6. Test — send traffic that matches the rule. You can confirm the path it takes at Networking > Info by watching the Line Load on the chosen output port. If you have it, Tools > IP Flow Tracer shows the exact route each packet follows.
ACL rules are evaluated in order of priority. If you already have a broad permit any rule at priority 1, your PBR rule must sit at a higher priority (lower number) to be matched first.

Set up a VPN tunnel between two Abilis devices (AIPT2)

VPN tunnel — two sites connected securely through the internet.
VPN tunnel — two sites connected securely through the internet.

Goal: Creates a secure encrypted connection between two Abilis units. Devices at both sites can communicate directly across the internet — as if connected by a virtual cable.

AIPT2 (Abilis IP Tunnel version 2) — the current Abilis VPN protocol, optimised for data and voice with improved encryption and performance over the original AIPT. A tunnel can have up to 6 paths configured. Normally one path carries the traffic; backup paths stay on standby and activate when the primary degrades or the bandwidth-on-demand feature kicks in.

A tunnel always has two sides: one Abilis acts as the server, the other as the client. Both sides must be configured with matching parameters. Below is the full walkthrough.

Which side is server, which is client? Pick whichever side has the more stable public IP as the server — the client connects out to it. If one site is behind a dynamic IP or CGNAT, that side should be the client. If both sides have stable public IPs, the choice is arbitrary.

Step 1 — Create a new AIPT2 resource

  1. Go to Networking > Settings > Ports.
    2. Networking > Settings > Ports tab.
    Networking > Settings > Ports — click New + to add a resource.
  2. Click New +. The "Add new resource" dialog opens.
    3. Add new resource — Resource Ip-7, Subtype AIPT2.
    Add new resource — select an IP resource and set Subtype to AIPT2.
  3. Set:
  4. Click Save. The tunnel configuration panel opens.

Step 2 — Configure the tunnel

AIPT2 tunnel configuration — tunnel side, ports, purpose, neighbour, WAN paths, authentication.
AIPT2 tunnel configuration — all main settings with the example network diagram.

The configuration panel has these sections:

Tunnel identity

FieldWhat to set
Tunnel sideclient or server. One Abilis must be the server, the other the client.
Tunnel side dropdown — client or server.
Tunnel side — choose client or server.
The tunnel uses IP port / nameThe IP resource name (e.g. Ip-8) that binds this tunnel to a port slot on this Abilis. Auto-filled from the resource you created in Step 1; you don't change it here.
This tunnel listens on UDP portDefault: 4008. Must match on both sides.
Remote end UDP port# means same as local. Set a specific port if the remote side uses a different one.

Purpose

Purpose dropdown — VPN site to site, VPN for remote access, Client to the internet.
Purpose — determines the tunnel's role.
OptionUse case
VPN site to siteConnect two fixed locations (e.g. office ↔ villa). Both sides have a LAN.
VPN for remote accessA mobile user or single device connects into a site.
Client to the internetRoute all internet traffic through the remote Abilis (e.g. for secure browsing).

Connection treatment type tells the Abilis what kind of traffic will flow through the tunnel, so it can optimise accordingly:

Connection treatment type dropdown — none, VPN, Voip, Surfing, Streaming, Mobile.
Connection treatment type — optimises traffic handling for the selected use case.
TypeOptimised for
noneNo special treatment — generic traffic.
VPNGeneral VPN data traffic.
VoipVoice calls — prioritises low latency and jitter.
SurfingWeb browsing — balances latency and throughput.
StreamingVideo/audio streaming — prioritises sustained throughput.
MobileMobile connections — handles variable link quality.

Neighbour Router — the IP address and subnet mask of the remote Abilis's LAN. (Despite the field name, this is the remote LAN's network address, not a router on the link.) Use the remote site's LAN subnet — in the example diagram: the server has LAN 192.168.0.0/24, the client has LAN 192.168.1.0/24.

WAN Paths

WAN Paths — port selection dropdown showing available interfaces.
WAN Paths — select which internet connections the tunnel can use.

A WAN path defines which internet connection the tunnel uses to reach the remote Abilis. You can add up to 6 paths for redundancy.

Authentication methods

Choose how the two Abilis units verify each other's identity:

Step 3 — Advanced parameters

Click Expand advanced parameters (top right) to access three sections:

Packet handling, redundancy, and fallback

Advanced — Encryption, Compression, MTU, IPsec, tunnel redundancy options.
Packet handling — encryption, fragmentation, error correction, bandwidth on demand.
SettingDefaultPurpose
Include Tunnel in IPSEC serviceWraps the tunnel inside an additional IPsec layer for extra encryption.
Fragment packets (FRAGSIZE)1480 bytesMaximum packet size before fragmentation. 1480 is the standard 1500-byte Ethernet MTU minus typical tunnel overhead. Lower the value if you see packet loss on the tunnel; raising it usually doesn't help.
Reorder timeout5000 msHow long to wait for out-of-order packets before giving up.
Buffer size for received packets250 KBReceive buffer. Increase for high-throughput tunnels.
Output buffers1000Transmit queue depth.
Forward Error CorrectionAdds redundant data so the receiver can recover lost packets without retransmission. Costs bandwidth, improves reliability.
Bandwidth on demand using backup pathsWhen ticked, backup paths join the active path during congestion to add capacity (essentially load-balancing under pressure). When unticked, backup paths only activate on primary failure (traditional standby behaviour).

Advanced routing

Advanced routing — auto-export routes, traffic shaping.
Advanced routing — automatic route export and traffic shaping.

Monitoring and Logging

Monitoring — state change handling, log type, SNMP traps, alert channel, TRFA.
Monitoring and Logging — alerts, logging, and traffic analysis for the tunnel.

Step 4 — Save and verify

  1. Click Save to apply the configuration.
  2. Repeat the same process on the remote Abilis, setting it as the opposite side (if this one is client, the remote must be server). The UDP port, authentication, and neighbour settings must match.
  3. Go to Networking > Info, expand VPN Connections.
  4. The VPN matrix shows colour-coded quality bars for each tunnel across time windows (5 sec, 1 min, 15 min, 1 hour).
  5. Colours: green = healthy, yellow = fair, orange = degraded, red = almost unusable, black = down, grey = inactive. (Same scheme as the VPN Connections matrix on the Info tab.)
  6. Click a connection name to see Line Load (bandwidth graph) and Top 5 (who's using it).
If the tunnel stays red or black after configuration, verify that the remote Abilis is reachable on the specified UDP port (default 4008), that the authentication method and credentials match on both sides, and that any firewalls between the two sites allow UDP traffic on that port. Also check Networking > Info on both units to confirm WAN connectivity is healthy.
Advanced: CLI equivalent
The CLI command sequence for this task is documented in Chapter 84.21 — How to configure a VPN tunnel between two Abilis of the old Abilis manual. A rewritten CLI guide is in preparation; this link will be updated when it is ready.

Give a VPN tunnel a second path for redundancy

Goal: You have two WAN lines at each site, and you want your AIPT2 VPN tunnel to keep working even if one of the WAN lines fails. The tunnel uses both paths for resilience — if the primary drops, traffic carries on over the backup without the call or session breaking.

Prerequisite: the basic tunnel is already working between the two Abilis — if not, configure it first via Set up a VPN tunnel between two Abilis devices (AIPT2).

  1. Open the tunnel on the first Abilis: go to Networking > Settings > Ports and click the AIPT2 IP resource (e.g. Ip-8).
  2. Scroll to the WAN Paths section.
    3. WAN Paths — port selection and Add Wan path button.
    WAN Paths — where extra tunnel paths are added for redundancy.
  3. Click Add Wan path. A new row appears.
  4. Expand advanced parameters (top right). Under Packet handling, redundancy, and fallback:
  5. Click Save.
  6. Repeat on the second Abilis — add its own second WAN path with the matching remote IP from the first Abilis. The two configurations mirror each other.
  7. Verify at Networking > Info > VPN Connections — both paths should show traffic under the tunnel entry.
Pair this with alerting. In the tunnel's Monitoring and Logging advanced panel, tick Export events to alert channel so you get an SMS or email when the tunnel switches paths — useful if a WAN line has been down for a while without anyone noticing.
Advanced: CLI equivalent
The CLI command sequence for this task is documented in Chapter 84.21.4 — VPN tunnel with the double-path option of the old Abilis manual. A rewritten CLI guide is in preparation; this link will be updated when it is ready.

Protect against brute-force attacks (IP Ban)

Goal: Automatically blocks IP addresses that repeatedly fail to log in. The IP Ban agent is always active — you don't enable it, you configure its sensitivity.

IP Ban — repeated failed logins cause the attacker's IP to be blocked automatically.
IP Ban — repeated failed logins cause the attacker's IP to be blocked automatically.

Viewing ban status

  1. Go to Networking > Info, scroll to IP Ban.
    2. IP Ban section in Networking > Info.
    IP Ban section in Networking > Info.
  2. The header shows: "Banned X attackers responsible for Y malicious trials".
  3. Expand it to see banned IPs and two buttons:
    IP Ban section — Unban Addresses and IP Ban Settings buttons.
    IP Ban section — Unban Addresses and IP Ban Settings buttons.

Configuring thresholds

  1. Click IP Ban Settings. The Preferences dialog opens.
    2. IP Ban Preferences — thresholds and ban duration.
    IP Ban Preferences — thresholds and ban duration.
  2. Configure:
  3. Click Save and apply all changes.
The notice at the bottom of IP Ban Settings explains that thresholds can be customised per attacked port, and you can set up a whitelist to exempt certain IPs (e.g. your own office). Both are CLI-only — see the v9.0 reference manual under keyword IPBAN preferences.
Advanced: CLI equivalent
The CLI command sequence for this task is documented in Chapter 83.33 — How to prevent brute-force attacks of the old Abilis manual. A rewritten CLI guide is in preparation; this link will be updated when it is ready.

Get notified when a new device appears on your network

Goal: The Abilis continuously scans your LAN for devices using ARP. You can see every connected device and set up alerts for unknown ones.

ARP alert — the Abilis detects unknown devices appearing on your network.
ARP alert — the Abilis detects unknown devices appearing on your network.

Viewing connected devices

  1. Go to Networking > Info > LAN Connections > ARP Monitor.
    2. ARP Monitor — Monitored tab with device status.
    ARP Monitor — Monitored tab with device status.
  2. Three sub-tabs:

Setting up alerts

  1. Click New Host Alert (top right).
    2. New Host Alert — choose the notification method.
    New Host Alert — choose the notification method.
  2. Choose alert channel: No, 1-Email, 2-SMS, 3-Call, 4-Digital Output.
  3. Click Save.

Adding a device to monitoring

  1. Either click + Add To Monitor on an Unknown Host, or click New + to enter details manually.
  2. Set IP, MAC, description, and monitoring parameters.
  3. Click Save.
Practical workflow: check Unknown Hosts regularly. Click Add To Monitor on devices you recognise. Any device you don't recognise is worth investigating.

Monitor network devices with SNMP

Goal: Lets you watch specific services on network devices (switches, printers, servers) and get alerted when they go down. The Abilis periodically asks "are you alive?" and raises an alarm if the answer stops coming.

SNMP (Simple Network Management Protocol) — a standard for monitoring network devices. The Abilis acts as an SNMP manager that polls other devices for status.
  1. Go to Networking > Info > LAN Connections > SNMP Monitor.
  2. Click New +.
  3. Fill in:
    SNMP monitoring setup — service name, community, OID, alert channel.
    SNMP monitoring setup — service name, community, OID, alert channel.
  4. Click Submit.
The SNMP Monitor tab shows each service with State (green tick / red cross). When a service goes down and stays down past the tolerated time, the alert fires.
Advanced: CLI equivalent
The CLI command sequence for this task is documented in Chapter 84.27 — How to activate the SNMP agent of the old Abilis manual. A rewritten CLI guide is in preparation; this link will be updated when it is ready.

Access your own public services from inside the network (NAT loopback)

Goal: Fixes a common problem — you've set up port forwarding so your camera is accessible at myoffice.ddns.net:8080 from the internet. It works from home. But from inside the office, the same address doesn't work.

NAT loopback — internal traffic hits the public IP and is bounced back inside.
How NAT loopback works. Without the loopback rule the camera would reply directly to the PC and the connection would break silently.
NAT table showing destination-NAT, source-NAT, and loopback rules side by side.
The NAT table. Rule 0 is a DNS redirect (destination NAT), rule 1 is the standard source NAT (INSIDE → OUTSIDE), and rule 2 is the loopback source NAT (OUTSIDE → INSIDE) that lets internal devices reach internal services via the public IP.

Why: Your PC sends the request to the Abilis's public IP. The Abilis sees it came from inside the LAN but is addressed to the outside — it doesn't know to redirect it internally.

When you need it: Only if internal devices need to use the public IP or domain name. If everyone inside uses the device's internal IP directly (e.g. 192.168.1.50), you don't need this.

NAT loopback requires a Source NAT rule with both zones set to INSIDE. This rule rewrites the sender's address so that the internal server's reply routes back through the Abilis (instead of going directly to the client, which would break the connection).
  1. Go to Networking > Settings > NAT, click New +.
  2. Fill in:
  3. Click Save.
This rule works alongside your existing Destination NAT port forwarding rule. The port forwarding rule handles the incoming connection; this Source NAT rule ensures the reply goes back through the Abilis so internal clients can reach the service using the public address.
Advanced: CLI equivalent
The CLI command sequence for this task is documented in Chapter 84.16 — How to configure the NAT loopback of the old Abilis manual. A rewritten CLI guide is in preparation; this link will be updated when it is ready.

Activate traffic analysis (TRFA)

Goal: Enables bandwidth monitoring on a network port so you can see Line Load graphs and Top 5 usage charts for that connection.

TRFA is enabled per port — you choose which connections you want to monitor.

  1. Go to Networking > Settings > Ports.
  2. Click on the port you want to monitor (e.g. your WAN port).
  3. Tick Advanced to see all options.
  4. Scroll down to Traffic Analysis (TRFA) and tick the checkbox to enable it.
  5. Set the Trfa Mode to choose the level of detail:
Trfa Mode dropdown — TOTALS, PROT, IP, IP-PROT.
Trfa Mode options — from basic totals to full per-IP protocol breakdown.
ModeWhat it recordsBest for
TOTALSTotal global traffic on this port.Simple "how much bandwidth am I using?" overview.
PROTTraffic broken down by protocol (TCP, UDP, etc.).Understanding what kind of traffic flows through.
IPTraffic totals per individual IP address.Finding which device uses the most bandwidth.
IP-PROTTraffic per IP address, further split by protocol.Full detail — which device is doing what. Uses the most disk space.
  1. Click Save.
  2. Repeat for any other ports you want to monitor.
Once TRFA is active on a port, traffic data starts collecting immediately. You can view the results at Networking > Info — see View traffic analysis below.
Advanced: CLI equivalent
The CLI command sequence for this task is documented in Chapter 84.24 — How to activate the IP TRFA resource of the old Abilis manual. A rewritten CLI guide is in preparation; this link will be updated when it is ready.

View traffic analysis (Line Load and Top 5)

Goal: See how much bandwidth each connection is using right now and which devices on your network are consuming the most traffic.

  1. Go to Networking → Info. Click on any connection (e.g. Lan_locale).
  2. You'll see two tabs at the top: Line Load and Top 5.
  3. Line Load — a real-time throughput graph showing how much data is flowing through the connection over time. Use the dropdowns at the top to set: The display toggles under the graph (Throughput, Bandwidth, Trip time, sent / received / lost / FEC-reconstructed packets) control which series are drawn.
    Line Load — real-time throughput graph showing bandwidth usage over time.
    Line Load — throughput graph for LAN (Ip-1) showing download and upload traffic in real time.
  4. Top 5 — four pie charts showing which devices and remote hosts are using the most bandwidth. The grey outer circle represents the full capacity; coloured slices show each device's share.
    Top 5 — pie charts showing bandwidth usage by IP address.
    Top 5 — the four quadrants show: which LAN device downloads the most, which remote server sends the most, which LAN device uploads the most, and which remote server receives the most.
  5. You can Export to CSV from the Line Load view for reporting or analysis in Excel.
Tip: Internet feeling slow? Check Top 5 to see which device is consuming the most bandwidth. If one device is using most of the pie, that's your culprit.
Advanced: CLI equivalent
The CLI command sequence for this task is documented in Chapter 84.24 — How to activate the IP TRFA resource of the old Abilis manual. A rewritten CLI guide is in preparation; this link will be updated when it is ready.

Set up Dynamic DNS

Goal: Gives your Abilis a fixed name (like myoffice.ddns.net) that always points to your current public IP, even when it changes.

DDNS has two parts: the DDNS service (provider credentials) is configured via the SSH/Telnet CLI as a one-time setup, but the domain name binding is managed through the web interface.

Assign a DDNS hostname to a WAN port

  1. Go to Networking > Settings > Ports.
  2. Click on the WAN port that connects to the internet (e.g. your fibre or LTE port).
  3. Scroll down to Dynamic Domain Name Service (DDNS).
  4. Tick the DDNS checkbox to enable it.
  5. In the DDNS domain name field, enter the hostname you registered with your DDNS provider (e.g. myoffice.no-ip.org).
Port settings — Dynamic Domain Name Service (DDNS) enabled with domain name myoffice.no-ip.org.
Port settings (Advanced) — DDNS enabled with the registered hostname.
  1. Click Save.
The DDNS service itself (provider name, username, password) must be configured once via the Abilis control program. Once that initial setup is done, the domain name binding shown above is all you need to manage through the web interface. If you change DDNS providers, the service credentials will need to be updated via CLI again.
Advanced: CLI equivalent
The CLI command sequence for this task is documented in Chapter 84.18 — How to setup DDNS service on Abilis of the old Abilis manual. A rewritten CLI guide is in preparation; this link will be updated when it is ready.

Set up LTE as a backup internet connection (automatic failover)

Goal: If your main connection drops, the Abilis switches to LTE automatically.

Automatic failover — primary line fails, Abilis switches to LTE backup.
Automatic failover — primary line fails, Abilis switches to LTE backup.

How it works: Two default routes with different metrics in the Routings table. Lower metric = higher priority. The Abilis monitors both and switches automatically.

  1. Go to Networking > Settings > Routings.
  2. You should see your primary default route (destination: any, pointing to your fibre/DSL port). Note its metric value.
  3. Click New + to create a second default route:
  4. Click Save.
  5. Verify at Networking > Info — you should see both connections, with the primary showing a green status icon and the backup ready to take over.
To test failover, temporarily disconnect the primary connection. The Abilis should switch to LTE within seconds. Reconnect the primary and it will switch back automatically.
Advanced: CLI equivalent
The CLI command sequence for this task is documented in Chapter 84.11 — How to configure UMTS-BOX or LTE-BOX as backup for the Internet of the old Abilis manual. A rewritten CLI guide is in preparation; this link will be updated when it is ready.

Monitor a voice tunnel between two Abilis

Goal: A voice tunnel carries phone calls between two Abilis sites. Extensions at Site A can call Site B as internal calls.

This how-to is for monitoring an existing voice tunnel. To create one, see Phone How-To → Link two Abilis PBXs (the configuration lives in the Phone section because it deals with extensions and call routing).
  1. Go to Networking > Info. Click on the voice connection (e.g. "VoIP_smartphones").
  2. Line Load shows a throughput graph. Select the resource (e.g. VoIP_smartphones Ip-4) and timespan.
  3. Green line = bandwidth usage. Flat near zero = no active calls; spikes = call traffic.
  4. Click Export to CSV for reporting.
Advanced: CLI equivalent
The CLI command sequence for this task is documented in Chapter 84.22 — How to configure a voice tunnel between two Abilis of the old Abilis manual. A rewritten CLI guide is in preparation; this link will be updated when it is ready.

Check the state of network interfaces

Goal: You want a quick overview of all your network connections — which ones are working, which ones are down, and whether the Abilis is connected to the internet. This is the first thing to check when something isn't working.

  1. Go to Networking → Info. Click the Networking icon in the sidebar, then the Info tab. The live status dashboard loads automatically.
  2. Read the status indicators. Each connection is shown as a pill-shaped button with a coloured icon:
    IconWhat it means
    Green (happy face)Connection is up and working normally.
    Dark/grey iconConnection is configured but not currently active — it may be intentionally disabled, standing by as a backup, or misconfigured.
  3. Click on any connection to see its detail page, including Line Load graphs (how much bandwidth is being used) and Top 5 traffic sources.
LAN Connections Info — status indicators show connection health.
Networking → Info — status indicators show connection health at a glance.
Tip: Bookmark this page or make it your habit to check it first thing in the morning. If all icons are green, everything is fine. If a connection that should be active shows a dark icon, see Internet not working — what to check first for next steps.
Advanced: CLI equivalent
The CLI command sequence for this task is documented in Chapter 84.25 — How to use state detection of IP interfaces of the old Abilis manual. A rewritten CLI guide is in preparation; this link will be updated when it is ready.

Limit bandwidth on a connection (traffic shaping)

Goal: Caps the bandwidth on a connection to prevent it from consuming all available capacity, reserving room for other services (e.g. phone calls, VPN).

  1. Go to Networking > Settings > Ports.
  2. Click on the port you want to limit (e.g. a WAN or tunnel port).
  3. Tick Advanced to see all options.
  4. Scroll to Traffic Shaping and expand it.
  5. Set Output speed limitation to YES.
  6. Set the Output speed limitation value in Kbit/s (e.g. 1000 for 1 Mbit/s).
Quick Kbit/s ↔ Mbit/s conversions: 1000 Kbit/s = 1 Mbit/s · 10000 = 10 Mbit/s · 100000 = 100 Mbit/s.
Port settings — Traffic Shaping expanded showing Output speed limitation set to YES with value 1000.
Port settings (Advanced) — Traffic Shaping with output speed limited to 1000 Kbit/s.
  1. Click Save.
This is especially useful on VPN tunnels or WAN connections where you want to guarantee bandwidth for voice traffic. Limit the data tunnel so it can't starve the voice tunnel.

Cap bandwidth per IP address or subnet (IP Shaping)

Goal: One device or one department is saturating the internet line — a backup job, a single heavy downloader, a guest VLAN hogging everything. Rather than limit the whole WAN port (see traffic shaping for that), you want to cap specific hosts or networks so everyone else keeps their share.

IP Shaping configuration — thresholds for bandwidth-hungry hosts.
Networking > Settings > IP Shaping. Set the upload and download thresholds above which a host is throttled, the variance window, and how often the rate is adjusted.
IP Shaping — an Abilis feature that enforces a maximum bandwidth rate per IP address, per subnet, or per matching rule. Different from the ACL firewall (allow/deny): IP Shaping doesn't block anything, it just limits speed.
  1. Identify who to limit — the offending IP, a list of IPs, or a subnet (e.g. the guest VLAN 192.168.100.0/24).
  2. Go to Networking > Settings > IP Shaping.
  3. Click New + and configure the rule:
  4. Click Save. The rule takes effect immediately — no restart.
  5. Verify at Networking > Info — the affected IP's Line Load will flatten at the rate you set.
The most common real use: create one IP Shaping rule pointing at the guest-VLAN subnet with a reasonable cap (say 30% of total WAN bandwidth). Guests can still browse and video-call; they can no longer exhaust the line and starve business traffic.
IP Shaping and ACL work together, not instead of each other. ACL decides whether a packet is allowed at all; IP Shaping decides how fast it flows when allowed. You can combine them — e.g. allow a guest subnet but cap it.

Worked example: machine-to-machine bottleneck

A concrete case Lino described, common in small industrial and office installations:

The situation. A 100 Mbit/s internet line serves a small office. One of the hosts on the LAN is an industrial PC that periodically uploads large telemetry or backup files to a supplier's server over the internet — unattended, machine-to-machine, no human noticing. When an upload runs, the line saturates: the VPN to the other site stutters, video calls freeze, the cameras' remote viewers lose frames. The upload itself doesn't need to be fast — it runs overnight by design — but nothing else works while it does.

The fix. Cap only that machine's outbound rate. Everyone else keeps full access to the line. The upload still completes (just over a longer window); the other services stay smooth throughout.

  1. Identify the machine by its static IP — for example 192.168.1.50. If it doesn't have a fixed address yet, reserve one first via Set up the DHCP server so the shaping rule keeps targeting the right host.
  2. Decide the cap. For the 100 Mbit/s line in this example, reserving 80 Mbit/s for everything else leaves 20 Mbit/s for the industrial PC — enough to upload several gigabytes overnight without noticeable impact on anyone else. Express the cap in Kbit/s: 20000 for 20 Mbit/s.
  3. Go to Networking > Settings > IP Shaping and click New +.
  4. Configure the rule:
  5. Click Save.
  6. Verify: when the next upload runs, open Networking > Info and select the WAN port. The Line Load graph should show a flat plateau at ~20 Mbit/s rather than the previous spike to line rate. Meanwhile the VPN tunnel and voice traffic stay smooth — the other 80 Mbit/s is there for them.
If the cap turns out too tight and uploads start missing their overnight window, raise it (e.g. from 20000 to 40000 Kbit/s) and re-check. IP Shaping rules take effect immediately, so tuning is a matter of minutes, not reboots.
The same shape solves other machine-to-machine squeezes: a CCTV exporter uploading footage to cloud storage, a store's POS system pushing end-of-day batches, a backup appliance syncing overnight. The pattern is always the same — pin the heavy sender to a bounded share, give everyone else breathing room.

Restart a connection (WAN, VPN, tunnel)

Goal: One of your network connections is stuck — a WAN line, a VPN tunnel, or an LTE uplink — but the Abilis itself is still reachable. You want to recycle just that one resource without rebooting the whole appliance.

How it works: Restart is done by toggling the resource off and on — deactivate, save, then reactivate. The resource is torn down and rebuilt cleanly without affecting any other port on the appliance.

  1. Go to Networking > Settings > Ports and open the resource you want to restart (e.g. Ip-40, Ip-4 VoIP_smartphones, an LTE port).
  2. At the top of the resource panel, untick Active.
  3. Click Save. The resource goes down — its status icon changes and its traffic stops.
  4. Wait a few seconds, then tick Active again and click Save. The resource comes back up and re-establishes its connection.
  5. Check the result on Networking > Info — the status icon for the resource should return to green within 30–60 seconds for a normal WAN, or up to a couple of minutes for an LTE modem that has to re-register on the mobile network.
If the connection doesn't come back: the problem is not on the Abilis side — it is the upstream device, the operator, or the physical link. Check any other resource sharing the same cable or modem, and the LEDs on the external equipment, before calling Anteklab support.

Internet is not working — what to check first

Goal: A user reports "the internet is down." Before calling support, you can quickly check a few things from the Abilis web interface to understand what's happening and possibly fix it yourself.

Troubleshooting flow — follow these steps when the internet is not working.
Troubleshooting flow — follow these steps when the internet is not working.
Networking Info — green smileys mean the connection is up.
Networking > Info — status indicators showing connection health. Green smileys = connection is up. A red smiley means that connection has a problem.

Step 1: Can you reach the Abilis?

Open your browser and go to the Abilis web address (factory default: https://192.168.1.1). If the Abilis login page appears, the Abilis itself is fine — the problem is between the Abilis and the internet. Continue to Step 2. If you can't reach the Abilis at all, the problem is on your local network (cable unplugged, WiFi down, wrong IP address on your computer).

Step 2: Check the connection status

Go to Networking → Info. Look at the status icons:

What you seeWhat it meansWhat to do
All icons greenAll internet connections are working. The problem is elsewhere (a specific website may be down, or DNS is misconfigured).Try visiting a different website. If that works, the original site is down — not your internet.
One connection dark/inactive, others greenOne connection failed, but other connections are still working. Internet should still work, but may be slower.Try restarting the modem for the inactive connection.
All connections dark/inactiveAll internet connections are down. This could be a provider-side outage or a widespread issue.Wait 5 minutes (provider outages often resolve quickly). If it persists, try restarting each modem. If still down, call your internet provider.
Icons green but slow/no browsingConnections are up but DNS might be blocked or a firewall rule is interfering.Check Networking → Settings → DNS to verify DNS servers are configured. Check DNS Filtering in Administration — a new rule may be blocking legitimate sites.

Step 3: Check if it's just one computer

Ask another user on a different computer to try. If only one computer has the problem, the issue is with that specific computer (its network cable, WiFi connection, or local settings) — not with the Abilis.

Step 4: If nothing helps

If you've checked all of the above and the problem persists, gather the following information before contacting support:

InformationWhere to find it
Which connections are up/downNetworking → Info (note the status icon colours)
When the problem startedAsk the user, or check Networking → Info for connection history
Is it all users or just one?Ask around the office
Abilis firmware versionAdministration → System → General Parameters

Send this information to tem@antek.it or call +39 0376 16262,27. This saves time because the support engineer won't need to ask you for it.

Anteklab Technical Support Email: tem@antek.it
Tel: +39 0376 16262,27
← Settings Tab Phone Overview →